Add Transform Secrets engine support #102

Merged
merged 5 commits into from
Jul 8, 2020

Conversation

Valarissa
Contributor

@Valarissa Valarissa commented Jun 24, 2020

ENTERPRISE VAULT ONLY

Description

The vault ruby gem was updated to allow usage of the transform secrets engine a little while back. This PR allows for the usage of that engine within rails, extending the vault_attribute class function to accept a transform_secret hash that allows for the usage of FPE with a vault-internal tweak_source. Support for additional tweak_sources and transformation types may be provided in the future.

Similar to the Transit engine already implemented, this functionality uses a db column either provided by the user with the encrypted_column option, or uses the vault_attribute name provided with a _encrypted appended as a suffix (e.g. vault_attribute :ssn will have ssn_encrypted as the column that stores the value).

Note: due to constraints from ActiveRecord, we do NOT encourage people to use the name of the attribute as the column name (i.e. specifying encrypted_column: 'ssn' for the above example). The reason is this causes some instance attribute collisions that creates some confusion on the exact state of the data, particularly after calling reload on the object.

Usage Instructions

Currently, the only fields accepted by the transform_secrets hash are:

  • transformation - required - String of the transformation name
  • role - String of the role name to be using the given transformation

All configuration of a given transformation should be done in vault, either via the HTTP API (which vault-ruby uses), or via the Vault CLI. Information on how to do so can be found here.
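As an added illustration of the option conventions described in this PR (this is example code written for this page, not vault-rails's own implementation), the snippet below models how a `vault_attribute` declaration with a `transform_secret` hash resolves to a column name and transformation settings: the column defaults to the attribute name with `_encrypted` appended unless `encrypted_column` is given, `transformation` is required, and `role` is optional. The PR text only discourages using the attribute name itself as the column; this example goes one step further and rejects it. The names `VaultAttributeSpec`, `VaultAttributeError` and `resolve_vault_attribute` are assumptions made here, and the sample transformation and role names are constructed.

```ruby
# Added example, not vault-rails code: models the vault_attribute / transform_secret
# option resolution described in the PR. Helper names below are assumptions.

VaultAttributeSpec = Struct.new(:attribute, :encrypted_column, :transformation, :role,
                                keyword_init: true)

class VaultAttributeError < StandardError; end

ALLOWED_TRANSFORM_KEYS = [:transformation, :role].freeze

def resolve_vault_attribute(attribute, options = {})
  name = attribute.to_s
  # Default column: attribute name with "_encrypted" appended (ssn -> ssn_encrypted),
  # unless the caller supplies encrypted_column explicitly.
  column = (options[:encrypted_column] || "#{name}_encrypted").to_s

  # The PR discourages reusing the attribute name as the column because of
  # ActiveRecord attribute collisions (confusing state after reload); this
  # example treats that configuration as an error.
  if column == name
    raise VaultAttributeError, "encrypted_column for #{name} must differ from the attribute name"
  end

  transform = options[:transform_secret]
  return VaultAttributeSpec.new(attribute: name, encrypted_column: column) if transform.nil?

  # Only the two fields listed in the PR are accepted.
  unknown = transform.keys.map(&:to_sym) - ALLOWED_TRANSFORM_KEYS
  unless unknown.empty?
    raise VaultAttributeError, "unknown transform_secret keys: #{unknown.join(', ')}"
  end

  transformation = transform[:transformation] || transform['transformation']
  if transformation.nil? || transformation.to_s.empty?
    raise VaultAttributeError, 'transform_secret requires :transformation'
  end
  role = transform[:role] || transform['role']

  VaultAttributeSpec.new(attribute: name, encrypted_column: column,
                         transformation: transformation.to_s, role: role&.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample declaration; 'ssn-fpe' and 'payments' are made-up names.
  spec = resolve_vault_attribute(:ssn, transform_secret: { transformation: 'ssn-fpe', role: 'payments' })
  puts spec.to_h.inspect
end
```

The resolved spec carries exactly the information the gem would need to call the transform engine's encode/decode endpoints for that attribute; the actual FPE operation, including the vault-internal tweak, happens server-side in Vault and is not modelled here.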

@kalafut kalafut requested a review from calvn June 29, 2020 18:05
lib/vault/encrypted_model.rb: review comment (outdated, resolved)
@Valarissa Valarissa force-pushed the add_transform_secrets_support branch from c913dc5 to 2a10df8 Compare June 30, 2020 23:31
@Valarissa Valarissa force-pushed the add_transform_secrets_support branch from 2a10df8 to 945dbdc Compare July 1, 2020 17:56
@calvn calvn self-requested a review July 6, 2020 17:44
lib/vault/encrypted_model.rb: review comment (outdated, resolved)
@Valarissa Valarissa force-pushed the add_transform_secrets_support branch from 98bc2d4 to ac52a2a Compare July 6, 2020 21:35
@Valarissa Valarissa force-pushed the add_transform_secrets_support branch from ac52a2a to a2cef6c Compare July 6, 2020 21:36
@Valarissa Valarissa requested a review from calvn July 6, 2020 22:03
lib/vault/encrypted_model.rb: review comment (outdated, resolved)
@Valarissa Valarissa requested a review from calvn July 7, 2020 22:19
@Valarissa Valarissa merged commit b8d4ddf into master Jul 8, 2020
@Valarissa Valarissa deleted the add_transform_secrets_support branch July 8, 2020 16:15

3 participants