rapid-vaults 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 16da5a6fcd72e890b88a34822a8d0018c2349988
-  data.tar.gz: fe28a0e78364d8cf28d316937ca632758176ead0
+  metadata.gz: a33025f28dcfc0be205d5a54c706192c06319a94
+  data.tar.gz: 428808ee49e8caa2791983be429fd232bf004e94
 SHA512:
-  metadata.gz: 81c8373c61e40e22fb1489f990d7e3b5ed344c12c3e9382f994d0a2c9bbdf3787cd396735761b8e3439ec9eaff9c97793ae16b2e8cea4f4448db7882eed518ce
-  data.tar.gz: 1df691acfd5120d5ba32669c5e5f03f221d34abd3f8b4fd2884b0b86e4913c294a31d0fb7541d74bd251651f88411fb4838091c557dc69b0e20786f8e4235c77
+  metadata.gz: 0ad2fa93633085305393343d0583c5618047f424b2069854d1e482aa8abbec5b837e0b753a1a706abcd51d5f9035f81d32bafc98cf240fd838925f8991ac8e2c
+  data.tar.gz: 0e19f0774f6b94e63186401f7a37d43e499689d75201bcce153f453c32adf0c2d28cef6e14259147d2aedfa4a967af57c0ded96929d63d57ab7d52f6801d6676

data/README.md

@@ -5,6 +5,10 @@
 - [Usage](#usage)
   - [CLI](#cli)
   - [API](#api)
+  - [Ansible](#ansible)
+  - [Puppet](#puppet)
+  - [Hiera](#hiera)
+  - [Chef](#chef)
 - [Contributing](#contributing)
 
 ## Description
@@ -17,7 +21,7 @@ Ansible-Vault is very similar to Rapid Vaults. Both are streamlined and easy to
 
 ### Non-Comparative Software
 
-Rapid Vaults is not similar to tools like RbNaCl or Hashicorp's Vault. RbNaCl offers advanced encryption techniques by providing bindings to libsodium. Rapid Vaults relies upon AES-256-GCM or GPG. Hashicorp's Vault is Enterprise level software with many powerful features and conveniences. Rapid Vaults is a lightweight and narrowly focused tool.
+Rapid Vaults is not similar to tools like RbNaCl or Hashicorp's Vault. RbNaCl offers advanced encryption techniques by providing bindings to libsodium. Rapid Vaults relies upon AES-256-GCM (OpenSSL) or GPG's algorithms (RSA, SHA-512, etc.). Hashicorp's Vault is Enterprise level software with many powerful features and conveniences. Rapid Vaults is a lightweight and narrowly focused tool.
 
 ## Usage
 
@@ -28,29 +32,30 @@ Note trailing information for each flag/argument for possible differences with u
 ```
 usage: rapid-vaults [options] file
         --gpg                        Use GNUPG/GPG instead of GNUTLS/OpenSSL for encryption/decryption.
-    -g, --generate                   Generate a key and nonce for encryption and decryption (GPG: n/a).
-    -e, --encrypt                    Encrypt a file using a key and nonce and generate a tag (GPG: key only).
-    -d, --decrypt                    Decrypt a file using a key, nonce, and tag (GPG: key only).
-    -k, --key key                    Key file to be used for encryption or decryption.
+    -g, --generate                   Generate a key and nonce for encryption and decryption (GPG: keys only).
+    -e, --encrypt                    Encrypt a file using a key and nonce and generate a tag (GPG: key and pw only).
+    -d, --decrypt                    Decrypt a file using a key, nonce, and tag (GPG: key and pw only).
+    -k, --key key                    Key file to be used for encryption or decryption. (GPG: use GNUPGHOME)
     -n, --nonce nonce                Nonce file to be used for encryption or decryption (GPG: n/a).
     -t, --tag tag                    Tag file to be used for decryption (GPG: n/a).
-    -p, --password password          (optional) Password to be used for encryption or decryption (GPG: required).').
-    -f, --file-password password.txt (optional) Text file containing a password to be used for encryption or decryption (GPG: required).').
+    -p, --password password          (optional) Password to be used for encryption or decryption (GPG: required).
+    -f, --file-password password.txt (optional) Text file containing a password to be used for encryption or decryption (GPG: required).
     --gpgparams                      GPG Key params input file used during generation of keys.
+    -o --outdir                      Optional output directory for generated files (default: pwd). (GPG: optional)
 ```
 
-#### Generate Key and Nonce
+#### Generate Key and Nonce with SSL
 `rapid-vaults -g`
 
 #### Encrypt File with SSL
 
-`rapid-vaults -e -k cert.key -n nonce.txt -p secret unencrypted.txt`
+`rapid-vaults -e -k cert.key -n nonce.txt -p secret -o /output/dir unencrypted.txt`
 
 #### Decrypt a File with SSL
 
-`rapid-vaults -d -k cert.key -n nonce.txt -t tag.txt -p secret encrypted.txt`
+`rapid-vaults -d -k cert.key -n nonce.txt -t tag.txt -p secret -o /output/dir encrypted.txt`
 
