secret_hub 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6835039458d739b136ad9d56baf090fe8261f4969d0ba144b7f361a436ca7116
+  data.tar.gz: b404dff3cb2248e124b12b3a5a7a9547a6a88554ae2e043a99b8608d09e850a0
+SHA512:
+  metadata.gz: e78bf842dcaa9455a7bf612b49ced104346c8ccabf6de097add9073a14e9d6bb2095d8b3529ab1a1da7e39b4b82da1d2e3d7f4031f0e64decb8268e1d9a09ffa
+  data.tar.gz: 2dc1e103428e7a226a07a893166aac0922757b2f3224a0962c9f7a1bd2a80f4032a919adcbc62c9dabbcef5c5fd31ed80f77c25349b45d77062b4a7d04b57856

data/README.md

@@ -0,0 +1,24 @@
+SecretHub
+==================================================
+
+[![Gem Version](https://badge.fury.io/rb/secret_hub.svg)](https://badge.fury.io/rb/secret_hub)
+[![Build Status](https://travis-ci.com/DannyBen/secret_hub.svg?branch=master)](https://travis-ci.com/DannyBen/secret_hub)
+[![Maintainability](https://api.codeclimate.com/v1/badges/.../maintainability)](https://codeclimate.com/github/DannyBen/secret_hub/maintainability)
+
+---
+
+Manage GitHub secrets over multiple repositories
+
+---
+
+Installation
+--------------------------------------------------
+
+    $ gem install secret_hub
+
+
+
+Usage
+--------------------------------------------------
+
+TODO

data/bin/secrethub

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+require 'secret_hub'
+require 'secret_hub/cli'
+require 'colsole'
+include Colsole
+
+router = SecretHub::CLI.router
+
+begin
+  exit router.run ARGV
+rescue => e
+  puts e.backtrace.reverse if ENV['DEBUG']
+  say! "!txtred!#{e.class}"
+  say! e.message
+  exit 1
+end

data/lib/secret_hub/cli.rb

@@ -0,0 +1,23 @@
+require 'mister_bin'
+require 'secret_hub/commands/base'
+require 'secret_hub/commands/list'
+require 'secret_hub/commands/save'
+require 'secret_hub/commands/delete'
+require 'secret_hub/commands/bulk'
+
+module SecretHub
+  class CLI
+    def self.router
+      router = MisterBin::Runner.new version: VERSION,
+        header: "GitHub Secret Manager"
+
+      router.route 'list',   to: Commands::List
+      router.route 'save',   to: Commands::Save
+      router.route 'delete', to: Commands::Delete
+      router.route 'bulk',   to: Commands::Bulk
+
+      router
+    end
+  end
+
+end

data/lib/secret_hub/commands/base.rb

@@ -0,0 +1,16 @@
+require 'mister_bin'
+require 'colsole'
+require 'lp'
+
+module SecretHub
+  module Commands
+    class Base < MisterBin::Command
+      include Colsole
+
+      def github
+        @github ||= GitHubClient.new
+      end
+
+    end
+  end
+end

data/lib/secret_hub/commands/bulk.rb

@@ -0,0 +1,105 @@
+require 'yaml'
+
+module SecretHub
+  module Commands
+    class Bulk < Base
+      summary "Update or delete multiple secrets from multiple repositories"
+      
+      usage "secrethub bulk init [CONFIG]"
+      usage "secrethub bulk save [CONFIG --clean]"
+      usage "secrethub bulk clean [CONFIG]"
+      usage "secrethub bulk list [CONFIG]"
+      usage "secrethub bulk (-h|--help)"
+
+      command "init", "Create a sample configuration file in the current directory"
+      command "save", "Save multiple secrets to multiple repositories"
+      command "clean", "Delete secrets from multiple repositories unless they are specified in the config file"
+      command "list", "Show all secrets in all repositories"
+
+      option "-c, --clean", "Also delete any other secret not defined in the config file"
+
+      param "CONFIG", "Path to the configuration file"
+            
+      example "secrethub bulk init"
+      example "secrethub bulk clean"
+      example "secrethub bulk update mysecrets.yml"
+      example "secrethub bulk update --clean"
+
+      def init_command
+        raise SecretHubError, "File #{config_file} already exists" if File.exist? config_file
+
+        content = {
+          "user/repo" => %w[SECRET PASSWORD SECRET_KEY],
+          "user/another-repo" => %w[SECRET SECRET_KEY],
+        }
+
+        File.write config_file, content.to_yaml
+        say "!txtgrn!Saved #{config_file}"
+      end
+
+      def save_command
+        clean = args['--clean']
+
+        config.each do |repo, keys|
+          say "!txtblu!#{repo}"
+          update_repo repo, keys
+          clean_repo repo, keys if clean
+        end
+      end
+
+      def clean_command
+        config.each do |repo, keys|
+          say "!txtblu!#{repo}"
+          clean_repo repo, keys
+        end
+      end
+
+      def list_command
+        config.each do |repo, keys|
+          say "!txtblu!#{repo}"
+          github.secrets(repo).each do |secret|
+            say "!txtpur!#{secret}"
+          end
+        end
+      end
+    
+    private
+
+      def clean_repo(repo, keys)
+        repo_keys = github.secrets repo
+        delete_candidates = repo_keys - keys
+
+        delete_candidates.each do |key|
+          say "delete !txtpur!#{key} "
+          success = github.delete_secret repo, key
+          say "!txtgrn!OK"
+        end
+      end
+
+      def update_repo(repo, keys)
+        keys.each do |key|
+          say "save   !txtpur!#{key} "
+          github.put_secret repo, key, secret_value(key)
+          say "!txtgrn!OK"
+        end
+      end
+
+      def secret_value(key)
+        ENV[key] || raise(EnvironmentError, "Please set the #{key} environment variable")
+      end
+
+      def config_file
+        args['CONFIG'] || 'secrethub.yml'
+      end
+
+      def config
+        raise ConfigurationError, "Config file not found #{config_flie}" unless File.exist? config_file
+        result = YAML.load_file config_file
+        result.each do |key, value|
+          raise ConfigurationError, "Invalid repo #{key}" unless key.include? '/'
+          raise ConfigurationError, "Invalid keys for #{key} - must be an array" unless value.is_a? Array
+        end
+      end
+    end
+  end
+end

data/lib/secret_hub/commands/delete.rb

@@ -0,0 +1,23 @@
+module SecretHub
+  module Commands
+    class Delete < Base
+      summary "Delete a secret from a repository"
+
+      usage "secrethub delete REPO KEY"
+      usage "secrethub delete (-h|--help)"
+
+      param "REPO", "Full name of the GitHub repository (user/repo)"
+      param "KEY", "The name of the secret"
+
+      example "secrethub delete bob/vault PASSWORD"
+
+      def run
+        repo = args['REPO']
+        key = args['KEY']
+        
+        success = github.delete_secret repo, key
+        say "Deleted !txtblu!#{repo} !txtpur!#{key}"
+      end
+    end
+  end
+end

data/lib/secret_hub/commands/list.rb

@@ -0,0 +1,22 @@
+module SecretHub
+  module Commands
+    class List < Base
+      summary "Show secrets for a repository"
+
+      usage "secrethub list REPO"
+      usage "secrethub list (-h|--help)"
+
+      param "REPO", "Full name of the GitHub repository (user/repo)"
+
+      example "secrethub list bob/repo-woth-secrets"
+
+      def run
+        repo = args['REPO']
+        say "!txtblu!#{repo}"
+        github.secrets(repo).each do |secret|
+          say "!txtpur!#{secret}"
+        end
+      end
+    end
+  end
+end

data/lib/secret_hub/commands/save.rb

@@ -0,0 +1,25 @@
+module SecretHub
+  module Commands
+    class Save < Base
+      summary "Create or update a secret in a repository"
+
+      usage "secrethub save REPO KEY VALUE"
+      usage "secrethub save (-h|--help)"
+
+      param "REPO", "Full name of the GitHub repository (user/repo)"
+      param "KEY", "The name of the secret"
+      param "VALUE", "The plain text secret value"
+
+      example "secrethub save bob/vault PASSWORD p4ssw0rd"
+
+      def run
+        repo = args['REPO']
+        key = args['KEY']
+        value = args['VALUE']
+        
+        github.put_secret repo, key, value
+        say "Saved !txtblu!#{repo} !txtpur!#{key}"
+      end
+    end
+  end
+end

data/lib/secret_hub/exceptions.rb

@@ -0,0 +1,14 @@
+module SecretHub
+  SecretHubError = Class.new StandardError
+  ConfigurationError = Class.new SecretHubError
+  EnvironmentError = Class.new SecretHubError
+  
+  class APIError < SecretHubError
+    attr_reader :response
+
+    def initialize(response)
+      @response = response
+      super "[#{response.code}] #{response.body}"
+    end
+  end
+end

data/lib/secret_hub/github_client.rb

@@ -0,0 +1,83 @@
+require 'httparty'
+require 'secret_hub/sodium'
+
+module SecretHub
+  class GitHubClient
+    include Sodium
+    include HTTParty
+
+    def initialize
+      self.class.base_uri ENV['SECRET_HUB_API_BASE'] || 'https://api.github.com'
+    end
+
+    # GET /repos/:owner/:repo/actions/secrets/public-key
+    def public_key(repo)
+      public_keys[repo] ||= get("/repos/#{repo}/actions/secrets/public-key")
+    end
+
+    # GET /repos/:owner/:repo/actions/secrets
+    def secrets(repo)
+      response = get "/repos/#{repo}/actions/secrets"
+      response['secrets'].map { |s| s['name'] }
+    end
+
+    # PUT /repos/:owner/:repo/actions/secrets/:name
+    def put_secret(repo, name, value)
+      secret = encrypt_for_repo repo, value
+      key_id = public_key(repo)['key_id']
+      put "/repos/#{repo}/actions/secrets/#{name}",
+        encrypted_value: secret, 
+        key_id: key_id
+    end
+
+    # DELETE /repos/:owner/:repo/actions/secrets/:name
+    def delete_secret(repo, name)
+      delete "/repos/#{repo}/actions/secrets/#{name}"
+    end
+
+  private
+
+    def public_keys
+      @public_keys ||= {}
+    end
+
+    def encrypt_for_repo(repo, secret)
+      public_key = public_key(repo)['key']
+      encrypt secret, public_key
+    end
+
+    def get(url)
+      response = self.class.get(url, request_options)
+      response.success? or raise APIError, response
+      response.parsed_response
+    end
+
+    def put(url, args = {})
+      options = { body: args.to_json }
+      all_options = request_options.merge options
+      response = self.class.put url, all_options
+      response.success? or raise APIError, response
+    end
+
+    def delete(url)
+      response = self.class.delete url, request_options
+      response.success? or raise APIError, response
+    end
+
+    def request_options
+      { headers: headers }
+    end
+
+    def headers
+      { 
+        "Authorization" => "token #{secret_token}",
+        "User-Agent" =>    "SecretHub Gem"
+      }
+    end
+
+    def secret_token
+      ENV['GITHUB_ACCESS_TOKEN'] || raise(EnvironmentError, "Please set GITHUB_ACCESS_TOKEN")
+    end
+
+  end
+end

data/lib/secret_hub/sodium.rb

@@ -0,0 +1,16 @@
+require "base64"
+require 'rbnacl'
+
+module SecretHub
+  module Sodium
+    def encrypt(secret, public_key)
+      key = Base64.decode64 public_key
+      public_key = RbNaCl::PublicKey.new key
+
+      box = RbNaCl::Boxes::Sealed.from_public_key public_key
+      encrypted_secret = box.encrypt secret
+
+      Base64.strict_encode64 encrypted_secret
+    end
+  end
+end

data/lib/secret_hub/version.rb

@@ -0,0 +1,3 @@
+module SecretHub
+  VERSION = "0.0.1"
+end

data/lib/secret_hub.rb

@@ -0,0 +1,5 @@
+require 'secret_hub/version'
+require 'secret_hub/exceptions'
+require 'secret_hub/github_client'
+
+require 'byebug' if ENV['BYEBUG']

metadata

@@ -0,0 +1,126 @@
+--- !ruby/object:Gem::Specification
+name: secret_hub
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Danny Ben Shitrit
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-02-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: mister_bin
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: colsole
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.17'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.17'
+- !ruby/object:Gem::Dependency
+  name: lp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
+description: Command line interface for managing GitHub secrets in bulk
+email: db@dannyben.com
+executables:
+- secrethub
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- bin/secrethub
+- lib/secret_hub.rb
+- lib/secret_hub/cli.rb
+- lib/secret_hub/commands/base.rb
+- lib/secret_hub/commands/bulk.rb
+- lib/secret_hub/commands/delete.rb
+- lib/secret_hub/commands/list.rb
+- lib/secret_hub/commands/save.rb
+- lib/secret_hub/exceptions.rb
+- lib/secret_hub/github_client.rb
+- lib/secret_hub/sodium.rb
+- lib/secret_hub/version.rb
+homepage: https://github.com/dannyben/secret_hub
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.4.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Manage GitHub secrets over multiple repositories
+test_files: []