invar 0.5.1 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7402299987dd129eaa1626ca46ea07f90fb15d8dec329a83ee8a33ea81974ee
-  data.tar.gz: b47b0b5678fc96626d36c796d26472ff384ef70630c208b49e5591dcb441806b
+  metadata.gz: 881d31e6095f54b8a1167b7e06324397dcd823098fa25846a49cbe085679ee81
+  data.tar.gz: c6c4732702207659323642ef6522c0bd4ba3b4fde7054c9f9eee7a3baa9e5cea
 SHA512:
-  metadata.gz: d2973d08e11198e26e528dc858344fac2ba78a92841fbe4448e37a251a86bf6d96855f28655ef9953732456f240454d9597c72aeb0d8d722d993c4f23abbeb15
-  data.tar.gz: e3671eaea2a99e28ec28a647d2dcd70b29980c073888248b091f5ddf02f9d6b57485b911029ae072b6408c3ae1af6982555fe111a6cf405f47092e476ab3dbb6
+  metadata.gz: 167260ced258a4792560570c395a17267f5ffe4b78ffda5b40804b018a6e1ee5697b1389fa5d631048ac9c62f89a2e988b038e3d02b9b214c9682447a0d01b2c
+  data.tar.gz: 2d49307b7c02060d112dbd8d703a21b13bc1d7b80836c24012680dd3c737c715a0784e3402cbcf341f481091584562e1e8be3fc519f503f67de6fdd41d9c7e43

data/.rubocop.yml

@@ -1,4 +1,4 @@
-inherit_from: ../.rubocop.yml
+inherit_from: ~/.config/rubocop/config.yml
 
 AllCops:
   Exclude:

data/README.md

@@ -148,32 +148,32 @@ next section), but tests may need to override some of those values.
 Call `#pretend` on the relevant selector:
 
 ```ruby
-# Your application require Invar as normal:
+# Your application uses Invar as normal:
 require 'invar'
 
 invar = Invar.new(namespace: 'my-app')
 
-# ... then, in your test suite:
+# ... but in your test suite, require the testing extension
 require 'invar/test'
 
-# Usually this would be in a test suite hook, 
-# like Cucumber's `BeforeAll` or RSpec's `before(:all)`
-invar[:config][:theme].pretend dark_mode: true
+# And override the values as needed. Usually this would be in a test
+# suite hook, like Cucumber's `BeforeAll` or RSpec's `before(:all)`
+invar[:config][:mysql].pretend database: 'myapp_test'
 ```
 
-Calling `#pretend` without requiring `invar/test` will raise an `ImmutableRealityError`.
+**Note**: Calling `#pretend` without requiring `invar/test` will raise an `ImmutableRealityError`.
 
 To override values immediately after the config files are read, use an `Invar.after_load` block:
 
 ```ruby
 Invar.after_load do |invar|
-   invar[:config][:database].pretend name: 'my_app_test'
+   invar[:config][:postgres].pretend database: 'my_app_test'
 end
 
 # This Invar will return database name 'my_app_test'
 invar = Invar.new(namespace: 'my-app')
 
-puts invar / :config / :database
+puts invar / :config / :postgres
 ```
 
 ### Rake Tasks
@@ -194,38 +194,36 @@ This will show you the XDG search locations.
 
     bundle exec rake invar:paths
 
-#### Create Config File
+#### Create Config and Secrets Files
 
-    bundle exec rake invar:create:configs
+To create a `config.yml` file and an encrypted `secrets.yml` file:
 
-If a config file already exists in any of the search path locations, it will yell at you.
+    bundle exec rake invar:init
 
-#### Edit Config File
-
-    bundle exec rake invar:edit:configs
-
-#### Create Secrets File
+It will also output to terminal the generated master key used to decrypt the secrets file. Save this key in a password
+manager. If you do not want it to be displayed (eg. you're in public), you can pipe STDOUT to a file:
 
-To create the config file, run this in a terminal:
+    bundle exec rake invar:init > master_key
 
-    bundle exec rake invar:create:secrets
+Then handle the `master_key` file as needed.
 
-It will print out the generated master key. Save it to a password manager.
+If either a pre-existing config or secrets file is found in any of the search path locations, it will yell at you with
+an `AmbiguousSourceError`.
 
-If you do not want it to be displayed (eg. you're in public), you can pipe it to a file:
+#### Edit Config File
 
-    bundle exec rake invar:create:secrets > master_key
+To open the file your system's default text editor (eg. nano):
 
-Then handle the `master_key` file as needed.
+    bundle exec rake invar:config
 
 #### Edit Secrets File
 
 To edit the secrets file, run this and provide the file's encryption key:
 
-    bundle exec rake invar:edit:secrets
+    bundle exec rake invar:secrets
 
-The file will be decrypted and opened in your default editor (eg. nano). Once you have exited the editor, it will be
-re-encrypted (remember to save, too!).
+The file will be decrypted and opened in your default editor like the config file. Once you have exited the editor, it
+will be re-encrypted. Remember to save your changes!
 
 ### Code
 

data/RELEASE_NOTES.md

@@ -19,6 +19,23 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 * none
 
+## [0.6.0] - 2023-05-21
+
+### Major Changes
+
+* Simplified rake task syntax
+    * Added `rake invar:init`
+    * Now use `rake invar:config` and `rake invar:secrets`to edit
+
+### Minor Changes
+
+* Loosened file permission restrictions to allow group access as well
+* Added file permissions checking to `config.yml` and `secrets.yml`
+
+### Bugfixes
+
+* none
+
 ## [0.5.1] - 2022-12-10
 
 ### Major Changes

data/lib/invar/file_locator.rb

@@ -2,6 +2,7 @@
 
 require 'invar/version'
 require 'invar/scope'
+require 'invar/private_file'
 
 require 'yaml'
 require 'lockbox'
@@ -50,7 +51,7 @@ module Invar
          freeze
       end
 
-      # Locates the file with the given same. You may optionally provide an extension as a second argument.
+      # Locates the file with the given name. You may optionally provide an extension as a second argument.
       #
       # These are equivalent:
       #    find('config.yml')
@@ -58,7 +59,7 @@ module Invar
       #
       # @param [String] basename The file's basename
       # @param [String] ext the file extension, excluding the dot.
-      # @return [Pathname] the path of the located file
+      # @return [PrivateFile] the path of the located file
       # @raise [AmbiguousSourceError] if the file is found in multiple locations
       # @raise [FileNotFoundError] if the file cannot be found
       def find(basename, ext = nil)
@@ -72,7 +73,7 @@ module Invar
             raise AmbiguousSourceError, "#{ msg } #{ AmbiguousSourceError::HINT }"
          end
 
-         files.first || raise(FileNotFoundError, "Could not find #{ basename }")
+         PrivateFile.new(files.first || raise(FileNotFoundError, "Could not find #{ basename }"))
       end
 
       # Raised when the file cannot be found in any of the XDG search locations.

data/lib/invar/private_file.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'invar/version'
+require 'invar/scope'
+
+require 'delegate'
+
+module Invar
+   # Verifies a file is secure
+   class PrivateFile #< SimpleDelegator
+      extend Forwardable
+      def_delegators :@delegate_sd_obj, :stat, :to_s, :basename, :==, :chmod
+
+      # Allowed permissions modes for lockfile. Readable or read-writable by the user or group only
+      ALLOWED_MODES = [0o600, 0o400, 0o060, 0o040].freeze
+
+      def initialize(file_path)
+         @delegate_sd_obj = file_path
+      end
+
+      def read(**args)
+         verify_permissions!
+
+         @delegate_sd_obj.read(**args)
+      end
+
+      def binread(**args)
+         verify_permissions!
+
+         @delegate_sd_obj.binread(**args)
+      end
+
+      # Raised when the file has improper permissions
+      class FilePermissionsError < RuntimeError
+      end
+
+      private
+
+      # Verifies the file has proper permissions
+      #
+      # @raise [FilePermissionsError] if the file has insecure permissions
+      def verify_permissions!
+         permissions_mask = 0o777 # only the lowest three digits are perms, so masking
+         # stat             = @delegate_sd_obj.stat
+         file_mode = stat.mode & permissions_mask
+         # TODO: use stat.world_readable? etc instead
+         return if ALLOWED_MODES.include? file_mode
+
+         msg = format("File '%<path>s' has improper permissions (%<mode>04o). %<hint>s",
+                      path: @delegate_sd_obj,
+                      mode: file_mode,
+                      hint: "Try: chmod 600 #{ @delegate_sd_obj }")
+
+         raise FilePermissionsError, msg
+      end
+   end
+end

data/lib/invar/rake/tasks.rb

@@ -22,6 +22,10 @@ module Invar
             ---
          YML
 
+         CREATE_SUGGESTION = <<~SUGGESTION
+            Maybe you used the wrong namespace or need to create the file with bundle exec rake invar:init?
+         SUGGESTION
+
          # Shorthand for Invar::Rake::Tasks.new.define
          #
          # @param (see #define)
@@ -44,51 +48,57 @@ module Invar
 
          def define_all_tasks(app_namespace)
             namespace :invar do
-               define_config_tasks(app_namespace)
-               define_secrets_tasks(app_namespace)
+               define_init_task(app_namespace)
+
+               define_config_task(app_namespace)
+               define_secrets_task(app_namespace)
 
                define_info_tasks(app_namespace)
             end
          end
 
-         def define_config_tasks(app_namespace)
-            namespace :configs do
-               desc 'Create a new configuration file'
-               task :create do
-                  ::Invar::Rake::Tasks::ConfigTask.new(app_namespace).create
+         def define_init_task(app_namespace)
+            desc 'Create new configuration and encrypted secrets files'
+            task :init, [:mode] do |_task, args|
+               mode = args.mode
+
+               config  = ::Invar::Rake::Tasks::ConfigTask.new(app_namespace)
+               secrets = ::Invar::Rake::Tasks::SecretTask.new(app_namespace)
+
+               case mode
+               when 'config'
+                  secrets = nil
+               when 'secrets'
+                  config = nil
+               else
+                  raise "unknown mode #{ mode }. Must be one of 'config' or 'secrets'" unless mode.nil?
                end
 
-               desc 'Edit the config in your default editor'
-               task :edit do
-                  ::Invar::Rake::Tasks::ConfigTask.new(app_namespace).edit
-               end
-            end
+               assert_init_conditions(config&.file_path, secrets&.file_path)
 
-            # alias
-            namespace :config do
-               task create: ['configs:create']
-               task edit: ['configs:edit']
+               config&.create
+               secrets&.create
             end
          end
 
-         def define_secrets_tasks(app_namespace)
-            namespace :secrets do
-               desc 'Create a new encrypted secrets file'
-               task :create do
-                  ::Invar::Rake::Tasks::SecretTask.new(app_namespace).create
-               end
-
-               desc 'Edit the encrypted secrets file in your default editor'
-               task :edit do
-                  ::Invar::Rake::Tasks::SecretTask.new(app_namespace).edit
-               end
+         def define_config_task(app_namespace)
+            desc 'Edit the config in your default editor'
+            task :configs do
+               ::Invar::Rake::Tasks::ConfigTask.new(app_namespace).edit
             end
 
             # alias
-            namespace :secret do
-               task create: ['secrets:create']
-               task edit: ['secrets:edit']
+            task config: ['configs']
+         end
+
+         def define_secrets_task(app_namespace)
+            desc 'Edit the encrypted secrets file in your default editor'
+            task :secrets do
+               ::Invar::Rake::Tasks::SecretTask.new(app_namespace).edit
             end
+
+            # alias
+            task secret: ['secrets']
          end
 
          def define_info_tasks(app_namespace)
@@ -98,32 +108,58 @@ module Invar
             end
          end
 
+         def assert_init_conditions(config_file, secrets_file)
+            return unless config_file&.exist? || secrets_file&.exist?
+
+            msg = if !config_file&.exist?
+                     <<~MSG
+                        Abort: Secrets file already exists (#{ secrets_file })
+                        Run this to init only the config file: bundle exec rake tasks invar:init[config]
+                     MSG
+                  elsif !secrets_file&.exist?
+                     <<~MSG
+                        Abort: Config file already exists (#{ config_file })
+                        Run this to init only the secrets file: bundle exec rake tasks invar:init[secrets]
+                     MSG
+                  else
+                     <<~MSG
+                        Abort: Files already exist (#{ config_file }, #{ secrets_file })
+                        Maybe you meant to edit the file using rake tasks invar:config or invar:secrets?
+                     MSG
+                  end
+
+            warn msg
+            exit 1
+         end
+
          # Tasks that use a namespace for file searching
          class NamespacedTask
             def initialize(namespace)
                @locator = FileLocator.new(namespace)
             end
+
+            def file_path
+               config_dir / filename
+            end
+
+            private
+
+            def config_dir
+               @locator.search_paths.first
+            end
          end
 
          # Configuration file actions.
          class ConfigTask < NamespacedTask
             # Creates a config file in the appropriate location
             def create
-               config_dir = @locator.search_paths.first
-               config_dir.mkpath
-
-               file = config_dir / 'config.yml'
-               if file.exist?
-                  warn <<~MSG
-                     Abort: File exists. (#{ file })
-                     Maybe you meant to edit the file with bundle exec rake invar:secrets:edit?
-                  MSG
-                  exit 1
-               end
+               raise 'File already exists' if file_path.exist?
 
-               file.write CONFIG_TEMPLATE
+               config_dir.mkpath
+               file_path.write CONFIG_TEMPLATE
+               file_path.chmod 0o600
 
-               warn "Created file: #{ file }"
+               warn "Created file: #{ file_path }"
             end
 
             # Edits the existing config file in the appropriate location
@@ -133,7 +169,7 @@ module Invar
                               rescue ::Invar::FileLocator::FileNotFoundError => e
                                  warn <<~ERR
                                     Abort: #{ e.message }. Searched in: #{ @locator.search_paths.join(', ') }
-                                    Maybe you used the wrong namespace or need to create the file with bundle exec rake invar:configs:create?
+                                    #{ CREATE_SUGGESTION }
                                  ERR
                                  exit 1
                               end
@@ -142,6 +178,12 @@ module Invar
 
                warn "File saved to: #{ configs_file }"
             end
+
+            private
+
+            def filename
+               'config.yml'
+            end
          end
 
          # Secrets file actions.
@@ -153,24 +195,13 @@ module Invar
 
             # Creates a new encrypted secrets file and prints the generated encryption key to STDOUT
             def create
-               config_dir = @locator.search_paths.first
-               config_dir.mkpath
-
-               file = config_dir / 'secrets.yml'
-
-               if file.exist?
-                  warn <<~ERR
-                     Abort: File exists. (#{ file })
-                     Maybe you meant to edit the file with bundle exec rake invar:secrets:edit?
-                  ERR
-                  exit 1
-               end
+               raise 'File already exists' if file_path.exist?
 
                encryption_key = Lockbox.generate_key
 
-               write_encrypted_file(file, encryption_key, SECRETS_TEMPLATE)
+               write_encrypted_file(file_path, encryption_key, SECRETS_TEMPLATE)
 
-               warn "Created file #{ file }"
+               warn "Created file: #{ file_path }"
 
                warn SECRETS_INSTRUCTIONS
                warn 'Generated key is:'
@@ -185,7 +216,7 @@ module Invar
                               rescue ::Invar::FileLocator::FileNotFoundError => e
                                  warn <<~ERR
                                     Abort: #{ e.message }. Searched in: #{ @locator.search_paths.join(', ') }
-                                    Maybe you used the wrong namespace or need to create the file with bundle exec rake invar:secrets:create?
+                                    #{ CREATE_SUGGESTION }
                                  ERR
                                  exit 1
                               end
@@ -197,13 +228,19 @@ module Invar
 
             private
 
+            def filename
+               'secrets.yml'
+            end
+
             def write_encrypted_file(file_path, encryption_key, content)
                lockbox = Lockbox.new(key: encryption_key)
 
                encrypted_data = lockbox.encrypt(content)
 
+               config_dir.mkpath
                # TODO: replace File.opens with photo_path.binwrite(uri.data) once FakeFS can handle it
                File.open(file_path.to_s, 'wb') { |f| f.write encrypted_data }
+               file_path.chmod 0o600
             end
 
             def edit_encrypted_file(file_path)
@@ -251,4 +288,3 @@ module Invar
       end
    end
 end
-

data/lib/invar/reality.rb

@@ -42,9 +42,6 @@ module Invar
    # @see Reality#after_load
    # @see Reality#pretend
    class Reality
-      # Allowed permissions modes for lockfile. Readable or read-writable by the current user only
-      ALLOWED_LOCKFILE_MODES = [0o600, 0o400].freeze
-
       # Name of the default key file to be searched for within config directories
       DEFAULT_KEY_FILE_NAME = 'master_key'
 
@@ -174,19 +171,6 @@ module Invar
       end
 
       def read_keyfile(key_file)
-         permissions_mask = 0o777 # only the lowest three digits are perms, so masking
-         stat             = key_file.stat
-         file_mode        = stat.mode & permissions_mask
-         # TODO: use stat.world_readable? etc instead
-         unless ALLOWED_LOCKFILE_MODES.include? file_mode
-            hint = "Try: chmod 600 #{ key_file }"
-            raise SecretsFileDecryptionError,
-                  format("File '%<path>s' has improper permissions (%<mode>04o). %<hint>s",
-                         path: key_file,
-                         mode: file_mode,
-                         hint: hint)
-         end
-
          key_file.read.strip
       end
 

data/lib/invar/version.rb

@@ -2,5 +2,5 @@
 
 module Invar
    # Current version of the gem
-   VERSION = '0.5.1'
+   VERSION = '0.6.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: invar
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.6.0
 platform: ruby
 authors:
 - Robin Miller
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-12-10 00:00:00.000000000 Z
+date: 2023-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-schema
@@ -144,6 +144,7 @@ files:
 - invar.gemspec
 - lib/invar.rb
 - lib/invar/file_locator.rb
+- lib/invar/private_file.rb
 - lib/invar/rake/tasks.rb
 - lib/invar/reality.rb
 - lib/invar/scope.rb