shhh 1.3.0

data/lib/shhh/app/keychain.rb

@@ -0,0 +1,135 @@
+require 'shhh'
+require 'shhh/app'
+require 'shhh/errors'
+
+
+module Shhh
+  module App
+    #
+    # This class forms and shells several commands that wrap Mac OS-X +security+ command.
+    # They provide access to storing generic passwords in the KeyChain Access.
+    #
+    class KeyChain
+      class << self
+        attr_accessor :user, :kind, :sub_section
+
+        def configure
+          yield self
+        end
+
+        def validate!
+          raise ArgumentError.new(
+            'User is not defined. Either set $USER in environment, or directly on the class.') unless self.user
+        end
+      end
+
+      configure do
+        self.kind        = 'shhh'
+        self.user        = ENV['USER']
+        self.sub_section = 'generic-password'
+      end
+
+      attr_accessor :key_name, :opts, :stderr_disabled
+
+      def initialize(key_name, opts = {})
+        self.key_name = key_name
+        self.opts     = opts
+        self.class.validate!
+      end
+
+      def add(password)
+        execute command(:add, "-U -w '#{password}' ")
+      end
+
+      def find
+        execute command(:find, ' -g -w ')
+      end
+
+      def delete
+        execute command(:delete)
+      end
+
+      def execute(command)
+        command += ' 2>/dev/null' if stderr_disabled
+        puts "> #{command.yellow.green}" if opts[:verbose]
+        output = `#{command}`
+        result = $?
+        raise Shhh::Errors::ExternalCommandError.new("Command error: #{result}, command: #{command}") unless result.success?
+        output.chomp
+      rescue Errno::ENOENT => e
+        raise Shhh::Errors::ExternalCommandError.new("Command error: #{e.message}, command: #{command}")
+      end
+
+      def stderr_off
+        self.stderr_disabled = true
+      end
+
+      def stderr_on
+        self.stderr_disabled = false
+      end
+
+      private
+
+      def command(action, extras = nil)
+        out = base_command(action)
+        out << extras if extras
+        out = out.join
+        # Do not actually ever run these commands on non MacOSX
+        out = "echo Run this –\"#{out}\", on #{Shhh::App.this_os}?\nAre you sure?" unless Shhh::App.is_osx?
+        out
+      end
+
+      def base_command(action)
+        [
+          "security #{action}-#{self.class.sub_section} ",
+          "-a '#{self.class.user}' ",
+          "-D '#{self.class.kind}' ",
+          "-s '#{self.key_name}' "
+        ]
+      end
+    end
+  end
+end
+
+
+#
+# Usage: add-generic-password [-a account] [-s service] [-w password] [options...] [-A|-T appPath] [keychain]
+#     -a  Specify account name (required)
+#     -c  Specify item creator (optional four-character code)
+#     -C  Specify item type (optional four-character code)
+#     -D  Specify kind (default is "application password")
+#     -G  Specify generic attribute (optional)
+#     -j  Specify comment string (optional)
+#     -l  Specify label (if omitted, service name is used as default label)
+#     -s  Specify service name (required)
+#     -p  Specify password to be added (legacy option, equivalent to -w)
+#     -w  Specify password to be added
+#     -A  Allow any application to access this item without warning (insecure, not recommended!)
+#     -T  Specify an application which may access this item (multiple -T options are allowed)
+#     -U  Update item if it already exists (if omitted, the item cannot already exist)
+#
+# Usage: find-generic-password [-a account] [-s service] [options...] [-g] [keychain...]
+#     -a  Match "account" string
+#     -c  Match "creator" (four-character code)
+#     -C  Match "type" (four-character code)
+#     -D  Match "kind" string
+#     -G  Match "value" string (generic attribute)
+#     -j  Match "comment" string
+#     -l  Match "label" string
+#     -s  Match "service" string
+#     -g  Display the password for the item found
+#     -w  Display only the password on stdout
+# If no keychains are specified to search, the default search list is used.
+#         Find a generic password item.
+#
+# Usage: delete-generic-password [-a account] [-s service] [options...] [keychain...]
+#     -a  Match "account" string
+#     -c  Match "creator" (four-character code)
+#     -C  Match "type" (four-character code)
+#     -D  Match "kind" string
+#     -G  Match "value" string (generic attribute)
+#     -j  Match "comment" string
+#     -l  Match "label" string
+#     -s  Match "service" string
+# If no keychains are specified to search, the default search list is used.
+#         Delete a generic password item.

data/lib/shhh/app/output/file.rb

@@ -0,0 +1,23 @@
+module Shhh
+  module App
+    module Output
+      class File
+        attr_accessor :cli
+
+        def initialize(cli)
+          self.cli = cli
+        end
+
+        def opts
+          cli.opts
+        end
+
+        def output_proc
+          ->(data) {
+            ::File.open(opts[:output], 'w') { |f| f.write(data) }
+          }
+        end
+      end
+    end
+  end
+end

data/lib/shhh/app/output/stdout.rb

@@ -0,0 +1,11 @@
+module Shhh
+  module App
+    module Output
+      class Stdout < File
+        def output_proc
+          ->(argument) { puts argument }
+        end
+      end
+    end
+  end
+end

data/lib/shhh/app/private_key/base64_decoder.rb

@@ -0,0 +1,17 @@
+module Shhh
+  module App
+    module PrivateKey
+      class Base64Decoder < Struct.new(:encoded_key)
+
+        def key
+          return nil if encoded_key.nil?
+          begin
+            Base64.urlsafe_decode64(encoded_key)
+          rescue ArgumentError
+            encoded_key
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shhh/app/private_key/decryptor.rb

@@ -0,0 +1,50 @@
+require_relative 'decryptor'
+module Shhh
+  module App
+    module PrivateKey
+      class Decryptor
+        include Shhh
+
+        attr_accessor :encrypted_key, :input_handler
+
+        def initialize(encrypted_key, input_handler = Shhh::App::Input::Handler)
+          self.encrypted_key = encrypted_key
+          self.input_handler = input_handler
+        end
+
+        def key
+          return nil if encrypted_key.nil?
+          decrypted_key = nil
+          if should_decrypt?
+            begin
+              retries ||= 0
+              decrypted_key = decrypt(password)
+            rescue ::OpenSSL::Cipher::CipherError => e
+              STDERR.puts 'Invalid password. Please try again.'
+              ((retries += 1) < 3) ? retry : raise(Shhh::Errors::InvalidPasswordPrivateKey.new(e))
+            end
+          else
+            decrypted_key = encrypted_key
+          end
+          decrypted_key
+        end
+
+        private
+
+        def should_decrypt?
+          encrypted_key && (encrypted_key.length > 32)
+        end
+
+
+        def decrypt(password)
+          decr_password(encrypted_key, password)
+        end
+
+        def password
+          input_handler.ask
+        end
+
+      end
+    end
+  end
+end

data/lib/shhh/app/private_key/detector.rb

@@ -0,0 +1,34 @@
+module Shhh
+  module App
+    module PrivateKey
+      class Detector < Struct.new(:opts) # :nodoc:
+        @mapping = Hash.new
+        class << self
+          attr_reader :mapping
+
+          def register(argument, proc)
+            self.mapping[argument] = proc
+          end
+        end
+
+        def key
+          self.class.mapping.each_pair do |options_key, key_proc|
+            return key_proc.call(self.opts[options_key]) if self.opts[options_key]
+          end
+          nil
+        end
+      end
+
+      Detector.register :private_key, ->(key) { key }
+      Detector.register :interactive, -> { Input::Handler.prompt('Private Key: ', :magenta) }
+      Detector.register :keychain, ->(key_name) { KeyChain.new(key_name).find }
+      Detector.register :keyfile, ->(file) {
+        begin
+          ::File.read(file)
+        rescue Errno::ENOENT
+          raise Shhh::Errors::FileNotFound.new("Encryption key file #{file} was not found.")
+        end
+      }
+    end
+  end
+end

data/lib/shhh/app/private_key/handler.rb

@@ -0,0 +1,34 @@
+require_relative 'detector'
+require_relative 'base64_decoder'
+require_relative 'decryptor'
+module Shhh
+  module App
+    module PrivateKey
+      # This class figures out what is the private key that is
+      # provided to be used.
+      class Handler
+        include Shhh
+
+        attr_accessor :opts, :key
+
+        def initialize(opts)
+          self.opts = opts
+
+
+          self.key =
+            begin
+              Detector.new(opts).key
+            rescue Shhh::Errors::Error => e
+              if Shhh::App::Args.new(opts).key? && key.nil?
+                raise e
+              end
+            end
+
+          if key && key.length > 45
+            self.key = Decryptor.new(Base64Decoder.new(key).key).key
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shhh/app.rb

@@ -0,0 +1,45 @@
+require 'shhh/data'
+require 'active_support/inflector'
+module Shhh
+  # The +App+ Module is responsible for handing user input and executing commands.
+  # Central class in this module is the +CLI+ class.
+
+  # This module is responsible for printing pretty errors and maintaining the
+  # future exit code class-global variable.
+
+  module App
+    class << self
+      attr_accessor :exit_code
+    end
+
+    self.exit_code = 0
+
+    def self.out
+      STDERR
+    end
+
+    def self.error(
+      config: {},
+      exception: nil,
+      type: nil,
+      details: nil,
+      reason: nil)
+
+      self.out.puts([\
+                    "#{(type || exception.class.name).titleize}:".red.bold.underlined +
+                    (sprintf '  %s', details || exception.message).red.italic,
+                    reason ? "\n#{reason.blue.bold.italic}" : nil].compact.join("\n"))
+      self.out.puts "\n" + exception.backtrace.join("\n").bold.red if exception && config && config[:trace]
+      self.exit_code = 1
+    end
+
+    def self.is_osx?
+      Gem::Platform.local.os.eql?('darwin')
+    end
+    def self.this_os
+      Gem::Platform.local.os
+    end
+  end
+end
+
+Shhh.dir_r 'shhh/app'

data/lib/shhh/cipher_handler.rb

@@ -0,0 +1,45 @@
+require 'base64'
+require_relative 'configuration'
+
+module Shhh
+  #
+  # +CipherHandler+ contains cipher-related utilities necessary to create
+  # ciphers, and seed them with the salt or iV vector,
+  #
+  module CipherHandler
+
+    CREATE_CIPHER = ->(name) { ::OpenSSL::Cipher.new(name) }
+
+    CipherStruct = Struct.new(:cipher, :iv, :salt)
+
+    def create_cipher(direction:,
+                      cipher_name:,
+                      iv: nil,
+                      salt: nil)
+
+      cipher = new_cipher(cipher_name)
+      cipher.send(direction)
+      iv        ||= cipher.random_iv
+      cipher.iv = iv
+      CipherStruct.new(cipher, iv, salt)
+    end
+
+    def new_cipher(cipher_name)
+      CREATE_CIPHER.call(cipher_name)
+    end
+
+    def update_cipher(cipher, value)
+      data = cipher.update(value)
+      data << cipher.final
+      data
+    end
+
+    module ClassMethods
+      def create_private_key
+        key = CREATE_CIPHER.call(Shhh::Configuration.property(:private_key_cipher)).random_key
+        ::Base64.urlsafe_encode64(key)
+      end
+    end
+  end
+end
+

data/lib/shhh/configuration.rb

@@ -0,0 +1,23 @@
+module Shhh
+  # Application configuration Singleton class.
+  # It's values are requested by the library upon encryption or
+  # decryption, or any other operation.
+
+  class Configuration
+    class << self
+      attr_accessor :config
+
+      def configure
+        self.config ||= Configuration.new
+        yield config if block_given?
+      end
+
+      def property(name)
+        self.config.send(name)
+      end
+    end
+
+    attr_accessor :data_cipher, :password_cipher, :private_key_cipher
+    attr_accessor :compression_enabled, :compression_level
+  end
+end

data/lib/shhh/data/decoder.rb

@@ -0,0 +1,28 @@
+require_relative '../errors'
+require 'base64'
+require 'zlib'
+module Shhh
+  module Data
+    class Decoder
+      attr_accessor :data, :data_encoded, :data
+
+      def initialize(data_encoded, compress)
+        self.data_encoded = data_encoded
+        self.data         = begin
+          Base64.urlsafe_decode64(data_encoded)
+        rescue
+          data_encoded
+        end
+
+        if compress.nil? || compress # auto-guess
+          self.data = begin
+            Zlib::Inflate.inflate(data)
+          rescue Zlib::Error => e
+            data
+          end
+        end
+        self.data = Marshal.load(data)
+      end
+    end
+  end
+end

data/lib/shhh/data/encoder.rb

@@ -0,0 +1,24 @@
+require 'base64'
+require 'zlib'
+
+require 'shhh/errors'
+require 'shhh/configuration'
+
+module Shhh
+  module Data
+    class Encoder
+      attr_accessor :data, :data_encoded
+
+      def initialize(data, compress)
+        self.data         = data
+        self.data_encoded = Marshal.dump(data)
+        self.data_encoded = Zlib::Deflate.deflate(data_encoded, compression_level) if compress
+        self.data_encoded = Base64.urlsafe_encode64(data_encoded)
+      end
+
+      def compression_level
+        Shhh::Configuration.config.compression_level
+      end
+    end
+  end
+end

data/lib/shhh/data/wrapper_struct.rb

@@ -0,0 +1,43 @@
+require_relative '../errors'
+module Shhh
+  module Data
+    class WrapperStruct < Struct.new(
+      :encrypted_data,        # [Blob] Binary encrypted data (possibly compressed)
+      :iv,                    # [String] IV used to encrypt the data
+      :cipher_name,           # [String] Name of the cipher used
+      :salt,                  # [Integer] For password-encrypted data this is the salt
+      :version,               # [Integer] Version of the cipher used
+      :compress               # [Boolean] indicates if compression should be applied
+      )
+
+      VERSION = 1
+
+      attr_accessor :compressed
+
+      def initialize(
+        encrypted_data:, # [Blob] Binary encrypted data (possibly compressed)
+        iv:, # [String] IV used to encrypt the data
+        cipher_name:, # [String] Name of the cipher used
+        salt: nil, # [Integer] For password-encrypted data this is the salt
+        version: VERSION, # [Integer] Version of the cipher used
+        compress: Shhh::Configuration.config.compression_enabled
+      )
+        super(encrypted_data, iv, cipher_name, salt, version, compress)
+      end
+
+      def config
+        Shhh::Configuration.config
+      end
+
+      def serialize
+        Marshal.dump(self)
+      end
+
+      def self.deserialize(data)
+        Marshal.load(data)
+      end
+    end
+  end
+end
+
+

data/lib/shhh/data.rb

@@ -0,0 +1,23 @@
+require_relative 'errors'
+require 'base64'
+require 'zlib'
+
+require_relative 'data/wrapper_struct'
+require_relative 'data/encoder'
+require_relative 'data/decoder'
+
+module Shhh
+  # This module is responsible for taking arbitrary data of any format, and safely compressing
+  # the result of `Marshal.dump(data)` using Zlib, and then doing `#urlsafe_encode64` encoding
+  # to convert it to a string,
+  module Data
+    def encode(data, compress = true)
+      Encoder.new(data, compress).data_encoded
+    end
+
+    def decode(data_encoded, compress = nil)
+      Decoder.new(data_encoded, compress).data
+    end
+  end
+end
+

data/lib/shhh/errors.rb

@@ -0,0 +1,27 @@
+module Shhh
+  module Errors
+    # Exceptions superclass for this library.
+    class Shhh::Errors::Error < StandardError; end
+
+    # No secret has been provided for encryption or decryption
+    class NoPrivateKeyFound < Shhh::Errors::Error; end
+    class PasswordsDontMatch < Shhh::Errors::Error; end
+    class PasswordTooShort < Shhh::Errors::Error; end
+    class DataEncodingVersionMismatch< Shhh::Errors::Error; end
+    class EditorExitedAbnormally < Shhh::Errors::Error; end
+    class InvalidEncodingPrivateKey < Shhh::Errors::Error; end
+    class InvalidPasswordPrivateKey < Shhh::Errors::Error; end
+    class FileNotFound < Shhh::Errors::Error; end
+    class ExternalCommandError < Shhh::Errors::Error; end
+
+    # Method was called on an abstract class. Override such methods in
+    # subclasses, and use subclasses for instantiation of objects.
+    class AbstractMethodCalled < ArgumentError
+      def initialize(method, message = nil)
+        super("Abstract method call, on #{method}" + (message || ''))
+      end
+    end
+  end
+end
+
+

data/lib/shhh/extensions/class_methods.rb

@@ -0,0 +1,12 @@
+require 'base64'
+require 'shhh/cipher_handler'
+
+module Shhh
+  module Extensions
+    module ClassMethods
+      def self.extended(klass)
+        klass.extend Shhh::CipherHandler::ClassMethods
+      end
+    end
+  end
+end