RubyGems - opensecret - Versions diffs - 0.0.4 → 0.0.5 - Mend

opensecret 0.0.4 → 0.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/config.openkey.ini +14 -0
data/lib/opensecret/plugins.io/cipher/crypto.rb +152 -123
data/lib/opensecret/version.rb +1 -1
data/lib/opensecret.rb +63 -11
metadata +2 -2
data/lib/opensecret-domain.ini +0 -23

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e0d63e217092bc721ad94dfb5ae966875a9fd17d
-  data.tar.gz: 87eff49362703bb87775686c8976398deeeb80f3
+  metadata.gz: 9bc4bfc60cbda290f4cac72f199f16c7edeee9f7
+  data.tar.gz: 5b901aaa8a3d2db04a48bb1244bf9e305e7ab2a6
 SHA512:
-  metadata.gz: 66f8e8cc37da72a39d075b0e89e7786e4d6499212e165c60b8e66ad014418c8905277e478c743d4f138ee3d5396c30e52afa7f165cf3763c82e8540220efca66
-  data.tar.gz: 467e06826f0d175f88f50510da1f6c5c9dca4e5025c3da0f354bb29da5cef6277a8ef58fa92bd47090ab0f25ae2b3a2b5d6de06f99ff4b16147234b5be5ec687
+  metadata.gz: 2e246d8520e068d0dace4ec48221d0cc2a2fbd761e8c06924759912e24e1e9afbdb433e56b1a132983966c178b3ae79fa30ded31fa9e57d287c4d9cf50d844d3
+  data.tar.gz: 8b0cee1a18cb39cfce967b73dd091630d6f8ac923b7d60978a1d61970d157a41f67be672653c19798e25dd3a306002a385ba19a47940e193552665373cffcf5b

data/lib/config.openkey.ini ADDED Viewed

@@ -0,0 +1,14 @@
+[joebloggs@openkey.com]
+type=user
+id=joe
+keydir=/media/usb-key/secrets
+fingerprint=23423x123123
+public.key.signature=13242345dfg
+[blues.band.bloggs]
+type=domain
+members = { pete => "peterpan@simple.com", fx => "admin@fortknox.com" }
+fingerprints = { pete => "x1234ljsdf", fx => "asdfasd1234" }
+store.url=https://www.github.com/joes.hub.account

data/lib/opensecret/plugins.io/cipher/crypto.rb CHANGED Viewed

@@ -1,174 +1,203 @@
 #!/usr/bin/ruby
-# --
-# -- Create dynamic secrets of various flavours including
-# --
-# --   - ssh public/private key secrets
-# --   - secret keys for internal database services
-# --   - hashed SHA256 keys for Jenkins user auth
-# --
-class Crypto
-  # --
-  # -- Get a viable machine password taking into account the human
-  # -- password length and the specified mix_ratio.
-  # --
-  # -- machine password length = human password length * mix_ratio - 1
-  # --
-  def self.get_amalgam_password human_password, machine_password, mix_ratio
-    size_error_msg = "Human pass length times mix_ratio must equal machine pass length."
-    lengths_are_perfect = human_password.length * mix_ratio == machine_password.length
-    raise ArgumentError.new size_error_msg unless lengths_are_perfect
-    machine_passwd_chunk = 0
-    amalgam_passwd_index = 0
-    amalgamated_password = ""
-    human_password.each_char do |passwd_char|
-      amalgamated_password[amalgam_passwd_index] = passwd_char
-      amalgam_passwd_index += 1
-      for i in 0..(mix_ratio-1) do
-        machine_pass_index = machine_passwd_chunk * mix_ratio + i
-        amalgamated_password[amalgam_passwd_index] = machine_password[machine_pass_index]
+module OpenSecret
+  #
+  # Create dynamic secrets of various flavours including
+  #
+  # - ssh public/private key secrets
+  # - secret keys for internal database services
+  # - hashed SHA256 keys for Jenkins user auth
+  #
+  class Crypto
+    # Register two fundamental openkey crypt pointers
+    #
+    # - an openkey domain like &raquo; **lecturers@harvard**
+    # - the url to a backend store like Git, S3 or an SSH accessible drive.
+    #
+    # The domain will be extended to cover verified internet domains.
+    # They will also latch onto LDAP domains so when admins add, revoke
+    # or remove users, their openkey access is adjusted accordingly.
+    #
+    # @param domain [String] the DOMAIN eg lecturers@harvard for your family or work group.
+    # @param store_url [String] the STORE_URL for connecting to the backend storage service
+    #
+    def self.register_domain domain, store_url
+      # -> read config file map
+      # -> create new domain in map
+      # -> add type and store url to map
+      # -> backup configuration
+      # -> overwrite the ini config file
+      puts "hello i am registering this super domain #{domain} at #{store_url}"
+    end
+    # --
+    # -- Get a viable machine password taking into account the human
+    # -- password length and the specified mix_ratio.
+    # --
+    # -- machine password length = human password length * mix_ratio - 1
+    # --
+    def self.get_amalgam_password human_password, machine_password, mix_ratio
+      size_error_msg = "Human pass length times mix_ratio must equal machine pass length."
+      lengths_are_perfect = human_password.length * mix_ratio == machine_password.length
+      raise ArgumentError.new size_error_msg unless lengths_are_perfect
+      machine_passwd_chunk = 0
+      amalgam_passwd_index = 0
+      amalgamated_password = ""
+      human_password.each_char do |passwd_char|
+        amalgamated_password[amalgam_passwd_index] = passwd_char
         amalgam_passwd_index += 1
+        for i in 0..(mix_ratio-1) do
+          machine_pass_index = machine_passwd_chunk * mix_ratio + i
+          amalgamated_password[amalgam_passwd_index] = machine_password[machine_pass_index]
+          amalgam_passwd_index += 1
+        end
+        machine_passwd_chunk += 1
       end
-      machine_passwd_chunk += 1
+      return amalgamated_password
     end
-    return amalgamated_password
-  end
+    # --
+    # -- Get a viable machine password taking into account the human
+    # -- password length and the specified mix_ratio.
+    # --
+    # -- machine password length = human password length * mix_ratio - 1
+    # --
+    def self.get_machine_password human_password_length, mix_ratio
-  # --
-  # -- Get a viable machine password taking into account the human
-  # -- password length and the specified mix_ratio.
-  # --
-  # -- machine password length = human password length * mix_ratio - 1
-  # --
-  def self.get_machine_password human_password_length, mix_ratio
+      machine_raw_secret = engineer_password( human_password_length * ( mix_ratio + 1) )
+      return machine_raw_secret[ 0..( human_password_length * mix_ratio - 1 ) ]
-    machine_raw_secret = engineer_password( human_password_length * ( mix_ratio + 1) )
-    return machine_raw_secret[ 0..( human_password_length * mix_ratio - 1 ) ]
+    end
-  end
+    # --
+    # -- Collect a password from the user with a minimum length
+    # -- specified in the parameter.
+    # --
+    # -- An exception is raised if the minimum length is not at
+    # -- least 8 characters.
+    # --
+    def self.collect_secret minimum_size, prompt_1, prompt_2
-  # --
-  # -- Collect a password from the user with a minimum length
-  # -- specified in the parameter.
-  # --
-  # -- An exception is raised if the minimum length is not at
-  # -- least 8 characters.
-  # --
-  def self.collect_secret minimum_size, prompt_1, prompt_2
+      assert_min_size minimum_size
-    assert_min_size minimum_size
+      sleep(1)
+      puts "\n#{prompt_1} : "
+      first_secret = STDIN.noecho(&:gets).chomp
-    sleep(1)
-    puts "\n#{prompt_1} : "
-    first_secret = STDIN.noecho(&:gets).chomp
+      assert_input_text_size first_secret.length, minimum_size
-    assert_input_text_size first_secret.length, minimum_size
+      sleep(1)
+      puts "\n#{prompt_2} : "
+      check_secret = STDIN.noecho(&:gets).chomp
-    sleep(1)
-    puts "\n#{prompt_2} : "
-    check_secret = STDIN.noecho(&:gets).chomp
+      assert_same_size_text first_secret, check_secret
+      return first_secret
-    assert_same_size_text first_secret, check_secret
-    return first_secret
+    end
-  end
+    # --
+    # -- Engineer a raw password that is similar (approximate) in
+    # -- length to the integer parameter.
+    # --
+    def self.engineer_password approx_length
-  # --
-  # -- Engineer a raw password that is similar (approximate) in
-  # -- length to the integer parameter.
-  # --
-  def self.engineer_password approx_length
+      non_alphanum = SecureRandom.urlsafe_base64(approx_length);
+      return non_alphanum.delete("-_")
-    non_alphanum = SecureRandom.urlsafe_base64(approx_length);
-    return non_alphanum.delete("-_")
+    end
-  end
+    # --
+    # -- Raise an exception if asked to collect text that is less
+    # -- than 3 characters in length.
+    # --
+    def self.assert_min_size minimum_size
-  # --
-  # -- Raise an exception if asked to collect text that is less
-  # -- than 3 characters in length.
-  # --
-  def self.assert_min_size minimum_size
+      min_length_msg = "\n\nCrypts with 2 (or less) characters open up exploitable holes.\n\n"
+      raise ArgumentError.new min_length_msg if minimum_size < 3
-    min_length_msg = "\n\nCrypts with 2 (or less) characters open up exploitable holes.\n\n"
-    raise ArgumentError.new min_length_msg if minimum_size < 3
+    end
-  end
+    # --
+    # -- Output an error message and then exit if the entered input
+    # -- text size does not meet the minimum requirements.
+    # --
+    def self.assert_input_text_size input_size, minimum_size
-  # --
-  # -- Output an error message and then exit if the entered input
-  # -- text size does not meet the minimum requirements.
-  # --
-  def self.assert_input_text_size input_size, minimum_size
+      if( input_size < minimum_size  )
-    if( input_size < minimum_size  )
+        puts
+        puts "Input is too short. Please enter at least #{minimum_size} characters."
+        puts
-      puts
-      puts "Input is too short. Please enter at least #{minimum_size} characters."
-      puts
+        exit
-      exit
+      end
     end
-  end
+    # --
+    # -- Assert that the text entered the second time is exactly (case sensitive)
+    # -- the same as the text entered the first time.
+    # --
+    def self.assert_same_size_text first_text, second_text
+      unless( first_text.eql? second_text )
-  # --
-  # -- Assert that the text entered the second time is exactly (case sensitive)
-  # -- the same as the text entered the first time.
-  # --
-  def self.assert_same_size_text first_text, second_text
-    unless( first_text.eql? second_text )
+        puts
+        puts "Those two bits of text are not the same (in my book)!"
+        puts
-      puts
-      puts "Those two bits of text are not the same (in my book)!"
-      puts
+        exit
-      exit
+      end
     end
-  end
+    # --
+    # -- Print out the machine password that is to be kept as an environment variable
+    # -- on any workstation used for material decryption.
+    # --
+    # -- Remember that neither the human nor machine passwords are required for the
+    # -- encryption phase. That is the beauty of assymetric cryptography - you don't
+    # -- need a private key to encrypt - just the end user's public key.
+    # --
+    def self.print_secret_env_var env_var_name, env_var_value
-  # --
-  # -- Print out the machine password that is to be kept as an environment variable
-  # -- on any workstation used for material decryption.
-  # --
-  # -- Remember that neither the human nor machine passwords are required for the
-  # -- encryption phase. That is the beauty of assymetric cryptography - you don't
-  # -- need a private key to encrypt - just the end user's public key.
-  # --
-  def self.print_secret_env_var env_var_name, env_var_value
+      machine_to_env_txt = "sudo echo \"#{env_var_name}=#{env_var_value}\" >> /etc/environment"
-    machine_to_env_txt = "sudo echo \"#{env_var_name}=#{env_var_value}\" >> /etc/environment"
+      puts
+      puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts "@@@ Add as environment variable @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts machine_to_env_txt
+      puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
+      puts
-    puts
-    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts "@@@ Add as environment variable @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts machine_to_env_txt
-    puts "@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
-    puts
+    end
   end
 end

data/lib/opensecret/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module OpenSecret
-  VERSION = "0.0.4"
+  VERSION = "0.0.5"
 end

data/lib/opensecret.rb CHANGED Viewed

@@ -1,13 +1,42 @@
 require "opensecret/version"
 require "thor"
-module OpenSecret
-end
+# # How domains are joined?
+#
+# First the user **wishing to join* must be able to access the domain shared
+# **backend storage** system. The planned list of supported storage systems (each of
+# which is on-lined with a plugin (in plugins.io) is
+#
+# - Git (including GitHub, GitLab, BitBucket, OpenGit and private Git installations).
+# - S3 Buckets from the Amazon Web Services (AWS) cloud.
+# - SSH, SCP, SFTP connected file-systems
+# - network storage including Samba, NFS, VMWare vSAN
+# - GoogleDrive (only Windows has suitable synchronized support).
+# - DropBox
+#
+# Access management is configured EXTERNAL to openkey. OpenKey simply piggybacks
+# the network transport if authorization is granted.
 #
-# This command line processor will
+# ## Use Case - Joining a Domain
+#
+#  - ok will loop encrypting your public key's fingerprint with the public keys of present members
+#  - when they interact ok will ask if they trust the new id/email and key
+#  - if they say yes the fingerprint is imported and held with id/name
+#  - ongoing domainwide checks flag up public key / fingerprint mismatches
+#  - if keys are removed or updated similar questions are asked.
+#
+# # Begging for and Revealing Secrets
+#
+#  - Why beg for a secret - why not just tell someone it?
+#  - It is much more secure to beg for a secret than just have someone reveal it.
+#  - When you beg for a secret - you are sending an encryption key to a single person
+#  - who must possess the private key and they send back the secret encrypted with both
+#  - your specific public key and the encryption key that originated from you.
+#  -
+#  - Any hijacker will need access to a great many things and be very precise with their
+#  - timing in order to serrupticiously subvert the system.
+#
+# ### This command line processor will
 #
 # - read the posted commands, options and switches
 # - maps the incoming string data to objects
@@ -18,15 +47,38 @@ end
 #
 # @note the Thor ruby gem is used for the heavy lifting
 #
+# @example openkey initdomain create friends.joebloggs --secure
+# @example openkey user create id=joe email=joebloggs@openkey.com
+# @example openkey user create id=joe email=joebloggs@openkey.com
+#
+#
 class CommandProcessor < Thor
-  # opensecret init lecturers@cambridge.university
+  desc "init DOMAIN", "DOMAIN eg lecturers@harvard names your friends, family or work group."
+  desc "init STORE_URL", "STORE_URL is backend Git/S3/SSH crypt store. Use https://www.eco-platform.co.uk/crypt.store.git"
+  # Initialize (configure) two fundamental crypt pointers
+  #
+  # - an openkey domain like &raquo; **lecturers@harvard**
+  # - the url to a backend store like Git, S3 or an SSH accessible drive.
+  #
+  # The domain will be extended to cover verified internet domains.
+  # They will also latch onto LDAP domains so when admins add, revoke
+  # or remove users, their openkey access is adjusted accordingly.
+  #
+  # @example openkey user create id=joe email=joebloggs@openkey.com
+  #
+  # @param domain [String] the DOMAIN eg lecturers@harvard for your family or work group.
+  # @param store_url [String] the STORE_URL for connecting to the backend storage service
+  #
+  def init domain, store_url
-  desc "init DOMAIN", "DOMAIN identifies your team, friends, family or business."
-  def init( domain )
+    OpenSecret::Crypto.register_domain domain, store_url
-    puts "You want to create the #{domain} domain.\n"
-    return "goodbye"
+    puts ""
+    puts "New domain configured  => [ #{domain} ]"
+    puts "Crypt store configured => [ #{store_url} ]"
+    puts ""
   end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: opensecret
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors:
 - Apollo Akora
@@ -99,7 +99,7 @@ files:
 - README.md
 - Rakefile
 - bin/opensecret
-- lib/opensecret-domain.ini
+- lib/config.openkey.ini
 - lib/opensecret.rb
 - lib/opensecret/additions/array.rb
 - lib/opensecret/additions/dir.rb

data/lib/opensecret-domain.ini DELETED Viewed

@@ -1,23 +0,0 @@
-opensecret configure mode="secure"
-opensecret configure mode="secure"
-[@[os|domain.id]]
-secrecy = play      # Options are play | secure | enterprise see website for details.
-[people]
-jack  = jackhiggins@blueyonder.com
-gaz   = gareth.southgate@gmail.com
-jiji  = johnjames23@yahoo.co.uk