chamber 2.4.0 → 2.7.1

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/lib/chamber.rb

@@ -3,8 +3,6 @@ require 'chamber/instance'
 require 'chamber/rails'
 
 module  Chamber
-  extend self
-
   def load(options = {})
     self.instance = Instance.new(options)
   end
@@ -19,12 +17,10 @@ module  Chamber
 
   protected
 
-  def instance
-    @@instance ||= Instance.new({})
-  end
+  attr_accessor :instance
 
-  def instance=(new_instance)
-    @@instance = new_instance
+  def instance
+    @instance ||= Instance.new({})
   end
 
   public
@@ -38,4 +34,12 @@ module  Chamber
   def respond_to_missing?(name, include_private = false)
     instance.respond_to?(name, include_private)
   end
+
+  module_function :load,
+                  :to_s,
+                  :env,
+                  :instance,
+                  :instance=,
+                  :method_missing,
+                  :respond_to_missing?
 end

data/lib/chamber/binary/heroku.rb

@@ -7,50 +7,70 @@ require 'chamber/commands/heroku/compare'
 module  Chamber
 module  Binary
 class   Heroku < Thor
-
   class_option :app,
-                type:     :string,
-                aliases:  '-a',
-                required: true,
-                desc:     'The name of the Heroku application whose config values will be affected'
+               type:     :string,
+               aliases:  '-a',
+               required: true,
+               desc:     'The name of the Heroku application whose config values will ' \
+                         'be affected'
+
+  desc 'clear', 'Removes all Heroku environment variables which match settings that ' \
+                'Chamber knows about'
 
-  desc 'clear', 'Removes all Heroku environment variables which match settings that Chamber knows about'
   method_option :dry_run,
-                type:     :boolean,
-                aliases:  '-d',
-                desc:     'Does not actually remove anything, but instead displays what would change if cleared'
+                type:    :boolean,
+                aliases: '-d',
+                desc:    'Does not actually remove anything, but instead displays what ' \
+                         'would change if cleared'
+
   def clear
     Commands::Heroku::Clear.call(options)
   end
 
-  desc 'push', 'Sends settings to Heroku so that they may be used in the application once it is deployed'
+  desc 'push', 'Sends settings to Heroku so that they may be used in the application ' \
+               'once it is deployed'
+
   method_option :dry_run,
-                type:     :boolean,
-                aliases:  '-d',
-                desc:     'Does not actually push anything to Heroku, but instead displays what would change if pushed'
+                type:    :boolean,
+                aliases: '-d',
+                desc:    'Does not actually push anything to Heroku, but instead ' \
+                         'displays what would change if pushed'
+
   method_option :only_sensitive,
-                type:     :boolean,
-                aliases:  '-o',
-                default:  true,
-                desc:     'When enabled, only settings contained in files which have been gitignored or settings which are marked as "_secure" will be pushed'
+                type:    :boolean,
+                aliases: '-o',
+                default: true,
+                desc:    'When enabled, only settings contained in files which have ' \
+                         'been gitignored or settings which are marked as "_secure" ' \
+                         'will be pushed'
+
   def push
     Commands::Heroku::Push.call(options)
   end
 
-  desc 'pull', 'Retrieves the environment variables for the application and stores them in a temporary file'
+  desc 'pull', 'Retrieves the environment variables for the application and stores ' \
+               'them in a temporary file'
+
   method_option :into,
-                type:     :string,
-                desc:     'The file into which the Heroku config information should be stored. This file WILL BE OVERRIDDEN.'
+                type: :string,
+                desc: 'The file into which the Heroku config information should be ' \
+                      'stored. This file WILL BE OVERRIDDEN.'
+
   def pull
     puts Commands::Heroku::Pull.call(options)
   end
 
-  desc 'compare', 'Displays the difference between what is currently stored in the Heroku application\'s config and what Chamber knows about locally'
+  desc 'compare', 'Displays the difference between what is currently stored in the ' \
+                  'Heroku application\'s config and what Chamber knows about locally'
+
   method_option :only_sensitive,
-                type:     :boolean,
-                aliases:  '-o',
-                default:  true,
-                desc:     'When enabled, the diff will only consider settings contained in files which have been gitignored or settings which are marked as "_secure"'
+                type:    :boolean,
+                aliases: '-o',
+                default: true,
+                desc:    'When enabled, the diff will only consider settings ' \
+                         'contained in files which have been gitignored or settings ' \
+                         'which are marked as "_secure"'
+
   def compare
     Commands::Heroku::Compare.call(options)
   end

data/lib/chamber/binary/runner.rb

@@ -16,49 +16,72 @@ class   Runner < Thor
   source_root ::File.expand_path('../../../../templates', __FILE__)
 
   class_option  :rootpath,
-                type:     :string,
-                aliases:  '-r',
-                default:  ENV['PWD'],
-                desc:     'The root filepath of the application'
+                type:    :string,
+                aliases: '-r',
+                default: ENV['PWD'],
+                desc:    'The root filepath of the application'
+
   class_option  :basepath,
-                type:     :string,
-                aliases:  '-b',
-                desc:     'The base filepath where Chamber will look for the conventional settings files'
+                type:    :string,
+                aliases: '-b',
+                desc:    'The base filepath where Chamber will look for the ' \
+                         'conventional settings files'
+
   class_option  :files,
-                type:     :array,
-                aliases:  '-f',
-                desc:     'The set of file globs that Chamber will use for processing'
+                type:    :array,
+                aliases: '-f',
+                desc:    'The set of file globs that Chamber will use for processing'
+
   class_option  :namespaces,
-                type:     :array,
-                aliases:  '-n',
-                default:  [],
-                desc:     'The set of namespaces that Chamber will use for processing'
+                type:    :array,
+                aliases: '-n',
+                default: [],
+                desc:    'The set of namespaces that Chamber will use for processing'
+
   class_option  :preset,
-                type:     :string,
-                aliases:  '-p',
-                enum:     ['rails'],
-                desc:     'Used to quickly assign a given scenario to the chamber command (eg Rails apps)'
+                type:    :string,
+                aliases: '-p',
+                enum:    %w{rails},
+                desc:    'Used to quickly assign a given scenario to the chamber ' \
+                         'command (eg Rails apps)'
+
   class_option  :decryption_key,
-                type:     :string,
-                desc:     'The path to or contents of the private key associated with the project (typically .chamber.pem)'
+                type: :string,
+                desc: 'The path to or contents of the private key associated with ' \
+                      'the project (typically .chamber.pem)'
+
   class_option  :encryption_key,
-                type:     :string,
-                desc:     'The path to or contents of the public key associated with the project (typically .chamber.pub.pem)'
+                type: :string,
+                desc: 'The path to or contents of the public key associated with ' \
+                      'the project (typically .chamber.pub.pem)'
+
   class_option  :shell,
-                default:  self.new,
-                desc:     'The command runner.  Can be overridden for specific logging capabilities.'
+                default: new,
+                desc:    'The command runner.  Can be overridden for specific logging ' \
+                         'capabilities.'
 
   desc 'travis SUBCOMMAND ...ARGS',   'For manipulating Travis CI environment variables'
-  subcommand 'travis',    Chamber::Binary::Travis
+  subcommand 'travis', Chamber::Binary::Travis
 
   desc 'heroku SUBCOMMAND ...ARGS',   'For manipulating Heroku environment variables'
-  subcommand 'heroku',    Chamber::Binary::Heroku
+  subcommand 'heroku', Chamber::Binary::Heroku
 
   desc 'show', 'Displays the list of settings and their values'
+
   method_option :as_env,
-                type:     :boolean,
-                aliases:  '-e',
-                desc:     'Whether the displayed settings should be environment variable compatible'
+                type:    :boolean,
+                aliases: '-e',
+                desc:    'Whether the displayed settings should be environment ' \
+                         'variable compatible'
+
+  desc 'only_sensitive', 'Only show secured/securable settings'
+
+  method_option :only_sensitive,
+                type:    :boolean,
+                aliases: '-s',
+                desc:    'Only displays the settings that are/should be secured. ' \
+                         'Useful for debugging.'
+
   def show
     puts Commands::Show.call(options)
   end
@@ -68,34 +91,49 @@ class   Runner < Thor
     puts Commands::Files.call(options)
   end
 
-  desc 'compare', 'Displays the difference between what is currently stored in the Heroku application\'s config and what Chamber knows about locally'
+  desc 'compare', 'Displays the difference between what is currently stored in the ' \
+                  'Heroku application\'s config and what Chamber knows about locally'
+
   method_option :keys_only,
-                type:     :boolean,
-                default:  true,
-                desc:     'Whether or not to only compare the keys but not the values of the two sets of settings'
+                type:    :boolean,
+                default: true,
+                desc:    'Whether or not to only compare the keys but not the values ' \
+                         'of the two sets of settings'
+
   method_option :first,
-                type:     :array,
-                desc:     'The list of namespaces which will be used as the source of the comparison'
+                type: :array,
+                desc: 'The list of namespaces which will be used as the source of ' \
+                      'the comparison'
+
   method_option :second,
-                type:     :array,
-                desc:     'The list of namespaces which will be used as the destination of the comparison'
+                type: :array,
+                desc: 'The list of namespaces which will be used as the destination ' \
+                      'of the comparison'
+
   def compare
     Commands::Compare.call(options)
   end
 
-  desc 'secure', 'Secures any values which appear to need to be encrypted in any of the settings files which match irrespective of namespaces'
+  desc 'secure', 'Secures any values which appear to need to be encrypted in any of ' \
+                 'the settings files which match irrespective of namespaces'
+
   method_option :only_sensitive,
-                type:     :boolean,
-                default:  true
+                type:    :boolean,
+                default: true
+
   method_option :dry_run,
-                type:     :boolean,
-                aliases:  '-d',
-                desc:     'Does not actually encrypt anything, but instead displays what values would be encrypted'
+                type:    :boolean,
+                aliases: '-d',
+                desc:    'Does not actually encrypt anything, but instead displays ' \
+                         'what values would be encrypted'
+
   def secure
     Commands::Secure.call(options)
   end
 
-  desc 'init', 'Sets Chamber up matching best practices for secure configuration management'
+  desc 'init', 'Sets Chamber up matching best practices for secure configuration ' \
+               'management'
+
   def init
     Commands::Initialize.call(options)
   end

data/lib/chamber/binary/travis.rb

@@ -4,17 +4,23 @@ require 'chamber/commands/travis/secure'
 module  Chamber
 module  Binary
 class   Travis < Thor
+  desc 'secure', 'Uses your Travis CI public key to encrypt the settings you have ' \
+                 'chosen not to commit to the repo'
 
-  desc 'secure', 'Uses your Travis CI public key to encrypt the settings you have chosen not to commit to the repo'
   method_option :dry_run,
-                type:     :boolean,
-                aliases:  '-d',
-                desc:     'Does not actually encrypt anything to .travis.yml, but instead displays what values would be encrypted'
+                type:    :boolean,
+                aliases: '-d',
+                desc:    'Does not actually encrypt anything to .travis.yml, but ' \
+                         'instead displays what values would be encrypted'
+
   method_option :only_sensitive,
-                type:     :boolean,
-                aliases:  '-o',
-                default:  true,
-                desc:     'Does not encrypt settings into .travis.yml unless they are  contained in files which have been gitignored or settings which are marked as "_secure"'
+                type:    :boolean,
+                aliases: '-o',
+                default: true,
+                desc:    'Does not encrypt settings into .travis.yml unless they are ' \
+                         'contained in files which have been gitignored or settings ' \
+                         'which are marked as "_secure"'
+
   def secure
     Commands::Travis::Secure.call(options)
   end

data/lib/chamber/commands/base.rb

@@ -4,7 +4,6 @@ require 'chamber/instance'
 module  Chamber
 module  Commands
 class   Base
-
   def initialize(options = {})
     self.chamber  = Chamber::Instance.new options
     self.shell    = options[:shell]
@@ -13,7 +12,7 @@ class   Base
   end
 
   def self.call(options = {})
-    self.new(options).call
+    new(options).call
   end
 
   protected

data/lib/chamber/commands/comparable.rb

@@ -3,7 +3,6 @@ require 'tempfile'
 module  Chamber
 module  Commands
 module  Comparable
-
   def initialize(options = {})
     super
 

data/lib/chamber/commands/compare.rb

@@ -18,7 +18,7 @@ class   Compare < Chamber::Commands::Base
   end
 
   def self.call(options = {})
-    self.new(options).call
+    new(options).call
   end
 
   protected

data/lib/chamber/commands/files.rb

@@ -3,7 +3,6 @@ require 'chamber/commands/base'
 module  Chamber
 module  Commands
 class   Files < Chamber::Commands::Base
-
   def call
     chamber.filenames
   end

data/lib/chamber/commands/heroku.rb

@@ -3,7 +3,6 @@ require 'bundler'
 module  Chamber
 module  Commands
 module  Heroku
-
   def initialize(options = {})
     super
 
@@ -15,7 +14,7 @@ module  Heroku
   attr_accessor :app
 
   def configuration
-    @configuration ||= heroku("config --shell").chomp
+    @configuration ||= heroku('config --shell').chomp
   end
 
   def heroku(command)
@@ -23,7 +22,7 @@ module  Heroku
   end
 
   def app_option
-    app ? " --app #{app}" : ""
+    app ? " --app #{app}" : ''
   end
 end
 end

data/lib/chamber/commands/heroku/push.rb

@@ -15,7 +15,7 @@ class   Push < Chamber::Commands::Base
         shell.say_status 'push', key, :blue
       else
         shell.say_status 'push', key, :green
-        shell.say heroku(%Q{config:set #{key}=#{value}})
+        heroku("config:set #{key}=#{value}")
       end
     end
   end

data/lib/chamber/commands/initialize.rb

@@ -6,29 +6,56 @@ require 'chamber/commands/base'
 module  Chamber
 module  Commands
 class   Initialize < Chamber::Commands::Base
-
   def initialize(options = {})
     super
 
     self.basepath = Chamber.configuration.basepath
   end
 
+  # rubocop:disable Metrics/LineLength, Metrics/MethodLength
   def call
-    shell.create_file private_key_filepath, rsa_private_key.to_pem
-    shell.create_file public_key_filepath,  rsa_public_key.to_pem
+    shell.create_file private_key_filepath,    rsa_private_key.to_pem
+    shell.create_file protected_key_filepath,  rsa_protected_key
+    shell.create_file public_key_filepath,     rsa_public_key.to_pem
 
     `chmod 600 #{private_key_filepath}`
+    `chmod 600 #{protected_key_filepath}`
     `chmod 644 #{public_key_filepath}`
 
     unless ::File.read(gitignore_filepath).match(/^.chamber.pem$/)
-      shell.append_to_file gitignore_filepath, private_key_filepath.basename.to_s
+      shell.append_to_file gitignore_filepath, private_key_filename
+      shell.append_to_file gitignore_filepath, protected_key_filename
     end
 
     shell.copy_file settings_template_filepath, settings_filepath
+
+    shell.say ''
+    shell.say 'The passphrase for your encrypted private key is:', :green
+    shell.say ''
+    shell.say rsa_key_passphrase, :green
+    shell.say ''
+    shell.say 'Store this securely somewhere.', :green
+    shell.say ''
+    shell.say 'You can send them the file located at:', :green
+    shell.say ''
+    shell.say protected_key_filepath, :green
+    shell.say ''
+    shell.say 'and not have to worry about sending it via a secure medium (such as', :green
+    shell.say 'email), however do not send the passphrase along with it.  Give it to'
+    shell.say 'your team members in person.', :green
+    shell.say ''
+    shell.say 'In order for them to decrypt it (for use with Chamber), they can run:'
+    shell.say ''
+    shell.say "$ cp /path/to/{#{protected_key_filename},#{private_key_filename}}", :green
+    shell.say "$ ssh-keygen -p -f /path/to/#{private_key_filename}", :green
+    shell.say ''
+    shell.say 'Enter the passphrase when prompted and leave the new passphrase blank.', :green
+    shell.say ''
   end
+  # rubocop:enable Metrics/LineLength, Metrics/MethodLength
 
   def self.call(options = {})
-    self.new(options).call
+    new(options).call
   end
 
   protected
@@ -40,7 +67,12 @@ class   Initialize < Chamber::Commands::Base
   end
 
   def templates_path
-    @templates_path             ||= Pathname.new(::File.expand_path('../../../../templates', __FILE__))
+    @templates_path             ||= gem_path + 'templates'
+  end
+
+  def gem_path
+    @gem_path                   ||= Pathname.new(
+                                      ::File.expand_path('../../../..', __FILE__))
   end
 
   def settings_filepath
@@ -51,24 +83,49 @@ class   Initialize < Chamber::Commands::Base
     @gitignore_filepath         ||= rootpath + '.gitignore'
   end
 
+  def protected_key_filepath
+    @protected_key_filepath     ||= rootpath + protected_key_filename
+  end
+
   def private_key_filepath
-    @private_key_filepath       ||= rootpath + '.chamber.pem'
+    @private_key_filepath       ||= rootpath + private_key_filename
   end
 
   def public_key_filepath
-    @public_key_filepath        ||= rootpath + '.chamber.pub.pem'
+    @public_key_filepath        ||= rootpath + public_key_filename
+  end
+
+  def protected_key_filename
+    '.chamber.pem.enc'
   end
 
-  def rsa_key
-    @rsa_key                    ||= OpenSSL::PKey::RSA.new(2048)
+  def private_key_filename
+    '.chamber.pem'
+  end
+
+  def public_key_filename
+    '.chamber.pub.pem'
+  end
+
+  def rsa_protected_key
+    @rsa_protected_key          ||= begin
+                                      cipher = OpenSSL::Cipher.new 'AES-128-CBC'
+                                      key    = OpenSSL::PKey::RSA.new(2048)
+
+                                      key.export cipher, rsa_key_passphrase
+                                    end
   end
 
   def rsa_private_key
-    rsa_key
+    @rsa_private_key            ||= OpenSSL::PKey::RSA.new(2048)
   end
 
   def rsa_public_key
-    rsa_key.public_key
+    rsa_private_key.public_key
+  end
+
+  def rsa_key_passphrase
+    @rsa_key_passphrase         ||= SecureRandom.uuid
   end
 end
 end