hea-scripts 1.0.0b1__tar.gz

hea_scripts-1.0.0b1/LICENSE

@@ -0,0 +1,169 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submitted" means any form of electronic, verbal,
+      or written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source code control systems, and issue tracking systems that are managed
+      by, or on behalf of, the Licensor for the purpose of adding to,
+      discussing, and improving the Work, but excluding communication that is
+      conspicuously marked or designated in writing by the copyright owner as
+      "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and included
+      within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent contributions
+      Licensors or Contributors that are necessarily infringed by their
+      Contribution(s) alone or by the combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a cross-claim
+      or counterclaim in a lawsuit) alleging that the Work or any Contributor
+      Contribution constitutes direct or contributory patent infringement,
+      then any patent licenses granted to You under this License for that
+      Work shall terminate as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or Derivative
+          Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, You must include a readable copy of the
+          attribution notices contained within such NOTICE file, in
+          at least one of the following places: within a NOTICE text
+          file distributed as part of the Derivative Works; within
+          the Source form or documentation, if provided along with the
+          Derivative Works; or, within a display generated by the
+          Derivative Works, if and wherever such third-party notices
+          normally appear. The contents of the NOTICE file are for
+          informational purposes only and do not modify the License.
+          You may add Your own attribution notices within Derivative
+          Works that You distribute, alongside or in addition to the
+          NOTICE text from the Work, provided that such additional
+          attribution notices cannot be construed as modifying the
+          License.
+
+      You may add Your own license statement for Your modifications and
+      may provide additional grant of rights to use, copy, modify, merge,
+      publish, distribute, sublicense, and/or sell copies of the
+      Contribution, either on a nonexclusive basis or otherwise.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or reproducing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or exemplary damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or all other
+      commercial damages or losses), even if such Contributor has been
+      advised of the possibility of such damages.
+
+   9. Accepting Warranty or Liability. While redistributing the Work or
+      Derivative Works thereof, You may choose to offer, and charge a fee
+      for, acceptance of support, warranty, indemnity, or other liability
+      obligations and/or rights consistent with this License. However, in
+      accepting such obligations, You may offer such obligations only on
+      Your own behalf and on a full behalf of all other Contributors, and
+      only if You agree to indemnify, defend, and hold each Contributor
+      harmless for any liability incurred by, or claims asserted against,
+      such Contributor by reason of your accepting any such warranty or
+      additional liability.
+
+   END OF TERMS AND CONDITIONS

hea_scripts-1.0.0b1/PKG-INFO

@@ -0,0 +1,112 @@
+Metadata-Version: 2.4
+Name: hea-scripts
+Version: 1.0.0b1
+Summary: A collection of scripts for the HEA project.
+Author-email: "Comprehensive Oncology Data and Engineering Shared Resource (CODE), Huntsman Cancer Institute, Salt Lake City, UT" <Andrew.Post@hci.utah.edu>
+License-Expression: Apache-2.0
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: System Administrators
+Classifier: Natural Language :: English
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: System :: Systems Administration
+Classifier: Topic :: Scientific/Engineering
+Classifier: Topic :: Scientific/Engineering :: Bio-Informatics
+Classifier: Topic :: Scientific/Engineering :: Information Analysis
+Classifier: Topic :: Scientific/Engineering :: Medical Science Apps.
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography~=44.0.0
+Provides-Extra: dev
+Requires-Dist: pytest~=8.0; extra == "dev"
+Requires-Dist: mypy~=2.1; extra == "dev"
+Requires-Dist: build~=1.5; extra == "dev"
+Requires-Dist: coverage~=7.14.1; extra == "dev"
+Requires-Dist: twine~=6.2.0; extra == "dev"
+Requires-Dist: tox~=4.55.0; extra == "dev"
+Dynamic: license-file
+
+# HEA Scripts
+
+Contains scripts for configuring a Health Enterprise Analytics (HEA) deployment. The primary scripts handle Fernet symmetric encryption of secrets stored in `.env` files.
+
+## Setup
+
+Install the package in editable mode (the dev container does this automatically):
+
+```sh
+pip install --user -e .
+```
+
+Requires Python 3.10 - 3.12.
+
+## Usage
+
+### Generate an encryption key
+
+```sh
+hea-gen-encryption-key
+```
+
+Save the printed key in your `.env` file as `HEA_ENCRYPTION_KEY`, or in a dedicated file (recommended) referenced by `HEA_ENCRYPTION_KEY_FILE`. If using a file, restrict its permissions:
+
+```sh
+chmod 600 hea_encryption_key.txt
+```
+
+### Encrypt / decrypt a value
+
+```sh
+# Encrypt a literal value
+hea-encryption --encrypt <value>
+
+# Encrypt a property already in .env (result is written to stdout with {crypt} prefix)
+hea-encryption --encrypt -p <PROPERTY_NAME>
+
+# Decrypt a token
+hea-encryption --decrypt <token>
+
+# Read input from a file
+hea-encryption --encrypt -f <file>
+hea-encryption --decrypt -f <file>
+
+# Write output to a file instead of stdout
+hea-encryption --encrypt <value> -o <output_file>
+```
+
+## Configuration
+
+Scripts expect a `.env` file in the working directory. The encryption key is resolved in this order:
+
+1. `HEA_ENCRYPTION_KEY_FILE` environment variable (path to key file)
+2. `HEA_ENCRYPTION_KEY_FILE` in `.env` (path to key file)
+3. `HEA_ENCRYPTION_KEY` environment variable (inline key)
+4. `HEA_ENCRYPTION_KEY` in `.env` (inline key)
+
+Encrypted values stored in `.env` use the format:
+
+```
+PROPERTY={crypt}<fernet-token>
+```
+
+## Contributing
+
+Install the package with the `dev` optional dependencies to get pytest:
+
+```sh
+pip install --user -e ".[dev]"
+```
+
+Run the tests:
+
+```sh
+python -m pytest tests/
+```

hea_scripts-1.0.0b1/README.md

@@ -0,0 +1,76 @@
+# HEA Scripts
+
+Contains scripts for configuring a Health Enterprise Analytics (HEA) deployment. The primary scripts handle Fernet symmetric encryption of secrets stored in `.env` files.
+
+## Setup
+
+Install the package in editable mode (the dev container does this automatically):
+
+```sh
+pip install --user -e .
+```
+
+Requires Python 3.10 - 3.12.
+
+## Usage
+
+### Generate an encryption key
+
+```sh
+hea-gen-encryption-key
+```
+
+Save the printed key in your `.env` file as `HEA_ENCRYPTION_KEY`, or in a dedicated file (recommended) referenced by `HEA_ENCRYPTION_KEY_FILE`. If using a file, restrict its permissions:
+
+```sh
+chmod 600 hea_encryption_key.txt
+```
+
+### Encrypt / decrypt a value
+
+```sh
+# Encrypt a literal value
+hea-encryption --encrypt <value>
+
+# Encrypt a property already in .env (result is written to stdout with {crypt} prefix)
+hea-encryption --encrypt -p <PROPERTY_NAME>
+
+# Decrypt a token
+hea-encryption --decrypt <token>
+
+# Read input from a file
+hea-encryption --encrypt -f <file>
+hea-encryption --decrypt -f <file>
+
+# Write output to a file instead of stdout
+hea-encryption --encrypt <value> -o <output_file>
+```
+
+## Configuration
+
+Scripts expect a `.env` file in the working directory. The encryption key is resolved in this order:
+
+1. `HEA_ENCRYPTION_KEY_FILE` environment variable (path to key file)
+2. `HEA_ENCRYPTION_KEY_FILE` in `.env` (path to key file)
+3. `HEA_ENCRYPTION_KEY` environment variable (inline key)
+4. `HEA_ENCRYPTION_KEY` in `.env` (inline key)
+
+Encrypted values stored in `.env` use the format:
+
+```
+PROPERTY={crypt}<fernet-token>
+```
+
+## Contributing
+
+Install the package with the `dev` optional dependencies to get pytest:
+
+```sh
+pip install --user -e ".[dev]"
+```
+
+Run the tests:
+
+```sh
+python -m pytest tests/
+```

hea_scripts-1.0.0b1/pyproject.toml

@@ -0,0 +1,67 @@
+[build-system]
+requires = ["setuptools>=75.2.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "hea-scripts"
+version = "1.0.0b1"
+readme = "README.md"
+description = "A collection of scripts for the HEA project."
+authors = [
+  { name = "Comprehensive Oncology Data and Engineering Shared Resource (CODE), Huntsman Cancer Institute, Salt Lake City, UT", email = "Andrew.Post@hci.utah.edu" }
+]
+requires-python = ">=3.10"
+license = "Apache-2.0"
+license-files = ["LICENSE"]
+dependencies = [
+  "cryptography~=44.0.0"
+]
+
+classifiers = [
+  "Development Status :: 4 - Beta",
+  "Environment :: Console",
+  "Intended Audience :: System Administrators",
+  "Natural Language :: English",
+  "Operating System :: OS Independent",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3 :: Only",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: Implementation :: CPython",
+  "Topic :: Security :: Cryptography",
+  "Topic :: System :: Systems Administration",
+  "Topic :: Scientific/Engineering",
+  "Topic :: Scientific/Engineering :: Bio-Informatics",
+  "Topic :: Scientific/Engineering :: Information Analysis",
+  "Topic :: Scientific/Engineering :: Medical Science Apps."
+]
+
+[project.optional-dependencies]
+dev = ["pytest~=8.0", "mypy~=2.1", "build~=1.5", "coverage~=7.14.1", "twine~=6.2.0", "tox~=4.55.0"]
+
+[project.scripts]
+hea-encryption = "hea.scripts.encryption:main"
+hea-gen-encryption-key = "hea.scripts.gen_encryption_key:generate_key"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+namespaces = true
+
+[tool.tox]
+env_list = ["3.10", "3.11", "3.12"]
+
+[tool.tox.env_run_base]
+deps = [".[dev]"]
+commands = [["pytest"]]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "--junitxml=pytest-test-report.xml"
+
+[tool.mypy]
+python_version = "3.12"
+strict = true
+mypy_path = "src"
+explicit_package_bases = true
+files = ["src/hea"]

hea_scripts-1.0.0b1/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

hea_scripts-1.0.0b1/src/hea/scripts/encryption.py

@@ -0,0 +1,79 @@
+from cryptography.fernet import Fernet
+from argparse import ArgumentParser
+from hea.scripts.scriptlib import parse_hea_encryption_key, get_env_data_as_dict
+import sys
+
+ENCODING = 'utf-8'
+
+
+def main() -> None:
+    parser = ArgumentParser(description='Encrypt or decrypt data using a symmetric key. Writes to stdout. Input data is '
+                            'assumed to be UTF-8 encoded text, and output is also in UTF-8. An encryption key must be '
+                            'specified in the .env file using either the HEA_ENCRYPTION_KEY or HEA_ENCRYPTION_KEY_FILE '
+                            'properties.')
+    group = parser.add_mutually_exclusive_group(required=True)
+    group.add_argument('-e', '--encrypt', action='store_true', help='Encrypt the input data.')
+    group.add_argument('-d', '--decrypt', action='store_true', help='Decrypt the input data.')
+    parser.add_argument('-f', '--file', action='store_true', help='If provided, input is a file from which to read input.')
+    parser.add_argument('-p', '--property', help='Process a property from the .env file')
+    parser.add_argument('-o', '--output-file', help='If provided, output will be written to the specified file instead of stdout.')
+    parser.add_argument('input', help='The input data to encrypt or decrypt. If -, reads from stdin or the .env.')
+
+    args = parser.parse_args()
+
+    dot_env = get_env_data_as_dict('.env')
+
+    try:
+        key = parse_hea_encryption_key(dot_env)
+    except Exception as e:
+        print(f'Error parsing HEA encryption key: {e}', file=sys.stderr)
+        sys.exit(1)
+
+    fernet = Fernet(key)
+
+    def encrypt_data(data: str) -> str:
+        return fernet.encrypt(data.encode(ENCODING)).decode(ENCODING)
+
+    def decrypt_data(token: str) -> str:
+        return fernet.decrypt(token.encode(ENCODING)).decode(ENCODING)
+
+    if args.encrypt:
+        if args.file:
+            with open(args.input, 'r') as infile:
+                input_data = infile.read()
+        elif args.property:
+            if args.property not in dot_env:
+                print(f'Property {args.property} not found in .env file.', file=sys.stderr)
+                sys.exit(2)
+            input_data = dot_env[args.property].strip()
+        elif args.input == '-':
+            input_data = sys.stdin.readline().strip()
+        else:
+            input_data = args.input
+        result = encrypt_data(input_data)
+        if args.property:
+            result = '{crypt}' + result
+    elif args.decrypt:
+        if args.file:
+            with open(args.input, 'r') as infile:
+                token = infile.read().strip()
+        elif args.property:
+            if args.property not in dot_env:
+                print(f'Property {args.property} not found in .env file.', file=sys.stderr)
+                sys.exit(2)
+            token = dot_env[args.property].strip().removeprefix('{crypt}')
+        elif args.input == '-':
+            token = sys.stdin.readline().strip()
+        else:
+            token = args.input
+        result = decrypt_data(token)
+
+    if args.output_file:
+        with open(args.output_file, 'w') as outfile:
+            outfile.write(result)
+    else:
+        print(result)
+
+
+if __name__ == '__main__':
+    main()

hea_scripts-1.0.0b1/src/hea/scripts/gen_encryption_key.py

@@ -0,0 +1,18 @@
+from cryptography.fernet import Fernet
+from argparse import ArgumentParser
+
+
+def generate_key() -> None:
+    parser = ArgumentParser(description='Generates a new symmetric key for encrypting secrets.')
+    _ = parser.parse_args()
+
+    print("Generating encryption key...")
+    print("Save this key in your .env file as HEA_ENCRYPTION_KEY to enable password encryption for stored credentials. "
+          "For better security, save the key in a file outside of the HEA directory tree called hea_encryption_key.txt. "
+          "Ensure it is only readable by the user running HEA -- for example, assuming you are the user running docker "
+          "compose, on Linux you can run 'chmod 600 <the file> after creating it.")
+    print("Key:", Fernet.generate_key().decode('utf-8'))
+
+
+if __name__ == '__main__':
+    generate_key()

hea_scripts-1.0.0b1/src/hea/scripts/scriptlib.py

@@ -0,0 +1,39 @@
+from string import whitespace
+import os
+from cryptography.fernet import Fernet
+
+
+def get_env_data_as_dict(path: str) -> dict[str, str]:
+    with open(path, 'r') as f:
+        return dict((k, v.strip("'\" ")) for k, v in (line.strip().split('=', maxsplit=1) for line in f.readlines()
+                    if not line.startswith('#') and not line.startswith(tuple(w for w in whitespace))))
+
+
+def parse_hea_encryption_key(dot_env: dict[str, str]) -> bytes:
+    if 'HEA_ENCRYPTION_KEY_FILE' in os.environ:
+        path = os.path.expanduser(os.environ['HEA_ENCRYPTION_KEY_FILE'])
+        with open(path, 'rb') as key_file:
+            print('Using encryption key from file (environment variable)...')
+            return key_file.read().strip()
+    elif 'HEA_ENCRYPTION_KEY_FILE' in dot_env:
+        path = os.path.expanduser(dot_env['HEA_ENCRYPTION_KEY_FILE'])
+        with open(path, 'rb') as key_file:
+            print('Using encryption key from file...')
+            return key_file.read().strip()
+    elif result := os.environ.get('HEA_ENCRYPTION_KEY', '').encode('utf-8'):
+        print('Using encryption key from environment variable (environment variable)...')
+        return result
+    elif result := dot_env.get('HEA_ENCRYPTION_KEY', '').encode('utf-8'):
+        print('Using encryption key from environment variable...')
+        return result
+    else:
+        raise ValueError('HEA_ENCRYPTION_KEY is not set and HEA_ENCRYPTION_KEY_FILE does not exist or is empty.')
+
+
+def decrypt(encrypted_password: str, dot_env: dict[str, str]) -> str:
+    if encrypted_password.startswith('{crypt}'):
+        fernet = Fernet(parse_hea_encryption_key(dot_env))
+        print('Decrypting MongoDB password...')
+        return fernet.decrypt(encrypted_password[len('{crypt}'):]).decode('utf-8')
+    else:
+        return encrypted_password

hea_scripts-1.0.0b1/src/hea_scripts.egg-info/PKG-INFO

@@ -0,0 +1,112 @@
+Metadata-Version: 2.4
+Name: hea-scripts
+Version: 1.0.0b1
+Summary: A collection of scripts for the HEA project.
+Author-email: "Comprehensive Oncology Data and Engineering Shared Resource (CODE), Huntsman Cancer Institute, Salt Lake City, UT" <Andrew.Post@hci.utah.edu>
+License-Expression: Apache-2.0
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: System Administrators
+Classifier: Natural Language :: English
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: Implementation :: CPython
+Classifier: Topic :: Security :: Cryptography
+Classifier: Topic :: System :: Systems Administration
+Classifier: Topic :: Scientific/Engineering
+Classifier: Topic :: Scientific/Engineering :: Bio-Informatics
+Classifier: Topic :: Scientific/Engineering :: Information Analysis
+Classifier: Topic :: Scientific/Engineering :: Medical Science Apps.
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: cryptography~=44.0.0
+Provides-Extra: dev
+Requires-Dist: pytest~=8.0; extra == "dev"
+Requires-Dist: mypy~=2.1; extra == "dev"
+Requires-Dist: build~=1.5; extra == "dev"
+Requires-Dist: coverage~=7.14.1; extra == "dev"
+Requires-Dist: twine~=6.2.0; extra == "dev"
+Requires-Dist: tox~=4.55.0; extra == "dev"
+Dynamic: license-file
+
+# HEA Scripts
+
+Contains scripts for configuring a Health Enterprise Analytics (HEA) deployment. The primary scripts handle Fernet symmetric encryption of secrets stored in `.env` files.
+
+## Setup
+
+Install the package in editable mode (the dev container does this automatically):
+
+```sh
+pip install --user -e .
+```
+
+Requires Python 3.10 - 3.12.
+
+## Usage
+
+### Generate an encryption key
+
+```sh
+hea-gen-encryption-key
+```
+
+Save the printed key in your `.env` file as `HEA_ENCRYPTION_KEY`, or in a dedicated file (recommended) referenced by `HEA_ENCRYPTION_KEY_FILE`. If using a file, restrict its permissions:
+
+```sh
+chmod 600 hea_encryption_key.txt
+```
+
+### Encrypt / decrypt a value
+
+```sh
+# Encrypt a literal value
+hea-encryption --encrypt <value>
+
+# Encrypt a property already in .env (result is written to stdout with {crypt} prefix)
+hea-encryption --encrypt -p <PROPERTY_NAME>
+
+# Decrypt a token
+hea-encryption --decrypt <token>
+
+# Read input from a file
+hea-encryption --encrypt -f <file>
+hea-encryption --decrypt -f <file>
+
+# Write output to a file instead of stdout
+hea-encryption --encrypt <value> -o <output_file>
+```
+
+## Configuration
+
+Scripts expect a `.env` file in the working directory. The encryption key is resolved in this order:
+
+1. `HEA_ENCRYPTION_KEY_FILE` environment variable (path to key file)
+2. `HEA_ENCRYPTION_KEY_FILE` in `.env` (path to key file)
+3. `HEA_ENCRYPTION_KEY` environment variable (inline key)
+4. `HEA_ENCRYPTION_KEY` in `.env` (inline key)
+
+Encrypted values stored in `.env` use the format:
+
+```
+PROPERTY={crypt}<fernet-token>
+```
+
+## Contributing
+
+Install the package with the `dev` optional dependencies to get pytest:
+
+```sh
+pip install --user -e ".[dev]"
+```
+
+Run the tests:
+
+```sh
+python -m pytest tests/
+```

hea_scripts-1.0.0b1/src/hea_scripts.egg-info/SOURCES.txt

@@ -0,0 +1,15 @@
+LICENSE
+README.md
+pyproject.toml
+src/hea/scripts/__init__.py
+src/hea/scripts/encryption.py
+src/hea/scripts/gen_encryption_key.py
+src/hea/scripts/scriptlib.py
+src/hea_scripts.egg-info/PKG-INFO
+src/hea_scripts.egg-info/SOURCES.txt
+src/hea_scripts.egg-info/dependency_links.txt
+src/hea_scripts.egg-info/entry_points.txt
+src/hea_scripts.egg-info/requires.txt
+src/hea_scripts.egg-info/top_level.txt
+tests/test_encryption.py
+tests/test_scriptlib.py

hea_scripts-1.0.0b1/src/hea_scripts.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

hea_scripts-1.0.0b1/src/hea_scripts.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+hea-encryption = hea.scripts.encryption:main
+hea-gen-encryption-key = hea.scripts.gen_encryption_key:generate_key

hea_scripts-1.0.0b1/src/hea_scripts.egg-info/requires.txt

@@ -0,0 +1,9 @@
+cryptography~=44.0.0
+
+[dev]
+pytest~=8.0
+mypy~=2.1
+build~=1.5
+coverage~=7.14.1
+twine~=6.2.0
+tox~=4.55.0

hea_scripts-1.0.0b1/src/hea_scripts.egg-info/top_level.txt

@@ -0,0 +1 @@
+hea

hea_scripts-1.0.0b1/tests/test_encryption.py

@@ -0,0 +1,101 @@
+import io
+import sys
+import pytest
+from pathlib import Path
+from cryptography.fernet import Fernet
+from hea.scripts.encryption import main
+
+
+@pytest.fixture
+def env_file(tmp_path: Path) -> tuple[Path, bytes]:
+    key = Fernet.generate_key()
+    p = tmp_path / ".env"
+    p.write_text(f"HEA_ENCRYPTION_KEY={key.decode()}\n")
+    return tmp_path, key
+
+
+def test_encrypt_decrypt_roundtrip(
+    env_file: tuple[Path, bytes],
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    work_dir, key = env_file
+    monkeypatch.chdir(work_dir)
+
+    monkeypatch.setattr(sys, "argv", ["hea-encryption", "--encrypt", "mysecret"])
+    main()
+    token = capsys.readouterr().out.splitlines()[-1]
+
+    monkeypatch.setattr(sys, "argv", ["hea-encryption", "--decrypt", token])
+    main()
+    assert capsys.readouterr().out.splitlines()[-1] == "mysecret"
+
+
+def test_encrypt_from_stdin(
+    env_file: tuple[Path, bytes],
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    work_dir, _ = env_file
+    monkeypatch.chdir(work_dir)
+    monkeypatch.setattr(sys, "argv", ["hea-encryption", "--encrypt", "-"])
+    monkeypatch.setattr("sys.stdin", io.StringIO("mysecret\n"))
+    main()
+    assert capsys.readouterr().out.strip() != ""
+
+
+def test_encrypt_property_adds_crypt_prefix(
+    env_file: tuple[Path, bytes],
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    work_dir, key = env_file
+    (work_dir / ".env").write_text(
+        f"HEA_ENCRYPTION_KEY={key.decode()}\nMY_PASS=secret\n"
+    )
+    monkeypatch.chdir(work_dir)
+    monkeypatch.setattr(sys, "argv", ["hea-encryption", "--encrypt", "-p", "MY_PASS", "-"])
+    main()
+    assert capsys.readouterr().out.splitlines()[-1].startswith("{crypt}")
+
+
+def test_decrypt_property_strips_crypt_prefix(
+    env_file: tuple[Path, bytes],
+    monkeypatch: pytest.MonkeyPatch,
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    work_dir, key = env_file
+    fernet = Fernet(key)
+    token = fernet.encrypt(b"secret").decode()
+    (work_dir / ".env").write_text(
+        f"HEA_ENCRYPTION_KEY={key.decode()}\nMY_PASS={{crypt}}{token}\n"
+    )
+    monkeypatch.chdir(work_dir)
+    monkeypatch.setattr(sys, "argv", ["hea-encryption", "--decrypt", "-p", "MY_PASS", "-"])
+    main()
+    assert capsys.readouterr().out.splitlines()[-1] == "secret"
+
+
+def test_missing_property_exits(
+    env_file: tuple[Path, bytes],
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    work_dir, _ = env_file
+    monkeypatch.chdir(work_dir)
+    monkeypatch.setattr(sys, "argv", ["hea-encryption", "--encrypt", "-p", "MISSING", "-"])
+    with pytest.raises(SystemExit) as exc:
+        main()
+    assert exc.value.code == 2
+
+
+def test_output_file(
+    env_file: tuple[Path, bytes],
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+) -> None:
+    work_dir, _ = env_file
+    monkeypatch.chdir(work_dir)
+    out_file = tmp_path / "out.txt"
+    monkeypatch.setattr(sys, "argv", ["hea-encryption", "--encrypt", "hello", "-o", str(out_file)])
+    main()
+    assert out_file.read_text() != ""

hea_scripts-1.0.0b1/tests/test_scriptlib.py

@@ -0,0 +1,103 @@
+import pytest
+from collections.abc import Callable
+from pathlib import Path
+from cryptography.fernet import Fernet
+from hea.scripts.scriptlib import get_env_data_as_dict, parse_hea_encryption_key, decrypt
+
+
+@pytest.fixture
+def key() -> bytes:
+    return Fernet.generate_key()
+
+
+@pytest.fixture
+def dot_env_file(tmp_path: Path) -> Callable[[str], str]:
+    def _write(contents: str) -> str:
+        p = tmp_path / ".env"
+        p.write_text(contents)
+        return str(p)
+    return _write
+
+
+class TestGetEnvDataAsDict:
+    def test_parses_key_value_pairs(self, dot_env_file: Callable[[str], str]) -> None:
+        path = dot_env_file("FOO=bar\nBAZ=qux\n")
+        assert get_env_data_as_dict(path) == {"FOO": "bar", "BAZ": "qux"}
+
+    def test_strips_double_quotes(self, dot_env_file: Callable[[str], str]) -> None:
+        path = dot_env_file('FOO="bar"\n')
+        assert get_env_data_as_dict(path)["FOO"] == "bar"
+
+    def test_strips_single_quotes(self, dot_env_file: Callable[[str], str]) -> None:
+        path = dot_env_file("FOO='bar'\n")
+        assert get_env_data_as_dict(path)["FOO"] == "bar"
+
+    def test_ignores_comments(self, dot_env_file: Callable[[str], str]) -> None:
+        path = dot_env_file("# comment\nFOO=bar\n")
+        assert get_env_data_as_dict(path) == {"FOO": "bar"}
+
+    def test_ignores_blank_lines(self, dot_env_file: Callable[[str], str]) -> None:
+        path = dot_env_file("\nFOO=bar\n\n")
+        assert get_env_data_as_dict(path) == {"FOO": "bar"}
+
+    def test_value_with_equals_sign(self, dot_env_file: Callable[[str], str]) -> None:
+        path = dot_env_file("FOO=bar=baz\n")
+        assert get_env_data_as_dict(path)["FOO"] == "bar=baz"
+
+
+class TestParseHEAEncryptionKey:
+    def test_reads_key_from_dot_env(self, dot_env_file: Callable[[str], str], key: bytes) -> None:
+        path = dot_env_file(f"HEA_ENCRYPTION_KEY={key.decode()}\n")
+        dot_env = get_env_data_as_dict(path)
+        assert parse_hea_encryption_key(dot_env) == key
+
+    def test_reads_key_from_env_var(self, monkeypatch: pytest.MonkeyPatch, key: bytes) -> None:
+        monkeypatch.setenv("HEA_ENCRYPTION_KEY", key.decode())
+        assert parse_hea_encryption_key({}) == key
+
+    def test_reads_key_from_key_file_in_dot_env(
+        self, tmp_path: Path, dot_env_file: Callable[[str], str], key: bytes
+    ) -> None:
+        key_file = tmp_path / "hea_encryption_key.txt"
+        key_file.write_bytes(key)
+        path = dot_env_file(f"HEA_ENCRYPTION_KEY_FILE={key_file}\n")
+        dot_env = get_env_data_as_dict(path)
+        assert parse_hea_encryption_key(dot_env) == key
+
+    def test_reads_key_from_key_file_env_var(
+        self, tmp_path: Path, monkeypatch: pytest.MonkeyPatch, key: bytes
+    ) -> None:
+        key_file = tmp_path / "hea_encryption_key.txt"
+        key_file.write_bytes(key)
+        monkeypatch.setenv("HEA_ENCRYPTION_KEY_FILE", str(key_file))
+        assert parse_hea_encryption_key({}) == key
+
+    def test_key_file_env_var_takes_priority_over_dot_env(
+        self, tmp_path: Path, monkeypatch: pytest.MonkeyPatch, dot_env_file: Callable[[str], str]
+    ) -> None:
+        key_env = Fernet.generate_key()
+        key_file_val = Fernet.generate_key()
+        key_file = tmp_path / "hea_encryption_key.txt"
+        key_file.write_bytes(key_file_val)
+        monkeypatch.setenv("HEA_ENCRYPTION_KEY_FILE", str(key_file))
+        path = dot_env_file(f"HEA_ENCRYPTION_KEY={key_env.decode()}\n")
+        dot_env = get_env_data_as_dict(path)
+        assert parse_hea_encryption_key(dot_env) == key_file_val
+
+    def test_raises_when_no_key(self) -> None:
+        with pytest.raises(ValueError, match="HEA_ENCRYPTION_KEY"):
+            parse_hea_encryption_key({})
+
+
+class TestDecrypt:
+    def test_passthrough_when_no_prefix(self, dot_env_file: Callable[[str], str], key: bytes) -> None:
+        path = dot_env_file(f"HEA_ENCRYPTION_KEY={key.decode()}\n")
+        dot_env = get_env_data_as_dict(path)
+        assert decrypt("plaintext", dot_env) == "plaintext"
+
+    def test_decrypts_crypt_prefixed_value(self, dot_env_file: Callable[[str], str], key: bytes) -> None:
+        fernet = Fernet(key)
+        token = fernet.encrypt(b"secret").decode()
+        path = dot_env_file(f"HEA_ENCRYPTION_KEY={key.decode()}\n")
+        dot_env = get_env_data_as_dict(path)
+        assert decrypt("{crypt}" + token, dot_env) == "secret"