class OpenSecret::ToolBelt::Collect

This class will be refactored into an interface implemented by a set of plugins that will capture sensitive information from users from an Ubuntu, Windows, RHEL, CoreOS, iOS or CentOS command line interface.

An equivalent REST API will also be available for bringing in sensitive information in the most secure (but simple) manner.

Public Class Methods

assert_input_text_size(input_size, min_size) click to toggle source

– – Output an error message and then exit if the entered input – text size does not meet the minimum requirements. –

# File lib/modules/cryptology/collect.rb, line 98
def self.assert_input_text_size input_size, min_size

  if( input_size < min_size  )

    puts
    puts "Input is too short. Please enter at least #{min_size} characters."
    puts

    exit

  end

end
assert_min_size(min_size) click to toggle source

– – Raise an exception if asked to collect text that is less – than 3 characters in length. –

# File lib/modules/cryptology/collect.rb, line 86
def self.assert_min_size min_size

  min_length_msg = "\n\nCrypts with 2 (or less) characters open up exploitable holes.\n\n"
  raise ArgumentError.new min_length_msg if min_size < 3

end
assert_same_size_text(first_text, second_text) click to toggle source

– – Assert that the text entered the second time is exactly (case sensitive) – the same as the text entered the first time. –

# File lib/modules/cryptology/collect.rb, line 117
def self.assert_same_size_text first_text, second_text
  
  unless( first_text.eql? second_text )

    puts
    puts "Those two bits of text are not the same (in my book)!"
    puts

    exit

  end

end
secret_text(min_size, prompt_twice, prompt_1, prompt_2=nil) click to toggle source

Collect something sensitive from the command line with a minimum length specified in the first parameter. This method can't know whether the information is a password, a pin number or whatever so it takes the integer minimum size at its word.

Question 5 to App Config | What is the Secret?

The client may need to acquire the secret if the answer to question 4 indicates the need to instantiate the keys and encrypt the application's plaintext database. The application should facilitate communication of the secret via

  • an environment variable

  • the system clipboard (cleared after reading)

  • a file whose path is a command parameter

  • a file in a pre-agreed location

  • a file in the present directory (with a pre-agreed name)

  • a URL from a parameter or pre-agreed

  • the shell's secure password reader

  • the DConf / GConf or GSettings configuration stores

  • a REST API

  • password managers like LastPass, KeePassX or 1Pass

  • the Amazon KMS (Key Management Store)

  • vaults from Ansible, Terraform and Kubernetes

  • credential managers like GitSecrets and Credstash

@param min_size [Integer] the minimum size of the collected secret

whereby one (1) is the least we can expect. The maximum bound is
not constrained here so will fall under what is allowed by the
interface, be it a CLI, Rest API, Web UI or Mobile App.

@param prompt_twice [Boolean] indicate whether the user should be

prompted twice. If true the prompt_2 text must be provided and
converse is also true. A true value asserts that both times the
user enters the same (case sensitive) string.

@param prompt_1 [String] the text (aide memoire) used to prompt the user

@param prompt_2 [String] if the prompt twice boolean is TRUE, this

second prompt (aide memoire) must be provided.

@return [String] the collected string text ( watch out for non-ascii chars) @raise [ArgumentError] if the minimum size is less than one

# File lib/modules/cryptology/collect.rb, line 60
def self.secret_text min_size, prompt_twice, prompt_1, prompt_2=nil

  assert_min_size min_size

  sleep(1)
  puts "\n#{prompt_1} : "
  first_secret = STDIN.noecho(&:gets).chomp

  assert_input_text_size first_secret.length, min_size
  return first_secret unless prompt_twice

  sleep(1)
  puts "\n#{prompt_2} : "
  check_secret = STDIN.noecho(&:gets).chomp

  assert_same_size_text first_secret, check_secret
  
  return first_secret

end