RubyGems - ecfg - Versions diffs - 0.0.1 - Mend

ecfg 0.0.1

Files changed (13) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8efdd4d0e48264d36d74d1f58e31f1845d9bcfff
+  data.tar.gz: 8c09c019102a2858b18a9c745f525c30d15dcb03
+SHA512:
+  metadata.gz: cc6474f290df48e039877cdd3157d41b8266b8adcf4bc2b6476b6eb1e6f14281aab60507a468c643bcfbca058cc3ce2354c70b8eb653c3883270104ff67d1d56
+  data.tar.gz: 7b3fc93a30c82ae36bde6cdc566926d2d7628ee8ed482f6bd7fbe654b36f3c6e17513552b176fb31a0c9bf2c36e2d2106a47644ef951bf34d7397a401c7757e2

data/LICENSE ADDED

@@ -0,0 +1,22 @@
+Copyright (c) 2014 - 2016 Shopify
+MIT License
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/bin/ecfg ADDED

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+platform = `uname -sm`
+platform_dir = case platform
+               when /^Darwin/
+                 'darwin-amd64'
+               when /^Linux.*64/
+                 'linux-amd64'
+               else
+                 abort 'ecfg is not supported on your platform.'
+               end
+bindir = File.expand_path("../../build/#{platform_dir}", __FILE__)
+exec(
+  {
+    'PATH'    => "#{bindir}:#{ENV['PATH']}",
+    'MANPATH' => File.expand_path('../../man', __FILE__)
+  },
+  'ecfg',
+  *ARGV
+)

data/build/darwin-amd64/ecfg ADDED

Binary file

data/build/linux-amd64/ecfg ADDED

Binary file

data/ecfg.gemspec ADDED

@@ -0,0 +1,20 @@
+# coding: utf-8
+require File.expand_path('../lib/ecfg/version', __FILE__)
+files = File.read("MANIFEST").lines.map(&:chomp)
+Gem::Specification.new do |spec|
+  spec.name          = "ecfg"
+  spec.version       = Ecfg::VERSION
+  spec.authors       = ["Burke Libbey"]
+  spec.email         = ["burke.libbey@shopify.com"]
+  spec.summary       = %q{Asymmetric keywise encryption for configuration}
+  spec.description   = %q{Secret management by encrypting values in a JSON or YAML file with a public/private keypair}
+  spec.homepage      = "https://github.com/Shopify/ecfg"
+  spec.license       = "MIT"
+  spec.files         = files
+  spec.executables   = ["ecfg"]
+  spec.test_files    = []
+  spec.require_paths = ["lib"]
+end

data/lib/ecfg/version.rb ADDED

@@ -0,0 +1,3 @@
+module Ecfg
+  VERSION = "0.0.1"
+end

data/man/man1/ecfg-decrypt.1 ADDED

@@ -0,0 +1,25 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "ECFG\-DECRYPT" "1" "July 2016" "Shopify" "Version 0.0.1"
+.
+.SH "NAME"
+\fBecfg\-decrypt\fR \- decrypt an ecfg file
+.
+.SH "SYNOPSIS"
+\fBecfg decrypt\fR [\fB\-t\fR|\fB\-\-type\fR \fIfiletype\fR] [\fIfile\fR]
+.
+.SH "DESCRIPTION"
+\fBecfg decrypt\fR decrypts the given file; that is, decrypts all the encrypted keys within it, printing the full decrypted file to stdout\. The key mentioned in the ecfg(5) file must be present in the keydir unless \fBECFG_PRIVATE_KEY\fR is present in the environment\. See ecfg(1) for more on key lookup semantics\.
+.
+.P
+If no filename is given, data will instead be read from \fBstdin\fR\.
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-t\fR, \fB\-\-type\fR="json|yaml"
+Specify the filetype\. Required when passing data from \fBstdin\fR and when \fIfile\fR does not end in "\.ecfg\.json" or "\.ecfg\.yaml"\.
+.
+.SH "SEE ALSO"
+ecfg(1), ecfg\-encrypt(1), ecfg\-keygen(1), ecfg(5)

data/man/man1/ecfg-encrypt.1 ADDED

@@ -0,0 +1,28 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "ECFG\-ENCRYPT" "1" "July 2016" "Shopify" "Version 0.0.1"
+.
+.SH "NAME"
+\fBecfg\-encrypt\fR \- encrypt an ecfg file
+.
+.SH "SYNOPSIS"
+\fBecfg encrypt\fR [\fB\-t\fR|\fB\-\-type\fR \fIfiletype\fR] [\fIfile\fR]
+.
+.SH "DESCRIPTION"
+\fBefcg encrypt\fR encrypts any unencrypted data in the given file or, if no filename is given, \fBstdin\fR\.
+.
+.P
+If a filename is given, that file will be modified in place; or, if the data is being read from \fBstdin\fR, the encrypted file will be written to \fBstdout\fR\.
+.
+.P
+See ecfg(5) for information on the structure of an encryptable file\.
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-t\fR, \fB\-\-type\fR="json|yaml"
+Specify the filetype\. Required when passing data from \fBstdin\fR and when \fIfile\fR does not end in "\.ecfg\.json" or "\.ecfg\.yaml"\.
+.
+.SH "SEE ALSO"
+ecfg(1), ecfg\-decrypt(1), ecfg\-keygen(1), ecfg(5)

data/man/man1/ecfg-keygen.1 ADDED

@@ -0,0 +1,22 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "ECFG\-KEYGEN" "1" "July 2016" "Shopify" "Version 0.0.1"
+.
+.SH "NAME"
+\fBecfg\-keygen\fR \- generate a new keypair for use with ecfg
+.
+.SH "SYNOPSIS"
+\fBecfg keygen\fR [\fB\-w\fR|\fB\-\-write\fR]
+.
+.SH "DESCRIPTION"
+Generates a new keypair suitable for use with ecfg(1) and prints the resulting public and private keys to \fBstdout\fR\. The public key should be inserted into an ecfg(5) document and the private key should be stored in the keydir of the decrypting system(s)\.
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-w\fR, \fB\-\-write\fR
+Rather than printing the keypair to the screen, write it directly to the keydir\. The public key will still be printed, but the private key will be inserted into the keydir
+.
+.SH "SEE ALSO"
+ecfg(1), ecfg\-encrypt(1), ecfg\-decrypt(1), ecfg(5)

data/man/man1/ecfg.1 ADDED

@@ -0,0 +1,59 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "ECFG" "1" "July 2016" "Shopify" "Version 0.0.1"
+.
+.SH "NAME"
+\fBecfg\fR \- manage application secrets via encrypted config
+.
+.SH "SYNOPSIS"
+\fBecfg\fR \fBcommand\fR [\fBargs\fR]
+.
+.SH "DESCRIPTION"
+\fBecfg\fR is a utility for managing a collection of secrets, typically to be committed to source control\. The secrets are encrypted using public key, elliptic curve cryptography\. Secrets are collected in a JSON or YAML file, in which all the string values are encrypted\. Public keys are embedded in the file, and the decrypter looks up the corresponding private key from its local filesystem or process environment\.
+.
+.P
+See ecfg(5) for more information on the \fBecfg\fR file format, and read on for a workflow example\.
+.
+.SH "COMMANDS"
+.
+.TP
+\fBecfg help\fR [\fIcommand\fR]
+Show (this) help for \fBecfg\fR in general, or for a specific command
+.
+.TP
+\fBecfg encrypt\fR : ecfg\-encrypt(1)
+Encrypt an \fBecfg\fR file (alias: \fBecfg e\fR)
+.
+.TP
+\fBecfg decrypt\fR : ecfg\-decrypt(1)
+Decrypt an \fBecfg\fR file (alias: \fBecfg d\fR)
+.
+.TP
+\fBecfg keygen\fR : ecfg\-keygen(1)
+Generate an \fBecfg\fR keypair (alias: \fBecfg g\fR)
+.
+.SH "ENVIRONMENT"
+.
+.TP
+\fBECFG_KEYDIR\fR
+Override the default key lookup directory of /opt/ecfg/keys\.
+.
+.TP
+\fBECFG_PRIVATE_KEY\fR
+When decrypting, instead of looking up the matching private key for the public key given in the input file, assume the file was encrypted to the provided private key\. This option is useful when running in environments such as heroku where obtaining keys from disk is impractical\.
+.
+.SH "WORKFLOW"
+TODO
+.
+.SH "BUGS"
+Report security issues to \fIburke\.libbey@shopify\.com\fR and \fIsecurity@shopify\.com\fR\.
+.
+.P
+File non\-security\-related bugs at \fIhttps://github\.com/Shopify/ecfg\fR\.
+.
+.SH "COPYRIGHT"
+\fBecfg\fR is copyright (C) 2016 Shopify under MIT license\.
+.
+.SH "SEE ALSO"
+ecfg\-encrypt(1), ecfg\-decrypt(1), ecfg\-keygen(1), ecfg(5)

data/man/man5/ecfg.5 ADDED

@@ -0,0 +1,87 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "ECFG" "5" "July 2016" "Shopify" "Version 0.0.1"
+.
+.SH "NAME"
+\fBecfg\fR \- JSON or YAML file with asymmetric\-key\-encrypted values
+.
+.SH "SYNOPSIS"
+An \fBecfg\fR file is syntactically a \fBjson\fR or \fByaml\fR file, but with a few minor semantic additions described below\.
+.
+.SH "PUBLIC KEY"
+Each \fBecfg\fR file must have a key at the top level named \fB_public_key\fR\. This implies that the top\-level structure must be a hashmap, not an array\.
+.
+.P
+The \fB_public_key\fR key must have a string value, which is a hex\-encoded 32\-byte (totalling 64 ASCII bytes) public key as generated by \fIecfg\-keygen\fR(1)\.
+.
+.P
+By convention, \fB_public_key\fR should be the first key in the file\.
+.
+.SH "ENCRYPTABLE VALUES"
+A value is considered encryptable if:
+.
+.IP "1." 4
+It is a string literal (numbers, true, false, null all remain unencrypted);
+.
+.IP "2." 4
+It is not an object key (ie\. not immediately followed by a ":");
+.
+.IP "3." 4
+Its corresponding object key did not begin with an underscore ("_")\.
+.
+.IP "" 0
+.
+.P
+Take special note of point 3\. This is the reason \fB_public_key\fR isn\'t encrypted, and can be used to construct metadata schemes\. For example, in the excerpt below, only the values for \fBrotation_password\fR and \fBsecret\fR will be encrypted\.
+.
+.IP "" 4
+.
+.nf
+"my_secret": {
+  "_description": "API key for foocorp",
+  "_rotation": "https://example\.com/foocorp/apikey",
+  "_rotation_username": "admin",
+  "rotation_password": "password",
+  "secret": "123123123123123123123"
+}
+.
+.fi
+.
+.IP "" 0
+.
+.P
+Also note that this underscore "unencryptable" attribute is not heritable\. For example, the password in this excerpt \fBwill\fR be encrypted\.
+.
+.IP "" 4
+.
+.nf
+"_unencryptable": {
+  "password": "encrypted anyway"
+}
+.
+.fi
+.
+.IP "" 0
+.
+.SH "SECRET SCHEMA"
+When a value is encrypted, it will be replaced by a relatively long string of the form \fI"EJ[V:P:N:M]"\fR\. The fields are:
+.
+.IP "\(bu" 4
+\fBV\fR (decimal\-as\-string int) Schema Version, hard\-coded to "1" for now
+.
+.IP "\(bu" 4
+\fBP\fR (base64\-encoded 32\-byte array) Public key of an ephemeral keypair used to encrypt this key
+.
+.IP "\(bu" 4
+\fBN\fR (base64\-encoded 24\-byte array) Nonce used to encrypt this key
+.
+.IP "\(bu" 4
+\fBM\fR (base64\-encoded variable\-length array) Raw ciphertext
+.
+.IP "" 0
+.
+.SH "SEE ALSO"
+ecfg(1), ecfg\-encrypt(1), ecfg\-decrypt(1), ecfg\-keygen(1)

metadata ADDED

@@ -0,0 +1,57 @@
+--- !ruby/object:Gem::Specification
+name: ecfg
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Burke Libbey
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-07-08 00:00:00.000000000 Z
+dependencies: []
+description: Secret management by encrypting values in a JSON or YAML file with a
+  public/private keypair
+email:
+- burke.libbey@shopify.com
+executables:
+- ecfg
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- bin/ecfg
+- build/darwin-amd64/ecfg
+- build/linux-amd64/ecfg
+- ecfg.gemspec
+- lib/ecfg/version.rb
+- man/man1/ecfg-decrypt.1
+- man/man1/ecfg-encrypt.1
+- man/man1/ecfg-keygen.1
+- man/man1/ecfg.1
+- man/man5/ecfg.5
+homepage: https://github.com/Shopify/ecfg
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.3
+signing_key:
+specification_version: 4
+summary: Asymmetric keywise encryption for configuration
+test_files: []