opensecret 0.0.988 → 0.0.9925

data/lib/interprete/open.rb

@@ -1,148 +0,0 @@
-#!/usr/bin/ruby
-	
-module OpenSecret
-
-  require 'openssl'
-
-  # The <tt>open use case</tt> allows us to add (put), subtract (del)ete, change
-  # (update) and list the secrets within an envelope (outer path) at a given
-  # position (inner path), whether that envelope exists or not.
-  #
-  # Also see the <b>reopen</b> command which only differs from open in that it
-  # fails if the path specified does not exist in either the sealed or session
-  # envelopes.
-  #
-  # == The Open Path Parameter
-  #
-  # Open must be called with a single <b>path</b> parameter with an optional
-  # single colon separating the outer (path to envelope) from the inner (path
-  # within envelope).
-  #
-  #    ops open aws.credentials:s3reader
-  #
-  # The outer and inner paths can contain forward slashes that segment the path.
-  #
-  #    ops open production/aws.credentials:s3/s3reader
-  #    ops put access_key ABCD1234
-  #    ops put secret_key FGHIJ56789
-  #    ops put region_key eu-central-1
-  #    ops seal
-  #
-  #
-  # == Before Opening a Path
-  #
-  # To open a path these conditions must be true.
-  #
-  # - the OPS_KEY environment variable must have been set for the session
-  # - either <tt>ops begin</tt> or <tt>ops init</tt> must have been issued
-  # - the external drive (eg usb key) must be configured and accessible
-  #
-  #
-  # == After Opening a Path
-  #
-  # After a path is opened we can
-  #
-  # - <tt>open</tt> to relative or absolutely change the path
-  # - <tt>put</tt> key/value data
-  # - <tt>add</tt> a single value
-  # - <tt>drop</tt> the value at the opened path
-  # - <tt>mod</tt> change (modify) value at path
-  # - <tt>seal</tt> to permanently write opened envelopes
-  #
-  # == Observable Value
-  #
-  #     $ opensecret open home/wifi
-  #
-  # The observable value delivered by +[open]+ boils down to
-  #
-  # - an openkey (eg asdfx1234) and corresponding open encryption key
-  # - open encryption key written to <tt>~/.opensecret/open.keys/asdfx1234.x.txt</tt>
-  # - the opened path (ending in filename) written to session.cache base in [safe]
-  # - the INI string (were the file to be decrypted) would look like the below
-  #
-  #     [session]
-  #     base.path = home/wifi
-  #
-  class Open < Command
-
-    attr_writer :open_path
-
-    # The activities performed by the executing open use case is to
-    #
-    def execute
-
-      instantiate_collateral
-      @domain_name = @collateral.domain_name
-
-      param_outer_path = @open_path.split(":").first
-      param_inner_path = @open_path.split(":").last
-
-      index = get_session_dictionary
-      index.put OUTER_PATH, param_outer_path
-      index.put INNER_PATH, param_inner_path
-
-      index.write( create_session_dict_lock )
-
-      puts ""
-      puts index.to_s
-      puts ""
-
-      exit
-
-
-
-      last_fwdslash_index = param_outer_path.rindex "/"
-      folder_path = param_outer_path[0 .. last_fwdslash_index]
-      file_word = param_outer_path[last_fwdslash_index .. -1]
-
-      session_tree_dir = @collateral.session_envelopes_path
-      session_folder_path = File.join session_tree_dir, folder_path
-
-      FileUtils.mkdir_p session_folder_path
-      open_id = ToolBelt::Engineer.strong_key @p[:open_idlen]
-      open_key = ToolBelt::Engineer.strong_key @p[:open_keylen]
-
-      file_name = file_word + ".#{open_id}.os.txt"
-      file_key = File.join folder_path, file_name
-
-      Mapper::Settings.write @p[:open_name], @p[:open_idname], open_id
-      Mapper::Settings.write @p[:open_name], @p[:open_keyname], open_key
-      Mapper::Settings.write @p[:open_name], @p[:open_pathname], file_key
-
-      puts ""
-      puts "---------------------------"
-      puts "success | envelope opened"
-      puts "---------------------------"
-      puts ""
-      puts "envelope path => #{param_outer_path}"
-      puts "envelope file => #{nickname file_key}"
-      puts "time [opened] => #{@c[:global][:stamp_23]}"
-      puts ""
-      puts "------------------"
-      puts "now put secrets"
-      puts "------------------"
-      puts ""
-      puts "ops put virgin/ssid VM68256973"
-      puts "ops put virgin/password Wn5lsfixjfy"
-      puts ""
-
-
-    end
-
-
-    # Perform pre-conditional validations in preparation to executing the main flow
-    # of events for this use case. This method may throw the below exceptions.
