encrypted_credentials 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 46ebb3c54baa7d63c62cd79b34acd6ddc8756d9b025e57d942d75467cb19ad6a
+  data.tar.gz: c34ffac0161c1574283378525c5202b12c83347578553ebd71cfc6ea73f9c861
+SHA512:
+  metadata.gz: 9c646a6dfc693c9334e24b4341e44e5c39e61a05e4a7ab1619a5391aa6e7ceb0725facd5bbfbbf5a2a905c8c4c64c22554c4f9e60b99fbc95213423dec5bf0f3
+  data.tar.gz: 31b2f1481798a054c36916f06a223bd49227c0097bf741b43bf02f07d4a0181449c6938834c64502da4871d9a472a7fa2df59b563dc10c19850780bbaba8bf3a

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in encrypted_credentials.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+
+gem "rspec", "~> 3.0"

data/Gemfile.lock

@@ -0,0 +1,35 @@
+PATH
+  remote: .
+  specs:
+    encrypted_credentials (0.1.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.3)
+    rake (13.0.3)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+
+PLATFORMS
+  ruby
+  x86_64-linux
+
+DEPENDENCIES
+  encrypted_credentials!
+  rake (~> 13.0)
+  rspec (~> 3.0)
+
+BUNDLED WITH
+   2.2.19

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Eugene Zolotarev & Hodlex Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,65 @@
+# Encrypted credentials
+
+If you ever wanted to:
+
+✅ edit Rails [encrypted credentials](https://guides.rubyonrails.org/security.html#environmental-security) without a need to run Rails environment (e.g. from host machine inside a docker volume, from system user which doesn't have Rails installed, etc.)
+
+✅ employ Rails-compatible encrypted credentials in your non-Rails Ruby app
+
+...this gem is for you.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'encrypted_credentials'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install encrypted_credentials
+
+## Usage (CLI)
+
+```
+# To open EDITOR (nano by default) for 'development.yml.enc', using 'development.key' as key:
+edit_credentials -i config/credentials/development.yml.enc
+
+# To open EDITOR (nano by default) for 'credentials.yml.enc', using 'master.key' as key:
+edit_credentials -i config/credentials.yml.enc
+```
+
+Run `edit_credentials --help` for full list of options.
+
+## Usage (Ruby)
+
+```
+require 'encrypted_credentials/coder'
+
+# Decrypt
+
+key_hex = "9b3821b4116cec2f1db839151eaf18bb"
+data = "gf3IRwit9tIvWtaa+Ytf7ulImIyIooOH+w==--2YttW0Yus3vxR9I+--ytgdvdU9L3CnTvCSqzFzuw=="
+
+EncryptedCredentials::Coder.decrypt(data, key_hex) #=> "some_key: some_value\n"
+
+# Encrypt
+
+key_hex = EncryptedCredentials::Coder.generate_key_hex
+rails_compatible_encrypted_data = EncryptedCredentials::Coder.encrypt("some_key: some_value", key_hex, true)
+File.write('master.key', key_hex)
+File.write('credentials.yml.enc', rails_compatible_encrypted_data)
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/EugZol/credentials.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "encrypted_credentials"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/encrypted_credentials.gemspec

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require_relative "lib/encrypted_credentials/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "encrypted_credentials"
+  spec.version       = EncryptedCredentials::VERSION
+  spec.authors       = ["Eugene Zolotarev", "Hodlex Ltd."]
+  spec.email         = ["eugzol@gmail.com", "cto@hodlhodl.com"]
+
+  spec.summary       = "Light weight credentials encoder/decoder, compatible with Rails Credentials"
+  spec.homepage      = "https://github.com/EugZol/enrypted_credentials"
+  spec.license       = "MIT"
+  spec.required_ruby_version = ">= 2.4.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+end

data/exe/decrypt_credentials

@@ -0,0 +1,32 @@
+#!/usr/bin/env ruby
+
+require 'optionparser'
+
+require_relative '../lib/encrypted_credentials/coder'
+
+options = {}
+
+options[:in] = '/dev/stdin'
+options[:out] = '/dev/stdout'
+
+parser =
+  OptionParser.new do |x|
+    x.banner = "Usage: decrypt_credentials [options]"
+    x.separator ""
+    x.separator "Either -k or -f is required. Other options are optional."
+    x.separator ""
+
+    x.on('-i', '--in FILENAME', 'File with data to decrypt (omit to use STDIN)') { |o| options[:in] = o }
+    x.on('-o', '--out FILENAME', 'File to write decrypted data (omit to use STDOUT)') { |o| options[:out] = o }
+    x.on('-k', '--key KEY_HEX', 'Key (hex representation)') { |o| options[:key] = o }
+    x.on('-f', '--keyfile KEY_FILE', 'Key file (with hex representation of the key)') { |o| options[:key] = File.read(o) }
+  end
+
+parser.parse!
+
+key_hex = options[:key]
+abort "Specify either -f or -k. See #{$0} --help" unless key_hex
+
+data_bin = File.binread(options[:in])
+
+File.write(options[:out], EncryptedCredentials::Coder.decrypt(data_bin, key_hex))

data/exe/edit_credentials

@@ -0,0 +1,93 @@
+#!/usr/bin/env ruby
+
+require 'optionparser'
+require 'tempfile'
+require 'pathname'
+require 'shellwords'
+require 'securerandom'
+
+require_relative '../lib/encrypted_credentials/coder'
+
+options = {}
+options[:in] = '/dev/stdin'
+
+parser =
+  OptionParser.new do |x|
+    x.banner = "Usage: EDITOR=nano edit_credentials [options]"
+    x.separator ""
+    x.separator "Only -i is required."
+    x.separator ""
+    x.separator "If neither -k nor -f is provided key filename will be guessed from input filename (master.key or <environment>.key)."
+    x.separator "If guessed key file is not found, it will be created with a random key."
+    x.separator ""
+
+    x.on('-i', '--in FILENAME', 'Encrypted credentials file (omit to use STDIN/STDOUT)') { |o| options[:in] = o }
+    x.on('-k', '--key KEY_HEX', 'Key (hex representation)') { |o| options[:key] = o }
+    x.on('-f', '--keyfile KEY_FILE', 'Key file (with hex representation of the key)') { |o| options[:key] = File.read(o) }
+  end
+
+parser.parse!
+
+if options[:in] == '/dev/stdin'
+  options[:in] = '/dev/stdin'
+  options[:out] = '/dev/stdout'
+else
+  options[:out] = options[:in]
+end
+
+editor = ENV['EDITOR'] || 'nano'
+
+data_bin = File.read(options[:in]) if File.exists?(options[:in])
+
+key_hex = options[:key]
+key_hex ||= begin
+  credentials_path = File.dirname(options[:in])
+
+  # credentials.yml.enc -> master.key
+  master_key = credentials_path + '/master.key'
+  # development.yml.enc -> development.key
+  environment_key = credentials_path + '/' + File.basename(options[:in]).split('.').first + '.key'
+
+  if File.exists?(master_key)
+    File.read(master_key)
+  elsif File.exists?(environment_key)
+    File.read(environment_key)
+  else
+    puts "Could not find key file (checked: #{master_key}, #{environment_key})"
+    key_file =
+      if File.basename(options[:in]).split('.').first == 'credentials'
+        master_key
+      else
+        environment_key
+      end
+    puts "Creating #{key_file}"
+    key = SecureRandom.hex(16)
+    File.write(key_file, key)
+    key
+  end
+end
+
+begin
+  tmp_file = "#{Process.pid}.#{File.basename(options[:in]).chomp('.enc')}"
+  tmp_path = Pathname.new(File.join(Dir.tmpdir, tmp_file))
+
+  decrypted_data = EncryptedCredentials::Coder.decrypt(data_bin, key_hex) if data_bin
+  tmp_path.binwrite decrypted_data
+
+  begin
+    system("#{editor} #{Shellwords.escape(tmp_path)}")
+  rescue Interrupt
+    puts "Interrupted. Nothing was changed."
+    exit
+  end
+
+  updated_decrypted_data = tmp_path.binread
+
+  if updated_decrypted_data == decrypted_data
+    puts "No changes were made, credentials file was not updated"
+  else
+    File.write(options[:out], EncryptedCredentials::Coder.encrypt(updated_decrypted_data, key_hex))
+  end
+ensure
+  FileUtils.rm(tmp_path) if tmp_path&.exist?
+end

data/exe/encrypt_credentials

@@ -0,0 +1,32 @@
+#!/usr/bin/env ruby
+
+require 'optionparser'
+
+require_relative '../lib/encrypted_credentials/coder'
+
+options = {}
+
+options[:in] = '/dev/stdin'
+options[:out] = '/dev/stdout'
+
+parser =
+  OptionParser.new do |x|
+    x.banner = "Usage: encrypt_credentials [options]"
+    x.separator ""
+    x.separator "Either -k or -f is required. Other options are optional."
+    x.separator ""
+
+    x.on('-i', '--in FILENAME', 'File with data to encrypt (omit to use STDIN)') { |o| options[:in] = o }
+    x.on('-o', '--out FILENAME', 'File to write encrypted data (omit to use STDOUT)') { |o| options[:out] = o }
+    x.on('-k', '--key KEY_HEX', 'Key (hex representation)') { |o| options[:key] = o }
+    x.on('-f', '--keyfile KEY_FILE', 'Key file (with hex representation of the key)') { |o| options[:key] = File.read(o) }
+  end
+
+parser.parse!
+
+key_hex = options[:key]
+abort "Specify either -f or -k. See #{$0} --help" unless key_hex
+
+data_bin = File.binread(options[:in])
+
+File.write(options[:out], EncryptedCredentials::Coder.encrypt(data_bin, key_hex))

