secret_store 0.0.1

data/.gitignore

@@ -0,0 +1,6 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*
+.rvmrc
+.rspec

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in secret_store.gemspec
+gemspec

data/README.md

@@ -0,0 +1,76 @@
+SecretStore
+===========
+
+Store secrets for your app in a encrypted in a yaml file.
+
+Often when working on a web application, you have the need for storing a
+variety of API keys or secrets to 3rd party services.  However, it's not
+desireable to check those secrets in as plain text to the code respository.
+
+One common way around this is to set such keys in the environment.  This is,
+for example, what [Heroku recommends](https://devcenter.heroku.com/articles/config-vars)
+for use on their platform.  While it works, it can end up cumbersome, is not easily
+replicatable, and can require additional restarts in addition to a code
+deploy depending on the architecture.
+
+Instead, SecretStore encrypts all secrets with one master password, so there's only
+one key to inject into the environment.
+
+Installation
+------------
+
+install it via rubygems:
+
+```
+gem install secret_store
+```
+
+or put it in your Gemfile:
+
+```ruby
+# Gemfile
+gem 'secret_store'
+```
+
+Usage
+-----
+
+```ruby
+require "secret_store"
+
+secret_store = SecretStore.new("master_password", "/path/to/data.yml")
+secret_store.store("some_api_key", "c7dd199")
+secret_store.get("some_api_key") # => "c7dd199"
+secret_store.get("unknown_key") # => raises IndexError
+
+secret_store.store("known_key", "b123fa") => stores
+secret_store.store("known_key", "new_val") => raises error
+secret_store.store("known_key", "new_val", :force) => overwrites stored
+```
+
+For a typical application, it could be desirable to define a
+single SecretStore instance;  for example, in a rails initializer.
+
+How
+---
+
+SecretStore uses [Gibberish](https://github.com/mdp/gibberish/) under the
+hood to AES encrypt secrets in a YAML file.  Gibbersh currently has only
+stdlib and core ruby dependencies, so it makes this code easier to read
+without any extra requirements.
+
+Caveats
+-------
+
+SecretStore code is not recommended for high security (ex: PCI compliance required)
+use.  For your Todos webapp, it's fine!
+
+Credits
+-------
+
+This was inspired by the [passw3rd](https://github.com/oreoshake/passw3rd) gem.
+
+#### Copyright
+
+Copyright (c) (2012) Brendon Murphy. See license.txt for details.
+

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+

data/lib/secret_store/version.rb

@@ -0,0 +1,3 @@
+class SecretStore
+  VERSION = "0.0.1"
+end

data/lib/secret_store.rb

@@ -0,0 +1,80 @@
+require "gibberish"
+require "yaml"
+require "secret_store/version"
+
+class SecretStore
+  attr_reader :file_path
+
+  def initialize(password, file_path)
+    self.password = password
+    self.file_path = file_path
+  end
+
+  def store(key, secret, force = false)
+    load_data
+
+    if ! force && @data[key.to_s]
+      raise "Key #{key} already stored"
+    end
+
+    @data.merge!(key.to_s => encrypt(secret))
+    store_data
+    load_data[key]
+  end
+
+  def get(key)
+    ciphertext = @data.fetch(key.to_s)
+    cipher.decrypt(ciphertext)
+  end
+
+  def encrypt(secret)
+    cipher.encrypt(secret).chomp
+  end
+
+  def change_password(new_password)
+    new_data = {}
+
+    @data.each_key do |key|
+      new_data[key] = get(key)
+    end
+
+    self.password = new_password
+
+    new_data.each do |key, plaintext|
+      @data[key] = encrypt(plaintext)
+    end
+
+    store_data
+  end
+
+  private
+
+  def file_path=(file_path)
+    @file_path = file_path
+    load_data
+    @file_path
+  end
+
+  def password=(password)
+    @cipher = nil
+    @password = password
+  end
+
+  def cipher
+    @cipher ||= Gibberish::AES.new(@password)
+  end
+
+  def load_data
+    begin
+      @data = YAML.load_file(file_path) || {}
+    rescue Errno::ENOENT
+      @data = {}
+    end
+  end
+
+  def store_data
+    File.open(@file_path, File::RDWR|File::CREAT|File::LOCK_EX, 0640) do |f|
+      f.puts YAML.dump @data
+    end
+  end
+end

data/secret_store.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "secret_store/version"
+
+Gem::Specification.new do |s|
+  s.name        = "secret_store"
+  s.version     = SecretStore::VERSION
+  s.authors     = ["Brendon Murphy"]
+  s.email       = ["xternal1+github@gmail.com"]
+  s.homepage    = ""
+  s.summary     = %q{Store secrets for your app in a encrypted in a yaml file.}
+  s.description = s.summary
+
+  s.rubyforge_project = "secret_store"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {spec}/*`.split("\n")
+  s.require_paths = ["lib"]
+
+  s.add_dependency "gibberish"
+
+  s.add_development_dependency "rake"
+  s.add_development_dependency "rspec"
+end

