bcdatabase 1.0.0

data/.gitignore

@@ -0,0 +1,3 @@
+*.gemspec
+pkg
+coverage

data/CHANGELOG.markdown

@@ -0,0 +1,29 @@
+1.0.0
+=====
+- Split out from NUBIC internal `bcdatabase` project.
+  (Changelog entries below reflect the relevant changes & version numbers from that project.)
+
+0.4.1
+=====
+- Fix `bcdatabase encrypt` so that it doesn't re-encrypt already encrypted 
+  epassword entries.
+
+0.4.0
+=====
+- Use the YAML entry name as the "database" value if no other value is
+  provided.  This is to DRY up PostgreSQL configurations where the username
+  (already defaulted) and the database name are the same.
+
+0.2.0
+=====
+- Change default encrypted secret password location
+
+0.1.0
+=====
+- Support encrypted passwords
+- Command-line utility (also called bcdatabase) for creating encrypted passwords
+- Gem distribution
+
+0.0.0
+=====
+Original release.

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Rhett Sutphin
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.markdown

@@ -0,0 +1,142 @@
+bcdatabase
+==========
+
+*bcdatabase* is a library and utility which provides database configuration parameter management for Ruby on Rails applications.  It provides a simple mechanism for separating database configuration attributes from application source code so that there's no temptation to check passwords into the version control system.  And it centralizes the parameters for a single server so that they can be easily shared among multiple applications and easily updated by a single administrator.
+
+## Installing bcdatabase
+
+Ensure that [gemcutter](http://gemcutter.org) is in your gem sources list, then:
+
+    $ gem install bcdatabase
+
+## Using bcdatabase to configure the database for a Rails application
+
+A bog-standard rails application's `config/database.yml` file looks like this:
+
+    development:
+      adapter: oracle-enhanced
+      database: //localhost/XE
+      username: cfg_animal
+      password: not-important
+
+    test:
+      adapter: oracle-enhanced
+      database: //localhost/XE
+      username: cfg_animal_test
+      password: who-cares
+
+    production:
+      adapter: oracle-enhanced
+      database: //super/prod
+      username: cfg_animal
+      password: very-secret
+
+Rails allows this file to contain [ERB][].  `bcdatabase` uses ERB to replace an entire configuration block.  If you wanted to replace, say, just the production block in this example, you would transform it like so:
+
+    <%
+      require 'bcdatabase'
+      bcdb = Bcdatabase.load
+    %>
+
+    development:
+      adapter: oracle-enhanced
+      database: //localhost/XE
+      username: cfg_animal
+      password: not-important
+
+    test:
+      adapter: oracle-enhanced
+      database: //localhost/XE
+      username: cfg_animal_test
+      password: who-cares
+
+    <%= bcdb.production :prod, :cfg_animal %>
+
+This means "create a YAML block for the *production* environment from the configuration entry named *cfg_animal* in /etc/nubic/db/*prod*.yml."  The method called can be anything:
+
+    <%= bcdb.development :local, :cfg_animal %>
+    <%= bcdb.staging 'stage', 'cfg_animal' %>
+    <%= bcdb.automated :dev, :cfg_animal_hudson %>
+
+[ERB]: http://www.ruby-doc.org/stdlib/libdoc/erb/rdoc/
+
+## Directly accessing configuration parameters from bcdatabase
+
+More rarely, you might need to access the actual configuration hash, instead of the YAMLized version.  You can access it by invoking `Bcdatabase.load` as shown earlier, then using the bracket operator to specify the configuration you want:
+
+    bcdb[:local, :cfg_animal]
+
+The resulting hash is suitable for passing to `ActiveRecord::Base.establish_connection`, for instance.
+
+## Central configuration files
+
+The database configuration properties for all the applications on a server are stored in one or more files under `/etc/nubic/db` (by default; see "File locations" below).  Each one is a standard YAML file, similar to rails' `database.yml` but with a few enhancements:
+
+* Each file can have a defaults entry which provides attributes which are shared across all configurations in the file
+* Each entry defaults its "username" attribute to the name of the entry (useful for Oracle)
+* Each entry defaults its "database" attribute to the name of the entry (useful for PostgreSQL)
+
+Since each file can define a set of default properties which are shared by all the contained configurations, it makes sense to group databases which have some shared configuration elements.
+
+### Example
+
+If you have an `/etc/nubic/db/stage.yml` file that looks like this:
+
+    defaults:
+      adapter: oracle-enhanced
+      database: //mondo/stage
+    cfg_animal:
+      password: secret
+    personnel:
+      username: pers
+      password: more-secret
+
+You have defined two configuration entries.  `:stage, :cfg_animal`:
+
+    adapter:  oracle-enhanced
+    username: cfg_animal
+    password: secret
+    database: //mondo/stage
+
+and `:bcstage, :personnel`:
+
+    adapter:  oracle-enhanced
+    username: pers
+    password: more-secret
+    database: //mondo/stage
+
+## Obscuring passwords
+
+bcdatabase supports storing encrypted passwords instead of the plaintext ones shown in the previous example.  Encrypted passwords are defined with the key `epassword` instead of `password`.  The library will decrypt the `epassword` value and expose it to the calling code (usually rails) unencrypted under the `password` key.  The `bcdatabase` command line utility handles encrypting passwords; see the next section.
+
+While the passwords are technically encrypted, the master key must be stored on the same machine so that they can be decrypted on demand.  That means this feature only obscures passwords &mdash; it will not deter a determined attacker.
+
+## `bcdatabase` command line utility
+
+The gem includes a command line utility (also called `bcdatabase`) which assists with creating `epassword` entries.  It has online help; after installing the gem, try `bcdatabase help` to read it:
+
+    $ bcdatabase help
+    usage: bcdatabase <command> [args]
+    Command-line utility for bcdatabase 1.0.0
+      encrypt  Encrypts all the password entries in a bcdatabase YAML file
+        epass  Generate epasswords from individual database passwords
+      gen-key  Generate a key for bcdatabase to use
+         help  List commands or display help for one
+
+## File locations
+
+`/etc/nubic/db` is the default place the library will look for the central configuration files.  It may be overridden with the environment variable `BCDATABASE_PATH`.  For instance, if you wanted to keep these files in your home directory on your development machine &mdash; perhaps so that editing them doesn't require elevated privileges &mdash; you could add this to `~/.bashrc`:
+
+    export BCDATABASE_PATH=${HOME}/nubic/db
+
+Similarly, the file containing the encryption password has a sensible default location, but that location can be overridden by setting `BCDATABASE_PASS`.
+
+## Credits
+
+`bcdatabase` was developed at and for the [Northwestern University Biomedical Informatics Center][NUBIC].
+
+[NUBIC]: http://www.nucats.northwestern.edu/centers/nubic/index.html
+
+### Copyright
+
+Copyright (c) 2009 Rhett Sutphin. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,53 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "bcdatabase"
+    gem.summary = %Q{Server-central database configuration for rails and other ruby apps}
+    gem.description = %Q{bcdatabase is a tool for storing passwords and other database configuration information outside of your application source tree.}
+    gem.email = "rhett@detailedbalance.net"
+    gem.homepage = "http://github.com/rsutphin/bcdatabase"
+    gem.authors = ["Rhett Sutphin"]
+    gem.add_development_dependency 'rspec', ">= 1.2"
+    gem.add_dependency 'highline', '>= 1.4'
+    gem.add_dependency 'activesupport', '>= 2.0'
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+  # rcov can't tell that /Library/Ruby is a system path
+  spec.rcov_opts = ['--exclude', "spec/*,/Library/Ruby/*"]
+end
+
+task :spec => :check_dependencies
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "schema_qualified_tables #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+# Disable github release since I don't want to commit the gemspec
+Rake::Task[:release].prerequisites.delete 'github:release'
+
+task :build => [:gemspec]

data/VERSION.yml

@@ -0,0 +1,5 @@
+---
+:major: 1
+:minor: 0
+:build:
+:patch: 0

data/bin/bcdatabase

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby -W
+
+require 'rubygems'
+require 'bcdatabase/commands'
+
+module Bcdatabase::Commands
+  UTILITY_NAME = File.basename(__FILE__)
+end
+
+###### MAIN
+
+command = ARGV.shift
+unless command
+  $stderr.puts "Please specify a command."
+  $stderr.puts Bcdatabase::Commands.help
+  exit(1)
+end
+
+klass = Bcdatabase::Commands[command]
+unless klass
+  $stderr.puts "Unknown command #{command}."
+  $stderr.puts Bcdatabase::Commands.help
+  exit(2)
+end
+klass.new(ARGV).main

data/lib/bcdatabase/commands.rb

@@ -0,0 +1,238 @@
+require 'rubygems'
+require 'fileutils'
+require 'highline'
+require 'active_support'
+require 'bcdatabase'
+
+HL = HighLine.new
+
+module Bcdatabase::Commands
+  class Base
+    protected
+
+    def self.usage(use)
+      "usage: #{UTILITY_NAME} #{use}"
+    end
+
+    def self.help_message(use)
+      msg = [ "#{command_name}: #{summary}", usage(use), "" ]
+      yield msg if block_given?
+      msg.join("\n")
+    end
+  end
+
+  class Epass < Base
+    def initialize(argv)
+      @streaming = argv[-1] == '-'
+    end
+
+    def self.summary
+      "Generate epasswords from individual database passwords"
+    end
+
+    def self.help
+      help_message("epass [-]") do |msg|
+        msg << "With no arguments, interactively prompts for passwords and"
+        msg << "  prints the corresponding epassword entry."
+        msg << ""
+        msg << "If the last argument is -, reads a newline-separated list"
+        msg << "  of passwords from standard in and prints the corresponding "
+        msg << "  epasswords to standard out."
+      end
+    end
+
+    def main
+      @streaming ? streamed : interactive
+    end
+
+    private
+
+    def streamed
+      $stdin.readlines.each do |line|
+        puts Bcdatabase.encrypt(line.chomp)
+      end
+    end
+
+    def interactive
+      begin
+        loop do
+          pass = HL.ask("Password (^C to end): ") do |q|
+            q.echo = false
+          end
+          puts "  epassword: #{Bcdatabase.encrypt(pass)}"
+        end
+      rescue Interrupt
+        puts "\nQuit"
+        exit(0)
+      end
+    end
+  end
+
+  class Encrypt < Base
+    def initialize(argv)
+      @input = argv.shift
+      @output = argv.shift
+    end
+
+    def self.summary
+      "Encrypts all the password entries in a bcdatabase YAML file"
+    end
+
+    def self.help
+      help_message("encrypt [inputfile [outputfile]]") do |msg|
+        msg << "Specifically, this command finds all the keys named 'password'"
+        msg << "  in the input YAML and substitutes appropriate 'epassword'"
+        msg << "  keys."
+        msg << ""
+        msg << "If inputfile is specified, the source will be that file."
+        msg << "  If not, the source will be standard in."
+        msg << ""
+        msg << "If inputfile and outputfile are specified, the new file"
+        msg << "  will be written to the output file.  Otherwise the output"
+        msg << "  will go to standard out.  Input and output may be the same"
+        msg << "  file."
+        msg << ""
+        msg << "You can't read from standard in and write to a file directly; "
+        msg << "  use shell file redirection if you need to do that."
+      end
+    end
+
+    def main
+      inio =
+        if @input
+          open(@input, "r")
+        else
+          $stdin
+        end
+      # try to preserve the order by replacing everything using regexes
+      contents = inio.read
+      contents.gsub!(/\bpassword:(\s*)(\S+)\s*?$/) { "epassword:#{$1}#{Bcdatabase.encrypt($2)}" }
+      outio =
+        if @output
+          open(@output, "w")
+        else
+          $stdout
+        end
+      outio.write(contents)
+      outio.close
+    end
+  end
+
+  class Help < Base
+    def initialize(argv)
+      @cmd = argv.shift
+    end
+
+    def self.summary
+      "List commands or display help for one; e.g. #{UTILITY_NAME} help epass"
+    end
+
+    def self.help
+      help_message "help [command name]"
+    end
+
+    def main
+      if @cmd
+        klass = Bcdatabase::Commands[@cmd]
+        if klass
+          msg = klass.respond_to?(:help) ? klass.help : klass.summary
+          $stderr.puts msg
+          exit(0)
+        else
+          $stderr.puts "Unknown command #{@cmd}"
+          exit(1)
+        end
+      else
+        $stderr.puts Bcdatabase::Commands.help
+        exit(0)
+      end
+    end
+  end
+
+  class GenKey < Base
+    def initialize(argv)
+      @stream = argv[-1] == '-'
+    end
+
+    def self.summary
+      "Generate a key for bcdatabase to use"
+    end
+
+    def self.help
+      help_message("gen-key [-]") do |msg|
+        msg << "By default, the key will be generated in "
+        msg << "  #{Bcdatabase.pass_file}.  If the last argument to this"
+        msg << "  command is -, the key will be generated to standard out"
+        msg << "  instead."
+        msg << ""
+        msg << "CAUTION: writing to #{Bcdatabase.pass_file} may overwrite"
+        msg << "  an existing bcdatabase key.  If that happens, you will"
+        msg << "  need to reencrypt all the epasswords on this machine."
+      end
+    end
+
+    def main
+      key = random_key(128)
+      outio =
+        if @stream
+          $stdout
+        else
+          file = Bcdatabase.pass_file
+          if File.exist?(file)
+            sure = HL.ask("This operation will overwrite the existing pass file.\n  Are you sure you want to do that? ", %w{yes no}) do |q|
+              q.case = :down
+            end
+            unless sure == 'yes'
+              exit(0)
+            end
+          end
+          open(file, "w")
+        end
+      outio.write key
+      outio.close
+    end
+
+    private
+
+    def random_key(length)
+      k = ""
+      # This is probably not going to work in ruby 1.9
+      until k.size == length; k << rand(126 - 32) + 32; end
+      k
+    end
+  end
+
+  class << self
+    def help
+      all_help = commands.collect { |c| [c.command_name, c.summary] }.sort_by { |p| p[0] }
+      max_name_length = all_help.collect { |a| a[0].size }.max
+      msg = Base.usage "<command> [args]\n"
+      msg << "Utility for bcdatabase #{Bcdatabase::VERSION}\n"
+      msg << "Commands:\n"
+      msg << all_help.collect { |name, help| " %#{max_name_length + 1}s  %s" % [name, help] }.join("\n")
+    end
+
+    # Lists all the commands
+    def commands
+      constants.reject { |cs| cs == "Base" }.collect { |cs| const_get(cs) }.select { |c| c.kind_of? Class }
+    end
+
+    # Locates the command class for a user-entered command name.
+    # Returns nil if the name is invalid.
+    def command(command_name)
+      begin
+        klassname = command_name.gsub('-', '_').camelize
+        Bcdatabase::Commands.const_get "#{klassname}"
+      rescue NameError
+        nil
+      end
+    end
+    alias :[] :command
+  end
+end
+
+class Class
+  def command_name
+    name.gsub(Bcdatabase::Commands.name + "::", '').underscore.gsub("_", '-')
+  end
+end

data/lib/bcdatabase.rb

@@ -0,0 +1,116 @@
+require 'yaml'
+require 'openssl'
+require 'digest/sha2'
+require 'base64'
+
+module Bcdatabase
+  VERSION = begin
+    config = YAML.load(File.read(File.expand_path('../VERSION.yml', File.dirname(__FILE__))))
+    [config[:major], config[:minor], config[:patch]].join('.')
+  end
+  DEFAULT_BASE_PATH = File.join('/', 'etc', 'nubic', 'db')
+  DEFAULT_PASS_FILE = File.join('/', 'var', 'lib', 'nubic', 'db.pass')
+  CIPHER = 'aes-256-ecb'
+
+  class << self
+    def load(path=nil)
+      path ||= base_path
+      files = Dir.glob(File.join(path, "*.yml")) + Dir.glob(File.join(path, "*.yaml"))
+      DatabaseConfigurations.new(files)
+    end
+
+    def encrypt(s)
+      Base64.encode64(encipher(:encrypt, s)).strip
+    end
+
+    def decrypt(s)
+      encipher(:decrypt, Base64.decode64(s))
+    end
+
+    def pass_file
+      ENV["BCDATABASE_PASS"] || DEFAULT_PASS_FILE
+    end
+
+    private
+
+    # based on http://snippets.dzone.com/posts/show/576
+    def encipher(direction, s)
+      # the order of operations here is very important
+      c = OpenSSL::Cipher::Cipher.new(CIPHER)
+      c.send direction
+      c.key = pass
+      t = c.update(s)
+      t << c.final
+    end
+
+    def pass
+      return @pass if instance_variable_defined? :@pass
+
+      contents = open(pass_file).read.chomp
+      # This code may not work correctly on Ruby 1.9
+      if contents.size == 32
+        @pass = contents
+      else
+        @pass = Digest::SHA256.digest(contents)
+      end
+    end
+
+    def base_path
+      ENV["BCDATABASE_PATH"] || DEFAULT_BASE_PATH
+    end
+  end
+
+  class DatabaseConfigurations
+    def initialize(files)
+      @files = files
+      @map = { }
+      files.each do |filename|
+        name = File.basename(filename).gsub(/\.ya?ml/, '')
+        @map[name] = YAML.load(File.open(filename))
+      end
+    end
+
+    def [](groupname, dbname)
+      create_entry(groupname.to_s, dbname.to_s)
+    end
+
+    def method_missing(name, *args)
+      groupname = (args[0] or raise "Database configuration group not specified for #{name}")
+      dbname = (args[1] or raise "Database entry name not specified for #{name}")
+      n = name.to_s
+      begin
+        unseparated_yaml({ n, self[groupname, dbname] })
+      rescue Bcdatabase::Error => e
+        if defined?(RAILS_ENV) and RAILS_ENV == n
+          raise e
+        else
+          # Not using that configuration right now, so return a dummy instead
+          # of throwing an exception
+          unseparated_yaml({ n, { 'error' => e.message } })
+        end
+      end
+    end
+
+    private
+
+    def create_entry(groupname, dbname)
+      group = @map[groupname] or raise Error.new("No databasease configuration group named #{groupname.inspect} found.  (Found #{@map.keys.inspect}.)")
+      db = group[dbname] or raise Error.new("No database entry for #{dbname.inspect} in #{groupname}")
+      merged = { 'username' => dbname, 'database' => dbname } \
+        .merge(group['defaults'] || {}) \
+        .merge(group['default'] || {}) \
+        .merge(db)
+      # include the decrypted password if an encrypted one was provided
+      if merged['epassword']
+        merged['password'] = Bcdatabase.decrypt(merged['epassword'])
+      end
+      merged
+    end
+
+    def unseparated_yaml(arg)
+      arg.to_yaml.gsub(/^---.*\n/, '')
+    end
+  end
+
+  class Error < Exception; end
+end unless defined?(Bcdatabase)

data/spec/bcdatabase/commands_spec.rb

@@ -0,0 +1,55 @@
+require File.expand_path("../spec_helper", File.dirname(__FILE__))
+
+require "bcdatabase/commands"
+
+describe "CLI: bcdatabase" do
+  before(:each) do
+    ENV["BCDATABASE_PATH"] = "/tmp/bcdb_specs"
+    FileUtils.mkdir_p ENV["BCDATABASE_PATH"]
+  end
+
+  after(:each) do
+    FileUtils.rm_rf ENV["BCDATABASE_PATH"]
+    ENV["BCDATABASE_PATH"] = nil
+  end
+
+  describe "encrypt" do
+    before do
+      enable_fake_cipherment
+    end
+
+    after do
+      disable_fake_cipherment
+    end
+
+    def bcdatabase_encrypt(infile)
+      StringIO.open("", "w") do |io|
+        $stdout = io
+        Bcdatabase::Commands::Encrypt.new([File.join(ENV["BCDATABASE_PATH"], infile)]).main
+        $stdout = STDOUT
+        YAML::load(io.string)
+      end
+    end
+
+    it "replaces password: clauses with epasswords" do
+      temporary_yaml "plain", {
+        "single" =>  {
+          "password" => 'zanzibar'
+        }
+      }
+
+      bcdatabase_encrypt('plain.yaml')['single']['epassword'].should == 'rabiznaz'
+      bcdatabase_encrypt('plain.yaml')['single']['password'].should be_nil
+    end
+
+    it "leaves existing epasswords alone" do
+      temporary_yaml "plain", {
+        "single" =>  {
+          "epassword" => 'etalocohc'
+        }
+      }
+
+      bcdatabase_encrypt('plain.yaml')['single']['epassword'].should == 'etalocohc'
+    end
+  end
+end

