ssssh 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 57877ffbc03d544f42eceb77b1fe9338b1e0fe4d
-  data.tar.gz: e71ad0783b84aa82fcfff5ed0860f57fb6822933
+  metadata.gz: ec83c64bc73fb62f33c58e3d27dc8cef20b26d7c
+  data.tar.gz: 1aa27d50991b8b39e64c9cfe283ba933eba4c774
 SHA512:
-  metadata.gz: 3d0550f1fa05c306452820add990a42a1535b47760b21741b864c566c116e3c19f1e77128b5668fb5d52ec01465a31df2692e034cb07069244e8935fcabb46ad
-  data.tar.gz: cd814ab824fc3c116ae44c5d1df5961e1680613c1c91457f51d368f5412007a65fc2d72f3f7224de31d84d86df72591c62ba5e56e521cfd0260d03d139009134
+  metadata.gz: 7c541acd7989e44f795e47e273ec33efce13dfea19a6136d48f12cab94d637aa65d1ee803417dc8b2048acb32144c174c670e83dcf64dd5acb503bce37f7952a
+  data.tar.gz: 0d34316967b4225e652ec721a7cce6133379440e8a9c3230ed79c643361eb371b8eac5935aa7cbcd53829bfa8a71d9d8c54a92078aedad09123c0c4c3d6e35ff

data/.rubocop.yml

@@ -0,0 +1,47 @@
+Eval:
+  Exclude:
+    - "Rakefile"
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/LineLength:
+  Max: 120
+
+Metrics/MethodLength:
+  Max: 30
+
+Style/ClassAndModuleChildren:
+  EnforcedStyle: nested
+  Exclude:
+    - "spec/**/*"
+
+Style/Documentation:
+  Exclude:
+    - "spec/**/*"
+
+Style/EmptyLinesAroundBlockBody:
+  Enabled: false
+
+Style/EmptyLinesAroundClassBody:
+  EnforcedStyle: empty_lines
+
+Style/EmptyLinesAroundModuleBody:
+  Enabled: false
+
+Style/Encoding:
+  EnforcedStyle: when_needed
+  Enabled: true
+
+Style/FileName:
+  Exclude:
+    - "bin/*"
+
+Style/HashSyntax:
+  EnforcedStyle: hash_rockets
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/WordArray:
+  Enabled: false

data/Gemfile

@@ -1,6 +1,7 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in ssssh.gemspec
 gemspec
 
 gem "pry"
+gem "rubocop"

data/README.md

@@ -20,6 +20,34 @@ Naturally, suitable AWS credentials must be provided (via environment variables,
 
 "ssssh" can only encrypt small amounts of data; up to 4 KB.
 
+## Use as a command shim
+
+"ssssh exec" is a command shim that makes it easy to use secrets transported
+via the (Unix) process environment.  It decrypts any environment variables
+prefixed by "`KMS_ENCRYPTED_`", and executes a specified command.
+
+For example:
+
+```
+$ export KMS_ENCRYPTED_DB_PASSWORD=$(ssssh encrypt alias/app-secrets 'seasame')
+$ ssssh exec -- env | grep PASSWORD
+KMS_ENCRYPTED_DB_PASSWORD=CiAbQLOo2VC4QTV/Ng986wsDSJ0srAe6oZnLyzRT6pDFWRKOAQEBAgB4G0CzqNlQuEE1fzYPfOsLA0idLKwHuqGZy8s0U+qQxVkAAABlMGMGCSqGSIb3DQEHBqBWMFQCAQAwTwYJKoZIhvcNAQcBMB4GCWCGSAFlAwQBLjARBAzfFR0tsHRq18JUhMcCARCAImvuMNYuHUut3BT7sZs9a31qWcmOBUBXYEsD+kx2GxUxBPE=
+DB_PASSWORD=seasame
+```
+
+In this example, "ssssh exec":
+
+- found `$KMS_ENCRYPTED_DB_PASSWORD` in the environment
+- decrypted the contents
+- put the result in `$DB_PASSWORD`
+- executed `env`
+
+"ssssh exec" works well as an entrypoint for Docker images, e.g.
+
+    # Include "ssssh" to decode KMS_ENCRYPTED_STUFF
+    RUN gem install ssssh
+    ENTRYPOINT ["ssssh", "exec", "--"]
+
 ## See also
 
 If you'd rather install a Python interpreter than a Ruby one, secrets may also be decrypted using the AWS CLI.
@@ -27,8 +55,17 @@ If you'd rather install a Python interpreter than a Ruby one, secrets may also b
     base64 -d < secrets.encrypted > /tmp/secrets.bin
     aws kms decrypt --ciphertext-blob fileb:///tmp/secrets.bin --output text --query Plaintext | base64 -d > secrets.txt
 
+If you'd rather not install an interpreter at all, there's a Go-lang port of "ssssh":
+
+* https://github.com/realestate-com-au/shush
+
 ## Changes
 
+### 1.3.0 (2016-10-26)
+
+* Add `ssssh exec` subcommand.
+* Add support for `$KMS_ENCRYPTION_CONTEXT`.
+
 ### 1.2.0 (2015-04-27)
 
 * Add support for encryption contexts (`--context` option).

data/Rakefile

@@ -1,2 +1 @@
 require "bundler/gem_tasks"
-

data/bin/ssssh

@@ -12,7 +12,8 @@ Clamp do
 
   option ["-C", "--context"], "KEY=VALUE",
          "add to encryption context\n  (may be specified multiple times)",
-         :multivalued => true
+         :multivalued => true,
+         :environment_variable => "KMS_ENCRYPTION_CONTEXT"
 
   option ["--region"], "REGION", "AWS region",
          :environment_variable => "AWS_REGION", :required => true
@@ -41,8 +42,8 @@ Clamp do
     parameter "[PLAINTEXT]", "plaintext", :default => "STDIN"
 
     def execute
-      result = Base64.encode64(encrypt(plaintext, key_id))
-      result.gsub!("\n", "") unless wrap?
+      result = encrypt(plaintext, key_id)
+      result.delete!("\n") unless wrap?
       puts result
     end
 
@@ -60,7 +61,7 @@ Clamp do
 
     def execute
       return if ciphertext.empty?
-      puts decrypt(Base64.decode64(ciphertext))
+      puts decrypt(ciphertext)
     end
 
     private
@@ -71,6 +72,46 @@ Clamp do
 
   end
 
+  subcommand "exec", "Execute a command" do
+
+    option "--prefix", "PREFIX", "environment variable prefix",
+           :default => "KMS_ENCRYPTED_"
+
+    parameter "COMMAND ...", "command to execute", :attribute_name => :command
+
+    def execute
+      exec(decrypted_env, *command)
+    end
+
+    private
+
+    def decrypted_env
+      {}.tap do |result|
+        ENV.each do |name, ciphertext|
+          next unless name.start_with?(prefix)
+          begin
+            plaintext_name = name[prefix.length .. -1]
+            plaintext = decrypt(ciphertext)
+            result[plaintext_name] = plaintext
+          rescue Aws::KMS::Errors::InvalidCiphertextException => e
+            signal_error("cannot decrypt $#{name}; invalid ciphertext", :status => 1)
+          end
+        end
+      end
+    end
+
+  end
+
+  def run(*args)
+    super(*args)
+  rescue Aws::Errors::MissingCredentialsError
+    signal_error "no credentials provided"
+  rescue Aws::KMS::Errors::InvalidCiphertextException => e
+    signal_error("invalid ciphertext", :status => 1)
+  rescue Aws::KMS::Errors::ServiceError => e
+    signal_error(e.message, :status => 9)
+  end
+
   protected
 
   def default_region
@@ -90,7 +131,7 @@ Clamp do
       :session_token => session_token,
       :region => region,
       :logger => logger, :log_level => :debug
-    }.reject { |k,v| v.nil? || v == "" }
+    }.reject { |_k, v| v.nil? || v == "" }
   end
 
   def ec2_instance_metadata
@@ -107,10 +148,6 @@ Clamp do
 
   def with_kms
     yield Aws::KMS::Client.new(aws_config)
-  rescue Aws::KMS::Errors::InvalidCiphertextException
-    signal_error("Invalid Ciphertext", :status => 1)
-  rescue Aws::KMS::Errors::ServiceError => e
-    signal_error(e.message, :status => 9)
   end
 
   def encryption_context
@@ -118,11 +155,11 @@ Clamp do
   end
 
   def append_to_context_list(context_string)
-    key, value = context_string.split('=')
-    if value.nil?
-      raise ArgumentError, "KEY=VALUE expected"
+    context_string.split(",").each do |pair|
+      key, value = pair.split("=", 2)
+      raise ArgumentError, "KEY=VALUE expected" if value.nil?
+      encryption_context[key] = value
     end
-    encryption_context[key] = value
   end
 
   def encrypt(plaintext, key_id)
@@ -132,14 +169,14 @@ Clamp do
         :plaintext => plaintext,
         :encryption_context => encryption_context
       }
-      kms.encrypt(encryption_params).ciphertext_blob
+      Base64.encode64(kms.encrypt(encryption_params).ciphertext_blob)
     end
   end
 
   def decrypt(ciphertext)
     with_kms do |kms|
       decryption_params = {
-        :ciphertext_blob => ciphertext,
+        :ciphertext_blob => Base64.decode64(ciphertext),
         :encryption_context => encryption_context
       }
       kms.decrypt(decryption_params).plaintext

data/lib/ssssh/version.rb

@@ -1,3 +1,3 @@
 module Ssssh
-  VERSION = "1.2.1"
+  VERSION = "1.3.0".freeze
 end

data/ssssh.gemspec

@@ -1,15 +1,14 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'ssssh/version'
+require "ssssh/version"
 
 Gem::Specification.new do |spec|
 
   spec.name          = "ssssh"
   spec.version       = Ssssh::VERSION
-  spec.summary       = %q{It's a secret!}
-  spec.description   = %q{"ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).
-}
+  spec.summary       = "It's a secret!"
+  spec.description   = '"ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).
+'
   spec.license       = "MIT"
 
   spec.authors       = ["Mike Williams"]
@@ -22,10 +21,10 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "aws-sdk-core", "~> 2.0"
-  spec.add_runtime_dependency "clamp", ">= 0.6.4"
+  spec.add_runtime_dependency "clamp", ">= 1.0"
   spec.add_runtime_dependency "multi_json"
 
-  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "bundler", "~> 1.13"
   spec.add_development_dependency "rake", "~> 10.0"
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ssssh
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Mike Williams
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-15 00:00:00.000000000 Z
+date: 2016-10-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.4
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.6.4
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: multi_json
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.13'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '1.13'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -80,8 +80,10 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '10.0'
-description: |
-  "ssssh" is a small tool that can be used to encrypt and decrypt secrets, using the AWS "Key Management Service" (KMS).
+description: '"ssssh" is a small tool that can be used to encrypt and decrypt secrets,
+  using the AWS "Key Management Service" (KMS).
+
+'
 email:
 - mdub@dogbiscuit.org
 executables:
@@ -90,6 +92,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".rubocop.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -117,7 +120,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.6.7
 signing_key: 
 specification_version: 4
 summary: It's a secret!