RubyGems - team-secrets - Versions diffs - 0.1.0 - Mend

team-secrets 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

checksums.yaml +7 -0
data/.gitignore +59 -0
data/.rspec +1 -0
data/.travis.yml +4 -0
data/Gemfile +8 -0
data/Gemfile.lock +32 -0
data/README.md +45 -0
data/Rakefile +7 -0
data/lib/team-secrets/file_manager.rb +31 -0
data/lib/team-secrets/key_helper.rb +20 -0
data/lib/team-secrets/manifest_manager.rb +72 -0
data/lib/team-secrets/master_key.rb +73 -0
data/lib/team-secrets/secret_manager.rb +121 -0
data/lib/team-secrets/user_manager.rb +110 -0
data/lib/team-secrets.rb +448 -0
data/spec/file_manager_spec.rb +57 -0
data/spec/manifest_manager_spec.rb +70 -0
data/spec/master_key_spec.rb +107 -0
data/spec/secret_manager_spec.rb +122 -0
data/spec/support/test_key +30 -0
data/spec/support/test_key.pub +1 -0
data/spec/support/test_key.pub.pem +8 -0
data/spec/user_manager_spec.rb +67 -0
data/team-secrets.gemspec +19 -0
metadata +72 -0

data/lib/team-secrets.rb ADDED Viewed

@@ -0,0 +1,448 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'gli'
+require 'io/console'
+require 'yaml'
+require 'fileutils'
+require 'digest'
+require 'openssl'
+require_relative 'team-secrets/manifest_manager'
+require_relative 'team-secrets/user_manager'
+require_relative 'team-secrets/secret_manager'
+include GLI::App
+program_desc 'Secrets - sharing secrets secretly'
+pre do |global_options,command,options,args|
+    config = File.read('config.yaml') if File.exists?('config.yaml')
+    config = YAML.load(config) || {}
+    unless options.key? :user && !options[:user].nil?
+        if config.key? :user
+            options[:user] = config[:user]
+        else
+            puts 'Your user name was not specified. Use the `-u` flag or put it in config.yaml.'
+            next false
+        end
+    else
+        options[:user] = options[:user].strip
+    end
+    unless options.key? :private && !options[:user].nil?
+        if config.key? :private
+            options[:private] = config[:private]
+        else
+            puts 'Your private key was not specified. Use the `-p` flag or put it in config.yaml.'
+            next false
+        end
+    end
+    true
+end
+valid_user_names = /\A[A-Z0-9_\.]+\Z/i
+desc 'Start a new Secrets repository'
+long_desc 'Create the necessary file structure to create a new Secrets repository'
+skips_pre
+command :init do |c|
+    c.desc 'Your username'
+    c.flag [:u,:user], type: String, must_match: valid_user_names
+    c.desc 'Path to public key (in PEM format)'
+    c.flag [:k,:key_file], type: String
+    c.action do |global_options,options,args|
+        raise 'OpenSSL must be installed and in the PATH' unless system("openssl version")
+        user_name = options[:user]
+        until user_name && (/\A.+\z/i =~ user_name)
+            default = `echo $USER`.chomp
+            print "Your username (no spaces) [#{default}]: "
+            user_name = STDIN.gets.chomp
+            user_name = default if user_name.empty?
+        end
+        key_file = options[:key_file]
+        until key_file && File.exists?(key_file)
+            print 'Path to public key: '
+            key_file = STDIN.gets.chomp
+            puts "File does not exist or cannot be acccessed." unless File.exists?(key_file)
+        end
+        puts "Creating users directory & users.yaml..."
+        users_file = UserManager.new
+        users_file.add user_name, key_file
+        # New master key
+        master_key = users_file.master_key
+        users_file.writeFile 'users.yaml'
+        puts "Creating template secrets.yaml..."
+        secrets_file = SecretManager.new
+        secrets_file.writeFile 'secrets.yaml'
+        puts "Writing manifest.yaml..."
+        manifest = ManifestManager.new master_key
+        manifest.update
+        manifest.writeFile 'manifest.yaml'
+        puts green('Done!')
+        puts 'Now, create a new repository with these files and commit. Your new secrets repo is ready to go.'
+    end
+end
+desc 'Manage users for this Secrets repository'
+long_desc 'Add and remove users or servers who will be able to manage this Secrets repository'
+command :user do |c|
+    c.desc 'Your user name'
+    c.flag [:u,:user], type: String, must_match: valid_user_names
+    c.desc 'Path to your private key'
+    c.flag [:p,:private], type: String
+    c.desc 'Add a new user'
+    c.command :add do |add|
+        add.action do |global_options,options,args|
+            print 'New user\'s name: '
+            new_user = STDIN.gets.chomp
+            raise 'A user name must be specified' if new_user.empty?
+            print 'Path to user\'s public key: '
+            key_file = STDIN.gets.chomp
+            raise "File does not exist or cannot be acccessed." unless File.exists?(key_file)
+            # Check signatures
+            # Use current user's private key to get master key from lock_box
+            # Use master key to get all secrets
+            # Add new user's record & public key
+            # Generate new master key
+            # Encrypt all secrets with new master key
+            # Encrypt master key with each user's public key, placing in lock_box
+            # Update signatures
+        end
+    end
+    c.desc 'List all users'
+    c.command :list do |add|
+        add.action do
+            # List all users
+            users = UserManager.new
+            users.loadFile 'users.yaml'
+            puts "#{users.all.length} users:\n"
+            users.all.each do |user|
+                puts user+"\n"
+            end
+        end
+    end
+    c.desc 'Remove a user'
+    c.command :rm do |add|
+        add.action do |global_options,options,args|
+            print 'User to remove: '
+            new_user = STDIN.gets.chomp
+            raise 'A user name must be specified' if new_user.empty?
+            # Check signatures
+            # Use current user's private key to get master key from lock_box
+            # Use master key to get all secrets
+            # Remove old user's record & public key
+            # Generate new master key
+            # Encrypt all secrets with new master key
+            # Encrypt master key with each user's public key, placing in lock_box
+            # Update signatures
+            master_key = load_master_key(options[:user], options[:private])
+            manifest = ManifestManager.new master_key
+            manifest.validate
+            secrets = SecretManager.new master_key
+            secrets.loadFile 'secrets.yaml'
+            users = UserManager.new master_key
+            remove_data = users.find options[:remove]
+            raise 'User not found for removal' if remove_data.nil?
+            users.remove remove_data[:user]
+            users.writeFile 'users.yaml'
+            master_key = users.master_key
+            secrets.rotateMasterKey master_key
+            secrets.writeFile 'secrets.yaml'
+            manifest.master_key = master_key
+            manifest.update
+            manifest.writeFile 'manifest.yaml'
+            print green('Success! ')
+            puts 'User removed.'
+        end
+    end
+end
+desc 'Manage the secrets in this Secrets repository'
+long_desc 'Add, read and remove secrets that users can retrieve from this Secrets repository'
+command :secret do |c|
+    c.desc 'Your user name'
+    c.arg_name 'user'
+    c.flag [:u,:user], type: String, must_match: valid_user_names
+    c.desc 'Path to your private key'
+    c.arg_name 'private'
+    c.flag [:p,:private], type: String
+    c.desc 'Name of this secret (e.g., SMTP_PASS)'
+    c.arg_name 'name'
+    c.flag [:n,:name], type: String
+    c.desc 'The optional account name (e.g., a username)'
+    c.arg_name 'account', :optional
+    c.flag [:a,:account], type: String
+    c.desc 'Optional tags (e.g., PROD)'
+    c.arg_name 'tags', :optional
+    c.flag [:t,:tags], type: String
+    c.desc 'Any optional notes'
+    c.arg_name 'notes', :optional
+    c.flag [:notes], type: String
+    c.desc 'Add a new secret'
+    c.command :add do |add|
+        add.action do |global_options,options,args|
+            if options[:name].nil?
+                print 'A name for this secret: '
+                options[:name] = STDIN.gets.chomp
+                raise 'A name must be specified' if options[:name].empty?
+            end
+            if options[:account].nil?
+                print 'The secret\'s account name (optional): '
+                options[:account] = STDIN.gets.chomp
+            end
+            if options[:tags].nil?
+                print 'Tags for this secret, space-separated (optional): '
+                options[:tags] = STDIN.gets.chomp
+            end
+            tags = parse_tags(options[:tags])
+            if args.empty?
+                print 'Secret to encrypt: '
+                secret = STDIN.noecho(&:gets)
+                secret = secret.chomp
+                raise 'No secret given' if secret.empty?
+            else
+                secret = args[0]
+            end
+            # Check signatures
+            # Use current user's private key to get master key from lock_box
+            # Add new secret's record
+            # Encrypt secret with master key
+            # Update signatures
+            puts
+            master_key = load_master_key(options[:user], options[:private])
+            manifest = ManifestManager.new master_key
+            manifest.validate
+            secrets = SecretManager.new master_key
+            secrets.loadFile 'secrets.yaml'
+            secrets.add options[:name].strip, secret, options[:account], tags
+            secrets.writeFile 'secrets.yaml'
+            manifest.update
+            manifest.writeFile 'manifest.yaml'
+            print green('Success! ')
+            puts 'New secret has been encrypted and added.'
+        end
+    end
+    c.desc 'List all secrets'
+    c.command :list do |add|
+        add.action do |global_options,options,args|
+            if options[:tags].nil?
+                print 'Tags for this secret, space-separated (optional): '
+                options[:tags] = STDIN.gets.chomp
+            end
+            tags = parse_tags(options[:tags])
+            # Check signatures
+            # List all secrets
+            master_key = load_master_key(options[:user], options[:private])
+            manifest = ManifestManager.new master_key
+            manifest.validate
+            secrets = SecretManager.new master_key
+            secrets.loadFile 'secrets.yaml'
+            all = secrets.getAll tags
+            puts 'All secrets: '
+            all.each {|tag| puts tag}
+        end
+    end
+    c.desc 'Reveal a secret'
+    c.command :show do |add|
+        add.action do |global_options,options,args|
+            if options[:name].nil?
+                print 'The name of the secret: '
+                options[:name] = STDIN.gets.chomp
+                raise 'A name must be specified' if options[:name].empty?
+            end
+            if options[:tags].nil?
+                print 'Tags for this secret, space-separated (optional): '
+                options[:tags] = STDIN.gets.chomp
+            end
+            tags = parse_tags(options[:tags])
+            # Check signatures
+            # Use current user's private key to get master key from lock_box
+            # Decrypt secret with master key
+            master_key = load_master_key(options[:user], options[:private])
+            manifest = ManifestManager.new master_key
+            manifest.validate
+            secrets = SecretManager.new master_key
+            secrets.loadFile 'secrets.yaml'
+            secret_data = secrets.find options[:name].strip, tags
+            secret_data.each do |key, value|
+                next if value.nil?
+                puts key.to_s + ': ' + value.inspect
+            end
+        end
+    end
+    c.desc 'Remove a secret'
+    c.command :rm do |add|
+        add.action do |global_options,options,args|
+            if options[:name].nil?
+                print 'The name of the secret: '
+                options[:name] = STDIN.gets.chomp
+                raise 'A name must be specified' if options[:name].empty?
+            end
+            if options[:tags].nil?
+                print 'Tags for this secret, space-separated (optional): '
+                options[:tags] = STDIN.gets.chomp
+            end
+            tags = parse_tags(options[:tags])
+            # Check signatures
+            # Use current user's private key to get master key from lock_box
+            # Remove secret from listing
+            # Update signatures
+            master_key = load_master_key(options[:user], options[:private])
+            manifest = ManifestManager.new master_key
+            manifest.validate
+            secrets = SecretManager.new master_key
+            secrets.loadFile 'secrets.yaml'
+            removed = secrets.remove options[:name].strip, tags
+            if removed == 0 then
+                puts 'No secrets matched criteria'
+                next
+            end
+            secrets.writeFile 'secrets.yaml'
+            manifest.update
+            manifest.writeFile 'manifest.yaml'
+            print green('Success! ')
+            if (removed == 1)
+                puts removed +' matching secret has been removed.'
+            else
+                puts removed +' matching secrets have been removed.'
+            end
+        end
+    end
+end
+on_error do |exception|
+    # Use GLI error handling for GLI exception
+    next true if exception.class.name.split("::").first == 'GLI'
+    $stderr.puts red(exception.message)
+    false # skip GLI's error handling
+end
+def load_master_key(user, private_key_file)
+    users = UserManager.new
+    users.loadFile 'users.yaml'
+    user_data = users.find user
+    raise "Your user account (#{user}) could not be found" if user_data.nil?
+    master_key = MasterKey.new MasterKey.hex_to_bin(user_data[:lock_box])
+    master_key.decryptWithPrivateKey File.read(private_key_file)
+    master_key
+end
+def parse_tags(tags)
+    return [] if tags.empty?
+    tags = tags.split
+    tags.keep_if {|tag| !tag.empty?}
+    tags.map(&:to_sym)
+end
+def green(string)
+    "\e[32m#{string}\e[0m"
+end
+def red(string)
+    "\e[31m#{string}\e[0m"
+end
+exit run(ARGV)

