kafo 0.0.3 → 0.0.4

data/lib/kafo/configuration.rb

@@ -1,28 +1,47 @@
 require 'yaml'
 require 'kafo/puppet_module'
+require 'kafo/password_manager'
 
 class Configuration
   attr_reader :config_file
 
+  def self.application_config_file
+    File.join(Dir.pwd, 'config/kafo.yaml')
+  end
 
-  begin
-    default_hash = YAML.load_file(File.join(Dir.pwd, 'config/kafo.yaml'))
-  rescue => e
-    default_hash = {}
+  def self.save_configuration(configuration)
+    File.write(application_config_file, YAML.dump(configuration))
   end
-  KAFO = {
+
+  def self.configure_application
+    begin
+      configuration = YAML.load_file(application_config_file)
+    rescue => e
+      configuration = {}
+    end
+
+    default           = {
       :log_dir   => '/var/log/kafo',
       :log_level => :info,
       :no_prefix => false,
       :mapping   => {}
-  }.merge(default_hash || {})
+    }
+    
+    result            = default.merge(configuration || {})
+    result[:password] ||= PasswordManager.new.password
+    save_configuration(result)
+
+    result
+  end
+
+  KAFO = configure_application
 
   def initialize(file)
     @logger = Logging.logger.root
     @logger.info "Loading config file #{file}"
 
     begin
-      @data        = YAML.load_file file
+      @data        = YAML.load_file(file)
     rescue Errno::ENOENT => e
       puts "No answers file at #{file} found, can not continue"
       exit(23)

data/lib/kafo/kafo_configure.rb

@@ -138,7 +138,7 @@ class KafoConfigure < Clamp::Command
     ]
     options.push '--noop' if noop?
     begin
-      PTY.spawn("echo include kafo_configure | puppet apply #{options.join(' ')}") do |stdin, stdout, pid|
+      PTY.spawn("echo 'include kafo_configure' | puppet apply #{options.join(' ')}") do |stdin, stdout, pid|
         begin
           stdin.each { |line| puppet_log(line) }
         rescue Errno::EIO

data/lib/kafo/param.rb

@@ -61,5 +61,6 @@ end
 
 require 'kafo/params/boolean'
 require 'kafo/params/string'
+require 'kafo/params/password'
 require 'kafo/params/array'
 require 'kafo/params/integer'

data/lib/kafo/params/password.rb

@@ -0,0 +1,50 @@
+module Params
+  # A password paramater is stored encrypted in answer file using AES 256 in CBC mode
+  #
+  # we use a passphrase that is stored in kafo.yaml for encryption
+  # encrypted password is prefixed with $1$ (for historical reasons, no connection to
+  # Modular Crypt Format)
+  class Password < Param
+    def value=(value)
+      super
+      setup_password if @value.is_a?(::String)
+      @value
+    end
+
+    # if value was not specified and default is nil we generate a random password
+    # also we make sure that we have encrypted version that is to be outputted
+    def value
+      @value = @value_set ? @value : (default || password_manager.password)
+      encrypt if @value.is_a?(::String)
+      @encrypted
+    end
+
+    private
+
+    def setup_password
+      encrypted? ? decrypt : encrypt
+    end
+
+    def encrypted?
+      @value.length > 3 && @value[0..2] == '$1$'
+    end
+
+    def decrypt
+      @encrypted = @value
+      @value = password_manager.aes_decrypt(@value[3..-1], phrase)
+    end
+
+    def encrypt
+      @encrypted = '$1$' + password_manager.aes_encrypt(@value, phrase)
+    end
+
+    def password_manager
+      @password_manager ||= PasswordManager.new
+    end
+
+    def phrase
+      Configuration::KAFO[:password]
+    end
+
+  end
+end

data/lib/kafo/password_manager.rb

@@ -0,0 +1,44 @@
+require 'securerandom'
+require 'digest/sha2'
+require 'openssl'
+require 'base64'
+
+class PasswordManager
+  # generate a random password of lenght n
+  #
+  # on ruby >= 1.9 we use builtin method urlsafe_base64, on olders we use our own
+  # implementation (inspired by urlsafe_base64)
+  #
+  # the result may contain A-Z, a-z, 0-9, “-” and “_”. “=”
+  def password(n = 32)
+    return SecureRandom.urlsafe_base64(n) if SecureRandom.respond_to?(:urlsafe_base64)
+
+    s = [SecureRandom.random_bytes(n)].pack("m*")
+    s.delete!("\n")
+    s.tr!("+/", "-_")
+    s.delete!("=")
+    s
+  end
+
+  def aes_encrypt(text, passphrase)
+    cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+    cipher.encrypt
+    cipher.key = Digest::SHA2.hexdigest(passphrase)
+    cipher.iv = Digest::SHA2.hexdigest(passphrase + passphrase)
+
+    encrypted = cipher.update(text)
+    encrypted << cipher.final
+    Base64.encode64(encrypted)
+  end
+
+  def aes_decrypt(text, passphrase)
+    cipher = OpenSSL::Cipher::Cipher.new("aes-256-cbc")
+    cipher.decrypt
+    cipher.key = Digest::SHA2.hexdigest(passphrase)
+    cipher.iv = Digest::SHA2.hexdigest(passphrase + passphrase)
+
+    decrypted = cipher.update(Base64.decode64(text))
+    decrypted << cipher.final
+    decrypted
+  end
+end

data/lib/kafo/version.rb

@@ -1,3 +1,3 @@
 module Kafo
-  VERSION = "0.0.3"
+  VERSION = "0.0.4"
 end

data/modules/kafo_configure/lib/puppet/parser/functions/decrypt.rb

@@ -0,0 +1,16 @@
+require File.join(File.dirname(__FILE__), '../../../../../../lib/kafo/password_manager')
+# Decrypts an encrypted password using $kafo_configure::password
+#
+# you can use this function in order to place passwords into your config files
+# in form of a plain text
+module Puppet::Parser::Functions
+  newfunction(:decrypt, :type => :rvalue) do |args|
+    encrypted = args[0]
+    if encrypted =~ /\A\$1\$/
+      PasswordManager.new.aes_decrypt(encrypted[3..-1], lookupvar('::kafo_configure::password'))
+    else
+      raise Puppet::ParseError, 'wrong format of encrypted string, should start with $1$'
+    end
+  end
+end
+

data/modules/kafo_configure/lib/puppet/parser/functions/load_kafo_password.rb

@@ -0,0 +1,8 @@
+# Loads a kafo master password from kafo.yaml
+#
+module Puppet::Parser::Functions
+  newfunction(:load_kafo_password, :type => :rvalue) do |args|
+    YAML.load_file('config/kafo.yaml')[:password]
+  end
+end
+

data/modules/kafo_configure/manifests/init.pp

@@ -8,10 +8,11 @@ class kafo_configure(
   $answers = undef
 ) {
 
-  $params = loadanyyaml($answers,
+  $password = load_kafo_password()
+  $params   = loadanyyaml($answers,
                       "/etc/kafo-configure/answers.yaml",
                       "config/answers.yaml")
-  $keys = hash_keys($params)
+  $keys     = hash_keys($params)
 
   kafo_configure::yaml_to_class { $keys: }
 }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kafo
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
   prerelease: 
 platform: ruby
 authors:
@@ -152,7 +152,9 @@ files:
 - lib/kafo/params/array.rb
 - lib/kafo/params/boolean.rb
 - lib/kafo/params/integer.rb
+- lib/kafo/params/password.rb
 - lib/kafo/params/string.rb
+- lib/kafo/password_manager.rb
 - lib/kafo/puppet_module.rb
 - lib/kafo/puppet_module_parser.rb
 - lib/kafo/string_helper.rb
@@ -161,9 +163,11 @@ files:
 - lib/kafo/version.rb
 - lib/kafo/wizard.rb
 - modules/kafo_configure/lib/puppet/parser/functions/class_name.rb
+- modules/kafo_configure/lib/puppet/parser/functions/decrypt.rb
 - modules/kafo_configure/lib/puppet/parser/functions/dump_values.rb
 - modules/kafo_configure/lib/puppet/parser/functions/hash_keys.rb
 - modules/kafo_configure/lib/puppet/parser/functions/is_hash.rb
+- modules/kafo_configure/lib/puppet/parser/functions/load_kafo_password.rb
 - modules/kafo_configure/lib/puppet/parser/functions/loadanyyaml.rb
 - modules/kafo_configure/manifests/init.pp
 - modules/kafo_configure/manifests/yaml_to_class.pp