chamber 2.10.2 → 2.11.0

data/lib/chamber/commands/securable.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'shellwords'
 require 'chamber/instance'
 
@@ -9,8 +10,8 @@ module  Securable
     super
 
     ignored_settings_options        = options.
-                                      merge(files: ignored_settings_filepaths).
-                                      reject { |k, _v| k == 'basepath' }
+                                        merge(files: ignored_settings_filepaths).
+                                        reject { |k, _v| k == 'basepath' }
     self.ignored_settings_instance  = Chamber::Instance.new(ignored_settings_options)
     self.current_settings_instance  = Chamber::Instance.new(options)
     self.only_sensitive             = options[:only_sensitive]

data/lib/chamber/commands/secure.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+
 require 'chamber/commands/base'
+require 'chamber/commands/securable'
 
 module  Chamber
 module  Commands
@@ -12,7 +14,7 @@ class   Secure < Chamber::Commands::Base
 
   def call
     disable_warnings do
-      insecure_environment_variables.each do |key, _value|
+      insecure_environment_variables.each_key do |key|
         if dry_run
           shell.say_status 'encrypt', key, :blue
         else

data/lib/chamber/commands/show.rb

@@ -1,10 +1,14 @@
 # frozen_string_literal: true
+
 require 'pp'
 require 'chamber/commands/base'
 
 module  Chamber
 module  Commands
 class   Show < Chamber::Commands::Base
+  attr_accessor :as_env,
+                :only_sensitive
+
   def initialize(options = {})
     super
 
@@ -17,17 +21,14 @@ class   Show < Chamber::Commands::Base
       settings.to_s(pair_separator: "\n")
     else
       PP.
-      pp(settings.to_hash, StringIO.new, 60).
-      string.
-      chomp
+        pp(settings.to_hash, StringIO.new, 60).
+        string.
+        chomp
     end
   end
 
   protected
 
-  attr_accessor :as_env,
-                :only_sensitive
-
   def settings
     @settings ||= if only_sensitive
                     chamber.settings.securable

data/lib/chamber/commands/travis.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'bundler'
 
 module  Chamber

data/lib/chamber/commands/travis/secure.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'chamber/commands/base'
 require 'chamber/commands/travis'
 require 'chamber/commands/securable'

data/lib/chamber/configuration.rb

@@ -1,31 +1,32 @@
 # frozen_string_literal: true
+
 require 'chamber/context_resolver'
 
 module  Chamber
 class   Configuration
   attr_accessor :basepath,
-                :decryption_key,
-                :encryption_key,
+                :decryption_keys,
+                :encryption_keys,
                 :files,
                 :namespaces
 
   def initialize(options = {})
-    options             = ContextResolver.resolve(options)
+    options              = ContextResolver.resolve(options)
 
-    self.basepath       = options[:basepath]
-    self.namespaces     = options[:namespaces]
-    self.decryption_key = options[:decryption_key]
-    self.encryption_key = options[:encryption_key]
-    self.files          = options[:files]
+    self.basepath        = options.fetch(:basepath)
+    self.namespaces      = options.fetch(:namespaces)
+    self.decryption_keys = options.fetch(:decryption_keys)
+    self.encryption_keys = options.fetch(:encryption_keys)
+    self.files           = options.fetch(:files)
   end
 
   def to_hash
     {
-      basepath:       basepath,
-      decryption_key: decryption_key,
-      encryption_key: encryption_key,
-      files:          files,
-      namespaces:     namespaces,
+      basepath:        basepath,
+      decryption_keys: decryption_keys,
+      encryption_keys: encryption_keys,
+      files:           files,
+      namespaces:      namespaces,
     }
   end
 end

data/lib/chamber/context_resolver.rb

@@ -1,64 +1,50 @@
 # frozen_string_literal: true
+
 require 'pathname'
 require 'socket'
 require 'hashie/mash'
-require 'chamber/decryption_key'
+
+require 'chamber/keys/decryption'
+require 'chamber/keys/encryption'
 
 module  Chamber
 class   ContextResolver
+  attr_accessor :options
+
   def initialize(options = {})
-    self.options = Hashie::Mash.new(options)
+    self.options = options.dup
   end
 
-  # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity
-  # rubocop:disable Metrics/PerceivedComplexity, Metrics/MethodLength
+  # rubocop:disable Metrics/AbcSize, Metrics/LineLength
   def resolve
-    options[:rootpath]       ||= Pathname.pwd
-    options[:rootpath]         = Pathname.new(options[:rootpath])
-    options[:encryption_key]   = resolve_encryption_key(options[:encryption_key])
-    options[:decryption_key]   = resolve_decryption_key(options[:decryption_key])
-    options[:namespaces]     ||= []
-    options[:preset]         ||= resolve_preset
+    options[:rootpath]   ||= Pathname.pwd
+    options[:rootpath]     = Pathname.new(options[:rootpath])
+    options[:namespaces] ||= []
+    options[:preset]     ||= resolve_preset
 
     if %w{rails rails-engine}.include?(options[:preset])
-      if options[:preset] == 'rails-engine'
-        engine_spec_dummy_directory = options[:rootpath] + 'spec' + 'dummy'
-        engine_test_dummy_directory = options[:rootpath] + 'test' + 'dummy'
-
-        options[:rootpath] = if (engine_spec_dummy_directory + 'config.ru').exist?
-                               engine_spec_dummy_directory
-                             elsif (engine_test_dummy_directory + 'config.ru').exist?
-                               engine_test_dummy_directory
-                             end
-      end
-
-      options[:basepath]     ||= options[:rootpath] + 'config'
-
-      if options[:namespaces] == []
-        require options[:rootpath].join('config', 'application').to_s
-
-        options[:namespaces] = [
-                                 ::Rails.env,
-                                 Socket.gethostname,
-                               ]
-      end
+      options[:rootpath]     = detect_engine_root                                if options[:preset]     == 'rails-engine'
+      options[:namespaces]   = load_rails_default_namespaces(options[:rootpath]) if options[:namespaces] == []
+      options[:basepath]   ||= options[:rootpath] + 'config'
     else
-      options[:basepath] ||= options[:rootpath]
+      options[:basepath]   ||= options[:rootpath]
     end
 
-    options[:basepath]         = Pathname.new(options[:basepath])
-
-    options[:files]          ||= [
-                                   options[:basepath] + 'settings*.yml',
-                                   options[:basepath] + 'settings',
-                                 ]
+    options[:encryption_keys]   = Keys::Encryption.resolve(filenames:  options[:encryption_keys],
+                                                           namespaces: options[:namespaces],
+                                                           rootpath:   options[:rootpath])
+    options[:decryption_keys]   = Keys::Decryption.resolve(filenames:  options[:decryption_keys],
+                                                           namespaces: options[:namespaces],
+                                                           rootpath:   options[:rootpath])
+    options[:basepath]          = Pathname.new(options[:basepath])
+    options[:files]           ||= [
+                                    options[:basepath] + 'settings*.yml',
+                                    options[:basepath] + 'settings',
+                                  ]
 
-    options
-  rescue LoadError
     options
   end
-  # rubocop:enable Metrics/AbcSize, Metrics/CyclomaticComplexity
-  # rubocop:enable Metrics/PerceivedComplexity, Metrics/MethodLength
+  # rubocop:enable Metrics/AbcSize, Metrics/LineLength
 
   def self.resolve(options = {})
     new(options).resolve
@@ -66,8 +52,6 @@ class   ContextResolver
 
   protected
 
-  attr_accessor :options
-
   def resolve_preset
     if in_a_rails_project?
       'rails'
@@ -76,17 +60,6 @@ class   ContextResolver
     end
   end
 
-  def resolve_encryption_key(key)
-    key ||= options[:rootpath] + '.chamber.pub.pem'
-
-    key if Pathname.new(key).readable?
-  end
-
-  def resolve_decryption_key(key)
-    DecryptionKey.resolve(filename: key,
-                          rootpath: options[:rootpath])
-  end
-
   def in_a_rails_project?
     (options[:rootpath] + 'config.ru').exist? &&
     rails_executable_exists?
@@ -102,5 +75,29 @@ class   ContextResolver
     options[:rootpath].join('script', 'rails').exist? ||
     options[:rootpath].join('script', 'console').exist?
   end
+
+  private
+
+  def detect_engine_root
+    engine_spec_dummy_directory = options[:rootpath] + 'spec' + 'dummy'
+    engine_test_dummy_directory = options[:rootpath] + 'test' + 'dummy'
+
+    if (engine_spec_dummy_directory + 'config.ru').exist?
+      engine_spec_dummy_directory
+    elsif (engine_test_dummy_directory + 'config.ru').exist?
+      engine_test_dummy_directory
+    end
+  end
+
+  def load_rails_default_namespaces(root)
+    require root.join('config', 'application').to_s
+
+    [
+      ::Rails.env,
+      Socket.gethostname,
+    ]
+  rescue LoadError
+    []
+  end
 end
 end

data/lib/chamber/encryption_methods/none.rb

@@ -1,11 +1,13 @@
+# frozen_string_literal: true
+
 module  Chamber
 module  EncryptionMethods
 class   None
-  def self.encrypt(_key, value, _encryption_key)
+  def self.encrypt(_key, value, _encryption_keys)
     value
   end
 
-  def self.decrypt(key, value, _decryption_key)
+  def self.decrypt(key, value, _decryption_keys)
     return value if value.nil?
 
     warn "WARNING: It appears that you would like to keep your information for #{key} " \

data/lib/chamber/encryption_methods/public_key.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module  Chamber
 module  EncryptionMethods
 class   PublicKey
-  def self.encrypt(_key, value, encryption_key)
+  def self.encrypt(_key, value, encryption_keys)
     value = YAML.dump(value)
-    encrypted_string = encryption_key.public_encrypt(value)
+    encrypted_string = encryption_keys.public_encrypt(value)
 
     Base64.strict_encode64(encrypted_string)
   end

data/lib/chamber/encryption_methods/ssl.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 module  Chamber
 module  EncryptionMethods
 class   Ssl
   LARGE_DATA_STRING_PATTERN = %r{\A([A-Za-z0-9\+\/#]*\={0,2})#([A-Za-z0-9\+\/#]*\={0,2})#([A-Za-z0-9\+\/#]*\={0,2})\z} # rubocop:disable Metrics/LineLength
 
-  def self.encrypt(_key, value, encryption_key)
+  def self.encrypt(_key, value, encryption_keys)
     value = YAML.dump(value)
     cipher = OpenSSL::Cipher.new('AES-128-CBC')
     cipher.encrypt
@@ -14,7 +16,7 @@ class   Ssl
     encrypted_data = cipher.update(value) + cipher.final
 
     # encrypt the key with the public key
-    encrypted_key = encryption_key.public_encrypt(symmetric_key)
+    encrypted_key = encryption_keys.public_encrypt(symmetric_key)
 
     # assemble the resulting Base64 encoded data, the key
     Base64.strict_encode64(encrypted_key) + '#' +
@@ -22,17 +24,17 @@ class   Ssl
     Base64.strict_encode64(encrypted_data)
   end
 
-  def self.decrypt(key, value, decryption_key)
-    if decryption_key.nil?
+  def self.decrypt(key, value, decryption_keys)
+    if decryption_keys.nil?
       value
     else
       key, iv, decoded_string = value.
-                                match(LARGE_DATA_STRING_PATTERN).
-                                captures.
-                                map do |part|
-                                    Base64.strict_decode64(part)
+                                  match(LARGE_DATA_STRING_PATTERN).
+                                  captures.
+                                  map do |part|
+        Base64.strict_decode64(part)
       end
-      key = decryption_key.private_decrypt(key)
+      key = decryption_keys.private_decrypt(key)
 
       cipher_dec = OpenSSL::Cipher.new('AES-128-CBC')
 

data/lib/chamber/errors/decryption_failure.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module  Chamber
 module  Errors
 class   DecryptionFailure < RuntimeError

data/lib/chamber/file.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'pathname'
 require 'yaml'
 require 'erb'
@@ -9,6 +10,10 @@ require 'erb'
 #
 module  Chamber
 class   File < Pathname
+  attr_accessor :namespaces,
+                :decryption_keys,
+                :encryption_keys
+
   ###
   # Internal: Creates a settings file representing a path to a file on the
   # filesystem.
@@ -37,9 +42,9 @@ class   File < Pathname
   #   # => <Chamber::File>
   #
   def initialize(options = {})
-    self.namespaces     = options[:namespaces] || {}
-    self.decryption_key = options[:decryption_key]
-    self.encryption_key = options[:encryption_key]
+    self.namespaces      = options[:namespaces]      || {}
+    self.decryption_keys = options[:decryption_keys] || {}
+    self.encryption_keys = options[:encryption_keys] || {}
 
     super options.fetch(:path)
   end
@@ -64,12 +69,13 @@ class   File < Pathname
   # ```
   #
   def to_settings
-    @data ||= Settings.new(settings:       file_contents_hash,
-                           namespaces:     namespaces,
-                           decryption_key: decryption_key,
-                           encryption_key: encryption_key)
+    @data ||= Settings.new(settings:        file_contents_hash,
+                           namespaces:      namespaces,
+                           decryption_keys: decryption_keys,
+                           encryption_keys: encryption_keys)
   end
 
+  # rubocop:disable Metrics/LineLength
   def secure
     insecure_settings = to_settings.insecure.to_flattened_name_hash
     secure_settings   = to_settings.insecure.secure.to_flattened_name_hash
@@ -82,28 +88,31 @@ class   File < Pathname
       escaped_value = Regexp.escape(value)
 
       file_contents.
-      sub!(
-          /^(\s*)_secure_#{escaped_name}(\s*):(\s*)['"]?#{escaped_value}['"]?$/,
-          "\\1_secure_#{name_pieces.last}\\2:\\3#{secure_value}",
+        sub!(
+          /^(\s*)#{secure_prefix_pattern}#{escaped_name}(\s*):(\s*)['"]?#{escaped_value}['"]?$/,
+          "\\1#{secure_prefix}#{name_pieces.last}\\2:\\3#{secure_value}",
       )
 
       file_contents.
-      sub!(
-          /^(\s*)_secure_#{escaped_name}(\s*):(\s*)\|((?:\n\1\s{2}.*)+)/,
-          "\\1_secure_#{name_pieces.last}\\2:\\3#{secure_value}",
+        sub!(
+          /^(\s*)#{secure_prefix_pattern}#{escaped_name}(\s*):(\s*)\|((?:\n\1\s{2}.*)+)/,
+          "\\1#{secure_prefix}#{name_pieces.last}\\2:\\3#{secure_value}",
       )
     end
 
     write(file_contents)
   end
+  # rubocop:enable Metrics/LineLength
 
-  protected
+  private
 
-  attr_accessor :namespaces,
-                :decryption_key,
-                :encryption_key
+  def secure_prefix
+    '_secure_'
+  end
 
-  private
+  def secure_prefix_pattern
+    @secure_prefix_pattern ||= Regexp.escape(secure_prefix)
+  end
 
   def file_contents_hash
     file_contents = read