Class: SymmetricEncryption::CLI

Inherits:

Object

• Object
• SymmetricEncryption::CLI

Defined in:

lib/symmetric_encryption/cli.rb

Constant Summary

KEYSTORES =

%i[aws heroku environment file gcp].freeze

Instance Attribute Summary

• #activate_key ⇒ Object readonly

  Returns the value of attribute activate_key.

• #app_name ⇒ Object readonly

  Returns the value of attribute app_name.

• #cipher_name ⇒ Object readonly

  Returns the value of attribute cipher_name.

• #cleanup_keys ⇒ Object readonly

  Returns the value of attribute cleanup_keys.

• #compress ⇒ Object readonly

  Returns the value of attribute compress.

• #config_file_path ⇒ Object readonly

  Returns the value of attribute config_file_path.

• #decrypt ⇒ Object readonly

  Returns the value of attribute decrypt.

• #encrypt ⇒ Object readonly

  Returns the value of attribute encrypt.

• #environment ⇒ Object readonly

  Returns the value of attribute environment.

• #environments ⇒ Object readonly

  Returns the value of attribute environments.

• #generate ⇒ Object readonly

  Returns the value of attribute generate.

• #key_path ⇒ Object readonly

  Returns the value of attribute key_path.

• #keystore ⇒ Object readonly

  Returns the value of attribute keystore.

• #migrate ⇒ Object readonly

  Returns the value of attribute migrate.

• #new_keys ⇒ Object readonly

  Returns the value of attribute new_keys.

• #output_file_name ⇒ Object readonly

  Returns the value of attribute output_file_name.

• #prompt ⇒ Object readonly

  Returns the value of attribute prompt.

• #random_password ⇒ Object readonly

  Returns the value of attribute random_password.

• #re_encrypt ⇒ Object readonly

  Returns the value of attribute re_encrypt.

• #regions ⇒ Object readonly

  Returns the value of attribute regions.

• #rolling_deploy ⇒ Object readonly

  Returns the value of attribute rolling_deploy.

• #rotate_kek ⇒ Object readonly

  Returns the value of attribute rotate_kek.

• #rotate_keys ⇒ Object readonly

  Returns the value of attribute rotate_keys.

• #show_version ⇒ Object readonly

  Returns the value of attribute show_version.

• #version ⇒ Object readonly

  Returns the value of attribute version.

Class Method Summary

• .run!(argv) ⇒ Object

Instance Method Summary

• #initialize(argv) ⇒ CLI constructor

  A new instance of CLI.

• #parser ⇒ Object
• #run! ⇒ Object

Constructor Details

#initialize(argv) ⇒ CLI

Returns a new instance of CLI.

# File 'lib/symmetric_encryption/cli.rb', line 17

def initialize(argv)
  @version          = current_version
  @environment      = ENV["SYMMETRIC_ENCRYPTION_ENV"] || ENV["RACK_ENV"] || ENV["RAILS_ENV"] || "development"
  @config_file_path = File.expand_path(ENV["SYMMETRIC_ENCRYPTION_CONFIG"] || "config/symmetric-encryption.yml")
  @app_name         = "symmetric-encryption"
  @key_path         = "#{ENV['HOME']}/.symmetric-encryption"
  @cipher_name      = "aes-256-cbc"
  @rolling_deploy   = false
  @prompt           = false
  @show_version     = false
  @keystore         = :file

  if argv.empty?
    puts parser
    exit(-10)
  end
  parser.parse!(argv)
end

Instance Attribute Details

#activate_key ⇒ Object (readonly)

Returns the value of attribute activate_key.

# File 'lib/symmetric_encryption/cli.rb', line 5

def activate_key
  @activate_key
end

#app_name ⇒ Object (readonly)

Returns the value of attribute app_name.

# File 'lib/symmetric_encryption/cli.rb', line 5

def app_name
  @app_name
end

#cipher_name ⇒ Object (readonly)

Returns the value of attribute cipher_name.

# File 'lib/symmetric_encryption/cli.rb', line 5

def cipher_name
  @cipher_name
end

#cleanup_keys ⇒ Object (readonly)

Returns the value of attribute cleanup_keys.

# File 'lib/symmetric_encryption/cli.rb', line 5

def cleanup_keys
  @cleanup_keys
end

#compress ⇒ Object (readonly)

Returns the value of attribute compress.

# File 'lib/symmetric_encryption/cli.rb', line 5

def compress
  @compress
end

#config_file_path ⇒ Object (readonly)

Returns the value of attribute config_file_path.

# File 'lib/symmetric_encryption/cli.rb', line 5

def config_file_path
  @config_file_path
end

#decrypt ⇒ Object (readonly)

Returns the value of attribute decrypt.

# File 'lib/symmetric_encryption/cli.rb', line 5

def decrypt
  @decrypt
end

#encrypt ⇒ Object (readonly)

Returns the value of attribute encrypt.

# File 'lib/symmetric_encryption/cli.rb', line 5

def encrypt
  @encrypt
end

#environment ⇒ Object (readonly)

Returns the value of attribute environment.

# File 'lib/symmetric_encryption/cli.rb', line 5

def environment
  @environment
end

#environments ⇒ Object

Returns the value of attribute environments.

# File 'lib/symmetric_encryption/cli.rb', line 5

def environments
  @environments
end

#generate ⇒ Object (readonly)

Returns the value of attribute generate.

# File 'lib/symmetric_encryption/cli.rb', line 5

def generate
  @generate
end

#key_path ⇒ Object (readonly)

Returns the value of attribute key_path.

# File 'lib/symmetric_encryption/cli.rb', line 5

def key_path
  @key_path
end

#keystore ⇒ Object (readonly)

Returns the value of attribute keystore.

# File 'lib/symmetric_encryption/cli.rb', line 5

def keystore
  @keystore
end

#migrate ⇒ Object (readonly)

Returns the value of attribute migrate.

# File 'lib/symmetric_encryption/cli.rb', line 5

def migrate
  @migrate
end

#new_keys ⇒ Object (readonly)

Returns the value of attribute new_keys.

# File 'lib/symmetric_encryption/cli.rb', line 5

def new_keys
  @new_keys
end

#output_file_name ⇒ Object (readonly)

Returns the value of attribute output_file_name.

# File 'lib/symmetric_encryption/cli.rb', line 5

def output_file_name
  @output_file_name
end

#prompt ⇒ Object (readonly)

Returns the value of attribute prompt.

# File 'lib/symmetric_encryption/cli.rb', line 5

def prompt
  @prompt
end

#random_password ⇒ Object (readonly)

Returns the value of attribute random_password.

# File 'lib/symmetric_encryption/cli.rb', line 5

def random_password
  @random_password
end

#re_encrypt ⇒ Object (readonly)

Returns the value of attribute re_encrypt.

# File 'lib/symmetric_encryption/cli.rb', line 5

def re_encrypt
  @re_encrypt
end

#regions ⇒ Object (readonly)

Returns the value of attribute regions.

# File 'lib/symmetric_encryption/cli.rb', line 5

def regions
  @regions
end

#rolling_deploy ⇒ Object (readonly)

Returns the value of attribute rolling_deploy.

# File 'lib/symmetric_encryption/cli.rb', line 5

def rolling_deploy
  @rolling_deploy
end

#rotate_kek ⇒ Object (readonly)

Returns the value of attribute rotate_kek.

# File 'lib/symmetric_encryption/cli.rb', line 5

def rotate_kek
  @rotate_kek
end

#rotate_keys ⇒ Object (readonly)

Returns the value of attribute rotate_keys.

# File 'lib/symmetric_encryption/cli.rb', line 5

def rotate_keys
  @rotate_keys
end

#show_version ⇒ Object (readonly)

Returns the value of attribute show_version.

# File 'lib/symmetric_encryption/cli.rb', line 5

def show_version
  @show_version
end

#version ⇒ Object (readonly)

Returns the value of attribute version.

# File 'lib/symmetric_encryption/cli.rb', line 5

def version
  @version
end

Class Method Details

.run!(argv) ⇒ Object

# File 'lib/symmetric_encryption/cli.rb', line 13

def self.run!(argv)
  new(argv).run!
end

Instance Method Details

#parser ⇒ Object

# File 'lib/symmetric_encryption/cli.rb', line 72

def parser
  @parser ||= OptionParser.new do |opts|
    opts.banner = <<~BANNER
      Symmetric Encryption v#{VERSION}

        For more information, see: https://encryption.rocketjob.io/

        Note:
          It is recommended to backup the current configuration file, or place it in version control before running
          the configuration manipulation commands below.

      symmetric-encryption [options]
    BANNER

    opts.on "-e", "--encrypt [FILE_NAME]", "Encrypt a file, or read from stdin if no file name is supplied." do |file_name|
      @encrypt = file_name || STDIN
    end

    opts.on "-d", "--decrypt [FILE_NAME]", "Decrypt a file, or read from stdin if no file name is supplied." do |file_name|
      @decrypt = file_name || STDIN
    end

    opts.on "-o", "--output FILE_NAME",
            "Write encrypted or decrypted file to this file, otherwise output goes to stdout." do |file_name|
      @output_file_name = file_name
    end

    opts.on "-P", "--prompt", "When encrypting or decrypting, prompt for a string encrypt or decrypt." do
      @prompt = true
    end

    opts.on "-z", "--compress", "Compress encrypted output file. [Default for encrypting files]" do
      @compress = true
    end

    opts.on "-Z", "--no-compress", "Does not compress the output file. [Default for encrypting strings]" do
      @compress = false
    end

    opts.on "-E", "--env ENVIRONMENT",
            "Environment to use in the config file. Default: SYMMETRIC_ENCRYPTION_ENV || RACK_ENV || RAILS_ENV || 'development'" do |environment|
      @environment = environment
    end

    opts.on "-c", "--config CONFIG_FILE_PATH",
            "File name & path to the Symmetric Encryption configuration file. Default: config/symmetric-encryption.yml or Env var: `SYMMETRIC_ENCRYPTION_CONFIG`" do |path|
      @config_file_path = path
    end

    opts.on "-m", "--migrate", "Migrate configuration file to new format." do
      @migrate = true
    end

    opts.on "-r", "--re-encrypt [PATTERN]",
            'ReEncrypt all files matching the pattern. Default:  "**/*.{yml,rb}"' do |pattern|
      @re_encrypt = pattern || "**/*.{yml,rb}"
    end

    opts.on "-n", "--new-password [SIZE]",
            "Generate a new random password using only characters that are URL-safe base64. Default size is 22." do |size|
      @random_password = (size || 22).to_i
    end

    opts.on "-g", "--generate", "Generate a new configuration file and encryption keys for every environment." do |config|
      @generate = config
    end

    opts.on "-s", "--keystore heroku|environment|file|aws|gcp",
            "Which keystore to use during generation or re-encryption." do |keystore|
      @keystore = (keystore || "file").downcase.to_sym
    end

    opts.on "-B", "--regions [us-east-1,us-east-2,us-west-1,us-west-2]",
            "AWS KMS Regions to encrypt data key with." do |regions|
      @regions = regions.to_s.split(",").collect(&:strip) if regions
    end

    opts.on "-K", "--key-path KEY_PATH",
            "Output path in which to write generated key files. Default: ~/.symmetric-encryption" do |path|
      @key_path = path
    end

    opts.on "-a", "--app-name NAME",
            "Application name to use when generating a new configuration. Default: symmetric-encryption" do |name|
      @app_name = name
    end

    opts.on "-S", "--environments ENVIRONMENTS",
            "Comma separated list of environments for which to generate the config file. Default: development,test,release,production" do |environments|
      @environments = environments.split(",").collect(&:strip).collect(&:to_sym)
    end

    opts.on "-C", "--cipher-name NAME",
            "Name of the cipher to use when generating a new config file, or when rotating keys. Default: aes-256-cbc" do |name|
      @cipher_name = name
    end

    opts.on "-R", "--rotate-keys",
            "Generates a new encryption key version, encryption key files, and updates the configuration file." do
      @rotate_keys = true
    end

    opts.on "-U", "--rotate-kek",
            "Replace the existing key encrypting keys only, the data encryption key is not changed, and updates the configuration file." do
      @rotate_kek = true
    end

    opts.on "-D", "--rolling-deploy",
            "During key rotation, support a rolling deploy by placing the new key second in the list so that it is not activated yet." do
      @rolling_deploy = true
    end

    opts.on "-A", "--activate-key", "Activates the key by moving the key with the highest version to the top." do
      @activate_key = true
    end

    opts.on "-X", "--cleanup-keys",
            "Removes all encryption keys, except the one with the highest version from the configuration file." do
      @cleanup_keys = true
    end

    opts.on "-V", "--key-version NUMBER",
            "Encryption key version to use when encrypting or re-encrypting. Default: (Current global version)." do |number|
      @version = number.to_i
    end

    opts.on "-L", "--ciphers", "List available OpenSSL ciphers." do
      puts "OpenSSL v#{OpenSSL::VERSION}. Available Ciphers:"
      puts OpenSSL::Cipher.ciphers.join("\n")
      exit
    end

    opts.on "-v", "--version", "Display Symmetric Encryption version." do
      @show_version = true
    end

    opts.on("-h", "--help", "Prints this help.") do
      puts opts
      exit
    end
  end
end

#run! ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/symmetric_encryption/cli.rb', line 36

def run!
  raise(ArgumentError, "Cannot cleanup keys and rotate keys at the same time") if cleanup_keys && rotate_keys

  if show_version
    puts "Symmetric Encryption v#{VERSION}"
    puts "OpenSSL v#{OpenSSL::VERSION}"
    puts "Environment: #{environment}"
  elsif encrypt
    load_config
    prompt ? encrypt_string : encrypt_file(encrypt)
  elsif decrypt
    load_config
    prompt ? decrypt_string : decrypt_file(decrypt)
  elsif random_password
    load_config
    gen_random_password(random_password)
  elsif migrate
    run_migrate
  elsif re_encrypt
    load_config
    SymmetricEncryption::Utils::ReEncryptFiles.new(version: version).process_directory(re_encrypt)
  elsif activate_key
    run_activate_key
  elsif rotate_kek
    run_rotate_kek
  elsif rotate_keys
    run_rotate_keys
  elsif cleanup_keys
    run_cleanup_keys
  elsif generate
    generate_new_config
  else
    puts parser
  end
end