with_cred 0.0.1 → 0.0.3

data/.gitignore

@@ -1,3 +1,4 @@
+log/
 *.gem
 *.rbc
 .bundle

data/Gemfile

@@ -2,3 +2,5 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in with_cred.gemspec
 gemspec
+gem 'rspec'
+eval File.read(File.expand_path('../spec/dummy/Gemfile', __FILE__))

data/README.md

@@ -1,8 +1,14 @@
 # WithCred
 
-Put your credentials in a standard convenient place. This place is an
-encrypted tarball, which should be decrypted on deploy. If you like, you
-can commit them into your CVS, but this is not recommended
+Put your credentials in a standard convenient place. This place is
+1) An encrypted tarball, which could decrypt on deploy. If you like, you
+can commit them into your SCM/VCS, but this is not recommended.
+2) A series of unencrypted YAML files. Like above, but you can't commit
+them into your SCM/VCS
+3) An encrypted environment variable and a password. This gem helps you
+encrypt your credentials on deployment with capistrano and run commands
+with the credentials as environment variables. The credentials may never
+be persistently stored.
 
 ## Installation
 
@@ -22,7 +28,7 @@ Or install it yourself as:
 
 (1) Add the directory credentials/ and credentials.* to your .gitignore
 (2) Put your facebook credentials as follows in
-credentials/facebook.yaml
+credentials/production/facebook.yaml
 api_token: "DEADBEEF543254738o25y437"
 api_secret: "FEEBDAED3215432543523452"
 (3) Add `config.credentials_mode = "production"` to your config/environments/production.rb
@@ -31,21 +37,39 @@ api_secret: "FEEBDAED3215432543523452"
 WithCred.entials(:facebook) do |credentials|
   #Set up the facebook API stuff
 end
+
+The credentials_mode is independent from Rails.env. If you want your
+credentials to be available to all credentials_mode s, then you should
+put your yaml in credentials/
 ```
 
 Tasks
 ```
 # Decrypt, asking for password
+```
 rake credentials:decrypt
 
 # Decrypt, Looking in the file /etc/yourapp/.secret for the password
+```
 rake credentials:decrypt[/etc/yourapp/.secret]
 
 # Encrypt, asking for the password
+```
 rake credentials:encrypt
 
 # Encrypt, Looking in the file /etc/yourapp/.secret for the password
-rake credentials:encrypt[/etc/yourapp/.secret]
+```
+rake [[credentials:encrypt[/etc/yourapp/.secret]]]
+
+# Output a lockfile, for credentials compatability checking. Use the
+  lockfile to check compatability of credentials with the app. Check
+this file into your VCS/SCM.
+```
+rake credentials:lock
+
+# Check that the credentials match what we expect from the lockfile.
+```
+rake credentials:check
 
 ## Contributing
 

data/lib/with_cred/capistrano.rb

@@ -0,0 +1,43 @@
+# Can't figure out how to require this file only for capistrano tasks.
+# It's not required by default, so feel free to copypasta
+
+Capistrano::Configuration.instance(:must_exist).load do
+
+  def with_credentials_run(*args)
+    pwd = ENV['PASSWORD']
+    cred = WithCred.encrypted
+
+    if pwd
+      args[0] = "ENCRYPTED_CREDENTIALS='#{cred}' ; #{args[0]}"
+    end
+
+    if cred
+      args[0] = "PASSWORD='#{pwd}' ; #{args[0]}"
+    end
+
+    run(*args)
+  end
+
+
+  namespace :credentials do
+    desc "ask for credentials password"
+    task :password_prompt do
+      ENV['PASSWORD'] = Capistrano::CLI.password_prompt("Please enter password to decrypt credentials.")
+    end
+
+    desc "check"
+    task :check do
+      credentials.password_prompt
+      with_credentials_run "bundle exec rake credentials:check"
+    end
+
+    desc "lock"
+    task :lock do
+      credentials.password_prompt
+      WithCred.lock
+    end
+
+  end
+
+end
+

data/lib/with_cred/railtie.rb

@@ -6,6 +6,10 @@ module WithCred
       rake_tasks do
         Dir[File.expand_path('../tasks/*.rake', __FILE__)].each { |f| load f }
       end
+
+      config.before_configuration do
+        WithCred.configure
+      end
     end
   end
 end

data/lib/with_cred/recipes.rb

@@ -0,0 +1,10 @@
+Capistrano::Configuration.instance.load do
+
+  namespace :password do
+    desc "ask for credentials password"
+    task :prompt do
+      WithCred::Deployment.password = Capistrano::CLI.password_prompt("Please enter password to decrypt credentials.")
+    end
+  end
+
+end

data/lib/with_cred/tasks/credentials.rake

@@ -20,4 +20,22 @@ namespace :credentials do
 
   end
 
+  desc "Encrypt for use as an environment variable"
+  task :env_encrypt do |t, args|
+    password = ENV['PASSWORD']
+    raise "Please supply a password as an environment variable" unless password
+
+    puts WithCred.encrypted
+  end
+
+  desc "Check that the environment variable credentials are correct"
+  task :check => :environment do
+    WithCred.check!
+  end
+
+  desc "Output a lockfile unique to the credentials set"
+  task :lock => :environment do
+    WithCred.lock
+  end
+
 end

data/lib/with_cred/version.rb

@@ -1,3 +1,3 @@
 module WithCred
-  VERSION = "0.0.1"
+  VERSION = "0.0.3"
 end

data/lib/with_cred.rb

@@ -1,28 +1,189 @@
 require "with_cred/version"
+require "with_cred/railtie" if defined?(::Rails)
+#require "with_cred/capistrano" if defined?(::Capistrano)
+require "base64"
+require "encryptor"
 
 class CredentialsNotFoundError < StandardError ; end
 
 module WithCred
-  def self.entials_for(file)
 
-    # This method ignores the block if the credentials are required, and we are not supposed to need them.
-    # Passes the credentials into the block as read from the credentials YAML file at "#{Rails.root}/credentials/#{file}.yaml"
+  class InvalidCredentialsError < StandardError ; end
 
-    if (allowed = (Rails.application.config.credentials_mode == "production"))
+  class Configuration
+    attr_accessor :credentials_dir, :credententials_mode, :credentials_hash, :password
 
-      credentials = nil
+    def initialize
+      @algorithm = 'aes-256-cbc'
+      @credentials_hash = {}
+    end
+
+    def add_from_encrypted(ciphertext)
+      if ciphertext && ciphertext.length > 0
+        encrypted_binary = Base64.urlsafe_decode64(ciphertext)
+        decrypted_yaml = Encryptor.decrypt(encrypted_binary, :key => @password, :algorithm => @algorithm)
+        decrypted_hash = YAML::load(decrypted_yaml)
+        @credentials_hash.merge!(decrypted_hash)
+      end
+    end
+
+    def encrypted
+      Base64.urlsafe_encode64(encrypted_binary)
+    end
+
+    def encrypted_binary
+      Encryptor.encrypt(sorted_credentials_hash.to_yaml, :key => @password, :algorithm => @algorithm)
+    end
+
+    def check!(fp)
+      check(fp) || raise(InvalidCredentialsError.new("The fingerprints do not match"))
+    end
+
+    def check(fp)
+      fingerprint == fp
+    end
+
+    def fingerprint
+      Digest::SHA256.hexdigest(Base64.urlsafe_decode64(encrypted))
+    end
+
+    def add_credentials(path = [], leaf = {})
+
+      key = path.pop
+
+      twig = path.inject(@credentials_hash) do |hash, key|
+        hash[key.to_sym] ||= {}
+      end
+
+      twig[key.to_sym] = leaf
+
+    end
+
+    def credentials_for_mode(mode)
+      our_mode_credentials = @credentials_hash[mode.to_sym] || {}
+      all_mode_credentials = @credentials_hash[:_all] || {}
+      all_mode_credentials.merge(our_mode_credentials)
+    end
+
+    def sorted_credentials_hash
+      def sorter(h)
+        result = {}
+        h.keys.sort.each do |k|
+          if h[k].is_a?(Hash)
+            result[k] = sorter(h[k])
+          else
+            result[k] = h[k]
+          end
+        end
+        result
+      end
+
+      sorter(@credentials_hash)
+    end
+  end
+
+  class ApplicationConfiguration < Configuration
+
+    attr_accessor :credentials_dir, :credentials_mode
+
+    def initialize
+
+      super
+      if defined?(::Rails)
+        @src_root = ::Rails.root
+      else
+        @src_root = ENV['PWD']
+      end
+
+      if defined?(::Rails) && ::Rails.application.config.respond_to?(:credentials_mode)
+        @credentials_mode = ::Rails.application.config.credentials_mode
+      else
+        @credentials_mode = "production"
+      end
+
+      @credentials_dir = File.join(@src_root, 'credentials')
+
+      self.password = ENV['PASSWORD']
+      self.add_from_encrypted(ENV['ENCRYPTED_CREDENTIALS'])
+      add_from_files
+
+    end
+
+    def add_from_files
+      all_credentials_files = Dir[File.join(@credentials_dir, "**", "*.yaml")]
+
+      all_credentials_files.each do |path|
+
+        hash_path =
+          path.gsub(/\.[^\.]*$/, '').
+          gsub(/^#{self.credentials_dir}/, '').
+          split('/').
+          reject{|tok| tok.length == 0}
+
+        if File.join(File.dirname(path), "") == File.join(self.credentials_dir, "")
+          hash_path.unshift(:_all)
+        end
+
+        credentials = YAML::load_file(path)
+
+        add_credentials(hash_path, credentials)
+      end
+    end
+
+    def check!(fp = nil)
+      super(fp || File.read(lock_file_name))
+    end
+
+    def lock
+      File.open(lock_file_name, 'w') do |f|
+        f.write fingerprint
+      end
+    end
+
+    def credentials_for_current_mode
+      credentials_for_mode(@credentials_mode)
+    end
+
+    private
+    def lock_file_name
+      File.join(@src_root, 'credentials.lock')
+    end
 
