hiera-crypt 0.1 → 0.2

data/bin/hiera-crypt

@@ -1,3 +1,53 @@
-#!/bin/bash
+#!/usr/bin/env ruby
 
-exec gpg --symmetric --cipher-algo AES256 "$@"
+require 'optparse'
+require_relative '../lib/passwordbox'
+
+password = nil
+input = '-'
+output = '-'
+mode = :encrypt
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: #{$0} [options] [FILE]"
+  opts.on('-f', '--password-file [FILE]', 'Read password from a file') do |f|
+    file_name = File.expand_path(f)
+    password = File.open(file_name, 'r').read.chomp
+  end
+  opts.on('-d', '--decrypt', 'Decrypt instead of encrypting') do |decrypt|
+    mode = :decrypt
+  end
+  opts.on('-o', '--output [FILE]', 'Write result to file instead of stdout') do |f|
+    output = f
+  end
+end.parse!
+
+input = ARGV.first if ARGV.length > 0
+
+def read_password(prompt="Password: ")
+  `stty -echo`
+  STDERR.write(prompt)
+  STDERR.flush
+  STDIN.readline.chomp
+rescue Interrupt
+  exit 1
+ensure
+  STDERR.write("\n")
+  STDERR.flush
+  `stty echo`
+end
+
+password = read_password if password.nil?
+
+crypto = PasswordBox.new(password)
+
+in_file = input == '-' ? STDIN : File.open(input, 'r')
+
+if mode == :encrypt
+  out = crypto.box(in_file.read, :base64)
+elsif mode == :decrypt
+  out = crypto.open(in_file.read, :base64)
+end
+
+out_file = output == '-' ? STDOUT : File.open(output, 'w')
+out_file.write(out)

data/hiera-crypt.gemspec

@@ -4,7 +4,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 Gem::Specification.new do |spec|
   spec.name          = "hiera-crypt"
-  spec.version       = "0.1"
+  spec.version       = "0.2"
   spec.authors       = ["Carl Jackson"]
   spec.email         = ["carl@avtok.com"]
   spec.description   = "Encrypted file backend for Hiera"
@@ -19,7 +19,8 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "hiera", "~> 1.2.1"
-  spec.add_dependency "gpgme", "~> 2.0.2"
+  spec.add_dependency "pbkdf2", "~> 0.1.0"
+  spec.add_dependency "rbnacl", "~> 1.1.0"
 
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"

data/lib/hiera/backend/crypt_backend.rb

@@ -5,13 +5,11 @@ class Hiera
     class Crypt_backend
       DEBUG_PREFIX = '[crypt backend]'
 
-      def initialize()
+      def initialize(cache=nil)
         unless Hiera::Config.include?(:crypt)
           raise "Expected :crypt section in hiera.yaml"
         end
         conf = Hiera::Config[:crypt]
-        unless conf.include?(:password) || conf.include?(:password_file)
-        end
         password = if conf.include?(:password)
           conf[:password]
         elsif conf.include?(:password_file)
@@ -22,10 +20,10 @@ class Hiera
           raise "Expected either a :password or :password_file"
         end
 
-        @cache = {}
+        @cache = cache || Filecache.new
 
-        require 'gpgme'
-        @crypto = GPGME::Crypto.new(:password => password)
+        require 'passwordbox'
+        @crypto = PasswordBox.new(password)
         debug("Loaded!")
       end
 
@@ -40,11 +38,13 @@ class Hiera
         Backend.datasources(scope, order_override) do |source|
           debug("Looking for data source #{source}")
 
-          file = File.join(Backend.datadir(:crypt, scope), source, "#{key}.gpg")
+          file = File.join(Backend.datadir(:crypt, scope), source, "#{key}.crypt")
           debug("Examining file #{file}")
           next unless File.exist?(file)
 
-          plaintext = decrypt(file)
+          plaintext = @cache.read(file, String) do |data|
+            @crypto.open(data, :base64)
+          end
 
           return plaintext if resolution_type == :priority
 
@@ -55,21 +55,6 @@ class Hiera
       end
 
       private
-      def decrypt(file)
-        stat = File.stat(f = File.new(file))
-        info = {:inode => stat.ino, :mtime => stat.mtime, :size => stat.size}
-        @cache.delete(file) if @cache[file] && @cache[file][:info] != info
-
-        debug("Using cached value for #{file}") if @cache.include?(file)
-
-        @cache[file] ||= {
-          :contents => @crypto.decrypt(f).to_s,
-          :info => info
-        }
-
-        @cache[file][:contents]
-      end
-
       def debug(msg)
         Hiera.debug("#{DEBUG_PREFIX} #{msg}")
       end

data/lib/passwordbox.rb

@@ -0,0 +1,70 @@
+require 'rbnacl'
+require 'pbkdf2'
+require 'forwardable'
+
+# A SecretBox that (like RandomNonceBox) automatically generates a suitable
+# nonce, but also which uses PBKDF2 to derive a password of the right length.
+class PasswordBox < Crypto::SecretBox
+  DEFAULT_PBKDF2_ITERS = 5000
+
+  # Create a new PasswordBox
+  #
+  # @param password [String] A password of any length
+  def initialize(password)
+    @password = password
+  end
+
+  # Encrypts the message using a salted key derived from the given password, and
+  # a random nonce.
+  #
+  # @param message [String] The message to encrypt
+  # @param encoding [Symbol] Encoding for the returned ciphertext
+  #
+  # @return [String] The encrypted message
+  def box(message, encoding = :raw)
+    nonce = generate_nonce
+    salt, iters, @key = generate_key
+    ciphertext = super(nonce, message)
+    Crypto::Encoder[encoding].encode(nonce + salt + iters + ciphertext)
+  end
+  alias encrypt box
+
+  # Decrypts the message. Extracts both the encryption nonce and the salt from
+  # the message.
+  #
+  # @param enciphered_message [String] The message to decrypt
+  # @param encoding [Symbol] Encoding for the given ciphertext
+  #
+  # @raise [CryptoError] If the message has been tampered with.
+  #
+  # @return [String] The plaintext of the message
+  def open(enciphered_message, encoding = :raw)
+    decoded = Crypto::Encoder[encoding].decode(enciphered_message)
+    nonce, salt, iters, ciphertext = extract(decoded)
+    @key = generate_key(salt, iters).last
+    super(nonce, ciphertext)
+  end
+  alias decrypt open
+
+  private
+  def generate_nonce
+    Crypto::Random.random_bytes(nonce_bytes)
+  end
+  def generate_key(salt=nil, iters=DEFAULT_PBKDF2_ITERS)
+    salt ||= generate_nonce
+    key = PBKDF2.new(
+      :password => @password,
+      :salt => salt,
+      :iterations => iters,
+      :hash_function => :sha256,
+      :key_length => key_bytes
+    )
+    [salt, [iters].pack("N"), key.bin_string]
+  end
+  def extract(bytes)
+    nonce = bytes.slice!(0, nonce_bytes)
+    salt = bytes.slice!(0, nonce_bytes)
+    iters = bytes.slice!(0, 4).unpack("N").first
+    [nonce, salt, iters, bytes]
+  end
+end

data/test/data/one/data.txt.crypt

@@ -0,0 +1 @@
+Eu5V2p42KnCo2kkWH4VPmXxdpkBUussPJQwX5WzW4sMD/OEIzTjO9GadWin2ZPc/AAATiJoMMuEM1xFefXzu9SdUyfpr0TAhsm4AjV6AysFt7WJifs85wLOl1AI1SDihZKdh9/i9EuQ6odCpmI4O2MTIA61aw+g/v0eAyF3Sz7eWRALpGNz1PF1lNs0xlilDMq1P+Yk9/QtdESzJe+VrnW4TvsV1dEemSa91ctzhonnaxy06zgbljKMEE8UD+j8UUqwHigOzyRvk+iA4tvnnYcR10jJD1KJZYkLvQr8i01MdYXV8OHQNutnoqxQrzAM9H+vi3p3BMDdsvXPswyO0Ym3bdfeXiTno5kMWL/SIw+Y7kmsT9fN5uU2935POO/lBkESZ2pw0AsJSw/P4C2SF5lEpPaSzHVDzMPru1+bg+vUYufDqgLhT1TDRkDs0maIXuS4MmH/PqpTL3/5JbsUT/CLICEdSrWSCclvNw8mA21+Nqx7e9smEc2gPK05C9vGx6o27/+7IsdxTsUmp6SaWIwaPQFbEfRZARScZfouCq6swost9VFw1TnCYZHcf0EfdqVqdGoMP3UcxboQBrKKM0Y3qC/Z2O1pKlpFFAVYj6ZFM9D/hnHRVI+2wB3dTx2FtGpEoBXg2mYK33uOI5uazmSy3Vz9q8a24EgTF5dwduJ2zlXmm6yidu96MxL3w0k3BuB4wbAH5cCW/E+Kkj7T/9c39tcIfKekrgPejna9ONnkWRnkfF2Abh/YiCa5F6omWVc+dBBxpWRyFjLj4/ywkcqi+O7gU40JYIyb8A32z8EIfHk/FeH0zTBbjctBxu9R3zWRxkWy5JzkgHYGuS1oB3IZ8Ki7YZVHDTWmk3Lrm5cP6k2G1SKkLD5G+CuUpSREiC0CSFqmnRTM7WCqYojlB72QZbT8qQffidXjj1dzx2u9Puui0pz4bUOnNNDUaoNbVigJn+H+HpLxrx5CBFByaN/jdKsavayPVxgiSQe0=

data/test/data/two/backup.txt.crypt

@@ -0,0 +1 @@
+MTSajTxKc8nGJ+ZjwEM7uaCoOp8ZSIesT4HhRmcn29FWoyMioPrsz+aylaHdyCxwAAATiOuxY8cDs9uHEZmxmxnX4uMjNFhlQ2j2b9InSonhKeb6MAgE3uUH3bcCkwJ87tjlKeqjzAihD3cnFzcCU8V66gFQsUFa0uTM3olAgYvCe/tvWx4VEe4eO4/igBrcaBQ3JevA06TzRZPV9Ge2PEjr8EocZB2BcWCtjjzeOD/Plk60QaC59nlW3s1T6ZFyFMH/ufmv1MEqXH2dK7RKECRrbCsnp4DGO2SQMMfJoVF3pcGObtalJbf8Q1vM0RVQYZD4q0Yg2EjrXf2vqN12ufnzY9p8uP2P+efwD0xzCCk3BrYd7GbRXwnVbARC3e7mRoVlJfM9GUot1kqZb7rNdBFSD/RVTSoCbUjdqieN8E510SHJzQ121gGm/OVzHIorBZ5FoBgEBrQDzAq9gpNuKEj5c6LQHaXw37ix5DxkMpM3LOnzWb3OALNb2vx28BdIo3Q+uBg/hVDhfDJygDiZJqSHYcamegZLsquqpSyT65x/BDazkqkNKIl33jSnbNWpAyB5kkl+KpnoY0bBWvIdbgoqe4iolJPOEqQlzUeXUzUhh28vn9N/F8tIt7xQPhIHwsa5hmp6zJy7YZ0V2PNfbRcvfmeO4iYHZVGb9wmz9Pwe7DoC8ub80YCz9092NIya/Y3WcMJRF0mZCCe44elT1NgBe6wx9fz52gh9d/dmQPs73QrSoS5bahYh3BucqVs0xsp1YJ4VqGtf0oNpwNaEGVp0bwtFHq0Tdtg2OegGPiNUMiVjTMVLUqb5C6f8NwLDG4JwtqZQAUMYODgWRI1UTNRSEKQcLpzrG1OEwf3MucYOVPed82xmlekGgF5GXBZG/9qbuwBHGBjfYbf30+OUqV2PEIWxPQSN4p0GfPp1pFa/m4cM7WrxYROey3bfcLnvk//qMjE4tHxmaldJd4y1qwrr6CGTzl/UAuMfCss=

