zanzibar 0.1.13 → 0.1.15

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NDRjYjhkOGQwYTY1OGUzMDYzNGM1YWQ2YzI5YjI0YzE1ZGY5MWFmNg==
+    ODVkZWYyOTM0OWZkZjkzNTBjNmNkOWJkNThiYzRkNTc1MGQ4YjJlZQ==
   data.tar.gz: !binary |-
-    ZWUxNDgyMjg0Njg5MmJkMzcwOTU0NzEwNjRjYTkzZGJiYjM3YmQ4ZA==
+    NWJlM2NhM2ZiMWMzMGVjZmQ4YWVkNGY5MjVhODVlMjY5MTVjZTRjNg==
 SHA512:
   metadata.gz: !binary |-
-    ZWIwMjY0NTY1ZGFhYjNmZmQxZWRiMGI2Yzc1MTkxZTI5MmZjYzcyMmY0M2Y3
-    M2Y0Mzc3NjA5NDljNTMxN2FkYmY5MjUyZDM2MDBlZTVlYzVjZGEzMTM1YmY4
-    ODI5ZDM0M2ZjNTllZTJmYjE2MWQ1NGVlNGI3MmQ5Y2EwNzdkNGY=
+    ZjVmNDdiMmVhZTA0MDg5MTNhNWM0OWM2ZTQyMWViNmE5ZjJmNGFkMjIxOWVi
+    Y2FjYjlkYzcyMWUzOGJhMmExOGY3MTljMWZkOTI1ZGEzZWE0Yjc1ZDU5NDE0
+    NDg5YWFkNTllOWNlZDkwNmRlNGI3MTRkNjFhY2QwNWQ2YjMxMGI=
   data.tar.gz: !binary |-
-    Njg3ZTU5MzkyMWZkNDIxZGNlMjU4ODgwZmJiNDExMmNhNWFmODE2ODkxZmFm
-    ZjVlN2NmMTRhMzRmNjk0MWIwMjE5OGQ2MzhhNWNmMzdiYjZkZmIyZmIwNmM0
-    NTg1ZTk1ZDAzMTk2ZmY4YjBhOWNiMmZlMTI0NmM0MTYxNDZlNTI=
+    YmMwZGYyZGZlODEzMjkyN2UxZTc2YzhiMjAzZGZjN2M2OGI2OGZmMWY0ZThl
+    MjdlZjQ4NDc3OWRkMGZkYTNkYjEwM2ZhYWE1ZDkxOTI0YjdkNGNlZGE5N2Zh
+    NDgxOGNkM2I4NTAwZDc0ZGViYWQ4NjZkZGI5MjM4NDMzMDM0ODc=

data/.gitignore

@@ -12,3 +12,6 @@
 *.o
 *.a
 mkmf.log
+secrets/
+Zanzifile
+Zanzifile.resolved

data/.rspec

@@ -1,2 +1,2 @@
 --color
---require spec/spec_helper
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,5 @@
+Metrics/ClassLength:
+  Max: 150
+
+Metrics/LineLength:
+  Max: 175

data/Gemfile

@@ -1,16 +1,3 @@
 source 'https://rubygems.org'
 
-gem 'savon'
-
-group :test do
-  gem 'rake'
-  gem 'savon_spec'
-  gem 'rspec'
-  gem 'webmock'
-  gem 'codeclimate-test-reporter'
-  gem 'zanzibar', path: '.'
-  gem 'rubocop'
-end
-
-# Specify your gem's dependencies in zanzibar.gemspec
 gemspec

data/README.md

@@ -21,7 +21,11 @@ Or install it yourself as:
 
 ## Usage
 
-In your ruby project, rakefile, etc., create a new Zanzibar object. The constructor takes a hash of optional parameters for the WSDL location, the domain of the Secret Server, a hash of global variables to pass to savon (necessary for windows environments with self-signed certs) and a password for the current user (intended to be passed in through some encryption method, unless you really want a plaintext password there.). All of these parameters are optional and the user will be prompted to enter them if they are missing.
+In your ruby project, rakefile, etc., create a new Zanzibar object.
+
+The constructor takes a hash of optional parameters for the WSDL location, the domain of the Secret Server, a hash of global variables to pass to savon (necessary for windows environments with self-signed certs) and a password for the current user (intended to be passed in through some encryption method, unless you really want a plaintext password there).
+
+All of these parameters are optional and the user will be prompted to enter them if they are missing.
 
 ```ruby
   my_object = Zanzibar::Zanzibar.new(:domain => 'my.domain.net', :wsdl => 'my.scrt.srvr.com/webservices/sswebservice.asmx?wdsl', :pwd => get_encrypted_password_from_somewhere)
@@ -51,20 +55,78 @@ secrets.download_secret_file(:scrt_id => 2345, :path => 'secrets/', :type => "At
 
 ```
 
+### Providing Credentials
+
+Zanzibar has several ways of finding Secret Server credentials. It will use credentials
+discovered in this order:
+
+* Credentials passed to the initializer
+    * `Zanzibar::Zanzibar.new(:username=>'auser', :password=>'itsmyPassword')`
+* Credentials discovered via the environment
+    * If `ZANZIBAR_USER` exists, it will use that.
+        * If not, it will try `USER`
+    * If `ZANZIBAR_PASSWORD` exists, it will use that.
+* Credentials entered by the user
+    * Zanzibar will prompt the user to enter their password on STDIN
+
 ### Command Line
 
-Zanzibar comes bundled with the `zanzibar` command-line utility that can be used for fetching passwords and downloading keys from outside of Ruby.
+Zanzibar comes bundled with the `zanzibar` command-line utility that can be used
+for fetching passwords and downloading keys from outside of Ruby scripts.
 
-`zanzibar` supports most actions provided by Zanzibar itself. Because it operates on the command-line, it can be used as part of a pipeline or within a bash script.
+`zanzibar` supports most actions provided by Zanzibar itself. Because it operates
+on the command-line, it can be used as part of a pipeline or within a bash script.
 
 ```bash
-# if you don't pipe in a password, you will be prompted to enter one.
+# if ZANZIBAR_PASSWORD is not set, you will be prompted to enter your password.
 # this will download the private key from secret 1984 to the current directory
-cat ./local-password | zanzibar 1984 -s server.example.com -d example.com -t privatekey
+$ ZANZIBAR_PASSWORD=`gpg -d secretpasswd.txt.gpg` zanzibar get 1984 -s server.example.com -d example.com -f "Private Key"
+
+$ ssh user@someremote -i ./private_key
+```
 
-ssh user@someremote -i ./private_key
+#### Zanzifiles
+
+The `zanzibar` command can also perform [bundler](http://bundler.io)-like actions.
+Running `zanzibar init` will generate a `Zanzifile` in the current directory.
+Information about Secret Server and the necessary secret files to be downloaded
+can be added here.
+
+Then `zanzibar bundle` will try to download the secrets named in the file.
+When it downloads a file, it gets added to `Zanzifile.resolved`. And next time
+`zanzibar bundle` is run, if the file exists and the hash matches the one in the
+`resolved` file, it will not attempt to re-download. `zanzibar update` will attempt
+to re-download all secrets.
+
+Note: `zanzibar get` can fetch passwords or files, but `zanzibar bundle` can
+only operate on secret files.
+
+Sample `Zanzifile`:
+
+```yaml
+---
+settings:
+  wsdl: my.scrt.srvr.com/webservices/sswebservice.asmx?wdsl
+  domain: my.domain.net
+  secret_dir: secrets/
+  ignore_ssl: true
+secrets:
+  ssh_key:
+    id: 249
+    label: Private Key
+  encryption_key:
+    id: 483
+    label: Attachment
+  cert_pem:
+    id: 123
+    label: Certificate
+  cert_key:
+    id: 986
+    label: Misc Attachment
 ```
 
+Run `zanzibar help` or `zanzibar help [command]` for more information.
+
 ## Contributing
 
 1. Fork it ( https://github.com/Cimpress-MCP/zanzibar/fork )

data/Rakefile

@@ -1,11 +1,11 @@
-require 'bundler/gem_tasks'
-require 'bundler/setup' # load up our gem environment (incl. local zanzibar)
-require 'rspec/core/rake_task'
-require 'zanzibar/version'
-require 'rubocop/rake_task'
-
-task default: [:test]
-
-RSpec::Core::RakeTask.new(:test)
-
-RuboCop::RakeTask.new
+require 'bundler/gem_tasks'
+require 'bundler/setup' # load up our gem environment (incl. local zanzibar)
+require 'rspec/core/rake_task'
+require 'zanzibar/version'
+require 'rubocop/rake_task'
+
+task default: [:test]
+
+RSpec::Core::RakeTask.new(:test)
+
+RuboCop::RakeTask.new

data/bin/zamioculcas

@@ -1,2 +1,4 @@
 #! ruby
-system("zanzibar #{ARGV.join(" ")}")
+require 'zanzibar/cli'
+
+Zanzibar::Cli.start(ARGV)

data/bin/zanzibar

@@ -1,70 +1,4 @@
 #! ruby
+require 'zanzibar/cli'
 
-require 'zanzibar'
-require 'optparse'
-
-options = {
-  :domain => 'local'
-}
-
-OptionParser.new do |opts|
-  opts.banner = "Usage: zamioculcas -d domain [-w wsdl] [-k] [-p] [secret_id]"
-
-  opts.on("-d", "--domain DOMAIN", "Specify domain") do |v|
-    options[:domain] = v
-  end
-
-  opts.on("-w", "--wsdl WSDL", "Specify WSDL location") do |v|
-    options[:wsdl] = v
-  end
-
-  opts.on("-s", "--server SERVER", "Secret server hostname or IP") do |v|
-    options[:server] = v
-  end
-
-  opts.on("-k", "--no-check-certificate", "Don't run SSL certificate checks") do |v|
-    options[:globals] = {:ssl_verify_mode => :none}
-  end
-
-  opts.on("-p", "--password PASSWORD", "Specify password") do |v|
-    options[:pwd] = v
-  end
-
-  opts.on("-t", "--type TYPE", "Specify the type of secret") do |v|
-    options[:type] = v
-  end
-
-  opts.on("-u", "--user USER", "Specify the username") do |v|
-    options[:username] = v
-  end
-  
-end.parse!
-
-raise OptionParser::MissingArgument if options[:server].nil?
-options[:type] = "password" if options[:type].nil?
-
-unless STDIN.tty? || options[:pwd]
-  options[:pwd] = $stdin.read.strip
-end
-
-secret_id = Integer(ARGV.pop)
-if(!secret_id)
-  fail "no secret!"
-end
-
-unless options[:wsdl] || options[:server].nil?
-  options[:wsdl] = "https://#{options[:server]}/webservices/sswebservice.asmx?wsdl"
-end
-
-scrt = Zanzibar::Zanzibar.new(options)
-
-case options[:type]
-when "password"
-  $stdout.write "#{scrt.get_password(secret_id)}\n"
-when "privatekey"
-  scrt.download_private_key(:scrt_id=>secret_id)
-when "publickey"
-  scrt.download_public_key(:scrt_id=>secret_id)
-else
-  $stderr.write "#{options[:type]} is not a known type."
-end
+Zanzibar::Cli.start(ARGV)

data/lib/zanzibar/actions/base.rb

@@ -0,0 +1,27 @@
+module Zanzibar
+  module Actions
+    # Basic plumbing for all actions
+    class Base
+      attr_accessor :options
+      private :options=
+
+      attr_accessor :logger
+      private :logger=
+
+      def initialize(logger, options = {})
+        self.logger  = logger
+        self.options = options
+      end
+
+      private
+
+      def debug(*args, &block)
+        logger.debug(*args, &block)
+      end
+
+      def source_root
+        @source_root ||= Pathname.new(File.expand_path('../../../../', __FILE__))
+      end
+    end
+  end
+end

data/lib/zanzibar/actions/bundle.rb

@@ -0,0 +1,119 @@
+require 'zanzibar/actions/base'
+require 'zanzibar/error'
+require 'zanzibar'
+
+module Zanzibar
+  module Actions
+    # Download or verify the secrets in a Zanzifile
+    class Bundle < Base
+      attr_accessor :settings
+      attr_accessor :remote_secrets
+      attr_accessor :local_secrets
+      attr_accessor :update
+      attr_accessor :zanzibar
+
+      def initialize(ui, options, args = {})
+        super(ui, options)
+        @update = args[:update]
+      end
+
+      def run
+        ensure_zanzifile
+        load_required_secrets
+        validate_environment
+        load_resolved_secrets if resolved_file?
+        validate_local_secrets unless @update
+        run!
+      end
+
+      private
+
+      def run!
+        if need_secrets?
+          new_secrets = download_remote_secrets
+          update_resolved_file new_secrets
+        else
+          debug { 'No secrets to download...' }
+        end
+      end
+
+      def ensure_zanzifile
+        fail Error, NO_ZANZIFILE_ERROR unless File.exist? ZANZIFILE_NAME
+        debug { "#{ZANZIFILE_NAME} located..." }
+      end
+
+      def resolved_file?
+        File.exist? RESOLVED_NAME
+      end
+
+      def load_required_secrets
+        zanzifile = YAML.load_file(ZANZIFILE_NAME)
+        @settings = zanzifile['settings'] || {}
+        @remote_secrets = zanzifile['secrets'] || {}
+        @local_secrets = {}
+      end
+
+      def validate_environment
+        return unless @settings.empty? || @remote_secrets.empty?
+        fail Error, INVALID_ZANZIFILE_ERROR
+      end
+
+      def load_resolved_secrets
+        @local_secrets = YAML.load_file RESOLVED_NAME
+      end
+
+      def need_secrets?
+        !@remote_secrets.empty?
+      end
+
+      def validate_local_secrets
+        @local_secrets.each do |key, secret|
+          if File.exist?(secret[:path]) && secret[:hash] == Digest::MD5.file(secret[:path]).hexdigest
+            debug { "#{key} found locally, skipping download..." }
+            @remote_secrets.delete key
+          end
+        end
+      end
+
+      def download_remote_secrets
+        args = @settings['ignore_ssl'] ? { ssl_verify_mode: :none } : {}
+
+        downloaded_secrets = {}
+        remote_secrets.each do |key, secret|
+          downloaded_secrets[key] = download_one_secret(secret['id'],
+                                                        secret['label'],
+                                                        @settings['secret_dir'],
+                                                        args)
+
+          debug { "Downloaded secret: #{key} to #{path}..." }
+        end
+
+        downloaded_secrets
+      end
+
+      def download_one_secret(scrt_id, label, path, args)
+        path = zanzibar(args).download_secret_file(scrt_id: scrt_id,
+                                                   type: label,
+                                                   path: path)
+
+        { path: path, hash: Digest::MD5.file(path).hexdigest }
+      end
+
+      def update_resolved_file(new_secrets)
+        @local_secrets.merge! new_secrets
+
+        File.open(RESOLVED_NAME, 'w') do |out|
+          YAML.dump(@local_secrets, out)
+        end
+
+        debug { 'Updated resolved file...' }
+      end
+
+      def zanzibar(args)
+        @zanzibar ||= ::Zanzibar::Zanzibar.new(wsdl: @settings['wsdl'],
+                                               domain: @settings['domain'],
+                                               globals: args)
+      end
+    end
+  end
+end

data/lib/zanzibar/actions/get.rb

@@ -0,0 +1,61 @@
+require 'zanzibar/actions/base'
+require 'zanzibar/error'
+require 'zanzibar'
+require 'zanzibar/defaults'
+
+module Zanzibar
+  module Actions
+    # Fetch a single secret
+    class Get < Base
+      attr_accessor :zanibar_options
+      attr_accessor :scrt_id
+
+      def initialize(ui, options, scrt_id)
+        super(ui, options)
+        @scrt_id = scrt_id
+        @zanzibar_options = {}
+      end
+
+      def run
+        construct_options
+        ensure_options
+
+        fetch_secret(@scrt_id, options['filelabel'])
+      end
+
+      def fetch_secret(scrt_id, label = nil)
+        scrt = ::Zanzibar::Zanzibar.new(@zanzibar_options)
+
+        puts @zanzibar_options
+
+        if label
+          scrt.download_secret_file(scrt_id: scrt_id,
+                                    type: label)
+        else
+          scrt.get_password(scrt_id)
+        end
+      end
+
+      def construct_options
+        @zanzibar_options[:wsdl] = construct_wsdl
+        @zanzibar_options[:globals] = { ssl_verify_mode: :none } if options['ignoressl']
+        @zanzibar_options[:domain] = options['domain']
+        @zanzibar_options[:username] = options['username'] unless options['username'].nil?
+        @zanzibar_options[:domain] = options['domain'] ? options['domain'] : 'local'
+      end
+
+      def construct_wsdl
+        if options['wsdl'].nil? && options['server']
+          DEFAULT_WSDL % options['server']
+        else
+          options['wsdl']
+        end
+      end
+
+      def ensure_options
+        return if @zanzibar_options[:wsdl]
+        fail Error, NO_WSDL_ERROR
+      end
+    end
+  end
+end

data/lib/zanzibar/actions/init.rb

@@ -0,0 +1,40 @@
+require 'zanzibar/actions/base'
+require 'zanzibar/error'
+require 'ostruct'
+require 'erb'
+require 'zanzibar/defaults'
+
+module Zanzibar
+  module Actions
+    # Create a new Zanzifile
+    class Init < Base
+      def run
+        check_for_zanzifile
+        write_template
+      end
+
+      private
+
+      def check_for_zanzifile
+        return unless File.exist?(ZANZIFILE_NAME) && !options['force']
+        fail Error, ALREADY_EXISTS_ERROR
+      end
+
+      def write_template
+        template = TemplateRenderer.new(options)
+
+        File.open(ZANZIFILE_NAME, 'w') do |f|
+          f.write template.render(File.read(source_root.join(TEMPLATE_NAME)))
+        end
+      end
+
+      # Allows us to easily feed our options hash
+      # to an ERB
+      class TemplateRenderer < OpenStruct
+        def render(template)
+          ERB.new(template).result(binding)
+        end
+      end
+    end
+  end
+end

data/lib/zanzibar/actions.rb

@@ -0,0 +1,3 @@
+require 'zanzibar/actions/init'
+require 'zanzibar/actions/bundle'
+require 'zanzibar/actions/get'

data/lib/zanzibar/cli.rb

@@ -0,0 +1,126 @@
+require 'thor'
+require 'thor/actions'
+require 'zanzibar/version'
+require 'zanzibar/cli'
+require 'zanzibar/ui'
+require 'zanzibar/actions'
+require 'zanzibar/error'
+require 'zanzibar/defaults'
+
+module Zanzibar
+  # The `zanzibar` binay/thor application main class
+  class Cli < Thor
+    include Thor::Actions
+
+    attr_accessor :ui
+
+    def initialize(*)
+      super
+      the_shell = (options['no-color'] ? Thor::Shell::Basic.new : shell)
+      @ui = Shell.new(the_shell)
+      @ui.be_quiet! if options['quiet']
+      @ui.debug! if options['verbose']
+
+      debug_header
+    end
+
+    desc 'version', 'Display your Zanzibar verion'
+    def version
+      say "#{APPLICATION_NAME} Version: #{VERSION}"
+    end
+
+    desc 'init', "Create an empty #{ZANZIFILE_NAME} in the current directory."
+    option 'verbose', type: :boolean, default: false, aliases: :v
+    option 'wsdl', type: :string, aliases: :w,
+                   default: DEFAULT_WSDL % DEFAULT_SERVER,
+                   desc: 'The URI of the WSDL file for your Secret Server instance'
+    option 'domain', type: :string, default: 'local', aliases: :d,
+                     desc: 'The logon domain for your Secret Server account'
+    option 'force', type: :boolean, default: false, aliases: :f,
+                    desc: 'Recreate the Zanzifile if one already exists.'
+    option 'secretdir', type: :string, default: 'secrets/', aliases: :s,
+                        desc: 'The directory to which secrets should be downloaded.'
+    option 'ignoressl', type: :boolean, default: 'false', aliases: :k,
+                        desc: 'Don\'t check the SSL certificate of Secret Server'
+    def init
+      run_action { init! }
+    end
+
+    desc 'bundle', "Fetch secrets declared in your #{ZANZIFILE_NAME}"
+    option 'verbose', type: :boolean, default: false, aliases: :v
+    def bundle
+      run_action { bundle! }
+    end
+
+    desc 'plunder', "Alias to `#{APPLICATION_NAME} bundle`", :hide => true
+    alias_method :plunder, :bundle
+
+    desc 'install', "Alias to `#{APPLICATION_NAME} bundle`"
+    alias_method :install, :bundle
+
+    desc 'update', "Redownload all secrets in your #{ZANZIFILE_NAME}"
+    option 'verbose', type: :boolean, default: false, aliases: :v
+    def update
+      run_action { update! }
+    end
+
+    desc 'get SECRETID', 'Fetch a single SECRETID from Secret Server'
+    option 'domain', type: :string, aliases: :d,
+                     desc: 'The logon domain to use when logging in.'
+    option 'server', type: :string, aliases: :s,
+                     desc: 'The Secret Server hostname or IP'
+    option 'wsdl', type: :string, aliases: :w,
+                   desc: 'Full path to the Secret Server WSDL'
+    option 'ignoressl', type: :boolean, aliases: :k,
+                        desc: 'Don\'t verify Secret Server\'s SSL certificate'
+    option 'filelabel', type: :string, aliases: :f,
+                        desc: 'Specify a file (by label) to download'
+    option 'username', type: :string, aliases: :u
+    option 'password', type: :string, aliases: :p
+    def get(scrt_id)
+      run_action { get! scrt_id }
+    end
+
+    private
+
+    def debug_header
+      @ui.debug { "Running #{APPLICATION_NAME} in debug mode..." }
+      @ui.debug { "Ruby Version: #{RUBY_VERSION}" }
+      @ui.debug { "Ruby Platform: #{RUBY_PLATFORM}" }
+      @ui.debug { "#{APPLICATION_NAME} Version: #{VERSION}" }
+    end
+
+    # Run the specified action and rescue errors we
+    # explicitly send back to format them
+    def run_action(&_block)
+      yield
+    rescue ::Zanzibar::Error => e
+      @ui.error e
+      abort "Fatal error: #{e.message}"
+    end
+
+    def init!
+      say "Initializing a new #{ZANZIFILE_NAME} in the current directory..."
+      Actions::Init.new(@ui, options).run
+      say "Your #{ZANZIFILE_NAME} has been created!"
+      say 'You should check the settings and add your secrets.'
+      say 'Then run `zanzibar bundle` to fetch them.'
+    end
+
+    def bundle!
+      say "Checking for secrets declared in your #{ZANZIFILE_NAME}..."
+      Actions::Bundle.new(@ui, options).run
+      say 'Finished downloading secrets!'
+    end
+
+    def update!
+      say "Redownloading all secrets declared in your #{ZANZIFILE_NAME}..."
+      Actions::Bundle.new(@ui, options, update: true).run
+      say 'Finished downloading secrets!'
+    end
+
+    def get!(scrt_id)
+      say Actions::Get.new(@ui, options, scrt_id).run
+    end
+  end
+end

data/lib/zanzibar/defaults.rb

@@ -0,0 +1,14 @@
+# Definitions for various strings used throughout the gem
+module Zanzibar
+  APPLICATION_NAME = Pathname.new($PROGRAM_NAME).basename
+  ZANZIFILE_NAME = 'Zanzifile'
+  RESOLVED_NAME = 'Zanzifile.resolved'
+  TEMPLATE_NAME = 'templates/Zanzifile.erb'
+  DEFAULT_SERVER = 'secret.example.com'
+  DEFAULT_WSDL = 'https://%s/webservices/sswebservice.asmx?wsdl'
+
+  ALREADY_EXISTS_ERROR = "#{ZANZIFILE_NAME} already exists! Aborting..."
+  NO_WSDL_ERROR = 'Could not construct WSDL URL. Please provide either --server or --wsdl'
+  NO_ZANZIFILE_ERROR = "You don't have a #{ZANZIFILE_NAME}! Run `#{APPLICATION_NAME} init` first!"
+  INVALID_ZANZIFILE_ERROR = "Unable to load your #{ZANZIFILE_NAME}. Please ensure it is valid YAML."
+end

data/lib/zanzibar/error.rb

@@ -0,0 +1,6 @@
+module Zanzibar
+  # A standard error with a different name
+  # for identifying errors internal to zanzibar
+  class Error < StandardError
+  end
+end