aws-s3crets 0.0.2

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ZTQ2MjViNjUxY2Q4MmVlZmE4MGYzNDEzOWYyODczNmNkYWRiMDgyYQ==
+  data.tar.gz: !binary |-
+    OGRkMzRkOWNkOTAyZWQzNDcyMjYyNTZhOGZjNTVjYjQ2ODJhN2I2Zg==
+SHA512:
+  metadata.gz: !binary |-
+    OWFjNWMwNWQwMWIwMWExOTM5YmVhY2M0M2NmNmJlNWVhNzNlODlhOGMxNDIw
+    YjdjZTJjZjMxZWFkODczYTk1NGFjMWUwZTgwNGJmZTlhNDkzN2U3MjdkNWYx
+    NDgzODNhZDMxMWY1OWM4YTBkYjg5ZmIzMDRjMDIwOThiZTQ1NzM=
+  data.tar.gz: !binary |-
+    OTZhZWM0MzEyZGE1ZTdhNDk1NGVhMTNiYWM5ODBkMzRiZDVlZGVhZmJhNWZm
+    MTdkYjg0MmRiZjE2MDFjZWNkNTllY2NmMmIxOGVjZDRhNTA3NGU3N2I3MTIw
+    ODI4YWUwNjNjOWQwMDA1MDgyNDI0YTgwYmFmZDczNWU1NmY4NGM=

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,11 @@
+# Configuration parameters: AllowURI, URISchemes.
+Metrics/LineLength:
+  Max: 110
+
+# Offense count: 2
+Style/Documentation:
+  Enabled: false
+
+# Offense count: 2
+Style/RegexpLiteral:
+  MaxSlashes: 0

data/.travis.yml

@@ -0,0 +1,12 @@
+language: ruby
+rvm:
+- 2.1.0
+- 2.0.0
+deploy:
+  provider: rubygems
+  gem: aws-s3crets
+  on:
+    tags: true
+    all_branches: true
+  api_key:
+    secure: crwL3RJgh7X9hJK3+3gJQ3ucn9uJjJNytEGqgmnVHvAw2WNcg3oHLnro/529wfMc961ZtwMSQ75Zc4jAeDLlxR6AdMTrUJ7SOmvaIkrvmJCUaadu3C8JXY/EoIx/8tJ4V+4u5hkDvcZUoZ9g9kI68r1NtBopJMaSCgrBbYCoCZA=

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in s3crets.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2015 Norm MacLennan
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,109 @@
+# S3crets
+
+[![Build Status](https://travis-ci.org/maclennann/s3crets.svg?branch=master)](https://travis-ci.org/maclennann/s3crets)
+
+`s3crets` is a gem that allows you to fetch secret files (password, certs, keys,
+etc) from an S3 bucket via the command-line, rake, or ruby script.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'aws-s3crets'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install s3crets
+
+## Usage
+
+### Setup
+
+The most-common use-case for `s3crets` involves the use of a `Secretfile`.
+
+This is a yaml file that contains S3 location information (region/bucket)
+as well as the key/path to all of your required secrets.
+
+You can generate a sample `Secretfile` by running `s3crets init`. Now you can
+fill in your secrets. A completed `Secretfile` looks something like:
+
+```yaml
+---
+settings:
+  bucket: 'secrets_bucket'
+  region: 'us-west-2'
+  secret_dir: secrets/dev
+secrets:
+  aws_key: 'AWS/Keys/ec2-myteam-write'
+  ssh_key: 'SSH/myteam/myserver/server-priv'
+  cloud_config: 'AWS/cloudinit/myserver.yaml'
+```
+
+This `Secretfile` describes 3 secrets stored in the `secrets_bucket` bucket.
+In this example, the files are 3 secrets required to provision a new EC2 instance -
+an AWS credential file, an SSH private key, and a cloud-init config.
+
+It will download these secrets to `secrets/dev/[filename]`.
+
+### Fetching Secrets
+
+Once you have your `Secretfile` ready, there are two ways you can actually fetch
+the secrets. Both ways, assume you have you [AWS credentials set up](http://docs.aws.amazon.com/sdkforruby/api/#Credentials).
+
+#### Command Line
+
+Just type `s3crets bundle` to download all of the secrets. Secrets that already exist
+in the target directory will not be re-downloaded.
+
+#### Rake
+
+`s3crets` comes with default rake tasks. Simply `require 's3crets/default_tasks'`
+somewhere in your Rakefile and it will construct tasks based on your folder
+structure and the location of your `Secretfile`(s).
+
+For example, the following directory hierarchy:
+
+```
+Rakefile
+secrets/
+    production/
+        Secretfile
+    development/
+        Secretfile
+```
+
+Will create the following rake tasks:
+
+```
+rake secrets:development   # Fetch secrets for development
+rake secrets:production    # Fetch secrets for production
+```
+
+The following configuration can be applied to the default tasks:
+
+* `ENV['S3CRETS_ENVIRONMENT_GLOB']` - The directory glob that is used to identify
+your environments (default: `secrets/**/Secretfile`)
+
+### `Secretfile.resolved`
+
+Once you have fetched your secrets, a `Secretsfile.resolved` will be created in
+the directory. This file contains the name and hash of the files that were
+downloaded.
+
+If you have a file locally that doesn't match the hash in your `resolved` file,
+it will be redownloaded the next time you fetch secrets. Then the resolved file
+will be updated.
+
+## Contributing
+
+1. Fork it ( https://github.com/maclennann/s3crets/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/gem_tasks'
+require 'rubocop/rake_task'
+require 'rspec/core/rake_task'
+
+task default: [:rubocop, :spec]
+
+# Ensure default rake tasks load
+require 's3crets/default_tasks'
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new(:rubocop)

data/aws-s3crets.gemspec

@@ -0,0 +1,30 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 's3crets/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'aws-s3crets'
+  spec.version       = S3crets::VERSION
+  spec.authors       = ['Norm MacLennan']
+  spec.email         = ['norm.maclennan@gmail.com']
+  spec.summary       = 'Fetch secret files from AWS S3 buckets.'
+  spec.description   = 'Fetch secret files from AWS S3 buckets.'
+  spec.homepage      = ''
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rubocop', '~> 0.29'
+  spec.add_development_dependency 'rspec', '~> 3.2'
+  spec.add_development_dependency 'fakefs', '~> 0.6'
+  spec.add_development_dependency 'gem-path', '~> 0.6'
+
+  spec.add_dependency 'aws-sdk', '~> 2.0'
+  spec.add_dependency 'thor'
+end

data/bin/s3crets

@@ -0,0 +1,4 @@
+#! ruby
+require 's3crets/cli'
+
+S3crets::Cli.start(ARGV)

data/lib/s3crets.rb

@@ -0,0 +1,4 @@
+require 's3crets/version'
+
+module S3crets
+end

data/lib/s3crets/actions.rb

@@ -0,0 +1,3 @@
+require 's3crets/actions/init'
+require 's3crets/actions/bundle'
+require 's3crets/actions/get'

data/lib/s3crets/actions/base.rb

@@ -0,0 +1,27 @@
+module S3crets
+  module Actions
+    # Basic plumbing for all actions
+    class Base
+      attr_accessor :options
+      private :options=
+
+      attr_accessor :logger
+      private :logger=
+
+      def initialize(logger, options = {})
+        self.logger  = logger
+        self.options = options
+      end
+
+      private
+
+      def debug(*args, &block)
+        logger.debug(*args, &block)
+      end
+
+      def source_root
+        @source_root ||= Pathname.new(File.expand_path('../../../../', __FILE__))
+      end
+    end
+  end
+end

data/lib/s3crets/actions/bundle.rb

@@ -0,0 +1,120 @@
+require 's3crets/actions/base'
+require 's3crets/error'
+require 'aws-sdk'
+require 'yaml'
+
+module S3crets
+  module Actions
+    # Download or verify the secrets in a Secretfile
+    class Bundle < Base
+      attr_accessor :settings
+      attr_accessor :remote_secrets
+      attr_accessor :local_secrets
+      attr_accessor :update
+
+      def initialize(ui, options, args = {})
+        super(ui, options)
+        @update = args[:update]
+      end
+
+      def run
+        ensure_secretfile
+        load_required_secrets
+        ensure_secrets_path
+        validate_environment
+        load_resolved_secrets if resolved_file?
+        validate_local_secrets unless @update
+        run!
+      end
+
+      private
+
+      def run!
+        if need_secrets?
+          new_secrets = download_remote_secrets
+          update_resolved_file new_secrets
+        else
+          debug { 'No secrets to download...' }
+        end
+      end
+
+      def ensure_secretfile
+        fail Error, NO_SECRETFILE_ERROR unless File.exist? SECRETFILE_NAME
+        debug { "#{SECRETFILE_NAME} located..." }
+      end
+
+      def ensure_secrets_path
+        FileUtils.mkdir_p(@settings['secret_dir']) unless @settings['secret_dir'].nil?
+      end
+
+      def resolved_file?
+        File.exist? RESOLVED_NAME
+      end
+
+      def load_required_secrets
+        secretfile = YAML.load_file(SECRETFILE_NAME)
+        @settings = secretfile['settings'] || {}
+        @remote_secrets = secretfile['secrets'] || {}
+        @local_secrets = {}
+      end
+
+      def validate_environment
+        return unless @settings.empty? || @remote_secrets.empty?
+        fail Error, INVALID_SECRETFILE_ERROR
+      end
+
+      def load_resolved_secrets
+        @local_secrets = YAML.load_file RESOLVED_NAME
+      end
+
+      def need_secrets?
+        !@remote_secrets.empty?
+      end
+
+      def validate_local_secrets
+        @local_secrets.each do |key, secret|
+          if File.exist?(secret[:path]) && secret[:hash] == Digest::MD5.file(secret[:path]).hexdigest
+            debug { "#{key} found locally, skipping download..." }
+            @remote_secrets.delete key
+          end
+        end
+      end
+
+      def download_remote_secrets
+        downloaded_secrets = {}
+        remote_secrets.each do |key, secret|
+          downloaded_secrets[key] = download_one_secret(secret,
+                                                        @settings['secret_dir'] || '.')
+
+          debug { "Downloaded secret: #{key} to #{@settings['secret_dir']}..." }
+        end
+
+        downloaded_secrets
+      end
+
+      def download_one_secret(remote_path, local_path)
+        path = File.join(local_path, File.basename(remote_path))
+
+        resp = s3.get_object(bucket: @settings['bucket'],
+                             key: remote_path)
+
+        File.write(path, resp.body.read)
+        { path: path, hash: Digest::MD5.file(path).hexdigest }
+      end
+
+      def update_resolved_file(new_secrets)
+        @local_secrets.merge! new_secrets
+
+        File.open(RESOLVED_NAME, 'w') do |out|
+          YAML.dump(@local_secrets, out)
+        end
+
+        debug { 'Updated resolved file...' }
+      end
+
+      def s3
+        @s3 ||= ::Aws::S3::Client.new(region: @settings['region'])
+      end
+    end
+  end
+end

data/lib/s3crets/actions/get.rb

@@ -0,0 +1,32 @@
+require 's3crets/actions/base'
+require 's3crets/error'
+require 'aws-sdk'
+require 's3crets/defaults'
+
+module S3crets
+  module Actions
+    # Fetch a single secret
+    class Get < Base
+      attr_accessor :path
+
+      def initialize(ui, options, path)
+        super(ui, options)
+        @path = path
+      end
+
+      def run
+        fetch_secret(@path)
+      end
+
+      def fetch_secret(path)
+        filename = File.basename(path)
+
+        s3 = ::Aws::S3::Client.new(region: options['region'])
+        resp = s3.get_object(bucket: options['bucket'],
+                             key: path)
+
+        File.write(filename, resp.body.read)
+      end
+    end
+  end
+end

data/lib/s3crets/actions/init.rb

@@ -0,0 +1,40 @@
+require 's3crets/actions/base'
+require 's3crets/error'
+require 'ostruct'
+require 'erb'
+require 's3crets/defaults'
+
+module S3crets
+  module Actions
+    # Create a new Zanzifile
+    class Init < Base
+      def run
+        check_for_secretfile
+        write_template
+      end
+
+      private
+
+      def check_for_secretfile
+        return unless File.exist?(SECRETFILE_NAME) && !options['force']
+        fail Error, ALREADY_EXISTS_ERROR
+      end
+
+      def write_template
+        template = TemplateRenderer.new(options)
+
+        File.open(SECRETFILE_NAME, 'w') do |f|
+          f.write template.render(File.read(source_root.join(TEMPLATE_NAME)))
+        end
+      end
+
+      # Allows us to easily feed our options hash
+      # to an ERB
+      class TemplateRenderer < OpenStruct
+        def render(template)
+          ERB.new(template).result(binding)
+        end
+      end
+    end
+  end
+end

data/lib/s3crets/cli.rb

@@ -0,0 +1,118 @@
+require 'thor'
+require 'thor/actions'
+require 's3crets/version'
+require 's3crets/ui'
+require 's3crets/actions'
+require 's3crets/error'
+require 's3crets/defaults'
+
+module S3crets
+  # The `s3crets` binay/thor application main class
+  class Cli < Thor
+    include Thor::Actions
+
+    attr_accessor :ui
+
+    def initialize(*)
+      super
+      the_shell = (options['no-color'] ? Thor::Shell::Basic.new : shell)
+      @ui = Shell.new(the_shell)
+      @ui.be_quiet! if options['quiet']
+      @ui.debug! if options['verbose']
+
+      debug_header
+    end
+
+    desc 'version', 'Display your Zanzibar verion'
+    def version
+      say "#{APPLICATION_NAME} Version: #{VERSION}"
+    end
+
+    desc 'init', "Create an empty #{SECRETFILE_NAME} in the current directory."
+    option 'verbose', type: :boolean, default: false, aliases: :v
+    option 'force', type: :boolean, default: false
+    option 'bucket', type: :string, aliases: :b, default: 'my_bucket',
+                     desc: 'The S3 bucket to connect to.'
+    option 'region', type: :string, aliases: :r, default: 'us-west-2',
+                     desc: 'The AWS region to use.'
+    option 'credential_file', type: :string, aliases: :f,
+                              default: '~/.aws/credential',
+                              desc: 'The AWS credential file'
+    def init
+      run_action { init! }
+    end
+
+    desc 'bundle', "Fetch secrets declared in your #{SECRETFILE_NAME}"
+    option 'verbose', type: :boolean, default: false, aliases: :v
+    def bundle
+      run_action { bundle! }
+    end
+
+    desc 'plunder', "Alias to `#{APPLICATION_NAME} bundle`", hide: true
+    option 'verbose', type: :boolean, default: false, aliases: :v
+    alias_method :plunder, :bundle
+
+    desc 'install', "Alias to `#{APPLICATION_NAME} bundle`"
+    alias_method :install, :bundle
+
+    desc 'update', "Redownload all secrets in your #{SECRETFILE_NAME}"
+    option 'verbose', type: :boolean, default: false, aliases: :v
+    def update
+      run_action { update! }
+    end
+
+    desc 'get KEY', 'Fetch a single KEY from S3'
+    option 'bucket', type: :string, aliases: :b,
+                     desc: 'The S3 bucket to connect to.'
+    option 'region', type: :string, aliases: :r,
+                     desc: 'The AWS region to use.'
+    option 'credential_file', type: :string, aliases: :f,
+                              default: '~/.aws/credential',
+                              desc: 'The AWS credential file'
+    def get(key)
+      run_action { get! key }
+    end
+
+    private
+
+    def debug_header
+      @ui.debug { "Running #{APPLICATION_NAME} in debug mode..." }
+      @ui.debug { "Ruby Version: #{RUBY_VERSION}" }
+      @ui.debug { "Ruby Platform: #{RUBY_PLATFORM}" }
+      @ui.debug { "#{APPLICATION_NAME} Version: #{VERSION}" }
+    end
+
+    # Run the specified action and rescue errors we
+    # explicitly send back to format them
+    def run_action(&_block)
+      yield
+    rescue ::S3crets::Error => e
+      @ui.error e
+      abort "Fatal error: #{e.message}"
+    end
+
+    def init!
+      say "Initializing a new #{SECRETFILE_NAME} in the current directory..."
+      Actions::Init.new(@ui, options).run
+      say "Your #{SECRETFILE_NAME} has been created!"
+      say 'You should check the settings and add your secrets.'
+      say "Then run `#{APPLICATION_NAME} bundle` to fetch them."
+    end
+
+    def bundle!
+      say "Checking for secrets declared in your #{SECRETFILE_NAME}..."
+      Actions::Bundle.new(@ui, options).run
+      say 'Finished downloading secrets!'
+    end
+
+    def update!
+      say "Redownloading all secrets declared in your #{SECRETFILE_NAME}..."
+      Actions::Bundle.new(@ui, options, update: true).run
+      say 'Finished downloading secrets!'
+    end
+
+    def get!(path)
+      say Actions::Get.new(@ui, options, path).run
+    end
+  end
+end

data/lib/s3crets/default_tasks.rb

@@ -0,0 +1,18 @@
+require 's3crets/cli'
+
+namespace :secrets do
+  env_glob = ENV['S3CRETS_ENVIRONMENT_GLOB'] || 'secrets/**/Secretfile'
+  environments = (Dir.glob env_glob).map { |f| File.dirname f }.uniq
+
+  environments.each do |env|
+    short_name = File.basename env
+
+    desc "Fetch secrets for #{short_name}"
+    task "#{short_name}" do
+      puts "CHDIR #{env}"
+      Dir.chdir env do
+        (S3crets::Cli.new).install
+      end
+    end
+  end
+end

