hiera-eyaml-sshagent 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7e18fd54c6a2bcd67245f1a2ed67d3cd7cfd5264a8726579e7a8d4d18177702e
+  data.tar.gz: 83ef75d39dc548306fc58c4b6fec4c9f7c3c67c08ec90335eae2931940cc58fc
+SHA512:
+  metadata.gz: d4cccba756eaa6295ecacd19604febeb6aafda03e1b35383c495c141b40c9b5a286472c778af7cc02d4039e97d521bd8520b3376d11c2781313dfbd9bec349cb
+  data.tar.gz: 0e59f1211ec5697cd9dc8775b97315ac9dee04b9e114fcb7ccbf05e8d5db225dbce5b31753fc1ac0d6cde4cc29d7b26b1ec927e78cd77808b76e344c0362980d

data/.pre-commit-config.yaml

@@ -0,0 +1,16 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.1.0
+    hooks:
+    -   id: trailing-whitespace
+    -   id: end-of-file-fixer
+    -   id: check-yaml
+    -   id: requirements-txt-fixer
+-   repo: local
+    hooks:
+    -   id: rubocop
+        name: rubocop
+        entry: rubocop --auto-correct
+        types: [ruby]
+        language: ruby
+        additional_dependencies: ['rubocop:0.63.1']

data/.rubocop.yml

@@ -0,0 +1,12 @@
+Metrics/AbcSize:
+  Max: 30
+Metrics/BlockLength:
+  Max: 30
+Metrics/CyclomaticComplexity:
+  Max: 10
+Metrics/MethodLength:
+  Max: 30
+Metrics/LineLength:
+  IgnoreCopDirectives: true
+Style/Documentation:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,8 @@
+language: python
+python: 3.6
+install: pip install pre-commit
+script: pre-commit run --all-files
+cache:
+    directories:
+        - $HOME/.cache/pip
+        - $HOME/.cache/pre-commit

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org/'
+
+gem 'fernet', '>=2'
+gem 'hiera-eyaml', '>=1.3.8'

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2019 Anthony Sottile
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,83 @@
+hiera-eyaml-sshagent
+====================
+
+A [hiera-eyaml] plugin which uses the ssh agent connected to `SSH_AUTH_SOCK`
+to encrypt / decrypt values.
+
+### installation
+
+```bash
+gem install hiera-eyaml-sshagent
+```
+
+### configuring
+
+The plugin takes a single option `sshagent_keyid`:
+
+```yaml
+version: 5
+hierarchy:
+    -   name: "Common secret data"
+        lookup_key: eyaml_lookup_key
+        path: common.eyaml
+        options:
+          sshagent_keyid: /home/asottile/.ssh/id_rsa
+    -   name: "Common data"
+        path: common.yaml
+```
+
+The `keyid` should match what is printed from `ssh-add -l`
+
+### how it works
+
+It is based on code / ideas from the following:
+
+- [blog post demoing ssh agent api in python][blog-post]
+- [initial demo implementation in python][ssh-agent-python]
+- [cryptography stackexchange: Is it safe to derive a password from a signature provided by ssh-agent?][se-is-it-safe]
+- [security stackexchange: Is it possible to use SSH agent for generic data encryption?][se-ssh-agent]
+- [sshcrypt]
+
+#### retrieve symmetric key
+
+This procedure takes a keyid, a 64 byte challenge, and a 16 byte salt.
+
+1. list ssh identities by querying `SSH_AUTH_SOCK`
+2. find the identity matching `keyid`
+3. sign the `challenge` using that identity
+4. use the response blob as a "password" with pbkdf2_hmac (using the salt)
+5. the result is a 32 byte key which will be used with fernet
+
+#### `encrypt(keyid, blob)`
+
+1. generate a 64 byte "challenge" and 16 byte salt
+2. retrieve symmetric key
+3. encrypt with the symmetric key
+4. store a blob of `{challenge, salt, payload}`
+
+#### `decrypt(keyid, blob)`
+
+1. load the stored blob `{challenge, salt, payload}`
+2. retrieve symmetric key
+3. decrypt with symmetric key
+
+### why?
+
+I use a [masterless puppet setup][personal-puppet] to manage my machines.
+
+My current bootstrapping process is:
+
+1. place ssh key on machine
+2. clone the repo
+3. `./run-puppet`
+
+As such, I wanted a `hiera-eyaml` backend which didn't involve typing in more
+passwords or copying around more keys (since I'm already using my ssh key).
+
+[hiera-eyaml]: https://github.com/voxpupuli/hiera-eyaml
+[blog-post]: http://ptspts.blogspot.com/2010/06/how-to-use-ssh-agent-programmatically.html
+[ssh-agent-python]: https://github.com/asottile/ssh-agent-python
+[se-is-it-safe]: https://crypto.stackexchange.com/q/19631/65568
+[se-ssh-agent]: https://security.stackexchange.com/q/55757/197558
+[ssh-crypt]: https://github.com/leighmcculloch/sshcrypt
+[personal-puppet]: https://github.com/asottile/personal-puppet

data/hiera-eyaml-sshagent.gemspec

@@ -0,0 +1,20 @@
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hiera/backend/eyaml/encryptors/sshagent/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = 'hiera-eyaml-sshagent'
+  gem.version       = Hiera::Backend::Eyaml::Encryptors::SSHAgent::VERSION
+  gem.description   = 'SSH_AUTH_SOCK encryptor for use with hiera-eyaml'
+  gem.summary       = 'Encryption plugin for hiera-eyaml backend for Hiera'
+  gem.author        = 'Anthony Sottile'
+  gem.license       = 'MIT'
+
+  gem.homepage      = 'http://github.com/asottile/hiera-eyaml-sshagent'
+  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ['lib']
+
+  gem.add_dependency('fernet', '>=2')
+  gem.add_dependency('hiera-eyaml', '>=1.3.8')
+end

data/lib/hiera/backend/eyaml/encryptors/sshagent.rb

@@ -0,0 +1,156 @@
+require 'base64'
+require 'json'
+require 'socket'
+require 'stringio'
+
+require 'fernet'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        class SSHAgent < Encryptor
+          self.tag = 'SSHAGENT'
+
+          SSH2_AGENTC_REQUEST_IDENTITIES = "\x0b".freeze
+          SSH2_AGENT_IDENTITIES_ANSWER = "\x0c".freeze
+          SSH2_AGENTC_SIGN_REQUEST = "\x0d".freeze
+          SSH2_AGENT_SIGN_RESPONSE = "\x0e".freeze
+
+          def self.read_u32(sock)
+            sock.read(4).unpack('L>')[0]
+          end
+
+          def self.read_s(sock)
+            sock.read(read_u32(sock))
+          end
+
+          def self.encode_s(str)
+            [str.size].pack('I>') + str
+          end
+
+          def self.sign(sock, key_blob, challenge)
+            request = (
+              SSH2_AGENTC_SIGN_REQUEST +
+              encode_s(key_blob) +
+              encode_s(challenge) +
+              [0].pack('L>')
+            )
+            sock.write(encode_s(request))
+
+            sio = StringIO.new(read_s(sock))
+            if sio.read(1) != SSH2_AGENT_SIGN_RESPONSE
+              raise 'Expected SSH2_AGENT_SIGN_RESPONSE'
+            end
+
+            sio = StringIO.new(read_s(sio))
+            raise 'Expected ssh-rsa' if read_s(sio) != 'ssh-rsa'
+
+            read_s(sio)
+          end
+
+          def self.get_key_blob(sock, keyid)
+            sock.write(encode_s(SSH2_AGENTC_REQUEST_IDENTITIES))
+
+            sio = StringIO.new(read_s(sock))
+            if sio.read(1) != SSH2_AGENT_IDENTITIES_ANSWER
+              raise 'expected SSH2_AGENT_IDENTITIES_ANSWER'
+            end
+
+            (0...read_u32(sio)).each do
+              key_blob = read_s(sio)
+              key_comment = read_s(sio)
+              break key_blob if key_comment == keyid
+            end
+          end
+
+          class Encrypted
+            attr_reader :challenge
+            attr_reader :salt
+            attr_reader :payload
+
+            def initialize(challenge, salt, payload)
+              @challenge = challenge
+              @salt = salt
+              @payload = payload
+            end
+
+            def to_dct
+              {
+                'challenge' => Base64.strict_encode64(@challenge),
+                'salt' => Base64.strict_encode64(@salt),
+                'payload' => @payload
+              }
+            end
+
+            def self.from_dct(dct)
+              Encrypted.new(
+                Base64.decode64(dct['challenge']),
+                Base64.decode64(dct['salt']),
+                dct['payload']
+              )
+            end
+          end
+
+          def self.get_key(keyid, challenge, salt)
+            signature_blob = Socket.unix(ENV['SSH_AUTH_SOCK']) do |sock|
+              key_blob = get_key_blob(sock, keyid)
+              break sign(sock, key_blob, challenge)
+            end
+
+            kdf = OpenSSL::PKCS5.pbkdf2_hmac(
+              signature_blob,
+              salt,
+              100_000,
+              32,
+              OpenSSL::Digest::SHA256.new
+            )
+            Base64.encode64(kdf)
+          end
+
+          def self.encrypt_contents(keyid, contents)
+            challenge = Random.urandom(64)
+            salt = Random.urandom(16)
+            key = get_key(keyid, challenge, salt)
+            Encrypted.new(challenge, salt, Fernet.generate(key, contents))
+          end
+
+          def self.decrypt_contents(keyid, contents)
+            enc = Encrypted.from_dct(JSON.parse(contents))
+            key = get_key(keyid, enc.challenge, enc.salt)
+            Fernet.verifier(key, enc.payload, enforce_ttl: false).message
+          end
+
+          self.options = {
+            keyid: {
+              desc: 'Key location -- it is the file path from `ssh-add -l`',
+              type: :string
+            }
+          }
+
+          def self.keyid
+            keyid = option :keyid
+            if keyid.nil? || keyid.empty?
+              raise ArgumentError, 'No keyid configured!'
+            end
+
+            keyid
+          end
+
+          def self.encrypt(plaintext)
+            enc = encrypt_contents(keyid, plaintext)
+            JSON.generate(enc.to_dct)
+          end
+
+          def self.decrypt(ciphertext)
+            decrypt_contents(keyid, ciphertext)
+          end
+
+          def self.create_keys
+            STDERR.puts 'This encryptor does not support creation of keys'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/encryptors/sshagent/eyaml_init.rb

@@ -0,0 +1,3 @@
+require 'hiera/backend/eyaml/encryptors/sshagent'
+
+Hiera::Backend::Eyaml::Encryptors::SSHAgent.register

data/lib/hiera/backend/eyaml/encryptors/sshagent/version.rb

@@ -0,0 +1,11 @@
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        module SSHAgent
+          VERSION = '0.1'.freeze
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,81 @@
+--- !ruby/object:Gem::Specification
+name: hiera-eyaml-sshagent
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Anthony Sottile
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2019-02-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: fernet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: hiera-eyaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.8
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.8
+description: SSH_AUTH_SOCK encryptor for use with hiera-eyaml
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".pre-commit-config.yaml"
+- ".rubocop.yml"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- hiera-eyaml-sshagent.gemspec
+- lib/hiera/backend/eyaml/encryptors/sshagent.rb
+- lib/hiera/backend/eyaml/encryptors/sshagent/eyaml_init.rb
+- lib/hiera/backend/eyaml/encryptors/sshagent/version.rb
+homepage: http://github.com/asottile/hiera-eyaml-sshagent
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: Encryption plugin for hiera-eyaml backend for Hiera
+test_files: []