-      begin
-        credentials = YAML::load_file("#{Rails.root}/credentials/#{file.to_s}.yaml")
-      rescue
-        raise CredentialsNotFoundError
+  end
+
+  class << self
+    attr_accessor :application_config
+
+    [:encrypted, :check!, :lock].each do |m|
+      define_method m do |*args, &block|
+        self.application_config.public_send(m, *args, &block)
       end
+    end
+  end
+
+  def self.configure
+    self.application_config ||= ApplicationConfiguration.new
+    yield application_config if block_given?
+  end
+
+  def self.deconfigure
+    self.application_config = nil
+  end
+
+  def self.entials_for(*hash_path)
 
-      yield credentials
+    hash_place = application_config.credentials_for_current_mode
+
+    # Delve
+    hash_path.each do |key|
+      key = key.to_sym
+      hash_place[key] ||= {}
+      hash_place = hash_place[key]
     end
 
-    return allowed
+    yield hash_place
 
   end
+
 end
 

data/spec/dummy/Gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gem 'rails', '3.2.13'
+
+# Bundle edge Rails instead:
+# gem 'rails', :git => 'git://github.com/rails/rails.git'
+
+gem 'sqlite3'
+gem 'capistrano'

data/spec/dummy/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/config/application.rb

@@ -0,0 +1,16 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails'
+
+if defined?(Bundler)
+  # If you precompile assets before deploying to production, use this line
+  Bundler.require(*Rails.groups(:assets => %w(development test)))
+  # If you want your assets lazily compiled in production, use this line
+  # Bundler.require(:default, :assets, Rails.env)
+end
+
+module Dummy
+  class Application < Rails::Application
+    config.credentials_mode = "development"
+  end
+end

data/spec/dummy/config/boot.rb

@@ -0,0 +1,6 @@
+require 'rubygems'
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Dummy::Application.initialize!

data/spec/dummy/config/environments/development.rb

@@ -0,0 +1,3 @@
+Dummy::Application.configure do
+  config.active_support.deprecation = :log
+end

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Dummy::Application

data/spec/dummy/credentials/development/twitter/api.yaml

@@ -0,0 +1 @@
+:secret: some_token

data/spec/dummy/credentials/github.yaml

@@ -0,0 +1 @@
+:password: developer

data/spec/dummy/log/development.log

@@ -0,0 +1 @@
+Connecting to database specified by database.yml

data/spec/env_credentials_spec.rb

@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe WithCred do
+  context 'from environment variables' do
+    let(:password) { 'secret' }
+    let(:credentials) {
+      {
+        :development => {
+          :merchant_account => {
+            :api_key => "secret"
+          }
+        },
+        :_all => {
+          :gateway => {
+            :name => 'swipe'
+          }
+        }
+      }.to_yaml
+    }
+    let(:encrypted_credentials) {
+      Base64.urlsafe_encode64(Encryptor.encrypt(credentials, :key => password, :algorithm => 'aes-256-cbc'))
+    }
+
+    before do
+      ENV['ENCRYPTED_CREDENTIALS'] = encrypted_credentials
+      ENV['PASSWORD'] = password
+
+      # Simulate process reload
+      WithCred.configure
+    end
+
+    after do
+      WithCred.deconfigure
+    end
+
+    it "decrypts the credentials" do
+      WithCred.entials_for(:merchant_account) do |c|
+        c[:api_key].should == "secret"
+      end
+    end
+
+    it "allows credentials for all environments" do
+      WithCred.entials_for(:gateway) do |c|
+        c[:name].should == "swipe"
+      end
+    end
+
+    after do
+      ENV['ENCRYPTED_CREDENTIALS'] = nil
+      ENV['PASSWORD'] = nil
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require File.expand_path('../dummy/config/environment.rb', __FILE__)
+
+RSpec.configure do |config|
+  WithCred.deconfigure
+end

data/spec/with_cred_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+
+describe WithCred do
+
+  context "in a rails app" do
+    context "config" do
+      let(:config) {
+        config = WithCred::ApplicationConfiguration.new
+      }
+      it "configures based on credentials_mode" do
+        config.credentials_mode.should == "development"
+        config.credentials_dir.should == File.join(Rails.root, "credentials")
+      end
+    end
+  end
+
+
+end

data/spec/yaml_credentials_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+
+describe WithCred do
+
+  context "in a rails app" do
+    before do
+      WithCred.configure
+    end
+
+    after do
+      WithCred.deconfigure
+    end
+
+    context "credentials from yaml files" do
+      it "loads credentials from a tree of nested files" do
+        WithCred.entials_for(:twitter) do |c|
+          c[:api][:secret].should == "some_token"
+        end
+      end
+    end
+
+    context "retrieving credentials" do
+      it "loads credentials for the correct environment" do
+        WithCred.entials_for(:twitter) do |c|
+          c.should_not be_empty
+        end
+      end
+
+      it "ignores credentials for other environments" do
+        Rails.application.config.stub(:credentials_mode).and_return("production")
+
+        WithCred.deconfigure
+        WithCred.configure
+
+        WithCred.entials_for(:twitter) do |c|
+          c.should be_empty
+        end
+      end
+
+      it "loads root credentials for all environments" do
+        WithCred.entials_for(:github) do |c|
+          c[:password].should == "developer"
+        end
+      end
+    end
+
+  end
+end

data/with_cred.gemspec

@@ -9,11 +9,13 @@ Gem::Specification.new do |gem|
   gem.authors       = ["John Cant"]
   gem.email         = ["a.johncant@gmail.com"]
   gem.description   = %q{Simple credentials storage}
-  gem.summary       = %q{bla}
+  gem.summary       = %q{Credentials as environment variables or as files}
   gem.homepage      = "https://github.com/johncant/with_cred"
 
   gem.files         = `git ls-files`.split($/)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
+
+  gem.add_dependency 'encryptor'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: with_cred
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,8 +9,24 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-05-03 00:00:00.000000000 Z
-dependencies: []
+date: 2013-05-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: encryptor
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Simple credentials storage
 email:
 - a.johncant@gmail.com
@@ -24,9 +40,25 @@ files:
 - README.md
 - Rakefile
 - lib/with_cred.rb
+- lib/with_cred/capistrano.rb
 - lib/with_cred/railtie.rb
+- lib/with_cred/recipes.rb
 - lib/with_cred/tasks/credentials.rake
 - lib/with_cred/version.rb
+- spec/dummy/Gemfile
+- spec/dummy/Rakefile
+- spec/dummy/config.ru
+- spec/dummy/config/application.rb
+- spec/dummy/config/boot.rb
+- spec/dummy/config/environment.rb
+- spec/dummy/config/environments/development.rb
+- spec/dummy/credentials/development/twitter/api.yaml
+- spec/dummy/credentials/github.yaml
+- spec/dummy/log/development.log
+- spec/env_credentials_spec.rb
+- spec/spec_helper.rb
+- spec/with_cred_spec.rb
+- spec/yaml_credentials_spec.rb
 - with_cred.gemspec
 homepage: https://github.com/johncant/with_cred
 licenses: []
@@ -51,6 +83,20 @@ rubyforge_project:
 rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
-summary: bla
-test_files: []
+summary: Credentials as environment variables or as files
+test_files:
+- spec/dummy/Gemfile
+- spec/dummy/Rakefile
+- spec/dummy/config.ru
+- spec/dummy/config/application.rb
+- spec/dummy/config/boot.rb
+- spec/dummy/config/environment.rb
+- spec/dummy/config/environments/development.rb
+- spec/dummy/credentials/development/twitter/api.yaml
+- spec/dummy/credentials/github.yaml
+- spec/dummy/log/development.log
+- spec/env_credentials_spec.rb
+- spec/spec_helper.rb
+- spec/with_cred_spec.rb
+- spec/yaml_credentials_spec.rb
 has_rdoc: