dynamo_secret 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: eceed7ab952b1bfb775f44552c484acd65854864
+  data.tar.gz: 8c1b80312dedd3e880bcbff04ad3836cb577e56e
+SHA512:
+  metadata.gz: 6ac8d52f9f3d97d0d4b7d921454484d533858021624d618b673f2b06e45c2f42e0f416cea761e20542a71b2f123d9e91262e589ba7513c36ac19a217f76ddc24
+  data.tar.gz: 29eb552532e791d797ca5db55397950e9552bd66f6d74a33cdd0a076222320e28ebb947e6ae66ffbf5f2e8107daf553d611bc516abf6907e9ef4779b8a6afc1e

data/CHANGELOG.md

@@ -0,0 +1,4 @@
+# Unreleased Changes
+
+# 0.1.0 (2017-10-15)
+* initial release

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Robert Bayerl
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,46 @@
+# dynamo_secret
+Ruby gem for encrypting secrets with [GnuPG](https://gnupg.org/) and/or
+[KMS](https://aws.amazon.com/kms/) and storing them in
+[DynamoDB](https://aws.amazon.com/dynamodb/).
+
+## Usage
+`dynamo_secret` can be used to store, fetch, update, and delete encrypted
+information. It is intended to be used as a remote password store, but could be
+used for other things as well. Data is organized by site, and can contain
+almost anything.
+Usage:
+```
+dynamo_secret -l|--list
+dynamo_secret -i|--init   [-k|--kms]
+dynamo_secret -g|--get    [site] [key1,key2,...]
+dynamo_secret -a|--add    [site] [key1,key2,...] [val1,val2,...]
+dynamo_secret -u|--update [site] [key1,key2,...] [val1,val2,...]
+dynamo_secret -d|--delete [site]
+```
+
+### List
+`dynamo_secret -l` will list all of the sites stored in the DynamoDB table.
+
+### Init
+Before storing secrets the table needs to be created. `dynamo_secret -i [-k]`
+will create the table. If the optional `-k` flag is supplied a KMS key will
+also be created. KMS keys do not qualify for free tier usage and will cost $1
+or more per month.
+
+### Get
+`dynamo_secret -g|--get [site] [key1,key2,...]` will retreive and decrypt
+information stored under the specified site. Specific fields (keys) can also
+be specified if not all fields are wanted or required.
+
+### Add
+`dynamo_secret -a|--add [site] [key1,key2,...] [val1,val2,...]` stores key
+value pairs under `site`. Values may be omitted to keep them out of history
+files, or `-` may be used for extra sensitive secrets.
+
+### Update
+`dynamo_secret -u|--update` works exactly like `--put`, but it replaces the
+specified key value pairs while keeping anything else.
+
+### Delete
+`dynamo_secret -d|--delete [site]` completely removes all records under `site`
+from the DynamoDB table.

data/bin/dynamo_secret

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'dynamo_secret'
+
+DynamoSecret::CLI.new(ARGV).run

data/lib/dynamo_secret/cli.rb

@@ -0,0 +1,98 @@
+module DynamoSecret
+  class CLI
+    def initialize(args)
+      @args = args
+    end
+
+    def run
+      load_config
+      parse_args(@args)
+      perform_action
+    end
+
+    private
+
+    def ask_key_pairs(keys, values)
+      keys = keys.to_s.split(',')
+      values = values.to_s.split(',')
+      if keys.empty?
+        loop do
+          key = ask('Key [ENTER to quit]: ')
+          break if key == ''
+          keys << key
+        end
+      end
+      keys.map.with_index do |key, index|
+        { key => values[index].nil? || values[index] == '-' ? ask("Value for #{key}: ") : values[index] }
+      end
+    end
+
+    def ask_secret_data
+      if @args.count > 3
+        $stderr.puts usage
+        exit 1
+      else
+        @config[:secret_data][site] = ask_key_pairs(@args.shift, @args.shift)
+      end
+    end
+
+    def load_config
+      config_file = "#{ENV['HOME']}/.dynamo_secret.yml"
+      @config = File.exist?(config_file) ? YAML.load_file(config_file) : {}
+      @config[:secret_data] = {}
+    end
+
+    def parse_args(args)
+      OptionParser.new do |opts|
+        opts.banner = usage
+        opts.version = VERSION
+        opts.on('-l', '--list', 'List all sites stored in table') { |_l| @action = 'list' }
+        opts.on('-i', '--init', 'Set up DynamoDB and KMS') { |_i| @action = 'init' }
+        opts.on('-g', '--get', 'Get a secret') { |_g| @action = 'get' }
+        opts.on('-a', '--add', 'Add a new secret') { |_a| @action = 'put' }
+        opts.on('-u', '--update', 'Update an existing secret') { |_u| @action = 'update' }
+        opts.on('-d', '--delete', 'Remove site from table') { |_d| @action = 'delete' }
+        opts.on('-k', '--kms', 'Enable KMS key creation (init only)') { |k| @config[:enable_kms] = k }
+      end.parse!(args)
+      @args = args
+    end
+
+    def perform_action
+      case @action
+      when 'init'
+        Secret.new(@config).setup
+      when 'get'
+        @config[:secret_data][site] = []
+        Secret.new(@config).get(@args.shift)
+      when 'put'
+        ask_secret_data
+        Secret.new(@config).put
+      when 'update'
+        ask_secret_data
+        Secret.new(@config).update
+      when 'delete'
+        @config[:secret_data][site] = []
+        Secret.new(@config).delete
+      when 'list'
+        DynamoDB.new(@config).list_secrets
+      else
+        $stderr.puts usage
+        exit 1
+      end
+    end
+
+    def site
+      @site ||= @args.any? ? @args.shift : ask('Site: ')
+    end
+
+    def usage
+      'Usage:
+dynamo_secret -l|--list
+dynamo_secret -i|--init   [-k|--kms]
+dynamo_secret -g|--get    [site] [key1,key2,...]
+dynamo_secret -a|--add    [site] [key1,key2,...] [val1,val2,...]
+dynamo_secret -u|--update [site] [key1,key2,...] [val1,val2,...]
+dynamo_secret -d|--delete [site]'
+    end
+  end
+end

data/lib/dynamo_secret/dynamodb.rb

@@ -0,0 +1,70 @@
+module DynamoSecret
+  class DynamoDB
+    def initialize(config)
+      @table_name = config[:table_name] || table_name
+      @region = config.fetch(:region, region)
+      @secret_data = config.fetch(:secret_data, {})
+    end
+
+    def create_table
+      client.create_table(
+        attribute_definitions: [{ attribute_name: 'Site', attribute_type: 'S' }],
+        table_name: @table_name,
+        key_schema: [{ attribute_name: 'Site', key_type: 'HASH' }],
+        provisioned_throughput: {
+          read_capacity_units: 25,
+          write_capacity_units: 25
+        }
+      )
+      $stdout.puts "Created new table: #{@table_name}"
+    rescue Aws::DynamoDB::Errors::ResourceInUseException
+      $stderr.puts "Table #{@table_name} already exists"
+    end
+
+    def delete
+      client.delete_item(
+        key: {
+          'Site' => @secret_data.map { |k, _v| k }.first
+        },
+        table_name: @table_name
+      )
+    end
+
+    def fetch_secret
+      client.get_item(
+        key: {
+          'Site' => @secret_data.map { |k, _v| k }.first
+        },
+        table_name: @table_name
+      ).item
+    rescue Aws::DynamoDB::Errors::ResourceNotFoundException
+      $stderr.puts "Table #{@table_name} not found"
+      exit 1
+    end
+
+    def list_secrets
+      client.scan(table_name: @table_name).items.each { |item| $stdout.puts item['Site'] }
+    end
+
+    def put_secret(secret_data)
+      client.put_item(
+        item: secret_data,
+        table_name: @table_name
+      )
+    end
+
+    private
+
+    def client
+      @client ||= Aws::DynamoDB::Client.new(region: @region)
+    end
+
+    def region
+      ENV.fetch('AWS_REGION', 'us-west-2')
+    end
+
+    def table_name
+      "dynamo_secret_#{IAM.new.user_id}"
+    end
+  end
+end

data/lib/dynamo_secret/gpg.rb

@@ -0,0 +1,24 @@
+module DynamoSecret
+  class Gpg
+    def decrypt(data)
+      crypto.decrypt(data).read
+    rescue GPGME::Error::NoData
+      $stderr.puts 'Key was found but GPG decrypt failed - skipping'
+      data
+    end
+
+    def encrypt(data)
+      crypto.encrypt(data, recipients: [key.uids.first.name]).read
+    end
+
+    def key
+      @gpg_key ||= GPGME::Key.find(:secret).map { |k| k if k.expires > Date.today.to_time }.first
+    end
+
+    private
+
+    def crypto
+      @crypto ||= GPGME::Crypto.new
+    end
+  end
+end

data/lib/dynamo_secret/iam.rb

@@ -0,0 +1,8 @@
+module DynamoSecret
+  class IAM
+    def user_id
+      @user ||= Aws::IAM::CurrentUser.new(region: 'us-west-2')
+      @user.user_name || @user.user_id
+    end
+  end
+end

data/lib/dynamo_secret/kms.rb

@@ -0,0 +1,49 @@
+module DynamoSecret
+  class Kms
+    def initialize(config)
+      @key_name = config[:key_name] || key_name
+      @region = config.fetch(:region, region)
+    end
+
+    def create_key
+      return $stdout.puts "KMS alias #{@key_name} already exists" if key
+      id = client.create_key(tags: [{ tag_key: 'Owner', tag_value: user_id }]).key_metadata.key_id
+      client.create_alias(alias_name: "alias/#{@key_name}", target_key_id: id)
+    end
+
+    def decrypt(data)
+      client.decrypt(ciphertext_blob: data).plaintext
+    rescue Aws::KMS::Errors::InvalidCiphertextException
+      $stderr.puts 'Key was found but KMS decrypt failed - skipping'
+      data
+    end
+
+    def encrypt(data)
+      client.encrypt(key_id: key, plaintext: data).ciphertext_blob
+    end
+
+    def key
+      @key ||= client.list_aliases.aliases.map do |kms_alias|
+        kms_alias.target_key_id if kms_alias.alias_name == "alias/#{@key_name}"
+      end.compact.first
+    end
+
+    private
+
+    def client
+      @client ||= Aws::KMS::Client.new(region: @region)
+    end
+
+    def key_name
+      "dynamo_secret_#{user_id}"
+    end
+
+    def region
+      ENV.fetch('AWS_REGION', 'us-west-2')
+    end
+
+    def user_id
+      @user_id ||= IAM.new.user_id
+    end
+  end
+end

data/lib/dynamo_secret/secret.rb

@@ -0,0 +1,97 @@
+module DynamoSecret
+  class Secret
+    def initialize(config)
+      @config = config
+    end
+
+    def delete
+      resp = ask("Really delete #{site}? (y/N) ")
+      return unless resp.casecmp('y')
+      dynamodb.delete
+      $stdout.puts "#{site} deleted"
+    end
+
+    def get(fields)
+      secret = dynamodb.fetch_secret
+      return decrypt(secret, fields) if secret
+      $stderr.puts "Could not find record for #{site}"
+      exit 1
+    end
+
+    def put
+      if gpg.key.nil? && kms.key.nil?
+        $stderr.puts 'Refusing to store secrets in plain text'
+        exit 1
+      elsif dynamodb.fetch_secret
+        $stderr.puts "Site #{site} already exists"
+        exit 1
+      else
+        secret = encrypt
+        dynamodb.put_secret(secret)
+      end
+    end
+
+    def setup
+      dynamodb.create_table
+      kms.create_key unless @config.fetch(:enable_kms, nil).nil?
+    end
+
+    def update
+      secret = dynamodb.fetch_secret.merge(encrypt)
+      dynamodb.put_secret(secret)
+    end
+
+    private
+
+    def decode(data)
+      data = Base64.decode64(data)
+      data = kms.decrypt(data) if kms.key
+      data = gpg.decrypt(data) if gpg.key
+      data
+    end
+
+    def decrypt(data, fields)
+      headers = [['Key', 'Value'], ['---', '-----']]
+      fields ||= [['Site', data['Site']]] + data.map { |k, v| [k, decode(v)] unless k == 'Site' }.compact
+      output = if fields.is_a?(Array)
+                 headers + fields
+               else
+                 headers + data.map { |k, v| [k, decode(v)] if fields.include?(k) }.compact
+               end
+      widths = output.transpose.map { |x| x.map(&:length).max }.map { |w| "%-#{w}s" }.join('   ')
+      output.each { |line| $stdout.puts widths % line }
+    end
+
+    def encode(data)
+      data = gpg.encrypt(data) if gpg.key
+      data = kms.encrypt(data) if kms.key
+      Base64.encode64(data)
+    end
+
+    def dynamodb
+      @dynamodb ||= DynamoDB.new(@config)
+    end
+
+    def encrypt
+      encrypted_data = {
+        'Site' => site
+      }
+      @config[:secret_data][site].each do |kv|
+        kv.map { |k, v| encrypted_data[k] = encode(v) }
+      end
+      encrypted_data
+    end
+
+    def gpg
+      @gpg ||= Gpg.new
+    end
+
+    def kms
+      @kms ||= Kms.new(@config)
+    end
+
+    def site
+      @config[:secret_data].map { |k, _v| k }.first
+    end
+  end
+end

data/lib/dynamo_secret/version.rb

@@ -0,0 +1,3 @@
+module DynamoSecret
+  VERSION = '0.1.0'.freeze
+end

data/lib/dynamo_secret.rb

@@ -0,0 +1,14 @@
+require 'aws-sdk-dynamodb'
+require 'aws-sdk-iam'
+require 'aws-sdk-kms'
+require 'gpgme'
+require 'highline/import'
+require 'optparse'
+require 'yaml'
+require 'dynamo_secret/cli'
+require 'dynamo_secret/dynamodb'
+require 'dynamo_secret/gpg'
+require 'dynamo_secret/iam'
+require 'dynamo_secret/kms'
+require 'dynamo_secret/secret'
+require 'dynamo_secret/version'

metadata

@@ -0,0 +1,196 @@
+--- !ruby/object:Gem::Specification
+name: dynamo_secret
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Rob Bayerl
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-10-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-dynamodb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-iam
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk-kms
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: gpgme
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bump
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: single_cov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Encrypt and decrypt secrets stored in DynamoDB with GPG and/or KMS
+email: 
+executables:
+- dynamo_secret
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- bin/dynamo_secret
+- lib/dynamo_secret.rb
+- lib/dynamo_secret/cli.rb
+- lib/dynamo_secret/dynamodb.rb
+- lib/dynamo_secret/gpg.rb
+- lib/dynamo_secret/iam.rb
+- lib/dynamo_secret/kms.rb
+- lib/dynamo_secret/secret.rb
+- lib/dynamo_secret/version.rb
+homepage: https://github.com/rbayerl/dynamo_secret
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.11
+signing_key: 
+specification_version: 4
+summary: Store and fetch encrypted secrets in DynamoDB
+test_files: []