keeper_secrets_manager 17.0.3 → 17.1.0

data/lib/keeper_secrets_manager/storage.rb

@@ -6,18 +6,18 @@ module KeeperSecretsManager
   module Storage
     # Base storage interface
     module KeyValueStorage
-      def get_string(key)
-        raise NotImplementedError, "Subclass must implement get_string"
+      def get_string(_key)
+        raise NotImplementedError, 'Subclass must implement get_string'
       end
 
-      def save_string(key, value)
-        raise NotImplementedError, "Subclass must implement save_string"
+      def save_string(_key, _value)
+        raise NotImplementedError, 'Subclass must implement save_string'
       end
 
       def get_bytes(key)
         data = get_string(key)
         return nil unless data
-        
+
         # Handle both standard and URL-safe base64
         begin
           # First try standard base64
@@ -28,7 +28,7 @@ module KeeperSecretsManager
             padding = 4 - (data.length % 4)
             padding = 0 if padding == 4
             Base64.urlsafe_decode64(data + '=' * padding)
-          rescue => e
+          rescue StandardError => e
             # Last resort - try with decode64 which is more lenient
             Base64.decode64(data)
           end
@@ -39,8 +39,8 @@ module KeeperSecretsManager
         save_string(key, Base64.strict_encode64(value))
       end
 
-      def delete(key)
-        raise NotImplementedError, "Subclass must implement delete"
+      def delete(_key)
+        raise NotImplementedError, 'Subclass must implement delete'
       end
 
       def contains?(key)
@@ -54,7 +54,7 @@ module KeeperSecretsManager
 
       def initialize(config_data = nil)
         @data = {}
-        
+
         # Initialize from JSON string, base64 string, or hash
         if config_data
           parsed = case config_data
@@ -70,7 +70,7 @@ module KeeperSecretsManager
                    else
                      {}
                    end
-          
+
           parsed.each { |k, v| @data[k.to_s] = v.to_s }
         end
       end
@@ -94,20 +94,20 @@ module KeeperSecretsManager
       def to_json(*args)
         @data.to_json(*args)
       end
-      
+
       private
-      
+
       def is_base64?(str)
         # Check if string is valid base64
         return false if str.nil? || str.empty?
-        
+
         # Remove whitespace
         str = str.strip
-        
+
         # Check if length is multiple of 4 (with padding) or can be padded to multiple of 4
         # Also check if it only contains base64 characters
-        base64_regex = /\A[A-Za-z0-9+\/]*={0,2}\z/
-        
+        base64_regex = %r{\A[A-Za-z0-9+/]*={0,2}\z}
+
         str.match?(base64_regex) && (str.length % 4 == 0 || str.length % 4 == 2 || str.length % 4 == 3)
       end
     end
@@ -143,11 +143,11 @@ module KeeperSecretsManager
           begin
             content = File.read(@filename)
             # Handle empty files
-            if content.strip.empty?
-              @data = {}
-            else
-              @data = JSON.parse(content)
-            end
+            @data = if content.strip.empty?
+                      {}
+                    else
+                      JSON.parse(content)
+                    end
           rescue JSON::ParserError => e
             raise Error, "Failed to parse config file: #{e.message}"
           end
@@ -157,19 +157,19 @@ module KeeperSecretsManager
       def save_data
         # Ensure directory exists
         FileUtils.mkdir_p(File.dirname(@filename))
-        
+
         # Write atomically to avoid corruption
         temp_file = "#{@filename}.tmp"
         File.open(temp_file, 'w') do |f|
           f.write(JSON.pretty_generate(@data))
         end
-        
+
         # Move atomically
         File.rename(temp_file, @filename)
-        
+
         # Set restrictive permissions (owner read/write only)
-        File.chmod(0600, @filename)
-      rescue => e
+        File.chmod(0o600, @filename)
+      rescue StandardError => e
         raise Error, "Failed to save config file: #{e.message}"
       end
     end
@@ -186,12 +186,12 @@ module KeeperSecretsManager
         ENV["#{@prefix}#{key.to_s.upcase}"]
       end
 
-      def save_string(key, value)
-        raise Error, "Environment storage is read-only"
+      def save_string(_key, _value)
+        raise Error, 'Environment storage is read-only'
       end
 
-      def delete(key)
-        raise Error, "Environment storage is read-only"
+      def delete(_key)
+        raise Error, 'Environment storage is read-only'
       end
     end
 
@@ -208,11 +208,9 @@ module KeeperSecretsManager
 
       def get_string(key)
         key_str = key.to_s
-        
+
         # Check cache validity
-        if @cache.key?(key_str) && !expired?(key_str)
-          return @cache[key_str]
-        end
+        return @cache[key_str] if @cache.key?(key_str) && !expired?(key_str)
 
         # Fetch from base storage
         value = @base_storage.get_string(key)
@@ -220,7 +218,7 @@ module KeeperSecretsManager
           @cache[key_str] = value
           @timestamps[key_str] = Time.now
         end
-        
+
         value
       end
 
@@ -247,8 +245,9 @@ module KeeperSecretsManager
 
       def expired?(key)
         return true unless @timestamps[key]
+
         Time.now - @timestamps[key] > @ttl_seconds
       end
     end
   end
-end
+end

data/lib/keeper_secrets_manager/totp.rb

@@ -12,7 +12,7 @@ module KeeperSecretsManager
       'SHA256' => OpenSSL::Digest::SHA256,
       'SHA512' => OpenSSL::Digest::SHA512
     }.freeze
-    
+
     # Generate a TOTP code
     # @param secret [String] Base32 encoded secret
     # @param time [Time] Time to generate code for (default: current time)
@@ -23,45 +23,45 @@ module KeeperSecretsManager
     def self.generate_code(secret, time: Time.now, algorithm: 'SHA1', digits: 6, period: 30)
       # Validate inputs
       raise ArgumentError, "Invalid algorithm: #{algorithm}" unless ALGORITHMS.key?(algorithm)
-      raise ArgumentError, "Digits must be 6 or 8" unless [6, 8].include?(digits)
-      raise ArgumentError, "Period must be positive" unless period.positive?
-      
+      raise ArgumentError, 'Digits must be 6 or 8' unless [6, 8].include?(digits)
+      raise ArgumentError, 'Period must be positive' unless period.positive?
+
       # Decode base32 secret
       key = Base32.decode(secret.upcase.tr(' ', ''))
-      
+
       # Calculate time counter
       counter = (time.to_i / period).floor
-      
+
       # Convert counter to 8-byte string (big-endian)
       counter_bytes = [counter].pack('Q>')
-      
+
       # Generate HMAC
       digest = ALGORITHMS[algorithm].new
       hmac = OpenSSL::HMAC.digest(digest, key, counter_bytes)
-      
+
       # Extract dynamic binary code
       offset = hmac[-1].ord & 0x0f
       code = (hmac[offset].ord & 0x7f) << 24 |
              (hmac[offset + 1].ord & 0xff) << 16 |
              (hmac[offset + 2].ord & 0xff) << 8 |
              (hmac[offset + 3].ord & 0xff)
-      
+
       # Generate final OTP value
-      otp = code % (10 ** digits)
-      
+      otp = code % (10**digits)
+
       # Pad with leading zeros if necessary
       otp.to_s.rjust(digits, '0')
     end
-    
+
     # Parse TOTP URL (otpauth://totp/...)
     # @param url [String] TOTP URL
     # @return [Hash] Parsed components
     def self.parse_url(url)
       uri = URI(url)
-      
-      raise ArgumentError, "Invalid TOTP URL scheme" unless uri.scheme == 'otpauth'
-      raise ArgumentError, "Invalid TOTP URL type" unless uri.host == 'totp'
-      
+
+      raise ArgumentError, 'Invalid TOTP URL scheme' unless uri.scheme == 'otpauth'
+      raise ArgumentError, 'Invalid TOTP URL type' unless uri.host == 'totp'
+
       # Extract label (issuer:account or just account)
       path = uri.path[1..-1] # Remove leading /
       if path.include?(':')
@@ -70,10 +70,10 @@ module KeeperSecretsManager
         account = path
         issuer = nil
       end
-      
+
       # Parse query parameters
       params = URI.decode_www_form(uri.query || '').to_h
-      
+
       {
         'account' => URI.decode_www_form_component(account || ''),
         'issuer' => issuer ? URI.decode_www_form_component(issuer) : params['issuer'],
@@ -83,7 +83,7 @@ module KeeperSecretsManager
         'period' => (params['period'] || '30').to_i
       }
     end
-    
+
     # Generate TOTP URL
     # @param account [String] Account name (e.g., email)
     # @param secret [String] Base32 encoded secret
@@ -94,20 +94,20 @@ module KeeperSecretsManager
     # @return [String] TOTP URL
     def self.generate_url(account, secret, issuer: nil, algorithm: 'SHA1', digits: 6, period: 30)
       label = issuer ? "#{issuer}:#{account}" : account
-      
+
       params = {
         'secret' => secret,
         'algorithm' => algorithm,
         'digits' => digits,
         'period' => period
       }
-      
+
       params['issuer'] = issuer if issuer
-      
+
       query = URI.encode_www_form(params)
       "otpauth://totp/#{URI.encode_www_form_component(label)}?#{query}"
     end
-    
+
     # Validate a TOTP code
     # @param secret [String] Base32 encoded secret
     # @param code [String] Code to validate
@@ -122,13 +122,13 @@ module KeeperSecretsManager
       (-window..window).each do |offset|
         test_time = time + (offset * period)
         test_code = generate_code(secret, time: test_time, algorithm: algorithm, digits: digits, period: period)
-        
+
         return true if test_code == code
       end
-      
+
       false
     end
-    
+
     # Generate a random secret suitable for TOTP
     # @param length [Integer] Number of bytes (default: 20 for 160 bits)
     # @return [String] Base32 encoded secret
@@ -137,4 +137,4 @@ module KeeperSecretsManager
       Base32.encode(random_bytes).delete('=')
     end
   end
-end
+end

data/lib/keeper_secrets_manager/utils.rb

@@ -67,6 +67,75 @@ module KeeperSecretsManager
         generate_random_bytes(16)
       end
 
+      # Generate a cryptographically secure random password
+      #
+      # @param length [Integer] Total password length (default: 64)
+      # @param lowercase [Integer] Minimum number of lowercase letters (default: 0)
+      # @param uppercase [Integer] Minimum number of uppercase letters (default: 0)
+      # @param digits [Integer] Minimum number of digit characters (default: 0)
+      # @param special_characters [Integer] Minimum number of special characters (default: 0)
+      # @return [String] Generated password
+      # @raise [ArgumentError] If parameters are invalid or minimums exceed length
+      #
+      # @example Generate a default 64-character password
+      #   password = KeeperSecretsManager::Utils.generate_password
+      #   # => "Xk9$mP2...64 chars total"
+      #
+      # @example Generate a 32-character password with specific requirements
+      #   password = KeeperSecretsManager::Utils.generate_password(
+      #     length: 32,
+      #     lowercase: 2,
+      #     uppercase: 2,
+      #     digits: 2,
+      #     special_characters: 2
+      #   )
+      #   # => "aB12$...32 chars with at least 2 of each type"
+      #
+      # @example Use with record update
+      #   record = secrets_manager.get_secrets(['RECORD_UID']).first
+      #   record.password = KeeperSecretsManager::Utils.generate_password(length: 20)
+      #   secrets_manager.update_secret(record)
+      def generate_password(length: 64, lowercase: 0, uppercase: 0, digits: 0, special_characters: 0)
+        # Validate inputs
+        raise ArgumentError, 'Length must be positive' if length <= 0
+        raise ArgumentError, 'Character counts must be non-negative' if [lowercase, uppercase, digits, special_characters].any?(&:negative?)
+
+        total_minimums = lowercase + uppercase + digits + special_characters
+        raise ArgumentError, "Sum of character minimums (#{total_minimums}) cannot exceed password length (#{length})" if total_minimums > length
+
+        # Character sets
+        lowercase_chars = 'abcdefghijklmnopqrstuvwxyz'
+        uppercase_chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+        digit_chars = '0123456789'
+        special_chars = '!@#$%^&*()_+-=[]{}|;:,.<>?'
+
+        # Build password character array
+        password_chars = []
+
+        # Add minimum required characters from each category
+        lowercase.times { password_chars << lowercase_chars[SecureRandom.random_number(lowercase_chars.length)] }
+        uppercase.times { password_chars << uppercase_chars[SecureRandom.random_number(uppercase_chars.length)] }
+        digits.times { password_chars << digit_chars[SecureRandom.random_number(digit_chars.length)] }
+        special_characters.times { password_chars << special_chars[SecureRandom.random_number(special_chars.length)] }
+
+        # Fill remaining length with random characters from all categories
+        remaining = length - total_minimums
+        all_chars = lowercase_chars + uppercase_chars + digit_chars + special_chars
+
+        remaining.times do
+          password_chars << all_chars[SecureRandom.random_number(all_chars.length)]
+        end
+
+        # Shuffle using Fisher-Yates algorithm with SecureRandom for cryptographic security
+        # This ensures minimum characters aren't clustered at the beginning
+        (password_chars.length - 1).downto(1) do |i|
+          j = SecureRandom.random_number(i + 1)
+          password_chars[i], password_chars[j] = password_chars[j], password_chars[i]
+        end
+
+        password_chars.join
+      end
+
       # Get current time in milliseconds
       def now_milliseconds
         (Time.now.to_f * 1000).to_i
@@ -75,7 +144,7 @@ module KeeperSecretsManager
       # Convert string to boolean
       def strtobool(val)
         return val if val.is_a?(TrueClass) || val.is_a?(FalseClass)
-        
+
         val_str = val.to_s.downcase.strip
         case val_str
         when 'true', '1', 'yes', 'y', 'on'
@@ -94,7 +163,7 @@ module KeeperSecretsManager
 
       # Deep merge hashes
       def deep_merge(hash1, hash2)
-        hash1.merge(hash2) do |key, old_val, new_val|
+        hash1.merge(hash2) do |_key, old_val, new_val|
           if old_val.is_a?(Hash) && new_val.is_a?(Hash)
             deep_merge(old_val, new_val)
           else
@@ -112,10 +181,9 @@ module KeeperSecretsManager
 
       # Convert snake_case to camelCase
       def snake_to_camel(str, capitalize_first = false)
-        result = str.split('_').map.with_index do |word, i|
+        str.split('_').map.with_index do |word, i|
           i == 0 && !capitalize_first ? word : word.capitalize
         end.join
-        result
       end
 
       # Safe integer conversion
@@ -135,10 +203,10 @@ module KeeperSecretsManager
       # Parse server URL from hostname
       def get_server_url(hostname, use_ssl = true)
         return nil if blank?(hostname)
-        
+
         # Remove protocol if present
         hostname = hostname.sub(%r{^https?://}, '')
-        
+
         # Build URL
         protocol = use_ssl ? 'https' : 'http'
         "#{protocol}://#{hostname}"
@@ -151,13 +219,13 @@ module KeeperSecretsManager
           parts = token_or_hostname.split(':')
           return parts[0].upcase if parts.length >= 2
         end
-        
+
         # Check if hostname matches a known region
         hostname = token_or_hostname.to_s.downcase
         KeeperGlobals::KEEPER_SERVERS.each do |region, server|
           return region if hostname.include?(server)
         end
-        
+
         # Default to US
         'US'
       end
@@ -165,12 +233,12 @@ module KeeperSecretsManager
       # Validate UID format
       def valid_uid?(uid)
         return false if blank?(uid)
-        
+
         # UIDs are base64url encoded 16-byte values
         begin
           bytes = url_safe_str_to_bytes(uid)
           bytes.length == 16
-        rescue
+        rescue StandardError
           false
         end
       end
@@ -180,17 +248,15 @@ module KeeperSecretsManager
         attempt = 0
         begin
           yield
-        rescue => e
+        rescue StandardError => e
           attempt += 1
-          if attempt >= max_attempts
-            raise e
-          end
-          
-          delay = [base_delay * (2 ** (attempt - 1)), max_delay].min
+          raise e if attempt >= max_attempts
+
+          delay = [base_delay * (2**(attempt - 1)), max_delay].min
           sleep(delay)
           retry
         end
       end
     end
   end
-end
+end

data/lib/keeper_secrets_manager/version.rb

@@ -1,3 +1,3 @@
 module KeeperSecretsManager
-  VERSION = '17.0.3'.freeze
-end
+  VERSION = '17.1.0'.freeze
+end

data/lib/keeper_secrets_manager.rb

@@ -24,15 +24,15 @@ module KeeperSecretsManager
   def self.new(options = {})
     Core::SecretsManager.new(options)
   end
-  
+
   # Convenience method to create from token
   def self.from_token(token, options = {})
     Core::SecretsManager.new(options.merge(token: token))
   end
-  
+
   # Convenience method to create from config file
   def self.from_file(filename, options = {})
     storage = Storage::FileStorage.new(filename)
     Core::SecretsManager.new(options.merge(config: storage))
   end
-end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keeper_secrets_manager
 version: !ruby/object:Gem::Version
-  version: 17.0.3
+  version: 17.1.0
 platform: ruby
 authors:
 - Keeper Security
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-06-25 00:00:00.000000000 Z
+date: 2025-11-06 00:00:00.000000000 Z
 dependencies: []
 description: Ruby SDK for Keeper Secrets Manager - A zero-knowledge platform for managing
   and protecting infrastructure secrets
@@ -25,17 +25,6 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- examples/basic_usage.rb
-- examples/config_string_example.rb
-- examples/debug_secrets.rb
-- examples/demo_list_secrets.rb
-- examples/download_files.rb
-- examples/flexible_records_example.rb
-- examples/folder_hierarchy_demo.rb
-- examples/full_demo.rb
-- examples/my_test_standalone.rb
-- examples/simple_test.rb
-- examples/storage_examples.rb
 - lib/keeper_secrets_manager.rb
 - lib/keeper_secrets_manager/config_keys.rb
 - lib/keeper_secrets_manager/core.rb
@@ -60,7 +49,7 @@ metadata:
   homepage_uri: https://github.com/Keeper-Security/secrets-manager
   source_code_uri: https://github.com/Keeper-Security/secrets-manager
   changelog_uri: https://github.com/Keeper-Security/secrets-manager/blob/master/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -68,15 +57,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.6.0
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: Keeper Secrets Manager SDK for Ruby
 test_files: []