envault 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: af2de945195b941624c2f5e2a992f3d8eea9eb80
+  data.tar.gz: 22faf369eead70da1d5e4bddf896b13df3318030
+SHA512:
+  metadata.gz: dcd47c0296c6c41ba87c8a4e4d1b51bd3da4fa4be65dd5c0f17d34738b26d9472a27b586a33656c3402d6225e916376d133d6ebddc7be8e61ca7adf1e2ab1692
+  data.tar.gz: b186a443ff600835a0e04460c682ab4ff35d8602cc4b155eaa2bce7a961d72fa08dc4052244887db39029913d4088292ffa42c430db9bb55408ef894d0aeeccc

data/.document

@@ -0,0 +1,3 @@
+- 
+ChangeLog.md
+LICENSE.txt

data/.gitignore

@@ -0,0 +1,8 @@
+Gemfile.lock
+doc/
+pkg/
+**/*.gem
+.yardoc/
+.bundle/
+vendor/bundle/
+.tags

data/.rspec

@@ -0,0 +1 @@
+--colour --format documentation

data/.travis.yml

@@ -0,0 +1,16 @@
+language: ruby
+
+rvm:
+  - 2.1.*
+  - 2.2.*
+  - 2.3.1
+
+gemfile:
+  - Gemfile
+
+os:
+  - linux
+
+before_install: gem update bundler
+
+script: 'bundle exec rake spec'

data/.yardopts

@@ -0,0 +1 @@
+--markup markdown --title "envault Documentation" --protected

data/ChangeLog.md

@@ -0,0 +1,4 @@
+### 0.1.0 / 2016-08-31
+
+* Initial release:
+

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :development do
+  gem 'kramdown'
+end

data/LICENSE.txt

@@ -0,0 +1,20 @@
+Copyright (c) 2016 toyama0919
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,180 @@
+# envault [![Build Status](https://secure.travis-ci.org/toyama0919/envault.png?branch=master)](http://travis-ci.org/toyama0919/envault)
+
+Encrypt secret information environment variables by yaml.
+
+## Settings(Environment Variables)
+```
+export ENVAULT_PASSPHRASE=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+export ENVAULT_SIGN_PASSPHRASE=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+export ENVAULT_SALT=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+```
+
+## Settings(yaml file)
+```
+development:
+  passphrase: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  sign_passphrase: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  salt: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  prefix: ENVAULT_
+
+staging:
+  passphrase: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  sign_passphrase: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  salt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  prefix: ENVAULT_
+
+production:
+  passphrase: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
+  sign_passphrase: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
+  salt: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
+  prefix: ENVAULT_
+```
+
+## Encrypt and Decrypt
+```bash
+$ cat .env
+USERNAME_A: hogehoge
+USERNAME_B: fugafuga
+USERNAME_C: mogomogo
+PASSWORD_A: hogehoge
+PASSWORD_B: fugafuga
+PASSWORD_C: mogomogo
+API_KEY_A: hogehoge
+API_KEY_B: fugafuga
+API_KEY_C: mogomogo
+
+## encrypt file
+$ envault -e -s .env -c envault.yml --profile staging -k '^PASSWORD_.*' '^API_KEY_.*' > .env.encrypt
+$ cat .env.encrypt
+USERNAME_A: "hogehoge"
+USERNAME_B: "fugafuga"
+USERNAME_C: "mogomogo"
+ENVAULT_PASSWORD_A: "VmI4TkcwYXFRdnp3cTNINFo5NHZNWWtUakd4WE9iWDhJdFIzVnQydXlMaz0tLU5CS2JONW1FalorMGxsOGxUYmpXUFE9PQ==--3e301c251f5a7cf0e6280daa3bc14cc04c2cbff492758028c9e5fd6ddc72660e"
+ENVAULT_PASSWORD_B: "QzI1eFZnampSZkk3QWxEYkZjemNlMVpmWWVEVFluZjhJV01zS3JKNUlvST0tLUNvWDdNWVFGMUMwVGEvaTNFMkJVU2c9PQ==--d58c39f5e71b382f2d2778e8c02c58339ed330e0dc31067ed6544fcb94397700"
+ENVAULT_PASSWORD_C: "eGo0S3pLRWV0OFRrdVRzTmwvZlR3VkN6a2xjeHpvcHV0ZlZMenNOUm1Wbz0tLS80WjFuRzQrQ29uSU5SbDBSOGUyRlE9PQ==--7c2342c9533b70af50be5cf1dd12aa66f595263ea4c8aa347b185a7a8e57fb3c"
+ENVAULT_API_KEY_A: "QThLSGF4VXNST3ZXL0VTVURzMlQ3aUE2aXppTlc5aUxUWk9Xa0hXS25NYz0tLTAxWlI0OU0zdnZXUG1MdmtYY2FZK0E9PQ==--fff50bafac593d6c50da369f1e040e0f6db8623299078ccda029bbeed12a93c7"
+ENVAULT_API_KEY_B: "cWdFS21HdnArNlBzcFhremhFNTJzdzhtYkNwWUIrb2dzekFsbzZxQjRsQT0tLWZUZTdpYW1Bc2xqRXcvMjB4eDRNc1E9PQ==--edb6d0bace9f1cd4c9eeef0a9289d43fd6724625e601aa46e9ebb12f6405efb6"
+ENVAULT_API_KEY_C: "YllDcDhYUTJGZWhTRjBaQTU4L3RlZitzYVN3OTV6OXhSbkZHbFBWaWF3cz0tLVo1MGFZVkNWQ3g2UXdwRlBFaW43MWc9PQ==--fd0642530754f235856f9ebba252bb34156666498433e05c2ce29573aad6ec69"
+
+## decrypt file
+$ envault -d -s .env.encrypt -c envault.yml --profile staging
+USERNAME_A: "hogehoge"
+USERNAME_B: "fugafuga"
+USERNAME_C: "mogomogo"
+PASSWORD_A: "hogehoge"
+PASSWORD_B: "fugafuga"
+PASSWORD_C: "mogomogo"
+API_KEY_A: "hogehoge"
+API_KEY_B: "fugafuga"
+API_KEY_C: "mogomogo"
+
+## if use other profile, Error
+$ envault -d -s .env.encrypt -c envault.yml --profile production                                                                                            1 ↵
+/Users/toyama-h/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-4.2.5/lib/active_support/message_verifier.rb:49:in `verify': ActiveSupport::MessageVerifier::InvalidSignature (ActiveSupport::MessageVerifier::InvalidSignature)
+        from /Users/toyama-h/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/activesupport-4.2.5/lib/active_support/message_encryptor.rb:64:in `decrypt_and_verify'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/core.rb:51:in `block in decrypt_process'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/core.rb:49:in `each'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/core.rb:49:in `map'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/core.rb:49:in `decrypt_process'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/core.rb:44:in `decrypt_yaml'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/cli.rb:74:in `block in decrypt_file'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/cli.rb:73:in `each'
+        from /Users/toyama-h/Dropbox/github/envault/lib/envault/cli.rb:73:in `decrypt_file'
+        from /Users/toyama-h/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
+        from /Users/toyama-h/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
+        from /Users/toyama-h/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
+        from /Users/toyama-h/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
+        from /Users/toyama-h/Dropbox/github/envault/bin/envault:6:in `<top (required)>'
+        from /Users/toyama-h/bin/envault:17:in `load'
+        from /Users/toyama-h/bin/envault:17:in `<main>'
+```
+
+## reencrypt(config)
+```bash
+$ cat .envault.test
+old_staging:
+  passphrase: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  sign_passphrase: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  salt: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
+  prefix: OLD_ENVAULT_
+
+staging:
+  passphrase: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  sign_passphrase: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  salt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+  prefix: ENVAULT_
+
+$ cat .env.encrypt
+OLD_ENVAULT_A: "aaaaaaaaaaaaaa"
+OLD_ENVAULT_B: "bbbbbbbbbbbbbbb"
+C: "hoge"
+
+$ envault reencrypt_file -s .env.encrypt -c ~/.envault --from_profile old_staging --to_profile staging --overwrite
+
+$ cat .env.encrypt
+ENVAULT_A: "ccccccccccccccc"
+ENVAULT_B: "ddddddddddddddd"
+C: "hoge"
+
+```
+
+## Load AND command(Environment Variables)
+```bash
+$ envault load -s .env.encrypt --command 'echo $PASSWORD_A'
+hogehoge
+```
+
+## Load Application(Environment Variables)
+```bash
+require 'envault'
+Envault.load('.env.encrypt')
+p ENV['PASSWORD_A']
+#=> hogehoge
+```
+
+## Load Application(Profile)
+```bash
+require 'envault'
+Envault.load_with_profile('.env.encrypt', config: '.envault', profile: 'staging')
+p ENV['PASSWORD_B']
+#=> fugafuga
+```
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'envault'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install envault
+
+## Synopsis
+
+    $ envault
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new [Pull Request](../../pull/new/master)
+
+## Information
+
+* [Homepage](https://github.com/toyama0919/envault)
+* [Issues](https://github.com/toyama0919/envault/issues)
+* [Documentation](http://rubydoc.info/gems/envault/frames)
+* [Email](mailto:toyama0919@gmail.com)
+
+## Copyright
+
+Copyright (c) 2016 toyama0919
+
+See [LICENSE.txt](../LICENSE.txt) for details.

data/Rakefile

@@ -0,0 +1,25 @@
+# encoding: utf-8
+
+require 'rubygems'
+
+begin
+  require 'bundler/setup'
+rescue LoadError => e
+  abort e.message
+end
+
+require 'rake'
+
+
+require 'rubygems/tasks'
+Gem::Tasks.new
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new
+
+task :test    => :spec
+task :default => :spec
+
+require 'yard'
+YARD::Rake::YardocTask.new  
+task :doc => :yard

data/bin/envault

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'envault'
+
+Envault::CLI.start

data/envault.gemspec

@@ -0,0 +1,33 @@
+# -*- encoding: utf-8 -*-
+
+require File.expand_path('../lib/envault/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.name          = "envault"
+  gem.version       = Envault::VERSION
+  gem.summary       = %q{Encrypt secret information environment variables by yaml.}
+  gem.description   = %q{Encrypt secret information environment variables by yaml.}
+  gem.license       = "MIT"
+  gem.authors       = ["toyama0919"]
+  gem.email         = "toyama0919@gmail.com"
+  gem.homepage      = "https://github.com/toyama0919/envault"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ['lib']
+
+  gem.required_ruby_version = '>= 2.1'
+
+  gem.add_dependency 'thor'
+  gem.add_dependency 'dotenv'
+  gem.add_dependency 'activesupport', ">=4", "<5"
+
+  gem.add_development_dependency 'bundler'
+  gem.add_development_dependency 'pry'
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec', '~> 3.0'
+  gem.add_development_dependency 'rubocop', '~> 0.24.1'
+  gem.add_development_dependency 'rubygems-tasks', '~> 0.2'
+  gem.add_development_dependency 'yard', '~> 0.8'
+end

data/lib/envault.rb

@@ -0,0 +1,22 @@
+require 'envault/version'
+require 'envault/constants'
+require 'envault/core'
+require 'envault/cli'
+require 'envault/environment'
+require 'envault/formatter'
+
+module Envault
+  def self.load(*source_files)
+    source_files = ['.env'] if source_files.empty?
+    params = ['load', '--sources', source_files]
+    Envault::CLI.start(params)
+  end
+
+  def self.load_with_profile(*source_files, config:, profile:)
+    source_files = ['.env'] if source_files.empty?
+    params = ['load', '--sources', source_files]
+    params.concat(['-c', config]) if config
+    params.concat(['--profile', profile]) if profile
+    Envault::CLI.start(params)
+  end
+end

data/lib/envault/cli.rb

@@ -0,0 +1,126 @@
+require 'thor'
+require 'erb'
+require 'yaml'
+
+module Envault
+  class CLI < Thor
+    map '-e' => :encrypt_file
+    map '-d' => :decrypt_file
+    map '-r' => :reencrypt_file
+    map '-l' => :load
+
+    class_option :config, aliases: '-c', type: :string ,desc: 'config'
+    class_option :profile, aliases: '-p', type: :string, default: 'default',desc: 'profile'
+    class_option :debug, aliases: '--debug', type: :boolean, default: false, desc: 'debug'
+    class_option :prefix, type: :string, default: nil, desc: 'prefix'
+    def initialize(args = [], options = {}, config = {})
+      super(args, options, config)
+      @class_options = config[:shell].base.options
+      current_command = config[:current_command].name
+      unless SKIP_INITIALIZE_COMMANDS.include?(current_command)
+        @core = Core.new(
+          config: @class_options[:config],
+          profile: @class_options[:profile],
+          prefix: @class_options[:prefix],
+          debug: @class_options[:debug]
+        )
+        @logger = @core.logger
+      end
+    end
+
+    desc "encrypt", "encrypt string. exp: envault encrypt -s hoge"
+    option :source, aliases: '-s', type: :string, required: true, desc: 'source', banner: 'source'
+    def encrypt
+      puts @core.cryptor.encrypt_and_sign(options[:source])
+    end
+
+    desc "decrypt", "decrypt string. exp: envault decrypt -s hoge"
+    option :source, aliases: '-s', type: :string, required: true, desc: 'source'
+    def decrypt
+      puts @core.cryptor.decrypt_and_verify(options[:source])
+    end
+
+    desc "-r", "reencrypt file. exp: envault -r -s .env.encrypt -c ~/.envault --from_profile staging --to_profile production"
+    option :source, aliases: '-s', type: :string, required: true, desc: 'source'
+    option :from_profile, type: :string, required: true, desc: 'from_profile'
+    option :to_profile, type: :string, required: true, desc: 'to_profile'
+    option :overwrite, type: :boolean, default: false, desc: 'overwrite'
+    def reencrypt_file
+      yaml = YAML.load_file(options[:source])
+      from = Core.new(
+        config: @class_options[:config],
+        profile: options[:from_profile],
+        prefix: @class_options[:prefix],
+        debug: @class_options[:debug]
+      )
+      cipher_keys = from.get_cipher_keys(yaml).map{ |cipher_key| cipher_key.gsub(/^#{from.prefix}/, '') }
+      decrypted = from.decrypt_yaml(options[:source])
+      to = Core.new(
+        config: @class_options[:config],
+        profile: options[:to_profile],
+        prefix: @class_options[:prefix],
+        debug: @class_options[:debug]
+      )
+      output = to.encrypt_process(decrypted, cipher_keys)
+      if options[:overwrite]
+        Formatter.write_escape_yaml(options[:source], output)
+      else
+        puts Formatter.escape_yaml(output)
+      end
+    end
+
+    desc "-e", "encrypt file. exp. envault -e -s .env -k '^PASSWORD_.*' '^API_KEY_.*'"
+    option :source, aliases: '-s', type: :array, required: true, desc: 'secret'
+    option :keys, aliases: '-k', type: :array, required: false, desc: 'keys'
+    option :plain_text, aliases: '-t', type: :array, default: [], required: false, desc: 'plain'
+    option :output, aliases: '-o', type: :string, default: nil, desc: 'output'
+    def encrypt_file
+      result = {}
+      options[:plain_text].each do |plain_text_path|
+        result = result.merge(YAML.load(ERB.new(File.read(plain_text_path)).result))
+      end
+      options[:source].each do |secret_yaml_path|
+        result = result.merge(@core.encrypt_yaml(secret_yaml_path, options[:keys]))
+      end
+      if options[:output]
+        Formatter.write_escape_yaml(options[:output], result)
+      else
+        puts Formatter.escape_yaml(result)
+      end
+    end
+
+    desc "-d", "decrypt file. exp: envault -d -s .env"
+    option :source, aliases: '-s', type: :array, required: true, desc: 'source'
+    option :plain_text, aliases: '-t', type: :array, default: [], required: false, desc: 'plain_text'
+    option :output, aliases: '-o', type: :string, default: nil, desc: 'output'
+    def decrypt_file
+      result = {}
+      options[:plain_text].each do |plain_text_path|
+        result = result.merge(YAML.load(ERB.new(File.read(plain_text_path)).result))
+      end
+      options[:source].each do |encrypt_yaml_path|
+        result = result.merge(@core.decrypt_yaml(encrypt_yaml_path))
+      end
+      if options[:output]
+        Formatter.write_escape_yaml(options[:output], result)
+      else
+        puts Formatter.escape_yaml(result)
+      end
+    end
+
+    desc "-l", "load environment. exp: envault -l -s .env --command 'echo $myhostname'"
+    option :sources, aliases: '-s', type: :array, required: true, default: [DEFAULT_SOURCE_FILE], desc: 'source'
+    option :command, type: :string, desc: 'source'
+    def load
+      options[:sources].each do |source|
+        begin
+          @core.load(source)
+        rescue => e
+          raise "error => [#{source}]\n#{e.message}\n#{e.backtrace.join("\n")}"
+        end
+      end
+      @logger.debug(ENV)
+      exec(options[:command]) if options[:command]
+    end
+  end
+end

data/lib/envault/constants.rb

@@ -0,0 +1,7 @@
+module Envault
+  DEFAULT_SOURCE_FILE = ".env"
+  DEFAULT_ENV_PREFIX = "ENVAULT_"
+  DEFAULT_CIPHER = "aes-256-cbc"
+  DEFAULT_DIGEST = "SHA256"
+  SKIP_INITIALIZE_COMMANDS = ["reencrypt_file"]
+end

data/lib/envault/core.rb

@@ -0,0 +1,118 @@
+require 'dotenv'
+require 'pp'
+require 'logger'
+require 'tempfile'
+require 'active_support'
+
+module Envault
+  class Core
+    attr_accessor :logger, :cryptor, :prefix
+
+    def initialize(config: nil, profile: nil, prefix: nil, debug: false)
+      @logger = Logger.new(STDOUT)
+      @logger.level = debug ? Logger::DEBUG : Logger::INFO
+      profile = get_profile(config, profile)
+      @cryptor = get_cryptor(profile[:passphrase] || '', profile[:sign_passphrase], profile[:salt] || '')
+      @prefix = prefix || profile[:prefix] || DEFAULT_ENV_PREFIX
+    end
+
+    def encrypt_yaml(path, keys = nil)
+      hash = YAML.load_file(path)
+      encrypt_process(hash, keys)
+    end
+
+    def encrypt_process(hash, keys = nil)
+      cipher_keys = get_cipher_keys(hash, keys)
+      encrypted = hash.map do |k, v|
+        if cipher_keys.include?(k)
+          [@prefix + k, @cryptor.encrypt_and_sign(v)]
+        else
+          [k, v]
+        end
+      end
+      Hash[encrypted]
+    end
+
+    def decrypt_yaml(path)
+      hash = YAML.load_file(path)
+      decrypt_process(hash)
+    end
+
+    def decrypt_process(hash)
+      cipher_keys = get_cipher_keys(hash)
+      decrypted = hash.map do |k, v|
+        if cipher_keys.include?(k)
+          [k.gsub(/^#{@prefix}/, ''), @cryptor.decrypt_and_verify(v)]
+        else
+          [k, v]
+        end
+      end
+      Hash[decrypted]
+    end
+
+    def get_cipher_keys(hash, keys = ["^#{@prefix}.*"])
+      all_keys = hash.keys
+      if keys
+        regexps = []
+        keys.each do |key|
+          regexps << Regexp.new(key)
+        end
+        results = regexps.map do |regexp|
+          all_keys.select do |key|
+            regexp =~ key
+          end
+        end
+        results.flatten
+      else
+        all_keys
+      end
+    end
+
+    def load(path = DEFAULT_SOURCE_FILE)
+      hash = decrypt_yaml(path)
+
+      Tempfile.create("dotenv-vault") do |f|
+        Formatter.write_escape_yaml(f.path, hash)
+        Dotenv.load(f.path)
+      end
+    end
+
+    private
+
+    def get_cryptor(passphrase, sign_passphrase, salt)
+      key = ActiveSupport::KeyGenerator.new(passphrase).generate_key(salt, 64)
+      signature_key = ActiveSupport::KeyGenerator.new(sign_passphrase).generate_key(salt, 64) if sign_passphrase
+
+      if signature_key
+        ActiveSupport::MessageEncryptor.new(key, signature_key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+      else
+        ActiveSupport::MessageEncryptor.new(key, cipher: DEFAULT_CIPHER, digest: DEFAULT_DIGEST)
+      end
+    end
+
+    def get_profile(config_path, profile_name)
+      return get_profile_form_env unless config_path
+      config = YAML.load_file(config_path)
+      return get_profile_form_env unless config
+      profile = config[profile_name]
+      unless profile
+        raise %Q{invalid profile [#{profile_name}].}
+      end
+      {
+        passphrase: profile['passphrase'],
+        sign_passphrase: profile['sign_passphrase'],
+        salt: profile['salt'],
+        prefix: profile['prefix']
+      }
+    end
+
+    def get_profile_form_env
+      {
+        passphrase: ENV['ENVAULT_PASSPHRASE'],
+        sign_passphrase: ENV['ENVAULT_SIGN_PASSPHRASE'],
+        salt: ENV['ENVAULT_SALT'],
+        prefix: ENV['ENVAULT_PREFIX']
+      }
+    end
+  end
+end

data/lib/envault/environment.rb

@@ -0,0 +1,7 @@
+module Envault
+  class Environment < Dotenv::Environment
+    def initialize(hash)
+      update hash
+    end
+  end
+end

data/lib/envault/formatter.rb

@@ -0,0 +1,15 @@
+module Envault
+  class Formatter
+    def self.escape_yaml(hash)
+      lines = []
+      hash.map do |k, v|
+        lines << %Q{#{k}: #{v.inspect}}
+      end
+      lines.join("\n")
+    end
+
+    def self.write_escape_yaml(path, hash)
+      File.write(path, escape_yaml(hash))
+    end
+  end
+end

data/lib/envault/version.rb

@@ -0,0 +1,4 @@
+module Envault
+  # envault version
+  VERSION = "0.1.0"
+end

data/spec/cli_spec.rb

@@ -0,0 +1,39 @@
+require 'spec_helper'
+require 'envault'
+
+describe Envault::CLI do
+  before do
+    clear_env
+    ENV['ENVAULT_PASSPHRASE'] = 'ENV'
+    ENV['ENVAULT_SIGN_PASSPHRASE'] = 'ENV'
+    ENV['ENVAULT_SALT'] = 'ENV'
+  end
+
+  it "should stdout help" do
+    output = capture_stdout do
+      Envault::CLI.start(['help'])
+    end
+    expect(output).not_to eq(nil)
+  end
+
+  it "encrypt options" do
+    output = capture_stdout do
+      Envault::CLI.start(['help', 'encrypt'])
+    end
+    expect(output).to include('-s,')
+    expect(output).to include('-c,')
+    expect(output).to include('-p,')
+  end
+
+  it "decrypt options" do
+    output = capture_stdout do
+      Envault::CLI.start(['help', 'decrypt'])
+    end
+    expect(output).to include('-s,')
+    expect(output).to include('-c,')
+    expect(output).to include('-p,')
+  end
+
+  after do
+  end
+end

data/spec/config/envault.yml

@@ -0,0 +1,35 @@
+a:
+  passphrase: 'p1'
+  sign_passphrase: 'sp1'
+  salt: 's1'
+  prefix: ENVAULT_
+
+a1:
+  sign_passphrase: 'sp1'
+  salt: 's1'
+  prefix: ENVAULT_
+
+a2:
+  passphrase: 'p1'
+  prefix: ENVAULT_
+
+a3:
+  passphrase: 'p1'
+  sign_passphrase: 'sp1'
+  prefix: ENVAULT_
+
+a4:
+  passphrase: 'p1'
+  salt: 's1'
+  prefix: ENVAULT_
+
+a5:
+  salt: 's1'
+  prefix: ENVAULT_
+
+b:
+  passphrase: 'p2'
+  sign_passphrase: 'sp2'
+  salt: 's2'
+  prefix: ENVAULT_
+

data/spec/core_spec.rb

@@ -0,0 +1,145 @@
+require 'spec_helper'
+require 'envault'
+
+describe Envault::Core do
+
+  before do
+    clear_env
+    @config_path = File.expand_path("../config/envault.yml", __FILE__)
+    @core = Core.new(config: @config_path, profile: 'a')
+    @envs = {
+      'USERNAME_A' => 'hogehoge',
+      'PASSWORD_A' => 'hogehoge',
+      'API_KEY_A' => 'fugafuga'
+    }
+    @encrypted = @core.encrypt_process(@envs, ['PASSWORD_A', 'API_KEY_A'])
+  end
+
+  it "core not nil" do
+    expect(@core).not_to eq(nil)
+  end
+
+  it "exist logger" do
+    expect(@core.logger).not_to eq(nil)
+  end
+
+  describe 'profile ok case' do
+    it "encrypt envs" do
+      expect(@encrypted.keys).to eq(['USERNAME_A', 'ENVAULT_PASSWORD_A', 'ENVAULT_API_KEY_A'])
+      expect(@encrypted['USERNAME_A']).to eq('hogehoge')
+      expect(@encrypted['ENVAULT_PASSWORD_A']).not_to eq('hogehoge')
+      expect(@encrypted['ENVAULT_API_KEY_A']).not_to eq('hogehoge')
+    end
+
+    it "decrypt envs" do
+      expect(@core.decrypt_process(@encrypted)).to include(@envs)
+    end
+
+    it "decrypt envs other instance" do    
+      other = Core.new(config: @config_path, profile: 'a')
+      expect(other.decrypt_process(@encrypted)).to include(@envs)
+    end
+  end
+
+  describe 'profile error case' do
+    it "cannot encrypt 1" do
+      other = Core.new(config: @config_path, profile: 'a1')
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageEncryptor::InvalidMessage)
+    end
+
+    it "cannot encrypt 2" do
+      other = Core.new(config: @config_path, profile: 'a2')
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageVerifier::InvalidSignature)
+    end
+
+    it "cannot encrypt 3 no salt" do
+      other = Core.new(config: @config_path, profile: 'a3')
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageVerifier::InvalidSignature)
+    end
+
+    it "cannot encrypt 4 different sign_passphrase" do
+      other = Core.new(config: @config_path, profile: 'a4')
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageVerifier::InvalidSignature)
+    end
+
+    it "cannot encrypt 5 different sign_passphrase" do
+      other = Core.new(config: @config_path, profile: 'a5')
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageVerifier::InvalidSignature)
+    end
+
+    it "cannot encrypt" do
+      other = Core.new(config: @config_path, profile: 'b')
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageVerifier::InvalidSignature)
+    end
+  end
+
+  describe 'environment variables' do
+    it "environment variables decrypt" do
+      ENV['ENVAULT_PASSPHRASE'] = 'p1'
+      ENV['ENVAULT_SIGN_PASSPHRASE'] = 'sp1'
+      ENV['ENVAULT_SALT'] = 's1'
+      ENV['ENVAULT_PREFIX'] = 'ENVAULT_'
+      other = Core.new
+      expect(other.decrypt_process(@encrypted)).to include(@envs)
+      clear_env
+    end
+
+    it "environment variables decrypt other prefix" do
+      ENV['ENVAULT_PASSPHRASE'] = 'p1'
+      ENV['ENVAULT_PREFIX'] = 'ENVAULT_OTHER_PREFIX_'
+      other = Core.new
+      decrypted = other.decrypt_process(@encrypted)
+      expect(@encrypted['USERNAME_A']).to eq('hogehoge')
+      expect(decrypted['ENVAULT_PASSWORD_A']).not_to eq('hogehoge')
+      expect(decrypted['ENVAULT_API_KEY_A']).not_to eq('fugafuga')
+      clear_env
+    end
+
+    it "environment variables cannot decrypt" do
+      ENV['ENVAULT_PASSPHRASE'] = 'p1'
+      ENV['ENVAULT_PREFIX'] = 'ENVAULT_'
+      other = Core.new
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageVerifier::InvalidSignature)
+      clear_env
+    end
+
+    it "environment variables cannot decrypt no salt" do
+      ENV['ENVAULT_PASSPHRASE'] = 'p1'
+      ENV['ENVAULT_SIGN_PASSPHRASE'] = 'sp1'
+      ENV['ENVAULT_PREFIX'] = 'ENVAULT_'
+      other = Core.new
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageVerifier::InvalidSignature)
+      clear_env
+    end
+
+    it "environment variables cannot decrypt no passphrase" do
+      ENV['ENVAULT_SIGN_PASSPHRASE'] = 'sp1'
+      ENV['ENVAULT_SALT'] = 's1'
+      ENV['ENVAULT_PREFIX'] = 'ENVAULT_'
+      other = Core.new
+      expect {
+        other.decrypt_process(@encrypted)
+      }.to raise_exception(ActiveSupport::MessageEncryptor::InvalidMessage)
+      clear_env
+    end
+  end
+
+  after do
+  end
+end

data/spec/envault_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'envault'
+
+describe Envault do
+  it "should have a VERSION constant" do
+    expect(subject.const_get('VERSION')).to_not be_empty
+  end
+end

data/spec/formatter_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+require 'envault'
+
+describe Envault do
+  it "escape_yaml" do
+    @envs = {
+      'USERNAME_A' => 'hogehoge',
+      'PASSWORD_A' => 'hogehoge',
+      'API_KEY_A' => 'fugafuga'
+    }
+
+    yaml = Formatter.escape_yaml(@envs)
+    expect(yaml).to eq("USERNAME_A: \"hogehoge\"\nPASSWORD_A: \"hogehoge\"\nAPI_KEY_A: \"fugafuga\"")
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,29 @@
+require 'rspec'
+require 'envault/version'
+
+include Envault
+
+def capture_stdout
+  out = StringIO.new
+  $stdout = out
+  yield
+  return out.string
+ensure
+  $stdout = STDOUT
+end
+
+def capture_stderr
+  out = StringIO.new
+  $stderr = out
+  yield
+  return out.string
+ensure
+  $stderr = STDERR
+end
+
+def clear_env
+  ENV['ENVAULT_PASSPHRASE'] = nil
+  ENV['ENVAULT_SIGN_PASSPHRASE'] = nil
+  ENV['ENVAULT_SALT'] = nil
+  ENV['ENVAULT_PREFIX'] = nil
+end

metadata

@@ -0,0 +1,221 @@
+--- !ruby/object:Gem::Specification
+name: envault
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- toyama0919
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-09-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: dotenv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.24.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.24.1
+- !ruby/object:Gem::Dependency
+  name: rubygems-tasks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+description: Encrypt secret information environment variables by yaml.
+email: toyama0919@gmail.com
+executables:
+- envault
+extensions: []
+extra_rdoc_files: []
+files:
+- ".document"
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- ".yardopts"
+- ChangeLog.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/envault
+- envault.gemspec
+- lib/envault.rb
+- lib/envault/cli.rb
+- lib/envault/constants.rb
+- lib/envault/core.rb
+- lib/envault/environment.rb
+- lib/envault/formatter.rb
+- lib/envault/version.rb
+- spec/cli_spec.rb
+- spec/config/envault.yml
+- spec/core_spec.rb
+- spec/envault_spec.rb
+- spec/formatter_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/toyama0919/envault
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.1'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Encrypt secret information environment variables by yaml.
+test_files:
+- spec/cli_spec.rb
+- spec/config/envault.yml
+- spec/core_spec.rb
+- spec/envault_spec.rb
+- spec/formatter_spec.rb
+- spec/spec_helper.rb