secret_hub 0.1.1 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ce4f4c239e9593aa02e1236120dfbcaf2546f6fe36364aab50200cf40b2166f8
-  data.tar.gz: f5ebb5db5db52d32fba5c07136444beadd348f1be4e9dd43af44682881bc1007
+  metadata.gz: e7f29f7f724bd83bc5b9899c90248279f9997bfe5e9e5c5a09f37af679faad12
+  data.tar.gz: 9d8ffac16034c077d0c9f497e919aae03c8673b32e09afdbae0fbf9e08c76ad4
 SHA512:
-  metadata.gz: 5492dca43f4c9eab988e47e0a06889ca5541113bd3ad3551a5c0adb68231c0647bf600d858e135c515e8ade1925115e65578497463cbea60c00fc47e01cc1bf9
-  data.tar.gz: bef918bb30a0eaf1e6ddd0774652c4b9a8355b88a91bf084bb18702fc4c88bf11812e33000a4a83577641718e324587792a54dfe4bcdf92e69418f48add0bb0a
+  metadata.gz: 85bf36c96fe639fdf512a4332cc179ad385009ba06800db5b0aa27a0e92a8dcef8a1dc37af1431d58a94fa921b6bf7b26e58ac826b6f48ab0b2a4dd4e1a70ae1
+  data.tar.gz: 7bd79637ed41dc098098ff42e00226e1c424f1fd711d7ef6ba905a442e57d2052116fc6127f19861b46cbf49b917721e5ded32619e5d89822539495e0d65edbd

data/README.md

@@ -41,38 +41,45 @@ SecretHub has two families of commands:
 1. Commands that operate on a single repository.
 2. Commands that operate on multiple repositories, and multiple secrets.
 
-### Single repository operations
+Most commands are self explanatory, and described by the CLI.
 
-#### Show the secret keys in a repository
+```shell
+$ secrethub --help
+```
+
+Single repository operations
+--------------------------------------------------
+
+### Show the secret keys in a repository
 
 ```shell
 # secrethub list REPO
 $ secrethub list you/your-repo
 ```
 
-#### Create or update a secret in a repository
+### Create or update a secret in a repository
 
 ```shell
 # secrethub save REPO KEY VALUE
 $ secrethub list you/your-repo SECRET "there is no spoon"
 ```
 
-#### Delete a secret from a repository
+### Delete a secret from a repository
 
 ```shell
 # secrethub delete REPO KEY
-$ secrethub list you/your-repo SECRET
+$ secrethub delete you/your-repo SECRET
 ```
 
-### Bulk operations
 
-All the bulk operations function by:
+Bulk operations
+--------------------------------------------------
 
-1. Having a config file specifying the list of repositories, and their
-   expected secret keys.
-2. Having all the secrets set up as environment variables.
+All the bulk operations function by using a simple YAML configuration file.
+The configuration file includes a list of GitHub repositories, each with a
+list of its secrets.
 
-A typical config file looks like this:
+For example:
 
 ```yaml
 # secrethub.yml
@@ -86,24 +93,74 @@ user/another-repo:
 - SECRET_KEY
 ```
 
-#### Create a sample configuration file
+Each list of secrets can either be an array, or a hash.
+
+### Using array syntax
+
+All secrets must be defined as environment variables.
+
+```yaml
+user/repo:
+- SECRET
+- PASSWORD
+```
+
+### Using hash syntax
+
+Each secret may define its value, or leave it blank. When a secret value is
+blank, it will be loaded from the environment.
+
+```yaml
+user/another-repo:
+  SECRET:
+  PASSWORD: p4ssw0rd
+```
+
+### Using YAML anchors
+
+SecretHub ignores any key that does not look like a repository (does not
+include a slash `/`). Using this feature, you can define reusable YAML
+anchors:
+
+```yaml
+docker: &docker
+  DOCKER_USER:
+  DOCKER_PASSWORD:
+
+user/repo:
+  <<: *docker
+  SECRET:
+  PASSWORD: p4ssw0rd
+```
+
+Note that YAML anchors only work with the hash syntax.
+
+
+### Create a sample configuration file
 
 ```shell
 # secrethub bulk init [CONFIG]
 $ secrethub bulk init mysecrets.yml
 ```
 
-#### Show all secrets in all repositories
+### Show the configuration file and its secrets
+
+```shell
+# secrethub bulk show [CONFIG --visible]
+$ secrethub bulk show mysecrets.yml
+```
+
+### Show all secrets stored on GitHub in all repositories
 
 ```shell
 # secrethub bulk list [CONFIG]
 $ secrethub bulk list mysecrets.yml
 ```
 
-#### Save multiple secrets to multiple repositories
+### Save multiple secrets to multiple repositories
 
 ```shell
-# secrethub bulk save [CONFIG --clean]
+# secrethub bulk save [CONFIG --clean --dry --only REPO]
 $ secrethub bulk save mysecrets.yml --clean
 ```
 
@@ -111,7 +168,7 @@ Using the `--clean` flag, you can ensure that the repositories do not have
 any secrets that you are unaware of. This flag will delete any secret that is
 not specified in your config file.
 
-#### Delete secrets from multiple repositories unless they are specified in the config file
+### Delete secrets from multiple repositories unless they are specified in the config file
 
 ```shell
 # secrethub bulk clean [CONFIG]

data/lib/secret_hub.rb

@@ -1,5 +1,6 @@
 require 'secret_hub/version'
 require 'secret_hub/exceptions'
 require 'secret_hub/github_client'
+require 'secret_hub/config'
 
 require 'byebug' if ENV['BYEBUG']

data/lib/secret_hub/cli.rb

@@ -9,7 +9,8 @@ module SecretHub
   class CLI
     def self.router
       router = MisterBin::Runner.new version: VERSION,
-        header: "GitHub Secret Manager"
+        header: "GitHub Secret Manager",
+        footer: "Run !txtpur!secrethub COMMAND --help!txtrst! for command specific help"
 
       router.route 'list',   to: Commands::List
       router.route 'save',   to: Commands::Save

data/lib/secret_hub/commands/bulk.rb

@@ -1,45 +1,58 @@
-require 'yaml'
+require 'fileutils'
+require 'secret_hub/refinements/string_obfuscation'
 
 module SecretHub
   module Commands
     class Bulk < Base
+      using StringObfuscation
+
       summary "Update or delete multiple secrets from multiple repositories"
       
       usage "secrethub bulk init [CONFIG]"
+      usage "secrethub bulk show [CONFIG --visible]"
       usage "secrethub bulk list [CONFIG]"
-      usage "secrethub bulk save [CONFIG --clean]"
-      usage "secrethub bulk clean [CONFIG]"
+      usage "secrethub bulk save [CONFIG --clean --dry --only REPO]"
+      usage "secrethub bulk clean [CONFIG --dry]"
       usage "secrethub bulk (-h|--help)"
 
       command "init", "Create a sample configuration file in the current directory"
+      command "show", "Show the configuration file"
       command "save", "Save multiple secrets to multiple repositories"
       command "clean", "Delete secrets from multiple repositories unless they are specified in the config file"
       command "list", "Show all secrets in all repositories"
 
-      option "-c, --clean", "Also delete any other secret not defined in the config file"
+      option "-c, --clean", "Also delete any other secret not defined in the configuration file"
+      option "-v, --visible", "Also show secret values"
+      option "-d, --dry", "Dry run"
+      option "-o, --only REPO", "Save all secrets to a single repository from the configuration file"
 
       param "CONFIG", "Path to the configuration file [default: secrethub.yml]"
             
       example "secrethub bulk init"
+      example "secrethub bulk show --visible"
       example "secrethub bulk clean"
       example "secrethub bulk list mysecrets.yml"
-      example "secrethub bulk save mysecrets.yml"
+      example "secrethub bulk save mysecrets.yml --dry"
       example "secrethub bulk save --clean"
+      example "secrethub bulk save --only me/my-important-repo"
 
       def init_command
         raise SecretHubError, "File #{config_file} already exists" if File.exist? config_file
-
-        content = {
-          "user/repo" => %w[SECRET PASSWORD SECRET_KEY],
-          "user/another-repo" => %w[SECRET SECRET_KEY],
-        }
-
-        File.write config_file, content.to_yaml
+        FileUtils.cp config_template, config_file
         say "!txtgrn!Saved #{config_file}"
       end
 
+      def show_command
+        config.each do |repo, secrets|
+          say "!txtblu!#{repo}:"
+          secrets.each do |key, value|
+            show_secret key, value, args['--visible']
+          end
+        end
+      end
+
       def list_command
-        config.each do |repo, keys|
+        config.each_repo do |repo|
           say "!txtblu!#{repo}:"
           github.secrets(repo).each do |secret|
             say "- !txtpur!#{secret}"
@@ -48,45 +61,70 @@ module SecretHub
       end
 
       def save_command
-        clean = args['--clean']
+        dry = args['--dry']
+        only = args['--only']
+        skipped = 0
 
-        config.each do |repo, keys|
+        config.each do |repo, secrets|
+          next if only and repo != only
           say "!txtblu!#{repo}"
-          update_repo repo, keys
-          clean_repo repo, keys if clean
+          skipped += update_repo repo, secrets, dry
+          clean_repo repo, secrets.keys, dry if args['--clean']
         end
+
+        puts "\n" if skipped > 0 or dry
+        say "Skipped #{skipped} missing secrets" if skipped > 0
+        say "Dry run, nothing happened" if dry
       end
 
       def clean_command
-        config.each do |repo, keys|
+        dry = args['--dry']
+
+        config.each do |repo, secrets|
           say "!txtblu!#{repo}"
-          clean_repo repo, keys
+          clean_repo repo, secrets.keys, dry
         end
+
+        say "\nDry run, nothing happened" if dry
       end
 
     private
 
-      def clean_repo(repo, keys)
+      def clean_repo(repo, keys, dry)
         repo_keys = github.secrets repo
         delete_candidates = repo_keys - keys
 
         delete_candidates.each do |key|
-          say "delete !txtpur!#{key} "
-          success = github.delete_secret repo, key
+          say "delete  !txtpur!#{key}  "
+          github.delete_secret repo, key unless dry
           say "!txtgrn!OK"
         end
       end
 
-      def update_repo(repo, keys)
-        keys.each do |key|
-          say "save   !txtpur!#{key} "
-          github.put_secret repo, key, secret_value(key)
-          say "!txtgrn!OK"
+      def update_repo(repo, secrets, dry)
+        skipped = 0
+
+        secrets.each do |key, value|
+          say "save    !txtpur!#{key}  "
+          if value
+            github.put_secret repo, key, value unless dry
+            say "!txtgrn!OK"
+          else
+            say "!txtred!MISSING"
+            skipped += 1
+          end
         end
+
+        skipped
       end
 
-      def secret_value(key)
-        ENV[key] || raise(EnvironmentError, "Please set the #{key} environment variable")
+      def show_secret(key, value, visible)
+        if value
+          value = value.obfuscate unless visible
+          say "  !txtpur!#{key}: !txtcyn!#{value}"
+        else
+          say "  !txtpur!#{key}: !txtred!*MISSING*"
+        end
       end
 
       def config_file
@@ -94,9 +132,11 @@ module SecretHub
       end
 
       def config
-        raise ConfigurationError, "Config file not found #{config_flie}" unless File.exist? config_file
-        result = YAML.load_file config_file
-        result.transform_values { |v| v || [] }
+        @config ||= Config.load config_file
+      end
+
+      def config_template
+        File.expand_path '../config-template.yml', __dir__
       end
     end
   end

data/lib/secret_hub/config-template.yml

@@ -0,0 +1,19 @@
+# Ignored keys
+# Keys that do not include '/' will be ignored
+# Can be used to set some reusable YAML anchors
+docker: &docker
+  DOCKER_USER:
+  DOCKER_PASSWORD:
+
+# Array syntax
+# All secrets must be defined as environment variables
+user/repo:
+- SECRET
+- PASSWORD
+
+# Hash syntax
+# Empty secrets will be loaded from environment variables
+user/another-repo:
+  <<: *docker
+  SECRET:
+  PASSWORD: p4ssw0rd

data/lib/secret_hub/config.rb

@@ -0,0 +1,49 @@
+require 'yaml'
+
+module SecretHub
+  class Config
+    attr_reader :data
+
+    def self.load(config_file)
+      raise ConfigurationError, "Config file not found #{config_file}" unless File.exist? config_file
+      new YAML.load_file config_file
+    end
+
+    def initialize(data)
+      @data = data
+    end
+
+    def to_h
+      @to_h ||= to_h!
+    end
+
+    def each(&block)
+      to_h.each &block
+    end
+
+    def each_repo(&block)
+      to_h.keys.each &block
+    end
+
+  private
+
+    def to_h!
+      result = {}
+      data.each do |repo, secrets|
+        next unless repo.include? '/'
+        result[repo] = resolve_secrets secrets
+      end
+      result
+    end
+
+    def resolve_secrets(secrets)
+      secrets = [] unless secrets
+      
+      if secrets.is_a? Hash
+        secrets.map { |key, value| [key, value || ENV[key]] }.to_h
+      elsif secrets.is_a? Array
+        secrets.map { |key| [key, ENV[key]] }.to_h
+      end
+    end
+  end
+end

data/lib/secret_hub/exceptions.rb

@@ -1,7 +1,6 @@
 module SecretHub
   SecretHubError = Class.new StandardError
   ConfigurationError = Class.new SecretHubError
-  EnvironmentError = Class.new SecretHubError
   
   class APIError < SecretHubError
     attr_reader :response

data/lib/secret_hub/github_client.rb

@@ -76,7 +76,7 @@ module SecretHub
     end
 
     def secret_token
-      ENV['GITHUB_ACCESS_TOKEN'] || raise(EnvironmentError, "Please set GITHUB_ACCESS_TOKEN")
+      ENV['GITHUB_ACCESS_TOKEN'] || raise(ConfigurationError, "Please set GITHUB_ACCESS_TOKEN")
     end
 
   end

data/lib/secret_hub/refinements/string_obfuscation.rb

@@ -0,0 +1,23 @@
+require 'string-obfuscator'
+
+module SecretHub
+  module StringObfuscation
+    refine String do
+      def obfuscate
+        text = dup
+        trim = false
+        
+        if text.size > 40
+          trim = true
+          text = text[0..40]
+        end
+        
+        result = StringObfuscator.obfuscate text,
+          percent: 60,
+          min_obfuscated_length: 5
+
+        trim ? "#{result}..." : result
+      end
+    end
+  end
+end

data/lib/secret_hub/version.rb

@@ -1,3 +1,3 @@
 module SecretHub
-  VERSION = "0.1.1"
+  VERSION = "0.1.6"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secret_hub
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.6
 platform: ruby
 authors:
 - Danny Ben Shitrit
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-15 00:00:00.000000000 Z
+date: 2020-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mister_bin
@@ -80,6 +80,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '7.1'
+- !ruby/object:Gem::Dependency
+  name: string-obfuscator
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
 description: Command line interface for managing GitHub secrets in bulk
 email: db@dannyben.com
 executables:
@@ -96,8 +110,11 @@ files:
 - lib/secret_hub/commands/delete.rb
 - lib/secret_hub/commands/list.rb
 - lib/secret_hub/commands/save.rb
+- lib/secret_hub/config-template.yml
+- lib/secret_hub/config.rb
 - lib/secret_hub/exceptions.rb
 - lib/secret_hub/github_client.rb
+- lib/secret_hub/refinements/string_obfuscation.rb
 - lib/secret_hub/sodium.rb
 - lib/secret_hub/version.rb
 homepage: https://github.com/dannyben/secret_hub