muchkeys 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 78189f815bc07abd0764251e38f50d803325dd32
-  data.tar.gz: d1c41a5c3a82c5f2e97b4a434ee25f38ffaa7cff
+  metadata.gz: e81c8deded76555843a5242334ae71417521d1f3
+  data.tar.gz: 3c71a228e84eb175b81cec46fa903140dcf76006
 SHA512:
-  metadata.gz: bb82cbe29730794b1bcc05005b9761b24723fc58fd551b70a7f3743ddd266ce9cebdd97b54ad9fdd783651c8785c3cb831835554c078039e19b8a1a7e9244bc3
-  data.tar.gz: 2ba20955c3daec345019303d176081881fa9da8a69837f4a2e1b7196635414d5d5eae1fd0be45651fb86c399aed3482a3c582b411b7bcdec2418c09503377777
+  metadata.gz: c635fa24d92c441d5e777238c3beed8472942704a8efb0d907e504ec2f72f08ad6ab6c5ee02ffe61bd81405b277c414a8341d1041e998cde631b85b7b16a896d
+  data.tar.gz: 572192537944c62a1960be30603f9be0cc0e6de4a5383af8f4c271a47d9395a1a5cf30137d65260c6f667bff813e3617c061415f860b59ed25ca7e24f122815c

data/Dockerfile

@@ -0,0 +1,16 @@
+# pull our ruby version
+FROM ruby:2.3.1-alpine
+MAINTAINER goldstarevents
+
+RUN apk update && apk add bash build-base git gcc abuild binutils binutils-doc gcc-doc
+RUN gem install bundler
+
+WORKDIR /gem/
+ADD . /gem/
+RUN bundle install
+
+VOLUME .:/gem/
+
+ENTRYPOINT ["bundle", "exec"]
+CMD ["rake", "-T"]
+

data/README.md

@@ -1,4 +1,4 @@
-# MuchKeys
+# Muchkeys
 
     ─────────▄──────────────▄
     ────────▌▒█───────────▄▀▒▌
@@ -21,7 +21,7 @@
     ──▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▀▀
 
 
-MuchKeys lets you store your application keys in consul and then leverages many conventions to create a
+Muchkeys lets you store your application keys in consul and then leverages many conventions to create a
 pleasant API.  Keys in this context can mean application settings, knobs, dials, passwords, api keys
 or anything.  It's primary use is in production where it will check to see if a ENV variable exists first and then
 search consul for a key based on an opinionated hierarchy convention.
@@ -29,7 +29,7 @@ search consul for a key based on an opinionated hierarchy convention.
 You will want to read below about the convention and assumptions first to see if this works for
 you.
 
-MuchKeys also has a way of using encrypted secrets stored in consul.  MuchKeys has a command line interface to help you encrypt or read secrets stored in consul.
+Muchkeys also has a way of using encrypted secrets stored in consul.  Muchkeys has a command line interface to help you encrypt or read secrets stored in consul.
 
 
 ## Installation
@@ -62,10 +62,10 @@ a central configuration store while retaining control of your local development
 <%= MUCHKEYS['widget_api_key'] %>
 ```
 
-Now the `widget_api_key` is coming from a central location.  Devs can override `widget_api_key` with an ENV setting.  `export WIDGET_API_KEY="development_key76"`  MuchKeys defers to ENV when
+Now the `widget_api_key` is coming from a central location.  Devs can override `widget_api_key` with an ENV setting.  `export WIDGET_API_KEY="development_key76"`  Muchkeys defers to ENV when
 it sees one set.
 
-MuchKeys will look in consul (a key/value store) for keys (settings/secrets/knobs to turn).
+Muchkeys will look in consul (a key/value store) for keys (settings/secrets/knobs to turn).
 It searches in an order of convention.  It is also assuming you want to use git2consul
 to enable your developers to add their own keys.  Git2consul syncs a git repo to consul.
 
@@ -82,7 +82,7 @@ and this is something new to the app.
 * Ops wasn't involved.  Developers are empowered.
 
 
-MuchKeys does this magic through a search order.  It searches consul for the key
+Muchkeys does this magic through a search order.  It searches consul for the key
 in certain order: (notice that the key isn't prefixed when you look up `twitter_api_key` with
 `MUCHKEYS['twitter_api_key']`)
 
@@ -99,7 +99,7 @@ The above `feed_reader` is detected from `Rails.application`.  If you don't have
 the application name in the configure block:
 
 ```
-MuchKeys.configure do |config|
+Muchkeys.configure do |config|
   config.application_name = "rack_app"
 end
 ```
@@ -107,7 +107,7 @@ end
 The order and paths that it searches is configurable:
 
 ```
-MuchKeys.configure do |config|
+Muchkeys.configure do |config|
   config.search_paths = %W(
     app_name/keys app_name/secrets shared/keys shared/secrets
   )
@@ -129,7 +129,7 @@ your keys and secrets organized like this (one deep nesting).  This is configura
 ```
 # if you don't put your secrets in something like shared/secrets/
 # but shared/passwords/
-MuchKeys.configure do |config|
+Muchkeys.configure do |config|
   config.secrets_path_hint = "passwords/"
 end
 ```
@@ -148,7 +148,7 @@ done.  If you need to override defaults, create an initializer.
 
 ```
 # config/initializers/muchkeys.rb
-MuchKeys.configure do |config|
+Muchkeys.configure do |config|
   # your settings if desired
 end
 ```
@@ -179,12 +179,12 @@ openssl req -new -newkey rsa:4096 -nodes -x509 -keyout /tmp/self_signed_test.pem
 ```
 
 ```ruby
-MuchKeys.configure do |config|
+Muchkeys.configure do |config|
   config.public_key  = "/tmp/self_signed_test.pem"
   config.private_key = "/tmp/self_signed_test.pem"
 end
 
-puts MuchKeys::Secret.encrypt_string("bacon is just ok").to_s
+puts Muchkeys::Secret.encrypt_string("bacon is just ok").to_s
 # => -----BEGIN PKCS7-----
 # => MIICuwYJKoZIhvcNAQcDoIICrDCCAqgCAQAxggJuMIICagIBADBSMEUxCzAJ ...
 # => ...
@@ -192,28 +192,28 @@ puts MuchKeys::Secret.encrypt_string("bacon is just ok").to_s
 # Copy and paste this into consul under a key: ie: secrets/fake
 
 # Now you can fetch the secret with the same public key.
-MuchKeys::Secret.get_consul_secret('secrets/fake')
+Muchkeys::Secret.get_consul_secret('secrets/fake')
 # => bacon is just ok
 ```
 
 Inside your app:
 ```ruby
 # inside a rails initializer or other setup file you have
-MuchKeys.configure do |config|
+Muchkeys.configure do |config|
   config.consul_url = "http://myrealhost"             # Default is "http://localhost:8500"
   config.public_key  = "path to public .pem"          # this is only required if you are encrypting secrets
   config.private_key = "path to private .pem"         # this is only required if you are encrypting secrets
 end
 
 # then inside your YAML or app:
-MuchKeys.fetch_key('number_of_threads')
+Muchkeys.fetch_key('number_of_threads')
 # goes to git/config/myapp/number_of_threads in consul
 ```
 
 
 ## Automagic Certificates
 
-MuchKeys can find certs automatically in `~/.keys`.  `MuchKeys.fetch_key("git/waffles/secrets/a_password")` will try to decrypt `a_password`
+Muchkeys can find certs automatically in `~/.keys`.  `Muchkeys.fetch_key("git/waffles/secrets/a_password")` will try to decrypt `a_password`
 with a cert called `~/.keys/waffles.pem`.  The private key can be in the same file but should be protected
 with file permissions `0600`.
 
@@ -232,12 +232,12 @@ $ muchkeys -d --public_key=~/.keys/staging.pem --private_key=~/.keys/staging.pem
 You can fetch individual keys if you want.
 
 ```bash
-ruby -e 'require "muchkeys"; puts MuchKeys.fetch_key("mail_server")'
+ruby -e 'require "muchkeys"; puts Muchkeys.fetch_key("mail_server")'
 # => smtp.example.com (from consul)
 ```
 
 ```bash
-mail_server=muffin.ninja.local ruby -e 'require "muchkeys"; puts MuchKeys.fetch_key("mail_server")'
+mail_server=muffin.ninja.local ruby -e 'require "muchkeys"; puts Muchkeys.fetch_key("mail_server")'
 # => muffin.ninja.local (from ENV)
 ```
 
@@ -257,7 +257,7 @@ to change a setting and some things might be shared between apps like URLs, api
 
 Searching multiple paths in consul is because consul is hierarchical (or can be) and ENV is not.
 Making an easy to use API that looks and behaves like `ENV` was one of the goals to make
-it more familiar to developers.  So worst case, by default, MuchKeys will search consul 4 times
+it more familiar to developers.  So worst case, by default, Muchkeys will search consul 4 times
 to find a key.
 
 Encrypted secrets can be slightly more clunky.  Developers may not have signing keys,

data/circle.yml

@@ -1,10 +1,26 @@
 machine:
-  ruby:
-    version: 2.1.6
+  pre:
+    - curl -sSL https://s3.amazonaws.com/circle-downloads/install-circleci-docker.sh | bash -s -- 1.10.0
+  services:
+    - docker
   timezone:
     Etc/GMT
 
-checkout:
-  post:
-    - gem install bundler -v 1.12.4
+dependencies:
+  override:
+    - docker login -e $DOCKER_EMAIL -u $DOCKER_USER -p $DOCKER_PASS quay.io
+    - sudo apt-get install python-dev
+    - sudo pip install --upgrade docker-compose==1.8.0
 
+database:
+  override:
+    - echo "no db for you"
+
+test:
+  pre:
+    - docker-compose build
+  override:
+    - docker-compose run default bash -c -l "bundle exec rspec":
+        parallel: true
+        files:
+          - spec/**/*_spec.rb

data/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '2'
+services:
+
+  consul:
+    image: consul
+    ports:
+      - '8500:8500'
+
+  default:
+    build: .
+    command: bash -l -c 'sleep 2 && bundle exec rspec spec'
+    links:
+      - consul
+    volumes:
+      - .:/gem/

data/exe/muchkeys

@@ -2,4 +2,4 @@
 
 require "muchkeys"
 
-MuchKeys::CLI.start
+Muchkeys::CLI.start

data/lib/muchkeys/application_client.rb

@@ -0,0 +1,151 @@
+require "active_support/configurable"
+require "active_support/core_ext/object/blank"
+require "active_support/core_ext/module/delegation"
+require "active_support/core_ext/hash"
+require "active_support/core_ext/enumerable"
+
+class Muchkeys::ApplicationClient
+  attr_accessor :config, :secret_adapter, :key_validator, :client
+
+  delegate :certfile_name, :encrypt_string, :decrypt_string, :is_secret?, to: :secret_adapter
+  delegate :valid_key_name?, to: :key_validator
+  delegate :application_name, :consul_url, to: :config
+
+  def initialize(config = Muchkeys.config)
+    @config = config
+    @secret_adapter = Muchkeys::Secret.new(self)
+    @key_validator = Muchkeys::KeyValidator.new(self)
+    @client = Muchkeys::ConsulClient.new(self)
+  end
+
+  def allow_unsafe_operation
+    client.unsafe = true
+    yield
+  ensure
+    client.unsafe = false
+  end
+
+  def set_app_key(key, value, type: nil, **options)
+    set_key(key, value, scope: :application, type: type, **options)
+  end
+
+  def set_shared_key(key, value, type: nil, **options)
+    set_key(key, value, scope: :shared, type: type, **options)
+  end
+
+  def set_key(key, value, scope: nil, type: nil, **options)
+    if scope && type
+      key = construct_key_path(key, scope, type) || key
+    end
+
+    if type == :secret
+      value = secret_adapter.encrypt_string(value.chomp, config.public_key).to_s
+    end
+
+    client.put(value, key, **options)
+  end
+
+  def delete_key(key)
+    client.delete(key)
+  end
+
+  def first(key_name)
+    # http://stackoverflow.com/questions/17853912/ruby-enumerables-is-there-a-detect-for-results-of-block-evaluation
+    # weirdly, this seems to be the most straightforward method of doing this
+    # without a monkey patch, as there is neither a core method that returns
+    # the first non-nil result of evaluating the block, or a lazy compact
+    search_paths(key_name).detect { |path| v = fetch_key(path) and break v }
+  end
+
+  def all(key_name)
+    search_paths(key_name).map { |path| fetch_key(path) }.compact
+  end
+
+  def search_paths(key_name = nil)
+    application_search_paths.map { |p| [p, key_name].join('/') }
+  end
+
+  def fetch_key(key_name, public_key: nil, private_key: nil)
+    if is_secret?(key_name)
+      fetch_secret_key(key_name, public_key, private_key)
+    else
+      fetch_plain_key(key_name)
+    end
+  end
+
+  def known_keys
+    @known_keys ||= application_search_paths
+      .map { |path| client.get(path, recursive: true) }
+      .compact
+      .each_with_object([]) { |response, keys| keys << parse_recurse_response(response) }
+      .flatten
+      .uniq
+  end
+
+  def each_path
+    known_keys.each do |key|
+      search_paths(key).each do |path|
+        yield path if fetch_key(path)
+      end
+    end
+  end
+
+  def verify_keys(*required_keys)
+    if (required_keys - known_keys).any?
+      # if there are any required keys (in the .env file) that are not known
+      # about by the app's consul space, raise an error
+      raise Muchkeys::KeyNotSet, "Consul isn't set with any keys for #{required_keys - known_keys}."
+    end
+  end
+
+  private
+
+  def application_search_paths
+    @application_search_paths ||= config.search_paths.collect { |path|
+      path % { application_name: config.application_name }
+    }
+  end
+
+  def construct_key_path(key, scope, type)
+    found_paths = application_search_paths.select { |path|
+      case
+      when scope == :application && type == :secret
+        path.include?(application_name) && is_secret?(path)
+      when scope == :application && type == :config
+        path.include?(application_name) && !is_secret?(path)
+      when scope == :shared && type == :secret
+        !path.include?(application_name) && is_secret?(path)
+      when scope == :shared && type == :config
+        !path.include?(application_name) && !is_secret?(path)
+      else
+        false
+      end
+    }
+
+    raise AmbigousPath, "This key could go in multiple folders, please provide full path" if found_paths.many?
+
+    [found_paths.first, key].join("/")
+  end
+
+  def parse_recurse_response(response)
+    JSON.parse(response)
+      .collect { |r| r['Key'].rpartition("/").last }
+      .reject(&:empty?)
+  end
+
+  def fetch_plain_key(key_name)
+    client.get(key_name).presence
+  end
+
+  def fetch_secret_key(key_name, public_key=nil, private_key=nil)
+    result = fetch_plain_key(key_name)
+
+    # Don't try to decrypt if the value is nil
+    return nil if result.blank?
+
+    public_pem  = public_key || certfile_name(key_name)
+    private_pem = private_key || certfile_name(key_name)
+
+    decrypt_string(result, public_pem, private_pem)
+  end
+end

data/lib/muchkeys/cli.rb

@@ -1,50 +1,145 @@
 require 'thor'
 
-module MuchKeys
+module Muchkeys
   class CLI < Thor
     include Thor::Actions
 
     map %w[--version -v] => :__version
 
-    class_option :consule_url, type: :string, default: 'http://localhost:8500'
+    class_option :consul_url, type: :string, default: 'http://localhost:8500'
 
     desc "encrypt FILE", "encrypt keys from a file to put in consul"
     method_option :public_key, type: :string, required: true
     def encrypt(file)
-      say MuchKeysExecutor.encrypt(file, options[:public_key])
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say MuchkeysExecutor.encrypt(file, options[:public_key])
     end
 
     desc "decrypt KEY", "decrypt keys from consul"
     method_option :public_key, type: :string, required: true
     method_option :private_key, type: :string, required: true
     def decrypt(consul_key)
-      say MuchKeysExecutor.decrypt(consul_key, options[:public_key], options[:private_key])
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say MuchkeysExecutor.decrypt(consul_key, options[:public_key], options[:private_key])
+    end
+
+    desc "check", "ensure that all keys in .env in CWD are present in consul"
+    def check(app_name)
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say MuchkeysExecutor.check(app_name)
+    end
+
+    desc "list", "list all keys in Application"
+    def list(app_name)
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say MuchkeysExecutor.list(app_name)
     end
 
     desc "fetch KEY", "fetch plaintext key from consul"
     def fetch(consul_key)
-      say MuchKeysExecutor.fetch(consul_key)
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say MuchkeysExecutor.fetch(consul_key)
+    end
+
+    desc "store DATA KEY", "store data a particular key"
+    method_option :public_key, type: :string
+    method_option :private_key, type: :string
+    def store(data, consul_key)
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say MuchkeysExecutor.store(consul_key, data, public_key: options[:public_key], private_key: options[:private_key])
+    end
+
+    desc "wipeout", "clear Consul"
+    method_option :app_name, type: :string
+    def wipeout
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      unless yes?("Really clear consul instance at #{Muchkeys.config.consul_url}?", Thor::Shell::Color::RED)
+        say "Nothing done!"
+      else
+        say MuchkeysExecutor.wipeout(app_name: options[:app_name])
+      end
+    end
+
+    desc "delete", "remove key"
+    def delete(key)
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say MuchkeysExecutor.delete(key)
     end
 
     desc "--version", "Print the version"
     def __version
-      say MuchKeys::VERSION
+      Muchkeys.configure { |c| c.consul_url = options[:consul_url] }
+      say Muchkeys::VERSION
     end
 
-    module MuchKeysExecutor
+    module MuchkeysExecutor
       extend self
 
       def encrypt(file, public_key)
         string_to_encrypt = File.read(file)
-        MuchKeys::Secret.encrypt_string(string_to_encrypt, public_key)
+        Muchkeys::ApplicationClient.new.secret_adapter.encrypt_string(string_to_encrypt.chomp, public_key)
       end
 
       def decrypt(consul_key, public_key, private_key)
-        MuchKeys.fetch_key(consul_key, public_key: public_key, private_key:private_key)
+        Muchkeys::ApplicationClient.new.fetch_key(consul_key, public_key: public_key, private_key: private_key)
+      end
+
+      def store(consul_key, data, public_key: nil, private_key: nil)
+        Muchkeys.configure { |c| c.public_key = public_key; c.private_key = private_key }
+        app = Muchkeys::ApplicationClient.new(Muchkeys.config)
+
+        if data == "-"
+          data = $stdin.read
+        end
+
+        app.allow_unsafe_operation do
+          if public_key && private_key
+            app.set_key(consul_key, data, type: :secret)
+            "Secret '#{data}' stored in #{consul_key}"
+          else
+            app.set_key(consul_key, data)
+            "'#{data}' stored in #{consul_key}"
+          end
+        end
+      end
+
+      def list(app_name)
+        Muchkeys.configure { |c| c.application_name = app_name }
+        keys = Muchkeys::ApplicationClient.new(Muchkeys.config).known_keys
+
+        keys.join("\n")
+      end
+
+      def check(app_name)
+        Muchkeys.configure { |c| c.application_name = app_name }
+        Muchkeys::ApplicationClient.new(Muchkeys.config).verify_keys(*Muchkeys.env_keys)
+
+        "All keys present and accounted for."
+      end
+
+      def wipeout(app_name: nil)
+        Muchkeys.configure { |c| c.application_name = app_name }
+        app = Muchkeys::ApplicationClient.new
+        app.allow_unsafe_operation do
+          app.each_path do |path|
+            app.delete_key(path)
+          end
+        end
+
+        "Everything deleted!"
+      end
+
+      def delete(consul_key)
+        app = Muchkeys::ApplicationClient.new
+        app.allow_unsafe_operation do
+          app.delete_key(consul_key)
+        end
+
+        "Key #{consul_key} deleted"
       end
 
       def fetch(consul_key)
-        MuchKeys.fetch_key(consul_key)
+        Muchkeys::ApplicationClient.new.fetch_key(consul_key)
       end
     end
   end

data/lib/muchkeys/consul_client.rb

@@ -0,0 +1,51 @@
+class Muchkeys::ConsulClient
+  delegate :config, to: :application
+  class SafetyViolation < StandardError; end
+
+  attr_accessor :application
+
+  def initialize(application)
+    @application = application
+  end
+
+  def unsafe=(toggle)
+    @unsafe = toggle
+  end
+
+  def get(key, recursive: false)
+    url = recursive ? consul_recurse_url(key) : consul_key_url(key)
+    response = Net::HTTP.get_response(url)
+
+    if response.code == "200"
+      response.body
+    else
+      nil
+    end
+  rescue Errno::ECONNREFUSED
+    nil
+  end
+
+  def put(value, key, **options)
+    url = consul_insert_key_url(key, **options)
+    raise SafetyViolation unless @unsafe
+    Net::HTTP.new(url.host, url.port).send_request('PUT', url.request_uri, value)
+  end
+
+  def delete(key)
+    url = consul_key_url(key)
+    raise SafetyViolation unless @unsafe
+    Net::HTTP.new(url.host, url.port).send_request('DELETE', url.request_uri)
+  end
+
+  def consul_key_url(key_name)
+    URI("#{config.consul_url}/v1/kv/#{key_name}?raw")
+  end
+
+  def consul_recurse_url(path)
+    URI("#{config.consul_url}/v1/kv/#{path}?recurse")
+  end
+
+  def consul_insert_key_url(key_name, **query)
+    URI("#{config.consul_url}/v1/kv/#{key_name}?#{query.to_query}")
+  end
+end

data/lib/muchkeys/key_validator.rb

@@ -1,43 +1,47 @@
-module MuchKeys
+module Muchkeys
   class KeyValidator
+    attr_accessor :app_client
+    delegate :config, to: :app_client
 
-    class << self
-
-      # key should pass validation rules
-      def valid? keyname
-        exists?(keyname) &&
-        secret_key_has_namespace?(keyname)
-      end
+    def initialize(app_client)
+      @app_client = app_client
+    end
 
-      def secret_key_namespace keyname
-        match = keyname.match(/^secrets\/(.*?)\/.*/)
-        if match
-          match[1]
-        else
-          ""
-        end
-      end
 
-      def secret_key_has_namespace? keyname
-        if is_secret?(keyname)
-          namespace = secret_key_namespace(keyname)
-          exists?(namespace)
-        else
-          # a plain key passes, it doesn't need a namespace
-          true
-        end
+    # key should pass validation rules
+    def valid?(keyname)
+      exists?(keyname) &&
+        secret_key_has_namespace?(keyname)
+    end
+    alias_method :valid_key_name?, :valid?
+
+    def secret_key_namespace(keyname)
+      match = keyname.match(/^secrets\/(.*?)\/.*/)
+      if match
+        match[1]
+      else
+        ""
       end
+    end
 
-      def is_secret? keyname
-        keyname.match(/^secret/) != nil
+    def secret_key_has_namespace?(keyname)
+      if is_secret?(keyname)
+        namespace = secret_key_namespace(keyname)
+        exists?(namespace)
+      else
+        # a plain key passes, it doesn't need a namespace
+        true
       end
+    end
 
+    def is_secret?(keyname)
+      keyname.match(/^secret/) != nil
+    end
 
-      private
-      def exists? keyname
-        !keyname.nil? && !keyname.empty?
-      end
+    private
 
+    def exists?(keyname)
+      !keyname.nil? && !keyname.empty?
     end
   end
 end

data/lib/muchkeys/rails.rb

@@ -1,19 +1,18 @@
-class MuchKeys::Rails < Rails::Railtie
-  config.before_configuration do
-    MuchKeys.configure do |config|
-      config.application_name = Rails.application.class.parent_name.underscore
-    end
-
-    MuchKeys.populate_environment!(*env_keys)
-  end
+module Muchkeys
+  class Rails < Rails::Railtie
+    config.before_configuration do
+      app_config = YAML.load(File.read(::Rails.root.join("config", "muchkeys.yml")))
+      Muchkeys.configure do |config|
+        config.application_name ||= app_config[:application_name] || ::Rails.application.class.parent_name.underscore
+        config.consul_url       ||= app_config[:consul_url] || "http://localhost:8500"
+        config.keys_dir         ||= app_config[:keys_dir]
+        config.private_key      ||= app_config[:private_key]
+        config.public_key       ||= app_config[:public_key]
+        config.search_paths     ||= app_config[:search_paths]
+        config.secrets_hint     ||= app_config[:secrets_hint]
+      end
 
-
-  def env_keys
-    # parse all environments found in .env and populate them from consul
-    unless File.exists?(Rails.root.join(".env"))
-      raise IOError, ".env files are required for Muchkeys ENV injection to work"
+      Muchkeys.populate_environment!(*Muchkeys.env_keys)
     end
-
-    File.read(Rails.root.join(".env")).each_line.map { |x| x.split("=")[0] }
   end
 end

data/lib/muchkeys/secret.rb

@@ -1,65 +1,69 @@
+require 'active_support/core_ext/module/delegation'
 require 'openssl'
 require 'net/http'
-require 'muchkeys/configuration'
-require 'muchkeys/errors'
 
-
-class MuchKeys::Secret
+class Muchkeys::Secret
   CIPHER_SUITE = "AES-256-CFB"
 
-  class << self
+  attr_accessor :app_client
+
+  delegate :config, to: :app_client
 
-    # the path that clues MuchKeys that this path contains secrets
-    def secrets_path_hint
-      MuchKeys.configuration.secrets_hint || "secrets/"
-    end
+  def initialize(app_client)
+    @app_client = app_client
+  end
 
-    def encrypt_string(val, public_key)
-      cipher = OpenSSL::Cipher.new CIPHER_SUITE
-      cert   = OpenSSL::X509::Certificate.new File.read(public_key)
-      OpenSSL::PKCS7::encrypt([cert], val, cipher, OpenSSL::PKCS7::BINARY)
-    end
+  # the path that clues Muchkeys that this path contains secrets
+  def secrets_path_hint
+    config.secrets_hint || "secrets"
+  end
 
-    # turn a key_name into a SSL cert file name by convention
-    def certfile_name(key_name)
-      key_parts = key_name.match /(.*)\/#{secrets_path_hint}(.*)/
-      raise MuchKeys::InvalidKey, "#{key_name} doesn't look like a secret" if key_parts.nil?
-      key_base = key_parts[1].gsub(/^git\//, "")
-      MuchKeys.configuration.public_key || "#{ENV['HOME']}/.keys/#{key_base}.pem"
-    end
+   def encrypt_string(val, public_key)
+    cipher = OpenSSL::Cipher.new CIPHER_SUITE
+    cert   = OpenSSL::X509::Certificate.new File.read(public_key)
+    OpenSSL::PKCS7::encrypt([cert], val, cipher, OpenSSL::PKCS7::BINARY)
+  end
 
-    def is_secret?(key_name)
-      key_name.match(/\/#{secrets_path_hint}/) != nil
-    end
+  # turn a key_name into a SSL cert file name by convention
+  def certfile_name(key_name)
+    key_parts = key_name.match /(.*)\/#{secrets_path_hint}(.*)/
+    # FIXME this already checked in the secretes validator, we don't need to
+    # check it again
+    raise Muchkeys::InvalidKey, "#{key_name} doesn't look like a secret" if key_parts.nil?
+    key_base = key_parts[1].gsub(/^git\//, "")
+    config.public_key || "#{ENV['HOME']}/.keys/#{key_base}.pem"
+  end
 
-    def auto_certificates_exist_for_key?(key)
-      file_exists?(secret_adapter.certfile_name(key))
-    end
+  def is_secret?(key_name)
+    key_name.match(/\/#{secrets_path_hint}/) != nil
+  end
 
-    def decrypt_string(val, public_key, private_key)
-      cert = OpenSSL::X509::Certificate.new(read_ssl_key(public_key))
-      key  = OpenSSL::PKey::RSA.new(read_ssl_key(private_key))
-      OpenSSL::PKCS7.new(val).decrypt(key, cert)
-    end
+  def auto_certificates_exist_for_key?(key)
+    file_exists?(certfile_name(key))
+  end
 
-    private
+  def decrypt_string(val, public_key = nil, private_key = nil)
+    cert = OpenSSL::X509::Certificate.new(read_ssl_key(public_key))
+    key  = OpenSSL::PKey::RSA.new(read_ssl_key(private_key))
+    OpenSSL::PKCS7.new(val).decrypt(key, cert)
+  end
 
-    def read_ssl_key(file_name)
-      File.read file_name
-    end
+  private
 
-    # Why would we even do this?  For stubbing.
-    def file_exists?(path)
-      File.exist? path
-    end
+  def read_ssl_key(file_name)
+    File.read(file_name)
+  end
 
-    def key_validator
-      MuchKeys::KeyValidator
-    end
+  # Why would we even do this?  For stubbing.
+  def file_exists?(path)
+    File.exist?(path)
+  end
 
-    def secret_adapter
-      MuchKeys::Secret
-    end
+  def key_validator
+    Muchkeys::KeyValidator
+  end
 
+  def secret_adapter
+    Muchkeys::Secret
   end
 end

data/lib/muchkeys/version.rb

@@ -1,3 +1,3 @@
-module MuchKeys
-  VERSION = "0.5.0"
+module Muchkeys
+  VERSION = "0.7.0"
 end

data/lib/muchkeys.rb

@@ -1,175 +1,67 @@
-require "muchkeys/version"
-require "muchkeys/errors"
-require "muchkeys/configuration"
-require "muchkeys/secret"
-require "muchkeys/key_validator"
-require "muchkeys/cli"
-
+require "active_support/configurable"
 require "net/http"
+require "json"
 
-if defined? Rails
+if defined? ::Rails
   require 'muchkeys/rails'
 end
 
-module MuchKeys
-
-  # revealing intention
-  module BlankKey; false; end
-
-
-  class << self
-    attr_accessor :configuration
-
-    def configure
-      self.configuration ||= MuchKeys::Configuration.new
-      if block_given?
-        yield configuration
-      end
-    end
-
-    def populate_environment!(*keys)
-      keys.each do |key|
-        ENV[key] = MuchKeys.find_first(key)
-      end
-      nil
-    end
-
-    # this is the entry point to the ENV-like object that devs will use
-    def find_first(key_name)
-      unless MuchKeys.configuration.search_paths
-        raise MuchKeys::UnknownApplication, "Can't detect app name and application_name isn't set." if !application_name
-      end
-
-      consul_paths_to_search = search_order(application_name, key_name)
-
-      # search consul in a specific order until we find something
-      response = nil
-      consul_paths_to_search.detect do |consul_path|
-        response = fetch_key(consul_path)
-        response if response != MuchKeys::BlankKey
-      end
-
-      if response == BlankKey
-        raise MuchKeys::NoKeysSet, "Bailing.  Consul isn't set with any keys for #{key_name}."
-      end
-
-      response
-    end
-
-    def fetch_key(key_name, public_key:nil, private_key:nil)
-      return ENV[key_name] unless ENV[key_name].nil?
-
-      if secret_adapter.is_secret?(key_name)
-        raise InvalidKey unless validate_key_name(key_name)
-
-        # configure automatic certificates
-        public_key  = find_certfile_for_key(key_name) if public_key.nil?
-        private_key = find_certfile_for_key(key_name) if private_key.nil?
-
-        response = fetch_secret_key(key_name, public_key, private_key)
-      else
-        response = fetch_plain_key(key_name)
-      end
-
-      # otherwise, we got consul data so return that
-      response
-    end
-
-    def search_order(application_name, key_name)
-      if MuchKeys.configuration.search_paths
-        search_paths = MuchKeys.configuration.search_paths.collect do |path|
-          "#{path}/#{key_name}"
-        end
-      else
-        search_paths = [
-          "git/#{application_name}/secrets/#{key_name}",
-          "git/#{application_name}/config/#{key_name}",
-          "git/shared/secrets/#{key_name}",
-          "git/shared/config/#{key_name}"
-        ]
-      end
+module Muchkeys
+  class InvalidKey < StandardError; end
+  class CLIOptionsError < StandardError; end
+  class KeyNotSet < StandardError; end
+  class UnknownApplication < StandardError; end
+  class AmbigousPath < StandardError; end
 
-      search_paths
-    end
-
-
-    private
-    def consul_url(key_name)
-      URI("#{configuration.consul_url}/v1/kv/#{key_name}?raw")
-    end
-
-    def fetch_plain_key(key_name)
-      url = consul_url(key_name)
-      begin
-        response = Net::HTTP.get_response url
+  autoload :KeyValidator, 'muchkeys/key_validator'
+  autoload :ApplicationClient, 'muchkeys/application_client'
+  autoload :Secret, 'muchkeys/secret'
+  autoload :CLI, 'muchkeys/cli'
+  autoload :ConsulClient, 'muchkeys/consul_client'
 
-        return MuchKeys::BlankKey if !response.body || response.body.empty?
-        response.body
-      rescue Errno::ECONNREFUSED
-        return nil
-      end
-    end
+  include ActiveSupport::Configurable
 
-    def fetch_secret_key(key_name, public_pem=nil, private_pem=nil)
-      result = fetch_plain_key(key_name)
+  config_accessor :application_name
 
-      # we hit a key that doesn't exist, so don't try to decrypt it
-      return MuchKeys::BlankKey if result == MuchKeys::BlankKey || result.nil?
-
-      secret_adapter.decrypt_string(result, public_pem, private_pem)
-    end
-
-    def find_certfile_for_key(key_name)
-      secret_adapter.certfile_name key_name
-    end
+  config_accessor :consul_url do
+    'http://localhost:8500'
+  end
 
-    def secret_adapter
-      MuchKeys::Secret
-    end
+  config_accessor :private_key
+  config_accessor :public_key
+  config_accessor :application_name
+  config_accessor :secrets_hint
+  config_accessor :search_paths do
+    %w(git/%{application_name}/secrets
+       git/%{application_name}/config
+       git/shared/secrets
+       git/shared/config)
+  end
 
-    def validate_key_name(key_name)
-      MuchKeys::KeyValidator.valid? key_name
+  def self.env_keys
+    # parse all environments found in .env and populate them from consul
+    if defined? ::Rails
+      check_dir = ::Rails.root
+    else
+      check_dir = Pathname.getwd
     end
 
-    # Detecting Rails app names is a known quantity.
-    # Rack apps need to set the name through config.
-    def application_name
-      return configuration.application_name if configuration.application_name
-
-      if defined?(Rails)
-        # Rails.application looks something like "Monorail::Application"
-        application_name = Rails.application.class.to_s.split("::").first
-      else
-        return false
-      end
-
-      snakecase(application_name)
-    end
 
-    # MyApp should become my_app
-    def snakecase(string)
-      string.gsub(/::/, '/').
-        gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
-        gsub(/([a-z\d])([A-Z])/,'\1_\2').
-        tr("-", "_").
-        downcase
+    unless File.exists?(check_dir.join(".env"))
+      raise IOError, ".env files are required for Muchkeys ENV injection to work"
     end
 
+    File.read(check_dir.join(".env")).each_line.select(&:presence).map { |x| x.split("=")[0] }
   end
-end
-
-# default configure the gem on gem load
-MuchKeys.configuration ||= MuchKeys::Configuration.new
-
 
-# This interface looks like ENV which is more friendly to devs
-class MUCHKEYS
+  def self.populate_environment!(*required_keys)
+    app = ApplicationClient.new(config)
+    app.verify_keys(*required_keys)
 
-  def self.[](key_name)
-    # if an ENV key is set, use that first
-    return ENV[key_name] unless ENV[key_name].nil?
+    app.known_keys.each do |key|
+      ENV[key] ||= app.first(key)
+    end
 
-    MuchKeys.find_first(key_name)
+    nil
   end
-
 end

data/muchkeys.gemspec

@@ -5,12 +5,12 @@ require 'muchkeys/version'
 
 Gem::Specification.new do |spec|
   spec.name          = "muchkeys"
-  spec.version       = MuchKeys::VERSION
+  spec.version       = Muchkeys::VERSION
   spec.authors       = ["Pat O'Brien", "Chris Dillon"]
   spec.email         = ["pobrien@goldstar.com", "cdillon@goldstar.com"]
 
-  spec.summary       = %q{MuchKeys fetches keys from the ENV and then falls back to consul}
-  spec.description   = %q{MuchKeys can handle app configuration and appsecrets}
+  spec.summary       = %q{Muchkeys fetches keys from the ENV and then falls back to consul}
+  spec.description   = %q{Muchkeys can handle app configuration and appsecrets}
   spec.homepage      = "https://www.goldstar.com"
   spec.license       = "MIT"
 
@@ -20,11 +20,10 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "thor"
+  spec.add_runtime_dependency "activesupport", "< 5.1"
 
   spec.add_development_dependency "bundler", "~> 1.10"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.3"
-  spec.add_development_dependency "webmock", "~> 1.20"
-  spec.add_development_dependency "vcr", "~> 2.9"
   spec.add_development_dependency "aruba", "~> 0.14.2"
 end

data/secret.txt

@@ -0,0 +1 @@
+it's a seekwet

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: muchkeys
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Pat O'Brien
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-09-28 00:00:00.000000000 Z
+date: 2016-12-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -25,6 +25,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -67,34 +81,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.3'
-- !ruby/object:Gem::Dependency
-  name: webmock
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.20'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.20'
-- !ruby/object:Gem::Dependency
-  name: vcr
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.9'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.9'
 - !ruby/object:Gem::Dependency
   name: aruba
   requirement: !ruby/object:Gem::Requirement
@@ -109,7 +95,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.14.2
-description: MuchKeys can handle app configuration and appsecrets
+description: Muchkeys can handle app configuration and appsecrets
 email:
 - pobrien@goldstar.com
 - cdillon@goldstar.com
@@ -122,22 +108,25 @@ files:
 - ".rspec"
 - ".ruby-version"
 - ".travis.yml"
+- Dockerfile
 - Gemfile
 - Guardfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - circle.yml
+- docker-compose.yml
 - exe/muchkeys
 - lib/muchkeys.rb
+- lib/muchkeys/application_client.rb
 - lib/muchkeys/cli.rb
-- lib/muchkeys/configuration.rb
-- lib/muchkeys/errors.rb
+- lib/muchkeys/consul_client.rb
 - lib/muchkeys/key_validator.rb
 - lib/muchkeys/rails.rb
 - lib/muchkeys/secret.rb
 - lib/muchkeys/version.rb
 - muchkeys.gemspec
+- secret.txt
 homepage: https://www.goldstar.com
 licenses:
 - MIT
@@ -161,5 +150,5 @@ rubyforge_project:
 rubygems_version: 2.5.1
 signing_key: 
 specification_version: 4
-summary: MuchKeys fetches keys from the ENV and then falls back to consul
+summary: Muchkeys fetches keys from the ENV and then falls back to consul
 test_files: []

data/lib/muchkeys/configuration.rb

@@ -1,30 +0,0 @@
-require 'muchkeys'
-require 'uri'
-
-module MuchKeys
-  class Configuration
-    attr_accessor :consul_url, :private_key, :public_key, :application_name, :search_paths, :secrets_hint
-
-    # sensible defaults
-    def initialize
-      @consul_url = "http://localhost:8500"
-    end
-
-    # url parsing sanity check
-    def consul_url=(url)
-      raise URI::InvalidURIError unless url =~ URI::regexp
-      @consul_url = url
-    end
-
-    def attributes
-      {
-        consul_url:  @consul_url,
-        private_key: @private_key,
-        public_key:  @public_key,
-        application_name: @application_name,
-        search_paths: @search_paths,
-        secrets_hint: @secrets_hint
-      }.delete_if {|k,v| v.nil? }
-    end
-  end
-end

data/lib/muchkeys/errors.rb

@@ -1,6 +0,0 @@
-module MuchKeys
-  InvalidKey         = Class.new(StandardError)
-  CLIOptionsError    = Class.new(StandardError)
-  NoKeysSet          = Class.new(StandardError)
-  UnknownApplication = Class.new(StandardError)
-end