data/lib/encrypted_credentials/coder.rb

@@ -0,0 +1,86 @@
+require 'openssl'
+require 'base64'
+require 'securerandom'
+
+# References:
+# - https://github.com/rails/rails/blob/main/activesupport/lib/active_support/encrypted_file.rb
+# - https://github.com/rails/rails/blob/b71a9ccce04ac08e159d4a21de91a8d76f13d8d0/activesupport/lib/active_support/message_encryptor.rb#L147
+# - https://github.com/rails/rails/blob/174ee7bb602f63e7a5c44ec52e6592f3a5dd10b1/activesupport/lib/active_support/message_encryptor.rb#L163
+
+module EncryptedCredentials
+  class Coder
+    def self.decrypt(data_bin, key_hex)
+      encrypted_data, iv, auth_tag = data_bin.split("--").map { |v| Base64.strict_decode64(v) }
+      key = [key_hex].pack('H*')
+
+      cipher_type =
+        case key.bytes.length
+        when 16
+          'aes-128-gcm'
+        when 32
+          'aes-256-gcm'
+        else
+          raise "Wrong key length: #{key.bytes.length}"
+        end
+
+      raise "Unauthenticated message" if auth_tag.nil? || auth_tag.bytes.length != 16
+
+      cipher = OpenSSL::Cipher.new(cipher_type)
+      cipher.decrypt
+      cipher.key = key
+      cipher.iv = iv
+      cipher.auth_tag = auth_tag
+      cipher.auth_data = ""
+
+      decrypted_data = cipher.update(encrypted_data)
+      decrypted_data << cipher.final
+
+      if decrypted_data.bytes[0..1] == [4, 8]
+        Marshal.load(decrypted_data)
+      else
+        decrypted_data
+      end
+    end
+
+    def self.generate_key_hex(cipher = 'aes-128-gcm')
+      key_length =
+        case cipher
+        when 'aes-128-gcm'
+          16
+        when 'aes-256-gcm'
+          32
+        else
+          raise "Unsupported cipher: #{cipher}"
+        end
+
+      SecureRandom.hex(key_length)
+    end
+
+    def self.encrypt(data_bin, key_hex, use_marshal = true)
+      key = [key_hex].pack('H*')
+
+      cipher_type =
+        case key.bytes.length
+        when 16
+          'aes-128-gcm'
+        when 32
+          'aes-256-gcm'
+        else
+          raise "Wrong key length: #{key.bytes.length}"
+        end
+
+      cipher = OpenSSL::Cipher.new(cipher_type)
+      cipher.encrypt
+      cipher.key = key
+      iv = cipher.random_iv
+      cipher.auth_data = ""
+
+      data = data_bin
+      data = Marshal.dump(data) if use_marshal
+      encrypted_data = cipher.update(data)
+      encrypted_data << cipher.final
+
+      [encrypted_data, iv, cipher.auth_tag].map{ |x| Base64.strict_encode64(x) }.join('--')
+    end
+  end
+end

data/lib/encrypted_credentials/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module EncryptedCredentials
+  VERSION = "0.1.2"
+end

data/lib/encrypted_credentials.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require_relative "encrypted_credentials/version"
+
+module EncryptedCredentials
+end

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification
+name: encrypted_credentials
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- Eugene Zolotarev
+- Hodlex Ltd.
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2021-12-10 00:00:00.000000000 Z
+dependencies: []
+description: 
+email:
+- eugzol@gmail.com
+- cto@hodlhodl.com
+executables:
+- decrypt_credentials
+- edit_credentials
+- encrypt_credentials
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- encrypted_credentials.gemspec
+- exe/decrypt_credentials
+- exe/edit_credentials
+- exe/encrypt_credentials
+- lib/encrypted_credentials.rb
+- lib/encrypted_credentials/coder.rb
+- lib/encrypted_credentials/version.rb
+homepage: https://github.com/EugZol/enrypted_credentials
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/EugZol/enrypted_credentials
+  source_code_uri: https://github.com/EugZol/enrypted_credentials
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Light weight credentials encoder/decoder, compatible with Rails Credentials
+test_files: []