mobile-secrets 0.0.4 → 0.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 96bdba0202a6a478beea1f412bbac5e8abd333af7f3f605dfb7ca6e09fb892de
-  data.tar.gz: 20545830edba12a31d17e141fe4330790fce4110eb401756c497d64c93ea28d5
+  metadata.gz: 0f4f08928281f7ec09b0f307fde69ac6a240fc006cdb398741b94b94906952f6
+  data.tar.gz: 2b28b5fccdd4b442bf229733eaad00e170baee9e4c5505a925761f947929bda8
 SHA512:
-  metadata.gz: 8563eabd178ac86fd1b65da16a1686c275f364e0033b6801536069039a00f66285273629b34f1fb3eda32156d8166155dc43fa0df746880d80d5cc7578b2153f
-  data.tar.gz: 1c5ed3422664c6c8139053994fc7cf6f7f1c43baf0f3e687e581421478bb6a052334befa76c783e71410758d503c5ec0b78ad710fe2ab3e43f61280ef7817b6d
+  metadata.gz: 2f7805f87c8cf0713394b29e4f40da1654661ea736640de9fb59f95b8aff7e2928b5941a67f993af709c3b31cb62f4d1f1fbcbca88bd856303b05ddb9966ed13
+  data.tar.gz: 693fabe5ec237be1fcaf50ca841b60df85dccde3d017bf97e059cffe8ad6b216e8656be7ebef97688fb6e25318e93bfd36cbc09b2752fbd69ba42d39be1f72a3

data/lib/mobile-secrets.rb

@@ -20,14 +20,16 @@ module MobileSecrets
 
     def options
       opt = ""
-      opt << "--init-gpg PATH \t\tInitialize GPG in the directory.\n"
-      opt << "--create-template \t\tCreates a template yml file to configure the MobileSecrets\n"
-      opt << "--import SECRETS_PATH \tAdds MobileSecrets to GPG secrets\n"
-      opt << "--export PATH \t\t\tCreates source file with obfuscated secrets at given PATH\n"
-      opt << "--usage \t\t\tManual for using MobileSecrets.\n\n"
+      opt << "--init-gpg PATH \t\t\tInitialize GPG in the directory.\n"
+      opt << "--create-template \t\t\tCreates a template yml file to configure the MobileSecrets\n"
+      opt << "--import SECRETS_PATH \t\t\tAdds MobileSecrets to GPG secrets\n"
+      opt << "--export PATH opt: ENCRYPTED_FILE_PATH \tCreates source file with obfuscated secrets at given PATH\n"
+      opt << "--encrypt-file FILE PASSWORD \t\tEncrypt a single file with AES\n"
+      opt << "--empty PATH \t\t\t\tGenerates a Secrets file without any data in it\n"
+      opt << "--usage \t\t\t\tManual for using MobileSecrets.\n\n"
       opt << "Examples:\n"
       opt << "--import \"./MobileSecrets.yml\"\n"
-      opt << "--export \"./Project/Src\"\n"
+      opt << "--export \"./Project/Src\\n"
       opt << "--init-gpg \".\""
       opt
     end
@@ -37,7 +39,7 @@ module MobileSecrets
       usage << "1) Create gpg first with --init-gpg \".\"\n"
       usage << "2) Create a template for MobileSecrets with --create-template\n"
       usage << "3) Configure MobileSecrets.yml with your hash key, secrets etc\n"
-      usage << "4) Import edited template to encrypted secret.gpg with --import\n"
+      usage << "4) Import edited template to encrypted secret.gpg with --import ./MobileSecrets.yml\n"
       usage << "5) Export secrets from secrets.gpg to source file with --export and PATH to project\n"
       usage << "6) Add exported source file to the project\n"
     end
@@ -48,18 +50,31 @@ module MobileSecrets
         FileUtils.cp("#{__dir__}/../lib/resources/example.yml", "#{Dir.pwd}#{File::SEPARATOR}MobileSecrets.yml")
       when "--export"
         return print_options if argv_1 == nil
+        encrypted_file_path = argv_2 ||= "secrets.gpg"
 
         secrets_handler = MobileSecrets::SecretsHandler.new
-        secrets_handler.export_secrets argv_1
+        secrets_handler.export_secrets argv_1, argv_2
       when "--init-gpg"
         return print_options if argv_1 == nil
 
         Dotgpg::Cli.new.init(argv_1)
       when "--import"
         return print_options if argv_1 == nil
-
+        gpg_file = argv_2 ||= "secrets.gpg"
         file = IO.read argv_1
-        MobileSecrets::SecretsHandler.new.encrypt "./secrets.gpg", file, nil
+        MobileSecrets::SecretsHandler.new.encrypt gpg_file, file, nil
+      when "--encrypt-file"
+        file = argv_1
+        password = argv_2
+        MobileSecrets::SecretsHandler.new.encrypt_file password, file, "#{file}.enc"
+      when "--empty"
+        return print_options if argv_1 == nil
+        file_path = argv_1
+        
+        MobileSecrets::SourceRenderer.new("swift").render_empty_template "#{file_path}/secrets.swift"
+      when "--edit"
+        return print_options if argv_1 == nil
+        exec("dotgpg edit #{argv_1}")
       when "--usage"
         puts usage
       else

data/lib/resources/SecretsSwift.erb

@@ -0,0 +1,140 @@
+//
+//  Autogenerated file by Mobile Secrets
+//
+
+<% if should_decrypt_files %>import CommonCrypto<% end %>
+import Foundation
+
+// swiftlint:disable all
+class Secrets {
+    static let standard = Secrets()
+    private let bytes: [[UInt8]] = <%= secrets_array.to_s.gsub "],", "],\n                                   "%>
+<% if should_decrypt_files %>
+    private let fileNames: [[UInt8]] = <%= file_names_array.to_s.gsub "],", "],\n                                       "%>
+<% end %>
+
+    private init() {}
+
+    func string(forKey key: String, password: String? = nil) -> String? {
+        let pwdBytes = password == nil ? bytes[0] : password?.map({ c in c.asciiValue ?? 0 })
+        guard let index = bytes.firstIndex(where: { String(data: Data($0), encoding: .utf8) == key }),
+            let pwd = pwdBytes,
+            let value = decrypt(bytes[index + 1], password: pwd) else { return nil }
+
+        return String(data: Data(value), encoding: .utf8)
+    }
+
+    private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
+        guard !password.isEmpty else { return nil }
+        var output = [UInt8]()
+        for byte in input.enumerated() {
+            output.append(byte.element ^ password[byte.offset % password.count])
+        }
+        return output
+    }
+
+<% if should_decrypt_files %>
+    func decryptFiles(bundle: Bundle = Bundle.main, password: String? = nil) throws {
+        try fileNames.forEach({ (fileNameBytes) in
+            guard let name = String(data: Data(fileNameBytes), encoding: .utf8) else {
+                fatalError("Wrong name in file names")
+            }
+
+            try decryptFile(name, bundle: bundle, password: password)
+        })
+    }
+
+    func decryptFile(_ fileName: String, bundle: Bundle = Bundle.main, password: String? = nil) throws {
+        let password = password == nil ? String(data: Data(bytes[0]), encoding: .utf8) : password
+
+        guard let pwd = password else {
+            fatalError("No password for decryption was provided!")
+        }
+
+        guard let filePath = bundle.path(forResource: fileName, ofType: "enc"),
+            let fileURL = URL(string: "file://" + filePath),
+            let fileData = try? Data(contentsOf: fileURL) else {
+                fatalError("File \(fileName) was not found in bundle!")
+        }
+
+        var outputURL = bundle.bundleURL
+        outputURL.appendPathComponent(fileName)
+
+        do {
+            let aes = try AES(keyString: pwd)
+            let decryptedString = try aes.decrypt(fileData)
+            try decryptedString.write(to: outputURL, atomically: true, encoding: .utf8)
+        } catch let e {
+            throw e
+        }
+    }
+
+    struct AES {
+        enum Error: Swift.Error {
+            case invalidKeySize
+            case encryptionFailed
+            case decryptionFailed
+            case dataToStringFailed
+        }
+
+        private var key: Data
+        private var ivSize: Int = kCCBlockSizeAES128
+        private let options: CCOptions  = CCOptions()
+
+        init(keyString: String) throws {
+            guard keyString.count == kCCKeySizeAES256 else {
+                throw Error.invalidKeySize
+            }
+            self.key = Data(keyString.utf8)
+        }
+
+        func decrypt(_ data: Data) throws -> String {
+            let bufferSize: Int = data.count - ivSize
+            var buffer = Data(count: bufferSize)
+            var numberBytesDecrypted: Int = 0
+
+            do {
+                try key.withUnsafeBytes { keyBytes in
+                    try data.withUnsafeBytes { dataToDecryptBytes in
+                        try buffer.withUnsafeMutableBytes { bufferBytes in
+
+                            guard let keyBytesBaseAddress = keyBytes.baseAddress,
+                                let dataToDecryptBytesBaseAddress = dataToDecryptBytes.baseAddress,
+                                let bufferBytesBaseAddress = bufferBytes.baseAddress else {
+                                    throw Error.encryptionFailed
+                            }
+
+                            let cryptStatus: CCCryptorStatus = CCCrypt( // Stateless, one-shot encrypt operation
+                                CCOperation(kCCDecrypt),                // op: CCOperation
+                                CCAlgorithm(kCCAlgorithmAES),        // alg: CCAlgorithm
+                                options,                                // options: CCOptions
+                                keyBytesBaseAddress,                    // key: the "password"
+                                key.count,                              // keyLength: the "password" size
+                                dataToDecryptBytesBaseAddress,          // iv: Initialization Vector
+                                dataToDecryptBytesBaseAddress + ivSize, // dataIn: Data to decrypt bytes
+                                bufferSize,                             // dataInLength: Data to decrypt size
+                                bufferBytesBaseAddress,                 // dataOut: decrypted Data buffer
+                                bufferSize,                             // dataOutAvailable: decrypted Data buffer size
+                                &numberBytesDecrypted                   // dataOutMoved: the number of bytes written
+                            )
+
+                            guard cryptStatus == CCCryptorStatus(kCCSuccess) else {
+                                throw Error.decryptionFailed
+                            }
+                        }
+                    }
+                }
+            } catch {
+                throw Error.encryptionFailed
+            }
+
+            let decryptedData: Data = buffer[..<numberBytesDecrypted]
+            guard let decryptedString = String(data: decryptedData, encoding: .utf8) else {
+                throw Error.dataToStringFailed
+            }
+
+            return decryptedString
+        }
+  }
+<% end %>
+}

data/lib/resources/SecretsSwiftEmpty.erb

@@ -0,0 +1,31 @@
+//
+//  Autogenerated file by Mobile Secrets
+//
+
+import Foundation
+
+// swiftlint:disable all
+class Secrets {
+    static let standard = Secrets()
+    private let bytes: [[UInt8]] = [[0]]
+
+    private init() {}
+
+    func string(forKey key: String, password: String? = nil) -> String? {
+        let pwdBytes = password == nil ? bytes[0] : password?.map({ c in c.asciiValue ?? 0 })
+        guard let index = bytes.firstIndex(where: { String(data: Data($0), encoding: .utf8) == key }),
+            let pwd = pwdBytes,
+            let value = decrypt(bytes[index + 1], password: pwd) else { return nil }
+
+        return String(data: Data(value), encoding: .utf8)
+    }
+
+    private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
+        guard !password.isEmpty else { return nil }
+        var output = [UInt8]()
+        for byte in input.enumerated() {
+            output.append(byte.element ^ password[byte.offset % password.count])
+        }
+        return output
+    }
+}

data/lib/resources/example.yml

@@ -1,7 +1,18 @@
 MobileSecrets:
-  hashKey: "KokoBelloKoko" # Key that will be used to hashed the secret values.
-  language: "Swift" # Swift is currently only supported language, Kotlin is coming soon.
-  secrets: # Key-value dictionary for secrets. The key is then referenced in the code to get the secret.
+  # hashKey: Key that will be used to hash the secret values.
+  # For encrypting files the key needs to be 32 chars long as an AES standard.
+  hashKey: "KokoBelloKokoKokoBelloKokoKokoBe"
+  # shouldIncludePassword: By default the password is saved in the code as a series of bytes, however it can also
+  # be fetched from your API, saved in keychain and passed to the Secrets for improving the security.
+  shouldIncludePassword: true
+  # language: Swift is currently only supported language, Kotlin is coming soon.
+  language: "Swift"
+  # Key-value dictionary for secrets. The key is then referenced in the code to get the secret.
+  secrets:
     googleMaps: "123123123"
     firebase: "asdasdasd"
     amazon: "asd123asd123"
+  # Optional, remove files if you do not want to encrypt them
+  files:
+    - tmp.txt
+    - Info.plist

data/lib/src/file_handler.rb

@@ -0,0 +1,20 @@
+require 'openssl'
+
+module MobileSecrets
+  class FileHandler
+
+    def initialize password
+      @password = password
+    end
+
+    def encrypt file
+      file_content = File.read file
+      cipher = OpenSSL::Cipher::AES256.new :CBC
+      cipher.encrypt
+      iv = cipher.random_iv
+      cipher.key = @password
+      cipher_text = iv + cipher.update(file_content) + cipher.final
+      cipher_text
+    end
+  end
+end

data/lib/src/secrets_handler.rb

@@ -1,39 +1,46 @@
 require "dotgpg"
 require "yaml"
+
 require_relative '../src/obfuscator'
+require_relative '../src/file_handler'
+require_relative '../src/source_renderer'
 
 module MobileSecrets
   class SecretsHandler
 
-    def export_secrets path
-      decrypted_config = decrypt_secrets()
-      bytes = process_yaml_config decrypted_config
-      inject_secrets(bytes, "#{path}/secrets.swift")
+    def export_secrets path, from_encrypted_file_name
+      decrypted_config = decrypt_secrets(from_encrypted_file_name)
+      file_names_bytes, secrets_bytes = process_yaml_config decrypted_config
+
+      renderer = MobileSecrets::SourceRenderer.new "swift"
+      renderer.render_template secrets_bytes, file_names_bytes, "#{path}/secrets.swift"
+      decrypted_config
     end
 
     def process_yaml_config yaml_string
       config = YAML.load(yaml_string)["MobileSecrets"]
       hash_key = config["hashKey"]
-      obfuscator = MobileSecrets::Obfuscator.new hash_key
-
-      bytes = [hash_key.bytes]
       secrets_dict = config["secrets"]
+      files = config["files"]
+      should_include_password = config["shouldIncludePassword"]
+      secrets_bytes = should_include_password ? [hash_key.bytes] : []
+      file_names_bytes = []
+      obfuscator = MobileSecrets::Obfuscator.new hash_key
 
       secrets_dict.each do |key, value|
         encrypted = obfuscator.obfuscate(value)
-        bytes << key.bytes << encrypted.bytes
+        secrets_bytes << key.bytes << encrypted.bytes
       end
 
-      bytes
-    end
-
-    def inject_secrets secret_bytes, file
-      template = IO.read "#{__dir__}/../resources/SecretsTemplate.swift"
-      secret_bytes = "#{secret_bytes}".gsub "],", "],\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t"
-      bytes_variable = "private let bytes: [[UInt8]] = #{secret_bytes}"
-      swift_secrets = template.sub "/* SECRET BYTES */", bytes_variable
+      if files
+        abort("Password must be 32 characters long for files encryption.") if hash_key.length != 32
+        files.each do |f|
+          encrypt_file hash_key, f, "#{f}.enc"
+          file_names_bytes << f.bytes
+        end
+      end
 
-      File.open(file, "w") { |f| f.puts swift_secrets }
+      return file_names_bytes, secrets_bytes
     end
 
     def encrypt output_file_path, string, gpg_path
@@ -43,12 +50,20 @@ module MobileSecrets
       dotgpg.encrypt output_file_path, string
     end
 
+    def encrypt_file password, file, output_file_path
+      encryptor = FileHandler.new password
+      abort("Configuration contains file #{file} that cannot be found! Please check your mobile-secrets configuration or add the file into directory.") unless File.exist? file
+      encrypted_content = encryptor.encrypt file
+
+      File.open(output_file_path, "wb") { |f| f.write encrypted_content }
+    end
+
     private
 
-    def decrypt_secrets
-      gpg = Dotgpg::Dir.new "#{Dir.pwd}/"
+    def decrypt_secrets encrypted_file_name
+      gpg = Dotgpg::Dir.closest encrypted_file_name
       output = StringIO.new
-      gpg.decrypt "#{Dir.pwd}/secrets.gpg", output
+      gpg.decrypt "#{Dir.pwd}/#{encrypted_file_name}", output
       output.string
     end
 

data/lib/src/source_renderer.rb

@@ -0,0 +1,36 @@
+require 'erb'
+
+Book = Struct.new(:title, :author)
+module MobileSecrets
+  class SourceRenderer
+
+    def initialize source_type
+      @source_type = source_type.downcase
+    end
+
+    def render_template secrets_bytes, file_names_bytes, output_file_path
+      template = ERB.new(File.read("#{__dir__}/../resources/SecretsSwift.erb"))
+
+      case @source_type
+      when "swift"
+        File.open(output_file_path, "w") do |file|
+           file.puts template.result_with_hash(secrets_array: secrets_bytes,
+              file_names_array: file_names_bytes,
+              should_decrypt_files: file_names_bytes.length > 0)
+         end
+      end
+    end
+    
+    def render_empty_template output_file_path
+      template = File.read("#{__dir__}/../resources/SecretsSwiftEmpty.erb")
+
+      case @source_type
+      when "swift"
+        File.open(output_file_path, "w") do |file|
+           file.puts template
+         end
+      end
+    end
+
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mobile-secrets
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.9
 platform: ruby
 authors:
 - Cyril Cermak
@@ -35,11 +35,13 @@ files:
 - Rakefile
 - bin/mobile-secrets
 - lib/mobile-secrets.rb
-- lib/resources/SecretsTemplate.swift
+- lib/resources/SecretsSwift.erb
+- lib/resources/SecretsSwiftEmpty.erb
 - lib/resources/example.yml
+- lib/src/file_handler.rb
 - lib/src/obfuscator.rb
 - lib/src/secrets_handler.rb
-- test/test_hola.rb
+- lib/src/source_renderer.rb
 homepage: https://github.com/CyrilCermak/mobile-secrets
 licenses:
 - MIT
@@ -59,9 +61,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: mobile-secrets tool for handling your mobile secrets
-test_files:
-- test/test_hola.rb
+test_files: []

data/lib/resources/SecretsTemplate.swift

@@ -1,28 +0,0 @@
-//
-//  Autogenerated file by Mobile Secrets
-//
-
-import Foundation
-
-class Secrets {
-    static let standard = Secrets()
-    /* SECRET BYTES */
-
-    private init() {}
-
-    func string(forKey key: String) -> String? {
-      guard let index = bytes.firstIndex(where: { String(data: Data($0), encoding: .utf8) == key }),
-          let value = decrypt(bytes[index + 1]) else { return nil }
-      return String(data: Data(value), encoding: .utf8)
-    }
-
-    private func decrypt(_ input: [UInt8]) -> [UInt8]? {
-        let key = bytes[0]
-        guard !key.isEmpty else { return nil }
-        var output = [UInt8]()
-        for byte in input.enumerated() {
-            output.append(byte.element ^ key[byte.offset % key.count])
-        }
-        return output
-    }
-}

data/test/test_hola.rb

@@ -1,16 +0,0 @@
-require 'test/unit'
-require 'hola'
-
-class HolaTest < Test::Unit::TestCase
-  def test_english_hello
-    assert_equal "hello world", Hola.hi("english")
-  end
-
-  def test_any_hello
-    assert_equal "hello world", Hola.hi("ruby")
-  end
-
-  def test_spanish_hello
-    assert_equal "hola mundo", Hola.hi("spanish")
-  end
-end