data/lib/s3crets/defaults.rb

@@ -0,0 +1,16 @@
+require 'pathname'
+
+# Definitions for various strings used throughout the gem
+module S3crets
+  APPLICATION_NAME = Pathname.new($PROGRAM_NAME).basename
+  SECRETFILE_NAME = 'Secretfile'
+  RESOLVED_NAME = 'Secretfile.resolved'
+  TEMPLATE_NAME = 'templates/Secretfile.erb'
+  DEFAULT_REGION = 'us-west-2'
+  DEFAULT_BUCKET = 'bucketname'
+
+  ALREADY_EXISTS_ERROR = "#{SECRETFILE_NAME} already exists! Aborting..."
+  NO_BUCKET_ERROR = 'Could not identify S3 bucket.'
+  NO_SECRETFILE_ERROR = "You don't have a #{SECRETFILE_NAME}! Run `#{APPLICATION_NAME} init` first!"
+  INVALID_SECRETFILE_ERROR = "Unable to load your #{SECRETFILE_NAME}. Please ensure it is valid YAML."
+end

data/lib/s3crets/error.rb

@@ -0,0 +1,6 @@
+module S3crets
+  # A standard error with a different name
+  # for identifying errors internal to S3crets
+  class Error < StandardError
+  end
+end

data/lib/s3crets/ui.rb

@@ -0,0 +1,42 @@
+require 'rubygems/user_interaction'
+
+module S3crets
+  # Prints messages out to stdout
+  class Shell
+    attr_writer :shell
+
+    def initialize(shell)
+      @shell = shell
+      @quiet = false
+      @debug = ENV['DEBUG']
+    end
+
+    def debug(message = nil)
+      @shell.say(message || yield) if @debug && !@quiet
+    end
+
+    def info(message = nil)
+      @shell.say(message || yield) unless @quiet
+    end
+
+    def confirm(message = nil)
+      @shell.say(message || yield, :green) unless @quiet
+    end
+
+    def warn(message = nil)
+      @shell.say(message || yield, :yellow)
+    end
+
+    def error(message = nil)
+      @shell.say(message || yield, :red)
+    end
+
+    def be_quiet!
+      @quiet = true
+    end
+
+    def debug!
+      @debug = true
+    end
+  end
+end

data/lib/s3crets/version.rb

@@ -0,0 +1,3 @@
+module S3crets
+  VERSION = '0.0.2'
+end

data/spec/files/Secretfile

@@ -0,0 +1,8 @@
+---
+settings:
+  bucket: 'testbucket'
+  region: 'us-west-2'
+  secret_dir: 'secrets/'
+secrets:
+  tst1: 'this/is/secret/1.txt'
+  tst2: 'this/is/secret/2'

data/spec/lib/s3crets/actions/bundle_spec.rb

@@ -0,0 +1,55 @@
+require 's3crets/cli'
+require 's3crets/defaults'
+require 'rspec'
+require 'fakefs/spec_helpers'
+require 'aws-sdk'
+
+describe S3crets::Cli do
+  include FakeFS::SpecHelpers
+
+  describe '#bundle' do
+    context 'when Secretfile already exists' do
+      before(:each) do
+        spec_root = File.join(source_root, 'spec')
+        files = File.join(spec_root, 'files')
+        FakeFS::FileSystem.clone files
+
+        path = `gem path aws-sdk`.chomp
+        FakeFS::FileSystem.clone path, path
+        Dir.chdir File.join(source_root, 'spec', 'files')
+      end
+
+      before(:all) do
+        Aws.config[:stub_responses] = true
+      end
+
+      it 'should have a Secretfile' do
+        expect(FakeFS::FileTest.file? S3crets::SECRETFILE_NAME).to be(true)
+        expect(File.read(S3crets::SECRETFILE_NAME)).to include('testbucket')
+      end
+
+      xit 'should download a file' do
+        expect(FakeFS::FileTest.file? File.join('secrets', '1.txt')).to be(false)
+        expect { subject.bundle }.to output(/Finished downloading secrets/).to_stdout
+        expect(FakeFS::FileTest.file? File.join('secrets', '1.txt')).to be(true)
+      end
+
+      xit 'should create a resolved file' do
+        expect(FakeFS::FileTest.file? S3crets::RESOLVED_NAME).to be(false)
+        expect { subject.bundle }.to output(/Finished downloading secrets/).to_stdout
+        expect(FakeFS::FileTest.file? S3crets::RESOLVED_NAME).to be(true)
+      end
+
+      it 'should reject a malformed Secretfile' do
+        File.write('Secretfile', 'broken YAML')
+        expect { subject.bundle }.to raise_error.with_message(/#{S3crets::INVALID_SECRETFILE_ERROR}/)
+      end
+    end
+
+    context 'when Secretfile does not exist' do
+      it 'should return an error' do
+        expect { subject.bundle }.to raise_error.with_message(/#{S3crets::NO_SECRETFILE_ERROR}/)
+      end
+    end
+  end
+end

