opensecret 0.0.962 → 0.0.988

data/lib/interprete/open.rb

@@ -0,0 +1,148 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <tt>open use case</tt> allows us to add (put), subtract (del)ete, change
+  # (update) and list the secrets within an envelope (outer path) at a given
+  # position (inner path), whether that envelope exists or not.
+  #
+  # Also see the <b>reopen</b> command which only differs from open in that it
+  # fails if the path specified does not exist in either the sealed or session
+  # envelopes.
+  #
+  # == The Open Path Parameter
+  #
+  # Open must be called with a single <b>path</b> parameter with an optional
+  # single colon separating the outer (path to envelope) from the inner (path
+  # within envelope).
+  #
+  #    ops open aws.credentials:s3reader
+  #
+  # The outer and inner paths can contain forward slashes that segment the path.
+  #
+  #    ops open production/aws.credentials:s3/s3reader
+  #    ops put access_key ABCD1234
+  #    ops put secret_key FGHIJ56789
+  #    ops put region_key eu-central-1
+  #    ops seal
+  #
+  #
+  # == Before Opening a Path
+  #
+  # To open a path these conditions must be true.
+  #
+  # - the OPS_KEY environment variable must have been set for the session
+  # - either <tt>ops begin</tt> or <tt>ops init</tt> must have been issued
+  # - the external drive (eg usb key) must be configured and accessible
+  #
+  #
+  # == After Opening a Path
+  #
+  # After a path is opened we can
+  #
+  # - <tt>open</tt> to relative or absolutely change the path
+  # - <tt>put</tt> key/value data
+  # - <tt>add</tt> a single value
+  # - <tt>drop</tt> the value at the opened path
+  # - <tt>mod</tt> change (modify) value at path
+  # - <tt>seal</tt> to permanently write opened envelopes
+  #
+  # == Observable Value
+  #
+  #     $ opensecret open home/wifi
+  #
+  # The observable value delivered by +[open]+ boils down to
+  #
+  # - an openkey (eg asdfx1234) and corresponding open encryption key
+  # - open encryption key written to <tt>~/.opensecret/open.keys/asdfx1234.x.txt</tt>
+  # - the opened path (ending in filename) written to session.cache base in [safe]
+  # - the INI string (were the file to be decrypted) would look like the below
+  #
+  #     [session]
+  #     base.path = home/wifi
+  #
+  class Open < Command
+
+    attr_writer :open_path
+
+    # The activities performed by the executing open use case is to
+    #
+    def execute
+
+      instantiate_collateral
+      @domain_name = @collateral.domain_name
+
+      param_outer_path = @open_path.split(":").first
+      param_inner_path = @open_path.split(":").last
+
+      index = get_session_dictionary
+      index.put OUTER_PATH, param_outer_path
+      index.put INNER_PATH, param_inner_path
+
+      index.write( create_session_dict_lock )
+
+      puts ""
+      puts index.to_s
+      puts ""
+
+      exit
+
+
+
+      last_fwdslash_index = param_outer_path.rindex "/"
+      folder_path = param_outer_path[0 .. last_fwdslash_index]
+      file_word = param_outer_path[last_fwdslash_index .. -1]
+
+      session_tree_dir = @collateral.session_envelopes_path
+      session_folder_path = File.join session_tree_dir, folder_path
+
+      FileUtils.mkdir_p session_folder_path
+      open_id = ToolBelt::Engineer.strong_key @p[:open_idlen]
+      open_key = ToolBelt::Engineer.strong_key @p[:open_keylen]
+
+      file_name = file_word + ".#{open_id}.os.txt"
+      file_key = File.join folder_path, file_name
+
+      Mapper::Settings.write @p[:open_name], @p[:open_idname], open_id
+      Mapper::Settings.write @p[:open_name], @p[:open_keyname], open_key
+      Mapper::Settings.write @p[:open_name], @p[:open_pathname], file_key
+
+      puts ""
+      puts "---------------------------"
+      puts "success | envelope opened"
+      puts "---------------------------"
+      puts ""
+      puts "envelope path => #{param_outer_path}"
+      puts "envelope file => #{nickname file_key}"
+      puts "time [opened] => #{@c[:global][:stamp_23]}"
+      puts ""
+      puts "------------------"
+      puts "now put secrets"
+      puts "------------------"
+      puts ""
+      puts "ops put virgin/ssid VM68256973"
+      puts "ops put virgin/password Wn5lsfixjfy"
+      puts ""
+
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+
+    end
+
+
+  end
+
+
+end

data/lib/{plugins/usecases → interprete}/put.rb

@@ -71,10 +71,9 @@ module OpenSecret
   # - <b>look</b>
   # - <b>peep</b> and
   # - <b>peek</b>
-  class Put < SecretsUseCase
+  class Put < Command
 
     attr_writer :secret_id, :secret_value
-    @@context_name = "opensecret"
 
     # The <b>put use case</b> follows <b>open</b> and it adds secrets into an
     # <em>(encrypted at rest)</em> envelope. Put can be called many times to
@@ -101,6 +100,22 @@ module OpenSecret
     # - a new session id and encryption key is generated and used to re-encrypt
     def execute
 
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #########      instantiate_collateral
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #### is this needed
+      #### is this needed
+
+
       envelope = get_envelope
 
       secret_ids = @secret_id.split("/")
@@ -110,8 +125,8 @@ module OpenSecret
         envelope[secret_ids.first] = { secret_ids.last => @secret_value }
       end
 
-      new_encryption_key = Engineer.strong_key @c[:open][:open_keylen]
-      OpenSession::Attributes.stash @@context_name, @c[:open][:open_name], @c[:open][:open_keyname], new_encryption_key
+      new_encryption_key = ToolBelt::Engineer.strong_key @c[:open][:open_keylen]
+      Mapper::Settings.write @c[:open][:open_name], @c[:open][:open_keyname], new_encryption_key
       envelope.write new_encryption_key
 
     end
@@ -133,5 +148,3 @@ module OpenSecret
 
 
 end
-
-

data/lib/{plugins/usecases → interprete}/safe.rb

@@ -14,7 +14,7 @@ module OpenSecret
   # Stash the path into the host machine's configuration file and proceed
   # to create the path directory chain if it does not already exist.
   #
-  class Safe < SecretsUseCase
+  class Safe < Command
 
     attr_writer :safe_path
     @@context_name = "opensecret"
@@ -85,6 +85,7 @@ module OpenSecret
 
     end
 
+
   end
 
 

data/lib/{plugins/usecases/lock.rb → interprete/seal.rb}

@@ -26,13 +26,11 @@ module OpenSecret
   #
   # @example
   #
-  #     $ opensecret lock
+  #     $ ops seal
   #
-  class Lock < SecretsUseCase
-
-    attr_writer :secret_id, :secret_value
-    @@context_name = "opensecret"
+  class Seal < Command
 
+    attr_writer :envelope_path
 
     # The <tt>lock use case</tt> is called after {OpenSecret::Open} and {OpenSecret::Put}
     # and its effect is to dispatch the doubly encrypted materrial to the configured storage
@@ -67,20 +65,22 @@ module OpenSecret
     # - deletion of {Open}ed session data to locate and decrypt envelope
     def execute
 
-      rel_filepath = OpenSession::Attributes.instance.get_value @@context_name, @c[:open][:open_name], @c[:open][:open_pathname]
-      master_public_key = OpenSSL::PKey::RSA.new ( Base64.urlsafe_decode64( OpenSession::Attributes.instance.get_value @c[:global][:name], @c[:global][:name], "public.key" ) )
+      instantiate_collateral
+
+      rel_filepath = Mapper::Settings.read @c[:open][:open_name], @c[:open][:open_pathname]
+      master_public_key = OpenSSL::PKey::RSA.new ( @collateral.read_public_key )
 
-      main_store = ColdStore.new @c[:global][:store_mainpath]
-      keys_store = ColdStore.new @c[:global][:store_keyspath]
+      keys_store = Store::ColdStore.new( @collateral.frontend_keystore_path )
+      main_store = Store::ColdStore.new( @collateral.backend_cryptstore_path )
 
       envelope = get_envelope
       asym_key = OpenSSL::PKey::RSA.new @c[:global][:bit_key_size]
-      lockdown = Cipher.encrypt_it( asym_key.public_key, envelope.to_json )
-      lockedup = Cipher.encrypt_it( master_public_key, asym_key.export )
+      lockdown = ToolBelt::Cipher.encrypt_it( asym_key.public_key, envelope.to_json )
+      lockedup = ToolBelt::Cipher.encrypt_it( master_public_key, asym_key.export )
 
       ##### ###################################### #####
       ##### ###################################### #####
-        ### Now put the CRYPTS into [Cold] Storage ###
+      ### Now put the CRYPTS into [Cold] Storage ###
       ##### ###################################### #####
       ##### ###################################### #####
 
@@ -93,28 +93,6 @@ module OpenSecret
       puts "================================================================="
       puts ""
 
-#############################################################################################
-#############################################################################################
-
-=begin
-      Crypto.print_secret_env_var @p[:env_var_name], machine_key
-      GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
-      FileUtils.mkdir_p @p[:public_keydir]
-      File.write @p[:public_keypath], public_key_text
-      GitFlow.push @p[:local_gitrepo], @p[:public_keyname], @c[:time][:stamp]
-=end
-
-
-# key4_pem = File.read 'private.secure.pem'
-# pass_phrase = 'superduperpasswordistoBeENTEREDRIGHT1234HereandRightNOW'
-# key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase
-# decrypted_text = key4.private_decrypt(Base64.urlsafe_decode64(encrypted_string))
-
-# print "\nHey we have done the decryption.\n", "\n"
-# print decrypted_text, "\n"
-
-#############################################################################################
-#############################################################################################
 
     end
 
@@ -137,3 +115,15 @@ module OpenSecret
 end
 
 
+#############################################################################################
+#############################################################################################
+
+=begin
+      GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
+      FileUtils.mkdir_p @p[:public_keydir]
+      File.write @p[:public_keypath], public_key_text
+      GitFlow.push @p[:local_gitrepo], @p[:public_keyname], @c[:time][:stamp]
+=end
+
+#############################################################################################
+#############################################################################################

data/lib/interprete/set.rb

@@ -0,0 +1,46 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <b>set <em>use case</em></b> is the generic tool for setting configuration
+  # directives inside the ops workstation INI formatted file.
+  #
+  # The mirror of this use case is <b><em>unset</em></b>.
+  #
+  # == Observable Value
+  #
+  # The configuration directive will eithe be created (or will overwrite) an existing
+  # directive with the same path.
+  #
+  # The configuration file is printed to inform the user of the current state.
+  #
+  # == Alternative / Error Flows
+  #
+  # Error - if the directive path is not composed of two (fwd slash separated) parts
+  # Error - if the directive path and/or value contains (or not) unacceptable characters
+  #
+  class Set < Command
+
+    attr_writer :domain_name
+
+
+    # The <b>use <em>use case</em></b> is borrowed from the database world and it denotes
+    # the domain to be used <b>for now (and evermore)</b> for this workstation until another
+    # use command is issued.
+    #
+    # The parameter domain_name must be set after an object instance is acquired but
+    # before the execute method runs.
+    def execute
+    end
+
+
+    def pre_validation
+    end
+
+
+  end
+
+
+end

data/lib/interprete/use.rb

@@ -0,0 +1,43 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <b>use <em>use case</em></b> borrowed from the database world denotes which
+  # domain will be used <b>for now (and evermore)</b> on the workstation until another
+  # use command is issued.
+  #
+  # == Observable Value
+  #
+  # The workstation configuration file will point to the domain name specified
+  # marking it as the current and correct domain to use.
+  #
+  # == Alternative / Error Flows
+  #
+  # Error - if the domain name is not listed in the configuration file.
+  # Error - if the (dictionary) path to the domain's base does not exist
+  #
+  class Use < Command
+
+    attr_writer :domain_name
+
+
+    # The <b>use <em>use case</em></b> is borrowed from the database world and it denotes
+    # the domain to be used <b>for now (and evermore)</b> for this workstation until another
+    # use command is issued.
+    #
+    # The parameter domain_name must be set after an object instance is acquired but
+    # before the execute method runs.
+    def execute
+    end
+
+
+    def pre_validation
+    end
+
+
+  end
+
+
+end

data/lib/interpreter.rb

@@ -0,0 +1,165 @@
+require "thor"
+require "fileutils"
+
+require "session/time.stamp"
+require "logging/gem.logging"
+require "session/require.gem"
+
+# Include the logger mixins so that every class can enjoy "import free"
+# logging through pointers to the (extended) log behaviour.
+include OpenLogger
+
+# This standard out sync command flushes text destined for STDOUT immediately,
+# without waiting either for a full cache or script completion.
+$stdout.sync = true
+
+# Recursively require all gems that are either in or under the directory
+# that this code is executing from. Only use this tool if your library is
+# relatively small but highly interconnected. In these instances it raises
+# productivity and reduces harassing "not found" exceptions.
+OpenSession::RecursivelyRequire.now( __FILE__ )
+
+
+# This command line processor extends the Thor gem CLI tools in order to
+#
+# - read the posted commands, options and switches
+# - maps the incoming string data to objects
+# - assert that the mandatory options exist
+# - assert the type of each parameter
+# - ensure that the parameter values are in range
+# - delegate processing to the registered handlers
+#
+class Interpreter < Thor
+
+  log.info(x) {"opensecret session initiated at [#{OpenSession::Stamp.yyjjj_hhmm_sst}]." }
+
+  # This class option allows every CLI call the option to include
+  # a --debug  boolean switch which will up the verbosity of the
+  # content logged to the file .opensecret/opensecret.log
+  class_option :debug, :type => :boolean
+
+  # Description of the init configuration call.
+  desc "init <domain_name>, <base_path>", "initialize domain with (optional) frontend path"
+
+  # If confident that command history cannot be exploited to gain the
+  # human password or if the agent running opensecret is itself a script,
+  # the <tt>with</tt> option can be used to convey the password.
+  option :with
+
+  # Initialize the credentials manager, collect the human password and
+  # manufacture the strong asymmetric public / private keypair.
+  #
+  # @param domain_name [String] the domain the software operates under
+  # @param base_path [String] the path to the base operating directory
+  def init domain_name, base_path = nil
+    init_uc = OpenSecret::Init.new
+    init_uc.master_p4ss = options[:with] if options[:with]
+    init_uc.domain_name = domain_name
+    init_uc.base_path = base_path unless base_path.nil?
+    init_uc.flow_of_events
+  end
+
+
+  # Description of the seal use case command line call.
+  desc "seal", "Seal away the (secret stuffed) envelope into key and crypt stores."
+
+  # Seal away the (secret stuffed) envelope into key and crypt stores.
+  def seal
+    OpenSecret::Seal.new.flow_of_events
+  end
+
+
+  # Description of the begin use case command line call.
+  desc "begin", "Begin interacting with your opensecret database."
+
+  # If confident that command history cannot be exploited to gain the
+  # human password or if the agent running opensecret is itself a script,
+  # the <tt>with</tt> option can be used to convey the password.
+  option :with
+
+  # Begin interacting with your opensecret database.
+  def begin
+    begin_uc = OpenSecret::Begin.new
+    begin_uc.master_p4ss = options[:with] if options[:with]
+    begin_uc.flow_of_events
+  end
+
+
+  # Description of the opensecret key use case.
+  desc "key", "Produce an encrypted session key tied to the workstation and shell environment."
+
+  # The<b>key</b> use cases prints out an encrypted session key tied
+  # to the workstation and shell environment.
+  def key
+    OpenSecret::Key.new.flow_of_events
+  end
+
+
+  # Description of the open use case command.
+  desc "open OPEN_PATH", "OPEN_PATH to envelope of secrets to stuff and then lock."
+
+  # Open up a conduit from which we can add, subtract, update and list secrets
+  # before they are committed (and pushed) into permanent locked storage.
+  #
+  # @param open_path [String] the path to USB key for storing encrypted keys
+  def open open_path
+
+    open_uc = OpenSecret::Open.new
+    open_uc.open_path = open_path
+    open_uc.flow_of_events
+
+  end
+
+
+  # Description of the export use case command.
+  desc "export OPEN_PATH", "OPEN_PATH to locked secrets to open for reading or stuffing."
+
+  # If confident that command history cannot be exploited to gain the human password
+  # or if the agent running opensecret is itself a script, the <tt>with</tt> option can
+  # be used to convey the password.
+  option :with
+
+  # Export a secrets envelope at the specified outer path so that we can read, put
+  # and discard secrets.
+  #
+  # This use case requires the human (agent) password unless the <tt>--no-human-password</tt>
+  # flag was posted along with the <tt>init</tt> command.
+  #
+  # There are two ways to provide the password (for the <b><em>my/gadgets</em></b> group)
+  #
+  # - <tt>opensecret export my/gadgets</tt> and respond to the password prompt (or)
+  # - <tt>opensecret export my/gadgets --with="hUM4n-0pen$3cr3t"</tt>
+  #
+  # If providing the password on the command line, one must be confident that the shell's
+  # command history cannot be exploited to capture it.
+  #
+  # @param open_path [String] the path to the (previously) locked secrets in frozen storage.
+  def export open_path
+
+    export_uc = OpenSecret::Export.new
+    export_uc.open_path = open_path
+    export_uc.master_p4ss = options[:with] if options[:with]
+    export_uc.flow_of_events
+
+  end
+
+
+  # Description of the put secret command.
+  desc "put <secret_id> <secret_value>", "put secret like login/username into opened context."
+
+  # Put a secret with an id like login/username and a value like joebloggs into the
+  # context (eg work/laptop) that was opened with the open command.
+  #
+  # @param secret_id [String] the id of the secret to put into the opened context
+  # @param secret_value [String] the value of the secret to put into the opened context
+  def put secret_id, secret_value
+
+    put_uc = OpenSecret::Put.new
+    put_uc.secret_id = secret_id
+    put_uc.secret_value = secret_value
+    put_uc.flow_of_events
+
+  end
+
+
+end