secret-keeper 0.2.5 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8693d3499b65d7db741098ae2daeb82d5def5cc6b26d105ddb7308ac7e56bd76
-  data.tar.gz: dc784b7d2155a5b2bfbe31210b29f9016109b9308ad27ec26161fb8f90558533
+  metadata.gz: 993613940fe2fd54b0db8ea676aeaeb82a1de574b6d986a904f14e166d9826a2
+  data.tar.gz: 92c2b76672090397d60871cf438fc597877351ae74c09cd4f43d927d2c3de0b1
 SHA512:
-  metadata.gz: b49b2c0d43777d0b31dcb4fcc4ae39e656836e83edd119698c2a4e5e90b91a2a91e30dfc5ae8a9cb41f130f9109f95f3965a62ada02bcdfce3a831585e964a84
-  data.tar.gz: cc0cc6b3c9ed69e424a7013677e9d44e1f31cb85c7e3d318b19524bbf8384f2240b68753be548a5e0415a1398251c3213ab69479ad50dc95f48835670843b4f0
+  metadata.gz: a3c9d114ab4bcd7b0958ff3fa999e2b2ffb3c4bda4eeab15e54841daa9596d24ec6c7323893d07995e8fe6f4c7fb47ccc082e88b5c89513fe12010a350ba1b84
+  data.tar.gz: 9a6e63acc12ef13e56237e8dde65e28b45a47423a700b71c6d79486fabcf89dbd3f13426f26e23ab08f54a9ca09fb186b00bcdefab19f6a3c1bc1e27c8682719

data/README.md

@@ -12,6 +12,16 @@ with bundler, write follwing line in your Gemfile
 
     gem 'secret-keeper', require: false
 
+## Upgrade from v1 to v2
+
+The *remove_production* parameter of *decrypt_files* has been removed after version 2.0.0.
+If you wants to remove *production* settings after decrypt files, you can set *remove_production* option to *true* in *secret-keeper.yml*:
+
+```
+  options:
+    remove_production: false
+```
+
 ## Usage
 setup files need to be encrypted in config/secret-keeper.yml
 
@@ -19,6 +29,10 @@ setup files need to be encrypted in config/secret-keeper.yml
     development:
       ev_name: SECRET_KEEPER
       cipher: AES-256-CBC
+      options:
+        slience: false
+        remove_production: false
+        remove_source: false
       tasks:
         -
           encrypt_from: example/database.yml
@@ -55,16 +69,18 @@ decrypt files based on your tasks defined in config/secret-keeper.yml
     #   * example/secrets.yml.enc --> example/secrets.yml, ok
     # Done!
 
-decrypt files and remove production configs
-
-    irb> SecretKeeper.decrypt_files
-    # Decrypting...
-    # remove production configs after decrypted
-    #   * example/database.yml.enc --> example/database.yml, ok
-    #   * example/secrets.yml.enc --> example/secrets.yml, ok
-    # Done!
-
 ## Available Ciphers
 
     irb> require 'openssl'
     irb> OpenSSL::Cipher.ciphers
+
+## Options
+
+* slience
+When this option set to *true*, the tasks will run in slience mode. Messages will not show no screen. Default is *false*.
+
+* remove_production
+When this option set to *true*, the *production* settings in the decrypted files will be removed after the decryption task. Default is *false*.
+
+* remove_source
+When this option set to *true*, the source file will be removed after either encrypt or decrypt tasks. Default is *false*.

data/lib/secret-keeper.rb

@@ -2,43 +2,55 @@ require 'openssl'
 require 'yaml'
 
 class SecretKeeper
+  attr_reader :tasks, :options
+
   def self.encrypt_files
+    printer = ['Encrypting...']
     sk = SecretKeeper.new
-    puts 'Encrypting...'
+    printer << '(production config removed)' if sk.options['remove_production']
+    printer << '(source files removed)' if sk.options['remove_source']
     ok_queue = []
     sk.tasks.each do |task|
-      from = task['encrypt_from']
+      from = File.exists?(task['encrypt_from']) ? task['encrypt_from'] : task['decrypt_to']
       to = task['encrypt_to']
 
       result = sk.encrypt_file(from, to)
+      if result == :ok
+        result = sk.remove_file(from) if sk.options['remove_source']
+      end
+
       ok_queue << result if result == :ok
-      puts "  * #{from} --> #{to}, #{result}"
+      printer << "  * #{from} --> #{to}, #{result}"
     end
     success = ok_queue.count == sk.tasks.count
-    puts success ? 'Done!' : 'Failed!'
+    printer << (success ? 'Done!' : 'Failed!')
+    printer.each{ |row| puts row } unless sk.options['slience']
     success
   end
 
-  def self.decrypt_files(remove_production=false)
+  def self.decrypt_files
+    printer = ['Decrypting...']
     sk = SecretKeeper.new
-    puts 'Decrypting...'
-    puts 'remove production configs after decrypted' if remove_production
+    printer << '(production config removed)' if sk.options['remove_production']
+    printer << '(source files removed)' if sk.options['remove_source']
+
     ok_queue = []
     sk.tasks.each do |task|
       from = task['decrypt_from'] || task['encrypt_to']
       to = task['decrypt_to'] || task['encrypt_from']
 
       result = sk.decrypt_file(from, to)
-
-      if result == :ok && remove_production
-        result = sk.remove_production_config(to)
+      if result == :ok
+        result = sk.remove_production_config(to) if sk.options['remove_production']
+        result = sk.remove_file(from) if sk.options['remove_source']
       end
 
       ok_queue << result if result == :ok
-      puts "  * #{from} --> #{to}, #{result}"
+      printer << "  * #{from} --> #{to}, #{result}"
     end
     success = ok_queue.count == sk.tasks.count
-    puts success ? 'Done!' : 'Failed!'
+    printer << (success ? 'Done!' : 'Failed!')
+    printer.each{ |row| puts row } unless sk.options['slience']
     success
   end
 
@@ -51,13 +63,11 @@ class SecretKeeper
     ev_name = config['ev_name'] || 'SECRET_KEEPER'
     fail "environment variable #{ev_name} not exist" if ENV[ev_name].nil?
 
-    @cipher_digest = ENV[ev_name]
     @tasks = config['tasks']
-    @using_cipher = OpenSSL::Cipher.new(config['cipher'])
-  end
+    @using_cipher = OpenSSL::Cipher.new(config['cipher'] || 'AES-256-CBC')
+    @cipher_key = Digest::SHA2.hexdigest(ENV[ev_name])[0...@using_cipher.key_len]
 
-  def tasks
-    @tasks
+    @options = config['options']
   end
 
   def encrypt_file(from_file, to_file)
@@ -70,7 +80,7 @@ class SecretKeeper
 
   def decrypt_file(from_file, to_file)
     decrypted = File.open(from_file, 'rb') { |f| decrypt(f.read) }
-    File.open(to_file, 'w') { |f| f.write(decrypted) }
+    File.open(to_file, 'w') { |f| f.write(decrypted.force_encoding('UTF-8')) }
     :ok
   rescue => e
     e
@@ -86,19 +96,24 @@ class SecretKeeper
     e
   end
 
+  def remove_file(file_path)
+    File.delete(file_path)
+    :ok
+  rescue => e
+    e
+  end
+
   private
 
   def encrypt(data)
     cipher = @using_cipher.encrypt
-    key_size_range = 0..(cipher.key_len-1)
-    cipher.key = Digest::SHA2.hexdigest(@cipher_digest)[key_size_range]
+    cipher.key = @cipher_key
     cipher.update(data) + cipher.final
   end
 
   def decrypt(data)
     cipher = @using_cipher.decrypt
-    key_size_range = 0..(cipher.key_len-1)
-    cipher.key = Digest::SHA2.hexdigest(@cipher_digest)[key_size_range]
+    cipher.key = @cipher_key
     cipher.update(data) + cipher.final
   end
 end

data/spec/secret-keeper_spec.rb

@@ -1,6 +1,12 @@
 describe SecretKeeper do
   before(:each) do
     ENV['SECRET_KEEPER'] = 'PASSWORD_HERE'
+    FileUtils.copy_entry('./example', './example_backup')
+  end
+
+  after(:each) do
+    FileUtils.rm_r('./example')
+    FileUtils.mv('./example_backup', './example')
   end
 
   describe '.encrypt_files' do
@@ -8,6 +14,24 @@ describe SecretKeeper do
       result = SecretKeeper.encrypt_files
       expect(result).to eq(true)
     end
+
+    it 'should return true on remove_source true' do
+      options = {
+        'slience' => true,
+        'remove_production' => false,
+        'remove_source' => true
+      }
+      allow_any_instance_of(SecretKeeper).to receive(:options).and_return(options)
+
+      result = SecretKeeper.encrypt_files
+      expect(result).to eq(true)
+      SecretKeeper.new.tasks.each do |task|
+        source_file = task['encrypt_from']
+        target_file = task['encrypt_to']
+        expect(File.exists?(source_file)).to eq(false)
+        expect(File.exists?(target_file)).to eq(true)
+      end
+    end
   end
 
   describe '.decrypt_files' do
@@ -19,12 +43,58 @@ describe SecretKeeper do
       expect(hash['production']['secret_key_base']).to eq('339f639f4fe35c5ffaa47ace973260b12e51b0b4fe1f65effd283a5f054f47594b24bd565779e351a20dfd4ada4f777958f0417b305c06cdedbde392b8e1fd07')
     end
 
-    it 'should return true on remove_production true' do
-      result = SecretKeeper.decrypt_files(ENV['RAILS_ENV'] != 'production')
+    it 'should return true on remove_production true and remove_source false' do
+      options = {
+        'slience' => true,
+        'remove_production' => true,
+        'remove_source' => false
+      }
+      allow_any_instance_of(SecretKeeper).to receive(:options).and_return(options)
+
+      result = SecretKeeper.decrypt_files
+      expect(result).to eq(true)
+      hash = YAML.load_file('example/secrets.yml')
+      expect(hash['development']['secret_key_base']).to eq('e8310af93d52f174f475940c41fbfb90417b300ebc19e1b24bd5639f4fe35c5ffaa5775a347ace9732958f656a47f6bb8e1fd0760b12e51b0b4fe1f65ef0a1d6')
+      expect(hash['production']).to be_nil
+    end
+
+    it 'should return true on remove_production false and remove_source true' do
+      options = {
+        'slience' => true,
+        'remove_production' => false,
+        'remove_source' => true
+      }
+      allow_any_instance_of(SecretKeeper).to receive(:options).and_return(options)
+
+      result = SecretKeeper.decrypt_files
+      expect(result).to eq(true)
+      SecretKeeper.new.tasks.each do |task|
+        source_file = task['decrypt_from'] || task['encrypt_to']
+        target_file = task['decrypt_to'] || task['encrypt_from']
+        expect(File.exists?(source_file)).to eq(false)
+        expect(File.exists?(target_file)).to eq(true)
+      end
+    end
+
+    it 'should return true on remove_production true and remove_source true' do
+      options = {
+        'slience' => true,
+        'remove_production' => true,
+        'remove_source' => true
+      }
+      allow_any_instance_of(SecretKeeper).to receive(:options).and_return(options)
+
+      result = SecretKeeper.decrypt_files
       expect(result).to eq(true)
       hash = YAML.load_file('example/secrets.yml')
       expect(hash['development']['secret_key_base']).to eq('e8310af93d52f174f475940c41fbfb90417b300ebc19e1b24bd5639f4fe35c5ffaa5775a347ace9732958f656a47f6bb8e1fd0760b12e51b0b4fe1f65ef0a1d6')
       expect(hash['production']).to be_nil
+      SecretKeeper.new.tasks.each do |task|
+        source_file = task['decrypt_from'] || task['encrypt_to']
+        target_file = task['decrypt_to'] || task['encrypt_from']
+        expect(File.exists?(source_file)).to eq(false)
+        expect(File.exists?(target_file)).to eq(true)
+      end
     end
 
     it 'should be false, if SECRET_KEEPER incorrect' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secret-keeper
 version: !ruby/object:Gem::Version
-  version: 0.2.5
+  version: 2.0.0
 platform: ruby
 authors:
 - Ray Lee
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-06-17 00:00:00.000000000 Z
+date: 2022-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.9'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.9'
 description: A Secret keeper
 email: ray-lee@kdanmobile.com
 executables: []
@@ -34,7 +34,7 @@ files:
 - README.md
 - lib/secret-keeper.rb
 - spec/secret-keeper_spec.rb
-homepage: https://github.com/redtear1115/secret-keeper
+homepage: https://github.com/kdan-mobile-software-ltd/secret-keeper
 licenses:
 - MIT
 metadata: {}
@@ -47,14 +47,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.1
+      version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.2.32
 signing_key: 
 specification_version: 4
 summary: Keep all your secret files within openssl