biscuit 0.0.7 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 67a2dd92f873d5ac7e7ca2b8464fcd8e6b49d6b0
-  data.tar.gz: 135d6b22c9cbb9ae526df66a6a539c52f5740e5f
+SHA256:
+  metadata.gz: 772b6c3f55da69d87fbe4ab2f66f92a05c0129e63ae5dea063deed7746d6962e
+  data.tar.gz: 06ccf7df45f75ae126e3ee90399db3cf042aab46d023f759de261e2214114946
 SHA512:
-  metadata.gz: 51479480b630c1f95bd73a52ba0cc0ca0e7dd20c1e0f168ee6878f116301163b14c9ec608e5583ade08aa5eb9a6b97a281db0c271f4e9572fbe2c67a57cb3e46
-  data.tar.gz: 60e4c3c4ea99e3e8e7248ad927581754077b4baa1cac138cfe7b9388d1c4d82750d480aed153c99e8c6e295fb72ba961dcac16b666bc43f40b3b30f0f1b32281
+  metadata.gz: ceadbc913378a7198ba124894db276a7e27e0da91f51432db3f5ed634b3325fe9995ed6e472e0f0c9edca056824c2e3495fa2a21a35510eb1d776716b51bb4eb
+  data.tar.gz: 01f63ef22d709b3e3190f4d9ef1f7b8afa9dbad01348a32b8b696623da2506d395e568f6367f1d9684fcca5b0dd63c9e06cbf51c2c6a2ce196c96e7ba0f8e3c7

data/.gitignore

@@ -3,7 +3,9 @@
 /Gemfile.lock
 /_yardoc/
 /coverage/
-/doc/
 /pkg/
 /spec/reports/
 /tmp/
+
+# This is downloaded when the gem is installed:
+bin/_biscuit

data/.rspec

@@ -0,0 +1 @@
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,13 @@
+language: ruby
+rvm:
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6
+
+before_script:
+  # Installs the _biscuit executable:
+  - rake
+
+script:
+  - bundle exec rspec spec/ --format=doc

data/CHANGELOG.markdown

@@ -0,0 +1,11 @@
+# 0.1.3
+- No changes - apparently there was already a yanked 0.1.2 out there somewhere
+
+# 0.1.2
+
+- [FIX] Revert to using `YAML.load` to load the secrets
+- [FIX] Don't split values containing `:` into broken pieces
+- Relax `rake` dependency
+- [DOC] Fill out README
+- Set up CI
+- Gitignore the actual `biscuit` binary

data/Gemfile

@@ -2,3 +2,6 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in biscuit.gemspec
 gemspec
+
+gem "rspec"
+gem "coveralls", require: false

data/LICENSE

@@ -1,5 +1,5 @@
 The MIT License (MIT)
-Copyright (c) 2016 User Testing, Inc.
+Copyright (c) 2019 User Testing, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software
 and associated documentation files (the "Software"), to deal in the Software without restriction,

data/README.md

@@ -1,28 +1,108 @@
 # Biscuit
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/biscuit`. To experiment with that code, run `bin/console` for an interactive prompt.
+[![Travis](https://img.shields.io/travis/usertesting/biscuit?style=for-the-badge)](https://travis-ci.org/usertesting/biscuit) [![Coveralls github](https://img.shields.io/coveralls/github/usertesting/biscuit?style=for-the-badge)](https://coveralls.io/github/usertesting/biscuit) [![Code Climate maintainability](https://img.shields.io/codeclimate/maintainability/usertesting/biscuit?style=for-the-badge)](https://codeclimate.com/github/usertesting/biscuit)
 
-TODO: Delete this and the text above, and describe your gem
+
+This gem is a Ruby wrapper around `@dcoker`'s [biscuit library](https://github.com/dcoker/biscuit), a multi-region HA key-value store for your AWS infrastructure secrets.
+
+By using this Ruby library, it is easy to integrate into a Ruby/Rails stack.
 
