RubyGems - opensecret - Versions diffs - 0.0.4 → 0.0.5 - Mend

opensecret 0.0.4 → 0.0.5

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/config.openkey.ini +14 -0
data/lib/opensecret/plugins.io/cipher/crypto.rb +152 -123
data/lib/opensecret/version.rb +1 -1
data/lib/opensecret.rb +63 -11
metadata +2 -2
data/lib/opensecret-domain.ini +0 -23

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e0d63e217092bc721ad94dfb5ae966875a9fd17d
-  data.tar.gz: 87eff49362703bb87775686c8976398deeeb80f3
+  metadata.gz: 9bc4bfc60cbda290f4cac72f199f16c7edeee9f7
+  data.tar.gz: 5b901aaa8a3d2db04a48bb1244bf9e305e7ab2a6
 SHA512:
-  metadata.gz: 66f8e8cc37da72a39d075b0e89e7786e4d6499212e165c60b8e66ad014418c8905277e478c743d4f138ee3d5396c30e52afa7f165cf3763c82e8540220efca66
-  data.tar.gz: 467e06826f0d175f88f50510da1f6c5c9dca4e5025c3da0f354bb29da5cef6277a8ef58fa92bd47090ab0f25ae2b3a2b5d6de06f99ff4b16147234b5be5ec687
+  metadata.gz: 2e246d8520e068d0dace4ec48221d0cc2a2fbd761e8c06924759912e24e1e9afbdb433e56b1a132983966c178b3ae79fa30ded31fa9e57d287c4d9cf50d844d3
+  data.tar.gz: 8b0cee1a18cb39cfce967b73dd091630d6f8ac923b7d60978a1d61970d157a41f67be672653c19798e25dd3a306002a385ba19a47940e193552665373cffcf5b

data/lib/config.openkey.ini ADDED Viewed

@@ -0,0 +1,14 @@
+[joebloggs@openkey.com]
+type=user
+id=joe
+keydir=/media/usb-key/secrets
+fingerprint=23423x123123
+public.key.signature=13242345dfg
+[blues.band.bloggs]
+type=domain
+members = { pete => "peterpan@simple.com", fx => "admin@fortknox.com" }
+fingerprints = { pete => "x1234ljsdf", fx => "asdfasd1234" }
+store.url=https://www.github.com/joes.hub.account

data/lib/opensecret/plugins.io/cipher/crypto.rb CHANGED Viewed

@@ -1,174 +1,203 @@
 #!/usr/bin/ruby
-# --
-# -- Create dynamic secrets of various flavours including
-# --
-# --   - ssh public/private key secrets
-# --   - secret keys for internal database services
-# --   - hashed SHA256 keys for Jenkins user auth
-# --
-class Crypto
-  # --
-  # -- Get a viable machine password taking into account the human
-  # -- password length and the specified mix_ratio.
-  # --
-  # -- machine password length = human password length * mix_ratio - 1
-  # --
-  def self.get_amalgam_password human_password, machine_password, mix_ratio
-    size_error_msg = "Human pass length times mix_ratio must equal machine pass length."
-    lengths_are_perfect = human_password.length * mix_ratio == machine_password.length
-    raise ArgumentError.new size_error_msg unless lengths_are_perfect
-    machine_passwd_chunk = 0
-    amalgam_passwd_index = 0
-    amalgamated_password = ""
-    human_password.each_char do |passwd_char|
-      amalgamated_password[amalgam_passwd_index] = passwd_char
-      amalgam_passwd_index += 1
-      for i in 0..(mix_ratio-1) do
-        machine_pass_index = machine_passwd_chunk * mix_ratio + i
-        amalgamated_password[amalgam_passwd_index] = machine_password[machine_pass_index]
+module OpenSecret
+  #
+  # Create dynamic secrets of various flavours including
+  #
+  # - ssh public/private key secrets
+  # - secret keys for internal database services
+  # - hashed SHA256 keys for Jenkins user auth
+  #
+  class Crypto
+    # Register two fundamental openkey crypt pointers
+    #
+    # - an openkey domain like &raquo; **lecturers@harvard**
+    # - the url to a backend store like Git, S3 or an SSH accessible drive.
+    #
+    # The domain will be extended to cover verified internet domains.
+    # They will also latch onto LDAP domains so when admins add, revoke
+    # or remove users, their openkey access is adjusted accordingly.
+    #
+    # @param domain [String] the DOMAIN eg lecturers@harvard for your family or work group.
+    # @param store_url [String] the STORE_URL for connecting to the backend storage service
+    #
+    def self.register_domain domain, store_url
+      # -> read config file map
+      # -> create new domain in map
+      # -> add type and store url to map
+      # -> backup configuration
+      # -> overwrite the ini config file
+      puts "hello i am registering this super domain #{domain} at #{store_url}"
+    end
+    # --
+    # -- Get a viable machine password taking into account the human
+    # -- password length and the specified mix_ratio.
+    # --
+    # -- machine password length = human password length * mix_ratio - 1
+    # --
+    def self.get_amalgam_password human_password, machine_password, mix_ratio
+      size_error_msg = "Human pass length times mix_ratio must equal machine pass length."
+      lengths_are_perfect = human_password.length * mix_ratio == machine_password.length
+      raise ArgumentError.new size_error_msg unless lengths_are_perfect
+      machine_passwd_chunk = 0
+      amalgam_passwd_index = 0
+      amalgamated_password = ""
+      human_password.each_char do |passwd_char|
+        amalgamated_password[amalgam_passwd_index] = passwd_char
         amalgam_passwd_index += 1
+        for i in 0..(mix_ratio-1) do
+          machine_pass_index = machine_passwd_chunk * mix_ratio + i
+          amalgamated_password[amalgam_passwd_index] = machine_password[machine_pass_index]
+          amalgam_passwd_index += 1
+        end
+        machine_passwd_chunk += 1
       end
-      machine_passwd_chunk += 1
+      return amalgamated_password
     end
-    return amalgamated_password
-  end
+    # --
+    # -- Get a viable machine password taking into account the human
+    # -- password length and the specified mix_ratio.
+    # --
+    # -- machine password length = human password length * mix_ratio - 1
+    # --
+    def self.get_machine_password human_password_length, mix_ratio
-  # --
-  # -- Get a viable machine password taking into account the human
-  # -- password length and the specified mix_ratio.
-  # --
-  # -- machine password length = human password length * mix_ratio - 1
-  # --
-  def self.get_machine_password human_password_length, mix_ratio
+      machine_raw_secret = engineer_password( human_password_length * ( mix_ratio + 1) )
+      return machine_raw_secret[ 0..( human_password_length * mix_ratio - 1 ) ]
-    machine_raw_secret = engineer_password( human_password_length * ( mix_ratio + 1) )
-    return machine_raw_secret[ 0..( human_password_length * mix_ratio - 1 ) ]
+    end
-  end
+    # --
+    # -- Collect a password from the user with a minimum length
+    # -- specified in the parameter.
+    # --
+    # -- An exception is raised if the minimum length is not at
+    # -- least 8 characters.
+    # --
+    def self.collect_secret minimum_size, prompt_1, prompt_2
-  # --
-  # -- Collect a password from the user with a minimum length
-  # -- specified in the parameter.
-  # --
-  # -- An exception is raised if the minimum length is not at
-  # -- least 8 characters.
-  # --
-  def self.collect_secret minimum_size, prompt_1, prompt_2
+      assert_min_size minimum_size
-    assert_min_size minimum_size
+      sleep(1)
+      puts "\n#{prompt_1} : "
+      first_secret = STDIN.noecho(&:gets).chomp
-    sleep(1)
-    puts "\n#{prompt_1} : "
-    first_secret = STDIN.noecho(&:gets).chomp
+      assert_input_text_size first_secret.length, minimum_size
-    assert_input_text_size first_secret.length, minimum_size
+      sleep(1)
+      puts "\n#{prompt_2} : "
+      check_secret = STDIN.noecho(&:gets).chomp
-    sleep(1)
-    puts "\n#{prompt_2} : "
-    check_secret = STDIN.noecho(&:gets).chomp
+      assert_same_size_text first_secret, check_secret
+      return first_secret
-    assert_same_size_text first_secret, check_secret
-    return first_secret
+    end
-  end
+    # --
+    # -- Engineer a raw password that is similar (approximate) in
+    # -- length to the integer parameter.
+    # --
+    def self.engineer_password approx_length
-  # --
-  # -- Engineer a raw password that is similar (approximate) in
-  # -- length to the integer parameter.
-  # --
-  def self.engineer_password approx_length
+      non_alphanum = SecureRandom.urlsafe_base64(approx_length);
+      return non_alphanum.delete("-_")
-    non_alphanum = SecureRandom.urlsafe_base64(approx_length);
-    return non_alphanum.delete("-_")
+    end
-  end
+    # --
+    # -- Raise an exception if asked to collect text that is less
+    # -- than 3 characters in length.
+    # --
+    def self.assert_min_size minimum_size
-  # --
-  # -- Raise an exception if asked to collect text that is less
-  # -- than 3 characters in length.
-  # --
-  def self.assert_min_size minimum_size
+      min_length_msg = "\n\nCrypts with 2 (or less) characters open up exploitable holes.\n\n"
+      raise ArgumentError.new min_length_msg if minimum_size < 3
-    min_length_msg = "\n\nCrypts with 2 (or less) characters open up exploitable holes.\n\n"
-    raise ArgumentError.new min_length_msg if minimum_size < 3
+    end
-  end
+    # --
+    # -- Output an error message and then exit if the entered input
+    # -- text size does not meet the minimum requirements.
+    # --
+    def self.assert_input_text_size input_size, minimum_size
-  # --
-  # -- Output an error message and then exit if the entered input
-  # -- text size does not meet the minimum requirements.
-  # --
-  def self.assert_input_text_size input_size, minimum_size
+      if( input_size < minimum_size  )
-    if( input_size < minimum_size  )
+        puts
+        puts "Input is too short. Please enter at least #{minimum_size} characters."
+        puts
-      puts
-      puts "Input is too short. Please enter at least #{minimum_size} characters."
-      puts
+        exit
-      exit
+      end
     end
-  end
+    # --
+    # -- Assert that the text entered the second time is exactly (case sensitive)
+    # -- the same as the text entered the first time.
+    # --
+    def self.assert_same_size_text first_text, second_text
+      unless( first_text.eql? second_text )
-  # --
-  # -- Assert that the text entered the second time is exactly (case sensitive)
-  # -- the same as the text entered the first time.
-  # --
-  def self.assert_same_size_text first_text, second_text
-    unless( first_text.eql? second_text )
+        puts
+        puts "Those two bits of text are not the same (in my book)!"
+        puts
-      puts
-      puts "Those two bits of text are not the same (in my book)!"
-      puts
+        exit
-      exit
+      end
     end
-  end
+    # --
+    # -- Print out the machine password that is to be kept as an environment variable
+    # -- on any workstation used for material decryption.
+    # --
+    # -- Remember that neither the human nor machine passwords are required for the
+    # -- encryption phase. That is the beauty of assymetric cryptography - you don't
+    # -- need a private key to encrypt - just the end user's public key.
+    # --
+    def self.print_secret_env_var env_var_name, env_var_value
-  # --
-  # -- Print out the machine password that is to be kept as an environment variable
-  # -- on any workstation used for material decryption.
-  # --
-  # -- Remember that neither the human nor machine passwords are required for the
-  # -- encryption phase. That is the beauty of assymetric cryptography - you don't
-  # -- need a private key to encrypt - just the end user's public key.
-  # --
-  def self.print_secret_env_var env_var_name, env_var_value
+      machine_to_env_txt = "sudo echo \"#{env_var_name}=#{env_var_value}\" >> /etc/environment"
-    machine_to_env_txt = "sudo echo \"#{env_var_name}=#{env_var_value}\" >> /etc/environment"
+      puts
+      puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts "@@@ Add as environment variable @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts machine_to_env_txt
+      puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts
-    puts
-    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts "@@@ Add as environment variable @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts machine_to_env_txt
-    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts
+    end
   end
 end

data/lib/opensecret/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module OpenSecret
-  VERSION = "0.0.4"
+  VERSION = "0.0.5"
 end

data/lib/opensecret.rb CHANGED Viewed

@@ -1,13 +1,42 @@
 require "opensecret/version"
 require "thor"
-module OpenSecret
-end
+# # How domains are joined?
+#
+# First the user **wishing to join* must be able to access the domain shared
+# **backend storage** system. The planned list of supported storage systems (each of
+# which is on-lined with a plugin (in plugins.io) is
+#
+# - Git (including GitHub, GitLab, BitBucket, OpenGit and private Git installations).
+# - S3 Buckets from the Amazon Web Services (AWS) cloud.
+# - SSH, SCP, SFTP connected file-systems
+# - network storage including Samba, NFS, VMWare vSAN
+# - GoogleDrive (only Windows has suitable synchronized support).
+# - DropBox
+#
+# Access management is configured EXTERNAL to openkey. OpenKey simply piggybacks
+# the network transport if authorization is granted.
 #
-# This command line processor will
+# ## Use Case - Joining a Domain
+#
+#  - ok will loop encrypting your public key's fingerprint with the public keys of present members
+#  - when they interact ok will ask if they trust the new id/email and key
+#  - if they say yes the fingerprint is imported and held with id/name
+#  - ongoing domainwide checks flag up public key / fingerprint mismatches
+#  - if keys are removed or updated similar questions are asked.
+#
+# # Begging for and Revealing Secrets
+#
+#  - Why beg for a secret - why not just tell someone it?
+#  - It is much more secure to beg for a secret than just have someone reveal it.
+#  - When you beg for a secret - you are sending an encryption key to a single person
+#  - who must possess the private key and they send back the secret encrypted with both
+#  - your specific public key and the encryption key that originated from you.
+#  -
+#  - Any hijacker will need access to a great many things and be very precise with their
+#  - timing in order to serrupticiously subvert the system.
+#
+# ### This command line processor will
 #
 # - read the posted commands, options and switches
 # - maps the incoming string data to objects
@@ -18,15 +47,38 @@ end
 #
 # @note the Thor ruby gem is used for the heavy lifting
 #
+# @example openkey initdomain create friends.joebloggs --secure
+# @example openkey user create id=joe email=joebloggs@openkey.com
+# @example openkey user create id=joe email=joebloggs@openkey.com
+#
+#
 class CommandProcessor < Thor
-  # opensecret init lecturers@cambridge.university
+  desc "init DOMAIN", "DOMAIN eg lecturers@harvard names your friends, family or work group."
+  desc "init STORE_URL", "STORE_URL is backend Git/S3/SSH crypt store. Use https://www.eco-platform.co.uk/crypt.store.git"
+  # Initialize (configure) two fundamental crypt pointers
+  #
+  # - an openkey domain like &raquo; **lecturers@harvard**
+  # - the url to a backend store like Git, S3 or an SSH accessible drive.
+  #
+  # The domain will be extended to cover verified internet domains.
+  # They will also latch onto LDAP domains so when admins add, revoke
+  # or remove users, their openkey access is adjusted accordingly.
+  #
+  # @example openkey user create id=joe email=joebloggs@openkey.com
+  #
+  # @param domain [String] the DOMAIN eg lecturers@harvard for your family or work group.
+  # @param store_url [String] the STORE_URL for connecting to the backend storage service
+  #
+  def init domain, store_url
-  desc "init DOMAIN", "DOMAIN identifies your team, friends, family or business."
-  def init( domain )
+    OpenSecret::Crypto.register_domain domain, store_url
-    puts "You want to create the #{domain} domain.\n"
-    return "goodbye"
+    puts ""
+    puts "New domain configured  => [ #{domain} ]"
+    puts "Crypt store configured => [ #{store_url} ]"
+    puts ""
   end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opensecret
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Apollo Akora
@@ -99,7 +99,7 @@ files:
 - README.md
 - Rakefile
 - bin/opensecret
-- lib/opensecret-domain.ini
+- lib/config.openkey.ini
 - lib/opensecret.rb
 - lib/opensecret/additions/array.rb
 - lib/opensecret/additions/dir.rb

data/lib/opensecret-domain.ini DELETED Viewed

@@ -1,23 +0,0 @@
-opensecret configure mode="secure"
-opensecret configure mode="secure"
-[@[os|domain.id]]
-secrecy = play      # Options are play | secure | enterprise see website for details.
-[people]
-jack  = jackhiggins@blueyonder.com
-gaz   = gareth.southgate@gmail.com
-jiji  = johnjames23@yahoo.co.uk