Compare commits
17 Commits
v1.2015020
...
v1.2015022
| Author | SHA1 | Date | |
|---|---|---|---|
|
ee3b6612ff | ||
|
|
7cfb47c09b | ||
|
|
f18a6a0a8a | ||
|
|
503b26d354 | ||
|
|
27df8eadf0 | ||
|
|
79ae5d33ab | ||
|
63b5dc9de4 | ||
|
|
d4fd6cf8ed | ||
|
|
e5028b0fdb | ||
|
|
9b5af9f85c | ||
|
|
a95a5ef629 | ||
|
|
0e5fdf6fa3 | ||
|
1c69a11cdf | ||
|
|
28b8c413c0 | ||
|
|
86fe5ae352 | ||
|
|
bb6e7e3451 | ||
|
|
de3ec22655 |
20
README.md
20
README.md
@@ -74,6 +74,24 @@ exception of a few specific files, is key to the kind of
|
||||
collaboration that DevOps and modern IT practitioniers
|
||||
need to do.
|
||||
|
||||
Commands:
|
||||
============================
|
||||
|
||||
|
||||
| Name: | Description: |
|
||||
| --- | --- |
|
||||
| `blackbox_addadmin` | Add someone to the list of people that can encrypt/decrypt secrets |
|
||||
| `blackbox_cat` | Decrypt and view the contents of a file |
|
||||
| `blackbox_edit` | Decrypt, run $EDITOR, re-encrypt a file |
|
||||
| `blackbox_edit_start` | Decrypt a file so it can be updated |
|
||||
| `blackbox_edit_end` | Encrypt a file after blackbox_edit_start was used |
|
||||
| `blackbox_initialize` | Enable blackbox for a GIT or HG repo |
|
||||
| `blackbox_postdeploy` | Decrypt all managed files |
|
||||
| `blackbox_register_new_file` | Encrypt a file for the first time |
|
||||
| `blackbox_removeadmin` | Remove someone from the list of people that can encrypt/decrypt secrets |
|
||||
| `blackbox_shred_all_files` | Safely delete any decrypted files |
|
||||
| `blackbox_update_all_file` | Decrypt then re-encrypt all files. Useful after keys are changed |
|
||||
|
||||
Compatibility:
|
||||
============================
|
||||
|
||||
@@ -87,7 +105,7 @@ It has been tested to work with many operating systems.
|
||||
* `hg` -- Mercurial
|
||||
* `svn` -- SubVersion (Thanks, Ben Drasin!)
|
||||
* Operating system
|
||||
* CentOS
|
||||
* CentOS / RedHat
|
||||
* MacOS X
|
||||
* Cygwin (Thanks, Ben Drasin!)
|
||||
|
||||
|
||||
@@ -12,6 +12,11 @@
|
||||
# Where in the VCS repo should the blackbox data be found?
|
||||
: ${BLACKBOXDATA:=keyrings/live} ; # If BLACKBOXDATA not set, set it.
|
||||
|
||||
|
||||
# If $EDITOR is not set, set it to "vi":
|
||||
: ${EDITOR:=vi} ;
|
||||
|
||||
|
||||
# Outputs a string that is the base directory of this VCS repo.
|
||||
# By side-effect, sets the variable VCS_TYPE to either 'git', 'hg',
|
||||
# 'svn' or 'unknown'.
|
||||
@@ -56,7 +61,8 @@ BB_FILES_FILE="blackbox-files.txt"
|
||||
BB_FILES="${KEYRINGDIR}/${BB_FILES_FILE}"
|
||||
SECRING="${KEYRINGDIR}/secring.gpg"
|
||||
PUBRING="${KEYRINGDIR}/pubring.gpg"
|
||||
: ${DECRYPT_UMASK:=o=} ;
|
||||
: ${DECRYPT_UMASK:=0022} ;
|
||||
# : ${DECRYPT_UMASK:=o=} ;
|
||||
|
||||
# Return error if not on cryptlist.
|
||||
function is_on_cryptlist() {
|
||||
|
||||
9
bin/blackbox_list_files
Executable file
9
bin/blackbox_list_files
Executable file
@@ -0,0 +1,9 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
#
|
||||
# blackbox_list_files.sh -- List files that black box is tracking
|
||||
#
|
||||
set -e
|
||||
blackbox_home=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
|
||||
source ${blackbox_home}/_blackbox_common.sh
|
||||
cat "$BB_FILES"
|
||||
@@ -46,6 +46,8 @@ if $SECRETSEXPOSED ; then
|
||||
COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
|
||||
else
|
||||
COMMIT_FILES="$BB_FILES $encrypted_file"
|
||||
# FIXME(tal): This should be an array so that filenames with
|
||||
# spaces aren't a problem.
|
||||
fi
|
||||
|
||||
# TODO(tlim): This should be moved to _blackbox_common.sh in a
|
||||
@@ -61,7 +63,7 @@ if [[ $VCS_TYPE = 'git' ]]; then
|
||||
fi
|
||||
|
||||
echo 'NOTE: "already tracked!" messages are safe to ignore.'
|
||||
vcs_add $BB_FILES $encrypted_file
|
||||
vcs_add "$BB_FILES" $encrypted_file
|
||||
vcs_commit "registered in blackbox: ${unencrypted_file}" $COMMIT_FILES
|
||||
echo "========== UPDATING VCS: DONE"
|
||||
echo "Local repo updated. Please push when ready."
|
||||
|
||||
@@ -22,7 +22,7 @@ source ${blackbox_home}/_blackbox_common.sh
|
||||
change_to_root
|
||||
|
||||
echo '========== FILES BEING SHREDDED:'
|
||||
for i in $(<$BB_FILES) ; do
|
||||
for i in $(<"$BB_FILES") ; do
|
||||
unencrypted_file=$(get_unencrypted_filename "$i")
|
||||
encrypted_file=$(get_encrypted_filename "$i")
|
||||
if [[ -f "$unencrypted_file" ]]; then
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
#
|
||||
# blackbox_update_all_files -- Re-encrypt file after edits.
|
||||
# blackbox_update_all_files -- Decrypt then re-encrypt all files. Useful after keys are changed.
|
||||
#
|
||||
|
||||
set -e
|
||||
@@ -23,7 +23,7 @@ awk <"$BB_FILES" '{ print " " $1 ".gpg" }'
|
||||
|
||||
echo '========== FILES IN THE WAY:'
|
||||
need_warning=false
|
||||
for i in $(<$BB_FILES) ; do
|
||||
for i in $(<"$BB_FILES") ; do
|
||||
unencrypted_file=$(get_unencrypted_filename "$i")
|
||||
encrypted_file=$(get_encrypted_filename "$i")
|
||||
if [[ -f "$unencrypted_file" ]]; then
|
||||
@@ -40,7 +40,7 @@ else
|
||||
fi
|
||||
|
||||
echo '========== RE-ENCRYPTING FILES:'
|
||||
for i in $(<$BB_FILES) ; do
|
||||
for i in $(<"$BB_FILES") ; do
|
||||
unencrypted_file=$(get_unencrypted_filename "$i")
|
||||
encrypted_file=$(get_encrypted_filename "$i")
|
||||
echo ========== PROCESSING "$unencrypted_file"
|
||||
@@ -53,7 +53,7 @@ done
|
||||
fail_if_keychain_has_secrets
|
||||
|
||||
echo '========== COMMITING TO VCS:'
|
||||
vcs_commit 'Re-encrypted keys' $(awk <$BB_FILES '{ print $1 ".gpg" }' )
|
||||
vcs_commit 'Re-encrypted keys' $(awk <"$BB_FILES" '{ print $1 ".gpg" }' )
|
||||
|
||||
VCSCMD=$(which_vcs)
|
||||
echo '========== DONE.'
|
||||
|
||||
@@ -11,3 +11,4 @@ exec bin/blackbox_register_new_file ../bin/blackbox_register_new_file
|
||||
exec bin/blackbox_removeadmin ../bin/blackbox_removeadmin
|
||||
exec bin/blackbox_shred_all_files ../bin/blackbox_shred_all_files
|
||||
exec bin/blackbox_update_all_files ../bin/blackbox_update_all_files
|
||||
exec bin/blackbox_list_files ../bin/blackbox_list_files
|
||||
|
||||
@@ -24,6 +24,8 @@ shift
|
||||
: ${PKGVERSION:=1.0} ;
|
||||
# If there is no iteration setting, assume "1":
|
||||
: ${PKGRELEASE:=1}
|
||||
# If there is no epoch, assume 0
|
||||
: ${PKGEPOCH:=0}
|
||||
|
||||
# The RPM is output here: (should be a place that can be wiped)
|
||||
OUTPUTDIR="${HOME}/rpmbuild-$PACKAGENAME"
|
||||
@@ -37,6 +39,7 @@ rm -rf "$OUTPUTDIR"
|
||||
mkdir -p "$OUTPUTDIR/installroot"
|
||||
|
||||
# Copy the files into place:
|
||||
set -o pipefail # Error out if any manifest is not found.
|
||||
cat """$@""" | while read -a arr ; do
|
||||
PERM="${arr[0]}"
|
||||
case $PERM in
|
||||
@@ -56,12 +59,13 @@ done
|
||||
# Build the RPM:
|
||||
cd "$OUTPUTDIR" && fpm -s dir -t rpm \
|
||||
-a x86_64 \
|
||||
--epoch '0' \
|
||||
-n "${PACKAGENAME}" \
|
||||
--epoch "${PKGEPOCH}" \
|
||||
--version "${PKGVERSION}" \
|
||||
--iteration "${PKGRELEASE}" \
|
||||
${PKGDESCRIPTION:+ --description="${PKGDESCRIPTION}"} \
|
||||
${PKGVENDOR:+ --vendor="${PKGVENDOR}"} \
|
||||
-C "$OUTPUTDIR/installroot" \
|
||||
--description="$PKGDESCRIPTION" \
|
||||
.
|
||||
|
||||
# TeamCity templates for RPMS expect to find
|
||||
|
||||
@@ -12,3 +12,4 @@ exec /usr/blackbox/bin/blackbox_register_new_file ../bin/blackbox_register_new_f
|
||||
exec /usr/blackbox/bin/blackbox_removeadmin ../bin/blackbox_removeadmin
|
||||
exec /usr/blackbox/bin/blackbox_shred_all_files ../bin/blackbox_shred_all_files
|
||||
exec /usr/blackbox/bin/blackbox_update_all_files ../bin/blackbox_update_all_files
|
||||
exec /usr/blackbox/bin/blackbox_list_files ../bin/blackbox_list_files
|
||||
|
||||
Reference in New Issue
Block a user