sanctum 0.8.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: cf7c163a643291aa2598c9aa95282d252e27b1a6dcd98229bc1531f6c74326db
+  data.tar.gz: de8e41efc63ca29c75afa13f09c17962875d30e702b03a4572d706a88099629d
+SHA512:
+  metadata.gz: 2e56cc5a812d15c94a30b344e5c048b2fb829eeaed7c79f0eff42c901f3a148be985ab7593081fbf152a895848121c79275b6d654084f90ae1d3c9c4af2f3077
+  data.tar.gz: 94ea6c9b31d49bea98c4dfcf19f445bc0a60317825de118d544dd05ecbf72021e2f79744e05def3703f356c7670c2a58896f05338c544c125f416f532d579db9

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,3 @@
+source "https://rubygems.org"
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,49 @@
+PATH
+  remote: .
+  specs:
+    sanctum (0.8.0)
+      gli (~> 2)
+      hashdiff (~> 0)
+      vault (~> 0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    aws-sigv4 (1.0.2)
+    coderay (1.1.2)
+    diff-lcs (1.3)
+    gli (2.17.1)
+    hashdiff (0.3.7)
+    method_source (0.9.0)
+    pry (0.11.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    rake (10.5.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.1)
+    vault (0.11.0)
+      aws-sigv4
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  pry (~> 0)
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  sanctum!
+
+BUNDLED WITH
+   1.16.2

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Corban Raun
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,125 @@
+# Sanctum
+Simple and secure filesystem-to-vault KV synchronization. Inspired by [constancy](https://github.com/daveadams/constancy). 
+Local files are encrypted using vaults [transit](https://www.vaultproject.io/api/secret/transit/index.html) backend. 
+This makes maintaining multiple vault secrets for multiple applications simple and secure.
+
+## Usage Example
+Lets say you have a vault instance with a `generic`, or `kv` enabled backend.
+if you were to run, `vault read secrets/cool-app/dev/env` you would see something similar to
+
+```
+Key                 Value
+---                 -----
+refresh_interval    768h
+db_password         heydudeihaveacoolapp
+token               myrandomtoken
+
+```
+
+using the sanctum gem, you could run `sanctum pull`. Depending on the path you specified in the `sanctum.yaml` config file; Your local file system would look similar to
+```
+<path-specified>/cool-app/dev/env
+```
+`env` would contain a `transit` encrypted base64 encoded blob, which you could then edit with `sanctum edit <path-specified>/cool-app/dev/env`. You could then push any changes with
+`sanctum push`.
+
+## Installation
+
+From source:
+
+    $ bundle install && bundle exec rake:install
+
+Or install rubygems:
+
+    $ gem install sanctum
+
+## Usage
+```
+sanctum check  - Checks differences between local files and vault.
+sanctum push   - Push local file changes (if any) to vault.
+sanctum pull   - Pull vault secrets to local files (encrypted).
+sanctum config - Generate an example config file.
+sanctum create - Create an encrypted local file.
+sanctum edit   - Edit an encrypted local file.
+sanctum view   - View an encrypted local file.
+```
+
+
+## Configuration
+**sanctum.yaml is required, run `sanctum config` to generate an example file**
+
+Sanctum will use the **first `sanctum.yaml`** file it comes across when searching backwards through the directory tree from the current working directory. 
+So, typically you may wish to place the config file in the root of your git repository or the base directory of your config file tree.
+
+You can also specify a config file using the -c,--config <filename> command line argument.
+## Variables
+The example `sanctum.yaml` has all options documented, run `sanctum config` to generate an example file. 
+
+The following environment variables are read.
+```
+VAULT_ADDR=
+VAULT_TOKEN=
+```
+
+**Variables order of precedence**
+The higher the number the higher the precedence.(Command line arguments will always win).
+
+1. Default variables (Documented in sanctum.yaml)
+2. Config file
+3. Environment variables
+4. Command line arguments.
+
+
+## Configuration file structure
+The configuration file is a Hash represented in YAML format with three possible top-level keys: `sanctum`, `vault`, and `sync`.
+* The `sanctum` section sets global defaults. 
+  * This section is **NOT** required.
+* The `vault` section specifies the url, token, and transit_key to the Vault REST API endpoint.
+  * url, token, and transit_key are **required** and can be set here or through environment variables.
+* The `sync` section sets the local paths and Vault prefixes you wish to synchronize.
+  * At lease one application/target definition is required.
+
+## Roadmap
+* Better/more Tests
+* Built in Backup features
+* Performance optimizations
+
+## Backup scenario.
+One possible use case for sanctum is for backing up vault secrets. This feature is NOT built in yet.
+The following instructions are for testing purposes only and are not recommended as an actual backup solution.
+See the [Transit Secrets Engine(API)](https://www.vaultproject.io/api/secret/transit/index.html) for command reference.
+
+1. Create a new key with, or enable `allow_plaintext_backup` and `exportable` on the transit key you are using for sanctum. **Once enabled  you cannot disable**
+  * Example: `curl -v --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"allow_plaintext_backup": true, "exportable": true}' $VAULT_ADDR/v1/transit/keys/<my_transit_key>/config`
+2. `sanctum pull` 
+3. Get your transit key
+  * Example: `curl -v --header "X-Vault-Token: $VAULT_TOKEN" --request GET $VAULT_ADDR/v1/transit/backup/<my_transit_key>`
+4. Securely store/ backup your key.
+
+### Restoring:
+If you ever need to restore the key, you can restore using the restore endpoint
+1. `curl -v --header "X-Vault-Token: $VAULT_TOKEN" --data @transit_key.json --request POST $VAULT_ADDR/v1/transit/restore/<my_transit_key>`
+
+transit_key.json would look something like
+```
+{"backup":"<your_long_key>"}
+```
+One thing that is nice, is that you can use this method to restore to a locally running vault instance.
+This would allow you to be able to quickly decrypt local secrets in a disaster recovery event.
+1. run `vault server -dev`
+2. export the new `VAULT_TOKEN` and `$VAULT_ADDR` variables.
+3. Restore the key to your locally running vault instance.
+
+## Development
+Ensure you have the [vault](https://www.vaultproject.io/downloads.html) binary in your path. Tests need this in order to setup a dev vault server(`vault server -dev`)
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/CorbanR/sanctum. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/console

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'sanctum'
+require 'pry'
+
+Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/sanctum

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require 'sanctum'
+exit Sanctum::CLI.run(ARGV)

data/bin/setup

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install

data/lib/sanctum.rb

@@ -0,0 +1 @@
+require 'sanctum/cli'

data/lib/sanctum/cli.rb

@@ -0,0 +1,109 @@
+require 'gli'
+require 'sanctum/command'
+require 'sanctum/get_config'
+require 'sanctum/version'
+
+module Sanctum
+  class CLI
+    extend GLI::App
+
+    def self.common_options(c, *opts)
+      opts.map(&:to_sym).each do |opt|
+        case opt
+        when :config
+          c.desc 'specify config file'
+          c.flag :c, :config
+        when :targets
+          c.desc 'Comma seperated list of targets'
+          c.flag :t, :targets
+        when :force
+          c.desc 'Force, will not ask you to confirm differences'
+          c.switch :force
+        else
+          raise "unrecognized option #{opt.inspect}"
+        end
+      end
+    end
+
+    program_desc 'Simple and secure filesystem-to-Vault secrets synchronization'
+
+    version VERSION
+
+    subcommand_option_handling :normal
+    arguments :strict
+
+    desc 'Checks differences that exist'
+    command :check do |c|
+      common_options c, :targets, :config
+      c.action do
+        Command::Check.new(@options_hash).run
+      end
+    end
+
+    desc 'Pull in secrets that already exist in Vault.'
+    command :pull do |c|
+      common_options c, :targets, :config, :force
+      c.action do
+        Command::Pull.new(@options_hash).run
+      end
+    end
+
+    desc 'Synchronize secrets to Vault'
+    command :push do |c|
+      common_options c, :targets, :config, :force
+      c.action do
+        Command::Push.new(@options_hash).run
+      end
+    end
+
+    desc 'Creates example config file'
+    skips_pre
+    command :config do |c|
+      c.action do
+        Command::Config.new.run
+      end
+    end
+
+    desc 'Create an encrypted file'
+    arg_name 'path/to/file'
+    command :create do |c|
+      common_options c, :config
+      c.action do |_,_,args|
+        Command::Create.new(@options_hash, args).run
+      end
+    end
+
+    desc 'View encrypted file[s]'
+    arg_name 'path/to/file'
+    command :view do |c|
+      common_options c, :config
+      c.action do |_,_,args|
+        if args.empty?
+          help_now! "Please specify at least one argument"
+        end
+        Command::View.new(@options_hash, args).run
+      end
+    end
+
+    desc 'Edit an encrypted file'
+    arg_name 'path/to/file'
+    command :edit do |c|
+      common_options c, :config
+
+      c.action do |_,_,args|
+        Command::Edit.new(@options_hash, args).run
+      end
+    end
+
+    pre do |_,_,options,_|
+      @options_hash = GetConfig::ConfigMerge.new(config_file: options[:c], targets: options[:t], force: options[:force]).final_options
+      Colorizer.colorize = @options_hash[:sanctum][:color]
+      true
+    end
+
+    on_error do |exception|
+      true
+    end
+
+  end
+end

data/lib/sanctum/colorize_string.rb

@@ -0,0 +1,44 @@
+module Sanctum
+  module Colorizer
+    def self.colorize=(flag)
+      @colorize = !!flag
+    end
+
+    def self.colorize?
+      @colorize = true if @colorize.nil?
+      @colorize
+    end
+
+    def colorize(color_code, string, colorize: Colorizer.colorize?)
+      if colorize
+        "\e[#{color_code}m#{string}\e[0m"
+      else
+        string
+      end
+    end
+
+    def red(string)
+      colorize(31, string)
+    end
+
+    def green(string)
+      colorize(32, string)
+    end
+
+    def yellow(string)
+      colorize(33, string)
+    end
+
+    def blue(string)
+      colorize(34, string)
+    end
+
+    def pink(string)
+      colorize(35, string)
+    end
+
+    def light_blue(string)
+      colorize(36, string)
+    end
+  end
+end

data/lib/sanctum/command.rb

@@ -0,0 +1,16 @@
+#colorize_string needs to be required first
+require 'sanctum/colorize_string'
+require 'sanctum/vault_client'
+require 'sanctum/vault_secrets'
+require 'sanctum/vault_transit'
+
+#base needs to be required first
+require 'sanctum/command/base'
+
+require 'sanctum/command/check'
+require 'sanctum/command/config'
+require 'sanctum/command/create'
+require 'sanctum/command/edit'
+require 'sanctum/command/pull'
+require 'sanctum/command/push'
+require 'sanctum/command/view'

data/lib/sanctum/command/base.rb

@@ -0,0 +1,30 @@
+require 'sanctum/command/diff_helper'
+require 'sanctum/command/editor_helper'
+require 'sanctum/command/paths_helper'
+
+module Sanctum
+  module Command
+    class Base
+      include Colorizer
+      include DiffHelper
+      include EditorHelper
+      include PathsHelper
+
+      attr_reader :options, :args, :transit_key, :targets, :config_file
+
+      def initialize(options={}, args=[])
+        @options = options.to_h
+        @args = args
+
+        @transit_key = options.fetch(:vault).fetch(:transit_key)
+        @targets = options.fetch(:sync)
+        @config_file = options.fetch(:config_file)
+      end
+
+      def vault_client
+        @vault_client ||= VaultClient.build(options[:vault][:url], options[:vault][:token])
+      end
+
+    end
+  end
+end