chamber 2.11.0 → 2.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 212f658524053ccae210207899aaadd11fca8dc3
-  data.tar.gz: 2ab2300b8a8a0107f7c094b79e344209f24a385a
+  metadata.gz: f2244ac836ff26be17476fae140643427bd61ec3
+  data.tar.gz: 3acbda9e98904305001f0aad0cd45f92909afbfa
 SHA512:
-  metadata.gz: 6d90c504c34d974a5d915aa1eb63f5c5c1c6dff4cf7fda43a072b2464e04d6d11ecacf196d921a5ecb9c2521a685a6199421abcfb6dad90c62f149cba277a273
-  data.tar.gz: d9168743dc703563e8e5ef86f4fb5fce13d00a3d6a7c590a7147d0902d2f8e73df7957fb070f8ce7d5541b483a7c5f8d94bf7b350ec56ab63a8d5ef58f27f357
+  metadata.gz: ca89abd49137ef3cae8a54b5a4a38029a55ef4e9498473dab173094704be265f0801e8698c34281dc624cbedb1b3f9f5d68ff6a3466b97b6c328575a6ab5c829
+  data.tar.gz: 5205ce62e2c54e5d5348a50e7bffa7fe2e196516b9d667f2b903c086f646e885c7d6459aba57fb9620edd96930f1480aa8655baa10f658fd312ad294a5e2c44a

data/README.md

@@ -1,45 +1,56 @@
-# Chamber [![Build Status](https://travis-ci.org/thekompanee/chamber.png)](https://travis-ci.org/thekompanee/chamber) [![Code Climate](https://codeclimate.com/github/thekompanee/chamber.png)](https://codeclimate.com/github/thekompanee/chamber) [![Code Climate](https://codeclimate.com/github/thekompanee/chamber/coverage.png)](https://codeclimate.com/github/thekompanee/chamber)
+# Chamber
+[![Gem Version](https://img.shields.io/gem/v/chamber.svg)](https://rubygems.org/gems/chamber) ![Rubygems Rank Overall](https://img.shields.io/gem/rt/chamber.svg) ![Rubygems Rank Daily](https://img.shields.io/gem/rd/chamber.svg) ![Rubygems Downloads](https://img.shields.io/gem/dv/chamber/stable.svg) [![Build Status](https://img.shields.io/travis/thekompanee/chamber/master.svg)](http://travis-ci.org/thekompanee/chamber) [![Code Climate](https://codeclimate.com/github/thekompanee/chamber.svg)](https://codeclimate.com/github/thekompanee/chamber) [![Code Climate](https://codeclimate.com/github/thekompanee/chamber/coverage.svg)](https://codeclimate.com/github/thekompanee/chamber)
 
-Chamber is the auto-encrypting, extremely organizable, Heroku-loving, CLI-having,
-non-extra-repo-needing, non-Rails-specific-ing, CI-serving configuration
-management library.
+Chamber is the auto-encrypting, extremely organizable, Heroku-loving,
+CLI-having, non-extra-repo-needing, non-Rails-specific-ing, CI-serving
+configuration management library.
 
-[![TrueFact](https://cloud.githubusercontent.com/assets/285582/4803823/ad8110fa-5e5e-11e4-90d6-59320045a786.png)](https://www.youtube.com/watch?v=NNG1OoH2RwE)
+We looked at all of the options out there and thought something was still
+missing, so we wrote Chamber.  We made it with lots of ❤ and we hope you like it
+as much as we do.
 
-**Our Ten Commandments of Configuration Management**
+## What Sets Chamber Apart?
 
-<img src="https://akiajm7spx4gtbhaxe3qcomhaystacksoftwarearp.s3.amazonaws.com/photos/readmes/ten-commandments.png" align="right" />
+For an idea of how Chamber compares to other popular libraries, check out our
+[Gem Comparison][comparison].
 
