packages feed

keystore-0.8.2.0: keystore.cabal

Name:                   keystore
Version:                0.8.2.0
Synopsis:               Managing stores of secret things
Homepage:               http://github.com/cdornan/keystore
Author:                 Chris Dornan
Maintainer:             chris@chrisdornan.com
Copyright:              Chris Dornan
License:                BSD3
License-file:           LICENSE
Category:               Cryptography
Build-type:             Simple
Description:
  Writing deployment scripts is a critical yet error-prone activity which we
  would rather do in Haskell. One of the most difficult aspect of deployment
  scripts is the management of credentials: they cannot be stored in the
  VCS like almost everything else, but need to be organised and accessed
  while under lock and key. This is the problem that keystore is trying to solve:
  flexible, secure and well-typed deployment scripts.
  .
  /All Haskell/
  .
  This package is written purely in Haskell and all of the cryptographic packages
  it relies upon are written in Haskell.
  .
  /JSON Format/
  .
  It stores everything in a JSON format that has proven to be stable. We can can
  use <http://hackage.haskell.org/package/api-tools migrations> in future
  should the store need to be reorganized.
  .
  /Simple and Flexible Underlying Model/
  .
  * /Named Keys/: every key has an name within the store that is associated
  with some secret data. If the secret data for that key is to be stored then
  it must identify another key in the store that will be used to encrypt the
  data. (Some keys -- the passwords -- will typically be auto-loaded from
  environment variables.)
  * *Functional model*: keys can be deleted and added again but the design
  encourages the retention of the history. The old keys remain available
  but deployment scripts will naturally select the latest version of a key.
  When a key is rotated this merely loads a new generation for the rotated
  key.
  .
  * /Simple Metadata/: oher information, such as the identity of the key
  with its originating system (e.g., the identifier of an AWS IAM key)
  and some arbitrary textual information (the 'comment') may be associated
  with a key and accessible without recourse to the key or password needed
  to access the secret information.
  .
  * /PKS/: the seret may be a RSA provate key with the public key stored
  separately in the cler.
  * *MFA*: a secret may be protected with multiple named keys, all of which
  will be needed to recover the secret text.
  .
  * /Hashing/: all keys can be hashed with an appropriate PBKDF-2 function
  and the hashes stored in the clear. These hashes may be sued to verify
  passwords but also can be inserted directly into configuration files
  for deployment. Precise control of the PBKDF-2 hash paramers is
  avaiable.
  .
  * /Hierarchical Organization/: keys can be stored in different sections
  with each key being protected by a master key for that section. Sections
  can be configured to store the master keys of other sections thereby
  gaining acces to all of the keys in those sections and the keys they
  have access to.
  .
  * /Systems Integration/: keys can automatically loaded from Environment
  variables. Typically a keystore session will start by settingb up an
  environment variable for the deployment section corresponding for
  the node that you need to deploy to. This will provide access to
  precisely the keys whose secrets you need to carry out the deployment
   and no more. It only needs access to the hashes of admin keys then they
  can be placed in separate higher-level @admin@ sections. Provided care
  is taken preparing the environment you will not deploy to the wrong host
  (e.g., a live server rather than a staging server, or the wrong live
  server) because those keys will not be accessible.
  .
  * /Configuration Control/: the parameters controling the encryption and
  hashing functions can be set up independently in each section of the
  store, allowing for heavier hashing to be used on live servers and
  light hashing to be used on development and staging servers where
  authentication needs to be quick.
  .
  * /Keystore Integrity/: the keystore can be signed and every operation
  made to check that the keystore matches its signature (and the public
  signing key matches an independent copy on the client).
  .
  * /External Crypto Operations/: keys in the keystore can be used to sign
  or encrypt external obejcts (provided they can be loaded into memory).
  .
  /The Layers/
  .
  The keystore package has several layers. Most users
  will probably need only the top "batteries-included" layer:
  .
  * @Data.KeyStore.Sections@: this provides a high-level model that allows
  a flexible hierarchical keystore to be set up relatively easily.
  See the 'deploy' example for details.
  .
  * @Data.KeyStore.CLI@ : This provides a stanalone program for inspecting
  and editing your keystores. It can also be embedded into your own
  deployment app. See the @deploy@ example for details.
  .
  * @Data.KeyStore.PasswordManager@ provides a password manager which each
  user can use to setup their own local password store for holding the
  deployment passwords and session tokens used to autheticate the server.
  .
  * @Data.KeyStore.IO@: this library provides general programatic access to
  a keystore through @IO@ primitives. See the source code for the @Sections@
  for an example of this module in use.
  .
  * @Data.KeyStore.KS@: this library provides general programatic access to
  a keystore through functional @KS@ primitives. See the source code for
  the @IO@ for an exteded example this system in action.
  .
  * @Data.KeyStore.Types@: This provides access to keystores at the types
  level.
  .
  /Launch Instructions/
  .
  See the bottom <https://github.com/cdornan/keystore#launch-instructions README>
  on GitHub home page for launch instructions for the deploy example.
Data-files:
    stack.yaml
    stack-8.6.yaml
    examples/deploy/zshenv/.zshrc
    examples/deploy/example-pwstore.dat


Extra-source-files:     changelog
Cabal-version:          >= 1.10

Source-repository head
    type:               git
    location:           https://github.com/cdornan/keystore

Library
    Hs-Source-Dirs:     src

    Exposed-modules:
        Data.KeyStore
        Data.KeyStore.CLI
        Data.KeyStore.CLI.Command
        Data.KeyStore.IO
        Data.KeyStore.IO.IC
        Data.KeyStore.KS
        Data.KeyStore.KS.Configuration
        Data.KeyStore.KS.CPRNG
        Data.KeyStore.KS.Crypto
        Data.KeyStore.KS.KS
        Data.KeyStore.KS.Opt
        Data.KeyStore.KS.Packet
        Data.KeyStore.PasswordManager
        Data.KeyStore.Sections
        Data.KeyStore.Types
        Data.KeyStore.Types.E
        Data.KeyStore.Types.NameAndSafeguard
        Data.KeyStore.Types.PasswordStoreModel
        Data.KeyStore.Types.PasswordStoreSchema
        Data.KeyStore.Types.Schema
        Data.KeyStore.Types.UTC
        Data.KeyStore.Version

    Build-depends:
        api-tools              >= 0.5.2             ,
        asn1-types             >= 0.2.0             ,
        asn1-encoding          >= 0.8.0             ,
        ansi-wl-pprint         >= 0.6.7             ,
        crypto-pubkey          >= 0.2.1             ,
        crypto-random          >= 0.0.7             ,
        aeson                  >= 0.8               ,
        aeson-pretty           >= 0.7               ,
        base                   >= 4.8               ,
        base64-bytestring      >= 1.0               ,
        byteable               >= 0.1               ,
        bytestring             >= 0.9               ,
        cipher-aes             >= 0.2.6             ,
        containers             >= 0.4               ,
        directory              >= 1.2               ,
        filepath               >= 1.3               ,
        lens                   >= 3.9.2             ,
        mtl                    >= 2                 ,
        old-locale             >= 1.0.0.5           ,
        optparse-applicative   >= 0.11.0            ,
        pbkdf                  >= 1.1.1.0           ,
        regex                  >= 1.0.1.3           ,
        regex-compat-tdfa      >= 0.95.1            ,
        safe                   >= 0.3.3             ,
        setenv                 >= 0.1               ,
        text                   >= 0.11.3            ,
        time                   >= 1.5               ,
        unordered-containers   >= 0.2.3.0           ,
        vector                 >= 0.10.0.1

    Default-Language:   Haskell2010

    GHC-Options:
        -Wall -fno-warn-warnings-deprecations


Executable ks
    Hs-Source-Dirs:     main

    Main-is:            ks.hs

    Default-Language:   Haskell2010

    Build-depends:
        base                   >  4 && < 5          ,
        keystore

    GHC-Options:
        -Wall -fno-warn-warnings-deprecations

Executable deploy
    Hs-Source-Dirs:     examples/deploy

    Main-is: deploy.hs

    Default-Language:   Haskell2010

    Other-modules:
        Deploy.Cmd
        Deploy.Deploy
        Deploy.HostSectionKey

    Build-depends:
        api-tools              >= 0.4               ,
        ansi-wl-pprint         >= 0.6.7.1           ,
        aeson                  >= 0.8               ,
        base                   >= 4.8               ,
        bytestring             >= 0.9               ,
        directory              >= 1.0               ,
        filepath               >= 1.1               ,
        keystore                                    ,
        mtl                    >= 2                 ,
        optparse-applicative   >= 0.11.0            ,
        process                >= 1.2.0.0           ,
        raw-strings-qq         >= 1.0.2             ,
        setenv                 >= 0.1               ,
        text                   >= 0.11.3            ,
        unordered-containers   >= 0.2.3.0

    GHC-Options:
        -Wall -fno-warn-warnings-deprecations