Class: Hippo::SecretManager

Inherits:

Object

• Object
• Hippo::SecretManager

Defined in:

lib/hippo/secret_manager.rb

Constant Summary

CIPHER =

OpenSSL::Cipher.new('aes-256-gcm')

Instance Attribute Summary

• #stage ⇒ Object readonly

  Returns the value of attribute stage.

Instance Method Summary

• #all ⇒ Object
• #create ⇒ void

  Create an empty encrypted example secret file.

• #create_key ⇒ void

  Generate and publish a new secret key to the Kubernetes API.

• #decrypt(value) ⇒ String

  Decrypt the given value value and return it.

• #download_key ⇒ void

  Download the current key from the Kubernetes API and set it as the key for this instance.

• #edit ⇒ Object
• #encrypt(value) ⇒ Object

  Encrypt a given value?.

• #exists? ⇒ Boolean

  Does a secrets file exist for this application.

• #initialize(stage) ⇒ SecretManager constructor

  A new instance of SecretManager.

• #key_available? ⇒ Boolean

  Is there a key availale in this manager?.

• #path ⇒ Object
• #secret(name) ⇒ Object
• #secrets ⇒ Object
• #write_file(contents) ⇒ Object

Constructor Details

#initialize(stage) ⇒ SecretManager

# File 'lib/hippo/secret_manager.rb', line 11

def initialize(stage)
  @stage = stage
end

Instance Attribute Details

#stage ⇒ Object (readonly)

Returns the value of attribute stage.

# File 'lib/hippo/secret_manager.rb', line 9

def stage
  @stage
end

Instance Method Details

#all ⇒ Object

# File 'lib/hippo/secret_manager.rb', line 147

def all
  @all ||= begin
    return {} unless exists?

    unless key_available?
      raise Error, 'No encryption key is available to decrypt secrets'
    end

    YAML.safe_load(decrypt(File.read(path)))
  end
rescue Psych::SyntaxError => e
  raise Error, "Could not parse secrets file: #{e.message}"
end

#create ⇒ void

This method returns an undefined value.

Create an empty encrypted example secret file

# File 'lib/hippo/secret_manager.rb', line 114

def create
  unless key_available?
    raise Error, 'Cannot create secret file because no key is available for encryption'
  end

  return if exists?

  yaml = { 'example' => 'This is an example secret!' }.to_yaml
  FileUtils.mkdir_p(File.dirname(path))
  File.open(path, 'w') { |f| f.write(encrypt(yaml)) }
end

#create_key ⇒ void

This method returns an undefined value.

Generate and publish a new secret key to the Kubernetes API.

# File 'lib/hippo/secret_manager.rb', line 58

def create_key
  if key_available?
    raise Hippo::Error, 'A key already exists on Kubernetes. Remove this first.'
  end

  CIPHER.encrypt
  secret_key = CIPHER.random_key
  secret_key64 = Base64.encode64(secret_key).gsub("\n", '').strip
  od = ObjectDefinition.new({
                              'apiVersion' => 'v1',
                              'kind' => 'Secret',
                              'type' => 'hippo.adam.ac/secret-encryption-key',
                              'metadata' => { 'name' => 'hippo-secret-key' },
                              'data' => { 'key' => secret_key64 }
                            }, @stage)
  @stage.apply([od])
  @key = secret_key
end

#decrypt(value) ⇒ String

Decrypt the given value value and return it

# File 'lib/hippo/secret_manager.rb', line 98

def decrypt(value)
  value = Base64.decode64(value.to_s)
  encrypted_value, salt, iv = value.split('---', 3).map { |s| Base64.decode64(s) }
  Encryptor.decrypt(value: encrypted_value, key: @key, iv: iv, salt: salt).to_s
end

#download_key ⇒ void

This method returns an undefined value.

Download the current key from the Kubernetes API and set it as the key for this instance

# File 'lib/hippo/secret_manager.rb', line 35

def download_key
  return if @key

  value = @stage.get('secret', 'hippo-secret-key').first
  return if value.nil?
  return if value.dig('data', 'key').nil?

  @key = Base64.decode64(Base64.decode64(value['data']['key']))
rescue Hippo::Error => e
  raise unless e.message =~ /not found/
end

#edit ⇒ Object

# File 'lib/hippo/secret_manager.rb', line 126

def edit
  create unless exists?

  unless key_available?
    raise Error, 'Cannot create edit file because no key is available for decryption'
  end

  old_contents = decrypt(File.read(path))
  new_contents = Util.open_in_editor('secret', old_contents)
  if old_contents != new_contents
    write_file(new_contents)
  else
    puts 'No changes detected. Not re-encrypting secret file.'
  end
end

#encrypt(value) ⇒ Object

Encrypt a given value?

# File 'lib/hippo/secret_manager.rb', line 78

def encrypt(value)
  unless key_available?
    raise Error, 'Cannot encrypt values because there is no key'
  end

  CIPHER.encrypt
  iv = CIPHER.random_iv
  salt = SecureRandom.random_bytes(16)
  encrypted_value = Encryptor.encrypt(value: value.to_s, key: @key, iv: iv, salt: salt)
  Base64.encode64([
    Base64.encode64(encrypted_value),
    Base64.encode64(salt),
    Base64.encode64(iv)
  ].join('---'))
end

#exists? ⇒ Boolean

Does a secrets file exist for this application.

# File 'lib/hippo/secret_manager.rb', line 107

def exists?
  File.file?(path)
end

#key_available? ⇒ Boolean

Is there a key availale in this manager?

# File 'lib/hippo/secret_manager.rb', line 50

def key_available?
  download_key
  !@key.nil?
end

#path ⇒ Object

# File 'lib/hippo/secret_manager.rb', line 17

def path
  File.join(@stage.manifest.root, 'secrets', @stage.name + '.yaml')
end

#secret(name) ⇒ Object

# File 'lib/hippo/secret_manager.rb', line 21

def secret(name)
  Secret.new(self, name)
end

#secrets ⇒ Object

# File 'lib/hippo/secret_manager.rb', line 25

def secrets
  Dir[File.join(root, '*.{yml,yaml}')].map do |path|
    secret(path.split('/').last.sub(/\.ya?ml\z/, ''))
  end
end

#write_file(contents) ⇒ Object

# File 'lib/hippo/secret_manager.rb', line 142

def write_file(contents)
  FileUtils.mkdir_p(File.dirname(path))
  File.open(path, 'w') { |f| f.write(encrypt(contents)) }
end