data/spec/lib/s3crets/actions/init_spec.rb

@@ -0,0 +1,51 @@
+require 's3crets/cli'
+require 's3crets/defaults'
+require 'rspec'
+require 'fakefs/spec_helpers'
+
+describe S3crets::Cli do
+  include FakeFS::SpecHelpers
+
+  describe '#init' do
+    before(:each) do
+      templates_root = File.join(source_root, 'templates')
+      FakeFS::FileSystem.clone templates_root
+    end
+
+    context 'when a file does not yet exist' do
+      it 'should create a template file' do
+        expect { subject.init }.to output(/has been created/).to_stdout
+        expect(FakeFS::FileTest.file? S3crets::SECRETFILE_NAME).to be(true)
+        expect(File.read S3crets::SECRETFILE_NAME).to match(/Fill in secrets/)
+      end
+
+      it 'should accept settings as options' do
+        subject.options = { 'region' => 'us-east-1',
+                            'bucket' => 'an_example_bucket',
+                            'secretdir' => '.' }
+
+        expect { subject.init }.to output(/has been created/).to_stdout
+        contents = File.read S3crets::SECRETFILE_NAME
+        expect(contents).to include('region: us-east-1')
+        expect(contents).to include('bucket: an_example_bucket')
+        expect(contents).to include('secret_dir: .')
+      end
+    end
+
+    context 'when a file already exists' do
+      before(:each) { File.write(S3crets::SECRETFILE_NAME, 'test value') }
+
+      it 'should not overwrite an existing file' do
+        expect { subject.init }.to raise_error.with_message(/#{S3crets::ALREADY_EXISTS_ERROR}/)
+        expect(File.read S3crets::SECRETFILE_NAME).to eq('test value')
+      end
+
+      it 'should obey the force flag' do
+        subject.options = { 'force' => true }
+
+        expect { subject.init }.to output(/has been created/).to_stdout
+        expect(File.read S3crets::SECRETFILE_NAME).to match('Fill in secrets')
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,14 @@
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+end
+
+def source_root
+  File.expand_path('../../', __FILE__)
+end

data/templates/Secretfile.erb

@@ -0,0 +1,9 @@
+---
+settings:
+  bucket: <%= bucket %>
+  region: <%= region %>
+  credentials: <%= credential_file %>
+  secret_dir: .
+secrets:
+#  TODO: Fill in secrets like so:
+#  my_secret: 'path/to/your/secret/file.ext'

metadata

@@ -0,0 +1,188 @@
+--- !ruby/object:Gem::Specification
+name: aws-s3crets
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Norm MacLennan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-03-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.29'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.29'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: fakefs
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: gem-path
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Fetch secret files from AWS S3 buckets.
+email:
+- norm.maclennan@gmail.com
+executables:
+- s3crets
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .rubocop.yml
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- aws-s3crets.gemspec
+- bin/s3crets
+- lib/s3crets.rb
+- lib/s3crets/actions.rb
+- lib/s3crets/actions/base.rb
+- lib/s3crets/actions/bundle.rb
+- lib/s3crets/actions/get.rb
+- lib/s3crets/actions/init.rb
+- lib/s3crets/cli.rb
+- lib/s3crets/default_tasks.rb
+- lib/s3crets/defaults.rb
+- lib/s3crets/error.rb
+- lib/s3crets/ui.rb
+- lib/s3crets/version.rb
+- spec/files/Secretfile
+- spec/lib/s3crets/actions/bundle_spec.rb
+- spec/lib/s3crets/actions/init_spec.rb
+- spec/spec_helper.rb
+- templates/Secretfile.erb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Fetch secret files from AWS S3 buckets.
+test_files:
+- spec/files/Secretfile
+- spec/lib/s3crets/actions/bundle_spec.rb
+- spec/lib/s3crets/actions/init_spec.rb
+- spec/spec_helper.rb