-#### Generate Key with GPG
+#### Generate Keys with GPG
 This is the only situation where a `--gpgparams` flag and argument is required or utilized. The file provided as the argument should look like the following:
 
 ```
@@ -72,12 +77,16 @@ The environment variable `GNUPGHOME` must be set in the shell prior to generatin
 #### Encrypt File with GPG
 Currently you set the path to the keys and other files via the environment variable `GNUPGHOME` prior to executing. Otherwise, the code will look in the default directory for the current user.
 
-`rapid-vaults --gpg -e -p password unencrypted.txt`
+`rapid-vaults --gpg -e -p password -o /output/dir unencrypted.txt`
 
 #### Decrypt a File with GPG
 Currently you set the path to the keys and other files via the environment variable `GNUPGHOME` prior to executing. Otherwise, the code will look in the default directory for the current user.
 
-`rapid-vaults --gpg -d -p password encrypted.txt`
+`rapid-vaults --gpg -d -p password -o /output/dir encrypted.txt`
+
+#### Output an Integration
+
+`rapid-vaults --puppet -o /output/dir`
 
 ### API
 
@@ -114,7 +123,7 @@ require 'rapid-vaults'
 
 options = {}
 options[:action] = :decrypt
-options[:file] = '/path/to/data.txt'
+options[:file] = '/path/to/encrypted_data.txt'
 options[:key] = '/path/to/cert.key'
 options[:nonce] = '/path/to/nonce.txt'
 options[:tag] = '/path/to/tag.txt'
@@ -131,7 +140,7 @@ ENV['GNUPGHOME'] = '/home/alice/.gnupg'
 options = {}
 options[:action] = :generate
 options[:algorithm] = :gpgme
-options[:gpgparams] = gpgparams: File.read('gpgparams.txt')
+options[:gpgparams] = File.read('gpgparams.txt')
 RapidVaults::API.main(options)
 ```
 
@@ -156,7 +165,7 @@ Passphrase: abc
 ```ruby
 require 'rapid-vaults'
 
-ENV['GNUPGHOME'] = '/home/bob/.gnupg'
+ENV['GNUPGHOME'] = '/home/bob/.gnupg' # optional
 
 options = {}
 options[:action] = :encrypt
@@ -171,16 +180,32 @@ encrypted_contents = RapidVaults::API.main(options)
 ```ruby
 require 'rapid-vaults'
 
-ENV['GNUPGHOME'] = '/home/chris/.gnupg'
+ENV['GNUPGHOME'] = '/home/chris/.gnupg' # optional
 
 options = {}
 options[:action] = :decrypt
 options[:algorithm] = :gpgme
-options[:file] = '/path/to/data.txt'
+options[:file] = '/path/to/encrypted_data.txt'
 options[:pw] = File.read('/path/to/password.txt')
 decrypted_contents = RapidVaults::API.main(options)
 ```
 
+### Ansible
+
+forthcoming
+
+### Puppet
+
+Puppet bindings are presented as a 2x2 matrix of custom functions for encryption/decryption and SSL/GPG. The custom functions require a non-obsolete version of Puppet. Documentation pertaining to their usage is done via Puppet Strings within the functions. It is highly recommended to wrap the output of the decryption functions within a `Sensitive` data type so that decrypted secrets are not shown in logs.
+
+### Hiera
+
+forthcoming
+
+### Chef
+
+Chef can access Rapid Vaults directly through the native Ruby API. Therefore, the Chef bindings are presented as example methods for doing so.
+
 ## Contributing
 Code should pass all spec tests. New features should involve new spec tests. Adherence to Rubocop and Reek is expected where not overly onerous or where the check is of dubious cost/benefit.
 

data/lib/rapid-vaults.rb

@@ -10,46 +10,67 @@ class RapidVaults
     self.class.process(settings)
 
     # execute desired action and algorithm via dynamic call
-    # public_send("#{settings[:action].capitalize}.#{settings[:algorithm]}".to_sym)
+    # public_send("#{settings[:action].capitalize}.#{settings[:algorithm]}".to_sym, settings)
     case settings[:action]
     when :generate then Generate.public_send(settings[:algorithm], settings)
     when :encrypt then Encrypt.public_send(settings[:algorithm], settings)
     when :decrypt then Decrypt.public_send(settings[:algorithm], settings)
+    when :integrate then Integrate.public_send(settings[:integrate], settings)
     end
   end
 
   # method for processing the settings and inputs
   def self.process(settings)
-    # check for problems with arguments
-    if settings[:algorithm] == :gpgme
-      case settings[:action]
-      when :generate
-        raise 'GPG params file argument required for generation.' unless settings.key?(:gpgparams)
-        return
-      when :decrypt, :encrypt
-        raise 'File and password arguments required for encryption or decryption.' unless settings.key?(:file) && settings.key?(:pw)
-      else raise 'Action must be one of generate, encrypt, or decrypt.'
-      end
-    else
-      case settings[:action]
-      when :generate then return
-      when :encrypt
-        raise 'File, key, and nonce arguments are required for encryption.' unless settings.key?(:file) && settings.key?(:key) && settings.key?(:nonce)
-      when :decrypt
-        raise 'File, key, nonce, and tag arguments are required for decryption.' unless settings.key?(:file) && settings.key?(:key) && settings.key?(:nonce) && settings.key?(:tag)
-      else raise 'Action must be one of generate, encrypt, or decrypt.'
-      end
+    # default to openssl algorithm and `pwd` output directory
+    settings[:outdir] ||= Dir.pwd
+    raise "The output directory #{settings[:outdir]} does not exist or is not a directory!" unless File.directory?(settings[:outdir])
+    settings[:outdir] += '/' unless settings[:outdir][-1] == '/'
+
+    return if settings[:action] == :integrate
+    settings[:algorithm] ||= :openssl
+
+    # check for problems with arguments and inputs
+    public_send("process_#{settings[:algorithm]}".to_sym, settings)
+  end
+
+  # processing openssl
+  def self.process_openssl(settings)
+    private_class_method :method
+    # check arguments
+    case settings[:action]
+    when :generate then return
+    when :encrypt
+      raise 'File, key, and nonce arguments are required for encryption.' unless settings.key?(:file) && settings.key?(:key) && settings.key?(:nonce)
+    when :decrypt
+      raise 'File, key, nonce, and tag arguments are required for decryption.' unless settings.key?(:file) && settings.key?(:key) && settings.key?(:nonce) && settings.key?(:tag)
+    else raise 'Action must be one of generate, encrypt, or decrypt.'
     end
 
-    # check for problems with inputs and read in files
+    # lambda for input processing
+    process_input = ->(input) { File.file?(settings[input]) ? settings[input] = File.read(settings[input]) : (raise "Input #{input} is not an existing file.") }
+
+    # check inputs and read in files
     raise 'Password must be a string.' if settings.key?(:pw) && !settings[:pw].is_a?(String)
-    File.file?(settings[:file]) ? settings[:file] = File.read(settings[:file]) : (raise 'Input file is not an existing file.')
-    # gnugp only uses password and file
-    return if settings[:algorithm] == :gpgme
-    File.file?(settings[:key]) ? settings[:key] = File.read(settings[:key]) : (raise 'Input key is not an existing file.')
-    File.file?(settings[:nonce]) ? settings[:nonce] = File.read(settings[:nonce]) : (raise 'Input nonce is not an existing file.')
+    %i[file key nonce].each(&process_input)
     # only decrypt needs a tag input
-    return unless settings[:action] == :decrypt
-    File.file?(settings[:tag]) ? settings[:tag] = File.read(settings[:tag]) : (raise 'Input tag is not an existing file.')
+    process_input.call(:tag) if settings[:action] == :decrypt
+  end
+
+  # processing gpgme
+  def self.process_gpgme(settings)
+    private_class_method :method
+    # check arguments
+    case settings[:action]
+    when :generate
+      raise 'GPG params file argument required for generation.' unless settings.key?(:gpgparams)
+      return
+    when :decrypt, :encrypt
+      raise 'File and password arguments required for encryption or decryption.' unless settings.key?(:file) && settings.key?(:pw)
+    else raise 'Action must be one of generate, encrypt, or decrypt.'
+    end
+
+    # check inputs and read in files
+    raise 'Password must be a string.' unless settings[:pw].is_a?(String)
+    File.file?(settings[:file]) ? settings[:file] = File.read(settings[:file]) : (raise 'Input file is not an existing file.')
   end
 end

data/lib/rapid-vaults/api.rb

@@ -12,7 +12,6 @@ class RapidVaults::API
   def self.parse(settings)
     # establish settings for api and denote using api
     settings[:ui] = :api
-    settings[:algorithm] = :openssl unless settings.key?(:algorithm)
     settings
   end
 end

data/lib/rapid-vaults/cli.rb

@@ -26,8 +26,6 @@ class RapidVaults::CLI
     settings = {}
     # specify cli being used
     settings[:ui] = :cli
-    # default to openssl algorithm
-    settings[:algorithm] = :openssl
 
     opt_parser = OptionParser.new do |opts|
       # usage
@@ -35,7 +33,7 @@ class RapidVaults::CLI
 
       # base options
       opts.on('--version', 'Display the current version.') do
-        puts 'rapid-vaults 1.1.0'
+        puts 'rapid-vaults 1.1.1'
         exit 0
       end
 
@@ -43,19 +41,24 @@ class RapidVaults::CLI
       opts.on('--gpg', 'Use GNUPG/GPG instead of GNUTLS/OpenSSL for encryption/decryption.') { settings[:algorithm] = :gpgme }
 
       # generate, encrypt, or decrypt
-      opts.on('-g', '--generate', 'Generate a key and nonce for encryption and decryption (GPG: n/a).') { settings[:action] = :generate }
-      opts.on('-e', '--encrypt', 'Encrypt a file using a key and nonce and generate a tag (GPG: key only).') { settings[:action] = :encrypt }
-      opts.on('-d', '--decrypt', 'Decrypt a file using a key, nonce, and tag (GPG: key only).') { settings[:action] = :decrypt }
+      opts.on('-g', '--generate', 'Generate a key and nonce for encryption and decryption (GPG: keys only).') { settings[:action] = :generate }
+      opts.on('-e', '--encrypt', 'Encrypt a file using a key and nonce and generate a tag (GPG: key and pw only).') { settings[:action] = :encrypt }
+      opts.on('-d', '--decrypt', 'Decrypt a file using a key, nonce, and tag (GPG: key and pw only).') { settings[:action] = :decrypt }
 
       # key, nonce, password, and tag
-      opts.on('-k', '--key key', String, 'Key file to be used for encryption or decryption.') { |arg| settings[:key] = arg }
+      opts.on('-k', '--key key', String, 'Key file to be used for encryption or decryption. (GPG: use GNUPGHOME)') { |arg| settings[:key] = arg }
       opts.on('-n', '--nonce nonce', String, 'Nonce file to be used for encryption or decryption (GPG: n/a).') { |arg| settings[:nonce] = arg }
       opts.on('-t', '--tag tag', String, 'Tag file to be used for decryption (GPG: n/a).') { |arg| settings[:tag] = arg }
       opts.on('-p', '--password password', String, '(optional) Password to be used for encryption or decryption (GPG: required).') { |arg| settings[:pw] = arg }
       opts.on('-f', '--file-password password.txt', String, '(optional) Text file containing a password to be used for encryption or decryption (GPG: required).') { |arg| settings[:pw] = File.read(arg) }
 
-      # gpg params file
+      # integrations
+      opts.on('--puppet', String, 'Output files to support Puppet integrations.') { settings[:action] = :integrate; settings[:integrate] = :puppet }
+      opts.on('--chef', String, 'Output files to support Chef integrations.') { settings[:action] = :integrate; settings[:integrate] = :chef }
+
+      # other
       opts.on('--gpgparams params.txt', String, 'GPG Key params input file used during generation of keys.') { |arg| settings[:gpgparams] = File.read(arg) }
+      opts.on('-o --outdir', String, 'Optional output directory for generated files (default: pwd). (GPG: optional)') { |arg| settings[:outdir] = arg }
     end
 
     # parse args and return settings

data/lib/rapid-vaults/decrypt.rb

@@ -17,8 +17,8 @@ class Decrypt
     # output the decryption
     if settings[:ui] == :cli
       # output to file
-      File.write('decrypted.txt', decipher.update(settings[:file]) + decipher.final)
-      puts 'Your decrypted.txt has been written out to the current directory.'
+      File.write("#{settings[:outdir]}decrypted.txt", decipher.update(settings[:file]) + decipher.final)
+      puts "Your decrypted.txt has been written out to #{settings[:outdir]}."
     elsif settings[:ui] == :api
       # output to string
       decipher.update(settings[:file]) + decipher.final
@@ -29,6 +29,9 @@ class Decrypt
   def self.gpgme(settings)
     require 'gpgme'
 
+    # check if GPGHOME env was set
+    puts "Environment variable 'GNUPGHOME' was not set. Files in #{ENV['HOME']}/.gnupg will be used for authentication." unless ENV['GNUPGHOME']
+
     # setup the decryption parameters
     encrypted = GPGME::Data.new(settings[:file])
     crypto = GPGME::Crypto.new(armor: true, pinentry_mode: GPGME::PINENTRY_MODE_LOOPBACK)
@@ -36,8 +39,8 @@ class Decrypt
     # output the decryption
     if settings[:ui] == :cli
       # output to file
-      File.write('decrypted.txt', crypto.decrypt(encrypted, password: settings[:pw]).read)
-      puts 'Your decrypted.txt has been written out to the current directory.'
+      File.write("#{settings[:outdir]}decrypted.txt", crypto.decrypt(encrypted, password: settings[:pw]).read)
+      puts "Your decrypted.txt has been written out to #{settings[:outdir]}."
     elsif settings[:ui] == :api
       # output to string
       crypto.decrypt(encrypted, password: settings[:pw]).read

data/lib/rapid-vaults/encrypt.rb

@@ -13,9 +13,9 @@ class Encrypt
     # output the encryption and associated tag
     if settings[:ui] == :cli
       # output to file
-      File.write('encrypted.txt', cipher.update(settings[:file]) + cipher.final)
-      File.write('tag.txt', cipher.auth_tag)
-      puts 'Your encrypted.txt and associated tag.txt for this encryption have been generated in your current directory.'
+      File.write("#{settings[:outdir]}encrypted.txt", cipher.update(settings[:file]) + cipher.final)
+      File.write("#{settings[:outdir]}tag.txt", cipher.auth_tag)
+      puts "Your encrypted.txt and associated tag.txt for this encryption have been generated in #{settings[:outdir]}."
     elsif settings[:ui] == :api
       # output to array
       [cipher.update(settings[:file]) + cipher.final, cipher.auth_tag]
@@ -26,14 +26,17 @@ class Encrypt
   def self.gpgme(settings)
     require 'gpgme'
 
+    # check if GPGHOME env was set
+    puts "Environment variable 'GNUPGHOME' was not set. Files in #{ENV['HOME']}/.gnupg will be used for authentication." unless ENV['GNUPGHOME']
+
     # setup the encryption parameters
     crypto = GPGME::Crypto.new(armor: true, pinentry_mode: GPGME::PINENTRY_MODE_LOOPBACK)
 
     # output the encryption and associated tag
     if settings[:ui] == :cli
       # output to file
-      File.write('encrypted.txt', crypto.encrypt(settings[:file], symmetric: true, password: settings[:pw]).read)
-      puts 'Your encrypted.txt for this encryption have been generated in your current directory.'
+      File.write("#{settings[:outdir]}encrypted.txt", crypto.encrypt(settings[:file], symmetric: true, password: settings[:pw]).read)
+      puts "Your encrypted.txt for this encryption have been generated in #{settings[:outdir]}."
     elsif settings[:ui] == :api
       # output to string
       crypto.encrypt(settings[:file], symmetric: true, password: settings[:pw]).read

data/lib/rapid-vaults/generate.rb

@@ -9,9 +9,9 @@ class Generate
 
     if settings[:ui] == :cli
       # output to file
-      File.write('key.txt', cipher.random_key)
-      File.write('nonce.txt', cipher.random_iv)
-      puts 'Your key.txt and nonce.txt have been generated in your current directory.'
+      File.write("#{settings[:outdir]}key.txt", cipher.random_key)
+      File.write("#{settings[:outdir]}nonce.txt", cipher.random_iv)
+      puts "Your key.txt and nonce.txt have been generated in #{settings[:outdir]}."
     elsif settings[:ui] == :api
       # output to string
       [cipher.random_key, cipher.random_iv]
@@ -23,7 +23,7 @@ class Generate
     require 'gpgme'
 
     # ensure we have a place to store these output files
-    raise 'Environment variable GNUPGHOME was not set.' unless ENV['GNUPGHOME']
+    raise 'Environment variable "GNUPGHOME" was not set.' unless ENV['GNUPGHOME']
 
     # create gpg keys
     GPGME::Ctx.new.generate_key(settings[:gpgparams], nil, nil)

data/lib/rapid-vaults/integration.rb

@@ -0,0 +1,20 @@
+# class to output integrations with other software
+class Integration
+  # outputs puppet integrations
+  def self.puppet(settings)
+    # output puppet integrations to output directory
+    %w[gpg ssl].each do |algo|
+      %w[encrypt decrypt].each do |action|
+        content = File.read("#{__dir__}/integrations/puppet_#{algo}_#{action}.rb")
+        File.write("#{settings[:outdir]}puppet_#{algo}_#{action}.rb", content)
+      end
+    end
+  end
+
+  # outputs chef integrations
+  def self.chef(settings)
+    # output chef integrations to output directory
+    content = File.read("#{__dir__}/integrations/chef.rb")
+    File.write("#{settings[:outdir]}chef.rb", content)
+  end
+end

data/lib/rapid-vaults/integrations/chef.rb

@@ -0,0 +1,66 @@
+require 'rapid-vaults'
+
+# returns key, nonce
+def ssl_generate
+  options = {}
+  options[:action] = :generate
+  RapidVaults::API.main(options)
+end
+
+# returns encrypted_contents, tag
+def ssl_encrypt
+  options = {}
+  options[:action] = :encrypt
+  options[:file] = '/path/to/data.txt'
+  options[:key] = '/path/to/cert.key'
+  options[:nonce] = '/path/to/nonce.txt'
+  options[:pw] = File.read('/path/to/password.txt') # optional
+  RapidVaults::API.main(options)
+end
+
+# returns decrypted_contents
+def ssl_decrypt
+  options = {}
+  options[:action] = :decrypt
+  options[:file] = '/path/to/encrypted_data.txt'
+  options[:key] = '/path/to/cert.key'
+  options[:nonce] = '/path/to/nonce.txt'
+  options[:tag] = '/path/to/tag.txt'
+  options[:pw] = File.read('/path/to/password.txt') # optional
+  RapidVaults::API.main(options)
+end
+
+# returns exit code on status of gnupg setup
+def gpg_generate
+  ENV['GNUPGHOME'] = '/home/alice/.gnupg'
+
+  options = {}
+  options[:action] = :generate
+  options[:algorithm] = :gpgme
+  options[:gpgparams] = File.read('gpgparams.txt')
+  RapidVaults::API.main(options)
+end
+
+# returns encrypted_contents
+def gpg_encryot
+  ENV['GNUPGHOME'] = '/home/bob/.gnupg'
+
+  options = {}
+  options[:action] = :encrypt
+  options[:algorithm] = :gpgme
+  options[:file] = '/path/to/data.txt'
+  options[:pw] = File.read('/path/to/password.txt')
+  RapidVaults::API.main(options)
+end
+
+# returns decrypted_contents
+def gpg_decrypt
+  ENV['GNUPGHOME'] = '/home/chris/.gnupg'
+
+  options = {}
+  options[:action] = :decrypt
+  options[:algorithm] = :gpgme
+  options[:file] = '/path/to/encrypted_data.txt'
+  options[:pw] = File.read('/path/to/password.txt')
+  RapidVaults::API.main(options)
+end

data/lib/rapid-vaults/integrations/puppet_gpg_decrypt.rb

@@ -0,0 +1,28 @@
+# mymodule/lib/puppet/functions/gpg_decrypt.rb
+Puppet::Functions.create_function(:'gpg_decrypt') do
+  # Decrypts a file with GnuPG.
+  # @param [String] file The file to decrypt.
+  # @param [String] gpghome The path to the GnuPG home directory containing the credentials.
+  # @param [String] password_file The password file to use for decryption.
+  # @return [String] Returns a string of decrypted contents.
+  # @example Decrypting a file.
+  # gpg_encrypt('/path/to/encrypted_data.txt', '/home/alice/.gnupg', '/path/to/password.txt') => 'decrypted'
+  dispatch :gpg_decrypt do
+    required_param 'String', :file
+    required_param 'String', :gpghome
+    required_param 'String', :password_file
+    return_type 'String'
+  end
+
+  def gpg_decrypt(file, gpghome, password_file)
+    begin
+      require 'rapid-vaults'
+    rescue LoadError
+      raise 'Rapid Vaults is required to be installed on the puppet master to use this custom function!'
+    end
+
+    ENV['GNUPGHOME'] = gpghome
+
+    RapidVaults::API.main(action: :decrypt, algorithm: :gpgme, file: file, pw: password_file)
+  end
+end

data/lib/rapid-vaults/integrations/puppet_gpg_encrypt.rb

@@ -0,0 +1,28 @@
+# mymodule/lib/puppet/functions/gpg_encrypt.rb
+Puppet::Functions.create_function(:'gpg_encrypt') do
+  # Encrypts a file with GnuPG.
+  # @param [String] file The file to encrypt.
+  # @param [String] gpghome The path to the GnuPG home directory containing the credentials.
+  # @param [String] password_file The password file to use for encryption.
+  # @return [String] Returns a string of encrypted contents.
+  # @example Encrypting a file.
+  # gpg_encrypt('/path/to/data.txt', '/home/alice/.gnupg', '/path/to/password.txt') => 'asdnlfi378rth43rt78h4t8b3v844b'
+  dispatch :gpg_encrypt do
+    required_param 'String', :file
+    required_param 'String', :gpghome
+    required_param 'String', :password_file
+    return_type 'String'
+  end
+
+  def gpg_encrypt(file, gpghome, password_file)
+    begin
+      require 'rapid-vaults'
+    rescue LoadError
+      raise 'Rapid Vaults is required to be installed on the puppet master to use this custom function!'
+    end
+
+    ENV['GNUPGHOME'] = gpghome
+
+    RapidVaults::API.main(action: :encrypt, algorithm: :gpgme, file: file, pw: password_file)
+  end
+end

data/lib/rapid-vaults/integrations/puppet_ssl_decrypt.rb

@@ -0,0 +1,34 @@
+# mymodule/lib/puppet/functions/ssl_decrypt.rb
+Puppet::Functions.create_function(:'ssl_decrypt') do
+  # Decrypts a file with OpenSSL.
+  # @param [String] file The file to decrypt.
+  # @param [String] key The key file to use for decryption.
+  # @param [String] nonce The nonce file to use for decryption.
+  # @param [String] tag The tag file to use for decryption.
+  # @param [String] password_file The optional password file to use for decryption.
+  # @return [String] Returns a string of decrypted contents.
+  # @example Decrypting a file.
+  # ssl_decrypt('/path/to/encrypted_data.txt', '/path/to/cert.key', '/path/to/nonce.txt', '/path/to/tag.txt', '/path/to/password.txt') => 'decrypted'
+  dispatch :ssl_decrypt do
+    required_param 'String', :file
+    required_param 'String', :key
+    required_param 'String', :nonce
+    required_param 'String', :tag
+    optional_param 'String', :password_file
+    return_type 'String'
+  end
+
+  def ssl_decrypt(file, key, nonce, tag, password_file = nil)
+    begin
+      require 'rapid-vaults'
+    rescue LoadError
+      raise 'Rapid Vaults is required to be installed on the puppet master to use this custom function!'
+    end
+
+    if password_file.nil?
+      RapidVaults::API.main(action: :decrypt, file: file, key: key, nonce: nonce, tag: tag)
+    else
+      RapidVaults::API.main(action: :encrypt, file: file, key: key, nonce: nonce, tag: tag, pw: File.read(password_file))
+    end
+  end
+end

data/lib/rapid-vaults/integrations/puppet_ssl_encrypt.rb

@@ -0,0 +1,34 @@
+# mymodule/lib/puppet/functions/ssl_encrypt.rb
+Puppet::Functions.create_function(:'ssl_encrypt') do
+  # Encrypts a file with OpenSSL.
+  # @param [String] file The file to encrypt.
+  # @param [String] key The key file to use for encryption.
+  # @param [String] nonce The nonce file to use for encryption.
+  # @param [String] password_file The optional password file to use for encryption.
+  # @return [Hash] Returns a hash. First key-value is the encrypted contents and the second is the tag.
+  # @example Encrypting a file.
+  # ssl_encrypt('/path/to/data.txt', '/path/to/cert.key', '/path/to/nonce.txt', '/path/to/password.txt') => { encrypted_contents => 'asdfnlm34kl5m3lasdf34324fdnfsd', tag => 'fwr32r2ewf' }
+  dispatch :ssl_encrypt do
+    required_param 'String', :file
+    required_param 'String', :key
+    required_param 'String', :nonce
+    optional_param 'String', :password_file
+    return_type 'Hash'
+  end
+
+  def ssl_encrypt(file, key, nonce, password_file = nil)
+    begin
+      require 'rapid-vaults'
+    rescue LoadError
+      raise 'Rapid Vaults is required to be installed on the puppet master to use this custom function!'
+    end
+
+    hash = {}
+    if password_file.nil?
+      hash[:encrypted_contents], hash[:tag] = RapidVaults::API.main(action: :encrypt, file: file, key: key, nonce: nonce)
+    else
+      hash[:encrypted_contents], hash[:tag] = RapidVaults::API.main(action: :encrypt, file: file, key: key, nonce: nonce, pw: File.read(password_file))
+    end
+    hash
+  end
+end

data/spec/rapid-vaults/api_spec.rb

@@ -4,13 +4,13 @@ require_relative '../../lib/rapid-vaults/api'
 describe RapidVaults::API do
   context '.parse' do
     it 'correctly parses the settings for encrypt' do
-      expect(RapidVaults::API.parse(action: :encrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', pw: 'secret')).to eq(algorithm: :openssl, ui: :api, action: :encrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', pw: 'secret')
+      expect(RapidVaults::API.parse(action: :encrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', pw: 'secret')).to eq(ui: :api, action: :encrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', pw: 'secret')
     end
     it 'correctly parses the settings for decrypt' do
-      expect(RapidVaults::API.parse(action: :decrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', tag: 'tag.txt', pw: 'secret')).to eq(algorithm: :openssl, ui: :api, action: :decrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', tag: 'tag.txt', pw: 'secret')
+      expect(RapidVaults::API.parse(action: :decrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', tag: 'tag.txt', pw: 'secret')).to eq(ui: :api, action: :decrypt, file: 'file.txt', key: 'key.txt', nonce: 'nonce.txt', tag: 'tag.txt', pw: 'secret')
     end
     it 'correctly parses the settings for generate' do
-      expect(RapidVaults::API.parse(action: :generate)).to eq(algorithm: :openssl, ui: :api, action: :generate)
+      expect(RapidVaults::API.parse(action: :generate)).to eq(ui: :api, action: :generate)
     end
     it 'correctly overrides the algorithm setting' do
       expect(RapidVaults::API.parse(algorithm: :gpgme)).to eq(algorithm: :gpgme, ui: :api)

data/spec/rapid-vaults/cli_spec.rb

@@ -7,16 +7,19 @@ describe RapidVaults::CLI do
       expect(RapidVaults::CLI.parse(%w[--gpg])).to eq(algorithm: :gpgme, ui: :cli)
     end
     it 'correctly parses the user arguments for encrypt' do
-      expect(RapidVaults::CLI.parse(%w[-e -k key.txt -n nonce.txt -p secret file.txt])).to eq(algorithm: :openssl, ui: :cli, action: :encrypt, key: 'key.txt', nonce: 'nonce.txt', pw: 'secret')
+      expect(RapidVaults::CLI.parse(%w[-e -k key.txt -n nonce.txt -p secret file.txt])).to eq(ui: :cli, action: :encrypt, key: 'key.txt', nonce: 'nonce.txt', pw: 'secret')
     end
     it 'correctly parses the arguments for decrypt' do
-      expect(RapidVaults::CLI.parse(%w[-d -k key.txt -n nonce.txt -t tag.txt -p secret file.txt])).to eq(algorithm: :openssl, ui: :cli, action: :decrypt, key: 'key.txt', nonce: 'nonce.txt', tag: 'tag.txt', pw: 'secret')
+      expect(RapidVaults::CLI.parse(%w[-d -k key.txt -n nonce.txt -t tag.txt -p secret file.txt])).to eq(ui: :cli, action: :decrypt, key: 'key.txt', nonce: 'nonce.txt', tag: 'tag.txt', pw: 'secret')
     end
     it 'correctly parses the arguments for openssl generate' do
-      expect(RapidVaults::CLI.parse(%w[-g])).to eq(algorithm: :openssl, ui: :cli, action: :generate)
+      expect(RapidVaults::CLI.parse(%w[-g -o /home/bob])).to eq(ui: :cli, action: :generate, outdir: '/home/bob')
     end
     it 'correctly parses the arguments for gpg generate' do
       expect(RapidVaults::CLI.parse(%W[--gpg -g --gpgparams #{fixtures_dir}/file.yaml])).to eq(algorithm: :gpgme, ui: :cli, action: :generate, gpgparams: "foo: bar\n")
     end
+    it 'correctly parses the arguments for puppet integrations' do
+      expect(RapidVaults::CLI.parse(%w[--puppet -o /dir])).to eq(ui: :cli, action: :integrate, integrate: :puppet, outdir: '/dir')
+    end
   end
 end

data/spec/rapid-vaults/decrypt_spec.rb

@@ -3,15 +3,15 @@ require_relative '../../lib/rapid-vaults/encrypt'
 require_relative '../../lib/rapid-vaults/decrypt'
 
 describe Decrypt do
-  after(:all) do
-    %w[tag.txt encrypted.txt decrypted.txt].each { |file| File.delete(file) }
-  end
-
   context '.openssl' do
     before(:all) do
       Encrypt.openssl(ui: :cli, file: "foo: bar\n", key: '���b+����R�v�Í%("����=8o/���', nonce: 'Ëá!í^Uë^EÜ<83>oã^M')
     end
 
+    after(:all) do
+      %w[tag.txt encrypted.txt decrypted.txt].each { |file| File.delete(file) }
+    end
+
     it 'outputs a decrypted file with the key, nonce, and tag from the cli' do
       Decrypt.openssl(ui: :cli, file: File.read('encrypted.txt'), key: '���b+����R�v�Í%("����=8o/���', nonce: 'Ëá!í^Uë^EÜ<83>oã^M', tag: File.read('tag.txt'))
       expect(File.file?('decrypted.txt')).to be true
@@ -34,6 +34,10 @@ describe Decrypt do
         Encrypt.gpgme(ui: :cli, file: "foo: bar\n", key: '', pw: 'foo')
       end
 
+      after(:all) do
+        %w[encrypted.txt decrypted.txt].each { |file| File.delete(file) }
+      end
+
       it 'outputs a decrypted file with the key from the cli' do
         Decrypt.gpgme(ui: :cli, file: File.read('encrypted.txt'), key: '', pw: 'foo')
         expect(File.file?('decrypted.txt')).to be true

data/spec/rapid-vaults/encrypt_spec.rb

@@ -2,11 +2,11 @@ require_relative '../spec_helper'
 require_relative '../../lib/rapid-vaults/encrypt'
 
 describe Encrypt do
-  after(:all) do
-    %w[tag.txt encrypted.txt].each { |file| File.delete(file) }
-  end
-
   context '.openssl' do
+    after(:all) do
+      %w[tag.txt encrypted.txt].each { |file| File.delete(file) }
+    end
+
     it 'outputs an encrypted file with the key and nonce from the cli' do
       Encrypt.openssl(ui: :cli, file: "foo: bar\n", key: '���b+����R�v�Í%("����=8o/���', nonce: 'Ëá!í^Uë^EÜ<83>oã^M')
       expect(File.file?('tag.txt')).to be true

data/spec/rapid-vaults/generate_spec.rb

@@ -25,7 +25,7 @@ describe Generate do
 
   context '.gpgme' do
     it 'raises an error for a missing GNUPGHOME variable' do
-      expect { Generate.gpgme(gpgparams: File.read("#{fixtures_dir}/gpgparams.txt")) }.to raise_error('Environment variable GNUPGHOME was not set.')
+      expect { Generate.gpgme(gpgparams: File.read("#{fixtures_dir}/gpgparams.txt")) }.to raise_error('Environment variable "GNUPGHOME" was not set.')
     end
     # travis ci cannot support non-interactive gpg
     unless File.directory?('/home/travis')

data/spec/rapid-vaults/integration_spec.rb

@@ -0,0 +1,28 @@
+require_relative '../spec_helper'
+require_relative '../../lib/rapid-vaults/integration'
+
+describe Integration do
+  context '.puppet' do
+    after(:all) do
+      %w[puppet_gpg_decrypt.rb puppet_gpg_encrypt.rb puppet_ssl_decrypt.rb puppet_ssl_encrypt.rb].each { |file| File.delete(file) }
+    end
+
+    it 'outputs the puppet integrations to the specified directory' do
+      Integration.puppet({})
+      %w[puppet_gpg_decrypt.rb puppet_gpg_encrypt.rb puppet_ssl_decrypt.rb puppet_ssl_encrypt.rb].each do |file|
+        expect(File.file?(file)).to be true
+      end
+    end
+  end
+
+  context '.chef' do
+    after(:all) do
+      File.delete('chef.rb')
+    end
+
+    it 'outputs the chef integrations to the specified directory' do
+      Integration.chef({})
+      expect(File.file?('chef.rb')).to be true
+    end
+  end
+end

data/spec/rapid-vaults_spec.rb

@@ -3,20 +3,23 @@ require_relative '../lib/rapid-vaults'
 
 describe RapidVaults do
   context '.process' do
+    it 'raises an error for a nonexistent output directory' do
+      expect { RapidVaults.process(outdir: '/foo/bar/baz') }.to raise_error('The output directory /foo/bar/baz does not exist or is not a directory!')
+    end
     it 'raises an error for a non-string password with openssl' do
-      expect { RapidVaults.process(algorithm: :openssl, action: :encrypt, file: 'a', key: 'b', nonce: 'c', pw: 1) }.to raise_error('Password must be a string.')
+      expect { RapidVaults.process(action: :encrypt, file: 'a', key: 'b', nonce: 'c', pw: 1) }.to raise_error('Password must be a string.')
     end
     it 'raises an error for a missing argument to encrypt with openssl' do
-      expect { RapidVaults.process(algorithm: :openssl, action: :encrypt, file: 'a', key: 'b') }.to raise_error('File, key, and nonce arguments are required for encryption.')
+      expect { RapidVaults.process(action: :encrypt, file: 'a', key: 'b') }.to raise_error('File, key, and nonce arguments are required for encryption.')
     end
     it 'raises an error for a missing argument to decrypt with openssl' do
-      expect { RapidVaults.process(algorithm: :openssl, action: :decrypt, file: 'a', key: 'b', nonce: 'c') }.to raise_error('File, key, nonce, and tag arguments are required for decryption.')
+      expect { RapidVaults.process(action: :decrypt, file: 'a', key: 'b', nonce: 'c') }.to raise_error('File, key, nonce, and tag arguments are required for decryption.')
     end
     it 'raises an error for a missing argument to decrypt with gpgme' do
       expect { RapidVaults.process(algorithm: :gpgme, action: :decrypt, file: 'a') }.to raise_error('File and password arguments required for encryption or decryption.')
     end
     it 'raises an error for a missing action with openssl' do
-      expect { RapidVaults.process(algorithm: :openssl, file: 'a', key: 'b', nonce: 'c', tag: 'd') }.to raise_error('Action must be one of generate, encrypt, or decrypt.')
+      expect { RapidVaults.process(file: 'a', key: 'b', nonce: 'c', tag: 'd') }.to raise_error('Action must be one of generate, encrypt, or decrypt.')
     end
     it 'raises an error for a missing action with gpgme' do
       expect { RapidVaults.process(algorithm: :gpgme, file: 'a', key: 'b') }.to raise_error('Action must be one of generate, encrypt, or decrypt.')
@@ -25,11 +28,15 @@ describe RapidVaults do
       expect { RapidVaults.process(algorithm: :gpgme, action: :generate) }.to raise_error('GPG params file argument required for generation.')
     end
     it 'raises an error for a nonexistent input file' do
-      expect { RapidVaults.process(algorithm: :openssl, action: :encrypt, file: 'a', key: 'b', nonce: 'c', tag: 'd') }.to raise_error('Input file is not an existing file.')
+      expect { RapidVaults.process(action: :encrypt, file: 'a', key: 'b', nonce: 'c', tag: 'd') }.to raise_error('Input file is not an existing file.')
+    end
+    it 'reads in all input files correctly for openssl encryption' do
+      dummy = fixtures_dir + 'file.yaml'
+      expect { RapidVaults.process(action: :encrypt, file: dummy, key: dummy, nonce: dummy, pw: 'password') }.not_to raise_exception
     end
-    it 'reads in all input files correctly for decryption' do
+    it 'reads in all input files correctly for gpgme decryption' do
       dummy = fixtures_dir + 'file.yaml'
-      expect { RapidVaults.process(algorithm: :openssl, action: :encrypt, file: dummy, key: dummy, nonce: dummy, pw: 'password') }.not_to raise_exception
+      expect { RapidVaults.process(algorithm: :gpgme, action: :decrypt, file: dummy, pw: 'password') }.not_to raise_exception
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rapid-vaults
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Matt Schuchard
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-18 00:00:00.000000000 Z
+date: 2018-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gpgme
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.0.0
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -102,6 +102,12 @@ files:
 - lib/rapid-vaults/decrypt.rb
 - lib/rapid-vaults/encrypt.rb
 - lib/rapid-vaults/generate.rb
+- lib/rapid-vaults/integration.rb
+- lib/rapid-vaults/integrations/chef.rb
+- lib/rapid-vaults/integrations/puppet_gpg_decrypt.rb
+- lib/rapid-vaults/integrations/puppet_gpg_encrypt.rb
+- lib/rapid-vaults/integrations/puppet_ssl_decrypt.rb
+- lib/rapid-vaults/integrations/puppet_ssl_encrypt.rb
 - spec/fixtures/file.yaml
 - spec/fixtures/gpgparams.txt
 - spec/rapid-vaults/api_spec.rb
@@ -109,6 +115,7 @@ files:
 - spec/rapid-vaults/decrypt_spec.rb
 - spec/rapid-vaults/encrypt_spec.rb
 - spec/rapid-vaults/generate_spec.rb
+- spec/rapid-vaults/integration_spec.rb
 - spec/rapid-vaults_spec.rb
 - spec/spec_helper.rb
 - spec/system/system_spec.rb
@@ -144,6 +151,7 @@ test_files:
 - spec/rapid-vaults/decrypt_spec.rb
 - spec/rapid-vaults/encrypt_spec.rb
 - spec/rapid-vaults/generate_spec.rb
+- spec/rapid-vaults/integration_spec.rb
 - spec/rapid-vaults_spec.rb
 - spec/spec_helper.rb
 - spec/system/system_spec.rb