sanctum 0.8.0

data/lib/sanctum/command/check.rb

@@ -0,0 +1,29 @@
+module Sanctum
+  module Command
+    class Check < Base
+
+      def run
+        targets.each do |target|
+          # Recursively get local files for each prefix specified in sanctum.yaml
+          local_paths = get_local_paths(File.join(File.dirname(config_file), target[:path]))
+          # Read each file
+          local_secrets = read_local_files(local_paths)
+          # Decrypt each secret
+          local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
+
+          # Recursively get vault secrets for each prefix specified in sanctum.yaml
+          secrets_list = VaultSecrets.new(vault_client, target[:prefix]).get
+
+          # Only one entry in this hash (which will be the target).
+          tree = secrets_list.values.first
+          # Build local paths based on prefix and paths specified in sanctum.yaml
+          vault_secrets = build_path(tree, [target[:path]])
+          # Join the path array to create a path
+          vault_secrets = join_path(vault_secrets, config_file)
+          compare_secrets(vault_secrets, local_secrets, target[:name])
+        end
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/config.rb

@@ -0,0 +1,34 @@
+require 'fileutils'
+
+module Sanctum
+  module Command
+    # Intentionally not extending Base
+    # This command creates an example config
+    class Config
+      include Colorizer
+      attr_reader :config_path, :example_file
+
+      def initialize(options={}, _args=[])
+        options = {working_dir: Dir.pwd}.merge(options)
+
+        relative_path = File.expand_path File.dirname(__FILE__)
+        @config_path = "#{options[:working_dir]}/sanctum.yaml"
+        @example_file = "#{relative_path}/sanctum.example.yaml"
+      end
+
+      def run
+        raise yellow("config file already exists") if config_exist?
+        create_config_file
+      end
+
+      def config_exist?
+        File.file?(config_path)
+      end
+
+      def create_config_file
+        FileUtils.cp(example_file, config_path)
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/create.rb

@@ -0,0 +1,62 @@
+require 'fileutils'
+require 'json'
+require 'pathname'
+require 'tempfile'
+require 'yaml'
+
+module Sanctum
+  module Command
+    class Create < Base
+
+      def run(&block)
+        if args.one?
+          path = args[0]
+          validate_path(path)
+          create_file(path, &block)
+        else
+          raise ArgumentError, red('Please pass only one path argument')
+        end
+      end
+
+      private
+      def create_file(path)
+        # Calling vault_client will help prevent a race condition where the token is expired
+        # and contents fail to encrypt
+        vault_client
+        tmp_file = Tempfile.new(File.basename(path))
+
+        begin
+          if block_given?
+            yield tmp_file
+          else
+            editor = ENV.fetch('EDITOR', 'vi')
+            raise red("Error with editor") unless system(editor, tmp_file.path)
+          end
+
+          contents = File.read(tmp_file.path)
+          data_hash = {"#{tmp_file.path}" => validate(contents)}
+          write_encrypted_data(vault_client, data_hash, transit_key)
+          tmp_file.close
+
+          FileUtils.cp(tmp_file.path, path)
+        rescue Exception => e
+          # If write_encrypted_data failed, data would fail to write to disk
+          # It would be sad to lose that data, at least this would print the contents to the console.
+          puts red("Contents may have failed to write\nError: #{e}")
+          puts yellow("Contents: \n#{contents}")
+        ensure
+          tmp_file.close
+          secure_erase(tmp_file.path, tmp_file.length)
+          tmp_file.unlink
+        end
+      end
+
+      def validate_path(path)
+        path = Pathname.new(path)
+        raise yellow("File exists, use edit command") if path.exist?
+        path.dirname.mkpath unless path.dirname.exist?
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/diff_helper.rb

@@ -0,0 +1,70 @@
+require 'hashdiff'
+
+module Sanctum
+  module Command
+    module DiffHelper
+
+      def hash_diff(first_hash, second_hash)
+        differences = HashDiff.best_diff(first_hash, second_hash, delimiter: " => ", array_path: true)
+
+        differences.each do |diff|
+          if diff[0] == "+"
+            puts green("#{diff[0].to_s + diff[1].join(" => ").to_s} => #{diff[2]}")
+          else
+            puts red("#{diff[0].to_s + diff[1].join(" => ").to_s} => #{diff[2]}")
+          end
+        end
+        differences
+      end
+
+      def compare_secrets(vault_secrets, local_secrets, name, direction="both")
+        if vault_secrets == local_secrets
+          warn yellow("Target #{name}: contains no differences")
+        else
+          case direction
+          when "pull"
+            puts yellow("Target #{name}: differences pulling from vault")
+            hash_diff(local_secrets, vault_secrets)
+          when "push"
+            puts yellow("Target #{name}: differences pushing to vault")
+            hash_diff(vault_secrets, local_secrets)
+          when "both"
+            puts yellow("Target #{name}: differences pulling from vault")
+            hash_diff(local_secrets, vault_secrets)
+
+            puts yellow("Target #{name}: differences pushing to vault")
+            hash_diff(vault_secrets, local_secrets)
+          end
+        end
+      end
+
+      def confirmed_with_user?
+        puts yellow("\nWould you like to continue?: ")
+        question = STDIN.gets.chomp.upcase
+
+        if ["Y", "YES"].include? question
+          puts yellow("Overwriting differences")
+          true
+        else
+          warn yellow("Skipping....\n")
+          false
+        end
+      end
+
+      # Array is a unique list of paths built from the differences of hash1 and hash2.
+      #   See diff_paths variable in push or pull command
+      # Hash will be all local, or vault secrets.
+      # We then build a new hash that contains only the k,v needed to sync (to or from vault)
+      def only_changes(array, hash)
+        tmp_hash = Hash.new
+        array.each do |a|
+          hash.each do |k, v|
+            tmp_hash[k] = v if a == k
+          end
+        end
+        tmp_hash
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/edit.rb

@@ -0,0 +1,63 @@
+require 'fileutils'
+require 'tempfile'
+require 'yaml'
+require 'json'
+
+module Sanctum
+  module Command
+    class Edit < Base
+
+      def run(&block)
+        if args.one?
+          path = args[0]
+          edit_file(path, &block)
+        else
+          raise ArgumentError, red('Please pass only one path argument')
+        end
+      end
+
+      private
+      def edit_file(path)
+        tmp_file = Tempfile.new(File.basename(path))
+
+        begin
+          encrypted_data_hash = {path => File.read(path)}
+          decrypted_data_hash = decrypt_data(vault_client, encrypted_data_hash, transit_key)
+          decrypted_data_hash.each_value do |v|
+            v = v.to_yaml
+            File.write(tmp_file.path, v)
+          end
+
+          if block_given?
+            yield tmp_file
+          else
+            previous_contents = File.read(tmp_file.path)
+            editor = ENV.fetch('EDITOR', 'vi')
+            raise red("Error with editor") unless system(editor, tmp_file.path )
+          end
+          contents = File.read(tmp_file.path)
+
+          # Only write contents if something changed
+          unless contents == previous_contents
+            data_hash = {"#{tmp_file.path}" => validate(contents)}
+            write_encrypted_data(vault_client, data_hash, transit_key)
+            tmp_file.close
+
+            FileUtils.cp(tmp_file.path, path)
+          end
+
+        rescue Exception => e
+          # If write_encrypted_data failed, data would fail to write to disk
+          # It would be sad to lose that data, at least this would print the contents to the console.
+          puts red("Contents may have failed to write\nError: #{e}")
+          puts yellow("Contents: \n#{contents}")
+        ensure
+          tmp_file.close
+          secure_erase(tmp_file.path, tmp_file.length)
+          tmp_file.unlink
+        end
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/editor_helper.rb

@@ -0,0 +1,58 @@
+require 'securerandom'
+require 'yaml'
+require 'json'
+
+module Sanctum
+  module Command
+    module EditorHelper
+      include Colorizer
+
+      def decrypt_data(vault_client, data, transit_key)
+        VaultTransit.decrypt(vault_client, data, transit_key)
+      end
+
+      def write_encrypted_data(vault_client, data, transit_key)
+        VaultTransit.write_to_file(vault_client, data, transit_key)
+      end
+
+      def validate(contents)
+        validate_json(contents) || validate_yaml(contents) || raise
+      rescue
+        fail red("Invalid Contents")
+      end
+
+      def validate_json(json)
+        JSON.parse(json)
+      rescue JSON::ParserError
+        nil
+      end
+
+      def validate_yaml(yaml)
+        YAML.load(yaml)
+      rescue YAML::SyntaxError
+        nil
+      end
+
+      def write_random_data(file, file_len)
+        max_chunk_len = [file_len, (1024 * 1024 * 2)].max
+
+        3.times do
+          random_data = SecureRandom.random_bytes(max_chunk_len)
+          File.write(file, random_data, 0, mode: 'wb')
+        end
+      end
+
+      def secure_erase(file, file_len)
+        if file_len >= 1
+          begin
+            #Try to use shred if available on system
+            raise red("Failed system shred") unless system("shred", file)
+          rescue
+            write_random_data(file, file_len)
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/paths_helper.rb

@@ -0,0 +1,64 @@
+require 'find'
+require 'pathname'
+
+module Sanctum
+  module Command
+    module PathsHelper
+
+      #Helper methods for building, reading and joining paths
+      private
+      def build_path_helper(hash, path = [])
+        if hash.values.any? { |k| !k.is_a?(Hash) }
+          [path, hash]
+        else
+          hash.flat_map do |(key,value)|
+            build_path_helper(value, path+[key])
+          end
+        end
+      end
+
+      public
+      def build_path(hash, path = [])
+        build_path_helper(hash, path).each_slice(2).to_h
+      end
+
+      def join_path(hash, config_file)
+        config_file = Pathname.new(config_file)
+        tmp_hash = Hash.new
+
+        hash.each do |p, v|
+          p = config_file.dirname + Pathname.new(p.join("/"))
+          tmp_hash["#{p}"] = v
+        end
+        tmp_hash
+      end
+
+      def read_local_files(paths)
+        tmp_hash = Hash.new
+        paths.each do |k,v|
+          if File.file?(k)
+            v = File.read(k)
+            tmp_hash["#{k}"] = v
+          end
+        end
+        tmp_hash
+      end
+
+      def get_local_paths(paths)
+        tmp_array = Array.new
+        Find.find(paths) do |path|
+          if FileTest.file?(path)
+            tmp_array << path
+            if File.basename(path).start_with?(?.)
+              Find.prune
+            else
+              next
+            end
+          end
+        end
+        tmp_array
+      end
+
+    end
+  end
+end

data/lib/sanctum/command/pull.rb

@@ -0,0 +1,81 @@
+require 'pathname'
+
+module Sanctum
+  module Command
+    class Pull < Base
+
+      def run
+        targets.each do |target|
+          # Use command line if force: true
+          if options[:cli][:force]
+            force = options[:cli][:force]
+          else
+            force = target.fetch(:force) {options[:sanctum][:force]}
+          end
+
+          # Recursively get vault secrets for each prefix specified in sanctum.yaml
+          secrets_list = VaultSecrets.new(vault_client, target[:prefix]).get
+          secrets_list.each do |k,v|
+
+            vault_secrets = build_vault_secrets(v, [target[:path]])
+            local_secrets = build_local_secrets(vault_secrets)
+
+            #Compare secrets, if there are no differences continue to next target
+            differences = compare_secrets(vault_secrets, local_secrets, target[:name], "pull")
+            next if differences.nil?
+
+            #Get uniq array of HashDiff returned paths
+            diff_paths = differences.map{|x| x[1][0]}.uniq
+
+            #Only sync the differences
+            vault_secrets = only_changes(diff_paths, vault_secrets)
+
+            if force
+              # Write files to disk and encrypt with transit
+              warn red("#{target[:name]}: Forcefully writing differences to disk(pull)")
+              VaultTransit.write_to_file(vault_client, vault_secrets, transit_key)
+            else
+              #Confirm with user, and write to local file if approved
+              next unless confirmed_with_user?
+              VaultTransit.write_to_file(vault_client, vault_secrets, transit_key)
+            end
+          end
+        end
+
+      end
+
+      def create_paths(paths)
+        paths.each do |k,v|
+          k = Pathname.new(k)
+          unless k.dirname.exist?
+            k.dirname.mkpath
+          end
+        end
+      end
+
+      def build_vault_secrets(tree, path)
+        # Build local paths based on vault_prefix(tree) and paths specified in sanctum.yaml
+        vault_secrets = build_path(tree, path)
+
+        # Join the path array to create a path
+        vault_secrets = join_path(vault_secrets, config_file)
+
+        # Ensure local paths exist, relative to sanctum.yaml if they don't create them
+        create_paths(vault_secrets)
+        vault_secrets
+      end
+
+      def build_local_secrets(vault_secrets)
+
+        # read_local_files uses vault_secrets paths to create a new hash with local paths and values.
+        # This means that we will only compare secrets/paths that exist in both vault and locally.
+        # We will not for example, see differences if a file exists locally but not in vault.
+        local_secrets = read_local_files(vault_secrets)
+        # Decrypt local_secrets
+        local_secrets = VaultTransit.decrypt(vault_client, local_secrets, transit_key)
+        local_secrets
+      end
+
+    end
+  end
+end