pass-confuse 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3af923b5ac4f833e1f5bdd43e5f97f88bc0c6cb75e2d536885474acce80ccb03
+  data.tar.gz: a11578df878d90a07f65eaa2b6d5c12297cb7d213ed1f2723d267c7f9d521209
+SHA512:
+  metadata.gz: afdefd0506e86c1b99598148947b41030e877282af2cafca13fa80d8ce37e1806518d5a28ffdeac4cd3ddd2978b132d25c58b343e68c2e1e9edae3f7aee335aa
+  data.tar.gz: 446ac7e81d8bd470e5594f25df555fdcf3f0ce40c68ae6134bbc7dfd12c5b3352e024aed8a30aa875c4d141f19e0db32a86d59249edbd0c75f5f60c7e2227d78

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rubocop.yml

@@ -0,0 +1,27 @@
+require:
+  - rubocop-rake
+
+AllCops:
+  TargetRubyVersion: 2.7
+  AllowSymlinksInCacheRootDirectory: true
+  NewCops: enable
+  Exclude:
+    - vendor/**/*
+
+Layout/LineLength:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/TrailingCommaInArrayLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInHashLiteral:
+  EnforcedStyleForMultiline: comma
+
+Style/TrailingCommaInArguments:
+  EnforcedStyleForMultiline: consistent_comma

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in pass-confuse.gemspec
+gemspec

data/README.md

@@ -0,0 +1,49 @@
+# pass-confuse
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```shell-session
+$ gem install pass-confuse
+```
+
+`pass-confuse` relies on `pass-confused` to be started to work.
+
+`pass-confused` is a background process to mount the virtual filesystem to put configuration files in.
+
+To run `pass-confused`, you can run it manually or use `systemd --user` to handle the service in userland.
+
+In `~/.config/systemd/user/pass-confused.service`:
+
+```
+[Unit]
+Description=Pass Confused service
+
+[Service]
+ExecStart=/usr/bin/pass-confused
+
+[Install]
+WantedBy=default.target
+```
+
+## Usage
+
+To _confuse_ a file:
+
+```
+pass-confuse ~/.my-config-with-secrets.conf
+```
+
+Now, any accesses to `~/.my-config-with-secrets.conf` will trigger a `pass` call.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/opus-codium/pass-confuse.
+

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler/gem_tasks'
+task default: :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'pass/confuse'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/pass-confuse

@@ -0,0 +1,41 @@
+#!/usr/bin/env ruby
+
+def exit_with_usage
+  puts <<~USAGE
+    Usage: #{$0} FILE
+
+    Convert a regular file into a `confused` one.
+
+    The `confusing` process means:
+      - Moving the file content into `pass`
+      - Symlink the file path to the `confused` area (ie. `~/.confuse`)
+    Any subsequent file path access will trig an access to `pass` using your regular way (e.g. gpg-agent's pin entry)
+  USAGE
+  exit 1
+end
+
+exit_with_usage if ARGV.empty?
+
+filename = ARGV.shift
+
+raise "'#{filename}' does not exist!" unless File.exist? filename
+
+raise "'#{filename}' must be a file!" unless File.file? filename
+
+raise "'#{filename}' must be a regular file! (Already confused file?)" if File.symlink? filename
+
+def relative_path_from_home(filename)
+  filename = File.expand_path(filename)
+  home = File.expand_path '~'
+  require 'pathname'
+  Pathname.new(filename).relative_path_from(home).to_s
+end
+
+@confuse_mountpoint = File.expand_path('~/.confuse')
+confused_path = relative_path_from_home(filename).gsub '..', '__' # Allow confused files from outside of user's home
+confused_path = File.join @confuse_mountpoint, confused_path
+
+require 'fileutils'
+FileUtils.mkdir_p File.dirname(confused_path)
+FileUtils.cp filename, confused_path
+FileUtils.ln_sf confused_path, filename

