diffcrypt 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 123f8eedd18059e8df8ceee8ab1d8bf67db179c05102f13fc0eb826e05c5d1de
+  data.tar.gz: 9ea816271de575fc3e101b2bc7898ab85513beffc0ab126426a286e86310ebdc
+SHA512:
+  metadata.gz: 8a97bbbd2f9c0f3f5ec04acb7ab65514b747da321fa1bf1d295c9e7a8a98b755d711b653cc888c60fa44b26a1e115a87061ee80d01788e6680a05e42eb5c8162
+  data.tar.gz: 5a1b1446b201762d5463d0774638dee995af9c26c6aad375f804f0682dd0efb8ce74c4fb40c7c048ba306a1e24fa18bc37408173f4bbe1852e12bd552522f25d

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+Gemfile.lock
+*.gem

data/.rubocop.yml

@@ -0,0 +1,15 @@
+AllCops:
+  NewCops: enable
+
+Style/ClassAndModuleChildren:
+  Exclude:
+    - test/**/*_test.rb
+Style/Documentation:
+  Enabled: false
+Metrics/MethodLength:
+  Exclude:
+    - test/**/*_test.rb
+
+Layout/LineLength:
+  Exclude:
+    - test/**/*_test.rb

data/.travis.yml

@@ -0,0 +1,6 @@
+---
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.6
+before_install: gem install bundler -v 2.1.4

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in diffcrypt.gemspec
+gemspec
+
+gem 'minitest', '~> 5.0'
+gem 'rake', '~> 13.0'
+gem 'rubocop', '~> 0.86'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Marc Qualie
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,84 @@
+# Diffcrypt
+
+Diffable encrypted files that you can safely commit into your repo.
+
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'diffcrypt'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install diffcrypt
+
+
+
+## Usage
+
+
+### Encrypt existing file
+
+```ruby
+encryptor = Diffcrypt::Encryptor.new('99e1f86b9e61f24c56ff4108dd415091')
+yaml = File.read('test/fixtures/example.yml')
+encrypted = encryptor.encrypt(yaml)
+File.write('tmp/example.yml.enc', encrypted)
+```
+
+### Decrypt a file
+
+```ruby
+encryptor = Diffcrypt::Encryptor.new('99e1f86b9e61f24c56ff4108dd415091')
+yaml = File.read('test/fixtures/example.yml.enc')
+config = YAML.safe_load(encryptor.decrypt(yaml))
+```
+
+### Rails
+
+Currently there is not native support for rails, but ActiveSupport can be monkeypatched to override
+the build in encrypter.
+
+```ruby
+require 'diffcrypt/rails/encrypted_configuration'
+module Rails
+  class Application
+    def encrypted(path, key_path: 'config/master.key', env_key: 'RAILS_MASTER_KEY')
+      Diffcrypt::Rails::EncryptedConfiguration.new(
+        config_path: Rails.root.join(path),
+        key_path: Rails.root.join(key_path),
+        env_key: env_key,
+        raise_if_missing_key: config.require_master_key,
+      )
+    end
+  end
+end
+```
+
+
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/marcqualie/diffcrypt.
+
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task default: :test

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'diffcrypt'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/diffcrypt.gemspec

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require_relative 'lib/diffcrypt/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'diffcrypt'
+  spec.version       = Diffcrypt::VERSION
+  spec.authors       = ['Marc Qualie']
+  spec.email         = ['marc@marcqualie.com']
+
+  spec.summary       = 'Diffable encrypted configuration files'
+  spec.description   = 'Diffable encrypted configuration files that can be safely committed into a git repository'
+  spec.homepage      = 'https://github.com/marcqualie/diffcrypt'
+  spec.license       = 'MIT'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.3.0')
+
+  # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/marcqualie/diffcrypt'
+  # spec.metadata['changelog_uri'] = "TODO: Put your gem's CHANGELOG.md URL here."
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_runtime_dependency 'activesupport', '~> 6.0.0'
+end

data/lib/diffcrypt.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'diffcrypt/encryptor'
+require 'diffcrypt/version'
+
+module Diffcrypt
+  class Error < StandardError; end
+
+  class MissingContentError < RuntimeError
+    def initialize(content_path)
+      super "Missing encrypted content file in #{content_path}."
+    end
+  end
+
+  class MissingKeyError < RuntimeError
+    def initialize(key_path:, env_key:)
+      super \
+        'Missing encryption key to decrypt file with. ' \
+          "Ask your team for your master key and write it to #{key_path} or put it in the ENV['#{env_key}']."
+    end
+  end
+end

data/lib/diffcrypt/encryptor.rb

@@ -0,0 +1,86 @@
+# rubocop:disable Layout/LineLength
+# frozen_string_literal: true
+
+require 'pathname'
+require 'tmpdir'
+require 'securerandom'
+require 'yaml'
+
+require 'active_support/message_encryptor'
+
+module Diffcrypt
+  class Encryptor
+    CIPHER = 'aes-128-gcm'
+
+    def self.generate_key
+      SecureRandom.hex(ActiveSupport::MessageEncryptor.key_len(CIPHER))
+    end
+
+    def initialize(key)
+      @key = key
+      @encryptor ||= ActiveSupport::MessageEncryptor.new([key].pack('H*'), cipher: CIPHER)
+    end
+
+    # @param [String] contents The raw YAML string to be encrypted
+    def decrypt(contents)
+      yaml = YAML.safe_load contents
+      decrypted = decrypt_hash yaml
+      YAML.dump decrypted
+    end
+
+    # @param [Hash] data
+    # @return [Hash]
+    def decrypt_hash(data)
+      data.each do |key, value|
+        data[key] = if value.is_a?(Hash) || value.is_a?(Array)
+                      decrypt_hash(value)
+                    else
+                      decrypt_string value
+                    end
+      end
+      data
+    end
+
+    # @param [String] contents The raw YAML string to be encrypted
+    # @param [String, nil] original_encrypted_contents The original (encrypted) content to determine which keys have changed
+    def encrypt(contents, original_encrypted_contents = nil)
+      yaml = YAML.safe_load contents
+      original_yaml = original_encrypted_contents ? YAML.safe_load(original_encrypted_contents) : nil
+      encrypted = encrypt_values yaml, original_yaml
+      YAML.dump encrypted
+    end
+
+    # @param [String] value Plain text string that needs encrypting
+    # @return [String]
+    def encrypt_string(value)
+      @encryptor.encrypt_and_sign value
+    end
+
+    # TODO: Fix the complexity of this method
+    # rubocop:disable Metrics/PerceivedComplexity, Metrics/MethodLength, Metrics/CyclomaticComplexity
+    # @param [Hash] keys
+    # @return [Hash]
+    def encrypt_values(data, original_data = nil)
+      data.each do |key, value|
+        original_encrypted_value = original_data ? original_data[key] : nil
+        data[key] = if value.is_a?(Hash) || value.is_a?(Array)
+                      encrypt_values(value, original_encrypted_value)
+                    else
+                      original_decrypted_value = original_data ? decrypt_string(original_encrypted_value) : nil
+                      key_changed = original_decrypted_value.nil? || original_decrypted_value != value
+                      key_changed ? encrypt_string(value) : original_encrypted_value
+                    end
+      end
+      data
+    end
+    # rubocop:enable Metrics/PerceivedComplexity, Metrics/MethodLength, Metrics/CyclomaticComplexity
+
+    # @param [String] value The encrypted value that needs decrypting
+    # @return [String]
+    def decrypt_string(value)
+      @encryptor.decrypt_and_verify value
+    end
+  end
+end
+
+# rubocop:enable Layout/LineLength

data/lib/diffcrypt/rails/encrypted_configuration.rb

@@ -0,0 +1,126 @@
+# frozen_string_literal: true
+
+require 'pathname'
+require 'tmpdir'
+
+require 'active_support/ordered_options'
+require 'active_support/core_ext/hash'
+require 'active_support/core_ext/module/delegation'
+require 'active_support/core_ext/object/inclusion'
+
+module Diffcrypt
+  module Rails
+    class EncryptedConfiguration
+      attr_reader :content_path
+      attr_reader :key_path
+      attr_reader :env_key
+      attr_reader :raise_if_missing_key
+
+      delegate :[], :fetch, to: :config
+      delegate_missing_to :options
+
+      def initialize(config_path:, key_path:, env_key:, raise_if_missing_key:)
+        @content_path = Pathname.new(File.absolute_path(config_path)).yield_self do |path|
+          path.symlink? ? path.realpath : path
+        end
+        @key_path = Pathname.new(key_path)
+        @env_key = env_key
+        @raise_if_missing_key = raise_if_missing_key
+        @active_support_encryptor = ActiveSupport::MessageEncryptor.new([key].pack('H*'), cipher: Encryptor::CIPHER)
+      end
+
+      # Allow a config to be started without a file present
+      # @return [String] Returns decryped content or a blank string
+      def read
+        raise MissingContentError, content_path unless !key.nil? && content_path.exist?
+
+        decrypt content_path.binread
+      rescue MissingContentError
+        ''
+      end
+
+      def write(contents, original_encrypted_contents = nil)
+        deserialize(contents)
+
+        IO.binwrite "#{content_path}.tmp", encrypt(contents, original_encrypted_contents)
+        FileUtils.mv "#{content_path}.tmp", content_path
+      end
+
+      def config
+        @config ||= deserialize(read).deep_symbolize_keys
+      end
+
+      # @raise [MissingKeyError] Will raise if key is not set
+      # @return [String]
+      def key
+        read_env_key || read_key_file || handle_missing_key
+      end
+
+      def change(&block)
+        writing read, &block
+      end
+
+      protected
+
+      # rubocop:disable Metrics/AbcSize
+      def writing(contents)
+        tmp_file = "#{Process.pid}.#{content_path.basename.to_s.chomp('.enc')}"
+        tmp_path = Pathname.new File.join(Dir.tmpdir, tmp_file)
+        tmp_path.binwrite contents
+
+        yield tmp_path
+
+        updated_contents = tmp_path.binread
+
+        write(updated_contents, content_path.binread)
+      ensure
+        FileUtils.rm(tmp_path) if tmp_path&.exist?
+      end
+      # rubocop:enable Metrics/AbcSize
+
+      # @param [String] contents The new content to be encrypted
+      # @param [String] diff_against The original (encrypted) content to determine which keys have changed
+      # @return [String] Encrypted content to commit
+      def encrypt(contents, original_encrypted_contents = nil)
+        encryptor.encrypt contents, original_encrypted_contents
+      end
+
+      # @param [String] contents
+      # @return [String]
+      def decrypt(contents)
+        if contents.index('---').nil?
+          @active_support_encryptor.decrypt_and_verify contents
+        else
+          encryptor.decrypt contents
+        end
+      end
+
+      # @return [Encryptor]
+      def encryptor
+        @encryptor ||= Encryptor.new key
+      end
+
+      def read_env_key
+        ENV[env_key]
+      end
+
+      def read_key_file
+        key_path.binread.strip if key_path.exist?
+      end
+
+      # @raise [MissingKeyError]
+      # @return [void]
+      def handle_missing_key
+        raise MissingKeyError.new(key_path: key_path, env_key: env_key) if raise_if_missing_key
+      end
+
+      def options
+        @options ||= ActiveSupport::InheritableOptions.new(config)
+      end
+
+      def deserialize(config)
+        YAML.safe_load(config).presence || {}
+      end
+    end
+  end
+end

data/lib/diffcrypt/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Diffcrypt
+  VERSION = '0.1.0'
+end

metadata

@@ -0,0 +1,74 @@
+--- !ruby/object:Gem::Specification
+name: diffcrypt
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Marc Qualie
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2020-06-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.0.0
+description: Diffable encrypted configuration files that can be safely committed into
+  a git repository
+email:
+- marc@marcqualie.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- diffcrypt.gemspec
+- lib/diffcrypt.rb
+- lib/diffcrypt/encryptor.rb
+- lib/diffcrypt/rails/encrypted_configuration.rb
+- lib/diffcrypt/version.rb
+homepage: https://github.com/marcqualie/diffcrypt
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/marcqualie/diffcrypt
+  source_code_uri: https://github.com/marcqualie/diffcrypt
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key:
+specification_version: 4
+summary: Diffable encrypted configuration files
+test_files: []