secret_hub 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce4f4c239e9593aa02e1236120dfbcaf2546f6fe36364aab50200cf40b2166f8
-  data.tar.gz: f5ebb5db5db52d32fba5c07136444beadd348f1be4e9dd43af44682881bc1007
+  metadata.gz: 828e88613986422e9673539e45727e6de237e6697e596885a652851554236824
+  data.tar.gz: dca45482c12ef6e81e8663407defd185c8f0cce831ef561872c81187af4e63e3
 SHA512:
-  metadata.gz: 5492dca43f4c9eab988e47e0a06889ca5541113bd3ad3551a5c0adb68231c0647bf600d858e135c515e8ade1925115e65578497463cbea60c00fc47e01cc1bf9
-  data.tar.gz: bef918bb30a0eaf1e6ddd0774652c4b9a8355b88a91bf084bb18702fc4c88bf11812e33000a4a83577641718e324587792a54dfe4bcdf92e69418f48add0bb0a
+  metadata.gz: 6d7bee2f48361069776dbc7709f9d9328c0991ae6c8e2c2a20764fab20d36ac50105b1eb61a7f08b8ff3e502fca1c0ef68a68b01d450b159de012141eff16124
+  data.tar.gz: 79926a14f52b2fd06ccbae331fcc6ab863531896a8f8027deb53c12ad5d61f226beccf433e543bb195768311dcb0308cc29f42b95769a61706d0e7acd9e45bae

data/README.md

@@ -41,38 +41,45 @@ SecretHub has two families of commands:
 1. Commands that operate on a single repository.
 2. Commands that operate on multiple repositories, and multiple secrets.
 
-### Single repository operations
+Most commands are self explanatory, and described by the CLI.
 
-#### Show the secret keys in a repository
+```shell
+$ secrethub --help
+```
+
+Single repository operations
+--------------------------------------------------
+
+### Show the secret keys in a repository
 
 ```shell
 # secrethub list REPO
 $ secrethub list you/your-repo
 ```
 
-#### Create or update a secret in a repository
+### Create or update a secret in a repository
 
 ```shell
 # secrethub save REPO KEY VALUE
 $ secrethub list you/your-repo SECRET "there is no spoon"
 ```
 
-#### Delete a secret from a repository
+### Delete a secret from a repository
 
 ```shell
 # secrethub delete REPO KEY
 $ secrethub list you/your-repo SECRET
 ```
 
-### Bulk operations
 
-All the bulk operations function by:
+Bulk operations
+--------------------------------------------------
 
-1. Having a config file specifying the list of repositories, and their
-   expected secret keys.
-2. Having all the secrets set up as environment variables.
+All the bulk operations function by using a simple YAML configuration file.
+The configuration file includes a list of GitHub repositories, each with a
+list of its secrets.
 
-A typical config file looks like this:
+For example:
 
 ```yaml
 # secrethub.yml
@@ -86,21 +93,71 @@ user/another-repo:
 - SECRET_KEY
 ```
 
-#### Create a sample configuration file
+Each list of secrets can either be an array, or a hash.
+
+### Using array syntax
+
+All secrets must be defined as environment variables.
+
+```yaml
+user/repo:
+- SECRET
+- PASSWORD
+```
+
+### Using hash syntax
+
+Each secret may define its value, or leave it blank. When a secret value is
+blank, it will be loaded from the environment.
+
+```yaml
+user/another-repo:
+  SECRET:
+  PASSWORD: p4ssw0rd
+```
+
+### Using YAML anchors
+
+SecretHub ignores any key that does not look like a repository (does not
+include a slash `/`). Using this feature, you can define reusable YAML
+anchors:
+
+```yaml
+docker: &docker
+  DOCKER_USER:
+  DOCKER_PASSWORD:
+
+user/another-repo:
+  <<: *docker
+  SECRET:
+  PASSWORD: p4ssw0rd
+```
+
+Note that YAML anchors only work with the hash syntax.
+
+
+### Create a sample configuration file
 
 ```shell
 # secrethub bulk init [CONFIG]
 $ secrethub bulk init mysecrets.yml
 ```
 
-#### Show all secrets in all repositories
+### Show the configuration file and its secrets
+
+```shell
+# secrethub bulk show [CONFIG --visible]
+$ secrethub bulk show mysecrets.yml
+```
+
+### Show all secrets stored on GitHub in all repositories
 
 ```shell
 # secrethub bulk list [CONFIG]
 $ secrethub bulk list mysecrets.yml
 ```
 
-#### Save multiple secrets to multiple repositories
+### Save multiple secrets to multiple repositories
 
 ```shell
 # secrethub bulk save [CONFIG --clean]
@@ -111,7 +168,7 @@ Using the `--clean` flag, you can ensure that the repositories do not have
 any secrets that you are unaware of. This flag will delete any secret that is
 not specified in your config file.
 
-#### Delete secrets from multiple repositories unless they are specified in the config file
+### Delete secrets from multiple repositories unless they are specified in the config file
 
 ```shell
 # secrethub bulk clean [CONFIG]

data/lib/secret_hub/commands/bulk.rb

@@ -1,26 +1,33 @@
-require 'yaml'
+require 'fileutils'
+require 'secret_hub/refinements/string_obfuscation'
 
 module SecretHub
   module Commands
     class Bulk < Base
+      using StringObfuscation
+
       summary "Update or delete multiple secrets from multiple repositories"
       
       usage "secrethub bulk init [CONFIG]"
+      usage "secrethub bulk show [CONFIG --visible]"
       usage "secrethub bulk list [CONFIG]"
       usage "secrethub bulk save [CONFIG --clean]"
       usage "secrethub bulk clean [CONFIG]"
       usage "secrethub bulk (-h|--help)"
 
       command "init", "Create a sample configuration file in the current directory"
+      command "show", "Show the configuration file"
       command "save", "Save multiple secrets to multiple repositories"
       command "clean", "Delete secrets from multiple repositories unless they are specified in the config file"
       command "list", "Show all secrets in all repositories"
 
-      option "-c, --clean", "Also delete any other secret not defined in the config file"
+      option "-c, --clean", "Also delete any other secret not defined in the configuration file"
+      option "-v, --visible", "Also show secret values"
 
       param "CONFIG", "Path to the configuration file [default: secrethub.yml]"
             
       example "secrethub bulk init"
+      example "secrethub bulk show --visible"
       example "secrethub bulk clean"
       example "secrethub bulk list mysecrets.yml"
       example "secrethub bulk save mysecrets.yml"
@@ -28,18 +35,24 @@ module SecretHub
 
       def init_command
         raise SecretHubError, "File #{config_file} already exists" if File.exist? config_file
+        FileUtils.cp config_template, config_file
+        say "!txtgrn!Saved #{config_file}"
+      end
 
-        content = {
-          "user/repo" => %w[SECRET PASSWORD SECRET_KEY],
-          "user/another-repo" => %w[SECRET SECRET_KEY],
-        }
+      def show_command
+        visible = args['--visible']
 
-        File.write config_file, content.to_yaml
-        say "!txtgrn!Saved #{config_file}"
+        config.each do |repo, secrets|
+          say "!txtblu!#{repo}:"
+          secrets.each do |key, value|
+            value = value.obfuscate unless visible
+            say "  !txtpur!#{key}: !txtcyn!#{value}"
+          end
+        end
       end
 
       def list_command
-        config.each do |repo, keys|
+        config.each_repo do |repo|
           say "!txtblu!#{repo}:"
           github.secrets(repo).each do |secret|
             say "- !txtpur!#{secret}"
@@ -50,17 +63,17 @@ module SecretHub
       def save_command
         clean = args['--clean']
 
-        config.each do |repo, keys|
+        config.each do |repo, secrets|
           say "!txtblu!#{repo}"
-          update_repo repo, keys
-          clean_repo repo, keys if clean
+          update_repo repo, secrets
+          clean_repo repo, secrets.keys if clean
         end
       end
 
       def clean_command
-        config.each do |repo, keys|
+        config.each do |repo, secrets|
           say "!txtblu!#{repo}"
-          clean_repo repo, keys
+          clean_repo repo, secrets.keys
         end
       end
 
@@ -71,32 +84,30 @@ module SecretHub
         delete_candidates = repo_keys - keys
 
         delete_candidates.each do |key|
-          say "delete !txtpur!#{key} "
+          say "delete  !txtpur!#{key}  "
           success = github.delete_secret repo, key
           say "!txtgrn!OK"
         end
       end
 
-      def update_repo(repo, keys)
-        keys.each do |key|
-          say "save   !txtpur!#{key} "
-          github.put_secret repo, key, secret_value(key)
+      def update_repo(repo, secrets)
+        secrets.each do |key, value|
+          say "save    !txtpur!#{key}  "
+          github.put_secret repo, key, value
           say "!txtgrn!OK"
         end
       end
 
-      def secret_value(key)
-        ENV[key] || raise(EnvironmentError, "Please set the #{key} environment variable")
-      end
-
       def config_file
         args['CONFIG'] || 'secrethub.yml'
       end
 
       def config
-        raise ConfigurationError, "Config file not found #{config_flie}" unless File.exist? config_file
-        result = YAML.load_file config_file
-        result.transform_values { |v| v || [] }
+        @config ||= Config.load config_file
+      end
+
+      def config_template
+        File.expand_path '../config-template.yml', __dir__
       end
     end
   end

data/lib/secret_hub/config-template.yml

@@ -0,0 +1,19 @@
+# Ignored keys
+# Keys that do not include '/' will be ignored
+# Can be used to set some reusable YAML anchors
+docker: &docker
+  DOCKER_USER:
+  DOCKER_PASSWORD:
+
+# Array syntax
+# All secrets must be defined as environment variables
+user/repo:
+- SECRET
+- PASSWORD
+
+# Hash syntax
+# Empty secrets will be loaded from environment variables
+user/another-repo:
+  <<: *docker
+  SECRET:
+  PASSWORD: p4ssw0rd

data/lib/secret_hub/config.rb

@@ -0,0 +1,54 @@
+require 'yaml'
+
+module SecretHub
+  class Config
+    attr_reader :data
+
+    def self.load(config_file)
+      raise ConfigurationError, "Config file not found #{config_flie}" unless File.exist? config_file
+      new YAML.load_file config_file
+    end
+
+    def initialize(data)
+      @data = data
+    end
+
+    def to_h
+      @to_h ||= to_h!
+    end
+
+    def each(&block)
+      to_h.each &block
+    end
+
+    def each_repo(&block)
+      to_h.keys.each &block
+    end
+
+  private
+
+    def to_h!
+      result = {}
+      data.each do |repo, secrets|
+        next unless repo.include? '/'
+        result[repo] = resolve_secrets secrets
+      end
+      result
+    end
+
+    def resolve_secrets(secrets)
+      secrets = [] unless secrets
+      
+      if secrets.is_a? Hash
+        secrets.map { |key, value| [key, value || value_from_env(key)] }.to_h
+      elsif secrets.is_a? Array
+        secrets.map { |key| [key, value_from_env(key)] }.to_h
+      end
+
+    end
+
+    def value_from_env(key)
+      ENV[key] || raise(MissingSecretError, "Please set the #{key} environment variable")
+    end
+  end
+end

data/lib/secret_hub/exceptions.rb

@@ -1,7 +1,7 @@
 module SecretHub
   SecretHubError = Class.new StandardError
   ConfigurationError = Class.new SecretHubError
-  EnvironmentError = Class.new SecretHubError
+  MissingSecretError = Class.new SecretHubError
   
   class APIError < SecretHubError
     attr_reader :response

data/lib/secret_hub/github_client.rb

@@ -76,7 +76,7 @@ module SecretHub
     end
 
     def secret_token
-      ENV['GITHUB_ACCESS_TOKEN'] || raise(EnvironmentError, "Please set GITHUB_ACCESS_TOKEN")
+      ENV['GITHUB_ACCESS_TOKEN'] || raise(ConfigurationError, "Please set GITHUB_ACCESS_TOKEN")
     end
 
   end

data/lib/secret_hub/refinements/string_obfuscation.rb

@@ -0,0 +1,23 @@
+require 'string-obfuscator'
+
+module SecretHub
+  module StringObfuscation
+    refine String do
+      def obfuscate
+        text = dup
+        trim = false
+        
+        if text.size > 40
+          trim = true
+          text = text[0..40]
+        end
+        
+        result = StringObfuscator.obfuscate text,
+          percent: 60,
+          min_obfuscated_length: 5
+
+        trim ? "#{result}..." : result
+      end
+    end
+  end
+end

data/lib/secret_hub/version.rb

@@ -1,3 +1,3 @@
 module SecretHub
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

data/lib/secret_hub.rb

@@ -1,5 +1,6 @@
 require 'secret_hub/version'
 require 'secret_hub/exceptions'
 require 'secret_hub/github_client'
+require 'secret_hub/config'
 
 require 'byebug' if ENV['BYEBUG']

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: secret_hub
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Danny Ben Shitrit
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '7.1'
+- !ruby/object:Gem::Dependency
+  name: string-obfuscator
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 description: Command line interface for managing GitHub secrets in bulk
 email: db@dannyben.com
 executables:
@@ -96,8 +110,11 @@ files:
 - lib/secret_hub/commands/delete.rb
 - lib/secret_hub/commands/list.rb
 - lib/secret_hub/commands/save.rb
+- lib/secret_hub/config-template.yml
+- lib/secret_hub/config.rb
 - lib/secret_hub/exceptions.rb
 - lib/secret_hub/github_client.rb
+- lib/secret_hub/refinements/string_obfuscation.rb
 - lib/secret_hub/sodium.rb
 - lib/secret_hub/version.rb
 homepage: https://github.com/dannyben/secret_hub