Merge pull request #1 from envato/initial-impl

Initial implementation

.gitignore

@@ -0,0 +1 @@
+/build/

.go-version

@@ -0,0 +1 @@
+1.12.9

Dockerfile

@@ -0,0 +1,6 @@
+FROM golang:1.12-alpine
+ENV GO111MODULE=on
+WORKDIR /go/src/github.com/envato/ejsonkms
+COPY . .
+RUN apk add git gcc musl-dev
+RUN go get

LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Envato
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,23 @@
+NAME=ejsonkms
+VERSION=$(shell cat VERSION)
+GOFILES=$(shell find . -type f -name '*.go')
+
+.PHONY: default all binaries clean
+
+default: all
+all: binaries
+binaries: build/bin/linux-amd64 build/bin/darwin-amd64
+
+build/bin/linux-amd64: $(GOFILES)
+	mkdir -p "$(@D)"
+	GOOS=linux GOARCH=amd64 go build \
+	-ldflags '-s -w -X main.version="$(VERSION)"' \
+	-o "$@"
+
+build/bin/darwin-amd64: $(GOFILES)
+	GOOS=darwin GOARCH=amd64 go build \
+	-ldflags '-s -w -X main.version="$(VERSION)"' \
+	-o "$@"
+
+clean:
+	rm -rf build

README.md

@@ -1,3 +1,52 @@
 # ejsonkms
 
-`ejsonkms` is a tool to based on the [ejson library](https://github.com/Shopify/ejson) with integration with AWS KMS.
+`ejsonkms` combines the [ejson library](https://github.com/Shopify/ejson) with [AWS Key Management
+Service](https://aws.amazon.com/kms/) to simplify deployments on AWS. The EJSON private key is encrypted with
+KMS and stored inside the EJSON file as `_private_key_enc`. Access to decrypt secrets can be controlled with IAM
+permissions on the KMS key.
+
+## Usage
+
+Generating an EJSON file:
+
+```
+$ ejsonkms keygen --aws-region us-east-1 --kms-key-id bc436485-5092-42b8-92a3-0aa8b93536dc -o secrets.ejson
+Private Key: ae5969d1fb70faab76198ee554bf91d2fffc44d027ea3d804a7c7f92876d518b
+$ cat secrets.ejson
+{
+  "_public_key": "6b8280f86aff5f48773f63d60e655e2f3dd0dd7c14f5fecb5df22936e5a3be52",
+  "_private_key_enc": "S2Fybjphd3M6a21zOnVzLWVhc3QtMToxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAAAycRX5OBx6xGuYOPAmDJ1FombB1lFybMP42s7PGmoa24bAesPMMZtI9V0w0p0lEgLeeSvYdsPuoPROa4bwnQxJB28eC6fHgfWgY7jgDWY9uP/tgzuWL3zuIaq+9Q=="
+}
+```
+
+Encrypting:
+
+```
+$ ejsonkms encrypt secrets.ejson
+```
+
+Decrypting:
+
+```
+$ ejsonkms decrypt secrets.ejson
+{
+  "_public_key": "6b8280f86aff5f48773f63d60e655e2f3dd0dd7c14f5fecb5df22936e5a3be52",
+  "_private_key_enc": "S2Fybjphd3M6a21zOnVzLWVhc3QtMToxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAAAycRX5OBx6xGuYOPAmDJ1FombB1lFybMP42s7PGmoa24bAesPMMZtI9V0w0p0lEgLeeSvYdsPuoPROa4bwnQxJB28eC6fHgfWgY7jgDWY9uP/tgzuWL3zuIaq+9Q==",
+  "environment": {
+    "my_secret": "secret123"
+  }
+}
+```
+
+Exporting shell variables (from [ejson2env](https://github.com/Shopify/ejson2env)):
+
+```
+$ exports=$(ejsonkms env secrets.ejson)
+$ echo $exports
+export my_secret=secret123
+$ eval $exports
+$ echo my_secret
+secret123
+```
+
+Note that only secrets under the "environment" key will be exported using the `env` command.

VERSION

@@ -0,0 +1 @@
+0.1.0

actions.go

@@ -0,0 +1,106 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/Shopify/ejson"
+)
+
+func encryptAction(args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("at least one file path must be given")
+	}
+	for _, filePath := range args {
+		n, err := ejson.EncryptFileInPlace(filePath)
+		if err != nil {
+			return err
+		}
+		fmt.Printf("Wrote %d bytes to %s.\n", n, filePath)
+	}
+	return nil
+}
+
+func decryptAction(args []string, awsRegion, outFile string) error {
+	if len(args) != 1 {
+		return fmt.Errorf("exactly one file path must be given")
+	}
+	ejsonFilePath := args[0]
+
+	decrypted, err := Decrypt(ejsonFilePath, awsRegion)
+	if err != nil {
+		return err
+	}
+
+	target := os.Stdout
+	if outFile != "" {
+		target, err = os.Create(outFile)
+		if err != nil {
+			return err
+		}
+		defer target.Close()
+	}
+
+	_, err = target.Write(decrypted)
+	return err
+}
+
+// ejsonKmsFile - an ejson file
+type ejsonKmsFile struct {
+	PublicKey     string `json:"_public_key"`
+	PrivateKeyEnc string `json:"_private_key_enc"`
+}
+
+func keygenAction(args []string, kmsKeyID, awsRegion, outFile string) error {
+	ejsonKmsKeys, err := Keygen(kmsKeyID, awsRegion)
+	if err != nil {
+		return err
+	}
+
+	ejsonKmsFile := ejsonKmsFile{
+		PublicKey:     ejsonKmsKeys.PublicKey,
+		PrivateKeyEnc: ejsonKmsKeys.PrivateKeyEnc,
+	}
+
+	ejsonFile, err := json.MarshalIndent(ejsonKmsFile, "", "  ")
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Private Key:", ejsonKmsKeys.PrivateKey)
+	target := os.Stdout
+	if outFile != "" {
+		target, err = os.Create(outFile)
+		if err != nil {
+			return err
+		}
+		defer func() { _ = target.Close() }()
+	} else {
+		fmt.Println("EJSON File:")
+	}
+
+	_, err = target.Write(ejsonFile)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func envAction(ejsonFilePath, awsRegion string, quiet bool) error {
+	exportFunc := ExportEnv
+	if quiet {
+		exportFunc = ExportQuiet
+	}
+	privateKeyEnc, err := findPrivateKeyEnc(ejsonFilePath)
+	if err != nil {
+		return err
+	}
+
+	kmsDecryptedPrivateKey, err := decryptPrivateKeyWithKMS(privateKeyEnc, awsRegion)
+	if err != nil {
+		return err
+	}
+
+	return ExportSecrets(ejsonFilePath, kmsDecryptedPrivateKey, exportFunc)
+}

actions_test.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"bytes"
+	"os"
+	"testing"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestEnv(t *testing.T) {
+	outputBuffer := new(bytes.Buffer)
+	output = outputBuffer
+
+	// ensure that output returns to os.Stdout
+	defer func() {
+		output = os.Stdout
+	}()
+
+	Convey("Env", t, func() {
+		err := envAction("testdata/test.ejson", "us-east-1", false)
+
+		Convey("should return decrypted values as shell exports", func() {
+			So(err, ShouldBeNil)
+			actualOutput := outputBuffer.String()
+			So(actualOutput, ShouldContainSubstring, "export my_secret=secret123")
+		})
+	})
+
+	Convey("Env with no private key", t, func() {
+		err := envAction("testdata/test_no_private_key.ejson", "us-east-1", false)
+
+		Convey("should fail", func() {
+			So(err, ShouldNotBeNil)
+			So(err.Error(), ShouldContainSubstring, "Missing _private_key_enc")
+		})
+	})
+}

docker-compose.yml

@@ -0,0 +1,21 @@
+version: "3"
+services:
+  awskms:
+    image: "nsmithuk/local-kms"
+    environment:
+      REGION: us-east-1
+    volumes:
+      - "./local_kms/seed.yaml:/init/seed.yaml"
+    expose:
+      - 8080
+  tests:
+    build: .
+    volumes:
+      - "./:/go/src/github.com/envato/ejsonkms"
+    command: ["go", "test"]
+    environment:
+      AWS_ACCESS_KEY_ID: '123'
+      AWS_SECRET_ACCESS_KEY: xyz
+      FAKE_AWSKMS_URL: http://awskms:8080
+    links:
+      - awskms

ejsonkms.go

@@ -0,0 +1,87 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+	"os"
+
+	"github.com/Shopify/ejson"
+)
+
+// EjsonKmsKeys - keys used in an EjsonKms file
+type EjsonKmsKeys struct {
+	PublicKey     string `json:"_public_key"`
+	PrivateKeyEnc string `json:"_private_key_enc"`
+	PrivateKey    string
+}
+
+// Keygen generates keys and prepares an EJSON file with them
+func Keygen(kmsKeyID, awsRegion string) (EjsonKmsKeys, error) {
+	var ejsonKmsKeys EjsonKmsKeys
+	pub, priv, err := ejson.GenerateKeypair()
+	if err != nil {
+		return ejsonKmsKeys, err
+	}
+
+	privKeyEnc, err := encryptPrivateKeyWithKMS(priv, kmsKeyID, awsRegion)
+	if err != nil {
+		return ejsonKmsKeys, err
+	}
+
+	ejsonKmsKeys = EjsonKmsKeys{
+		PublicKey:     pub,
+		PrivateKeyEnc: privKeyEnc,
+		PrivateKey:    priv,
+	}
+
+	return ejsonKmsKeys, nil
+}
+
+// Decrypt decrypts an EJSON file
+func Decrypt(ejsonFilePath, awsRegion string) ([]byte, error) {
+	privateKeyEnc, err := findPrivateKeyEnc(ejsonFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	kmsDecryptedPrivateKey, err := decryptPrivateKeyWithKMS(privateKeyEnc, awsRegion)
+	if err != nil {
+		return nil, err
+	}
+
+	decrypted, err := ejson.DecryptFile(ejsonFilePath, "", kmsDecryptedPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return decrypted, nil
+}
+
+func findPrivateKeyEnc(ejsonFilePath string) (key string, err error) {
+	var (
+		ejsonKmsKeys EjsonKmsKeys
+	)
+
+	file, err := os.Open(ejsonFilePath)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	data, err := ioutil.ReadAll(file)
+	if err != nil {
+		return "", err
+	}
+
+	err = json.Unmarshal(data, &ejsonKmsKeys)
+	if err != nil {
+		return "", err
+	}
+
+	if len(ejsonKmsKeys.PrivateKeyEnc) == 0 {
+		return "", errors.New("missing _private_key_enc field")
+	}
+
+	return ejsonKmsKeys.PrivateKeyEnc, nil
+}