-1. Thou shalt be configurable, but [use conventions so that configuration isn't
-   necessary](https://github.com/thekompanee/chamber/wiki/Basic-Usage#convention-over-configuration)
-1. Thou shalt [seamlessly work with Heroku](https://github.com/thekompanee/chamber/wiki/Heroku) or other deployment platforms, where custom
-   settings must be stored in [environment variables](https://github.com/thekompanee/chamber/wiki/Environment-Variable-Compatibility)
-1. Thou shalt seamlessly work with [Travis CI](https://github.com/thekompanee/chamber/wiki/TravisCI) and other cloud CI platforms
-1. Thou shalt not force users to use arcane
-   [long_variables_to_keep_their_settings_organized](https://github.com/thekompanee/chamber/wiki/Accessing-Settings)
-1. Thou shalt not require users keep a separate repo or cloud share sync [just to
-   keep their secure settings updated](https://github.com/thekompanee/chamber/wiki/Encrypting-Your-Settings)
-1. Thou shalt not be bound to a single framework like Rails (it should be usable [in
-   plain Ruby projects](https://github.com/thekompanee/chamber/wiki/Basic-Usage#in-a-plain-old-ruby-project))
-1. Thou shalt have an [easy-to-use CLI](https://github.com/thekompanee/chamber/wiki/Command-Line-Reference) for scripting
-1. Thou shalt easily integrate with Capistrano for deployments
-1. Thou shalt be [well documented](https://github.com/thekompanee/chamber/wiki/) with full test coverage
-1. Thou shalt not have to worry about [accidentally committing secure settings](https://github.com/thekompanee/chamber/wiki/Git-Commit-Hook)
+## Basic Usage
 
-## Full Reference
-
-Visit the [wiki](https://github.com/thekompanee/chamber/wiki)
+You can view our Basic Usage Guide [here][basic-usage].  Otherwise, for the full
+Chamber guide, visit the [wiki][wiki].
 
 ## Credits
 
-Chamber was written by Jeff Felchner and Mark McEahern.
+Chamber was written by [Jeff Felchner][jeff-profile] and
+[Mark McEahern][mark-profile]
 
-![The Kompanee](https://www.dropbox.com/s/86jfka1d6bhv8as/kompanee-text-black.png?dl=1)
+![The Kompanee][kompanee-logo]
 
-Chamber is maintained and funded by [The Kompanee, Ltd.](http://www.thekompanee.com/)
+Chamber is maintained and funded by [The Kompanee, Ltd.][kompanee-site]
 
 The names and logos for The Kompanee are trademarks of The Kompanee, Ltd.
 
 ## License
 
-Chamber is Copyright © 2014 Jeff Felchner and Mark McEahern. It is free software, and may be redistributed under the terms specified in the [LICENSE](https://github.com/thekompanee/chamber/blob/master/LICENSE) file.
+Chamber is Copyright © 2014-2018 Jeff Felchner and Mark McEahern. It is free
+software, and may be redistributed under the terms specified in the
+[LICENSE][license] file.
+
+[accessing]:      https://github.com/thekompanee/chamber/wiki/Accessing-Settings
+[basic-usage]:    https://github.com/thekompanee/chamber/wiki/Basic-Usage
+[cli]:            https://github.com/thekompanee/chamber/wiki/CLI-Overview
+[commit-hook]:    https://github.com/thekompanee/chamber/wiki/Git-Commit-Hooks
+[comparison]:     https://github.com/thekompanee/chamber/wiki/Gem-Comparison
+[encryption]:     https://github.com/thekompanee/chamber/wiki/Encryption-Basics
+[env-vars]:       https://github.com/thekompanee/chamber/wiki/Environment-Variables
+[heroku]:         https://github.com/thekompanee/chamber/wiki/Heroku
+[inch]:           https://inch-ci.org/github/thekompanee/chamber
+[jeff-profile]:   https://github.com/jfelchner
+[kompanee-logo]:  https://kompanee-public-assets.s3.amazonaws.com/readmes/kompanee-horizontal-black.png
+[kompanee-site]:  http://www.thekompanee.com
+[license]:        https://github.com/thekompanee/chamber/blob/master/LICENSE.txt
+[mark-profile]:   https://github.com/m5rk
+[namespace-keys]: https://github.com/thekompanee/chamber/wiki/Namespaced-Key-Pairs
+[plain-ruby]:     https://github.com/thekompanee/chamber/wiki/Installation#in-a-ruby-project-or-ruby-gem
+[travis]:         https://github.com/thekompanee/chamber/wiki/TravisCI
+[wiki]:           https://github.com/thekompanee/chamber/wiki

