trocla 0.2.0 → 0.4.0

data/lib/VERSION

@@ -1,4 +1,4 @@
 major:0
-minor:2
+minor:4
 patch:0
 build:

data/lib/trocla.rb

@@ -13,6 +13,17 @@ class Trocla
     end
   end
 
+  def self.open(config_file=nil)
+    trocla = Trocla.new(config_file)
+
+    if block_given?
+      yield trocla
+      trocla.close
+    else
+      trocla
+    end
+  end
+
   def password(key,format,options={})
     # respect a default profile, but let the
     # profiles win over the default options
@@ -24,43 +35,59 @@ class Trocla
 
     raise "Format #{format} is not supported! Supported formats: #{Trocla::Formats.all.join(', ')}" unless Trocla::Formats::available?(format)
 
-    unless (password=get_password(key,format)).nil?
+    unless (password=get_password(key,format,options)).nil?
       return password
     end
 
-    plain_pwd = get_password(key,'plain')
+    plain_pwd = get_password(key,'plain',options)
     if options['random'] && plain_pwd.nil?
       plain_pwd = Trocla::Util.random_str(options['length'].to_i,options['charset'])
       set_password(key,'plain',plain_pwd,options) unless format == 'plain'
     elsif !options['random'] && plain_pwd.nil?
       raise "Password must be present as plaintext if you don't want a random password"
     end
-    set_password(key,format,self.formats(format).format(plain_pwd,options),options)
+    pwd = self.formats(format).format(plain_pwd,options)
+    # it's possible that meanwhile another thread/process was faster in
+    # formating the password. But we want todo that second lookup
+    # only for expensive formats
+    if self.formats(format).expensive?
+      get_password(key,format,options) || set_password(key, format, pwd, options)
+    else
+      set_password(key, format, pwd, options)
+    end
   end
 
-  def get_password(key, format)
-    decrypt(store.get(key,format))
+  def get_password(key, format, options={})
+    render(format,decrypt(store.get(key,format)),options)
   end
 
   def reset_password(key,format,options={})
-    set_password(key,format,nil,options)
+    delete_password(key,format)
     password(key,format,options)
   end
 
-  def delete_password(key,format=nil)
+  def delete_password(key,format=nil,options={})
     v = store.delete(key,format)
     if v.is_a?(Hash)
       Hash[*v.map do |f,encrypted_value|
-        [f,decrypt(encrypted_value)]
+        [f,render(format,decrypt(encrypted_value),options)]
       end.flatten]
     else
-      decrypt(v)
+      render(format,decrypt(v),options)
     end
   end
 
   def set_password(key,format,password,options={})
     store.set(key,format,encrypt(password),options)
-    password
+    render(format,password,options)
+  end
+
+  def available_format(key, options={})
+    render(false,store.formats(key),options)
+  end
+
+  def search_key(key, options={})
+    render(false,store.search(key),options)
   end
 
   def formats(format)
@@ -75,6 +102,10 @@ class Trocla
     @config ||= read_config
   end
 
+  def close
+    store.close
+  end
+
   private
   def store
     @store ||= build_store
@@ -116,6 +147,14 @@ class Trocla
     encryption.decrypt(value)
   end
 
+  def render(format,output,options={})
+    if format && output && f=self.formats(format)
+      f.render(output,options['render']||{})
+    else
+      output
+    end
+  end
+
   def default_config
     require 'yaml'
     YAML.load(File.read(File.expand_path(File.join(File.dirname(__FILE__),'trocla','default_config.yaml'))))

data/lib/trocla/default_config.yaml

@@ -21,6 +21,16 @@ profiles:
   login:
     charset: consolesafe
     length: 16
+  x509veryverylong:
+    # 15 years
+    days: 5475
+    # 5475 days
+    expires: 466560000
+  x509verylong:
+    # 10 years
+    days: 3650
+    # 3600 days
+    expires: 311040000
   x509long:
     # 5 years
     days: 1825

data/lib/trocla/formats.rb

@@ -5,6 +5,20 @@ class Trocla::Formats
     def initialize(trocla)
       @trocla = trocla
     end
+    def render(output,render_options={})
+      output
+    end
+    def expensive?
+      self.class.expensive?
+    end
+    class << self
+      def expensive(is_expensive)
+        @expensive = is_expensive
+      end
+      def expensive?
+        @expensive == true
+      end
+    end
   end
 
   class << self

data/lib/trocla/formats/bcrypt.rb

@@ -1,6 +1,7 @@
 class Trocla::Formats::Bcrypt < Trocla::Formats::Base
+  expensive true
   require 'bcrypt'
   def format(plain_password,options={})
-    BCrypt::Password.create(plain_password).to_s
+    BCrypt::Password.create(plain_password, :cost => options['cost']||BCrypt::Engine.cost).to_s
   end
 end

data/lib/trocla/formats/sshkey.rb

@@ -0,0 +1,46 @@
+require 'sshkey'
+
+class Trocla::Formats::Sshkey < Trocla::Formats::Base
+
+  expensive true
+
+  def format(plain_password,options={})
+
+    if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY/m)
+      # Import, validate ssh key
+      begin
+        sshkey = ::SSHKey.new(plain_password)
+      rescue Exception => e
+        raise "SSH key import failed: #{e.message}"
+      end
+      return sshkey.private_key + sshkey.ssh_public_key
+    end
+
+    type = options['type'] || 'rsa'
+    bits = options['bits'] || 2048
+
+    begin
+      sshkey = ::SSHKey.generate(
+        type:       type,
+        bits:       bits,
+        comment:    options['comment'],
+        passphrase: options['passphrase']
+      )
+    rescue Exception => e
+      raise "SSH key creation failed: #{e.message}"
+    end
+
+    sshkey.private_key + sshkey.ssh_public_key
+  end
+
+  def render(output,render_options={})
+    if render_options['privonly']
+      ::SSHKey.new(output).private_key
+    elsif render_options['pubonly']
+      ::SSHKey.new(output).ssh_public_key
+    else
+      super(output,render_options)
+    end
+  end
+
+end

data/lib/trocla/formats/x509.rb

@@ -1,5 +1,6 @@
 require 'openssl'
 class Trocla::Formats::X509 < Trocla::Formats::Base
+  expensive true
   def format(plain_password,options={})
 
     if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY-----.*-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----/m)
@@ -28,6 +29,8 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     keysize = options['keysize'] || 4096
     days = options['days'].nil? ? 365 : options['days'].to_i
     name_constraints = Array(options['name_constraints'])
+    key_usages = options['key_usages']
+    key_usages = Array(key_usages) if key_usages
 
     altnames = if become_ca || (an = options['altnames']) && Array(an).empty?
       []
@@ -49,6 +52,7 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
       raise "Private key for #{subject} creation failed: #{e.message}"
     end
 
+    cert = nil
     if sign_with # certificate signed with CA
       begin
         ca_str = trocla.get_password(sign_with,'x509')
@@ -68,28 +72,39 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
       end
 
       begin
-        csr_cert = mkcert(caserial, request.subject, ca, request.public_key, days, altnames, name_constraints, become_ca)
-        csr_cert.sign(cakey, signature(hash))
+        cert = mkcert(caserial, request.subject, ca, request.public_key, days,
+                        altnames, key_usages, name_constraints, become_ca)
+        cert.sign(cakey, signature(hash))
         addserial(sign_with, caserial)
       rescue Exception => e
         raise "Certificate #{subject} signing failed: #{e.message}"
       end
-
-      key.to_pem + csr_cert.to_pem
     else # self-signed certificate
       begin
         subj = OpenSSL::X509::Name.parse(subject)
-        cert = mkcert(getserial(subj), subj, nil, key.public_key, days, altnames, name_constraints, become_ca)
+        cert = mkcert(getserial(subj), subj, nil, key.public_key, days,
+                        altnames, key_usages, name_constraints, become_ca)
         cert.sign(key, signature(hash))
       rescue Exception => e
         raise "Self-signed certificate #{subject} creation failed: #{e.message}"
       end
+    end
+    key.to_pem + cert.to_pem
+  end
 
-      key.to_pem + cert.to_pem
+  def render(output,render_options={})
+    if render_options['keyonly']
+      OpenSSL::PKey::RSA.new(output).to_pem
+    elsif render_options['certonly']
+      OpenSSL::X509::Certificate.new(output).to_pem
+    elsif render_options['publickeyonly']
+      OpenSSL::PKey::RSA.new(output).public_key.to_pem
+    else
+      super(output,render_options)
     end
   end
-  private
 
+  private
   # nice help: https://gist.github.com/mitfik/1922961
 
   def signature(hash = 'sha2')
@@ -120,7 +135,7 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     request
   end
 
-  def mkcert(serial,subject,issuer,public_key,days,altnames, name_constraints = [], become_ca = false)
+  def mkcert(serial,subject,issuer,public_key,days,altnames, key_usages = nil, name_constraints = [], become_ca = false)
     cert = OpenSSL::X509::Certificate.new
     issuer = cert if issuer == nil
     cert.subject = subject
@@ -138,14 +153,18 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
 
     if become_ca
       cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true)
-      cert.add_extension ef.create_extension("keyUsage", "keyCertSign, cRLSign, nonRepudiation, digitalSignature, keyEncipherment", true)
+      unless (ku = key_usages || ca_key_usages).empty?
+        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+      end
       if name_constraints && !name_constraints.empty?
         cert.add_extension ef.create_extension("nameConstraints","permitted;DNS:#{name_constraints.join(',permitted;DNS:')}",true)
       end
     else
       cert.add_extension ef.create_extension("subjectAltName", altnames, true) unless altnames.empty?
       cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true)
-      cert.add_extension ef.create_extension("keyUsage", "nonRepudiation, digitalSignature, keyEncipherment", true)
+      unless (ku = key_usages || cert_key_usages).empty?
+        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+      end
     end
     cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
 
@@ -169,4 +188,12 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     serials = all_serials(ca) << serial
     trocla.set_password("#{ca}_all_serials",'plain',YAML.dump(serials))
   end
+
+  def cert_key_usages
+    ['nonRepudiation', 'digitalSignature', 'keyEncipherment']
+  end
+  def ca_key_usages
+    ['keyCertSign', 'cRLSign', 'nonRepudiation',
+      'digitalSignature', 'keyEncipherment' ]
+  end
 end

data/lib/trocla/store.rb

@@ -6,6 +6,12 @@ class Trocla::Store
     @trocla = trocla
   end
 
+  # closes the store
+  # when called do whatever "closes" your
+  # store, e.g. close database connections.
+  def close
+  end
+
   # should return value for key & format
   # returns nil if nothing or a nil value
   # was found.
@@ -44,6 +50,16 @@ class Trocla::Store
     format.nil? ? (delete_all(key)||{}) : delete_format(key,format)
   end
 
+  # returns all formats for a key
+  def formats(key)
+    raise 'not implemented'
+  end
+
+  # def searches for a key
+  def search(key)
+    raise 'not implemented'
+  end
+
   private
   # sets a new plain value
   # *must* invalidate all

data/lib/trocla/stores/memory.rb

@@ -19,6 +19,15 @@ class Trocla::Stores::Memory < Trocla::Store
     set_expires(key,options['expires'])
   end
 
+  def formats(key)
+    memory[key].empty? ? nil : memory[key].keys
+  end
+
+  def search(key)
+    r = memory.keys.grep(/#{key}/)
+    r.empty? ? nil : r
+  end
+
   private
   def set_plain(key,value,options)
     memory[key] = { 'plain' => value }

data/lib/trocla/stores/moneta.rb

@@ -10,10 +10,25 @@ class Trocla::Stores::Moneta < Trocla::Store
     @moneta = Moneta.new(store_config['adapter'],adapter_options)
   end
 
+  def close
+    moneta.close
+  end
+
   def get(key,format)
     moneta.fetch(key, {})[format]
   end
 
+  def formats(key)
+    r = moneta.fetch(key)
+    r.nil? ? nil : r.keys
+  end
+
+  def search(key)
+    raise 'The search option is not available for any adapter other than Sequel or YAML' unless store_config['adapter'] == :Sequel || store_config['adapter'] == :YAML
+    r = search_keys(key)
+    r.empty? ? nil : r
+  end
+
   private
   def set_plain(key,value,options)
     h = { 'plain' => value }
@@ -51,4 +66,19 @@ class Trocla::Stores::Moneta < Trocla::Store
     end
     res
   end
+  def search_keys(key)
+    _moneta = Moneta.new(store_config['adapter'], (store_config['adapter_options']||{}).merge({ :expires => false }))
+    a = []
+    if store_config['adapter'] == :Sequel
+      keys = _moneta.adapter.backend[:trocla].select_order_map {from_base64(:k)}
+    elsif store_config['adapter'] == :YAML
+      keys = _moneta.adapter.backend.transaction(true) { _moneta.adapter.backend.roots }
+    end
+    _moneta.close
+    regexp = Regexp.new("#{key}")
+    keys.each do |k|
+      a << k if regexp.match(k)
+    end
+    a
+  end
 end

data/lib/trocla/stores/vault.rb

@@ -0,0 +1,50 @@
+# the default vault based store
+class Trocla::Stores::Vault < Trocla::Store
+  attr_reader :vault, :mount
+  def initialize(config,trocla)
+    super(config,trocla)
+    require 'vault'
+    @mount = (config.delete(:mount) || 'kv')
+    # load expire support by default
+    @vault = Vault::Client.new(config)
+  end
+
+  def close
+  end
+
+  def get(key,format)
+    read(key)[format.to_sym]
+  end
+
+  def formats(key)
+    read(key).keys
+  end
+
+  private
+  def read(key)
+    k = vault.kv(mount).read(key)
+    k.nil? ? {} : k.data
+  end
+
+  def write(key, value)
+    vault.kv(mount).write(key, value)
+  end
+
+  def set_plain(key,value,options)
+    set_format(key,'plain',value,options)
+  end
+
+  def set_format(key,format,value,options)
+    write(key, read(key).merge({format.to_sym => value}))
+  end
+
+  def delete_all(key)
+    vault.kv(mount).delete(key)
+  end
+
+  def delete_format(key,format)
+    old = read(key)
+    write(key, old.reject { |k,v| k == format.to_sym })
+    old[format.to_sym]
+  end
+end