data/spec/secret_store_spec.rb

@@ -0,0 +1,100 @@
+require 'spec_helper'
+
+describe SecretStore, "initializing" do
+  let(:tmpfile) { Tempfile.new("secret_store") }
+
+  it "takes a password and file path" do
+    subject = SecretStore.new("pass", tmpfile.path)
+    subject.file_path.should == tmpfile.path
+  end
+end
+
+describe SecretStore, "storing a secret" do
+  let(:tmpfile) { Tempfile.new("secret_store") }
+  subject { SecretStore.new("the_pass", tmpfile.path) }
+
+  context "when the key is not already stored" do
+    it "stores the value for the key in a yaml data file" do
+      subject.store("foobar", "fizzbuzz")
+      data = YAML.load_file(tmpfile.path)
+      data["foobar"].should_not be_empty
+    end
+
+    it "stores in an encrypted fashion" do
+      subject.store("foobar", "fizzbuzz")
+      data = YAML.load_file(tmpfile.path)
+      data["foobar"].should_not == "fizzbuzz"
+    end
+
+    it "leaves other data in the store file intact" do
+      tmpfile.puts YAML.dump("already" => "here")
+      tmpfile.flush
+      subject.store("foobar", "fizzbuzz")
+      data = YAML.load_file(tmpfile.path)
+      data["already"].should == "here"
+    end
+  end
+
+  context "when the key is already stored" do
+    it "raises if not forced" do
+      subject.store("foobar", "fizzbuzz")
+      lambda {
+        subject.store("foobar", "fizzbuzz")
+      }.should raise_error
+    end
+
+    it "stores if forced" do
+      subject.store("foobar", "fizzbuzz")
+      lambda {
+        subject.store("foobar", "fizzbuzz", :force)
+      }.should_not raise_error
+    end
+  end
+end
+
+describe SecretStore, "getting a secret" do
+  let(:tmpfile) { Tempfile.new("secret_store") }
+  subject { SecretStore.new("the_pass", tmpfile.path) }
+
+  it "returns the decrypted secret" do
+    subject.store("foobar", "fizzbuzz")
+    subject.get("foobar").should == "fizzbuzz"
+  end
+
+  it "raises IndexError if the key is not found" do
+    lambda{
+      subject.get("not_found")
+    }.should raise_error(IndexError)
+  end
+
+  it "raises OpenSSL::Cipher::CipherError if the password for the store is wrong" do
+    subject.store("foobar", "fizzbuzz")
+    with_wrong_pass = SecretStore.new("wrong_pass", tmpfile.path)
+    lambda {
+      with_wrong_pass.get("foobar")
+    }.should raise_error(OpenSSL::Cipher::CipherError)
+  end
+end
+
+describe SecretStore, "changing the password" do
+  let(:tmpfile) { Tempfile.new("secret_store") }
+  subject { SecretStore.new("the_pass", tmpfile.path) }
+
+  it "resets the value for each secret key" do
+    tmpfile.puts YAML.dump("foo" => "bar", "fizz" => "buzz")
+    subject.change_password("new_password")
+    data = YAML.load_file(tmpfile.path)
+    data["foo"].should_not == "bar"
+    data["fizz"].should_not == "buzz"
+  end
+
+  it "leaves you with the ability to get secrets using the new password" do
+    subject.store("foo", "bar")
+    subject.change_password("new_pass")
+
+    subject.get("foo").should == "bar"
+
+    with_new_pass = SecretStore.new("new_pass", tmpfile.path)
+    subject.get("foo").should == "bar"
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'tempfile'
+
+require File.expand_path("../../lib/secret_store", __FILE__)
+
+RSpec.configure do |config|
+  config.mock_with :rspec
+end
+

metadata

@@ -0,0 +1,93 @@
+--- !ruby/object:Gem::Specification
+name: secret_store
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Brendon Murphy
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-08-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: gibberish
+  requirement: &2160632160 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *2160632160
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &2160631720 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2160631720
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &2160631280 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *2160631280
+description: Store secrets for your app in a encrypted in a yaml file.
+email:
+- xternal1+github@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- README.md
+- Rakefile
+- lib/secret_store.rb
+- lib/secret_store/version.rb
+- secret_store.gemspec
+- spec/secret_store_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -1229492496997866402
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: -1229492496997866402
+requirements: []
+rubyforge_project: secret_store
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: Store secrets for your app in a encrypted in a yaml file.
+test_files: []