merge

- _blackbox_common.sh sets the default Blackbox directory
  for the new repositories using the first entry of the
  BLACKBOX_CANDIDATES array. This small change sets the
  first entry to the new .blackbox dir (instead of the keyring/live)

README.md

@@ -22,11 +22,14 @@ Table of Contents
 - [How to use the secrets with Puppet?](#how-to-use-the-secrets-with-puppet)
   - [Entire files](#entire-files)
   - [Small strings](#small-strings)
-- [How to enroll a new file into the system?](#how-to-enroll-a-new-file-into-the-system)
-- [How to remove a file from the system?](#how-to-remove-a-file-from-the-system)
-- [How to indoctrinate a new user into the system?](#how-to-indoctrinate-a-new-user-into-the-system)
-- [How to remove a user from the system?](#how-to-remove-a-user-from-the-system)
-- [Enabling BlackBox For a Repo](#enabling-blackbox-for-a-repo)
+- File Management
+  - [How to enroll a new file into the system?](#how-to-enroll-a-new-file-into-the-system)
+  - [How to remove a file from the system?](#how-to-remove-a-file-from-the-system)
+- User Management
+  - [How to indoctrinate a new user into the system?](#how-to-indoctrinate-a-new-user-into-the-system)
+  - [How to remove a user from the system?](#how-to-remove-a-user-from-the-system)
+- Repo Management
+  - [Enabling BlackBox For a Repo](#enabling-blackbox-for-a-repo)
 - [Set up automated users or “role accounts”](#set-up-automated-users-or-role-accounts)
 - [Replacing expired keys](#replacing-expired-keys)
 - [Some common errors](#some-common-errors)
@@ -50,7 +53,22 @@ Rather than one GPG passphrase for all the files, each person with access has th
 
 Automated processes often need access to all the decrypted files. This is easy too. For example, suppose Git is being used for Puppet files. The master needs access to the decrypted version of all the files. Simply set up a GPG key for the Puppet master (or the role account that pushes new files to the Puppet master) and have that user run `blackbox_postdeploy` after any files are updated.
 
-Getting started is easy. Just `cd` into a Git, Mercurial, Subversion or Perforce repository and run `blackbox_initialize`. After that, if a file is to be encrypted, run `blackbox_register_new_file` and you are done. Add and remove keys with `blackbox_addadmin` and `blackbox_removeadmin`. To view and/or edit a file, run `blackbox_edit`; this will decrypt the file and open with whatever is specified by your $EDITOR environment variable. When you close the editor the file will automatically be encrypted again and the temporary plaintext file will be shredded. If you need to leave the file decrypted while you update you can use the`blackbox_edit_start` to decrypt the file and `blackbox_edit_end` when you want to "put it back in the box."
+Getting started is looks like this.
+First, if you don't have a GPG key, set it up using instructions
+such as:
+[Set up GPG key](https://help.github.com/articles/generating-a-new-gpg-key/).
+Now you are ready to go.
+`cd` into a Git, Mercurial, Subversion
+or Perforce repository and run `blackbox_initialize`. After that,
+if a file is to be encrypted, run `blackbox_register_new_file` and
+you are done. Add and remove keys with `blackbox_addadmin` and
+`blackbox_removeadmin`. To view and/or edit a file, run `blackbox_edit`;
+this will decrypt the file and open with whatever is specified by
+your $EDITOR environment variable. When you close the editor the
+file will automatically be encrypted again and the temporary plaintext
+file will be shredded. If you need to leave the file decrypted while
+you update you can use the`blackbox_edit_start` to decrypt the file
+and `blackbox_edit_end` when you want to "put it back in the box."
 
 Why is this important?
 ======================
@@ -73,6 +91,7 @@ Installation Instructions
 - *The Debian/Ubuntu way*: Check out the repo and make a DEB via `make packages-deb`; now you can distribute the DEB via local methods. (Requires [fpm](https://github.com/jordansissel/fpm).)
 - *The Antigen Way*: Add `antigen bundle StackExchange/blackbox` to your .zshrc
 - *The Zgen Way*: Add `zgen load StackExchange/blackbox` to your .zshrc where you're loading your other plugins.
+- *The Nix Way*: `nix-env -i blackbox`
 
 Commands
 ========
@@ -83,12 +102,14 @@ Commands
 | `blackbox_edit_start <file>`        | Decrypt a file so it can be updated                                     |
 | `blackbox_edit_end <file>`          | Encrypt a file after blackbox_edit_start was used                       |
 | `blackbox_cat <file>`               | Decrypt and view the contents of a file                                 |
+| `blackbox_view <file>`              | Like blackbox_cat but pipes to `less` or $PAGER                         |
 | `blackbox_diff`                     | Diff decrypted files against their original crypted version             |
 | `blackbox_initialize`               | Enable blackbox for a GIT or HG repo                                    |
 | `blackbox_register_new_file <file>` | Encrypt a file for the first time                                       |
 | `blackbox_deregister_file <file>`   | Remove a file from blackbox                                             |
 | `blackbox_list_files`               | List the files maintained by blackbox                                   |
 | `blackbox_list_admins`              | List admins currently authorized for blackbox                           |
+| `blackbox_decrypt_file <file>`      | Decrypt a file                                                          |
 | `blackbox_decrypt_all_files`        | Decrypt all managed files (INTERACTIVE)                                 |
 | `blackbox_postdeploy`               | Decrypt all managed files (batch)                                       |
 | `blackbox_addadmin <gpg-key>`       | Add someone to the list of people that can encrypt/decrypt secrets      |
@@ -348,6 +369,7 @@ Ask someone that already has access to re-encrypt the data files. This gives you
 Pre-check: Verify the new keys look good.
 
 ```
+git pull    # Or whatever is required for your system
 gpg --homedir=.blackbox --list-keys
 ```
 

bin/_blackbox_common.sh

@@ -16,10 +16,13 @@ source "${0%/*}"/_stack_lib.sh
 : "${BLACKBOX_HOME:="$(cd "${0%/*}" ; pwd)"}" ;
 
 # What are the candidates for the blackbox data directory?
+#
+# The order of candidates matter. The first entry of the array
+# sets the default Blackbox directory for all new repositories.
 declare -a BLACKBOXDATA_CANDIDATES
 BLACKBOXDATA_CANDIDATES=(
-  'keyrings/live'
   '.blackbox'
+  'keyrings/live'
 )
 
 # If $EDITOR is not set, set it to "vi":
@@ -89,6 +92,10 @@ SECRING="${KEYRINGDIR}/secring.gpg"
 : "${DECRYPT_UMASK:=0022}" ;
 # : ${DECRYPT_UMASK:=o=} ;
 
+# $BB_FILES file format:
+# Filenames are listed one per line, relative to the base directory of the repo.
+# Each line is listed in "printf %q" format, which escapes special chars.
+
 # Checks if $1 is 0 bytes, and if $1/keyrings
 # is a directory
 function is_blackbox_repo() {
@@ -99,10 +106,18 @@ function is_blackbox_repo() {
   fi
 }
 
-# Return error if not on cryptlist.
+# is_on_cryptlist resturns an error if $1 not on cryptlist.
 function is_on_cryptlist() {
+  # $1: The filename.
   # Assumes $1 does NOT have the .gpg extension
-  file_contains_line "$BB_FILES" "$(vcs_relative_path "$1")"
+
+  # https://github.com/koalaman/shellcheck/wiki/SC2155
+  local name
+  name=$(vcs_relative_path "$1")
+  local encodedname
+  encodedname=$(printf "%q" "$name")
+
+  file_contains_line "$BB_FILES" "$encodedname"
 }
 
 # Exit with error if a file exists.
@@ -140,7 +155,7 @@ function fail_if_not_on_cryptlist() {
 
   if ! is_on_cryptlist "$name" ; then
     echo "ERROR: $name not found in $BB_FILES" >&2
-    echo "PWD=$(/bin/pwd)" >&2
+    echo "PWD=$(/usr/bin/env pwd)" >&2
     echo 'Exiting...' >&2
     exit 1
   fi
@@ -164,16 +179,33 @@ function get_pubring_path() {
   fi
 }
 
-# Output the unencrypted filename.
-function get_unencrypted_filename() {
-  echo "$(dirname "$1")/$(basename "$1" .gpg)" | sed -e 's#^\./##'
+# normalize_filename_arg takes a filename from the command line and
+# outputs the non-encrypted filename.
+function normalize_filename() {
+  # $1: the input from a user
+  # Use this if the user may have entered the encrypted or
+  # non-encrypted filename.
+  local name
+  name=$(vcs_relative_path "$1")
+  echo "$(dirname "$name")/$(basename "$name" .gpg)" | sed -e 's#^\./##'
 }
 
 # Output the encrypted filename.
-function get_encrypted_filename() {
-  echo "$(dirname "$1")/$(basename "$1" .gpg).gpg" | sed -e 's#^\./##'
+function get_gpg_filename() {
+  # $1: normalized file path
+  echo "$1".gpg
 }
 
+## Output the unencrypted filename.
+#function get_unencrypted_filename() {
+#  echo "$(dirname "$1")/$(basename "$1" .gpg)" | sed -e 's#^\./##'
+#}
+#
+## Output the encrypted filename.
+#function get_encrypted_filename() {
+#  echo "$(dirname "$1")/$(basename "$1" .gpg).gpg" | sed -e 's#^\./##'
+#}
+
 # Prepare keychain for use.
 function prepare_keychain() {
   local keyringasc
@@ -196,37 +228,43 @@ function prepare_keychain() {
   echo '========== Importing keychain: DONE' >&2
 }
 
-# Add file to list of encrypted files.
+# add_filename_to_cryptlist adds $1 to the list of encrypted files.
 function add_filename_to_cryptlist() {
+  # $1: The filename.
   # If the name is already on the list, this is a no-op.
-  # However no matter what the datestamp is updated.
-  
+
   # https://github.com/koalaman/shellcheck/wiki/SC2155
   local name
   name=$(vcs_relative_path "$1")
+  local encodedname
+  encodedname=$(printf "%q" "$name")
 
-  if file_contains_line "$BB_FILES" "$name" ; then
+
+  if file_contains_line "$BB_FILES" "$encodedname" ; then
     echo "========== File is registered. No need to add to list."
   else
     echo "========== Adding file to list."
     touch "$BB_FILES"
-    sort -u -o "$BB_FILES" <(echo "$name") "$BB_FILES"
+    sort -u -o "$BB_FILES" <(printf "%q\n" "$name") "$BB_FILES"
   fi
 }
 
-# Removes a file from the list of encrypted files
+# remove_filename_from_cryptlist removes $1 from the list of encrypted files.
 function remove_filename_from_cryptlist() {
+  # $1: The filename.
   # If the name is not already on the list, this is a no-op.
 
   # https://github.com/koalaman/shellcheck/wiki/SC2155
   local name
   name=$(vcs_relative_path "$1")
+  local encodedname
+  encodedname=$(printf "%q" "$name")
 
-  if ! file_contains_line "$BB_FILES" "$name" ; then
+  if ! file_contains_line "$BB_FILES" "$encodedname" ; then
     echo "========== File is not registered. No need to remove from list."
   else
     echo "========== Removing file from list."
-    remove_line "$BB_FILES" "$name"
+    remove_line "$BB_FILES" "$encodedname"
   fi
 }
 

bin/_blackbox_common_test.sh

@@ -6,7 +6,7 @@
 
 set -e
 . "${0%/*}/_blackbox_common.sh"
-. tools/test_functions.sh
+. /Users/tlimoncelli/gitwork/blackbox/tools/test_functions.sh
 
 PHASE 'Test cp-permissions: TestA'
 touch TestA TestB TestC TestD
@@ -22,4 +22,18 @@ assert_file_perm '--wxr--rwx' TestC
 assert_file_perm '----rwx---' TestD  # TestD doesn't change.
 rm -f TestA TestB TestC TestD
 
+PHASE 'Test vcs_relative_path: TestA'
+export REPOBASE='/Users/tlimoncelli/Applications (Parallels)/{fd3049c8-9fdd-48d5-aa16-d31daf3a6879} Applications.localized'
+FILE='Microsoft  Windows Fax and Scan.app/Contents'
+result=$(vcs_relative_path Contents)
+echo result=XXX${result}XXX
+if [[ $FILE != $result ]] ; then
+  echo FAIL
+fi
+
+unencrypted_file=$(get_unencrypted_filename "${result}.gpg")
+echo un=XXX${unencrypted_file}XXX
+encrypted_file=$(get_encrypted_filename "${result}")
+echo en=XXX${encrypted_file}XXX
+
 echo '========== DONE.'

bin/blackbox_cat

@@ -8,7 +8,7 @@ source "${0%/*}/_blackbox_common.sh"
 
 for param in "$@" ; do
   shreddable=0
-  unencrypted_file=$(get_unencrypted_filename "$param")
+  unencrypted_file=$(normalize_filename "$param")
   if [[ ! -e "$unencrypted_file" ]]; then
     "${BLACKBOX_HOME}/blackbox_edit_start" "$param"
     shreddable=1

bin/blackbox_decrypt_file

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+#
+# blackbox_decrypt_file -- Decrypt one or more blackbox files.
+#
+
+set -e
+source "${0%/*}/_blackbox_common.sh"
+
+if [ $# -eq 0 ]; then
+  echo >&2 "Please provide at least one file to decrypt"
+  exit 1
+fi
+
+"${BLACKBOX_HOME}/blackbox_edit_start" "$@"

bin/blackbox_diff

@@ -13,8 +13,10 @@ prepare_keychain
 modified_files=()
 modifications=()
 echo '========== DIFFING FILES: START'
-while IFS= read <&99 -r unencrypted_file; do
-  unencrypted_file=$(get_unencrypted_filename "$unencrypted_file")
+while IFS= read <&99 -r encodedname; do
+  local name
+  name=$(echo $encodedname)
+  unencrypted_file=$(get_unencrypted_filename "$name")
   encrypted_file=$(get_encrypted_filename "$unencrypted_file")
   fail_if_not_on_cryptlist "$unencrypted_file"
   if [[ -f "$unencrypted_file" ]]; then

bin/blackbox_list_files

@@ -5,4 +5,7 @@
 #
 set -e
 source "${0%/*}/_blackbox_common.sh"
-cat "$BB_FILES"
+
+while IFS= read <&99 -r encodedname; do
+  echo $encodedname
+done 99<"$BB_FILES"

bin/blackbox_postdeploy

@@ -27,8 +27,12 @@ prepare_keychain
 
 # Decrypt:
 echo '========== Decrypting new/changed files: START'
-while IFS= read <&99 -r unencrypted_file; do
-  encrypted_file=$(get_encrypted_filename "$unencrypted_file")
+while IFS= read <&99 -r encodedname; do
+  local name
+  name=$(echo $name)
+
+  encrypted_file=$(get_encrypted_filename "$name")
+  unencrypted_file=$(get_unencrypted_filename "$name")
   decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
   cp_permissions "$encrypted_file" "$unencrypted_file"
   if [[ ! -z "$FILE_GROUP" ]]; then

bin/blackbox_update_all_files

@@ -12,15 +12,19 @@ disclose_admins
 prepare_keychain
 
 echo '========== ENCRYPTED FILES TO BE RE-ENCRYPTED:'
-while IFS= read <&99 -r unencrypted_file; do
-    echo "    $unencrypted_file.gpg"
+while IFS= read <&99 -r encodedname; do
+  local name
+  name=$(echo $encodedname)
+  echo "    $name.gpg"
 done 99<"$BB_FILES"
 
 echo '========== FILES IN THE WAY:'
 need_warning=false
-while IFS= read <&99 -r unencrypted_file; do
-  unencrypted_file=$(get_unencrypted_filename "$unencrypted_file")
-  encrypted_file=$(get_encrypted_filename "$unencrypted_file")
+while IFS= read <&99 -r encodedname; do
+  local name
+  name=$(echo $encodedname)
+  unencrypted_file=$(get_unencrypted_filename "$name")
+  encrypted_file=$(get_encrypted_filename "$name")
   if [[ -f "$unencrypted_file" ]]; then
     need_warning=true
     echo "    $unencrypted_file"
@@ -35,9 +39,11 @@ else
 fi
 
 echo '========== RE-ENCRYPTING FILES:'
-while IFS= read <&99 -r unencrypted_file; do
-  unencrypted_file=$(get_unencrypted_filename "$unencrypted_file")
-  encrypted_file=$(get_encrypted_filename "$unencrypted_file")
+while IFS= read <&99 -r encodedname; do
+  local name
+  name=$(echo $encodedname)
+  unencrypted_file=$(get_unencrypted_filename "$name")
+  encrypted_file=$(get_encrypted_filename "$name")
   echo ========== PROCESSING '"'$unencrypted_file'"'
   fail_if_not_on_cryptlist "$unencrypted_file"
   decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"

bin/blackbox_view

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+#
+# blackbox_view -- Decrypt a file, view it, shred it
+#
+set -e
+source "${0%/*}/_blackbox_common.sh"
+
+for param in "$@" ; do
+  shreddable=0
+  unencrypted_file=$(get_unencrypted_filename "$param")
+  if [[ ! -e "$unencrypted_file" ]]; then
+    "${BLACKBOX_HOME}/blackbox_edit_start" "$param"
+    shreddable=1
+  fi
+  ${PAGER:-less} "$unencrypted_file"
+  if [[ $shreddable = 1 ]]; then
+    shred_file "$unencrypted_file"
+  fi
+done

blackbox.plugin.zsh

@@ -1,4 +1,4 @@
-#!/bin/zsh
+#!/usr/bin/env zsh
 # The MIT License (MIT)
 
 # Copyright (c) 2014 Stack Exchange, Inc.

tools/confidence_test.sh

@@ -5,6 +5,9 @@ export PATH="${blackbox_home}:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/
 
 export LANG=C.UTF-8  # Required ro "gpg --export" to work properly.
 
+# TODO(tlim): The tests are hardcoded to this directory. This should be fixed.
+export BLACKBOXDATA=keyrings/live
+
 # This script requires many utilities, some are not
 # required by the usual blackbox scripts.  Test to make
 # sure we have them all.

tools/profile.d-usrblackbox-test.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env sh
 
 # Test profile.d-usrblackbox.sh
 

tools/test_functions.sh

@@ -47,7 +47,7 @@ function assert_file_missing() {
 function assert_file_exists() {
   if [[ ! -e "$1" ]]; then
     echo "ASSERT FAILED: ${1} should exist."
-    echo "PWD=$(/bin/pwd -P)"
+    echo "PWD=$(/usr/bin/env pwd -P)"
     #echo "LS START"
     #ls -la
     #echo "LS END"