arcanus 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 52e5895e0c0560d9a912260b996068dce2b1a775
+  data.tar.gz: d80b64ee9c1774a87b472d08f2780e65971fb075
+SHA512:
+  metadata.gz: df1be1a9de6798d5ca787f6a1d5d8e92e29533afbfd7a83ef05ad879a40560377f6a6bfb4d98013471250f8433df5cf9afb84a9229a041d89233d9fc9747188f
+  data.tar.gz: 04ce87f5fe98d26de59e1ac8e4e1d15dd9e308a595bdc313d4a51fbcfad2ab22dcdf46169ed188f55f182fb9dab8edeb31ab01ef633ba41826a18f320d1a5dd5

data/bin/arcanus

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+
+require 'arcanus/cli'
+
+input = Arcanus::Input.new(STDIN)
+output = Arcanus::Output.new(STDOUT)
+exit Arcanus::CLI.new(input: input, output: output).run(ARGV)

data/lib/arcanus.rb

@@ -0,0 +1,13 @@
+require 'arcanus/constants'
+require 'arcanus/errors'
+require 'arcanus/error_handler'
+require 'arcanus/configuration'
+require 'arcanus/input'
+require 'arcanus/output'
+require 'arcanus/ui'
+require 'arcanus/repo'
+require 'arcanus/subprocess'
+require 'arcanus/key'
+require 'arcanus/chest'
+require 'arcanus/utils'
+require 'arcanus/version'

data/lib/arcanus/chest.rb

@@ -0,0 +1,137 @@
+require 'base64'
+require 'digest'
+require 'securerandom'
+require 'yaml'
+
+module Arcanus
+  # Encapsulates the collection of encrypted secrets managed by Arcanus.
+  class Chest
+    SIGNATURE_SIZE_BITS = 256
+
+    def initialize(key_file_path:, chest_file_path:)
+      @key = Key.from_file(key_file_path)
+      @chest_file_path = chest_file_path
+      @original_encrypted_hash = YAML.load_file(chest_file_path).to_hash
+      @original_decrypted_hash = decrypt_hash(@original_encrypted_hash)
+      @hash = @original_decrypted_hash.dup
+    end
+
+    # Access the collection as if it were a hash.
+    #
+    # @param key [String]
+    # @return [Object]
+    def [](key)
+      @hash[key]
+    end
+
+    # Returns the contents of the chest as a hash.
+    def contents
+      @hash
+    end
+
+    def update(new_hash)
+      @hash = new_hash
+    end
+
+    # For each key in the chest, encrypt the new value if it has changed.
+    #
+    # The goal is to create a file where the only lines that differ are the keys
+    # that changed.
+    def save
+      modified_hash =
+        process_hash_changes(@original_encrypted_hash, @original_decrypted_hash, @hash)
+
+      File.open(@chest_file_path, 'w') { |f| f.write(modified_hash.to_yaml) }
+    end
+
+    private
+
+    def process_hash_changes(original_encrypted, original_decrypted, current)
+      result = {}
+
+      current.keys.each do |key|
+        value = current[key]
+
+        result[key] =
+          if original_encrypted.key?(key)
+            # Key still exists; check if modified.
+            if original_encrypted[key].is_a?(Hash) && value.is_a?(Hash)
+              process_hash_changes(original_encrypted[key], original_decrypted[key], current[key])
+            elsif value != original_decrypted[key]
+              # Value was changed; encrypt the new value
+              encrypt_value(value)
+            else
+              # Value wasn't changed; keep original encrypted blob
+              original_encrypted[key]
+            end
+          else
+            # Key was added
+            value.is_a?(Hash) ? process_hash_changes({}, {}, value) : encrypt_value(value)
+          end
+      end
+
+      result
+    end
+
+    def decrypt_hash(hash)
+      decrypted_hash = {}
+
+      hash.each do |key, value|
+        begin
+          if value.is_a?(Hash)
+            decrypted_hash[key] = decrypt_hash(value)
+          else
+            decrypted_hash[key] = decrypt_value(value)
+          end
+        rescue Errors::DecryptionError => ex
+          raise Errors::DecryptionError,
+                "Problem decrypting value for key '#{key}': #{ex.message}"
+        end
+      end
+
+      decrypted_hash
+    end
+
+    def encrypt_value(value)
+      dumped_value = Marshal.dump(value)
+      encrypted_value = Base64.encode64(@key.encrypt(dumped_value))
+      salt = SecureRandom.hex(8)
+
+      signature = Digest::SHA2.new(SIGNATURE_SIZE_BITS).tap do |digest|
+        digest << salt
+        digest << dumped_value
+      end.to_s
+
+      "#{encrypted_value}:#{salt}:#{signature}"
+    end
+
+    def decrypt_value(blob)
+      unless blob.is_a?(String)
+        raise Errors::DecryptionError,
+              "Expecting an encrypted blob but got '#{blob}'"
+      end
+
+      encrypted_value, salt, signature = blob.split(':')
+
+      if signature.nil? || salt.nil? || encrypted_value.nil?
+        raise Errors::DecryptionError,
+              "Invalid blob format '#{blob}' (must be of the form 'signature:salt:ciphertext')"
+      end
+
+      dumped_value = @key.decrypt(Base64.decode64(encrypted_value))
+
+      actual_signature = Digest::SHA2.new(SIGNATURE_SIZE_BITS).tap do |digest|
+        digest << salt
+        digest << dumped_value
+      end.to_s
+
+      if signature != actual_signature
+        raise Errors::DecryptionError,
+              'Signature of decrypted value does not match: ' \
+              "expected #{signature} but got #{actual_signature}"
+      end
+
+      Marshal.load(dumped_value)
+    end
+  end
+end

data/lib/arcanus/cli.rb

@@ -0,0 +1,64 @@
+require 'arcanus'
+
+module Arcanus
+  # Command line application interface.
+  class CLI
+    # Set of semantic exit codes we can return.
+    #
+    # @see http://www.gsp.com/cgi-bin/man.cgi?section=3&topic=sysexits
+    module ExitCodes
+      OK          = 0   # Successful execution
+      ERROR       = 1   # Generic error
+      USAGE       = 64  # User error (bad command line or invalid input)
+      SOFTWARE    = 70  # Internal software error (bug)
+      CONFIG      = 78  # Configuration error (invalid file or options)
+    end
+
+    # Create a CLI that outputs to the given output destination.
+    #
+    # @param input [Arcanus::Input]
+    # @param output [Arcanus::Output]
+    def initialize(input:, output:)
+      @ui = UI.new(input, output)
+    end
+
+    # Parses the given command-line arguments and executes appropriate logic
+    # based on those arguments.
+    #
+    # @param [Array<String>] arguments
+    # @return [Integer] exit status code
+    def run(arguments)
+      config = Configuration.load_applicable
+      run_command(config, arguments)
+
+      ExitCodes::OK
+    rescue => ex
+      ErrorHandler.new(@ui).handle(ex)
+    end
+
+    private
+
+    # Executes the appropriate command given the list of command line arguments.
+    #
+    # @param config [Arcanus::Configuration]
+    # @param ui [Arcanus::UI]
+    # @param arguments [Array<String>]
+    # @raise [Arcanus::Errors::ArcanusError] when any exceptional circumstance occurs
+    def run_command(config, arguments)
+      arguments = convert_arguments(arguments)
+
+      require 'arcanus/command/base'
+      Command::Base.from_arguments(config, @ui, arguments).run
+    end
+
+    def convert_arguments(arguments)
+      # Display all open changes by default
+      return ['help'] if arguments.empty? # TODO: Evaluate repo and recommend next step
+
+      return ['help'] if %w[-h --help].include?(arguments.first)
+      return ['version'] if %w[-v --version].include?(arguments.first)
+
+      arguments
+    end
+  end
+end

data/lib/arcanus/command/base.rb

@@ -0,0 +1,93 @@
+module Arcanus::Command
+  # Abstract base class of all commands.
+  #
+  # @abstract
+  class Base
+    include Arcanus::Utils
+
+    class << self
+      # Create a command from a list of arguments.
+      #
+      # @param config [Arcanus::Configuration]
+      # @param ui [Arcanus::UI]
+      # @param arguments [Array<String>]
+      # @return [Arcanus::Command::Base] appropriate command for the given
+      #   arguments
+      def from_arguments(config, ui, arguments)
+        cmd = arguments.first
+
+        begin
+          require "arcanus/command/#{Arcanus::Utils.snake_case(cmd)}"
+        rescue LoadError
+          raise Arcanus::Errors::CommandInvalidError,
+                "`arcanus #{cmd}` is not a valid command"
+        end
+
+        Arcanus::Command.const_get(Arcanus::Utils.camel_case(cmd)).new(config, ui, arguments)
+      end
+
+      def description(desc = nil)
+        @description = desc if desc
+        @description
+      end
+
+      def short_name
+        name.split('::').last.downcase
+      end
+    end
+
+    # @param config [Arcanus::Configuration]
+    # @param ui [Arcanus::UI]
+    # @param arguments [Array<String>]
+    def initialize(config, ui, arguments)
+      @config = config
+      @ui = ui
+      @arguments = arguments
+    end
+
+    # Parses arguments and executes the command.
+    def run
+      # TODO: include a parse step here and remove duplicate parsing code from
+      # individual commands
+      execute
+    end
+
+    # Executes the command given the previously-parsed arguments.
+    def execute
+      raise NotImplementedError, 'Define `execute` in Command subclass'
+    end
+
+    # Executes another command from the same context as this command.
+    #
+    # @param command_arguments [Array<String>]
+    def execute_command(command_arguments)
+      self.class.from_arguments(config, ui, command_arguments).execute
+    end
+
+    private
+
+    # @return [Array<String>]
+    attr_reader :arguments
+
+    # @return [Arcanus::Configuration]
+    attr_reader :config
+
+    # @return [Arcanus::UI]
+    attr_reader :ui
+
+    # Returns information about this repository.
+    #
+    # @return [Arcanus::Repo]
+    def repo
+      @repo ||= Arcanus::Repo.new(@config)
+    end
+
+    # Execute a process and return the result including status and output.
+    #
+    # @param args [Array<String>]
+    # @return [#status, #stdout, #stderr]
+    def spawn(args)
+      Arcanus::Subprocess.spawn(args)
+    end
+  end
+end

data/lib/arcanus/command/edit.rb

@@ -0,0 +1,66 @@
+require_relative 'shared/ensure_key'
+require 'tempfile'
+
+module Arcanus::Command
+  class Edit < Base
+    include Shared::EnsureKey
+
+    description 'Opens $EDITOR to modify the contents of the chest'
+
+    def execute
+      ensure_key_unlocked
+
+      unless editor_defined?
+        raise Arcanus::Errors::ConfigurationError,
+              '$EDITOR environment variable is not defined'
+      end
+
+      chest = Arcanus::Chest.new(key_file_path: repo.unlocked_key_path,
+                                 chest_file_path: repo.chest_file_path)
+
+      ::Tempfile.new('arcanus-chest').tap do |file|
+        file.sync = true
+        file.write(chest.contents.to_yaml)
+        edit_until_done(chest, file.path)
+      end
+    end
+
+    private
+
+    def editor_defined?
+      !ENV['EDITOR'].strip.empty?
+    end
+
+    def edit_until_done(chest, tempfile_path)
+      # Keep editing until there are no syntax errors or user decides to quit
+      loop do
+        unless system(ENV['EDITOR'], tempfile_path)
+          ui.error 'Editor exited unsuccessfully; ignoring any changes made.'
+          break
+        end
+
+        begin
+          update_chest(chest, tempfile_path)
+          ui.success 'Chest updated successfully'
+          break
+        rescue => ex
+          ui.error "Error occurred while modifying the chest: #{ex.message}"
+
+          unless ui.ask('Do you want to try editing the same file again? (y/n)')
+                   .argument(:required)
+                   .default('y')
+                   .modify('downcase')
+                   .read_string == 'y'
+            break
+          end
+        end
+      end
+    end
+
+    def update_chest(chest, tempfile_path)
+      changed_hash = YAML.load_file(tempfile_path).to_hash
+      chest.update(changed_hash)
+      chest.save # TODO: Show diff and let user accept/reject before saving
+    end
+  end
+end

data/lib/arcanus/command/export.rb

@@ -0,0 +1,55 @@
+require_relative 'shared/ensure_key'
+require 'shellwords'
+
+module Arcanus::Command
+  class Export < Base
+    include Shared::EnsureKey
+
+    description 'Outputs the decrypted values in a format suitable for ' \
+                'consumption by other programs'
+
+    def execute
+      ensure_key_unlocked
+
+      chest = Arcanus::Chest.new(key_file_path: repo.unlocked_key_path,
+                                 chest_file_path: repo.chest_file_path)
+
+      env_vars = extract_env_vars(chest.contents)
+
+      output_lines =
+        case arguments[1]
+        when nil
+          env_vars.map { |var, val| "#{var}=#{val.to_s.shellescape}" }
+        when '--shell'
+          env_vars.map { |var, val| "export #{var}=#{val.to_s.shellescape}" }
+        when '--docker'
+          # Docker env files don't need any escaping
+          env_vars.map { |var, val| "#{var}=#{val}" }
+        else
+          raise Arcanus::Errors::UsageError, "Unknown export flag #{arguments[1]}"
+        end
+
+      ui.print output_lines.join("\n")
+    end
+
+    private
+
+    def normalize_key(key)
+      key.upcase.tr('-', '_')
+    end
+
+    def extract_env_vars(hash, prefix = '')
+      output = []
+
+      hash.each do |key, value|
+        if value.is_a?(Hash)
+          output += extract_env_vars(value, "#{prefix}#{normalize_key(key)}_")
+        else
+          output << ["#{prefix}#{normalize_key(key)}", value]
+        end
+      end
+
+      output
+    end
+  end
+end