mrf 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5fc41767656e9989ea870601651285a29fe56fae
+  data.tar.gz: 309300c96ba06e96bd5f6cd3d4da521b946257ca
+SHA512:
+  metadata.gz: f03cb839f4233d267a50cdbacaa703a9f99155f198e1e2d12edf389a83dd09677d61c9914827180e750c9e2235498ce02d32aa3a66180277efd655b2a1910699
+  data.tar.gz: df57b7057f34fa6afa6c916fe1e78b218597b390b964466c2d94ff48f5c27c504f7c58476b3b0430fd5bdbba1d529272f87652df1d51d4ff84c0510f57c34ef3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in mrf.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,44 @@
+PATH
+  remote: .
+  specs:
+    mrf (0.0.1)
+      capistrano
+      gpgme
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    capistrano (2.15.5)
+      highline
+      net-scp (>= 1.0.0)
+      net-sftp (>= 2.0.0)
+      net-ssh (>= 2.0.14)
+      net-ssh-gateway (>= 1.1.0)
+    diff-lcs (1.2.4)
+    gpgme (2.0.2)
+    highline (1.6.19)
+    net-scp (1.1.2)
+      net-ssh (>= 2.6.5)
+    net-sftp (2.1.2)
+      net-ssh (>= 2.6.5)
+    net-ssh (2.7.0)
+    net-ssh-gateway (1.2.0)
+      net-ssh (>= 2.6.5)
+    rake (10.1.0)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.5)
+    rspec-expectations (2.14.2)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler
+  mrf!
+  rake
+  rspec

data/README.md

@@ -0,0 +1,55 @@
+# Mr F
+
+## For british eyes only
+
+A libary for uploading gpg secrets with capistrano.
+
+put your secrets in a gpg encrypted file.
+In rails the default is `config/secrets.{{Rails.env}}.yml.gpg`
+
+Then add mrf to you deploy script like this
+
+```ruby
+require 'mrf/capistrano'
+
+after "deploy", "mrf:upload_secrets"
+```
+
+This will upload the files listed in secrets to the same folder as your secrets
+file but on the server.
+
+## A Example secrets file
+
+```yaml
+database.yml:
+  production:
+    adapter: mysql
+	database: my_db
+	username: 0a1cd3bc-96fa-71d1-4338-27092ca4cfa5
+	password: 070f1f0b-2454-3ffa-4aa2-d6e0652d03fe
+
+other_service.yml:
+  production:
+    password: 115024d2-7c74-326e-c9ec-064f42d08b31
+	username: 1e27a053-60a4-af61-f38d-9f1f123740d6
+```
+
+## Configuration
+
+The above example is the default behavior but you can configure it with `MrF::Project.configure`
+
+```ruby
+MrF::Project.configure do |project|
+  project.project_root = Rails.root
+  project.gpg_passphrase = '1234' # default is to ask you for it with the console
+  project.env = 'sandbox' # default is to use MRF_ENV or RAILS_ENV
+end
+```
+
+## Running the specs
+
+```shell
+bundle install # install deps
+./scripts/import_test_keys
+rake # runs the tests
+```

data/Rakefile

@@ -0,0 +1,29 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'MrF'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new do |t|
+  # t.warning = true  # We would like to run with warning true, but capybara gives to many warnings.
+end
+
+desc "Run all specs in spec directory (excluding plugin specs)"
+task :default => :spec

data/lib/mrf/capistrano.rb

@@ -0,0 +1,18 @@
+require 'mrf'
+
+Capistrano::Configuration.instance(:must_exist).load do
+  namespace :mrf do
+
+    desc("Uppload Secrets")
+    task :upload_secrets do
+      secret_path = fetch(:mrf_secrets_path)
+      config_dir = fetch(:mrf_remote_config_dir, File.join(release_path, "config"))
+
+      MrF::Project.new(
+        secrets_path: secret_path
+      ).unpack_secrets.each do |filepath, content|
+        upload(content, File.join(config_dir, filepath))
+      end
+    end
+  end
+end

data/lib/mrf/keyring.rb

@@ -0,0 +1,68 @@
+require 'rubygems'
+require 'bundler'
+require 'gpgme'
+require 'yaml'
+require 'io/console'
+
+module MrF
+  class Keyring
+    attr_accessor :path, :recipients
+    attr_reader :gpg_passphrase
+
+    def initialize (opts = {})
+      @path = opts.fetch(:path)
+      @gpg_passphrase = opts[:gpg_passphrase]
+    end
+
+    def data
+      return @data if @data
+      if File.exists?(path)
+        raw_text = crypto.decrypt(File.open(path), passphrase_callback: method(:passfunc))
+        @data = YAML.load(raw_text.to_s)
+      else
+        @data = {}
+      end
+    end
+
+    def passfunc (obj, uid_hint, passphrase_info, prev_was_bad, fd)
+      # Use known passphrase when given
+      if @gpg_passphrase
+        io = IO.for_fd(fd, 'w')
+        io.puts(@gpg_passphrase)
+        io.flush
+        return
+      end
+
+      # Try from keychain
+      key_id = passphrase_info.split(' ').first
+      key_id = uid_hint[/<[^<>]*>$/].tr("<>", "")
+      dump = `security -q find-generic-password -s "gpg-#{key_id}" -g 2>&1`
+      password = dump[/password: "(.*)"/, 1]
+
+      if password
+        io = IO.for_fd(fd, 'w')
+        io.puts(password)
+        io.flush
+        return
+      end
+
+      # Prompt user
+      begin
+        console = IO.console
+        console.write("Passphrase for #{uid_hint}: ")
+        console.noecho do |noecho|
+          io = IO.for_fd(fd, 'w')
+          io.puts(noecho.gets)
+          io.flush
+        end
+        console.puts
+      ensure
+        (0 ... $_.length).each do |i| $_[i] = ?0 end if $_
+      end
+    end
+
+    def crypto
+      @crypto ||= GPGME::Crypto.new
+    end
+  end
+end

data/lib/mrf/project.rb

@@ -0,0 +1,25 @@
+require 'yaml'
+module MrF
+  class Project
+    attr_accessor :gpg_passphrase
+    attr_accessor :secrets_path
+
+    def initialize (opts={})
+      @secrets_path   = opts.fetch(:secrets_path)
+      @gpg_passphrase = opts.fetch(:gpg_passphrase, nil)
+    end
+
+    def unpack_secrets
+      raise "File not found: #{secrets_path}" unless File.exists?(secrets_path)
+      keyring = Keyring.new(
+        path: secrets_path,
+        gpg_passphrase: gpg_passphrase
+      )
+
+      keyring.data.reduce({}) do |acc, (filename, data)|
+        content = StringIO.new(YAML.dump(data))
+        acc.merge(filename => content)
+      end
+    end
+  end
+end

data/lib/mrf/version.rb

@@ -0,0 +1,3 @@
+module MrF
+  VERSION = "0.0.2"
+end

data/lib/mrf.rb

@@ -0,0 +1,4 @@
+module MrF
+  require_relative 'mrf/keyring'
+  require_relative 'mrf/project'
+end

data/mrf.gemspec

@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'mrf/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "mrf"
+  spec.author           = 'PugglePay Dev'
+  spec.version       = MrF::VERSION
+  spec.summary       = "Rails Application Secrets With GPG"
+  spec.description   = "Rails Application Secrets With GPG"
+  spec.homepage      = "https://github.com/pugglepay/mrf"
+  spec.license       = "MIT"
+  spec.authors       = ["Patrik Kårlin", "Jean-Louis Giordano", "Magnus Rex"]
+  spec.email         = ["dev@pugglepay.com"]
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = '>= 1.9.3'
+
+  spec.add_dependency "gpgme"
+  spec.add_dependency "capistrano"
+
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency 'rspec'
+end

data/scripts/import_test_keys

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "Importing tests keys"
+gpg --import spec/fixtures/tobias.public.key
+gpg --import spec/fixtures/tobias.secret.key

data/spec/fixtures/tobias.public.key

@@ -0,0 +1,20 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.14 (Darwin)
+
+mI0EUjhKkQEEALty6UZG8oUDqahv3TaLy7iKuDWNg/ha0kO00ygxsKOEuuMTeSBn
+wj1/TGloEVnaQe4Pk6btcfXDU5D0bkQWIMFF4JOh77HPsYu0W4n+UPAtgtUcmJnI
+9Ao6/riRnwX7Trd2vyPY2vIGEqIm9xMgXaXQtawjg6R9ugsBNU5S7VOrABEBAAG0
+LVRvYmlhcyBGdW5rZSAoTXIgRikgPHRvYmlhc0BibHVlbWFuZ3JvdXAub3JnPoi4
+BBMBAgAiBQJSOEqRAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBxhAM8
+CRq3AUuzA/sEhWJXT73oS8pVQsZG0c87a9mKXsBH5YvwESTbZsaUWYaNHEFiZ+zh
+NObMk874pKmVKCwDP+F5eXIpiUcvcKAzTUZSLTSCqmpn6mkyG+CzmXmBiZOj2zaK
+4i42LUQXI0t/6hzAyAG0RCbbLOOFGpI6rhpMhuP68buxgZE3JESxlriNBFI4SpEB
+BAC/vA4rhjxY/oKZi6niddzPSofRxvnSCt731sOG1uPVBQeMa9oboAbjKoeb5Rry
+b6anotzGTYhFnoBw9OXa+3vygOql9D5U4JeIaL4VNhv9gyp98FwJgRY/GPfMtRgo
+jxt3uvj3mZM73k5jW8lihS7pyUoG6LrxKUURFNyWmze3dQARAQABiJ8EGAECAAkF
+AlI4SpECGwwACgkQcYQDPAkatwF6uQP9HlGTIqLwrin7Nfh1Jg/+L0+Etl5U/S2M
+JiPjx5MmDXt+fIVt4rpXBnfRswrtVgEnM8IJ7NrnFOJmUEAL8EHJFmJIZZMSJ5zp
+TjLoZKmR2Lx9atanwqQWEeb3K+ImTRSnyD1AujdrVbZ6DMPkJ5RU9JjEQiPsWAQw
+Df1TFjBUAG8=
+=i+s/
+-----END PGP PUBLIC KEY BLOCK-----

data/spec/fixtures/tobias.secret.key

@@ -0,0 +1,35 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.14 (Darwin)
+
+lQH+BFI4SpEBBAC7culGRvKFA6mob902i8u4irg1jYP4WtJDtNMoMbCjhLrjE3kg
+Z8I9f0xpaBFZ2kHuD5Om7XH1w1OQ9G5EFiDBReCToe+xz7GLtFuJ/lDwLYLVHJiZ
+yPQKOv64kZ8F+063dr8j2NryBhKiJvcTIF2l0LWsI4OkfboLATVOUu1TqwARAQAB
+/gMDAremiA+pJjFcYPk8Ox0ynig50LCn1QuTja77+/ZjGoYsO9e7l11/6YcAGSb6
+e6zKkQqiSXUOLS912pRQk976Xl0mXLzQCLEufkdooh9SrQjfRoZVulwIjtrJj/CC
+r4iCSFyilrZOeSNIVGMXjkvSykHkiKc8XJiC3iXvaZa9nxJZOfvCVOW80NaNwDEv
+h7a1va+vlQAtlkiplXt/n2Y+4TfY2PjZnBC2hXn7FRxj45upOxuTo1B4RSEiN+8q
+IP3jbBSeq11Z7KMJXH/mEKRdjdxSFql9gnhX3XvWMifTULbw5ynur8ZKc8J99kGU
+/NYEo197z5KjvG5iBlHgiv7tGQOcpETaN635X2er95itKwdOhda0chJY2u4TybSn
+ali2e6GVk0qFmv5Q74I/j/YqzCX02K1LOkVsWvFS+7LE/tZejtovFSv8bTnXrxTa
+Q4lEjfIKPXH1Ckw08mLx2FtpQYbSdIrGLZxPmfMsKXH2tC1Ub2JpYXMgRnVua2Ug
+KE1yIEYpIDx0b2JpYXNAYmx1ZW1hbmdyb3VwLm9yZz6IuAQTAQIAIgUCUjhKkQIb
+AwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQcYQDPAkatwFLswP7BIViV0+9
+6EvKVULGRtHPO2vZil7AR+WL8BEk22bGlFmGjRxBYmfs4TTmzJPO+KSplSgsAz/h
+eXlyKYlHL3CgM01GUi00gqpqZ+ppMhvgs5l5gYmTo9s2iuIuNi1EFyNLf+ocwMgB
+tEQm2yzjhRqSOq4aTIbj+vG7sYGRNyREsZadAf0EUjhKkQEEAL+8DiuGPFj+gpmL
+qeJ13M9Kh9HG+dIK3vfWw4bW49UFB4xr2hugBuMqh5vlGvJvpqei3MZNiEWegHD0
+5dr7e/KA6qX0PlTgl4hovhU2G/2DKn3wXAmBFj8Y98y1GCiPG3e6+PeZkzveTmNb
+yWKFLunJSgbouvEpRREU3JabN7d1ABEBAAH+AwMCt6aID6kmMVxgiqLxlLOL1l53
+erOOeSIUMkGG9odtsVNCk/Ot/5nhMGbolZ5tZlCoatwC3T3ZBSbKG6pElTb53sXn
+ORGRUPD/bUxDHLe+6jF8BuW0l/SkpBQ2265MTyF9EQE59JVibm+75nHhA8DZzUaz
+fkKNXcEqQaB2oiBVD+BH5Io51aUFtZTcahSUtK+2GK1IKiSfRA/kF8ZkbjXMURcY
+qil68hGVR6CNXgoCtbDK5TFueGiGu+p9lsrMexmvp+zxPtpQN+ewaWsIajfpcXPg
+evl/Vw/5v/IPMJPMG3qiqZTEPaf/NWdO+wkCd1Q0CsIMiYQbBQmXgh7YOxK5y62q
+J7biPD+G2txFWT1xlDjW9FTIiTp0vOvpD4YQ/ehxyhWgMmDHoSb6ed5pLpAiLkgb
+/1TNVkdeigkRdO/2nu92uLMENJP2QSGKEH0cX5ao8jmiRz84T69pgOH9nyQeyy1C
+pSpEQlhITl0m/YifBBgBAgAJBQJSOEqRAhsMAAoJEHGEAzwJGrcBerkD/R5RkyKi
+8K4p+zX4dSYP/i9PhLZeVP0tjCYj48eTJg17fnyFbeK6VwZ30bMK7VYBJzPCCeza
+5xTiZlBAC/BByRZiSGWTEiec6U4y6GSpkdi8fWrWp8KkFhHm9yviJk0Up8g9QLo3
+a1W2egzD5CeUVPSYxEIj7FgEMA39UxYwVABv
+=NGkh
+-----END PGP PRIVATE KEY BLOCK-----

data/spec/mrf/keyring_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+require 'io/console'
+
+
+module MrF
+  describe Keyring do
+    it "can get retrive data from keyring" do
+      keyring = Keyring.new(
+        path: fixture_path('app.yml.gpg'),
+        gpg_passphrase: '1234'
+      )
+
+      expect(keyring.data).to eq('production' => { 'secret' => 'hello' })
+    end
+
+    it "can retrive passphrase from console if no passphrase is given" do
+      console = double("IO::Console")
+      expect(console).to receive(:write).with(
+        "Passphrase for EEF971D578000737 Tobias Funke (Mr F) <tobias@bluemangroup.org>: "
+      )
+      expect(console).to receive(:noecho).and_yield(double("FD", gets: "1234"))
+      expect(console).to receive(:puts)
+      expect(IO).to receive("console").and_return(console)
+
+      keyring = Keyring.new(path: fixture_path('app.yml.gpg'))
+      expect(keyring.data).to eq('production' => { 'secret' => 'hello' })
+    end
+  end
+end

data/spec/mrf/project_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+module MrF
+  describe Project do
+    before do
+      @project = Project.new(
+        secrets_path: fixture_path("config/secrets.production.yml.gpg"),
+        gpg_passphrase: '1234'
+      )
+    end
+
+    it "can unpack secrets" do
+      files = @project.unpack_secrets
+
+      expect(YAML.load(files["database.yml"].string)).
+        to eq("production" => {"host" => "some_host"})
+
+      expect(YAML.load(files["app.yml"].string)).
+        to eq("production" => {"password" => "some_password"})
+    end
+
+    it "raises error if file does not exist" do
+      @project.secrets_path = "not_found"
+      expect { @project.unpack_secrets }.to raise_error
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,19 @@
+require 'rspec/autorun'
+
+require_relative '../lib/mrf'
+
+# Load support files
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
+
+RSpec.configure do |config|
+  config.mock_with :rspec
+  config.order = "random"
+end
+
+def fixture_path (path)
+  File.join(File.dirname(__FILE__), "fixtures/#{path}")
+end
+
+def fixture (path)
+  File.read(fixture_path(path))
+end

metadata

@@ -0,0 +1,143 @@
+--- !ruby/object:Gem::Specification
+name: mrf
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Patrik Kårlin
+- Jean-Louis Giordano
+- Magnus Rex
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-09-23 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: gpgme
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: capistrano
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Rails Application Secrets With GPG
+email:
+- dev@pugglepay.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- lib/mrf.rb
+- lib/mrf/capistrano.rb
+- lib/mrf/keyring.rb
+- lib/mrf/project.rb
+- lib/mrf/version.rb
+- mrf.gemspec
+- scripts/import_test_keys
+- spec/fixtures/app.yml.gpg
+- spec/fixtures/config/secrets.production.yml.gpg
+- spec/fixtures/config/secrets.sandbox.yml.gpg
+- spec/fixtures/tobias.public.key
+- spec/fixtures/tobias.secret.key
+- spec/mrf/keyring_spec.rb
+- spec/mrf/project_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/pugglepay/mrf
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: 1.9.3
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.1.3
+signing_key: 
+specification_version: 4
+summary: Rails Application Secrets With GPG
+test_files:
+- spec/fixtures/app.yml.gpg
+- spec/fixtures/config/secrets.production.yml.gpg
+- spec/fixtures/config/secrets.sandbox.yml.gpg
+- spec/fixtures/tobias.public.key
+- spec/fixtures/tobias.secret.key
+- spec/mrf/keyring_spec.rb
+- spec/mrf/project_spec.rb
+- spec/spec_helper.rb