cipherpipe 0.2.4 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a4f0e32f480bf3dfd34b87dded6a5bf13ab9e37e8cffcecf597828cac5f3d756
-  data.tar.gz: f68ddc736e43122d4790f29647b898629be30804fc035c6d1c241decc3a6effa
+  metadata.gz: 9fbd9abc8551bd0d9d03d7fd91e1d4eb1c57ca0bffd8d12c0d8a13412fc23e8e
+  data.tar.gz: cbfee38900e2ed2bd30328c1789532fa53f3aa6f27b8ea56c0296948e97a9439
 SHA512:
-  metadata.gz: 71f09bf4723137bc0e205d993d67ab9a9cb97e54b8aac05ce9d904ecf4596dd34caa22fffbeffe8f528148d8d8f9057ff78fe6973fcf3be48cb68d13a2519c9f
-  data.tar.gz: aa5fd99b6dfac62daac9a2a2bf622ec614fb047bd169684b01077380c21f281a3612e0cf28c1a9094e001ede149320e23af8e5a935ec7b8d01ae23b2ded5f074
+  metadata.gz: 3ae3d44347e9f054c72bc838e83ff29d50e848dc46f47ab4aa78dbf0c114749141184037488452b48c986e13cc48a82fb93df594dbeaa4836632df366644bc35
+  data.tar.gz: '0079cb88864cd97ffea062d65ffdbd96ce20d3a4ab3b7fc0c5c44be67bc135102926d6ac939ebf39f13129654729f893466363f8a1555430fff7afad35b82257'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    cipherpipe (0.2.4)
+    cipherpipe (0.3.0)
 
 GEM
   remote: https://rubygems.org/
@@ -29,6 +29,7 @@ GEM
       rspec-support (~> 3.7.0)
     rspec-support (3.7.1)
     safe_yaml (1.0.4)
+    shell_mock (0.3.3)
     vault (0.11.0)
       aws-sigv4
     webmock (3.4.2)
@@ -44,6 +45,7 @@ DEPENDENCIES
   cipherpipe!
   rake (~> 12.0)
   rspec (~> 3.7)
+  shell_mock (~> 0.3.3)
   vault (~> 0.11)
   webmock (~> 3.4)
 

data/README.md

@@ -1,6 +1,6 @@
 # Cipherpipe
 
-Cipherpipe transfers secrets from stores (such as Vault) onto your local machine, or into the `ENV` of a Ruby app. You can then make changes and upload these back into the store - all of which is done only when you have valid access.
+Cipherpipe transfers secrets from stores (such as Vault and 1Password) onto your local machine, or into the `ENV` of a Ruby app. You can then make changes and upload these back into the store - all of which is done only when you have valid access.
 
 ## Why?
 
@@ -34,11 +34,13 @@ Cipherpipe::Commands::Load.call
 
 If you're using Vault's EC2 authentication and have specified an `ec2_role` value for the primary source (as noted in the configuration example below), then loading the secrets will automatically authenticate against Vault using the EC2 instance's PKCS7-signed identity.
 
+If you're using 1Password, you'll want to have [their command-line tool](https://support.1password.com/command-line-getting-started/) installed (testing has been conducted with v0.4.1). Any time you use cipherpipe commands that interact with 1Password, you'll have to be authenticated first (`op signin team-subdomain.1password.com me@myemail.com A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX`).
+
 ## Configuration
 
 Everything for Cipherpipe is managed in a YAML configuration file `.cipherpipe.yml` which you should place in the root of your project. You'll need to specify at least one source (and mark it as the primary). Having an output file/format is optional, but likely useful.
 
-When setting a Vault source, the destination is a key-value store (v2) and the `secret/` prefix is added automatically.
+When setting a Vault source, the destination is a key-value store (v2) and the `secret/` prefix is added automatically. When setting up 1Password, the destination is the name of the document, and you'll want to specify a vault as well.
 
 Here's an example for a Rails application using `dotenv` (and `ENVIRONMENT` is automatically translated to the appropriate Rails environment, as based on the RAILS_ENV variable):
 
@@ -49,6 +51,9 @@ sources:
 - type: vault
   destination: apps/myapp/ENVIRONMENT
   primary: true
+- type: 1password
+  destination: "Apps: myapp ENVIRONMENT"
+  vault: Developers
 ```
 
 If you're running this on EC2 servers that are set up to authenticate with Vault via a specific role, you can provide that with the `ec2_role` setting and it'll automatically be used:
@@ -85,6 +90,8 @@ sources:
   primary: true
 ```
 
+Note that you must have one primary source - the primary source is where data is downloaded from. Other sources are only for uploading (i.e. as a backup).
+
 ## Usage
 
 Once you've got things configured, you can use the `cipherpipe` executable to download or upload configuration.
@@ -105,7 +112,9 @@ If you're using Vault's EC2 authentication and have specified an `ec2_role` valu
 
 ## Dependencies
 
-If you're using Vault (which is likely, given it's currently the only supported secret storage service), you'll need to make sure it's using the V2 kv secrets engine.
+If you're using Vault, you'll need to make sure it's using the V2 kv secrets engine.
+
+If you're using 1Password, you'll need [their command-line tool](https://support.1password.com/command-line-getting-started/) installed (v0.4.1 or newer is recommended).
 
 ## Contributing
 

data/cipherpipe.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |spec|
   spec.name          = "cipherpipe"
-  spec.version       = "0.2.4"
+  spec.version       = "0.3.0"
   spec.authors       = ["Pat Allan"]
   spec.email         = ["pat@freelancing-gods.com"]
 
@@ -15,8 +15,9 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |file| File.basename(file) }
   spec.require_paths = ["lib"]
 
-  spec.add_development_dependency "bundler", "~> 1.16"
-  spec.add_development_dependency "rake",    "~> 12.0"
-  spec.add_development_dependency "rspec",   "~> 3.7"
-  spec.add_development_dependency "webmock", "~> 3.4"
+  spec.add_development_dependency "bundler",    "~> 1.16"
+  spec.add_development_dependency "rake",       "~> 12.0"
+  spec.add_development_dependency "rspec",      "~> 3.7"
+  spec.add_development_dependency "shell_mock", "~> 0.3.3"
+  spec.add_development_dependency "webmock",    "~> 3.4"
 end

data/lib/cipherpipe/configuration.rb

@@ -49,15 +49,11 @@ class Cipherpipe::Configuration
   end
 
   def parse_source(hash)
-    role = hash["ec2_role"]
-    role.gsub!("ENVIRONMENT", environment) unless role.nil?
+    hash.each do |key, value|
+      hash[key] = value.gsub("ENVIRONMENT", environment) if value.is_a?(String)
+    end
 
-    Cipherpipe::ExternalSource.new(
-      hash["type"],
-      hash["destination"].gsub("ENVIRONMENT", environment),
-      hash["primary"],
-      role
-    )
+    Cipherpipe::ExternalSource.new hash
   end
 
   def yaml

data/lib/cipherpipe/external_source.rb

@@ -1,13 +1,14 @@
 class Cipherpipe::ExternalSource
   UnknownProviderError = Class.new Cipherpipe::Error
 
-  attr_reader :type, :destination, :primary, :ec2_role
+  attr_reader :type, :destination, :primary, :ec2_role, :options
 
-  def initialize(type, destination, primary = false, ec2_role = nil)
-    @type        = type
-    @destination = destination
-    @primary     = primary
-    @ec2_role    = ec2_role
+  def initialize(options = {})
+    @type        = options.delete "type"
+    @destination = options.delete "destination"
+    @primary     = options.delete "primary"
+    @ec2_role    = options.delete "ec2_role"
+    @options     = options
   end
 
   def download
@@ -37,6 +38,9 @@ class Cipherpipe::ExternalSource
     when "vault"
       require_relative "vault"
       Cipherpipe::Vault
+    when "1password"
+      require_relative "one_password"
+      Cipherpipe::OnePassword
     else
       raise UnknownProviderError, "unknown provider #{type}"
     end

data/lib/cipherpipe/one_password.rb

@@ -0,0 +1,17 @@
+class Cipherpipe::OnePassword
+  def self.available?
+    !`which op`.empty?
+  end
+
+  def self.download(external_source)
+    require_relative "one_password/download"
+
+    Cipherpipe::OnePassword::Download.call external_source
+  end
+
+  def self.upload(external_source, settings)
+    require_relative "one_password/upload"
+
+    Cipherpipe::OnePassword::Upload.call external_source, settings
+  end
+end

data/lib/cipherpipe/one_password/download.rb

@@ -0,0 +1,38 @@
+require "json"
+
+class Cipherpipe::OnePassword::Download
+  UnknownDocument = Class.new Cipherpipe::Error
+
+  def self.call(external_source)
+    new(external_source).call
+  end
+
+  def initialize(external_source)
+    @external_source = external_source
+  end
+
+  def call
+    hash = documents.detect do |document|
+      document["overview"]["title"] == external_source.destination
+    end
+
+    if hash.nil?
+      raise UnknownDocument,
+        "Cannot find #{external_source.destination} in 1Password vault #{vault}"
+    end
+
+    JSON.load `op get document \"#{hash["uuid"]}\" --vault \"#{vault}\"`
+  end
+
+  private
+
+  attr_reader :external_source
+
+  def documents
+    JSON.load `op list documents --vault \"#{vault}\"`
+  end
+
+  def vault
+    external_source.options["vault"]
+  end
+end

data/lib/cipherpipe/one_password/upload.rb

@@ -0,0 +1,39 @@
+require "tmpdir"
+require "json"
+
+class Cipherpipe::OnePassword::Upload
+  def self.call(external_source, variables)
+    new(external_source, variables).call
+  end
+
+  def initialize(external_source, variables)
+    @external_source = external_source
+    @variables       = variables
+  end
+
+  def call
+    documents.each do |document|
+      next unless document["overview"]["title"] == external_source.destination
+
+      `op delete item "#{document["uuid"]}" --vault="#{vault}"`
+    end
+
+    Dir.mktmpdir do |directory|
+      File.write "#{directory}/cipherpipe.json", JSON.dump(variables)
+
+      `op create document "#{directory}/cipherpipe.json" --title="#{external_source.destination}" --vault="#{vault}"`
+    end
+  end
+
+  private
+
+  attr_reader :external_source, :variables
+
+  def documents
+    JSON.load `op list documents --vault "#{vault}"`
+  end
+
+  def vault
+    external_source.options["vault"]
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cipherpipe
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.3.0
 platform: ruby
 authors:
 - Pat Allan
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-06-12 00:00:00.000000000 Z
+date: 2018-06-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -52,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: shell_mock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.3
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
@@ -99,6 +113,9 @@ files:
 - lib/cipherpipe/formatters/env.rb
 - lib/cipherpipe/formatters/hcl.rb
 - lib/cipherpipe/formatters/json.rb
+- lib/cipherpipe/one_password.rb
+- lib/cipherpipe/one_password/download.rb
+- lib/cipherpipe/one_password/upload.rb
 - lib/cipherpipe/vault.rb
 - lib/cipherpipe/vault/api.rb
 - lib/cipherpipe/vault/download.rb