diff --git a/README.md b/README.md index 3906fef..87694cd 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ This can be an even bigger issue if you use scheduled jobs since sensitive data ## Solution -This gem adds Sidekiq middleware that allows you to specify job arguments for your workers that should be encrypted in Redis. You do this by adding `encrypted_args` to the `sidekiq_options` in the worker. Jobs for these workers will have their arguments encrypted in Redis and decrypted when passed to `perform` method. +This gem adds Sidekiq middleware that allows you to specify job arguments for your workers that should be encrypted in Redis. You do this by adding `encrypted_args` to the `sidekiq_options` in the worker. Jobs for these workers will have their arguments encrypted in Redis and decrypted when passed to the `perform` method. To use the gem, you will need to specify a secret that will be used to encrypt the arguments as well as add the middleware to your Sidekiq client and server middleware stacks. You can set that up by adding this to the end of your Sidekiq initialization: 
@@ -24,7 +24,9 @@ Sidekiq::EncryptedArgs.configure!(secret: "YourSecretKey") If the secret is not set, the value of the `SIDEKIQ_ENCRYPTED_ARGS_SECRET` environment variable will be used as the secret. If this variable is not set, job arguments will not be encrypted. -The call to `Sidekiq::EncryptedArgs.configure!` will append the encryption middleware to the end of the client and server middleware chains. You can add the middlewares manually if you need more control over where they appear in the stacks. +The call to `Sidekiq::EncryptedArgs.configure!` will **prepend** the client encryption middleware and **append** server decryption middleware. By doing this, any other middleware you register will only receive the encrypted parameters (e.g. logging middleware will receive the encrypted parameters). + +You can add the middleware manually if you need more control over where they appear in the stacks. ```ruby Sidekiq::EncryptedArgs.secret = "YourSecretKey" diff --git a/lib/sidekiq/encrypted_args.rb b/lib/sidekiq/encrypted_args.rb index f25f3c8..533b442 100644 --- a/lib/sidekiq/encrypted_args.rb +++ b/lib/sidekiq/encrypted_args.rb 
@@ -18,21 +18,26 @@ class << self # the value will be loaded from the `SIDEKIQ_ENCRYPTED_ARGS_SECRET` environment # variable. If that value is not set, arguments will not be encrypted. # - # @param [String] value One or more secrets to use for encrypting arguments. - # - # @note You can set multiple secrets by passing an array if you need to roll your secrets. + # You can set multiple secrets by passing an array if you need to roll your secrets. # The left most value in the array will be used as the encryption secret, but # all the values will be tried when decrypting. That way if you have scheduled # jobs that were encrypted with a different secret, you can still make it available # when decrypting the arguments when the job gets run. If you are using the # environment variable, separate the keys with spaces. + # + # @param [String] value One or more secrets to use for encrypting arguments. + # @return [void] def secret=(value) @encryptors = make_encryptors(value) end - # Calling this method will add the client and server middleware to the Sidekiq + # Add the client and server middleware to the Sidekiq # middleware chains. If you need to ensure the order of where the middleware is # added, you can forgo this method and add it yourself. + # + # This method prepends client middleware and appends server middleware. + # + # @param [String] secret optionally set the secret here. See {.secret=} def configure!(secret: nil) self.secret = secret unless secret.nil? diff --git a/lib/sidekiq/encrypted_args/client_middleware.rb b/lib/sidekiq/encrypted_args/client_middleware.rb index 70ffc42..af8a3a4 100644 --- a/lib/sidekiq/encrypted_args/client_middleware.rb +++ b/lib/sidekiq/encrypted_args/client_middleware.rb 
@@ -19,7 +19,7 @@ def call(worker_class, job, queue, redis_pool = nil) # Encrypt the arguments on job # - # Additionally, set `job["encrypted_args"` to the canonicalized version (i.e. `Array`) + # Additionally, set `job["encrypted_args"]` to the canonicalized version (i.e. `Array`) # # @param [Hash] # @param [Array] encrypted_args array of indexes in job to encrypt
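Review bot: In the README hunk at `@@ -24,7 +24,9 @@`, the new claim that "any other middleware you register will only receive the encrypted parameters" holds only for middleware that ends up after the prepended client middleware and before the appended server middleware. Middleware prepended to the client chain or appended to the server chain after `configure!` has run would sit on the plaintext side of the encrypt/decrypt step. The earlier paragraph already says to add the call "to the end of your Sidekiq initialization"; suggest stating here that the guarantee depends on that ordering. Minor wording: "append server decryption middleware" is missing "the", and "where they appear" no longer agrees with the now-singular "the middleware".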
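Review bot: In the `lib/sidekiq/encrypted_args.rb` hunk, the relocated `@param [String] value` tag on `secret=` disagrees with the paragraph just above it, which says an array can be passed to roll secrets; the type should cover both forms, for example `[String, Array<String>]`. The new `@param [String] secret` on `configure!` has the same kind of gap, since the keyword defaults to `nil`, and `configure!` gets no `@return` tag while `secret=` gains `@return [void]` in the same hunk.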
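Review bot: In the `lib/sidekiq/encrypted_args/client_middleware.rb` hunk, the `# @param [Hash]` line just below the corrected comment has no parameter name or description, so the generated documentation will not say which argument it refers to. Since this comment block is being edited anyway, suggest naming it (the next tag's "array of indexes in job to encrypt" suggests it is the job hash) and adding a one-line description.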