ccli 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b51dfcdf9a76d67d7bb633b23527d834e1eefeed029b4d8cce842ce1d114126c
+  data.tar.gz: e4aaff7ebd82de60040209ee625b7e4b479d84ffff1f2eeed3f9d919ea48ac83
+SHA512:
+  metadata.gz: c325b131a7eacbee13c0c6caa99288876958ee5a1424a7a14cbff80d13fdc3d8f7886f4f46d57b483fa6ee47c2e019497e72a75d223360698079c59d6db8e138
+  data.tar.gz: ec80bdf42056d9101b64a7eb99ec991b7aef7a7007a9481ab714253455e260c777af1d42b26765c250c3e9343f84a716b86c860c4c6f677fa9682a5a0e198eb3

data/.rubocop.yml

@@ -0,0 +1,121 @@
+AllCops:
+  DisplayCopNames: true
+  Exclude:
+    - spec/**/*
+
+Metrics/AbcSize:
+  Max: 20
+  Severity: error
+
+Metrics/ClassLength:
+  Max: 200
+  Severity: error
+
+Metrics/ModuleLength:
+  Max: 200
+  Severity: error
+
+Metrics/CyclomaticComplexity:
+  Max: 6
+  Severity: error
+
+Layout/LineLength:
+  Max: 100
+  Severity: warning
+  AutoCorrect: true
+
+Metrics/MethodLength:
+  Max: 10
+  Severity: error
+
+Metrics/ParameterLists:
+  Max: 6
+  Severity: warning
+
+Layout/ClassStructure:
+  Enabled: true
+
+# controller#entry methods have @model_name instance variables.
+# therefore disable this cop
+Naming/MemoizedInstanceVariableName:
+  Enabled: false
+
+# Keep for now, easier with superclass definitions
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+# The ones we use must exist for the entire class hierarchy.
+Style/ClassVars:
+  Enabled: false
+
+Style/EmptyMethod:
+  EnforcedStyle: expanded
+
+# We thinks that's fine
+Style/FormatStringToken:
+  Enabled: false
+
+
+Style/HashSyntax:
+  Exclude:
+    - lib/tasks/**/*.rake
+
+Style/SymbolArray:
+  EnforcedStyle: brackets
+
+# map instead of collect, reduce instead of inject.
+# Probably later
+Style/CollectionMethods:
+  Enabled: false
+
+# Well, well, well
+Style/Documentation:
+  Enabled: false
+
+# Probably later
+Layout/DotPosition:
+  Enabled: false
+
+# Missing UTF-8 encoding statements should always be created.
+Style/Encoding:
+  Severity: error
+
+# Keep single line bodys for if and unless
+Style/IfUnlessModifier:
+  Enabled: false
+
+# That's no huge stopper
+Layout/EmptyLines:
+  Enabled: false
+
+# We thinks that's fine for specs
+Layout/EmptyLinesAroundBlockBody:
+  Enabled: false
+
+# We thinks that's fine
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+
+# We thinks that's fine
+Layout/EmptyLinesAroundModuleBody:
+  Enabled: false
+
+# We thinks that's fine
+Layout/MultilineOperationIndentation:
+  Enabled: false
+
+# We thinks that's fine
+Style/RegexpLiteral:
+  Enabled: false
+
+# We think that's the developers choice
+Style/SymbolProc:
+  Enabled: false
+
+# Probably later
+Style/GuardClause:
+  Enabled: false
+
+# We thinks that's fine
+Style/SingleLineBlockParams:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,9 @@
+language: ruby
+rvm:
+  - 2.5
+install:
+  - gem install bundler
+  - bundle install
+script:
+  - rubocop
+  - rspec

data/Gemfile

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+gem 'commander', '~> 4.5', '>= 4.5.2'
+gem 'rspec', '~> 3.9'
+gem 'rubocop', '~> 0.89.0'
+gem 'tty-command'
+gem 'tty-exit'
+gem 'tty-logger'
+
+gem 'pry'
+gem 'pry-byebug'

data/Gemfile.lock

@@ -0,0 +1,75 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.1)
+    byebug (11.1.3)
+    coderay (1.1.3)
+    commander (4.5.2)
+      highline (~> 2.0.0)
+    diff-lcs (1.4.4)
+    equatable (0.6.1)
+    highline (2.0.3)
+    method_source (1.0.0)
+    parallel (1.19.2)
+    parser (2.7.1.4)
+      ast (~> 2.4.1)
+    pastel (0.7.4)
+      equatable (~> 0.6)
+      tty-color (~> 0.5)
+    pry (0.13.1)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    pry-byebug (3.9.0)
+      byebug (~> 11.0)
+      pry (~> 0.13.0)
+    rainbow (3.0.0)
+    regexp_parser (1.7.1)
+    rexml (3.2.4)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    rubocop (0.89.0)
+      parallel (~> 1.10)
+      parser (>= 2.7.1.1)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.7)
+      rexml
+      rubocop-ast (>= 0.1.0, < 1.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.3.0)
+      parser (>= 2.7.1.4)
+    ruby-progressbar (1.10.1)
+    tty-color (0.5.2)
+    tty-command (0.9.0)
+      pastel (~> 0.7.0)
+    tty-exit (0.1.0)
+    tty-logger (0.3.0)
+      pastel (~> 0.7.0)
+    unicode-display_width (1.7.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  commander (~> 4.5, >= 4.5.2)
+  pry
+  pry-byebug
+  rspec (~> 3.9)
+  rubocop (~> 0.89.0)
+  tty-command
+  tty-exit
+  tty-logger
+
+BUNDLED WITH
+   2.1.4

data/README.md

@@ -0,0 +1,63 @@
+# ccli
+
+Cryptopus Command Line Client
+
+## Installation
+
+`sudo gem install ccli`
+
+This will install the `cry` command including its dependencies
+
+## Features
+
+- Fetch account data from Cryptopus
+- List accessable teams in Cryptopus
+- Sync Openshift/Kubernetes Secrets to Cryptopus
+- Sync Secrets from Cryptopus to Openshift/Kubernetes
+
+## Usage
+
+### Labeling secret to be synced
+
+So that a secret even gets considered by the `ccli`, you have to add the `cryptopus-sync=true` label to your secret:
+
+**oc:** `oc label secret <secret-name> cryptopus-sync=true`
+
+
+**kubectl:** `kubectl label secret <secret-name> cryptopus-sync=true`
+
+### Commands
+
+```
+  Command:           Summary:
+
+  account            Fetches an account by the given id          
+  folder             Selects the Cryptopus folder by id          
+  help               Display global or [command] help documentation              
+  k8s-secret-pull    Pulls secret from Kubectl to Cryptopus              
+  k8s-secret-push    Pushes secret from Cryptopus to Kubectl             
+  login              Logs in to the ccli         
+  logout             Logs out of the ccli                
+  ose-secret-pull    Pulls secret from Openshift to Cryptopus            
+  ose-secret-push    Pushes secret from Cryptopus to Openshift           
+  teams              Lists all available teams           
+  use                Select the current folder   
+```
+
+Show more specific documentation by calling `cry help <command>`
+
+
+## Development
+
+### Prerequisites
+
+You will need the following things properly installed on your computer:
+
+- [Git (Version Control System)](http://git-scm.com/)
+- [RVM (Ruby Version Manager)](http://rvm.io/)
+
+### Setup
+
+- `rvm install 2.6.0`
+- `gem install bundler`
+- `bundle install`

data/bin/cry

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../lib/cli'
+
+CLI.new.run

data/ccli.gemspec

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |s|
+  s.name          = 'ccli'
+  s.version       = '0.1.0'
+  s.summary       = 'Command line client for the opensource password manager Cryptopus'
+  s.authors       = ['Nils Rauch']
+  s.email         = 'rauch@puzzle.ch'
+  s.require_paths = ['lib']
+  s.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{(^(test|spec|features)/)})
+  end
+  s.bindir        = 'bin'
+  s.executables   = s.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  s.required_ruby_version = Gem::Requirement.new('>= 2.0')
+
+  s.add_runtime_dependency 'commander', '~> 4.5', '>= 4.5.2'
+  s.add_runtime_dependency 'tty-command'
+  s.add_runtime_dependency 'tty-exit'
+  s.add_runtime_dependency 'tty-logger'
+end

data/lib/adapters/cluster_secret_adapter.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'tty-command'
+
+class ClusterSecretAdapter
+
+  CCLI_FLAG_LABEL = 'cryptopus-sync'
+
+  def fetch_secret(name)
+    raise client_missing_error unless client_installed?
+    raise client_not_logged_in_error unless client_logged_in?
+
+    begin
+      out, _err = cmd.run("#{client} get -o yaml secret --field-selector='metadata.name=#{name}' " \
+                          "-l #{CCLI_FLAG_LABEL}=true")
+
+      Psych.load(out)['items'].first.to_yaml
+    rescue TTY::Command::ExitError
+      raise OpenshiftSecretNotFoundError
+    end
+  end
+
+  def fetch_all_secrets
+    raise client_missing_error unless client_installed?
+    raise client_not_logged_in_error unless client_logged_in?
+
+    secrets, _err = cmd.run("#{client} get secret -o yaml -l #{CCLI_FLAG_LABEL}=true")
+    Psych.load(secrets)['items'].map do |secret|
+      secret.to_yaml
+    end
+  end
+
+  def insert_secret(secret)
+    raise client_missing_error unless client_installed?
+    raise client_not_logged_in_error unless client_logged_in?
+
+    File.open("/tmp/#{secret.name}.yml", 'w') do |file|
+      file.write secret.ose_secret
+    end
+
+    cmd.run("#{client} delete -f /tmp/#{secret.name}.yml --ignore-not-found=true")
+    cmd.run("#{client} create -f /tmp/#{secret.name}.yml")
+  end
+
+  private
+
+  def client_installed?
+    cmd.run!("which #{client}").success?
+  end
+
+  def client_logged_in?
+    cmd.run!("#{client} get secret").success?
+  end
+
+  def cmd
+    @cmd ||= TTY::Command.new(printer: :null)
+  end
+
+  def client
+    raise 'implement in subclass'
+  end
+
+  def client_missing_error
+    raise 'implement in subclass'
+  end
+
+  def client_not_logged_in_error
+    raise 'implement in subclass'
+  end
+end

data/lib/adapters/cryptopus_adapter.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+require 'singleton'
+require 'net/http'
+require 'json'
+require 'base64'
+
+class CryptopusAdapter
+
+  def root_url
+    raise SessionMissingError unless session_adapter.session_data[:url]
+
+    @root_url ||= "#{session_adapter.session_data[:url]}/api"
+  end
+
+  def get(path)
+    uri = URI("#{root_url}/#{path}")
+    request = new_request(:get, uri)
+    send_request(request, uri)
+  end
+
+  def post(path, body)
+    uri = URI("#{root_url}/#{path}")
+    request = new_request(:post, uri)
+    request.body = body
+    send_request(request, uri)
+  end
+
+  def patch(path, body)
+    uri = URI("#{root_url}/#{path}")
+    request = new_request(:patch, uri)
+    request.body = body
+    send_request(request, uri)
+  end
+
+  def save_secret(secret)
+    secret_account = secret.to_account
+    secret_account.folder = session_adapter.selected_folder.id
+
+    persisted_secret = Account.find_by_name_and_folder_id(secret.name,
+                                                          session_adapter.selected_folder.id)
+    if persisted_secret
+      patch("accounts/#{persisted_secret.id}", secret_account.to_json)
+    else
+      post('accounts', secret_account.to_json)
+    end
+  end
+
+  def find_account_by_name(name)
+    secret_account = Account.find_by_name_and_folder_id(name, session_adapter.selected_folder.id)
+
+    raise CryptopusAccountNotFoundError unless secret_account
+
+    secret_account
+  end
+
+  def renewed_auth_token
+    json = get("api_users/#{current_user_id}/token")
+    JSON.parse(json)['token']
+  end
+
+  private
+
+  def current_user_id
+    users = JSON.parse(get('api_users'), symbolize_names: true)
+    users[:data].find do |user|
+      user[:attributes][:username] == session_adapter.session_data[:username]
+    end[:id]
+  end
+
+  def session_adapter
+    @session_adapter ||= SessionAdapter.new
+  end
+
+  def header_token
+    Base64.strict_encode64(session_adapter.session_data[:token] || '')
+  end
+
+  def new_request(verb, uri)
+    request = Object.const_get("Net::HTTP::#{verb.capitalize}").new(uri)
+    request['Authorization-User'] = session_adapter.session_data[:username]
+    request['Authorization-Password'] = header_token
+    if [:post, :patch].include? verb
+      request['Content-Type'] = 'application/json'
+      request['Accept'] = 'application/vnd.api+json'
+    end
+    request
+  end
+
+  def send_request(request, uri)
+    is_ssl_connection = uri.port == 443
+    response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: is_ssl_connection) do |http|
+      http.request(request)
+    end
+    raise UnauthorizedError if response.is_a?(Net::HTTPUnauthorized)
+    raise ForbiddenError if response.is_a?(Net::HTTPForbidden)
+
+    response.body
+  end
+end