data/exe/pass-confused

@@ -0,0 +1,103 @@
+#!/usr/bin/env ruby
+
+require 'open3'
+require 'rfusefs'
+
+class ConfuseDir
+  def initialize
+    @password_store_root = File.expand_path '~/.password-store/'
+    raise "Password store directory does not exist: '#{@password_store_root}'" unless File.directory? @password_store_root
+
+    @secure_config_root = "#{@password_store_root}/confuse"
+  end
+
+  def contents(path)
+    return [] unless File.directory? @secure_config_root
+
+    pass_contents(path)
+  end
+
+  def pass_contents(path)
+    files = []
+    secure_config_path = File.join @secure_config_root, path
+    Dir.chdir secure_config_path do
+      files = Dir.glob('*', File::FNM_DOTMATCH).select { |file| File.directory?(file) || (File.file?(file) && file.end_with?('.gpg')) }
+    end
+    files.map { |file| file.delete_suffix '.gpg' }
+  end
+
+  def size(path)
+    # HACK: Always return a static size to avoid `pass` access on files list (e.g. `ls ~/.confuse/`)
+    42
+  end
+
+  def file?(path)
+    File.file? File.join(@secure_config_root, "#{path}.gpg")
+  end
+
+  def directory?(path)
+    File.directory? File.join(@secure_config_root, path)
+  end
+
+  def can_delete?(path)
+    true
+  end
+
+  def delete(path)
+    command = %W{pass rm confuse/#{path}}
+    stdout, status = Open3.capture2(*command)
+    status.success?
+  end
+
+  def read_file(path)
+    `notify-send 'Read access to "#{path}"!'`
+    command = %W{pass show confuse/#{path}}
+    stdout, status = Open3.capture2(*command)
+    stdout
+  end
+
+  def mkdir(path)
+    FileUtils.mkdir File.join(@secure_config_root, path)
+  end
+
+  def rmdir(path)
+    FileUtils.rmdir File.join(@secure_config_root, path)
+  end
+
+  def can_mkdir?(path)
+    true
+  end
+
+  def can_rmdir?(path)
+    true
+  end
+
+  def can_write?(path)
+    true
+  end
+
+  def write_to(path, content)
+    `notify-send 'Write access to "#{path}"!'`
+    command = %W{pass insert -m confuse/#{path}}
+    stdout_and_stderr_str, status = Open3.capture2e(*command, stdin_data: content)
+  end
+end
+
+def exit_with_usage
+  puts <<~USAGE
+    Usage: #{$0}
+
+    Expose a FUSE virtual filesystem to store the config file.
+    This process is supposed to be ran in background.
+  USAGE
+  exit 1
+end
+
+exit_with_usage unless ARGV.empty?
+
+mountpoint = '~/.confuse'
+FuseFS.set_root ConfuseDir.new
+FileUtils.mkdir_p File.expand_path(mountpoint)
+FuseFS.mount_under File.expand_path(mountpoint)
+puts "Running pass-confuse FUSE virtual filesystem with mountpoint: '#{mountpoint}'..."
+FuseFS.run

data/lib/pass/confuse/version.rb

@@ -0,0 +1,5 @@
+module Pass
+  module Confuse
+    VERSION = '0.1.0'.freeze
+  end
+end

data/lib/pass/confuse.rb

@@ -0,0 +1,7 @@
+require 'pass/confuse/version'
+
+module Pass
+  module Confuse
+    class Error < StandardError; end
+  end
+end

data/pass-confuse.gemspec

@@ -0,0 +1,33 @@
+require_relative 'lib/pass/confuse/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'pass-confuse'
+  spec.version       = Pass::Confuse::VERSION
+  spec.authors       = ['Romuald Conty']
+  spec.email         = ['romuald@opus-codium.fr']
+
+  spec.summary       = 'Protect config files access'
+  spec.description   = 'Allow any files to be stored and its access protected with `pass`'
+  spec.homepage      = 'https://github.com/opus-codium/pass-confuse'
+  spec.required_ruby_version = Gem::Requirement.new('>= 2.7.0')
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/opus-codium/pass-confuse'
+  spec.metadata['changelog_uri'] = 'https://github.com/opus-codium/pass-confuse/CHANGELOG.md'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'rfusefs'
+  spec.add_development_dependency 'byebug'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-rake'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+end

metadata

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: pass-confuse
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Romuald Conty
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2022-01-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rfusefs
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Allow any files to be stored and its access protected with `pass`
+email:
+- romuald@opus-codium.fr
+executables:
+- pass-confuse
+- pass-confused
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/pass-confuse
+- exe/pass-confused
+- lib/pass/confuse.rb
+- lib/pass/confuse/version.rb
+- pass-confuse.gemspec
+homepage: https://github.com/opus-codium/pass-confuse
+licenses: []
+metadata:
+  homepage_uri: https://github.com/opus-codium/pass-confuse
+  source_code_uri: https://github.com/opus-codium/pass-confuse
+  changelog_uri: https://github.com/opus-codium/pass-confuse/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key: 
+specification_version: 4
+summary: Protect config files access
+test_files: []