sekrets 0.4.2

data/bin/sekrets

@@ -0,0 +1,264 @@
+#! /usr/bin/env ruby
+
+Main {
+#
+  synopsis <<-__
+    ~> echo 'plaintext' | sekrets write sekrets.txt --key 42
+
+    ~> sekrets read sekrets.txt --key 42
+
+    ~> sekrets edit sekrets.txt
+  __
+
+  description <<-__
+    TL;DR
+      # create an encrypted config file
+      
+        ruby -r yaml -e'puts {:api_key => 1234}.to_yaml' | sekrets write config/settings.yml.enc --key 42
+
+      # display it
+
+        sekrets read config/settings.yml.enc --key 42
+
+      # edit it
+
+        sekrets edit config/settings.yml.enc --key 42
+
+      # see that it's encrypted
+
+        cat config/settings.yml.enc
+
+      # commit it
+
+        git add config/settings.yml.enc
+
+      # put the decryption key in a file
+        
+        echo 42 > sekrets.key
+
+      # ignore this file in git
+
+        echo sekrets.key >> .gitgnore
+
+      # make sure this file gets deployed on your server
+
+        echo " require 'sekrets/capistrano' " >> Capfile
+
+      # commit and deploy
+
+        git add config/settings.yml.enc
+        git commit -am'encrypted settings yo'
+        git pull && git push && cap staging deploy
+
+      # access these settings in your application code
+
+        settings = Sekrets.settings_for('./config/settings.yml.enc')
+        
+
+    GENERAL
+      sekrets provides commandline tools and a library to manage and access
+      encrypted files in your code base.
+
+      it allows one to check encrypted infomation into a repository and to manage
+      it alongside the rest of the code base.  it elimnates the need to check in
+      unencrypted information, keys, or other sensitive infomation.
+
+      sekrets provides both a general mechanism for managing arbitrary encrypted
+      files and a specific mechanism for managing encrypted config files.
+
+
+    KEY LOOKUP
+      for *all* operations, from the command line or otherwise, sekrets uses the
+      following algorithm to search for a decryption key:
+
+      - any key passed directly as a parameter to a library call will be preferred
+
+      - otherwise the code looks for a companion key file.  for example, given the
+        file 'config/sekrets.yml.enc' sekrets will look for a key at
+        
+          config/sekrets.yml.enc.key
+          
+        and 
+        
+          config/sekrets.yml.enc.k
+          
+        if either of these is found to be non-empty the contents of the file will
+        be used as the decryption key for that file.  you should *never* commit
+        these key files and also add them to your .gitignore - or similar.
+
+      - next a project key file is looked for.  the path of this file is
+        
+          ./sekrets.key
+          
+        normally and, in a rails' application
+
+          RAILS_ROOT/sekrets.key
+
+      - if that is not found sekrets looks for the key in the environment under
+        the env var
+
+          SEKRETS_KEY
+
+        the env var used is configurable in the library
+
+      - next the global key file is search for, the path of this file is
+
+          ~/.sekrets.key
+
+      - finally, if no key has yet been specified or found, the user is prompted
+        to input the key.  prompt only occurs if the user us attached to a tty.
+        so, for example, no prompt will hang and application being started in the
+        background such as a rails' application being managed by passenger.
+     
+
+      see Sekrets.key_for for more details
+
+    KEY DISTRIBUTION
+      sekrets does *not* attempt to solve the key distribution problem for you,
+      with one exception:
+      
+      if you are using capistrano to do a 'vanilla' ssh based deploy a simple
+      recipe is provided which will detect a local keyfile and scp it onto the
+      remote server(s) on deploy.
+
+      sekrets assumes that the local keyfile, if it exists, is correct.
+
+      in plain english the capistrano recipe does:
+
+        scp ./sekrets.key deploy@remote.host.com:/rails_root/current/sekrets.key
+
+      it goes without saying that the local keyfile should *never* be checked in
+      and also should be in .gitignore
+
+      distribution of this key among developers is outside the scope of the
+      library.  likely unencrypted email is the best mechanism for distribution
+      ;-/
+  __
+
+#
+  def run
+    help!
+  end
+
+#
+  mode(:write){
+    argument('output', 'o'){
+      argument :required
+      default STDOUT
+    }
+
+    argument('input', 'i'){
+      argument :required
+      default STDIN
+    }
+
+    option('key', 'k'){
+      argument :required
+    }
+
+    def run
+      Sekrets.openw(params[:output].value) do |output|
+        key = key_for(output)
+
+        Sekrets.openr(params[:input].value) do |input|
+          decrypted = input.read
+          encrypted = Sekrets.encrypt(key, decrypted)
+          output.write(encrypted)
+        end
+      end
+    end
+  }
+
+#
+  mode(:read){
+    argument('input', 'i'){
+      argument :required
+      default STDIN
+    }
+
+    argument('output', 'o'){
+      argument :required
+      default STDOUT
+    }
+
+    option('key', 'k'){
+      argument :required
+    }
+
+    def run
+      Sekrets.openr(params[:input].value) do |input|
+        key = key_for(input)
+
+        Sekrets.openw(params[:output].value) do |output|
+          encrypted = input.read
+          decrypted = Sekrets.decrypt(key, encrypted)
+          output.write(decrypted)
+        end
+      end
+    end
+  }
+
+#
+  mode(:edit){
+    argument(:path)
+
+    option('key', 'k'){
+      argument :required
+    }
+
+    def run
+      path = params[:path].value
+      path = File.expand_path(path)
+
+      key = key_for(path)
+
+      decrypted =
+        if test(?s, path)
+          Sekrets.read(path, :key => key)
+        else
+          ''
+        end
+
+      basename = File.basename(path)
+      encrypted = nil
+
+      Sekrets.tmpdir do
+        IO.binwrite(basename, decrypted)
+
+        command = "#{ Sekrets.editor } #{ basename }"
+
+        system(command)
+
+        if $?.exitstatus == 0
+          content = IO.binread(basename)
+          Sekrets.write(path, content, :key => key)
+        end
+      end
+    end
+  }
+
+#
+  def key_for(arg)
+    options = {}
+
+    if params[:key].given?
+      options[:key] = params[:key].value
+    end
+
+    key = Sekrets.key_for!(arg, options)
+  end
+}
+
+
+BEGIN {
+  require 'pathname'
+  bindir = Pathname.new(__FILE__).dirname.to_s
+  root = File.dirname(bindir)
+  libdir = File.join(root, 'lib')
+  require "#{ libdir }/sekrets.rb"
+  begin
+    require 'pry'
+  rescue Object
+    nil
+  end
+}

data/lib/sekrets/capistrano.rb

@@ -0,0 +1,19 @@
+Capistrano::Configuration.instance(:must_exist).load do
+  namespace :sekrets do
+    task :upload_key do
+      require 'fileutils'
+
+      rails_root = File.expand_path(File.dirname(__FILE__))
+
+      src = File.join(rails_root, 'sekrets.key')
+      dst = File.join(deploy_to, 'sekrets.key')
+
+      if test(?s, src)
+        upload(src, dst, :recursive => true)
+      end
+    end
+  end
+        
+
+  before "deploy:finalize_update", "sekrets:upload_key"
+end

data/lib/sekrets.rb

@@ -0,0 +1,343 @@
+class Sekrets
+#
+  Fattr(:env){ 'SEKRETS_KEY' }
+  Fattr(:editor){ ENV['SEKRETS_EDITOR'] || ENV['EDITOR'] || 'vim' }
+  Fattr(:root){ defined?(Rails.root) ? Rails.root : '.' }
+  Fattr(:project_key){ File.join(root, 'sekrets.key') }
+  Fattr(:global_key){ File.join(File.expand_path('~'), '.sekrets.key') }
+
+#
+  def Sekrets.key_for(*args)
+    options = Map.options_for!(args)
+    path = args.shift || options[:path]
+
+    if options.has_key?(:key)
+      key = options[:key]
+      return(key)
+    end
+
+    path = path_for(path)
+
+    if path
+      keyfiles =
+        Coerce.list_of_strings(
+          [:keyfile, :keyfiles].map{|k| options[k]},
+          %W[ #{ path }.key #{ path }.k ]
+        )
+
+      keyfiles.each do |file|
+        if test(?s, file)
+          key = IO.binread(file).strip
+          return(key)
+        end
+      end
+    end
+
+    if Sekrets.project_key and test(?s, Sekrets.project_key)
+      return IO.binread(Sekrets.project_key).strip
+    end
+
+    env_key = (options[:env] || Sekrets.env).to_s
+    if ENV.has_key?(env_key)
+      key = ENV[env_key]
+      return(key)
+    end
+
+    if Sekrets.global_key and test(?s, Sekrets.global_key)
+      return IO.binread(Sekrets.global_key).strip
+    end
+
+    unless options[:prompt] == false
+      if console?
+        key = Sekrets.ask(path)
+        return(key)
+      end
+    end
+
+    return nil
+  end
+
+#
+  def Sekrets.key_for!(*args, &block)
+    key = Sekrets.key_for(*args, &block)
+    raise(ArgumentError, 'no key!') unless key
+    key
+  end
+
+#
+  def Sekrets.read(*args, &block)
+    options = Map.options_for!(args)
+    path = args.shift || options[:path]
+    key = args.shift || Sekrets.key_for!(path, options)
+
+    return nil unless test(?s, path)
+
+    encrypted = IO.binread(path)
+    decrypted = Sekrets.decrypt(key, encrypted)
+    new(decrypted)
+  end
+
+#
+  def Sekrets.write(*args, &block)
+    options = Map.options_for!(args)
+    path = args.shift || options[:path]
+    content = args.shift || options[:content]
+    key = args.shift || Sekrets.key_for!(path, options)
+
+    dirname, basename = File.split(File.expand_path(path))
+    FileUtils.mkdir_p(dirname)
+
+    encrypted = Sekrets.encrypt(key, content)
+
+    tmp = path + '.tmp'
+    IO.binwrite(tmp, encrypted)
+    FileUtils.mv(tmp, path)
+
+    encrypted
+    new(encrypted)
+  end
+
+#
+  def Sekrets.settings_for(*args, &block)
+    decrypted = read(*args, &block)
+
+    if decrypted
+      expanded = ERB.new(decrypted).result(TOPLEVEL_BINDING)
+      object = YAML.load(expanded)
+      object.is_a?(Hash) ? Map.for(object) : object
+    end
+  end
+
+#
+  def Sekrets.prompt_for(*words)
+    ["sekrets:", words, "> "].flatten.compact.join(' ')
+  end
+
+#
+  def Sekrets.ask(question)
+    @highline ||= HighLine.new
+    @highline.ask(prompt_for(question))
+  end
+
+#
+  def Sekrets.console?
+    STDIN.tty?
+  end
+
+#
+  def Sekrets.tmpdir(&block)
+    dirname = File.join(Dir.tmpdir, 'sekrets', Process.ppid.to_s, Process.pid.to_s, rand.to_s)
+
+    FileUtils.mkdir_p(dirname)
+
+    cleanup = proc do
+      if dirname and test(?d, dirname)
+        FileUtils.rm_rf(dirname)
+      end
+    end
+
+    if block
+      begin
+        Dir.chdir(dirname) do
+          block.call(dirname)
+        end
+      ensure
+        cleanup.call
+      end
+    else
+      at_exit{ cleanup.call }
+      dirname
+    end
+  end
+ 
+#
+  def Sekrets.openw(arg, &block)
+    opened = false
+    atomic_move = proc{}
+
+    io =
+      case
+        when arg.respond_to?(:read)
+          arg
+        when arg.to_s.strip == '-'
+          STDOUT
+        else
+          opened = true
+          path = File.expand_path(arg.to_s)
+          dirname, basename = File.split(path)
+          FileUtils.mkdir_p(dirname)
+          tmp = path + ".sekrets.tmp.#{ Process.ppid }.#{ Process.pid }"
+          at_exit{ FileUtils.rm_f(tmp) }
+          atomic_move = proc{ FileUtils.mv(tmp, path) }
+          open(tmp, 'wb+')
+      end
+
+    close = 
+      proc do
+        io.close if opened
+        atomic_move.call
+      end
+
+    if block
+      begin
+        block.call(io)
+      ensure
+        close.call
+      end
+    else
+      at_exit{ close.call }
+      io
+    end
+  end
+
+#
+  def Sekrets.openr(arg, &block)
+    opened = false
+
+    io =
+      case
+        when arg.respond_to?(:read)
+          arg
+        when arg.to_s.strip == '-'
+          STDIN
+        else
+          opened = true
+          open(arg, 'rb+')
+      end
+
+    close = 
+      proc do
+        io.close if opened
+      end
+
+    if block
+      begin
+        block.call(io)
+      ensure
+        close.call
+      end
+    else
+      at_exit{ close.call }
+      io
+    end
+  end
+
+#
+  def Sekrets.path_for(object)
+    path = nil
+
+    if object.is_a?(String) or object.is_a?(Pathname)
+      return(path = object.to_s)
+    end
+
+    [:original_path, :original_filename, :path, :filename, :pathname].each do |msg|
+      if object.respond_to?(msg)
+        path = object.send(msg)
+        break
+      end
+    end
+
+    path
+  end
+
+#
+  module Blowfish
+    def cipher(mode, key, data)
+      cipher = OpenSSL::Cipher::Cipher.new('bf-cbc').send(mode)
+      cipher.key = Digest::SHA256.digest(key.to_s)
+      cipher.update(data) << cipher.final
+    end
+
+    def encrypt(key, data)
+      cipher(:encrypt, key, data)
+    end
+
+    def decrypt(key, text)
+      cipher(:decrypt, key, text)
+    end
+
+    def cycle(key, data)
+      decrypt(key, encrypt(key, data))
+    end
+
+    def recrypt(old_key, new_key, data)
+      encrypt(new_key, decrypt(old_key, data))
+    end
+
+    extend(self)
+  end
+
+  extend(Blowfish)
+end
+
+
+Sekret = Sekrets
+
+
+
+BEGIN {
+
+  require 'openssl'
+  require 'fileutils'
+  require 'erb'
+  require 'yaml'
+  require 'tmpdir'
+
+  class Sekrets < ::String
+    Version = '0.4.2' unless defined?(Version)
+
+    class << Sekrets
+      def version
+        Sekrets::Version
+      end
+
+      def dependencies
+        {
+          'highline' => [ 'highline' , ' >= 1.6.15'  ] , 
+          'map'      => [ 'map'      , ' >= 6.3.0'   ]  , 
+          'fattr'    => [ 'fattr'    , ' >= 2.2.1'   ]  , 
+          'coerce'   => [ 'coerce'   , ' >= 0.0.3'   ]  , 
+          'main'     => [ 'main'     , ' >= 5.1.1'   ]  , 
+        }
+      end
+
+      def libdir(*args, &block)
+        @libdir ||= File.expand_path(__FILE__).sub(/\.rb$/,'')
+        args.empty? ? @libdir : File.join(@libdir, *args)
+      ensure
+        if block
+          begin
+            $LOAD_PATH.unshift(@libdir)
+            block.call()
+          ensure
+            $LOAD_PATH.shift()
+          end
+        end
+      end
+
+      def load(*libs)
+        libs = libs.join(' ').scan(/[^\s+]+/)
+        Sekrets.libdir{ libs.each{|lib| Kernel.load(lib) } }
+      end
+    end
+  end
+
+  begin
+    require 'rubygems'
+  rescue LoadError
+    nil
+  end
+
+  Sekrets.dependencies.each do |lib, dependency|
+    gem(*dependency) if defined?(gem)
+    require(lib)
+  end
+
+  Sekrets.fattr(:description){
+    <<-__
+
+      foobar
+
+    __
+  }
+}

data/sekrets.gemspec

@@ -0,0 +1,50 @@
+## sekrets.gemspec
+#
+
+Gem::Specification::new do |spec|
+  spec.name = "sekrets"
+  spec.version = "0.4.2"
+  spec.platform = Gem::Platform::RUBY
+  spec.summary = "sekrets"
+  spec.description = "description: sekrets kicks the ass"
+
+  spec.files =
+["README",
+ "Rakefile",
+ "bin",
+ "bin/sekrets",
+ "lib",
+ "lib/sekrets",
+ "lib/sekrets.rb",
+ "lib/sekrets/capistrano.rb",
+ "sekrets.gemspec",
+ "test",
+ "test/lib",
+ "test/lib/testing.rb",
+ "test/sekrets_test.rb"]
+
+  spec.executables = ["sekrets"]
+  
+  spec.require_path = "lib"
+
+  spec.test_files = nil
+
+  
+    spec.add_dependency(*["highline", " >= 1.6.15"])
+  
+    spec.add_dependency(*["map", " >= 6.3.0"])
+  
+    spec.add_dependency(*["fattr", " >= 2.2.1"])
+  
+    spec.add_dependency(*["coerce", " >= 0.0.3"])
+  
+    spec.add_dependency(*["main", " >= 5.1.1"])
+  
+
+  spec.extensions.push(*[])
+
+  spec.rubyforge_project = "codeforpeople"
+  spec.author = "Ara T. Howard"
+  spec.email = "ara.t.howard@gmail.com"
+  spec.homepage = "https://github.com/ahoward/sekrets"
+end