Commit ea2869c: Add secret encrypted to api keys model
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Maksym Naichuk committed May 13, 2020
1 parent ab590fd
Showing 15 changed files with 99 additions and 27 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
class AddEncryptedSecret < ActiveRecord::Migration[5.2] | ||
def change | ||
add_column :apikeys, :secret_encrypted, :string, limit: 1024, after: :scope | ||
end | ||
end |
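Review bot: the `after: :scope` option in `add_column :apikeys, :secret_encrypted, :string, limit: 1024, after: :scope` is honoured only by the MySQL adapter and is silently ignored by others, so nothing should depend on the column's position. It is also worth justifying `limit: 1024` in a comment: the value stored here is Vault transit ciphertext (a `vault:vN:` prefix plus base64), which is longer than the plaintext and grows with it, so a long secret would be truncated or rejected depending on the database's strictness.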
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
# Vault configuration | ||
|
||
## Introduction | ||
|
||
This document describe how to create vault tokens in order to configure **barong-rails** to be able **to encrypt** and **to decrypt** secrets, **to renew** token and **to manage** totp. | ||
|
||
## Connect to vault | ||
|
||
Set those variables according to your deployment: | ||
```bash | ||
export VAULT_ADDR=http://127.0.0.1:8200 | ||
export VAULT_TOKEN=s.jyH1vmrOmkZ0FZZ0NZtgRenS | ||
``` | ||
|
||
You can validate it works running the following command: | ||
```bash | ||
$ vault status | ||
|
||
Type: shamir | ||
Sealed: false | ||
Key Shares: 1 | ||
Key Threshold: 1 | ||
Unseal Progress: 0 | ||
Unseal Nonce: | ||
Version: 1.3.4 | ||
Cluster Name: vault-cluster-650930cf | ||
Cluster ID: 9f40327d-ec71-9655-b728-7588ce47d0b4 | ||
|
||
High-Availability Enabled: false | ||
``` | ||
## Create ACL groups | ||
|
||
### Create the following policy files | ||
|
||
**barong-rails.hcl** | ||
|
||
```bash | ||
# Manage the transit secrets engine | ||
path "transit/keys/*" { | ||
capabilities = [ "create", "read", "list" ] | ||
} | ||
|
||
# Encrypt engines secrets | ||
path "transit/encrypt/opendax_apikeys_*" { | ||
capabilities = [ "create", "read", "update" ] | ||
} | ||
|
||
# Decrypt engines secrets | ||
path "transit/decrypt/opendax_apikeys_*" { | ||
capabilities = [ "create", "read", "update" ] | ||
} | ||
|
||
# Renew tokens | ||
path "auth/token/renew" { | ||
capabilities = [ "update" ] | ||
} | ||
|
||
# Lookup tokens | ||
path "auth/token/lookup" { | ||
capabilities = [ "update" ] | ||
} | ||
|
||
# Generate otp code | ||
path "totp/keys/opendax_*" { | ||
capabilities = ["create", "read"] | ||
} | ||
|
||
# Verify an otp code | ||
path "totp/code/opendax_*" { | ||
capabilities = ["update"] | ||
} | ||
``` |
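Review bot: the line `export VAULT_TOKEN=s.jyH1vmrOmkZ0FZZ0NZtgRenS` in the "Connect to vault" section commits a value in the real Vault token format; even if it came from a throwaway dev instance, replace it with an obvious placeholder such as `export VAULT_TOKEN=<your-token>` so it is never copied into a deployment or mistaken for a live credential. In the policy, `path "transit/keys/*"` grants create/read/list on every transit key while the encrypt and decrypt rules are scoped to `opendax_apikeys_*`; narrowing it to `transit/keys/opendax_apikeys_*` keeps the key-management grant consistent with the rest of the file. For token maintenance, `auth/token/renew` and `auth/token/lookup` operate on arbitrary tokens by ID; if barong-rails only maintains its own token, `auth/token/renew-self` and `auth/token/lookup-self` are the least-privilege endpoints. Minor: the policy block is fenced as bash but is HCL, the heading "Create ACL groups" introduces policy files rather than groups, and "This document describe" should read "describes".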