zanzibar 0.0.8

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/Gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+gem 'savon'
+gem 'savon_spec'
+gem 'rspec'
+gem 'webmock'
+
+# Specify your gem's dependencies in zanzibar.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,13 @@
+Copyright (c) 2015 Cimpress
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,60 @@
+# Zanzibar
+
+
+Zanzibar is a utility to retrieve secrets from a Secret Server installation. It supports retrieval of a password, public/private key, or secret attachment.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'zanzibar'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install zanzibar
+
+## Usage
+
+In your ruby project, rakefile, etc., create a new Zanzibar object. The constructor takes a hash of optional parameters for the WSDL location, the domain of the Secret Server, a hash of global variables to pass to savon (necessary for windows environments with self-signed certs) and a password for the current user (intended to be passed in through some encryption method, unless you really want a plaintext password there.). All of these parameters are optional and the user will be prompted to enter them if they are missing.
+
+```ruby
+  my_object = Zanzibar::Zanzibar.new(:domain => 'my.domain.net', :wsdl => 'my.scrt.srvr.com/webservices/sswebservice.asmx?wdsl', :pwd => get_encrypted_password_from_somewhere)
+```
+
+Example:
+
+```ruby
+require 'zanzibar'
+
+## Constructor takes hash as argument, all optional :domain, :wsdl, :pwd, :globals
+secrets = Zanzibar::Zanzibar.new(:domain => 'mydomain.net', :wsdl => "https://my.scrt.server/webservices/sswebservice.asmx?wsdl")
+# On windows with self-signed certs,
+# Zanzibar::Zanzibar.new(:domain => 'mydomain.net', :wsdl => "https://my.scrt.server/webservices/sswebservice.asmx?wsdl", :globals => {:ssl_verify_mode => :none})
+
+## Simple password -> takes secret id as argument
+secrets.get_secret(1234)
+
+## Private Key -> takes hash as argument, requires :scrt_id, optional :scrt_item_id, :path
+secrets.download_private_key(:scrt_id => 2345, :path => 'secrets/')
+
+## Public Key -> takes hash as argument, requires :scrt_id, optional :scrt_item_id, :path
+secrets.download_public_key(:scrt_id => 2345, :path => 'secrets/')
+
+## Attachment; only supports secrets with single attachment -> takes hash as argument, requires :scrt_id, optional :scrt_item_id, :path
+secrets.download_attachment(:scrt_id => 3456, :path => 'secrets/')
+
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/Cimpress-MCP/zanzibar/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+
+task 'test' do
+  Dir.chdir('test')
+  system("rspec zanzibar_spec.rb")
+end
+
+task 'install_dependencies' do
+  system('bundle install')
+end

data/lib/zanzibar.rb

@@ -0,0 +1,209 @@
+require "zanzibar/version"
+require 'savon'
+require 'io/console'
+require 'fileutils'
+
+module Zanzibar
+
+  ##
+  # Class for interacting with Secret Server
+  class Zanzibar
+
+    ##
+    # @param args{:domain, :wsdl, :pwd, :globals{}}
+
+    def initialize(args = {})
+      if args[:wsdl]
+        @@wsdl = args[:wsdl]
+      else
+        @@wsdl = get_wsdl_location
+      end
+      if args[:pwd]
+          @@password = args[:pwd]
+      else
+        @@password = prompt_for_password
+      end
+      if args[:domain]
+        @@domain = args[:domain]
+      else
+        @@domain = prompt_for_domain
+      end
+      args[:globals] = {} unless args[:globals]
+      init_client(args[:globals])
+    end
+
+    ## Initializes the Savon client class variable with the wdsl document location and optional global variables
+    # @param globals{}, optional
+
+    def init_client(globals = {})
+      globals = {} if globals == nil
+      @@client = Savon.client(globals) do
+        wsdl @@wsdl
+      end
+    end
+
+    ## Gets the user's password if none is provided in the constructor.
+    # @return [String] the password for the current user
+
+    def prompt_for_password
+      puts "Please enter password for #{ENV['USER']}:"
+      return STDIN.noecho(&:gets).chomp
+    end
+
+    ## Gets the wsdl document location if none is provided in the constructor
+    # @return [String] the location of the WDSL document
+
+    def get_wsdl_location
+      puts "Enter the URL of the Secret Server WSDL:"
+      return STDIN.gets.chomp
+    end
+
+    ## Gets the domain of the Secret Server installation if none is provided in the constructor
+    # @return [String] the domain of the secret server installation
+
+    def prompt_for_domain
+      puts "Enter the domain of your Secret Server:"
+      return STDIN.gets.chomp
+    end
+
+
+    ## Get an authentication token for interacting with Secret Server. These are only good for about 10 minutes so just get a new one each time.
+    # Will raise an error if there is an issue with the authentication.
+    # @return the authentication token for the current user.
+
+    def get_token
+      begin
+        response = @@client.call(:authenticate, message: { username: ENV['USER'], password: @@password, organization: "", domain: @@domain }).hash
+        if response[:envelope][:body][:authenticate_response][:authenticate_result][:errors]
+          raise "Error generating the authentication token for user #{ENV['USER']}: #{response[:envelope][:body][:authenticate_response][:authenticate_result][:errors][:string]}"
+        end
+        response[:envelope][:body][:authenticate_response][:authenticate_result][:token]
+      rescue Savon::Error => err
+        raise "There was an error generating the authentiaton token for user #{ENV['USER']}: #{err}"
+      end
+    end
+
+    ## Get a secret returned as a hash
+    # Will raise an error if there was an issue getting the secret
+    # @param [Integer] the secret id
+    # @return [Hash] the secret hash retrieved from the wsdl
+
+    def get_secret(scrt_id, token = nil)
+      begin
+        secret = @@client.call(:get_secret, message: { token: token || get_token, secretId: scrt_id}).hash
+        if secret[:envelope][:body][:get_secret_response][:get_secret_result][:errors]
+          raise "There was an error getting secret #{scrt_id}: #{secret[:envelope][:body][:get_secret_response][:get_secret_result][:errors][:string]}"
+        end
+        return secret
+      rescue Savon::Error => err
+        raise "There was an error getting the secret with id #{scrt_id}: #{err}"
+      end
+    end
+
+    ## Retrieve a simple password from a secret
+    # Will raise an error if there are any issues
+    # @param [Integer] the secret id
+    # @return [String] the password for the given secret
+
+    def get_password(scrt_id)
+      begin
+        secret = get_secret(scrt_id)
+        return secret[:envelope][:body][:get_secret_response][:get_secret_result][:secret][:items][:secret_item][1][:value]
+      rescue Savon::Error => err
+        raise "There was an error getting the password for secret #{scrt_id}: #{err}"
+      end
+    end
+
+    ## Get the secret item id that relates to a key file or attachment.
+    # Will raise on error
+    # @param [Integer] the secret id
+    # @param [String] the type of secret item to get, one of privatekey, publickey, attachment
+    # @return [Integer] the secret item id
+
+    def get_scrt_item_id(scrt_id, type, token)
+      secret = get_secret(scrt_id, token)
+      case type
+        when 'privatekey'
+          ## Get private key item id
+          secret[:envelope][:body][:get_secret_response][:get_secret_result][:secret][:items][:secret_item].each do |item|
+            return item[:id] if item[:field_name] == 'Private Key'
+          end
+        when 'publickey'
+          ## Get public key item id
+          secret[:envelope][:body][:get_secret_response][:get_secret_result][:secret][:items][:secret_item].each do |item|
+            return item[:id] if item[:field_name] == 'Public Key'
+          end
+        when 'attachment'
+          ## Get attachment item id. This currently only supports secrets with one attachment.
+          secret[:envelope][:body][:get_secret_response][:get_secret_result][:secret][:items][:secret_item].each do |item|
+            return item[:id] if item[:field_name] == 'Attachment'
+          end
+        else
+          raise "Unknown type, #{type}."
+        end
+    end
+
+    ## Downloads the private key for a secret and places it where Zanzibar is running, or :path if specified
+    # Raise on error
+    # @param [Hash] args, :scrt_id, :scrt_item_id - optional, :path - optional
+
+    def download_private_key(args = {})
+      token = get_token
+      FileUtils.mkdir_p(args[:path]) if args[:path]
+      path = args[:path] ? args[:path] : '.' ## The File.join below doesn't handle nils well, so let's take that possibility away.
+      begin
+        response = @@client.call(:download_file_attachment_by_item_id, message: { token: token, secretId: args[:scrt_id], secretItemId: args[:scrt_item_id] || get_scrt_item_id(args[:scrt_id], 'privatekey', token)}).hash
+        if response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:errors]
+          raise "There was an error getting the private key for secret #{args[:scrt_id]}: #{response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:string]}"
+        end
+        File.open(File.join(path, response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:file_name]), 'wb') do |file|
+          file.puts Base64.decode64(response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:file_attachment])
+        end
+      rescue Savon::Error => err
+        raise "There was an error getting the private key for secret #{args[:scrt_id]}: #{err}"
+      end
+    end
+
+    ## Downloads the public key for a secret and places it where Zanzibar is running, or :path if specified
+    # Raise on error
+    # @param [Hash] args, :scrt_id, :scrt_item_id - optional, :path - optional
+
+    def download_public_key(args = {})
+      token = get_token
+      FileUtils.mkdir_p(args[:path]) if args[:path]
+      path = args[:path] ? args[:path] : '.' ## The File.join below doesn't handle nils well, so let's take that possibility away.
+      begin
+        response = @@client.call(:download_file_attachment_by_item_id, message: { token: token, secretId: args[:scrt_id], secretItemId: args[:scrt_item_id] || get_scrt_item_id(args[:scrt_id], 'publickey', token)}).hash
+        if response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:errors]
+          raise "There was an error getting the public key for secret #{args[:scrt_id]}: #{response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:string]}"
+      end
+        File.open(File.join(path, response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:file_name]), 'wb') do |file|
+          file.puts Base64.decode64(response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:file_attachment])
+        end
+      rescue Savon::Error => err
+        raise "There was an error getting the public key for secret #{args[:scrt_id]}: #{err}"
+      end
+    end
+
+    ## Downloads an attachment for a secret and places it where Zanzibar is running, or :path if specified
+    # Raise on error
+    # @param [Hash] args, :scrt_id, :scrt_item_id - optional, :path - optional
+
+    def download_attachment(args = {})
+      token = get_token
+      FileUtils.mkdir_p(args[:path]) if args[:path]
+      path = args[:path] ? args[:path] : '.' ## The File.join below doesn't handle nils well, so let's take that possibility away.
+      begin
+        response = @@client.call(:download_file_attachment_by_item_id, message: { token: token, secretId: args[:scrt_id], secretItemId: args[:scrt_item_id] || get_scrt_item_id(args[:scrt_id], 'attachment', token)}).hash
+        if response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:errors]
+          raise "There was an error getting the attachment for secret #{args[:scrt_id]}: #{response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:string]}"
+      end
+        File.open(File.join(path, response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:file_name]), 'wb') do |file|
+          file.puts Base64.decode64(response[:envelope][:body][:download_file_attachment_by_item_id_response][:download_file_attachment_by_item_id_result][:file_attachment])
+        end
+      rescue Savon::Error => err
+        raise "There was an error getting the attachment from secret #{args[:scrt_id]}: #{err}"
+      end
+    end
+  end
+end

data/lib/zanzibar/version.rb

@@ -0,0 +1,3 @@
+module Zanzibar
+  VERSION = "0.0.8"
+end

data/test/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/test/responses/attachment_response.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <soap:Body>
+    <DownloadFileAttachmentByItemIdResponse xmlns="urn:thesecretserver.com">
+      <DownloadFileAttachmentByItemIdResult>
+        <Errors />
+        <FileAttachment>SSBhbSBhIHNlY3JldCBhdHRhY2htZW50</FileAttachment>
+        <FileName>attachment.txt</FileName>
+      </DownloadFileAttachmentByItemIdResult>
+    </DownloadFileAttachmentByItemIdResponse>
+  </soap:Body>
+</soap:Envelope>

data/test/responses/authenticate_response.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
+  <soap:Body>
+    <AuthenticateResponse xmlns="urn:thesecretserver.com">
+      <AuthenticateResult>
+        <Errors>
+        </Errors>
+        <Token>imatoken</Token>
+      </AuthenticateResult>
+    </AuthenticateResponse>
+  </soap:Body>
+</soap:Envelope>

data/test/responses/download_private_key_response.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <soap:Body>
+    <DownloadFileAttachmentByItemIdResponse xmlns="urn:thesecretserver.com">
+      <DownloadFileAttachmentByItemIdResult>
+        <Errors />
+        <FileAttachment>LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVkgLS0tLS0KemFuemliYXJUZXN0UGFzc3dvcmQKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0=</FileAttachment>
+        <FileName>zanzi_key</FileName>
+      </DownloadFileAttachmentByItemIdResult>
+    </DownloadFileAttachmentByItemIdResponse>
+  </soap:Body>
+</soap:Envelope>

data/test/responses/download_public_key_response.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <soap:Body>
+    <DownloadFileAttachmentByItemIdResponse xmlns="urn:thesecretserver.com">
+      <DownloadFileAttachmentByItemIdResult>
+        <Errors />
+        <FileAttachment>MTIzNFB1YmxpY0tleTU2Nzg9PQ==</FileAttachment>
+        <FileName>zanzi_key.pub</FileName>
+      </DownloadFileAttachmentByItemIdResult>
+    </DownloadFileAttachmentByItemIdResponse>
+  </soap:Body>
+</soap:Envelope>

data/test/responses/get_secret_response.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <soap:Body>
+    <GetSecretResponse xmlns="urn:thesecretserver.com">
+      <GetSecretResult>
+        <Errors />
+        <Secret>
+          <Name>Zanzi Test Secret</Name>
+          <Items>
+            <SecretItem>
+              <Value>ZanziUser</Value>
+              <Id>15391</Id>
+              <FieldId>284</FieldId>
+              <FieldName>Username</FieldName>
+              <IsFile>false</IsFile>
+              <IsNotes>false</IsNotes>
+              <IsPassword>false</IsPassword>
+              <FieldDisplayName>Username</FieldDisplayName>
+            </SecretItem>
+            <SecretItem>
+              <Value>zanziUserPassword</Value>
+              <Id>15392</Id>
+              <FieldId>285</FieldId>
+              <FieldName>Password</FieldName>
+              <IsFile>false</IsFile>
+              <IsNotes>false</IsNotes>
+              <IsPassword>true</IsPassword>
+              <FieldDisplayName>Password</FieldDisplayName>
+            </SecretItem>
+            <SecretItem>
+              <Value />
+              <Id>15395</Id>
+              <FieldId>287</FieldId>
+              <FieldName>Attachment</FieldName>
+              <IsFile>true</IsFile>
+              <IsNotes>false</IsNotes>
+              <IsPassword>false</IsPassword>
+              <FieldDisplayName>Attachment</FieldDisplayName>
+            </SecretItem>
+          </Items>
+          <Id>1234</Id>
+          <SecretTypeId>6028</SecretTypeId>
+          <FolderId>106</FolderId>
+          <IsWebLauncher>false</IsWebLauncher>
+          <Active>true</Active>
+          <CheckOutMinutesRemaining xsi:nil="true" />
+          <IsCheckedOut xsi:nil="true" />
+          <CheckOutUserDisplayName />
+          <CheckOutUserId xsi:nil="true" />
+          <IsOutOfSync xsi:nil="true" />
+          <IsRestricted>false</IsRestricted>
+          <OutOfSyncReason />
+        </Secret>
+      </GetSecretResult>
+    </GetSecretResponse>
+  </soap:Body>
+</soap:Envelope>