biscuit 0.0.7 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 67a2dd92f873d5ac7e7ca2b8464fcd8e6b49d6b0
-  data.tar.gz: 135d6b22c9cbb9ae526df66a6a539c52f5740e5f
+SHA256:
+  metadata.gz: c0ae8dd43c9d7b9cf11433ec6f56f8417d9df0a237396162f85a9a54eecb14af
+  data.tar.gz: ade9a35a78ea2e62c0ae1786b98a1f1c41f4e02186b6a4ccb9a246ffecc60ae4
 SHA512:
-  metadata.gz: 51479480b630c1f95bd73a52ba0cc0ca0e7dd20c1e0f168ee6878f116301163b14c9ec608e5583ade08aa5eb9a6b97a281db0c271f4e9572fbe2c67a57cb3e46
-  data.tar.gz: 60e4c3c4ea99e3e8e7248ad927581754077b4baa1cac138cfe7b9388d1c4d82750d480aed153c99e8c6e295fb72ba961dcac16b666bc43f40b3b30f0f1b32281
+  metadata.gz: 6a50e6cb9da879f6537aa10768bd2821d69771df478ec86ece1e88a918a54bc2e9ad0f06055f6cb9a4bfbfb4cfc03689d82925c80ef7245ad0778541ae04ab1a
+  data.tar.gz: 6ba191f9c910089ca2a92f6545a3cd46149d2d9e3071cc0fb0166831808eb855aaac1b9cb09a09e9086595fd1c05b871445d6c915b632bfe17e9d6416a9430e7

data/.github/workflows/publish_gem.yml

@@ -0,0 +1,17 @@
+name: Publish Gem
+
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Release Gem
+        uses: cadwallion/publish-rubygems-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUBYGEMS_API_KEY: ${{secrets.RUBYGEMS_API_KEY}}

data/.github/workflows/ruby.yml

@@ -0,0 +1,21 @@
+name: Ruby CI
+
+on: [push, pull_request]
+jobs:
+  build:
+    name: build (${{ matrix.ruby }} / ${{ matrix.os }})
+    strategy:
+      matrix:
+        ruby: [ "3.0", "2.7", "2.6", "2.5", "2.4", "2.3", head ]
+        os: [ ubuntu-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+    - name: Install dependencies
+      run: bundle install
+    - name: Run test
+      run: bundle exec rspec spec

data/.gitignore

@@ -3,7 +3,9 @@
 /Gemfile.lock
 /_yardoc/
 /coverage/
-/doc/
 /pkg/
 /spec/reports/
 /tmp/
+
+# This is downloaded when the gem is installed:
+bin/_biscuit

data/.rspec

@@ -0,0 +1 @@
+--require spec_helper

data/CHANGELOG.markdown

@@ -0,0 +1,21 @@
+# 0.2.0
+- [FIX] Resolve File.exists? deprecation removal in latest Ruby.
+- Bump upstream biscuit binary dependency to latest 0.1.4 release.
+- Adds diagnostic logging to install task.
+
+# 0.1.4
+- [FIX] `open()` is deprecated for URIs. Uses `URI.open()`
+- Bumps bundler version
+- Bumps rake gem version
+
+# 0.1.3
+- No changes - apparently there was already a yanked 0.1.2 out there somewhere
+
+# 0.1.2
+
+- [FIX] Revert to using `YAML.load` to load the secrets
+- [FIX] Don't split values containing `:` into broken pieces
+- Relax `rake` dependency
+- [DOC] Fill out README
+- Set up CI
+- Gitignore the actual `biscuit` binary

data/Gemfile

@@ -2,3 +2,6 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in biscuit.gemspec
 gemspec
+
+gem "rspec"
+gem "coveralls", require: false

data/LICENSE

@@ -1,5 +1,5 @@
 The MIT License (MIT)
-Copyright (c) 2016 User Testing, Inc.
+Copyright (c) 2019 User Testing, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software
 and associated documentation files (the "Software"), to deal in the Software without restriction,

data/README.md

@@ -1,28 +1,108 @@
 # Biscuit
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/biscuit`. To experiment with that code, run `bin/console` for an interactive prompt.
+[![Travis](https://img.shields.io/travis/usertesting/biscuit?style=for-the-badge)](https://travis-ci.org/usertesting/biscuit) [![Coveralls github](https://img.shields.io/coveralls/github/usertesting/biscuit?style=for-the-badge)](https://coveralls.io/github/usertesting/biscuit) [![Code Climate maintainability](https://img.shields.io/codeclimate/maintainability/usertesting/biscuit?style=for-the-badge)](https://codeclimate.com/github/usertesting/biscuit)
 
-TODO: Delete this and the text above, and describe your gem
+
+This gem is a Ruby wrapper around `@dcoker`'s [biscuit library](https://github.com/dcoker/biscuit), a multi-region HA key-value store for your AWS infrastructure secrets.
+
+By using this Ruby library, it is easy to integrate into a Ruby/Rails stack.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+- Add this line to your application's Gemfile:
+
+    ```ruby
+    gem 'biscuit'
+    ```
+
+- And then run `bundle`.
+
+- `touch` a yaml file (or multiple for different environments).
+
+## Usage
+
+### Loading K/V pairs into a hash
 
 ```ruby
-gem 'biscuit'
+secrets_file = "some_yaml_file.yaml"
+SECRETS = Biscuit::SecretsDecrypter.new(secrets_file).load
+
+puts SECRETS["some_password"]
+# => "decrypted password"
 ```
 
-And then execute:
+### Loading into ENV Vars
 
-    $ bundle
+If you store config in ENV vars as suggested by the [12 Factor App](https://12factor.net/config), you can load your AWS encrypted secrets into ENV vars like this:
 
-Or install it yourself as:
+```ruby
+secrets_file = "some_yaml_file.yaml"
+Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
+  ENV[key] = value
+end
+```
 
-    $ gem install biscuit
+This approach pairs with [dotenv](https://github.com/bkeepers/dotenv) really well - dotenv for test/development, and biscuit for staging/production environments.
 
-## Usage
+#### With Rails
+
+Load your secrets in `application.rb`, between loading Rails/bundler, before the Application config starts:
+
+```ruby
+require "rails/all"
+
+...
+
+Bundler.require(*Rails.groups)
+
+...
+
+# Add in your biscuit loading here:
+secrets_file = "#{__dir__}/secrets/#{Rails.env}.yml"
+if File.exist?(secrets_file) # You can also check things like if Rails.env.production?
+  Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
+    ENV[key] = value
+  end
+end
+
+...
+
+module MyApp
+  class Application < Rails::Application
+    ....
+```
+
+#### Adding a new key
+
+From the application root, run `biscuit put -f`, followed by the path to the yaml you want to encrypt in, followed by the key, followed by the example.
+
+```bash
+$ biscuit put -f config/secrets/production.yml SECRET_KEY "sensitive value"
+```
+
+#### Getting a key (CLI)
 
-TODO: Write usage instructions here
+```bash
+$ biscuit export -f config/secrets/production.yml | grep "SECRET_KEY"
+```
+
+#### A note on parsed values and quoting
+
+Given this unencrypted YAML:
+
+```yaml
+foo: 1,2,3,4,5
+```
+
+You might think that `foo`'s value after being loaded would be `"1,2,3,4,5"`.
+You'd be wrong... Ruby's YAML parser [strips out the commas](https://github.com/ruby/psych/issues/273), sees `12345`, and thinks "ah we have a number!"
+Then the value is `12345`.
+
+If you desire to keep the commas, you'll have to encode it quoted:
+
+```yaml
+foo: "1,2,3,4,5"
+```
 
 ## Development
 
@@ -30,9 +110,22 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## Performing a release
+
+First, go to `lib/biscuit/version.rb` and update the gem to the version you'd like. We follow semantic versioning, if you have questions about this please consult this [document](https://semver.org/).
+After merging the change into the default branch you can go [here](https://github.com/usertesting/biscuit/releases/new) and publish a new release. Which will automatically push the new version to rubygems.org
+
+## License
+
+[MIT](LICENSE).
+
+Library created by [UserTesting](https://usertesting.com)
+
+![UserTesting](doc/UserTesting.png)
+
 ## Contributing
 
-1. Fork it ( https://github.com/[my-github-username]/biscuit/fork )
+1. Fork it ( https://github.com/usertesting/biscuit/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
 3. Commit your changes (`git commit -am 'Add some feature'`)
 4. Push to the branch (`git push origin my-new-feature`)

data/Rakefile

@@ -1,30 +1,34 @@
 require 'open-uri'
+require 'bundler/gem_tasks'
 
-UPSTREAM_VERSION = '0.1.3'
+UPSTREAM_VERSION = '0.1.4'
 
 def fetch(release_url)
+  puts "Fetching native biscuit executable: #{release_url}"
   tgz_path = download_file(release_url)
 
   system("tar -xzf #{tgz_path} -C #{File.dirname(tgz_path)}") || raise
   system("mv #{File.dirname(tgz_path)}/biscuit #{__dir__}/bin/_biscuit") || raise
+  puts "Successfully fetched native biscuit executable"
 end
 
 def download_file(url)
   filename = URI(url).path.split('/').last
 
-  IO.copy_stream(open(url), "/tmp/#{filename}")
+  IO.copy_stream(URI.open(url), "/tmp/#{filename}")
 
   "/tmp/#{filename}"
 end
 
 task :default do
   platform = Gem::Platform.local
-  base_release_url = "https://github.com/dcoker/biscuit/releases/download/v#{UPSTREAM_VERSION}/biscuit"
+  base_release_url = 
+    "https://github.com/dcoker/biscuit/releases/download/v#{UPSTREAM_VERSION}/biscuit_#{UPSTREAM_VERSION}_"
 
-  if platform.os == 'darwin' && platform.cpu == 'x86_64'
-    fetch("#{base_release_url}-darwin_amd64.tgz") 
+  if platform.os == 'darwin'
+    fetch("#{base_release_url}MacOS-all.tar.gz")
   elsif platform.os == 'linux' && platform.cpu == 'x86_64'
-    fetch("#{base_release_url}-linux_amd64.tgz") 
+    fetch("#{base_release_url}Linux-64bit.tar.gz")
   else
     puts "Unsupported platform #{platform}"
   end

data/biscuit.gemspec

@@ -6,29 +6,22 @@ require 'biscuit/version'
 Gem::Specification.new do |spec|
   spec.name          = "biscuit"
   spec.version       = Biscuit::VERSION
-  spec.authors       = ["Suan-Aik Yeo"]
-  spec.email         = ["yeosuanaik@gmail.com"]
+  spec.authors       = ["Suan-Aik Yeo", "Justin Aiken"]
+  spec.email         = ["yeosuanaik@gmail.com", "60tonangel@gmail.com"]
 
   spec.summary       = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
   spec.description   = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
   spec.homepage      = "https://github.com/usertesting/biscuit"
+  spec.license       = "MIT"
 
-  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
-  # delete this section to allow pushing this gem to any host.
-  if spec.respond_to?(:metadata)
-    spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
-  else
-    raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
-  end
-
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|doc)/}) }
   spec.bindir        = "bin"
   spec.executables   = 'biscuit'
   spec.require_paths = ["lib"]
   spec.extensions    = ["Rakefile"]
 
-  spec.add_development_dependency "bundler", "~> 1.9"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "bundler", "~> 2.1"
+  spec.add_development_dependency "rake", "~> 13.0"
 
-  spec.add_runtime_dependency "rake", "~> 10.0"
+  spec.add_runtime_dependency "rake"
 end

data/lib/biscuit/execution_error.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Biscuit
+  class ExecutionError < StandardError
+    def initialize(stderr, stdout=nil)
+      @stdout = stdout
+      @stderr = stderr
+      super(message)
+    end
+
+    def message
+      messages = []
+      messages << "std_out: #{truncate(@stdout)}" if @stdout
+      messages << "std_err: #{truncate(@stderr)}" if @stderr
+      messages.join(" ")
+    end
+
+    private
+
+    def truncate(message)
+      message.slice(0, 200)
+    end
+  end
+end

data/lib/biscuit/secrets_decrypter.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Biscuit
+  class SecretsDecrypter
+    attr_reader :secrets_file
+
+    def initialize(secrets_file)
+      fail "#{secrets_file} is not found" unless File.exist? secrets_file
+
+      @secrets_file = secrets_file
+    end
+
+    def load(&block)
+      if block_given?
+        secrets.each{ |key, value|
+          block.call(key, value)
+        }
+      else
+        secrets
+      end
+    end
+
+    private
+
+    def secrets
+      @_secrets ||= YAML.load(exported)
+    end
+
+    def exported
+      @_exported ||= Biscuit.run!("export -f '#{secrets_file}'")
+    end
+
+    def secret_lines
+      @_secret_lines ||= exported.split("\n").select { |line| line =~ /\S/ }
+    end
+  end
+end

data/lib/biscuit/version.rb

@@ -1,3 +1,3 @@
 module Biscuit
-  VERSION = "0.0.7"
+  VERSION = "0.2.0"
 end

data/lib/biscuit.rb

@@ -1,9 +1,14 @@
 require "biscuit/version"
+require "biscuit/secrets_decrypter"
+require "biscuit/execution_error"
+
+require "open3"
+require "yaml"
 
 module Biscuit
   def self.run!(command)
-    result = `#{__dir__}/../bin/_biscuit #{command}`
-    raise(result.slice(0, 200)) unless $?.success?
-    result
+    stdout, stderr, status = Open3.capture3("#{__dir__}/../bin/_biscuit #{command}")
+    raise Biscuit::ExecutionError.new(stderr, stdout) unless status == 0
+    stdout
   end
 end

metadata

@@ -1,67 +1,73 @@
 --- !ruby/object:Gem::Specification
 name: biscuit
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.2.0
 platform: ruby
 authors:
 - Suan-Aik Yeo
+- Justin Aiken
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-16 00:00:00.000000000 Z
+date: 2022-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
 description: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
 email:
 - yeosuanaik@gmail.com
+- 60tonangel@gmail.com
 executables:
 - biscuit
 extensions:
 - Rakefile
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".github/workflows/publish_gem.yml"
+- ".github/workflows/ruby.yml"
+- ".gitignore"
+- ".rspec"
+- CHANGELOG.markdown
 - Gemfile
 - LICENSE
 - README.md
@@ -71,30 +77,30 @@ files:
 - bin/setup
 - biscuit.gemspec
 - lib/biscuit.rb
+- lib/biscuit/execution_error.rb
+- lib/biscuit/secrets_decrypter.rb
 - lib/biscuit/version.rb
 homepage: https://github.com/usertesting/biscuit
-licenses: []
-metadata:
-  allowed_push_host: 'TODO: Set to ''http://mygemserver.com'''
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
 test_files: []
-has_rdoc: