chamber 2.10.2 → 2.11.0

data/lib/chamber/file_set.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'pathname'
 require 'chamber/namespace_set'
 require 'chamber/file'
@@ -111,11 +112,16 @@ require 'chamber/settings'
 #
 module  Chamber
 class   FileSet
+  attr_reader   :namespaces,
+                :paths
+  attr_accessor :decryption_keys,
+                :encryption_keys
+
   def initialize(options = {})
-    self.namespaces     = options[:namespaces] || {}
-    self.decryption_key = options[:decryption_key]
-    self.encryption_key = options[:encryption_key]
-    self.paths          = options.fetch(:files)
+    self.namespaces      = options[:namespaces] || {}
+    self.decryption_keys = options[:decryption_keys]
+    self.encryption_keys = options[:encryption_keys]
+    self.paths           = options.fetch(:files)
   end
 
   ###
@@ -177,11 +183,6 @@ class   FileSet
 
   protected
 
-  attr_reader   :namespaces,
-                :paths
-  attr_accessor :decryption_key,
-                :encryption_key
-
   ###
   # Internal: Allows the paths for the FileSet to be set. It can either be an
   # object that responds to `#each` like an Array or one that doesn't. In which
@@ -216,10 +217,10 @@ class   FileSet
         relevant_glob_files = relevant_files & current_glob_files
 
         relevant_glob_files.map! do |file|
-          File.new(path:           file,
-                   namespaces:     namespaces,
-                   decryption_key: decryption_key,
-                   encryption_key: encryption_key)
+          File.new(path:            file,
+                   namespaces:      namespaces,
+                   decryption_keys: decryption_keys,
+                   encryption_keys: encryption_keys)
         end
 
         sorted_relevant_files += relevant_glob_files

data/lib/chamber/filters/decryption_filter.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'openssl'
 require 'base64'
 require 'hashie/mash'
@@ -11,13 +12,31 @@ require 'chamber/errors/decryption_failure'
 module  Chamber
 module  Filters
 class   DecryptionFilter
-  SECURE_KEY_TOKEN          = /\A_secure_/
   BASE64_STRING_PATTERN     = %r{\A[A-Za-z0-9\+/]{342}==\z}
-  LARGE_DATA_STRING_PATTERN = %r{\A([A-Za-z0-9\+\/#]*\={0,2})#([A-Za-z0-9\+\/#]*\={0,2})#([A-Za-z0-9\+\/#]*\={0,2})\z} # rubocop:disable Metrics/LineLength
+  LARGE_DATA_STRING_PATTERN = %r{
+                                  \A                            # Beginning of String
+                                  (
+                                    [A-Za-z0-9\+\/#]*\={0,2}    # Base64 Encoded Key
+                                  )
+                                  \#                            # Separator
+                                  (
+                                    [A-Za-z0-9\+\/#]*\={0,2}    # Base64 Encoded IV
+                                  )
+                                  \#                            # Separator
+                                  (
+                                    [A-Za-z0-9\+\/#]*\={0,2}    # Base64 Encoded Data
+                                  )
+                                  \z                            # End of String
+                                }x
+
+  attr_accessor :data,
+                :secure_key_token
+  attr_reader   :decryption_keys
 
   def initialize(options = {})
-    self.decryption_key = options.fetch(:decryption_key, nil)
-    self.data           = options.fetch(:data).dup
+    self.decryption_keys  = options.fetch(:decryption_keys, {}) || {}
+    self.data             = options.fetch(:data).dup
+    self.secure_key_token = /\A#{Regexp.escape(options.fetch(:secure_key_prefix))}/
   end
 
   def self.execute(options = {})
@@ -26,17 +45,14 @@ class   DecryptionFilter
 
   protected
 
-  attr_accessor :data
-  attr_reader   :decryption_key
-
   def execute(raw_data = data)
     settings = Hashie::Mash.new
 
     raw_data.each_pair do |key, value|
       settings[key] = if value.respond_to? :each_pair
                         execute(value)
-                      elsif key.match(SECURE_KEY_TOKEN)
-                        decryption_method(value).decrypt(key, value, decryption_key)
+                      elsif key.match(secure_key_token)
+                        decrypt(key, value)
                       else
                         value
                       end
@@ -45,20 +61,34 @@ class   DecryptionFilter
     settings
   end
 
-  def decryption_key=(keyish)
-    return @decryption_key = nil if keyish.nil?
+  def decryption_keys=(other)
+    @decryption_keys = other.each_value.map do |keyish|
+      content = if ::File.readable?(::File.expand_path(keyish))
+                  ::File.read(::File.expand_path(keyish))
+                else
+                  keyish
+                end
 
-    key_content     = if ::File.readable?(::File.expand_path(keyish))
-                        ::File.read(::File.expand_path(keyish))
-                      else
-                        keyish
-                      end
-
-    @decryption_key = OpenSSL::PKey::RSA.new(key_content)
+      OpenSSL::PKey::RSA.new(content)
+    end
   end
 
   private
 
+  def decrypt(key, value)
+    method = decryption_method(value)
+
+    decryption_keys.each do |decryption_key|
+      begin
+        return method.decrypt(key, value, decryption_key)
+      rescue OpenSSL::PKey::RSAError
+        next
+      end
+    end
+
+    value
+  end
+
   def decryption_method(value)
     if value.respond_to?(:match)
       if value.match(BASE64_STRING_PATTERN)

data/lib/chamber/filters/encryption_filter.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'openssl'
 require 'base64'
 require 'hashie/mash'
@@ -10,13 +11,17 @@ require 'chamber/encryption_methods/none'
 module    Chamber
 module    Filters
 class     EncryptionFilter
-  SECURE_KEY_TOKEN          = /\A_secure_/
   BASE64_STRING_PATTERN     = %r{\A[A-Za-z0-9\+\/]{342}==\z}
   LARGE_DATA_STRING_PATTERN = %r{\A([A-Za-z0-9\+\/#]*\={0,2})#([A-Za-z0-9\+\/#]*\={0,2})#([A-Za-z0-9\+\/#]*\={0,2})\z} # rubocop:disable Metrics/LineLength
 
+  attr_accessor :data,
+                :secure_key_token
+  attr_reader   :encryption_keys
+
   def initialize(options = {})
-    self.encryption_key = options.fetch(:encryption_key, nil)
-    self.data           = options.fetch(:data).dup
+    self.encryption_keys  = options.fetch(:encryption_keys, {}) || {}
+    self.data             = options.fetch(:data).dup
+    self.secure_key_token = /\A#{Regexp.escape(options.fetch(:secure_key_prefix))}/
   end
 
   def self.execute(options = {})
@@ -25,35 +30,40 @@ class     EncryptionFilter
 
   protected
 
-  attr_accessor :data
-  attr_reader   :encryption_key
-
-  def execute(raw_data = data)
-    settings = Hashie::Mash.new
-
-    raw_data.each_pair do |key, value|
+  def execute(raw_data = data, namespace = nil)
+    raw_data.each_with_object(Hashie::Mash.new) do |(key, value), settings|
       settings[key] = if value.respond_to? :each_pair
-                        execute(value)
-                      elsif key.match(SECURE_KEY_TOKEN)
-                        encryption_method(value).encrypt(key, value, encryption_key)
+                        execute(value, namespace || key)
+                      elsif key.match(secure_key_token)
+                        encrypt(namespace, key, value)
                       else
                         value
                       end
     end
+  end
 
-    settings
+  def encryption_keys=(other)
+    @encryption_keys = other.each_with_object({}) do |(namespace, keyish), memo|
+      memo[namespace] = if keyish.is_a?(OpenSSL::PKey::RSA)
+                          keyish
+                        elsif ::File.readable?(::File.expand_path(keyish))
+                          file_contents = ::File.read(::File.expand_path(keyish))
+                          OpenSSL::PKey::RSA.new(file_contents)
+                        else
+                          OpenSSL::PKey::RSA.new(keyish)
+                        end
+    end
   end
 
-  def encryption_key=(keyish)
-    return @encryption_key = nil if keyish.nil?
+  private
 
-    key_content     = if ::File.readable?(::File.expand_path(keyish))
-                        ::File.read(::File.expand_path(keyish))
-                      else
-                        keyish
-                      end
+  def encrypt(namespace, key, value)
+    method         = encryption_method(value)
+    encryption_key = encryption_keys[namespace] || encryption_keys[:__default]
+
+    return value unless encryption_key
 
-    @encryption_key = OpenSSL::PKey::RSA.new(key_content)
+    method.encrypt(key, value, encryption_key)
   end
 
   def encryption_method(value)

data/lib/chamber/filters/environment_filter.rb

@@ -1,20 +1,33 @@
 # frozen_string_literal: true
-require 'chamber/environmentable'
+
+require 'yaml'
+require 'hashie/mash'
 
 module  Chamber
 module  Filters
 class   EnvironmentFilter
-  include Environmentable
-
-  def initialize(options = {})
-    self.data = options.fetch(:data)
-  end
-
   ###
   # Internal: Allows the existing environment to be injected into the passed in
   # hash.  The hash that is passed in is *not* modified, instead a new hash is
   # returned.
   #
+  # This filter will also do basic value conversions from the environment
+  # variable string to the data type defined in the YAML.  For example if the
+  # YAML value is `true`, then the conversion knows it's a Boolean.  If there's
+  # an environment varible which should override that value, it will look to see
+  # if it is a `String` of 'true', 'false', 't', 'f', 'yes', or 'no' and perform
+  # the appropriate conversion of that value into a Boolean.
+  #
+  # This will work for:
+  #
+  #   * Booleans
+  #   * Integers
+  #   * Floats
+  #   * Arrays
+  #
+  # For the Arrays, it will convert the environment value by parsing the string
+  # as YAML.  Whatever the parsed value ends up being, *must* be an Array.
+  #
   # Examples:
   #
   #   ###
@@ -37,6 +50,25 @@ class   EnvironmentFilter
   #   }
   #
   #   ###
+  #   # Can do basic value conversions based on the raw data
+  #   #
+  #   ENV['LEVEL_ONE_1_LEVEL_TWO_1']               = '1'
+  #   ENV['LEVEL_ONE_1_LEVEL_TWO_2_LEVEL_THREE_1'] = '[1, 2, 3]'
+  #
+  #   EnvironmentFilter.execute(
+  #     level_one_1: {
+  #       level_two_1: 4,
+  #       level_two_2: {
+  #         level_three_1: [4, 5, 6] } } )
+  #
+  #   # => {
+  #     'level_one_1' => {
+  #       'level_two_1' => 1,
+  #       'level_two_2' => {
+  #         'level_three_1' => [1, 2, 3],
+  #   }
+  #
+  #   ###
   #   # Can inject environment variables if said variables are prefixed
   #   #
   #   ENV['PREFIX_LEVEL_TWO_1'] = 'env value 1'
@@ -58,19 +90,80 @@ class   EnvironmentFilter
     new(options).__send__(:execute)
   end
 
-  protected
+  attr_accessor :data,
+                :secure_key_token
 
-  attr_accessor :data
+  def initialize(options = {})
+    self.data             = options.fetch(:data)
+    self.secure_key_token = /\A#{Regexp.escape(options.fetch(:secure_key_prefix))}/
+  end
+
+  protected
 
   def execute(settings = data, parent_keys = [])
-    with_environment(settings, parent_keys,
-                     lambda do |key, value, environment_keys|
-                       { key => execute(value, environment_keys) }
-                     end,
-                     lambda do |key, value, environment_key|
-                       { key => (ENV[environment_key] || value) }
-                     end)
+    with_environment(
+      settings,
+      parent_keys,
+      lambda do |key, value, environment_keys|
+        { key => execute(value, environment_keys) }
+      end,
+      lambda do |key, value, environment_key|
+        { key => convert_environment_value(ENV[environment_key], value) }
+      end,
+    )
+  end
+
+  private
+
+  def with_environment(settings, parent_keys, hash_block, value_block)
+    environment_hash = Hashie::Mash.new
+
+    settings.each_pair do |key, value|
+      environment_key  = key.to_s.gsub(secure_key_token, '')
+      environment_keys = parent_keys.dup.push(environment_key)
+
+      if value.respond_to? :each_pair
+        environment_hash.merge!(hash_block.call(key, value, environment_keys))
+      else
+        environment_key = environment_keys.join('_').upcase
+
+        environment_hash.merge!(value_block.call(key, value, environment_key))
+      end
+    end
+
+    environment_hash
+  end
+
+  # rubocop:disable Metrics/CyclomaticComplexity
+  def convert_environment_value(environment_value, settings_value)
+    return settings_value unless environment_value
+    return                if %w{___nil___ ___null___}.include?(environment_value)
+
+    case settings_value.class.name
+    when 'TrueClass', 'FalseClass'
+      case environment_value.downcase
+      when 'false', 'f', 'no', 'off', '0'
+        false
+      when 'true', 't', 'yes', 'on', '1'
+        true
+      else
+        fail ArgumentError, "Invalid value for Boolean: #{environment_value}"
+      end
+    when 'Float'
+      Float(environment_value)
+    when 'Array'
+      YAML.safe_load(environment_value).tap do |parsed_value|
+        unless parsed_value.is_a?(Array)
+          fail ArgumentError, "Invalid value for Array: #{environment_value}"
+        end
+      end
+    when 'Integer'
+      Integer(environment_value)
+    else
+      environment_value
+    end
   end
+  # rubocop:enable Metrics/CyclomaticComplexity
 end
 end
 end

data/lib/chamber/filters/failed_decryption_filter.rb

@@ -1,23 +1,25 @@
 # frozen_string_literal: true
+
 require 'chamber/errors/decryption_failure'
 
 module  Chamber
 module  Filters
 class   FailedDecryptionFilter
-  SECURE_KEY_TOKEN      = /\A_secure_/
   BASE64_STRING_PATTERN = %r{\A[A-Za-z0-9\+/]{342}==\z}
 
-  def initialize(options = {})
-    self.data = options.fetch(:data).dup
-  end
-
   def self.execute(options = {})
     new(options).__send__(:execute)
   end
 
-  protected
+  attr_accessor :data,
+                :secure_key_token
 
-  attr_accessor :data
+  def initialize(options = {})
+    self.data             = options.fetch(:data).dup
+    self.secure_key_token = /\A#{Regexp.escape(options.fetch(:secure_key_prefix))}/
+  end
+
+  protected
 
   def execute(raw_data = data)
     settings = raw_data
@@ -25,7 +27,7 @@ class   FailedDecryptionFilter
     raw_data.each_pair do |key, value|
       if value.respond_to? :each_pair
         execute(value)
-      elsif key.match(SECURE_KEY_TOKEN) &&
+      elsif key.match(secure_key_token) &&
             value.respond_to?(:match)   &&
             value.match(BASE64_STRING_PATTERN)
 

data/lib/chamber/filters/insecure_filter.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'hashie/mash'
 require 'chamber/filters/secure_filter'
 

data/lib/chamber/filters/namespace_filter.rb

@@ -1,23 +1,24 @@
 # frozen_string_literal: true
+
 require 'hashie/mash'
 
 module  Chamber
 module  Filters
 class   NamespaceFilter
-  def initialize(options = {})
-    self.data       = Hashie::Mash.new(options.fetch(:data))
-    self.namespaces = options.fetch(:namespaces)
-  end
-
   def self.execute(options = {})
     new(options).__send__(:execute)
   end
 
-  protected
-
   attr_accessor :data,
                 :namespaces
 
+  def initialize(options = {})
+    self.data       = Hashie::Mash.new(options.fetch(:data))
+    self.namespaces = options.fetch(:namespaces)
+  end
+
+  protected
+
   def execute
     if data_is_namespaced?
       namespaces.each_with_object(Hashie::Mash.new) do |namespace, filtered_data|