knife-briefcase 0.0.1

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    MjI5YTE4YzQ3OTk0ZTA2MjA5OGFhMTFkODJmNTAxYzk0ZWUwMTY2MA==
+  data.tar.gz: !binary |-
+    YTVmMGZiMGRkYTAwYjg1NzBjNzhiZGFhYmFjNmE5ZmE1NDc2ODk2Yw==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    NDRkMmJkMWFlNDFjM2Q3YzcyNGQ5MGUyZDA2MDYxNzU0MDg0ZDVjNDhiNzM1
+    YTU2OWRmNDMyMThhOGQzMTgzYTA4NTMzMzE0MTlhOWM4OWJiZDBjNDRjYmUz
+    YTg5YjJjZDA0OGQ1NDJjZmUwZjgzYWRhZmM3YTdmZmM2MGE1YWU=
+  data.tar.gz: !binary |-
+    MDE5Zjk0Y2ZiNWZmMTY4MjNhZGM1NWM0YzI4MjFkY2M4OTdlZjVhZDgwYmEy
+    NmY1YWVjYzdlNTBmY2Q2ZmMxM2ZlNDM1MWE5MjQ0MDMyZDYyOGI3MWRiNjYx
+    NzdmYjU0NGY3MDZhODY5OGVlZjQ4Yzk2MzRmYTlhODY4ODY1NTI=

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+*~
+.*.swp
+.DS_Store
+/.bundle
+/.config
+/.yardoc
+/Gemfile.lock
+/InstalledFiles
+/coverage
+/doc/public
+/lib/bundler/man
+/pkg
+/spec/reports
+/tmp
+/vendor/cache

data/.travis.yml

@@ -0,0 +1,13 @@
+---
+bundler_args: --without development_workstation
+script: bundle exec thor spec:ci
+rvm:
+- 1.9.3
+- 2.0.0
+notifications:
+  hipchat:
+    secure: ! 'f83Ygzt9/IIABIe7W0lVEifCw7PIbrHiqQt/JTAawb0G10NgG2Svui9+fMj2
+
+      Byz4WPy0L4wOQ6YS8rV4Tv7tKjioSpUfkXClDlCLG0rFUEh4i/EsWVV+8NJ7
+
+      9ju8aksblSo22OaFGd8ufUPYEhMY/05m/wAVAyxtVqZGANXrPYc='

data/CHANGELOG.md

@@ -0,0 +1,6 @@
+# Changes
+
+## 0.0.1
+
+ * Initial release
+ * Created on Monday, 2013-06-17

data/CONTRIBUTING.md

@@ -0,0 +1,43 @@
+# Contributing
+
+## Developing
+
+1. Fork the repository on GitHub
+2. Create your feature branch (`git checkout -b feature/awesomeness`)
+3. Create your changes.
+   * Add test cases in `spec/`. It's best if you first write a failing
+     test case, commit it, and then fix it in next commit - this makes
+     the whole change easier to review.
+   * Document your changes.
+4. Commit your changes (`git commit -am 'Add more awesomeness'`)
+5. Push to the branch (`git push -u origin feature/awesomeness`)
+6. Create new Pull Request on GitHub
+
+## Testing
+
+### Install what's needed
+
+Make sure you have [http://gembundler.com/](Gem Bundler) version 1.3
+or greater installed.  If in doubt, just use [http://rvm.io/](RVM) or
+[http://rbenv.org/](rbenv).
+
+    $ gem install bundler
+
+Clone the project:
+
+    $ git clone git://github.com/3ofcoins/knife-briefcase.git
+
+Then, run:
+
+    $ cd knife-briefcase
+    $ bundle install
+    
+Bundler will install all the needed gems and their dependencies.
+
+### Running tests
+
+    $ bundle exec thor spec
+    
+To generate test coverage report, tell it to Thor
+    
+    $ bundle exec thor spec --coverage

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# Helpers used with development, but not needed in runtime, build
+# time, or for tests.
+group :development_workstation do
+  gem 'awesome_print'
+  gem 'pry'
+  gem 'pry-debugger'
+  gem 'pry-rescue'
+  gem 'pry-stack_explorer'
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Maciej Pasternacki <maciej@3ofcoins.net>
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,83 @@
+# Knife Briefcase
+
+This gem is [Knife](http://docs.opscode.com/knife.html) plugin for
+[Opscode Chef](http://www.opscode.com/chef/) that stores GPG-encrypted
+content for people in chef server's data bag.
+
+Its intended use is to share infrastructure-related secrets (such as
+encrypted data bag secret files, SSL private keys, passwords, etc.)
+among the infrastructure team.
+
+This may or may not work nicely with
+[git-annex](http://git-annex.branchable.com/) via
+[_hook_ special remote](http://git-annex.branchable.com/special_remotes/hook/).
+
+## Installation
+
+Add this line to your Chef repository's Gemfile:
+
+    gem 'knife-briefcase', :git => 'git://github.com/3ofcoins/knife-briefcase/'
+
+Or install it yourself:
+
+    $ gem build knife-briefcase.gemspec
+    $ gem install knife-briefcase*.gem
+
+## Usage
+
+`knife briefcase put NAME [FILE]` -- encrypts and signs named `FILE`
+or stdin, and saves it in the data bag with ID `NAME`.
+
+`knife briefcase get NAME [FILE]` -- gets `NAME` from the data bag,
+checks signature, decrypts, and shows the contents on standard output,
+or saves it to `FILE` if provided.
+
+`knife briefcase list` -- lists encrypted items in the data bag.
+
+`knife briefcase delete NAME [NAME [...]]` -- deletes listed `NAME`s
+from the data bag.
+
+> **TODO: it may be good to refuse to delete files that the user is
+> unable to encrypt.** User is able to delete them anyway, using
+> `knife data bag delete`, but it shouldn't be allowed via `knife
+> briefcase` command.
+
+`knife briefcase reload [NAME [NAME [...]]]` -- downloads and decrypts
+listed items, re-encrypts and re-signs them, and saves the
+re-encrypted content back. If no names are provided, all the items are
+re-encrypted. This should be called when briefcase holders list is
+changed, to allow added user to decrypt bag - or to prevent further
+access by removed user.
+
+## Configuration
+
+Following `knife.rb` settings are used:
+
+ - `briefcase_holders` -- array of e-mail addresses that will be GPG
+   recipients of the data
+ - `briefcase_signers` -- e-mail address (or array of e-mail
+   addresses) that will be used to sign encrypted content
+ - `briefcase_data_bag` -- name of the data bag that will be used by
+   default to hold encrypted content. If not provided, `briefcase`
+   data bag will be used. The data bag name can be overriden on
+   command line.
+
+### Example configuration
+
+```ruby
+briefcase_signers `git config --get user.email`.strip
+briefcase_holders [
+  'alice@myproject.com',
+  'bob@myproject.com',
+  'claire@myproject.com',
+  'dave@myproject.com',
+  'erin@myproject.com' ]
+```
+
+## Contributing
+
+See the [CONTRIBUTING.md](CONTRIBUTING.md) file
+
+------------------------------------------------------------------------------
+
+[![Build Status](https://travis-ci.org/3ofcoins/knife-briefcase.png?branch=master)](https://travis-ci.org/3ofcoins/knife-briefcase)

data/Thorfile

@@ -0,0 +1,60 @@
+$:.push File.expand_path('../lib', __FILE__)
+require 'rubygems'
+
+require 'bundler/setup'
+
+require 'rake/testtask'
+require 'thor/rake_compat'
+
+class Default < Thor
+  class Gem < Thor
+    namespace :gem
+
+    include Thor::RakeCompat
+    Bundler::GemHelper.install_tasks
+
+    desc "build", "Build knife-briefcase-#{KnifeBriefcase::VERSION}.gem into the pkg directory"
+    def build
+      Rake::Task["build"].execute
+    end
+
+    desc "release", "Create tag v#{KnifeBriefcase::VERSION} and build and push knife-briefcase-#{KnifeBriefcase::VERSION}.gem to Rubygems"
+    def release
+      Rake::Task["release"].execute
+    end
+
+    desc "install", "Build and install knife-briefcase-#{KnifeBriefcase::VERSION}.gem into system gems"
+    def install
+      Rake::Task["install"].execute
+    end
+  end
+
+  class Test < Thor
+    namespace :test
+    default_command :all
+
+    include Thor::RakeCompat
+
+    Rake::TestTask.new :spec do |task|
+      task.libs << 'spec'
+      task.test_files = FileList['spec/**/*_spec.rb']
+    end
+
+    desc 'spec', 'Run specs'
+    def spec
+      Rake::Task['spec'].execute
+    end
+
+    desc 'all', 'Run all tests'
+    def all
+      invoke(:spec)
+    end
+
+    desc 'ci', 'Run all tests for continuous integration'
+    def ci
+      ENV['CI'] = 'true'
+      invoke(:all)
+    end
+  end
+end
+

data/knife-briefcase.gemspec

@@ -0,0 +1,32 @@
+# -*- mode: ruby; coding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'knife-briefcase/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "knife-briefcase"
+  spec.version       = KnifeBriefcase::VERSION
+  spec.authors       = ["Maciej Pasternacki"]
+  spec.email         = ["maciej@pasternacki.net"]
+  spec.description   = 'Knife plugin to store GPG-encrypted data in Chef data bag'
+  spec.summary       = spec.description
+  spec.homepage      = "https://github.com/3ofcoins/knife-briefcase/"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "chef"
+  spec.add_dependency "gpgme"
+  spec.add_dependency "highline"
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "chef-zero"
+  spec.add_development_dependency "minitest"
+  spec.add_development_dependency "mocha"
+  spec.add_development_dependency "ridley"
+  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "thor", "~> 0.18.1"
+  spec.add_development_dependency "wrong", ">= 0.7.0"
+end

data/lib/chef/knife/briefcase_delete.rb

@@ -0,0 +1,14 @@
+require 'knife-briefcase/knife'
+
+class Chef::Knife::BriefcaseDelete < Chef::Knife
+  include KnifeBriefcase::Knife
+  banner "knife briefcase delete NAME [NAME [...]]"
+
+  def run
+    @name_args.each do |item_name|
+      delete_object(Chef::DataBagItem, item_name, 'briefcase_item') do
+        rest.delete_rest("data/#{data_bag_name}/#{item_name}")
+      end
+    end
+  end
+end

data/lib/chef/knife/briefcase_get.rb

@@ -0,0 +1,34 @@
+require 'knife-briefcase/knife'
+
+class Chef::Knife::BriefcaseGet < Chef::Knife
+  include KnifeBriefcase::Knife
+  banner "knife briefcase get NAME [FILE]"
+
+  def run
+    encrypted = Chef::DataBagItem.load(data_bag_name, @name_args[0]).
+      raw_data['content']
+
+    begin
+      crypto.verify(GPGME::Data.from_str(encrypted)) do |sig|
+        if sig.valid?
+          Chef::Log.info(sig.to_s)
+        else
+          Chef::Log.error(sig.to_s)
+          exit 1                  # TODO: --force
+        end
+      end
+    rescue
+      Chef::Log.error("Cannot verify signature: #{$!}")
+      exit 1
+    end
+
+    if file
+      crypto.decrypt(GPGME::Data.from_str(encrypted), :output => File.open(file, 'w+'))
+    else
+      stdout.write(crypto.decrypt(GPGME::Data.from_str(encrypted)))
+    end
+  rescue GPGME::Error::DecryptFailed
+    Chef::Log.fatal("Decryption failed")
+    exit 1
+  end
+end

data/lib/chef/knife/briefcase_list.rb

@@ -0,0 +1,10 @@
+require 'knife-briefcase/knife'
+
+class Chef::Knife::BriefcaseList < Chef::Knife
+  include KnifeBriefcase::Knife
+  banner "knife briefcase list"
+
+  def run
+    output(format_list_for_display(Chef::DataBag.load(data_bag_name)))
+  end
+end

data/lib/chef/knife/briefcase_put.rb

@@ -0,0 +1,32 @@
+require 'knife-briefcase/knife'
+
+class Chef::Knife::BriefcasePut < Chef::Knife
+  include KnifeBriefcase::Knife
+  banner "knife briefcase put NAME [FILE]"
+
+  def run
+    encrypted = crypto.encrypt( GPGME::Data.from_io(file ? File.open(file) : stdin),
+      :recipients => recipients,
+      :sign => !!signers,
+      :signers => signers,
+      :always_trust => true)
+
+    begin
+      rest.post_rest("data", { "name" => data_bag_name })
+      ui.info("Created data_bag[#{data_bag_name}]")
+    rescue Net::HTTPServerException => e
+      raise unless e.to_s =~ /^409/
+      ui.info("data_bag[#{data_bag_name}] already exists")
+    end
+
+    item = Chef::DataBagItem.from_hash(
+      'id' => item_name, 'content' => encrypted.to_s )
+    item.data_bag(data_bag_name)
+    begin
+      rest.post_rest("data/#{data_bag_name}", item)
+    rescue Net::HTTPServerException => e
+      raise unless e.to_s =~ /^409/
+      rest.put_rest("data/#{data_bag_name}/#{item_name}", item)
+    end
+  end
+end

data/lib/chef/knife/briefcase_reload.rb

@@ -0,0 +1,45 @@
+require 'knife-briefcase/knife'
+
+class Chef::Knife::BriefcaseReload < Chef::Knife
+  include KnifeBriefcase::Knife
+  banner "knife briefcase reload [NAME [NAME [...]]]"
+
+  def run
+    item_names = if @name_args.empty?
+                   Chef::DataBag.list(data_bag_name).keys
+                 else
+                   @name_args
+                 end
+
+    item_names.each do |item_name|
+      encrypted = Chef::DataBagItem.load(data_bag_name, item_name).raw_data['content']
+
+      begin
+        crypto.verify(GPGME::Data.from_str(encrypted)) do |sig|
+          if sig.valid?
+            Chef::Log.info(sig.to_s)
+          else
+            Chef::Log.error(sig.to_s)
+            exit 1                  # TODO: --force
+          end
+        end
+      rescue
+        Chef::Log.error("Cannot verify signature: #{$!}")
+        exit 1
+      end
+
+      recrypted = crypto.encrypt(
+        crypto.decrypt(GPGME::Data.from_str(encrypted)),
+
+      :recipients => recipients,
+      :sign => !!signers,
+      :signers => signers,
+      :always_trust => true)
+
+      item = Chef::DataBagItem.from_hash(
+        'id' => item_name, 'content' => recrypted.to_s )
+      item.data_bag(data_bag_name)
+      rest.put_rest("data/#{data_bag_name}/#{item_name}", item)
+    end
+  end
+end