-    #
-    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
-    # @raise [EmailAddrNotConfigured] if the email address has not been configured
-    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
-    def pre_validation
-
-
-    end
-
-
-  end
-
-
-end

data/lib/interprete/seal.rb

@@ -1,129 +0,0 @@
-#!/usr/bin/ruby
-	
-module OpenSecret
-
-  require 'openssl'
-
-  # The <tt>lock use case</tt> is called after {OpenSecret::Open} and {OpenSecret::Put}
-  # and its effect is to dispatch the doubly encrypted materrial to the configured storage
-  # platform, be it Git, S3, SSH or just an accessible file-system.
-  #
-  # The 3 core scenarios that this lock use case is equiped to handle are
-  #
-  # - a new source that is as yet uncommitted
-  # - updating (overwriting) an existing source
-  # - requiring the destination to be deleted
-  #
-  # <b>Lock | Observable Value</b>
-  #
-  # The observable value after the lock use case has completed entails
-  #
-  # - a doubly encrypted data envelope placed in the backend store
-  # - a doubly encrypted private key placed in the frontend store
-  # - both stores sync'd with off-machine Git (S3, ...) mirrors
-  # - deletion of the (encrypted) envelope {Open}ed and stuffed with {Put}
-  # - deletion of {Open}ed session data to locate and decrypt envelope
-  #
-  # @example
-  #
-  #     $ ops seal
-  #
-  class Seal < Command
-
-    attr_writer :envelope_path
-
-    # The <tt>lock use case</tt> is called after {OpenSecret::Open} and {OpenSecret::Put}
-    # and its effect is to dispatch the doubly encrypted materrial to the configured storage
-    # platform, be it Git, S3, SSH or just an accessible file-system.
-    #
-    # <b>Main Flow of Events</b>
-    #
-    # To seal the envelope built up by put, file and add amongst others requires
-    # that we
-    #
-    # - get the encrypted envelope
-    # - create a strong asymmetric key
-    # - lock the envelope using opensecret's double encrypt modus operandi
-    # - place the doubly encrypted result into the crypt store
-    # - lock the asymmetric key again with opensecret's double encrypt modus operandi
-    # - place the doubly encrypted result into the key store
-    #
-    # The second double lock of the crypted envelope is done with the public key
-    # aspect of an asymmetric key created here.
-    #
-    # The second double lock of the crypted private key (created here) is done with
-    # the master public key created in the {Init.execute} use case main flow.
-    #
-    # <b>Lock | Observable Value</b>
-    #
-    # The observable value after the lock use case has completed entails
-    #
-    # - a doubly encrypted data envelope placed in the backend store
-    # - a doubly encrypted private key placed in the frontend store
-    # - both stores sync'd with off-machine Git (S3, ...) mirrors
-    # - deletion of the (encrypted) envelope {Open}ed and stuffed with {Put}
-    # - deletion of {Open}ed session data to locate and decrypt envelope
-    def execute
-
-      instantiate_collateral
-
-      rel_filepath = Mapper::Settings.read @c[:open][:open_name], @c[:open][:open_pathname]
-      master_public_key = OpenSSL::PKey::RSA.new ( @collateral.read_public_key )
-
-      keys_store = Store::ColdStore.new( @collateral.frontend_keystore_path )
-      main_store = Store::ColdStore.new( @collateral.backend_cryptstore_path )
-
-      envelope = get_envelope
-      asym_key = OpenSSL::PKey::RSA.new @c[:global][:bit_key_size]
-      lockdown = ToolBelt::Cipher.encrypt_it( asym_key.public_key, envelope.to_json )
-      lockedup = ToolBelt::Cipher.encrypt_it( master_public_key, asym_key.export )
-
-      ##### ###################################### #####
-      ##### ###################################### #####
-      ### Now put the CRYPTS into [Cold] Storage ###
-      ##### ###################################### #####
-      ##### ###################################### #####
-
-      keys_store.write lockedup, rel_filepath
-      main_store.write lockdown, rel_filepath
-
-      puts ""
-      puts "================================================================="
-      puts "[Lock] =>  Now DELETE the session files and configured variables."
-      puts "================================================================="
-      puts ""
-
-
-    end
-
-
-    # Perform pre-conditional validations in preparation to executing the main flow
-    # of events for this use case. This method may throw the below exceptions.
-    #
-    # @raise [SafeDirNotConfigured] if the safe's url has not been configured
-    # @raise [EmailAddrNotConfigured] if the email address has not been configured
-    # @raise [StoreUrlNotConfigured] if the crypt store url is not configured
-    def pre_validation
-
-
-    end
-
-
-  end
-
-
-end
-
-
-#############################################################################################
-#############################################################################################
-
-=begin
-      GitFlow.do_clone_repo @p[:public_gitrepo], @p[:local_gitrepo]
-      FileUtils.mkdir_p @p[:public_keydir]
-      File.write @p[:public_keypath], public_key_text
-      GitFlow.push @p[:local_gitrepo], @p[:public_keyname], @c[:time][:stamp]
-=end
-
-#############################################################################################
-#############################################################################################

data/lib/keytools/digester.rb

@@ -1,245 +0,0 @@
-#!/usr/bin/ruby
-
-module OpenKey
-
-  # If you have a possibly weak human password that you need to either store
-  # or derive a symmetric encryption key from - you use this digester.
-  #
-  # You can safely store the resulting key confident that no known method exists
-  # of deriving the original password from the key. The digester uses the
-  # most recent SHA512 bit hashing algorithm - twice - to mince the key into
-  # something worthless to everyone, but the password originator.
-  #
-  # This key digester knows how to apply one-way functions that dessimate a
-  # (possibly weak) human generated (password) string.
-  #
-  # It should be initialized with a nonce like the count of nanoseconds
-  # since the current second (for low throughput systems).
-  #
-  # ==How to Use the Digester
-  #
-  # <b><em>Generating the Hashed Key</em></b>
-  #
-  # To use the digester you instantiate it with a nonce and then call
-  # the generate method with a possibly weak human key that is required
-  # to contain a minimum of 6 characters.
-  #
-  # The 6 characters excludes any leading or trailing whitespace.
-  #    keydigester = Digester.new "nonce"
-  #    the_key = keydigester.generate "human_k3y"
-  #    output_iv = keydigester.encrypted_iv
-  #
-  # You then read off the encrypted iv (initialization vector).
-  #
-  # <b><em>Re-generating the Hashed Key</em></b>
-  #
-  # To retrieve the same key (perhaps many moons later), you instantiate
-  # another Digester providing the same nonce you gave to the generate
-  # method. You then supply the encrypted iv that you pulled out during
-  # the generate step.
-  #    keydigester = Digester.new "nonce"
-  #    keydigester.encrypted_iv = "axbxcxdx1x2x3x4x"
-  #    the_key = keydigester.regenerate "human_k3y"
-  #
-  # Now when you regenerate the key - you have the original.
-  #
-  #
-  # @example
-  #    keydigester = Digester.new "nonce"
-  #    the_key = keydigester.generate "human_k3y"
-  #    output_iv = keydigester.encrypted_iv
-  #
-  #    keydigester = Digester.new "nonce"
-  #    keydigester.encrypted_iv = "axbxcxdx1x2x3x4x"
-  #    the_key = keydigester.regenerate "human_k3y"
-  class Digester
-
-    attr_accessor :encrypted_iv
-
-    # The golden ratio is the relationship between the human password and the
-    # strengthening amalgam. Two is perhaps too small, three or four is perfect
-    # to strengthen human generated keys whose median tends to gravitate at
-    # around 12 characters.
-    AMALGAM_GOLDEN_RATIO = 3
-
-    # The inner nonce provides a salt of sorts to help with randomizing the
-    # keys and protecting them from pre-configured rainbow tables.
-    INNER_NONCE = "9]w/t$=ON@mUf(+_SoY"
-
-    # The minimum length tolerated for the assumed human provided password.
-    # This number excludes any leading or trailing whitespace which should
-    # be removed before length examination is performed.
-    MIN_HUMAN_KEY_LENGTH = 6
-
-
-    # Initialize this key digester with a nonce like the count of nanoseconds
-    # since the current second (for low throughput systems).
-    #
-    # Note that the same nonce must be provided in order to produce the same
-    # key from calling either {Digester.generate} or {Digester.regenerate}.
-    #
-    # @param the_nonce [String]
-    #    the nonce can be the count of nanoseconds since the current second
-    #    (for low throughput systems).
-    #
-    # @raise [ArgumentError]
-    #    raise an error if the nonce is empty, or consists only of whitespace
-    #    or is too short.
-    def initialize the_nonce
-
-      @nonce = the_nonce.strip.reverse
-
-      raise ArgumentError, "The nonce contains only whitespace." if @nonce.empty?
-      raise ArgumentError, "The nonce is too short." if @nonce.length < MIN_HUMAN_KEY_LENGTH
-
-    end
-
-
-    # Generate a viciously unretrievable nor reversable string from a possible
-    # weak key provided by a human being.
-    #
-    # Due to the fickle nature of human beings we use an amalgam key to frustrate
-    # attempts to derive the original through rainbow tables and replay attacks.
-    #
-    # <b>Getting the Initialization Vector</b>
-    #
-    # After calling this method the encrypted initialization vector generated
-    # must be stored and re-provided to the {Digester.regenerate} method as
-    # and when required.
-    #
-    # @example
-    #    keydigester = Digester.new "nonce"
-    #    the_key = keydigester.generate "human_k3y"
-    #    output_iv = keydigester.encrypted_iv
-    #
-    # @param human_p4ss [String]
-    #
-    #    the key provided by a human being which cannot be less than six
-    #    characters in length. Between 24 and 32 apparently random characters
-    #    involving upper case letters, digits and punctuators.
-    #
-    #    Leading and trailing whitespace is removed from the string if found.
-    #
-    # @raise [ArgumentError] if the (possibly) human sourced password is too short
-    def generate human_p4ss
-
-      human_key = human_p4ss.strip.reverse
-      raise ArgumentError, "The password contains only whitespace." if human_key.empty?
-      raise ArgumentError, "The password is too short." if human_key.length < MIN_HUMAN_KEY_LENGTH
-
-      machine_key = OpenSecret::ToolBelt::Engineer.machine_key human_key.length, AMALGAM_GOLDEN_RATIO
-      snippet = human_key[ human_key.length - MIN_HUMAN_KEY_LENGTH .. -1 ]
-
-      iv_key = [ INNER_NONCE, snippet, @nonce ].join
-      @encrypted_iv = machine_key.encrypt_url_encode( iv_key )
-
-      return hashed_outcome human_key, machine_key
-
-    end
-
-    
-    # Regenerate the viciously unretrievable nor reversable string that has been
-    # generated from a possible weak key provided by a human being.
-    #
-    # The difference between this and the {Digester.generate} method is that
-    # the encrypted initialization vector is provided here. This must first be
-    # decrypted before being fed back into the numerical mincer.
-    #
-    # The same nonce must also be provided in the constructor.
-    #
-    # <b>Setting the Initialization Vector</b>
-    #
-    # Before calling this method the encrypted initialization vector generated
-    # by the generate method needs to be faithfully returned.
-    #
-    # @example
-    #
-    #    keydigester = Digester.new "nonce"
-    #    keydigester.encrypted_iv = "axbxcxdx1x2x3x4x"
-    #    the_key = keydigester.regenerate "human_k3y"
-    #
-    # @param human_p4ss [String]
-    #
-    #    the key provided by a human being which cannot be less than six
-    #    characters in length. Between 24 and 32 apparently random characters
-    #    involving upper case letters, digits and punctuators.
-    #
-    #    Leading and trailing whitespace is removed from the string if found.
-    #
-    # @raise [ArgumentError]
-    #    If the human sourced password is too short.
-    #    Or if it consists solely of whitespace.
-    def regenerate human_p4ss
-
-      human_key = human_p4ss.strip.reverse
-      raise ArgumentError, "The password contains only whitespace." if human_key.empty?
-      raise ArgumentError, "The password is too short." if human_key.length < MIN_HUMAN_KEY_LENGTH
-
-      snippet = human_key[ human_key.length - MIN_HUMAN_KEY_LENGTH .. -1 ]
-      iv_key = [ INNER_NONCE, snippet, @nonce ].join
-      machine_key = @encrypted_iv.url_decode_decrypt( iv_key )
-
-      return hashed_outcome human_key, machine_key
-
-    end
-
-    
-    # This digester alphanumeric hasher employs the SHA512 digest algorithm
-    # to gnash the parameter key and then Base64 encode the result.
-    #
-    # This method removes any non alpha-numeric characeters after a url safe
-    # base 64 encoding and thus guarantees that the resultant string will
-    # not contain
-    #
-    # - any equals signs
-    # - any hyphens
-    # - any underscores
-    #
-    # It is safe to use this method when a result must be stored in environment
-    # variables or other forms (like INI) where an equals sign is frowned upon.
-    #
-    # That said, this method should not be used if one wants to return to the
-    # pre base64 encoded character sequence. By mashing away the non-alphanums
-    # it mashes away any realistic hope of a determinant return to the raw
-    # hashed value.
-    #
-    # @param hash_me [String]
-    #    use a one-way function to mush me into a form that is repeatable but
-    #    non-returnable to the original input.
-    #
-    # @return [String]
-    #    The SHA512 mashed version of the parameter key which is Base64 encoded
-    #    (using the url safe variant) and the result stripped of any non alpha
-    #    numeric characters.
-    #
-    def self.alphanum_hash hash_me
-      return self.alphanum_encoder( OpenSSL::Digest::SHA512.digest( hash_me ) )
-    end
-
-
-    def self.mash hash_me, max_length
-      raise ArgumentError, "Max length #{max_length} is unacceptable." if max_length < 32
-      return self.alphanum_encoder( OpenSSL::Digest::SHA512.digest( hash_me ) )[0 .. (max_length-1)]
-    end
-
-
-    private
-
-
-    def self.alphanum_encoder encode_this
-      return Base64.urlsafe_encode64( encode_this ).delete("=\\-_")
-    end
-
-
-    def hashed_outcome the_human_key, the_machine_key
-      amalgam_key = OpenSecret::ToolBelt::Amalgam.passwords the_human_key, the_machine_key, AMALGAM_GOLDEN_RATIO
-      level1_hash = Digester.alphanum_encoder( OpenSSL::Digest::SHA512.digest( amalgam_key ) )
-      level2_hash = Digester.alphanum_encoder( OpenSSL::Digest::SHA512.digest( @nonce + level1_hash ) )
-      return level2_hash
-    end
-
-
-  end
-
-
-end