dirt-envelope 0.0.1.placeholder → 0.0.1.pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 187735bbf5949199cba257eb0d38f6c423358ef4
-  data.tar.gz: c315b1ce36473021776e2b919c33427c548fa760
+SHA256:
+  metadata.gz: d09180f8f86b0e8185d719b77b7803759567654c68c6a204a94e113f836af239
+  data.tar.gz: 5ef797a7641950d58474854c44d746d80f320b28ae6d182ea08b07d6f554b1ac
 SHA512:
-  metadata.gz: f00a9d6e8d021dcdbd05078971e7be880660284658e14ab505a808c4126428b4a68ee1e77cbbb3f479c7b81950f0049462ea641d1e4c08fd54ac059d17a90ca9
-  data.tar.gz: 65868d02f3bb41826352af86d2bd7f7bc4b8b9c476b2bff6b2ef6fdc312d85008dd4c8c2c09305cf22d16f8d8230cb388240c7565e9ef5f7416aaee81d2582a1
+  metadata.gz: 6418213a9c59ae1a7a70f9fa30f1b6ab1a5032541056e735c5659c0f3ff82853f358d521abf31af073f7bf944f633d3d8dc9cd85be42719aff123edb406114dc
+  data.tar.gz: 13e32abd1a7c74840bb403df613b336e6aaec3331504a5588f348a58046c5b1a267335ea1c9ee7e2290a3b49102caeed67f1eabf567c63045201ac43980f51fd

data/.rubocop.yml

@@ -0,0 +1,26 @@
+inherit_from: ../.rubocop.yml
+
+AllCops:
+  Exclude:
+    - 'bin/*'
+
+  TargetRubyVersion: 2.4
+
+Layout/LineLength:
+  Exclude:
+    - 'spec/**/*.rb'
+
+# setting to 6 to match RubyMine autoformat
+Layout/FirstArrayElementIndentation:
+  IndentationWidth: 6
+
+
+# rspec blocks are huge by design
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*.rb'
+
+Metrics/ModuleLength:
+  Exclude:
+    - 'spec/**/*.rb'
+

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.7.1

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in dirt-envelope.gemspec

data/README.md

@@ -1,43 +1,105 @@
-# Dirt::Envelope
+# ENVelope
 
-Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/dirt/envelope`. To experiment with that code, run `bin/console` for an interactive prompt.
+> **Note:** This gem is a prototype spike. The API is not yet stable.
 
-TODO: Delete this and the text above, and describe your gem
+## Big Picture
+
+Single source of truth for application-wide configuration and environment variables.
+
+the [12 Factor](http://12factor.net/config) application style is a good start, but the downside to environment variables
+is that they can be leaked to untrustable subprocesses or 3rd party logging services.
+
+### Features
+
+* File schema
+* Location defaults based on the [XDG](https://en.wikipedia.org/wiki/Freedesktop.org#Base_Directory_Specification) file
+  location standard
+* Distinction between configurations and secrets
+* Secrets encrypted using [Lockbox](https://github.com/ankane/lockbox)
+* Immutable
+
+### Anti-Features
+
+Things that ENVelope intentionally does **not** support include:
+
+* Multiple config files
+    * No subtle overrides
+    * No implicit priority-ordering knowledge
+* Modes
+    * A testing environment should control itself
+    * No forgetting to set the mode before running rake, etc
+* Config file code interpretation (eg. ERB in YAML)
+    * Security implications
+    * File structure complexity
+    * Value ambiguity
+
+### But That's Bonkers
+
+It might be! Some situations may legitimately need extremely complex configuration setups. But sometimes a complex
+configuration environment is a code smell indicating that life could be better by:
+
+* Reducing your application into smaller parts (eg. microservices etc)
+* Reducing the number of service providers
+* Improving your deployment process
+
+You know your situation better than this README can.
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'dirt-envelope'
+gem 'procrastinator'
 ```
 
-And then execute:
+And then run in a terminal:
 
-    $ bundle
+    bundle install
 
-Or install it manually with:
+## Usage
 
-    $ gem install dirt-envelope
+### Configs
 
-## Usage
+To create the config file, run this in a terminal:
 
-TODO: Write usage instructions here
+    bundle exec rake envelope:create:configs
+
+If a config file already exists in any of the search path locations, it will yell at you.
+
+To edit the config file, run this in a terminal:
+
+    bundle exec rake envelope:edit:configs
+
+### Secrets
+
+To create the config file, run this in a terminal:
+
+    bundle exec rake envelope:create:secrets
+
+To edit the secrets file, run this and provide the file's encryption key:
+
+    bundle exec rake envelope:edit:secrets
+
+It will then open the decrypted file your default editor (eg. nano). Once you have saved the file, it will be
+re-encrypted.
 
 ## Contributing
+
 Bug reports and pull requests are welcome on GitHub at https://github.com/TenjinInc/dirt-envelope.
 
-This project is intended to be a friendly space for collaboration, and contributors are expected to adhere to the 
+This project is intended to be a friendly space for collaboration, and contributors are expected to adhere to the
 [Contributor Covenant](http://contributor-covenant.org) code of conduct.
 
 ### Core Developers
-After checking out the repo, run `bundle install` to install dependencies. Then, run `rake spec` to run the tests. 
-You can also run `bin/console` for an interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the 
-version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, 
+After checking out the repo, run `bundle install` to install dependencies. Then, run `rake spec` to run the tests. You
+can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the
+version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version,
 push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## License
+
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
 

data/RELEASE_NOTES.md

@@ -0,0 +1,15 @@
+# Release Notes
+
+## 0.0.1 (          )
+
+### Major Changes
+
+* none
+
+### Minor Changes
+
+* none
+
+### Bugfixes
+
+* none

data/Rakefile

@@ -1,6 +1,15 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'yard'
 
 RSpec::Core::RakeTask.new(:spec)
 
 task :default => :spec
+
+YARD::Rake::YardocTask.new do |t|
+   t.files = %w[lib/**/*.rb]
+   # t.options       = %w[--some-option]
+   t.stats_options = ['--list-undoc']
+end

data/dirt-envelope.gemspec

@@ -9,18 +9,24 @@ Gem::Specification.new do |spec|
    spec.authors = ['Robin Miller']
    spec.email   = ['robin@tenjin.ca']
 
-   spec.summary     = %q{A nicer way to use environment variables. }
+   spec.summary     = %q{Unified environment config.}
    spec.description = %q{Provides symbol access and namespacing for environment variables. }
    spec.homepage    = 'https://github.com/TenjinInc/dirt-envelope'
    spec.license     = 'MIT'
+   spec.metadata    = {
+         'rubygems_mfa_required' => 'true'
+   }
 
    spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
    spec.bindir        = 'exe'
    spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
    spec.require_paths = ['lib']
 
-   spec.add_development_dependency 'bundler', '~> 1.11'
-   spec.add_development_dependency 'rake', '~> 10.0'
-   spec.add_development_dependency 'rspec', '~> 3.0'
-   spec.add_development_dependency 'simplecov', '~> 0.11'
+   spec.add_dependency 'lockbox', '>= 1.0'
+
+   spec.add_development_dependency 'bundler', '~> 2.3'
+   spec.add_development_dependency 'rake', '~> 13.0'
+   spec.add_development_dependency 'rspec', '~> 3.9'
+   spec.add_development_dependency 'simplecov', '~> 0.21'
+   spec.add_development_dependency 'yard', '~> 0.9'
 end

data/lib/dirt/envelope/rake/tasks.rb

@@ -0,0 +1,116 @@
+# frozen_string_literal: true
+
+require 'io/console'
+require 'tempfile'
+
+namespace :envelope do
+   # TODO: replace with actual path search mechanism (though not sure how to handle creates)
+   config_dir = Pathname.new('~/.config/').expand_path
+
+   namespace :configs do
+      desc 'Create a new configuration file'
+      task :create, [:app_name] do |_task, args|
+         if args[:app_name].nil?
+            raise 'app namespace argument required. Run with bundle exec rake envelope:secrets:create[app_name_here]'
+         end
+
+         file = config_dir / args[:app_name] / 'config.yml'
+         if file.exist?
+            warn 'Abort: File exists. Maybe you meant to edit the file with rake envelope:secrets:edit?'
+            exit 1
+         end
+
+         file.write <<~CONFIG_TEMPLATE
+            ---
+         CONFIG_TEMPLATE
+
+         warn "Created file #{ file }"
+      end
+
+      task :edit, [:app_name] do |_task, args|
+         if args[:app_name].nil?
+            raise 'app namespace argument required. Run with bundle exec rake envelope:secrets:create[app_name_here]'
+         end
+
+         # TODO: better to use the actual path search mechanism
+         configs_file = config_dir / args[:app_name] / 'config.yml'
+
+         # TODO: is exception good here? thought is to avoid clobbering exiting file on error.
+         system(ENV.fetch('EDITOR', 'editor'), configs_file.to_s, exception: true)
+
+         # TODO: it should warn about file unchanged. hint maybe you forgot to hit save?
+         # TODO: should avoid writing empty string. tell them to delete the file if that is what they want
+
+         warn "File saved to #{ configs_file }"
+      end
+   end
+
+   namespace :secrets do
+      desc 'Create a new encrypted secrets file'
+      task :create, [:app_name] do |_task, args|
+         if args[:app_name].nil?
+            raise 'app namespace argument required. Run with bundle exec rake envelope:secrets:create[app_name_here]'
+         end
+
+         file = config_dir / args[:app_name] / 'secrets.yml'
+         if file.exist?
+            warn 'Abort: File exists. Maybe you meant to edit the file with rake envelope:secrets:edit?'
+            exit 1
+         end
+
+         # TODO: add a comment inside the default template that tells people how to use it
+         file_str = <<~SECRETS_TEMPLATE
+            ---
+         SECRETS_TEMPLATE
+
+         master_key = Lockbox.generate_key
+
+         lockbox = Lockbox.new(key: master_key)
+
+         # TODO: explicitly set permissions, just in case they have weird inherited defaults
+         file.binwrite(lockbox.encrypt(file_str))
+         warn "Created file #{ file }"
+
+         # TODO: ideally this would not (always) print to terminal. maybe save to a file? or perhaps leverage stdout vs stderr to allow piping to file?
+         warn <<~INSTRUCTIONS
+            Generated key is:
+               #{ master_key }
+            
+            Save this key to a secure password manager. You will need it to edit the secrets.yml file.
+         INSTRUCTIONS
+      end
+
+      desc 'Edit the encrypted secrets file'
+      task :edit, [:app_name] do |_task, args|
+         if args[:app_name].nil?
+            raise 'app namespace argument required. Run with bundle exec rake envelope:secrets:create[app_name_here]'
+         end
+
+         # TODO: better to use the actual path search mechanism
+         secrets_file = config_dir / args[:app_name] / 'secrets.yml'
+
+         master_key = ENV.fetch 'LOCKBOX_KEY' do
+            $stderr.puts 'Enter master key:'
+            $stdin.noecho(&:gets).strip
+         end
+
+         lockbox = Lockbox.new(key: master_key)
+
+         file_str = Tempfile.create(secrets_file.basename.to_s) do |tmp_file|
+            decrypted = lockbox.decrypt(secrets_file.binread)
+
+            tmp_file.write(decrypted)
+            tmp_file.rewind # rewind seems to be needed before system call for some reason?
+            # TODO: is exception good here? thought is to avoid clobbering exiting file on error.
+            system(ENV.fetch('EDITOR', 'editor'), tmp_file.path, exception: true)
+            tmp_file.read
+         end
+
+         # TODO: it should warn about file unchanged. hint maybe you forgot to hit save?
+         # TODO: should avoid writing empty string. tell them to delete the file if that is what they want
+         secrets_file.binwrite(lockbox.encrypt(file_str))
+
+         warn "File saved to #{ secrets_file }"
+      end
+   end
+end

data/lib/dirt/envelope/version.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Dirt
-  module Envelope
-    VERSION = '0.0.1.placeholder'
-  end
+   module Envelope
+      VERSION = '0.0.1.pre1'
+   end
 end

data/lib/dirt/envelope.rb

@@ -1,7 +1,148 @@
-require "dirt/envelope/version"
+# frozen_string_literal: true
+
+require 'dirt/envelope/version'
+require 'yaml'
+require 'lockbox'
+require 'pathname'
+require 'forwardable'
 
 module Dirt
-  module Envelope
-    # Your code goes here...
-  end
+
+   # ENVelope
+   module Envelope
+      # TODO: replace PATH_KEY and DEFAULT_PATH with XDG gem. won't need them then
+      PATH_KEY = 'ENVELOPE_PATH'
+      # specifically not looking in app directory since we want to discourage saving any of these in git
+      DEFAULT_PATH = %w[
+         /etc
+         /usr/local/etc
+         ~/.config
+      ].join(' ').freeze
+
+      EXT = '.yml'
+
+      class Envelope
+         extend Forwardable
+
+         def_delegators :@configs, :fetch, :[]
+
+         def_delegator :@secrets, :secret, :fetch
+
+         attr_reader :configs, :secrets
+
+         def initialize(app_name:)
+            @configs = {}
+            @secrets = {}
+
+            config_files = locate_files(app_name, :config)
+
+            load_configs(config_files)
+
+            secret_files = locate_files(app_name, :secrets)
+
+            # TODO: this should be read from ENV or specific key in config file
+            master_key         = ENV.fetch('LOCKBOX_KEY') do
+               raise KeyError, 'missing environment variable LOCKBOX_KEY' unless $stdin.respond_to? :noecho
+               $stderr.puts 'Enter master key:'
+               $stdin.noecho(&:gets).strip
+            end
+            Lockbox.master_key = master_key
+
+            load_secrets(secret_files, master_key)
+
+            # TODO: should be nice to recursively freeze secrets and configs, so that the whole settings hash chain is frozen
+            # secrets and main object are frozen prior to calling override block. This is on purpose to prevent folks from
+            # putting secrets into their code in that block.
+            @secrets.freeze
+            freeze
+
+            # TODO: setting & runninng override block should have some guards around it that raise if called after freezing
+            #       (with a better error msg, hint that it must be set) or if called too early
+            self.class.__override_block__&.call(@configs)
+            @configs.freeze
+         end
+
+         class << self
+            attr_accessor :__override_block__
+         end
+
+         private
+
+         def search_path
+            ENV.fetch(PATH_KEY, DEFAULT_PATH).split(/\s+/).collect { |path| Pathname.new(path).expand_path }
+         end
+
+         def load_configs(files)
+            files.each do |config_file|
+               data = YAML.safe_load(config_file.read, symbolize_names: true)
+               next unless data
+
+               @configs.merge!(data)
+            end
+         end
+
+         def load_secrets(files, master_key)
+            lockbox = Lockbox.new(key: master_key)
+
+            # TODO: error out if any config files are readable by any other user
+
+            files.each do |config_file|
+               raw_file  = config_file.binread
+               file_data = begin
+                              lockbox.decrypt raw_file
+                           rescue Lockbox::DecryptionError => e
+                              raise RuntimeError, "Failed to open #{ config_file } (#{ e })"
+                           end
+               data      = YAML.safe_load(file_data, symbolize_names: true)
+               next unless data
+
+               @secrets.merge!(data)
+            end
+         end
+
+         def locate_files(app_name, type)
+            full_paths = search_path.collect { |dir| dir / app_name / "#{ type }#{ EXT }" }.collect(&:expand_path)
+
+            config_files = full_paths.select(&:exist?)
+
+            if config_files.empty?
+               raise "No #{ type } files found. Looked for: #{ full_paths.join(', ') }. Create at least one of these."
+            end
+
+            config_files
+         end
+
+         class SettingSet
+            extend Forwardable
+
+            def_delegators :@config, :fetch, :[]
+
+            def_delegator :@secrets, :secret, :fetch
+
+            def initialize(config)
+               @config  = config
+               @secrets = {}
+            end
+
+            def merge!(other)
+               if other.is_a? Hash
+                  @delegate_sd_obj.merge!(SettingSet.new(other))
+               else
+                  @delegate_sd_obj.merge!(other)
+               end
+            end
+         end
+      end
+
+      class << self
+         # Override block that will be run after loading from config files and prior to freezing. It is intended to allow
+         # for test suites to tweak configurations without having to duplicate the entire config file.
+         #
+         # @yieldparam the configs from the Envelope
+         # @return [void]
+         def override(&block)
+            ::Dirt::Envelope::Envelope.__override_block__ = block
+         end
+      end
+   end
 end

metadata

@@ -1,71 +1,99 @@
 --- !ruby/object:Gem::Specification
 name: dirt-envelope
 version: !ruby/object:Gem::Version
-  version: 0.0.1.placeholder
+  version: 0.0.1.pre1
 platform: ruby
 authors:
 - Robin Miller
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-02-21 00:00:00.000000000 Z
+date: 2022-09-28 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: lockbox
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
+        version: '2.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.11'
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.9'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.21'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.9'
 description: 'Provides symbol access and namespacing for environment variables. '
 email:
 - robin@tenjin.ca
@@ -75,21 +103,25 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
-- ".travis.yml"
+- ".rubocop.yml"
+- ".ruby-version"
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
 - README.md
+- RELEASE_NOTES.md
 - Rakefile
 - bin/console
 - bin/setup
 - dirt-envelope.gemspec
 - lib/dirt/envelope.rb
+- lib/dirt/envelope/rake/tasks.rb
 - lib/dirt/envelope/version.rb
 homepage: https://github.com/TenjinInc/dirt-envelope
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -105,9 +137,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 1.3.1
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
-summary: A nicer way to use environment variables.
+summary: Unified environment config.
 test_files: []

data/.travis.yml

@@ -1,4 +0,0 @@
-language: ruby
-rvm:
-  - 2.2.1
-before_install: gem install bundler -v 1.11.2