kstor 0.4.1 → 0.4.3
- checksums.yaml +4 -4
- data/README.md +44 -2
- data/lib/kstor/config.rb +4 -4
- data/lib/kstor/controller/authentication.rb +6 -0
- data/lib/kstor/controller/request_handler.rb +50 -0
- data/lib/kstor/controller.rb +1 -40
- data/lib/kstor/version.rb +1 -1
- metadata +2 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 72e1dae661e2cb26fb40e0ac19f066ae35b9eb09605123915f0119a7ed98100c
|
4
|
+
data.tar.gz: 9a10808b3a5e5c6b65babc84281984b5c3aed4974227808db992652eab7542e5
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: ed9c26317bb1765ca766abbc1531b24eb0cf33b6e44820b6c37dee62ea6b1c063bd34cd8c15d0f562dddb7766e7f2d841a87b30d1a8c094c882937790d29819b
|
7
|
+
data.tar.gz: c2c3d2f28793d0a55b62491b1a3bc5950e3b80784e7bb3ba72f996530d6a104d9d6a74d88ab55756d4193cae486dfb5addbe362c40b60bbbf29966fa7f943b62
|
data/README.md
CHANGED
@@ -2,6 +2,48 @@
|
|
2
2
|
|
3
3
|
KStor stores and shares secrets among teams of users.
|
4
4
|
|
5
|
-
It doesn't work yet.
|
5
|
+
It doesn't work yet. No error checks. Glaring holes everywhere. Will empty your
|
6
|
+
fridge and scare your cat. Obviously, don't store anything valuable and not
|
7
|
+
public in KStor!
|
6
8
|
|
7
|
-
|
9
|
+
It has a server and an ugly command-line client. The plan is to have a web user
|
10
|
+
interface someday; the command-line client is mostly here to help me do basic
|
11
|
+
debugging.
|
12
|
+
|
13
|
+
Basic principle means that (when it will be ready), data at rest will always be
|
14
|
+
encrypted. To read secret values and metadata, you need user passwords.
|
15
|
+
|
16
|
+
User passwords are derived to make secret keys. Secret keys are used to decrypt
|
17
|
+
user key pairs (public and private). User private keys are used to decrypt
|
18
|
+
group key pairs. Group private keys are used to decrypt secrets. Pfew!
|
19
|
+
|
20
|
+
## Basic usage
|
21
|
+
|
22
|
+
1. create config file in YAML with the following keys:
|
23
|
+
* database: path to SQLite database file
|
24
|
+
* socket: path to UNIX socket that the server will listen to
|
25
|
+
* nworkers: number of worker threads
|
26
|
+
2. copy systemd/kstor.* to ~/.config/systemd/user/ and adjust paths
|
27
|
+
3. systemctl --user daemon-reload
|
28
|
+
4. systemctl --user start kstor.socket
|
29
|
+
5. bundle exec kstor --help
|
30
|
+
|
31
|
+
### Available request types
|
32
|
+
|
33
|
+
So far I've implemented:
|
34
|
+
* group-create
|
35
|
+
* secret-create
|
36
|
+
* secret-search
|
37
|
+
* secret-unlock
|
38
|
+
* secret-update-metadata
|
39
|
+
* secret-update-value
|
40
|
+
* secret-delete
|
41
|
+
|
42
|
+
### Notes
|
43
|
+
|
44
|
+
On first access, it will create your user in database (login defaults to your
|
45
|
+
login). Passwords are asked interactively.
|
46
|
+
|
47
|
+
It will store session ID in XDG_RUNTIME_DIR/kstor/session-id .
|
48
|
+
|
49
|
+
Each request can be authentified either with login/password or with session ID.
|
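--- a/data/lib/kstor/config.rb
+++ b/data/lib/kstor/config.rb
@@ -25,8 +25,8 @@ module KStor
 # @!attribute [r] session_life_timeout
 # @return [Integer] seconds before a session is closed
 DEFAULTS = {
-'database' => '
-'socket' => 'run/kstor-server.socket',
+'database' => '/var/lib/kstor/kstor.sqlite',
+'socket' => '/run/kstor-server.socket',
 'nworkers' => 5,
 'session_idle_timeout' => 15 * 60,
 'session_life_timeout' => 4 * 60 * 60
@@ -46,7 +46,7 @@ module KStor
 else
 {}
 end
-new(
+new(hash)
 end
 end
 
@@ -54,7 +54,7 @@ module KStor
 #
 # @param hash [Hash] configuration items
 def initialize(hash)
-@data = hash
+@data = DEFAULTS.merge(hash)
 end
 
 DEFAULTS.each_key do |k|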
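Review bot: `@data = DEFAULTS.merge(hash)` in the third hunk accepts whatever keys the caller's hash carries, so a misspelled key (say `nworker`) silently leaves the default in force, and a key present with an empty value (`database:` in YAML loads as nil) replaces the default with nil instead of falling back to it; the accessors generated by `DEFAULTS.each_key` below never expose the typo either. Validate against the known keys and drop nils before merging: `unknown = hash.keys - DEFAULTS.keys`, `raise ArgumentError, "unknown configuration keys: #{unknown.join(', ')}" unless unknown.empty?`, `@data = DEFAULTS.merge(hash.compact)`. This assumes the hash uses string keys like `DEFAULTS` does; the loader that builds it (`new(hash)` in the second hunk) is only partly visible here, so confirm it does not symbolize keys. Worth noting in the `@param hash` doc that keys are strings matching `DEFAULTS` and that unset items take the defaults now listed, since the defaults moved from relative paths to `/var/lib/kstor/kstor.sqlite` and `/run/kstor-server.socket`.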
@@ -0,0 +1,50 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'rbnacl'
|
4
|
+
|
5
|
+
require 'kstor/error'
|
6
|
+
require 'kstor/controller/authentication'
|
7
|
+
require 'kstor/controller/secret'
|
8
|
+
require 'kstor/controller/users'
|
9
|
+
|
10
|
+
module KStor
|
11
|
+
module Controller
|
12
|
+
# Request handler.
|
13
|
+
class RequestHandler
|
14
|
+
def initialize(store, session_store)
|
15
|
+
@auth = Controller::Authentication.new(store, session_store)
|
16
|
+
@secret = Controller::Secret.new(store)
|
17
|
+
@user = Controller::User.new(store)
|
18
|
+
@store = store
|
19
|
+
end
|
20
|
+
|
21
|
+
def handle_request(req)
|
22
|
+
user, sid = @auth.authenticate(req)
|
23
|
+
controller = controller_from_request_type(req)
|
24
|
+
resp = @store.transaction { controller.handle_request(user, req) }
|
25
|
+
user.lock
|
26
|
+
resp.session_id = sid
|
27
|
+
resp
|
28
|
+
rescue RbNaClError => e
|
29
|
+
Log.exception(e)
|
30
|
+
Error.for_code('CRYPTO/UNSPECIFIED').response
|
31
|
+
rescue Error => e
|
32
|
+
Log.info(e.message)
|
33
|
+
e.response
|
34
|
+
end
|
35
|
+
|
36
|
+
private
|
37
|
+
|
38
|
+
def controller_from_request_type(req)
|
39
|
+
case req.type
|
40
|
+
when /^secret-(create|delete|search|unlock|update-(meta|value)?)$/
|
41
|
+
@secret
|
42
|
+
when /^group-create$/
|
43
|
+
@user
|
44
|
+
else
|
45
|
+
raise Error.for_code('REQ/UNKNOWN', req.type)
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
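Review bot: `user.lock` in `handle_request` runs only on the success path; when `controller.handle_request` raises `Error` or `RbNaClError` the rescue clauses build a response and return without it, so whatever state `lock` is meant to discard stays in place after a failed request (the name suggests decrypted key material, but `User#lock` is not in this diff, so confirm). Make it unconditional by removing the `user.lock` line and adding `ensure` / `user&.lock` after the last rescue clause; the safe navigation matters because `user` is nil when `@auth.authenticate` itself raises. Separately, the dispatch regex `/^secret-(create|delete|search|unlock|update-(meta|value)?)$/` accepts `secret-update-` through the empty optional group and does not accept `secret-update-metadata`, the name the README in this same release lists, so either the README or the router is wrong; spelling the alternatives out with whole-string anchors, `when /\Asecret-(create|delete|search|unlock|update-(metadata|value))\z/`, removes both ambiguities. This section has no file header on the page; it is identified as `data/lib/kstor/controller/request_handler.rb` from the diffstat and from the identical block removed from `controller.rb` below.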
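--- a/data/lib/kstor/controller.rb
+++ b/data/lib/kstor/controller.rb
@@ -7,6 +7,7 @@ require 'kstor/message'
 require 'kstor/controller/authentication'
 require 'kstor/controller/secret'
 require 'kstor/controller/users'
+require 'kstor/controller/request_handler'
 
 module KStor
 # Error: user was not allowed to access application.
@@ -37,44 +38,4 @@ module KStor
 error_code 'REQ/MISSINGARG'
 error_message 'Missing argument %s for request type %s'
 end
-
-module Controller
-# Request handler.
-class RequestHandler
-def initialize(store, session_store)
-@auth = Controller::Authentication.new(store, session_store)
-@secret = Controller::Secret.new(store)
-@user = Controller::User.new(store)
-@store = store
-end
-
-def handle_request(req)
-user, sid = @auth.authenticate(req)
-controller = controller_from_request_type(req)
-resp = @store.transaction { controller.handle_request(user, req) }
-user.lock
-resp.session_id = sid
-resp
-rescue RbNaClError => e
-Log.exception(e)
-Error.for_code('CRYPTO/UNSPECIFIED').response
-rescue Error => e
-Log.info(e.message)
-e.response
-end
-
-private
-
-def controller_from_request_type(req)
-case req.type
-when /^secret-(create|delete|search|unlock|update-(meta|value)?)$/
-@secret
-when /^group-create$/
-@user
-else
-raise Error.for_code('REQ/UNKNOWN', req.type)
-end
-end
-end
-end
 end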
data/lib/kstor/version.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: kstor
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.4.
|
4
|
+
version: 0.4.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jérémie Pierson
|
@@ -100,6 +100,7 @@ files:
|
|
100
100
|
- lib/kstor/config.rb
|
101
101
|
- lib/kstor/controller.rb
|
102
102
|
- lib/kstor/controller/authentication.rb
|
103
|
+
- lib/kstor/controller/request_handler.rb
|
103
104
|
- lib/kstor/controller/secret.rb
|
104
105
|
- lib/kstor/controller/users.rb
|
105
106
|
- lib/kstor/crypto.rb
|