cici 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e0e0d27ce6125fb072e36aa5a3e197bd3ad70742d5171c2f2f360b771179d23a
-  data.tar.gz: bd919b3ef9990aa2952461ee646febdb9c803fbafe2c2f298d5168ea0b286731
+  metadata.gz: fc0f1060894123ec9ccd7d9679db5a3a43f16cfd30194ebfc9446b7b424e3398
+  data.tar.gz: c30d7439f9088bd33b935749c9f42628abf5e3b23d3d899957acacd83ceb4a72
 SHA512:
-  metadata.gz: d1f5f125bbcfb71b5975f1cec0a5aeb7a442af524ceca952d6e8583da752bfb79627397958768bacd88dc89aa44c4333053f0f8fe76a5de58c6b5a381fddd735
-  data.tar.gz: 71614938679b2d015f7224e5d4d4f754d2d116a8a687fe3a5b36fed1aded3e429720fe3640b8475a7703d4e1acae5e73d17bf68d2cbb320c456d143a3d7e27be
+  metadata.gz: 28e9d08d9cf1e40bcc983593234fac72fa27cbff47ee98f85f6b9e683f7715a09477f3b135681788e7958cd7dda9dd88dfebbbcb72fdd28ba5a03e348890d2aa
+  data.tar.gz: e78fa84bb9d79582a794ade9464a449ffa6ecb0d1b27143b6e6ed394828e4b4ef3d99e68d8a712442f0e6eb03672f7977c65b772cd238a8c9cf9853495fbfe03

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## [0.2.0] - 2020-03-03
+
+### Changed
+- Reuse the key/iv values to encrypt. [Issue](https://github.com/levibostian/cici/issues/2)
+
 ## [0.1.0] - 2019-12-17
 
 ### Added 

data/lib/cici/cli.rb

@@ -24,6 +24,9 @@ module CICI
       @config = CICI::Config.new(@ui)
       @config.load
 
+      @decrypter = CICI::Decrypt.new(@ui, @config)
+      @encrypter = CICI::Encrypt.new(@ui, @decrypter, @config)
+
       run_command
     end
 
@@ -82,11 +85,11 @@ module CICI
     end
 
     def encrypt
-      CICI::Encrypt.new(@ui, @config).start
+      @encrypter.start
     end
 
     def decrypt
-      CICI::Decrypt.new(@ui, @config).start(@options.set)
+      @decrypter.start(@options.set)
     end
   end
 end

data/lib/cici/decrypt.rb

@@ -25,29 +25,35 @@ module CICI
       @set = set
 
       assert_encrypted_secret_exist
-      decrypt
+      plain = decrypt(Base64.decode64(@util.get_env(CICI::DECRYPT_KEY_ENV_VAR)), Base64.decode64(@util.get_env(CICI::DECRYPT_IV_ENV_VAR)))
+      if !plain.empty?
+        File.write(@config.output_file, plain)
+      else
+        @ui.fail('Wrong key/iv pair for decryption.')
+      end
       decompress
       copy_files
 
       @ui.success('Files successfully decrypted and copied to their destination!')
     end
 
-    private
-
-    def assert_encrypted_secret_exist
-      @ui.fail("Encrypted secrets file, #{@config.output_file_encrypted}, does not exist") unless File.file?(@config.output_file_encrypted)
-    end
-
-    def decrypt
+    def decrypt(key, iv)
       @ui.verbose('Decrypting secrets encrypted file.')
 
       decipher = OpenSSL::Cipher.new('AES-256-CBC')
       decipher.decrypt
-      decipher.key = Base64.decode64(@util.get_env(CICI::DECRYPT_KEY_ENV_VAR))
-      decipher.iv = Base64.decode64(@util.get_env(CICI::DECRYPT_IV_ENV_VAR))
+      decipher.key = key
+      decipher.iv = iv
 
       plain = decipher.update(File.read(@config.output_file_encrypted)) + decipher.final
-      File.write(@config.output_file, plain)
+
+      plain
+    end
+
+    private
+
+    def assert_encrypted_secret_exist
+      @ui.fail("Encrypted secrets file, #{@config.output_file_encrypted}, does not exist") unless File.file?(@config.output_file_encrypted)
     end
 
     def decompress

data/lib/cici/encrypt.rb

@@ -14,14 +14,24 @@ module CICI
   class Encrypt
     include CICI
 
-    def initialize(ui, config)
+    def initialize(ui, decrypter, config)
       @ui = ui
       @config = config
       @util = CICI::Util.new(@ui)
+      @decrypter = decrypter
+
+      # Default key/iv that's generated for you. We can change these values later before encryption.
+      aes = OpenSSL::Cipher.new('AES-256-CBC')
+      aes.encrypt
+      @encryption_key = aes.random_key
+      @encryption_iv = aes.random_iv
+      @first_time_encrypting = false
     end
 
     def start
       assert_secret_files_exist
+      # We want to reuse key/iv values for encryption. So, let's get those values before moving forward.
+      prompt_for_keys
       compress
       assert_files_in_gitignore
       encrypt
@@ -45,6 +55,30 @@ module CICI
       end
     end
 
+    def prompt_for_keys
+      has_encrypted_before = File.exist?(@config.output_file)
+
+      if has_encrypted_before
+        @ui.message('It looks like you have encrypted your secrets before.')
+        @ui.message('Enter the key you use to encrypt:')
+        key = Base64.decode64(STDIN.gets.chomp)
+        @ui.message('Enter the IV you use to encrypt:')
+        iv = Base64.decode64(STDIN.gets.chomp)
+
+        plain = @decrypter.decrypt(key, iv)
+        @ui.fail('Key or IV value does not match the key/IV pair used when previously encrypting') if plain.empty?
+
+        @encryption_key = key
+        @encryption_iv = iv
+      else
+        @ui.debug("Encrypted output file, #{@config.output_file}, does not exist. Therefore, let's assume this is the first time encrypting secrets.")
+
+        @ui.message('It looks like this is the first time that you are encrypting secrets.')
+        @ui.message('Generating secure keys for you...')
+        @first_time_encrypting = true
+      end
+    end
+
     def compress
       @ui.verbose('Compressing secrets...')
 
@@ -57,14 +91,23 @@ module CICI
       aes = OpenSSL::Cipher.new('AES-256-CBC')
       data = File.binread(@config.output_file)
       aes.encrypt
-      key = aes.random_key
-      iv = aes.random_iv
+      aes.key = @encryption_key
+      aes.iv = @encryption_iv
       File.write(@config.output_file_encrypted, aes.update(data) + aes.final)
 
-      @ui.success('Success! Now, you need to follow these last few steps:')
-      @ui.success("1. Make sure to add #{@config.output_file_encrypted} to your source code repository")
-      @ui.success("2. Create a *secret* environment variable with key: #{CICI::DECRYPT_KEY_ENV_VAR} with value: #{Base64.encode64(key).strip}")
-      @ui.success("3. Create a *secret* environment variable with key: #{CICI::DECRYPT_IV_ENV_VAR} with value: #{Base64.encode64(iv).strip}")
+      if @first_time_encrypting
+        @ui.success('Success! Now, you need to follow these last few steps:')
+        @ui.success("1. Make sure to add #{@config.output_file_encrypted} to your version control")
+        @ui.success('Below you will find secret keys used to encrypt and decrypt your secrets in the future.')
+        @ui.success('**These will not be revealed ever again!** Store these in a safe and secure place.')
+        @ui.success('')
+        @ui.success('2. Share these secret keys with your team. They must provide the same keys to encrypt again. Keep secrets up-to-date with a git hook.')
+        @ui.success('3. Set these *secret* environment variables in your CI server for decryption.')
+        @ui.success("Key: #{CICI::DECRYPT_KEY_ENV_VAR} and value: #{Base64.encode64(@encryption_key).strip}")
+        @ui.success("Key: #{CICI::DECRYPT_IV_ENV_VAR} and value: #{Base64.encode64(@encryption_iv).strip}")
+      else
+        @ui.success('Success!')
+      end
     end
 
     def assert_files_in_gitignore

data/lib/cici/ui.rb

@@ -18,6 +18,11 @@ module CICI
       abort(message.colorize(:red))
     end
 
+    # No way to disable this. These are message that must be outputted.
+    def message(message)
+      puts message
+    end
+
     def warning(message)
       puts message.to_s.colorize(:yellow)
     end

data/lib/cici/version.rb

@@ -3,7 +3,7 @@
 module CICI
   class Version
     def self.get
-      '0.1.0'
+      '0.2.0'
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cici
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Levi Bostian
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-18 00:00:00.000000000 Z
+date: 2020-03-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize