RubyGems - yaml_vault - Versions diffs - 0.1.0 → 0.2.0 - Mend

yaml_vault 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 40d3decc007bc319e9a1a735ccf599dd706ddc5c
-  data.tar.gz: 3f3c1c587bb2e0d9e401a5d9348f5904df040b63
+  metadata.gz: 2a0bdfb9602aac1932efba9fd68eab1083ed2c32
+  data.tar.gz: 2e8f8caede77d7f49d50f0354a39d9809b9cfbe5
 SHA512:
-  metadata.gz: 23bf5c76edb6852b819c8e89cab6325b7ae77b88a4f729e4cb73f04cef470083318929993e9667fedc5aebfe61e8c594d126f4887f6182be0f8d048e6b7638f3
-  data.tar.gz: f01be0901bc36145ac4d05eecc704c72822c5c9e8a570c644064365aae0bf17f5fce6f6b09ab5ccaa6afbec5db0ed53c1cd023428e7a7ebde5a2e99fdc64256d
+  metadata.gz: 1b994e252cb2d603a1bc69944a0d5d575ad1c10e51b10ff834024f6ffe939c935a7483bc8cdd258651b734fcddc394e193f957d351021de0b8ca0f9372daaeec
+  data.tar.gz: 7e2893a031100688009d2a71ac912b816cd85cc45c2bc802bd581aa29728a5f69d6a436d7d3b86515cdb3f065fcdbfae4471aa3431fed61e2912ed15d2ced025

data/.gitignore CHANGED Viewed

@@ -7,3 +7,5 @@
 /pkg/
 /spec/reports/
 /tmp/
+.envrc

data/README.md CHANGED Viewed

@@ -1,6 +1,14 @@
 # YamlVault
+[![Gem Version](https://badge.fury.io/rb/yaml_vault.svg)](https://badge.fury.io/rb/yaml_vault)
-Yaml file encryption/decription helper.
+Yaml file encryption/decryption helper.
+## Encryption Algorithm
+yaml_vault uses ActiveSupport::MessageEncryptor.
+Default cipher is `aes-256-cbc`.
+Default sign digest is `SHA256`.
 ## Installation

data/exe/yaml_vault CHANGED Viewed

@@ -7,35 +7,83 @@ require 'thor'
 class YamlVault::Cli < Thor
   include Thor::Actions
+  class_option :key, aliases: "-k", type: :string, banner: "KEYNAME (format: \"KEY1.INNER_KEY,KEY2\")", desc: "target key", default: "vault"
+  class_option :cryptor, type: :string, enum: %w(simple aws-kms), default: "simple"
+  class_option :salt, aliases: "-s", type: :string
+  class_option :cipher, type: :string, desc: "Encrypt cipher (see. OpenSSL::Cipher.ciphers)", default: "aes-256-cbc"
+  class_option :digest, type: :string, desc: "Sign digest algorithm (see. OpenSSL::Digest.constants)", default: "SHA256"
+  class_option :use_sign_passphrase, type: :boolean, default: false
+  class_option :aws_kms_key_id, type: :string
+  class_option :aws_region, type: :string
+  class_option :aws_access_key_id, type: :string
+  class_option :aws_secret_access_key, type: :string
   desc "encrypt YAML_FILE", "Encrypt yaml file"
   method_option :output, aliases: "-o", type: :string, required: true
-  method_option :key, aliases: "-k", type: :string, desc: "target key (format: \"KEY1.INNER_KEY,KEY2\")", default: "vault"
-  method_option :salt, aliases: "-s", type: :string
-  method_option :passphrase, aliases: "-p", type: :string
-  method_option :cipher, type: :string
   def encrypt(yaml_file)
-    passphrase = ENV["YAML_VAULT_PASSPHRASE"] || options[:passphrase] || ask("Enter passphrase:", echo: false)
-    raise "Please input passphrase" if passphrase.blank?
-    keys = options[:key] ? options[:key].split(/,\s?/).map { |k| k.split(".") } : ["vault"]
-    encrypted_yaml = YamlVault.encrypt_yaml(passphrase, yaml_file, keys, salt: options[:salt], cipher: options[:cipher])
+    passphrase, sign_passphrase = get_passphrase
+    encrypted_yaml = YamlVault::Main.new(
+      yaml_file,
+      target_keys,
+      options[:cryptor],
+      passphrase: passphrase,
+      sign_passphrase: sign_passphrase,
+      salt: options[:salt], cipher: options[:cipher], digest: options[:digest],
+      aws_kms_key_id: options[:aws_kms_key_id],
+      aws_region: options[:aws_region],
+      aws_access_key_id: options[:aws_access_key_id],
+      aws_secret_access_key: options[:aws_secret_access_key]
+    ).encrypt_yaml
     puts "encrypted #{yaml_file} -> #{options[:output]}"
     File.open(options[:output], "w") { |f| f.write encrypted_yaml }
   end
   desc "decrypt YAML_FILE", "Decrypt yaml file"
   method_option :output, aliases: "-o", type: :string, required: true
-  method_option :key, aliases: "-k", type: :string, desc: "target key (format: \"KEY1.INNER_KEY,KEY2\")", default: "vault"
-  method_option :salt, aliases: "-s", type: :string
-  method_option :passphrase, aliases: "-p", type: :string
-  method_option :cipher, type: :string
   def decrypt(yaml_file)
-    passphrase = ENV["YAML_VAULT_PASSPHRASE"] || options[:passphrase] || ask("Enter passphrase:", echo: false)
-    raise "Please input passphrase" if passphrase.blank?
-    keys = options[:key] ? options[:key].split(/,\s?/).map { |k| k.split(".") } : ["vault"]
-    decrypted_yaml = YamlVault.decrypt_yaml(passphrase, yaml_file, keys, salt: options[:salt], cipher: options[:cipher])
+    passphrase, sign_passphrase = get_passphrase
+    decrypted_yaml = YamlVault::Main.new(
+      yaml_file,
+      target_keys,
+      options[:cryptor],
+      passphrase: passphrase,
+      sign_passphrase: sign_passphrase,
+      salt: options[:salt], cipher: options[:cipher], digest: options[:digest],
+      aws_kms_key_id: options[:aws_kms_key_id],
+      aws_region: options[:aws_region],
+      aws_access_key_id: options[:aws_access_key_id],
+      aws_secret_access_key: options[:aws_secret_access_key]
+    ).decrypt_yaml
     puts "decrypted #{yaml_file} -> #{options[:output]}"
     File.open(options[:output], "w") { |f| f.write decrypted_yaml }
   end
+  private
+  def get_passphrase
+    return nil, nil unless options[:cryptor] == "simple"
+    passphrase = ENV["YAML_VAULT_PASSPHRASE"] || ask("Enter passphrase:", echo: false)
+    puts "\n"
+    if ENV["YAML_VAULT_SIGN_PASSPHRASE"]
+      sign_passphrase = ENV["YAML_VAULT_SIGN_PASSPHRASE"]
+    elsif options[:use_sign_passphrase]
+      sign_passphrase = ask("Enter sign passphrase:", echo: false)
+      puts "\n"
+    else
+      sign_passphrase = nil
+    end
+    raise "Please input passphrase" if passphrase.blank?
+    return passphrase, sign_passphrase
+  end
+  def target_keys
+    options[:key] ? options[:key].split(/,\s?/).map { |k| k.split(".") } : ["vault"]
+  end
 end
 YamlVault::Cli.start

data/lib/yaml_vault/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module YamlVault
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/yaml_vault.rb CHANGED Viewed

@@ -1,33 +1,65 @@
 require 'yaml_vault/version'
 require 'yaml'
+require 'base64'
 require 'erb'
 require 'active_support'
 module YamlVault
-  class << self
-    def encrypt_yaml(passphrase, yaml, keys, salt: nil, cipher: nil)
-      process_yaml(passphrase, yaml, keys, salt: salt.to_s, cipher: cipher) do |cryptor, data|
-        do_process(cryptor, data, :encrypt)
+  class Main
+    def initialize(
+      yaml, keys, cryptor_name = nil,
+      passphrase: nil, sign_passphrase: nil, salt: nil, cipher: "aes-256-cbc", digest: "SHA256",
+      aws_kms_key_id: nil, aws_region: nil, aws_access_key_id: nil, aws_secret_access_key: nil
+    )
+      @yaml = yaml
+      @keys = keys
+      @passphrase = passphrase
+      @sign_passphrase = sign_passphrase
+      @salt = salt.to_s
+      @cipher = cipher
+      @digest = digest
+      @aws_kms_key_id = aws_kms_key_id
+      @aws_region = aws_region
+      @aws_access_key_id = aws_access_key_id
+      @aws_secret_access_key = aws_secret_access_key
+      @cryptor = get_cryptor(cryptor_name)
+    end
+    def encrypt_yaml
+      process_yaml do |data|
+        do_process(data, :encrypt)
       end
     end
-    def decrypt_yaml(passphrase, yaml, keys, salt: nil, cipher: nil)
-      process_yaml(passphrase, yaml, keys, salt: salt.to_s, cipher: cipher) do |cryptor, data|
-        do_process(cryptor, data, :decrypt)
+    def decrypt_yaml
+      process_yaml do |data|
+        do_process(data, :decrypt)
       end
     end
     private
-    def process_yaml(passphrase, yaml, keys, salt:, cipher:)
-      cryptor = ValueCryptor.new(passphrase, salt, cipher)
-      data = YAML.load(ERB.new(File.read(yaml)).result)
-      keys.each do |key|
+    def get_cryptor(name)
+      if name == "simple"
+        ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest)
+      elsif name == "aws-kms"
+        ValueCryptor::KMS.new(@aws_kms_key_id, region: @aws_region, aws_access_key_id: @aws_access_key_id, aws_secret_access_key: @aws_secret_access_key)
+      else
+        ValueCryptor::Simple.new(@passphrase, @sign_passphrase, @salt, @cipher, @digest)
+      end
+    end
+    def process_yaml
+      data = YAML.load(ERB.new(File.read(@yaml)).result)
+      @keys.each do |key|
         target = key.inject(data) do |t, part|
           t[part]
         end
-        vault_data = yield cryptor, target
+        vault_data = yield target
         target_parent = key[0..-2].inject(data) do |t, part|
           t[part]
@@ -37,42 +69,74 @@ module YamlVault
       data.to_yaml
     end
-    def do_process(cryptor, data, method)
+    def do_process(data, method)
       case data
       when Hash
         data.each do |k, v|
           if v.is_a?(Hash) || v.is_a?(Array)
-            do_process(cryptor, v, method)
+            do_process(v, method)
           else
-            data[k] = cryptor.send(method, v)
+            data[k] = @cryptor.send(method, v)
           end
         end
       when Array
         data.each_with_index do |v, i|
           if v.is_a?(Hash) || v.is_a?(Array)
-            do_process(cryptor, v, method)
+            do_process(v, method)
           else
-            data[i] = cryptor.send(method, v)
+            data[i] = @cryptor.send(method, v)
           end
         end
       else
-        cryptor.send(method, data)
+        @cryptor.send(method, data)
       end
     end
-  end
-  class ValueCryptor
-    def initialize(passphrase, salt, cipher)
-      key = ActiveSupport::KeyGenerator.new(passphrase, cipher: cipher || 'aes-256-cbc').generate_key(salt)
-      @cryptor = ActiveSupport::MessageEncryptor.new(key)
-    end
+    module ValueCryptor
+      class Simple
+        def initialize(passphrase, sign_passphrase, salt, cipher, digest, key_size = 64)
+          key = ActiveSupport::KeyGenerator.new(passphrase).generate_key(salt, key_size)
+          signature_key = ActiveSupport::KeyGenerator.new(sign_passphrase).generate_key(salt, key_size) if sign_passphrase
-    def encrypt(value)
-      @cryptor.encrypt_and_sign(value)
-    end
+          if signature_key
+            @cryptor = ActiveSupport::MessageEncryptor.new(key, signature_key, cipher: cipher, digest: digest)
+          else
+            @cryptor = ActiveSupport::MessageEncryptor.new(key, cipher: cipher, digest: digest)
+          end
+        end
+        def encrypt(value)
+          @cryptor.encrypt_and_sign(value)
+        end
-    def decrypt(value)
-      @cryptor.decrypt_and_verify(value)
+        def decrypt(value)
+          @cryptor.decrypt_and_verify(value)
+        end
+      end
+      class KMS
+        def initialize(key_id, region: nil, aws_access_key_id: nil, aws_secret_access_key: nil)
+          require 'aws-sdk'
+          options = {}
+          options[:region] = region if region
+          options[:access_key_id] = aws_access_key_id if aws_access_key_id
+          options[:secret_access_key] = aws_secret_access_key if aws_secret_access_key
+          @client = Aws::KMS::Client.new(options)
+          @key_id = key_id
+        end
+        def encrypt(value)
+          resp = @client.encrypt(key_id: @key_id, plaintext: YAML.dump(value))
+          Base64.strict_encode64(resp.ciphertext_blob)
+        end
+        def decrypt(value)
+          resp = @client.decrypt(ciphertext_blob: Base64.strict_decode64(value))
+          YAML.load(resp.plaintext)
+        end
+      end
     end
+    private_constant :ValueCryptor
   end
 end

data/yaml_vault.gemspec CHANGED Viewed

@@ -21,6 +21,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "activesupport", ">= 4"
   spec.add_runtime_dependency "thor"
+  spec.add_development_dependency "aws-sdk", "~> 2.0"
   spec.add_development_dependency "bundler", "~> 1.11"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: yaml_vault
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - joker1007
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-03-30 00:00:00.000000000 Z
+date: 2016-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: aws-sdk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement