hipchat-secrets 0.9.1

data/.gitignore

@@ -0,0 +1,2 @@
+Gemfile.lock
+tmp

data/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+
+gemspec

data/Guardfile

@@ -0,0 +1,15 @@
+# More info at https://github.com/guard/guard#readme
+interactor :off
+
+guard 'bundler' do
+  watch('Gemfile')
+  watch(%r{\.gemspec$})
+end
+
+guard 'rspec', :cli => '--drb' do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})                   { |m| "spec/lib/#{m[1]}_spec.rb" }
+
+  watch('spec/spec_helper.rb')                { "spec" }
+  watch(%r{^spec/support/(.+)\.rb$})          { "spec" }
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright © 2013 Jeremy Ebler
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/Readme.md

@@ -0,0 +1,66 @@
+hipchat-secrets
+===============
+
+Decode the weakly crypted password from the hipchat configuration file. The API allows decoding/encoding but the wrapper script only decodes passwords. See the specs, if you care.
+
+## Prerequsite: Find the HipChat Secret
+
+1. Discover Hipchat's Secret Hashing key. You're on your own for this.
+1. Put the secret in ~/.hipchat_secret or in your environment, HIPCHAT_SECRET
+1. …
+1. Profit!
+
+## Example Usage
+
+Automagical:
+
+```
+$ hipchat-secrets
+Analyzing HipChat config: /Users/xxx/Library/Preferences/com.hipchat.xxx/Local Store/hipchatConfig.json
+
+xxx@xxx.com's password is xxx
+```
+
+With non-standard config file location:
+
+```
+$ hipchat-secrets /some/other/file/that/was/a/hipchatConfig.json
+Analyzing HipChat config: /some/other/file/that/was/a/hipchatConfig.json
+
+xxx@xxx.com's password is xxx
+```
+
+With secret from environment:
+
+```
+$ HIPCHAT_SECRET=IFoundTheSecret hipchat-secrets
+```
+
+Windows:
+
+```
+> env HIPCHAT_SECRET=IFoundTheSecret hipchat-secrets
+```
+
+
+## Tested against
+
+- 1.8.7-p371
+- 1.9.2-p320
+- 1.9.3-p374
+- 2.0.0-rc1
+- jruby-1.7.0
+- jruby-1.7.2
+
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## Come on Atlassian
+
+Seriously. Your password _encryption_ is hardly better than plaintext. Use real encryption to protect secrets.

data/bin/hipchat-secrets

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+# hipchat-secrets.rb
+require 'rubygems'
+
+$:<< File.join(File.dirname(__FILE__), '../lib')
+require 'settings_file'
+require 'crypt'
+
+settings = HipChatSecrets::SettingsFile.new ARGV[0]
+
+puts  "Analyzing HipChat config: #{settings.config_file}",
+      nil,
+      "#{settings.email}'s password is #{HipChatSecrets::Crypt.decode settings.password}"

data/hipchat-secrets.gemspec

@@ -0,0 +1,28 @@
+# encoding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "hipchat-secrets"
+  gem.version       = HipChatSecrets::VERSION
+  gem.authors       = ["Jeremy Ebler"]
+  gem.email         = ["jebler@gmail.com"]
+  gem.description   = %q{Extract secrets from hipchat configuration files}
+  gem.summary       = %q{Decode the weakly crypted password from the hipchat configuration file. The API allows decoding/encoding—everything you need to discover the secret key!}
+  gem.homepage      = "https://github.com/whitehat101/hipchat-secrets"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^spec/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency 'json'
+  # gem.add_dependency 'base64'
+
+  gem.add_development_dependency 'spork'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'guard-rspec'
+  gem.add_development_dependency 'guard-bundler'
+  gem.add_development_dependency 'rb-fsevent', '~> 0.9.1'
+end

data/lib/crypt.rb

@@ -0,0 +1,51 @@
+# crypt.rb
+require 'base64'
+
+module HipChatSecrets
+  class Crypt
+
+    def self.encode str
+      Base64::encode64(xor str).strip
+    end
+
+    def self.decode str
+      xor Base64::decode64(str)
+    end
+
+    def self.xor input
+      input = input.unpack 'U*'
+      output = []
+
+      input.each_with_index do |num,index|
+        output << (num ^ secret[index%secret.length])
+      end
+
+      output.pack 'U*'
+    end
+
+    # You have to figure out the Secret on your own. Good luck!
+
+    def self.secret
+      return @@key if defined? @@key
+      key_file = File.expand_path('~/.hipchat_secret')
+
+      send 'secret=',
+        if ENV['HIPCHAT_SECRET']
+          ENV['HIPCHAT_SECRET']
+        elsif File.exists? key_file
+          File.open(key_file, 'r') {|f| f.read }
+        else
+          raise "Could not locate HipChat Secret Key in HIPCHAT_SECRET or #{key_file}"
+        end
+    end
+
+    def self.secret= key
+      @@key = key.strip.unpack 'U*'
+    end
+
+    def self.secret_str
+      secret.pack 'U*'
+    end
+
+  end
+end

data/lib/settings_file.rb

@@ -0,0 +1,59 @@
+# settings_file.rb
+require 'json'
+
+module HipChatSecrets
+  class SettingsFile
+    attr_reader :config_file, :config
+
+    def initialize setting_path=nil
+      configs = find_configs(setting_path)
+      raise "Could not locate any config files." if configs.length < 1
+      @config_file = configs.first
+      parse_config
+    end
+
+    # pass unknown method calls to the config object
+    def method_missing meth, *args, &block
+      if @config.include? meth.to_s
+        @config[meth.to_s]
+      else
+        super
+      end
+    end
+
+  private
+
+    def find_configs additional_path=nil
+      possible_configs = [
+        additional_path,
+        "~/Library/Preferences/com.hipchat.87969878BBF1203EC547B61E69990E8273C4626D.1/Local Store/hipchatConfig.json", # OS X
+        "~/.appdata/com.hipchat.87969878BBF1203EC547B61E69990E8273C4626D.1/Local Store/hipchatConfig.json",            # Linux
+        "~/AppData/Roaming/com.hipchat.87969878BBF1203EC547B61E69990E8273C4626D.1/Local Store/hipchatConfig.json",     # Win 7
+        # TODO: where does older windows stash this file? does anyone care?
+      ].compact.map {|path| File.expand_path path }
+
+      Dir[*possible_configs]
+    end
+
+    def parse_config
+      config_data = File.open(@config_file,'r') {|f| f.read }
+
+      begin
+        @config = JSON.parse config_data
+      rescue JSON::ParserError => e
+        raise e.exception("I cannot parse #{@config_file}! Is is a valid JSON hipchatConfig.json? (I doubt it!)")
+      end
+
+
+      # verify that config smells right
+      # ['firstLogin','email'].each do |key|
+      #   unless @config.include? key
+      #     puts %Q{I was expecting key '#{key}' in the config, but it's missing. Strange.}
+      #   end
+      # end
+
+      raise "The 'password' key is missing! I cannot continue." unless @config.include? 'password'
+    end
+
+  end
+end

data/lib/version.rb

@@ -0,0 +1,3 @@
+module HipChatSecrets
+  VERSION = "0.9.1"
+end

data/spec/fixtures/hipchatConfig.json

@@ -0,0 +1 @@
+{"55555":{"5555_room_one@conf.hipchat.com":{},"chatToFocus":"5555_room_two@conf.hipchat.com","5555_room_two@conf.hipchat.com":{},"autoJoin":[{"name":"room one","jid":"5555_room_one@conf.hipchat.com"},{"name":"room two","jid":"5555_room_two@conf.hipchat.com"},{"name":"Robert Paulson","jid":"5555_555555@chat.hipchat.com"}]},"enableSpellcheck":true,"email":"test@pass.com","rosterSorting":"alpha","checkForUpdate":true,"runOnStartup":false,"timeFormat24Hour":false,"enableLogging":false,"password":"DRh7OjodIAYxEyk5NQc/EnkYMQ==","secondsToIdle":300,"width":1127,"disableSounds":true,"showLog":false,"height":524,"autoLogin":true,"visualNotifications":false,"uploadServer":"uploads.hipchat.com","hidePresenceMessages":false,"notifyDnd":false,"enableEmoticons":true,"notifyForPrivateRoom":true,"hideGifs":false,"playIncomingCallSound":true,"notifyForRoom":false,"persistentToasters":false,"showTypingNotif":true,"x":285,"fontSize":12,"firstLogin":false,"y":314,"showToasters":true,"checkMinorUpdates":false,"enableNumberShortcuts":true,"macCRFix":false,"notifyForPrivate":true,"notifyForTag":true,"i18nKeyboardFix":false}

data/spec/fixtures/hipchatConfigBad.json

@@ -0,0 +1 @@
+{"55555":{"5555_room_one@conf.hipchat.com":{},"chatToFocus":"5555_room_two@conf.hipchat.com","5555_room_two@conf.hipchat.com":{},"autoJoin":[{"name":"room one","jid":"5555_room_one@conf.hipchat.com"},{"name":"room two","jid":"5555_room_two@conf.hipchat.com"},{"name":"Robert Paulson","jid":"5555_555555@chat.hipchat.com"}]},"enableSpellcheck":true,"rosterSorting":"alpha","checkForUpdate":true,"runOnStartup":false,"timeFormat24Hour":false,"enableLogging":false,"secondsToIdle":300,"width":1127,"disableSounds":true,"showLog":false,"height":524,"autoLogin":true,"visualNotifications":false,"uploadServer":"uploads.hipchat.com","hidePresenceMessages":false,"notifyDnd":false,"enableEmoticons":true,"notifyForPrivateRoom":true,"hideGifs":false,"playIncomingCallSound":true,"notifyForRoom":false,"persistentToasters":false,"showTypingNotif":true,"x":285,"fontSize":12,"firstLogin":false,"y":314,"showToasters":true,"checkMinorUpdates":false,"enableNumberShortcuts":true,"macCRFix":false,"notifyForPrivate":true,"notifyForTag":true,"i18nKeyboardFix":false}

data/spec/fixtures/hipchatConfigMalformed.json

@@ -0,0 +1 @@
+}}{}{}::

data/spec/lib/crypt_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+require 'crypt'
+
+describe HipChatSecrets::Crypt do
+  # The subject is static methods / don't create an object
+  subject { HipChatSecrets::Crypt }
+
+  before do
+    subject.secret = 'not the real secret'
+  end
+
+  it "tests with a phoney secret" do
+    subject.secret_str.should eq 'not the real secret'
+  end
+
+  it "xor of string => string" do
+    subject.xor('hello').should be_a_kind_of String
+  end
+
+  it "xor of xor of string => string" do
+    result = subject.xor(subject.xor 'hello')
+    result.should be_a_kind_of String
+    result.should eq 'hello'
+  end
+
+  it "decodes secrets" do
+    subject.decode('Hg4aRBUb').should eq 'pandas'
+  end
+
+  it "encodes secrets" do
+    subject.encode('pandas').should eq 'Hg4aRBUb'
+  end
+
+  it "is symmetric" do
+    subject.decode(subject.encode 'pandas').should eq 'pandas'
+  end
+
+  it "is symmetric even with long strings" do
+    str = 'Hello, I noticed that you are reading my code. Enjoy and happy hacking!'
+    subject.decode(subject.encode str*20).should eq str*20
+  end
+
+end

data/spec/lib/settings_file_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+require 'settings_file'
+
+describe HipChatSecrets::SettingsFile do
+
+  context "with a valid config" do
+
+    subject do
+      HipChatSecrets::SettingsFile.new File.join(File.dirname(__FILE__), '../fixtures/hipchatConfig.json')
+    end
+
+    it "uses the fixture config" do
+      subject.email.should eq 'test@pass.com'
+    end
+
+    it "can find a settings file" do
+      subject.send(:find_configs).should be_a_kind_of Array
+      subject.send(:find_configs,'~/a_file_that_shouldnt_exist').should be_a_kind_of Array
+    end
+
+    it "exposes the raw config" do
+      subject.config.should be_a_kind_of Hash
+    end
+
+    it "exposes the config_file's path" do
+      subject.config_file.should be_a_kind_of String
+    end
+
+    it "can pass missing method calls to the config hash" do
+      subject.email.should be_a_kind_of String
+      subject.password.should be_a_kind_of String
+    end
+  end
+
+  context "with an invalid config" do
+    subject do
+      HipChatSecrets::SettingsFile.new File.join(File.dirname(__FILE__), '../fixtures/hipchatConfigBad.json')
+    end
+
+    it "aborts when the password is missing" do
+      expect { subject }.to raise_error /'password' key is missing!/
+    end
+  end
+
+  context "with a malformed config" do
+    subject do
+      HipChatSecrets::SettingsFile.new File.join(File.dirname(__FILE__), '../fixtures/hipchatConfigMalformed.json')
+    end
+
+    it "aborts when the config is garbage" do
+      expect { subject }.to raise_error JSON::ParserError
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,16 @@
+require 'rubygems'
+require 'spork'
+
+Spork.prefork do
+  $:<< File.join(File.dirname(__FILE__), '../lib')
+  require 'rspec/autorun'
+
+  RSpec.configure do |config|
+    config.mock_with :rspec
+    config.order = "random"
+  end
+end
+
+Spork.each_run do
+  Dir[File.join(File.dirname(__FILE__), '../support/**/*.rb')].each {|f| require f }
+end

metadata

@@ -0,0 +1,136 @@
+--- !ruby/object:Gem::Specification
+name: hipchat-secrets
+version: !ruby/object:Gem::Version
+  version: 0.9.1
+  prerelease: 
+platform: ruby
+authors:
+- Jeremy Ebler
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-02-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: &70275614471580 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70275614471580
+- !ruby/object:Gem::Dependency
+  name: spork
+  requirement: &70275614470960 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70275614470960
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &70275614470200 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70275614470200
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: &70275614469660 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70275614469660
+- !ruby/object:Gem::Dependency
+  name: guard-bundler
+  requirement: &70275614468980 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70275614468980
+- !ruby/object:Gem::Dependency
+  name: rb-fsevent
+  requirement: &70275614467800 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: *70275614467800
+description: Extract secrets from hipchat configuration files
+email:
+- jebler@gmail.com
+executables:
+- hipchat-secrets
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Guardfile
+- LICENSE.txt
+- Rakefile
+- Readme.md
+- bin/hipchat-secrets
+- hipchat-secrets.gemspec
+- lib/crypt.rb
+- lib/settings_file.rb
+- lib/version.rb
+- spec/fixtures/hipchatConfig.json
+- spec/fixtures/hipchatConfigBad.json
+- spec/fixtures/hipchatConfigMalformed.json
+- spec/lib/crypt_spec.rb
+- spec/lib/settings_file_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/whitehat101/hipchat-secrets
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Decode the weakly crypted password from the hipchat configuration file. The
+  API allows decoding/encoding—everything you need to discover the secret key!
+test_files:
+- spec/fixtures/hipchatConfig.json
+- spec/fixtures/hipchatConfigBad.json
+- spec/fixtures/hipchatConfigMalformed.json
+- spec/lib/crypt_spec.rb
+- spec/lib/settings_file_spec.rb
+- spec/spec_helper.rb