RubyGems - secure_conf - Versions diffs - 1.0.0 → 2.1.0 - Mend

secure_conf 1.0.0 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +5 -5
data/README.md +25 -4
data/Rakefile +7 -3
data/exe/secure_conf.rb +135 -0
data/lib/secure_conf/config.rb +33 -13
data/lib/secure_conf/encrypter.rb +14 -6
data/lib/secure_conf/openssh.rb +302 -0
data/lib/secure_conf/storage/yaml.rb +3 -6
data/lib/secure_conf/version.rb +1 -1
data/secure_conf.gemspec +3 -3
metadata +17 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5577c49a1bbfcc5e15217e66b508445823bea95e
-  data.tar.gz: 47d482b939a3c124cd7e5112af2c6611a7a13eb2
+SHA256:
+  metadata.gz: abe2a25e6dbe9aac46965807a20fcdcf507db1635961c19f86c9f08b1c68c2e2
+  data.tar.gz: fcbfd1b8c33ab8b0c3a0708a522b1c49ca4ee07009c9af2596ebefe8e58608ed
 SHA512:
-  metadata.gz: 4a3b111bf1d3ca46607d03d76d2324238cbe25bd1c087a58d35d2b827d188ee7f5bbd00f1f5fcc0a95a1fbfcc58f41260c974b395b2f380a6f47586d9432e0b7
-  data.tar.gz: 3aab96dbf9603ecfedc503df1cce653e01d827ca4b470df05a53045e8999a8fdf7a0a98fdfb4498ba36041808dd7bb7cfcd3fecf27310a988c468fa6dea12bd3
+  metadata.gz: a9e1b112d53d48f6e2eaf445f1faea965e4df0d9b092c8022353bcd53b8b212d9df4fc2883ff496c385e5dcdc2296a9aa898b215e7a41cb982793c7d7131abe4
+  data.tar.gz: 90e342f51a1698cad0b71e905f1a481b597fb25c5cdd9aeb281a8d7bee28c0d1fe930abc357ecb0194afbcae5f23366ae6ab986d5a5d1b4a3945b563bf8101f6

data/README.md CHANGED Viewed

@@ -20,12 +20,33 @@ Or install it yourself as:
 ## Usage
-    path = File.expand_path("config.yml", File.dirname(__FILE__))
+    path = File.expand_path("secure.yml", File.dirname(__FILE__))
     config = SecureConf::Config.new(path)
-    p config["enc:aaa"]
-    config["enc:aaa"] = "aaa"
+    config["enc:id"] = "yoshida-eth0"
+    config["enc:pass"] = "himitsu"
+    config["last_access"] = Time.now.to_s
     config.save
+    p config["enc:id"]
+    p config["enc:pass"]
+    p config["last_access"]
+## Usage cli
+    % secure_conf.rb read enc:pass
+    read
+      key: enc:pass
+      val: himitsu
+    % secure_conf.rb --help
+    Usage: secure_conf.rb [options] method [arguments]...
+            --pkey privatekey_path       PrivateKey file path (default: ~/.ssh/id_rsa)
+            --storage storage_path       Storage file path (default: ./secure.yml)
+      methods usage:
+        secure_conf.rb [options] read key
+        secure_conf.rb [options] write key value
+        secure_conf.rb [options] delete key
 ## Development

data/Rakefile CHANGED Viewed

@@ -1,6 +1,10 @@
 require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require "rake/testtask"
-RSpec::Core::RakeTask.new(:spec)
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
-task :default => :spec
+task :default => :test

data/exe/secure_conf.rb ADDED Viewed

@@ -0,0 +1,135 @@
+#!/bin/ruby
+$LOAD_PATH << File.expand_path("../lib", File.dirname(__FILE__))
+require 'secure_conf'
+require 'optparse'
+class SecureConfCmd
+  def initialize(storage_path, privatekey_path=nil)
+    @storage_path = File.expand_path(storage_path)
+    @privatekey_path = File.expand_path(privatekey_path)
+  end
+  def config
+    unless @config
+      #unless File.file?(@storage_path)
+      #  raise "storage_path is not exist: #{@storage_path}"
+      #end
+      unless File.file?(@privatekey_path)
+        raise "privatekey_path is not exist: #{@privatekey_path}"
+      end
+      pkey = File.open(@privatekey_path, "r") {|f| f.read}
+      @config = SecureConf::Config.new(@storage_path, encrypter: SecureConf::Encrypter.new(pkey), auto_commit: true)
+    end
+    @config
+  end
+  def read(key)
+    val = config[key]
+    puts "read"
+    puts "  key: #{key}"
+    puts "  val: #{val}"
+  end
+  def write(key, value)
+    puts "write"
+    puts "  key: #{key}"
+    puts "  val: #{value}"
+    config[key] = value
+    puts "write ok."
+  end
+  def delete(key)
+    puts "delete"
+    puts "  key: #{key}"
+    config.delete(key)
+    puts "delete ok."
+  end
+end
+# default value
+privatekey_path = "~/.ssh/id_rsa"
+storage_path = "./secure.yml"
+method = nil
+key = nil
+value = nil
+# parser
+parser = OptionParser.new {|o|
+  o.banner = "Usage: #{File.basename($0)} [options] method [arguments]..."
+  o.on('--pkey privatekey_path', "PrivateKey file path (default: #{privatekey_path})") {|v| privatekey_path = v }
+  o.on('--storage storage_path', "Storage file path (default: #{storage_path})") {|v| storage_path = v }
+  o.on_tail(
+    "  methods usage:",
+    "    #{File.basename($0)} [options] read key",
+    "    #{File.basename($0)} [options] write key value",
+    "    #{File.basename($0)} [options] delete key",
+  )
+  o.version = SecureConf::VERSION
+}
+methods = {
+  read: 1,
+  write: 2,
+  delete: 1,
+}
+# parse argv
+begin
+  parser.parse!(ARGV)
+  # method
+  method = ARGV.shift
+  unless method
+    raise ""
+  end
+  method = method.to_sym
+  unless methods.include?(method)
+    raise "not found method: #{method}"
+  end
+  # method argc
+  unless ARGV.length==methods[method]
+    raise "wrong number of method arguments: method=#{method} given=#{ARGV.length} expected=#{methods[method]}"
+  end
+  # key value
+  key = ARGV[0]
+  value = ARGV[1]
+rescue => e
+  if 0<e.message.to_s.length
+    puts e.message
+    puts
+  end
+  puts parser.help
+  exit(1)
+end
+# execute
+cmd = SecureConfCmd.new(storage_path, privatekey_path)
+begin
+  case method
+  when :read
+    cmd.read(key)
+  when :write
+    cmd.write(key, value)
+  when :delete
+    cmd.delete(key)
+  end
+rescue => e
+  puts e
+  puts
+  puts parser.help
+  #puts e.backtrace.join("\n")
+end

data/lib/secure_conf/config.rb CHANGED Viewed

@@ -1,21 +1,33 @@
+require 'delegate'
 module SecureConf
-  class Config < Hash
+  class Config < SimpleDelegator
     attr_reader :path
-    attr_reader :encripter
+    attr_reader :encrypter
     attr_reader :serializer
     attr_reader :storage
     attr_accessor :auto_commit
-    def initialize(path, encripter: nil, serializer: nil, storage: nil, auto_commit: false)
+    def initialize(path, encrypter: nil, serializer: nil, storage: nil, auto_commit: false)
       @path = path
-      @encripter = encripter || SecureConf.default
+      @encrypter = encrypter || SecureConf.default
       @serializer = serializer || Serializer::Marshal
       @storage = storage || Storage.fetch(path)
       @auto_commit = auto_commit
-      self.replace(@storage.load(path))
+      super(@storage.load(path))
+    end
+    # store
+    def plain_store(key, value)
+      __getobj__.store(key, value)
+      save if @auto_commit
     end
-    alias_method :plain_store, :store
+    def secure_store(key, value)
+      value = @serializer.dump(value)
+      plain_store(key, @encrypter.encrypt(value))
+    end
     def store(key, value)
       if key.to_s.start_with?("enc:")
@@ -26,24 +38,32 @@ module SecureConf
     end
     alias_method :[]=, :store
-    def secure_store(key, value)
-      value = @serializer.dump(value)
-      plain_store(key, @encripter.encrypt(value))
-    end
+    # get
-    alias_method :plain_get, :[]
+    def plain_get(key)
+      __getobj__[key]
+    end
     def [](key)
       value = plain_get(key)
       if value && key.to_s.start_with?("enc:")
-        value = @encripter.decrypt(value)
+        value = @encrypter.decrypt(value)
         value = @serializer.load(value)
       end
       value
     end
+    # delete
+    def delete(key)
+      __getobj__.delete(key)
+      save if @auto_commit
+    end
+    # save
     def save
-      @storage.save(path, self)
+      @storage.save(path, __getobj__)
     end
   end
 end

data/lib/secure_conf/encrypter.rb CHANGED Viewed

@@ -1,10 +1,11 @@
 require 'openssl'
 require 'base64'
+require 'secure_conf/openssh'
 module SecureConf
   class Encrypter
     def initialize(pkey=nil, pass=nil)
-      pkey ||= "~/.ssh/id_rsa"
+      pkey ||= File.open(File.expand_path("~/.ssh/id_rsa"), "r") {|f| f.read }
       self.pkey = [pkey, pass]
     end
@@ -13,15 +14,22 @@ module SecureConf
       case pk
       when OpenSSL::PKey::RSA
+        # OpenSSL private key object
         @pkey = pk
+      when OpenSSH::PKey
+        # OpenSSH private key object
+        @pkey = pk.to_openssl
       when String
-        pk2 = File.expand_path(pk)
-        if File.file?(pk2) && File.readable?(pk2)
-          pk = File.read(pk2)
+        pk = pk.strip
+        if pk.start_with?("-----BEGIN OPENSSH PRIVATE KEY-----") && pk.end_with?("-----END OPENSSH PRIVATE KEY-----")
+          # OpenSSH private pem string
+          @pkey = OpenSSH::PKey.new(pk).to_openssl
+        else
+          # OpenSSL private pem string
+          @pkey = OpenSSL::PKey::RSA.new(pk, pass)
         end
-        @pkey = OpenSSL::PKey::RSA.new(pk, pass)
       when Integer
+        # generate
         @pkey = OpenSSL::PKey::RSA.new(pk)
       end
     end

data/lib/secure_conf/openssh.rb ADDED Viewed

@@ -0,0 +1,302 @@
+require 'stringio'
+require 'base64'
+require 'singleton'
+require 'openssl'
+module SecureConf
+  module OpenSSH
+    class PKey
+      def initialize(source)
+        if String===source
+          # pem string
+          @h = parse_pem(source)
+        elsif IO===source || source.respond_to?(:read)
+          # pem io
+          source = source.read
+          @h = parse_pem(source)
+        elsif source.respond_to?(:to_der)
+          # call to_der method
+          der = source.to_der
+          @h = parse_der(der)
+        else
+          # other
+          raise ArgumentError, "unsupported argument type: #{source.class.name}"
+        end
+      end
+      def parse_pem(pem)
+        pem = pem.strip
+        if !pem.start_with?("-----BEGIN OPENSSH PRIVATE KEY-----") || !pem.end_with?("-----END OPENSSH PRIVATE KEY-----")
+          raise FormatError, "invalid pem string"
+        end
+        pem = pem.gsub(/-----(?:BEGIN|END) OPENSSH PRIVATE KEY-----/, "").gsub(/[\r\n]/, "")
+        der = Base64::strict_decode64(pem)
+        parse_der(der)
+      end
+      # sshkey_private_to_blob2
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L3910
+      def parse_der(der)
+        bio = StringIO.new(der, "rb")
+        h = {}
+        # header
+        h[:header] = bio.read(15)
+        if h[:header]!="openssh-key-v1\0"
+          raise FormatError, "openssh header not found"
+        end
+        # ciphername
+        length = bio.read(4).unpack("N")[0]
+        h[:ciphername] = bio.read(length)
+        if h[:ciphername]!="none"
+          raise FormatError, "ciphername is not 'none': #{h[:ciphername]}"
+        end
+        # kdfname
+        length = bio.read(4).unpack("N")[0]
+        h[:kdfname] = bio.read(length)
+        if h[:kdfname]!="none"
+          raise FormatError, "kdfname is not 'none': #{h[:kdfname]}"
+        end
+        # kdf
+        length = bio.read(4).unpack("N")[0]
+        h[:kdf] = bio.read(length)
+        if h[:kdf]!=""
+          raise FormatError, "kdf is not empty: #{h[:kdfname]}"
+        end
+        # number of keys
+        h[:keys_num] = bio.read(4).unpack("N")[0]
+        if h[:keys_num]!=1
+          raise FormatError, "number of keys is not 1: #{h[:keys_num]}"
+        end
+        # public key
+        length = bio.read(4).unpack("N")[0]
+        publickey = bio.read(length)
+        h[:publickey] = parse_der_publickey(publickey)
+        # rnd+prv+comment+pad
+        length = bio.read(4).unpack("N")[0]
+        privatekey = bio.read(length)
+        h[:privatekey] = parse_der_privatekey(privatekey)
+        # check eof
+        if !bio.eof?
+          raise FormatError, "no eof"
+        end
+        h
+      end
+      # to_blob_buf
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L828
+      def parse_der_publickey(publickey)
+        bio = StringIO.new(publickey, "rb")
+        h = {}
+        # keytype
+        length = bio.read(4).unpack("N")[0]
+        h[:keytype] = bio.read(length)
+        # content
+        kt = Keytype.fetch(h[:keytype])
+        if !kt
+          raise UnsupportedError, "unsupported keytype: #{h[:keytype]}"
+        end
+        kt.parse_der_public_key_contents(h, bio)
+        # check eof
+        if !bio.eof?
+          raise FormatError, "publickey no eof"
+        end
+        h
+      end
+      # sshkey_private_serialize_opt
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L3230
+      def parse_der_privatekey(privatekey)
+        bio = StringIO.new(privatekey, "rb")
+        h = {}
+        # checksum
+        h[:checksum] = bio.read(8).unpack("NN")
+        # keytype
+        length = bio.read(4).unpack("N")[0]
+        h[:keytype] = bio.read(length)
+        # content
+        kt = Keytype.fetch(h[:keytype])
+        if !kt
+          raise UnsupportedError, "unsupported keytype: #{h[:keytype]}"
+        end
+        kt.parse_der_private_key_contents(h, bio)
+        # comment
+        length = bio.read(4).unpack("N")[0]
+        h[:comment] = bio.read(length)
+        # padding
+        h[:padding] = bio.read
+        # check eof
+        if !bio.eof?
+          raise FormatError, "privatekey no eof"
+        end
+        h
+      end
+      def keytype
+        Keytype.fetch(@h[:privatekey][:keytype])
+      end
+      def to_openssl
+        keytype.to_openssl(@h)
+      end
+      def to_openssl_pem
+        keytype.to_openssl_pem(@h)
+      end
+      def to_openssl_der
+        keytype.to_openssl_der(@h)
+      end
+    end
+    module Keytype
+      module Base
+        def support?(keytype)
+          raise Error, "not implemented error: #{self.class.name}.support?(keytype)"
+        end
+        def parse_der_public_key_contents(h, bio)
+          raise Error, "not implemented error: #{self.class.name}.parse_der_public_key_contents(h, bio)"
+        end
+        def parse_der_private_key_contents(h, bio)
+          raise Error, "not implemented error: #{self.class.name}.parse_der_private_key_contents(h, bio)"
+        end
+        def to_openssl(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl(h)"
+        end
+        def to_openssl_pem(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl_pem(h)"
+        end
+        def to_openssl_der(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl_der(h)"
+        end
+      end
+      class RSA
+        include Singleton
+        include Base
+        def support?(keytype)
+          keytype=="ssh-rsa"
+        end
+        def parse_der_public_key_contents(h, bio)
+          # e pub0
+          length = bio.read(4).unpack("N")[0]
+          h[:e] = bio.read(length)
+          # n pub1
+          length = bio.read(4).unpack("N")[0]
+          h[:n] = bio.read(length)
+        end
+        def parse_der_private_key_contents(h, bio)
+          # n pub0
+          length = bio.read(4).unpack("N")[0]
+          h[:n] = bio.read(length)
+          # e pub1
+          length = bio.read(4).unpack("N")[0]
+          h[:e] = bio.read(length)
+          # d pri0
+          length = bio.read(4).unpack("N")[0]
+          h[:d] = bio.read(length)
+          # iqmp
+          length = bio.read(4).unpack("N")[0]
+          h[:iqmp] = bio.read(length)
+          # p
+          length = bio.read(4).unpack("N")[0]
+          h[:p] = bio.read(length)
+          # q
+          length = bio.read(4).unpack("N")[0]
+          h[:q] = bio.read(length)
+        end
+        def to_openssl(h)
+          pem = to_openssl_pem(h)
+          OpenSSL::PKey::RSA.new(pem)
+        end
+        def to_openssl_pem(h)
+          der = to_openssl_der(h)
+          b64 = Base64::strict_encode64(der)
+          lines = b64.scan(/.{1,64}/)
+          [
+            "-----BEGIN RSA PRIVATE KEY-----",
+            lines,
+            "-----END RSA PRIVATE KEY-----",
+          ].flatten.join("\n")
+        end
+        def to_openssl_der(h)
+          d = h[:privatekey][:d].unpack("H*")[0].to_i(16)
+          p = h[:privatekey][:p].unpack("H*")[0].to_i(16)
+          q = h[:privatekey][:q].unpack("H*")[0].to_i(16)
+          exponent1 = d % (p - 1)
+          exponent2 = d % (q - 1)
+          OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::Integer.new(0),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:n].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:e].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:d].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(p),
+            OpenSSL::ASN1::Integer.new(q),
+            OpenSSL::ASN1::Integer.new(exponent1),
+            OpenSSL::ASN1::Integer.new(exponent2),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:iqmp].unpack("H*")[0].to_i(16)),
+          ]).to_der
+        end
+      end
+      KEYTYPES = [RSA.instance]
+      def self.fetch(keytype)
+        KEYTYPES.find {|kt| kt.support?(keytype)}
+      end
+    end
+    class Error < StandardError
+    end
+    class FormatError < Error
+    end
+    class UnsupportedError < Error
+    end
+  end
+end

data/lib/secure_conf/storage/yaml.rb CHANGED Viewed

@@ -2,11 +2,6 @@ require "yaml"
 module SecureConf
   module Storage
-    def self.fetch(path)
-      ext = File.extname(path).sub(".", "").capitalize
-      const_get(ext)
-    end
     module Yaml
       def self.load(path)
         if File.file?(path)
@@ -19,7 +14,9 @@ module SecureConf
       def self.save(path, obj)
         h = {}
         h.replace(obj)
-        YAML.dump(h, File.open(path, "w"))
+        File.open(path, "w") {|f|
+          YAML.dump(h, f)
+        }
       end
     end
     Yml = Yaml

data/lib/secure_conf/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureConf
-  VERSION = "1.0.0"
+  VERSION = "2.1.0"
 end

data/secure_conf.gemspec CHANGED Viewed

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_development_dependency "bundler", "~> 1.12"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 12.0"
+  spec.add_development_dependency "minitest", "~> 5.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_conf
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - yoshida
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-11-05 00:00:00.000000000 Z
+date: 2022-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,46 +16,47 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '5.0'
 description: To encrypt the configuration value.
 email:
 - yoshida.eth0@gmail.com
-executables: []
+executables:
+- secure_conf.rb
 extensions: []
 extra_rdoc_files: []
 files:
@@ -68,11 +69,13 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- exe/secure_conf.rb
 - lib/secure_conf.rb
 - lib/secure_conf/config.rb
 - lib/secure_conf/core_ext.rb
 - lib/secure_conf/core_ext/string.rb
 - lib/secure_conf/encrypter.rb
+- lib/secure_conf/openssh.rb
 - lib/secure_conf/serializer.rb
 - lib/secure_conf/serializer/json.rb
 - lib/secure_conf/serializer/marshal.rb
@@ -84,7 +87,7 @@ homepage: https://github.com/yoshida-eth0/ruby-secure_conf
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -99,9 +102,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.1
-signing_key:
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: To encrypt the configuration value.
 test_files: []