encipher 0.0.1a

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 2960852e4181fe772df6e890cb788745f1b024b7
+  data.tar.gz: 616cfc3a33a901aea4a816ab5f45c3705c69e8e4
+SHA512:
+  metadata.gz: 82ab87765e53556bfd026d5a9ee40dfa3b86a391f5773c5462104b6052527d9c92972f3301fceee6d0d6a2deec4eaa2d619cf176df8f6d694ab728e6276e5d52
+  data.tar.gz: 1c10702862f9fc8eb685b37d0c8e34048446231df372cd21df1f756258817586f29a5779f86f3f880f1176940a637d204b5061e3f7e91aca501e812775816ea1

data/.env

@@ -0,0 +1,5 @@
+TEST_KEY: asdfkasdf;lkajsdf;lkajsdf;lkasjdf;laksdjf
+TEST_SECRET: 98hw7fh87yf9ba8sd7f
+
+TEST_KEY2: asdfkasdf;lkajsdf;lkajsdf;lkasjdf;laksdjf
+TEST_SECRET2: 98hw7fh87yf9ba8sd7f

data/.gitignore

@@ -0,0 +1,25 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.DS_Store*
+.encipher
+developers.yml

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm: 2.1.2
+cache: bundler
+before_script:
+  - bundle exec clint --lint lib --warn
+  - bundle exec rspec

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in encipher.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Joey Lorich
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,97 @@
+# Encipher
+
+An RSA ssh-key encryption based configuration storage solution. 
+
+Keeping configuration information in the environment is one of the tenants of a [twelve-factor app](http://12factor.net/config), however configuring each server individually can be time consuming and when configuration information needs to change often lots of work must be done.
+
+Encipher provides a method to simplify this situation by keeping enviroment and user restricted, public-key encrypted, secrets right in the repository.  On application load Encipher decrepts the secrets for the appropriate environment using a private key held on the server and stores them in memory.
+
+####Really? Secrets in the repository?
+
+Yes.  In general, secret information should not be kept in a source repository.  Each developer with permission to clone a repository should not necessarily have permission to deploy or edit configuration information. However, all Encipher-kept secrets are only decryptable by a user with a valid, enrolled, private key that has had a certain environments secrets enabled by an authorized user.
+
+####How it works
+Each encipher user and server has a public ssh key enrolled by another authroized user for a given environment (the initial secrets database creation enrolls the first user).  The enrolled user's public key is then stored for future use.  When a secret is added or modified, an entry is created and encrypted with each enrolled key.  Each user can *only* decrypt secrets encrypted with their public key, so limiting a key's access to a certain set of secrets is easy.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'encipher', git: git://github.com/jlorich/encipher.git
+
+And then execute:
+
+    $ bundle
+
+
+## Environment-based restrictions
+All actions are by default segregated by encipher-environment.  Each key must be enrolled in each environment to be able to read or set secrets for it. The enviorment is by default `:development`, but may be set by specifiying the `ENCIPHER_ENV` enviornment variable. The enviornment may also be set in code by calling `Encipher.env = :my_env`.
+
+All secrets set will only be encrypted for keys enrolled in the given environment.
+
+
+## Command line usage
+
+Initialize encipher with your desired private key (this location will be cached in the .encipher file)
+
+    encipher init
+
+You can also specify the key path with 
+
+    encipher init /path/to/your/private_key
+
+#####Enroll yourself.  Your public key will be auto-generated from the private key used with encipher init.
+
+    encipher enroll
+
+#####Enroll a new user or servers key
+
+    encipher enroll ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCvRm/KvZy8iDyDgjokMMMMUz8UK84OlBGbeeo6VT8UZc6e8E1xUNfFCNp6xUQMO8N+vpqxlOr3haAXn6sdHCnMb8BpWYwq0Un19WaToTiv/15tRvZzkQw9KPu/TjBy8OaSjNAAxo5rWkJbDc0K4WdBtDJ4uk3i+UmxpYXhOtC9eCLgMdxZ6xIWuP0ymyYe/SZSdupeKblaehYyFEb2NKTVbvnbef79ZogJG7IlWFYS+qaqk+xFZIRYEX3yLIijF/WvLmZw2NVurb8rhnNLNDI3v+Gy+bw0sitZKvX5MWunpmykFY8/5YnWuEA1AJGaexC/1EWXUzVN6o2my4Aqlwz
+
+#####To store a secret:
+
+    encipher set "secret name" "this is really cool"
+
+#####To retreive a secret:
+
+    encipher get "secret name"
+
+#####To list all enrolled secrets:
+
+    encipher list
+
+## Easy Editing
+For ease of editing, Encipher also provides the `edit` command line option.
+
+    encipher edit
+
+Calling `edit` will launch an external editor (specified by the `EDITOR` environment variable, and by default `vi` on most systems) populated with the entire secrets hash in [YAML](http://www.yaml.org/) for the current environment.  Once saved, all specified secrets will be re-encrypted for all appropriately enrolled keys and the tempfile used for editing will be destroyed.
+
+## Programmatic usage
+
+##### Configuration
+Each application can be configured as follows:
+
+    Encipher.configure do |config|
+      config.keypath = '~/.ssh/my_server_key'
+      config.env = :staging
+    end
+
+##### Secrets
+
+All secrets are accessabile by calling
+
+    Encipher.secrets
+    
+This returns a [Recursive OpenStruct](https://github.com/aetherknight/recursive-open-struct) (a hash deeply accessible by string, symbol, or dot notation) containing all secrets information for the specified environment.  Once loaded the information is cached in-memory so all subsequent calls to `secrets` won't need to re-decrypt each secret.
+
+If secrets reloading is desired `Encipher.reload` can be called, or `Encipher.secrets(reload: true)` can be referenced to force reloading.
+
+## Contributing
+
+1. Fork it ( https://github.com/jlorich/encipher/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/bin/encipher

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'encipher/cli/cli'
+
+Encipher::Cli::Cli.start(ARGV)

data/config/rubocop.yml

@@ -0,0 +1,47 @@
+Documentation:
+  Enabled: false
+
+EmptyLinesAroundBody:
+  Enabled: false
+
+LineLength:
+  Max: 120
+  Exclude: 
+
+ClassLength:
+  Enabled: true
+  CountComments: false
+  Max: 150
+
+MethodLength:
+  Enabled: false
+
+WhileUntilModifier:
+  Enabled: false
+
+ClassAndModuleChildren:
+  Enabled: false
+
+Rails/ActionFilter:
+  Enabled: false
+
+Rails/DefaultScope:
+  Enabled: false
+
+Rails/HasAndBelongsToMany:
+  Enabled: false
+
+Rails/Output:
+  Enabled: false
+
+Rails/ReadWriteAttribute:
+  Enabled: false
+
+Rails/ScopeArgs:
+   Enabled: false
+
+Rails/Validation:
+  Enabled: false
+
+Rails/Delegate:
+  Enabled: false

data/encipher.gemspec

@@ -0,0 +1,40 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'encipher/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "encipher"
+  spec.version       = Encipher::VERSION
+  spec.authors       = ["Joey Lorich"]
+  spec.email         = ["joseph@lorich.me"]
+  spec.summary       = %q{Secure secrets management}
+  spec.description   = %q{Secure secrets management description!}
+  spec.homepage      = ""
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.6"
+  spec.add_development_dependency 'rake', '~> 10.3.2'
+  spec.add_development_dependency 'pry-byebug', '~> 1.3.3'
+  spec.add_development_dependency 'rspec', '~> 3.0.0'
+  spec.add_development_dependency 'clint_eastwood', '~> 0.0.1'
+
+  spec.add_dependency 'thor', '~> 0.19.1'
+  spec.add_dependency 'highline', '~> 1.6.21'
+  spec.add_dependency 'deep_merge', '~> 1.0.1'
+  spec.add_dependency 'net-ssh', '~> 2.9.1'
+  spec.add_dependency 'sqlite3', '~> 1.3.9'
+  spec.add_dependency 'data_mapper', '~> 1.2.0'
+  spec.add_dependency 'dm-sqlite-adapter', '~> 1.2.0'
+  spec.add_dependency 'dot_configure', '~> 0.0.1'
+  spec.add_dependency 'exedit', '~> 0.0.2'
+  spec.add_dependency 'awesome_print', '~> 1.2.0'
+  spec.add_dependency 'recursive-open-struct', '~> 0.5.0'
+
+  spec.executables = ['encipher']
+end

data/lib/encipher.rb

@@ -0,0 +1,14 @@
+require 'encipher/version'
+require 'encipher/security'
+require 'encipher/vault'
+require 'encipher/environment'
+require 'encipher/models/secret'
+require 'encipher/models/user'
+require 'encipher/encipher'
+
+require 'sqlite3'
+require 'rubygems'
+require 'base64'
+require 'data_mapper'
+require 'net/ssh'
+require 'pry'

data/lib/encipher/cli/base.rb

@@ -0,0 +1,41 @@
+require 'thor'
+require 'yaml'
+require 'ostruct'
+require 'encipher/vault'
+require 'encipher/environment'
+
+module Encipher
+  module Cli
+
+    # Base CLI commands
+    class Base < Thor
+      protected
+
+      # Loads and configures encipher
+      def environment
+        return @environment if defined? @environment
+
+        @environment = Encipher::Environment.new(config.key_path)
+      end
+
+      def vault
+        return @vault if defined? @vault
+
+        @vault = Encipher::Vault.new(config.key_path)
+      end
+
+      # Loads and returns the config file (memoized)
+      def config
+        return @config if defined? @config
+
+        config_path = File.expand_path './.encipher'
+
+        unless File.exist? config_path
+          fail 'You must run encipher init before running'
+        end
+
+        @config = OpenStruct.new YAML.load(File.read(config_path))
+      end
+    end
+  end
+end

data/lib/encipher/cli/cli.rb

@@ -0,0 +1,86 @@
+require 'encipher/cli/base'
+require 'encipher/cli/convert'
+require 'exedit'
+require 'json'
+require 'awesome_print'
+require 'pry'
+
+module Encipher
+  module Cli
+    # Encipher command line interface
+    class Cli < Base
+      desc 'get [key]', 'Returns an unencrypted value'
+      def get(key)
+        puts environment.get key
+      end
+
+      desc 'set [key] [value]', 'Set an encrypted value'
+      def set(key, value)
+        environment.set key, value
+      end
+
+      desc 'list', 'Lists all secrets for the current environment'
+      def list
+        puts environment.list
+      end
+
+      desc 'edit', 'Edit all secrets in an external editor'
+      def edit
+        result = Exedit.edit environment.hash.to_yaml
+
+        environment.hash = YAML.load(result)
+      end
+
+      desc 'keys', 'Lists all enrolled keys'
+      def keys
+        environment.user_hash.each do |id, ssh_key|
+          wrapped = wrap(ssh_key, 70)
+
+          if wrapped.count > 1
+            puts "#{id.to_s.rjust(10)} - #{wrapped.shift}"
+
+            wrapped.each do |string|
+              puts "             #{string}"
+            end
+          else
+            puts puts "#{id} - #{ssh_key}"
+          end
+        end
+      end
+
+      desc 'convert [type]', 'Converts various password stores to encipher'
+      subcommand 'convert', Convert
+
+      desc 'init', 'loads they key at the given keypath'
+      def init(key_path = '~/.ssh/id_rsa')
+        key_path = File.expand_path key_path
+        config_path = File.expand_path './.encipher'
+
+        fail '.encipher file already exists' if File.exist? config_path
+        fail 'Specified key path does not exist' unless File.exist? key_path
+
+        File.open(config_path, 'w') do |file|
+          file.write({ key_path: key_path }.to_yaml)
+        end
+
+        puts 'Encipher is ready for use'
+      end
+
+      desc 'enroll', 'Enrolls a new public key'
+      def enroll(key = nil)
+        vault.enroll(key)
+      end
+
+      desc 'revoke', 'Destroys a user and all their secrets'
+      def revoke(user_id)
+        vault.revoke(user_id)
+      end
+
+      protected
+
+      def wrap(string, width)
+        string.chars.each_slice(width).map(&:join)
+      end
+    end
+  end
+end

data/lib/encipher/cli/convert.rb

@@ -0,0 +1,26 @@
+require 'encipher/cli/base'
+
+module Encipher
+  module Cli
+    # Encipher conversions
+    class Convert < Base
+      # desc 'dotenv', 'Loads a .env file to secrets.db'
+      # def dotenv(path='./.env')
+      #   path = File.expand_path path
+
+      #   if !File.exist? path
+      #     fail Exception.new 'A valid .env file must exist'
+      #   end
+
+      #   loader = Dotenv.new(path, encipher)
+      #   loader.store
+
+      #   if loader.secrets.count == 0
+      #     puts 'No secrets stored'
+      #   else
+      #     puts "#{loader.secrets.count} secrets loaded"
+      #   end
+      # end
+    end
+  end
+end

data/lib/encipher/dotenv.rb

@@ -0,0 +1,20 @@
+# Encipher
+module Encipher
+  # Dotenv parser
+  class Dotenv
+    def initialize(path, encipher)
+      @dotenv = YAML.load(File.read(path))
+      @encipher = encipher
+    end
+
+    def secrets
+      @dotenv
+    end
+
+    def store
+      @dotenv.each do |name, secret|
+        @encipher.store name, secret
+      end
+    end
+  end
+end

data/lib/encipher/encipher.rb

@@ -0,0 +1,42 @@
+require 'dot_configure'
+require 'recursive-open-struct'
+
+# Encipher secrets storage
+module Encipher
+  extend DotConfigure
+
+  # Requires a key or array of keys to be present, otherwise throw an exception
+  def self.require(keys)
+    [*keys].each do |key|
+      fail "Encipher key (#{key}) not found" unless secrets.keys.include? key.to_s
+    end
+  end
+
+  # Gets the current encipher environment
+  # Precedence: Manually set env, ENCIPHER_ENV environment variable, options env, default
+  def self.env
+    @env ||= if ENV['ENCIPHER_ENV']
+               ENV['ENCIPHER_ENV'].to_sym
+             else
+               (options.env ? options.env.to_sym : nil) || :development
+             end
+  end
+
+  # Manually set the encipher env
+  def self.env=(env)
+    @env = env.to_sym
+  end
+
+  # Loads, caches, and returns all available secrets
+  # @param reload [Boolean] Forces the secrets to reload
+  def self.secrets(reload: false)
+    return @secrets if @secrets && !reload
+    environment = Encipher::Environment.new(options.keypath)
+    @secrets = RecursiveOpenStruct.new(environment.hash)
+  end
+
+  # Forces a secrets reload
+  def self.reload
+    secrets(reload: true)
+  end
+end

data/lib/encipher/environment.rb

@@ -0,0 +1,73 @@
+require 'yaml'
+require 'encipher'
+require 'encipher/vault'
+require 'recursive-open-struct'
+
+module Encipher
+  # Enviornment variable storage
+  class Environment < Vault
+
+    # Store a new environment variable
+    def set(name, value)
+      require_user
+
+      # Delete all existing variables of that name
+      where(type: :env, name: name).map(&:destroy)
+
+      User.each do |user|
+        lock(Secret.new(
+          user: user,
+          unlocked_value: {
+            env: Encipher.env,
+            type: :env,
+            name: name,
+            value: value
+          }
+        )).save
+      end
+    end
+
+    def get(name)
+      require_user
+
+      env = unlock(where(type: :env, name: name).first).unlocked_value
+      env[:value]
+    end
+
+    def list
+      require_user
+      where(type: :env).map { |s| unlock(s).unlocked_value[:name] }
+    end
+
+    def hash
+      all.each_with_object({}) do |secret, result|
+        result[secret[:name]] = secret[:value]
+      end
+    end
+
+    def hash=(hash)
+      hash.each do |key, value|
+        set(key, value)
+      end
+    end
+
+    def user_hash
+      users.each_with_object({}) do |user, result|
+        key = OpenSSL::PKey::RSA.new(user.public_key)
+        type = key.ssh_type
+        data = [key.to_blob].pack('m0')
+        result[user.id] = "#{type} #{data}"
+      end
+    end
+
+    private
+
+    def users
+      User.all
+    end
+
+    def all
+      where(type: :env).map { |s| unlock(s).unlocked_value }
+    end
+  end
+end

data/lib/encipher/models/secret.rb

@@ -0,0 +1,32 @@
+require 'data_mapper'
+
+module Encipher
+  # An encipher secret
+  class Secret
+    include DataMapper::Resource
+
+    attr_accessor :unlocked_value
+    attr_accessor :locked
+
+    belongs_to :user
+
+    property :id,          Serial
+    property :value,       Text
+
+    def value=(v)
+      fail 'Secret must be unlocked to set the value' if locked
+
+      super v
+    end
+
+    def unlocked_value=(value)
+      @unlocked_value = value
+      @unlocked = true
+    end
+
+    def save
+      fail 'Cannot save an unlocked secret' unless locked
+      super
+    end
+  end
+end

data/lib/encipher/models/user.rb

@@ -0,0 +1,13 @@
+require 'data_mapper'
+
+module Encipher
+  # An encipher user
+  class User
+    include DataMapper::Resource
+
+    has n, :secrets
+
+    property :id,         Serial
+    property :public_key, Text
+  end
+end