 ## Installation
 
-Add this line to your application's Gemfile:
+- Add this line to your application's Gemfile:
+
+    ```ruby
+    gem 'biscuit'
+    ```
+
+- And then run `bundle`.
+
+- `touch` a yaml file (or multiple for different environments).
+
+## Usage
+
+### Loading K/V pairs into a hash
+
+```ruby
+secrets_file = "some_yaml_file.yaml"
+SECRETS = Biscuit::SecretsDecrypter.new(secrets_file).load
+
+puts SECRETS["some_password"]
+# => "decrypted password"
+```
+
+### Loading into ENV Vars
+
+If you store config in ENV vars as suggested by the [12 Factor App](https://12factor.net/config), you can load your AWS encrypted secrets into ENV vars like this:
 
 ```ruby
-gem 'biscuit'
+secrets_file = "some_yaml_file.yaml"
+Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
+  ENV[key] = value
+end
 ```
 
-And then execute:
+This approach pairs with [dotenv](https://github.com/bkeepers/dotenv) really well - dotenv for test/development, and biscuit for staging/production environments.
+
+#### With Rails
 
-    $ bundle
+Load your secrets in `application.rb`, between loading Rails/bundler, before the Application config starts:
 
-Or install it yourself as:
+```ruby
+require "rails/all"
 
-    $ gem install biscuit
+...
 
-## Usage
+Bundler.require(*Rails.groups)
+
+...
+
+# Add in your biscuit loading here:
+secrets_file = "#{__dir__}/secrets/#{Rails.env}.yml"
+if File.exist?(secrets_file) # You can also check things like if Rails.env.production?
+  Biscuit::SecretsDecrypter.new(secrets_file).load do |key, value|
+    ENV[key] = value
+  end
+end
+
+...
 
-TODO: Write usage instructions here
+module MyApp
+  class Application < Rails::Application
+    ....
+```
+
+#### Adding a new key
+
+From the application root, run `biscuit put -f`, followed by the path to the yaml you want to encrypt in, followed by the key, followed by the example.
+
+```bash
+$ biscuit put -f config/secrets/production.yml SECRET_KEY "sensitive value"
+```
+
+#### Getting a key (CLI)
+
+```bash
+$ biscuit export -f config/secrets/production.yml | grep "SECRET_KEY"
+```
+
+#### A note on parsed values and quoting
+
+Given this unencrypted YAML:
+
+```yaml
+foo: 1,2,3,4,5
+```
+
+You might think that `foo`'s value after being loaded would be `"1,2,3,4,5"`.
+You'd be wrong... Ruby's YAML parser [strips out the commas](https://github.com/ruby/psych/issues/273), sees `12345`, and thinks "ah we have a number!"
+Then the value is `12345`.
+
+If you desire to keep the commas, you'll have to encode it quoted:
+
+```yaml
+foo: "1,2,3,4,5"
+```
 
 ## Development
 
@@ -30,9 +110,17 @@ After checking out the repo, run `bin/setup` to install dependencies. Then, run
 
 To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release` to create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
+## License
+
+[MIT](LICENSE).
+
+Library created by [UserTesting](https://usertesting.com)
+
+![UserTesting](doc/UserTesting.png)
+
 ## Contributing
 
-1. Fork it ( https://github.com/[my-github-username]/biscuit/fork )
+1. Fork it ( https://github.com/usertesting/biscuit/fork )
 2. Create your feature branch (`git checkout -b my-new-feature`)
 3. Commit your changes (`git commit -am 'Add some feature'`)
 4. Push to the branch (`git push origin my-new-feature`)

data/biscuit.gemspec

@@ -6,22 +6,15 @@ require 'biscuit/version'
 Gem::Specification.new do |spec|
   spec.name          = "biscuit"
   spec.version       = Biscuit::VERSION
-  spec.authors       = ["Suan-Aik Yeo"]
-  spec.email         = ["yeosuanaik@gmail.com"]
+  spec.authors       = ["Suan-Aik Yeo", "Justin Aiken"]
+  spec.email         = ["yeosuanaik@gmail.com", "60tonangel@gmail.com"]
 
   spec.summary       = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
   spec.description   = %q{Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).}
   spec.homepage      = "https://github.com/usertesting/biscuit"
+  spec.license       = "MIT"
 
