opensecret 0.0.962 → 0.0.988

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 06aed72d992d1b8f9ae2533681c47e20d9974e05
-  data.tar.gz: 04b41b862706f7f98d95f78bdbc18405c0e5b80a
+  metadata.gz: 66c7d8d35a57f8a3cdb9b474e91449ec0e99860a
+  data.tar.gz: 613a5d83b7106f5ba575375a19d2afd2a800349a
 SHA512:
-  metadata.gz: 993f8128c462a648fb3599326cac9ee378a17d8bbaea620aee11223a6b10584205df2c2c68b2856223befccb2a0e02207188ddbd80dfe3e0bd615c6f1d95a66f
-  data.tar.gz: 6684892e42493e09e13549591ef8b048ad95d0b586c4a8f1226e4d1f063fc42401241326a814c35c78699aa2a2d441fceb9f69ea9ce050c909eed090258168dd
+  metadata.gz: b7f868866c2aeaefdf7175bc3908c6fd099c9b012459cabb95ce896bb3cbf97c07669e37fd821463d604e1a8b24096e7ba7522d2976a997e0e868402bae223d2
+  data.tar.gz: e4c370058f6531ba3195d2555b8f1e53e3fbd61d27d8ebbbd5acce7dd71aa243c57e7c2558254aa8ba78a94b434e321494cc196fbcd035aaeef833c88d0faf17

data/README.md

@@ -4,23 +4,24 @@ opensecret [![Build Status](https://secure.travis-ci.org/TwP/inifile.png)](http:
 opensecret | Install and Configure
 -----------
 
-opensecret stashes uncrackable secrets into your Git, S3, DropBox, Google Drive and filesystems backends. You interface with its intuitive Linux, Windows, iOS front ends and it offers SDKs and plugins for Ruby, Python, Go, Java, Jenkins, CodeShip, Ansible, Terraform, Puppet and Chef. Soon, support will be added for database and keystore backends such as MySQL, MongoDB, PostgreSQL, Redis, Memcached and etcd.
+opensecret locks secrets and sensitive data in a simple and highly secure manner. <b><em>It never accesses the cloud</em></b>. It produces files that are precious to you but <b><em>worthless</em></b> to everyone else. As well as the filesystem, you can choose Git, Amazon S3 or a remote drive as your backend store.
 
-**opensecret never accesses the cloud.** It can operate on a wee non-networked laptop if you so wish. opensecret takes a fresh approach to security and challenges common misconceptions - in order to deliver a simple, highly secure credentials management system.
+opensecret takes a fresh approach in its quest to be both simple and highly secure.
 
 
-### opensecret | Install It
+### Install
 
     $ gem install opensecret
 
-### opensecret | Configure It
+### Initialize
+
+    $ opensecret init joe@example.com
+
+It doesn't have to be an email address. <tt>smith.family.info</tt> will do just fine. Choose a memorable (but not easily guessable) password.
+
+### Open envelope | Put secrets | Seal envelope
 
-    $ opensecret safe  /path/to/usb/key/safe
-    $ opensecret email joebloggs@harvard.edu
-    $ opensecret store https://www.eco-platform.co.uk/crypt/lecturers.git
-    $ opensecret init
 
-These directives tell opensecret **where**, **who** and **which** - the order doesn't matter.
 
 - <tt>**keydir**</tt> &raquo; best practise is a usb key drive with your **actual keys**
 - <tt>**name**</tt> &raquo; single word lowercase and short - how your peers call you
@@ -36,7 +37,7 @@ Init(ialize) creates an uncrackable **8192 bit private/public key pair**, locked
 
 Or you can enter the password on the command line.
 
-    $ opensecret init --password="seeKr33t-p4ssw0RD@x"
+    $ opensecret init --password="sEeKr33tp4$$w@RD"
 
 
 ### opensecret | All Done!
@@ -53,6 +54,11 @@ It's simple for Joe but nigh impossible for Susan. That's why you need a USB key
 Your ability to access your own secrets (even after disaster scenarios) is as important as preventing the secrets being accessed. This is why opensecret piggy backs off your (already configured) redundancy and backup solutions.
 
 
+== Export the Session Key
+
+export OPS_KEY=`ops key`
+
+
 opensecret | Lock and Unlock
 -----------
 

data/bin/opensecret

@@ -1,6 +1,5 @@
 #!/usr/bin/env ruby
  
-# --> require 'opensecret/safe'
-require 'opensecret'
- 
-CliInterpreter.start(ARGV)
+require 'interpreter'
+
+Interpreter.start(ARGV)

data/bin/ops

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+ 
+require 'interpreter'
+ 
+Interpreter.start(ARGV)

data/lib/extension/string.rb

@@ -12,6 +12,120 @@
 class String
 
 
+  # Encrypt this string with the parameter symmetric encryption/decryption key
+  # and then return the Base64 (block mode) encoded result.
+  #
+  # @example
+  #    cipher_text  = "Hello crypt world".encrypt_block_encode "ABC123XYZ"
+  #    original_txt = cipher_text.block_decode_decrypt "ABC123XYZ"
+  #    puts original_txt # "Hello crypt world"
+  #
+  # @param crypt_key [String]
+  #    a strong long encryption key that is used to encrypt this string before
+  #    applying the Base64 block encoding.
+  def encrypt_block_encode crypt_key
+    encrypted_text = OpenSecret::ToolBelt::Blowfish.encryptor( self, crypt_key )
+    return Base64.encode64( encrypted_text )
+  end
+
+
+
+  # First apply a  base64 (block mode) decode to this string and then use the
+  # parameter symmetric decryption key to decrypt the result. The output is then
+  # returned within a new string.
+  #
+  # @example
+  #    cipher_text  = "Hello crypt world".decrypt_block_encode "ABC123XYZ"
+  #    original_txt = cipher_text.block_decode_decrypt "ABC123XYZ"
+  #    puts original_txt # "Hello crypt world"
+  #
+  # @param crypt_key [String]
+  #    a strong long decryption key that is used to decrypt this string after
+  #    the  Base64 block decoding has been applied.
+  def block_decode_decrypt crypt_key
+    the_ciphertxt = Base64.decode64( self )
+    return OpenSecret::ToolBelt::Blowfish.decryptor( the_ciphertxt, crypt_key )
+  end
+
+
+
+  # Encrypt this string with the parameter symmetric encryption/decryption key
+  # and then return the Base64 (url safe mode) encoded result.
+  #
+  # The output will be a single line and differs from the block mode with
+  #
+  # - underscores printed instead of forward slash characters
+  # - hyphens printed instead of plus characters
+  # - no (blocked) carriage return or new line characters
+  #
+  # Note however that sometimes one or more equals characters will be printed at
+  # the end of the string by way of padding. In places like environment variables
+  # that are sensitive to the equals character this can be replaced by an <b>@</b>
+  # symbol.
+  #
+  # @example
+  #    cipher_text  = "Hello @:==:@ world".encrypt_url_encode "ABC123XYZ"
+  #    original_txt = cipher_text.url_decode_decrypt "ABC123XYZ"
+  #    puts original_txt # "Hello @:==:@ world"
+  #
+  # @param crypt_key [String]
+  #    a strong long encryption key that is used to encrypt this string before
+  #    applying the Base64 ul safe encoding.
+  def encrypt_url_encode crypt_key
+
+    ## ################################################
+    ## ################################################
+    ## ################################################
+    ## ################################################
+    ## https://www.di-mgt.com.au/cryptokeys.html
+    ## ################################################
+    ## ################################################
+    ## ################################################
+    ## ################################################
+    ## ################################################
+
+    log.info(x){ "Encrypt Length => [ #{self.length} ]" }
+    log.info(x){ "The Key Length => [ #{crypt_key.length} ]" }
+    log.info(x){ "Encrypt String => [ #{self} ]" }
+    log.info(x){ "Encryption Key => [ #{crypt_key} ]" }
+
+    encrypted_text = OpenSecret::ToolBelt::Blowfish.encryptor( self, crypt_key )
+
+    log.info(x){ "Encrypt Result => [ #{encrypted_text} ]" }
+    log.info(x){ "Encrypted Text => [ #{Base64.urlsafe_encode64(encrypted_text)} ]" }
+
+    return Base64.urlsafe_encode64(encrypted_text)
+
+  end
+
+
+
+  # First apply a  base64 (url safe mode) decode to this string and then use the
+  # parameter symmetric decryption key to decrypt the result. The output is then
+  # returned within a new string.
+  #
+  # The input must will be a single line and differs from the block mode with
+  #
+  # - underscores printed instead of forward slash characters
+  # - hyphens printed instead of plus characters
+  # - no (blocked) carriage return or new line characters
+  #
+  # @example
+  #    cipher_text  = "Hello @:==:@ world".encrypt_url_encode "ABC123XYZ"
+  #    original_txt = cipher_text.url_decode_decrypt "ABC123XYZ"
+  #    puts original_txt # "Hello @:==:@ world"
+  #
+  # @param crypt_key [String]
+  #    a strong long decryption key that is used to decrypt this string after
+  #    the Base64 url safe decoding has been applied.
+  def url_decode_decrypt crypt_key
+    the_ciphertxt = Base64.urlsafe_decode64( self )
+    return OpenSecret::ToolBelt::Blowfish.decryptor( the_ciphertxt, crypt_key )
+  end
+
+
+
+
   # Overtly long file paths (eg in logs) can hamper readability so this 
   # <b>human readable filepath converter</b> counters the problem by
   # returning (only) the 2 immediate ancestors of the filepath.

data/lib/factbase/facts.opensecret.io.ini

@@ -3,36 +3,26 @@
 
 name            =  opensecret
 min.passwd.len  =  rb>> 6
-nickname        =  godzilla
 root.domain     =  devopswiki.co.uk
 env.var.name    =  SECRET_MATERIAL
 ratio           =  rb>> 3
 bit.key.size    =  rb>> 8192
 key.cipher      =  rb>> OpenSSL::Cipher::AES256.new(:CBC)
-secret.keydir   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], @s[:name], "safe"
-email.address   =  rb>> OpenSession::Attributes.instance.get_value @s[:name], @s[:name], "email"
-safe.user       =  rb>> File.join @s[:secret_keydir], @s[:email_address]
-master.dirname  =  master.keys
-master.dirpath  =  rb>> File.join @s[:safe_user], @s[:master_dirname]
-
-master.sig.file =  master.signature.os.txt
-master.prv.name =  master.private.key.xx.txt
-master.sig.path =  rb>> File.join @s[:master_dirpath], @s[:master_sig_file]
-master.prv.key  =  rb>> File.join @s[:master_dirpath], @s[:master_prv_name]
-
-stamp.key       =  stamp
+
+domain.now.id   =  current.domain
+front.path.id   =  frontend.path
+machine.key.id  =  machine.p4ssk3y
+time.stamp.id   =  domain.stamp
+user.secret.id  =  user.secret
+
 stamp.14        =  rb>> OpenSession::Stamp.yyjjj_hhmm_sst
 stamp.23        =  rb>> OpenSession::Stamp.yyjjj_hhmm_ss_nanosec
 
-base.path       =  rb>> File.join FilePath.context_path(@s[:name]), @s[:email_address]
-store.keyspath  =  rb>> File.join @s[:base_path], "coldstore.keys"
-store.mainpath  =  rb>> File.join @s[:base_path], "coldstore.main"
-
-machine.key.x   =  os.x
 separator.a     =  %$os$%
-publickey.id    =  public.key
 
 repo.name       =  material_data
+config.file     =  ops.workstation.directive.ini
+session.file    =  ops.session.configuration.ini
 
 prompt.1        =  Enter a Robust Password
 prompt.2        =  Re-enter that Password
@@ -40,8 +30,6 @@ prompt.2        =  Re-enter that Password
 [open]
 
 open.name       =  session
-open.dirname    =  session.material
-open.dirpath    =  rb>> File.join @f[:global][:safe_user], @s[:open_dirname]
 open.idlen      =  rb>> 10
 open.keylen     =  rb>> 56
 open.idname     =  session.id

data/lib/interprete/begin.rb

@@ -0,0 +1,232 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # Collecting and immediately <b>locking up the master password</b> is
+  # the sole purpose of the <tt>begin use case</tt>.
+  #
+  # Under certain conditions this {Begin} use case takes the human (key)
+  # password and transforms it using a powerful message digester and then
+  # uses the decrypted form of the <b>OPS_KEY environment variable</b> to
+  # securely encrypt the generated key.
+  #
+  # This use case then writes (or overwrites) into the workstation configuration
+  # under the domain three (3) key/value pairs which are
+  #
+  # - the parent shell id encrypted using the decrypted OPS_KEY form
+  # - the time stamp that will be used as a nonce by future cases
+  # - the generated digested hash encrypted with the decrypted OPS_KEY
+  #
+  # Then the use case prints a success message and exits.
+  #
+  # <b>Laziness | The 4 Conditions Instigating Action</b>
+  #
+  # No state is changed unless 3 conditions are met. We take action only if
+  # all four of the below conditions are true.
+  #
+  # - the encrypted private key is present under the domain's front end drive
+  # - the OPS_KEY is present - Otherwise we report the error and then EXIT
+  # - the decrypted PPID is not present or does not match - Otherwise all is good
+  # - the password is found in at least 1 of 7 places - Otherwise we error EXIT
+  #
+  # If all four conditions are true then we take action and ultimately write
+  # (or overwrite) the 3 key/value pairs stated above into the domain section of
+  # the workstation's configuration file.
+  #
+  # == OPS_KEY environment variable | Pre-Condition
+  #
+  # We cannot securely lock the master password without the uncrackable
+  # <b>48 character session key</b> encrypted so that it is only accessible
+  # by the single shell that opensecret is being called from.
+  #
+  # Therefore it is a pre-requisite that the session key has been created
+  # and locked down by the {key} use case using the below shell command.
+  #
+  #    $ export OPS_KEY=`ops key`   # Export the generated session key
+  #    $ env | grep OPS_KEY         # Check that OPS_KEY indeed exists
+  #
+  # Note the <b>back-ticks</b> surrounding the <tt>ops key</tt> call.
+  #
+  # == Where Does {Begin} Fit?
+  #
+  # The <tt>ops begin</tt> use case is called near the beginning of EVERY
+  # opensecret command session.
+  #
+  # <b>Called Before (once per domain)</b>
+  #
+  #    $ ops init <<domain_name>>, <<drive_path>>
+  #
+  # <b>Called Before (once per session)</b>
+  #
+  # At the beginning of every sitting (session) we must create a session key.
+  #
+  #    $ export OPS_KEY=`ops key`   # Export the generated session key
+  #    $ ops begin                  # Kicks off the opensecret session
+  #
+  # The password will then be retrieved safely via a prompt. Note there are
+  # several other ways to deliver a password securely and/or via non-human
+  # actors <b>like scripts</b>.
+  #
+  # <b>Called After</b>
+  #
+  # A whole plethora of commands such as open, put, seal, post, reopen, read
+  # write, import and export.
+  #
+  # The {end} use case safely cleans up and tears down session keys and data.
+  #
+  #    $ ops end
+  #
+  # When the shell closes OPS_KEY disappears forever. However if you want to
+  # continue using the same shell you can wipe this away.
+  #
+  #    $ unset OPS_KEY           # Delete the shell session key
+  #    $ env | grep OPS_KEY      # Check OPS_KEY is deleted
+  #
+  #    You can also delete every env var created by this shell.
+  #
+  #    $ env -i bash             # Rewind to (after) login variables
+  #
+  #
+  # <b>The 7 Ways to Communicate a Password</b>
+  #
+  # Soon, seven secure methods of password delivery will be implemented and
+  # will include
+  #
+  # - collection from an environment varialbe set before execution
+  # - collection from a (possibly encrypted) local file
+  # - collection key-value stores such as Redis, etcd and Cassandra
+  # - collection via secure (https) including to tokenized S3 urls
+  #
+  class Begin < Command
+
+    attr_writer :outer_path, :master_p4ss, :domain_name
+
+
+    # If <b>4 conditions are met</b> this {Begin} use case takes the human (key)
+    # password and transforms it using a powerful message digester and then
+    # uses the decrypted form of the <b>OPS_KEY environment variable</b> to
+    # securely encrypt the generated key.
+    #
+    # This use case then writes (or overwrites) into the workstation configuration
+    # under the domain three (3) key/value pairs which are
+    #
+    # - the parent shell id encrypted using the decrypted OPS_KEY form
+    # - the time stamp that will be used as a nonce by future cases
+    # - the generated digested hash encrypted with the decrypted OPS_KEY
+    #
+    # Then the use case prints a success message and exits.
+    #
+    # <b>Laziness | The 4 Conditions Instigating Action</b>
+    #
+    # No state is changed unless 3 conditions are met. We take action only if
+    # all four of the below conditions are true.
+    #
+    # - the encrypted private key is present under the domain's front end drive
+    # - the OPS_KEY is present - Otherwise we report the error and then EXIT
+    # - the decrypted PPID is not present or does not match - Otherwise all is good
+    # - the password is found in at least 1 of 7 places - Otherwise we error EXIT
+    #
+    # If all four conditions are true then we take action and ultimately write
+    # (or overwrite) the 3 key/value pairs stated above into the domain section of
+    # the workstation's configuration file.
+    #
+    #
+    # <b>The 7 Ways to Communicate a Password</b>
+    #
+    # Soon, seven secure methods of password delivery will be implemented and
+    # will include
+    #
+    # - collection from an environment varialbe set before execution
+    # - collection from a (possibly encrypted) local file
+    # - collection key-value stores such as Redis, etcd and Cassandra
+    # - collection via secure (https) including to tokenized S3 urls
+    #
+    # <b>Begin | Observable Value</b>
+    #
+    # There are three valuable state changes enacted by this use case.
+    #
+    # - the <b>password for the domain is collected</b> (in one of several ways)
+    # - the <b>session key</b> is acquired from crypted OPS_KEY environment variable
+    # - an <b>encrypted password</b> results from locking password with session key
+    # - the <b>encrypted password</b> is put into the domain's configuration keystore
+    # - a <b>timestamped session folder</b> is created to harbour session artifacts
+    #
+    # <b>Summary </b>
+    #
+    # Observable value is the opensecret domain password locked with a robust
+    # symmetric encryption key that is at least 48 characters in length and
+    # placed into the domain's keystore configuration file.
+    def execute
+
+      hash_dict = OpenKey::Dictionary.create_with_section "/home/apollo/.opensecret.io/tmp.backing.file.txt", "this.section"
+      OpenKey::Key256.generate( "human_secret", hash_dict )
+
+      exit
+
+      for n in 0 .. 63
+
+        bcrypt_key = OpenKey::BCryptKeyGen.new.generate_key("human_secret")
+        bcrypt_len = bcrypt_key.to_s.length
+        pbkdf2_key = OpenKey::Pbkdf2KeyGen.new.generate_key("human_secret")
+        pbkdf2_len = pbkdf2_key.to_s.length
+
+        index = "%02d" % [ n.to_s ]
+
+        puts "---------------------------------------------------------------------"
+        puts "Calculation Number [#{index}]"
+        puts "---------------------------------------------------------------------"
+        puts "Len #{bcrypt_key.to_oc64.length} => #{bcrypt_key.to_oc64}"
+        puts "Len #{bcrypt_len} => #{bcrypt_key.to_s}"
+        puts "Len #{pbkdf2_key.to_oc64.length} => #{pbkdf2_key.to_oc64}"
+        puts "Len #{pbkdf2_len} => #{pbkdf2_key.to_s}"
+
+      end
+
+      exit
+
+
+
+      return unless ops_key_exists?
+
+      instantiate_collateral
+      @domain_name = @collateral.domain_name
+
+      return unless private_key_exists?
+
+      lock_stored = Mapper::Settings.contains_key?( session_id, MASTER_LOCK_KEY_NAME )
+      print_success_initializing if lock_stored
+      return if lock_stored
+
+      unless @master_p4ss
+        @master_p4ss = ToolBelt::Collect.secret_text(
+          @c[:global][:min_passwd_len],
+          false,
+          "Enter Ops Password "
+        )
+      end
+
+      create_crypt_store_locking_key
+      print_success_initializing
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+    end
+
+
+  end
+
+
+end
+
+