muchkeys 0.0.1 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 295bc96c509542f52c01c3a7be03cf95d2507dcc
-  data.tar.gz: 0cd586cb9d7d43e67029f8c9f15fb3979c541480
+  metadata.gz: 3ff8551deefce6e7a842d98364ea5667fa4532e3
+  data.tar.gz: ff2729f7f21a56f51bb9998729c80a7c96d87ec5
 SHA512:
-  metadata.gz: 991c8c9dddc589a1af5da74e80234a7a8152309cfc6b5dbcef2035acdb97b8df33022a182ac8bdebe42064b8358897cbf667a7794decbcc6432b7e1292253a1e
-  data.tar.gz: ea47aa2d9d97676f423c7c8fa68da3b530645468e8be796076364989e37029ec2a335aee10d87c18642d3dae6ebfed5e7800ff9e6e05358b3f3349c6dad356c7
+  metadata.gz: 4d0541d5c159955b22471d808fb2edb0f042e5b3a03fe725deb7ea7c041a3ed5d92f1f5a120223531742da56478976ecde08e833ae0399564a3f4145b26c67e5
+  data.tar.gz: 413f9778cd45d3aed726c7c23c685a032259f870c021c62b2bbd7f72b9f73f1d307ef568ed12263bc873feb3e5dc2524fd5e51d2803012833e6b2fcc947528a2

data/.gitignore

@@ -9,3 +9,6 @@
 /tmp/
 **.un~
 *.gem
+*.swp
+
+tags

data/.rspec

@@ -1,2 +1,3 @@
 --format documentation
 --color
+--order random

data/Guardfile

@@ -1,17 +1,12 @@
-guard :rspec, cmd: "bundle exec rspec" do
-  require "guard/rspec/dsl"
-  dsl = Guard::RSpec::Dsl.new(self)
+guard_options = {
+  cmd: "bundle exec rspec --color --format=doc",
+  all_after_pass: false,
+  all_after_fail: false,
+  all_on_start: false
+}
 
-  # RSpec files
-  rspec = dsl.rspec
-  watch(rspec.spec_helper) { rspec.spec_dir }
-  watch(rspec.spec_support) { rspec.spec_dir }
-  watch(rspec.spec_files)
-
-  # Ruby files
-  ruby = dsl.ruby
-  dsl.watch_spec_files_for(ruby.lib_files)
-
-  # TODO: use the new rspec dsl here, but how?
-  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
+guard :rspec, guard_options do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
 end

data/README.md

@@ -1,11 +1,35 @@
 # MuchKeys
 
-MuchKeys lets you store your ENV key/value settings in consul.  It's primary use is
-in production where it will check to see if a ENV variable exists and then
-look in consul.
+    ─────────▄──────────────▄
+    ────────▌▒█───────────▄▀▒▌
+    ────────▌▒▒▀▄───────▄▀▒▒▒▐
+    ───────▐▄▀▒▒▀▀▀▀▄▄▄▀▒▒▒▒▒▐
+    ─────▄▄▀▒▒▒▒▒▒▒▒▒▒▒█▒▒▄█▒▐
+    ───▄▀▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▀██▀▒▌
+    ──▐▒▒▒▄▄▄▒▒▒▒▒▒▒▒▒▒▒▒▒▀▄▒▒▌
+    ──▌▒▒▐▄█▀▒▒▒▒▄▀█▄▒▒▒▒▒▒▒█▒▐
+    ─▐▒▒▒▒▒▒▒▒▒▒▒▌██▀▒▒▒▒▒▒▒▒▀▄▌
+    ─▌▒▀▄██▄▒▒▒▒▒▒▒▒▒▒▒░░░░▒▒▒▒▌
+    ─▌▀▐▄█▄█▌▄▒▀▒▒▒▒▒▒░░░░░░▒▒▒▐
+    ▐▒▀▐▀▐▀▒▒▄▄▒▄▒▒▒▒▒░░░░░░▒▒▒▒▌
+    ▐▒▒▒▀▀▄▄▒▒▒▄▒▒▒▒▒▒░░░░░░▒▒▒▐
+    ─▌▒▒▒▒▒▒▀▀▀▒▒▒▒▒▒▒▒░░░░▒▒▒▒▌
+    ─▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▐
+    ──▀▄▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▄▒▒▒▒▌
+    ────▀▄▒▒▒▒▒▒▒▒▒▒▄▄▄▀▒▒▒▒▄▀
+    ───▐▀▒▀▄▄▄▄▄▄▀▀▀▒▒▒▒▒▄▄▀
+    ──▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▀▀
 
-It's sort of the opposite of `envconsul` (golang) or similar to `dotenv` designed
-for use in production.
+
+MuchKeys lets you store your application keys in consul and then leverages many conventions to create a
+pleasant API.  Keys in this context can mean application settings, knobs, dials, passwords, api keys
+or anything.  It's primary use is in production where it will check to see if a ENV variable exists first and then
+search consul for a key based on an opinionated hierarchy convention.
+
+You will want to read below about the convention and assumptions first to see if this works for
+you.
+
+MuchKeys also has a way of using encrypted secrets stored in consul.  MuchKeys has a command line interface to help you encrypt or read secrets stored in consul.
 
 
 ## Installation
@@ -18,28 +42,242 @@ gem 'muchkeys'
 
 And then execute:
 
-    $ bundle
+```
+$ bundle
+```
 
 Or install it yourself as:
 
-    $ gem install muchkeys
+```
+$ gem install muchkeys
+```
+
 
 ## Usage
 
+Use a snippet like this below in your YAML config files and anywhere else to use
+a central configuration store while retaining control of your local development environment.
+
+```
+<%= MUCHKEYS['widget_api_key'] %>
+```
+
+Now the `widget_api_key` is coming from a central location.  Devs can override `widget_api_key` with an ENV setting.  `export WIDGET_API_KEY="development_key76"`  MuchKeys defers to ENV when
+it sees one set.
+
+MuchKeys will look in consul (a key/value store) for keys (settings/secrets/knobs to turn).
+It searches in an order of convention.  It is also assuming you want to use git2consul
+to enable your developers to add their own keys.  Git2consul syncs a git repo to consul.
+
+So let's walk through what happens when a developer is adding a new feature to an app.
+The developer is integrating an API from reddit into an app called `feed_reader`.  So now they have a reddit API key
+and this is something new to the app.
+
+* The developer adds twitter_api_key to `.env` from the dotenv gem to control their own development
+  environment.  Staging and production have no idea this has happened.
+* The developer adds/commits a file to `<git2consul repo>/feed_reader/twitter_api_key`
+* git2consul is sync'd to consul and their new key is there.  (This might happen through cron or some other way)
+* They use their key in a configuration file or in the app: `<%= MUCHKEYS['redis_api_key'] %>`
+* When they deploy to staging/production the key is there and the `feed_reader` app doesn't explode.
+* Ops wasn't involved.  Developers are empowered.
+
+
+MuchKeys does this magic through a search order.  It searches consul for the key
+in certain order: (notice that the key isn't prefixed when you look up `twitter_api_key` with
+`MUCHKEYS['twitter_api_key']`)
+
+It will search a consul hierarchy looking for `twitter_api_key` in this search order:
+
+```
+git/feed_reader/secrets
+git/feed_reader/config
+git/shared/secrets
+git/shared/config
+```
+
+The above `feed_reader` is detected from `Rails.application`.  If you don't have a Rails app, then you can set
+the application name in the configure block:
+
 ```
+MuchKeys.configure do |config|
+  config.application_name = "rack_app"
+end
+```
+
+The order and paths that it searches is configurable:
+
+```
+MuchKeys.configure do |config|
+  config.search_paths = %W(
+    app_name/keys app_name/secrets shared/keys shared/secrets
+  )
+end
+```
+
+This would look for keys and settings in consul under these paths instead:
+
+```
+app_name/keys
+app_name/secrets
+shared/keys
+shared/secrets
+```
+
+Anything that has /secrets/ in it is going to be assumed to be a secret.  There is an assumption that you have
+your keys and secrets organized like this (one deep nesting).  This is configurable.
+
+```
+# if you don't put your secrets in something like shared/secrets/
+# but shared/passwords/
+MuchKeys.configure do |config|
+  config.secrets_path_hint = "passwords/"
+end
+```
+
+### Using in a Rails App
+
+Add to your Gemfile.
+```
+gem 'muchkeys'
+```
+
+Run `bundle install`.
+
+If you don't need to change your hostname (production you do not need to) or any other settings, then you are
+done.  If you need to override defaults, create an initializer.
+
+```
+# config/initializers/muchkeys.rb
+MuchKeys.configure do |config|
+  # your settings if desired
+end
+```
+
+Then, use in YAML files, in the app or in other initializers.
+
+```
+# example of centralizing a database password in database.yml
+# blog/config/database.yml
+production:
+  <<: *default
+  username: MUCHKEYS['database_user']      # set in consul at git/blog/config/database_user
+  password: MUCHKEYS['database_password']  # set in consul at git/blog/secrets/database_password
+```
+
+In the above example, `database_password` needs to be encrypted with an SSL certificate
+and then set in consul (paste the PEM text).  The private and public key are needed to decrypt
+and these keys should be stored in `<deploy_user_home>/.keys/blog.pem`.  With these conventions
+set once, you won't have to do anything else.
+
+
+### Encrypted Secrets
+
+Generate an SSL cert or use an existing one.  You will need the private and public key to encrypt and the public key to decrypt.
+
+```bash
+openssl req -new -newkey rsa:4096 -nodes -x509 -keyout /tmp/self_signed_test.pem -out /tmp/self_signed_test.pem
+```
+
+```ruby
+MuchKeys.configure do |config|
+  config.public_key  = "/tmp/self_signed_test.pem"
+  config.private_key = "/tmp/self_signed_test.pem"
+end
+
+puts MuchKeys::Secret.encrypt_string("bacon is just ok").to_s
+# => -----BEGIN PKCS7-----
+# => MIICuwYJKoZIhvcNAQcDoIICrDCCAqgCAQAxggJuMIICagIBADBSMEUxCzAJ ...
+# => ...
+
+# Copy and paste this into consul under a key: ie: secrets/fake
+
+# Now you can fetch the secret with the same public key.
+MuchKeys::Secret.get_consul_secret('secrets/fake')
+# => bacon is just ok
+```
+
+Inside your app:
+```ruby
+# inside a rails initializer or other setup file you have
+MuchKeys.configure do |config|
+  config.consul_url = "http://myrealhost"             # Default is "http://localhost:8500"
+  config.public_key  = "path to public .pem"          # this is only required if you are encrypting secrets
+  config.private_key = "path to private .pem"         # this is only required if you are encrypting secrets
+end
+
+# then inside your YAML or app:
+MuchKeys.fetch_key('number_of_threads')
+# goes to git/config/myapp/number_of_threads in consul
+```
+
+
+## Automagic Certificates
+
+MuchKeys can find certs automatically in `~/.keys`.  `MuchKeys.fetch_key("git/waffles/secrets/a_password")` will try to decrypt `a_password`
+with a cert called `~/.keys/waffles.pem`.  The private key can be in the same file but should be protected
+with file permissions `0600`.
+
+
+## CLI
+
+Example of decrypted an encrypted key:
+
+```
+$ muchkeys -d --public_key=~/.keys/staging.pem --private_key=~/.keys/staging.pem --consul_url=http://consul.domain:8500 --consul_key git/pants/secrets/some_password
+<unencrypted secret is displayed>
+```
+
+### Other Usage
+
+You can fetch individual keys if you want.
+
+```bash
 ruby -e 'require "muchkeys"; puts MuchKeys.fetch_key("mail_server")'
 # => smtp.example.com (from consul)
 ```
 
-```
+```bash
 mail_server=muffin.ninja.local ruby -e 'require "muchkeys"; puts MuchKeys.fetch_key("mail_server")'
 # => muffin.ninja.local (from ENV)
 ```
 
-Use the above in your YAMLs, your configs and your ERBs for maximum fun time.
+### Keys to Store
+
+You will probably just want to store things that change between environments in consul.
+If `database_pool_size` never changes between development and production then don't store it in consul.
+If `sidekiq_number_of_workers` is 1 in development, 2 in staging and 16 in production, then this is a
+good thing to store in consul because you'll have a central place that all app servers can
+read from.
+
+You could store things in rails' `environments/` path but then you'll need to do a deploy
+to change a setting and some things might be shared between apps like URLs, api keys, secrets and scaling settings.
+
+
+### Limits and Caveats
+
+Searching multiple paths in consul is because consul is hierarchical (or can be) and ENV is not.
+Making an easy to use API that looks and behaves like `ENV` was one of the goals to make
+it more familiar to developers.  So worst case, by default, MuchKeys will search consul 4 times
+to find a key.
+
+Encrypted secrets can be slightly more clunky.  Developers may not have signing keys,
+in that case, an admin or someone from ops maybe has to manage the secrets.
+
+
+### Compared to Other Tools
+
+It's sort of the opposite of `envconsul` or similar to `dotenv` designed
+for use in production.
+
+* Dotenv doesn't centralize keys.
+* envconsul has a auto restart the launched process on change feature, this project does not.
+
+
+### Future
+
+It'd be nice if this project wasn't so tied to consul.  I don't think it's impossible to decouple it.  Etcd basically behaves the same afaik so we could add an etcd adapter.
 
 
 ## License
 
 The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
-

data/Rakefile

@@ -1,6 +1,21 @@
 require "bundler/gem_tasks"
 require "rspec/core/rake_task"
 
-RSpec::Core::RakeTask.new(:spec)
+namespace :spec do
+  desc "Run Unit Tests"
+  RSpec::Core::RakeTask.new(:unit) do |t|
+    t.pattern = 'spec/lib/**/*_spec.rb'
+  end
 
-task :default => :spec
+  desc "Run Feature/Integration Tests"
+  RSpec::Core::RakeTask.new(:features) do |t|
+    t.pattern = 'spec/features/**/*.rb'
+  end
+
+  desc "Run All Tests"
+  RSpec::Core::RakeTask.new(:all) do |t|
+    t.pattern = 'spec/lib/**/*_spec.rb, spec/features/**/*.rb'
+  end
+end
+
+task :default => "spec:all"

data/exe/muchkeys

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+require "muchkeys"
+
+cli = MuchKeys::CLI.new ARGV
+cli.run

data/lib/muchkeys/cli/validator.rb

@@ -0,0 +1,41 @@
+require_relative "../errors"
+
+class MuchKeys::CLI::Validator
+
+    def self.validate_primary_mode_option(options)
+      raise MuchKeys::CLIOptionsError, primary_mode_error_message unless options_has_one_mode?(options)
+    end
+
+    def self.validate_encrypt(options)
+      abort "--encrypt needs the --file option passed."        if !options[:file]
+      abort "--encrypt needs the --public_key option passed."  if !options[:public_key]
+    end
+
+    def self.validate_decrypt(options)
+      key_name = options[:consul_key]
+      abort "--decrypt needs the --consul_key option passed." if !key_name
+
+      if !secret_adapter.auto_certificates_exist_for_key?(key_name)
+        certfile_expected = secret_adapter.certfile_name(key_name)
+        abort "--decrypt needs the --public_key option passed or a PEM file needs to be at #{certfile_expected}."  if !options[:public_key]
+        abort "--decrypt needs the --private_key option passed or a PEM file needs to be at #{certfile_expected}." if !options[:private_key]
+      end
+    end
+
+    def self.validate_plain(options)
+      abort "--plain needs the --consul_key option passed." if !options[:consul_key]
+    end
+
+    def self.options_has_one_mode?(options)
+      [ options[:encrypt], options[:decrypt], options[:plain] ].count(true) == 1
+    end
+
+    def self.primary_mode_error_message
+      "You must pass only one and at least one of the following flags: --encrypt, --decrypt, or --plain"
+    end
+
+    def self.secret_adapter
+      MuchKeys::Secret
+    end
+
+end

data/lib/muchkeys/cli.rb

@@ -0,0 +1,103 @@
+require "slop"
+
+module MuchKeys
+  class CLI
+    attr_reader :mode
+
+    def initialize(arguments)
+      # I'd like to not be doing this kind of check
+      # But this is tricky because we need to know
+      # later if help was invoked so we don't execute run with blank options.
+      @help_invoked = false
+      parsed = parse_options(arguments)
+      return if @help_invoked
+
+      begin
+        set_primary_mode
+      rescue MuchKeys::CLIOptionsError => e
+        puts e.message
+        puts @opts
+      end
+
+      configure_muchkeys
+    end
+
+    def parse_options(arguments)
+      @opts = Slop.parse arguments do |o|
+        o.bool "-e", "--encrypt", "Encrypt keys from a file to put in consul."
+        o.bool "-d", "--decrypt", "Decrypt keys from consul."
+        o.bool "-p", "--plain",   "Fetch plaintext key from consul."
+
+        o.string "--consul_url", "Consul server http address", default: "http://localhost:8500"
+        o.string "--private_key", "Location of your private key"
+        o.string "--public_key", "Location of your public key"
+
+        # add -f
+        o.string "--file", "File to encrypt"
+        o.string "-c", "--consul_key", "Consul key to decrypt"
+
+        o.on "-h", "--help" do
+          # Save the fact we ran help so when run() runs, it prints help and exits.
+          @help_invoked = true
+        end
+      end
+    end
+
+    def set_primary_mode(options=@opts)
+      MuchKeys::CLI::Validator.validate_primary_mode_option(options)
+      @mode = select_primary_mode(options)
+    end
+
+    def configure_muchkeys(options=@opts)
+      MuchKeys.configure do |config|
+        config.consul_url  = options[:consul_url]
+        config.public_key  = options[:public_key]
+        config.private_key = options[:private_key]
+      end
+    end
+
+    # this guy figures out the appropriate action to take given CLI options
+    def run
+      if @opts[:help]
+        puts @opts
+        return
+      end
+
+      if @opts[:encrypt]
+        MuchKeys::CLI::Validator.validate_encrypt(file: @opts[:file], public_key: @opts[:public_key])
+        encrypt(@opts[:file], @opts[:public_key])
+      elsif @opts[:decrypt]
+        MuchKeys::CLI::Validator.validate_decrypt(consul_key: @opts[:consul_key], public_key: @opts[:public_key], private_key: @opts[:private_key])
+        decrypt(@opts[:consul_key], @opts[:public_key], @opts[:private_key])
+      elsif @opts[:plain]
+        plain(@opts[:consul_key])
+      end
+    end
+
+    def encrypt(file, public_key)
+      string_to_encrypt = File.read(file)
+      puts secret_adapter.encrypt_string(string_to_encrypt, public_key)
+    end
+
+    def decrypt(consul_key, public_key, private_key)
+      puts MuchKeys.fetch_key(consul_key, public_key:public_key, private_key:private_key)
+    end
+
+    def plain(consul_key)
+      puts MuchKeys.fetch_key(consul_key)
+    end
+
+
+    private
+    def select_primary_mode(options)
+      possible_primary_modes = { encrypt: options[:encrypt], decrypt: options[:decrypt], plain: options[:plain] }
+      primary_mode = possible_primary_modes.select {|k,v| v == true }  # validation has already happened, we can access modes safely
+      primary_mode.keys.first
+    end
+
+    def secret_adapter
+      MuchKeys::Secret
+    end
+
+  end
+end

data/lib/muchkeys/configuration.rb

@@ -0,0 +1,30 @@
+require 'muchkeys'
+require 'uri'
+
+module MuchKeys
+  class Configuration
+    attr_accessor :consul_url, :private_key, :public_key, :application_name, :search_paths, :secrets_hint
+
+    # sensible defaults
+    def initialize
+      @consul_url = "http://localhost:8500"
+    end
+
+    # url parsing sanity check
+    def consul_url=(url)
+      raise URI::InvalidURIError unless url =~ URI::regexp
+      @consul_url = url
+    end
+
+    def attributes
+      {
+        consul_url:  @consul_url,
+        private_key: @private_key,
+        public_key:  @public_key,
+        application_name: @application_name,
+        search_paths: @search_paths,
+        secrets_hint: @secrets_hint
+      }.delete_if {|k,v| v.nil? }
+    end
+  end
+end

data/lib/muchkeys/errors.rb

@@ -1,3 +1,5 @@
 module MuchKeys
-  class InvalidKey < StandardError; end
+  InvalidKey      = Class.new(StandardError)
+  CLIOptionsError = Class.new(StandardError)
+  NoKeysSet       = Class.new(StandardError)
 end

data/lib/muchkeys/key_validator.rb

@@ -0,0 +1,43 @@
+module MuchKeys
+  class KeyValidator
+
+    class << self
+
+      # key should pass validation rules
+      def valid? keyname
+        exists?(keyname) &&
+        secret_key_has_namespace?(keyname)
+      end
+
+      def secret_key_namespace keyname
+        match = keyname.match(/^secrets\/(.*?)\/.*/)
+        if match
+          match[1]
+        else
+          ""
+        end
+      end
+
+      def secret_key_has_namespace? keyname
+        if is_secret?(keyname)
+          namespace = secret_key_namespace(keyname)
+          exists?(namespace)
+        else
+          # a plain key passes, it doesn't need a namespace
+          true
+        end
+      end
+
+      def is_secret? keyname
+        keyname.match(/^secret/) != nil
+      end
+
+
+      private
+      def exists? keyname
+        !keyname.nil? && !keyname.empty?
+      end
+
+    end
+  end
+end

data/lib/muchkeys/secret.rb

@@ -0,0 +1,66 @@
+require 'openssl'
+require 'net/http'
+require 'muchkeys/configuration'
+require 'muchkeys/errors'
+
+
+class MuchKeys::Secret
+  CIPHER_SUITE = "AES-256-CFB"
+
+  class << self
+
+    # the path that clues MuchKeys that this path contains secrets
+    def secrets_path_hint
+      MuchKeys.configuration.secrets_hint || "secrets/"
+    end
+
+    def encrypt_string(val, public_key)
+      cipher = OpenSSL::Cipher.new CIPHER_SUITE
+      cert   = OpenSSL::X509::Certificate.new File.read(public_key)
+      OpenSSL::PKCS7::encrypt([cert], val, cipher, OpenSSL::PKCS7::BINARY)
+    end
+
+    # turn a key_name into a SSL cert file name by convention
+    def certfile_name(key_name)
+      key_parts = key_name.match /(.*)\/#{secrets_path_hint}(.*)/
+      raise MuchKeys::InvalidKey, "#{key_name} doesn't look like a secret" if key_parts.nil?
+      key_base = key_parts[1].gsub(/^git\//, "")
+      MuchKeys.configuration.public_key || "#{ENV['HOME']}/.keys/#{key_base}.pem"
+    end
+
+    def is_secret?(key_name)
+      key_name.match(/\/#{secrets_path_hint}/) != nil
+    end
+
+    def auto_certificates_exist_for_key?(key)
+      file_exists?(secret_adapter.certfile_name(key))
+    end
+
+    def decrypt_string(val, public_key, private_key)
+      cert = OpenSSL::X509::Certificate.new(read_ssl_key(public_key))
+      key  = OpenSSL::PKey::RSA.new(read_ssl_key(private_key))
+      OpenSSL::PKCS7.new(val).decrypt(key, cert)
+    end
+
+
+    private
+
+    def read_ssl_key(file_name)
+      File.read file_name
+    end
+
+    # Why would we even do this?  For stubbing.
+    def file_exists?(path)
+      File.exist? path
+    end
+
+    def key_validator
+      MuchKeys::KeyValidator
+    end
+
+    def secret_adapter
+      MuchKeys::Secret
+    end
+
+  end
+end

data/lib/muchkeys/version.rb

@@ -1,3 +1,3 @@
 module MuchKeys
-  VERSION = "0.0.1"
+  VERSION = "0.3.3"
 end

data/lib/muchkeys.rb

@@ -1,59 +1,171 @@
 require "muchkeys/version"
 require "muchkeys/errors"
+require "muchkeys/configuration"
+require "muchkeys/secret"
+require "muchkeys/key_validator"
+require "muchkeys/cli"
+require "muchkeys/cli/validator"
+
 require "net/http"
 
 module MuchKeys
 
   class << self
     attr_accessor :configuration
-  end
 
-  def self.configure
-    @configuration ||= Configuration.new
-    yield(configuration)
-  end
+    def configure
+      self.configuration ||= MuchKeys::Configuration.new
+      if block_given?
+        yield configuration
+      end
+    end
 
-  def self.default_configure
-    configure do
+    def search_order(application_name, key_name)
+      if MuchKeys.configuration.search_paths
+        search_paths = MuchKeys.configuration.search_paths.collect do |path|
+          "#{path}/#{key_name}"
+        end
+      else
+        search_paths = [
+          "git/#{application_name}/secrets/#{key_name}",
+          "git/#{application_name}/config/#{key_name}",
+          "git/shared/secrets/#{key_name}",
+          "git/shared/config/#{key_name}"
+        ]
+      end
     end
-  end
 
-  class Configuration
-    attr_accessor :consul_host
+    def find_first(key_name)
+      return ENV[key_name] unless ENV[key_name].nil?
+
+      unless MuchKeys.configuration.search_paths
+        application_name = detect_app_name
+        return false if !application_name
+      end
 
-    # sensible defaults
-    def initialize
-      @consul_host = 'http://localhost:8500'
+      consul_paths = search_order(application_name, key_name)
+
+      response = nil
+      search_order(application_name, key_name).detect do |consul_path|
+        response = fetch_key(consul_path)
+      end
+
+      if !response
+        raise MuchKeys::NoKeysSet, "Bailing.  Consul isn't set with any keys for #{key_name}."
+      end
+
+      response
     end
-  end
 
-  def self.fetch_key(key_name)
-    default_configure if !configuration
-    return ENV[key_name] unless ENV[key_name].nil?
+    def fetch_key(key_name, public_key:nil, private_key:nil)
+      return ENV[key_name] unless ENV[key_name].nil?
 
-    response = Net::HTTP.get_response(URI(consul_url(key_name)))
-    handle_response(response)
-    fetch_body(response)
-  end
+      if secret_adapter.is_secret?(key_name)
+        raise InvalidKey unless validate_key_name(key_name)
 
-  def self.consul_url(key_name)
-    converted_key_name = convert_keyname(key_name)
-    "#{configuration.consul_host}/v1/kv/#{converted_key_name}?raw"
-  end
+        # configure automatic certificates
+        public_key  = find_certfile_for_key(key_name) if public_key.nil?
+        private_key = find_certfile_for_key(key_name) if private_key.nil?
 
-  def self.fetch_body(response)
-    response.body
-  end
+        response = fetch_secret_key(key_name, public_key, private_key)
+      else
+        response = fetch_plain_key(key_name)
+      end
+
+      # empty and unset keys from consul are empty strings, so return false
+      # here TODO: UnsetKey would be better here.
+      return false if response == ""
 
-  def self.handle_response(response_code)
-    case response_code
-    when (400..599)
-      raise MuchKeys::InvalidKey
+      # otherwise, we got consul data so return that
+      response
     end
+
+    def consul_url(key_name)
+      URI("#{configuration.consul_url}/v1/kv/#{key_name}?raw")
+    end
+
+    # TODO: inline this
+    def fetch_body(response)
+      response.body
+    end
+
+    def handle_response(response_code)
+      case response_code
+      when (400..599)
+        raise MuchKeys::InvalidKey
+      end
+    end
+
+
+    private
+    def fetch_plain_key(key_name)
+      url = consul_url(key_name)
+      response = Net::HTTP.get_response url
+      handle_response(response)
+      fetch_body(response)
+    end
+
+    def fetch_secret_key(key_name, public_pem=nil, private_pem=nil)
+      result = fetch_plain_key(key_name)
+      # FIXME: omg use a class like MuchKeys::UnsetKey instead of "" as a
+      # return value -- there are other places like this too.
+
+      # we hit a key that doesn't exist, so don't try to decrypt it
+      return "" if !result || result.empty?
+      secret_adapter.decrypt_string(result, public_pem, private_pem)
+    end
+
+    def find_certfile_for_key(key_name)
+      secret_adapter.certfile_name key_name
+    end
+
+    def secret_adapter
+      MuchKeys::Secret
+    end
+
+    def validate_key_name(key_name)
+      MuchKeys::KeyValidator.valid? key_name
+    end
+
+    # Detecting Rails app names is a known quantity.
+    # TODO: figure out how to detect plain Rack apps.  :(
+    def detect_app_name
+      return configuration.application_name if configuration.application_name
+
+      # Rails.application is "Monorail::Application".
+      if defined?(Rails)
+        application_name = Rails.application.class.to_s.split("::").first
+      elsif defined?(Rack)
+        application_name = "Asset_Server"
+      else
+        $stderr.puts "can't detect app name"
+        return
+      end
+
+      snakecase(application_name)
+    end
+
+    # MyApp should become my_app
+    def snakecase(string)
+      string.gsub(/::/, '/').
+        gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+        gsub(/([a-z\d])([A-Z])/,'\1_\2').
+        tr("-", "_").
+        downcase
+    end
+
   end
+end
+
+# default configure the gem on gem load
+MuchKeys.configuration ||= MuchKeys::Configuration.new
+
+
+# This interface looks like ENV which is more friendly to devs
+class MUCHKEYS
 
-  def self.convert_keyname(key_name)
-    key_name.gsub('___', '/')
+  def self.[](i)
+    MuchKeys.find_first(i)
   end
 
 end

data/muchkeys.gemspec

@@ -9,8 +9,8 @@ Gem::Specification.new do |spec|
   spec.authors       = ["Pat O'Brien", "Chris Dillon"]
   spec.email         = ["pobrien@goldstar.com", "cdillon@goldstar.com"]
 
-  spec.summary       = %q{MuchKeys first fetches keys from the ENV and then falls back to consul}
-  spec.description   = %q{Much keys, such values ...}
+  spec.summary       = %q{MuchKeys fetches keys from the ENV and then falls back to consul}
+  spec.description   = %q{MuchKeys can handle app configuration and appsecrets}
   spec.homepage      = "https://www.goldstar.com"
   spec.license       = "MIT"
 
@@ -19,11 +19,16 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  # slop 4 was a rewrite and it breaks a few gems:
+  # guard / pry.  This is sad for development but slop4 is better than slop3.
+  spec.add_runtime_dependency "slop", "~> 4.2"
+
   spec.add_development_dependency "bundler", "~> 1.10"
   spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec"
-  spec.add_development_dependency "pry"
-  spec.add_development_dependency "guard"
-  spec.add_development_dependency "guard-rspec"
-  spec.add_development_dependency "fsevents"
+  spec.add_development_dependency "rspec", "~> 3.3"
+  spec.add_development_dependency "webmock", "~> 1.20"
+  spec.add_development_dependency "vcr", "~> 2.9"
+
+  # slop 4 really, really needs this version of pry since they vendored it
+  spec.add_development_dependency "pry", '=0.10.3'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: muchkeys
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.3.3
 platform: ruby
 authors:
 - Pat O'Brien
@@ -9,111 +9,112 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-07-27 00:00:00.000000000 Z
+date: 2016-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: slop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
-  type: :development
+        version: '4.2'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '4.2'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '1.10'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '1.10'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.0'
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.3'
 - !ruby/object:Gem::Dependency
-  name: guard
+  name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.20'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.20'
 - !ruby/object:Gem::Dependency
-  name: guard-rspec
+  name: vcr
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.9'
 - !ruby/object:Gem::Dependency
-  name: fsevents
+  name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.10.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
-description: Much keys, such values ...
+        version: 0.10.3
+description: MuchKeys can handle app configuration and appsecrets
 email:
 - pobrien@goldstar.com
 - cdillon@goldstar.com
-executables: []
+executables:
+- muchkeys
 extensions: []
 extra_rdoc_files: []
 files:
@@ -125,10 +126,14 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- bin/console
-- bin/setup
+- exe/muchkeys
 - lib/muchkeys.rb
+- lib/muchkeys/cli.rb
+- lib/muchkeys/cli/validator.rb
+- lib/muchkeys/configuration.rb
 - lib/muchkeys/errors.rb
+- lib/muchkeys/key_validator.rb
+- lib/muchkeys/secret.rb
 - lib/muchkeys/version.rb
 - muchkeys.gemspec
 homepage: https://www.goldstar.com
@@ -151,8 +156,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.3
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
-summary: MuchKeys first fetches keys from the ENV and then falls back to consul
+summary: MuchKeys fetches keys from the ENV and then falls back to consul
 test_files: []
+has_rdoc: 

data/bin/console

@@ -1,14 +0,0 @@
-#!/usr/bin/env ruby
-
-require "bundler/setup"
-require "muchkeys"
-
-# You can add fixtures and/or initialization code here to make experimenting
-# with your gem easier. You can also use a different console, if you like.
-
-# (If you use this, don't forget to add pry to your Gemfile!)
-# require "pry"
-# Pry.start
-
-require "irb"
-IRB.start

data/bin/setup

@@ -1,7 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-IFS=$'\n\t'
-
-bundle install
-
-# Do any other automated setup that you need to do here