data/lib/chamber/binary/runner.rb

@@ -7,6 +7,8 @@ require 'chamber/binary/heroku'
 require 'chamber/commands/show'
 require 'chamber/commands/files'
 require 'chamber/commands/secure'
+require 'chamber/commands/sign'
+require 'chamber/commands/verify'
 require 'chamber/commands/compare'
 require 'chamber/commands/initialize'
 
@@ -143,9 +145,30 @@ class   Runner < Thor
 
   ################################################################################
 
+  desc 'sign', 'Creates or verifies signatures for all current settings files using ' \
+               'the signature private key.'
+
+  method_option :verify,
+                type:    :boolean,
+                default: false
+
+  def sign
+    if options[:verify]
+      Commands::Verify.call(options.merge(shell: self))
+    else
+      Commands::Sign.call(options.merge(shell: self))
+    end
+  end
+
+  ################################################################################
+
   desc 'init', 'Sets Chamber up using best practices for secure configuration ' \
                'management'
 
+  method_option :signature,
+                type:    :boolean,
+                default: false
+
   def init
     Commands::Initialize.call(options.merge(shell: self))
   end

data/lib/chamber/commands/initialize.rb

@@ -16,13 +16,15 @@ class   Initialize < Chamber::Commands::Base
   end
 
   attr_accessor :basepath,
-                :namespaces
+                :namespaces,
+                :signature
 
   def initialize(options = {})
     super
 
     self.basepath   = Chamber.configuration.basepath
     self.namespaces = options.fetch(:namespaces, [])
+    self.signature  = options.fetch(:signature)
   end
 
   # rubocop:disable Metrics/LineLength, Metrics/MethodLength, Metrics/AbcSize
@@ -36,9 +38,16 @@ class   Initialize < Chamber::Commands::Base
 
     key_pairs.each { |key_pair| generate_key_pair(key_pair) }
 
+    if signature
+      signature_key_pair = Chamber::KeyPair.new(namespace:     'signature',
+                                                key_file_path: rootpath)
+
+      generate_key_pair(signature_key_pair)
+    end
+
     append_to_gitignore
 
-    shell.copy_file settings_template_filepath, settings_filepath
+    shell.copy_file settings_template_filepath, settings_filepath, skip: true
 
     shell.say ''
     shell.say '********************************************************************************', :green
@@ -46,47 +55,103 @@ class   Initialize < Chamber::Commands::Base
     shell.say '********************************************************************************', :green
     shell.say ''
 
