tfa 0.0.14 → 0.0.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 165a204703e889ae75bcd6592b7c0461acab1ab105b938d8d0211e50f74b96d8
-  data.tar.gz: 1af5e8d49c650b8caf622d83ef1693177da89b1df433b24f267c1132d40e869f
+  metadata.gz: 4986f1db7a233768d23cc39c31e8c7f7257c5291b99edc2bb62256dee75c75a6
+  data.tar.gz: 9b1421af345917ceee7775fb3f74abef84e7e33394af904199c4a1fbe66fbbb0
 SHA512:
-  metadata.gz: 252e06668172e271dd76af579c888fe4906dfe57ec0e2c1f02fec0ac82cf1152c847c16e01e77416cdb1e7c5b4562e96df64de7c3765a57a2813904f58b5e47b
-  data.tar.gz: 21b407384b87ae6cd58f5ad0593c274880231830772c939fc234208d88082cd88edb0fd1907df195e15067a1ddd9f47502da0682ad7447b80c05f5b267d588e8
+  metadata.gz: 32a5d58eddc632ed57af8f8701bd65b61fd3fcc1373ea8ad121f9dbdc650a5351bf62217a66e05a41a57fd6936a67f5855d4322e6243390150452c9cc30a8695
+  data.tar.gz: 347a0f07c968bb4b295f0c2caac950a71b68baee36b677efd91d2e8fb360ed9a15201acc9ee8fb26cb1e028d89e51b1508314e60f96d7bf5c719ec385ebd2755

data/README.md

@@ -2,7 +2,6 @@
 
 [![Build Status](https://travis-ci.org/mokhan/tfa.svg?branch=v0.0.2)](https://travis-ci.org/mokhan/tfa)
 [![Code Climate](https://codeclimate.com/github/mokhan/tfa.png)](https://codeclimate.com/github/mokhan/tfa)
-[![Gitter chat](https://badges.gitter.im/mokhan/tfa.png)](https://gitter.im/mokhan/tfa)
 
 This CLI helps to manage your one time passwords for different accounts/environments.
 The goal of this tool is to help you generate one time passwords quickly

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require 'tfa'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/tfa

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+require 'tfa'
+
+begin
+  result = TFA::CLI.start(ARGV)
+  puts result unless result.is_a?(IO)
+rescue OpenSSL::Cipher::CipherError => error
+  puts error.message
+end

data/lib/tfa.rb

@@ -1,7 +1,13 @@
+require "base64"
+require "digest"
+require "json"
+require "openssl"
 require "pstore"
 require "rotp"
-require "openssl"
-require "tfa/version"
-require "tfa/totp_command"
-require "tfa/storage"
+require "yaml/store"
+
 require "tfa/cli"
+require "tfa/secure_storage"
+require "tfa/storage"
+require "tfa/totp_command"
+require "tfa/version"

data/lib/tfa/cli.rb

@@ -4,11 +4,12 @@ module TFA
   class CLI < Thor
     package_name "TFA"
     class_option :filename
+    class_option :directory
+    class_option :passphrase
 
     desc "add NAME SECRET", "add a new secret to the database"
     def add(name, secret)
-      secret = clean(secret)
-      storage.save(name, secret)
+      storage.save(name, clean(secret))
       "Added #{name}"
     end
 
@@ -32,10 +33,70 @@ module TFA
       TotpCommand.new(storage).run('', secret)
     end
 
+    desc "upgrade", "upgrade the database."
+    def upgrade
+      if !File.exist?(pstore_path)
+        say_status :error, "Unable to detect #{pstore_path}", :red
+        return
+      end
+      if File.exist?(secure_path)
+        say_status :error, "The new database format was detected.", :red
+        return
+      end
+
+      if yes? "Upgrade to #{secure_path}?"
+        secure_storage
+        pstore_storage.each do |row|
+          row.each do |name, secret|
+            secure_storage.save(name, secret) if yes?("Migrate `#{name}`?")
+          end
+        end
+        File.delete(pstore_path) if yes?("Delete `#{pstore_path}`?")
+      end
+    end
+
+    desc "encrypt", "encrypts the tfa database"
+    def encrypt
+      return unless ensure_upgraded!
+
+      secure_storage.encrypt!
+    end
+
+    desc "decrypt", "decrypts the tfa database"
+    def decrypt
+      return unless ensure_upgraded!
+
+      secure_storage.decrypt!
+    end
+
     private
 
     def storage
-      @storage ||= Storage.new(filename: options[:filename] || 'tfa')
+      File.exist?(pstore_path) ? pstore_storage : secure_storage
+    end
+
+    def pstore_storage
+      @pstore_storage ||= Storage.new(pstore_path)
+    end
+
+    def secure_storage
+      @secure_storage ||= SecureStorage.new(Storage.new(secure_path), ->{ passphrase })
+    end
+
+    def filename
+      options[:filename] || '.tfa'
+    end
+
+    def directory
+      options[:directory] || Dir.home
+    end
+
+    def pstore_path
+      File.join(directory, "#{filename}.pstore")
+    end
+
+    def secure_path
+      File.join(directory, filename)
     end
 
     def clean(secret)
@@ -45,5 +106,26 @@ module TFA
         secret
       end
     end
+
+    def passphrase
+      @passphrase ||=
+        begin
+          result = options[:passphrase] || ask("Enter passphrase:\n", echo: false)
+          raise "Invalid Passphrase" if result.nil? || result.strip.empty?
+          result
+        end
+    end
+
+    def ensure_upgraded!
+      return true if upgraded?
+
+      error = "Use the `upgrade` command to upgrade your database."
+      say_status :error, error, :red
+      false
+    end
+
+    def upgraded?
+      !File.exist?(pstore_path) && File.exist?(secure_path)
+    end
   end
 end

data/lib/tfa/secure_storage.rb

@@ -0,0 +1,72 @@
+module TFA
+  class SecureStorage
+    def initialize(original, passphrase_request)
+      @original = original
+      @passphrase_request = passphrase_request
+    end
+
+    def encrypt!(algorithm = "AES-256-CBC")
+      cipher = OpenSSL::Cipher.new(algorithm)
+      cipher.encrypt
+      cipher.key = digest
+      cipher.iv = iv = cipher.random_iv
+      plain_text = IO.read(@original.path)
+      json = JSON.generate(
+        algorithm: algorithm,
+        iv: Base64.encode64(iv),
+        cipher_text: Base64.encode64(cipher.update(plain_text) + cipher.final),
+      )
+      IO.write(@original.path, json)
+    end
+
+    def decrypt!
+      data = JSON.parse(IO.read(@original.path), symbolize_names: true)
+      decipher = OpenSSL::Cipher.new(data[:algorithm])
+      decipher.decrypt
+      decipher.key = digest
+      decipher.iv = Base64.decode64(data[:iv])
+      plain_text = decipher.update(Base64.decode64(data[:cipher_text]))
+      IO.write(@original.path, plain_text + decipher.final)
+    end
+
+    def encrypted?
+      return false unless File.exist?(@original.path)
+      JSON.parse(IO.read(@original.path))
+      true
+    rescue JSON::ParserError
+      false
+    end
+
+    private
+
+    def method_missing(name, *args, &block)
+      super unless @original.respond_to?(name)
+
+      was_encrypted = encrypted?
+      if was_encrypted
+        encrypted_content = IO.read(@original.path)
+        decrypt!
+        original_sha256 = Digest::SHA256.file(@original.path)
+      end
+      result = @original.public_send(name, *args, &block)
+      if was_encrypted
+        new_sha256 = Digest::SHA256.file(@original.path)
+
+        if original_sha256 == new_sha256
+          IO.write(@original.path, encrypted_content)
+        else
+          encrypt!
+        end
+      end
+      result
+    end
+
+    def respond_to_missing?(method, *)
+      @original.respond_to?(method)
+    end
+
+    def digest
+      @digest ||= Digest::SHA256.digest(@passphrase_request.call)
+    end
+  end
+end

data/lib/tfa/storage.rb

@@ -1,9 +1,16 @@
 module TFA
   class Storage
     include Enumerable
-
-    def initialize(options)
-      @storage = PStore.new(File.join(Dir.home, ".#{options[:filename]}.pstore"))
+    attr_reader :path
+
+    def initialize(path)
+      @path = path
+      @storage =
+        if ".pstore" == File.extname(path)
+          PStore.new(path)
+        else
+          YAML::Store.new(path)
+        end
     end
 
     def each

data/lib/tfa/version.rb

@@ -1,3 +1,3 @@
 module TFA
-  VERSION = "0.0.14".freeze
+  VERSION = "0.0.15".freeze
 end

data/tfa.gemspec

@@ -13,14 +13,18 @@ Gem::Specification.new do |spec|
   spec.homepage      = "https://github.com/mokhan/tfa/"
   spec.license       = "MIT"
 
-  spec.files         = `git ls-files -z`.split("\x0")
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
+  spec.required_ruby_version = "~> 2.0"
 
-  spec.add_dependency "rotp"
-  spec.add_dependency "thor"
+  spec.add_dependency "rotp", "~> 3.3"
+  spec.add_dependency "thor", "~> 0.20"
   spec.add_development_dependency "bundler", "~> 1.6"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rspec", "~> 3.7"
 end

metadata

@@ -1,43 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: tfa
 version: !ruby/object:Gem::Version
-  version: 0.0.14
+  version: 0.0.15
 platform: ruby
 authors:
 - mo khan
 autorequire: 
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2018-02-09 00:00:00.000000000 Z
+date: 2018-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rotp
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.3'
 - !ruby/object:Gem::Dependency
   name: thor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.20'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.20'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -56,30 +56,30 @@ dependencies:
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.7'
 description: A CLI to manage your time based one time passwords.
 email:
 - mo@mokhan.ca
@@ -95,16 +95,15 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- bin/tfa
+- bin/console
+- bin/setup
+- exe/tfa
 - lib/tfa.rb
 - lib/tfa/cli.rb
+- lib/tfa/secure_storage.rb
 - lib/tfa/storage.rb
 - lib/tfa/totp_command.rb
 - lib/tfa/version.rb
-- spec/lib/cli_spec.rb
-- spec/lib/console_spec.rb
-- spec/lib/totp_command_spec.rb
-- spec/spec_helper.rb
 - tfa.gemspec
 homepage: https://github.com/mokhan/tfa/
 licenses:
@@ -116,9 +115,9 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - "~>"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -126,12 +125,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.5
 signing_key: 
 specification_version: 4
 summary: A CLI to manage your time based one time passwords.
-test_files:
-- spec/lib/cli_spec.rb
-- spec/lib/console_spec.rb
-- spec/lib/totp_command_spec.rb
-- spec/spec_helper.rb
+test_files: []

data/bin/tfa

@@ -1,4 +0,0 @@
-#!/usr/bin/env ruby
-require 'tfa'
-
-puts TFA::CLI.start(ARGV)

data/spec/lib/cli_spec.rb

@@ -1,87 +0,0 @@
-module TFA
-  describe CLI do
-    subject { CLI.new }
-
-    def code_for(secret)
-      ::ROTP::TOTP.new(secret).now
-    end
-
-    let(:dev_secret) { ::ROTP::Base32.random_base32 }
-    let(:prod_secret) { ::ROTP::Base32.random_base32 }
-
-    describe "#add" do
-      context "when a secret is added" do
-        it "adds the secret" do
-          subject.add("development", dev_secret)
-          expect(subject.show("development")).to eql(dev_secret)
-        end
-      end
-
-      context "when a full otpauth string is added" do
-        it "strips out the url for just the secret" do
-          url = "otpauth://totp/email@email.com?secret=#{dev_secret}&issuer="
-
-          subject.add("development", url)
-          expect(subject.show("development")).to eql(dev_secret)
-        end
-      end
-    end
-
-    describe "#show" do
-      context "when a single key is given" do
-        it "returns the secret" do
-          subject.add("development", dev_secret)
-          expect(subject.show("development")).to eql(dev_secret)
-        end
-      end
-
-      context "when no key is given" do
-        it "returns the secret for all keys" do
-          subject.add("development", dev_secret)
-          subject.add("production", prod_secret)
-
-          result = subject.show.to_s
-          expect(result).to include(dev_secret)
-          expect(result).to include(prod_secret)
-        end
-      end
-    end
-
-    describe "#totp" do
-      context "when a single key is given" do
-        it "returns a time based one time password" do
-          subject.add("development", dev_secret)
-          expect(subject.totp("development")).to eql(code_for(dev_secret))
-        end
-      end
-
-      context "when no key is given" do
-        it "returns a time based one time password for all keys" do
-          subject.add("development", dev_secret)
-          subject.add("production", prod_secret)
-
-          result = subject.totp.to_s
-          expect(result).to include(code_for(dev_secret))
-          expect(result).to include(code_for(prod_secret))
-        end
-      end
-    end
-
-    describe "#destroy" do
-      let(:name) { "development" }
-
-      it "removes the secret with the given name" do
-        subject.add(name, dev_secret)
-        subject.destroy(name)
-
-        expect(subject.show(name)).to be_nil
-      end
-    end
-
-    describe "#now" do
-      it "returns a time based one time password for the given secret" do
-        expect(subject.now(dev_secret)).to eql(code_for(dev_secret))
-      end
-    end
-  end
-end

data/spec/lib/console_spec.rb

@@ -1,22 +0,0 @@
-module TFA
-  describe CLI do
-    subject { CLI.new }
-    let(:secret) { ::ROTP::Base32.random_base32 }
-
-    describe "#run" do
-      context "when adding a key" do
-        it "saves a new secret" do
-          subject.add("development", secret)
-          expect(subject.show("development")).to eql(secret)
-        end
-      end
-
-      context "when getting a one time password" do
-        it "creates a totp for a certain key" do
-          subject.add("development", secret)
-          expect(subject.totp("development")).to_not be_nil
-        end
-      end
-    end
-  end
-end

data/spec/lib/totp_command_spec.rb

@@ -1,55 +0,0 @@
-module TFA
-  describe TotpCommand do
-    subject { TotpCommand.new(storage) }
-    let(:storage) { Storage.new(filename: SecureRandom.uuid) }
-
-    def code_for(secret)
-      ::ROTP::TOTP.new(secret).now
-    end
-
-    describe "#run" do
-      context "when a single key is given" do
-        let(:secret) { ::ROTP::Base32.random_base32 }
-
-        it "returns a time based one time password for the authentication secret given" do
-          storage.save("development", secret)
-          expect(subject.run("development")).to eql(code_for(secret))
-        end
-      end
-
-      context "when no arguments are given" do
-        let(:development_secret) { ::ROTP::Base32.random_base32 }
-        let(:staging_secret) { ::ROTP::Base32.random_base32 }
-
-        it "returns the one time password for all keys" do
-          storage.save("development", development_secret)
-          storage.save("staging", staging_secret)
-
-          expect(subject.run(nil)).to match_array([
-            { "development" => code_for(development_secret) },
-            { "staging" => code_for(staging_secret) }
-          ])
-        end
-      end
-
-      context "when the key is not known" do
-        it "returns with nothing" do
-          expect(subject.run(["blah"])).to be_empty
-        end
-      end
-
-      context "when the secret is invalid" do
-        let(:invalid_secret) { "hello world" }
-
-        before :each do
-          storage.save("development", invalid_secret)
-        end
-
-        it "returns an error message" do
-          expected = { "development" => "INVALID SECRET" }
-          expect(subject.run(["development"])).to match_array([expected])
-        end
-      end
-    end
-  end
-end

data/spec/spec_helper.rb

@@ -1,81 +0,0 @@
-# This file was generated by the `rspec --init` command. Conventionally, all
-# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
-# The generated `.rspec` file contains `--require spec_helper` which will cause this
-# file to always be loaded, without a need to explicitly require it in any files.
-#
-# Given that it is always loaded, you are encouraged to keep this file as
-# light-weight as possible. Requiring heavyweight dependencies from this file
-# will add to the boot time of your test suite on EVERY test run, even for an
-# individual file that may not need all of that loaded. Instead, make a
-# separate helper file that requires this one and then use it only in the specs
-# that actually need it.
-#
-# The `.rspec` file also contains a few flags that are not defaults but that
-# users commonly want.
-#
-# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
-require 'tfa'
-require 'securerandom'
-require 'tempfile'
-RSpec.configure do |config|
-# The settings below are suggested to provide a good initial experience
-# with RSpec, but feel free to customize to your heart's content.
-=begin
-  # These two settings work together to allow you to limit a spec run
-  # to individual examples or groups you care about by tagging them with
-  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
-  # get run.
-  config.filter_run :focus
-  config.run_all_when_everything_filtered = true
-
-  # Many RSpec users commonly either run the entire suite or an individual
-  # file, and it's useful to allow more verbose output when running an
-  # individual spec file.
-  if config.files_to_run.one?
-    # Use the documentation formatter for detailed output,
-    # unless a formatter has already been configured
-    # (e.g. via a command-line flag).
-    config.default_formatter = 'doc'
-  end
-
-  # Print the 10 slowest examples and example groups at the
-  # end of the spec run, to help surface which specs are running
-  # particularly slow.
-  config.profile_examples = 10
-
-  # Run specs in random order to surface order dependencies. If you find an
-  # order dependency and want to debug it, you can fix the order by providing
-  # the seed, which is printed after each run.
-  #     --seed 1234
-  config.order = :random
-
-  # Seed global randomization in this process using the `--seed` CLI option.
-  # Setting this allows you to use `--seed` to deterministically reproduce
-  # test failures related to randomization by passing the same `--seed` value
-  # as the one that triggered the failure.
-  Kernel.srand config.seed
-
-  # rspec-expectations config goes here. You can use an alternate
-  # assertion/expectation library such as wrong or the stdlib/minitest
-  # assertions if you prefer.
-  config.expect_with :rspec do |expectations|
-    # Enable only the newer, non-monkey-patching expect syntax.
-    # For more details, see:
-    #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
-    expectations.syntax = :expect
-  end
-
-  # rspec-mocks config goes here. You can use an alternate test double
-  # library (such as bogus or mocha) by changing the `mock_with` option here.
-  config.mock_with :rspec do |mocks|
-    # Enable only the newer, non-monkey-patching expect syntax.
-    # For more details, see:
-    #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
-    mocks.syntax = :expect
-
-    # Prevents you from mocking or stubbing a method that does not exist on
-    # a real object. This is generally recommended.
-    mocks.verify_partial_doubles = true
-  end
-=end
-end