data/lib/encipher/security.rb

@@ -0,0 +1,41 @@
+# Encipher
+module Encipher
+  # Handles key loading, encryption, and decryption
+  class Security
+
+    # Loads the private key
+    def initialize(private_key)
+      @private_key = Net::SSH::KeyFactory.load_private_key(private_key)
+    end
+
+    # Returns the pem public key associated with this security object
+    def public_key
+      require_key
+
+      @private_key.public_key.to_pem
+    end
+
+    # Encrypts a string of text with the given public key
+    def encrypt(string, public_key = nil)
+      require_key unless public_key
+
+      key =  OpenSSL::PKey::RSA.new(public_key || @private_key.public_key.to_pem)
+
+      Base64.encode64(key.public_encrypt(string))
+    end
+
+    # Decrypts a string of text with the current private key
+    def decrypt(string)
+      require_key
+
+      @private_key.private_decrypt(Base64.decode64(string))
+    end
+
+    private
+
+    # Raises an error if no private key has been loaded
+    def require_key
+      fail 'No private key loaded' unless @private_key
+    end
+  end
+end

data/lib/encipher/vault.rb

@@ -0,0 +1,123 @@
+require 'pry'
+require 'data_mapper'
+require 'encipher/security'
+require 'encipher/models/user'
+require 'encipher/models/secret'
+require 'net/ssh'
+require 'base64'
+require 'deep_merge'
+
+module Encipher
+  # The main encipher secrets storage entrypoint
+  class Vault
+    # Initalizes the database and loads the keys
+    def initialize(secret_key)
+      @secret_key = secret_key
+      initialize_database
+    end
+
+    # locks a secrets contents
+    def lock(secret)
+      secret.value = security.encrypt(secret.unlocked_value.to_yaml, secret.user.public_key)
+      secret.locked = true
+      secret
+    end
+
+    # unlocks a secrets contents
+    def unlock(secret)
+      secret.locked = false
+      secret.unlocked_value = YAML.load(security.decrypt(secret.value))
+      secret
+    end
+
+    def where(options)
+      require_user
+
+      [].tap do |r|
+        current_user.secrets.each do |secret|
+          contents = unlock(secret).unlocked_value
+          r << secret if compare(contents, { env: Encipher.env }.deep_merge(options))
+        end
+      end
+    end
+
+    # checks if the keys/values in options are included in ojbect
+    def compare(object, options)
+      options.keys.each do |key|
+        return false unless object[key] == options[key]
+      end
+
+      true
+    end
+
+    # Enroll a new user's key or the current users
+    def enroll(key = nil, path: nil)
+      fail 'Must specify key OR path, not both' unless (!!key ^ !!path) || !(key || path)
+
+      if path
+        fail 'Bad key path' unless File.exist? File.expand_path(path)
+        data = File.read(File.expand_path path)
+        key =  Net::SSH::KeyFactory.load_data_public_key(data).to_pem
+      elsif key
+        key = Net::SSH::KeyFactory.load_data_public_key(key).to_pem
+      else
+        key = security.public_key
+      end
+
+      if user_exists? key
+        puts 'Key already enrolled'
+      else
+        User.create(public_key: key)
+        puts 'Key was successfully enrolled'
+      end
+    end
+
+    # Checks if a user exists by public key
+    def user_exists?(public_key)
+      User.all(public_key: public_key).count > 0
+    end
+
+    # Revoke a user by id
+    def revoke(user_id)
+      require_user
+
+      user = User.find(user_id)
+      user.secrets.each do |secret|
+        secret.destroy
+      end
+
+      user.destroy
+    end
+
+    protected
+
+    # returns the memoized security object
+    def security
+      return @security if defined? @security
+      @security = Security.new(@secret_key)
+    end
+
+    # Finalizes datamapper and initializes the sqlite database
+    def initialize_database(database_path = './secrets.db')
+      DataMapper.finalize
+
+      database_path = File.expand_path database_path
+
+      @dm = DataMapper.setup(:default, "sqlite:///#{database_path}")
+
+      return if File.exist? database_path
+
+      SQLite3::Database.new(database_path)
+      DataMapper.auto_migrate!
+    end
+
+    # Gets the current user object
+    def current_user
+      User.all(public_key: security.public_key).first
+    end
+
+    def require_user
+      fail 'Current user must be enrolled' unless current_user
+    end
+  end
+end

data/lib/encipher/version.rb

@@ -0,0 +1,3 @@
+module Encipher
+  VERSION = '0.0.1a'
+end

data/spec/enchiper/cli/base_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+
+describe Encipher::Cli::Base do
+  let(:key_path) { 'keypath' }
+  let(:config) { double(key_path: 'keypath') }
+  
+  context do
+    before :each do
+      allow(subject).to receive(:config) { config }
+    end
+
+    describe '.environment' do
+      let(:environment) { double }
+
+      it 'memoizes the environment object' do
+        subject.instance_variable_set(:@environment, environment)
+        expect(Encipher::Environment).to_not receive(:new)
+        expect(subject.send(:environment)).to be environment
+      end
+
+      it 'creates a new environment object if not set' do
+        expect(Encipher::Environment).to receive(:new).with(key_path) { environment }
+        expect(subject.send(:environment)).to be(environment)
+      end
+    end
+
+    describe '.vault' do
+      let(:vault) { double }
+
+      it 'memoizes the vault object' do
+        subject.instance_variable_set(:@vault, vault)
+        expect(Encipher::Vault).to_not receive(:new)
+        expect(subject.send(:vault)).to be vault
+      end
+
+      it 'creates a new vault object if not set' do
+        expect(Encipher::Vault).to receive(:new).with(key_path) { vault }
+        expect(subject.send(:vault)).to be(vault)
+      end
+    end
+  end
+
+  describe '.config' do
+    let (:yaml_hash) { double }
+    let (:config) { double }
+
+    before :each do
+      allow(OpenStruct).to receive(:new) { config }
+      allow(YAML).to receive(:load) { yaml_hash }
+      allow(File).to receive(:read)
+      allow(File).to receive(:exist?) { true }
+    end
+
+    it 'memoizes the config object' do
+      subject.instance_variable_set(:@config, config)
+      expect(OpenStruct).to_not receive(:new)
+      expect(subject.send(:config)).to be config
+    end
+
+    it 'loads the config from yaml' do
+      expect(YAML).to receive(:load)
+      subject.send(:config)
+    end
+
+    it 'creates a new config object if not set' do
+      expect(OpenStruct).to receive(:new).with(yaml_hash) { config }
+      expect(subject.send(:config)).to be(config)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,82 @@
+require 'pry-byebug'
+require 'encipher'
+require 'encipher/cli/cli'
+
+# This file was generated by the `rails generate rspec:install` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# The generated `.rspec` file contains `--require spec_helper` which will cause this
+# file to always be loaded, without a need to explicitly require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, make a
+# separate helper file that requires this one and then use it only in the specs
+# that actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # The settings below are suggested to provide a good initial experience
+  # with RSpec, but feel free to customize to your heart's content.
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # Enable only the newer, non-monkey-patching expect syntax.
+    # For more details, see:
+    #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+    expectations.syntax = :expect
+  end
+
+  config.color = true
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Enable only the newer, non-monkey-patching expect syntax.
+    # For more details, see:
+    #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+    mocks.syntax = :expect
+
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended.
+    mocks.verify_partial_doubles = true
+  end
+end

metadata

@@ -0,0 +1,296 @@
+--- !ruby/object:Gem::Specification
+name: encipher
+version: !ruby/object:Gem::Version
+  version: 0.0.1a
+platform: ruby
+authors:
+- Joey Lorich
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-01-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 10.3.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 10.3.2
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.3.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.3.3
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: clint_eastwood
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.19.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.19.1
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.21
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.6.21
+- !ruby/object:Gem::Dependency
+  name: deep_merge
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.9.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.9.1
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.3.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.3.9
+- !ruby/object:Gem::Dependency
+  name: data_mapper
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: dm-sqlite-adapter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: dot_configure
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+- !ruby/object:Gem::Dependency
+  name: exedit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.2
+- !ruby/object:Gem::Dependency
+  name: awesome_print
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.2.0
+- !ruby/object:Gem::Dependency
+  name: recursive-open-struct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.5.0
+description: Secure secrets management description!
+email:
+- joseph@lorich.me
+executables:
+- encipher
+extensions: []
+extra_rdoc_files: []
+files:
+- .env
+- .gitignore
+- .travis.yml
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/encipher
+- config/rubocop.yml
+- encipher.gemspec
+- lib/encipher.rb
+- lib/encipher/cli/base.rb
+- lib/encipher/cli/cli.rb
+- lib/encipher/cli/convert.rb
+- lib/encipher/dotenv.rb
+- lib/encipher/encipher.rb
+- lib/encipher/environment.rb
+- lib/encipher/models/secret.rb
+- lib/encipher/models/user.rb
+- lib/encipher/security.rb
+- lib/encipher/vault.rb
+- lib/encipher/version.rb
+- secrets.db
+- spec/enchiper/cli/base_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: Secure secrets management
+test_files:
+- spec/enchiper/cli/base_spec.rb
+- spec/spec_helper.rb