manageiq-password 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a506e65c484778a8b89cc16300e5145922de810e612499fe5046015e8668915
-  data.tar.gz: 5322663567882ef7b24f4275d9a6f21e1d967bd086de0afe64dcdf45d67e868d
+  metadata.gz: 169673824deb748589d388452d71ade309bf678d35a30be8e88493cdfd9058c7
+  data.tar.gz: 49c0b253a7ec7a1212ebce03d2e83f3b407b6e6bcad0c49d44cb4889e5968cb2
 SHA512:
-  metadata.gz: 3ea27faaef7f610f5f07f67e19c1b27739c43f418f9662cfbf558d6a05168f0002b8697a1ec782b540b29b99e67a9d25996b03e1ad5cf9044d3644b5b3aaa9cb
-  data.tar.gz: 4b5e896206731cdd5895b1a90165c69af0bbdd789bf86509e2d4e1568a7a3437b794e043094a9183d09612717a67b278b5d32733523e3652698abcb637dd5ad0
+  metadata.gz: 0b72cf25be15763836db8d0779da31bb69c45116a44602a61ad4a7bece0083ae57d60c59fe4c295f26c059c4d1b1c01181efce56fb25ad45d2f731095410f77f
+  data.tar.gz: ca33b0b6939a2a8671f04905ab00d2ba4c48bcc7b7a48611f968fa3f626a25b08f4b21a8b9e3c285c54410820c3432f44aab0153dd62094bb20da67f881f5ce6

data/.travis.yml

@@ -1,5 +1,6 @@
 ---
 language: ruby
+dist: bionic
 cache: bundler
 rvm:
 - 2.6.7

data/CHANGELOG.md

@@ -4,6 +4,15 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+## [1.1.0] - 2021-11-08
+### Added
+- Add manageiq-password CLI [[#23](https://github.com/ManageIQ/manageiq-password/pull/23)]
+
+### Fixed
+- chmod v2_key on creation [[#22](https://github.com/ManageIQ/manageiq-password/pull/22)]
+- Raise an exception when decrypting plaintext [[#26](https://github.com/ManageIQ/manageiq-password/pull/26)]
+- Fix encrypted? and try_decrypt to work with erb strings [[#28](https://github.com/ManageIQ/manageiq-password/pull/28)]
+
 ## [1.0.0] - 2021-05-05
 ### Removed
 - **BREAKING**: Drop support for legacy v0 and v1 keys [[#14](https://github.com/ManageIQ/manageiq-password/pull/14)]
@@ -13,5 +22,6 @@ This project adheres to [Semantic Versioning](http://semver.org/).
     key
 - **BREAKING**: Drop deprecated methods [[#16](https://github.com/ManageIQ/manageiq-password/pull/16)]
 
-[Unreleased]: https://github.com/ManageIQ/more_core_extensions/compare/v1.0.0...HEAD
+[Unreleased]: https://github.com/ManageIQ/more_core_extensions/compare/v1.1.0...HEAD
+[1.1.0]: https://github.com/ManageIQ/more_core_extensions/compare/v1.1.0...v1.0.0
 [1.0.0]: https://github.com/ManageIQ/more_core_extensions/compare/v1.0.0...v0.3.0

data/exe/manageiq-password

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+while [[ "$#" -gt 0 ]]; do
+	case $1 in
+	-d|--decrypt)
+		mode="decrypt"
+		;;
+	-e|--encrypt)
+		mode="encrypt"
+		;;
+	-k|--key)
+		keyfile="$2"
+		shift
+		;;
+	-h|--help|-?)
+		cat <<-EOS >&2
+			Usage: $(basename $0) [--encrypt|--decrypt] [--key KEYFILE]
+
+			Options:
+			-d, --decrypt   Decrypt the value on STDIN (default mode)
+			-e, --encrypt   Encrypt the value on STDIN
+			-k, --key       Path to the key file (default: $(pwd)/certs/v2_key)
+
+			-h, --help, -?  Display help
+		EOS
+		exit 0
+		;;
+	*)
+		echo "ERROR: Unknown parameter passed: $1" >&2
+		exit 1
+		;;
+	esac
+	shift
+done
+
+mode=${mode:-"decrypt"}
+keyfile=${keyfile:-"$(pwd)/certs/v2_key"}
+
+if [ ! -r "$keyfile" ]; then
+	echo "ERROR: Cannot read v2 key file: $keyfile" >&2
+	exit 1
+fi
+
+extractFromKeyfile() {
+	grep :$1: "$keyfile" | cut -d ' ' -f 2
+}
+
+extractAlgorithm() {
+	extractFromKeyfile "algorithm"
+}
+
+extractKey() {
+	extractFromKeyfile "key" | base64 -d | xxd -p -c256
+}
+
+extractIv() {
+	iv=$(extractFromKeyfile "iv" | base64 -d | xxd -p -c256)
+	echo -n "${iv:-"00000000000000000000000000000000"}"
+}
+
+algorithm=$(extractAlgorithm)
+if [ "$algorithm" != "aes-256-cbc" ]; then
+	echo "ERROR: Invalid v2 key file: $keyfile" >&2
+	exit 1
+fi
+
+if [ -n "$DEBUG" ]; then
+	cat <<-EOS >&2
+		==============================================================================
+		Mode:         $mode
+		Key File:     $keyfile
+		Algorithm:    $algorithm
+		IV (Base64):  $(extractFromKeyfile "iv")
+		IV (Hex):     $(extractIv)
+		Key (Base64): $(extractFromKeyfile "key")
+		Key (Hex):    $(extractKey)
+		==============================================================================
+	EOS
+fi
+
+case $mode in
+decrypt)
+	(
+		xargs -L1 echo | \
+		sed 's/^.\{4\}//;s/.$//' | \
+		openssl enc -d -base64 -$algorithm -iv "$(extractIv)" -K "$(extractKey)"
+	) < /dev/stdin
+	;;
+encrypt)
+	(
+		xargs -L1 echo -n | \
+		openssl enc -base64 -$algorithm -iv "$(extractIv)" -K "$(extractKey)" | \
+		sed "s/^/v2:{/;s/$/}/" | \
+		xargs -L1 echo -n
+	) < /dev/stdin
+	;;
+*)
+	echo "ERROR: Invalid mode: $mode" >&2
+	exit 1
+esac

data/lib/manageiq/password/version.rb

@@ -1,5 +1,5 @@
 module ManageIQ
   class Password
-    VERSION = "1.0.0".freeze
+    VERSION = "1.1.0".freeze
   end
 end

data/lib/manageiq/password.rb

@@ -22,15 +22,32 @@ module ManageIQ
       @encStr = encrypt(str)
     end
 
-    def encrypt(str, key = self.class.key)
+    def encrypt(*args)
+      self.class.encrypt(*args)
+    end
+
+    def decrypt(*args)
+      self.class.decrypt(*args)
+    end
+
+    def recrypt(*args)
+      self.class.recrypt(*args)
+    end
+
+    def self.encrypt(str, key = self.key)
       return str if str.nil?
 
       enc = key.encrypt64(str).delete("\n") unless str.empty?
-      self.class.wrap(enc)
+      wrap(enc)
     end
 
-    def decrypt(str, key = self.class.key)
-      enc = self.class.unwrap(str)
+    def self.decrypt(str, key = self.key)
+      str = remove_erb(str)
+      return str if str.nil? || str.empty?
+
+      raise PasswordError, "cannot decrypt plaintext string" unless wrapped?(str)
+
+      enc = unwrap(str)
       return enc if enc.nil? || enc.empty?
 
       begin
@@ -40,7 +57,7 @@ module ManageIQ
       end
     end
 
-    def recrypt(str, prior_key = nil)
+    def self.recrypt(str, prior_key = nil)
       return str if str.nil?
 
       decrypted_str   = decrypt(str, prior_key) if prior_key rescue nil
@@ -48,21 +65,8 @@ module ManageIQ
       encrypt(decrypted_str)
     end
 
-    def self.encrypt(*args)
-      new.encrypt(*args)
-    end
-
-    def self.decrypt(*args)
-      new.decrypt(*args)
-    end
-
-    def self.recrypt(*args)
-      new.recrypt(*args)
-    end
-
     def self.encrypted?(str)
-      return false if str.nil? || str.empty?
-      !!unwrap(str)
+      wrapped?(remove_erb(str))
     end
 
     def self.md5crypt(str)
@@ -83,6 +87,7 @@ module ManageIQ
     end
 
     def self.try_decrypt(str)
+      str = remove_erb(str)
       encrypted?(str) ? decrypt(str) : str
     end
 
@@ -124,26 +129,27 @@ module ManageIQ
       Key.new.tap { |key| store_key_file(filename, key) if filename }
     end
 
-    protected
-
-    def self.wrap(encrypted_str)
+    private_class_method def self.wrap(encrypted_str)
       "v2:{#{encrypted_str}}"
     end
 
-    def self.unwrap(str)
-      _unwrap(str) || _unwrap(extract_erb_encrypted_value(str))
-    end
-
-    private_class_method def self._unwrap(str)
+    private_class_method def self.unwrap(str)
       return str if str.nil? || str.empty?
+
       str.match(REGEXP_START_LINE)&.public_send(:[], 1)
     end
 
-    def self.store_key_file(filename, key)
-      File.write(filename, key.to_h.to_yaml)
+    private_class_method def self.wrapped?(str)
+      return false if str.nil? || str.empty?
+
+      str.match?(REGEXP_START_LINE)
+    end
+
+    private_class_method def self.store_key_file(filename, key)
+      File.write(filename, key.to_h.to_yaml, :perm => 0440)
     end
 
-    def self.load_key_file(filename)
+    private_class_method def self.load_key_file(filename)
       return filename if filename.respond_to?(:decrypt64)
 
       # if it is an absolute path, or relative to pwd, leave as is
@@ -154,8 +160,11 @@ module ManageIQ
       Key.new(*YAML.load_file(filename).values_at(:algorithm, :key, :iv))
     end
 
-    def self.extract_erb_encrypted_value(value)
-      return $1 if value =~ /\A<%= (?:MiqPassword|DB_PASSWORD|ManageIQ::Password)\.decrypt\(['"]([^'"]+)['"]\) %>\Z/
+    private_class_method def self.remove_erb(str)
+      return str if str.nil? || str.empty? || !str.start_with?("<%=")
+
+      match = str.match(/\A<%= (?:MiqPassword|DB_PASSWORD|ManageIQ::Password)\.decrypt\(['"](.+?)['"]\) %>\Z/m)
+      match ? match[1] : str
     end
 
     class Key

data/manageiq-password.gemspec

@@ -18,6 +18,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
+  spec.add_development_dependency "awesome_spawn"
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "manageiq-style"
   spec.add_development_dependency "rake",          ">= 12.3.3"

metadata

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: manageiq-password
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - ManageIQ Authors
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-06 00:00:00.000000000 Z
+date: 2021-11-08 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: awesome_spawn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -82,7 +96,8 @@ dependencies:
         version: '0'
 description:
 email:
-executables: []
+executables:
+- manageiq-password
 extensions: []
 extra_rdoc_files: []
 files:
@@ -101,6 +116,7 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- exe/manageiq-password
 - lib/manageiq-password.rb
 - lib/manageiq/password.rb
 - lib/manageiq/password/password_mixin.rb
@@ -128,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: A simple encryption util for storing passwords in a database.