muchsecrets 0.0.2 → 0.0.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 639350be4d0bce627d623560089b2cc2997657be
-  data.tar.gz: 523849a5697680c7edf53de4978e52d6bde445de
+  metadata.gz: 46a037577a9dd00f6d594cee1d3a7b12f53fd510
+  data.tar.gz: fe3f8ca23d1b1dbc6bfaf51ca70c467b5e878a6e
 SHA512:
-  metadata.gz: f3a45736a0d5a015e5abc406dae0808f1e0805777509e3c4ec26cbb3ce78778a3626487711c5050c9a11f85dc11eb0661acc0f980bd5dc11881ac922c822d950
-  data.tar.gz: 55e41eab84259fa263f20a22fc1b8010b8c7a7f78ac5eff811869b39ef0159f20f5aa4e051339c91dfb600e2e23928d7858bf70dc3aefa7248c2f4afb8b2fcf8
+  metadata.gz: db9a765ec0505bdf95642762527bc4e7bfcc010106d661e0fd822510eefda6342f40320cd40d894c40fc14d630fbefa925735d7551153b2cb0b13ce83f057e48
+  data.tar.gz: 6e4f82f2c02c1567a7fa7897989ae46caf6384131324c4429712346c42f370b818f25be1985688829e65cc637b9fd799bae82cd68feb55550ede64b78cdee649

data/README.md

@@ -11,10 +11,46 @@ What's this useful for? Pulling encrypted secrets from [Consul](https://consul.i
 :$ openssl req -new -newkey rsa:4096 -nodes -x509 -keyout application.pem -out application.pem
 ````
 
-2. store your private key some place safe
+2. store your keypair some place safe.
+
 
 ## Usage ##
 
+Use the command line executable to encrypt:
+```
+:$ muchsecrets --encrypt --publickey shared-production-wc1.pem --string "such_privacy"
+
+-----BEGIN PKCS7-----
+MIIDMwYJKoZIhvcNAQcDoIIDJDCCAyACAQAxggLgMIIC3AIBADCBwzCBtTELMAkG
+A1UEBhMCVVMxDzANBgNVBAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxHjAc
+BgNVBAoTFUdvbGRzdGFyIEV2ZW50cywgSW5jLjEeMBwGA1UECxMVc2hhcmVkLXBy
+b2R1Y3Rpb24td2MxMSEwHwYDVQQDExhodHRwczovL3d3dy5nb2xkc3Rhci5jb20x
+HzAdBgkqhkiG9w0BCQEWEG9wc0Bnb2xkc3Rhci5jb20CCQCASRiabrpfIjANBgkq
+hkiG9w0BAQEFAASCAgAxVwDR9gvGQUayj34tJLcwjT5JDYHjf3RTdmf5HDANMgoy
+WrJJY74hx5fskZLuvbptHI4/RDd/uB4LQHAiMel/wK/YSPcUC3rCDsII9L4jOc7o
+K/rz9VPUAiVcGFfE4R1HQkYIcwKsgZg0FiImNZgxRCpx9Gn1YhxxY3+A46fRA2Ym
+JcHJHfvLK0CMMmGU3Q3dTgpD9oZ2UWkWf1dw6XvtpaVs6BJNoA/9PDK6Teik++Om
+gMuzd0VI8mxPoNBiH4GVpZzfKyUDg7zJQtELsTmVbwdae88I4wrIjZNEIg+2GBTC
+wqsG+7jdMuP0YeTsKWLmAzOVyLfJmMzqMAJ5i31jvYFnyeDymjzLvJvly2mW1UdQ
+6dJHFNyneK4uHsE8G5kJ9MoaYrZWtwA1DgaiNjCbaRqTfDScxGyYTE3gvJetU1Lx
+H6wqht2HXzps61zSGAyeEac8CvTyub0ub86tEZ5GD4GU6VqKvEnvtoe/t1NK6E38
+vc0t/lvY9zledBI/z+dp3IumCQcKhxX1V4JKxn3yB2WdXJZbFfg92pf/NtDeHdR8
+PwcYuruEYYK8WF+cNApFsRmeAa+tL1J9f/K+4x65rhRja/fbTQFvWMe3hkybbgql
+BZqnjg5EqoAk/yVoq9joGmjg6ujkezgNJJ0u1pvJi1QRQhA8v7nZ+swpqZ0fxjA3
+BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEsBBB0gcWyiwNgAVMXLUCSfTrkgAsM77Vi
+DClnGP48kw==
+-----END PKCS7-----
+```
+
+Use the command line to decrypt directly from consul:
+```
+:$ muchsecrets --decrypt --publickey application.pem --privatekey application.pem --consul secrets/wow
+
+foo bar baz
+```
+
+Or you can use it directly from your application.
+
 To encrypt a string:
 ```ruby
 require 'muchsecrets'
@@ -41,13 +77,21 @@ ZQMEASwEEMVOg3shVq9U1O7CzSDJfSyADex+cL6h7RnV1tRwDqI=
 -----END PKCS7-----"
 ```
 
-Push the encrypted string to consul.
+Push the encrypted string to consul/whatever.
 
-To decrypt a raw key value from consul:
+To decrypt a key value directly from consul:
 ```ruby
 require 'muchsecrets'
 wow = MuchSecrets::Secret.new(:public_key => 'application.pem', :private_key => 'application.pem')
-super_secret = wow.get_http_secret('notprod/github_api_key/encrypted?raw')
+super_secret = wow.get_consul_secret('notprod/github_api_key/encrypted') # would fetch http://consul:8500/v1/kv/notprod/github_api_key/encrypted?raw
+# => "such_privacy"
+```
+
+To decrypt a key value directly from a web endpoint:
+```ruby
+require 'muchsecrets'
+wow = MuchSecrets::Secret.new(:public_key => 'application.pem', :private_key => 'application.pem', :base_url => 'http://service:8080')
+super_secret = wow.get_http_secret('notprod/github_api_key/encrypted') # would fetch http://service:8080/notprod/github_api_key/encrypted
 # => "such_privacy"
 ```
 

data/bin/muchsecrets

@@ -0,0 +1,94 @@
+#!/usr/bin/env ruby
+require 'optparse'
+require 'muchsecrets'
+
+options = {}
+
+# Extra options to OptionParser reduce the amount of whitespace it introduces
+# into the help message, making it easier to make the help message fit in a
+# 80x24 window.
+opts = OptionParser.new(nil, 24, '  ')
+
+opts.banner = 'Usage: muchsecrets [options] [--file /path/to/file | --consul path/to/consul/key | --string "really private string"]'
+
+# actions
+opts.on('--encrypt', 'Encrypt it.') do |opt|
+  options[:encrypt] = opt
+end
+opts.on('--decrypt', 'Decrypt it.') do |opt|
+  options[:decrypt] = opt
+end
+
+# options
+opts.on('--consulserver HOST', 'Consul server http address.') do |opt|
+  options[:consulserver] = opt
+end
+opts.on('--privatekey PRIVKEY', 'Location of your private key.') do |opt|
+  options[:privatekey] = opt
+end
+opts.on('--publickey PUBKEY', 'Location of your public key.') do |opt|
+  options[:publickey] = opt
+end
+
+# what to act on
+opts.on('--file FILE', 'File to encrypt.') do |opt|
+  options[:file] = opt
+end
+opts.on('--consul KEY', 'Consul key to decrypt.') do |opt|
+  options[:consul] = opt
+end
+opts.on('--string "STRING"', 'Quoted string to encrypt.') do |opt|
+  options[:string] = opt
+end
+
+opts.on_tail('-h', '--help', 'Show this message.') do
+  puts opts
+  exit
+end
+
+opts.parse!
+
+# Display a usage message if the user did not specify a valid action to perform.
+if options.empty?
+  puts opts
+  exit
+end
+
+# I refuse to encrypt and decrypt at the same time.
+if options[:encrypt] && options[:decrypt]
+  puts "you cannot pass the --encrypt flag at the same time as the --decrypt flag."
+  exit
+# likewise, I refuse to do nothing.
+elsif !options[:encrypt] && !options[:decrypt]
+  puts "you need to pass either --encrypt or --decrypt."
+  exit
+end
+
+# if we get here I guess we can do something.
+if options[:encrypt]
+  # need the public key for encrypting.
+  abort "--encrypt needs the --publickey option passed." if !options[:publickey]
+
+  string_to_encrypt = ""
+
+  if options[:file]
+    string_to_encrypt = File.read(options[:file])
+  elsif options[:string]
+    string_to_encrypt = options[:string].to_s
+  end
+
+  # encrypt and print string
+  wow = MuchSecrets::Secret.new(:public_key => options[:publickey])
+  puts wow.encrypt_string(string_to_encrypt)
+
+elsif options[:decrypt]
+  # need the public and private keys for decrypting.
+  abort "--decrypt needs the --publickey option passed." if !options[:publickey]
+  abort "--decrypt needs the --privatekey options passed." if !options[:privatekey]
+
+  wow = MuchSecrets::Secret.new(:public_key => options[:publickey], :private_key => options[:privatekey])
+  puts wow.get_consul_secret(options[:consul])
+
+end
+
+

data/lib/muchsecrets.rb

@@ -1,3 +1,2 @@
-#require "goldstar/notifications/version"
 require "muchsecrets/secret"
 

data/lib/muchsecrets/secret.rb

@@ -15,6 +15,11 @@ module MuchSecrets
       return decrypt_string(encrypted_secret)
     end
 
+    def get_consul_secret(uri)
+      uri = uri + '?raw'
+      return get_http_secret(uri)
+    end
+
     def encrypt_string(val)
       cert = OpenSSL::X509::Certificate.new(File.read(@public_key))
       return OpenSSL::PKCS7::encrypt([cert], val, @cipher, OpenSSL::PKCS7::BINARY)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: muchsecrets
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
 platform: ruby
 authors:
 - Pat O'Brien
@@ -13,12 +13,14 @@ dependencies: []
 description: handles encrypting and decrypting secrets to/from consul.
 email:
 - muchsecrets@tetrisbocks.net
-executables: []
+executables:
+- muchsecrets
 extensions: []
 extra_rdoc_files: []
 files:
 - lib/muchsecrets/secret.rb
 - lib/muchsecrets.rb
+- bin/muchsecrets
 - LICENSE
 - README.md
 homepage: http://github.com/poblahblahblah/muchsecrets