opensecret 0.0.2 → 0.0.4

data/lib/opensecret/{safe.rb → delegate.rb}

@@ -1,9 +1,11 @@
 
 module OpenSecret
 
-  class Safe
+  class Delegate
 
-    def verbose_lock
+    def command
+
+      return "hello world"
 
       time = Time.now
       minute = time.min

data/lib/opensecret/eco.do.rb

@@ -0,0 +1,46 @@
+#!/usr/bin/ruby
+
+require 'pp'
+require 'json'
+require 'inifile'
+require 'singleton'
+require 'filesize'
+require 'tmpdir'
+require 'base64'
+require 'date'
+require 'etc'
+require 'optparse'
+require 'securerandom'
+require 'digest'
+require 'net/http'
+require 'net/ssh'
+require 'net/scp'
+require 'aws-sdk'
+require 'aws-sdk-resources'
+require 'nokogiri'
+require 'openssl'
+require 'io/console'
+
+# --
+# -- Require modules that read config and require modules
+# --
+require_relative '../iaas.tool.collection/user.home'
+require_relative '../iaas.tool.collection/throw.error'
+require_relative '../iaas.tool.collection/ruby.require'
+require_relative '../reusable.classes/logs/logging'
+
+
+# --
+# -- Flush logs destined for STDOUT immediately.
+# -- Do not wait for a full cache or script end.
+# --
+$stdout.sync = true
+
+include Logging
+
+log.debug(ere) { "Require of ruby modules has been completed." }
+
+EcoSystems.create
+
+exit
+

data/lib/opensecret/executors/crypt.keys/crypt.keys.ini

@@ -0,0 +1,79 @@
+[crypt.keys]
+
+min.passwd.len  =  e>> 16
+nickname        =  godzilla
+root.domain     =  devopswiki.co.uk
+env.var.name    =  SECRET_MATERIAL
+ratio           =  e>> 3
+bit.key.size    =  e>> 8192
+key.cipher      =  e>> OpenSSL::Cipher.new 'AES-128-CBC'
+secret.keyname  =  e>> @s[:nickname] + dot + @s[:root_domain] + dot + @f[:time][:stamp] + ".txt"
+secret.keydir   =  e>> @f[@i[:workstation]][:secrets_dir]
+secret.keypath  =  e>> File.join @s[:secret_keydir], @s[:secret_keyname]
+
+repo.name       =  material_data
+local.gitrepo   =  e>> File.join @i[:dir], @s[:repo_name]
+public.gitrepo  =  https://www.eco-platform.co.uk/content/material.data.git
+public.dirname  =  public_keys
+
+public.keyroute =  e>> File.join @s[:root_domain], @s[:public_dirname]
+public.keydir   =  e>> File.join @s[:local_gitrepo], @s[:public_keyroute]
+public.keyname  =  e>> "public_key." + @s[:nickname] + dot + @s[:root_domain] + ".txt"
+public.keypath  =  e>> File.join @s[:public_keydir], @s[:public_keyname]
+
+prompt.1        =  Enter a Robust Password
+prompt.2        =  Re-enter that Password
+
+#--
+#-- ------------------------------------------
+#-- How to Add the Secret Material on Windows
+#-- ------------------------------------------
+#--
+#-- Check that the variable is not set.
+#-- $ set
+#--
+#-- Run the commands below and then acquire another
+#-- command prompt or emacs/cygwin window.
+#--
+#-- $ setx SECRET_MATERIAL ABC123
+#-- $ set
+#--
+#-- Check (with last command) on new prompt that the
+#-- environment variable is now set.
+#--
+#-- ----------------------------------------
+#-- How to Add the Secret Material (Linux)
+#-- ----------------------------------------
+#--
+#-- Check that the variable is not set.
+#-- $ printenv | sort
+#--
+#-- Run the commands below and then reboot.
+#-- (Ensure that the whole disk is encrypted so that the
+#-- /etc/environment file cannot be accessed if your desktop
+#-- or laptop is stolen.
+#--
+#-- $ sudo chmod 666 /etc/environment
+#-- $ sudo echo "SECRET_MATERIAL=ABC123" >> /etc/environment
+#-- $ sudo chmod 644 /etc/environment
+#-- $ printenv | sort
+#--
+#-- Check (with last command) after the reboot to ensure
+#-- that the environment variable is now set.
+#--
+#-- ---------------------------------------------------
+#-- How to TEMPORARILY Add the Secret Material (Linux)
+#-- ---------------------------------------------------
+#--
+#-- Check that the variable is not set.
+#-- $ printenv | sort
+#--
+#-- We are only adding for the session (perhaps to test it)
+#-- therefore we simply export. On closing the shell the
+#-- environment variable will be gone.
+#--
+#-- $ export SECRET_MATERIAL=ABC123
+#-- $ printenv | sort
+#--
+#-- Now the environment variable should be temporarily set.
+#--

data/lib/opensecret/executors/crypt.keys/crypt.keys.rb

@@ -0,0 +1,68 @@
+#!/usr/bin/ruby
+	
+# --
+# -- This plugin creates cryptographic keys, installs them and then messages
+# -- and notifies as required.
+# --
+# -- Input
+# --
+# --   [1] - memorable portion of password
+# --   [2] - memorable password entered again for validation
+# --
+# -- Output
+# --
+# --   [1] - machine portion of password to be added as environment variable
+# --   [2] - secured (password locked) private key to put on removable media
+# --   [3] - an open [public key] to be placed on web accessible destination
+# --   [4] - a message detailing that a new keypair is now created/installed
+# --
+class CryptKeys < EcoSystem
+
+
+  def core_provisioning
+
+    log.info(ere) { "# ## ####### ########################################## ## #" }
+    log.info(ere) { "# -- [crypt] ------------------------------------------ -- #" }
+    log.info(ere) { "# -- [crypt] This plugin encrypts a file or string. --- -- #" }
+    log.info(ere) { "# -- [crypt] ------------------------------------------ -- #" }
+    log.info(ere) { "# ## ####### ########################################## ## #" }
+
+    natural_password = Crypto.collect_secret @p[:min_passwd_len], @p[:prompt_1], @p[:prompt_2]
+    machine_password = Crypto.get_machine_password natural_password.length, @p[:ratio]
+    amalgam_password = Crypto.get_amalgam_password natural_password, machine_password, @p[:ratio]
+
+    asymmetric_keys = OpenSSL::PKey::RSA.new @p[:bit_key_size]
+    secured_keytext = asymmetric_keys.export @p[:key_cipher], amalgam_password
+    public_key_text = asymmetric_keys.public_key.to_pem
+
+    Dir.mkdir @p[:secret_keydir] unless File.exists? @p[:secret_keydir]
+    File.write @p[:secret_keypath], secured_keytext
+
+    Crypto.print_secret_env_var @p[:env_var_name], machine_password
+
+    GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
+    FileUtils.mkdir_p @p[:public_keydir]
+    File.write @p[:public_keypath], public_key_text
+    GitFlow.push @p[:local_gitrepo], @p[:public_keyname], @c[:time][:stamp]
+
+    exit
+
+
+key4_pem = File.read 'private.secure.pem'
+pass_phrase = 'superduperpasswordistoBeENTEREDRIGHT1234HereandRightNOW'
+key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
+decrypted_text = key4.private_decrypt(Base64.decode64(encrypted_string))
+
+print "\nHey we have done the decryption.\n", "\n"
+print decrypted_text, "\n"
+
+
+
+
+    log.info(ere) { "# -- [crypt] ------------------------------------------ -- #" }
+    log.info(ere) { "# ## ####### ########################################## ## #" }
+
+  end
+
+
+end

data/lib/opensecret/executors/decrypt/decrypt.ini

@@ -0,0 +1,64 @@
+[decrypt]
+
+# ---> secret.id       =  DEVOPS_SECRET_MATERIAL
+# ---> secret.part     =  e>> ENV[@s[:secret_id]]
+# ---> secret.key      =  e>> @s[:secret_part] + CmdLine.instance.key_values[:key]
+# ---> secret.dir      =  e>> @f[@i[:workstation]][:secrets_dir]
+# ---> secret.file     =  e>> "DELETE_" + @f[:time][:stamp] + "_" + CmdLine.instance.key_values[:file]
+# ---> secret.in       =  e>> File.join @s[:secret_dir], CmdLine.instance.key_values[:file]
+# ---> secret.out      =  e>> File.join Dir.tmpdir, @s[:secret_file]
+# ---> secret.crypt    =  e>> File.read(@s[:secret_in]).chomp
+# ---> temporary.dir   =  e>> Dir.tmpdir
+
+
+prompt.1        =  Enter your Key Password
+prompt.2        =  Re-enter the Key Password
+
+min.passwd.len  =  e>> 16
+nickname        =  godzilla
+root.domain     =  devopswiki.co.uk
+env.var.name    =  SECRET_MATERIAL
+machine.secret  =  e>> ENV[@s[:env_var_name]]
+ratio           =  e>> 3
+bit.key.size    =  e>> 8192
+key.cipher      =  e>> OpenSSL::Cipher.new 'AES-128-CBC'
+
+secret.leadtxt  =  e>> @s[:nickname] + dot + @s[:root_domain]
+secret.keyname  =  e>> @s[:secret_leadtxt] + dot + @f[:time][:stamp] + ".txt"
+secret.keydir   =  e>> @f[@i[:workstation]][:secrets_dir]
+secret.rubydir  =  e>> Dir.new @s[:secret_keydir]
+secret.newest   =  e>> @s[:secret_rubydir].ascii_order_file_starting_with @s[:secret_leadtxt]
+secret.keytext  =  e>> File.read @s[:secret_newest]
+
+repo.name       =  material_data
+local.gitrepo   =  e>> File.join @i[:dir], @s[:repo_name]
+public.gitrepo  =  https://www.eco-platform.co.uk/content/material.data.git
+public.dirname  =  public_keys
+
+public.keyroute =  e>> File.join @s[:root_domain], @s[:public_dirname]
+public.keydir   =  e>> File.join @s[:local_gitrepo], @s[:public_keyroute]
+public.keyname  =  e>> "public_key." + @s[:nickname] + dot + @s[:root_domain] + ".txt"
+public.keypath  =  e>> File.join @s[:public_keydir], @s[:public_keyname]
+
+
+# --
+# -- Note that we can only predict the crypt folder from looking at full path.
+# -- This is because the user may enter a path string like the below.
+# --
+# --     --path=dates/bithdays/wife.birthday
+# --
+# -- So we extrapolate the crypt directory from the full file path.
+# -- We also extrapolate the crypt filename from the final segment.
+# --
+crypt.dir.name  =  crypt_files
+crypt.rel.base  =  e>> File.join @s[:root_domain], @s[:crypt_dir_name]
+crypt.rel.path  =  e>> File.join @s[:crypt_rel_base], CmdLine.instance.key_values[:name]
+crypt.sudopath  =  e>> File.join @s[:local_gitrepo], @s[:crypt_rel_path]
+crypt.dir.path  =  e>> File.dirname @s[:crypt_sudopath]
+crypt.filename  =  e>> File.basename(@s[:crypt_sudopath]) + dot + @s[:nickname] + ".crypt.txt"
+crypt.filepath  =  e>> File.join @s[:crypt_dir_path], @s[:crypt_filename]
+
+
+plaintext.name  =  e>> File.basename(@s[:crypt_sudopath]) + dot + @s[:nickname] + ".plain.txt"
+plaintext.file  =  e>> "DELETE_" + @f[:time][:stamp] + "_" + @s[:plaintext_name]
+plaintext.path  =  e>> File.join Dir.tmpdir, @s[:plaintext_file]

data/lib/opensecret/executors/decrypt/decrypt.rb

@@ -0,0 +1,49 @@
+#!/usr/bin/ruby
+	
+# --
+# -- This decryption plugin brings together many elements to
+# -- decrypt text that is a union of the public key and the
+# -- plaintext material.
+# --
+# -- To perform the decryption we
+# --
+# --  [1] - read the human entered relative path to the material
+# --  [2] - request and read the human portion of the password
+# --  [3] - read the machine password in the environment variable
+# --  [4] - amalgamate (join) the human and the machine passwords
+# --  [5] - download the encryptd material from a git repository
+# --  [6] - access the private key from a [local] removable drive
+# --  [7] - unlock the private key with the amalgamated password
+# --  [8] - decrypt the text into the pre-configured destination
+# --
+class Decrypt < EcoSystem
+
+
+  def core_provisioning
+
+    log.info(ere) { "# ## ######### ######################################## ## #" }
+    log.info(ere) { "# -- [decrypt] ---------------------------------------- -- #" }
+    log.info(ere) { "# -- [decrypt] This plugin decrypts a filed string. --- -- #" }
+    log.info(ere) { "# -- [decrypt] ---------------------------------------- -- #" }
+    log.info(ere) { "# ## ######### ######################################## ## #" }
+
+
+    GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
+    Throw.if_not_exists @p[:crypt_filepath]
+
+    crypted_material = File.read @p[:crypt_filepath]
+    natural_password = Crypto.collect_secret @p[:min_passwd_len], @p[:prompt_1], @p[:prompt_2]
+    amalgam_password = Crypto.get_amalgam_password natural_password, @p[:machine_secret], @p[:ratio]
+
+    decryption_key = OpenSSL::PKey::RSA.new @p[:secret_keytext], amalgam_password
+    decrypted_text = decryption_key.private_decrypt(Base64.decode64(crypted_material))
+
+    File.write @p[:plaintext_path], decrypted_text
+
+    log.info(ere) { "# -- [decrypt] ------------------------------------------ -- #" }
+    log.info(ere) { "# ## ######### ########################################## ## #" }
+
+  end
+
+
+end

data/lib/opensecret/executors/encrypt/encrypt.ini

@@ -0,0 +1,55 @@
+[encrypt]
+
+prompt.1        =  Enter Secret Text
+prompt.2        =  Re-enter the Text
+
+min.passwd.len  =  e>> 16
+nickname        =  godzilla
+root.domain     =  devopswiki.co.uk
+env.var.name    =  SECRET_MATERIAL
+ratio           =  e>> 3
+bit.key.size    =  e>> 8192
+key.cipher      =  e>> OpenSSL::Cipher.new 'AES-128-CBC'
+secret.keyname  =  e>> @s[:nickname] + dot + @s[:root_domain] + dot + @f[:time][:stamp] + ".txt"
+secret.keydir   =  e>> @f[@i[:workstation]][:secrets_dir]
+secret.keypath  =  e>> File.join @s[:secret_keydir], @s[:secret_keyname]
+
+repo.name       =  material_data
+local.gitrepo   =  e>> File.join @i[:dir], @s[:repo_name]
+public.gitrepo  =  https://www.eco-platform.co.uk/content/material.data.git
+public.dirname  =  public_keys
+
+public.keyroute =  e>> File.join @s[:root_domain], @s[:public_dirname]
+public.keydir   =  e>> File.join @s[:local_gitrepo], @s[:public_keyroute]
+public.keyname  =  e>> "public_key." + @s[:nickname] + dot + @s[:root_domain] + ".txt"
+public.keypath  =  e>> File.join @s[:public_keydir], @s[:public_keyname]
+
+# --
+# -- Note that we can only predict the crypt folder from looking at full path.
+# -- This is because the user may enter a path string like the below.
+# --
+# --     --path=dates/bithdays/wife.birthday
+# --
+# -- So we extrapolate the crypt directory from the full file path.
+# -- We also extrapolate the crypt filename from the final segment.
+# --
+crypt.dir.name  =  crypt_files
+crypt.rel.base  =  e>> File.join @s[:root_domain], @s[:crypt_dir_name]
+crypt.rel.path  =  e>> File.join @s[:crypt_rel_base], CmdLine.instance.key_values[:name]
+crypt.sudopath  =  e>> File.join @s[:local_gitrepo], @s[:crypt_rel_path]
+crypt.dir.path  =  e>> File.dirname @s[:crypt_sudopath]
+crypt.filename  =  e>> File.basename(@s[:crypt_sudopath]) + dot + @s[:nickname] + ".crypt.txt"
+crypt.filepath  =  e>> File.join @s[:crypt_dir_path], @s[:crypt_filename]
+
+
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday

data/lib/opensecret/executors/encrypt/encrypt.rb

@@ -0,0 +1,82 @@
+#!/usr/bin/ruby
+	
+# --
+# -- This simple [cipher] plugin encrypts either the inputted string or
+# -- file, using the configured public key and writes the cryptic material
+# -- to a file that is checked into a git repository.
+# --
+# -- -----------------------
+# -- Example Parameters
+# -- -----------------------
+# --
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# -- @todo change input from --name to --path => encrypt --path=dates/bithdays/wife.birthday
+# --
+# --  --name=dates/birthdays      (mandatory)
+# --  --file=/home/joe/laptop.key (optional)
+# --
+# -- ---------------------------------------------
+# -- Escaping - Prefer BACKSLASH to DOUBLE QUOTES
+# -- ---------------------------------------------
+# --
+# -- Sensitive keys and passwords usually contain non standard characters.
+# -- Now you can use either BACKSLASHES or DOUBLE QUOTES to escape them.
+# --
+# -- Prefer backslash to double quotes.
+# --
+# -- Why? Example1 = --text=wow!wow!wee     Will FAIL
+# --      Example2 = --text=wow\!wow\!wee   Will SUCCEED
+# --      Example3 = --text=in(doubt)here   Will FAIL
+# --      Example4 = --text="in(doubt)here" Will SUCCEED
+# --      Example5 = --text="no!way"        Will FAIL
+# --      Example6 = --text="no\!and(oh)my" SUCCEEDS BUT INCLUDES backslash
+# --      Example7 = --text=no\!and\(oh\)my SUCCEEDS (NO backslash)
+# --
+# -- Example 6 will succeed but the decrypted string will include the
+# -- backslash like => no\!and(oh)my
+# --
+# -- Example 7 is the best for when exclamation marks and soft quotes exist.
+# -- Decrypted string is => no!and(oh)my
+# --
+class Encrypt < EcoSystem
+
+  def core_provisioning
+
+    log.info(ere) { "# ## ######### ########################################## ## #" }
+    log.info(ere) { "# -- [encrypt] ------------------------------------------ -- #" }
+    log.info(ere) { "# -- [encrypt] This plugin encrypts a file or string. --- -- #" }
+    log.info(ere) { "# -- [encrypt] ------------------------------------------ -- #" }
+    log.info(ere) { "# ## ######### ########################################## ## #" }
+
+    plaintext_secret = ""
+
+    if CmdLine.include? :file then
+      plaintext_filepath = CmdLine.instance.key_values[:file]
+      Throw.if_not_exists plaintext_filepath
+      plaintext_secret = File.read plaintext_filepath
+    else
+      plaintext_secret = Crypto.collect_secret 3, @p[:prompt_1], @p[:prompt_2]
+    end
+
+    GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
+
+    public_key_text = File.read @p[:public_keypath]
+    encryption_key = OpenSSL::PKey::RSA.new public_key_text
+    binary_crypt_text = encryption_key.public_encrypt plaintext_secret
+    crypt_material = Base64.encode64 binary_crypt_text
+
+    FileUtils.mkdir_p @p[:crypt_dir_path]
+    File.write @p[:crypt_filepath], crypt_material
+    GitFlow.push @p[:local_gitrepo], @p[:crypt_filename], @c[:time][:stamp]
+
+    log.info(ere) { "# -- [encrypt] ------------------------------------------ -- #" }
+    log.info(ere) { "# ## ######### ########################################## ## #" }
+
+  end
+
+
+end