-    shell.say '.chamber.pem is a DEFAULT Chamber key.', :red
-    shell.say ''
-    shell.say 'If you would like a key which is used only for things such as a certain'
-    shell.say 'environment (such as production), or your local machine, you can rerun'
-    shell.say 'the command like so:'
-    shell.say ''
-    shell.say '$ chamber init --namespaces="production my_machines_hostname"', :yellow
-    shell.say ''
+    if namespaces.empty?
+      shell.say '.chamber.pem is your DEFAULT Chamber key.', :yellow
+      shell.say ''
+      shell.say 'If you would like a key which is used only for a certain environment (such as'
+      shell.say 'production), or your local machine, you can rerun the command like so:'
+      shell.say ''
+      shell.say '$ chamber init --namespaces="production my_machines_hostname"', :yellow
+      shell.say ''
+      shell.say 'You can find more information about namespace keys here:'
+      shell.say ''
+      shell.say '  * '
+      shell.say 'https://github.com/thekompanee/chamber/wiki/Namespaced-Key-Pairs', :blue
+      shell.say ''
+      shell.say '--------------------------------------------------------------------------------'
+      shell.say ''
+    end
+
+    if signature
+      shell.say '                                Your Signature Keys'
+      shell.say ''
+      shell.say 'Your signature keys, which will be used for verification, are located at:'
+      shell.say ''
+      shell.say '  * Public Key:            '
+      shell.say signature_key_pair.
+                  public_key_filepath.
+                  relative_path_from(Pathname.pwd), :yellow
+      shell.say '  * Private Key:           '
+      shell.say signature_key_pair.
+                  unencrypted_private_key_filepath.
+                  relative_path_from(Pathname.pwd), :yellow
+      shell.say '  * Encrypted Private Key: '
+      shell.say signature_key_pair.
+                  encrypted_private_key_filepath.
+                  relative_path_from(Pathname.pwd), :yellow
+      shell.say '  * Encrypted Passphrase:  '
+      shell.say signature_key_pair.
+                  encrypted_private_key_passphrase_filepath.
+                  relative_path_from(Pathname.pwd), :yellow
+
+      shell.say ''
+      shell.say 'The signature private keys should be thought of separately from the other'
+      shell.say 'project private keys you generate. They are not required to run the app'
+      shell.say 'and should only be given out to *very select* people.'
+      shell.say ''
+      shell.say 'You can find more information about settings verification here:'
+      shell.say ''
+      shell.say '  * '
+      shell.say 'https://github.com/thekompanee/chamber/wiki/Verifying-Settings', :blue
+      shell.say ''
+      shell.say '--------------------------------------------------------------------------------'
+      shell.say ''
+    end
 
-    shell.say 'The passphrase for your encrypted private key(s) are:'
+    shell.say '                                Your Encrypted Keys'
+    shell.say ''
+    shell.say 'You can send your team members any of the file(s) located at:'
     shell.say ''
 
     key_pairs.each do |key_pair|
-      shell.say "* #{key_pair.encrypted_private_key_filename}: "
-      shell.say key_pair.passphrase, :yellow
+      shell.say '  * '
+      shell.say key_pair.encrypted_private_key_filepath.relative_path_from(Pathname.pwd), :yellow
     end
 
     shell.say ''
-    shell.say 'Store these securely somewhere.'
+    shell.say 'and not have to worry about sending them via a secure medium, however do'
+    shell.say 'not send the passphrase along with it.  Give it to your team members in'
+    shell.say 'person.'
     shell.say ''
-    shell.say 'You can send your team members any of the file(s) located at:'
+    shell.say 'You can learn more about encrypted keys here:'
+    shell.say ''
+    shell.say '  * '
+    shell.say 'https://github.com/thekompanee/chamber/wiki/Keypair-Encryption#the-encrypted-private-key', :blue
+    shell.say ''
+    shell.say '--------------------------------------------------------------------------------'
+    shell.say ''
+    shell.say '                                Your Key Passphrases'
+    shell.say ''
+    shell.say 'The passphrases for your encrypted private key(s) are stored in the'
+    shell.say 'following locations:'
     shell.say ''
 
     key_pairs.each do |key_pair|
-      shell.say '* '
-      shell.say key_pair.encrypted_private_key_filepath, :yellow
+      shell.say '  * '
+      shell.say key_pair.encrypted_private_key_passphrase_filepath.relative_path_from(Pathname.pwd), :yellow
     end
 
-    shell.say ''
-    shell.say 'and not have to worry about sending it via a secure medium (such as'
-    shell.say 'email), however do not send the passphrase along with it.  Give it to'
-    shell.say 'your team members in person.'
     shell.say ''
     shell.say 'In order for them to decrypt it (for use with Chamber), they can use something'
     shell.say 'like the following (swapping out the actual key filenames if necessary):'
     shell.say ''
-    shell.say "$ cp #{key_pairs[0].encrypted_private_key_filepath} #{key_pairs[0].unencrypted_private_key_filepath}", :yellow
-    shell.say "$ ssh-keygen -p -f #{key_pairs[0].unencrypted_private_key_filepath}", :yellow
+    shell.say "$ cp #{key_pairs[0].encrypted_private_key_filepath.relative_path_from(Pathname.pwd)} #{key_pairs[0].unencrypted_private_key_filepath.relative_path_from(Pathname.pwd)}", :yellow
+    shell.say "$ ssh-keygen -p -f #{key_pairs[0].unencrypted_private_key_filepath.relative_path_from(Pathname.pwd)}", :yellow
     shell.say ''
     shell.say 'Enter the passphrase when prompted and leave the new passphrase blank.'
     shell.say ''
+    shell.say '--------------------------------------------------------------------------------'
+    shell.say ''
   end
   # rubocop:enable Metrics/LineLength, Metrics/MethodLength, Metrics/AbcSize
 
@@ -102,27 +167,34 @@ class   Initialize < Chamber::Commands::Base
     shell.create_file key_pair.public_key_filepath,
                       key_pair.public_key_pem,
                       skip: true
+    shell.create_file key_pair.encrypted_private_key_passphrase_filepath,
+                      key_pair.passphrase,
+                      skip: true
 
     `chmod 600 #{key_pair.unencrypted_private_key_filepath}`
     `chmod 600 #{key_pair.encrypted_private_key_filepath}`
+    `chmod 600 #{key_pair.encrypted_private_key_passphrase_filepath}`
     `chmod 644 #{key_pair.public_key_filepath}`
   end
 
-  # rubocop:disable Style/GuardClause
   def append_to_gitignore
     ::FileUtils.touch gitignore_filepath
 
     gitignore_contents = ::File.read(gitignore_filepath)
 
-    unless gitignore_contents =~ /^\.chamber\*\.enc$/
-      shell.append_to_file gitignore_filepath, ".chamber*.enc\n"
-    end
-
-    unless gitignore_contents =~ /^\.chamber\*\.pem$/
-      shell.append_to_file gitignore_filepath, ".chamber*.pem\n"
+    %w{
+      **/settings/*-local.yml
+      **/settings-local.yml
+      .chamber*.enc
+      .chamber*.pem
+      .chamber*.enc.pass
+      !.chamber*.pub.pem
+    }.each do |pattern|
+      unless gitignore_contents =~ Regexp.new(Regexp.escape(pattern))
+        shell.append_to_file gitignore_filepath, "#{pattern}\n"
+      end
     end
   end
-  # rubocop:enable Style/GuardClause
 
   def settings_template_filepath
     @settings_template_filepath ||= templates_path + 'settings.yml'

data/lib/chamber/commands/secure.rb

@@ -15,11 +15,9 @@ class   Secure < Chamber::Commands::Base
   def call
     disable_warnings do
       insecure_environment_variables.each_key do |key|
-        if dry_run
-          shell.say_status 'encrypt', key, :blue
-        else
-          shell.say_status 'encrypt', key, :green
-        end
+        color = dry_run ? :blue : :green
+
+        shell.say_status 'encrypt', key, color
       end
     end
 

data/lib/chamber/commands/sign.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'chamber/commands/base'
+
+module  Chamber
+module  Commands
+class   Sign < Chamber::Commands::Base
+  def initialize(options = {})
+    super(options.merge(namespaces: ['*']))
+  end
+
+  def call
+    chamber.sign
+  end
+end
+end
+end

data/lib/chamber/commands/verify.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'chamber/commands/base'
+
+module  Chamber
+module  Commands
+class   Verify < Chamber::Commands::Base
+  def initialize(options = {})
+    super(options.merge(namespaces: ['*']))
+  end
+
+  def call
+    verification_results = chamber.verify
+
+    verification_results.each_pair do |filename, result|
+      unless result
+        shell.say("The signature for '#{filename}' failed verification.", :yellow)
+      end
+    end
+
+    verification_results
+  end
+end
+end
+end

data/lib/chamber/encryption_methods/public_key.rb

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 
+require 'base64'
+
 module  Chamber
 module  EncryptionMethods
 class   PublicKey
-  def self.encrypt(_key, value, encryption_keys)
-    value = YAML.dump(value)
-    encrypted_string = encryption_keys.public_encrypt(value)
+  def self.encrypt(_key, value, encryption_key)
+    value            = YAML.dump(value)
+    encrypted_string = encryption_key.public_encrypt(value)
 
     Base64.strict_encode64(encrypted_string)
   end

data/lib/chamber/encryption_methods/ssl.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'base64'
+
 module  Chamber
 module  EncryptionMethods
 class   Ssl

data/lib/chamber/file.rb

@@ -3,6 +3,7 @@
 require 'pathname'
 require 'yaml'
 require 'erb'
+require 'chamber/files/signature'
 
 ###
 # Internal: Represents a single file containing settings information in a given
@@ -104,6 +105,28 @@ class   File < Pathname
   end
   # rubocop:enable Metrics/LineLength
 
+  def sign
+    signature_key_contents = decryption_keys[:signature]
+
+    fail ArgumentError, 'You asked to sign your settings files but no signature key was found.  Run `chamber init --signature` to generate one.' \
+      unless signature_key_contents
+
+    signature = Files::Signature.new(to_s, read, signature_key_contents)
+
+    signature.write
+  end
+
+  def verify
+    signature_key_contents = encryption_keys[:signature]
+
+    fail ArgumentError, 'You asked to verify your settings files but no signature key was found.  Run `chamber init --signature` to generate one.' \
+      unless signature_key_contents
+
+    signature = Files::Signature.new(to_s, read, signature_key_contents)
+
+    signature.verify
+  end
+
   private
 
   def secure_prefix

data/lib/chamber/file_set.rb

@@ -115,13 +115,15 @@ class   FileSet
   attr_reader   :namespaces,
                 :paths
   attr_accessor :decryption_keys,
-                :encryption_keys
+                :encryption_keys,
+                :basepath
 
   def initialize(options = {})
     self.namespaces      = options[:namespaces] || {}
     self.decryption_keys = options[:decryption_keys]
     self.encryption_keys = options[:encryption_keys]
     self.paths           = options.fetch(:files)
+    self.basepath        = options[:basepath]
   end
 
   ###
@@ -181,6 +183,18 @@ class   FileSet
     files.each(&:secure)
   end
 
+  def sign
+    files.each(&:sign)
+  end
+
+  def verify
+    files.each_with_object({}) do |file, memo|
+      relative_filepath = Pathname.new(file.to_s).relative_path_from(basepath).to_s
+
+      memo[relative_filepath] = file.verify
+    end
+  end
+
   protected
 
   ###

data/lib/chamber/files/signature.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'pathname'
+require 'time'
+
+module Chamber
+module Files
+class  Signature
+  SIGNATURE_HEADER                    = '-----BEGIN CHAMBER SIGNATURE-----'
+  SIGNATURE_FOOTER                    = '-----END CHAMBER SIGNATURE-----'
+  SIGNATURE_IN_SIGNATURE_FILE_PATTERN = /#{SIGNATURE_HEADER}\n(.*)\n#{SIGNATURE_FOOTER}/
+
+  attr_accessor :settings_content,
+                :settings_filename
+
+  attr_reader   :signature_key
+
+  def initialize(settings_filename, settings_content, signature_key)
+    self.signature_key     = signature_key
+    self.settings_content  = settings_content
+    self.settings_filename = Pathname.new(settings_filename)
+  end
+
+  def signature_key=(keyish)
+    @signature_key ||= if keyish.is_a?(OpenSSL::PKey::RSA)
+                         keyish
+                       elsif ::File.readable?(::File.expand_path(keyish))
+                         file_contents = ::File.read(::File.expand_path(keyish))
+                         OpenSSL::PKey::RSA.new(file_contents)
+                       else
+                         OpenSSL::PKey::RSA.new(keyish)
+                       end
+  end
+
+  def write
+    signature_filename.write(<<-HEREDOC, 0, mode: 'w+')
+Signed By: #{`git config --get 'user.name'`.chomp}
+Signed At: #{Time.now.utc.iso8601}
+
+#{SIGNATURE_HEADER}
+#{encoded_signature}
+#{SIGNATURE_FOOTER}
+    HEREDOC
+  end
+
+  def verify
+    signature_key.verify(digest, signature_content, settings_content)
+  end
+
+  private
+
+  def encoded_signature
+    @encoded_signature ||= Base64.strict_encode64(raw_signature)
+  end
+
+  def raw_signature
+    @raw_signature ||= signature_key.
+                         sign(digest, settings_content)
+  end
+
+  def signature_filename
+    @signature_filename ||= settings_filename.
+                              sub('.yml', '.sig').
+                              sub('.erb', '')
+  end
+
+  def encoded_signature_content
+    @encoded_signature_content ||= signature_filename.
+                                     read.
+                                     match(SIGNATURE_IN_SIGNATURE_FILE_PATTERN) do |match|
+      match[1]
+    end
+  end
+
+  def signature_content
+    @signature_content ||= Base64.strict_decode64(encoded_signature_content)
+  end
+
+  def digest
+    @digest ||= OpenSSL::Digest::SHA512.new
+  end
+end
+end
+end

data/lib/chamber/filters/encryption_filter.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'openssl'
-require 'base64'
 require 'hashie/mash'
 require 'yaml'
 require 'chamber/encryption_methods/public_key'

data/lib/chamber/filters/environment_filter.rb

@@ -151,6 +151,8 @@ class   EnvironmentFilter
       end
     when 'Float'
       Float(environment_value)
+    when 'Time'
+      Time.iso8601(environment_value)
     when 'Array'
       YAML.safe_load(environment_value).tap do |parsed_value|
         unless parsed_value.is_a?(Array)

data/lib/chamber/instance.rb

@@ -26,6 +26,14 @@ class   Instance
     files.secure
   end
 
+  def sign
+    files.sign
+  end
+
+  def verify
+    files.verify
+  end
+
   def encrypt(data, options = {})
     config = configuration.to_hash.merge(options)
 

data/lib/chamber/{rails/railtie.rb → integrations/rails.rb}

@@ -3,8 +3,8 @@
 require 'socket'
 
 module  Chamber
-module  Rails
-class   Railtie < ::Rails::Railtie
+module  Integrations
+class   Rails < ::Rails::Railtie
   initializer 'chamber.load', before: :load_environment_config do
     Chamber.load(basepath:   ::Rails.root.join('config'),
                  namespaces: {

data/lib/chamber/integrations/sinatra.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'socket'
+
+module Chamber
+module Integrations
+module Sinatra
+  def self.registered(app)
+    app.configure do |inner_app|
+      env  = inner_app.environment || ENV['RACK_ENV']
+      root = inner_app.root
+
+      if defined?(Padrino)
+        env  = Padrino.env  if Padrino.respond_to?(:env)
+        root = Padrino.root if Padrino.respond_to?(:root)
+      end
+
+      Chamber.load(
+                    basepath:   root,
+                    namespaces: {
+                      environment: -> { env },
+                      hostname:    -> { Socket.gethostname },
+                    },
+                  )
+    end
+  end
+end
+end
+end

data/lib/chamber/key_pair.rb

@@ -15,6 +15,10 @@ class  KeyPair
     self.key_file_path = Pathname.new(options.fetch(:key_file_path))
   end
 
+  def encrypted_private_key_passphrase_filepath
+    key_file_path + "#{encrypted_private_key_filename}.pass"
+  end
+
   def encrypted_private_key_filepath
     key_file_path + encrypted_private_key_filename
   end

data/lib/chamber/keys/base.rb

@@ -7,9 +7,9 @@ class   Base
     new(*args).resolve
   end
 
-  attr_accessor :namespaces,
-                :rootpath
-  attr_reader   :filenames
+  attr_accessor :rootpath
+  attr_reader   :filenames,
+                :namespaces
 
   def initialize(options = {})
     self.rootpath   = Pathname.new(options.fetch(:rootpath))
@@ -45,6 +45,18 @@ class   Base
 
   private
 
+  def namespaces=(other)
+    @namespaces ||= begin
+                      keys = if other.respond_to?(:keys)
+                               other.keys.map(&:to_s)
+                             else
+                               other
+                             end
+
+                      keys + %w{signature}
+                    end
+  end
+
   def key_from_file_contents(filename)
     filename.readable? && filename.read
   end

data/lib/chamber/rails.rb

@@ -1,3 +1,3 @@
 # frozen_string_literal: true
 
-require 'chamber/rails/railtie' if defined?(::Rails)
+require 'chamber/integrations/rails' if defined?(::Rails)

data/lib/chamber/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Chamber
-  VERSION = '2.11.0'
+  VERSION = '2.12.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: chamber
 version: !ruby/object:Gem::Version
-  version: 2.11.0
+  version: 2.12.0
 platform: ruby
 authors:
 - thekompanee
@@ -34,7 +34,7 @@ cert_chain:
   etYUO0DlNY/qYfSfExrgt0W5dZeT09V++WPlYauHw/EZtAB0AsJwVdtIscq0HSvX
   yH9AFp3KIe0v70EXzao/94n+XoDULrHEhqGMo34iS+37ZA==
   -----END CERTIFICATE-----
-date: 2018-01-12 00:00:00.000000000 Z
+date: 2018-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -120,6 +120,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
 description: Chamber lets you source your Settings from an arbitrary number of YAML
   files and provides a simple mechanism for overriding settings from the ENV, which
   is friendly to how Heroku addons work.
@@ -149,8 +163,10 @@ files:
 - lib/chamber/commands/securable.rb
 - lib/chamber/commands/secure.rb
 - lib/chamber/commands/show.rb
+- lib/chamber/commands/sign.rb
 - lib/chamber/commands/travis.rb
 - lib/chamber/commands/travis/secure.rb
+- lib/chamber/commands/verify.rb
 - lib/chamber/configuration.rb
 - lib/chamber/context_resolver.rb
 - lib/chamber/encryption_methods/none.rb
@@ -159,6 +175,7 @@ files:
 - lib/chamber/errors/decryption_failure.rb
 - lib/chamber/file.rb
 - lib/chamber/file_set.rb
+- lib/chamber/files/signature.rb
 - lib/chamber/filters/decryption_filter.rb
 - lib/chamber/filters/encryption_filter.rb
 - lib/chamber/filters/environment_filter.rb
@@ -168,13 +185,14 @@ files:
 - lib/chamber/filters/secure_filter.rb
 - lib/chamber/filters/translate_secure_keys_filter.rb
 - lib/chamber/instance.rb
+- lib/chamber/integrations/rails.rb
+- lib/chamber/integrations/sinatra.rb
 - lib/chamber/key_pair.rb
 - lib/chamber/keys/base.rb
 - lib/chamber/keys/decryption.rb
 - lib/chamber/keys/encryption.rb
 - lib/chamber/namespace_set.rb
 - lib/chamber/rails.rb
-- lib/chamber/rails/railtie.rb
 - lib/chamber/rubinius_fix.rb
 - lib/chamber/settings.rb
 - lib/chamber/types/secured.rb