data/spec/bcdatabase_spec.rb

@@ -0,0 +1,200 @@
+require File.expand_path("spec_helper", File.dirname(__FILE__))
+
+describe Bcdatabase, "cipherment" do
+  before(:all) do
+    keyfile = "/tmp/bcdb-spec-key"
+    open(keyfile, 'w') { |f| f.write "01234567890123456789012345678901" }
+    ENV["BCDATABASE_PASS"] = keyfile
+  end
+
+  after(:all) do
+    FileUtils.rm ENV["BCDATABASE_PASS"]
+    ENV["BCDATABASE_PASS"] = nil
+  end
+
+  it "should be reversible" do
+    e = Bcdatabase.encrypt("riboflavin")
+    Bcdatabase.decrypt(e).should == "riboflavin"
+  end
+
+  it "should permute the input" do
+    Bcdatabase.encrypt("zanzibar").should_not == "zanzibar"
+  end
+
+  it "should do more than just encode" do
+    Bcdatabase.encrypt("zanzibar").should_not == Base64.encode64("zanzibar")
+  end
+end
+
+describe Bcdatabase, "module " do
+  it "should have a d.d.d version" do
+    Bcdatabase::VERSION.should =~ /^\d+\.\d+\.\d+$/
+  end
+end
+
+describe Bcdatabase, "loading" do
+  before(:each) do
+    ENV["BCDATABASE_PATH"] = "/tmp/bcdb_specs"
+    FileUtils.mkdir_p ENV["BCDATABASE_PATH"]
+  end
+
+  after(:each) do
+    FileUtils.rm_rf ENV["BCDATABASE_PATH"]
+    ENV["BCDATABASE_PATH"] = nil
+  end
+
+  it "should read simple YAML" do
+    temporary_yaml "simple", {
+      "single" =>  {
+        "adapter" => "foo", "username" => "baz"
+      }
+    }
+    bcdb = Bcdatabase.load
+    bcdb[:simple, :single]['adapter'].should == "foo"
+    bcdb[:simple, :single]['username'].should == "baz"
+  end
+
+  it "should read and expose multiple groups from multiple files" do
+    temporary_yaml "one", {
+      "first" => { "dc" => "etc" }
+    }
+    temporary_yaml "two", {
+      "fourth" => { "dc" => "etc" }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['one', 'first'].should_not be_nil
+    bcdb['two', 'fourth'].should_not be_nil
+  end
+
+  it "should merge defaults from 'defaults'" do
+    temporary_yaml "defaulted", {
+      "defaults" => {
+        "database" => "postgresql"
+      },
+      "real" => {
+        "password" => "frood"
+      }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['defaulted', 'real']['password'].should == 'frood'
+    bcdb['defaulted', 'real']['database'].should == 'postgresql'
+  end
+
+  it "should merge defaults from 'default'" do
+    temporary_yaml "singular", {
+      "default" => {
+        "adapter" => "three-eighths"
+      },
+      "real" => {
+        "password" => "frood"
+      }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['singular', 'real']['adapter'].should == 'three-eighths'
+  end
+
+  it "should preserve values overridden from defaults" do
+    temporary_yaml "jam", {
+      "default" => {
+        "adapter" => "three-eighths"
+      },
+      "standard" => {
+        "password" => "frood"
+      },
+      "custom" => {
+        "adapter" => "five-sixteenths",
+        "password" => "lazlo"
+      }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['jam', 'standard']['adapter'].should == 'three-eighths'
+    bcdb['jam', 'custom']['adapter'].should == 'five-sixteenths'
+  end
+
+  it "should default the username to the entry name" do
+    temporary_yaml "scran", {
+      "jim" => { "password" => "leather" }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['scran', 'jim']['username'].should == 'jim'
+    bcdb['scran', 'jim']['password'].should == 'leather'
+  end
+
+  it "should default the database name to the entry name" do
+    temporary_yaml "scran", {
+      "jim" => { "password" => "leather" }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['scran', 'jim']['database'].should == 'jim'
+    bcdb['scran', 'jim']['password'].should == 'leather'
+  end
+
+  it "should not default the database name if there's an explicit database name" do
+    temporary_yaml "scran", {
+      "jim" => {
+        "password" => "leather",
+        "database" => "james"
