team-secrets 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e7ac9a7e715809aaea125c89cc5c7a340b7638ae
+  data.tar.gz: 5f420a2dc9e61768dcab3b255fabc60520198b89
+SHA512:
+  metadata.gz: d602632ed1ca49c6cb89ad589fc33bddc20a5ed36899f7121cf81ac0ea6c51ef40835722b631b00f02851d5717ba456d2c182a53f4d77f901ed670db4c7c005b
+  data.tar.gz: 17d5c369d624b4bf9ec4691b12cb21da3dc9edb488032b9799769e5f14d2ee07b2ff263a1bfa7bc9a56ce9f90ea62bab94084a400cf7332f541ad8baed50bf14

data/.gitignore

@@ -0,0 +1,59 @@
+# Script-generated
+*.yml
+*.yaml
+users/
+
+# Mac
+.DS_Store
+
+# General
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.rspec

@@ -0,0 +1 @@
+--color

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.4.0
+os: linux

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem "rake"
+
+gem "gli"
+gem "hacer"
+
+gem "rspec"

data/Gemfile.lock

@@ -0,0 +1,32 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    gli (2.14.0)
+    hacer (0.0.3)
+    rake (12.0.0)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.4)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  gli
+  hacer
+  rake
+  rspec
+
+BUNDLED WITH
+   1.13.7

data/README.md

@@ -0,0 +1,45 @@
+# Team-Secrets #
+
+[![Build Status](https://travis-ci.org/firelit/secrets.svg?branch=master)](https://travis-ci.org/firelit/secrets)
+
+This is a command line utility for sharing secrets (passwords, api keys, etc) among a team and with servers. Store your passwords in a git repository and track changes without keeping sensitive data laying around all plain-text.
+
+## How It Works ##
+
+All secrets are encrypted with symmetric AES encryption and stored in a YAML file. The encryption key is then encrypted for each user of the system using asymetric public-key encryption. Then each user can decrypt the master key and reveal secrets or add new ones when needed. Everything is signed to prevent tampering and encryption keys are rotated when users are added or removed (so that new users can decrypt past secrets and old users can't decrypt new secrets).
+
+With the tag feature, you can filter credentials which has many different use cases. For isntance, use tags to differentiate between secrets used in different environments, such as `DEV`, `QA` and `PROD`.
+
+## Installing ##
+
+To use, install as a global gem.
+
+```
+gem install team-secrets
+```
+
+## How To Use ##
+
+To start a new repo for your secrets:
+```
+team-secrets init
+```
+
+You'll be the first user and you'll be prompted for a user name to use and the path to your public key. Your public key will be added to the project, along with the initial YAML files.
+
+You can then add new users:
+```
+team-secrets users add
+```
+
+And, new secrets:
+```
+team-secrets secrets add
+```
+
+Then, commit your changes and push to your central repository. Anyone you add will be able to access the secrets and manage users with through their private key.
+
+Retrieve all secrets:
+```
+team-secrets secrets list
+```

data/Rakefile

@@ -0,0 +1,7 @@
+require 'rubygems'
+require 'rake'
+
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:default) do |task|
+  task.pattern = 'spec/*.rb'
+end

data/lib/team-secrets/file_manager.rb

@@ -0,0 +1,31 @@
+require 'yaml'
+
+class FileManager
+
+    attr_accessor :data
+
+    def loadFile(file = nil)
+        if block_given?
+            string_data = yield
+        else
+            raise 'No file given' if file.nil?
+            string_data = File.read(file)
+        end
+
+        @data = YAML.load(string_data)
+    end
+
+    def writeFile(file = nil)
+        yaml = @data.to_yaml
+
+        if block_given?
+            yield yaml
+        else
+            raise 'No file given' if file.nil?
+            File.write(file, yaml)
+        end
+
+        yaml
+    end
+
+end

data/lib/team-secrets/key_helper.rb

@@ -0,0 +1,20 @@
+class KeyHelper
+
+	def self.getPublicKey(file_path)
+
+		key_string = File.read(file_path)
+
+	    if (key_string[0..7] == 'ssh-rsa ')
+	      # Test the file conversion
+	      unless system("ssh-keygen -f #{file_path} -e -m pem > /dev/null 2>&1")
+	        raise 'Could not convert ssh-rsa public key to PEM format for OpenSSL'
+	      end
+
+	      key_string = `ssh-keygen -f #{file_path} -e -m pem`
+	    end
+
+	    key_string
+
+	end
+
+end

data/lib/team-secrets/manifest_manager.rb

@@ -0,0 +1,72 @@
+require_relative './file_manager'
+
+class ManifestManager < FileManager
+
+    def initialize(master_key)
+        unless (master_key.decrypted.is_a? String) && master_key.decrypted.length
+            raise 'Master key must be decrypted'
+        end
+
+        @@working_dir = Dir.pwd
+        @master_key = master_key
+        @data = @data || {}
+    end
+
+    def validate
+
+        unless File.exists?(@@working_dir +'/manifest.yaml')
+            raise 'Required manifest.yaml does not exist'
+        end
+
+        loadFile(@@working_dir +'/manifest.yaml')
+
+        unless @data.is_a? Object
+            raise 'No valid data in manifest.yaml'
+        end
+
+        if @data[:secrets_file].nil? || @data[:users_file].nil?
+            raise 'Manifest.yaml must list a secrets_file and users_file'
+        end
+
+        @data.each do |key, value|
+
+            unless value.is_a? Object
+                raise "#{key} does not have required data"
+            end
+
+            unless File.exists?(value[:path])
+                raise "#{key} does not exist"
+            end
+
+            file_string = File.read @data[key][:path]
+            signature = @master_key.sign file_string
+
+            unless signature == value[:signature]
+                raise "#{key} signature does not match"
+            end
+
+        end
+
+        true
+    end
+
+    def update
+        ['users', 'secrets'].each do |file|
+
+            file_name = file +'.yaml'
+            absolute = @@working_dir +'/'+ file_name
+
+            unless File.exists?(absolute)
+                raise "#{file_name}.yaml does not exist, cannot update manifest"
+            end
+
+            signature = @master_key.sign File.read(absolute)
+
+            @data[(file + '_file').to_sym] = {
+                path: file_name,
+                signature: signature
+            }
+
+        end
+    end
+end

data/lib/team-secrets/master_key.rb

@@ -0,0 +1,73 @@
+require 'openssl'
+
+class MasterKey
+
+    attr_reader :encrypted, :decrypted
+
+    CONFIG = {
+      cipher: 'aes-256-cbc',
+      key_len: 32,
+      iv_len: 16
+    }
+
+    def initialize(key, encrypted = true)
+        @defaultCipher = 'AES-256-CBC'
+
+        if (encrypted)
+            @encrypted = key
+        else
+            @decrypted = key
+        end
+    end
+
+    def self.generate
+        cipher = OpenSSL::Cipher.new(CONFIG[:cipher])
+        cipher.encrypt
+        self.new(cipher.random_key, false)
+    end
+
+    def encryptWithPublicKey(public_key)
+        key = OpenSSL::PKey::RSA.new public_key
+        raise 'Not a public key' unless key.public?
+        @encrypted = key.public_encrypt @decrypted
+    end
+
+    def decryptWithPrivateKey(private_key, pass_phrase = nil)
+        key = OpenSSL::PKey::RSA.new private_key, pass_phrase
+        raise 'Not a private key' unless key.private?
+        @decrypted = key.private_decrypt @encrypted
+    end
+
+    def encryptSecret(secret)
+        cipher = OpenSSL::Cipher.new(CONFIG[:cipher])
+        cipher.encrypt
+        cipher.key = @decrypted
+        iv = cipher.random_iv
+        iv + cipher.update(secret) + cipher.final
+    end
+
+    def decryptSecret(secret)
+        decipher = OpenSSL::Cipher.new(CONFIG[:cipher])
+        decipher.decrypt
+        decipher.key = @decrypted
+        iv_len = CONFIG[:iv_len]
+        iv = secret[0..(iv_len-1)]
+        secret = secret[iv_len..-1]
+        decipher.iv = iv
+        decipher.update(secret) + decipher.final
+    end
+
+    def sign(string)
+        raise 'Must first decrypt master key with private key' unless (@decrypted.is_a? String) || @decrypted.length
+        self.class.bin_to_hex OpenSSL::HMAC.digest('sha256', @decrypted, string)
+    end
+
+    def self.bin_to_hex(s)
+        s.each_byte.map { |b| b.to_s(16).rjust(2,'0') }.join
+    end
+
+    def self.hex_to_bin(b)
+        [b].pack('H*')
+    end
+
+end

data/lib/team-secrets/secret_manager.rb

@@ -0,0 +1,121 @@
+require 'openssl'
+require_relative 'file_manager'
+
+class SecretManager < FileManager
+
+    attr_accessor :working_dir, :master_key
+
+    def initialize(master_key = nil)
+        @@working_dir = Dir.pwd
+        @@master_key = master_key unless master_key.nil?
+        @data = @data || []
+    end
+
+    # - name: SEND_GRID
+    #   tags:
+    #    - PROD
+    #    - DEV
+    #   account: my_user_name
+    #   secret: 010b606069e6e63cd24c9cf60d08351775539...
+    #   added: 2017-01-14 09:02:16.906998000 -05:00
+
+    # Add a secret
+    def add(secret_name, secret, account = nil, tags = [], notes = nil)
+        unless find(secret_name, tags, false).empty?
+            raise 'Secret already exists with these tags'
+        end
+
+        tags = [tags] unless tags.is_a? Array
+
+        secret_data = {
+            name: secret_name,
+            tags: tags,
+            account: account, # like the user name or email, if applicable
+            secret: @@master_key.class.bin_to_hex( @@master_key.encryptSecret(secret) ),
+            notes: notes,
+            added: Time.now
+        }
+
+        @data.push secret_data
+    end
+
+    # Remove a secret, must have all tags given
+    def remove(secret_name, tags = [])
+        tags = [tags] unless tags.is_a? Array
+        removed = 0
+
+        @data.keep_if do |secret_data|
+            if (secret_data[:name] == secret_name) && (tags.empty? || (tags - secret_data[:tags]).empty?)
+                removed += 1
+                false
+            else
+                true
+            end
+        end
+
+        removed
+    end
+
+    # Search for a secret, must have all tags given
+    def find(secret_name, tags = [], decrypt = true)
+        tags = [tags] unless tags.is_a? Array
+
+        return_data = []
+        @data.each do |secret_data|
+            if (secret_data[:name] == secret_name)
+                next unless tags.empty? || (tags - secret_data[:tags]).empty?
+                # If no tags or secret has all tags
+
+                this_secret = secret_data.dup
+                if decrypt
+                    this_secret[:secret] = @@master_key.decryptSecret(@@master_key.class.hex_to_bin this_secret[:secret])
+                end
+
+                return_data.push(this_secret)
+            end
+        end
+        return_data
+    end
+
+    # Get decrypted secret, array of secrets if mutliple matches
+    def getSecret(secret_name, tags = [])
+        res = find(secret_name, tags)
+        return nil if res.empty?
+        res = res.map {|x| x[:secret]}
+        return res[0] if res.length == 1
+        res
+    end
+
+    # Change the encryption key for all secrets
+    def rotateMasterKey(new_master_key)
+        @data = @data.map do |secret_data|
+            secret = secret_data[:secret]
+            plain_text = @@master_key.decryptSecret( @@master_key.class.hex_to_bin secret )
+            secret = @@master_key.class.bin_to_hex( new_master_key.encryptSecret(plain_text) )
+            secret_data[:secret] = secret
+            secret_data
+        end
+
+        @@master_key = new_master_key
+    end
+
+    # Get all decrypted secrets
+    def getAll(tags = [])
+        tags = [tags] unless tags.is_a? Array
+        return_data = []
+
+        @data.each do |secret_data|
+            if (tags.empty? || (tags - secret_data[:tags]).empty?) # If no tags or secret has all tags
+                return_data.push(
+                    name: secret_data[:name],
+                    tags: secret_data[:tags] || [],
+                    account: secret_data[:account],
+                    secret: @@master_key.decryptSecret(@@master_key.class.hex_to_bin secret_data[:secret])
+                )
+            end
+        end
+
+        return_data
+    end
+
+end

data/lib/team-secrets/user_manager.rb

@@ -0,0 +1,110 @@
+require_relative './file_manager'
+require_relative './key_helper'
+require_relative './master_key'
+
+class UserManager < FileManager
+
+    attr_accessor :working_dir, :user_dir, :master_key
+
+    HASH_ALG = :sha256
+
+    def initialize(master_key = nil)
+        @@working_dir = Dir.pwd
+        @@user_dir = @@working_dir + '/users'
+        @data = @data || []
+        @master_key = master_key unless master_key.nil?
+    end
+
+    # Add a user
+    #  - Store public key
+    #  - Add to listing
+    def add(user_name, public_key_file)
+        unless find(user_name).nil?
+            raise 'User already exists, delete existing user record to replace'
+        end
+
+        public_key = KeyHelper.getPublicKey(public_key_file)
+        key_file_hash = self.class.calcHash(HASH_ALG, public_key)
+
+        unique_file_name = self.class.calcHash(HASH_ALG, key_file_hash + user_name)
+        key_file = 'users/' + unique_file_name[0..10] + '.pem'
+
+        Dir.mkdir(@@user_dir) unless File.exists?(@@user_dir)
+        File.write(@@working_dir +'/'+ key_file, public_key)
+
+        # - user: george
+        #   public_key: users/eb0545f9010.pem
+        #   added: 2017-01-14 09:02:16.906998000 -05:00
+        #   sha256: eb0545f9010b606069e6e63cd24c9cf60d08351775539d878055cbf3330afafa
+        #   lock_Box: 010b606069e6e63cd24c9cf60d08351775539...
+
+        user_data = {
+            user: user_name,
+            public_key: key_file, # folder & file, relative to working directory
+            added: Time.now,
+            lock_box: 'error - should be replaced'
+        }
+
+        user_data[HASH_ALG] = key_file_hash
+
+        @data.push user_data
+        rotateMasterKey
+
+    end
+
+    # Remove a user
+    #  - Remove public key
+    #  - Remove from listing
+    def remove(user_name)
+        @data = @data.keep_if do |user_data|
+            next true if user_data[:user] != user_name
+            File.delete(@@working_dir +'/'+ user_data[:public_key])
+            false
+        end
+        rotateMasterKey
+    end
+
+    # Search for a user
+    def find(user_name)
+        @data.each do |user_data|
+            return user_data if user_data[:user] == user_name
+        end
+        nil
+    end
+
+    # List all user names
+    def all
+        ret = []
+        @data.each { |user_data| ret.push user_data[:user] }
+        ret
+    end
+
+    # Rotate master key
+    #  - Create a new master key
+    #  - Update all lock boxes
+    def rotateMasterKey
+        @master_key = MasterKey.generate
+
+        @data.map! do |user_data|
+            public_key = getUserKey user_data[:public_key], user_data[HASH_ALG]
+            user_data[:lock_box] = MasterKey.bin_to_hex @master_key.encryptWithPublicKey(public_key)
+            user_data
+        end
+    end
+
+    # Get the user's public key as a string
+    def getUserKey(file_name, check_hash)
+        raise 'User key doesn\'t exist' unless File.exists?(@@working_dir +'/'+ file_name)
+        file_data = File.read(@@working_dir +'/'+ file_name)
+        unless (self.class.calcHash(HASH_ALG, file_data) == check_hash)
+            raise('Key digest mismatch for '+ file_name)
+        end
+        file_data
+    end
+
+    def self.calcHash(algo, string)
+        raise 'Hash algorithim not supported' unless algo == HASH_ALG
+        Digest::SHA256.hexdigest string
+    end
+
+end