RubyGems - secure_conf - Versions diffs - 1.0.0 → 2.1.0 - Mend

secure_conf 1.0.0 → 2.1.0

Files changed (11) hide show

checksums.yaml +5 -5
data/README.md +25 -4
data/Rakefile +7 -3
data/exe/secure_conf.rb +135 -0
data/lib/secure_conf/config.rb +33 -13
data/lib/secure_conf/encrypter.rb +14 -6
data/lib/secure_conf/openssh.rb +302 -0
data/lib/secure_conf/storage/yaml.rb +3 -6
data/lib/secure_conf/version.rb +1 -1
data/secure_conf.gemspec +3 -3
metadata +17 -15

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 5577c49a1bbfcc5e15217e66b508445823bea95e
-  data.tar.gz: 47d482b939a3c124cd7e5112af2c6611a7a13eb2
+SHA256:
+  metadata.gz: abe2a25e6dbe9aac46965807a20fcdcf507db1635961c19f86c9f08b1c68c2e2
+  data.tar.gz: fcbfd1b8c33ab8b0c3a0708a522b1c49ca4ee07009c9af2596ebefe8e58608ed
 SHA512:
-  metadata.gz: 4a3b111bf1d3ca46607d03d76d2324238cbe25bd1c087a58d35d2b827d188ee7f5bbd00f1f5fcc0a95a1fbfcc58f41260c974b395b2f380a6f47586d9432e0b7
-  data.tar.gz: 3aab96dbf9603ecfedc503df1cce653e01d827ca4b470df05a53045e8999a8fdf7a0a98fdfb4498ba36041808dd7bb7cfcd3fecf27310a988c468fa6dea12bd3
+  metadata.gz: a9e1b112d53d48f6e2eaf445f1faea965e4df0d9b092c8022353bcd53b8b212d9df4fc2883ff496c385e5dcdc2296a9aa898b215e7a41cb982793c7d7131abe4
+  data.tar.gz: 90e342f51a1698cad0b71e905f1a481b597fb25c5cdd9aeb281a8d7bee28c0d1fe930abc357ecb0194afbcae5f23366ae6ab986d5a5d1b4a3945b563bf8101f6

data/README.md CHANGED Viewed

@@ -20,12 +20,33 @@ Or install it yourself as:
 ## Usage
-    path = File.expand_path("config.yml", File.dirname(__FILE__))
+    path = File.expand_path("secure.yml", File.dirname(__FILE__))
     config = SecureConf::Config.new(path)
-    p config["enc:aaa"]
-    config["enc:aaa"] = "aaa"
+    config["enc:id"] = "yoshida-eth0"
+    config["enc:pass"] = "himitsu"
+    config["last_access"] = Time.now.to_s
     config.save
+    p config["enc:id"]
+    p config["enc:pass"]
+    p config["last_access"]
+## Usage cli
+    % secure_conf.rb read enc:pass
+    read
+      key: enc:pass
+      val: himitsu
+    % secure_conf.rb --help
+    Usage: secure_conf.rb [options] method [arguments]...
+            --pkey privatekey_path       PrivateKey file path (default: ~/.ssh/id_rsa)
+            --storage storage_path       Storage file path (default: ./secure.yml)
+      methods usage:
+        secure_conf.rb [options] read key
+        secure_conf.rb [options] write key value
+        secure_conf.rb [options] delete key
 ## Development

data/Rakefile CHANGED Viewed

@@ -1,6 +1,10 @@
 require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require "rake/testtask"
-RSpec::Core::RakeTask.new(:spec)
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList["test/**/*_test.rb"]
+end
-task :default => :spec
+task :default => :test

data/exe/secure_conf.rb ADDED Viewed

@@ -0,0 +1,135 @@
+#!/bin/ruby
+$LOAD_PATH << File.expand_path("../lib", File.dirname(__FILE__))
+require 'secure_conf'
+require 'optparse'
+class SecureConfCmd
+  def initialize(storage_path, privatekey_path=nil)
+    @storage_path = File.expand_path(storage_path)
+    @privatekey_path = File.expand_path(privatekey_path)
+  end
+  def config
+    unless @config
+      #unless File.file?(@storage_path)
+      #  raise "storage_path is not exist: #{@storage_path}"
+      #end
+      unless File.file?(@privatekey_path)
+        raise "privatekey_path is not exist: #{@privatekey_path}"
+      end
+      pkey = File.open(@privatekey_path, "r") {|f| f.read}
+      @config = SecureConf::Config.new(@storage_path, encrypter: SecureConf::Encrypter.new(pkey), auto_commit: true)
+    end
+    @config
+  end
+  def read(key)
+    val = config[key]
+    puts "read"
+    puts "  key: #{key}"
+    puts "  val: #{val}"
+  end
+  def write(key, value)
+    puts "write"
+    puts "  key: #{key}"
+    puts "  val: #{value}"
+    config[key] = value
+    puts "write ok."
+  end
+  def delete(key)
+    puts "delete"
+    puts "  key: #{key}"
+    config.delete(key)
+    puts "delete ok."
+  end
+end
+# default value
+privatekey_path = "~/.ssh/id_rsa"
+storage_path = "./secure.yml"
+method = nil
+key = nil
+value = nil
+# parser
+parser = OptionParser.new {|o|
+  o.banner = "Usage: #{File.basename($0)} [options] method [arguments]..."
+  o.on('--pkey privatekey_path', "PrivateKey file path (default: #{privatekey_path})") {|v| privatekey_path = v }
+  o.on('--storage storage_path', "Storage file path (default: #{storage_path})") {|v| storage_path = v }
+  o.on_tail(
+    "  methods usage:",
+    "    #{File.basename($0)} [options] read key",
+    "    #{File.basename($0)} [options] write key value",
+    "    #{File.basename($0)} [options] delete key",
+  )
+  o.version = SecureConf::VERSION
+}
+methods = {
+  read: 1,
+  write: 2,
+  delete: 1,
+}
+# parse argv
+begin
+  parser.parse!(ARGV)
+  # method
+  method = ARGV.shift
+  unless method
+    raise ""
+  end
+  method = method.to_sym
+  unless methods.include?(method)
+    raise "not found method: #{method}"
+  end
+  # method argc
+  unless ARGV.length==methods[method]
+    raise "wrong number of method arguments: method=#{method} given=#{ARGV.length} expected=#{methods[method]}"
+  end
+  # key value
+  key = ARGV[0]
+  value = ARGV[1]
+rescue => e
+  if 0<e.message.to_s.length
+    puts e.message
+    puts
+  end
+  puts parser.help
+  exit(1)
+end
+# execute
+cmd = SecureConfCmd.new(storage_path, privatekey_path)
+begin
+  case method
+  when :read
+    cmd.read(key)
+  when :write
+    cmd.write(key, value)
+  when :delete
+    cmd.delete(key)
+  end
+rescue => e
+  puts e
+  puts
+  puts parser.help
+  #puts e.backtrace.join("\n")
+end

data/lib/secure_conf/config.rb CHANGED Viewed

@@ -1,21 +1,33 @@
+require 'delegate'
 module SecureConf
-  class Config < Hash
+  class Config < SimpleDelegator
     attr_reader :path
-    attr_reader :encripter
+    attr_reader :encrypter
     attr_reader :serializer
     attr_reader :storage
     attr_accessor :auto_commit
-    def initialize(path, encripter: nil, serializer: nil, storage: nil, auto_commit: false)
+    def initialize(path, encrypter: nil, serializer: nil, storage: nil, auto_commit: false)
       @path = path
-      @encripter = encripter || SecureConf.default
+      @encrypter = encrypter || SecureConf.default
       @serializer = serializer || Serializer::Marshal
       @storage = storage || Storage.fetch(path)
       @auto_commit = auto_commit
-      self.replace(@storage.load(path))
+      super(@storage.load(path))
+    end
+    # store
+    def plain_store(key, value)
+      __getobj__.store(key, value)
+      save if @auto_commit
     end
-    alias_method :plain_store, :store
+    def secure_store(key, value)
+      value = @serializer.dump(value)
+      plain_store(key, @encrypter.encrypt(value))
+    end
     def store(key, value)
       if key.to_s.start_with?("enc:")
@@ -26,24 +38,32 @@ module SecureConf
     end
     alias_method :[]=, :store
-    def secure_store(key, value)
-      value = @serializer.dump(value)
-      plain_store(key, @encripter.encrypt(value))
-    end
+    # get
-    alias_method :plain_get, :[]
+    def plain_get(key)
+      __getobj__[key]
+    end
     def [](key)
       value = plain_get(key)
       if value && key.to_s.start_with?("enc:")
-        value = @encripter.decrypt(value)
+        value = @encrypter.decrypt(value)
         value = @serializer.load(value)
       end
       value
     end
+    # delete
+    def delete(key)
+      __getobj__.delete(key)
+      save if @auto_commit
+    end
+    # save
     def save
-      @storage.save(path, self)
+      @storage.save(path, __getobj__)
     end
   end
 end

data/lib/secure_conf/encrypter.rb CHANGED Viewed

@@ -1,10 +1,11 @@
 require 'openssl'
 require 'base64'
+require 'secure_conf/openssh'
 module SecureConf
   class Encrypter
     def initialize(pkey=nil, pass=nil)
-      pkey ||= "~/.ssh/id_rsa"
+      pkey ||= File.open(File.expand_path("~/.ssh/id_rsa"), "r") {|f| f.read }
       self.pkey = [pkey, pass]
     end
@@ -13,15 +14,22 @@ module SecureConf
       case pk
       when OpenSSL::PKey::RSA
+        # OpenSSL private key object
         @pkey = pk
+      when OpenSSH::PKey
+        # OpenSSH private key object
+        @pkey = pk.to_openssl
       when String
-        pk2 = File.expand_path(pk)
-        if File.file?(pk2) && File.readable?(pk2)
-          pk = File.read(pk2)
+        pk = pk.strip
+        if pk.start_with?("-----BEGIN OPENSSH PRIVATE KEY-----") && pk.end_with?("-----END OPENSSH PRIVATE KEY-----")
+          # OpenSSH private pem string
+          @pkey = OpenSSH::PKey.new(pk).to_openssl
+        else
+          # OpenSSL private pem string
+          @pkey = OpenSSL::PKey::RSA.new(pk, pass)
         end
-        @pkey = OpenSSL::PKey::RSA.new(pk, pass)
       when Integer
+        # generate
         @pkey = OpenSSL::PKey::RSA.new(pk)
       end
     end

data/lib/secure_conf/openssh.rb ADDED Viewed

@@ -0,0 +1,302 @@
+require 'stringio'
+require 'base64'
+require 'singleton'
+require 'openssl'
+module SecureConf
+  module OpenSSH
+    class PKey
+      def initialize(source)
+        if String===source
+          # pem string
+          @h = parse_pem(source)
+        elsif IO===source || source.respond_to?(:read)
+          # pem io
+          source = source.read
+          @h = parse_pem(source)
+        elsif source.respond_to?(:to_der)
+          # call to_der method
+          der = source.to_der
+          @h = parse_der(der)
+        else
+          # other
+          raise ArgumentError, "unsupported argument type: #{source.class.name}"
+        end
+      end
+      def parse_pem(pem)
+        pem = pem.strip
+        if !pem.start_with?("-----BEGIN OPENSSH PRIVATE KEY-----") || !pem.end_with?("-----END OPENSSH PRIVATE KEY-----")
+          raise FormatError, "invalid pem string"
+        end
+        pem = pem.gsub(/-----(?:BEGIN|END) OPENSSH PRIVATE KEY-----/, "").gsub(/[\r\n]/, "")
+        der = Base64::strict_decode64(pem)
+        parse_der(der)
+      end
+      # sshkey_private_to_blob2
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L3910
+      def parse_der(der)
+        bio = StringIO.new(der, "rb")
+        h = {}
+        # header
+        h[:header] = bio.read(15)
+        if h[:header]!="openssh-key-v1\0"
+          raise FormatError, "openssh header not found"
+        end
+        # ciphername
+        length = bio.read(4).unpack("N")[0]
+        h[:ciphername] = bio.read(length)
+        if h[:ciphername]!="none"
+          raise FormatError, "ciphername is not 'none': #{h[:ciphername]}"
+        end
+        # kdfname
+        length = bio.read(4).unpack("N")[0]
+        h[:kdfname] = bio.read(length)
+        if h[:kdfname]!="none"
+          raise FormatError, "kdfname is not 'none': #{h[:kdfname]}"
+        end
+        # kdf
+        length = bio.read(4).unpack("N")[0]
+        h[:kdf] = bio.read(length)
+        if h[:kdf]!=""
+          raise FormatError, "kdf is not empty: #{h[:kdfname]}"
+        end
+        # number of keys
+        h[:keys_num] = bio.read(4).unpack("N")[0]
+        if h[:keys_num]!=1
+          raise FormatError, "number of keys is not 1: #{h[:keys_num]}"
+        end
+        # public key
+        length = bio.read(4).unpack("N")[0]
+        publickey = bio.read(length)
+        h[:publickey] = parse_der_publickey(publickey)
+        # rnd+prv+comment+pad
+        length = bio.read(4).unpack("N")[0]
+        privatekey = bio.read(length)
+        h[:privatekey] = parse_der_privatekey(privatekey)
+        # check eof
+        if !bio.eof?
+          raise FormatError, "no eof"
+        end
+        h
+      end
+      # to_blob_buf
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L828
+      def parse_der_publickey(publickey)
+        bio = StringIO.new(publickey, "rb")
+        h = {}
+        # keytype
+        length = bio.read(4).unpack("N")[0]
+        h[:keytype] = bio.read(length)
+        # content
+        kt = Keytype.fetch(h[:keytype])
+        if !kt
+          raise UnsupportedError, "unsupported keytype: #{h[:keytype]}"
+        end
+        kt.parse_der_public_key_contents(h, bio)
+        # check eof
+        if !bio.eof?
+          raise FormatError, "publickey no eof"
+        end
+        h
+      end
+      # sshkey_private_serialize_opt
+      # https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L3230
+      def parse_der_privatekey(privatekey)
+        bio = StringIO.new(privatekey, "rb")
+        h = {}
+        # checksum
+        h[:checksum] = bio.read(8).unpack("NN")
+        # keytype
+        length = bio.read(4).unpack("N")[0]
+        h[:keytype] = bio.read(length)
+        # content
+        kt = Keytype.fetch(h[:keytype])
+        if !kt
+          raise UnsupportedError, "unsupported keytype: #{h[:keytype]}"
+        end
+        kt.parse_der_private_key_contents(h, bio)
+        # comment
+        length = bio.read(4).unpack("N")[0]
+        h[:comment] = bio.read(length)
+        # padding
+        h[:padding] = bio.read
+        # check eof
+        if !bio.eof?
+          raise FormatError, "privatekey no eof"
+        end
+        h
+      end
+      def keytype
+        Keytype.fetch(@h[:privatekey][:keytype])
+      end
+      def to_openssl
+        keytype.to_openssl(@h)
+      end
+      def to_openssl_pem
+        keytype.to_openssl_pem(@h)
+      end
+      def to_openssl_der
+        keytype.to_openssl_der(@h)
+      end
+    end
+    module Keytype
+      module Base
+        def support?(keytype)
+          raise Error, "not implemented error: #{self.class.name}.support?(keytype)"
+        end
+        def parse_der_public_key_contents(h, bio)
+          raise Error, "not implemented error: #{self.class.name}.parse_der_public_key_contents(h, bio)"
+        end
+        def parse_der_private_key_contents(h, bio)
+          raise Error, "not implemented error: #{self.class.name}.parse_der_private_key_contents(h, bio)"
+        end
+        def to_openssl(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl(h)"
+        end
+        def to_openssl_pem(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl_pem(h)"
+        end
+        def to_openssl_der(h)
+          raise Error, "not implemented error: #{self.class.name}.to_openssl_der(h)"
+        end
+      end
+      class RSA
+        include Singleton
+        include Base
+        def support?(keytype)
+          keytype=="ssh-rsa"
+        end
+        def parse_der_public_key_contents(h, bio)
+          # e pub0
+          length = bio.read(4).unpack("N")[0]
+          h[:e] = bio.read(length)
+          # n pub1
+          length = bio.read(4).unpack("N")[0]
+          h[:n] = bio.read(length)
+        end
+        def parse_der_private_key_contents(h, bio)
+          # n pub0
+          length = bio.read(4).unpack("N")[0]
+          h[:n] = bio.read(length)
+          # e pub1
+          length = bio.read(4).unpack("N")[0]
+          h[:e] = bio.read(length)
+          # d pri0
+          length = bio.read(4).unpack("N")[0]
+          h[:d] = bio.read(length)
+          # iqmp
+          length = bio.read(4).unpack("N")[0]
+          h[:iqmp] = bio.read(length)
+          # p
+          length = bio.read(4).unpack("N")[0]
+          h[:p] = bio.read(length)
+          # q
+          length = bio.read(4).unpack("N")[0]
+          h[:q] = bio.read(length)
+        end
+        def to_openssl(h)
+          pem = to_openssl_pem(h)
+          OpenSSL::PKey::RSA.new(pem)
+        end
+        def to_openssl_pem(h)
+          der = to_openssl_der(h)
+          b64 = Base64::strict_encode64(der)
+          lines = b64.scan(/.{1,64}/)
+          [
+            "-----BEGIN RSA PRIVATE KEY-----",
+            lines,
+            "-----END RSA PRIVATE KEY-----",
+          ].flatten.join("\n")
+        end
+        def to_openssl_der(h)
+          d = h[:privatekey][:d].unpack("H*")[0].to_i(16)
+          p = h[:privatekey][:p].unpack("H*")[0].to_i(16)
+          q = h[:privatekey][:q].unpack("H*")[0].to_i(16)
+          exponent1 = d % (p - 1)
+          exponent2 = d % (q - 1)
+          OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::Integer.new(0),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:n].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:e].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:d].unpack("H*")[0].to_i(16)),
+            OpenSSL::ASN1::Integer.new(p),
+            OpenSSL::ASN1::Integer.new(q),
+            OpenSSL::ASN1::Integer.new(exponent1),
+            OpenSSL::ASN1::Integer.new(exponent2),
+            OpenSSL::ASN1::Integer.new(h[:privatekey][:iqmp].unpack("H*")[0].to_i(16)),
+          ]).to_der
+        end
+      end
+      KEYTYPES = [RSA.instance]
+      def self.fetch(keytype)
+        KEYTYPES.find {|kt| kt.support?(keytype)}
+      end
+    end
+    class Error < StandardError
+    end
+    class FormatError < Error
+    end
+    class UnsupportedError < Error
+    end
+  end
+end

data/lib/secure_conf/storage/yaml.rb CHANGED Viewed

@@ -2,11 +2,6 @@ require "yaml"
 module SecureConf
   module Storage
-    def self.fetch(path)
-      ext = File.extname(path).sub(".", "").capitalize
-      const_get(ext)
-    end
     module Yaml
       def self.load(path)
         if File.file?(path)
@@ -19,7 +14,9 @@ module SecureConf
       def self.save(path, obj)
         h = {}
         h.replace(obj)
-        YAML.dump(h, File.open(path, "w"))
+        File.open(path, "w") {|f|
+          YAML.dump(h, f)
+        }
       end
     end
     Yml = Yaml

data/lib/secure_conf/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module SecureConf
-  VERSION = "1.0.0"
+  VERSION = "2.1.0"
 end

data/secure_conf.gemspec CHANGED Viewed

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
-  spec.add_development_dependency "bundler", "~> 1.12"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 12.0"
+  spec.add_development_dependency "minitest", "~> 5.0"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_conf
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - yoshida
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2016-11-05 00:00:00.000000000 Z
+date: 2022-04-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -16,46 +16,47 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '2.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '5.0'
 description: To encrypt the configuration value.
 email:
 - yoshida.eth0@gmail.com
-executables: []
+executables:
+- secure_conf.rb
 extensions: []
 extra_rdoc_files: []
 files:
@@ -68,11 +69,13 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- exe/secure_conf.rb
 - lib/secure_conf.rb
 - lib/secure_conf/config.rb
 - lib/secure_conf/core_ext.rb
 - lib/secure_conf/core_ext/string.rb
 - lib/secure_conf/encrypter.rb
+- lib/secure_conf/openssh.rb
 - lib/secure_conf/serializer.rb
 - lib/secure_conf/serializer/json.rb
 - lib/secure_conf/serializer/marshal.rb
@@ -84,7 +87,7 @@ homepage: https://github.com/yoshida-eth0/ruby-secure_conf
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -99,9 +102,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.5.1
-signing_key:
+rubygems_version: 3.3.3
+signing_key:
 specification_version: 4
 summary: To encrypt the configuration value.
 test_files: []