secret_service 0.0.1 → 0.1.0

data/README.md

@@ -1,13 +1,15 @@
 # SecretService
 
-SecretService allows you to store random secrets in your app (for example the session secret or other shared secrets) more securely.
+SecretService allows you to store secrets (for example the session secret or other shared secrets) more securely.
 
-It does this by distributing the actual secret between your code and your database. That is, the final secret can only be calculated if you know both the secret given in your code and a secret stored in your database. The database part is generated randomly on first use.
+It does this by distributing the actual secret between your code and your database. That is, the final secret can only be calculated if you know both the secret given in your code and a secret stored in your database.
 
-As a useful sideeffect this means your different environments (staging / production) will automatically use different secrets.
+Secrets can either be generated randomly on first use, or set using the Raketask.
+
+The Gem does its job by using the secret given in your code to encrypt/decrypt the secret in the database.
 
+As a useful sideeffect this means your different environments (staging / production) will automatically use different secrets.
 
-It only works for *random* secrets though, you cannot use it to store access tokens or the like.
 
 
 ## Caveat
@@ -30,8 +32,29 @@ To get a random secret, simply use
 
     SecretService.secret("dfa24decafdb058448ac1eadb94e2066381cb92ee301e5a43d556555b61c7ea599e06be870e1d90c655c1b56cea172622d2b04a5e986faed42cbae684c5523c9")
 
+You will probably want to use this in your `config/initializers/secret_token.rb` initializer.
+
 The database entries (and indeed tables) are created on demand.
 
+
+## Rake tasks
+
+If you use Rails 2.x, you need to put the following line into your `Rakefile`:
+
+    require 'secret_service/rake_tasks'
+
+If you want to use a specific secret, you can put it into the database by calling
+
+    rake secret_service:store
+
+The secret will be read from STDIN.
+
+To show a previously stored secret, use
+
+    rake secret_service:show SOURCE_SECRET=the_source_secret
+
+where `the_source_secret` is the secret used in the `SecretService.secret(...)` call
+
 ## Contributing
 
 1. Fork it

data/Rakefile

@@ -32,7 +32,7 @@ namespace :all do
   desc "Run specs on all spec apps"
   task :spec do
     success = true
-    for_each_directory_of('spec/**/Rakefile') do |directory|
+    for_each_directory_of('spec/*/Rakefile') do |directory|
       env = "SPEC=../../#{ENV['SPEC']} " if ENV['SPEC']
       success &= system("cd #{directory} && BUNDLE_GEMFILE=./Gemfile #{env} bundle exec rake spec")
     end

data/lib/secret_service/database_store/active_record_store.rb

@@ -9,6 +9,8 @@ module SecretService
         else
           set_table_name TABLE_NAME
         end
+
+        validates_presence_of :key, :value
       end
 
 
@@ -29,6 +31,12 @@ module SecretService
         secret_record.value
       end
 
+      def update(key, value)
+        secret_record = find_if_present(key) || Secret.new(:key => key)
+        secret_record.value = value
+        secret_record.save!
+      end
+
       def drop_database
         # tests need this
         Secret.connection.drop_table TABLE_NAME
@@ -42,7 +50,7 @@ module SecretService
       def setup_database
         Secret.connection.create_table TABLE_NAME do |table|
           table.string :key
-          table.string :value
+          table.text :value
           table.timestamps
         end
         Secret.connection.add_index TABLE_NAME, :key, :unique => true

data/lib/secret_service/rake_tasks.rb

@@ -0,0 +1,34 @@
+namespace :secret_service do
+  desc 'Store a desired secret in the database'
+  task :store => :environment do
+    store = SecretService::Store.new
+    source_secret = ENV['SOURCE_SECRET'] || store.generate_secret
+
+    puts "Enter secret:"
+    final_secret = STDIN.gets.chomp
+
+    store.set(source_secret, final_secret)
+
+    puts "We're done!"
+    puts
+    puts "Retrieve this secret in your app using"
+    puts "  SecretService.secret(#{source_secret.inspect})"
+    puts
+  end
+
+  desc 'Show a previously stored secret'
+  task :show => :environment do
+    store = SecretService::Store.new
+    puts "Enter source secret (as given in your source code):"
+    source_secret = STDIN.gets.chomp
+
+    secret = store.get(source_secret, :only_existing => true)
+    if secret
+      puts "Secret: ", secret
+    else
+      puts "Secret not stored"
+    end
+    puts
+  end
+
+end

data/lib/secret_service/store.rb

@@ -6,30 +6,47 @@ require 'gibberish'
 
 module SecretService
   class Store
-    include Singleton
 
-    def get(source_secret)
-      hash("#{source_secret}--#{database_secret(source_secret)}")
+    def get(source_secret, options = {})
+      decrypt(database_secret(source_secret, options), source_secret)
     end
 
+    def set(source_secret, final_secret)
+      database_store.update(database_key(source_secret), encrypt(final_secret, source_secret))
+    end
+
+    def generate_secret
+      SecureRandom.hex(32)
+    end
+
+
     private
 
     def database_store
       @database_store ||= DatabaseStore.get
     end
 
-    def database_secret(source_secret)
-      secret = database_store.find(hash(source_secret)) do
-        generate_secret
+    def database_secret(source_secret, options = {})
+      secret = database_store.find(database_key(source_secret)) do
+        return nil if options[:only_existing]
+        encrypt(generate_secret, source_secret)
       end
     end
 
-    def hash(value)
-      Gibberish::SHA256(value)
+    def database_key(source_secret)
+      Gibberish::SHA256(source_secret)
     end
 
-    def generate_secret
-      SecureRandom.hex(32)
+    def encrypt(plain_text, key)
+      aes(key).encrypt(plain_text) if plain_text
+    end
+
+    def decrypt(cipher_text, key)
+      aes(key).decrypt(cipher_text) if cipher_text
+    end
+
+    def aes(key)
+      Gibberish::AES.new(key)
     end
   end
 end

data/lib/secret_service/version.rb

@@ -1,3 +1,3 @@
 module SecretService
-  VERSION = "0.0.1" unless defined?(SecretService::VERSION)
+  VERSION = "0.1.0" unless defined?(SecretService::VERSION)
 end

data/lib/secret_service.rb

@@ -2,12 +2,33 @@ require "secret_service/version"
 require "secret_service/store"
 
 module SecretService
-  def self.secret(source_secret, options = {})
-    if options[:plain]
-      source_secret
-    else
+
+  class << self
+
+    def secret(source_secret)
       @secrets ||= {}
-      @secrets[source_secret] ||= Store.instance.get(source_secret)
+      @secrets[source_secret] ||= Store.new.get(source_secret)
+    end
+
+    private
+
+    def store
+      @store ||= Store.new
+    end
+
+    def reset
+      @secrets = nil
+      @store = nil
+    end
+
+  end
+
+  if defined?(Rails::Railtie)
+    class RakeTaskLoader < Rails::Railtie
+      rake_tasks do
+        require 'secret_service/rake_tasks'
+      end
     end
   end
+
 end

data/spec/rails-2.3/Gemfile

@@ -6,5 +6,6 @@ gem 'rspec-rails', '~>1.3'
 gem 'mysql2', '<0.3'
 gem 'ruby-debug', :platforms => :mri_18
 gem 'test-unit', '~>1.2', :platforms => :ruby_19
+gem 'rdoc', :require => false
 
 gem 'secret_service', :path => '../..'

data/spec/rails-2.3/app_root/Rakefile

@@ -0,0 +1,10 @@
+require(File.join(File.dirname(__FILE__), 'config', 'boot'))
+
+require 'rake'
+require 'rake/testtask'
+
+require 'tasks/rails'
+
+require 'secret_service/rake_tasks'
+
+load File.join(File.dirname(__FILE__), '..', '..', 'shared', 'support', 'reconnect_task.rake')

data/spec/rails-2.3/spec/spec_helper.rb

@@ -15,6 +15,6 @@ Dir[File.expand_path(File.join(File.dirname(__FILE__),'support','**','*.rb'))].e
 
 
 Spec::Runner.configure do |config|
-  config.use_transactional_fixtures = true
+  config.use_transactional_fixtures = false
   config.use_instantiated_fixtures  = false
 end

data/spec/rails-3.0/app_root/Rakefile

@@ -0,0 +1,5 @@
+require File.expand_path('../config/application', __FILE__)
+
+SpecApp::Application.load_tasks
+
+load File.join(File.dirname(__FILE__), '..', '..', 'shared', 'support', 'reconnect_task.rake')

data/spec/rails-3.0/spec/spec_helper.rb

@@ -13,6 +13,6 @@ require 'rspec/rails'
 Dir[File.expand_path(File.join(File.dirname(__FILE__),'support','**','*.rb'))].each {|f| require f}
 
 RSpec.configure do |config|
-  config.use_transactional_fixtures = true
+  config.use_transactional_fixtures = false
   config.use_instantiated_fixtures  = false
 end

data/spec/rails-3.2/app_root/Rakefile

@@ -0,0 +1,5 @@
+require File.expand_path('../config/application', __FILE__)
+
+SpecApp::Application.load_tasks
+
+load File.join(File.dirname(__FILE__), '..', '..', 'shared', 'support', 'reconnect_task.rake')

data/spec/rails-3.2/spec/spec_helper.rb

@@ -7,11 +7,10 @@ ENV['RAILS_ROOT'] = 'app_root'
 require "#{File.dirname(__FILE__)}/../app_root/config/environment"
 require 'rspec/rails'
 
-
 # Requires supporting files with custom matchers and macros, etc in ./support/ and its subdirectories.
 Dir[File.expand_path(File.join(File.dirname(__FILE__),'support','**','*.rb'))].each {|f| require f}
 
 RSpec.configure do |config|
-  config.use_transactional_fixtures = true
+  config.use_transactional_fixtures = false
   config.use_instantiated_fixtures  = false
 end

data/spec/shared/secret_service/rake_tasks_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+require 'open3'
+
+describe 'Rake tasks' do
+
+  def execute_rake(task, options = {})
+    env = "BUNDLE_GEMFILE=#{File.expand_path(File.join(Rails.root, '..', 'Gemfile'))}"
+    options.fetch(:env, {}).each do |key, value|
+      env << " #{key}=#{value}"
+    end
+    # this is the only way I could make it work in ruby 1.8 and 1.9
+    Open3.popen3("bash -c 'cd #{Rails.root}; #{env} bundle exec rake #{task}'") do |stdin, stdout, stderr, wait_thr|
+      if options[:puts]
+        stdin.puts options[:puts]
+      end
+      stdin.close
+      error = stderr.read
+      STDERR.puts error if error.present?
+      stdout.read
+    end
+  ensure
+    ActiveRecord::Base.connection.reconnect!
+  end
+
+
+  describe 'store' do
+
+    it 'should store the prompted secret under the given key' do
+      output = execute_rake('secret_service:store', :puts => 'the_secret')
+      (output =~ /SecretService\.secret\("(.*)"\)/).should be_true
+      SecretService.secret($1).should == 'the_secret'
+    end
+
+    it 'should allow to set the source secret' do
+      output = execute_rake('secret_service:store', :env => {'SOURCE_SECRET' => 'source_secret'}, :puts => 'the_secret')
+      output.should =~ /SecretService\.secret\("source_secret"\)/
+    end
+
+  end
+
+  describe 'show' do
+
+    it 'should show a previously stored secret' do
+      SecretService::Store.new.set('source_secret', 'secret_secret')
+      output = execute_rake('secret_service:show', :puts => 'source_secret')
+      output.should =~ /secret_secret/
+    end
+
+    it 'should not store a new secret' do
+      output = execute_rake('secret_service:show', :puts => 'source_secret')
+      SecretService::Store.new.get('source_secret', :only_existing => true).should be_nil
+    end
+
+    it 'should tell if the secret does not exist' do
+      output = execute_rake('secret_service:show', :puts => 'source_secret')
+      output.should =~ /Secret not stored/
+    end
+  end
+
+
+end

data/spec/shared/secret_service/secret_service_spec.rb

@@ -4,21 +4,23 @@ describe SecretService do
 
   describe '.secret' do
 
+    let(:store) { double('store') }
+
+    before do
+      SecretService::Store.stub :new => store
+    end
+
     it 'should delegate to the store' do
-      SecretService::Store.instance.should_receive(:get).with('source secret').and_return('final secret')
+      store.should_receive(:get).with('source secret').and_return('final secret')
       SecretService.secret('source secret').should == 'final secret'
     end
 
     it 'should cache' do
-      SecretService::Store.instance.should_receive(:get).exactly(:once).and_return('final secret')
+      store.should_receive(:get).exactly(:once).and_return('final secret')
       SecretService.secret('source secret')
       SecretService.secret('source secret')
     end
 
-    it 'should return the source secret if :plain is true' do
-      SecretService.secret('source secret', :plain => true).should == 'source secret'
-    end
-
   end
 
 end

data/spec/shared/secret_service/store_spec.rb

@@ -51,6 +51,19 @@ describe SecretService::Store do
       secret_record.value.size.should > 10
     end
 
+    context ':only_existing => true' do
+
+      it 'should not make a new secret' do
+        store.get('foobar', :only_existing => true).should be_nil
+      end
+
+      it 'should retrieve an existing secret' do
+        secret = store.get('foobar')
+        store.get('foobar', :existing => true).should == secret
+      end
+
+    end
+
     context 'concurrency' do
 
       def safe_fork
@@ -86,4 +99,26 @@ describe SecretService::Store do
 
   end
 
+  describe '#set' do
+
+    it 'should set the final secret to a given value' do
+      source_secret = 'a6df546'
+      store.set(source_secret, 'final secret')
+      store.get(source_secret).should == 'final secret'
+    end
+
+  end
+
+  describe '#generate_secret' do
+
+    it 'should return a random secret' do
+      store.generate_secret.should_not == store.generate_secret
+    end
+
+    it 'should return a long secret' do
+      store.generate_secret.size.should > 20
+    end
+
+  end
+
 end

data/spec/shared/support/reconnect_task.rake

@@ -0,0 +1,9 @@
+namespace :secret_service do
+  namespace :test do
+    desc 'Reconnect AR'
+    task :reconnect => :environment do
+      # necessary on ruby 1.8, the specs run our rake tasks using fork, which is not safe for AR
+      ActiveRecord::Base.reconnect!
+    end
+  end
+end

data/spec/shared/support/wipe_store.rb

@@ -1,6 +1,6 @@
 module SecretServiceSpec
   def self.wipe_store
-    SecretService.instance_variable_set(:@secrets, nil)
+    SecretService.send(:reset)
     SecretService::DatabaseStore.get.drop_database
   end
 end

metadata

@@ -1,40 +1,47 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: secret_service
-version: !ruby/object:Gem::Version
-  version: 0.0.1
+version: !ruby/object:Gem::Version 
+  hash: 27
   prerelease: 
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
 platform: ruby
-authors:
+authors: 
 - Tobias Kraze
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-01 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+
+date: 2013-03-08 00:00:00 +01:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
   name: gibberish
-  requirement: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-description: Secret service provides encryption of your application secrets with a
-  server side master password
-email:
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+description: Secret service provides encryption of your application secrets with a server side master password
+email: 
 - tobias@kraze.eu
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
+
+files: 
 - .gitignore
 - .travis.yml
 - Gemfile
@@ -44,11 +51,13 @@ files:
 - lib/secret_service.rb
 - lib/secret_service/database_store.rb
 - lib/secret_service/database_store/active_record_store.rb
+- lib/secret_service/rake_tasks.rb
 - lib/secret_service/store.rb
 - lib/secret_service/version.rb
 - secret_service.gemspec
 - spec/rails-2.3/Gemfile
 - spec/rails-2.3/Rakefile
+- spec/rails-2.3/app_root/Rakefile
 - spec/rails-2.3/app_root/config/boot.rb
 - spec/rails-2.3/app_root/config/database.yml
 - spec/rails-2.3/app_root/config/environment.rb
@@ -64,6 +73,7 @@ files:
 - spec/rails-3.0/Gemfile
 - spec/rails-3.0/Rakefile
 - spec/rails-3.0/app_root/.gitignore
+- spec/rails-3.0/app_root/Rakefile
 - spec/rails-3.0/app_root/config/application.rb
 - spec/rails-3.0/app_root/config/boot.rb
 - spec/rails-3.0/app_root/config/database.yml
@@ -84,6 +94,7 @@ files:
 - spec/rails-3.2/Gemfile
 - spec/rails-3.2/Rakefile
 - spec/rails-3.2/app_root/.gitignore
+- spec/rails-3.2/app_root/Rakefile
 - spec/rails-3.2/app_root/config/application.rb
 - spec/rails-3.2/app_root/config/boot.rb
 - spec/rails-3.2/app_root/config/database.yml
@@ -101,37 +112,49 @@ files:
 - spec/shared/app_root/app/controllers/application_controller.rb
 - spec/shared/app_root/config/database.yml.sample
 - spec/shared/app_root/db/consul_test.db
+- spec/shared/secret_service/rake_tasks_spec.rb
 - spec/shared/secret_service/secret_service_spec.rb
 - spec/shared/secret_service/store_spec.rb
+- spec/shared/support/reconnect_task.rake
 - spec/shared/support/wipe_store.rb
-homepage: ''
+has_rdoc: true
+homepage: ""
 licenses: []
+
 post_install_message: 
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
-required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
-  requirements:
-  - - ! '>='
-    - !ruby/object:Gem::Version
-      version: '0'
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.3.9.5
 signing_key: 
 specification_version: 3
-summary: Secret service provides encryption of your application secrets with a server
-  side master password
-test_files:
+summary: Secret service provides encryption of your application secrets with a server side master password
+test_files: 
 - spec/rails-2.3/Gemfile
 - spec/rails-2.3/Rakefile
+- spec/rails-2.3/app_root/Rakefile
 - spec/rails-2.3/app_root/config/boot.rb
 - spec/rails-2.3/app_root/config/database.yml
 - spec/rails-2.3/app_root/config/environment.rb
@@ -147,6 +170,7 @@ test_files:
 - spec/rails-3.0/Gemfile
 - spec/rails-3.0/Rakefile
 - spec/rails-3.0/app_root/.gitignore
+- spec/rails-3.0/app_root/Rakefile
 - spec/rails-3.0/app_root/config/application.rb
 - spec/rails-3.0/app_root/config/boot.rb
 - spec/rails-3.0/app_root/config/database.yml
@@ -167,6 +191,7 @@ test_files:
 - spec/rails-3.2/Gemfile
 - spec/rails-3.2/Rakefile
 - spec/rails-3.2/app_root/.gitignore
+- spec/rails-3.2/app_root/Rakefile
 - spec/rails-3.2/app_root/config/application.rb
 - spec/rails-3.2/app_root/config/boot.rb
 - spec/rails-3.2/app_root/config/database.yml
@@ -184,6 +209,8 @@ test_files:
 - spec/shared/app_root/app/controllers/application_controller.rb
 - spec/shared/app_root/config/database.yml.sample
 - spec/shared/app_root/db/consul_test.db
+- spec/shared/secret_service/rake_tasks_spec.rb
 - spec/shared/secret_service/secret_service_spec.rb
 - spec/shared/secret_service/store_spec.rb
+- spec/shared/support/reconnect_task.rake
 - spec/shared/support/wipe_store.rb