biscuit 0.0.4 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 253f89fecd633548a513fd8a14c3a14855064345
-  data.tar.gz: af77d6cb79d80de2799057967a417286b496cc75
+SHA256:
+  metadata.gz: c9d55cb873d9a420bce70989d2463e389a14ae834e168bf8f105b1a5bf182f42
+  data.tar.gz: 61188e6d68cc7c24d50a20a567e4266408ec3cd097c07e3cd450e49e0503f756
 SHA512:
-  metadata.gz: 37c8c96c880392b7e87d5e267f5a69a3d9fc5019c938f44009f2640b4f2f817b3b3d3f5b1c675b9a770bf8d20dd9c8fd8fecc9ce89f8329a8206e7f3a0cb6a3c
-  data.tar.gz: 9c7a0cce8635141c4ae1fb0593b35c27cf7f3f76d1ae5ee34aab096f645aea191cfa3ebb5af631cc94ccc906a9d3764cb7e0bc056bc2e93e1192c8b4970ae8ad
+  metadata.gz: 44c2897ae14a681bf090b21ada81c70ba77acb436e586eca6456da4d9400fa21afdf4a844d27dee2b30f018071904f542fe57eb799727cd06c402d1332e93cec
+  data.tar.gz: 603f4e54503779d12433ddcb2edd1af17a94a1d9aa17f0b24e63538b3f0668448dbf82fa93bdd760edecd5566c13fd4ab1902a3d34c6882a3aa6cb1ad5d1a930

data/.github/workflows/publish_gem.yml

@@ -0,0 +1,21 @@
+name: Publish Gem
+
+on:
+  push:
+    branches:
+      - "master"
+      - "github-workflow-publish-gem"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v1
+
+      - name: Release Gem
+        uses: cadwallion/publish-rubygems-action@master
+        env:
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}
+          RELEASE_COMMAND: rake release

data/.gitignore

@@ -3,7 +3,9 @@
 /Gemfile.lock
 /_yardoc/
 /coverage/
-/doc/
 /pkg/
 /spec/reports/
 /tmp/
+
+# This is downloaded when the gem is installed:
+bin/_biscuit

data/.rspec

@@ -0,0 +1 @@
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,13 @@
+language: ruby
+rvm:
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6
+
+before_script:
+  # Installs the _biscuit executable:
+  - rake
+
+script:
+  - bundle exec rspec spec/ --format=doc

data/CHANGELOG.markdown

@@ -0,0 +1,16 @@
+# 0.1.4
+- [FIX] `open()` is deprecated for URIs. Uses `URI.open()`
+- Bumps bundler version
+- Bumps rake gem version
+
+# 0.1.3
+- No changes - apparently there was already a yanked 0.1.2 out there somewhere
+
+# 0.1.2
+
+- [FIX] Revert to using `YAML.load` to load the secrets
+- [FIX] Don't split values containing `:` into broken pieces
+- Relax `rake` dependency
+- [DOC] Fill out README
+- Set up CI
+- Gitignore the actual `biscuit` binary

data/Gemfile

@@ -2,3 +2,6 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in biscuit.gemspec
 gemspec
+
+gem "rspec"
+gem "coveralls", require: false

data/LICENSE

@@ -0,0 +1,17 @@
+The MIT License (MIT)
+Copyright (c) 2019 User Testing, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software
+and associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
+OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,28 +1,108 @@
 # Biscuit
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/biscuit`. To experiment with that code, run `bin/console` for an interactive prompt.
+[![Travis](https://img.shields.io/travis/usertesting/biscuit?style=for-the-badge)](https://travis-ci.org/usertesting/biscuit) [![Coveralls github](https://img.shields.io/coveralls/github/usertesting/biscuit?style=for-the-badge)](https://coveralls.io/github/usertesting/biscuit) [![Code Climate maintainability](https://img.shields.io/codeclimate/maintainability/usertesting/biscuit?style=for-the-badge)](https://codeclimate.com/github/usertesting/biscuit)
 
-TODO: Delete this and the text above, and describe your gem
+
+This gem is a Ruby wrapper around `@dcoker`'s [biscuit library](https://github.com/dcoker/biscuit), a multi-region HA key-value store for your AWS infrastructure secrets.
+
+By using this Ruby library, it is easy to integrate into a Ruby/Rails stack.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+- Add this line to your application's Gemfile:
+
+    ```ruby
+    gem 'biscuit'
+    ```
+
+- And then run `bundle`.
+
+- `touch` a yaml file (or multiple for different environments).
+
+## Usage
+
+### Loading K/V pairs into a hash
+
+```ruby
+secrets_file = "some_yaml_file.yaml"
+SECRETS = Biscuit::SecretsDecrypter.new(secrets_file).load
+
+puts SECRETS["some_password"]
+# => "decrypted password"
+```
+
+### Loading into ENV Vars
+
+If you store config in ENV vars as suggested by the [12 Factor App](https://12factor.net/config), you can load your AWS encrypted secrets into ENV vars like this:
 
 ```ruby
-gem 'biscuit'
+secrets_file = "some_yaml_file.yaml"
+Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
+  ENV[key] = value
+end
 ```
 
-And then execute:
+This approach pairs with [dotenv](https://github.com/bkeepers/dotenv) really well - dotenv for test/development, and biscuit for staging/production environments.
+
+#### With Rails
 
-    $ bundle
+Load your secrets in `application.rb`, between loading Rails/bundler, before the Application config starts:
 
-Or install it yourself as:
+```ruby
+require "rails/all"
 
-    $ gem install biscuit
+...
 
-## Usage
+Bundler.require(*Rails.groups)
+
+...
+
+# Add in your biscuit loading here:
+secrets_file = "#{__dir__}/secrets/#{Rails.env}.yml"
+if File.exist?(secrets_file) # You can also check things like if Rails.env.production?
+  Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
+    ENV[key] = value
+  end
+end
+
+...
 
-TODO: Write usage instructions here
+module MyApp
+  class Application < Rails::Application
+    ....
+```
+
+#### Adding a new key
+
+From the application root, run `biscuit put -f`, followed by the path to the yaml you want to encrypt in, followed by the key, followed by the example.
+
+```bash
+$ biscuit put -f config/secrets/production.yml SECRET_KEY "sensitive value"
+```
+
+#### Getting a key (CLI)
+
+```bash
+$ biscuit export -f config/secrets/production.yml | grep "SECRET_KEY"
+```
+
+#### A note on parsed values and quoting
+
+Given this unencrypted YAML:
+
+```yaml
+foo: 1,2,3,4,5
+```
+
+You might think that `foo`'s value after being loaded would be `"1,2,3,4,5"`.
+You'd be wrong... Ruby's YAML parser [strips out the commas](https://github.com/ruby/psych/issues/273), sees `12345`, and thinks "ah we have a number!"
+Then the value is `12345`.
+
+If you desire to keep the commas, you'll have to encode it quoted:
+
+```yaml
+foo: "1,2,3,4,5"
+```
 
 ## Development
 
@@ -30,9 +110,17 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## License
+
+[MIT](LICENSE).
+
+Library created by [UserTesting](https://usertesting.com)
+
+![UserTesting](doc/UserTesting.png)
+
 ## Contributing
 
-1. Fork it ( https://github.com/[my-github-username]/biscuit/fork )
+1. Fork it ( https://github.com/usertesting/biscuit/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
 3. Commit your changes (`git commit -am 'Add some feature'`)
 4. Push to the branch (`git push origin my-new-feature`)

data/Rakefile

@@ -1,8 +1,6 @@
-require 'bundler'
-require 'bundler/gem_tasks'
 require 'open-uri'
 
-UPSTREAM_VERSION = '0.1.2'
+UPSTREAM_VERSION = '0.1.3'
 
 def fetch(release_url)
   tgz_path = download_file(release_url)
@@ -14,7 +12,7 @@ end
 def download_file(url)
   filename = URI(url).path.split('/').last
 
-  IO.copy_stream(open(url), "/tmp/#{filename}")
+  IO.copy_stream(URI.open(url), "/tmp/#{filename}")
 
   "/tmp/#{filename}"
 end

data/bin/biscuit

@@ -1,5 +1,9 @@
 #!/usr/bin/env ruby
 
 this_gems_root = Gem::Specification.find_by_name("biscuit").gem_dir
+
+# We aren't using Biscuit.run! here because we want output to be streamed as it arrives for interactive use,
+# and we don't care about capturing the result
 system("#{this_gems_root}/bin/_biscuit", *ARGV)
+
 exit $?.exitstatus

data/biscuit.gemspec

@@ -6,27 +6,22 @@ require 'biscuit/version'
 Gem::Specification.new do |spec|
   spec.name          = "biscuit"
   spec.version       = Biscuit::VERSION
-  spec.authors       = ["Suan-Aik Yeo"]
-  spec.email         = ["yeosuanaik@gmail.com"]
+  spec.authors       = ["Suan-Aik Yeo", "Justin Aiken"]
+  spec.email         = ["yeosuanaik@gmail.com", "60tonangel@gmail.com"]
 
   spec.summary       = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
   spec.description   = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
   spec.homepage      = "https://github.com/usertesting/biscuit"
+  spec.license       = "MIT"
 
-  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
-  # delete this section to allow pushing this gem to any host.
-  if spec.respond_to?(:metadata)
-    spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
-  else
-    raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
-  end
-
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|doc)/}) }
   spec.bindir        = "bin"
   spec.executables   = 'biscuit'
   spec.require_paths = ["lib"]
   spec.extensions    = ["Rakefile"]
 
-  spec.add_development_dependency "bundler", "~> 1.9"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", "~> 2.1"
+  spec.add_development_dependency "rake", "~> 13.0"
+
+  spec.add_runtime_dependency "rake"
 end

data/lib/biscuit.rb

@@ -1,5 +1,14 @@
 require "biscuit/version"
+require "biscuit/secrets_decrypter"
+require "biscuit/execution_error"
+
+require "open3"
+require "yaml"
 
 module Biscuit
-  # Your code goes here...
+  def self.run!(command)
+    stdout, stderr, status = Open3.capture3("#{__dir__}/../bin/_biscuit #{command}")
+    raise Biscuit::ExecutionError.new(stderr, stdout) unless status == 0
+    stdout
+  end
 end

data/lib/biscuit/execution_error.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Biscuit
+  class ExecutionError < StandardError
+    def initialize(stderr, stdout=nil)
+      @stdout = stdout
+      @stderr = stderr
+      super(message)
+    end
+
+    def message
+      messages = []
+      messages << "std_out: #{truncate(@stdout)}" if @stdout
+      messages << "std_err: #{truncate(@stderr)}" if @stderr
+      messages.join(" ")
+    end
+
+    private
+
+    def truncate(message)
+      message.slice(0, 200)
+    end
+  end
+end

data/lib/biscuit/secrets_decrypter.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Biscuit
+  class SecretsDecrypter
+    attr_reader :secrets_file
+
+    def initialize(secrets_file)
+      fail "#{secrets_file} is not found" unless File.exists? secrets_file
+
+      @secrets_file = secrets_file
+    end
+
+    def load(&block)
+      if block_given?
+        secrets.each{ |key, value|
+          block.call(key, value)
+        }
+      else
+        secrets
+      end
+    end
+
+    private
+
+    def secrets
+      @_secrets ||= YAML.load(exported)
+    end
+
+    def exported
+      @_exported ||= Biscuit.run!("export -f '#{secrets_file}'")
+    end
+
+    def secret_lines
+      @_secret_lines ||= exported.split("\n").select { |line| line =~ /\S/ }
+    end
+  end
+end

data/lib/biscuit/version.rb

@@ -1,3 +1,3 @@
 module Biscuit
-  VERSION = "0.0.4"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,54 +1,75 @@
 --- !ruby/object:Gem::Specification
 name: biscuit
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.1.4
 platform: ruby
 authors:
 - Suan-Aik Yeo
-autorequire: 
+- Justin Aiken
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-11-08 00:00:00.000000000 Z
+date: 2021-06-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
 email:
 - yeosuanaik@gmail.com
+- 60tonangel@gmail.com
 executables:
 - biscuit
 extensions:
 - Rakefile
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".github/workflows/publish_gem.yml"
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CHANGELOG.markdown
 - Gemfile
+- LICENSE
 - README.md
 - Rakefile
 - bin/biscuit
@@ -56,30 +77,30 @@ files:
 - bin/setup
 - biscuit.gemspec
 - lib/biscuit.rb
+- lib/biscuit/execution_error.rb
+- lib/biscuit/secrets_decrypter.rb
 - lib/biscuit/version.rb
 homepage: https://github.com/usertesting/biscuit
-licenses: []
-metadata:
-  allowed_push_host: 'TODO: Set to ''http://mygemserver.com'''
-post_install_message: 
+licenses:
+- MIT
+metadata: {}
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.0.14
-signing_key: 
+rubygems_version: 3.2.3
+signing_key:
 specification_version: 4
 summary: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
 test_files: []
-has_rdoc: