Birst_Command 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bcdd92e145719837d3ed3e8852f5988dd67ce45f
-  data.tar.gz: d2da607de6a3b7b6464f2d75a3b184233f3bc06b
+  metadata.gz: 2fcfeb6fbba597581204ab786c08a523038a34dd
+  data.tar.gz: 3aa45b83a061a5375c33d1a25caa0f7f9a242d2a
 SHA512:
-  metadata.gz: a4b62531154a7185851a7063ca352c4f02b5699b7c971c776d66923564dfcf1df4cd207b1e057c499cf6623519cbf7a214d6f5a7134841d198acf084a3b7c330
-  data.tar.gz: 4450044f4856ed4ecfe05b59ba189926f8edf93cad684a3d38f9b5ab0ebbfb024579448a39bede084cb75843e98c3811163c2d1f676155ade18c5861253e8043
+  metadata.gz: 06dc2ba21870c94529450d603469d216b77cbfd307d2b8ec2784404320273d367e40715dcd22d9a1a0597b9e6dae8ec8aab05c6e875745f84dfad97161350d38
+  data.tar.gz: 58252f327c73d797487fe37cb8e9f901400454c46495df153751ee12efbfb82f9a65c6c6baecc918ff2cda63d51b5ab9ad13d4efc63cb131111fb096c733d7e4

data/README.md

@@ -2,13 +2,17 @@ Birst_Command
 ====================
 
 Birst Command is a Ruby gem that allows you to build Ruby scripts that
-interface with the Birst Web API.
+interface with the Birst Web API.  It also comes with a simple command line
+tool that can be used to execute simple API requests from the command line.
 
 Note: this is not an officially-sanctioned Birst project.  I'm just a
 Birst user that needed to set up a very basic Ruby interface.
 
 # Installation & Setup
 
+**SPECIAL NOTE:** Password management has changed since version 0.3.0.
+It is now more secure but requires some new configuration.
+
 Prerequisites: Ruby > 2.0 and rubygems.
 
 Install the gem using `gem install Birst_Command` or using rvm or
@@ -22,23 +26,38 @@ config file should look like,
         "wsdl": "https://app2102.bws.birst.com/CommandWebService.asmx?WSDL",
         "endpoint": "https://app2102.bws.birst.com/CommandWebService.asmx",
         "username": "name@myplace.com",
-        "password": "obfuscated pwd"
+        "password": "encrypted pwd"
     }
 
-Most users should only need to modify the username and
-password. (**Note**: do not use `login.bws.birst.com` since it does
-not use an updated WSDL; a specific app server must be specified).
-Since I have a strong aversion to storing passwords in plaintext, the
-password in the config file needs to be an obfuscated password.  Birst
-Command comes with a password obfuscator that can be executed via
+Save it to `$HOME/.birstcl`.  Most users should only need to modify
+the username and password. (**Note**: do not use `login.bws.birst.com`
+since it does not use an updated WSDL; a specific app server must be
+specified).  Since I have a strong aversion to storing passwords in
+plaintext, the password in the config file needs to use and encrypted
+password.  Birst Command comes with a password encryptor that can be
+executed via
 
-    $ obfuscate_pwd.rb mypassword
-    0x8GOZ5nA3oRSSS8ao1l6Q==
+````bash
+$ birstcl -e mypassword
+````
 
-Copy and paste the obfuscated password into the config file and **save
-to a secure location**.  If any attacker is able to get your
-obfuscated password and knows it was created using this program, it
-would be trivial to get your Birst login credentials.
+which should give an output similar to
+````
+Set these keys as environment variables
+ - Do not lose them or you will have to regenerate your password.
+ - Keep them secure, your password is compromised if these keys are compromised.
+ - Remove them as environment variables to generate new ones
+BIRST_COMMAND_IV="3Nn26chRPkclusqTHePpig=="
+BIRST_COMMAND_KEY="MWHa7gksYQaZTTq4snjyOnBDWUnKaVJq1VF4cv82MgA="
+BIRST_COMMAND_SALT="KI//0xfSrX4mdSpiSp69BQ=="
+...
+Use this encrypted password in your .birstcl file: "JlCX9/RvHnGuWZWUcjTelg=="
+````
+
+Copy and paste the encrypted password into the config file.  You will
+also need to ensure that the three environment variables are set as
+indicated above.  If you're running in a development environment, you
+can include these in your bash `~/.profile` file.
 
 # Usage - Birst command line tool
 
@@ -130,6 +149,18 @@ The `spaces` variable is a Ruby hash parsed from the SOAP response.
 The structure of the returned hash follows the structure that Birst
 returns.
 
+## Command arguments
+
+Some Birst API commands require arguments.  All arguments are supplied
+as an argument hash.  All arguments are mandatory even if they're blank/null
+(Birst web API requirement).  For example, to create a new space,
+
+````ruby
+Birst_Command::Session.start do |bc|
+  new_space_id = bc.create_new_space :spaceName => "myNewSpace", :comments => "Just testing",:automatic => "false"
+end
+````
+
 ## Cookies
 
 The start session block can also accept an argument named `use_cookie` to
@@ -157,7 +188,8 @@ puts "COMPLETE? #{is_job_complete}"
 ## Helper methods
 
 I find some of the Birst API responses to be rather cumbersome.  For
-example, why do I need hash with a single `user_space` key?  I'd
+example, why do I need hash with a single `user_space` key when I
+run the `list_spaces` command?  I'd
 rather have an array of hashes here.  To that end I find it convenient
 to define helper methods that extend the Session class to simplify
 some of this.  To override the return value of the native
@@ -168,7 +200,7 @@ class Birst_Command::Session
   def list_spaces(*args)
     result = command __method__, *args
     [result[:user_space]].flatten
-  end 
+  end
 end
 ````
 
@@ -181,17 +213,6 @@ gem because what I find helpful, you may not.  Birst Command just
 provides the basic interface.
 
 
-## Command arguments
-
-Some Birst API commands require arguments.  All arguments are supplied
-as an argument hash.  For example, to create a new space,
-
-````ruby
-Birst_Command::Session.start do |bc|
-  new_space_id = bc.create_new_space :spaceName => "myNewSpace", :comments => "Just testing",:automatic => "false"
-end
-````
-
 ## camelCase/snake_case issues
 
 Birst Command uses [Savon](http://savonrb.com/version2/client.html) as
@@ -206,4 +227,3 @@ entirely consistent in its use of camelCase for arguments (e.g.,
 `listUsersInSpace`).  This inconsistency requires us to **submit
 commands as snake_case and arguments as the camelCase that Birst
 uses.**
-

data/bin/birstcl

@@ -6,6 +6,24 @@ require "optparse"
 module BirstCL
   extend self
 
+  def run
+    set_options
+
+    if @options[:version]
+      puts "Birst_Command Version: #{Birst_Command::VERSION}"
+      exit
+    end
+
+    if @options[:encrypt_password]
+      encrypt_password(@options[:encrypt_password])
+    end
+
+    if @options[:command]
+      read_config_file
+      execute_command
+    end
+  end
+
   def set_options
     @options = {}
 
@@ -26,6 +44,11 @@ module BirstCL
         exit
       end
 
+      @options[:encrypt_password] = nil
+      opts.on("-e","--encrypt_password <PASSWORD>","Generates an encrypted version of PASSWORD that needs to be placed in ~/.birstcl") do |opt|
+        @options[:encrypt_password] = opt
+      end
+
       @options[:command] = nil
       opts.on("-c","--command <COMMAND>","COMMAND is the snake_case Birst web API command") do |opt|
         @options[:command] = opt
@@ -57,13 +80,7 @@ module BirstCL
       opts.on("-r","--read_cookie_file <COOKIE FILE>", "Path to cookie file to read") do |opt|
         @options[:read_cookie_full_path] = opt
       end
-
     end.parse!
-
-    if @options[:version]
-      puts "Birst_Command Version: #{Birst_Command::VERSION}"
-      exit
-    end
   end
 
 
@@ -71,6 +88,14 @@ module BirstCL
     Birst_Command::Config.read_config(@options[:config_full_path])
   end
 
+  def encrypt_password(password)
+    Birst_Command::Password.generate_keys(verbose: true)
+    puts <<-EOF.unindent
+    ...
+    Use this encrypted password in your .birstcl file: "#{Birst_Command::Password.encrypt(password)}"
+    EOF
+  end
+
 
   def write_cookie_file(file_full_path)
     return nil if file_full_path.nil?
@@ -100,6 +125,4 @@ module BirstCL
   end
 end
 
-BirstCL.set_options
-BirstCL.read_config_file
-BirstCL.execute_command
+BirstCL.run

data/lib/birst_command.rb

@@ -2,10 +2,12 @@ require 'savon'
 require 'httpclient'
 require 'openssl'
 require 'base64'
+require 'securerandom'
 require 'json'
 
 require 'birst_command/config'
+require 'birst_command/core_additions'
 require 'birst_command/version'
-require 'birst_command/obfuscate'
+require 'birst_command/password'
 require 'birst_command/session'
 

data/lib/birst_command/config.rb

@@ -1,4 +1,5 @@
 module Birst_Command
+  require 'erb'
   module Config
     extend self
 
@@ -12,7 +13,9 @@ module Birst_Command
     }
 
     def read_config(config_full_path = @config_full_path)
-      @options = @options.merge!(JSON.parse(IO.read(config_full_path), :symbolize_names => true))
+      parse_erb = ERB.new(IO.read(config_full_path)).result(binding)
+      parse_json = JSON.parse(parse_erb, :symbolize_names => true)
+      @options = @options.merge!(parse_json)
     end
     
     def set_debug

data/lib/birst_command/core_additions.rb

@@ -0,0 +1,8 @@
+class String
+  # Strip leading whitespace from each line that is the same as the 
+  # amount of whitespace on the first line of the string.
+  # Leaves _additional_ indentation on later lines intact.
+  def unindent
+    gsub /^#{self[/\A\s*/]}/, ''
+  end
+end

data/lib/birst_command/password.rb

@@ -0,0 +1,66 @@
+module Birst_Command
+  module Password
+    extend self
+
+    def generate_keys(verbose: false)
+      iv    = ENV['BIRST_COMMAND_IV']   || SecureRandom.base64
+      key   = ENV['BIRST_COMMAND_KEY']  || SecureRandom.base64(32)
+      salt  = ENV['BIRST_COMMAND_SALT'] || SecureRandom.base64
+
+      if verbose
+        puts <<-EOF.unindent
+        Set these keys as environment variables 
+         - Do not lose them or you will have to regenerate your password.
+         - Keep them secure, your password is compromised if these keys are compromised.
+         - Remove them as environment variables to generate new ones
+        BIRST_COMMAND_IV="#{iv}"
+        BIRST_COMMAND_KEY="#{key}"
+        BIRST_COMMAND_SALT="#{salt}"
+        EOF
+      end
+      
+      ENV['BIRST_COMMAND_IV']   = iv
+      ENV['BIRST_COMMAND_KEY']  = key
+      ENV['BIRST_COMMAND_SALT'] = salt
+    end
+
+    # Generate a new cipher for encryption or decryption
+    def create_cipher(mode)
+      iv   = ENV['BIRST_COMMAND_IV']   || SecureRandom.base64
+      key  = ENV['BIRST_COMMAND_KEY']  || SecureRandom.base64(32)
+      salt = ENV['BIRST_COMMAND_SALT'] || SecureRandom.base64
+
+      cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+      cipher.send(mode)
+      cipher.iv = iv
+
+      digest = OpenSSL::Digest::SHA256.new
+      key_len = cipher.key_len
+      iter = 20000
+      cipher.key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iter, key_len, digest)
+      cipher
+    end
+
+
+    # Returns a base64-obfuscated password to be stored in the config.json file
+    def encrypt(pwd)
+      cipher = create_cipher(:encrypt)
+
+      encrypted = cipher.update pwd
+      encrypted << cipher.final
+
+      Base64.encode64(encrypted).chomp
+    end
+
+
+    # Returns a plaintext password
+    def decrypt(encrypted_pwd)
+      cipher = create_cipher(:decrypt)
+
+      decrypted = cipher.update Base64.decode64(encrypted_pwd)
+      decrypted << cipher.final
+
+      decrypted
+    end
+  end
+end

data/lib/birst_command/session.rb

@@ -39,7 +39,7 @@ module Birst_Command
         cookies: @auth_cookies,
         message: {
           username: @options[:username], 
-          password: Obfuscate.deobfuscate(@options[:password])
+          password: Password.decrypt(@options[:password])
         })
 
       @auth_cookies = @response.http.cookies if @auth_cookies.nil?

data/lib/birst_command/version.rb

@@ -1,3 +1,3 @@
 module Birst_Command
-  VERSION = "0.3.0"
+  VERSION = "0.4.0"
 end

data/test/standard/test_password.rb

@@ -0,0 +1,54 @@
+require "test_birst_command"
+
+class Test_password < Test::Unit::TestCase
+
+  def setup
+    ENV['BIRST_COMMAND_IV']   = "3Ez9fL0Jlt/E1d7QlVtKdw=="
+    ENV['BIRST_COMMAND_KEY']  = "N589Xi0YzzkE+bRGwp3yaoVk/lneYsLHdFP+366hwcY="
+    ENV['BIRST_COMMAND_SALT'] = "AUkJj8QSmNW3QazpyNl7og=="
+
+    @password = "mysecretpass"
+    @encrypted = "dP5+BfQyTAvKOM6s1ik4zg=="
+  end
+
+  def teardown
+  end
+
+  def test_key_generation
+    ENV['BIRST_COMMAND_IV']   = nil
+    ENV['BIRST_COMMAND_KEY']  = nil
+    ENV['BIRST_COMMAND_SALT'] = nil
+
+    Password.generate_keys
+
+    encrypted = Password.encrypt(@password)
+    decrypted = Password.decrypt(encrypted)
+
+    assert_equal @password, decrypted, "Wrong decrypted password"
+  end
+
+
+  def test_decryption_failure
+    Password.generate_keys
+
+    encrypted = Password.encrypt(@password)
+    ENV['BIRST_COMMAND_SALT'] = SecureRandom.base64
+
+    assert_raise OpenSSL::Cipher::CipherError do
+      decrypted = Password.decrypt(encrypted)
+    end
+  end
+
+
+  def test_encrypt
+    assert_equal @encrypted, Password.encrypt(@password), "Expecting encrypted password #{@encrypted}"
+  end
+
+  def test_decrypt
+    assert_equal @password, Password.decrypt(@encrypted), "Expecting decrypted password #{@password}"
+  end
+
+
+end
+
+

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: Birst_Command
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Sterling Paramore
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-05-14 00:00:00.000000000 Z
+date: 2014-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: savon
@@ -43,7 +43,6 @@ email:
 - gnilrets@gmail.com
 executables:
 - birstcl
-- obfuscate_pwd.rb
 extensions: []
 extra_rdoc_files: []
 files:
@@ -56,12 +55,12 @@ files:
 - README.md
 - Rakefile
 - bin/birstcl
-- bin/obfuscate_pwd.rb
 - config.json_template
 - doc/roadmap.md
 - lib/birst_command.rb
 - lib/birst_command/config.rb
-- lib/birst_command/obfuscate.rb
+- lib/birst_command/core_additions.rb
+- lib/birst_command/password.rb
 - lib/birst_command/session.rb
 - lib/birst_command/version.rb
 - test/.gitignore
@@ -71,9 +70,9 @@ files:
 - test/standard/test_command_helper.rb
 - test/standard/test_cookie.rb
 - test/standard/test_copy_space.rb
-- test/standard/test_deobfuscate.rb
 - test/standard/test_list_spaces.rb
 - test/standard/test_login.rb
+- test/standard/test_password.rb
 - test/standard/test_read_config.rb
 - test/test_birst_command.rb
 homepage: https://github.com/gnilrets
@@ -107,8 +106,8 @@ test_files:
 - test/standard/test_command_helper.rb
 - test/standard/test_cookie.rb
 - test/standard/test_copy_space.rb
-- test/standard/test_deobfuscate.rb
 - test/standard/test_list_spaces.rb
 - test/standard/test_login.rb
+- test/standard/test_password.rb
 - test/standard/test_read_config.rb
 - test/test_birst_command.rb

data/bin/obfuscate_pwd.rb

@@ -1,9 +0,0 @@
-#!/usr/bin/env ruby
-require "birst_command"
-
-if ARGV[0]
-  puts Birst_Command::Obfuscate.obfuscate(ARGV[0])
-else
-  puts "USAGE: ./obfuscate_pwd <plaintxt password>"
-end
-

data/lib/birst_command/obfuscate.rb

@@ -1,35 +0,0 @@
-module Birst_Command
-  module Obfuscate
-    extend self
-
-    @crypt_pwd = "BirstIsAwesome"
-    @salt = "31415927"
-    @cypher = "AES-128-CBC"
-
-    def obfuscate(pwd)
-      # Returns a base64-obfuscated password to be stored in the config.json file
-      encrypter = OpenSSL::Cipher::Cipher.new @cypher
-      encrypter.encrypt
-      encrypter.pkcs5_keyivgen @crypt_pwd, @salt
-
-      encrypted = encrypter.update pwd
-      encrypted << encrypter.final
-
-      Base64.encode64(encrypted).chomp
-    end
-
-
-    def deobfuscate(obfuscated_pwd)
-      # Returns a plaintext password
-      decrypter = OpenSSL::Cipher::Cipher.new @cypher
-      decrypter.decrypt
-      decrypter.pkcs5_keyivgen @crypt_pwd, @salt
-
-      plain = decrypter.update Base64.decode64(obfuscated_pwd)
-      plain << decrypter.final
-
-      plain
-    end
-
-  end
-end

data/test/standard/test_deobfuscate.rb

@@ -1,23 +0,0 @@
-require "test_birst_command"
-
-class Test_deobfuscate < Test::Unit::TestCase
-
-  def setup
-    @pwd = "mysecretpass"
-    @obs_pwd = "IQX4os6wCE7rl+JuSYL2Iw=="
-  end
-
-  def teardown
-  end
-
-  def test_obfuscate
-    assert_equal @obs_pwd, Obfuscate.obfuscate(@pwd), "Expecting password #{@obs_pwd}"
-  end
-
-  def test_deobfuscate
-    assert_equal @pwd, Obfuscate.deobfuscate(@obs_pwd), "Expecting password #{@pwd}"
-  end
-
-end
-
-