+      }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['scran', 'jim']['database'].should == 'james'
+    bcdb['scran', 'jim']['password'].should == 'leather'
+  end
+
+  it "should not default the database name to the entry name if there's a default database name" do
+    temporary_yaml "scran", {
+      "default" => {
+        "database" => "//localhost:345/etc"
+      },
+      "jim" => {
+        "password" => "leather",
+      }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['scran', 'jim']['database'].should == '//localhost:345/etc'
+    bcdb['scran', 'jim']['password'].should == 'leather'
+  end
+
+  it "should use an explicit username instead of the entry name if provided" do
+    temporary_yaml "scran", {
+      "jim" => {
+        "username" => "james",
+        "password" => "earldom"
+      }
+    }
+    bcdb = Bcdatabase.load
+    bcdb['scran', 'jim']['username'].should == 'james'
+    bcdb['scran', 'jim']['password'].should == 'earldom'
+  end
+
+  describe "with encrypted passwords" do
+    before do
+      enable_fake_cipherment
+    end
+
+    after do
+      disable_fake_cipherment
+    end
+
+    it "should decrypt and expose the password" do
+      temporary_yaml "secure", {
+        "safe" => {
+          "epassword" => "moof"
+        }
+      }
+      bcdb = Bcdatabase.load
+      bcdb['secure', 'safe']['password'].should == "foom"
+    end
+
+    it "should prefer the decrypted version of an epassword" do
+      temporary_yaml "secure", {
+        "safe" => {
+          "password" => "fake",
+          "epassword" => "moof"
+        }
+      }
+      bcdb = Bcdatabase.load
+      bcdb['secure', 'safe']['password'].should == "foom" # not "fake"
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,32 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'bcdatabase'
+require 'rubygems'
+require 'fileutils'
+
+def temporary_yaml(name, hash)
+  filename = "/#{ENV['BCDATABASE_PATH']}/#{name}.yaml"
+  open(filename, "w") { |f| YAML.dump(hash, f) }
+  filename
+end
+
+def enable_fake_cipherment
+  # replace real encryption methods with something predictable
+  Bcdatabase.module_eval do
+    class << self
+      alias :encrypt_original :encrypt
+      alias :decrypt_original :decrypt
+      def encrypt(s); s.reverse; end
+      def decrypt(s); s.reverse; end
+    end
+  end
+end
+
+def disable_fake_cipherment
+  Bcdatabase.module_eval do
+    class << self
+      alias :encrypt :encrypt_original
+      alias :decrypt :decrypt_original
+    end
+  end
+end

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification 
+name: bcdatabase
+version: !ruby/object:Gem::Version 
+  version: 1.0.0
+platform: ruby
+authors: 
+- Rhett Sutphin
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-12-08 00:00:00 -06:00
+default_executable: bcdatabase
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "1.2"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: highline
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "1.4"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "2.0"
+    version: 
+description: bcdatabase is a tool for storing passwords and other database configuration information outside of your application source tree.
+email: rhett@detailedbalance.net
+executables: 
+- bcdatabase
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.markdown
+files: 
+- .gitignore
+- CHANGELOG.markdown
+- LICENSE
+- README.markdown
+- Rakefile
+- VERSION.yml
+- bin/bcdatabase
+- lib/bcdatabase.rb
+- lib/bcdatabase/commands.rb
+- spec/bcdatabase/commands_spec.rb
+- spec/bcdatabase_spec.rb
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/rsutphin/bcdatabase
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Server-central database configuration for rails and other ruby apps
+test_files: 
+- spec/bcdatabase/commands_spec.rb
+- spec/bcdatabase_spec.rb
+- spec/spec_helper.rb