mobile-secrets 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1bb1e6c36ce56b0181aab583f65c8b6935ac47b74ae52f7e3cb5a2bb27ad73f
-  data.tar.gz: f475935731fc3fb87a1f8cac527dabec2553c2a4f297fdc3e626bddb8e27921b
+  metadata.gz: 22e621754c652265b906fb99949160cba7f05f169e1a742bed477cc93213d8ef
+  data.tar.gz: 6cf400c9265bb3bbc3e8b0f3e969d4139f86643063a00fbfb49f957ecdbd5580
 SHA512:
-  metadata.gz: 0f0906f30fab6cc56ba9f0f3ce263d4fa3027b6bda2fcf7654b0494b1f495694e8bf42591ec16cb0db48eed974c9812d89ecd47f185111d5ac8b191c34ee38dc
-  data.tar.gz: e08c129ba0d265079c9c9a9e7d9207f2e7a1060f76691b22bf344d466a57716493f018c35204077ad8dd48d7bfa7b148d819bf5be81685217b127f5910c01e46
+  metadata.gz: 6856b5a3cf2b2885c30837eaaa6b3eb731d852ea0299bb505b2efa585103b537b7cdecf0f244acdff9b2d68266d7dae3f8a65648e4a448f29543e519e45dc9fc
+  data.tar.gz: 31602061ae1ba76be8171fdeac0539d29522bf643ab5268628187fac5e898d193d47cdce7025a9189353bf269e4451495874a04c960740c38f8933d2d560ace8

data/lib/mobile-secrets.rb

@@ -24,6 +24,7 @@ module MobileSecrets
       opt << "--create-template \t\tCreates a template yml file to configure the MobileSecrets\n"
       opt << "--import SECRETS_PATH \tAdds MobileSecrets to GPG secrets\n"
       opt << "--export PATH \t\t\tCreates source file with obfuscated secrets at given PATH\n"
+      opt << "--encrypt-file \t\t\tEncrypt a single file with AES"
       opt << "--usage \t\t\tManual for using MobileSecrets.\n\n"
       opt << "Examples:\n"
       opt << "--import \"./MobileSecrets.yml\"\n"
@@ -37,7 +38,7 @@ module MobileSecrets
       usage << "1) Create gpg first with --init-gpg \".\"\n"
       usage << "2) Create a template for MobileSecrets with --create-template\n"
       usage << "3) Configure MobileSecrets.yml with your hash key, secrets etc\n"
-      usage << "4) Import edited template to encrypted secret.gpg with --import\n"
+      usage << "4) Import edited template to encrypted secret.gpg with --import ./MobileSecrets.yml\n"
       usage << "5) Export secrets from secrets.gpg to source file with --export and PATH to project\n"
       usage << "6) Add exported source file to the project\n"
     end
@@ -60,6 +61,10 @@ module MobileSecrets
 
         file = IO.read argv_1
         MobileSecrets::SecretsHandler.new.encrypt "./secrets.gpg", file, nil
+      when "--encrypt-file"
+        file = argv_1
+        password = argv_2
+        MobileSecrets::SecretsHandler.new.encrypt_file password, file, "#{file}.enc"
       when "--usage"
         puts usage
       else

data/lib/resources/SecretsSwift.erb

@@ -0,0 +1,139 @@
+//
+//  Autogenerated file by Mobile Secrets
+//
+
+<% if should_decrypt_files %>import CommonCrypto<% end %>
+import Foundation
+
+class Secrets {
+    static let standard = Secrets()
+    private let bytes: [[UInt8]] = <%= secrets_array.to_s.gsub "],", "],\n                                   "%>
+<% if should_decrypt_files %>
+    private let fileNames: [[UInt8]] = <%= file_names_array.to_s.gsub "],", "],\n                                       "%>
+<% end %>
+
+    private init() {}
+
+    func string(forKey key: String, password: String? = nil) -> String? {
+        let pwdBytes = password == nil ? bytes[0] : password?.map({ c in c.asciiValue ?? 0 })
+        guard let index = bytes.firstIndex(where: { String(data: Data($0), encoding: .utf8) == key }),
+            let pwd = pwdBytes,
+            let value = decrypt(bytes[index + 1], password: pwd) else { return nil }
+
+        return String(data: Data(value), encoding: .utf8)
+    }
+
+    private func decrypt(_ input: [UInt8], password: [UInt8]) -> [UInt8]? {
+        guard !password.isEmpty else { return nil }
+        var output = [UInt8]()
+        for byte in input.enumerated() {
+            output.append(byte.element ^ password[byte.offset % password.count])
+        }
+        return output
+    }
+
+<% if should_decrypt_files %>
+    func decryptFiles(bundle: Bundle = Bundle.main, password: String? = nil) throws {
+        try fileNames.forEach({ (fileNameBytes) in
+            guard let name = String(data: Data(fileNameBytes), encoding: .utf8) else {
+                fatalError("Wrong name in file names")
+            }
+
+            try decryptFile(name, bundle: bundle, password: password)
+        })
+    }
+
+    func decryptFile(_ fileName: String, bundle: Bundle = Bundle.main, password: String? = nil) throws {
+        let password = password == nil ? String(data: Data(bytes[0]), encoding: .utf8) : password
+
+        guard let pwd = password else {
+            fatalError("No password for decryption was provided!")
+        }
+
+        guard let filePath = bundle.path(forResource: fileName, ofType: "enc"),
+            let fileURL = URL(string: "file://" + filePath),
+            let fileData = try? Data(contentsOf: fileURL) else {
+                fatalError("File \(fileName) was not found in bundle!")
+        }
+
+        var outputURL = bundle.bundleURL
+        outputURL.appendPathComponent(fileName)
+
+        do {
+            let aes = try AES(keyString: pwd)
+            let decryptedString = try aes.decrypt(fileData)
+            try decryptedString.write(to: outputURL, atomically: true, encoding: .utf8)
+        } catch let e {
+            throw e
+        }
+    }
+
+    struct AES {
+        enum Error: Swift.Error {
+            case invalidKeySize
+            case encryptionFailed
+            case decryptionFailed
+            case dataToStringFailed
+        }
+
+        private var key: Data
+        private var ivSize: Int = kCCBlockSizeAES128
+        private let options: CCOptions  = CCOptions()
+
+        init(keyString: String) throws {
+            guard keyString.count == kCCKeySizeAES256 else {
+                throw Error.invalidKeySize
+            }
+            self.key = Data(keyString.utf8)
+        }
+
+        func decrypt(_ data: Data) throws -> String {
+            let bufferSize: Int = data.count - ivSize
+            var buffer = Data(count: bufferSize)
+            var numberBytesDecrypted: Int = 0
+
+            do {
+                try key.withUnsafeBytes { keyBytes in
+                    try data.withUnsafeBytes { dataToDecryptBytes in
+                        try buffer.withUnsafeMutableBytes { bufferBytes in
+
+                            guard let keyBytesBaseAddress = keyBytes.baseAddress,
+                                let dataToDecryptBytesBaseAddress = dataToDecryptBytes.baseAddress,
+                                let bufferBytesBaseAddress = bufferBytes.baseAddress else {
+                                    throw Error.encryptionFailed
+                            }
+
+                            let cryptStatus: CCCryptorStatus = CCCrypt( // Stateless, one-shot encrypt operation
+                                CCOperation(kCCDecrypt),                // op: CCOperation
+                                CCAlgorithm(kCCAlgorithmAES),        // alg: CCAlgorithm
+                                options,                                // options: CCOptions
+                                keyBytesBaseAddress,                    // key: the "password"
+                                key.count,                              // keyLength: the "password" size
+                                dataToDecryptBytesBaseAddress,          // iv: Initialization Vector
+                                dataToDecryptBytesBaseAddress + ivSize, // dataIn: Data to decrypt bytes
+                                bufferSize,                             // dataInLength: Data to decrypt size
+                                bufferBytesBaseAddress,                 // dataOut: decrypted Data buffer
+                                bufferSize,                             // dataOutAvailable: decrypted Data buffer size
+                                &numberBytesDecrypted                   // dataOutMoved: the number of bytes written
+                            )
+
+                            guard cryptStatus == CCCryptorStatus(kCCSuccess) else {
+                                throw Error.decryptionFailed
+                            }
+                        }
+                    }
+                }
+            } catch {
+                throw Error.encryptionFailed
+            }
+
+            let decryptedData: Data = buffer[..<numberBytesDecrypted]
+            guard let decryptedString = String(data: decryptedData, encoding: .utf8) else {
+                throw Error.dataToStringFailed
+            }
+
+            return decryptedString
+        }
+  }
+<% end %>
+}

data/lib/resources/example.yml

@@ -1,7 +1,18 @@
 MobileSecrets:
-  hashKey: "KokoBelloKoko" # Key that will be used to hashed the secret values.
-  language: "Swift" # Swift is currently only supported language, Kotlin is coming soon.
-  secrets: # Key-value dictionary for secrets. The key is then referenced in the code to get the secret.
+  # hashKey: Key that will be used to hash the secret values.
+  # For encrypting files the key needs to be 32 chars long as an AES standard.
+  hashKey: "KokoBelloKokoKokoBelloKokoKokoBe"
+  # shouldIncludePassword: By default the password is saved in the code as a series of bytes, however it can also
+  # be fetched from your API, saved in keychain and passed to the Secrets for improving the security.
+  shouldIncludePassword: true
+  # language: Swift is currently only supported language, Kotlin is coming soon.
+  language: "Swift"
+  # Key-value dictionary for secrets. The key is then referenced in the code to get the secret.
+  secrets:
     googleMaps: "123123123"
     firebase: "asdasdasd"
     amazon: "asd123asd123"
+  # Optional, remove files if you do not want to encrypt them
+  files:
+    - tmp.txt
+    - Info.plist

data/lib/src/file_handler.rb

@@ -0,0 +1,20 @@
+require 'openssl'
+
+module MobileSecrets
+  class FileHandler
+
+    def initialize password
+      @password = password
+    end
+
+    def encrypt file
+      file_content = File.read file
+      cipher = OpenSSL::Cipher::AES256.new :CBC
+      cipher.encrypt
+      iv = cipher.random_iv
+      cipher.key = @password
+      cipher_text = iv + cipher.update(file_content) + cipher.final
+      cipher_text
+    end
+  end
+end

data/lib/src/secrets_handler.rb

@@ -1,39 +1,45 @@
 require "dotgpg"
 require "yaml"
+
 require_relative '../src/obfuscator'
+require_relative '../src/file_handler'
+require_relative '../src/source_renderer'
 
 module MobileSecrets
   class SecretsHandler
 
     def export_secrets path
       decrypted_config = decrypt_secrets()
-      bytes = process_yaml_config decrypted_config
-      inject_secrets(bytes, "#{path}/secrets.swift")
+      file_names_bytes, secrets_bytes = process_yaml_config decrypted_config
+
+      renderer = MobileSecrets::SourceRenderer.new "swift"
+      renderer.render_template secrets_bytes, file_names_bytes, "#{path}/secrets.swift"
     end
 
     def process_yaml_config yaml_string
       config = YAML.load(yaml_string)["MobileSecrets"]
       hash_key = config["hashKey"]
-      obfuscator = MobileSecrets::Obfuscator.new hash_key
-
-      bytes = [hash_key.bytes]
       secrets_dict = config["secrets"]
+      files = config["files"]
+      should_include_password = config["shouldIncludePassword"]
+      secrets_bytes = should_include_password ? [hash_key.bytes] : []
+      file_names_bytes = []
+      obfuscator = MobileSecrets::Obfuscator.new hash_key
 
       secrets_dict.each do |key, value|
         encrypted = obfuscator.obfuscate(value)
-        bytes << key.bytes << encrypted.bytes
+        secrets_bytes << key.bytes << encrypted.bytes
       end
 
-      bytes
-    end
-
-    def inject_secrets secret_bytes, file
-      template = IO.read "#{__dir__}/../resources/SecretsTemplate.swift"
-      secret_bytes = "#{secret_bytes}".gsub "],", "],\n                                   " #Formating the array
-      bytes_variable = "private let bytes: [[UInt8]] = #{secret_bytes}"
-      swift_secrets = template.sub "/* SECRET BYTES */", bytes_variable
+      if files
+        abort("Password must be 13 characters long for files encryption.") if hash_key.length != 32
+        files.each do |f|
+          encrypt_file hash_key, f, "#{f}.enc"
+          file_names_bytes << f.bytes
+        end
+      end
 
-      File.open(file, "w") { |f| f.puts swift_secrets }
+      return file_names_bytes, secrets_bytes
     end
 
     def encrypt output_file_path, string, gpg_path
@@ -43,6 +49,13 @@ module MobileSecrets
       dotgpg.encrypt output_file_path, string
     end
 
+    def encrypt_file password, file, output_file_path
+      encryptor = FileHandler.new password
+      encrypted_content = encryptor.encrypt file
+
+      File.open(output_file_path, "wb") { |f| f.write encrypted_content }
+    end
+
     private
 
     def decrypt_secrets

data/lib/src/source_renderer.rb

@@ -0,0 +1,25 @@
+require 'erb'
+
+Book = Struct.new(:title, :author)
+module MobileSecrets
+  class SourceRenderer
+
+    def initialize source_type
+      @source_type = source_type.downcase
+    end
+
+    def render_template secrets_bytes, file_names_bytes, output_file_path
+      template = ERB.new(File.read("#{__dir__}/../resources/SecretsSwift.erb"))
+
+      case @source_type
+      when "swift"
+        File.open(output_file_path, "w") do |file|
+           file.puts template.result_with_hash(secrets_array: secrets_bytes,
+              file_names_array: file_names_bytes,
+              should_decrypt_files: file_names_bytes.length > 0)
+         end
+      end
+    end
+
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mobile-secrets
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Cyril Cermak
@@ -35,10 +35,12 @@ files:
 - Rakefile
 - bin/mobile-secrets
 - lib/mobile-secrets.rb
-- lib/resources/SecretsTemplate.swift
+- lib/resources/SecretsSwift.erb
 - lib/resources/example.yml
+- lib/src/file_handler.rb
 - lib/src/obfuscator.rb
 - lib/src/secrets_handler.rb
+- lib/src/source_renderer.rb
 homepage: https://github.com/CyrilCermak/mobile-secrets
 licenses:
 - MIT

data/lib/resources/SecretsTemplate.swift

@@ -1,28 +0,0 @@
-//
-//  Autogenerated file by Mobile Secrets
-//
-
-import Foundation
-
-class Secrets {
-    static let standard = Secrets()
-    /* SECRET BYTES */
-
-    private init() {}
-
-    func string(forKey key: String) -> String? {
-        guard let index = bytes.firstIndex(where: { String(data: Data($0), encoding: .utf8) == key }),
-            let value = decrypt(bytes[index + 1]) else { return nil }
-        return String(data: Data(value), encoding: .utf8)
-    }
-
-    private func decrypt(_ input: [UInt8]) -> [UInt8]? {
-        let key = bytes[0]
-        guard !key.isEmpty else { return nil }
-        var output = [UInt8]()
-        for byte in input.enumerated() {
-            output.append(byte.element ^ key[byte.offset % key.count])
-        }
-        return output
-    }
-}