ejson 0.2.2 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 45c8c29f86387553314be3e8738a55173944bdf1
-  data.tar.gz: 3353be24350564b401c3cfc631bd09d7ab98d1d1
+  metadata.gz: 9e7a3d4927ceae8e72ece8df8749391e2620d683
+  data.tar.gz: d3f5c4b1c24e2d73cde70f136f3a64c6ed0abb18
 SHA512:
-  metadata.gz: 52504a192b550a1d4391617b5695a87f14e974299db5760cb845f14612b36faf54e2087b0184ce7cf3556a7c5ec1d2d75ad569cc6ea18cc501c70b8a26d3145c
-  data.tar.gz: bb65c77a6500b0d550337e51fe7af6704c9c6c81b022e86dee2e968706100318427aea9f872895d0efc328bc38d4c3364299f1e496a8ddbce597dfbe2cd88904
+  metadata.gz: 8925b554189010a94fe8760c184c92ab3ab72771ef3cd217192f9a04067f4a650e086d3d3e9ed77c83e21f20ceb34fc63ef52d05965982e747706e3c72c7f490
+  data.tar.gz: 7b14d361b4e9b0398208205de262d9c360aeb82a6828e8e324ec0322258b18a2a3cb1a05544425c70d13f758c5ac421f2e3f6561e5903b95615efbc19339b391

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2014 Burke Libbey
+Copyright (c) 2014 Shopify
 
 MIT License
 

data/README.md

@@ -24,13 +24,21 @@ It can be arbitrarily nested.
 This updates `config/secrets.ejson` in place, encrypting any newly-added or
 modified values that are not yet encrypted. `ejson` is short-hand for `ejson encrypt`.
 
+By default, it uses a public key that you won't be able to decrypt (and
+shouldn't use because we *can* decrypt it!). You can use your own by following
+the "Custom keypair" directions below. Feel free to fork the gem to reference
+your own keypair by default.
+
 #### 3) Decrypt the file:
 
      ejson decrypt -k ~/.keys/ejson.priv.pem -p config/ejson.pub.pem secrets.production.ejson > secrets.production.json
+     # OR
+     ejson decrypt -i -k ~/.keys/ejson.priv.pem -p config/ejson.pub.pem secrets.production.ejson
 
 Unlike encrypt, decrypt doesn't update the file in-place; it prints the
 decrypted contents to stdout. It also requires access to the private key
-created in step 1.
+created in step 1. By default, the secrets will be decrypted to stdout,
+but passing the `-i` flag causes them to be overwritten to the input file.
 
 #### See `ejson help` for more information.
 
@@ -39,16 +47,15 @@ created in step 1.
 We use a single keypair internally; the default public key is fetched from S3
 on each run. However, you can generate your own keypair like so:
 
-    mkdir config && cd config
     openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
 
 `publickey.pem` and `privatekey.pem` are created. Move `privatekey.pem`
-somewhere more secure.
-
-    mkdir -p ~/.keys
-    mv config/privatekey.pem ~/.keys/ejson.pem
+somewhere more private, and move `publickey.pem` somewhere more public.
 
 Then you can encrypt like:
 
-    ejson encrypt -p config/publickey.pem secrets.ejson
+    ejson encrypt -p publickey.pem secrets.ejson
+
+If you'd like to fork the gem to reference your own public key, that
+information lives around line 10 of `lib/ejson/cli.rb`.
 

data/ejson.gemspec

@@ -5,7 +5,7 @@ require 'ejson/version'
 
 Gem::Specification.new do |spec|
   spec.name          = "ejson"
-  spec.version       = Ejson::VERSION
+  spec.version       = EJSON::VERSION
   spec.authors       = ["Burke Libbey"]
   spec.email         = ["burke.libbey@shopify.com"]
   spec.summary       = %q{Asymmetric keywise encryption for JSON}
@@ -19,4 +19,5 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "thor", "~> 0.18"
+  spec.add_development_dependency "rake", "~> 10.3.2"
 end

data/lib/ejson.rb

@@ -6,8 +6,8 @@ class EJSON
   extend Forwardable
   def_delegators :@encryption, :load_string, :dump_string
 
-  def initialize(public_key_file, private_key_file = nil)
-    @encryption = Encryption.new(public_key_file, private_key_file)
+  def initialize(public_key, private_key = nil)
+    @encryption = Encryption.new(public_key, private_key)
   end
 
   def load(json_text)

data/lib/ejson/cli.rb

@@ -12,10 +12,17 @@ class EJSON
     default_task :encrypt
 
     desc "decrypt [file]", "decrypt some data from file to stdout"
+    method_option :inplace, type: :boolean, default: false, aliases: "-i", desc: "Overwrite input file rather than dumping to stdout"
     def decrypt(file)
       ciphertext = File.read(file)
       ej = EJSON.new(pubkey, options[:privkey])
-      puts JSON.pretty_generate(ej.load(ciphertext).decrypt_all)
+      output = JSON.pretty_generate(ej.load(ciphertext).decrypt_all)
+      if options[:inplace]
+        File.open(file, "w") { |f| f.puts output }
+        puts "Wrote #{output.size} bytes to #{file}"
+      else
+        puts output
+      end
     rescue EJSON::Encryption::PrivateKeyMissing => e
       fatal("can't decrypt data without private key (specify path with -k)", e)
     rescue EJSON::Encryption::ExpectedEncryptedString => e
@@ -41,6 +48,7 @@ class EJSON
 
     desc "version", "show version information"
     def version
+      require 'ejson/version'
       puts "ejson version #{EJSON::VERSION}"
     end
 

data/lib/ejson/encryption.rb

@@ -7,10 +7,10 @@ class EJSON
     PrivateKeyMissing = Class.new(StandardError)
     ExpectedEncryptedString = Class.new(StandardError)
 
-    def initialize(public_key_file, private_key_file)
-      @public_key_x509 = load_public_key(public_key_file)
-      if private_key_file
-        @private_key_rsa = load_private_key(private_key_file)
+    def initialize(public_key, private_key)
+      @public_key_x509 = load_public_key(public_key)
+      if private_key
+        @private_key_rsa = load_private_key(private_key)
       end
     end
 
@@ -47,15 +47,16 @@ class EJSON
       pkcs7.decrypt(@private_key_rsa, @public_key_x509)
     end
 
-    def load_public_key(public_key_file)
-      public_key_pem = File.read(public_key_file)
-      OpenSSL::X509::Certificate.new(public_key_pem)
+    def load_public_key(public_key)
+      OpenSSL::X509::Certificate.new(get_pem(public_key))
     end
 
-    def load_private_key(private_key_file)
-      private_key_pem = File.read(private_key_file)
-      OpenSSL::PKey::RSA.new(private_key_pem)
+    def load_private_key(private_key)
+      OpenSSL::PKey::RSA.new(get_pem(private_key))
     end
 
+    def get_pem(string)
+      string =~ /^-----BEGIN/ ? string : File.read(string)
+    end
   end
 end

data/lib/ejson/version.rb

@@ -1,3 +1,3 @@
-class Ejson
-  VERSION = "0.2.2"
+class EJSON
+  VERSION = "0.3.0"
 end

data/test/ejson_test.rb

@@ -6,7 +6,7 @@ require 'ejson/cli'
 class CLITest < Minitest::Unit::TestCase
 
   def test_ejson
-    f = Tempfile.create("encrypt")
+    f = Tempfile.new("encrypt")
 
     f.puts JSON.dump({a: "b"})
     f.close
@@ -33,8 +33,25 @@ class CLITest < Minitest::Unit::TestCase
     File.unlink(f.path)
   end
 
+  def test_inplace
+    f = Tempfile.new("encrypt")
+
+    f.puts JSON.dump({a: "b"})
+    f.close
+
+    runcli "encrypt", "-p", pubkey, f.path
+    encrypted = JSON.load(File.read(f.path))
+    assert_match(/\AENC\[MIIB.*\]\z/, encrypted["a"])
+
+    runcli "decrypt", "-i", "-p", pubkey, "-k", privkey, f.path
+    decrypted = JSON.load(File.read(f.path))
+    refute_match(/\AENC\[MIIB.*\]\z/, decrypted["a"])
+  ensure
+    File.unlink(f.path)
+  end
+
   def test_default_key_exists
-    f = Tempfile.create("encrypt")
+    f = Tempfile.new("encrypt")
 
     f.puts JSON.dump({a: "b"})
     f.close
@@ -50,7 +67,7 @@ class CLITest < Minitest::Unit::TestCase
   end
 
   def test_library_is_picky
-    f = Tempfile.create("decrypt")
+    f = Tempfile.new("decrypt")
     f.puts JSON.dump({a: "b"})
     f.close
     assert_raises(EJSON::Encryption::ExpectedEncryptedString) {
@@ -60,6 +77,16 @@ class CLITest < Minitest::Unit::TestCase
     File.unlink(f.path)
   end
 
+  def test_key_strings
+    public_key = File.read(pubkey)
+    private_key = File.read(privkey)
+
+    @enc = EJSON::Encryption.new(public_key, private_key)
+
+    assert_equal public_key, @enc.instance_variable_get(:@public_key_x509).to_s
+    assert_equal private_key, @enc.instance_variable_get(:@private_key_rsa).to_s
+  end
+
   private
 
   def encrypt(path)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ejson
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
 platform: ruby
 authors:
 - Burke Libbey
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-04-15 00:00:00.000000000 Z
+date: 2014-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.18'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 10.3.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 10.3.2
 description: Secret management by encrypting values in a JSON hash with a public/private
   keypair
 email:
@@ -67,7 +81,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.0
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Asymmetric keywise encryption for JSON
@@ -75,4 +89,3 @@ test_files:
 - test/ejson_test.rb
 - test/privatekey.pem
 - test/publickey.pem
-has_rdoc: