chamber 3.0.0rc1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3119f8787d3c63913a0ab69a0114cbf6d43a154ad1703aef610a2b02720b0cbc
-  data.tar.gz: ed25f8e4a9f93045c94aba4776fa6a0296f9db9f1312e4a1dadeb35343eba140
+  metadata.gz: 0d89ed0b7af0eced2bb6890ea18af915dfdecaf4e521fb8f48bea9bc39fbbaae
+  data.tar.gz: 5befdc9cd11ca4e0aced5a7da916f6d849e49eb3a8a60df63cd61c9afb5e5637
 SHA512:
-  metadata.gz: acc3d5daf9e6570ccf16e76b8433e8d0912cdd85f4858f6634ee37531aa6a1c53b47621afeb21c0b9524eea6f8af3a02b52872f843b28a3f94d3e20bfa582880
-  data.tar.gz: 39a117062b19f734066f11c405730e499cc0325e6b2e3fd208aa68a930645e28f6b88f4f98e43133e8b70457d82ac3860f426b1385611b0d4b924003f79f0490
+  metadata.gz: 3bdebbf96a6ca8183d4f480230d2cffe39d2d927f9ffa3fe396ab394271e3f33c7fcde2c58259483617817fc2fe1528c92391ecd822845de71e9d3dddca6a67a
+  data.tar.gz: 54603c3d40c94f6d4b7c57bd7a424730afe1e3d1ddd9e499426d14fa57549176bb32844034ef8da3b0fee1c38c9d3245e920941dc65c671a7362150f7ba157a9

data/README.md

@@ -19,7 +19,7 @@ Chamber
   </a>
 
   <a href="https://github.com/thekompanee/chamber/actions?query=workflow%3ABuild" alt="Build Status">
-    <img src="https://img.shields.io/github/workflow/status/thekompanee/chamber/Build?label=CI&style=flat-square&logo=github" alt="Build Status" />
+    <img src="https://img.shields.io/github/actions/workflow/status/thekompanee/chamber/testing.yml?branch=master&label=CI&style=flat-square&logo=github" alt="Build Status" />
   </a>
 
   <a href="#" alt="Maintainability">
@@ -61,11 +61,11 @@ smtp_username: 'my_username'
 smtp_password: 'my_password'
 ```
 
-From there you can access your settings by using the special `Chamber.env`
+From there you can access your settings by using the special `Chamber.dig`
 constant.
 
 ```ruby
-Chamber.env.smtp_password
+Chamber.dig('smtp_password')
 # => 'my_password'
 ```
 
@@ -92,7 +92,7 @@ which you still access the same way because Chamber handles the decryption for
 you:
 
 ```ruby
-Chamber.env.smtp_password
+Chamber.dig('smtp_password')
 # => 'my_password'
 ```
 
@@ -117,7 +117,7 @@ The names and logos for The Kompanee are trademarks of The Kompanee, Ltd.
 License
 --------------------------------------------------------------------------------
 
-Chamber is Copyright © 2014-2021 Jeff Felchner and Mark McEahern. It is free
+Chamber is Copyright © 2014-2023 Jeff Felchner and Mark McEahern. It is free
 software, and may be redistributed under the terms specified in the
 [LICENSE][license] file.
 

data/lib/chamber/binary/runner.rb

@@ -12,20 +12,18 @@ require 'chamber/commands/sign'
 require 'chamber/commands/verify'
 require 'chamber/commands/compare'
 require 'chamber/commands/initialize'
-require 'chamber/refinements/hash'
 
 module  Chamber
 module  Binary
-class   Runner < ::Thor
-  include ::Thor::Actions
-  using ::Chamber::Refinements::Hash
+class   Runner < Thor
+  include Thor::Actions
 
   source_root ::File.expand_path('../../../templates', __dir__)
 
   class_option  :rootpath,
                 type:    :string,
                 aliases: '-r',
-                default: ENV['PWD'],
+                default: ENV.fetch('PWD', nil),
                 desc:    'The root filepath of the application'
 
   class_option  :basepath,
@@ -94,7 +92,7 @@ class   Runner < ::Thor
                          'Useful for debugging.'
 
   def show
-    puts Commands::Show.call(**options.deep_transform_keys(&:to_sym).merge(shell: self))
+    puts Commands::Show.call(**options.transform_keys(&:to_sym).merge(shell: self))
   end
 
   ################################################################################
@@ -102,7 +100,7 @@ class   Runner < ::Thor
   desc 'files', 'Lists the settings files which are parsed with the given options'
 
   def files
-    puts Commands::Files.call(**options.deep_transform_keys(&:to_sym).merge(shell: self))
+    puts Commands::Files.call(**options.transform_keys(&:to_sym).merge(shell: self))
   end
 
   ################################################################################
@@ -132,7 +130,7 @@ class   Runner < ::Thor
                           'destination of the comparison'
 
   def compare
-    Commands::Compare.call(**options.deep_transform_keys(&:to_sym).merge(shell: self))
+    Commands::Compare.call(**options.transform_keys(&:to_sym).merge(shell: self))
   end
 
   ################################################################################
@@ -152,7 +150,7 @@ class   Runner < ::Thor
                          'what values would be encrypted'
 
   def secure
-    Commands::Secure.call(**options.deep_transform_keys(&:to_sym).merge(shell: self))
+    Commands::Secure.call(**options.transform_keys(&:to_sym).merge(shell: self))
   end
 
   ################################################################################
@@ -171,9 +169,9 @@ class   Runner < ::Thor
 
   def sign
     if options[:verify]
-      Commands::Verify.call(**options.deep_transform_keys(&:to_sym).merge(shell: self))
+      Commands::Verify.call(**options.transform_keys(&:to_sym).merge(shell: self))
     else
-      Commands::Sign.call(**options.deep_transform_keys(&:to_sym).merge(shell: self))
+      Commands::Sign.call(**options.transform_keys(&:to_sym).merge(shell: self))
     end
   end
 
@@ -187,7 +185,7 @@ class   Runner < ::Thor
                 default: false
 
   def init
-    Commands::Initialize.call(**options.deep_transform_keys(&:to_sym).merge(shell: self))
+    Commands::Initialize.call(**options.transform_keys(&:to_sym).merge(shell: self))
   end
 end
 end

data/lib/chamber/commands/base.rb

@@ -6,15 +6,15 @@ require 'chamber/instance'
 module  Chamber
 module  Commands
 class   Base
-  def self.call(**args)
-    new(**args).call
-  end
-
   attr_accessor :chamber,
                 :dry_run,
                 :rootpath,
                 :shell
 
+  def self.call(**args)
+    new(**args).call
+  end
+
   def initialize(shell: nil, rootpath: nil, dry_run: nil, **args)
     self.chamber  = Chamber::Instance.new(rootpath: rootpath, **args)
     self.shell    = shell

data/lib/chamber/commands/initialize.rb

@@ -11,14 +11,14 @@ require 'chamber/commands/base'
 module  Chamber
 module  Commands
 class   Initialize < Chamber::Commands::Base
-  def self.call(**args)
-    new(**args).call
-  end
-
   attr_accessor :basepath,
                 :namespaces,
                 :signature
 
+  def self.call(**args)
+    new(**args).call
+  end
+
   def initialize(signature:, namespaces: [], **args)
     super(**args)
 
@@ -194,7 +194,7 @@ class   Initialize < Chamber::Commands::Base
       .chamber*.enc.pass
       !.chamber*.pub.pem
     }.each do |pattern|
-      unless gitignore_contents =~ Regexp.new(Regexp.escape(pattern))
+      unless gitignore_contents&.match?(Regexp.new(Regexp.escape(pattern)))
         shell.append_to_file gitignore_filepath, "#{pattern}\n"
       end
     end

data/lib/chamber/commands/securable.rb

@@ -2,18 +2,15 @@
 
 require 'shellwords'
 require 'chamber/instance'
-require 'chamber/refinements/hash'
 
 module  Chamber
 module  Commands
 module  Securable
-  using ::Chamber::Refinements::Hash
-
   def initialize(only_sensitive: nil, **args)
     super(**args)
 
     ignored_settings_options        = args
-                                        .deep_merge(files: ignored_settings_filepaths)
+                                        .merge(files: ignored_settings_filepaths)
                                         .reject { |k, _v| k == 'basepath' }
     self.ignored_settings_instance  = Chamber::Instance.new(**ignored_settings_options)
     self.current_settings_instance  = Chamber::Instance.new(**args)
@@ -55,11 +52,10 @@ module  Securable
       Shellwords.escape(filename)
     end
 
-    `
-      git ls-files --other --ignored --exclude-per-directory=.gitignore |
-      sed -e "s|^|#{Shellwords.escape(rootpath.to_s)}/|" |
-      grep --colour=never -E '#{shell_escaped_chamber_filenames.join('|')}'
-    `.split("\n")
+    `git ls-files --other --ignored --exclude-per-directory=.gitignore`
+      .split("\n")
+      .map    { |filename| "#{Shellwords.escape(rootpath.to_s)}/#{filename}" }
+      .select { |filename| shell_escaped_chamber_filenames.include?(filename) }
   end
 end
 end

data/lib/chamber/commands/show.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require 'pp'
 require 'chamber/commands/base'
 
 module  Chamber

data/lib/chamber/context_resolver.rb

@@ -10,6 +10,10 @@ module  Chamber
 class   ContextResolver
   attr_accessor :options
 
+  def self.resolve(**args)
+    new(**args).resolve
+  end
+
   def initialize(**args)
     self.options = args
   end
@@ -41,16 +45,13 @@ class   ContextResolver
                                     options[:basepath] + 'settings*.yml',
                                     options[:basepath] + 'settings',
                                   ]
+
     options[:signature_name]    = options[:signature_name]
 
     options
   end
   # rubocop:enable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Metrics/AbcSize, Layout/LineLength
 
-  def self.resolve(**args)
-    new(**args).resolve
-  end
-
   protected
 
   def resolve_namespaces(other)

data/lib/chamber/encryption_methods/public_key.rb

@@ -2,29 +2,41 @@
 
 require 'base64'
 
+require 'chamber/errors/disallowed_class'
+
 module  Chamber
 module  EncryptionMethods
 class   PublicKey
-  def self.encrypt(_key, value, encryption_key)
+  def self.encrypt(_settings_key, value, encryption_key)
     value            = YAML.dump(value)
     encrypted_string = encryption_key.public_encrypt(value)
 
     Base64.strict_encode64(encrypted_string)
   end
 
-  def self.decrypt(_key, value, decryption_key)
-    if decryption_key.nil?
-      value
-    else
-      decoded_string    = Base64.strict_decode64(value)
-      unencrypted_value = decryption_key.private_decrypt(decoded_string)
-
-      begin
-        _unserialized_value = YAML.load(unencrypted_value)
-      rescue TypeError
-        unencrypted_value
-      end
-    end
+  def self.decrypt(_settings_key, value, decryption_key)
+    return value if decryption_key.nil?
+
+    decoded_string    = ::Base64.strict_decode64(value)
+    unencrypted_value = decryption_key.private_decrypt(decoded_string)
+
+    ::YAML.safe_load(unencrypted_value,
+                     aliases:           true,
+                     permitted_classes: [
+                                          ::Date,
+                                          ::Time,
+                                          ::Regexp,
+                                        ])
+  rescue ::Psych::DisallowedClass => error
+    raise ::Chamber::Errors::DisallowedClass, <<~HEREDOC
+      #{error.message}
+
+      You attempted to load a class instance via your Chamber settings that is not allowed.
+
+      See https://github.com/thekompanee/chamber/wiki/Upgrading-To-Chamber-3.0#limiting-complex-classes for full details.
+    HEREDOC
+  rescue ::TypeError
+    unencrypted_value
   end
 end
 end

data/lib/chamber/encryption_methods/ssl.rb

@@ -16,7 +16,7 @@ class   Ssl
                                 \z
                               /x.freeze
 
-  def self.encrypt(_key, value, encryption_keys) # rubocop:disable Metrics/AbcSize
+  def self.encrypt(_settings_key, value, encryption_keys) # rubocop:disable Metrics/AbcSize
     value         = YAML.dump(value)
     cipher        = OpenSSL::Cipher.new('AES-128-CBC')
     cipher.encrypt
@@ -35,38 +35,46 @@ class   Ssl
     Base64.strict_encode64(encrypted_data)
   end
 
-  def self.decrypt(key, value, decryption_keys) # rubocop:disable Metrics/AbcSize
-    if decryption_keys.nil?
-      value
-    else
-      key, iv, decoded_string = value
-                                  .match(LARGE_DATA_STRING_PATTERN)
-                                  .captures
-                                  .map do |part|
-        Base64.strict_decode64(part)
-      end
-      key                     = decryption_keys.private_decrypt(key)
+  def self.decrypt(_settings_key, value, decryption_keys) # rubocop:disable Metrics/AbcSize
+    return value if decryption_keys.nil?
 
-      cipher_dec = OpenSSL::Cipher.new('AES-128-CBC')
+    key, iv, decoded_string = value
+                                .match(LARGE_DATA_STRING_PATTERN)
+                                .captures
+                                .map do |part|
+                                  ::Base64.strict_decode64(part)
+                                end
+    key                     = decryption_keys.private_decrypt(key)
 
-      cipher_dec.decrypt
+    cipher_dec = ::OpenSSL::Cipher.new('AES-128-CBC')
 
-      cipher_dec.key = key
-      cipher_dec.iv  = iv
+    cipher_dec.decrypt
 
-      begin
-        unencrypted_value = cipher_dec.update(decoded_string) + cipher_dec.final
-      rescue OpenSSL::Cipher::CipherError
-        raise Chamber::Errors::DecryptionFailure,
-              'A decryption error occurred. It was probably due to invalid key data.'