data/spec/file_manager_spec.rb ADDED Viewed

@@ -0,0 +1,57 @@
+require 'team-secrets/file_manager'
+describe FileManager do
+    it 'can load a file' do
+        fm = FileManager.new
+        fm.loadFile do
+            <<~YAML
+            :YAML: YAML Ain't Markup Language
+            :List:
+              - Item 1
+              - Item 2
+              - Item 3
+            YAML
+        end
+        correct = {
+            YAML: 'YAML Ain\'t Markup Language',
+            List: [
+                'Item 1',
+                'Item 2',
+                'Item 3'
+            ]
+        }
+        expect(fm.data).to eq(correct)
+    end
+    it 'can export a file' do
+        fm = FileManager.new
+        fm.data = {
+            YAML: 'YAML Ain\'t Markup Language',
+            List: [
+                'Item 1',
+                'Item 2',
+                'Item 3'
+            ]
+        }
+        correct = <<~YAML
+            ---
+            :YAML: YAML Ain't Markup Language
+            :List:
+            - Item 1
+            - Item 2
+            - Item 3
+        YAML
+        fm.writeFile do |result|
+            expect(result).to eq(correct)
+        end
+    end
+end

data/spec/manifest_manager_spec.rb ADDED Viewed

@@ -0,0 +1,70 @@
+require 'team-secrets/manifest_manager'
+require 'team-secrets/master_key'
+describe ManifestManager do
+    context 'managing the manifest' do
+        master_key = MasterKey.generate
+        before(:all) do
+            Dir.chdir File.dirname(File.dirname(__FILE__))
+            Dir.mkdir 'tmp' unless File.exists? 'tmp'
+            Dir.chdir 'tmp'
+            File.delete 'manifest.yaml' if File.exists? 'manifest.yaml'
+            File.write('users.yaml', 'Sample 1')
+            File.write('secrets.yaml', 'Sample 2')
+        end
+        after(:all) do
+            File.delete 'manifest.yaml' if File.exists? 'manifest.yaml'
+            File.delete 'users.yaml' if File.exists? 'users.yaml'
+            File.delete 'secrets.yaml' if File.exists? 'secrets.yaml'
+        end
+        it 'can update and write the data' do
+            manifest = ManifestManager.new(master_key)
+            expect(File.exists?('manifest.yaml')).to eq(false)
+            manifest.update
+            manifest.writeFile('manifest.yaml')
+            expect(manifest.validate).to eq(true)
+            expect(File.exists?('manifest.yaml')).to eq(true)
+            written = File.read('manifest.yaml')
+            data_written = YAML.load(written)
+            expect(data_written[:users_file]).to be
+            expect(data_written[:users_file].length).to eq(2)
+            expect(data_written[:users_file][:path]).to eq('users.yaml')
+            expect(data_written[:users_file][:signature]).to match(/\A[0-9a-f]{10,}\z/)
+            expect(data_written[:secrets_file]).to be
+            expect(data_written[:secrets_file].length).to eq(2)
+            expect(data_written[:secrets_file][:path]).to eq('secrets.yaml')
+            expect(data_written[:secrets_file][:signature]).to match(/\A[0-9a-f]{10,}\z/)
+        end
+        it 'can validate the data' do
+            expect(File.exists?('manifest.yaml')).to eq(true)
+            manifest = ManifestManager.new(master_key)
+            manifest.loadFile('manifest.yaml')
+            expect(manifest.validate).to eq(true)
+            File.write('users.yaml', 'Sample 3')
+            expect { manifest.validate }.to raise_error(/signature does not match/)
+        end
+    end
+end

data/spec/master_key_spec.rb ADDED Viewed

@@ -0,0 +1,107 @@
+require 'team-secrets/master_key'
+describe MasterKey do
+    context 'doing hexidecimal conversion' do
+        it 'can convert a string to hexidecimal string' do
+            res = MasterKey.bin_to_hex('Hello!')
+            expect(res).to eq('48656c6c6f21')
+        end
+        it 'can convert a hexidecimal string to binary' do
+            res = MasterKey.hex_to_bin('576f726c6421')
+            expect(res).to eq('World!')
+        end
+        it 'can go to hexidecimal and back' do
+            res = MasterKey.bin_to_hex('Hello World!!')
+            back = MasterKey.hex_to_bin(res)
+            expect(back).to eq('Hello World!!')
+        end
+    end
+    context 'generating AES keys' do
+        it 'can generate a new AES key' do
+            nk = MasterKey.generate
+            expect(nk).to be_a_kind_of(MasterKey)
+            expect(nk.instance_variable_get(:@decrypted).length).to eq(MasterKey::CONFIG[:key_len])
+        end
+        it 'can generate a unique AES key' do
+            nk = MasterKey.generate
+            nk2 = MasterKey.generate
+            expect(nk.instance_variable_get(:@decrypted).length).to eq(MasterKey::CONFIG[:key_len])
+            expect(nk2.instance_variable_get(:@decrypted).length).to eq(MasterKey::CONFIG[:key_len])
+            expect(nk.instance_variable_get(:@decrypted)).to_not eq(nk2.instance_variable_get(:@decrypted))
+        end
+    end
+    context 'encryption with key pair' do
+        it 'can encrypt a new master key with a public key' do
+            mk = MasterKey.generate
+            pub_key = File.read File.expand_path('../support/test_key.pub.pem', __FILE__)
+            mk.encryptWithPublicKey(pub_key)
+            expect(mk.instance_variable_get(:@encrypted).length).to be > 50
+            expect(mk.instance_variable_get(:@decrypted)).to_not eq(mk.instance_variable_get(:@encrypted))
+        end
+        it 'can decrypt a master key with a private key' do
+            enc = '1f1656df3d2d4f9cd2376bc95f06d64003d0ba286699fde326df091f68ed8d2d287a4f09363c18061b124963ceeaa6136803859d9eaf296cf09011e9262efa5e3950b3cd947466115e251cb547afabb52bd0896fcf93c2796a4ce20795d2a5ea7f2eff6910cf7768f2df4a32ee6d95f8d43287e8af304be2648ebaa51f6d20572084e47b39b63a644546bf73fb28bf2610aeaaa68b9385ad90ec0aaf528019ca2e41553b3f2d722d928f930a54128d74c2a6871de3af9e09ff5e26c51a0740c289b49072c424e978e97b86e983792d54c58eb1a9e9821524d443ec6d01589c46260e09a77e6138ade975c75c0d8ec82480fe19514eab861e56dc1b2f756caef7'
+            mk = MasterKey.new(MasterKey.hex_to_bin(enc), true)
+            priv_key = File.read File.expand_path('../support/test_key', __FILE__)
+            mk.decryptWithPrivateKey(priv_key, '12345')
+            expect(mk.instance_variable_get(:@decrypted).length).to be(MasterKey::CONFIG[:key_len])
+            expect(mk.instance_variable_get(:@decrypted)).to_not eq(mk.instance_variable_get(:@encrypted))
+        end
+    end
+    context 'encryption functionality' do
+        it 'can encrypt a string' do
+            mk = MasterKey.new('1234'*8, false)
+            res = mk.encryptSecret('My Secret')
+            expect(res).to_not eq('My Secret')
+        end
+        it 'can not decrypt a string with the wrong key' do
+            mk = MasterKey.new('1234'*8, false)
+            res = mk.encryptSecret('My Secret 2')
+            mk2 = MasterKey.new('0000'*8, false)
+            expect { back = mk2.decryptSecret(res) }.to raise_error(/bad decrypt/)
+        end
+        it 'can encrypt and decrypt a string' do
+            mk = MasterKey.new('1234'*8, false)
+            res = mk.encryptSecret('My Secret 3')
+            mk2 = MasterKey.new('1234'*8, false)
+            back = mk2.decryptSecret(res)
+            expect(back).to eq('My Secret 3')
+        end
+    end
+end