kstor 0.4.0 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: af39f01820f488e20a4b602f5151e87e07176268cf543aecc90f19bcb6166ec2
-  data.tar.gz: 84352bc5dddd13f4e33c1efac2aae1d360c4a53fb1be24b2fd32d8e61111b770
+  metadata.gz: 2d00405a6f9eaa621194511869f62b80eb9736bfb665e15d87d6e6ac4f0fa6a2
+  data.tar.gz: 4bb86aa9a8cfbfdb868525b9cc93f77d8410146cf99a78c1abe594058aac5ba7
 SHA512:
-  metadata.gz: 646da6b5709b454e971d4a129890c6718ad1b177c614f113fd77556df12bfb4feb7c6d44d8beb4e17af4bb9b44d68c2321acf8c54b42fc5f6bc728d6b4e0a40d
-  data.tar.gz: 71264b16719b3d516ff7c5bdea5fc362bedee48c23ed804401877010a65f5cb7cc75336266c70699bbebc63737ef1f775eb4986193ba7722cb289e1a18c5c709
+  metadata.gz: 13548da3eb9f804f6014995c77485776c775b924def753a2787731644f8358a497a2de02ba0e8fb275dd98c9ae0d0158d9365ebaa32abc2baf329b8c0dd94d00
+  data.tar.gz: fcc75b3d3ff85698ad8ea588ba03967875df4648b306834e907448865587c47edb57d07b56ff8808fad037e337db073b88d5107aa27e9a007208b088c25086aa

data/README.md

@@ -2,6 +2,48 @@
 
 KStor stores and shares secrets among teams of users.
 
-It doesn't work yet.
+It doesn't work yet. No error checks. Glaring holes everywhere. Will empty your
+fridge and scare your cat. Obviously, don't store anything valuable and not
+public in KStor!
 
-This is the server part, supporting a command-line client and a web user interface.
+It has a server and an ugly command-line client. The plan is to have a web user
+interface someday; the command-line client is mostly here to help me do basic
+debugging.
+
+Basic principle means that (when it will be ready), data at rest will always be
+encrypted. To read secret values and metadata, you need user passwords.
+
+User passwords are derived to make secret keys. Secret keys are used to decrypt
+user key pairs (public and private). User private keys are used to decrypt
+group key pairs. Group private keys are used to decrypt secrets. Pfew!
+
+## Basic usage
+
+1. create config file in YAML with the following keys:
+  * database: path to SQLite database file
+  * socket: path to UNIX socket that the server will listen to
+  * nworkers: number of worker threads
+2. copy systemd/kstor.* to ~/.config/systemd/user/ and adjust paths
+3. systemctl --user daemon-reload
+4. systemctl --user start kstor.socket
+5. bundle exec kstor --help
+
+### Available request types
+
+So far I've implemented:
+* group-create
+* secret-create
+* secret-search
+* secret-unlock
+* secret-update-metadata
+* secret-update-value
+* secret-delete
+
+### Notes
+
+On first access, it will create your user in database (login defaults to your
+login). Passwords are asked interactively.
+
+It will store session ID in XDG_RUNTIME_DIR/kstor/session-id .
+
+Each request can be authentified either with login/password or with session ID.

data/lib/kstor/config.rb

@@ -25,8 +25,8 @@ module KStor
     # @!attribute [r] session_life_timeout
     #   @return [Integer] seconds before a session is closed
     DEFAULTS = {
-      'database' => 'data/db.sqlite',
-      'socket' => 'run/kstor-server.socket',
+      'database' => '/var/lib/kstor/kstor.sqlite',
+      'socket' => '/run/kstor-server.socket',
       'nworkers' => 5,
       'session_idle_timeout' => 15 * 60,
       'session_life_timeout' => 4 * 60 * 60
@@ -46,7 +46,7 @@ module KStor
                else
                  {}
                end
-        new(DEFAULTS.merge(hash))
+        new(hash)
       end
     end
 
@@ -54,7 +54,7 @@ module KStor
     #
     # @param hash [Hash] configuration items
     def initialize(hash)
-      @data = hash
+      @data = DEFAULTS.merge(hash)
     end
 
     DEFAULTS.each_key do |k|

data/lib/kstor/controller/authentication.rb

@@ -1,5 +1,11 @@
 # frozen_string_literal: true
 
+require 'kstor/error'
+require 'kstor/log'
+require 'kstor/store'
+require 'kstor/session'
+require 'kstor/model'
+
 module KStor
   module Controller
     # Handle user authentication and sessions.

data/lib/kstor/controller/request_handler.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'rbnacl'
+
+require 'kstor/error'
+require 'kstor/controller/authentication'
+require 'kstor/controller/secret'
+require 'kstor/controller/users'
+
+module KStor
+  module Controller
+    # Request handler.
+    class RequestHandler
+      def initialize(store, session_store)
+        @auth = Controller::Authentication.new(store, session_store)
+        @secret = Controller::Secret.new(store)
+        @user = Controller::User.new(store)
+        @store = store
+      end
+
+      def handle_request(req)
+        user, sid = @auth.authenticate(req)
+        controller = controller_from_request_type(req)
+        resp = @store.transaction { controller.handle_request(user, req) }
+        user.lock
+        resp.session_id = sid
+        resp
+      rescue RbNaClError => e
+        Log.exception(e)
+        Error.for_code('CRYPTO/UNSPECIFIED').response
+      rescue Error => e
+        Log.info(e.message)
+        e.response
+      end
+
+      private
+
+      def controller_from_request_type(req)
+        case req.type
+        when /^secret-(create|delete|search|unlock|update-(meta|value)?)$/
+          @secret
+        when /^group-create$/
+          @user
+        else
+          raise Error.for_code('REQ/UNKNOWN', req.type)
+        end
+      end
+    end
+  end
+end

data/lib/kstor/controller.rb

@@ -7,6 +7,7 @@ require 'kstor/message'
 require 'kstor/controller/authentication'
 require 'kstor/controller/secret'
 require 'kstor/controller/users'
+require 'kstor/controller/request_handler'
 
 module KStor
   # Error: user was not allowed to access application.
@@ -37,44 +38,4 @@ module KStor
     error_code 'REQ/MISSINGARG'
     error_message 'Missing argument %s for request type %s'
   end
-
-  module Controller
-    # Request handler.
-    class RequestHandler
-      def initialize(store, session_store)
-        @auth = Controller::Authentication.new(store, session_store)
-        @secret = Controller::Secret.new(store)
-        @user = Controller::User.new(store)
-        @store = store
-      end
-
-      def handle_request(req)
-        user, sid = @auth.authenticate(req)
-        controller = controller_from_request_type(req)
-        resp = @store.transaction { controller.handle_request(user, req) }
-        user.lock
-        resp.session_id = sid
-        resp
-      rescue RbNaClError => e
-        Log.exception(e)
-        Error.for_code('CRYPTO/UNSPECIFIED').response
-      rescue Error => e
-        Log.info(e.message)
-        e.response
-      end
-
-      private
-
-      def controller_from_request_type(req)
-        case req.type
-        when /^secret-(create|delete|search|unlock|update-(meta|value)?)$/
-          @secret
-        when /^group-create$/
-          @user
-        else
-          raise Error.for_code('REQ/UNKNOWN', req.type)
-        end
-      end
-    end
-  end
 end

data/lib/kstor/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module KStor
-  VERSION = '0.4.0'
+  VERSION = '0.4.2'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kstor
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.2
 platform: ruby
 authors:
 - Jérémie Pierson
@@ -83,6 +83,8 @@ dependencies:
 description: |2
       KStor stores and shares secrets among teams of users. This is the server
       part, supporting a command-line client and a web user interface.
+
+      Don't use it, it's full of security holes and not even yet functional.
 email: jeremie.pierson@arlol.net
 executables:
 - kstor-srv
@@ -98,6 +100,7 @@ files:
 - lib/kstor/config.rb
 - lib/kstor/controller.rb
 - lib/kstor/controller/authentication.rb
+- lib/kstor/controller/request_handler.rb
 - lib/kstor/controller/secret.rb
 - lib/kstor/controller/users.rb
 - lib/kstor/crypto.rb