-      end
+    cipher_dec.key = key
+    cipher_dec.iv  = iv
 
-      begin
-        _unserialized_value = YAML.load(unencrypted_value)
-      rescue TypeError
-        unencrypted_value
-      end
-    end
+    unencrypted_value = cipher_dec.update(decoded_string) + cipher_dec.final
+
+    ::YAML.safe_load(unencrypted_value,
+                     aliases:           true,
+                     permitted_classes: [
+                                          ::Date,
+                                          ::Time,
+                                          ::Regexp,
+                                        ])
+  rescue ::OpenSSL::Cipher::CipherError
+    raise ::Chamber::Errors::DecryptionFailure,
+          'A decryption error occurred. It was probably due to invalid key data.'
+  rescue ::Psych::DisallowedClass => error
+    raise ::Chamber::Errors::DisallowedClass, <<~HEREDOC
+      #{error.message}
+
+      You attempted to load a class instance via your Chamber settings that is not allowed.
+
+      See https://github.com/thekompanee/chamber/wiki/Upgrading-To-Chamber-3.0#limiting-complex-classes for full details.
+    HEREDOC
+  rescue ::TypeError
+    unencrypted_value
   end
 end
 end

data/lib/chamber/errors/disallowed_class.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module  Chamber
+module  Errors
+class   DisallowedClass < ::ArgumentError
+end
+end
+end

data/lib/chamber/errors/invalid_key_type.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module Chamber
+module Errors
+class  InvalidKeyType < ::ArgumentError
+end
+end
+end

data/lib/chamber/errors/missing_index.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Chamber
+module Errors
+class  MissingIndex < ::IndexError
+  def initialize(missing_index, all_keys)
+    super(<<~HEREDOC.chomp)
+      You attempted to access setting '#{all_keys.join(':')}' but the index '#{missing_index}' in the array did not exist.
+    HEREDOC
+  end
+end
+end
+end

data/lib/chamber/errors/missing_setting.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Chamber
+module Errors
+class  MissingSetting < ::KeyError
+  def initialize(missing_key, all_keys)
+    super(<<~HEREDOC.chomp)
+      You attempted to access setting '#{all_keys.join(':')}' but '#{missing_key}' did not exist.
+    HEREDOC
+  end
+end
+end
+end

data/lib/chamber/errors/non_conforming_key.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module  Chamber
+module  Errors
+class   NonConformingKey < ::ArgumentError
+end
+end
+end

data/lib/chamber/file.rb

@@ -4,7 +4,6 @@ require 'pathname'
 require 'yaml'
 require 'erb'
 require 'chamber/files/signature'
-require 'chamber/refinements/hash'
 
 ###
 # Internal: Represents a single file containing settings information in a given
@@ -12,8 +11,6 @@ require 'chamber/refinements/hash'
 #
 module  Chamber
 class   File < Pathname
-  using ::Chamber::Refinements::Hash
-
   attr_accessor :namespaces,
                 :decryption_keys,
                 :encryption_keys,
@@ -144,10 +141,24 @@ class   File < Pathname
 
   def file_contents_hash
     file_contents = read
-    erb_result    = ERB.new(file_contents).result
-
-    (YAML.load(erb_result) || {}).deep_transform_keys(&:to_s)
-  rescue Errno::ENOENT
+    erb_result    = ::ERB.new(file_contents).result
+
+    ::YAML.safe_load(erb_result,
+                     aliases:           true,
+                     permitted_classes: [
+                                          ::Date,
+                                          ::Time,
+                                          ::Regexp,
+                                        ]) || {}
+  rescue ::Psych::DisallowedClass => error
+    raise ::Chamber::Errors::DisallowedClass, <<~HEREDOC
+      #{error.message}
+
+      You attempted to load a class instance via your Chamber settings that is not allowed.
+
+      See https://github.com/thekompanee/chamber/wiki/Upgrading-To-Chamber-3.0#limiting-complex-classes for full details.
+    HEREDOC
+  rescue ::Errno::ENOENT
     {}
   end
 end

data/lib/chamber/file_set.rb

@@ -257,7 +257,11 @@ class   FileSet
   private
 
   def all_files
-    @all_files ||= file_globs.map { |fg| Pathname.glob(fg) }.flatten.uniq.sort # rubocop:disable Performance/ChainArrayAllocation
+    @all_files ||= file_globs
+                     .map { |fg| Pathname.glob(fg) }
+                     .flatten
+                     .uniq
+                     .sort
   end
 
   def non_namespaced_files

data/lib/chamber/files/signature.rb

@@ -42,13 +42,13 @@ class  Signature
   end
 
   def write
-    signature_filename.write(<<-HEREDOC, 0, mode: 'w+')
-Signed By: #{signature_name}
-Signed At: #{Time.now.utc.iso8601}
+    signature_filename.write(<<~HEREDOC, 0, mode: 'w+')
+      Signed By: #{signature_name}
+      Signed At: #{Time.now.utc.iso8601}
 
-#{SIGNATURE_HEADER}
-#{encoded_signature}
-#{SIGNATURE_FOOTER}
+      #{SIGNATURE_HEADER}
+      #{encoded_signature}
+      #{SIGNATURE_FOOTER}
     HEREDOC
   end
 

data/lib/chamber/filters/decryption_filter.rb

@@ -35,16 +35,16 @@ class   DecryptionFilter
                 :secure_key_token
   attr_reader   :decryption_keys
 
+  def self.execute(**args)
+    new(**args).__send__(:execute)
+  end
+
   def initialize(data:, secure_key_prefix:, decryption_keys: {}, **_args)
-    self.decryption_keys  = decryption_keys || {}
+    self.decryption_keys  = (decryption_keys || {}).transform_keys(&:to_s)
     self.data             = data.deep_dup
     self.secure_key_token = /\A#{Regexp.escape(secure_key_prefix)}/
   end
 
-  def self.execute(**args)
-    new(**args).__send__(:execute)
-  end
-
   protected
 
   def execute(raw_data = data)
@@ -81,18 +81,16 @@ class   DecryptionFilter
     method = decryption_method(value)
 
     decryption_keys.each do |decryption_key|
-      begin
-        return method.decrypt(key, value, decryption_key)
-      rescue OpenSSL::PKey::RSAError
-        next
-      end
+      return method.decrypt(key, value, decryption_key)
+    rescue OpenSSL::PKey::RSAError
+      next
     end
 
     value
   end
 
   def decryption_method(value)
-    if value.respond_to?(:match)
+    if value.is_a?(::String)
       if value.match(BASE64_STRING_PATTERN)
         EncryptionMethods::PublicKey
       elsif value.match(LARGE_DATA_STRING_PATTERN)

data/lib/chamber/filters/encryption_filter.rb

@@ -28,16 +28,16 @@ class     EncryptionFilter
                 :secure_key_token
   attr_reader   :encryption_keys
 
+  def self.execute(**args)
+    new(**args).__send__(:execute)
+  end
+
   def initialize(data:, secure_key_prefix:, encryption_keys: {}, **_args)
-    self.encryption_keys  = encryption_keys || {}
+    self.encryption_keys  = (encryption_keys || {}).transform_keys(&:to_s)
     self.data             = data.deep_dup
     self.secure_key_token = /\A#{Regexp.escape(secure_key_prefix)}/
   end
 
-  def self.execute(**args)
-    new(**args).__send__(:execute)
-  end
-
   protected
 
   def execute(raw_data = data, namespace = nil)
@@ -53,7 +53,7 @@ class     EncryptionFilter
   end
 
   def encryption_keys=(other)
-    @encryption_keys = other.each_with_object({}) do |(namespace, keyish), memo|
+    @encryption_keys = other.each_with_object({}) do |(namespace, keyish), memo| # rubocop:disable Style/HashTransformValues
       memo[namespace] = if keyish.is_a?(OpenSSL::PKey::RSA)
                           keyish
                         elsif ::File.readable?(::File.expand_path(keyish))
@@ -69,8 +69,7 @@ class     EncryptionFilter
 
   def encrypt(namespace, key, value)
     method         = encryption_method(value)
-    namespace_key  = namespace ? namespace.to_sym : nil
-    encryption_key = encryption_keys[namespace_key] || encryption_keys[:__default]
+    encryption_key = encryption_keys[namespace] || encryption_keys['__default']
 
     return value unless encryption_key
 
@@ -78,7 +77,7 @@ class     EncryptionFilter
   end
 
   def encryption_method(value)
-    value_is_encrypted = value.respond_to?(:match) &&
+    value_is_encrypted = value.is_a?(::String) &&
                            (value.match(BASE64_STRING_PATTERN) ||
                             value.match(LARGE_DATA_STRING_PATTERN))