secret_hub 0.0.1 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6835039458d739b136ad9d56baf090fe8261f4969d0ba144b7f361a436ca7116
-  data.tar.gz: b404dff3cb2248e124b12b3a5a7a9547a6a88554ae2e043a99b8608d09e850a0
+  metadata.gz: ba608183188fcc510b16eebb1b02a0a426c69e638f52656c64335ec467ea5042
+  data.tar.gz: 78788d64bdbe84fa632fd2d0fd675622b01fd953ccc1c8c3f2787d4106c2a112
 SHA512:
-  metadata.gz: e78bf842dcaa9455a7bf612b49ced104346c8ccabf6de097add9073a14e9d6bb2095d8b3529ab1a1da7e39b4b82da1d2e3d7f4031f0e64decb8268e1d9a09ffa
-  data.tar.gz: 2dc1e103428e7a226a07a893166aac0922757b2f3224a0962c9f7a1bd2a80f4032a919adcbc62c9dabbcef5c5fd31ed80f77c25349b45d77062b4a7d04b57856
+  metadata.gz: fae95b5ab77f112281debf4a46194aad8aad1fedfd71bcd78c64913a2d8a98b695099a6aceb8b83c3a7096896d3e9487a687cb910c6b3be1a72016cc6127efd4
+  data.tar.gz: 44f948f6467d1d6207204d63bd898603dba654ed298c9af3e2fe91531d844e27b086715158b43fc084efea5f8f11052685a6ef4ba1a6c54dba5b94bbdd9de405

data/README.md

@@ -1,24 +1,189 @@
-SecretHub
+SecretHub - GitHub Secrets CLI
 ==================================================
 
 [![Gem Version](https://badge.fury.io/rb/secret_hub.svg)](https://badge.fury.io/rb/secret_hub)
-[![Build Status](https://travis-ci.com/DannyBen/secret_hub.svg?branch=master)](https://travis-ci.com/DannyBen/secret_hub)
-[![Maintainability](https://api.codeclimate.com/v1/badges/.../maintainability)](https://codeclimate.com/github/DannyBen/secret_hub/maintainability)
+[![Build Status](https://github.com/DannyBen/secret_hub/workflows/Test/badge.svg)](https://github.com/DannyBen/secret_hub/actions?query=workflow%3ATest)
+[![Maintainability](https://api.codeclimate.com/v1/badges/9ac95755c33e105ed998/maintainability)](https://codeclimate.com/github/DannyBen/secret_hub/maintainability)
 
 ---
 
-Manage GitHub secrets over multiple repositories
+SecretHub lets you easily manage your GitHub secrets from the command line
+with support for bulk operations.
 
 ---
 
 Installation
 --------------------------------------------------
 
-    $ gem install secret_hub
+```shell
+$ gem install secret_hub
+```
 
 
+Prerequisites
+--------------------------------------------------
+
+SecretHub is a wrapper around the [GitHub Secrets API][secrets-api]. To use
+it, you need to set up your environment with a
+[GitHub Access Token][access-key]:
+
+
+```shell
+$ export GITHUB_ACCESS_TOKEN=<your access token>
+```
+
 
 Usage
 --------------------------------------------------
 
-TODO
+SecretHub has two families of commands:
+
+1. Commands that operate on a single repository.
+2. Commands that operate on multiple repositories, and multiple secrets.
+
+Most commands are self explanatory, and described by the CLI.
+
+```shell
+$ secrethub --help
+```
+
+Single repository operations
+--------------------------------------------------
+
+### Show the secret keys in a repository
+
+```shell
+# secrethub list REPO
+$ secrethub list you/your-repo
+```
+
+### Create or update a secret in a repository
+
+```shell
+# secrethub save REPO KEY VALUE
+$ secrethub list you/your-repo SECRET "there is no spoon"
+```
+
+### Delete a secret from a repository
+
+```shell
+# secrethub delete REPO KEY
+$ secrethub list you/your-repo SECRET
+```
+
+
+Bulk operations
+--------------------------------------------------
+
+All the bulk operations function by using a simple YAML configuration file.
+The configuration file includes a list of GitHub repositories, each with a
+list of its secrets.
+
+For example:
+
+```yaml
+# secrethub.yml
+user/repo:
+- SECRET
+- PASSWORD
+- SECRET_KEY
+
+user/another-repo:
+- SECRET
+- SECRET_KEY
+```
+
+Each list of secrets can either be an array, or a hash.
+
+### Using array syntax
+
+All secrets must be defined as environment variables.
+
+```yaml
+user/repo:
+- SECRET
+- PASSWORD
+```
+
+### Using hash syntax
+
+Each secret may define its value, or leave it blank. When a secret value is
+blank, it will be loaded from the environment.
+
+```yaml
+user/another-repo:
+  SECRET:
+  PASSWORD: p4ssw0rd
+```
+
+### Using YAML anchors
+
+SecretHub ignores any key that does not look like a repository (does not
+include a slash `/`). Using this feature, you can define reusable YAML
+anchors:
+
+```yaml
+docker: &docker
+  DOCKER_USER:
+  DOCKER_PASSWORD:
+
+user/another-repo:
+  <<: *docker
+  SECRET:
+  PASSWORD: p4ssw0rd
+```
+
+Note that YAML anchors only work with the hash syntax.
+
+
+### Create a sample configuration file
+
+```shell
+# secrethub bulk init [CONFIG]
+$ secrethub bulk init mysecrets.yml
+```
+
+### Show the configuration file and its secrets
+
+```shell
+# secrethub bulk show [CONFIG --visible]
+$ secrethub bulk show mysecrets.yml
+```
+
+### Show all secrets stored on GitHub in all repositories
+
+```shell
+# secrethub bulk list [CONFIG]
+$ secrethub bulk list mysecrets.yml
+```
+
+### Save multiple secrets to multiple repositories
+
+```shell
+# secrethub bulk save [CONFIG --clean]
+$ secrethub bulk save mysecrets.yml --clean
+```
+
+Using the `--clean` flag, you can ensure that the repositories do not have
+any secrets that you are unaware of. This flag will delete any secret that is
+not specified in your config file.
+
+### Delete secrets from multiple repositories unless they are specified in the config file
+
+```shell
+# secrethub bulk clean [CONFIG]
+$ secrethub bulk clean mysecrets.yml
+```
+
+
+Contributing / Support
+--------------------------------------------------
+
+If you experience any issue, have a question or a suggestion, or if you wish
+to contribute, feel free to [open an issue][issues].
+
+---
+
+[secrets-api]: https://developer.github.com/v3/actions/secrets/
+[access-key]: https://github.com/settings/tokens
+[issues]: https://github.com/DannyBen/secret_hub/issues

data/lib/secret_hub.rb

@@ -1,5 +1,6 @@
 require 'secret_hub/version'
 require 'secret_hub/exceptions'
 require 'secret_hub/github_client'
+require 'secret_hub/config'
 
 require 'byebug' if ENV['BYEBUG']

data/lib/secret_hub/commands/bulk.rb

@@ -1,91 +1,126 @@
-require 'yaml'
+require 'fileutils'
+require 'secret_hub/refinements/string_obfuscation'
 
 module SecretHub
   module Commands
     class Bulk < Base
+      using StringObfuscation
+
       summary "Update or delete multiple secrets from multiple repositories"
       
       usage "secrethub bulk init [CONFIG]"
-      usage "secrethub bulk save [CONFIG --clean]"
-      usage "secrethub bulk clean [CONFIG]"
+      usage "secrethub bulk show [CONFIG --visible]"
       usage "secrethub bulk list [CONFIG]"
+      usage "secrethub bulk save [CONFIG --clean --dry]"
+      usage "secrethub bulk clean [CONFIG --dry]"
       usage "secrethub bulk (-h|--help)"
 
       command "init", "Create a sample configuration file in the current directory"
+      command "show", "Show the configuration file"
       command "save", "Save multiple secrets to multiple repositories"
       command "clean", "Delete secrets from multiple repositories unless they are specified in the config file"
       command "list", "Show all secrets in all repositories"
 
-      option "-c, --clean", "Also delete any other secret not defined in the config file"
+      option "-c, --clean", "Also delete any other secret not defined in the configuration file"
+      option "-v, --visible", "Also show secret values"
+      option "-d, --dry", "Dry run"
 
-      param "CONFIG", "Path to the configuration file"
+      param "CONFIG", "Path to the configuration file [default: secrethub.yml]"
             
       example "secrethub bulk init"
+      example "secrethub bulk show --visible"
       example "secrethub bulk clean"
-      example "secrethub bulk update mysecrets.yml"
-      example "secrethub bulk update --clean"
+      example "secrethub bulk list mysecrets.yml"
+      example "secrethub bulk save mysecrets.yml --dry"
+      example "secrethub bulk save --clean"
 
       def init_command
         raise SecretHubError, "File #{config_file} already exists" if File.exist? config_file
+        FileUtils.cp config_template, config_file
+        say "!txtgrn!Saved #{config_file}"
+      end
 
-        content = {
-          "user/repo" => %w[SECRET PASSWORD SECRET_KEY],
-          "user/another-repo" => %w[SECRET SECRET_KEY],
-        }
+      def show_command
+        config.each do |repo, secrets|
+          say "!txtblu!#{repo}:"
+          secrets.each do |key, value|
+            show_secret key, value, args['--visible']
+          end
+        end
+      end
 
-        File.write config_file, content.to_yaml
-        say "!txtgrn!Saved #{config_file}"
+      def list_command
+        config.each_repo do |repo|
+          say "!txtblu!#{repo}:"
+          github.secrets(repo).each do |secret|
+            say "- !txtpur!#{secret}"
+          end
+        end
       end
 
       def save_command
-        clean = args['--clean']
+        dry = args['--dry']
+        skipped = 0
 
-        config.each do |repo, keys|
+        config.each do |repo, secrets|
           say "!txtblu!#{repo}"
-          update_repo repo, keys
-          clean_repo repo, keys if clean
+          skipped += update_repo repo, secrets, dry
+          clean_repo repo, secrets.keys, dry if args['--clean']
         end
+
+        puts "\n" if skipped > 0 or dry
+        say "Skipped #{skipped} missing secrets" if skipped > 0
+        say "Dry run, nothing happened" if dry
       end
 
       def clean_command
-        config.each do |repo, keys|
-          say "!txtblu!#{repo}"
-          clean_repo repo, keys
-        end
-      end
+        dry = args['--dry']
 
-      def list_command
-        config.each do |repo, keys|
+        config.each do |repo, secrets|
           say "!txtblu!#{repo}"
-          github.secrets(repo).each do |secret|
-            say "!txtpur!#{secret}"
-          end
+          clean_repo repo, secrets.keys, dry
         end
+
+        say "\nDry run, nothing happened" if dry
       end
-    
+
     private
 
-      def clean_repo(repo, keys)
+      def clean_repo(repo, keys, dry)
         repo_keys = github.secrets repo
         delete_candidates = repo_keys - keys
 
         delete_candidates.each do |key|
-          say "delete !txtpur!#{key} "
-          success = github.delete_secret repo, key
+          say "delete  !txtpur!#{key}  "
+          github.delete_secret repo, key unless dry
           say "!txtgrn!OK"
         end
       end
 
-      def update_repo(repo, keys)
-        keys.each do |key|
-          say "save   !txtpur!#{key} "
-          github.put_secret repo, key, secret_value(key)
-          say "!txtgrn!OK"
+      def update_repo(repo, secrets, dry)
+        skipped = 0
+
+        secrets.each do |key, value|
+          say "save    !txtpur!#{key}  "
+          if value
+            github.put_secret repo, key, value unless dry
+            say "!txtgrn!OK"
+          else
+            say "!txtred!MISSING"
+            skipped += 1
+          end
         end
+
+        skipped
       end
 
-      def secret_value(key)
-        ENV[key] || raise(EnvironmentError, "Please set the #{key} environment variable")
+      def show_secret(key, value, visible)
+        if value
+          value = value.obfuscate unless visible
+          say "  !txtpur!#{key}: !txtcyn!#{value}"
+        else
+          say "  !txtpur!#{key}: !txtred!*MISSING*"
+        end
       end
 
       def config_file
@@ -93,12 +128,11 @@ module SecretHub
       end
 
       def config
-        raise ConfigurationError, "Config file not found #{config_flie}" unless File.exist? config_file
-        result = YAML.load_file config_file
-        result.each do |key, value|
-          raise ConfigurationError, "Invalid repo #{key}" unless key.include? '/'
-          raise ConfigurationError, "Invalid keys for #{key} - must be an array" unless value.is_a? Array
-        end
+        @config ||= Config.load config_file
+      end
+
+      def config_template
+        File.expand_path '../config-template.yml', __dir__
       end
     end
   end

data/lib/secret_hub/commands/list.rb

@@ -12,9 +12,9 @@ module SecretHub
 
       def run
         repo = args['REPO']
-        say "!txtblu!#{repo}"
+        say "!txtblu!#{repo}:"
         github.secrets(repo).each do |secret|
-          say "!txtpur!#{secret}"
+          say "- !txtpur!#{secret}"
         end
       end
     end

data/lib/secret_hub/config-template.yml

@@ -0,0 +1,19 @@
+# Ignored keys
+# Keys that do not include '/' will be ignored
+# Can be used to set some reusable YAML anchors
+docker: &docker
+  DOCKER_USER:
+  DOCKER_PASSWORD:
+
+# Array syntax
+# All secrets must be defined as environment variables
+user/repo:
+- SECRET
+- PASSWORD
+
+# Hash syntax
+# Empty secrets will be loaded from environment variables
+user/another-repo:
+  <<: *docker
+  SECRET:
+  PASSWORD: p4ssw0rd

data/lib/secret_hub/config.rb

@@ -0,0 +1,49 @@
+require 'yaml'
+
+module SecretHub
+  class Config
+    attr_reader :data
+
+    def self.load(config_file)
+      raise ConfigurationError, "Config file not found #{config_flie}" unless File.exist? config_file
+      new YAML.load_file config_file
+    end
+
+    def initialize(data)
+      @data = data
+    end
+
+    def to_h
+      @to_h ||= to_h!
+    end
+
+    def each(&block)
+      to_h.each &block
+    end
+
+    def each_repo(&block)
+      to_h.keys.each &block
+    end
+
+  private
+
+    def to_h!
+      result = {}
+      data.each do |repo, secrets|
+        next unless repo.include? '/'
+        result[repo] = resolve_secrets secrets
+      end
+      result
+    end
+
+    def resolve_secrets(secrets)
+      secrets = [] unless secrets
+      
+      if secrets.is_a? Hash
+        secrets.map { |key, value| [key, value || ENV[key]] }.to_h
+      elsif secrets.is_a? Array
+        secrets.map { |key| [key, ENV[key]] }.to_h
+      end
+    end
+  end
+end

data/lib/secret_hub/exceptions.rb

@@ -1,7 +1,6 @@
 module SecretHub
   SecretHubError = Class.new StandardError
   ConfigurationError = Class.new SecretHubError
-  EnvironmentError = Class.new SecretHubError
   
   class APIError < SecretHubError
     attr_reader :response

data/lib/secret_hub/github_client.rb

@@ -76,7 +76,7 @@ module SecretHub
     end
 
     def secret_token
-      ENV['GITHUB_ACCESS_TOKEN'] || raise(EnvironmentError, "Please set GITHUB_ACCESS_TOKEN")
+      ENV['GITHUB_ACCESS_TOKEN'] || raise(ConfigurationError, "Please set GITHUB_ACCESS_TOKEN")
     end
 
   end

data/lib/secret_hub/refinements/string_obfuscation.rb

@@ -0,0 +1,23 @@
+require 'string-obfuscator'
+
+module SecretHub
+  module StringObfuscation
+    refine String do
+      def obfuscate
+        text = dup
+        trim = false
+        
+        if text.size > 40
+          trim = true
+          text = text[0..40]
+        end
+        
+        result = StringObfuscator.obfuscate text,
+          percent: 60,
+          min_obfuscated_length: 5
+
+        trim ? "#{result}..." : result
+      end
+    end
+  end
+end

data/lib/secret_hub/version.rb

@@ -1,3 +1,3 @@
 module SecretHub
-  VERSION = "0.0.1"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secret_hub
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.4
 platform: ruby
 authors:
 - Danny Ben Shitrit
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-14 00:00:00.000000000 Z
+date: 2020-02-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mister_bin
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '7.1'
+- !ruby/object:Gem::Dependency
+  name: string-obfuscator
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 description: Command line interface for managing GitHub secrets in bulk
 email: db@dannyben.com
 executables:
@@ -96,8 +110,11 @@ files:
 - lib/secret_hub/commands/delete.rb
 - lib/secret_hub/commands/list.rb
 - lib/secret_hub/commands/save.rb
+- lib/secret_hub/config-template.yml
+- lib/secret_hub/config.rb
 - lib/secret_hub/exceptions.rb
 - lib/secret_hub/github_client.rb
+- lib/secret_hub/refinements/string_obfuscation.rb
 - lib/secret_hub/sodium.rb
 - lib/secret_hub/version.rb
 homepage: https://github.com/dannyben/secret_hub