secure_yaml 1.0.0

data/.gitignore

@@ -0,0 +1,13 @@
+.*
+!.gitignore
+!.rvmrc
+*.log
+*.iws
+*.orig
+*.iml
+*.ipr
+.idea
+*.ids
+*.gem
+.bundle
+Gemfile.lock

data/.rvmrc

@@ -0,0 +1 @@
+rvm ruby-1.9.3-p194@secure_yaml

data/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gemspec

data/README.md

@@ -0,0 +1,73 @@
+### Overview
+
+The storage of sensitive information (such as usernames and passwords) within source control is commonly avoided due to security concerns, i.e. an untrusted person gaining access to your code, would have access to your production database password.
+
+This library attempts to address this concern by allowing sensitive information to be stored in YAML files in an encrypted form. Inspired by [Jasypt](http://www.jasypt.org/encrypting-configuration.html).
+<br />
+
+### Usage
+
+<strong>1) Install the secure_yaml gem</strong>
+
+```
+> gem install secure_yaml
+```
+<br />
+
+<strong>2) Encrypt your sensitive properties, and copy them into your YAML file</strong>
+
+The gem provides a simple command line utility called ```encrypt_property_for_yaml``` that prints out the encrypted form of a plain text property.
+
+```
+USAGE: encrypt_property_for_yaml <SECRET_KEY> <PROPERTY_VALUE_TO_ENCRYPT>
+```
+
+For example:
+
+```
+> encrypt_property_for_yaml abc12345678 jdbc:mysql://11.22.33.44:3306/prod
+ENC(1BVzrT18dxWisIKUPkq9k0SB/aKcT70VawodxucI)  <-- copy this value into your YAML file
+```
+
+When completed, your YAML file might look something like the following:
+
+```
+production:
+  db_adapter: mysql
+  db_url: ENC(1BVzrT18dxWisIKUPkq9k0SB/aKcT70VawodxucI)
+  db_username: ENC(4BEzrT18dxdisIKFPkw7k0SB/hKcT80VawodxuwT)
+  db_password: ENC(2BVzrQ79deWisIKUPkq9k8SB/aKcT74CawoExuiP)
+  pool: 5
+  timeout: 5000
+
+```
+
+Note:
+* your YAML file can consist of a combination of plain text and encrypted property values
+* the encrypted properties can be positioned within the YAML at any nested depth.
+
+<br />
+
+<strong>3) Supply the secret key (used by the encryption process in step 2) as an environmental property to your running app</strong>
+
+By default, the expected name of this environmental property is 'PROPERTIES_ENCRYPTION_PASSWORD', but can be overridden if required.
+
+```
+export PROPERTIES_ENCRYPTION_PASSWORD=abc12345678; ruby app.rb
+```
+
+<strong>*** The value of the secret key must NOT be submitted to source control. Knowing the secret key allows a person to easily decrypt your properties.</strong>
+<br />
+
+<strong>4) Load and use the decrypted version of your YAML file within your app</strong>
+
+```ruby
+require 'secure_yaml'
+
+decrypted_yaml = SecureYaml::load(File.open('database.yml'))
+
+# Alternatively, to override the default secret key environmental property name:
+decrypted_yaml = SecureYaml::load(File.open('database.yml'), 'NEW_SECRET_KEY_PROPERTY_NAME')
+```
+
+

data/Rakefile

@@ -0,0 +1,7 @@
+require 'bundler'
+require 'rspec/core/rake_task'
+
+Bundler::GemHelper.install_tasks
+
+desc "run specs"
+RSpec::Core::RakeTask.new

data/bin/encrypt_property_for_yaml

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require "secure_yaml/cli/property_encryption_application"
+
+SecureYaml::PropertyEncryptionApplication.new.execute(ARGV)

data/lib/secure_yaml/cipher.rb

@@ -0,0 +1,32 @@
+require 'openssl'
+require 'digest/sha2'
+require 'base64'
+
+module SecureYaml
+  
+  class Cipher
+
+    def encrypt(secret_key, plain_data)
+      cipher = create_cipher(secret_key)
+      cipher.encrypt
+      Base64.strict_encode64(cipher.update(plain_data) + cipher.final)
+    end
+
+    def decrypt(secret_key, encrypted_data)
+      cipher = create_cipher(secret_key)
+      cipher.decrypt
+      cipher.update(Base64.strict_decode64(encrypted_data)) + cipher.final
+    end
+    
+    private
+
+    def create_cipher(secret_key)
+      cipher = OpenSSL::Cipher.new("AES-256-CFB")
+      cipher.encrypt
+      cipher.key = Digest::SHA2.new(256).digest(secret_key)
+      cipher
+    end
+
+  end
+
+end

data/lib/secure_yaml/cli/property_encryption_application.rb

@@ -0,0 +1,19 @@
+require "secure_yaml"
+
+module SecureYaml
+
+  class PropertyEncryptionApplication
+
+    def execute(command_line_args)
+
+      raise "USAGE: encrypt_property_for_yaml <SECRET_KEY> <PROPERTY_VALUE_TO_ENCRYPT>" unless command_line_args.length == 2
+
+      secret_key = command_line_args[0]
+      plain_text = command_line_args[1]
+
+      puts "#{SecureYaml::ENCRYPTED_PROPERTY_WRAPPER_ID}(#{SecureYaml::Cipher.new.encrypt(secret_key, plain_text)})"
+    end
+
+  end
+
+end

data/lib/secure_yaml/loader.rb

@@ -0,0 +1,17 @@
+require 'secure_yaml/yaml_decrypter'
+
+module SecureYaml
+
+  class Loader
+
+    def initialize(secret_key)
+      @decrypter = YamlDecrypter.new(secret_key)
+    end
+
+    def load(yaml_file)
+      @decrypter.decrypt(YAML::load(yaml_file))
+    end
+
+  end
+
+end

data/lib/secure_yaml/version.rb

@@ -0,0 +1,5 @@
+module SecureYaml
+
+  VERSION = "1.0.0"
+
+end

data/lib/secure_yaml/yaml_decrypter.rb

@@ -0,0 +1,26 @@
+require 'yaml'
+require 'secure_yaml/cipher'
+
+module SecureYaml
+
+  class YamlDecrypter
+
+    def initialize(secret_key, cipher = Cipher.new)
+      @cipher = cipher
+      @secret_key = secret_key
+    end
+
+    def decrypt(yaml)
+      case yaml
+        when Hash
+          yaml.each_with_object({}) {|(key, value), new_hash| new_hash[key] = decrypt(value)}
+        when String
+          yaml.gsub(/^#{ENCRYPTED_PROPERTY_WRAPPER_ID}\((.*)\)$/) {@cipher.decrypt(@secret_key, $1)}
+        else
+          yaml
+      end
+    end
+
+  end
+
+end

data/lib/secure_yaml.rb

@@ -0,0 +1,20 @@
+require 'secure_yaml/loader'
+
+module SecureYaml
+
+  ENCRYPTED_PROPERTY_WRAPPER_ID = 'ENC'
+
+  DEFAULT_SECRET_KEY_PROP_NAME = 'PROPERTIES_ENCRYPTION_PASSWORD'
+
+  def self.load(yaml_file, secret_key_prop_name = DEFAULT_SECRET_KEY_PROP_NAME)
+    SecureYaml::Loader.new(secret_key(secret_key_prop_name)).load(yaml_file)
+  end
+
+  private
+
+  def self.secret_key(secret_key_prop_name)
+    secret_key = ENV[secret_key_prop_name]
+    raise "#{secret_key_prop_name} env property not found" if secret_key.nil?
+  end
+
+end

data/secure_yaml.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "secure_yaml/version"
+
+Gem::Specification.new do |s|
+  s.name        = "secure_yaml"
+  s.version     = SecureYaml::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Huw Lewis"]
+  s.email       = ["huwtlewis@gmail.com"]
+  s.homepage    = "https://github.com/qmg-hlewis/secure_yaml"
+  s.summary     = %q{encryption protection for sensitive yaml properties}
+  s.description = %q{encryption protection for sensitive yaml properties}
+
+  s.rubyforge_project = "secure_yaml"
+
+  s.files         = `git ls-files`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_development_dependency 'rspec', "~> 2.10"
+  s.add_development_dependency 'rspec-mocks', "~> 2.10"
+  s.add_development_dependency 'bundler', "~> 1.1"
+  s.add_development_dependency 'rake', "~> 0.9"
+
+end

data/spec/secure_yaml/cipher_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe 'Cipher' do
+
+  before(:each) do
+    @cipher = SecureYaml::Cipher.new
+    @secret_key = "abc12345678"
+    @plain_text = "some plain text to encrypt"
+  end
+
+  it 'should decrypt encrypted data' do
+    encrypted = @cipher.encrypt(@secret_key, @plain_text)
+
+    decrypted = @cipher.decrypt(@secret_key, encrypted)
+
+    encrypted.should_not == @plain_text
+    decrypted.should == @plain_text
+  end
+
+end

data/spec/secure_yaml/cli/property_encryption_application_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+describe 'Property encryption command line interface' do
+
+  before(:each) do
+    @secret_key = 'secret key'
+    @plain_text = 'text to encrypt'
+    @encrypted_text = 'encrypted text'
+  end
+
+  it 'should print encrypted property value for given secret key and plain text' do
+    cipher = double(SecureYaml::Cipher)
+    cipher.stub(:encrypt).with(@secret_key, @plain_text).and_return(@encrypted_text)
+    SecureYaml::Cipher.stub(:new).and_return(cipher)
+
+    $stdout.should_receive(:puts).with("#{SecureYaml::ENCRYPTED_PROPERTY_WRAPPER_ID}(#{@encrypted_text})")
+
+    SecureYaml::PropertyEncryptionApplication.new.execute([@secret_key, @plain_text])
+  end
+
+  it 'should raise error unless secret key and plain text have been included as command line args' do
+    expect {SecureYaml::PropertyEncrypterApplication.new.execute([])}.to raise_error
+    expect {SecureYaml::PropertyEncrypterApplication.new.execute([@secret_key])}.to raise_error
+  end
+
+  it 'should raise error if too many comand line args' do
+    expect {SecureYaml::PropertyEncryptionApplication.new.execute([@secret_key, @plain_text, 'unexpected'])}.to raise_error
+  end
+
+end

data/spec/secure_yaml/loader_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe 'Loader' do
+
+  before(:each) do
+    @encrypted_yaml = {prop: 'encrypted'}
+    @decrypted_yaml = {prop: 'decrytped'}
+    @decrypter = double(SecureYaml::YamlDecrypter)
+    SecureYaml::YamlDecrypter.stub(:new).and_return(@decrypter)
+  end
+
+  it 'should load decrypted yaml file' do
+    YAML.stub(:load).and_return(@encrypted_yaml)
+    @decrypter.stub(:decrypt).with(@encrypted_yaml).and_return(@decrypted_yaml)
+
+    yaml = SecureYaml::Loader.new('').load(double(File))
+
+    yaml.should == @decrypted_yaml
+  end
+
+end

data/spec/secure_yaml/yaml_decrypter_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe 'Yaml decrypter' do
+
+  before(:each) do
+    @secret_key = 'abc12345678'
+    @cipher = double(SecureYaml::Cipher)
+    @decrypter = SecureYaml::YamlDecrypter.new(@secret_key, @cipher)
+    @decrypted_result = 'decrypted data'
+    @plain_text = 'some plain text'
+  end
+
+  it 'should decrypt only marked encrypted properties' do
+    encrypted_data = 'encrypted data'
+    @cipher.stub(:decrypt).with(@secret_key, encrypted_data).and_return(@decrypted_result)
+
+    data = @decrypter.decrypt({:encrypted_prop => "ENC(#{encrypted_data})", :plain_prop => @plain_text})
+
+    data.should == {:encrypted_prop => @decrypted_result, :plain_prop => @plain_text}
+  end
+
+  it 'should decrypt encrypted properties containing parentheses' do
+    encrypted_prop_with_param = 'encrypted )data'
+    @cipher.stub(:decrypt).with(@secret_key, encrypted_prop_with_param).and_return(@decrypted_result)
+
+    data = @decrypter.decrypt({:encrypted_prop => "ENC(#{encrypted_prop_with_param})"})
+
+    data.should == {:encrypted_prop => @decrypted_result}
+  end
+
+  it 'should ignore any encrypted properties in unexpected formats' do
+    unexpected_formats = {:unexpected_1 => 'ENC(text', :unexpected_2 => 'ENCtext)', :unexpected_3 => 'EN(text)'}
+
+    data = @decrypter.decrypt(unexpected_formats)
+
+    data.should == unexpected_formats
+  end
+
+  it 'should recursively encrypt nested properties' do
+    @cipher.stub(:decrypt).and_return(@decrypted_result)
+
+    data = @decrypter.decrypt({:parent_prop => {:nested_prop => 'ENC(text)', :parent_prop_2 => {:nested_prop_2 => 'ENC(text)'}}})
+
+    data.should == {:parent_prop => {:nested_prop => @decrypted_result, :parent_prop_2 => {:nested_prop_2 => @decrypted_result}}}
+  end
+
+  it 'should ignore any property of non-string type' do
+    numeric_prop = {:numeric => 1}
+
+    data = @decrypter.decrypt(numeric_prop)
+
+    data.should == numeric_prop
+  end
+
+end

data/spec/secure_yaml_spec.rb

@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe 'SecureYaml' do
+
+  before(:each) do
+    @yaml = {prop: 'test'}
+    loader = double(SecureYaml::Loader)
+    loader.stub(:load).and_return(@yaml)
+    SecureYaml::Loader.stub(:new).and_return(loader)
+  end
+
+  it 'should load decrypted yaml file' do
+    ENV[SecureYaml::DEFAULT_SECRET_KEY_PROP_NAME] = 'secret key'
+
+    yaml = SecureYaml::load(double(File))
+
+    yaml.should == @yaml
+  end
+
+  it 'should raise error on load if secret key env property not set' do
+    ENV[SecureYaml::DEFAULT_SECRET_KEY_PROP_NAME] = nil
+
+    expect {SecureYaml::load(double(File))}.to raise_error
+  end
+
+  it 'should allow use of custom secret key property name' do
+    custom_secret_key_prop_name = 'CUSTOMER_SECRET_KEY_PROP_NAME'
+    ENV[custom_secret_key_prop_name] = 'secret key'
+
+    yaml = SecureYaml::load(double(File), custom_secret_key_prop_name)
+
+    yaml.should == @yaml
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+require 'rspec'
+require 'rspec/mocks'
+
+require 'secure_yaml'
+require 'secure_yaml/cli/property_encryption_application'
+
+RSpec.configure do |conf|
+  conf.include RSpec::Mocks::ExampleMethods
+end

metadata

@@ -0,0 +1,129 @@
+--- !ruby/object:Gem::Specification
+name: secure_yaml
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Huw Lewis
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-07-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: rspec-mocks
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '0.9'
+description: encryption protection for sensitive yaml properties
+email:
+- huwtlewis@gmail.com
+executables:
+- encrypt_property_for_yaml
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rvmrc
+- Gemfile
+- README.md
+- Rakefile
+- bin/encrypt_property_for_yaml
+- lib/secure_yaml.rb
+- lib/secure_yaml/cipher.rb
+- lib/secure_yaml/cli/property_encryption_application.rb
+- lib/secure_yaml/loader.rb
+- lib/secure_yaml/version.rb
+- lib/secure_yaml/yaml_decrypter.rb
+- secure_yaml.gemspec
+- spec/secure_yaml/cipher_spec.rb
+- spec/secure_yaml/cli/property_encryption_application_spec.rb
+- spec/secure_yaml/loader_spec.rb
+- spec/secure_yaml/yaml_decrypter_spec.rb
+- spec/secure_yaml_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/qmg-hlewis/secure_yaml
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: secure_yaml
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: encryption protection for sensitive yaml properties
+test_files: []