gpgenv 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 61dc67c1d292e3bc921f5f9b339242b837343618
+  data.tar.gz: f7c17f198c57e38a52f82adacea4553ad2d8ea4f
+SHA512:
+  metadata.gz: bf9163ff53362c7a6b6516ae7ec0b8278632070bf665199e965839a286bda5e27c14ccb1019fac4ae25a5a1d4ff3e9e1a81674777b3ed79860edfb2bf99a9898
+  data.tar.gz: c68b159231cab74e839b21de888e61294d9bc5c5d9e74b05b0010d0d4e92f00aea5fa54cf66d10ef896b7c5bf4785c124b342ad57ca9b0658f0ba09a46069435

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.gem

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,3 @@
+language: ruby
+rvm:
+  - 2.1.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in gpgenv.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,19 @@
+The MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,64 @@
+# Gpgenv
+
+## Wat?
+Gpgenv is similar to [envdir](http://cr.yp.to/daemontools/envdir.html), but it lets you use gpg-encrypted 
+files. This is very useful if you want to store sensitive credentials on your machine, but you want to 
+keep them encrypted. 
+
+Please note that this is *not meant to run services*, despite its similarity to 
+envdir: When you use it, you will be required to enter the passphrase to decrypt the gpg files. Robots and
+automated processes should not have this passphrase (otherwise, why encrypt at all?). The primary use case for this is to stop *you, personally*,
+from storing unencrypted, sensitive credentials on disk (like in your .netrc file, your ~/.aws/credentials file, etc), but to still make it
+easy for you to actually use these sensitive credentials.
+
+Also note that gpgenv will ask you to decrypt files *repeatedly* unless you have `gpg-agent` configured, which will make it borderline unusable.
+
+Gpgenv plays very nicely with [pass](http://www.passwordstore.org/). For example:
+
+```bash
+# Set up a shortcut to your passwordstore home directory
+export GPGENV_HOME=$HOME/.password-store
+
+# Insert your oauth token into your password store:
+pass insert myservice/OAUTH_TOKEN
+
+# Use gpgenv to spawn a bash session:
+gpgenv $GPGENV_HOME/myservice bash
+
+# From the new bash session, use your oauth token to hit the service:
+curl https://$user:$OAUTH_TOKEN@myservice.com/get_some_data
+```
+
+## Why?
+As an admin, I am guilty of occasionally storing sensitive credentials on disk. Personal experience leads me to believe that this is
+extremely common. Your .netrc file probably contains all sorts of sensitive data, and even if you use a gpg-encrypted .netrc file, many tools
+simply don't understand gpg. Storing this stuff in plaintext is dangerous - but you do it anyway because the alternatives are just too painful.
+
+I love [pass](http://www.passwordstore.org/), because it makes it easy to store passwords encrypted. But it doesn't make it easy to *use* them
+(tbh, that isn't its job). I wrote `gpgenv` to bridge that gap, and make it easy for me to never store sensitive information in an unencrypted format 
+on my own machine. I hope that you find it useful as well, and you use it to stop yourself from committing security sins.
+
+## Installation
+```gem install gpgenv```
+
+## Usage
+
+### Spawn a child process
+Gpgenv can spawn a child process that inherits environment variables like so:
+```bash
+gpgenv /some/dir /some/other/dir "process_to_run argument1 argument2"
+```
+
+### Export environment variables
+Gpgenv can export environment variables in your current shell session, like so:
+```bash
+eval `gpgshell /some/dir /some/other/dir`
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/gpgenv/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/gpgenv

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+require 'gpgenv/exec_command'
+begin
+  Gpgenv::ExecCommand.new(ARGV).run
+rescue StandardError => bang
+  raise if ENV['DEBUG'] == 'true'
+  puts bang.message
+  exit 1
+end
+
+
+

data/bin/gpgshell

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+require 'gpgenv/shell_command'
+begin
+  Gpgenv::ShellCommand.new(ARGV).run
+rescue StandardError => bang
+  raise if ENV['DEBUG'] == 'true'
+  puts bang.message
+  exit 1
+end

data/gpgenv.gemspec

@@ -0,0 +1,33 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'gpgenv/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "gpgenv"
+  spec.version       = Gpgenv::VERSION
+  spec.authors       = ["Michael Shea"]
+  spec.email         = ["michael.shea@heroku.com"]
+
+  spec.summary       = %q{Read environment variables from gpg-encrypted files}
+  spec.description   = %q{Plays nicely with passwordstore.org}
+  spec.homepage      = "https://github.com/heroku/gpgenv"
+
+  # Prevent pushing this gem to RubyGems.org by setting 'allowed_push_host', or
+  # delete this section to allow pushing this gem to any host.
+  if spec.respond_to?(:metadata)
+    spec.metadata['allowed_push_host'] = "https://rubygems.org"
+  else
+    raise "RubyGems 2.0 or newer is required to protect against public gem pushes."
+  end
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "bin"
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.9"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "simplecov"
+end

data/lib/gpgenv/config.rb

@@ -0,0 +1,7 @@
+module Gpgenv
+  module Config
+    def self.gpgenv_home
+      ENV['GPGENV_HOME'] 
+    end
+  end  
+end

data/lib/gpgenv/error.rb

@@ -0,0 +1,4 @@
+module Gpgenv
+  class Error < StandardError
+  end
+end

data/lib/gpgenv/exec_command.rb

@@ -0,0 +1,22 @@
+require 'gpgenv'
+
+module Gpgenv
+  class ExecCommand
+
+    attr_reader :args
+
+    def initialize(args)
+      @args = args
+    end
+
+    def run
+      fail("Usage: gpgenv dir1 dir2 dir3 ... command") unless args.size >= 2
+      directories = args[0..-2]
+      cmd = args.last
+      hash = Gpgenv.read_files(directories)
+      hash.each{ |k,v| ENV[k]=v }
+      exec cmd
+    end
+
+  end
+end

data/lib/gpgenv/shell_command.rb

@@ -0,0 +1,22 @@
+require 'gpgenv'
+require 'shellwords'
+
+module Gpgenv
+  class ShellCommand 
+
+    attr_reader :args
+
+    def initialize(args)
+      @args = args
+    end
+
+    def run
+      fail("Usage: gpgshell dir1 dir2 ...") unless args.size >= 1
+      hash = Gpgenv.read_files(args)
+      hash.each do |k, v|
+        puts "export #{k}=#{Shellwords.escape(v)}"
+      end
+    end
+
+  end
+end

data/lib/gpgenv/version.rb

@@ -0,0 +1,3 @@
+module Gpgenv
+  VERSION = "0.1.0"
+end

data/lib/gpgenv.rb

@@ -0,0 +1,47 @@
+require "gpgenv/version"
+require 'gpgenv/config'
+require 'gpgenv/error'
+
+module Gpgenv
+  def self.read_files(directories)
+
+    # Prefix relative paths that don't exist with gpgenv_home directory, if it is set.
+    if Config.gpgenv_home
+      directories = directories.map do |d|
+        if File.directory?(d)
+          d
+        else
+          gpgenv_dir = "#{Config.gpgenv_home}/#{d}"
+          if File.directory?(gpgenv_dir)
+            gpgenv_dir 
+          else
+            d
+          end
+        end
+      end
+    end
+
+    # Validate existence of directories
+    directories.each do |d|
+      raise Error.new("#{d} does not exist.") unless File.exists?(d)
+      raise Error.new("#{d} is not a directory.") unless File.directory?(d)
+    end
+
+    hash = {}
+    directories.each do |dir|
+      Dir.glob("#{dir}/*").reject{|f| File.directory? f }.each do |f|
+        ext = File.extname(f)
+        var = File.basename(f, ext)
+        if ext == '.gpg' 
+          data = `gpg --batch --quiet --decrypt #{f}`
+          raise Error.new("Decrypting #{f} failed.") unless $?.success?
+        else
+          data = File.read(f)
+        end
+        hash[var] = data.rstrip
+      end
+    end
+
+    hash
+  end
+end

metadata

@@ -0,0 +1,118 @@
+--- !ruby/object:Gem::Specification
+name: gpgenv
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Michael Shea
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-11-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Plays nicely with passwordstore.org
+email:
+- michael.shea@heroku.com
+executables:
+- gpgenv
+- gpgshell
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/gpgenv
+- bin/gpgshell
+- gpgenv.gemspec
+- lib/gpgenv.rb
+- lib/gpgenv/config.rb
+- lib/gpgenv/error.rb
+- lib/gpgenv/exec_command.rb
+- lib/gpgenv/shell_command.rb
+- lib/gpgenv/version.rb
+homepage: https://github.com/heroku/gpgenv
+licenses: []
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Read environment variables from gpg-encrypted files
+test_files: []