RubyGems - manageiq-password - Versions diffs - 1.0.0 → 1.2.0 - Mend

manageiq-password 1.0.0 → 1.2.0

Files changed (12) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yaml +33 -0
data/.rspec +2 -2
data/.whitesource +3 -0
data/CHANGELOG.md +23 -2
data/README.md +4 -3
data/exe/manageiq-password +100 -0
data/lib/manageiq/password/version.rb +1 -1
data/lib/manageiq/password.rb +46 -37
data/manageiq-password.gemspec +2 -1
metadata +24 -7
data/.travis.yml +0 -13

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a506e65c484778a8b89cc16300e5145922de810e612499fe5046015e8668915
-  data.tar.gz: 5322663567882ef7b24f4275d9a6f21e1d967bd086de0afe64dcdf45d67e868d
+  metadata.gz: e2afb4581105b776ca6285b4324b2e228774c2f4f6ef0bb19c1947a56fa481ea
+  data.tar.gz: 53e56209872207f7e03656b95a0973000404bbcf79bc3d84690742481503a6e6
 SHA512:
-  metadata.gz: 3ea27faaef7f610f5f07f67e19c1b27739c43f418f9662cfbf558d6a05168f0002b8697a1ec782b540b29b99e67a9d25996b03e1ad5cf9044d3644b5b3aaa9cb
-  data.tar.gz: 4b5e896206731cdd5895b1a90165c69af0bbdd789bf86509e2d4e1568a7a3437b794e043094a9183d09612717a67b278b5d32733523e3652698abcb637dd5ad0
+  metadata.gz: 919c5faa8a027cb296296c37a93fdd684a19614dc733aae01d11852ffef98f5d56ae91c4600b5f412fea42d23bdb30273a9858ddedc497a899310adca4959475
+  data.tar.gz: '0383c3dc4e538f1928c2f485786e8b1e12409d0a6f3726b013bed1c3b2907791db70d16d1c146cd38635ebe6b8e08235d384c752cd48b5a26bae2741d6652c47'

data/.github/workflows/ci.yaml ADDED Viewed

@@ -0,0 +1,33 @@
+name: CI
+on:
+  push:
+  pull_request:
+  schedule:
+  - cron: '0 0 * * 0'
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version:
+        - '2.7'
+        - '3.0'
+        - '3.1'
+    env:
+      CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+      timeout-minutes: 30
+    - name: Run tests
+      run: bundle exec rake
+    - name: Report code coverage
+      if: ${{ github.ref == 'refs/heads/master' && matrix.ruby-version == '3.0' }}
+      continue-on-error: true
+      uses: paambaati/codeclimate-action@v5

data/.rspec CHANGED Viewed

@@ -1,3 +1,3 @@
---format progress
---color
 --require spec_helper
+--color
+--order random

data/.whitesource ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  "settingsInheritedFrom": "ManageIQ/whitesource-config@master"
+}

data/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,25 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 ## [Unreleased]
+## [1.2.0] - 2023-10-12
+### Added
+- Add Ruby 3.1 support including ruby 3.1's psych 4 default of safe_load [[#37](https://github.com/ManageIQ/manageiq-password/pull/37)]
+### Changed
+- Change .to_s to use a regular attr_reader [[#34](https://github.com/ManageIQ/manageiq-password/pull/34)]
+### Removed
+- Removed support for Ruby 2.5 and 2.6 [[#37](https://github.com/ManageIQ/manageiq-password/pull/37)]
+## [1.1.0] - 2021-11-08
+### Added
+- Add manageiq-password CLI [[#23](https://github.com/ManageIQ/manageiq-password/pull/23)]
+### Fixed
+- chmod v2_key on creation [[#22](https://github.com/ManageIQ/manageiq-password/pull/22)]
+- Raise an exception when decrypting plaintext [[#26](https://github.com/ManageIQ/manageiq-password/pull/26)]
+- Fix encrypted? and try_decrypt to work with erb strings [[#28](https://github.com/ManageIQ/manageiq-password/pull/28)]
 ## [1.0.0] - 2021-05-05
 ### Removed
 - **BREAKING**: Drop support for legacy v0 and v1 keys [[#14](https://github.com/ManageIQ/manageiq-password/pull/14)]
@@ -13,5 +32,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
     key
 - **BREAKING**: Drop deprecated methods [[#16](https://github.com/ManageIQ/manageiq-password/pull/16)]
-[Unreleased]: https://github.com/ManageIQ/more_core_extensions/compare/v1.0.0...HEAD
-[1.0.0]: https://github.com/ManageIQ/more_core_extensions/compare/v1.0.0...v0.3.0
+[Unreleased]: https://github.com/ManageIQ/manageiq-password/compare/v1.2.0...HEAD
+[1.2.0]: https://github.com/ManageIQ/manageiq-password/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/ManageIQ/manageiq-password/compare/v1.0.0...v1.1.0
+[1.0.0]: https://github.com/ManageIQ/manageiq-password/compare/v0.3.0...v1.0.0

data/README.md CHANGED Viewed

@@ -1,8 +1,9 @@
 # ManageIQ Password
-[![Build Status](https://travis-ci.com/ManageIQ/manageiq-password.svg)](https://travis-ci.com/ManageIQ/manageiq-password)
-[![Maintainability](https://api.codeclimate.com/v1/badges/85064711d083dea96636/maintainability)](https://codeclimate.com/github/ManageIQ/manageiq-password/maintainability)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/85064711d083dea96636/test_coverage)](https://codeclimate.com/github/ManageIQ/manageiq-password/test_coverage)
+[![Gem Version](https://badge.fury.io/rb/manageiq-password.svg)](http://badge.fury.io/rb/manageiq-password)
+[![CI](https://github.com/ManageIQ/manageiq-password/actions/workflows/ci.yaml/badge.svg)](https://github.com/ManageIQ/manageiq-password/actions/workflows/ci.yaml)
+[![Code Climate](https://codeclimate.com/github/ManageIQ/manageiq-password.svg)](https://codeclimate.com/github/ManageIQ/manageiq-password)
+[![Test Coverage](https://codeclimate.com/github/ManageIQ/manageiq-password/badges/coverage.svg)](https://codeclimate.com/github/ManageIQ/manageiq-password/coverage)
 A simple encryption util for storing passwords in a database.

data/exe/manageiq-password ADDED Viewed

@@ -0,0 +1,100 @@
+#!/bin/bash
+while [[ "$#" -gt 0 ]]; do
+	case $1 in
+	-d|--decrypt)
+		mode="decrypt"
+		;;
+	-e|--encrypt)
+		mode="encrypt"
+		;;
+	-k|--key)
+		keyfile="$2"
+		shift
+		;;
+	-h|--help|-?)
+		cat <<-EOS >&2
+			Usage: $(basename $0) [--encrypt|--decrypt] [--key KEYFILE]
+			Options:
+			-d, --decrypt   Decrypt the value on STDIN (default mode)
+			-e, --encrypt   Encrypt the value on STDIN
+			-k, --key       Path to the key file (default: $(pwd)/certs/v2_key)
+			-h, --help, -?  Display help
+		EOS
+		exit 0
+		;;
+	*)
+		echo "ERROR: Unknown parameter passed: $1" >&2
+		exit 1
+		;;
+	esac
+	shift
+done
+mode=${mode:-"decrypt"}
+keyfile=${keyfile:-"$(pwd)/certs/v2_key"}
+if [ ! -r "$keyfile" ]; then
+	echo "ERROR: Cannot read v2 key file: $keyfile" >&2
+	exit 1
+fi
+extractFromKeyfile() {
+	grep :$1: "$keyfile" | cut -d ' ' -f 2
+}
+extractAlgorithm() {
+	extractFromKeyfile "algorithm"
+}
+extractKey() {
+	extractFromKeyfile "key" | base64 -d | xxd -p -c256
+}
+extractIv() {
+	iv=$(extractFromKeyfile "iv" | base64 -d | xxd -p -c256)
+	echo -n "${iv:-"00000000000000000000000000000000"}"
+}
+algorithm=$(extractAlgorithm)
+if [ "$algorithm" != "aes-256-cbc" ]; then
+	echo "ERROR: Invalid v2 key file: $keyfile" >&2
+	exit 1
+fi
+if [ -n "$DEBUG" ]; then
+	cat <<-EOS >&2
+		==============================================================================
+		Mode:         $mode
+		Key File:     $keyfile
+		Algorithm:    $algorithm
+		IV (Base64):  $(extractFromKeyfile "iv")
+		IV (Hex):     $(extractIv)
+		Key (Base64): $(extractFromKeyfile "key")
+		Key (Hex):    $(extractKey)
+		==============================================================================
+	EOS
+fi
+case $mode in
+decrypt)
+	(
+		xargs -L1 echo | \
+		sed 's/^.\{4\}//;s/.$//' | \
+		openssl enc -d -base64 -$algorithm -iv "$(extractIv)" -K "$(extractKey)"
+	) < /dev/stdin
+	;;
+encrypt)
+	(
+		xargs -L1 echo -n | \
+		openssl enc -base64 -$algorithm -iv "$(extractIv)" -K "$(extractKey)" | \
+		sed "s/^/v2:{/;s/$/}/" | \
+		xargs -L1 echo -n
+	) < /dev/stdin
+	;;
+*)
+	echo "ERROR: Invalid mode: $mode" >&2
+	exit 1
+esac

data/lib/manageiq/password/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module ManageIQ
   class Password
-    VERSION = "1.0.0".freeze
+    VERSION = "1.2.0".freeze
   end
 end

data/lib/manageiq/password.rb CHANGED Viewed

@@ -22,15 +22,32 @@ module ManageIQ
       @encStr = encrypt(str)
     end
-    def encrypt(str, key = self.class.key)
+    def encrypt(*args)
+      self.class.encrypt(*args)
+    end
+    def decrypt(*args)
+      self.class.decrypt(*args)
+    end
+    def recrypt(*args)
+      self.class.recrypt(*args)
+    end
+    def self.encrypt(str, key = self.key)
       return str if str.nil?
       enc = key.encrypt64(str).delete("\n") unless str.empty?
-      self.class.wrap(enc)
+      wrap(enc)
     end
-    def decrypt(str, key = self.class.key)
-      enc = self.class.unwrap(str)
+    def self.decrypt(str, key = self.key)
+      str = remove_erb(str)
+      return str if str.nil? || str.empty?
+      raise PasswordError, "cannot decrypt plaintext string" unless wrapped?(str)
+      enc = unwrap(str)
       return enc if enc.nil? || enc.empty?
       begin
@@ -40,7 +57,7 @@ module ManageIQ
       end
     end
-    def recrypt(str, prior_key = nil)
+    def self.recrypt(str, prior_key = nil)
       return str if str.nil?
       decrypted_str   = decrypt(str, prior_key) if prior_key rescue nil
@@ -48,21 +65,8 @@ module ManageIQ
       encrypt(decrypted_str)
     end
-    def self.encrypt(*args)
-      new.encrypt(*args)
-    end
-    def self.decrypt(*args)
-      new.decrypt(*args)
-    end
-    def self.recrypt(*args)
-      new.recrypt(*args)
-    end
     def self.encrypted?(str)
-      return false if str.nil? || str.empty?
-      !!unwrap(str)
+      wrapped?(remove_erb(str))
     end
     def self.md5crypt(str)
@@ -83,6 +87,7 @@ module ManageIQ
     end
     def self.try_decrypt(str)
+      str = remove_erb(str)
       encrypted?(str) ? decrypt(str) : str
     end
@@ -124,26 +129,27 @@ module ManageIQ
       Key.new.tap { |key| store_key_file(filename, key) if filename }
     end
-    protected
-    def self.wrap(encrypted_str)
+    private_class_method def self.wrap(encrypted_str)
       "v2:{#{encrypted_str}}"
     end
-    def self.unwrap(str)
-      _unwrap(str) || _unwrap(extract_erb_encrypted_value(str))
-    end
-    private_class_method def self._unwrap(str)
+    private_class_method def self.unwrap(str)
       return str if str.nil? || str.empty?
       str.match(REGEXP_START_LINE)&.public_send(:[], 1)
     end
-    def self.store_key_file(filename, key)
-      File.write(filename, key.to_h.to_yaml)
+    private_class_method def self.wrapped?(str)
+      return false if str.nil? || str.empty?
+      str.match?(REGEXP_START_LINE)
+    end
+    private_class_method def self.store_key_file(filename, key)
+      File.write(filename, key.to_h.to_yaml, :perm => 0440)
     end
-    def self.load_key_file(filename)
+    private_class_method def self.load_key_file(filename)
       return filename if filename.respond_to?(:decrypt64)
       # if it is an absolute path, or relative to pwd, leave as is
@@ -151,11 +157,15 @@ module ManageIQ
       filename = File.expand_path(filename, key_root) unless File.exist?(filename)
       return nil unless File.exist?(filename)
-      Key.new(*YAML.load_file(filename).values_at(:algorithm, :key, :iv))
+      # Switch to YAML.safe_load_file when we drop ruby 2.7.  Psych 3.2.1 added it.
+      Key.new(*YAML.safe_load(File.read(filename), :permitted_classes => [Symbol, Time]).values_at(:algorithm, :key, :iv))
     end
-    def self.extract_erb_encrypted_value(value)
-      return $1 if value =~ /\A<%= (?:MiqPassword|DB_PASSWORD|ManageIQ::Password)\.decrypt\(['"]([^'"]+)['"]\) %>\Z/
+    private_class_method def self.remove_erb(str)
+      return str if str.nil? || str.empty? || !str.start_with?("<%=")
+      match = str.match(/\A<%= (?:MiqPassword|DB_PASSWORD|ManageIQ::Password)\.decrypt\(['"](.+?)['"]\) %>\Z/m)
+      match ? match[1] : str
     end
     class Key
@@ -166,6 +176,9 @@ module ManageIQ
         Base64.strict_encode64(Digest::SHA256.digest("#{password}#{salt}")[0, GENERATED_KEY_SIZE])
       end
+      attr_reader :key
+      alias to_s key
       def initialize(algorithm = nil, key = nil, iv = nil)
         @algorithm = algorithm || "aes-256-cbc"
         @key       = key || generate_key
@@ -190,10 +203,6 @@ module ManageIQ
         decrypt(Base64.decode64(str))
       end
-      def to_s
-        @key
-      end
       def to_h
         {
           :algorithm => @algorithm,

