Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added support for managing custom encrypted files from cli. #30940

Closed

Conversation

@morgoth
Copy link
Member

@morgoth morgoth commented Oct 20, 2017

One can now generate/edit file by
bin/rails credentials:edit config/staging-credentials.yml.enc --key config/staging.key
bin/rails encrypted:edit config/staging-credentials.yml.enc --key config/staging.key

and display it by

bin/rails credentials:show config/staging-credentials.yml.enc --key config/staging.key
bin/rails encrypted:show config/staging-credentials.yml.enc --key config/staging.key

When --key option is omitted then default config/master.key is used.

This is a follow up to #29909

/cc @dhh and @kaspth as you introduced encrypted files

@rails-bot
Copy link

@rails-bot rails-bot commented Oct 20, 2017

r? @rafaelfranca

(@rails-bot has picked a reviewer for you, use r? to override)

@rafaelfranca
Copy link
Member

@rafaelfranca rafaelfranca commented Oct 20, 2017

r? @kaspth

@rails-bot rails-bot assigned kaspth and unassigned rafaelfranca Oct 20, 2017
@morgoth
Copy link
Member Author

@morgoth morgoth commented Nov 12, 2017

@kaspth Did you maybe have some time to look into it? Hopefully, we can make it to the Rails 5.2

@kaspth
Copy link
Member

@kaspth kaspth commented Nov 12, 2017

Why do you want to use a separate credentials file for your staging environment? :)

I'm not liking a lot of the underlying code changes as they stand currently. Throwing all those configs around and manually instantiating the EncryptedConfiguration in multiple places seems off.

@kaspth
Copy link
Member

@kaspth kaspth commented Nov 12, 2017

@dhh proposed an access API at one point that looks like:

Rails.application.encrypted.config(:special_tokens) # Uses master key to decrypt `config/special_token.yml.enc`.
Rails.application.encrypted_with(env_key: "SPECIAL_KEY").config(:special_tokens) # With another key.
Rails.application.encrypted.file("path") # Later. Provides a wrapper for EncryptedFile. Maybe they're stored in `config/files/*.json.enc`

encrypted_with should probably just be an alias for encrypted, so people can pick which sounds better in a given situation.

Then Rails.application.credentials would just be a wrapper for Rails.application.encrypted.config(:credentials).


So with that in mind, perhaps we shouldn't cram this in under credentials? E.g. this could work:

bin/rails encrypted:edit --config special_tokens
bin/rails encrypted:edit --file gcs_keyfile
@dhh
Copy link
Member

@dhh dhh commented Nov 12, 2017

Don't think we even need #encrypted_with as a separate method. We could just do:

Rails.application.encrypted(env_key: "SPECIAL_KEY").config(:special_tokens)

That's clear enough 👍

@morgoth
Copy link
Member Author

@morgoth morgoth commented Nov 12, 2017

@kaspth For staging, I would like to have the same flow for managing credentials as for production, but obviously don't want to have all the secret values mixed into one file for both envs.

I like the idea of having separate cli bin/rails encrypted, so if you agree I can change this PR to introduce it. Does the following look correct?:

  • bin/rails encrypted:edit --config special_tokens edits file config/special_tokens.yml.enc
  • bin/rails encrypted:edit --config special_tokens --key config/special.key uses the given key defaulting to config/master.key
  • Rails.application.encrypted(env_key: "SPECIAL_KEY").config(:special_tokens) decrypts config/special_tokens.yml.enc using env SPECIAL_KEY
@kaspth
Copy link
Member

@kaspth kaspth commented Nov 13, 2017

Had a chat with @dhh

This is the API we'd like:

Rails.application.encrypted("config/special_tokens.yml.enc", env_key: "SOMETHING")

And for the CLI:

bin/rails encrypted:edit config/special_tokens.yml.enc --key config/something.key
@kaspth kaspth added this to the 5.2.0 milestone Nov 14, 2017
@morgoth morgoth force-pushed the freeletics:manage-multiple-credential-files branch Nov 14, 2017
One can edit/show encrypted file by:
```
bin/rails encrypted:edit config/staging_tokens.yml.enc
bin/rails encrypted:edit config/staging_tokens.yml.enc --key config/staging.key
bin/rails encrypted:show config/staging_tokens.yml.enc
```
@morgoth morgoth force-pushed the freeletics:manage-multiple-credential-files branch to adc9396 Nov 14, 2017
@morgoth
Copy link
Member Author

@morgoth morgoth commented Nov 14, 2017

@kaspth I added CLI wrapper for ActiveSupport::EncryptedFile to not force YAML format (which is used in ActiveSupport::EncryptedConfiguration).
If that's ok, then having Rails.application.encrypted doesn't give that much as one would have to manually cast it to given format like JSON.load(Rails.application.encrypted("config/file.json.enc"), which is not any better than JSON.load(ActiveSupport::EncryptedFile.new(content_path: "config/file.json.enc").read)

Should we leave it like this or change the CLI to be a wrapper for ActiveSupport::EncryptedConfiguration which is strictly a YAML file?

@kaspth
Copy link
Member

@kaspth kaspth commented Nov 14, 2017

Rails.application.encrypted gives us plenty in readability. Plus the manual encrypted file instantiation is missing config_path, key_path and/or env_key arguments, so it's not the same comparison.

Rails.application.encrypted should just be a wrapper for the encrypted configuration then calling read would just interpret it as an encrypted file while config would read it and parse YAML.

@kaspth
Copy link
Member

@kaspth kaspth commented Nov 14, 2017

Glancing over the code, I think this would take too many review rounds to get it to where I'd like it to be. It also showed that there's some kinks in the CLI API that needs to be thought through, which I don't think I can do without playing around locally.

Mind if I take over? I'd base it on your work and you'd still get credit on contributors.rubyonrails.org :)

@morgoth
Copy link
Member Author

@morgoth morgoth commented Nov 14, 2017

Of course. Go ahead :-)

@kaspth kaspth closed this in 68479d0 Nov 15, 2017
@kaspth
Copy link
Member

@kaspth kaspth commented Nov 15, 2017

@morgoth got it in there, thanks! ❤️

@arianf
Copy link

@arianf arianf commented Oct 19, 2018

Why do you want to use a separate credentials file for your staging environment? :)

The answer to this question seems very obvious... you don't want to encrypt your production passwords with the same encryption key as your staging env. For security each environment should have its own encryption key.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

6 participants
You can’t perform that action at this time.