secret_service 0.0.1

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+spec/shared/app_root/config/database.yml

data/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+rvm:
+  - "1.8.7"
+  - "1.9.3"
+  - ree
+services:
+  - mysql
+before_script: rake travis_ci:prepare
+script: rake all:bundle all:spec
+notifications:
+  email:
+    - fail@makandra.de
+branches:
+  only:
+    - master

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in secret_service.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Tobias Kraze
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,41 @@
+# SecretService
+
+SecretService allows you to store random secrets in your app (for example the session secret or other shared secrets) more securely.
+
+It does this by distributing the actual secret between your code and your database. That is, the final secret can only be calculated if you know both the secret given in your code and a secret stored in your database. The database part is generated randomly on first use.
+
+As a useful sideeffect this means your different environments (staging / production) will automatically use different secrets.
+
+
+It only works for *random* secrets though, you cannot use it to store access tokens or the like.
+
+
+## Caveat
+
+This currently requires ActiveRecord.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'secret_service'
+
+And then execute:
+
+    $ bundle
+
+## Usage
+
+To get a random secret, simply use
+
+    SecretService.secret("dfa24decafdb058448ac1eadb94e2066381cb92ee301e5a43d556555b61c7ea599e06be870e1d90c655c1b56cea172622d2b04a5e986faed42cbae684c5523c9")
+
+The database entries (and indeed tables) are created on demand.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,57 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+desc 'Default: Run all specs.'
+task :default => 'all:spec'
+
+
+namespace :travis_ci do
+
+  desc 'Things to do before Travis CI begins'
+  task :prepare do
+    Rake::Task['travis_ci:create_database'].invoke &&
+    Rake::Task['travis_ci:create_database_yml'].invoke
+  end
+
+  desc 'Creates a test database'
+  task :create_database do
+    system("mysql -e 'create database secret_service_test;'")
+  end
+
+  desc 'Creates a database.yml'
+  task :create_database_yml do
+    config_dir = "spec/shared/app_root/config"
+    system("cp #{config_dir}/database.yml.sample #{config_dir}/database.yml")
+  end
+
+end
+
+
+namespace :all do
+
+  desc "Run specs on all spec apps"
+  task :spec do
+    success = true
+    for_each_directory_of('spec/**/Rakefile') do |directory|
+      env = "SPEC=../../#{ENV['SPEC']} " if ENV['SPEC']
+      success &= system("cd #{directory} && BUNDLE_GEMFILE=./Gemfile #{env} bundle exec rake spec")
+    end
+    fail "Tests failed" unless success
+  end
+
+  desc "Bundle all spec apps"
+  task :bundle do
+    for_each_directory_of('spec/**/Gemfile') do |directory|
+      system("cd #{directory} && BUNDLE_GEMFILE=./Gemfile bundle install")
+    end
+  end
+
+end
+
+def for_each_directory_of(path, &block)
+  Dir[path].sort.each do |rakefile|
+    directory = File.dirname(rakefile)
+    puts '', "\033[44m#{directory}\033[0m", ''
+    block.call(directory)
+  end
+end

data/lib/secret_service.rb

@@ -0,0 +1,13 @@
+require "secret_service/version"
+require "secret_service/store"
+
+module SecretService
+  def self.secret(source_secret, options = {})
+    if options[:plain]
+      source_secret
+    else
+      @secrets ||= {}
+      @secrets[source_secret] ||= Store.instance.get(source_secret)
+    end
+  end
+end

data/lib/secret_service/database_store.rb

@@ -0,0 +1,5 @@
+if defined?(ActiveRecord)
+  require 'secret_service/database_store/active_record_store.rb'
+else
+  raise "Secret_service requires ActiveRecord at this time."
+end

data/lib/secret_service/database_store/active_record_store.rb

@@ -0,0 +1,66 @@
+module SecretService
+  module DatabaseStore
+    class ActiveRecordStore
+      TABLE_NAME = '_secret_service_secrets'
+
+      class Secret < ::ActiveRecord::Base
+        if respond_to? :table_name=
+          self.table_name = TABLE_NAME
+        else
+          set_table_name TABLE_NAME
+        end
+      end
+
+
+      def initialize
+        setup_database unless database_set_up?
+      end
+
+      def find(key)
+        secret_record = find_if_present(key)
+        unless secret_record
+          new_secret = yield
+          begin
+            secret_record = Secret.create!(:key => key, :value => new_secret)
+          rescue ::ActiveRecord::StatementInvalid
+            secret_record = find_if_present(key)
+          end
+        end
+        secret_record.value
+      end
+
+      def drop_database
+        # tests need this
+        Secret.connection.drop_table TABLE_NAME
+        Secret.reset_column_information
+      rescue ::ActiveRecord::StatementInvalid
+      end
+
+
+      private
+
+      def setup_database
+        Secret.connection.create_table TABLE_NAME do |table|
+          table.string :key
+          table.string :value
+          table.timestamps
+        end
+        Secret.connection.add_index TABLE_NAME, :key, :unique => true
+      rescue ::ActiveRecord::StatementInvalid
+      end
+
+      def database_set_up?
+        Secret.table_exists?
+      end
+
+      def find_if_present(key)
+        Secret.first(:conditions => {:key => key})
+      end
+    end
+
+
+    def self.get
+      ActiveRecordStore.new
+    end
+  end
+end

data/lib/secret_service/store.rb

@@ -0,0 +1,35 @@
+require 'secret_service/database_store'
+
+require 'securerandom'
+require 'singleton'
+require 'gibberish'
+
+module SecretService
+  class Store
+    include Singleton
+
+    def get(source_secret)
+      hash("#{source_secret}--#{database_secret(source_secret)}")
+    end
+
+    private
+
+    def database_store
+      @database_store ||= DatabaseStore.get
+    end
+
+    def database_secret(source_secret)
+      secret = database_store.find(hash(source_secret)) do
+        generate_secret
+      end
+    end
+
+    def hash(value)
+      Gibberish::SHA256(value)
+    end
+
+    def generate_secret
+      SecureRandom.hex(32)
+    end
+  end
+end

data/lib/secret_service/version.rb

@@ -0,0 +1,3 @@
+module SecretService
+  VERSION = "0.0.1" unless defined?(SecretService::VERSION)
+end

data/secret_service.gemspec

@@ -0,0 +1,19 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/secret_service/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Tobias Kraze"]
+  gem.email         = ["tobias@kraze.eu"]
+  gem.description   = %q{Secret service provides encryption of your application secrets with a server side master password}
+  gem.summary       = gem.description
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($\)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.name          = "secret_service"
+  gem.require_paths = ["lib"]
+  gem.version       = SecretService::VERSION
+
+  gem.add_dependency('gibberish')
+end

data/spec/rails-2.3/Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org'
+
+gem 'rails', '~>2.3'
+gem 'rspec', '~>1.3'
+gem 'rspec-rails', '~>1.3'
+gem 'mysql2', '<0.3'
+gem 'ruby-debug', :platforms => :mri_18
+gem 'test-unit', '~>1.2', :platforms => :ruby_19
+
+gem 'secret_service', :path => '../..'

data/spec/rails-2.3/Rakefile

@@ -0,0 +1,11 @@
+require 'rake'
+require 'spec/rake/spectask'
+
+desc 'Default: Run all specs for a specific rails version.'
+task :default => :spec
+
+desc "Run all specs for a specific rails version"
+Spec::Rake::SpecTask.new() do |t|
+  t.spec_opts = ['--options', "\"spec.opts\""]
+  t.spec_files = defined?(SPEC) ? SPEC : FileList['**/*_spec.rb', '../shared/**/*_spec.rb']
+end

data/spec/rails-2.3/app_root/config/boot.rb

@@ -0,0 +1,128 @@
+# Allow customization of the rails framework path
+RAILS_FRAMEWORK_ROOT = (ENV['RAILS_FRAMEWORK_ROOT'] || "#{File.dirname(__FILE__)}/../../../../../../vendor/rails") unless defined?(RAILS_FRAMEWORK_ROOT) 
+
+# Don't change this file!
+# Configure your app in config/environment.rb and config/environments/*.rb
+
+RAILS_ROOT = "#{File.dirname(__FILE__)}/.." unless defined?(RAILS_ROOT)
+
+module Rails
+  class << self
+    def boot!
+      unless booted?
+        preinitialize
+        pick_boot.run
+      end
+    end
+
+    def booted?
+      defined? Rails::Initializer
+    end
+
+    def pick_boot
+      (vendor_rails? ? VendorBoot : GemBoot).new
+    end
+
+    def vendor_rails?
+      File.exist?(RAILS_FRAMEWORK_ROOT)
+    end
+
+    def preinitialize
+      load(preinitializer_path) if File.exist?(preinitializer_path)
+    end
+
+    def preinitializer_path
+      "#{RAILS_ROOT}/config/preinitializer.rb"
+    end
+  end
+
+  class Boot
+    def run
+      load_initializer
+      Rails::Initializer.run(:set_load_path)
+    end
+  end
+
+  class VendorBoot < Boot
+    def load_initializer
+      require "#{RAILS_FRAMEWORK_ROOT}/railties/lib/initializer"
+      Rails::Initializer.run(:install_gem_spec_stubs)
+    end
+  end
+
+  class GemBoot < Boot
+    def load_initializer
+      self.class.load_rubygems
+      load_rails_gem
+      require 'initializer'
+    end
+
+    def load_rails_gem
+      if version = self.class.gem_version
+        gem 'rails', version
+      else
+        gem 'rails'
+      end
+    rescue Gem::LoadError => load_error
+      $stderr.puts %(Missing the Rails #{version} gem. Please `gem install -v=#{version} rails`, update your RAILS_GEM_VERSION setting in config/environment.rb for the Rails version you do have installed, or comment out RAILS_GEM_VERSION to use the latest version installed.)
+      exit 1
+    end
+
+    class << self
+      def rubygems_version
+        Gem::RubyGemsVersion rescue nil
+      end
+
+      def gem_version
+        if defined? RAILS_GEM_VERSION
+          RAILS_GEM_VERSION
+        elsif ENV.include?('RAILS_GEM_VERSION')
+          ENV['RAILS_GEM_VERSION']
+        else
+          parse_gem_version(read_environment_rb)
+        end
+      end
+
+      def load_rubygems
+        require 'rubygems'
+        min_version = '1.1.1'
+        unless rubygems_version >= min_version
+          $stderr.puts %Q(Rails requires RubyGems >= #{min_version} (you have #{rubygems_version}). Please `gem update --system` and try again.)
+          exit 1
+        end
+ 
+      rescue LoadError
+        $stderr.puts %Q(Rails requires RubyGems >= #{min_version}. Please install RubyGems and try again: http://rubygems.rubyforge.org)
+        exit 1
+      end
+
+      def parse_gem_version(text)
+        $1 if text =~ /^[^#]*RAILS_GEM_VERSION\s*=\s*["']([!~<>=]*\s*[\d.]+)["']/
+      end
+
+      private
+        def read_environment_rb
+          environment_rb = "#{RAILS_ROOT}/config/environment.rb"
+          environment_rb = "#{HELPER_RAILS_ROOT}/config/environment.rb" unless File.exists?(environment_rb)
+          File.read(environment_rb)
+        end
+    end
+  end
+end
+
+class Rails::Boot
+  def run
+    load_initializer
+
+    Rails::Initializer.class_eval do
+      def load_gems
+        @bundler_loaded ||= Bundler.require :default, Rails.env
+      end
+    end
+
+    Rails::Initializer.run(:set_load_path)
+  end
+end
+
+# All that for this:
+Rails.boot!