data/test/data/two/data.txt.crypt

@@ -0,0 +1 @@
+L531Q4wbmLbrjSHbvUKBs+3cGB+E6lYeTMVCLgKXoMW//E2+6vfjycj+62hKYg6wAAATiIY3gSySt20vPOZxypNd5QIYloZ1JisvMlxE1nLUT6rk9SMF+eW/CFl6IskduAVCh/+H4thRK3uFewGkFUvbRTzcyXcPpKPaezm+SfGDI5gyU0CNv2dAeSZGAQl9YzNiiTkUucbmu4lg5w4mXR4cM5+WdKh0Z9bpt4oBJvXz7RCez35IBQYCZv/iO/YjZ1XZTe4jbfJNWdXzKkQhXj8aANn4kGEUZeUB2L7HMGPMnDEDjCtG/yzgpHhrusM+uiXYfI65+Q5G2zWGUEEwmBkmAKGMeAfgP3MBFUNTH58yxxmZmcxRpE35vqIpGGlsh8QDJwNDr02jhKn1Ebopo77nPy3LXB1oIbAq1bEknTcMWJ9v4yvVwD8knxwKv4b0R4PpoA/vnAtMQGS8jjgS8JkTrh0mxrmHVI4aqXad3UFQ6VEt3OTxlewLYxSxPdv2g5IQhQLCt21nOtDeU/SGAHCsSW4E5zqAVH5sZbekYYES70Z4PiRXqRWYfNhIiiv+asH+Ed8ikvTpqHpvCS9vccADJG1YmN/m55CGt9nCkvMMTMSHrAE8huCAMWaMgOshJ2F5NNwnylxpcLrLsraNTLGP4YyRJYQGsBZdL8SdrR4HteP3yMYUY3KHp+0yCSjGXWMso5QNJVnTX/VAi4yoQh07mocJOOdS0ah93nsv2Z4zmYTeOHzoBaviG2ID6/kD/UHlNawCbb1su1vSg+tfp7EEzF+BZU06LyWXlgZ8Eux1MkmwN/sU8t40rxew5cVIhcE6gxxCyQenumWhCRJJuAT0ukZ0wJjVOdX6ApkDoVRX6t+ZSuLR5/egLIzu0pLdpJFOidSas8j+6Mib89+KWU1ZsNOJ/cyGtO095QEumX+meWIKqKLFBzz8abOLQc7Ces4nOH/EusjmgsJgjawgI997unuMTRhtYpFmoTSSt7Kt54483bIWLK93xYBVspLQAQHou94TvlNnbifsj25/eobwx0nNWbq8lsjbtEhmz3q+dR3s6p0j3tzP61uLaSqqSEDlkYmI2DIa8NsoivOJB6/YsVOCdiMDiXlZc5hSW5OpDl8E7BionNT0MYSvk2uMEJGSXoZYPKfDXsNj0OamZaCI86XKf+9PRKyfvorP0R17KudU0eE19Ac7EfyBrYiDvz5E6wGHg/2Ba6vUM6wudEEf8vPmO0eA5d8AUfy35R43nwo0tpaWoCO2hykVCbm9lbLc2cmtWFv1xY9kttv3qbLc2kPPzIUVL8MoVPaD5fzr+Rr7RUrAGFdANjKzeM5xnjKy64lCGAAKFo0Xs9EBExESoiTBR5RjcaOOpBGhL1+IpQRs5+U2EqUj9WrBZ0DApDlfGB8ygbRxdIJYlnWaUqvAHz7axCiwsFVu9V/UCAjwQ5Q9CHHXVXXXmHB3LaG7Egrr0Xx0hms4Md7tksynHOKDOFb1IjRAmbuyJStA187J/DhCdeINFULMmMn606b6ouO5lCVcphb5WTg7kOZpIaXnYRDCpT4I8PjIHXT/5RgawMQ=

metadata

@@ -1,18 +1,20 @@
 --- !ruby/object:Gem::Specification
 name: hiera-crypt
 version: !ruby/object:Gem::Version
-  version: '0.1'
+  version: '0.2'
+  prerelease: 
 platform: ruby
 authors:
 - Carl Jackson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-14 00:00:00.000000000 Z
+date: 2013-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hiera
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -20,27 +22,47 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 1.2.1
 - !ruby/object:Gem::Dependency
-  name: gpgme
+  name: pbkdf2
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.2
+        version: 0.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.2
+        version: 0.1.0
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -48,6 +70,7 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -55,15 +78,17 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - '>='
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: Encrypted file backend for Hiera
@@ -82,11 +107,12 @@ files:
 - bin/hiera-crypt
 - hiera-crypt.gemspec
 - lib/hiera/backend/crypt_backend.rb
+- lib/passwordbox.rb
 - test/data/data.txt
 - test/data/data2.txt
-- test/data/one/data.txt.gpg
-- test/data/two/backup.txt.gpg
-- test/data/two/data.txt.gpg
+- test/data/one/data.txt.crypt
+- test/data/two/backup.txt.crypt
+- test/data/two/data.txt.crypt
 - test/everything
 - test/hiera-file.yaml
 - test/hiera-inline.yaml
@@ -94,34 +120,35 @@ files:
 homepage: https://github.com/zenazn/hiera-crypt
 licenses:
 - MIT
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - '>='
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
-  - - '>='
+  - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.0
+rubygems_version: 1.8.23
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: A data backend for Hiera that returns the decrypted contents of files. Useful
   for secrets.
 test_files:
 - test/data/data.txt
 - test/data/data2.txt
-- test/data/one/data.txt.gpg
-- test/data/two/backup.txt.gpg
-- test/data/two/data.txt.gpg
+- test/data/one/data.txt.crypt
+- test/data/two/backup.txt.crypt
+- test/data/two/data.txt.crypt
 - test/everything
 - test/hiera-file.yaml
 - test/hiera-inline.yaml

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: f4f9ddadfa2194dd22b7bb21f285ad2aaa1c8f53
-  data.tar.gz: 5c8f3883285be5be667491484cd41a02d8137d08
-SHA512:
-  metadata.gz: da6f2ad40a25a9b6098eeed5a4cfbe8393b7ad7ed9d3d882ccf72454d993b9eb6e60a917aae1ee146f19aa0ccc00262e095be71afb6084f29aee9905601ba3b0
-  data.tar.gz: 95becd1d2756194762e70c1e7f8924a1d808402e419138d9d874eb37a011f11f11b6f46e81bf7ef651e0bf9bdd08710814235cd855707ecf48a7d6c82ff859d0