-  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
-  # delete this section to allow pushing this gem to any host.
-  if spec.respond_to?(:metadata)
-    spec.metadata['allowed_push_host'] = "TODO: Set to 'http://mygemserver.com'"
-  else
-    raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
-  end
-
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features|doc)/}) }
   spec.bindir        = "bin"
   spec.executables   = 'biscuit'
   spec.require_paths = ["lib"]
@@ -30,5 +23,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "~> 1.9"
   spec.add_development_dependency "rake", "~> 10.0"
 
-  spec.add_runtime_dependency "rake", "~> 10.0"
+  spec.add_runtime_dependency "rake"
 end

data/lib/biscuit.rb

@@ -1,9 +1,14 @@
 require "biscuit/version"
+require "biscuit/secrets_decrypter"
+require "biscuit/execution_error"
+
+require "open3"
+require "yaml"
 
 module Biscuit
   def self.run!(command)
-    result = `#{__dir__}/../bin/_biscuit #{command}`
-    raise(result.slice(0, 200)) unless $?.success?
-    result
+    stdout, stderr, status = Open3.capture3("#{__dir__}/../bin/_biscuit #{command}")
+    raise Biscuit::ExecutionError.new(stderr, stdout) unless status == 0
+    stdout
   end
 end

data/lib/biscuit/execution_error.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Biscuit
+  class ExecutionError < StandardError
+    def initialize(stderr, stdout=nil)
+      @stdout = stdout
+      @stderr = stderr
+      super(message)
+    end
+
+    def message
+      messages = []
+      messages << "std_out: #{truncate(@stdout)}" if @stdout
+      messages << "std_err: #{truncate(@stderr)}" if @stderr
+      messages.join(" ")
+    end
+
+    private
+
+    def truncate(message)
+      message.slice(0, 200)
+    end
+  end
+end

data/lib/biscuit/secrets_decrypter.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Biscuit
+  class SecretsDecrypter
+    attr_reader :secrets_file
+
+    def initialize(secrets_file)
+      fail "#{secrets_file} is not found" unless File.exists? secrets_file
+
+      @secrets_file = secrets_file
+    end
+
+    def load(&block)
+      if block_given?
+        secrets.each{ |key, value|
+          block.call(key, value)
+        }
+      else
+        secrets
+      end
+    end
+
+    private
+
+    def secrets
+      @_secrets ||= YAML.load(exported)
+    end
+
+    def exported
+      @_exported ||= Biscuit.run!("export -f '#{secrets_file}'")
+    end
+
+    def secret_lines
+      @_secret_lines ||= exported.split("\n").select { |line| line =~ /\S/ }
+    end
+  end
+end

data/lib/biscuit/version.rb

@@ -1,3 +1,3 @@
 module Biscuit
-  VERSION = "0.0.7"
+  VERSION = "0.1.3"
 end

metadata

@@ -1,67 +1,72 @@
 --- !ruby/object:Gem::Specification
 name: biscuit
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.1.3
 platform: ruby
 authors:
 - Suan-Aik Yeo
+- Justin Aiken
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-11-16 00:00:00.000000000 Z
+date: 2019-10-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.9'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
 description: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
 email:
 - yeosuanaik@gmail.com
+- 60tonangel@gmail.com
 executables:
 - biscuit
 extensions:
 - Rakefile
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CHANGELOG.markdown
 - Gemfile
 - LICENSE
 - README.md
@@ -71,30 +76,30 @@ files:
 - bin/setup
 - biscuit.gemspec
 - lib/biscuit.rb
+- lib/biscuit/execution_error.rb
+- lib/biscuit/secrets_decrypter.rb
 - lib/biscuit/version.rb
 homepage: https://github.com/usertesting/biscuit
-licenses: []
-metadata:
-  allowed_push_host: 'TODO: Set to ''http://mygemserver.com'''
+licenses:
+- MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.0.14
+rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
 summary: Ruby wrapper for biscuit (https://github.com/dcoker/biscuit).
 test_files: []
-has_rdoc: