hiera-eyaml-twofac 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4c443add06611322dd097c1f443c49151fed7446
+  data.tar.gz: cb0d1664ec347550d5cdace5f8eeb82226ddf7b9
+SHA512:
+  metadata.gz: 0e53ea4fb8afd71e61a3c8483ecac4a2daeeaf13de7672777dba2c13d5dfe3a7140e42c38e60c282459549bc8e64f94c3c35189abbf77aa99a0f50cb80c20e46
+  data.tar.gz: 0f07b294518b9ff8a506d69ee09951aec54e7bec6ac1a834682884562628e9906e20ca7a66771c51b34eea78cdf10895a7cf8921d42e895fc0dfe677f14e6050

data/.gitignore

@@ -0,0 +1 @@
+.ruby-version

data/Gemfile

@@ -0,0 +1,10 @@
+source 'https://rubygems.org/'
+
+gem "openssl"
+gem "digest"
+gem "highline"
+
+group :development do
+  gem "aruba"
+end
+

data/Gemfile.lock

@@ -0,0 +1,36 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    aruba (0.5.3)
+      childprocess (>= 0.3.6)
+      cucumber (>= 1.1.1)
+      rspec-expectations (>= 2.7.0)
+    builder (3.2.2)
+    childprocess (0.3.9)
+      ffi (~> 1.0, >= 1.0.11)
+    cucumber (1.3.10)
+      builder (>= 2.1.2)
+      diff-lcs (>= 1.1.3)
+      gherkin (~> 2.12)
+      multi_json (>= 1.7.5, < 2.0)
+      multi_test (>= 0.0.2)
+    diff-lcs (1.2.5)
+    digest (0.0.1)
+    ffi (1.9.3)
+    gherkin (2.12.2)
+      multi_json (~> 1.3)
+    highline (1.6.21)
+    multi_json (1.8.2)
+    multi_test (0.0.2)
+    openssl (1.0.0.beta)
+    rspec-expectations (2.14.4)
+      diff-lcs (>= 1.1.3, < 2.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  aruba
+  digest
+  highline
+  openssl

data/LICENSE.txt

@@ -0,0 +1,22 @@
+
+The MIT License (MIT)
+
+Copyright (c) 2013 GTMTech Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README.md

@@ -0,0 +1,43 @@
+hiera-eyaml-twofac
+==================
+
+This is a plugin encryptor for the hiera-eyaml project (hosted https://github.com/TomPoulton/hiera-eyaml/).
+
+It encrypts using the pkcs7 encryption type (much like the existing encryptor) - however it also requires an interactive password to be supplied at runtime. This makes it fairly useless in puppet scenarios, however eyaml as a tool is useful in other scenarios. 
+
+Usage:
+
+```
+$ gem install hiera-eyaml-twofac
+```
+
+Then see hiera-eyaml documentation for how to use the eyaml tool to encrypt using the 'TWOFAC' encryption_type.
+
+Authors
+=======
+
+- [Geoff Meakin](http://github.com/gtmtechltd)
+
+License
+=======
+
+The MIT License (MIT)
+
+Copyright (c) 2013 GTMTech Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/hiera-eyaml-twofac.gemspec

@@ -0,0 +1,19 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hiera/backend/eyaml/encryptors/twofac'
+
+Gem::Specification.new do |gem|
+  gem.name          = "hiera-eyaml-twofac"
+  gem.version       = Hiera::Backend::Eyaml::Encryptors::Twofac::VERSION
+  gem.description   = "PKCS7 + AES256 2-factor encryptor for use with hiera-eyaml"
+  gem.summary       = "Encryption plugin for hiera-eyaml backend for Hiera"
+  gem.author        = "Geoff Meakin"
+  gem.license       = "MIT"
+
+  gem.homepage      = "http://github.com/gtmtechltd/hiera-eyaml-twofac"
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+end

data/lib/hiera/backend/eyaml/encryptors/twofac.rb

@@ -0,0 +1,180 @@
+require 'base64'
+require 'openssl'
+require 'digest'
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/options'
+require 'hiera/backend/eyaml/encryptors/twofac_utils/password'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+
+        class Twofac < Encryptor
+
+          VERSION = "0.1"
+
+          self.tag = "TWOFAC"
+          self.options = {
+            :twofac_private_key => { :desc => "Path to twofac private key", 
+                                     :type => :string, 
+                                     :default => "./keys/private_key.twofac.txt" },
+            :twofac_public_key =>  { :desc => "Path to twofac public key",  
+                                     :type => :string, 
+                                     :default => "./keys/public_key.twofac.pem" },
+            :twofac_subject =>     { :desc => "Subject to use for twofac certificate when creating keys",
+                                     :type => :string,
+                                     :default => "/" },
+          }
+          
+          @@vector = "5geLmxqskV0Ruf1ZeRAwvw=="
+
+          def self.encrypt plaintext
+ 
+            password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
+
+            #TODO: delegate this to original pkcs7 plugin
+            public_key = self.option :twofac_public_key
+            raise StandardError, "twofac_public_key is not defined" unless public_key
+
+            public_key_pem = File.read public_key 
+            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
+
+            cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+            OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+
+          end
+
+          def self.decrypt ciphertext
+
+            password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
+
+            #TODO: delegate this to original pkcs7 plugin
+            public_key = self.option :twofac_public_key
+            private_key = self.option :twofac_private_key
+            raise StandardError, "twofac_public_key is not defined" unless public_key
+            raise StandardError, "twofac_private_key is not defined" unless private_key
+
+            begin
+              private_key_input = File.read private_key
+            rescue
+              raise StandardError, "Unable to read contents of keyfile #{private_key}. Check permissions"
+            end
+
+            unless private_key_input.include? "-----BEGIN TWOFAC KEY-----" and private_key_input.include? "-----END TWOFAC KEY-----" 
+              raise StandardError, "Keyfile #{private_key} is not a TWOFAC key file"
+            end
+
+            begin
+              private_key_base64 = private_key_input.split('-----BEGIN TWOFAC KEY-----')[1].split('-----END TWOFAC KEY-----')[0]
+              private_key_aes = Base64.decode64(private_key_base64)
+              private_key_pem = aes_decrypt( password, private_key_aes)
+              private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
+            rescue
+              password = ""
+              private_key_base64 = ""
+              private_key_aes = ""
+              private_key_pem = ""
+              private_key_rsa = ""
+              raise StandardError, "Unable to decrypt keyfile #{private_key} with password"
+            end
+
+            public_key_pem = File.read public_key
+            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
+
+            begin
+              pkcs7 = OpenSSL::PKCS7.new( ciphertext )
+              pkcs7.decrypt(private_key_rsa, public_key_x509)
+            rescue
+              raise StandardError, "Unable to decipher using supplied key"
+            end
+
+          end
+
+          def self.create_keys
+
+            password = Hiera::Backend::Eyaml::Encryptors::TwofacUtils::Password.obtain
+
+            #TODO: delegate this to original pkcs7 plugin
+
+            # Try to do equivalent of:
+            # openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
+
+            public_key = self.option :twofac_public_key
+            private_key = self.option :twofac_private_key
+            subject = self.option :twofac_subject
+
+            key = OpenSSL::PKey::RSA.new(2048)
+            Utils.ensure_key_dir_exists private_key
+            pem_data = key.to_pem
+            aes_data = aes_encrypt( password, pem_data )
+            base64_data = Base64.encode64(aes_data).strip
+            output_data = ["-----BEGIN TWOFAC KEY-----", base64_data, "-----END TWOFAC KEY-----"].join("\n")
+
+            Utils.write_important_file :filename => private_key, :content => output_data, :mode => 0600
+
+            password = ""
+            pem_data = ""
+            aes_data = ""
+            base64_data = ""
+
+            cert = OpenSSL::X509::Certificate.new()
+            cert.subject = OpenSSL::X509::Name.parse(subject)
+            cert.serial = 1
+            cert.version = 2
+            cert.not_before = Time.now
+            cert.not_after = if 1.size == 8       # 64bit
+              Time.now + 50 * 365 * 24 * 60 * 60
+            else                                  # 32bit
+              Time.at(0x7fffffff)
+            end
+            cert.public_key = key.public_key
+
+            ef = OpenSSL::X509::ExtensionFactory.new
+            ef.subject_certificate = cert
+            ef.issuer_certificate = cert
+            cert.extensions = [
+              ef.create_extension("basicConstraints","CA:TRUE", true),
+              ef.create_extension("subjectKeyIdentifier", "hash"),
+            ]
+            cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                                   "keyid:always,issuer:always")
+
+            cert.sign key, OpenSSL::Digest::SHA1.new
+
+            Utils.ensure_key_dir_exists public_key
+            Utils.write_important_file :filename => public_key, :content => cert.to_pem
+            puts "Keys created OK"
+          end
+
+          def self.aes_decrypt(password, data)
+            key = Digest::SHA256.digest password
+            iv = Digest::MD5.digest @@vector
+            aes = OpenSSL::Cipher.new('AES-256-CBC')
+            aes.decrypt
+            aes.key = key
+            aes.iv = iv
+            aes.update(data) + aes.final
+          end
+
+          def self.aes_encrypt(password, data)
+            key = Digest::SHA256.digest password
+            iv = Digest::MD5.digest @@vector
+            aes = OpenSSL::Cipher.new('AES-256-CBC')
+            aes.encrypt
+            aes.key = key
+            aes.iv = iv
+            aes.update(data) + aes.final
+          end
+
+        end
+
+      end
+
+    end
+
+  end
+
+end
+

data/lib/hiera/backend/eyaml/encryptors/twofac/eyaml_init.rb

@@ -0,0 +1,3 @@
+require 'hiera/backend/eyaml/encryptors/twofac'
+
+Hiera::Backend::Eyaml::Encryptors::Twofac.register

data/lib/hiera/backend/eyaml/encryptors/twofac_utils/password.rb

@@ -0,0 +1,27 @@
+require 'highline/import'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+      	module TwofacUtils
+      	  class Password
+
+            @@password = nil
+
+            def self.obtain
+
+              calling_class = caller[0].split(':').first.split('/').reverse.take(5).join(',')
+              raise StandardError "Refusing to supply password" unless calling_class == "twofac.rb,encryptors,eyaml,backend,hiera"
+              
+              return @@password.dup if @@password
+              @@password = ask("Please enter your twofactor password: ") {|q| q.echo='*' }
+              return @@password.dup
+            end
+
+      	  end
+      	end
+      end
+    end
+  end
+end

data/tools/regem.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+GEM_NAME="hiera-eyaml-twofac"
+
+gem uninstall ${GEM_NAME} --executables
+RAKE_OUT=`rake build`
+VERSION=`echo ${RAKE_OUT} | awk '{print $2}'`
+echo Installing version: ${VERSION} ...
+gem install pkg/${GEM_NAME}-${VERSION}.gem --no-ri --no-rdoc
+
+if [ ! -z "$(which eyaml)" ];then
+  eyaml version
+else
+  echo "install hiera-eyaml to see if gem imports correctly"
+fi

metadata

@@ -0,0 +1,55 @@
+--- !ruby/object:Gem::Specification
+name: hiera-eyaml-twofac
+version: !ruby/object:Gem::Version
+  version: '0.1'
+platform: ruby
+authors:
+- Geoff Meakin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-21 00:00:00.000000000 Z
+dependencies: []
+description: PKCS7 + AES256 2-factor encryptor for use with hiera-eyaml
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- hiera-eyaml-twofac.gemspec
+- lib/hiera/backend/eyaml/encryptors/twofac.rb
+- lib/hiera/backend/eyaml/encryptors/twofac/eyaml_init.rb
+- lib/hiera/backend/eyaml/encryptors/twofac_utils/password.rb
+- pkg/hiera-eyaml-twofac-0.1.gem
+- tools/regem.sh
+homepage: http://github.com/gtmtechltd/hiera-eyaml-twofac
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.14
+signing_key: 
+specification_version: 4
+summary: Encryption plugin for hiera-eyaml backend for Hiera
+test_files: []