opensecret 0.0.988 → 0.0.9925

data/lib/usecase/id.rb

@@ -0,0 +1,36 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+
+  class Id < Command
+
+
+    def execute
+
+      puts ""
+      puts OpenKey::KeyNow.grab()
+      puts OpenKey::KeyNow.fetch()
+      puts ""
+
+      return
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+
+    end
+
+
+  end
+
+
+end

data/lib/usecase/import.rb

@@ -0,0 +1,174 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <b>import use case</b> follows <b>open</b> and it pulls a file into an
+  # <em>(encrypted at rest)</em> <b>envelope</b> while writing metadata about
+  # the file into the opened tree dictionary position.
+  #
+  # == import and reimport commands
+  #
+  # - the import command expects a path parameter and errors if not recvd
+  # - the reimport command is happy with either one or zero parameters
+  #
+  # If the reimport command has no parameters it expects that the opened path
+  # already contains an imported file. It uses the import.path key to locate
+  # the file.
+  #
+  # If the path parameter is given to reimport it uses it and also resets the
+  # import.path key to reflect the path it was given.
+  #
+  # == garbage collect dangling files
+  #
+  # Like dangling envelopes - dangling files will pop up when re-imported.
+  # These are handled by the garbage collection policy which can be to
+  # remove immediately - remove on next login - remove after a time period
+  # or to never remove (manual garbage collection).
+  #
+  class Import < Command
+
+    attr_writer :secret_id, :secret_value
+
+    # The <b>put use case</b> follows <b>open</b> and it adds secrets into an
+    # <em>(encrypted at rest)</em> envelope. Put can be called many times to
+    # add secrets. Finally the <b>lock use case</b> commits all opened secrets
+    # into the configured storage engines.
+    #
+    # Calling <em>put</em> <b>before</b> calling open or <b>after</b> calling lock
+    # is not allowed and will result in an error.
+    #
+    # == Put Pre-Conditions
+    #
+    # When the put use case is called - the below conditions ring true.
+    #
+    # - the <b>folder path</b> ending in ../../my must exist
+    # - a session id, filename and encryption key ( in workstation config )
+    #
+    # == Observable Value
+    #
+    # The observable value delivered by +put+ boils down to
+    #
+    # - a new <b>friends.xyz123abc.os.txt</b> file if this is the first put.
+    # - a new group_name/key_name (like monica/surname) entry is added if required
+    # - a secret value is added against the key or updated if it already exists
+    # - a new session id and encryption key is generated and used to re-encrypt
+    def execute
+
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+## @todo - rename appdb_content as master_db
+
+      return unless ops_key_exists?
+      appdb_content = OpenKey::KeyApi.read_app_content()
+
+      puts "---\n"
+      puts "--- The Master Database (Before)\n"
+      puts "---\n"
+      puts JSON.pretty_generate( appdb_content )
+      puts "---\n"
+
+      return if unopened_envelope?( appdb_content )
+
+      envelope_id = ENVELOPE_KEY_PREFIX + appdb_content[ ENV_PATH ]
+      has_content = OpenKey::KeyApi.content_exists?( appdb_content[ envelope_id ] )
+
+      # --
+      # -- To get hold of the content we must either
+      # --
+      # --   a) unlock it using the breadcrumbs or
+      # --   b) start afresh with a new content db
+      # --
+      content_box = OpenKey::KeyApi.content_unlock( appdb_content[ envelope_id ] ) if has_content
+      content_box = OpenKey::KeyDb.new() unless has_content
+      content_hdr = create_header()
+
+      # --
+      # -- If no content envelope exists we need to place
+      # -- an empty one inside the appdb content database.
+      # --
+      appdb_content[ envelope_id ] = {} unless has_content
+
+      # --
+      # -- This is the PUT use case so we append a
+      # --
+      # --   a) key for the new dictionary entry
+      # --   b) value for the new dictionary entry
+      # --
+      # -- into the current content envelope and write
+      # -- the envelope to the content filepath.
+      # --
+      crumbs_dict = appdb_content[ envelope_id ]
+      content_box.create_entry( appdb_content[ KEY_PATH ], @secret_id, @secret_value )
+      OpenKey::KeyApi.content_lock( crumbs_dict, content_box.to_json, content_hdr )
+
+      puts "---\n"
+      puts "--- The Master Database (After)\n"
+      puts "---\n"
+      puts JSON.pretty_generate( appdb_content )
+      puts "---\n"
+
+      # --
+      # -- Three envelope crumbs namely the external ID, the
+      # -- random iv and the crypt key are written afreshinto
+      # -- the master database.
+      # --
+      OpenKey::KeyApi.write_app_content( content_hdr, appdb_content )
+      print_put_success
+
+      return
+
+
+# --->      secret_ids = @secret_id.split("/")
+# --->      if ( envelope.has_key? secret_ids.first )
+# --->        envelope[secret_ids.first][secret_ids.last] = @secret_value
+# --->      else
+# --->        envelope[secret_ids.first] = { secret_ids.last => @secret_value }
+# --->      end
+
+    end
+
+
+    private
+
+
+    def print_put_success
+
+      puts ""
+      puts "Success putting a key/value pair into the open envelope."
+      puts "You can put more in and then close the envelope."
+      puts ""
+      puts "    ops close"
+      puts ""
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+
+    end
+
+
+  end
+
+
+end

data/lib/usecase/init.rb

@@ -0,0 +1,78 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <b>init use case</b> initializes opensecret thus preparing it
+  # for the ability to lock secrets, unlock them, transport their keys and
+  # much more.
+  #
+  # opensecret is a <b>(glorified) placeholder</b>. It takes things in now,
+  # keeps them safe and gives them back later, in a <b>helpful manner</b>.
+  #
+  # ---
+  #
+  #    ops init bob@gmail.com $HOME/bob.credentials
+  #
+  #       or
+  #
+  #    xport init bob@gmail.com $HOME/apollo.team.x
+  #
+  # ---
+  #
+  # == Alternat Error Flows
+  #
+  # An error will be thrown
+  #
+  # - if ops can't create or extend the base directory
+  # - if the domain is already in the configuration file
+  # - if domain has non alphanums, excl hyphens, underscores, @ symbols, periods
+  # - if domain does not begin or end with alphanums.
+  # - if non alpha-nums (excl at signs) appear consecutively
+  # - if no alpha-nums appear in the string
+  # - if the domain string's length is less than 5
+  # - if "base.opensecret.io" appears twice (or more) in a directory tree
+  #
+  class Init < Command
+
+    attr_writer :master_p4ss, :domain_name, :base_path
+
+
+    # The init use case prepares <b>opensecret</b> so that you can <b>open</b> an envelope,
+    # <b>put</b> secrets into it and then <b>seal</b> (lock) it. Locking effectively writes
+    # crypted blocks to both keystore and crypt store.
+    #
+    #     ops init apollo@work $HOME/apollo.work.drive
+    #
+    def execute
+
+      return unless ops_key_exists?
+
+      OpenKey::KeyApi.init_app_domain( @domain_name, @base_path )
+      keys_setup = OpenKey::KeyApi.is_domain_keys_setup?( @domain_name )
+
+      if ( keys_setup )
+        print_already_initialized
+        return
+      end
+
+      domain_password = OpenKey::KeyPass.password_from_shell( true )
+      OpenKey::KeyApi.setup_domain_keys( @domain_name, domain_password, create_header() )
+      print_domain_initialized
+
+# -->      unless @base_path.nil?
+# -->        key_api.register_keystore( @base_path )
+# -->      end
+
+    end
+
+
+    def pre_validation
+    end
+
+
+  end
+
+
+end

data/lib/usecase/login.rb

@@ -0,0 +1,70 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <b>login use case</b> is given the domain name and if needs be
+  # it collects the password then (if correct) logs the user in.
+  #
+  # Here are some key facts about the login command
+  #
+  # - its domain name parameter is mandatory
+  # - it is called at the start of every session
+  # - it is undone by the logout command
+  # - it requires the OPEN_SESSION_TOKEN environment variable
+  # - you can nest login commands thus using multiple domains
+  # - you can call it with a --with=password switch
+  # - you can deliver the password in multiple ways
+  class Login < Command
+
+    attr_writer :master_p4ss, :domain_name
+
+
+    def execute
+
+      return unless ops_key_exists?
+
+      unless ( OpenKey::KeyApi.is_domain_keys_setup?( @domain_name ) )
+        print_not_initialized
+        return
+      end
+
+############## Call [[ KeyApi.is_logged_in? ]] - then print msg and skip password collection below
+############## Call [[ KeyApi.is_logged_in? ]] - then print msg and skip password collection below
+############## Call [[ KeyApi.is_logged_in? ]] - then print msg and skip password collection below
+############## Call [[ KeyApi.is_logged_in? ]] - then print msg and skip password collection below
+############## Call [[ KeyApi.is_logged_in? ]] - then print msg and skip password collection below
+############## Call [[ KeyApi.is_logged_in? ]] - then print msg and skip password collection below
+
+      domain_secret = OpenKey::KeyPass.password_from_shell( false )
+
+############## Use [[ KeyApi.valid_password? ]] and give error if not valid
+############## Use [[ KeyApi.valid_password? ]] and give error if not valid
+############## Use [[ KeyApi.valid_password? ]] and give error if not valid
+############## Use [[ KeyApi.valid_password? ]] and give error if not valid
+############## Use [[ KeyApi.valid_password? ]] and give error if not valid
+
+      OpenKey::KeyApi.do_login( @domain_name, domain_secret, create_header() )
+      print_login_success
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+    end
+
+
+  end
+
+
+end
+
+

data/lib/usecase/logout.rb

@@ -0,0 +1,30 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  class Logout < Command
+
+    def execute
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+    end
+
+
+  end
+
+
+end
+
+

data/lib/usecase/open.rb

@@ -0,0 +1,126 @@
+#!/usr/bin/ruby
+	
+module OpenSecret
+
+  require 'openssl'
+
+  # The <tt>open use case</tt> allows us to add (put), subtract (del)ete, change
+  # (update) and list the secrets within an envelope (outer path) at a given
+  # position (inner path), whether that envelope exists or not.
+  #
+  # Also see the <b>reopen</b> command which only differs from open in that it
+  # fails if the path specified does not exist in either the sealed or session
+  # envelopes.
+  #
+  # == The Open Path Parameter
+  #
+  # Open must be called with a single <b>path</b> parameter with an optional
+  # single colon separating the outer (path to envelope) from the inner (path
+  # within envelope).
+  #
+  #    ops open aws.credentials:s3reader
+  #
+  # The outer and inner paths can contain forward slashes that segment the path.
+  #
+  #    ops open production/aws.credentials:s3/s3reader
+  #    ops put access_key ABCD1234
+  #    ops put secret_key FGHIJ56789
+  #    ops put region_key eu-central-1
+  #    ops seal
+  #
+  # == Open (Path) Pre-Conditions
+  #
+  # The domain must have been initialized on this machine stating the path to
+  # the base folder that contains the key and crypt material.
+  #
+  # To open a path these conditions must be true.
+  #
+  # - the shell session token must have been set at the session beginning
+  # - a successful <tt>ops login</tt> command must have been issued
+  # - the external drive (eg usb key) must be configured and accessible
+  #
+  # == Observable Value
+  #
+  #     $ ops open home/wifi
+  #
+  # The observable value delivered by +[open]+ boils down to
+  #
+  # - an openkey (eg asdfx1234) and corresponding open encryption key
+  # - open encryption key written to <tt>~/.opensecret/open.keys/asdfx1234.x.txt</tt>
+  # - the opened path (ending in filename) written to session.cache base in [safe]
+  # - the INI string (were the file to be decrypted) would look like the below
+  #
+  #     [session]
+  #     base.path = home/wifi
+  #
+  class Open < Command
+
+    # The two paths that have been posted to the open command.
+    # First is a relative path to the obfuscated envelope and then
+    # the path in envelope to the point of interest.
+    attr_writer :env_path, :key_path
+
+    def execute
+
+      return unless ops_key_exists?
+      appdb_content = OpenKey::KeyApi.read_app_content()
+
+      puts "---\n"
+      puts "--- The Master Database (Before)\n"
+      puts "---\n"
+      puts JSON.pretty_generate( appdb_content )
+      puts "---\n"
+
+      appdb_content[ ENV_PATH ] = @env_path
+      appdb_content[ KEY_PATH ] = @key_path
+
+      puts "---\n"
+      puts "--- The Master Database (After)\n"
+      puts "---\n"
+      puts JSON.pretty_generate( appdb_content )
+      puts "---\n"
+
+      OpenKey::KeyApi.write_app_content( create_header(), appdb_content )
+      print_open_success
+
+      return
+
+    end
+
+
+    private
+
+
+    def print_open_success
+
+      puts ""
+      puts "Success opening a path to a data bucket."
+      puts "You can now put data into a dictionary or"
+      puts "add it to a list or set a scalar value."
+      puts ""
+      puts "    ops put aws.iam.usr joebloggs"
+      puts "    ops put access.key ABCD1234"
+      puts "    ops put secret.key FGHIJ56789"
+      puts "    ops put region.key eu-central-1"
+      puts "    ops close"
+      puts ""
+
+    end
+
+
+    # Perform pre-conditional validations in preparation to executing the main flow
+    # of events for this use case. This method may throw the below exceptions.
+    #
+    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
+    # @raise [EmailAddrNotConfigured] if the email address has not been configured
+    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
+    def pre_validation
+
+
+    end
+
+
+  end
+
+
+end