encrypted_env 0.0.1

data/.gitignore

@@ -0,0 +1,3 @@
+/.idea/
+/.DS_Store
+/output.txt

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.rvmrc

@@ -0,0 +1,2 @@
+#rvm use 1.9.2-p290@encrypted_env --create
+rvm use 1.8.7@encrypted_env --create

data/.travis.yml

@@ -0,0 +1,6 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+script: bundle exec rspec spec

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in encrypted_env.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,28 @@
+PATH
+  remote: .
+  specs:
+    encrypted_env (0.0.1)
+      encryptor
+      thor
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.1.3)
+    encryptor (1.1.3)
+    rspec (2.11.0)
+      rspec-core (~> 2.11.0)
+      rspec-expectations (~> 2.11.0)
+      rspec-mocks (~> 2.11.0)
+    rspec-core (2.11.1)
+    rspec-expectations (2.11.2)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.11.1)
+    thor (0.15.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  encrypted_env!
+  rspec (~> 2.0)

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012 John Kamenik
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2012 John Kamenik - john@waterfallfms.com
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,177 @@
+# EncryptedEnv
+
+Allows you to read from and write to the ENV in an encrypted way.  This is useful if you are running an app on a server
+that do you not have complete control over (Heroku).  You can place an encryption key in your code, or in the database.
+You can then place your various API tokens in the ENV encrypted.
+
+If you also use attr_encypted to encrypt database columns and store the ENV decryption key in an encrypted column then
+a hacker would have to get your code, your database, and your running ENV to get your API keys.  Not 100% fool proof
+but a lot more secure.
+
+[![Build Status](https://secure.travis-ci.org/WaterfallFMS/encrypted_env.png)](http://travis-ci.org/WaterfallFMS/encrypted_env)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'encrypted_env', :git => 'git@github.com:WaterfallFMS/encrypted_env.git'
+
+And then execute:
+
+    $ bundle install
+
+## Usage
+
+### Decypting ENV variables (programatically)
+
+If the gem is in your Gemfile then you can just start using it.  Otherwise `require 'encrypted_env'` should be in your
+boot script.  Also in the boot script, set the default encryption key
+`EncryptedEnv.default_options = {:key => 'default key'}`. If you have a different `:algorithm` you can set that too.
+
+Anywhere you use `ENV['KEY']` change it to `ENV.decrypt('KEY')`.
+
+If you decrypt variables using different keys and algorithms you can pass those in as options to `decrypt`: `Env.decrypt('KEY',:key => 'other encryption key')
+
+Example:
+
+```ruby
+# rails config/initializers/asset_sync.rb
+require 'encrypted_env'
+
+EncryptedEnv.default_options = {:key => 'super secret', :algorithm => 'aes-256-ecb'}
+
+AssetSync.configure do |config|
+  config.fog_provider          = 'AWS'
+  config.aws_access_key_id     = ENV.decrypt('AWS_ACCESS_KEY')
+  config.aws_secret_access_key = ENV.decrypt('AWS_SECRET_ACCESS_KEY')
+  config.fog_directory         = ENV.decrypt('AWS_DIRECTORY')
+end
+```
+
+
+### Decrypting ENV Variables (from shell)
+
+`encrypt_env` actually has a decrypt option as well.  It will only read values in the ENV.
+
+```bash
+$ encrypted_env decrypt key -k ENCRYPTION_KEY
+key: value
+```
+
+Full flow might be something like this.
+
+```bash
+$ encrypted_env bash KEY=test OTHER=good -k FOOBAR > output.txt ; source output.txt
+$ encrypted_env decrypt KEY OTHER -k foobar
+# Encryption is case sensitive, hence no output
+$ encrypted_env decrypt KEY OTHER -k FOOBAR
+KEY: test
+OTHER: good
+```
+
+### Encrypting ENV Variables
+
+Ruby provides no way to write environment variables, without some serious hacks.  However, it is pretty often that
+ENV is used to pass information into a ruby program at start (RAILS_ENV for example).  Often times this will include
+API keys so that they do not have been stored in sources or HD.
+
+`encrypt_env` provides output that can be used to print assignment commands that can be used to set up an env with the
+ data already encyrpted.
+
+#### Bash
+
+Bash is the default output.
+
+Print something that bash will understand.
+
+```bash
+$ ecrypted_env bash var=value var1="value1" etc...
+```
+
+Why not just execute set the ENV from it.
+
+```bash
+$ encrypt_env bash var=value > output.txt ; source output.txt
+```
+
+#### Heroku
+
+Print something that heorku will understand.
+
+```bash
+$ ecrypted_env heroku var=value var1="value1" etc...
+```
+
+If you already have heroku installed, why not just execute it directly.
+
+```bash
+$ `encrypt_env heroku var=value`
+```
+
+If you have more then one heroku app for the repo you can specify it with `-r`.
+
+```bash
+$ `encrypt_env heroku -r staging var=value`
+```
+
+### Custom Algorithms
+
+Run `openssl list-cipher-commands` to view a list of algorithms supported on your platform. See http://github.com/shuber/encryptor for more information.
+
+```
+aes-128-cbc
+aes-128-ecb
+aes-192-cbc
+aes-192-ecb
+aes-256-cbc
+aes-256-ecb
+base64
+bf
+bf-cbc
+bf-cfb
+bf-ecb
+bf-ofb
+cast
+cast-cbc
+cast5-cbc
+cast5-cfb
+cast5-ecb
+cast5-ofb
+des
+des-cbc
+des-cfb
+des-ecb
+des-ede
+des-ede-cbc
+des-ede-cfb
+des-ede-ofb
+des-ede3
+des-ede3-cbc
+des-ede3-cfb
+des-ede3-ofb
+des-ofb
+des3
+desx
+idea
+idea-cbc
+idea-cfb
+idea-ecb
+idea-ofb
+rc2
+rc2-40-cbc
+rc2-64-cbc
+rc2-cbc
+rc2-cfb
+rc2-ecb
+rc2-ofb
+rc4
+rc4-40
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/bin/encryptenv

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+$:.unshift(File.dirname(__FILE__) + '/../lib') unless $:.include?(File.dirname(__FILE__) + '/../lib')
+require 'encrypted_env/cli'
+
+EncryptedEnv::Cli.start

data/encrypted_env.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/encrypted_env/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["John Kamenik"]
+  gem.email         = ["john@waterfallfms.com"]
+  gem.description   = %q{Allows for reading and writing to the ENV in an encrypted way}
+  gem.summary       = %q{Allows for reading and writing to the ENV in an encrypted way}
+  gem.homepage      = "https://github.com/WaterfallFMS/encrypted_env"
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "encrypted_env"
+  gem.require_paths = ["lib"]
+  gem.version       = EncryptedEnv::VERSION
+
+  gem.add_dependency "encryptor"
+  gem.add_dependency 'thor'
+  gem.add_development_dependency "rspec", "~> 2.0"
+end

data/lib/encrypted_env.rb

@@ -0,0 +1,51 @@
+require "encrypted_env/version"
+require 'encrypted_env/env'
+require 'encryptor'
+require 'base64'
+require 'encrypted_env/base64'
+
+ENV.send(:extend, EncryptedEnv::ENV)
+
+module EncryptedEnv
+  # The default options used when called encrypt and decrypt
+  #
+  # Defaults to Encryptor.default_options, or { :algorithm => 'aes-256-cbc' }
+  def self.default_options
+    @default_options || ::Encryptor.default_options
+  end
+
+  # Sets some default options that are globally used
+  #
+  # Valid keys are
+  #  :key -> The encryption key
+  #  :algorithm -> run 'openssl list-cipher-commands' to see what can be used
+  def self.default_options=(options={})
+    @default_options = default_options.merge(options)
+  end
+
+
+  # Encrypts a value and base64 encodes it into the ENV
+  def self.encrypt(value,options={})
+    encrypted_value = Encryptor.encrypt(self.default_options.merge(options).merge(:value => value.to_s))
+
+    Base64.strict_encode64 encrypted_value.to_s
+  end
+
+  # Decrypt a value already stored in the ENV.  The value is assumed be Base64 encoded
+  def self.decrypt(key,options={})
+    decoded_value = Base64.decode64 env[key]
+
+    Encryptor.decrypt(self.default_options.merge(options).merge(:value => decoded_value))
+  end
+
+  # Returns a hash like structure that should be the ENV.  It defaults to ::ENV
+  def self.env
+    @env || ::ENV
+  end
+
+  # Allows the setting of the environment to something other then ::ENV.  Good for testing or if you are serializing
+  # to something.  The items passed should behave like a Hash
+  def self.env=(env)
+    @env = env
+  end
+end

data/lib/encrypted_env/base64.rb

@@ -0,0 +1,8 @@
+# this fixes the issue with 1.8.7 where strict_encode doesn't exist
+unless Base64.respond_to? :strict_encode64
+  module Base64
+    def strict_encode64(bin)
+      [bin].pack('m0')
+    end
+  end
+end

data/lib/encrypted_env/cli.rb

@@ -0,0 +1,43 @@
+require 'thor'
+require 'encrypted_env'
+
+module EncryptedEnv
+  class Cli < Thor
+    desc "bash key=value key1=value1 ...", "prints output that bash can understand"
+    method_option :key, :aliases => '-k', :type => :string, :required => true
+    def bash(*args)
+      encrypt(*args) do |key,value|
+        puts %Q(export "#{key}"="#{value}")
+      end
+    end
+
+    desc "heroku key=value key1=value1 ...", 'prints output that heroku can understand'
+    method_option :remote, :aliases => '-r', :type => :string
+    method_option :key, :aliases => '-k', :type => :string, :required => true
+    def heroku(*args)
+      heroku_opt = "-r #{options[:remote]}" if options[:remote]
+      encrypt(*args) do |key,value|
+        puts %Q(heroku config:add #{heroku_opt} "#{key}=#{value}")
+      end
+    end
+
+    no_tasks do
+      def encrypt(*args, &block)
+        EncryptedEnv.default_options = {:key => options[:key]}
+        args.each do |arg|
+          key,value = arg.split('=')
+          yield key, EncryptedEnv.encrypt(value)
+        end
+      end
+    end
+
+    desc 'decrypt key ...', 'Decrypts a key in the ENV'
+    method_option :key, :aliases => '-k', :type => :string, :required => true
+    def decrypt(*args)
+      EncryptedEnv.default_options = {:key => options[:key]}
+      args.each do |key|
+        puts "#{key}: #{::ENV.decrypt key}" rescue nil
+      end
+    end
+  end
+end

data/lib/encrypted_env/env.rb

@@ -0,0 +1,11 @@
+module EncryptedEnv
+  module ENV
+    def encrypt(key,value,options={})
+      EncryptedEnv.encrypt(key,value,options)
+    end
+
+    def decrypt(key,options={})
+      EncryptedEnv.decrypt(key,options)
+    end
+  end
+end

data/lib/encrypted_env/version.rb

@@ -0,0 +1,3 @@
+module EncryptedEnv
+  VERSION = "0.0.1"
+end

data/spec/encrypted_env_spec.rb

@@ -0,0 +1,85 @@
+require 'spec_helper'
+
+describe EncryptedEnv do
+  before do
+    EncryptedEnv.class_eval "@default_options = nil"
+  end
+
+  context "#default_options" do
+    it 'should be Encryptor default value' do
+      EncryptedEnv.default_options.should == ::Encryptor.default_options
+    end
+
+    it 'should return overridden values' do
+      # maybe it isn't good to depend on this function, but it should work
+      EncryptedEnv.default_options = {:foo => :bar}
+      Encryptor.should_not_receive(:default_options)
+
+      EncryptedEnv.default_options[:foo].should == :bar
+    end
+  end
+
+  context "#default_options=" do
+    it 'should store any key passed' do
+      EncryptedEnv.default_options = {:key => :value}
+
+      EncryptedEnv.default_options.should include(:key)
+    end
+
+    it 'should allow rewriting of any previously written key' do
+      EncryptedEnv.default_options = {:algorithm => :bf}
+
+      EncryptedEnv.default_options[:algorithm].should == :bf
+    end
+  end
+
+  context "#encrypt" do
+    it 'should return the encrypted value' do
+      # we can't actually write to the env directly, but we can print a value that can be used directly
+      EncryptedEnv.encrypt('this is a test', :key => 'test').should_not be_nil
+    end
+
+    it 'should pass all optional args merged with defaults to the Encryptor' do
+      Encryptor.should_receive(:encrypt).with(Encryptor.default_options.merge(:foo => :bar, :baz => :aaa, :value => 'value', :key => 'test'))
+      EncryptedEnv.default_options = {:foo => :bar}
+
+      EncryptedEnv.encrypt(:value, :baz => :aaa, :key => 'test')
+    end
+
+    it 'should base64 encode the value before dumping in the ENV' do
+      value = Encryptor.encrypt(:value => 'this is a test', :key => 'test')
+      Base64.should_receive(:strict_encode64).with(value)
+
+      EncryptedEnv.encrypt('this is a test', :key => 'test')
+    end
+  end
+
+  context "#decrypt" do
+    before do
+      EncryptedEnv.default_options = {:key => 'hello world'}
+      @value = EncryptedEnv.encrypt('testing')
+      EncryptedEnv.env = {'TEST_VALUE' => @value}
+    end
+
+
+    it 'should pass all optional args merged with defaults to the Encryptor' do
+      Encryptor.should_receive(:decrypt).with(
+        Encryptor.default_options.merge(:foo => :bar, :baz => :aaa,:key => 'hello world',:value => Base64.decode64(@value))
+      )
+      EncryptedEnv.default_options = {:foo => :bar}
+
+      EncryptedEnv.decrypt('TEST_VALUE', :baz => :aaa)
+    end
+
+    it 'should base64 decode the ENV before processing' do
+      decoded = Base64.decode64 EncryptedEnv.env['TEST_VALUE']
+      Base64.should_receive(:decode64).with(@value).and_return decoded
+
+      EncryptedEnv.decrypt('TEST_VALUE')
+    end
+
+    it 'should return the decrypted value of the key' do
+      EncryptedEnv.decrypt('TEST_VALUE').should == 'testing'
+    end
+  end
+end

data/spec/env_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe ENV do
+  context "#encypt" do
+    it 'should be a pass through to EncryptedEnv.encrypt method' do
+      EncryptedEnv.should_receive(:encrypt).with(:foo, :bar, :key => :baz)
+
+      ENV.encrypt(:foo, :bar, :key => :baz)
+    end
+  end
+
+  context "#decrypt" do
+    it 'should be a pass through to EncryptedEnv.decrypt method' do
+      EncryptedEnv.should_receive(:decrypt).with(:foo, :key => :baz)
+
+      ENV.decrypt(:foo, :key => :baz)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,16 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'encrypted_env'
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end

metadata

@@ -0,0 +1,129 @@
+--- !ruby/object:Gem::Specification 
+name: encrypted_env
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- John Kamenik
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2012-08-14 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: encryptor
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: thor
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 2
+        - 0
+        version: "2.0"
+  type: :development
+  version_requirements: *id003
+description: Allows for reading and writing to the ENV in an encrypted way
+email: 
+- john@waterfallfms.com
+executables: 
+- encryptenv
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- .rspec
+- .rvmrc
+- .travis.yml
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- MIT-LICENSE
+- README.md
+- Rakefile
+- bin/encryptenv
+- encrypted_env.gemspec
+- lib/encrypted_env.rb
+- lib/encrypted_env/base64.rb
+- lib/encrypted_env/cli.rb
+- lib/encrypted_env/env.rb
+- lib/encrypted_env/version.rb
+- spec/encrypted_env_spec.rb
+- spec/env_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/WaterfallFMS/encrypted_env
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Allows for reading and writing to the ENV in an encrypted way
+test_files: 
+- spec/encrypted_env_spec.rb
+- spec/env_spec.rb
+- spec/spec_helper.rb