Module: DotenvVault

Includes:

Dotenv

Defined in:

lib/dotenv-vault.rb,
lib/dotenv-vault/rails.rb,
lib/dotenv-vault/version.rb

Defined Under Namespace

Classes: DecryptionFailed, InvalidDotenvKey, NotFoundDotenvEnvironment, NotFoundDotenvKey, NotFoundDotenvVault, Railtie

Constant Summary

VERSION =

"0.10.1"

Class Attribute Summary

• .instrumenter ⇒ Object

  Returns the value of attribute instrumenter.

Class Method Summary

• .decrypt(ciphertext, key) ⇒ Object
• .dotenv_key ⇒ Object
• .dotenv_key_present? ⇒ Boolean
• .dotenv_vault_present? ⇒ Boolean
• .ignoring_nonexistent_files ⇒ Object
• .instructions(parsed, split_dotenv_key) ⇒ Object
• .instrument(name, payload = {}, &block) ⇒ Object
• .load(*filenames) ⇒ Object
• .load!(*filenames) ⇒ Object

  same as ‘load`, but raises Errno::ENOENT if any files don’t exist.

• .load_vault(*filenames) ⇒ Object

  Vault: Load from .env.vault.

• .logger ⇒ Object
• .overload(*filenames) ⇒ Object

  same as ‘load`, but will override existing values in `ENV`.

• .overload!(*filenames) ⇒ Object

  same as ‘overload`, but raises Errno:ENOENT if any files don’t exist.

• .overload_vault(*filenames) ⇒ Object

  Vault: Overload from .env.vault.

• .parse(*filenames) ⇒ Object

  returns a hash of parsed key/value pairs but does not modify ENV.

• .parse_vault(*filenames) ⇒ Object
• .present?(str) ⇒ Boolean
• .require_keys(*keys) ⇒ Object
• .using_vault? ⇒ Boolean
• .vault_path ⇒ Object
• .with(*filenames) ⇒ Object

  Internal: Helper to expand list of filenames.

Class Attribute Details

.instrumenter ⇒ Object

Returns the value of attribute instrumenter.

# File 'lib/dotenv-vault.rb', line 17

def instrumenter
  @instrumenter
end

Class Method Details

.decrypt(ciphertext, key) ⇒ Object

Raises:

• (InvalidDotenvKey)

# File 'lib/dotenv-vault.rb', line 180

def decrypt(ciphertext, key)
  key = key[-64..-1] # last 64 characters. allows for passing keys with preface like key_*****

  raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Key part must be 64 characters long (or more)" unless key && key.bytesize == 64

  lockbox = Lockbox.new(key: key, encode: true)
  begin
    lockbox.decrypt(ciphertext)
  rescue Lockbox::Error
    raise DecryptionFailed, "DECRYPTION_FAILED: Please check your DOTENV_KEY"
  end
end

.dotenv_key ⇒ Object

# File 'lib/dotenv-vault.rb', line 162

def dotenv_key
  return ENV["DOTENV_KEY"] if present?(ENV["DOTENV_KEY"])

  ""
end

.dotenv_key_present? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dotenv-vault.rb', line 158

def dotenv_key_present?
  present?(dotenv_key) && dotenv_vault_present?
end

.dotenv_vault_present? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dotenv-vault.rb', line 168

def dotenv_vault_present?
  File.file?(vault_path)
end

.ignoring_nonexistent_files ⇒ Object

# File 'lib/dotenv-vault.rb', line 85

def ignoring_nonexistent_files
  Dotenv.ignoring_nonexistent_files
end

.instructions(parsed, split_dotenv_key) ⇒ Object

Raises:

• (InvalidDotenvKey)

# File 'lib/dotenv-vault.rb', line 193

def instructions(parsed, split_dotenv_key)
  # Parse DOTENV_KEY. Format is a URI
  uri = URI.parse(split_dotenv_key) # dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=production

  # Get decrypt key
  key = uri.password
  raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing key part" unless present?(key)

  # Get environment
  params = Hash[URI::decode_www_form(uri.query.to_s)]
  environment = params["environment"]
  raise InvalidDotenvKey, "INVALID_DOTENV_KEY: Missing environment part" unless present?(environment)

  # Get ciphertext payload
  environment_key = "DOTENV_VAULT_#{environment.upcase}"
  ciphertext = parsed[environment_key] # DOTENV_VAULT_PRODUCTION
  raise NotFoundDotenvEnvironment, "NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate #{environment_key} in .env.vault" unless ciphertext

  {
    ciphertext: ciphertext,
    key: key
  }
end

.instrument(name, payload = {}, &block) ⇒ Object

# File 'lib/dotenv-vault.rb', line 77

def instrument(name, payload = {}, &block)
  Dotenv.instrument(name, payload = {}, &block)
end

.load(*filenames) ⇒ Object

# File 'lib/dotenv-vault.rb', line 26

def load(*filenames)
  if using_vault?
    load_vault(*filenames)
  else
    Dotenv.load(*filenames) # fallback
  end
end

.load!(*filenames) ⇒ Object

same as ‘load`, but raises Errno::ENOENT if any files don’t exist

# File 'lib/dotenv-vault.rb', line 35

def load!(*filenames)
  if using_vault?
    load_vault(*filenames)
  else
    Dotenv.load!(*filenames)
  end
end

.load_vault(*filenames) ⇒ Object

Vault: Load from .env.vault

Decrypts and loads to ENV

# File 'lib/dotenv-vault.rb', line 92

def load_vault(*filenames)
  DotenvVault.logger.info("[dotenv-vault] Loading env from encrypted .env.vault") if DotenvVault.logger

  parsed = parse_vault(*filenames)
  
  # Set ENV
  parsed.each { |k, v| ENV[k] ||= v }

  { parsed: parsed }
end

.logger ⇒ Object

# File 'lib/dotenv-vault.rb', line 19

def logger
  @logger ||= Logger.new(STDOUT)
end

.overload(*filenames) ⇒ Object

same as ‘load`, but will override existing values in `ENV`

# File 'lib/dotenv-vault.rb', line 44

def overload(*filenames)
  if using_vault?
    overload_vault(*filenames)
  else
    Dotenv.overload(*filenames)
  end
end

.overload!(*filenames) ⇒ Object

same as ‘overload`, but raises Errno:ENOENT if any files don’t exist

# File 'lib/dotenv-vault.rb', line 53

def overload!(*filenames)
  if using_vault?
    overload_vault(*filenames)
  else
    Dotenv.overload!(*filenames)
  end
end

.overload_vault(*filenames) ⇒ Object

Vault: Overload from .env.vault

Decrypts and overloads to ENV

# File 'lib/dotenv-vault.rb', line 106

def overload_vault(*filenames)
  DotenvVault.logger.info("[dotenv-vault] Overloading env from encrypted .env.vault") if DotenvVault.logger

  parsed = parse_vault(*filenames)
  
  # Set ENV
  parsed.each { |k, v| ENV[k] = v }

  { parsed: parsed }
end

.parse(*filenames) ⇒ Object

returns a hash of parsed key/value pairs but does not modify ENV

# File 'lib/dotenv-vault.rb', line 62

def parse(*filenames)
  if using_vault?
    parse_vault(*filenames)
  else
    Dotenv.parse(*filenames)
  end
end

.parse_vault(*filenames) ⇒ Object

Raises:

• (NotFoundDotenvKey)

# File 'lib/dotenv-vault.rb', line 117

def parse_vault(*filenames)
  # DOTENV_KEY=development/key_1234
  #
  # Warn the developer unless present
  raise NotFoundDotenvKey, "NOT_FOUND_DOTENV_KEY: Cannot find ENV['DOTENV_KEY']" unless present?(dotenv_key)

  # Parse .env.vault
  parsed = Dotenv.parse(vault_path)

  # handle scenario for comma separated keys - for use with key rotation
  # example: DOTENV_KEY="dotenv://:key_1234@dotenv.org/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenv.org/vault/.env.vault?environment=prod"
  keys = dotenv_key.split(',')

  decrypted = nil
  keys.each_with_index do |split_dotenv_key, index|
    begin
      # Get full key
      key = split_dotenv_key.strip

      # Get instructions for decrypt
      attrs = instructions(parsed, key)

      # Decrypt
      decrypted = decrypt(attrs[:ciphertext], attrs[:key])

      break
    rescue => error
      # last key
      raise error if index >= keys.length - 1
      # try next key
    end
  end

  # Parse decrypted .env string
  Dotenv::Parser.call(decrypted, true)
end

.present?(str) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dotenv-vault.rb', line 176

def present?(str)
  !(str.nil? || str.empty?)
end

.require_keys(*keys) ⇒ Object

# File 'lib/dotenv-vault.rb', line 81

def require_keys(*keys)
  Dotenv.require_keys(*keys)
end

.using_vault? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dotenv-vault.rb', line 154

def using_vault?
  dotenv_key_present? && dotenv_vault_present?
end

.vault_path ⇒ Object

# File 'lib/dotenv-vault.rb', line 172

def vault_path
  ".env.vault"
end

.with(*filenames) ⇒ Object

Internal: Helper to expand list of filenames.

Returns a hash of all the loaded environment variables.

# File 'lib/dotenv-vault.rb', line 73

def with(*filenames)
  Dotenv.with(*filenames)
end