chamber 2.10.2 → 2.11.0

data/lib/chamber/filters/secure_filter.rb

@@ -1,22 +1,23 @@
 # frozen_string_literal: true
+
 require 'hashie/mash'
 
 module  Chamber
 module  Filters
 class   SecureFilter
-  SECURE_KEY_TOKEN = /\A_secure_/
-
-  def initialize(options = {})
-    self.data = Hashie::Mash.new(options.fetch(:data))
-  end
-
   def self.execute(options = {})
     new(options).__send__(:execute)
   end
 
-  protected
+  attr_accessor :data,
+                :secure_key_token
 
-  attr_accessor :data
+  def initialize(options = {})
+    self.data             = Hashie::Mash.new(options.fetch(:data))
+    self.secure_key_token = /\A#{Regexp.escape(options.fetch(:secure_key_prefix))}/
+  end
+
+  protected
 
   def execute(raw_data = data)
     settings = Hashie::Mash.new
@@ -25,7 +26,7 @@ class   SecureFilter
       secure_value  = if value.respond_to? :each_pair
                         execute(value)
                       elsif key.respond_to? :match
-                        value if key.match(SECURE_KEY_TOKEN)
+                        value if key.match(secure_key_token)
                       end
 
       settings[key] = secure_value unless secure_value.nil?

data/lib/chamber/filters/translate_secure_keys_filter.rb

@@ -1,22 +1,23 @@
 # frozen_string_literal: true
+
 require 'hashie/mash'
 
 module  Chamber
 module  Filters
 class   TranslateSecureKeysFilter
-  SECURE_KEY_TOKEN = /\A_secure_/
-
-  def initialize(options = {})
-    self.data = options.fetch(:data).dup
-  end
-
   def self.execute(options = {})
     new(options).__send__(:execute)
   end
 
-  protected
+  attr_accessor :data,
+                :secure_key_token
 
-  attr_accessor :data
+  def initialize(options = {})
+    self.data             = options.fetch(:data).dup
+    self.secure_key_token = /\A#{Regexp.escape(options.fetch(:secure_key_prefix))}/
+  end
+
+  protected
 
   def execute(raw_data = data)
     settings = Hashie::Mash.new
@@ -24,7 +25,7 @@ class   TranslateSecureKeysFilter
     raw_data.each_pair do |key, value|
       value = execute(value) if value.respond_to? :each_pair
       key   = key.to_s
-      key   = key.sub(SECURE_KEY_TOKEN, '') if key.match(SECURE_KEY_TOKEN)
+      key   = key.sub(secure_key_token, '') if key.match(secure_key_token)
 
       settings[key] = value
     end

data/lib/chamber/instance.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'chamber/configuration'
 require 'chamber/file_set'
 require 'chamber/settings'
@@ -29,21 +30,21 @@ class   Instance
     config = configuration.to_hash.merge(options)
 
     Settings.
-    new(
+      new(
       config.merge(
         settings:     data,
         pre_filters:  [Filters::EncryptionFilter],
         post_filters: [],
       ),
     ).
-    to_hash
+      to_hash
   end
 
   def decrypt(data, options = {})
     config = configuration.to_hash.merge(options)
 
     Settings.
-    new(
+      new(
       config.merge(
         settings:     data,
         pre_filters:  [Filters::NamespaceFilter],
@@ -53,7 +54,7 @@ class   Instance
                       ],
       ),
     ).
-    to_hash
+      to_hash
   end
 
   def to_s(options = {})

data/lib/chamber/key_pair.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require 'pathname'
+require 'securerandom'
+
+module Chamber
+class  KeyPair
+  attr_accessor :key_file_path,
+                :namespace,
+                :passphrase
+
+  def initialize(options = {})
+    self.namespace     = options[:namespace]
+    self.passphrase    = options.fetch(:passphrase, SecureRandom.uuid)
+    self.key_file_path = Pathname.new(options.fetch(:key_file_path))
+  end
+
+  def encrypted_private_key_filepath
+    key_file_path + encrypted_private_key_filename
+  end
+
+  def unencrypted_private_key_filepath
+    key_file_path + unencrypted_private_key_filename
+  end
+
+  def public_key_filepath
+    key_file_path + public_key_filename
+  end
+
+  def encrypted_private_key_pem
+    encrypted_private_key
+  end
+
+  def unencrypted_private_key_pem
+    unencrypted_private_key.to_pem
+  end
+
+  def public_key_pem
+    public_key.to_pem
+  end
+
+  def encrypted_private_key_filename
+    "#{base_key_filename}.enc"
+  end
+
+  def unencrypted_private_key_filename
+    "#{base_key_filename}.pem"
+  end
+
+  def public_key_filename
+    "#{base_key_filename}.pub.pem"
+  end
+
+  private
+
+  def encrypted_private_key
+    @encrypted_private_key ||= \
+      unencrypted_private_key.export(encryption_cipher, passphrase)
+  end
+
+  def unencrypted_private_key
+    @unencrypted_private_key ||= OpenSSL::PKey::RSA.new(2048)
+  end
+
+  def public_key
+    @public_key ||= unencrypted_private_key.public_key
+  end
+
+  def encryption_cipher
+    @encryption_cipher ||= OpenSSL::Cipher.new('AES-128-CBC')
+  end
+
+  def base_key_filename
+    @base_key_filename ||= [
+                             '.chamber',
+                             namespace,
+                           ].
+                             compact.
+                             join('.')
+  end
+end
+end

data/lib/chamber/keys/base.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module  Chamber
+module  Keys
+class   Base
+  def self.resolve(*args)
+    new(*args).resolve
+  end
+
+  attr_accessor :namespaces,
+                :rootpath
+  attr_reader   :filenames
+
+  def initialize(options = {})
+    self.rootpath   = Pathname.new(options.fetch(:rootpath))
+    self.namespaces = options.fetch(:namespaces)
+    self.filenames  = options[:filenames]
+  end
+
+  def resolve
+    filenames.each_with_object({}) do |filename, memo|
+      namespace = namespace_from_filename(filename) || '__default'
+      value     = key_from_file_contents(filename) ||
+                  key_from_environment_variable(filename)
+
+      memo[namespace.downcase.to_sym] = value if value
+    end
+  end
+
+  def filenames=(other)
+    @filenames = begin
+                   paths = Array(other).
+                             map { |o| Pathname.new(o) }.
+                             compact
+
+                   paths << default_key_file_path if paths.empty?
+
+                   (
+                     paths +
+                     generate_key_filenames
+                   ).
+                     uniq
+                 end
+  end
+
+  private
+
+  def key_from_file_contents(filename)
+    filename.readable? && filename.read
+  end
+
+  def key_from_environment_variable(filename)
+    ENV[environment_variable_from_filename(filename)]
+  end
+
+  def namespace_from_filename(filename)
+    filename.
+      basename.
+      to_s.
+      match(self.class::NAMESPACE_PATTERN) { |m| m[1].upcase }
+  end
+end
+end
+end

data/lib/chamber/keys/decryption.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'pathname'
+require 'chamber/keys/base'
+
+module  Chamber
+module  Keys
+class   Decryption < Chamber::Keys::Base
+  NAMESPACE_PATTERN = /
+                        \A          # Beginning of Filename
+                        \.chamber   # Initial Chamber Prefix
+                        \.          # Pre-Namespace Dot
+                        (\w+)       # Namespace
+                        \.pem       # Extension
+                        \z          # End of Filename
+                      /x
+
+  private
+
+  def environment_variable_from_filename(filename)
+    [
+      'CHAMBER',
+      namespace_from_filename(filename),
+      'KEY',
+    ].
+      compact.
+      join('_')
+  end
+
+  def generate_key_filenames
+    namespaces.map do |namespace|
+      rootpath + ".chamber.#{namespace}.pem"
+    end
+  end
+
+  def default_key_file_path
+    Pathname.new(rootpath + '.chamber.pem')
+  end
+end
+end
+end

data/lib/chamber/keys/encryption.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'pathname'
+require 'chamber/keys/base'
+
+module  Chamber
+module  Keys
+class   Encryption < Chamber::Keys::Base
+  NAMESPACE_PATTERN = /
+                        \A          # Beginning of Filename
+                        \.chamber   # Initial Chamber Prefix
+                        \.          # Pre-Namespace Dot
+                        (\w+)       # Namespace
+                        \.pub\.pem  # Extension
+                        \z          # End of Filename
+                      /x
+
+  private
+
+  def environment_variable_from_filename(filename)
+    [
+      'CHAMBER',
+      namespace_from_filename(filename),
+      'PUBLIC_KEY',
+    ].
+      compact.
+      join('_')
+  end
+
+  def generate_key_filenames
+    namespaces.map do |namespace|
+      rootpath + ".chamber.#{namespace}.pub.pem"
+    end
+  end
+
+  def default_key_file_path
+    Pathname.new(rootpath + '.chamber.pub.pem')
+  end
+end
+end
+end

data/lib/chamber/namespace_set.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'set'
 
 ###
@@ -13,13 +14,6 @@ module  Chamber
 class   NamespaceSet
   include Enumerable
 
-  ###
-  # Internal: Creates a new NamespaceSet from arrays, hashes and sets.
-  #
-  def initialize(raw_namespaces = {})
-    self.raw_namespaces = raw_namespaces
-  end
-
   ###
   # Internal: Allows for more compact NamespaceSet creation by giving a list of
   # namespace values.
@@ -34,6 +28,15 @@ class   NamespaceSet
     new(namespace_values)
   end
 
+  attr_reader :raw_namespaces
+
+  ###
+  # Internal: Creates a new NamespaceSet from arrays, hashes and sets.
+  #
+  def initialize(raw_namespaces = {})
+    self.raw_namespaces = raw_namespaces
+  end
+
   ###
   # Internal: Allows a NamespaceSet to be combined with some other array-like
   # object.
@@ -109,8 +112,6 @@ class   NamespaceSet
 
   protected
 
-  attr_accessor :raw_namespaces
-
   ###
   # Internal: Sets the namespaces for the set from a variety of objects and
   # processes them by checking to see if they can be 'called'.

data/lib/chamber/rails.rb

@@ -1,2 +1,3 @@
 # frozen_string_literal: true
+
 require 'chamber/rails/railtie' if defined?(::Rails)

data/lib/chamber/rails/railtie.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'socket'
 
 module  Chamber

data/lib/chamber/rubinius_fix.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'pathname'
 
 unless Pathname.instance_methods.include?(:write)

data/lib/chamber/settings.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
+
 require 'hashie/mash'
 require 'chamber/namespace_set'
 require 'chamber/filters/namespace_filter'
 require 'chamber/filters/encryption_filter'
 require 'chamber/filters/decryption_filter'
 require 'chamber/filters/environment_filter'
-require 'chamber/filters/boolean_conversion_filter'
 require 'chamber/filters/secure_filter'
 require 'chamber/filters/translate_secure_keys_filter'
 require 'chamber/filters/insecure_filter'
@@ -16,24 +16,29 @@ require 'chamber/filters/failed_decryption_filter'
 #
 module  Chamber
 class   Settings
-  attr_reader :namespaces
+  attr_accessor :pre_filters,
+                :post_filters,
+                :encryption_keys,
+                :decryption_keys
+  attr_reader   :namespaces
 
+  # rubocop:disable Metrics/CyclomaticComplexity, Metrics/LineLength
   def initialize(options = {})
-    self.namespaces       = options[:namespaces]      ||  []
-    self.raw_data         = options[:settings]        ||  {}
-    self.decryption_key   = options[:decryption_key]
-    self.encryption_key   = options[:encryption_key]
-    self.pre_filters  = options[:pre_filters]  || [
-                                                    Filters::NamespaceFilter,
-                                                  ]
-    self.post_filters = options[:post_filters] || [
-                                                    Filters::DecryptionFilter,
-                                                    Filters::EnvironmentFilter,
-                                                    Filters::FailedDecryptionFilter,
-                                                    Filters::BooleanConversionFilter,
-                                                    Filters::TranslateSecureKeysFilter,
-                                                  ]
+    self.namespaces      = options[:namespaces]      || []
+    self.raw_data        = options[:settings]        || {}
+    self.decryption_keys = options[:decryption_keys] || {}
+    self.encryption_keys = options[:encryption_keys] || {}
+    self.pre_filters     = options[:pre_filters]     || [
+                                                          Filters::NamespaceFilter,
+                                                        ]
+    self.post_filters    = options[:post_filters]    || [
+                                                          Filters::DecryptionFilter,
+                                                          Filters::EnvironmentFilter,
+                                                          Filters::FailedDecryptionFilter,
+                                                          Filters::TranslateSecureKeysFilter,
+                                                        ]
   end
+  # rubocop:enable Metrics/CyclomaticComplexity, Metrics/LineLength
 
   ###
   # Internal: Converts a Settings object into a hash that is compatible as an
@@ -183,12 +188,14 @@ class   Settings
                        Settings.new(settings: other)
                      end
 
+    # rubocop:disable Metrics/LineLength
     Settings.new(
-      encryption_key: encryption_key || other_settings.encryption_key,
-      decryption_key: decryption_key || other_settings.decryption_key,
-      namespaces:     (namespaces + other_settings.namespaces),
-      settings:       raw_data.merge(other_settings.raw_data),
+      encryption_keys: encryption_keys.any? ? encryption_keys : other_settings.encryption_keys,
+      decryption_keys: decryption_keys.any? ? decryption_keys : other_settings.decryption_keys,
+      namespaces:      (namespaces + other_settings.namespaces),
+      settings:        raw_data.merge(other_settings.raw_data),
     )
+    # rubocop:enable Metrics/LineLength
   end
 
   ###
@@ -235,13 +242,17 @@ class   Settings
     ))
   end
 
-  protected
+  def method_missing(name, *args)
+    return data.public_send(name, *args) if data.respond_to?(name)
 
-  attr_accessor :pre_filters,
-                :post_filters,
-                :encryption_key,
-                :decryption_key,
-                :raw_data
+    super
+  end
+
+  def respond_to_missing?(name, include_private = false)
+    data.respond_to?(name, include_private)
+  end
+
+  protected
 
   def raw_data=(new_raw_data)
     @raw_data   = Hashie::Mash.new(new_raw_data)
@@ -265,24 +276,17 @@ class   Settings
     end
   end
 
+  def secure_key_prefix
+    '_secure_'
+  end
+
   def metadata
     {
-      namespaces:     namespaces,
-      decryption_key: decryption_key,
-      encryption_key: encryption_key,
+      decryption_keys:   decryption_keys,
+      encryption_keys:   encryption_keys,
+      namespaces:        namespaces,
+      secure_key_prefix: secure_key_prefix,
     }
   end
-
-  public
-
-  def method_missing(name, *args)
-    return data.public_send(name, *args) if data.respond_to?(name)
-
-    super
-  end
-
-  def respond_to_missing?(name, include_private = false)
-    data.respond_to?(name, include_private)
-  end
 end
 end