lib/symmetric_encryption/cli.rb in symmetric-encryption-4.0.1 vs lib/symmetric_encryption/cli.rb in symmetric-encryption-4.1.0.beta1
- old
+ new
@@ -4,11 +4,11 @@
class CLI
attr_reader :key_path, :app_name, :encrypt, :config_file_path,
:decrypt, :random_password, :new_keys, :generate, :environment,
:keystore, :re_encrypt, :version, :output_file_name, :compress,
:environments, :cipher_name, :rolling_deploy, :rotate_keys, :rotate_kek, :prompt, :show_version,
- :cleanup_keys, :activate_key, :migrate
+ :cleanup_keys, :activate_key, :migrate, :regions
KEYSTORES = %i[heroku environment file].freeze
def self.run!(argv)
new(argv).run!
@@ -17,11 +17,11 @@
def initialize(argv)
@version = current_version
@environment = ENV['SYMMETRIC_ENCRYPTION_ENV'] || ENV['RACK_ENV'] || ENV['RAILS_ENV'] || 'development'
@config_file_path = File.expand_path(ENV['SYMMETRIC_ENCRYPTION_CONFIG'] || 'config/symmetric-encryption.yml')
@app_name = 'symmetric-encryption'
- @key_path = '/etc/symmetric-encryption'
+ @key_path = '~/.symmetric-encryption'
@cipher_name = 'aes-256-cbc'
@rolling_deploy = false
@prompt = false
@show_version = false
@keystore = :file
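Review bot: The new default `@key_path = '~/.symmetric-encryption'` is a literal tilde, and Ruby's File APIs do not expand `~` on their own; unlike `@config_file_path` a few lines above, it is not passed through `File.expand_path`, so unless the keystore expands it later (not visible here) the key files could be written to a directory literally named `~` under the current working directory. Suggest `@key_path = File.expand_path('~/.symmetric-encryption')` to match the config path; the `-K` handler in the option-parsing hunk assigns `@key_path = path` without expansion as well. Be aware that `File.expand_path('~')` raises ArgumentError when HOME is unset, which may matter for service accounts. `initialize` continues outside the hunk.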
@@ -125,15 +125,19 @@
opts.on '-g', '--generate', 'Generate a new configuration file and encryption keys for every environment.' do |config|
@generate = config
end
- opts.on '-s', '--keystore heroku|environment|file', 'Generate a new configuration file and encryption keys for every environment.' do |keystore|
+ opts.on '-s', '--keystore heroku|environment|file|aws', 'Which keystore to use during generation or re-encryption.' do |keystore|
@keystore = (keystore || 'file').downcase.to_sym
end
- opts.on '-K', '--key-path KEY_PATH', 'Output path in which to write generated key files. Default: /etc/symmetric-encryption' do |path|
+ opts.on '-B', '--regions [us-east-1,us-east-2,us-west-1,us-west-2]', 'AWS KMS Regions to encrypt data key with.' do |regions|
+ @regions = regions.to_s.split(',').collect(&:strip) if regions
+ end
+
+ opts.on '-K', '--key-path KEY_PATH', 'Output path in which to write generated key files. Default: ~/.symmetric-encryption' do |path|
@key_path = path
end
opts.on '-a', '--app-name NAME', 'Application name to use when generating a new configuration. Default: symmetric-encryption' do |name|
@app_name = name
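Review bot: The `--keystore` help text now advertises `aws`, but `KEYSTORES` in the first hunk still holds only `heroku environment file`, so `-s aws` is rejected by the new `unless KEYSTORES.include?(keystore)` guard in `generate_new_config` with "Invalid keystore option". Either extend the constant, `KEYSTORES = %i[heroku environment file aws].freeze`, or drop `aws` from the help string until the keystore is accepted. In the `--regions` handler, `regions.to_s.split(',').collect(&:strip)` keeps empty entries for input such as `-B ' ,us-east-1'`; appending `.reject(&:empty?)` avoids handing a blank region name to the AWS keystore. The enclosing option-parsing method starts outside the hunk.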
@@ -195,30 +199,25 @@
def load_config
Config.load!(file_name: config_file_path, env: environment)
end
def generate_new_config
+ unless KEYSTORES.include?(keystore)
+ puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
+ exit(-3)
+ end
+
config_file_does_not_exist!
self.environments ||= %i[development test release production]
- cfg =
- if keystore == :file
- SymmetricEncryption::Keystore::File.new_config(
- key_path: key_path,
- app_name: app_name,
- environments: environments,
- cipher_name: cipher_name
- )
- elsif %i[heroku environment].include?(keystore)
- SymmetricEncryption::Keystore::Environment.new_config(
- app_name: app_name,
- environments: environments,
- cipher_name: cipher_name
- )
- else
- puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
- exit(-3)
- end
+ args = {
+ app_name: app_name,
+ environments: environments,
+ cipher_name: cipher_name
+ }
+ args[:key_path] = key_path if key_path
+ args[:regions] = regions if regions && !regions.empty?
+ cfg = Keystore.generate_data_keys(keystore, **args)
Config.write_file(config_file_path, cfg)
puts "New configuration file created at: #{config_file_path}"
end
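Review bot: The validation failure added at the top of `generate_new_config` reports through `puts` and `exit(-3)`, so the error lands on stdout mixed with normal output and the process status becomes 253 on POSIX; prefer `warn "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"` followed by a small positive exit status so scripts can separate the message from the success output. The same check is repeated in `run_rotate_keys` in the next hunk and could share one private helper. Also, `args[:key_path] = key_path if key_path` is always true because `initialize` sets a default, so the path is also passed for the environment and heroku keystores; whether `Keystore.generate_data_keys` ignores it for those cannot be seen from here.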
def run_migrate
@@ -226,11 +225,16 @@
Config.write_file(config_file_path, config)
puts "Existing configuration file successfully migrated to the new format: #{config_file_path}"
end
def run_rotate_keys
+ if keystore && KEYSTORES.include?(keystore)
+ puts "Invalid keystore option: #{keystore}, must be one of #{KEYSTORES.join(', ')}"
+ exit(-3)
+ end
+
config = Config.read_file(config_file_path)
- SymmetricEncryption::Keystore.rotate_keys!(config, environments: environments || [], app_name: app_name, rolling_deploy: rolling_deploy)
+ SymmetricEncryption::Keystore.rotate_keys!(config, environments: environments || [], app_name: app_name, rolling_deploy: rolling_deploy, keystore: keystore)
Config.write_file(config_file_path, config)
puts "Existing configuration file updated with new keys: #{config_file_path}"
end
def run_rotate_kek
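Review bot: The keystore guard added at the top of `run_rotate_keys` is inverted: `if keystore && KEYSTORES.include?(keystore)` exits with "Invalid keystore option" precisely when the keystore is valid, and because `@keystore` defaults to `:file` in `initialize` every key rotation would abort before the config is read. It should mirror the guard in `generate_new_config`, `unless KEYSTORES.include?(keystore)`, or `if keystore && !KEYSTORES.include?(keystore)` if a nil keystore is meant to pass through to `rotate_keys!`. Since `@keystore` is always set, the `keystore &&` part is dead either way. `run_rotate_kek` begins on the hunk's last line and continues outside it.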