data/manageiq-password.gemspec CHANGED Viewed

@@ -18,9 +18,10 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
+  spec.add_development_dependency "awesome_spawn"
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "manageiq-style"
   spec.add_development_dependency "rake",          ">= 12.3.3"
   spec.add_development_dependency "rspec",         "~> 3.0"
-  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "simplecov",     ">= 0.21.2"
 end

metadata CHANGED Viewed

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: manageiq-password
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.2.0
 platform: ruby
 authors:
 - ManageIQ Authors
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-05-06 00:00:00.000000000 Z
+date: 2023-10-12 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: awesome_spawn
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -72,27 +86,29 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.21.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.21.2
 description:
 email:
-executables: []
+executables:
+- manageiq-password
 extensions: []
 extra_rdoc_files: []
 files:
 - ".codeclimate.yml"
+- ".github/workflows/ci.yaml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
 - ".rubocop_cc.yml"
 - ".rubocop_local.yml"
-- ".travis.yml"
+- ".whitesource"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -101,6 +117,7 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- exe/manageiq-password
 - lib/manageiq-password.rb
 - lib/manageiq/password.rb
 - lib/manageiq/password/password_mixin.rb
@@ -128,7 +145,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.33
 signing_key:
 specification_version: 4
 summary: A simple encryption util for storing passwords in a database.

data/.travis.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-language: ruby
-cache: bundler
-rvm:
-- 2.6.7
-- 2.7.3
-- 3.0.1
-before_script:
-- curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
-- chmod +x ./cc-test-reporter
-- "./cc-test-reporter before-build"
-after_script:
-- "./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT"