itamae-secrets 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: df379b9fa313eb7a3516694a0efc764d086d23cf
+  data.tar.gz: 08e47d784901105a67f80ac1b1340e61e8e6524a
+SHA512:
+  metadata.gz: bffd0e6a9b7def10679ef9783cbc908cc909e1cfa778463a31f3a25eec6afc630c270fc92445c2caa6dde0802df4529231211b46e07d708dcc2393d6fa86a446
+  data.tar.gz: 740a9e5f8bd2d130769b94a7399aad5769d9631a2b1cdb79a8a6e29dacbc9025027e48ce9c74f6613257d225436f522d8fefaef3034fbe851a6e4caec54cc7d9

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.3.0
+before_install: gem install bundler -v 1.10.5

data/CONTRIBUTING.md

@@ -0,0 +1 @@
+__Security issues?__ Send me directly at `security@sorah.jp`. My GPG key is available here: <http://sorah.jp/id.html> ([SSL](https://github.com/sorah/sorah.jp/tree/master/source/pgp-pubkeys))

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in itamae-secrets.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Shota Fukumori (sora_h)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,92 @@
+# Itamae::Secrets - Encrypted Data Bag for Itamae
+
+This is [itamae](https://github.com/itamae-kitchen/itamae) plugin that provides store for secrets, like encrypted data bag in chef.
+
+## Installation
+
+```ruby
+gem 'itamae-secrets'
+```
+
+or
+
+```
+$ gem install itamae-secrets
+```
+
+## Basic
+
+- `itamae-secrets` command for storing data or manually reading
+  - specify base directory to `--base` option
+  - you should exclude `${base}/keys` from checking into VCS. (`.gitignore` it!)
+
+## Walkthrough
+
+### Generate a key
+
+##### randomly
+
+```
+$ itamae-secrets newkey --base=./secret --method=aes-random
+```
+
+##### from passphrase
+
+```
+$ itamae-secrets newkey --base=./secret --method=aes-passphrase
+```
+
+Both generates `./secret/keys/default`. Make sure `./secret/keys` be excluded from VCS.
+
+### Store value
+
+```
+$ itamae-secrets set --base=./secret awesome_secret value
+```
+
+(when omit `value`, it'll read from STDIN until EOF. You can also use `--noecho` if you want hide value in your terminal's buffer completely.)
+
+### Reading data from itamae
+
+on your itamae recipe, do:
+
+``` ruby
+require 'itamae/secrets'
+node[:secrets] = Itamae::Secrets(File.join(__dir__, 'secrets'))
+
+# Use it
+p node[:secrets][:awesome_secret]
+```
+
+### Reading data fro CLI
+
+```
+$ itamae-secrets get --base=./secret awesome_secret
+```
+
+### Remembering `--base`
+
+```
+$ echo 'base: ./secret' >> .itamae-secrets.yml
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake rspec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/sorah/itamae-secrets.
+
+__Security issues?__ Send me directly at `security@sorah.jp`. My GPG key is available here: <http://sorah.jp/id.html> ([SSL](https://github.com/sorah/sorah.jp/tree/master/source/pgp-pubkeys))
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
+
+## To-dos
+
+- [ ] Missing test :(

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/itamae-secrets

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require 'itamae/secrets/cli'
+
+Itamae::Secrets::Cli.start

data/itamae-secrets.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'itamae/secrets/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "itamae-secrets"
+  spec.version       = Itamae::Secrets::VERSION
+  spec.authors       = ["Shota Fukumori (sora_h)"]
+  spec.email         = ["her@sorah.jp"]
+
+  spec.summary       = %q{Encrypted Data Bag for itamae}
+  spec.homepage      = "https://github.com/sorah/itamae-secrets"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "bin"
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'thor'
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+end

data/lib/itamae/secrets.rb

@@ -0,0 +1,12 @@
+require "itamae/secrets/version"
+require "itamae/secrets/store"
+
+module Itamae
+  def self.Secrets(*args)
+    Itamae::Secrets::Store.new *args
+  end
+
+  module Secrets
+  end
+
+end

data/lib/itamae/secrets/aes_key.rb

@@ -0,0 +1,63 @@
+require 'openssl'
+require 'json'
+
+module Itamae
+  module Secrets
+    class AesKey
+      AES1_KEY_LEN = OpenSSL::Cipher.new('aes-256-gcm').key_len
+
+      def self.key_len_for_type(type)
+        case type
+        when 'aes1'
+          AES1_KEY_LEN
+        else
+          raise ArgumentError, "unknown type #{type.inspect}"
+        end
+      end
+
+      def self.generate_random(name)
+        key_len = key_len_for_type('aes1')
+        new name, 'aes1', OpenSSL::Random.random_bytes(key_len)
+      end
+
+      def self.generate_pkcs5(name, passphrase)
+        key_len = key_len_for_type('aes1')
+
+        salt = OpenSSL::Digest::SHA256.digest(name)
+        key = OpenSSL::PKCS5.pbkdf2_hmac(passphrase, salt, 30000, key_len, OpenSSL::Digest::SHA256.new)
+
+        new name, 'aes1', key
+      end
+
+      def self.load_json(json)
+        data = JSON.parse(json)
+        new(data['name'], data['type'], data['key'].unpack('m*')[0])
+      end
+
+      def initialize(name, type, key)
+        raise ArgumentError, "name must not contain slashes, commas, backslackes" if name.include?("\\") || name.include?(?/) || name.include?(?:)
+        @name = name
+        @type = type
+        @key = key
+      end
+
+      attr_reader :name, :type, :key
+
+      def algorithm_compatible?(algorithm)
+        algorithm == 'aes-256-gcm'
+      end
+
+      def to_s
+        key
+      end
+
+      def to_json
+        {
+          name: name,
+          type: type,
+          key: [key].pack('m*'),
+        }.to_json
+      end
+    end
+  end
+end

data/lib/itamae/secrets/cli.rb

@@ -0,0 +1,120 @@
+require 'thor'
+require 'yaml'
+require 'pathname'
+
+require 'itamae/secrets/aes_key'
+require 'itamae/secrets/store'
+
+module Itamae
+  module Secrets
+    class Cli < Thor
+      class_option :base, type: :string, desc: 'path to base directory for storing secrets and keys'
+
+
+      desc 'newkey [KEYNAME]', 'generate then save key'
+      method_option :method, type: :string, required: true, desc: 'generating method (aes-file, aes-passphrase)'
+      method_option :confirm_passphrase, type: :boolean, default: true, desc: 'Confirm passphrase when asking'
+
+      def newkey(name='default')
+        if keychain.exist?(name)
+          raise ArgumentError, "key #{name} already exists"
+        end
+
+        key = case options[:method] || config['generate_method']
+        when 'aes-random'
+          AesKey.generate_random(name)
+        when 'aes-passphrase'
+          passphrase = ask_noecho('Passphrase:', true)
+          AesKey.generate_pkcs5(name, passphrase)
+        else
+          raise ArgumentError, "Unknown method: #{name.inspect}"
+        end
+
+        keychain.save(key)
+      end
+
+      desc 'set VARNAME [VALUE]', 'store value (when VALUE is omitted, read from STDIN)'
+      method_option :key, type: :string, default: 'default', desc: 'key name'
+      method_option :noecho, type: :boolean, desc: 'Ask one-line value with noecho when stdin is tty'
+      def set(name, value = nil)
+        value ||= if options[:noecho]
+                    ask_noecho("#{name}:", false)
+                  else
+                    $stdin.read.chomp
+                  end
+
+        store.store(name, value, options[:key])
+      end
+
+      desc 'get VARNAME', 'read value'
+      def get(name)
+        value = store[name]
+        if value
+          puts value
+        else
+          exit 1
+        end
+      end
+
+      private
+
+      def store
+        @store ||= Store.new base_dir
+      end
+
+      def keychain
+        store.keychain
+      end
+
+      def base_dir
+        unless config['base']
+          raise ArgumentError, 'Missing --base'
+        end
+        Pathname.new config['base']
+      end
+
+      def config
+        @config ||= config_file.merge(
+          'base' => config_file['base'] || options[:base],
+        )
+      end
+
+      def config_file
+        @config_file ||= if File.exist?('./.itamae-secrets.yml')
+          YAML.load_file('./.itamae-secrets.yml')
+        else
+          {}
+        end
+      end
+
+      def ask_noecho(prompt, confirm = true)
+        io_console = false
+        begin
+          require 'io/console'
+          io_console = true
+        rescue LoadError
+        end
+
+        get = -> do
+          if $stdin.tty?
+            $stdin.noecho { $stdin.gets.chomp }
+          else
+            $stdin.gets.chomp
+          end
+        end
+
+        loop do
+          $stdout.print "#{prompt} "
+          value = get.call
+
+          break value unless confirm
+
+          $stdout.print "(confirm) #{prompt} "
+          break value if value  == get.call
+
+          $stderr.puts "Confirmation didn't match..."
+        end
+      end
+    end
+  end
+end

data/lib/itamae/secrets/decryptor.rb

@@ -0,0 +1,77 @@
+require 'openssl'
+
+module Itamae
+  module Secrets
+    class Decryptor
+      ALGORITHM = 'aes-256-gcm'
+
+      def self.load_json(json, key = nil)
+        data = JSON.parse(json)
+
+        raise ArgumentError, "unknown version #{data['version'].inspect}" if data['version'] != 1
+        raise ArgumentError, "unknown version #{data['algorithm'].inspect}" if data['algorithm'] != ALGORITHM
+
+        new(
+          data['ciphertext'],
+          data['auth_tag'],
+          data['iv'],
+          data['key_name'],
+          key
+        )
+      end
+
+      def initialize(ciphertext, auth_tag, iv, key_name, key = nil)
+        ensure_algorithm_key_compatiblity!(key) if key
+        @ciphertext = ciphertext
+        @auth_tag = auth_tag
+        @iv = iv
+        @key_name = key_name
+        @key = key
+      end
+
+      attr_reader :ciphertext, :auth_tag, :iv, :key_name
+      attr_accessor :key
+
+      def key=(other)
+        raise "can't overwrite" if @key
+        ensure_algorithm_key_compatiblity!(other)
+        @key = other
+      end
+
+      def plaintext
+        @plaintext ||= begin
+          txt = cipher.update(ciphertext.unpack('m*')[0])
+          txt << cipher.final
+        end
+      end
+
+      def version
+        1
+      end
+
+      def algorithm
+        ALGORITHM
+      end
+
+      def cipher
+        @cipher ||= OpenSSL::Cipher.new(algorithm).tap do |c|
+          raise 'key is required to proceed' unless key
+          c.decrypt
+          c.key = key.to_s
+          c.iv = iv.unpack('m*')[0]
+          c.auth_data = ''
+          c.auth_tag = auth_tag.unpack('m*')[0]
+        end
+      end
+
+      private
+
+      def ensure_algorithm_key_compatiblity!(key)
+        unless key.algorithm_compatible?(algorithm)
+          raise ArgumentError, "#{key.type} is not compatible"
+        end
+      end
+    end
+  end
+end
+

data/lib/itamae/secrets/encryptor.rb

@@ -0,0 +1,86 @@
+require 'openssl'
+
+module Itamae
+  module Secrets
+    class Encryptor
+      ALGORITHM = 'aes-256-gcm'
+
+      def initialize(plaintext, key = nil, iv = nil)
+        ensure_algorithm_key_compatiblity!(key) if key
+        @key = key
+        @iv = iv
+        @plaintext = plaintext
+      end
+
+      attr_reader :key, :plaintext
+
+      def key=(other)
+        raise "can't overwrite" if @key
+        ensure_algorithm_key_compatiblity!(other)
+        @key = other
+      end
+
+      def to_s
+        {
+          version: version,
+          algorithm: algorithm,
+          key_name: key.name,
+          ciphertext: ciphertext,
+          iv: iv,
+          auth_tag: auth_tag,
+        }.to_json
+      end
+
+      alias data to_s
+
+      def ciphertext
+        @ciphertext ||= begin
+          data = cipher.update(plaintext)
+          data << cipher.final
+          @auth_tag = cipher.auth_tag
+          [data].pack('m*')
+        end
+      end
+
+      def iv
+        @iv && [@iv].pack('m*')
+      end
+
+      def auth_tag
+        if @auth_tag
+          [@auth_tag].pack('m*')
+        else
+          raise '[BUG] auth_tag not exists'
+        end
+      end
+
+      def version
+        1
+      end
+
+      def algorithm
+        ALGORITHM
+      end
+
+      def cipher
+        @cipher ||= OpenSSL::Cipher.new(algorithm).tap do |c|
+          raise 'key is required to proceed' unless key
+          c.encrypt
+          c.key = key.to_s
+          # XXX: avoid generate IV here, but consider if extract to a method like #iv, it have to know Cipher#iv_len...
+          @iv ||= c.random_iv
+          c.iv = @iv
+          c.auth_data = ''
+        end
+      end
+
+      private
+
+      def ensure_algorithm_key_compatiblity!(key)
+        unless key.algorithm_compatible?(algorithm)
+          raise ArgumentError, "#{key.type} is not compatible"
+        end
+      end
+    end
+  end
+end

data/lib/itamae/secrets/keychain.rb

@@ -0,0 +1,32 @@
+require 'pathname'
+require 'itamae/secrets/aes_key'
+
+module Itamae
+  module Secrets
+    class Keychain
+      class KeyNotFound < StandardError; end
+
+      def initialize(path)
+        @path = Pathname.new(path)
+      end
+
+      attr_reader :path
+
+      def exist?(name)
+        @path.join(name).exist?
+      end
+
+      def load(name)
+        AesKey.load_json @path.join(name).read
+      rescue File::ENOENT
+        raise KeyNotFound, "Couldn't find key #{name.inspect}"
+      end
+
+      def save(key)
+        open(@path.join(key.name), 'w', 0600) do |io|
+          io.puts key.to_json
+        end
+      end
+    end
+  end
+end

data/lib/itamae/secrets/store.rb

@@ -0,0 +1,81 @@
+require 'pathname'
+
+require 'itamae/secrets/keychain'
+require 'itamae/secrets/encryptor'
+require 'itamae/secrets/decryptor'
+
+module Itamae
+  module Secrets
+    class Store
+      def initialize(base_dir)
+        @base_dir = Pathname.new(base_dir)
+        ensure_base_dir!
+      end
+
+      attr_reader :base_dir
+
+      def keychain_path
+        base_dir.join('keys')
+      end
+
+      def values_path
+        base_dir.join('values')
+      end
+
+      def keychain
+        @keychain ||= Keychain.new(keychain_path)
+      end
+
+      def [](name)
+        name = name.to_s
+        validate_name!(name)
+
+        value_path = values_path.join(name)
+
+        if value_path.exist?
+          encrypted_data = Decryptor.load_json(value_path.read)
+          encrypted_data.key = keychain.load(encrypted_data.key_name)
+          JSON.parse(encrypted_data.plaintext)['value']
+        else
+          nil
+        end
+      end
+
+      def []=(*args)
+        case args.size
+        when 2
+          store(*args)
+        when 3
+          store(args[0], args[2], args[1])
+        else
+          raise ArgumentError, "wrong number of arguments (#{args.size} for 2..3)"
+        end
+      end
+
+      def store(name, value, key = 'default')
+        name = name.to_s
+        validate_name!(name)
+        value_path = values_path.join(name)
+
+        encrypted_data = Encryptor.new({value: value}.to_json, keychain.load(key))
+
+        open(value_path, 'w', 0600) do |io|
+          io.puts encrypted_data.to_s
+        end
+      end
+
+      private
+
+      def ensure_base_dir!
+        base_dir.mkpath
+        base_dir.join('keys').mkpath
+        base_dir.join('values').mkpath
+      end
+
+      def validate_name!(name)
+        # XXX: dupe
+        raise ArgumentError, "name must not contain slashes, commas, backslackes" if name.include?("\\") || name.include?(?/) || name.include?(?:)
+      end
+    end
+  end
+end

data/lib/itamae/secrets/version.rb

@@ -0,0 +1,5 @@
+module Itamae
+  module Secrets
+    VERSION = "0.1.0"
+  end
+end

data/script/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "itamae/secrets"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/script/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

metadata

@@ -0,0 +1,121 @@
+--- !ruby/object:Gem::Specification
+name: itamae-secrets
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Shota Fukumori (sora_h)
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-08-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- her@sorah.jp
+executables:
+- itamae-secrets
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/itamae-secrets
+- itamae-secrets.gemspec
+- lib/itamae/secrets.rb
+- lib/itamae/secrets/aes_key.rb
+- lib/itamae/secrets/cli.rb
+- lib/itamae/secrets/decryptor.rb
+- lib/itamae/secrets/encryptor.rb
+- lib/itamae/secrets/keychain.rb
+- lib/itamae/secrets/store.rb
+- lib/itamae/secrets/version.rb
+- script/console
+- script/setup
+homepage: https://github.com/sorah/itamae-secrets
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: Encrypted Data Bag for itamae
+test_files: []