New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added support for managing custom encrypted files from cli. #30940

Closed
wants to merge 1 commit into
base: master
from

Conversation

Projects
None yet
6 participants
@morgoth
Member

morgoth commented Oct 20, 2017

One can now generate/edit file by
bin/rails credentials:edit config/staging-credentials.yml.enc --key config/staging.key
bin/rails encrypted:edit config/staging-credentials.yml.enc --key config/staging.key

and display it by

bin/rails credentials:show config/staging-credentials.yml.enc --key config/staging.key
bin/rails encrypted:show config/staging-credentials.yml.enc --key config/staging.key

When --key option is omitted then default config/master.key is used.

This is a follow up to #29909

/cc @dhh and @kaspth as you introduced encrypted files

@rails-bot

This comment has been minimized.

rails-bot commented Oct 20, 2017

r? @rafaelfranca

(@rails-bot has picked a reviewer for you, use r? to override)

@rafaelfranca

This comment has been minimized.

Member

rafaelfranca commented Oct 20, 2017

r? @kaspth

@rails-bot rails-bot assigned kaspth and unassigned rafaelfranca Oct 20, 2017

@morgoth

This comment has been minimized.

Member

morgoth commented Nov 12, 2017

@kaspth Did you maybe have some time to look into it? Hopefully, we can make it to the Rails 5.2

@kaspth

This comment has been minimized.

Member

kaspth commented Nov 12, 2017

Why do you want to use a separate credentials file for your staging environment? :)

I'm not liking a lot of the underlying code changes as they stand currently. Throwing all those configs around and manually instantiating the EncryptedConfiguration in multiple places seems off.

@kaspth

This comment has been minimized.

Member

kaspth commented Nov 12, 2017

@dhh proposed an access API at one point that looks like:

Rails.application.encrypted.config(:special_tokens) # Uses master key to decrypt `config/special_token.yml.enc`.
Rails.application.encrypted_with(env_key: "SPECIAL_KEY").config(:special_tokens) # With another key.
Rails.application.encrypted.file("path") # Later. Provides a wrapper for EncryptedFile. Maybe they're stored in `config/files/*.json.enc`

encrypted_with should probably just be an alias for encrypted, so people can pick which sounds better in a given situation.

Then Rails.application.credentials would just be a wrapper for Rails.application.encrypted.config(:credentials).


So with that in mind, perhaps we shouldn't cram this in under credentials? E.g. this could work:

bin/rails encrypted:edit --config special_tokens
bin/rails encrypted:edit --file gcs_keyfile
@dhh

This comment has been minimized.

Member

dhh commented Nov 12, 2017

Don't think we even need #encrypted_with as a separate method. We could just do:

Rails.application.encrypted(env_key: "SPECIAL_KEY").config(:special_tokens)

That's clear enough 👍

@morgoth

This comment has been minimized.

Member

morgoth commented Nov 12, 2017

@kaspth For staging, I would like to have the same flow for managing credentials as for production, but obviously don't want to have all the secret values mixed into one file for both envs.

I like the idea of having separate cli bin/rails encrypted, so if you agree I can change this PR to introduce it. Does the following look correct?:

  • bin/rails encrypted:edit --config special_tokens edits file config/special_tokens.yml.enc
  • bin/rails encrypted:edit --config special_tokens --key config/special.key uses the given key defaulting to config/master.key
  • Rails.application.encrypted(env_key: "SPECIAL_KEY").config(:special_tokens) decrypts config/special_tokens.yml.enc using env SPECIAL_KEY
@kaspth

This comment has been minimized.

Member

kaspth commented Nov 13, 2017

Had a chat with @dhh

This is the API we'd like:

Rails.application.encrypted("config/special_tokens.yml.enc", env_key: "SOMETHING")

And for the CLI:

bin/rails encrypted:edit config/special_tokens.yml.enc --key config/something.key

@kaspth kaspth added this to the 5.2.0 milestone Nov 14, 2017

Added CLI for encrypted files management.
One can edit/show encrypted file by:
```
bin/rails encrypted:edit config/staging_tokens.yml.enc
bin/rails encrypted:edit config/staging_tokens.yml.enc --key config/staging.key
bin/rails encrypted:show config/staging_tokens.yml.enc
```
@morgoth

This comment has been minimized.

Member

morgoth commented Nov 14, 2017

@kaspth I added CLI wrapper for ActiveSupport::EncryptedFile to not force YAML format (which is used in ActiveSupport::EncryptedConfiguration).
If that's ok, then having Rails.application.encrypted doesn't give that much as one would have to manually cast it to given format like JSON.load(Rails.application.encrypted("config/file.json.enc"), which is not any better than JSON.load(ActiveSupport::EncryptedFile.new(content_path: "config/file.json.enc").read)

Should we leave it like this or change the CLI to be a wrapper for ActiveSupport::EncryptedConfiguration which is strictly a YAML file?

@kaspth

This comment has been minimized.

Member

kaspth commented Nov 14, 2017

Rails.application.encrypted gives us plenty in readability. Plus the manual encrypted file instantiation is missing config_path, key_path and/or env_key arguments, so it's not the same comparison.

Rails.application.encrypted should just be a wrapper for the encrypted configuration then calling read would just interpret it as an encrypted file while config would read it and parse YAML.

@kaspth

This comment has been minimized.

Member

kaspth commented Nov 14, 2017

Glancing over the code, I think this would take too many review rounds to get it to where I'd like it to be. It also showed that there's some kinks in the CLI API that needs to be thought through, which I don't think I can do without playing around locally.

Mind if I take over? I'd base it on your work and you'd still get credit on contributors.rubyonrails.org :)

@morgoth

This comment has been minimized.

Member

morgoth commented Nov 14, 2017

Of course. Go ahead :-)

@kaspth kaspth closed this in 68479d0 Nov 15, 2017

@kaspth

This comment has been minimized.

Member

kaspth commented Nov 15, 2017

@morgoth got it in there, thanks! ❤️

@arianf

This comment has been minimized.

arianf commented Oct 19, 2018

Why do you want to use a separate credentials file for your staging environment? :)

The answer to this question seems very obvious... you don't want to encrypt your production passwords with the same encryption key as your staging env. For security each environment should have its own encryption key.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment