#lang racket/base
;;;
;;; SECRET
;;;
; This file contains secrets.
; Since the source is publicly available, the secrets are stored
; encrypted in the source code. At runtime they are decrypted
; using a key stored in the environment.
; Alternatives:
; Store the keys in the environment (environment variables or files).
; The "envy" package can be used to handle environment variables:
; https://lexi-lambda.github.io/envy/envy.html
;; Public interface of this module.
;; The three secrets are exported as plain values (they are decrypted when
;; the module is instantiated, see their definitions below); the AES
;; helpers are exported under the shorter names `encrypt` / `decrypt`.
;; `key`, `iv`, `new-key` and `new-iv` are not exported.
(provide (rename-out [aes-encrypt encrypt]
                     [aes-decrypt decrypt])
         github-client-id      ; see prefs at github.com
         github-client-secret
         postmark-api-token)
;;;
;;; Encryption and decryption of secrets
;;;
(require crypto crypto/libcrypto (only-in file/sha1 hex-string->bytes))
; Select the libcrypto (OpenSSL) backend for the `crypto` library; the
; cipher operations below are resolved against this factory list.
(crypto-factories (list libcrypto-factory))
; We will use AES and we need a random iv (initialization vector).
; NOTE(review): AES in CTR mode is an unauthenticated stream mode.  The iv
; below is a fixed constant and every secret in this file is encrypted
; under the same `key`, so all of them share one keystream -- CTR must not
; reuse a key/iv pair.  A per-secret iv (see `new-iv`) stored next to each
; ciphertext, or an authenticated mode such as '(aes gcm), would address
; that; as written, a modified ciphertext is not detected either.
(define aes-cipher-specifier '(aes ctr))
; 16-byte iv, written as a Racket byte-string literal.  An iv need not be
; secret, but it must match the iv that was used at encryption time.
(define iv #"\316\320\344\354\3p\260\20\353\5N<\347q\331\371")
; Use (generate-cipher-iv '(aes ctr)) to generate another.
; new-iv : -> bytes
; Generate a fresh random iv for `aes-cipher-specifier`.  Nothing in this
; module calls it; presumably it exists to produce a replacement for the
; fixed `iv` above (see the comment there).
(define new-iv
  (λ () (generate-cipher-iv aes-cipher-specifier)))
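; new-key : [#:size nat] -> string
; Generate a fresh random AES key and return it hex-encoded, i.e. in the
; form expected by the RSKEY environment variable / key file (see `key`).
; `size` is the key length in bytes; 32 (AES-256) is the default, 16 and
; 24 are the other sizes `key` accepts.
(define (new-key #:size [size 32])
  (bytes->hex-string
   (generate-cipher-key aes-cipher-specifier #:size size)))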
; aes-encrypt : string -> string
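; aes-encrypt : string [#:iv bytes] -> string
; Encrypt `plain-text` under the module `key` and return the ciphertext as
; a hex string, the form the secrets below are stored in.
; `initialization-vector` defaults to the fixed module-level `iv`.  Passing
; a fresh one (from `new-iv`) avoids reusing the key/iv pair, but the iv
; then has to be stored alongside the ciphertext and handed to
; `aes-decrypt-bytes` through its `#:iv` keyword.
; NOTE(review): with the constant iv, every ciphertext produced under one
; key shares a keystream, and CTR mode authenticates nothing.
(define (aes-encrypt plain-text #:iv [initialization-vector iv])
  (bytes->hex-string
   (encrypt aes-cipher-specifier key initialization-vector plain-text)))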
; aes-decrypt : string -> string
; aes-decrypt : string -> string
; Decrypt a hex-encoded ciphertext (as produced by `aes-encrypt`) and decode
; the plaintext as UTF-8.  `bytes->string/utf-8` raises if the plaintext
; is not valid UTF-8, which is typically what a wrong `key` produces.
(define (aes-decrypt crypto-text)
  (define plain-bytes (aes-decrypt-bytes crypto-text))
  (bytes->string/utf-8 plain-bytes))
; aes-decrypt-bytes : string -> bytes
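; aes-decrypt-bytes : string [#:iv bytes] -> bytes
; Decrypt a hex-encoded ciphertext under the module `key` and return the
; raw plaintext bytes.  `initialization-vector` defaults to the fixed
; module `iv` and must be the iv `aes-encrypt` used for this ciphertext.
; CTR mode cannot detect a wrong key or a modified ciphertext: the result
; is simply different bytes, not an error.
(define (aes-decrypt-bytes crypto-text #:iv [initialization-vector iv])
  (decrypt aes-cipher-specifier key initialization-vector
           (hex-string->bytes crypto-text)))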
;;;
;;; The key
;;;
; Use (new-key) to generate a new key.
; The key used to decrypt the secrets in this file can be stored
; either in the environment variable "RSKEY" or in the file
; ".racket-stories/rskey" in the user home (i.e. outside this repo).
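; default-key : -> bytes
; Fallback used when no key is configured: warns on stderr and returns a
; fixed 16-byte key.
; NOTE(review): this fallback key is part of the public source, so anything
; encrypted or decrypted with it is effectively unprotected.  A deployment
; should treat the warning below as a configuration error rather than
; continue with the default.
(define (default-key)
  (displayln "No key in either environment or home. Using default."
             (current-error-port))
  #"A secret key!!!!") ; this one is 16 bytes

; key : bytes -- 16, 24 or 32 bytes
; The AES key used to decrypt the secrets in this file, resolved once when
; the module is instantiated.  Lookup order:
;   1. the environment variable RSKEY, holding the key hex-encoded;
;   2. the first line of the file .racket-stories/rskey under HOME, also
;      hex-encoded (the file should be readable only by the account that
;      runs the application);
;   3. `default-key` above, with a warning on stderr.
; Use (new-key) to generate a new key in the expected hex form.
; An empty key file makes `read-line` return eof, which `hex-string->bytes`
; presumably rejects with an exception at load time; the trailing newline
; is consumed by `read-line`, other trailing whitespace is not stripped.
(define key
  (cond [(getenv "RSKEY") => hex-string->bytes]
        [(getenv "HOME")
         => (λ (home)
              (define p (build-path home ".racket-stories/rskey"))
              (if (file-exists? p)
                  (with-input-from-file p
                    (λ () (hex-string->bytes (read-line))))
                  (default-key)))]
        [else (default-key)]))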
;;;
;;; Github
;;;
; To authenticate users with Github our app has been given
; a client-id and client-secret, so we can identify ourselves
; to Github. (In this scenario our app is the client).
; In other words this secret is shared between us and Github.
; See the app's settings at github.com.
; GitHub app client id, decrypted when the module is instantiated.  Note
; that unlike `postmark-api-token` this is kept as bytes
; (`aes-decrypt-bytes`), not a string; callers needing a string must
; convert it.  The hex literal is the ciphertext, not the id itself.
(define github-client-id
  (aes-decrypt-bytes "2b158374fc518e1d41e40cca7ba5de867589c7d5"))
; GitHub app client secret, as bytes (see `github-client-id`).  The hex
; literal is the ciphertext and is only meaningful together with `key`;
; with the wrong key, CTR decryption silently yields different bytes.
(define github-client-secret
  (aes-decrypt-bytes
   "7e44d624f9048f4812b254c82bf3818075dc95d568c15cd32e38769426914e82b58d49d02db3cf21"))
;;;
;;; Postmark
;;;
; Postmark is used to send "transactional" emails.
; To begin with we use it to send "reset password" emails.
; Postmark API token, decrypted into a string when the module is
; instantiated.  NOTE(review): if the wrong key is in use (e.g. the public
; default key), CTR decryption still returns bytes, and the
; `bytes->string/utf-8` inside `aes-decrypt` will presumably raise on the
; non-UTF-8 result, so the module fails to load rather than carrying a
; garbage token.
(define postmark-api-token
  (aes-decrypt
   "7c4e8279fe02dd125bb90ecf2fb88cd27b888fd467c45fce786d24c92492488fbad74a83"))