secret_hub 0.1.3 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 366ad9f9647c8e1cfbbd9496b99ee1209fcd3a24b9409a59a68e81a880cbe90c
-  data.tar.gz: 79b6bc712815818a9f322d2d7cead7698bfa11179f81c0fac99aa1c90abc5ecb
+  metadata.gz: 55c57ad86eb27ea766d06923f3231e513dcb37da3050c6d1ac22de4831796140
+  data.tar.gz: d653818ddfd5967f66761ad76512a027c0b7e1942c72a3f0b3e91ce4c99a7bc3
 SHA512:
-  metadata.gz: 07b10bd5e5d859b3f732d40470fdf84005b7052ef08f1865f36c5539e9741a2e47736c9513d17d77fca14935d4e08db0aaf8628df5b16de2db81bc62a16a89e6
-  data.tar.gz: 755121d143ca3faf0ed16391b2563827cf7788eaa8ffeb83931c595fba3bed822fc5e8a1eb2d737e010ba404670c57712fc394c41800c66edfafc332d22c0462
+  metadata.gz: 3f7f20c2ac2b71264a73a33fae3436e22968083f3bb00855a5f3f74c0a0e528c80ac6b2d0d9d2a2ab374a19c2345212e1c79bed7601a3244fd8f08c4f981164d
+  data.tar.gz: 8e4b87a3229d977c6c61c5629481517e4cdc945825e0e00b8343f629ab1d4811c6ab1958c6aaedc5258bcd75c9f75b4cde95fbb3cf141b427e7fa9f96f629b3a

data/README.md

@@ -1,5 +1,4 @@
-SecretHub - GitHub Secrets CLI
-==================================================
+# SecretHub - GitHub Secrets CLI
 
 [![Gem Version](https://badge.fury.io/rb/secret_hub.svg)](https://badge.fury.io/rb/secret_hub)
 [![Build Status](https://github.com/DannyBen/secret_hub/workflows/Test/badge.svg)](https://github.com/DannyBen/secret_hub/actions?query=workflow%3ATest)
@@ -8,20 +7,25 @@ SecretHub - GitHub Secrets CLI
 ---
 
 SecretHub lets you easily manage your GitHub secrets from the command line
-with support for bulk operations.
+with support for bulk operations and organization secrets.
 
 ---
 
-Installation
---------------------------------------------------
+## Installation
+
+With Ruby:
 
 ```shell
 $ gem install secret_hub
 ```
 
+Or with Docker:
 
-Prerequisites
---------------------------------------------------
+```shell
+$ alias secrethub='docker run --rm -it -e GITHUB_ACCESS_TOKEN -v "$PWD:/app" dannyben/secrethub'
+```
+
+## Prerequisites
 
 SecretHub is a wrapper around the [GitHub Secrets API][secrets-api]. To use
 it, you need to set up your environment with a
@@ -32,50 +36,57 @@ it, you need to set up your environment with a
 $ export GITHUB_ACCESS_TOKEN=<your access token>
 ```
 
+Give your token the `repo` scope, and for organization secrets, the `admin:org` scope.
 
-Usage
---------------------------------------------------
-
-SecretHub has two families of commands:
+## Usage
 
-1. Commands that operate on a single repository.
-2. Commands that operate on multiple repositories, and multiple secrets.
+SecretHub has three families of commands:
 
-Most commands are self explanatory, and described by the CLI.
+1. `secrethub repo` - manage repository secrets.
+2. `secrethub org` - manage organization secrets.
+3. `secrethub bulk` - manage multiple secrets in multiple repositories using a config file.
 
 ```shell
-$ secrethub --help
-```
+$ secrethub
+GitHub Secret Manager
 
-Single repository operations
---------------------------------------------------
+Commands:
+  repo  Manage repository secrets
+  org   Manage organization secrets
+  bulk  Manage multiple secrets in multiple repositories
 
-### Show the secret keys in a repository
+Run secrethub COMMAND --help for command specific help
 
-```shell
-# secrethub list REPO
-$ secrethub list you/your-repo
-```
 
-### Create or update a secret in a repository
+$ secrethub repo
+Usage:
+  secrethub repo list REPO
+  secrethub repo save REPO KEY [VALUE]
+  secrethub repo delete REPO KEY
+  secrethub repo (-h|--help)
 
-```shell
-# secrethub save REPO KEY VALUE
-$ secrethub list you/your-repo SECRET "there is no spoon"
-```
 
-### Delete a secret from a repository
+$ secrethub org
+Usage:
+  secrethub org list ORG
+  secrethub org save ORG KEY [VALUE]
+  secrethub org delete ORG KEY
+  secrethub org (-h|--help)
 
-```shell
-# secrethub delete REPO KEY
-$ secrethub list you/your-repo SECRET
-```
 
+$ secrethub bulk
+Usage:
+  secrethub bulk init [CONFIG]
+  secrethub bulk show [CONFIG --visible]
+  secrethub bulk list [CONFIG]
+  secrethub bulk save [CONFIG --clean --dry --only REPO]
+  secrethub bulk clean [CONFIG --dry]
+  secrethub bulk (-h|--help)
+```
 
-Bulk operations
---------------------------------------------------
+## Bulk operations
 
-All the bulk operations function by using a simple YAML configuration file.
+All the bulk operations use a simple YAML configuration file.
 The configuration file includes a list of GitHub repositories, each with a
 list of its secrets.
 
@@ -127,7 +138,7 @@ docker: &docker
   DOCKER_USER:
   DOCKER_PASSWORD:
 
-user/another-repo:
+user/repo:
   <<: *docker
   SECRET:
   PASSWORD: p4ssw0rd
@@ -136,48 +147,7 @@ user/another-repo:
 Note that YAML anchors only work with the hash syntax.
 
 
-### Create a sample configuration file
-
-```shell
-# secrethub bulk init [CONFIG]
-$ secrethub bulk init mysecrets.yml
-```
-
-### Show the configuration file and its secrets
-
-```shell
-# secrethub bulk show [CONFIG --visible]
-$ secrethub bulk show mysecrets.yml
-```
-
-### Show all secrets stored on GitHub in all repositories
-
-```shell
-# secrethub bulk list [CONFIG]
-$ secrethub bulk list mysecrets.yml
-```
-
-### Save multiple secrets to multiple repositories
-
-```shell
-# secrethub bulk save [CONFIG --clean]
-$ secrethub bulk save mysecrets.yml --clean
-```
-
-Using the `--clean` flag, you can ensure that the repositories do not have
-any secrets that you are unaware of. This flag will delete any secret that is
-not specified in your config file.
-
-### Delete secrets from multiple repositories unless they are specified in the config file
-
-```shell
-# secrethub bulk clean [CONFIG]
-$ secrethub bulk clean mysecrets.yml
-```
-
-
-Contributing / Support
---------------------------------------------------
+## Contributing / Support
 
 If you experience any issue, have a question or a suggestion, or if you wish
 to contribute, feel free to [open an issue][issues].

data/bin/secrethub

@@ -8,6 +8,9 @@ router = SecretHub::CLI.router
 
 begin
   exit router.run ARGV
+rescue Interrupt => e
+  say "\nGoodbye"
+  exit 1
 rescue => e
   puts e.backtrace.reverse if ENV['DEBUG']
   say! "!txtred!#{e.class}"

data/lib/secret_hub/cli.rb

@@ -1,19 +1,18 @@
 require 'mister_bin'
 require 'secret_hub/commands/base'
-require 'secret_hub/commands/list'
-require 'secret_hub/commands/save'
-require 'secret_hub/commands/delete'
+require 'secret_hub/commands/repo'
 require 'secret_hub/commands/bulk'
+require 'secret_hub/commands/org'
 
 module SecretHub
   class CLI
     def self.router
       router = MisterBin::Runner.new version: VERSION,
-        header: "GitHub Secret Manager"
+        header: "GitHub Secret Manager",
+        footer: "Run !txtpur!secrethub COMMAND --help!txtrst! for command specific help"
 
-      router.route 'list',   to: Commands::List
-      router.route 'save',   to: Commands::Save
-      router.route 'delete', to: Commands::Delete
+      router.route 'repo',   to: Commands::Repo
+      router.route 'org',    to: Commands::Org
       router.route 'bulk',   to: Commands::Bulk
 
       router

data/lib/secret_hub/commands/bulk.rb

@@ -6,13 +6,13 @@ module SecretHub
     class Bulk < Base
       using StringObfuscation
 
-      summary "Update or delete multiple secrets from multiple repositories"
+      summary "Manage multiple secrets in multiple repositories"
       
       usage "secrethub bulk init [CONFIG]"
       usage "secrethub bulk show [CONFIG --visible]"
       usage "secrethub bulk list [CONFIG]"
-      usage "secrethub bulk save [CONFIG --clean]"
-      usage "secrethub bulk clean [CONFIG]"
+      usage "secrethub bulk save [CONFIG --clean --dry --only REPO]"
+      usage "secrethub bulk clean [CONFIG --dry]"
       usage "secrethub bulk (-h|--help)"
 
       command "init", "Create a sample configuration file in the current directory"
@@ -23,6 +23,8 @@ module SecretHub
 
       option "-c, --clean", "Also delete any other secret not defined in the configuration file"
       option "-v, --visible", "Also show secret values"
+      option "-d, --dry", "Dry run"
+      option "-o, --only REPO", "Save all secrets to a single repository from the configuration file"
 
       param "CONFIG", "Path to the configuration file [default: secrethub.yml]"
             
@@ -30,8 +32,9 @@ module SecretHub
       example "secrethub bulk show --visible"
       example "secrethub bulk clean"
       example "secrethub bulk list mysecrets.yml"
-      example "secrethub bulk save mysecrets.yml"
+      example "secrethub bulk save mysecrets.yml --dry"
       example "secrethub bulk save --clean"
+      example "secrethub bulk save --only me/my-important-repo"
 
       def init_command
         raise SecretHubError, "File #{config_file} already exists" if File.exist? config_file
@@ -58,45 +61,53 @@ module SecretHub
       end
 
       def save_command
-        clean = args['--clean']
+        dry = args['--dry']
+        only = args['--only']
         skipped = 0
 
         config.each do |repo, secrets|
+          next if only and repo != only
           say "!txtblu!#{repo}"
-          skipped += update_repo repo, secrets
-          clean_repo repo, secrets.keys if clean
+          skipped += update_repo repo, secrets, dry
+          clean_repo repo, secrets.keys, dry if args['--clean']
         end
 
-        say "\nSkipped #{skipped} missing secrets" if skipped > 0
+        puts "\n" if skipped > 0 or dry
+        say "Skipped #{skipped} missing secrets" if skipped > 0
+        say "Dry run, nothing happened" if dry
       end
 
       def clean_command
+        dry = args['--dry']
+
         config.each do |repo, secrets|
           say "!txtblu!#{repo}"
-          clean_repo repo, secrets.keys
+          clean_repo repo, secrets.keys, dry
         end
+
+        say "\nDry run, nothing happened" if dry
       end
 
     private
 
-      def clean_repo(repo, keys)
+      def clean_repo(repo, keys, dry)
         repo_keys = github.secrets repo
         delete_candidates = repo_keys - keys
 
         delete_candidates.each do |key|
           say "delete  !txtpur!#{key}  "
-          success = github.delete_secret repo, key
+          github.delete_secret repo, key unless dry
           say "!txtgrn!OK"
         end
       end
 
-      def update_repo(repo, secrets)
+      def update_repo(repo, secrets, dry)
         skipped = 0
 
         secrets.each do |key, value|
           say "save    !txtpur!#{key}  "
           if value
-            github.put_secret repo, key, value
+            github.put_secret repo, key, value unless dry
             say "!txtgrn!OK"
           else
             say "!txtred!MISSING"

data/lib/secret_hub/commands/org.rb

@@ -0,0 +1,62 @@
+module SecretHub
+  module Commands
+    class Org < Base
+      summary "Manage organization secrets"
+      
+      usage "secrethub org list ORG"
+      usage "secrethub org save ORG KEY [VALUE]"
+      usage "secrethub org delete ORG KEY"
+      usage "secrethub org (-h|--help)"
+
+      command "list", "Show all organization secrets"
+      command "save", "Create or update an organization secret (with private repositories visibility)"
+      command "delete", "Delete an organization secret"
+
+      param "ORG", "Name of the organization"
+      param "KEY", "The name of the secret"
+      param "VALUE", "The plain text secret value. If not provided, it is expected to be set as an environment variable"
+
+      example "secrethub org list myorg"
+      example "secrethub org save myorg PASSWORD"
+      example "secrethub org save myorg PASSWORD s3cr3t"
+      example "secrethub org delete myorg PASSWORD"
+
+      def list_command
+        say "!txtblu!#{org}:"
+        github.org_secrets(org).each do |secret|
+          say "- !txtpur!#{secret}"
+        end
+      end
+
+      def save_command       
+        github.put_org_secret org, key, value
+        say "Saved !txtblu!#{org} !txtpur!#{key}"
+      end
+
+      def delete_command
+        github.delete_org_secret org, key
+        say "Deleted !txtblu!#{org} !txtpur!#{key}"
+      end
+
+    private
+
+      def org
+        args['ORG']
+      end
+
+      def key
+        args['KEY']
+      end
+
+      def value
+        result = args['VALUE'] || ENV[key]
+        if result
+          result
+        else
+          raise InvalidInput, "Please provide a value, either in the command line or in the environment variable '#{key}'"
+        end
+      end
+
+    end
+  end
+end

