ejson 0.2.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 45c8c29f86387553314be3e8738a55173944bdf1
+  data.tar.gz: 3353be24350564b401c3cfc631bd09d7ab98d1d1
+SHA512:
+  metadata.gz: 52504a192b550a1d4391617b5695a87f14e974299db5760cb845f14612b36faf54e2087b0184ce7cf3556a7c5ec1d2d75ad569cc6ea18cc501c70b8a26d3145c
+  data.tar.gz: bb65c77a6500b0d550337e51fe7af6704c9c6c81b022e86dee2e968706100318427aea9f872895d0efc328bc38d4c3364299f1e496a8ddbce597dfbe2cd88904

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in ejson.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Burke Libbey
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,54 @@
+# EJSON
+
+EJSON is a small library to manage encrypted secrets using PKCS7 (asymmetric)
+encryption. It provides a simple command interface to manage and update secrets
+in a JSON file where keys are cleartext and values are encrypted.
+
+## Installation
+
+It's on rubygems. Just `gem install ejson` or add it to your `Gemfile`.
+
+## Usage
+
+#### 1) Create a `secrets.ejson`:
+
+    echo '{"a": "b"}' > config/secrets.production.ejson
+
+Keys in this file will remain in cleartext, while values will all be encrypted.
+It can be arbitrarily nested.
+
+#### 2) Encrypt the file:
+
+    ejson
+
+This updates `config/secrets.ejson` in place, encrypting any newly-added or
+modified values that are not yet encrypted. `ejson` is short-hand for `ejson encrypt`.
+
+#### 3) Decrypt the file:
+
+     ejson decrypt -k ~/.keys/ejson.priv.pem -p config/ejson.pub.pem secrets.production.ejson > secrets.production.json
+
+Unlike encrypt, decrypt doesn't update the file in-place; it prints the
+decrypted contents to stdout. It also requires access to the private key
+created in step 1.
+
+#### See `ejson help` for more information.
+
+## Custom keypair:
+
+We use a single keypair internally; the default public key is fetched from S3
+on each run. However, you can generate your own keypair like so:
+
+    mkdir config && cd config
+    openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
+
+`publickey.pem` and `privatekey.pem` are created. Move `privatekey.pem`
+somewhere more secure.
+
+    mkdir -p ~/.keys
+    mv config/privatekey.pem ~/.keys/ejson.pem
+
+Then you can encrypt like:
+
+    ejson encrypt -p config/publickey.pem secrets.ejson
+

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+
+task default: :test
+
+task :test do
+  exec "ruby -I./lib test/ejson_test.rb"
+end

data/bin/ejson

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+require 'ejson/cli'
+EJSON::CLI.start

data/ejson.gemspec

@@ -0,0 +1,22 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'ejson/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "ejson"
+  spec.version       = Ejson::VERSION
+  spec.authors       = ["Burke Libbey"]
+  spec.email         = ["burke.libbey@shopify.com"]
+  spec.summary       = %q{Asymmetric keywise encryption for JSON}
+  spec.description   = %q{Secret management by encrypting values in a JSON hash with a public/private keypair}
+  spec.homepage      = "https://github.com/Shopify/ejson"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "thor", "~> 0.18"
+end

data/lib/ejson.rb

@@ -0,0 +1,60 @@
+require 'json'
+require 'forwardable'
+require 'ejson/encryption'
+
+class EJSON
+  extend Forwardable
+  def_delegators :@encryption, :load_string, :dump_string
+
+  def initialize(public_key_file, private_key_file = nil)
+    @encryption = Encryption.new(public_key_file, private_key_file)
+  end
+
+  def load(json_text)
+    Data.new(JSON.load(json_text), @encryption)
+  end
+
+  class Data
+    extend Forwardable
+    def_delegators :@data, :[]=
+
+    attr_reader :encryption
+    def initialize(data, encryption)
+      @data, @encryption = data, encryption
+    end
+
+    def dump
+      JSON.pretty_generate(encrypt_all(@data))
+    end
+
+    def encrypt_all(data=@data)
+      case data
+      when Hash
+        Hash[ data.map { |k,v| [k, encrypt_all(v)] } ]
+      when Array
+        data.map { |d| encrypt_all(d) }
+      when String
+        encryption.dump(data)
+      else
+        data
+      end
+    end
+
+    def decrypt_all(data=@data)
+      case data
+      when Hash
+        Hash[ data.map { |k,v| [k, decrypt_all(v)] } ]
+      when Array
+        data.map { |d| decrypt_all(d) }
+      when String
+        encryption.load(data)
+      else
+        data
+      end
+    end
+
+  end
+
+end
+
+

data/lib/ejson/cli.rb

@@ -0,0 +1,86 @@
+require 'thor'
+require 'json'
+require 'ejson'
+require 'net/http'
+
+class EJSON
+
+  class CLI < Thor
+    class_option "privkey", type: :string, aliases: "-k", desc: "Path to PKCS7 private key in PEM format"
+    class_option "pubkey",  type: :string, aliases: "-p", desc: "Path or URL to PKCS7 public key in PEM format",  default: "https://s3.amazonaws.com/shopify-ops/ejson-publickey.pem"
+
+    default_task :encrypt
+
+    desc "decrypt [file]", "decrypt some data from file to stdout"
+    def decrypt(file)
+      ciphertext = File.read(file)
+      ej = EJSON.new(pubkey, options[:privkey])
+      puts JSON.pretty_generate(ej.load(ciphertext).decrypt_all)
+    rescue EJSON::Encryption::PrivateKeyMissing => e
+      fatal("can't decrypt data without private key (specify path with -k)", e)
+    rescue EJSON::Encryption::ExpectedEncryptedString => e
+      fatal("can't decrypt data with cleartext strings (use ejson recrypt first)", e)
+    end
+
+    desc "encrypt [file=**/*.ejson]", "encrypt an ejson file in place (encrypt any unencrypted values)"
+    def encrypt(file="**/*.ejson")
+      ej = EJSON.new(pubkey)
+      fpaths = Dir.glob(file)
+      if fpaths.empty?
+        fatal("no ejson files found!", nil)
+      end
+      fpaths.each do |fpath|
+        data = ej.load(File.read(fpath))
+        dump = data.dump
+        File.open(fpath, "w") { |f| f.puts dump }
+        puts "Wrote #{dump.size+1} bytes to #{fpath}"
+      end
+    rescue OpenSSL::X509::CertificateError => e
+      fatal("invalid certificate", e)
+    end
+
+    desc "version", "show version information"
+    def version
+      puts "ejson version #{EJSON::VERSION}"
+    end
+
+    private
+
+    def fatal(str, err=str)
+      raise err if defined?(Minitest)
+      msg = $stderr.tty? ? "\x1b[31m#{str}\x1b[0m" : str
+      $stderr.puts msg
+      exit 1
+    end
+
+    def get_input(file)
+      return File.read(file) if file
+      $stdin.read
+    end
+
+    def pubkey
+      @pubkey ||= _pubkey
+    end
+
+    def _pubkey
+      if options[:pubkey] =~ %r{https://}
+        uri = URI.parse(options[:pubkey])
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        req = Net::HTTP::Get.new(URI.parse(options[:pubkey]).request_uri)
+        resp = http.request(req)
+        resp.value # raises on code >399
+        f = Tempfile.new("pubkey")
+        f.write resp.body
+        f.close
+        at_exit { f.unlink }
+        f.path
+      else
+        options[:pubkey]
+      end
+    end
+
+  end
+end
+

data/lib/ejson/encryption.rb

@@ -0,0 +1,61 @@
+require 'openssl'
+require 'base64'
+
+class EJSON
+
+  class Encryption
+    PrivateKeyMissing = Class.new(StandardError)
+    ExpectedEncryptedString = Class.new(StandardError)
+
+    def initialize(public_key_file, private_key_file)
+      @public_key_x509 = load_public_key(public_key_file)
+      if private_key_file
+        @private_key_rsa = load_private_key(private_key_file)
+      end
+    end
+
+    ENCRYPTED = /\AENC\[(.*)\]\n*\z/m
+
+    def load(str)
+      if str =~ ENCRYPTED
+        decrypt_string($1)
+      else
+        raise ExpectedEncryptedString
+      end
+    end
+
+    def dump(str)
+      if str =~ ENCRYPTED
+        str
+      else
+        "ENC[#{encrypt_string(str)}]"
+      end
+    end
+
+    private
+
+    def encrypt_string(plaintext)
+      cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+      bin = OpenSSL::PKCS7.encrypt([@public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+      Base64.encode64(bin).tr("\n",'')
+    end
+
+    def decrypt_string(ciphertext)
+      raise PrivateKeyMissing unless @private_key_rsa
+      bin = Base64.decode64(ciphertext)
+      pkcs7 = OpenSSL::PKCS7.new(bin)
+      pkcs7.decrypt(@private_key_rsa, @public_key_x509)
+    end
+
+    def load_public_key(public_key_file)
+      public_key_pem = File.read(public_key_file)
+      OpenSSL::X509::Certificate.new(public_key_pem)
+    end
+
+    def load_private_key(private_key_file)
+      private_key_pem = File.read(private_key_file)
+      OpenSSL::PKey::RSA.new(private_key_pem)
+    end
+
+  end
+end

data/lib/ejson/version.rb

@@ -0,0 +1,3 @@
+class Ejson
+  VERSION = "0.2.2"
+end

data/test/ejson_test.rb

@@ -0,0 +1,85 @@
+require 'minitest/autorun'
+require 'tempfile'
+
+require 'ejson/cli'
+
+class CLITest < Minitest::Unit::TestCase
+
+  def test_ejson
+    f = Tempfile.create("encrypt")
+
+    f.puts JSON.dump({a: "b"})
+    f.close
+
+    encrypt f.path
+
+    first_run = JSON.load(File.read(f.path))
+    assert_match(/\AENC\[MIIB.*\]\z/, first_run["a"])
+
+    File.open(f.path, "w") { |f2|
+      f2.puts JSON.dump(first_run.merge({new_key: "new_value"}))
+    }
+
+    encrypt f.path
+
+    second_run = JSON.load(File.read(f.path))
+
+    assert_equal first_run["a"], second_run["a"]
+    assert_match(/\AENC\[MIIB.*\]\z/, second_run["new_key"])
+
+    val = JSON.parse(decrypt(f.path))
+    assert_equal({"a" => "b", "new_key" => "new_value"}, val)
+  ensure
+    File.unlink(f.path)
+  end
+
+  def test_default_key_exists
+    f = Tempfile.create("encrypt")
+
+    f.puts JSON.dump({a: "b"})
+    f.close
+
+    runcli "encrypt", f.path # no pubkey specified
+
+    first_run = JSON.load(File.read(f.path))
+    # We don't have the decryption key to this, and it may change over time,
+    # so just make sure it was encrypted.
+    assert_match(/\AENC\[MIIB.*\]\z/, first_run["a"])
+  ensure
+    File.unlink(f.path)
+  end
+
+  def test_library_is_picky
+    f = Tempfile.create("decrypt")
+    f.puts JSON.dump({a: "b"})
+    f.close
+    assert_raises(EJSON::Encryption::ExpectedEncryptedString) {
+      decrypt(f.path)
+    }
+  ensure
+    File.unlink(f.path)
+  end
+
+  private
+
+  def encrypt(path)
+    runcli "encrypt", "-p", pubkey, path
+  end
+
+  def decrypt(path)
+    runcli "decrypt", "-p", pubkey, "-k", privkey, path
+  end
+
+  def runcli(*args)
+    sio = StringIO.new
+    _stdout, $stdout = $stdout, sio
+    EJSON::CLI.start(args)
+    sio.string.chomp
+  ensure
+    $stdout = _stdout
+  end
+
+  def pubkey  ; File.expand_path("../publickey.pem", __FILE__); end
+  def privkey ; File.expand_path("../privatekey.pem", __FILE__); end
+
+end

data/test/privatekey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAunMnKCNM9NRDvaANZ3wSBTM7EA4fl3ix/QjwCp3k118n7+Jf
+1DpdBAjqbx0jWVUZHjKan4t4ZHkCTKW4BXGzdEWVkFebYtYdxCm9DAiHFV53RscI
+gVmzrxxpC8Lxa7RApam1iGPK7TXXlkMe+2d3Jij1hZdCHCYT48/DDBRtIEcXCZRg
+nFkoSuvGbGwMBCxVhLTnvveIF5IgBV3la3vPJFfY62Hafuinpsy/hL4108pbrQcq
+oiyb3OgflTe6JrBmA29qqWoCLAW+6XRgcHsOUfTYiBx6XFHQ42SfzQhu+FY57a38
+Q3TkZLOb6abE6t5lsBqnJoE+dL/2WjLkhxQ/jQIDAQABAoIBAErqjBg/nuNdCt79
+mYU0QBVg0WGRGzaEo5fVaIYLjXDQZj6oCfM/hDJj1rbQ0WxKmi4dDS4AH17XlInx
+qHBfkEiu0PrPiLr857bzQme8YXK/o1OIE63NujopQzgbm1+4bKVj/HISDu6jTL2u
+uJsxpplpqcWE0mZ3ElTeHTQUXQizdz12DPn5vgXvtVS0yFFBErE7aAKorRRFoLPq
+OcajLIMODMo6huUAJW7uYR6PT6uwbt3Phc+VLQtdXpCCfLtDJK427G/5uJ/2vnY/
+rLVWConeNZcUDWRuc34agiXA4yjErXdKXJ/yiEdz2pKtAerf+N9VCoIBLBala3oL
+2BeMYY0CgYEA848omruvavfp4dJimdEHj0yTsFFggGHefoJWHG8Cvgyv9avISiAk
+T5gB01pSjpTTGL+Ba2aeSPKgKZcGNjp/F5xzeZzuP2tMxT8bs2FR3y9tGmLnhvF8
+JkKtlHilrGLt4pWh9eF+jiLDDmJE1N3fCU8TtIva+a/M60ZORA5ZSrcCgYEAw/k3
+sJs72xhUhjrNdpzww5dpHYxmoOxhCTyKG1H0r4sQ0Jv9w4K3mrphp/WRygA2LylO
+iCEc+56JJ6l4A6rdSFyV+YRtcdU7TKi9sarMDVBttqWsDkr/bnIIHE+QQhsScEBH
+e7rHE+1NP5rPfDB7ibBJ3QCOCpjHbkhUGAZIU9sCgYBa176RWAepoiY98DaOoIRt
+UmaTkQapW9ec4Ag2OsGPGTRYMWZXH33rogqsRjgcri2+QU+IO5I2KyjJ2maau17D
+87quVXYXeXH87/jpAxeCYzIScWlhz5g6vQv5ILbKgWuw45axGxYU9apDJyv9KXQT
+CMeUw8U88/E+n855W9C6KQKBgGtfKU7+zl2tR+o/X4FEXXmchIAnA7fZqxTHcZek
+YJ6pX+4b+X5cKUKCKa0/k8AMO6O9SwS0t894vgbYCCRiQlk6OQV7tAcxYAsRTNWC
+Ecidr27p+IngN3EI0z7HrO87K/AKl9/HpvlZBAD8Tf/qBFWdG+sVOb2+lU3sHP8I
+uioPAoGAVWyvmQsABl3ydPrvVl4zk3AHm3Bnouy1vM1RchQzXp6OD/u5mNGJ37Ks
+zIgipj/z9xf4J3ii5w0Qnxusq9Zy/6xKO1pgIEhiJUAYcm5jHGC51n7Y+d1NUPe1
+gnJAzuwmvbefN800tmZJtWv7dWSc7whoFsdR1rNwrlZXUoNJzPk=
+-----END RSA PRIVATE KEY-----

data/test/publickey.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc6gAwIBAgIJAKY1nRwN7afeMA0GCSqGSIb3DQEBBQUAMAAwIBcNMTQw
+MzE0MTc1ODQzWhgPMjI4NzEyMjgxNzU4NDNaMAAwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC6cycoI0z01EO9oA1nfBIFMzsQDh+XeLH9CPAKneTXXyfv
+4l/UOl0ECOpvHSNZVRkeMpqfi3hkeQJMpbgFcbN0RZWQV5ti1h3EKb0MCIcVXndG
+xwiBWbOvHGkLwvFrtEClqbWIY8rtNdeWQx77Z3cmKPWFl0IcJhPjz8MMFG0gRxcJ
+lGCcWShK68ZsbAwELFWEtOe+94gXkiAFXeVre88kV9jrYdp+6KemzL+EvjXTylut
+ByqiLJvc6B+VN7omsGYDb2qpagIsBb7pdGBwew5R9NiIHHpcUdDjZJ/NCG74Vjnt
+rfxDdORks5vppsTq3mWwGqcmgT50v/ZaMuSHFD+NAgMBAAGjYTBfMB0GA1UdDgQW
+BBTzh5Sf8+voPm2ZI6iHFQ+gItYb6zAwBgNVHSMEKTAngBTzh5Sf8+voPm2ZI6iH
+FQ+gItYb66EEpAIwAIIJAKY1nRwN7afeMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN
+AQEFBQADggEBACr61pBSpsz931OUztFcDjm07u+vatM5XE5qAH18BZeKbXzCRz4j
+9cAEYIYrtBdJZj3RLDzKB3Hn38BeuXebb4UlbzPJwIj1klHKH90Nwl84XWBCJqPX
+rsGv7C5EOLAR1w/hxT+K2JC2LDJz9hkuDU1hjX1MeRpnJwXzPbHBQvgYb4lIgaOb
+ikSlcTpkdG5fGafanyZwxDeQsy4tHAUP/jRQ4/Xzkzp0GzuX+v9d+2FXJLyoh6vJ
+Fze3kL1+RH13Fn5NkdTAHpkX9AX0BuLKWslY3I/lusn3x9kPxVQTmTF2WQTVdKDg
+FDvqWYvyLcuiWcfNUdy3EOpKLBKyyan3DZ8=
+-----END CERTIFICATE-----

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification
+name: ejson
+version: !ruby/object:Gem::Version
+  version: 0.2.2
+platform: ruby
+authors:
+- Burke Libbey
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-04-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.18'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.18'
+description: Secret management by encrypting values in a JSON hash with a public/private
+  keypair
+email:
+- burke.libbey@shopify.com
+executables:
+- ejson
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/ejson
+- ejson.gemspec
+- lib/ejson.rb
+- lib/ejson/cli.rb
+- lib/ejson/encryption.rb
+- lib/ejson/version.rb
+- test/ejson_test.rb
+- test/privatekey.pem
+- test/publickey.pem
+homepage: https://github.com/Shopify/ejson
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.0
+signing_key: 
+specification_version: 4
+summary: Asymmetric keywise encryption for JSON
+test_files:
+- test/ejson_test.rb
+- test/privatekey.pem
+- test/publickey.pem
+has_rdoc: