Initial implementation

.gitignore

@@ -0,0 +1 @@
+/build/

Dockerfile

@@ -0,0 +1,6 @@
+FROM golang:1.12-alpine
+ENV GO111MODULE=on
+WORKDIR /go/src/github.com/envato/ejsonkms
+COPY . .
+RUN apk add git gcc musl-dev
+RUN go get

Makefile

@@ -0,0 +1,24 @@
+NAME=ejsonkms
+PACKAGE=github.com/envato/ejsonkms
+VERSION=$(shell cat VERSION)
+GOFILES=$(shell find . -type f -name '*.go')
+
+.PHONY: default all binaries clean
+
+default: all
+all: binaries
+binaries: build/bin/linux-amd64 build/bin/darwin-amd64
+
+build/bin/linux-amd64: $(GOFILES)
+	mkdir -p "$(@D)"
+	GOOS=linux GOARCH=amd64 go build \
+	-ldflags '-s -w -X main.version="$(VERSION)"' \
+	-o "$@"
+
+build/bin/darwin-amd64: $(GOFILES)
+	GOOS=darwin GOARCH=amd64 go build \
+	-ldflags '-s -w -X main.version="$(VERSION)"' \
+	-o "$@"
+
+clean:
+	rm -rf build

README.md

@@ -1,3 +1,52 @@
 # ejsonkms
 
-`ejsonkms` is a tool to based on the [ejson library](https://github.com/Shopify/ejson) with integration with AWS KMS.
+`ejsonkms` combines the [ejson library](https://github.com/Shopify/ejson) with [AWS Key Management
+Service](https://aws.amazon.com/kms/) to simplify deployments on AWS. The EJSON private key is encrypted with
+KMS and stored inside the EJSON file as `_private_key_enc`. Access to decrypt secrets can be controlled with IAM
+permissions on the KMS key.
+
+## Usage
+
+Generating an EJSON file:
+
+```
+$ ejsonkms keygen --aws-region us-east-1 --kms-key-id bc436485-5092-42b8-92a3-0aa8b93536dc -o secrets.ejson
+Private Key: ae5969d1fb70faab76198ee554bf91d2fffc44d027ea3d804a7c7f92876d518b
+$ cat secrets.ejson
+{
+  "_public_key": "6b8280f86aff5f48773f63d60e655e2f3dd0dd7c14f5fecb5df22936e5a3be52",
+  "_private_key_enc": "S2Fybjphd3M6a21zOnVzLWVhc3QtMToxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAAAycRX5OBx6xGuYOPAmDJ1FombB1lFybMP42s7PGmoa24bAesPMMZtI9V0w0p0lEgLeeSvYdsPuoPROa4bwnQxJB28eC6fHgfWgY7jgDWY9uP/tgzuWL3zuIaq+9Q=="
+}
+```
+
+Encrypting:
+
+```
+$ ejsonkms encrypt secrets.ejson
+```
+
+Decrypting:
+
+```
+$ ejsonkms decrypt secrets.ejson
+{
+  "_public_key": "6b8280f86aff5f48773f63d60e655e2f3dd0dd7c14f5fecb5df22936e5a3be52",
+  "_private_key_enc": "S2Fybjphd3M6a21zOnVzLWVhc3QtMToxMTExMjIyMjMzMzM6a2V5L2JjNDM2NDg1LTUwOTItNDJiOC05MmEzLTBhYThiOTM1MzZkYwAAAAAycRX5OBx6xGuYOPAmDJ1FombB1lFybMP42s7PGmoa24bAesPMMZtI9V0w0p0lEgLeeSvYdsPuoPROa4bwnQxJB28eC6fHgfWgY7jgDWY9uP/tgzuWL3zuIaq+9Q==",
+  "environment": {
+    "my_secret": "secret123"
+  }
+}
+```
+
+Exporting shell variables (from [ejson2env](https://github.com/Shopify/ejson2env)):
+
+```
+$ exports=$(ejsonkms env secrets.ejson)
+$ echo $exports
+export my_secret=secret123
+$ eval $exports
+$ echo my_secret
+secret123
+```
+
+Note that only secrets under the "environment" key will be exported using the `env` command.

VERSION

@@ -0,0 +1 @@
+0.1.0

actions.go

@@ -0,0 +1,89 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/Shopify/ejson"
+)
+
+func encryptAction(args []string) error {
+	if len(args) < 1 {
+		return fmt.Errorf("at least one file path must be given")
+	}
+	for _, filePath := range args {
+		n, err := ejson.EncryptFileInPlace(filePath)
+		if err != nil {
+			return err
+		}
+		fmt.Printf("Wrote %d bytes to %s.\n", n, filePath)
+	}
+	return nil
+}
+
+func decryptAction(args []string, awsRegion string, outFile string) error {
+	if len(args) != 1 {
+		return fmt.Errorf("exactly one file path must be given")
+	}
+	ejsonFilePath := args[0]
+
+	decrypted, err := Decrypt(ejsonFilePath, awsRegion)
+	if err != nil {
+		return err
+	}
+
+	target := os.Stdout
+	if outFile != "" {
+		target, err = os.Create(outFile)
+		if err != nil {
+			return err
+		}
+		defer func() { _ = target.Close() }()
+	}
+
+	_, err = target.Write(decrypted)
+	return err
+}
+
+func keygenAction(args []string, kmsKeyID string, awsRegion string, outFile string) error {
+	pub, priv, privKeyEnc, err := Keygen(kmsKeyID, awsRegion)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Private Key: %s\n", priv)
+	target := os.Stdout
+	if outFile != "" {
+		target, err = os.Create(outFile)
+		if err != nil {
+			return err
+		}
+		defer func() { _ = target.Close() }()
+	} else {
+		fmt.Printf("EJSON File:\n")
+	}
+
+	_, err = fmt.Fprintf(target, "{\n  \"_public_key\": \"%s\",\n  \"_private_key_enc\": \"%s\"\n}", pub, privKeyEnc)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func envAction(ejsonFilePath string, quiet bool, awsRegion string) error {
+	exportFunc := ExportEnv
+	if quiet {
+		exportFunc = ExportQuiet
+	}
+	privateKeyEnc, err := findPrivateKeyEnc(ejsonFilePath)
+	if err != nil {
+		return err
+	}
+
+	kmsDecryptedPrivateKey, err := decryptPrivateKeyWithKMS(privateKeyEnc, awsRegion)
+	if err != nil {
+		return err
+	}
+
+	return ExportSecrets(ejsonFilePath, kmsDecryptedPrivateKey, exportFunc)
+}

actions_test.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"bytes"
+	"os"
+	"testing"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestEnv(t *testing.T) {
+	outputBuffer := new(bytes.Buffer)
+	output = outputBuffer
+
+	// ensure that output returns to os.Stdout
+	defer func() {
+		output = os.Stdout
+	}()
+
+	Convey("Env", t, func() {
+		err := envAction("testdata/test.ejson", false, "us-east-1")
+
+		Convey("should return decrypted values as shell exports", func() {
+			So(err, ShouldBeNil)
+			actualOutput := outputBuffer.String()
+			So(actualOutput, ShouldContainSubstring, "export my_secret=secret123")
+		})
+	})
+
+	Convey("Env with no private key", t, func() {
+		err := envAction("testdata/test_no_private_key.ejson", false, "us-east-1")
+
+		Convey("should fail", func() {
+			So(err, ShouldNotBeNil)
+			So(err.Error(), ShouldContainSubstring, "Missing _private_key_enc")
+		})
+	})
+}

docker-compose.yml

@@ -0,0 +1,21 @@
+version: "3"
+services:
+  awskms:
+    image: "nsmithuk/local-kms"
+    environment:
+      REGION: us-east-1
+    volumes:
+      - "./local_kms:/init"
+    expose:
+      - 8080
+  tests:
+    build: .
+    volumes:
+      - "./:/go/src/github.com/envato/ejsonkms"
+    command: ["go", "test"]
+    environment:
+      AWS_ACCESS_KEY_ID: '123'
+      AWS_SECRET_ACCESS_KEY: xyz
+      FAKE_AWSKMS_URL: http://awskms:8080
+    links:
+      - awskms

ejsonkms.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"io/ioutil"
+	"os"
+
+	"github.com/Shopify/ejson"
+)
+
+// Keygen generates keys and prepares an EJSON file with them
+func Keygen(kmsKeyID string, awsRegion string) (string, string, string, error) {
+	pub, priv, err := ejson.GenerateKeypair()
+	if err != nil {
+		return "", "", "", err
+	}
+
+	privKeyEnc, err := encryptPrivateKeyWithKMS(priv, kmsKeyID, awsRegion)
+	if err != nil {
+		return "", "", "", err
+	}
+
+	return pub, priv, privKeyEnc, nil
+}
+
+// Decrypt decrypts an EJSON file
+func Decrypt(ejsonFilePath string, awsRegion string) ([]byte, error) {
+	privateKeyEnc, err := findPrivateKeyEnc(ejsonFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	kmsDecryptedPrivateKey, err := decryptPrivateKeyWithKMS(privateKeyEnc, awsRegion)
+	if err != nil {
+		return nil, err
+	}
+
+	decrypted, err := ejson.DecryptFile(ejsonFilePath, "", kmsDecryptedPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return decrypted, nil
+}
+
+func findPrivateKeyEnc(ejsonFilePath string) (key string, err error) {
+	var (
+		obj map[string]interface{}
+		ks  string
+	)
+
+	file, err := os.Open(ejsonFilePath)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	data, err := ioutil.ReadAll(file)
+	if err != nil {
+		return "", err
+	}
+
+	err = json.Unmarshal(data, &obj)
+	if err != nil {
+		return "", err
+	}
+
+	k, ok := obj["_private_key_enc"]
+	if !ok {
+		return "", errors.New("Missing _private_key_enc field")
+	}
+	ks, ok = k.(string)
+	if !ok {
+		return "", errors.New("Couldn't cast _private_key_enc to string")
+	}
+	return ks, nil
+}

ejsonkms_test.go

@@ -0,0 +1,38 @@
+package main
+
+import (
+	"testing"
+
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestKeygen(t *testing.T) {
+	Convey("Keygen", t, func() {
+		pub, priv, privEnc, err := Keygen("bc436485-5092-42b8-92a3-0aa8b93536dc", "us-east-1")
+		Convey("should return three strings that look key-like", func() {
+			So(err, ShouldBeNil)
+			So(pub, ShouldNotEqual, priv)
+			So(pub, ShouldNotContainSubstring, "00000")
+			So(priv, ShouldNotContainSubstring, "00000")
+			So(privEnc, ShouldNotContainSubstring, "00000")
+		})
+	})
+}
+
+func TestDecrypt(t *testing.T) {
+	Convey("Decrypt", t, func() {
+		decrypted, err := Decrypt("testdata/test.ejson", "us-east-1")
+		Convey("should return decrypted values", func() {
+			So(err, ShouldBeNil)
+			json := string(decrypted[:])
+			So(json, ShouldContainSubstring, "\"my_secret\": \"secret123\"")
+		})
+	})
+	Convey("Decrypt with no private key", t, func() {
+		_, err := Decrypt("testdata/test_no_private_key.ejson", "us-east-1")
+		Convey("should fail", func() {
+			So(err, ShouldNotBeNil)
+			So(err.Error(), ShouldContainSubstring, "Missing _private_key_enc")
+		})
+	})
+}