data/lib/secret_hub/commands/repo.rb

@@ -0,0 +1,61 @@
+module SecretHub
+  module Commands
+    class Repo < Base
+      summary "Manage repository secrets"
+      
+      usage "secrethub repo list REPO"
+      usage "secrethub repo save REPO KEY [VALUE]"
+      usage "secrethub repo delete REPO KEY"
+      usage "secrethub repo (-h|--help)"
+
+      command "list", "Show all repository secrets"
+      command "save", "Create or update a repository secret"
+      command "delete", "Delete a repository secret"
+
+      param "REPO", "Full name of the GitHub repository (user/repo)"
+      param "KEY", "The name of the secret"
+      param "VALUE", "The plain text secret value. If not provided, it is expected to be set as an environment variable"
+
+      example "secrethub repo list me/myrepo"
+      example "secrethub repo save me/myrepo PASSWORD"
+      example "secrethub repo save me/myrepo PASSWORD s3cr3t"
+      example "secrethub repo delete me/myrepo PASSWORD"
+
+      def list_command
+        say "!txtblu!#{repo}:"
+        github.secrets(repo).each do |secret|
+          say "- !txtpur!#{secret}"
+        end
+      end
+
+      def save_command       
+        github.put_secret repo, key, value
+        say "Saved !txtblu!#{repo} !txtpur!#{key}"
+      end
+
+      def delete_command
+        github.delete_secret repo, key
+        say "Deleted !txtblu!#{repo} !txtpur!#{key}"
+      end
+
+    private
+
+      def repo
+        args['REPO']
+      end
+
+      def key
+        args['KEY']
+      end
+
+      def value
+        result = args['VALUE'] || ENV[key]
+        if result
+          result
+        else
+          raise InvalidInput, "Please provide a value, either in the command line or in the environment variable '#{key}'"
+        end
+      end
+    end
+  end
+end

data/lib/secret_hub/config.rb

@@ -5,7 +5,7 @@ module SecretHub
     attr_reader :data
 
     def self.load(config_file)
-      raise ConfigurationError, "Config file not found #{config_flie}" unless File.exist? config_file
+      raise ConfigurationError, "Config file not found #{config_file}" unless File.exist? config_file
       new YAML.load_file config_file
     end
 

data/lib/secret_hub/exceptions.rb

@@ -1,6 +1,7 @@
 module SecretHub
   SecretHubError = Class.new StandardError
   ConfigurationError = Class.new SecretHubError
+  InvalidInput = Class.new SecretHubError
   
   class APIError < SecretHubError
     attr_reader :response

data/lib/secret_hub/github_client.rb

@@ -11,8 +11,15 @@ module SecretHub
     end
 
     # GET /repos/:owner/:repo/actions/secrets/public-key
-    def public_key(repo)
-      public_keys[repo] ||= get("/repos/#{repo}/actions/secrets/public-key")
+    # GET /orgs/:org/actions/secrets/public-key
+    def public_key(repo_or_org)
+      if repo_or_org.include? '/'
+        repo = repo_or_org
+        public_keys[repo_or_org] ||= get("/repos/#{repo}/actions/secrets/public-key")
+      else
+        org = repo_or_org
+        public_keys[repo_or_org] ||= get("/orgs/#{org}/actions/secrets/public-key")
+      end
     end
 
     # GET /repos/:owner/:repo/actions/secrets
@@ -21,28 +28,49 @@ module SecretHub
       response['secrets'].map { |s| s['name'] }
     end
 
+    # GET /orgs/:org/actions/secrets
+    def org_secrets(org)
+      response = get "/orgs/#{org}/actions/secrets"
+      response['secrets'].map { |s| s['name'] }
+    end
+
     # PUT /repos/:owner/:repo/actions/secrets/:name
     def put_secret(repo, name, value)
-      secret = encrypt_for_repo repo, value
+      secret = encrypt_for repo, value
       key_id = public_key(repo)['key_id']
       put "/repos/#{repo}/actions/secrets/#{name}",
         encrypted_value: secret, 
         key_id: key_id
     end
 
+    # PUT /orgs/:org/actions/secrets/:secret_name
+    def put_org_secret(org, name, value)
+      secret = encrypt_for org, value
+      key_id = public_key(org)['key_id']
+      put "/orgs/#{org}/actions/secrets/#{name}",
+        encrypted_value: secret, 
+        key_id: key_id,
+        visibility: 'private'
+    end
+
     # DELETE /repos/:owner/:repo/actions/secrets/:name
     def delete_secret(repo, name)
       delete "/repos/#{repo}/actions/secrets/#{name}"
     end
 
+    # DELETE /orgs/:org/actions/secrets/:secret_name
+    def delete_org_secret(org, name)
+      delete "/orgs/#{org}/actions/secrets/#{name}"
+    end
+
   private
 
     def public_keys
       @public_keys ||= {}
     end
 
-    def encrypt_for_repo(repo, secret)
-      public_key = public_key(repo)['key']
+    def encrypt_for(repo_or_org, secret)
+      public_key = public_key(repo_or_org)['key']
       encrypt secret, public_key
     end
 

data/lib/secret_hub/version.rb

@@ -1,3 +1,3 @@
 module SecretHub
-  VERSION = "0.1.3"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secret_hub
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.1
 platform: ruby
 authors:
 - Danny Ben Shitrit
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-15 00:00:00.000000000 Z
+date: 2020-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mister_bin
@@ -107,9 +107,8 @@ files:
 - lib/secret_hub/cli.rb
 - lib/secret_hub/commands/base.rb
 - lib/secret_hub/commands/bulk.rb
-- lib/secret_hub/commands/delete.rb
-- lib/secret_hub/commands/list.rb
-- lib/secret_hub/commands/save.rb
+- lib/secret_hub/commands/org.rb
+- lib/secret_hub/commands/repo.rb
 - lib/secret_hub/config-template.yml
 - lib/secret_hub/config.rb
 - lib/secret_hub/exceptions.rb
@@ -136,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Manage GitHub secrets over multiple repositories

data/lib/secret_hub/commands/delete.rb

@@ -1,23 +0,0 @@
-module SecretHub
-  module Commands
-    class Delete < Base
-      summary "Delete a secret from a repository"
-
-      usage "secrethub delete REPO KEY"
-      usage "secrethub delete (-h|--help)"
-
-      param "REPO", "Full name of the GitHub repository (user/repo)"
-      param "KEY", "The name of the secret"
-
-      example "secrethub delete bob/vault PASSWORD"
-
-      def run
-        repo = args['REPO']
-        key = args['KEY']
-        
-        success = github.delete_secret repo, key
-        say "Deleted !txtblu!#{repo} !txtpur!#{key}"
-      end
-    end
-  end
-end

data/lib/secret_hub/commands/list.rb

@@ -1,22 +0,0 @@
-module SecretHub
-  module Commands
-    class List < Base
-      summary "Show secrets for a repository"
-
-      usage "secrethub list REPO"
-      usage "secrethub list (-h|--help)"
-
-      param "REPO", "Full name of the GitHub repository (user/repo)"
-
-      example "secrethub list bob/repo-woth-secrets"
-
-      def run
-        repo = args['REPO']
-        say "!txtblu!#{repo}:"
-        github.secrets(repo).each do |secret|
-          say "- !txtpur!#{secret}"
-        end
-      end
-    end
-  end
-end

data/lib/secret_hub/commands/save.rb

@@ -1,25 +0,0 @@
-module SecretHub
-  module Commands
-    class Save < Base
-      summary "Create or update a secret in a repository"
-
-      usage "secrethub save REPO KEY VALUE"
-      usage "secrethub save (-h|--help)"
-
-      param "REPO", "Full name of the GitHub repository (user/repo)"
-      param "KEY", "The name of the secret"
-      param "VALUE", "The plain text secret value"
-
-      example "secrethub save bob/vault PASSWORD p4ssw0rd"
-
-      def run
-        repo = args['REPO']
-        key = args['KEY']
-        value = args['VALUE']
-        
-        github.put_secret repo, key, value
-        say "Saved !txtblu!#{repo} !txtpur!#{key}"
-      end
-    end
-  end
-end