aspera-cli 4.2.1 → 4.5.0

data/lib/aspera/keychain/encrypted_hash.rb

@@ -0,0 +1,120 @@
+require 'openssl'
+
+module Aspera
+  module Keychain
+    class SimpleCipher
+      def initialize(key)
+        @key=Digest::SHA1.hexdigest(key)[0..23]
+        @cipher = OpenSSL::Cipher.new('DES-EDE3-CBC')
+      end
+
+      def encrypt(value)
+        @cipher.encrypt
+        @cipher.key = @key
+        s = @cipher.update(value) + @cipher.final
+        s.unpack('H*').first
+      end
+
+      def decrypt(value)
+        @cipher.decrypt
+        @cipher.key = @key
+        s = [value].pack('H*').unpack('C*').pack('c*')
+        @cipher.update(s) + @cipher.final
+      end
+    end
+
+    # Manage secrets in a simple Hash
+    class EncryptedHash
+      SEPARATOR='%'
+      private_constant :SEPARATOR
+      def initialize(values)
+        raise "values shall be Hash" unless values.is_a?(Hash)
+        @all_secrets=values
+      end
+
+      def set(options)
+        raise "options shall be Hash" unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url,:secret,:description]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise "options shall have username" if username.nil?
+        url=options[:url]
+        raise "options shall have username" if url.nil?
+        secret=options[:secret]
+        raise "options shall have secret" if secret.nil?
+        key=[url,username].join(SEPARATOR)
+        raise "secret #{key} already exist, delete first" if @all_secrets.has_key?(key)
+        obj={username: username, url: url, secret: SimpleCipher.new(key).encrypt(secret)}
+        obj[:description]=options[:description] if options.has_key?(:description)
+        @all_secrets[key]=obj
+        nil
+      end
+
+      def list
+        result=[]
+        @all_secrets.each do |k,v|
+          case v
+          when String
+            o={username: k, url: '', description: ''}
+          when Hash
+            o=v.clone
+            o.delete(:secret)
+            o[:description]||=''
+          else raise "error"
+          end
+          o[:description]=v[:description] if v.is_a?(Hash) and v[:description].is_a?(String)
+          result.push(o)
+        end
+        return result
+      end
+
+      def delete(options)
+        raise "options shall be Hash" unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise "options shall have username" if username.nil?
+        url=options[:url]
+        key=nil
+        if !url.nil?
+          extk=[url,username].join(SEPARATOR)
+          key=extk if @all_secrets.has_key?(extk)
+        end
+        # backward compatibility: TODO: remove in future ? (make url mandatory ?)
+        key=username if key.nil? and @all_secrets.has_key?(username)
+        raise "no such secret" if key.nil?
+        @all_secrets.delete(key)
+      end
+
+      def get(options)
+        raise "options shall be Hash" unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise "options shall have username" if username.nil?
+        url=options[:url]
+        val=nil
+        if !url.nil?
+          val=@all_secrets[[url,username].join(SEPARATOR)]
+        end
+        # backward compatibility: TODO: remove in future ? (make url mandatory ?)
+        if val.nil?
+          val=@all_secrets[username]
+        end
+        result=options.clone
+        case val
+        when NilClass
+          raise "no such secret"
+        when String
+          result.merge!({secret: val, description: ''})
+        when Hash
+          key=[url,username].join(SEPARATOR)
+          plain=SimpleCipher.new(key).decrypt(val[:secret])
+          result.merge!({secret: plain, description: val[:description]})
+        else raise "error"
+        end
+        return result
+      end
+    end
+  end
+end

data/lib/aspera/keychain/macos_security.rb

@@ -0,0 +1,94 @@
+require 'security'
+
+# enhance the gem to support other keychains
+module Security
+  class Keychain
+    class << self
+      def by_name(name)
+        keychains_from_output(`security list-keychains`).select{|kc|kc.filename.end_with?("/#{name}.keychain-db")}.first
+      end
+    end
+  end
+
+  class Password
+    class << self
+      # add some login to original method
+      alias_method :orig_flags_for_options, :flags_for_options
+      def flags_for_options(options = {})
+        keychain=options.delete(:keychain)
+        url=options.delete(:url)
+        if !url.nil?
+          uri=URI.parse(url)
+          raise 'only https' unless uri.scheme.eql?('https')
+          options[:r]='htps'
+          raise 'host required in URL' if uri.host.nil?
+          options[:s]=uri.host
+          options[:p]=uri.path unless ['','/'].include?(uri.path)
+          options[:P]=uri.port unless uri.port.eql?(443) and !url.include?(':443/')
+        end
+        flags=[orig_flags_for_options(options)]
+        flags.push(keychain.filename) unless keychain.nil?
+        flags.join(' ')
+      end
+    end
+  end
+end
+
+module Aspera
+  module Keychain
+    # keychain based on macOS keychain, using `security` cmmand line
+    class MacosSecurity
+      def initialize(name=nil)
+        if name.nil?
+          @keychain=Security::Keychain.default_keychain
+        else
+          @keychain=Security::Keychain.by_name(name)
+        end
+        raise "no such keychain #{name}" if @keychain.nil?
+      end
+
+      def set(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url,:secret,:description]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        raise 'options shall have url' if url.nil?
+        secret=options[:secret]
+        raise 'options shall have secret' if secret.nil?
+        raise 'set not implemented'
+        self
+      end
+
+      def get(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        raise 'options shall have url' if url.nil?
+        info=Security::InternetPassword.find(keychain: @keychain, url: url, account: username)
+        raise 'not found' if info.nil?
+        result=options.clone
+        result.merge!({secret: info.password, description: info.attributes['icmt']})
+        return result
+      end
+
+      def list
+        raise 'list not implemented'
+      end
+
+      def delete(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        raise 'delete not implemented'
+      end
+    end
+  end
+end

data/lib/aspera/log.rb

@@ -7,33 +7,41 @@ require 'singleton'
 module Aspera
   # Singleton object for logging
   class Log
-
-    public
     include Singleton
+    # class methods
+    class << self
+      # levels are :debug,:info,:warn,:error,fatal,:unknown
+      def levels; Logger::Severity.constants.sort{|a,b|Logger::Severity.const_get(a)<=>Logger::Severity.const_get(b)}.map{|c|c.downcase.to_sym};end
 
-    attr_reader :logger
-    attr_reader :logger_type
-    # levels are :debug,:info,:warn,:error,fatal,:unknown
-    def self.levels; Logger::Severity.constants.sort{|a,b|Logger::Severity.const_get(a)<=>Logger::Severity.const_get(b)}.map{|c|c.downcase.to_sym};end
-
-    # where logs are sent to
-    def self.logtypes; [:stderr,:stdout,:syslog];end
+      # where logs are sent to
+      def logtypes; [:stderr,:stdout,:syslog];end
 
-    # get the logger object of singleton
-    def self.log; self.instance.logger; end
+      # get the logger object of singleton
+      def log; instance.logger;end
 
-    # dump object in debug mode
-    # @param name string or symbol
-    # @param format either pp or json format
-    def self.dump(name,object,format=:json)
-      result=case format
-      when :ruby;PP.pp(object,'')
-      when :json;JSON.pretty_generate(object) rescue PP.pp(object,'')
-      else raise "wrong parameter, expect pp or json"
+      # dump object in debug mode
+      # @param name string or symbol
+      # @param format either pp or json format
+      def dump(name,object,format=:json)
+        self.log.debug() do
+          result=case format
+          when :json
+            JSON.pretty_generate(object) rescue PP.pp(object,'')
+          when :ruby
+            PP.pp(object,'')
+          else
+            raise "wrong parameter, expect pp or json"
+          end
+          "#{name.to_s.green} (#{format})=\n#{result}"
+        end
       end
-      self.log.debug("#{name.to_s.green} (#{format})=\n#{result}")
     end
 
+    attr_reader :logger_type
+    attr_reader :logger
+    attr_writer :program_name
+    attr_accessor :log_passwords
+
     # set log level of underlying logger given symbol level
     def level=(new_level)
       @logger.level=Logger::Severity.const_get(new_level.to_sym.upcase)
@@ -44,20 +52,15 @@ module Aspera
       Logger::Severity.constants.each do |name|
         return name.downcase.to_sym if @logger.level.eql?(Logger::Severity.const_get(name))
       end
+      # should not happen
       raise "error"
     end
 
     # change underlying logger, but keep log level
     def logger_type=(new_logtype)
-      current_severity_integer=if @logger.nil?
-        if ENV.has_key?('AS_LOG_LEVEL')
-          ENV['AS_LOG_LEVEL']
-        else
-          Logger::Severity::WARN
-        end
-      else
-        @logger.level
-      end
+      current_severity_integer=@logger.level unless @logger.nil?
+      current_severity_integer=ENV['AS_LOG_LEVEL'] if current_severity_integer.nil? and ENV.has_key?('AS_LOG_LEVEL')
+      current_severity_integer=Logger::Severity::WARN if current_severity_integer.nil?
       case new_logtype
       when :stderr
         @logger = Logger.new(STDERR)
@@ -71,17 +74,27 @@ module Aspera
       end
       @logger.level=current_severity_integer
       @logger_type=new_logtype
+      original_formatter = @logger.formatter || Logger::Formatter.new
+      # update formatter with password hiding
+      @logger.formatter=proc do |severity, datetime, progname, msg|
+        unless @log_passwords
+          msg=msg.gsub(/("[^"]*(password|secret|private_key)[^"]*"=>")([^"]+)(")/){"#{$1}***#{$4}"}
+          msg=msg.gsub(/("[^"]*(secret)[^"]*"=>{)([^}]+)(})/){"#{$1}***#{$4}"}
+          msg=msg.gsub(/((secrets)={)([^}]+)(})/){"#{$1}***#{$4}"}
+        end
+        original_formatter.call(severity, datetime, progname, msg)
+      end
     end
 
-    attr_writer :program_name
-
     private
 
     def initialize
       @logger=nil
       @program_name='aspera'
-      # this sets @logger and @logger_type
+      @log_passwords=false
+      # this sets @logger and @logger_type (self needed to call method instead of local var)
       self.logger_type=:stderr
+      raise "error logger shall be defined" if @logger.nil?
     end
 
   end

data/lib/aspera/node.rb

@@ -1,4 +1,6 @@
+require 'aspera/fasp/default'
 require 'aspera/rest'
+require 'aspera/oauth'
 require 'aspera/log'
 require 'zlib'
 require 'base64'
@@ -10,9 +12,12 @@ module Aspera
     ACCESS_LEVELS=['delete','list','mkdir','preview','read','rename','write']
     MATCH_EXEC_PREFIX='exec:'
 
-    # for information only
-    def self.decode_bearer_token(token)
-      return JSON.parse(Zlib::Inflate.inflate(Base64.decode64(token)).partition('==SIGNATURE==').first)
+    # register node special token decoder
+    Oauth.register_decoder(lambda{|token|JSON.parse(Zlib::Inflate.inflate(Base64.decode64(token)).partition('==SIGNATURE==').first)})
+
+    def self.set_ak_basic_token(ts,ak,secret)
+      raise "ERROR: expected xfer" unless ts['remote_user'].eql?(Fasp::Default::ACCESS_KEY_TRANSFER_USER)
+      ts['token']="Basic #{Base64.strict_encode64("#{ak}:#{secret}")}"
     end
 
     # for access keys: provide expression to match entry in folder
@@ -22,7 +27,7 @@ module Aspera
     def self.file_matcher(match_expression)
       match_expression||="#{MATCH_EXEC_PREFIX}true"
       if match_expression.start_with?(MATCH_EXEC_PREFIX)
-        return eval "lambda{|f|#{match_expression[MATCH_EXEC_PREFIX.length..-1]}}"
+        return eval("lambda{|f|#{match_expression[MATCH_EXEC_PREFIX.length..-1]}}")
       end
       return lambda{|f|f['name'].match(/#{match_expression}/)}
     end