https://nick.pearson.dev/posts en Copyright 2026 nick.pearson.dev Thu, 01 Jan 2026 06:36:04 GMT nick.pearson.dev blog feed https://nick.pearson.dev/posts/ruby-verify-cert-trust Sun, 27 Mar 2022 13:43:29 GMT https://nick.pearson.dev/posts/ruby-verify-cert-trust <p>Last week I needed to verify an SSL certificate’s trust with Ruby and wasn’t able to find a complete answer anywhere. After much poking around, I came up with the following code:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">trusted?</span><span class="p">(</span><span class="n">fullchain_pem</span><span class="p">)</span> <span class="n">certs</span> <span class="o">=</span> <span class="n">fullchain_pem</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sr">/(?=-----BEGIN)/</span><span class="p">).</span><span class="nf">map</span> <span class="k">do</span> <span class="o">|</span><span class="n">pem</span><span class="o">|</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">X509</span><span class="o">::</span><span class="no">Certificate</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">pem</span><span class="p">)</span> <span class="k">end</span> <span class="n">store</span> <span class="o">=</span> <span class="no">OpenSSL</span><span class="o">::</span><span class="no">X509</span><span class="o">::</span><span class="no">Store</span><span class="p">.</span><span class="nf">new</span> <span class="n">store</span><span class="p">.</span><span class="nf">set_default_paths</span> <span class="n">store</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="n">certs</span><span class="p">.</span><span class="nf">first</span><span class="p">,</span> <span class="n">certs</span><span class="p">[</span><span class="mi">1</span><span class="o">..-</span><span class="mi">1</span><span class="p">])</span> <span class="k">end</span> </code></pre></div></div> <p>This code:</p> <ol> <li>takes a certificate with its intermediary certs as a PEM-format string,</li> <li>splits it into individual PEM strings and creates an <a href="https://docs.ruby-lang.org/en/3.1/OpenSSL/X509/Certificate.html"><code class="highlight language-ruby highlighter-rouge"><span class="no">OpenSSL</span><span class="o">::</span><span class="no">X509</span><span class="o">::</span><span class="no">Certificate</span></code></a> object for each one, and</li> <li>verifies the chain using an <a href="https://docs.ruby-lang.org/en/3.1/OpenSSL/X509/Store.html"><code class="highlight language-ruby highlighter-rouge"><span class="no">OpenSSL</span><span class="o">::</span><span class="no">X509</span><span class="o">::</span><span class="no">Store</span></code></a> with the operating system’s default trust store.</li> </ol> <p>I needed this for an automated deployment script, which checks whether the existing certificate is trusted and should be kept. Why would there ever be an untrusted cert? When the app is initially deployed, a self-signed certificate is generated if one does not yet exist, allowing nginx (and anything else requiring a cert) to start. Alternatively, during initial setup and testing, a “staging” cert might be obtained, e.g. from Let’s Encrypt’s staging environment.</p> <p>Once we’re ready for the new production environment to go live, we need to obtain a real certificate from Let’s Encrypt. The code above is used for determining whether the certificate we already have can be keept or needs to be replaced.</p> https://nick.pearson.dev/posts/validating-elastic-beanstalk-cron-schedules Mon, 14 Feb 2022 01:36:20 GMT https://nick.pearson.dev/posts/validating-elastic-beanstalk-cron-schedules aws elastic-beanstalk cron <p>If you’ve worked with Elastic Beanstalk worker tiers, you may be familiar with the <code>cron.yaml</code> file, which sqsd uses to send jobs to your app. I recently deployed a new version of a Rails app to our worker tier environment, and the deploy failed, and hard.</p> <p>I’ve had bad deploys before, but one nice thing about Elastic Beanstalk is that the previous version of your app continues running if a deployment fails. Not this time though. The deployment failed and took everything down with it, including the previous (and should-be-still-running) version of the app.</p> <p>This seemed very strange, so I tried re-deploying the previous version, which had been running just a few minutes prior, but that deployment failed too.</p> <p>Now, I’m writing this based on my memory from a couple months ago, so bear with me here if the details aren’t 100%. I believe I checked <code>systemctl status sqsd.service</code> and was directed to run <code>journalctl -xe</code>. I think I tried starting sqsd manually using the command shown in the <code>journalctl</code> output (<code>/opt/elasticbeanstalk/lib/ruby/bin/aws-sqsd start</code>).</p> <p>Regardless, at some point I saw this (or a similar) message:</p> <pre><code class="language-wrap">Failed of parsing file 'cron.yaml', because: min out of range (ArgumentError) </code></pre> <p>I <em>had</em> just added a new job to the <code>cron.yaml</code> file in the latest deployment, but I couldn’t find anything wrong with it. The <code>schedule</code> value seemed fine and was identical to the schedule of another job, but set for a couple minutes later.</p> <p>After more digging, I found that the problem was coming from inside sqsd, the worker-tier daemon that delivers messages from an SQS queue to the app. I found the sqsd code on the machine<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup> and started adding logging output to find exactly where it was failing.</p> <p>Turns out the failure was occurring when sqsd parses the cron schedules (in <code>schedule_parser.rb</code>) using the <a href="https://rubygems.org/gems/parse-cron">parse-cron</a> gem. Here’s the relevant bit showing the part of the code that was failing and raising the error:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">begin</span> <span class="c1"># ...</span> <span class="n">schedule</span> <span class="o">=</span> <span class="n">task_def</span><span class="p">.</span><span class="nf">fetch</span><span class="p">(</span><span class="s1">'schedule'</span><span class="p">)</span> <span class="n">parser</span> <span class="o">=</span> <span class="no">CronParser</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">schedule</span><span class="p">)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">next</span><span class="p">(</span><span class="no">Time</span><span class="p">.</span><span class="nf">now</span><span class="p">)</span> <span class="c1"># test by computing next scheduled time</span> <span class="n">parser</span><span class="p">.</span><span class="nf">last</span><span class="p">(</span><span class="no">Time</span><span class="p">.</span><span class="nf">now</span><span class="p">)</span> <span class="c1"># test by computing last scheduled time</span> <span class="c1"># ...</span> <span class="k">rescue</span> <span class="o">=&gt;</span> <span class="n">e</span> <span class="k">raise</span> <span class="no">ScheduleFileError</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="s2">"Failed of parsing file '</span><span class="si">#{</span><span class="no">SCHEDULE_FILE_NAME</span><span class="si">}</span><span class="s2">', because: </span><span class="si">#{</span><span class="n">e</span><span class="p">.</span><span class="nf">message</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span> <span class="k">end</span> </code></pre></div></div> <p>After banging my head against the wall trying to figure out <em>how</em> this new job could be failing, I added a line of code to log the <code>schedule</code> variable before it was parsed. That’s when I found it wasn’t the new job with a bad schedule, but one that had been there for months, successfully parsing and deploying all along. What on earth…</p> <p>Here’s the job that was failing. It should run every 15 minutes from 7:00am until 7:45pm Central<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup>.</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-job</span> <span class="na">url</span><span class="pi">:</span> <span class="s">/my-job</span> <span class="na">schedule</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*/15</span><span class="nv"> </span><span class="s">12-24</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*</span><span class="nv"> </span><span class="s">*'</span> </code></pre></div></div> <p>If you work with cron schedules much, you’ll probably spot the error right away. I don’t, and didn’t. The <em>original</em> schedule (from years ago) was <span class="nowrap"><code>*/15 12-23 * * *</code></span>, but I decided I wanted it to run for an extra hour each day, so I increased the hours component from <code>12-23</code> to <code>12-24</code>. Without realizing it at the time, I’d made an invalid cron schedule, <a href="https://crontab.guru/#*/15_12-24_*_*_*">as Crontab.guru shows</a>.</p> <p>I hurridly updated the schedule to its correct form, <code>*/15 0,12-23 * * *</code>, and deployed the app. It worked.</p> <p>But I wasn’t satisfied. I had to figure out why the bad schedule had worked all along until now. I started off by trying this in a local IRB session:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">parser</span> <span class="o">=</span> <span class="no">CronParser</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="s1">'*/15 12-24 * * *'</span><span class="p">)</span> <span class="c1">#=&gt; #&lt;CronParser:... @source="*/15 12-24 * * *", @time_source=Time&gt;</span> <span class="n">parser</span><span class="p">.</span><span class="nf">next</span><span class="p">(</span><span class="no">Time</span><span class="p">.</span><span class="nf">now</span><span class="p">)</span> <span class="c1">#=&gt; (a timestamp)</span> <span class="n">parser</span><span class="p">.</span><span class="nf">last</span><span class="p">(</span><span class="no">Time</span><span class="p">.</span><span class="nf">now</span><span class="p">)</span> <span class="c1">#=&gt; (a timestamp)</span> </code></pre></div></div> <p>No failures… So the <code>CronParser</code> is allowing the invalid <code>12-24</code> hour field. More poking around… until it hit me. The (literal) variable here was <code class="highlight language-ruby highlighter-rouge"><span class="no">Time</span><span class="p">.</span><span class="nf">now</span></code>.</p> <p>I had done the (failed) deployment at night but was now trying to reproduce the problem during the day. I tried <code class="highlight language-ruby highlighter-rouge"><span class="n">parser</span><span class="p">.</span><span class="nf">next</span><span class="p">(</span><span class="mi">10</span><span class="p">.</span><span class="nf">hours</span><span class="p">.</span><span class="nf">from_now</span><span class="p">)</span></code>, and there it was, the error I’d been searching for: <strong>min out of range</strong>.</p> <p>Without further inspecting the parse-cron gem’s code, it appears to be parsing an invalid cron schedule without complaint and then failing when trying to determine the next or previous execution time if the schedule is invalid.</p> <p>To prevent future failures like this, I now have a test that reads and parses the app’s <code>cron.yaml</code> file and validates its cron schedules using a different gem called <a href="https://github.com/bkr/crontab_syntax_checker">crontab_syntax_checker</a>.<sup id="fnref:3" role="doc-noteref"><a href="#fn:3" class="footnote" rel="footnote">3</a></sup> Here’s a simplified version for minitest:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">require</span> <span class="s1">'test_helper'</span> <span class="nb">require</span> <span class="s1">'crontab_line'</span> <span class="k">class</span> <span class="nc">CronTest</span> <span class="o">&lt;</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">TestCase</span> <span class="n">cron_file</span> <span class="o">=</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">root</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="s1">'cron.yaml'</span><span class="p">)</span> <span class="no">YAML</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">cron_file</span><span class="p">.</span><span class="nf">read</span><span class="p">)[</span><span class="s1">'cron'</span><span class="p">].</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">task</span><span class="o">|</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">#{</span><span class="n">task</span><span class="p">[</span><span class="s1">'name'</span><span class="p">]</span><span class="si">}</span><span class="s2"> has a valid schedule"</span> <span class="k">do</span> <span class="c1"># this raises an error if the schedule is bad</span> <span class="no">CrontabLine</span><span class="p">.</span><span class="nf">create_by_entry</span><span class="p">(</span><span class="s2">"</span><span class="si">#{</span><span class="n">task</span><span class="p">[</span><span class="s1">'schedule'</span><span class="p">]</span><span class="si">}</span><span class="s2"> echo"</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>The <code>echo</code> part is there because this gem expects a command to come after the schedule, so I’ve added a dummy command.</p> <p>If you wanted to be <em>really</em> sure sqsd won’t choke on a cron schedule, you could write a test that uses the same parse-cron library that sqsd uses and try each schedule in your <code>cron.yaml</code> file for every minute of a two-year period (a leap year and a common year). That’s the approach I started with, but it means calling <code class="highlight language-ruby highlighter-rouge"><span class="n">parser</span><span class="p">.</span><span class="nf">next</span></code> (and maybe <code class="highlight language-ruby highlighter-rouge"><span class="n">parser</span><span class="p">.</span><span class="nf">last</span></code>) more than a million times for each schedule:</p> <pre><code class="language-wrap">(366 days + 365 days) × 24 hours × 60 minutes = 1,052,640 times </code></pre> <p>To be sure, this is overkill. But it’s also exhaustive. You could have a test like this and only run it with a special command line flag. I think the above test is enough, but if you’re unhapy with how fast your test suite runs and would like to slow it down, here’s your code:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">require</span> <span class="s1">'test_helper'</span> <span class="k">class</span> <span class="nc">CronTest</span> <span class="o">&lt;</span> <span class="no">ActiveSupport</span><span class="o">::</span><span class="no">TestCase</span> <span class="n">cron_file</span> <span class="o">=</span> <span class="no">Rails</span><span class="p">.</span><span class="nf">root</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="s1">'cron.yaml'</span><span class="p">)</span> <span class="no">YAML</span><span class="p">.</span><span class="nf">load</span><span class="p">(</span><span class="n">cron_file</span><span class="p">.</span><span class="nf">read</span><span class="p">)[</span><span class="s1">'cron'</span><span class="p">].</span><span class="nf">each</span> <span class="k">do</span> <span class="o">|</span><span class="n">task</span><span class="o">|</span> <span class="nb">test</span> <span class="s2">"</span><span class="si">#{</span><span class="n">task</span><span class="p">[</span><span class="s1">'name'</span><span class="p">]</span><span class="si">}</span><span class="s2"> has a valid schedule"</span> <span class="k">do</span> <span class="c1"># guarantee one of the two years is a leap year</span> <span class="n">base_time</span> <span class="o">=</span> <span class="no">Time</span><span class="p">.</span><span class="nf">local</span><span class="p">(</span><span class="mi">2020</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">).</span><span class="nf">utc</span><span class="p">.</span><span class="nf">midnight</span> <span class="mi">0</span><span class="p">.</span><span class="nf">upto</span><span class="p">((</span><span class="mi">366</span> <span class="o">+</span> <span class="mi">365</span><span class="p">)</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">add_minutes</span><span class="o">|</span> <span class="n">parser</span> <span class="o">=</span> <span class="no">CronParser</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">task</span><span class="p">[</span><span class="s1">'schedule'</span><span class="p">])</span> <span class="no">Timecop</span><span class="p">.</span><span class="nf">freeze</span><span class="p">(</span><span class="n">base_time</span> <span class="o">+</span> <span class="n">add_minutes</span><span class="p">.</span><span class="nf">minutes</span><span class="p">)</span> <span class="k">do</span> <span class="c1"># calling next and last can cause parser to raise</span> <span class="c1"># `ArgumentError: min out of range` if the cron</span> <span class="c1"># schedule syntax contains an out-of-range value</span> <span class="n">parser</span><span class="p">.</span><span class="nf">next</span> <span class="n">parser</span><span class="p">.</span><span class="nf">last</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>At the time of this writing, the code for <code>aws-sqsd</code> lives on worker tiers at <code>/opt/elasticbeanstalk/lib/ruby/lib/ruby/gems/2.6.0/gems/aws-sqsd-3.0.3/</code> <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>The instance uses UTC, and I’m on Central Time, which has a -0600 standard offset and -0500 daylight offset. Daylight Saving Time is accounted for in the app so that a “cron” hour of “12” means “7am CST” or “7am CDT” depending on whether DST is in effect. <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:3" role="doc-endnote"> <p>crontab_syntax_checker defines global methods, so it’s in our <code>Gemfile</code> as:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">group</span> <span class="ss">:test</span> <span class="k">do</span> <span class="n">gem</span> <span class="s1">'crontab_syntax_checker'</span><span class="p">,</span> <span class="ss">require: </span><span class="kp">false</span> <span class="k">end</span> </code></pre></div> </div> <p>Then in the test, I require a <a href="https://github.com/bkr/crontab_syntax_checker/blob/master/lib/crontab_line.rb">specific class</a> (<code class="highlight language-ruby highlighter-rouge"><span class="nb">require</span> <span class="s1">'crontab_line'</span></code>) which has everything we need and doesn’t pollute the global namespace. <a href="#fnref:3" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> https://nick.pearson.dev/posts/github-action-elastic-beanstalk-package Sat, 22 Jan 2022 06:00:00 GMT https://nick.pearson.dev/posts/github-action-elastic-beanstalk-package aws elastic-beanstalk <p>When my apps were still on the now-deprecated platform version of Elastic Beanstalk (pre-Amazon Linux 2), my deployment process was simple. I’d create a release on GitHub, download the “Source code (zip)” file GitHub automatically creates, and upload it to the Elastic Beanstalk console.</p> <p>When I started the migration to the new Amazon Linux 2 platform version, I quickly found that the GitHub zip file no longer worked, because it contains a root directory. Here’s what GitHub creates, and what works on the older version of Elastic Beanstalk:</p> <pre><code>myapp-1.0.2.zip ↳ myapp/ ↳ .ebextensions/ ↳ 01_setup.config </code></pre> <p>And here’s what the new Elastic Beanstalk requires:</p> <pre><code>myapp-1.0.2.zip ↳ .ebextensions/ ↳ 01_setup.config </code></pre> <p>At first I wrote a simple Bash script that would move the contents of the zip file “up” one directory level. It worked, but I didn’t like the manual step between getting the release from GitHub and uploading to Elastic Beanstalk. I wanted to have confidence that my code hadn’t been tampered with after the release was created, even if I was the one doing the tampering.</p> <p>I’d seen other projects using GitHub Actions to create release artifacts automatically, and it seemd a good fit, so I made one by piecing together code from the actions of a couple open source projects.</p> <p>Here’s the <code>package.yml</code> I use now:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c1"># AWS Elastic Beanstalk platform version 3 requires</span> <span class="c1"># files in the deployment zip file to exist at the</span> <span class="c1"># root of the zip file. The zip file GitHub creates</span> <span class="c1"># for a release (named "Source code (zip)") has a</span> <span class="c1"># directory at its root that contains all other</span> <span class="c1"># files and directories in the repository, making</span> <span class="c1"># it unsuitable for uploading to Elastic Beanstalk.</span> <span class="c1">#</span> <span class="c1"># This workflow builds a zip file that conforms to</span> <span class="c1"># the structure that Elastic Beanstalk expects, and</span> <span class="c1"># excludes all git and GitHub files.</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Package release</span> <span class="na">on</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">published</span><span class="pi">]</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">read</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build release package</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">Build release package</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Checkout</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build zip file</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">VERSION="$(echo "$GITHUB_REF" | cut -d/ -f3 | cut -dv -f2)"</span> <span class="s">REPO_NAME="$(echo $GITHUB_REPOSITORY | cut -d/ -f2)"</span> <span class="s">DIR="$(mktemp -d)"</span> <span class="s">zip $DIR/release.zip -q -r --symlinks . -x *.git* *.pkg.zip</span> <span class="s">mv $DIR/release.zip $REPO_NAME-$VERSION.pkg.zip</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload artifact</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/upload-artifact@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">package-release</span> <span class="na">path</span><span class="pi">:</span> <span class="s2">"</span><span class="s">*.pkg.zip"</span> <span class="na">upload</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload release package</span> <span class="na">if</span><span class="pi">:</span> <span class="s">${{ github.event_name == 'release' }}</span> <span class="na">needs</span><span class="pi">:</span> <span class="s">build</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Download artifact</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/download-artifact@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">package-release</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Upload release artifact</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/github-script@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">github-token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">const fs = require("fs").promises;</span> <span class="s">const { repo: { owner, repo }, sha } = context;</span> <span class="s">const tag = process.env.GITHUB_REF.replace("refs/tags/", "");</span> <span class="s">const release = await github.rest.repos.getReleaseByTag({</span> <span class="s">owner, repo, tag,</span> <span class="s">});</span> <span class="s">core.info(`Release: ${owner}/${repo}@${tag}`);</span> <span class="s">for (let file of await fs.readdir(".")) {</span> <span class="s">if (!file.endsWith(".pkg.zip")) continue;</span> <span class="s">core.info(`Uploading: ${file}`);</span> <span class="s">await github.rest.repos.uploadReleaseAsset({</span> <span class="s">owner, repo,</span> <span class="s">release_id: release.data.id,</span> <span class="s">name: file,</span> <span class="s">data: await fs.readFile(file),</span> <span class="s">});</span> <span class="s">}</span> </code></pre></div></div> <p>This action checks out the repository at the release tag, creates a zip file containing the repository files (excluding <code>.git*</code>), and uploads it as an asset on the release.</p> <p>The file name matches GitHub’s “Source code (zip)” download file name with <code>.pkg</code> added before <code>.zip</code> (e.g., GitHub’s file is downloaded as <code>myapp-1.0.2.zip</code> and this action creates <code>myapp-1.0.2.pkg.zip</code>).</p> <p>Now I can create a release in GitHub, wait 30 seconds or so, then download the <code>.pkg.zip</code> file and upload it to Elastic Beanstalk to deploy.</p> https://nick.pearson.dev/posts/ebenv-update Wed, 12 Jan 2022 06:00:00 GMT https://nick.pearson.dev/posts/ebenv-update aws elastic-beanstalk scripts <p>In a <a href="/posts/ebenv">previous post</a> I wrote about a small script I call <code>ebenv</code>, which makes AWS Elastic Beanstalk environment properties available to shell commands as environment variables. See that post for the rationale behind this script.</p> <p>Since that time, I came up with a simpler way to obtain the environment properties, and the new script does not depend on <code>jq</code>.</p> <p>It turns out Elastic Beanstalk on Amazon Linux 2 stores its environment properties in a file at <code>/opt/elasticbeanstalk/deployment/env</code>, readable by root. Each property is defined on its own line, in shell variable syntax, like this:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">RACK_ENV</span><span class="o">=</span>production <span class="nv">MY_PROP</span><span class="o">=</span>my-val </code></pre></div></div> <p>When I found this file, I realized I could simplify my <a href="/posts/ebenv">ebenv</a> script fairly significantly. All it needs to do is read this file and <code class="highlight language-bash highlighter-rouge"><span class="nb">export</span></code> each line, then run the supplied command.</p> <p>There’s one caveat though—it needs to handle special shell characters, namely <code>'</code>, <code>"</code>, and <code>$</code>, because the values in the <code>env</code> file can contain these characters, which will cause problems with shell interpolation and expansion.</p> <p>The first version prepended the environment variables to the command invocation. If our command was <code>rails c</code>, the command sent to the shell was <code class="highlight language-bash highlighter-rouge"><span class="nv">RACK_ENV</span><span class="o">=</span>production <span class="nv">MY_PROP</span><span class="o">=</span>my-val rails c</code>. The updated version <code class="highlight language-bash highlighter-rouge"><span class="nb">export</span></code>s each property and then runs the command, which is simpler and easier to reason about.</p> <p>Here’s the updated script, with a couple of strange line breaks so that it’s easier to read here.</p> <div class="language-shell highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span> <span class="c"># This script runs the command (and args) passed to it</span> <span class="c"># as the EB AppUser, after making Elastic Beanstalk</span> <span class="c"># environment properties available to the command.</span> <span class="c">#</span> <span class="c"># Usage:</span> <span class="c">#</span> <span class="c"># ebenv &lt;command&gt; [arguments]</span> <span class="c">#</span> <span class="c"># Example:</span> <span class="c">#</span> <span class="c"># ebenv bin/rails c</span> <span class="c">#</span> <span class="c"># When using shell variables in a command, be sure to</span> <span class="c"># escape or properly quote them so they are expanded by</span> <span class="c"># ebenv rather than by the shell before the arguments</span> <span class="c"># reach ebenv. For example:</span> <span class="c">#</span> <span class="c"># ebenv echo $RACK_ENV #=&gt; [blank]</span> <span class="c"># ebenv echo "$RACK_ENV" #=&gt; [blank]</span> <span class="c"># ebenv echo '$RACK_ENV' #=&gt; production</span> <span class="c"># ebenv echo \$RACK_ENV #=&gt; production</span> <span class="c">#</span> <span class="c"># In the first two examples, $RACK_ENV is interpreted</span> <span class="c"># by the shell before calling ebenv. In the second two</span> <span class="c"># examples, $RACK_ENV is interpolated inside ebenv.</span> <span class="c"># exit if there's no command to run</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"$#"</span> <span class="o">==</span> <span class="s2">"0"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s1">'Usage: ebenv &lt;command&gt; [arguments]'</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># get the user to run the command as</span> <span class="nv">EB_APP_USER</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span> /opt/elasticbeanstalk/bin/get-config <span class="se">\</span> platformconfig <span class="nt">-k</span> AppUser <span class="si">)</span><span class="s2">"</span> <span class="c"># export each key=value after escaping special chars</span> <span class="k">while </span><span class="nb">read</span> <span class="nt">-r</span> line<span class="p">;</span> <span class="k">do </span><span class="nv">key</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cut</span> <span class="nt">-d</span><span class="o">=</span> <span class="nt">-f1</span> <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="nv">val</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">cut</span> <span class="nt">-d</span><span class="o">=</span> <span class="nt">-f2-</span> <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span> <span class="se">\</span> | <span class="nb">sed</span> <span class="nt">-r</span> <span class="s2">"/[</span><span class="se">\\</span><span class="nv">$\</span><span class="s2">"</span><span class="s1">']/s/[\\$\"'</span><span class="o">]</span>/<span class="se">\\\\\\</span>0/g<span class="s2">")"</span> <span class="nb">export</span> <span class="s2">"</span><span class="nv">$key</span><span class="s2">=</span><span class="nv">$val</span><span class="s2">"</span> <span class="k">done</span> &lt; /opt/elasticbeanstalk/deployment/env <span class="c"># run the command as the EB AppUser</span> <span class="nb">eval</span> <span class="s2">"su -s /bin/bash -c </span><span class="se">\"</span><span class="nv">$*</span><span class="se">\"</span><span class="s2"> </span><span class="se">\"</span><span class="nv">$EB_APP_USER</span><span class="se">\"</span><span class="s2">"</span> </code></pre></div></div> <p>Feel free to <a href="/about">email me</a> if you have suggestions for further improvement.</p> https://nick.pearson.dev/posts/file-streaming-bug Mon, 10 Jan 2022 01:58:09 GMT https://nick.pearson.dev/posts/file-streaming-bug rails <p>A Rails app I work on accepts file uploads from public-facing websites. Uploaded files may contain sensitive information. We offer this so people don’t have to email their sensitive documents to our customers.</p> <p>When a file is uploaded, our app generates a new asymmetric encryption key pair and uses the public key to encrypt the uploaded file. The encrypted file is then stored, and the private key is stored separately.</p> <p>The app then makes the original file available to our customers to download. When a download request is initiated, the app retrieves the encrypted file and the private key, decrypts the file, streams it to the client, and then deletes the decrypted file, so that no sensitive info is left lying around on our server.</p> <p>Here’s a simplified version of the code I’m talking about, showing a Rails controller action (<code>download</code>) that streams a file, and a private method the action depends on (<code>with_decrypted_file</code>) that decrypts a file, yields it to a block, and then deletes it.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">download</span> <span class="n">form_post</span> <span class="o">=</span> <span class="no">FormPost</span><span class="p">.</span><span class="nf">for</span><span class="p">(</span><span class="n">current_user</span><span class="p">).</span><span class="nf">find</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="ss">:id</span><span class="p">])</span> <span class="n">with_decrypted_file</span><span class="p">(</span><span class="n">form_post</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">file</span><span class="o">|</span> <span class="c1"># Pathname</span> <span class="n">send_file_headers!</span><span class="p">(</span> <span class="ss">disposition: </span><span class="s1">'attachment'</span><span class="p">,</span> <span class="ss">filename: </span><span class="n">file</span><span class="p">.</span><span class="nf">basename</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">delete_header</span><span class="p">(</span><span class="s1">'Content-Length'</span><span class="p">)</span> <span class="nb">self</span><span class="p">.</span><span class="nf">response_body</span> <span class="o">=</span> <span class="no">Enumerator</span><span class="p">.</span><span class="nf">new</span> <span class="k">do</span> <span class="o">|</span><span class="n">chunks</span><span class="o">|</span> <span class="n">file</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="s1">'r'</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">f</span><span class="o">|</span> <span class="n">chunks</span> <span class="o">&lt;&lt;</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">8192</span><span class="p">)</span> <span class="k">while</span> <span class="o">!</span><span class="n">f</span><span class="p">.</span><span class="nf">eof?</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">with_decrypted_file</span><span class="p">(</span><span class="n">form_post</span><span class="p">)</span> <span class="n">encrypted_file</span> <span class="o">=</span> <span class="n">form_post</span><span class="p">.</span><span class="nf">fetch_decrypted_file</span> <span class="n">decrypted_file</span> <span class="o">=</span> <span class="kp">nil</span> <span class="k">begin</span> <span class="n">decrypted_file</span> <span class="o">=</span> <span class="no">EncryptionHandler</span><span class="p">.</span><span class="nf">decrypt</span><span class="p">(</span> <span class="n">encrypted_file</span><span class="p">,</span> <span class="n">form_post</span><span class="p">.</span><span class="nf">private_key</span><span class="p">)</span> <span class="nb">fail</span> <span class="k">if</span> <span class="o">!</span><span class="n">decrypted_file</span><span class="p">.</span><span class="nf">exist?</span> <span class="k">yield</span><span class="p">(</span><span class="n">decrypted_file</span><span class="p">)</span> <span class="k">ensure</span> <span class="n">encrypted_file</span><span class="p">.</span><span class="nf">delete</span> <span class="k">if</span> <span class="n">encrypted_file</span><span class="o">&amp;</span><span class="p">.</span><span class="nf">exist?</span> <span class="n">decrypted_file</span><span class="p">.</span><span class="nf">delete</span> <span class="k">if</span> <span class="n">decrypted_file</span><span class="o">&amp;</span><span class="p">.</span><span class="nf">exist?</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>Here is the same code as above, simplified even further to make it easier to see the meat of what’s going on.</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">download</span> <span class="n">with_decrypted_file</span> <span class="k">do</span> <span class="o">|</span><span class="n">file</span><span class="o">|</span> <span class="nb">self</span><span class="p">.</span><span class="nf">response_body</span> <span class="o">=</span> <span class="no">Enumerator</span><span class="p">.</span><span class="nf">new</span> <span class="k">do</span> <span class="o">|</span><span class="n">chunks</span><span class="o">|</span> <span class="n">file</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="s1">'r'</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">f</span><span class="o">|</span> <span class="n">chunks</span> <span class="o">&lt;&lt;</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">8192</span><span class="p">)</span> <span class="k">while</span> <span class="o">!</span><span class="n">f</span><span class="p">.</span><span class="nf">eof?</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="k">end</span> <span class="kp">private</span> <span class="k">def</span> <span class="nf">with_decrypted_file</span> <span class="n">decrypted_file</span> <span class="o">=</span> <span class="n">fetch_and_decrypt_file</span> <span class="k">yield</span><span class="p">(</span><span class="n">decrypted_file</span><span class="p">)</span> <span class="k">ensure</span> <span class="n">decrypted_file</span><span class="p">.</span><span class="nf">delete</span> <span class="k">end</span> </code></pre></div></div> <p>I didn’t have much experience about Rails response streaming when I wrote this code, but it seemed fairly straightforward and worked fine. Encrypted files were fetched, decrypted, streamed, and deleted. Everyone was happy.</p> <p>Until we started seeing errors, that is. The errors were only happening in some cases, and even then they were sometimes not reproducible. We would get a user report that a download was failing, but we’d try it ourselves and it would work. We’d have the user try it again and it would work. 🤷‍♂️</p> <p>Stranger still, there were two different errors that were occurring, but only one would occur at a time, the choice seemingly random:</p> <ul> <li><code>Errno::ENOENT: No such file or directory @ rb_sysopen</code><code class="highlight language-ruby highlighter-rouge"> <span class="p">(</span><span class="n">at</span> <span class="n">file</span><span class="p">.</span><span class="nf">open</span><span class="p">)</span></code></li> <li><code>IOError: closed stream</code><code class="highlight language-ruby highlighter-rouge"> <span class="p">(</span><span class="n">at</span> <span class="n">f</span><span class="p">.</span><span class="nf">eof?</span><span class="p">)</span></code></li> </ul> <p>At first this didn’t make any sense. There’s an explicit <code class="highlight language-ruby highlighter-rouge"><span class="nb">fail</span></code> if the decrypted file doesn’t exist (a sanity check to make sure decryption didn’t fail silently), but it wasn’t being tripped. The file definitely existed, and it wasn’t being deleted (cleaned up) until after the <code class="highlight language-ruby highlighter-rouge"><span class="k">yield</span></code> block had finished.</p> <p>Right? <em>Wrong.</em> A look under the hood revealed that Rails streaming happens in a separate thread. So we had a race condition, which explained why this issue only happens sometimes and is difficult to reproduce. Turns out it was happening less often on smaller files (maybe under 250K), when reading the file in one thread could finish before the file was deleted in another thread.</p> <p>I couldn’t find much in the way of how to solve this, such as a <code class="highlight language-ruby highlighter-rouge"><span class="n">flush</span></code> method on the response stream, but I found my way to the <a href="https://api.rubyonrails.org/classes/ActionDispatch/Response.html#method-i-await_sent"><code>Response#await_sent</code></a> method, which is exactly what was needed. (There’s also <a href="https://api.rubyonrails.org/classes/ActionDispatch/Response.html#method-i-await_commit"><code>Response#await_commit</code></a>, but that wasn’t enough for this case.)</p> <p>Adding <code class="highlight language-ruby highlighter-rouge"><span class="n">response</span><span class="p">.</span><span class="nf">await_sent</span></code> as the last line of the <code class="highlight language-ruby highlighter-rouge"><span class="n">with_decrypted_file</span></code> block fixed the issue by eliminating the race condition. The decrypted file is now guaranteed to finish being streamed before it gets deleted.</p> <p>Here’s the updated <code>download</code> action method:</p> <div class="language-ruby highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">def</span> <span class="nf">download</span> <span class="n">form_post</span> <span class="o">=</span> <span class="no">FormPost</span><span class="p">.</span><span class="nf">for</span><span class="p">(</span><span class="n">current_user</span><span class="p">).</span><span class="nf">find</span><span class="p">(</span><span class="n">params</span><span class="p">[</span><span class="ss">:id</span><span class="p">])</span> <span class="n">with_decrypted_file</span><span class="p">(</span><span class="n">form_post</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">file</span><span class="o">|</span> <span class="c1"># Pathname</span> <span class="n">send_file_headers!</span><span class="p">(</span> <span class="ss">disposition: </span><span class="s1">'attachment'</span><span class="p">,</span> <span class="ss">filename: </span><span class="n">file</span><span class="p">.</span><span class="nf">basename</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="nf">delete_header</span><span class="p">(</span><span class="s1">'Content-Length'</span><span class="p">)</span> <span class="nb">self</span><span class="p">.</span><span class="nf">response_body</span> <span class="o">=</span> <span class="no">Enumerator</span><span class="p">.</span><span class="nf">new</span> <span class="k">do</span> <span class="o">|</span><span class="n">chunks</span><span class="o">|</span> <span class="n">file</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="s1">'r'</span><span class="p">)</span> <span class="k">do</span> <span class="o">|</span><span class="n">f</span><span class="o">|</span> <span class="n">chunks</span> <span class="o">&lt;&lt;</span> <span class="n">f</span><span class="p">.</span><span class="nf">read</span><span class="p">(</span><span class="mi">8192</span><span class="p">)</span> <span class="k">while</span> <span class="o">!</span><span class="n">f</span><span class="p">.</span><span class="nf">eof?</span> <span class="k">end</span> <span class="k">end</span> <span class="c1"># wait to exit the block until the file has been</span> <span class="c1"># streamed so it doesn't get deleted beforehand</span> <span class="n">response</span><span class="p">.</span><span class="nf">await_sent</span> <span class="k">end</span> <span class="k">end</span> </code></pre></div></div> <p>I hope this post saves someone else some time if they are greeted with intermittent <strong><code>IOError</code></strong> and <strong><code>Errno::ENOENT</code></strong> errors while using a <code>response_body Enumerator</code> to stream files in Rails.</p> https://nick.pearson.dev/posts/cfgpkg Thu, 16 Dec 2021 15:00:00 GMT https://nick.pearson.dev/posts/cfgpkg age encryption scripts <p>I have a case where I need to store a YAML file in an S3 bucket where it’s available to be copied to a server as part of an automated deployment process. The YAML file contains a few sensitive values, like API keys, so it’d be best to keep those values encrypted.</p> <p>I’d prefer not to have to encrypt the entire file, because that makes it more difficult to work with and update. It would be nice if I could safely keep a local copy of the file, update it as needed, and only have to deal with encryption when I’m adding or changing a sensitive value.</p> <p>Not being aware of anything that could encrypt and decrypt just a subset of values in a YAML file—and not looking too hard for one, since this seemed like a fun problem to solve. Let’s write a script.</p> <p><a href="https://github.com/FiloSottile/age">age</a> reached its 1.0.0 release recently, and it looks like a good tool for the job. It has a simple command line interface, and there are binaries for multiple platforms. Plus, age uses asymmetric encryption, which will let us keep a copy of the public key locally for encrypting new and updated values without having to worry about having a private key (capable of decrypting) lying around.</p> <p>First, the requirements:</p> <ol> <li>Encrypt sensitive values locally and leave others alone</li> <li>Decrypt sensitive values on the server during deployment</li> </ol> <p>That’s it, really. We should be able to open our .yml file in a text editor, add a key/value pair, mark it as sensitive, and then run the script to encrypt the sensitive value.</p> <p>Both requirements imply the script will need a way to identify sensitive values—it needs to know what to encrypt and what to decrypt. Since config keys aren’t likely to include an exclamation mark, that seems like a good way to mark sensitive keys. Let’s do it like this: <code>API_KEY!</code>. And to let’s surround encrypted values in an age “tag” like this: <code class="highlight language-xml highlighter-rouge"><span class="nt">&lt;age&gt;</span>c2VjcmV0<span class="nt">&lt;/age&gt;</span></code>.</p> <p>It’s probably easiest to visualize what we’re going for, so let’s start with a simple YAML file at each state we want to handle: (1) the original file with a cleartext sensitive value, (2) the encrypted version that will be stored where a deployment script can get it, and (3) the final decrypted file for our application to use.</p> <ol> <li> <p>The original file:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">APP_HOST</span><span class="pi">:</span> <span class="s">app.example.com</span> <span class="na">API_KEY!</span><span class="pi">:</span> <span class="s">secret_key_abc123</span> </code></pre></div> </div> </li> <li> <p>The encrypted file:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">APP_HOST</span><span class="pi">:</span> <span class="s">app.example.com</span> <span class="na">API_KEY</span><span class="pi">:</span> <span class="s">&lt;age&gt;c2VjcmV0X2tleV9hYmMxMjMK&lt;/age&gt;</span> </code></pre></div> </div> </li> <li> <p>The decrypted file:</p> <div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">APP_HOST</span><span class="pi">:</span> <span class="s">app.example.com</span> <span class="na">API_KEY</span><span class="pi">:</span> <span class="s">secret_key_abc123</span> </code></pre></div> </div> </li> </ol> <p>The original file and decrypted file are identical except that the decrypted file does not contain a <code>!</code> character marking the sensitive key.</p> <p>Because the script needs to run locally and on our server, let’s write it as a Bash script. Ruby would surely make for simpler code, but that would introduce a deployment dependency our app may not already have.</p> <p>Let’s start writing some code. At first we can ignore validation and usage instructions and just keep it simple. We know we need to be able to tell the program what to do (encrypt or decrypt), what YAML file to operate on, and what encryption key to use, so let’s start with a simple outline.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span> <span class="nv">cmd</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">yaml_file</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$cmd</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"enc"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">public_key</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="c"># TODO: encrypt sensitive values in $yaml_file</span> <span class="k">else </span><span class="nv">private_key_file</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="c"># TODO: decrypt encrypted values in $yaml_file</span> <span class="k">fi</span> </code></pre></div></div> <p>Now’s would be a good time to see briefly how to interact with the <code>age</code> program using stdout and stdin:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># generate a key pair</span> <span class="nv">$ </span>age-keygen <span class="nt">-o</span> key.txt Public key: age1abc123... <span class="c"># encrypt and base64-encode a string using</span> <span class="c"># public key from age-keygen output</span> <span class="nv">$ </span><span class="nb">echo</span> <span class="s2">"secret"</span> | age <span class="nt">-r</span> age1abc123... | <span class="nb">base64 </span>xyz789... <span class="c"># base64-decode and decrypt string using</span> <span class="c"># private key from age-keygen run</span> <span class="nv">$ </span><span class="nb">echo</span> <span class="s2">"xyz789..."</span> | <span class="nb">base64</span> <span class="nt">-d</span> | age <span class="nt">-d</span> <span class="nt">-i</span> key.txt secret </code></pre></div></div> <p>Next, let’s implement the encryption part. sed seems like a good tool to use for our in-place file editing.<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup> We need to identify each sensitive key, remove the <code>!</code> key suffix, and encrypt the value and wrap it in our <code class="highlight language-xml highlighter-rouge"><span class="nt">&lt;age&gt;</span>...<span class="nt">&lt;/age&gt;</span></code> marker. To keep things simple we’ll assume sensitive values are on a single line with their keys. Indentation won’t matter.<sup id="fnref:2" role="doc-noteref"><a href="#fn:2" class="footnote" rel="footnote">2</a></sup> And to avoid accidentally leaving a sensitive value on a commented-out line, let’s process those lines too.</p> <p>So, let’s first find and extract sensitive keys into an array. (Note that I’m writing this on macOS, so I’ll use <code class="highlight language-bash highlighter-rouge"><span class="nb">sed</span> <span class="nt">-E</span></code>, which is like <code class="highlight language-bash highlighter-rouge"><span class="nb">sed</span> <span class="nt">-r</span></code> on Linux. We’ll address this in our script later. I’m also including extra line breaks to make the script more readable without horizontal scrolling.)</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># extract keys ending with '!' from the</span> <span class="c"># YAML file, including commented-out lines</span> <span class="k">while </span><span class="nv">IFS</span><span class="o">=</span><span class="s1">''</span> <span class="nb">read</span> <span class="nt">-r</span> line<span class="p">;</span> <span class="k">do </span>keys+<span class="o">=(</span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="o">)</span> <span class="k">done</span> &lt; &lt;<span class="o">(</span> <span class="se">\</span> <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'^[# ]*\w+! *:'</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="nt">-E</span> <span class="se">\</span> <span class="s1">'/[a-zA-Z0-9_]+! *:/ s/^[# ]*([a-zA-Z0-9_]+)! *:.*/\1/'</span> <span class="se">\</span> <span class="o">)</span> </code></pre></div></div> <p>Now let’s iterate over our <code class="highlight language-bash highlighter-rouge"><span class="nv">$keys</span></code> array to remove its <code>!</code> suffix and encrypt its value.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># encrypt values for extracted keys,</span> <span class="c"># and remove the '!' from the keys</span> <span class="k">for </span>key <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">keys</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do</span> <span class="c"># find the key and extract its value</span> <span class="nv">val</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"^[# ]*</span><span class="nv">$key</span><span class="s2">! *:"</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="se">\</span> | <span class="nb">head</span> <span class="nt">-n</span> 1 | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s2">"s/^[# ]*</span><span class="nv">$key</span><span class="s2">! *: *(.*)/</span><span class="se">\1</span><span class="s2">/"</span><span class="si">)</span><span class="s2">"</span> <span class="c"># encrypt the value and encode as Base64</span> <span class="nv">enc</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$val</span><span class="s2">"</span> <span class="se">\</span> | age <span class="nt">-r</span> <span class="s2">"</span><span class="nv">$public_key</span><span class="s2">"</span> | <span class="nb">base64</span><span class="si">)</span><span class="s2">"</span> <span class="c"># replace the "key!: val" line with "key: &lt;age&gt;...&lt;/age&gt;"</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$enc</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="nt">-i</span> <span class="se">\</span> <span class="s2">"/&lt;age&gt;/! s%^([# ]*</span><span class="nv">$key</span><span class="s2">)!( *: *).*%</span><span class="se">\1\2</span><span class="s2">&lt;age&gt;</span><span class="nv">$enc</span><span class="s2">&lt;/age&gt;%"</span> <span class="se">\</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="k">done</span> </code></pre></div></div> <p>Ok, not too bad, as shell scripts go. How about the decryption part? It’ll be similar to encryption—we just need to build our <code class="highlight language-bash highlighter-rouge"><span class="nv">$keys</span></code> array by looking for encrypted values instead of sensitive keys.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># extract keys with &lt;age&gt; values from the</span> <span class="c"># YAML file, including commented-out lines</span> <span class="k">while </span><span class="nv">IFS</span><span class="o">=</span><span class="s1">''</span> <span class="nb">read</span> <span class="nt">-r</span> line<span class="p">;</span> <span class="k">do </span>keys+<span class="o">=(</span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="o">)</span> <span class="k">done</span> &lt; &lt;<span class="o">(</span> <span class="se">\</span> <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'^[# ]*\w+ *: *&lt;age&gt;.*&lt;/age&gt;'</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> | <span class="nb">sed</span> <span class="nt">-E</span> <span class="se">\</span> <span class="s1">'/[a-zA-Z0-9_]+:/ s/^[# ]*([a-zA-Z0-9_]+) *:.*/\1/'</span> <span class="se">\</span> <span class="o">)</span> </code></pre></div></div> <p>Then we’ll Base64-decode and decrypt each value.</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># decrypt values for extracted keys</span> <span class="k">for </span>key <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">keys</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nv">enc</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"^[# ]*</span><span class="nv">$key</span><span class="s2"> *:"</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="se">\</span> | <span class="nb">sed</span> <span class="nt">-E</span> <span class="s1">'s:.*&lt;age&gt;(.*)&lt;/age&gt;.*:\1:'</span><span class="si">)</span><span class="s2">"</span> <span class="nv">val</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">base64</span> <span class="nt">-d</span> <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="nv">$enc</span><span class="s2">"</span> | age <span class="nt">-d</span> <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$private_key_file</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$val</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="nb">sed</span> <span class="nt">-E</span> <span class="nt">-i</span> <span class="se">\</span> <span class="s2">"s%^([# ]*</span><span class="nv">$key</span><span class="s2"> *: *).*%</span><span class="se">\1</span><span class="nv">$val</span><span class="s2">%"</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="k">done</span> </code></pre></div></div> <p>Before putting it all together, let’s make a function for invoking <code>sed</code> using the arguments it expects based on the OS the script is running on. (I originally saw this <a href="https://github.com/dehydrated-io/dehydrated/blob/v0.7.0/dehydrated#L724">in dehydrated</a>.)</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># use `-r` or `-E` depending on platform</span> _sed<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">uname</span><span class="si">)</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"Linux"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">sed</span> <span class="nt">-r</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">else </span><span class="nb">sed</span> <span class="nt">-E</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># use `-i` or `-i ''` depending on platform</span> _sed_i<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">uname</span><span class="si">)</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"Linux"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">sed</span> <span class="nt">-r</span> <span class="nt">-i</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">else </span><span class="nb">sed</span> <span class="nt">-E</span> <span class="nt">-i</span> <span class="s1">''</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> </code></pre></div></div> <p>Let’s put together what we have so far, using our new <code>_sed</code> and <code>_sed_i</code> functions and some docs and input validation:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span> <span class="c"># Encrypts and decrypts sensitive values in a YAML file.</span> <span class="c">#</span> <span class="c"># Values can be encrypted locally, such as in preparation</span> <span class="c"># for placing the file where it's available to a deployment</span> <span class="c"># process, and then decrypted on a server during deployment.</span> <span class="c">#</span> <span class="c"># Sub commands:</span> <span class="c">#</span> <span class="c"># enc: identifies sensitive key-value pairs (any key</span> <span class="c"># ending with "!"), then encrypts sensitive values</span> <span class="c"># and removes trailing "!" from keys</span> <span class="c">#</span> <span class="c"># dec: decrypts encrypted values</span> <span class="c">#</span> <span class="c"># Usage:</span> <span class="c">#</span> <span class="c"># cfgpkg enc &lt;config-file&gt; &lt;public-key&gt;</span> <span class="c"># cfgpkg dec &lt;config-file&gt; &lt;key-file&gt;</span> <span class="c">#</span> <span class="c"># Examples:</span> <span class="c">#</span> <span class="c"># cfgpkg enc app.yml age1abc123...</span> <span class="c"># cfgpkg dec app.yml /path/to/age.key</span> _sed<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">uname</span><span class="si">)</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"Linux"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">sed</span> <span class="nt">-r</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">else </span><span class="nb">sed</span> <span class="nt">-E</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> _sed_i<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="si">$(</span><span class="nb">uname</span><span class="si">)</span><span class="s2">"</span> <span class="o">=</span> <span class="s2">"Linux"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">sed</span> <span class="nt">-r</span> <span class="nt">-i</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">else </span><span class="nb">sed</span> <span class="nt">-E</span> <span class="nt">-i</span> <span class="s1">''</span> <span class="s2">"</span><span class="k">${</span><span class="p">@</span><span class="k">}</span><span class="s2">"</span> <span class="k">fi</span> <span class="o">}</span> <span class="nv">cmd</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span> <span class="nv">yaml_file</span><span class="o">=</span><span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> <span class="c"># exit if command, file, and key were not specified</span> <span class="k">if</span> <span class="o">[[</span> <span class="nv">$# </span><span class="nt">-ne</span> 3 <span class="o">]]</span> <span class="o">||</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$cmd</span><span class="s2">"</span> <span class="o">!=</span> <span class="s2">"enc"</span> <span class="o">&amp;&amp;</span> <span class="s2">"</span><span class="nv">$cmd</span><span class="s2">"</span> <span class="o">!=</span> <span class="s2">"dec"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> <span class="o">&gt;</span>&amp;2 <span class="nb">echo</span> <span class="s1">'Usage: cfgpkg &lt;enc|dec&gt; &lt;yaml-file&gt; &lt;pub-key/key-file&gt;'</span> <span class="nb">exit </span>1 <span class="k">elif</span> <span class="o">[[</span> <span class="o">!</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then</span> <span class="o">&gt;</span>&amp;2 <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2"> does not exist"</span> <span class="nb">exit </span>1 <span class="k">fi if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$cmd</span><span class="s2">"</span> <span class="o">==</span> <span class="s2">"enc"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">public_key</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="c"># extract keys ending with '!' from the</span> <span class="c"># YAML file, including commented-out lines</span> <span class="k">while </span><span class="nv">IFS</span><span class="o">=</span><span class="s1">''</span> <span class="nb">read</span> <span class="nt">-r</span> line<span class="p">;</span> <span class="k">do </span>keys+<span class="o">=(</span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="o">)</span> <span class="k">done</span> &lt; &lt;<span class="o">(</span> <span class="se">\</span> <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'^[# ]*\w+! *:'</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> | _sed <span class="se">\</span> <span class="s1">'/[a-zA-Z0-9_]+! *:/ s/^[# ]*([a-zA-Z0-9_]+)! *:.*/\1/'</span> <span class="se">\</span> <span class="o">)</span> <span class="c"># encrypt values for extracted keys,</span> <span class="c"># and remove the '!' from the keys</span> <span class="k">for </span>key <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">keys</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do</span> <span class="c"># find the key and extract its value</span> <span class="nv">val</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"^[# ]*</span><span class="nv">$key</span><span class="s2">! *:"</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="se">\</span> | <span class="nb">head</span> <span class="nt">-n</span> 1 | _sed <span class="s2">"s/^[# ]*</span><span class="nv">$key</span><span class="s2">! *: *(.*)/</span><span class="se">\1</span><span class="s2">/"</span><span class="si">)</span><span class="s2">"</span> <span class="c"># encrypt the value and encode as Base64</span> <span class="nv">enc</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">echo</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$val</span><span class="s2">"</span> <span class="se">\</span> | age <span class="nt">-r</span> <span class="s2">"</span><span class="nv">$public_key</span><span class="s2">"</span> | <span class="nb">base64</span><span class="si">)</span><span class="s2">"</span> <span class="c"># replace the "key!: val" line with "key: &lt;age&gt;...&lt;/age&gt;"</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$enc</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> _sed_i <span class="se">\</span> <span class="s2">"/&lt;age&gt;/! s%^([# ]*</span><span class="nv">$key</span><span class="s2">)!( *: *).*%</span><span class="se">\1\2</span><span class="s2">&lt;age&gt;</span><span class="nv">$enc</span><span class="s2">&lt;/age&gt;%"</span> <span class="se">\</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="k">done else </span><span class="nv">private_key_file</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3</span><span class="s2">"</span> <span class="c"># extract keys with &lt;age&gt; values from the</span> <span class="c"># YAML file, including commented-out lines</span> <span class="k">while </span><span class="nv">IFS</span><span class="o">=</span><span class="s1">''</span> <span class="nb">read</span> <span class="nt">-r</span> line<span class="p">;</span> <span class="k">do </span>keys+<span class="o">=(</span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="o">)</span> <span class="k">done</span> &lt; &lt;<span class="o">(</span> <span class="se">\</span> <span class="nb">grep</span> <span class="nt">-E</span> <span class="s1">'^[# ]*\w+ *: *&lt;age&gt;.*&lt;/age&gt;'</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> | _sed <span class="se">\</span> <span class="s1">'/[a-zA-Z0-9_]+:/ s/^[# ]*([a-zA-Z0-9_]+) *:.*/\1/'</span> <span class="se">\</span> <span class="o">)</span> <span class="c"># decrypt values for extracted keys</span> <span class="k">for </span>key <span class="k">in</span> <span class="s2">"</span><span class="k">${</span><span class="nv">keys</span><span class="p">[@]</span><span class="k">}</span><span class="s2">"</span><span class="p">;</span> <span class="k">do </span><span class="nv">enc</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">grep</span> <span class="nt">-E</span> <span class="s2">"^[# ]*</span><span class="nv">$key</span><span class="s2"> *:"</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="se">\</span> | _sed <span class="s1">'s:.*&lt;age&gt;(.*)&lt;/age&gt;.*:\1:'</span><span class="si">)</span><span class="s2">"</span> <span class="nv">val</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span><span class="nb">base64</span> <span class="nt">-d</span> <span class="o">&lt;&lt;&lt;</span> <span class="s2">"</span><span class="nv">$enc</span><span class="s2">"</span> | age <span class="nt">-d</span> <span class="nt">-i</span> <span class="s2">"</span><span class="nv">$private_key_file</span><span class="s2">"</span><span class="si">)</span><span class="s2">"</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$val</span><span class="s2">"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> _sed_i <span class="se">\</span> <span class="s2">"s%^([# ]*</span><span class="nv">$key</span><span class="s2"> *: *).*%</span><span class="se">\1</span><span class="nv">$val</span><span class="s2">%"</span> <span class="s2">"</span><span class="nv">$yaml_file</span><span class="s2">"</span> <span class="k">done fi</span> </code></pre></div></div> <p>Ok, we have a working, (*nix) platform-independent script. I named it “cfgpkg” (config packager). Let’s give it a try using the sample YAML from the beginning of this post to ensure it works end-to-end. (You’ll need to <a href="https://github.com/FiloSottile/age#installation">install age</a> if you haven’t already.)</p> <ol> <li> <p>Create our .yml file with sample data and generate our age key:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'APP_HOST: app.example.com'</span> <span class="o">&gt;</span> app.yml <span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'API_KEY!: secret_key_abc123'</span> <span class="o">&gt;&gt;</span> app.yml <span class="nv">$ </span>age-keygen <span class="nt">-o</span> age.key Public key: age1abc123... </code></pre></div> </div> </li> <li> <p>Encrypt the sensitive value in our .yml file:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>cfgpkg enc app.yml age1abc123... <span class="nv">$ </span><span class="nb">cat </span>app.yml APP_HOST: app.example.com API_KEY: &lt;age&gt;c2VjcmV0X2tleV9hYmMxMjMK&lt;/age&gt; </code></pre></div> </div> </li> <li> <p>Decrypt the sensitive value in our .yml file:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nv">$ </span>cfgpkg dec app.yml age.key <span class="nv">$ </span><span class="nb">cat </span>app.yml APP_HOST: app.example.com API_KEY: secret_key_abc123 </code></pre></div> </div> </li> </ol> <p>There are two features I’d like to add and one known bug to fix, but we’ll save these for another time:</p> <ol> <li> <p>[feature] the ability to “undo” an encryption run, essentially restoring our .yml file to its original pre-encryption state (same as the decrypted state, but with the <code>!</code> sensitive key markers), possibly as a <code>rev</code> sub command</p> </li> <li> <p>[feature] the ability to extract a single encrypted value without modifying the file, possibly as an <code>ext</code> sub command</p> </li> <li> <p>[bug] duplicate sensitive keys cause a problem, including on commented-out lines, because sed replaces every matching occurrence it finds</p> </li> </ol> <p>I plan to update this post when these three things have been addressed. If you find other bugs or have an idea for a useful feature, feel free to <a href="/about">email me</a>.</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>When initially researching, I discovered sed has an <a href="https://www.gnu.org/software/sed/manual/html_node/The-_0022s_0022-Command.html#index-s-command_002c-option-flags"><code>e</code> (execute) command</a> that allows you to do substitutions using the output of a shell command that runs for each match. This did exactly what I needed, but I’ll save you the time you might have otherwise spent before finding this line in the docs: <em>“This is a GNU sed extension.”</em> This means it won’t work on the version of sed that ships with macOS, so I opted against using it here. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> <li id="fn:2" role="doc-endnote"> <p>If your YAML file contains a multi-line value, and one of the lines in that value starts with what looks like a sensitve key followed by a colon, this script will incorrectly process that line. To keep things simple, our script will process the file as text using regular expressions. In other words, it won’t use a YAML parser, because that would introduce a dependency. <a href="#fnref:2" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div> https://nick.pearson.dev/posts/ebenv Thu, 14 Oct 2021 05:00:00 GMT https://nick.pearson.dev/posts/ebenv aws elastic-beanstalk scripts <p><em>Update [Jan 12, 2022]: I came up with a simpler script and <a href="/posts/ebenv-update">wrote about it</a>.</em></p> <p>I recently deployed a Rails app onto the latest AWS Elastic Beanstalk platform version running Ruby. I had done this a couple years ago, but a newer platform version (running Amazon Linux 2) is out now, with some significant changes.</p> <p>One such change: the Elastic Beanstalk application’s environment properties are no longer automatically available in a login shell as environment variables. In the previous platform version, I could start a Rails console like this:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># switch to root, then start a Rails</span> <span class="c"># console session as the webapp user</span> <span class="nb">sudo </span>su - <span class="nb">cd</span> /var/app/current su <span class="nt">-s</span> /bin/bash <span class="nt">-c</span> <span class="s1">'bin/rails c'</span> webapp </code></pre></div></div> <p>To my surprise, when I tried doing this for the first time on an instance launched via the newer Elastic Beanstalk platform version, I was greeted with this error message after trying to query the database:</p> <pre><code class="language-wrap">Mysql2::Error::ConnectionError (Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)) </code></pre> <p>Odd that it was trying to connect via a local socket rather than my RDS instance… So I tried <code class="highlight language-ruby highlighter-rouge"><span class="no">Rails</span><span class="p">.</span><span class="nf">env</span></code> and got back <code class="highlight language-ruby highlighter-rouge"><span class="s2">"development"</span></code>. Definitely not correct. It seemed that the environment variables were not being set.</p> <p>I exited the console and tried <code class="highlight language-bash highlighter-rouge"><span class="nb">echo</span> <span class="nv">$MY_VAR</span></code> to test for a variable defined as an Elastic Beanstalk environment property. Empty. Same for <code class="highlight language-ruby highlighter-rouge"><span class="vg">$RACK_ENV</span></code>, a (Ruby) platform built-in, which I expected to be set to <code>production</code>.</p> <p>While I could just add <code class="highlight language-bash highlighter-rouge"><span class="nv">RACK_ENV</span><span class="o">=</span>production <span class="nv">MY_VAR</span><span class="o">=</span>my-val</code> before <code class="highlight language-bash highlighter-rouge">rails c</code>, this would be a lot to remember and to type each time, and a copy/paste note could easily get out of sync with the list of properties the application needs.</p> <p>What I needed was a way to start a Rails console (or run other scripts) with my application’s environment variables available. I looked around a bit but didn’t find a way to do this. On a <a href="https://aws.amazon.com/premiumsupport/knowledge-center/elastic-beanstalk-pass-variables/">help page</a>, AWS notes:</p> <blockquote> <p>Environment properties aren’t automatically exported to the shell, even though they are present in the instance. Instead, environment properties are made available to the application through the stack that it runs in, based on which platform you’re using.</p> </blockquote> <p>Just under that note is a link to <a href="https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-cfg-softwaresettings.html#environments-cfg-softwaresettings-accessing">Accessing environment properties</a>, which shows how to access individual properties from within an application, but not from a shell. At the bottom, though, there’s a link to the built-in <a href="https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/custom-platforms-scripts.html"><code>get-config</code> program</a>, which looks promising.</p> <p>This page shows how to get a single environment property using <code>get-config</code>:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/opt/elasticbeanstalk/bin/get-config environment <span class="nt">-k</span> PORT </code></pre></div></div> <p>While not entirely clear from the documentation, all environment properties can be obtained by leaving off the <code class="highlight language-bash highlighter-rouge"><span class="nt">-k</span></code> option. The results are returned as JSON. Now we just need to convert the JSON to environment variables.</p> <p>Amazon Linux 2 instances on Elastic Beanstalk (on the Ruby platform, at least) come with <a href="https://stedolan.github.io/jq/"><code>jq</code></a> preinstalled. We can use this to parse the JSON from the <code>get-config</code> program and turn the key/value pairs into <code class="highlight language-bash highlighter-rouge"><span class="nb">export</span></code> commands.</p> <p>Assuming <code>get-config</code> returns this JSON:</p> <div class="language-json highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">{</span><span class="nl">"RACK_ENV"</span><span class="p">:</span><span class="s2">"production"</span><span class="p">,</span><span class="nl">"MY_VAR"</span><span class="p">:</span><span class="s2">"my-val"</span><span class="p">}</span><span class="w"> </span></code></pre></div></div> <p>we want to get these <code class="highlight language-bash highlighter-rouge"><span class="nb">export</span></code> commands:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">export </span><span class="nv">RACK_ENV</span><span class="o">=</span><span class="s2">"production"</span><span class="p">;</span> <span class="nb">export </span><span class="nv">MY_VAR</span><span class="o">=</span><span class="s2">"my-val"</span><span class="p">;</span> </code></pre></div></div> <p>Here’s a command that does just that<sup id="fnref:1" role="doc-noteref"><a href="#fn:1" class="footnote" rel="footnote">1</a></sup>:</p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/opt/elasticbeanstalk/bin/get-config environment <span class="se">\</span> | jq <span class="nt">-j</span> <span class="s1">'to_entries | .[] | "export \(.key)=\"\(.value)\"; "'</span> </code></pre></div></div> <p>Rather than having to copy and paste that command each time I ssh to a server, I put it into a script. I named it <code>ebenv</code> because it loads the EB properties into the shell as environment variables.</p> <p><em>Note: If you plan on using this code, be sure to first check out the <a href="/posts/ebenv-update">update</a>.</em></p> <div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span> <span class="c"># This script runs the command (and args)</span> <span class="c"># passed to it as the EB app user, after</span> <span class="c"># making Elastic Beanstalk environment</span> <span class="c"># variables available to the command.</span> <span class="c">#</span> <span class="c"># Usage:</span> <span class="c">#</span> <span class="c"># ebenv &lt;command&gt; [arguments]</span> <span class="c">#</span> <span class="c"># Example:</span> <span class="c">#</span> <span class="c"># ebenv bin/rails c</span> <span class="c"># exit if there's no command to run</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"$#"</span> <span class="o">==</span> <span class="s2">"0"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s1">'Usage: ebenv &lt;command&gt; [arguments]'</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># convert env properties to export commands</span> <span class="nv">EXPORTS</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span> /opt/elasticbeanstalk/bin/get-config environment <span class="se">\</span> | jq <span class="nt">-j</span> <span class="s1">'to_entries | .[] | "export \(.key)=\"\(.value)\"; "'</span> <span class="si">)</span><span class="s2">"</span> <span class="c"># get the user to run the command as</span> <span class="nv">EB_APP_USER</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span> /opt/elasticbeanstalk/bin/get-config platformconfig <span class="nt">-k</span> AppUser <span class="si">)</span><span class="s2">"</span> <span class="nb">eval</span> <span class="s2">"</span><span class="nv">$EXPORTS</span><span class="s2"> su -s /bin/bash -c </span><span class="se">\"</span><span class="nv">$*</span><span class="se">\"</span><span class="s2"> </span><span class="nv">$EB_APP_USER</span><span class="s2">"</span> </code></pre></div></div> <p>After making sure there’s a command to run, this script collects the Beanstalk environment’s properties, converts them to <code class="highlight language-bash highlighter-rouge"><span class="nb">export</span></code> commands, and then runs the command (preceeded by the <code class="highlight language-bash highlighter-rouge"><span class="nb">export</span></code>s) as the app user (<code>webapp</code>).</p> <p>This little script lives happily in my Rails app’s <code>bin</code> directory, and I also have a <em>prebuild</em> platform hook script that copies it to <code>/usr/local/bin/</code> so that it’s available everywhere.</p> <div class="footnotes" role="doc-endnotes"> <ol> <li id="fn:1" role="doc-endnote"> <p>Note that this is a simple implementation that assumes the property values do not contain quotes, escape characters, or dollar-sign characters. It just slaps a <code title="double-quote character">"</code> at the beginning and end of the value. <a href="#fnref:1" class="reversefootnote" role="doc-backlink">&#8617;</a></p> </li> </ol> </div>