trocla 0.3.0 → 0.5.0

data/lib/trocla/formats/ssha.rb

@@ -2,8 +2,8 @@
 require 'base64'
 require 'digest'
 class Trocla::Formats::Ssha < Trocla::Formats::Base
-  def format(plain_password,options={})
-     salt = options['salt'] || Trocla::Util.salt(16)
-     "{SSHA}"+Base64.encode64("#{Digest::SHA1.digest("#{plain_password}#{salt}")}#{salt}").chomp
+  def format(plain_password, options = {})
+    salt = options['salt'] || Trocla::Util.salt(16)
+    '{SSHA}' + Base64.encode64("#{Digest::SHA1.digest("#{plain_password}#{salt}")}#{salt}").chomp
   end
 end

data/lib/trocla/formats/sshkey.rb

@@ -0,0 +1,42 @@
+require 'sshkey'
+
+class Trocla::Formats::Sshkey < Trocla::Formats::Base
+  expensive true
+
+  def format(plain_password,options={})
+    if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY/m)
+      # Import, validate ssh key
+      begin
+        sshkey = ::SSHKey.new(plain_password)
+      rescue Exception => e
+        raise "SSH key import failed: #{e.message}"
+      end
+      return sshkey.private_key + sshkey.ssh_public_key
+    end
+
+    type = options['type'] || 'rsa'
+    bits = options['bits'] || 2048
+
+    begin
+      sshkey = ::SSHKey.generate(
+        type: type, bits: bits,
+        comment: options['comment'],
+        passphrase: options['passphrase']
+      )
+    rescue Exception => e
+      raise "SSH key creation failed: #{e.message}"
+    end
+
+    sshkey.private_key + sshkey.ssh_public_key
+  end
+
+  def render(output, render_options = {})
+    if render_options['privonly']
+      ::SSHKey.new(output).private_key
+    elsif render_options['pubonly']
+      ::SSHKey.new(output).ssh_public_key
+    else
+      super(output, render_options)
+    end
+  end
+end

data/lib/trocla/formats/wireguard.rb

@@ -0,0 +1,45 @@
+require 'open3'
+require 'yaml'
+
+class Trocla::Formats::Wireguard < Trocla::Formats::Base
+  expensive true
+
+  def format(plain_password, options={})
+    return YAML.safe_load(plain_password) if plain_password.match(/---/)
+
+    wg_priv = nil
+    wg_pub = nil
+    begin
+      Open3.popen3('wg genkey') do |_stdin, stdout, _stderr, _waiter|
+        wg_priv = stdout.read.chomp
+      end
+    rescue SystemCallError => e
+      raise 'trocla wireguard: wg binary not found' if e.message =~ /No such file or directory/
+
+      raise "trocla wireguard: #{e.message}"
+    end
+
+    begin
+      Open3.popen3('wg pubkey') do |stdin, stdout, _stderr, _waiter|
+        stdin.write(wg_priv)
+        stdin.close
+
+        wg_pub = stdout.read.chomp
+      end
+    rescue SystemCallError => e
+      raise "trocla wireguard: #{e.message}"
+    end
+    YAML.dump({ 'wg_priv' => wg_priv, 'wg_pub' => wg_pub })
+  end
+
+  def render(output, render_options = {})
+    data = YAML.safe_load(output)
+    if render_options['privonly']
+      data['wg_priv']
+    elsif render_options['pubonly']
+      data['wg_pub']
+    else
+      'pub: ' + data['wg_pub'] + "\npriv: " + data['wg_priv']
+    end
+  end
+end

data/lib/trocla/formats/x509.rb

@@ -1,8 +1,9 @@
 require 'openssl'
+
+# Trocla::Formats::X509
 class Trocla::Formats::X509 < Trocla::Formats::Base
   expensive true
   def format(plain_password,options={})
-
     if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY-----.*-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----/m)
       # just an import, don't generate any new keys
       return plain_password
@@ -11,17 +12,17 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     cn = nil
     if options['subject']
       subject = options['subject']
-      if cna = OpenSSL::X509::Name.parse(subject).to_a.find{|e| e[0] == 'CN' }
+      if cna = OpenSSL::X509::Name.parse(subject).to_a.find { |e| e[0] == 'CN' }
         cn = cna[1]
       end
     elsif options['CN']
       subject = ''
       cn = options['CN']
-      ['C','ST','L','O','OU','CN','emailAddress'].each do |field|
+      ['C', 'ST', 'L', 'O', 'OU', 'CN', 'emailAddress'].each do |field|
         subject << "/#{field}=#{options[field]}" if options[field]
       end
     else
-      raise "You need to pass \"subject\" or \"CN\" as an option to use this format"
+      raise 'You need to pass "subject" or "CN" as an option to use this format'
     end
     hash = options['hash'] || 'sha2'
     sign_with = options['ca']
@@ -33,17 +34,17 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     key_usages = Array(key_usages) if key_usages
 
     altnames = if become_ca || (an = options['altnames']) && Array(an).empty?
-      []
-    else
-      # ensure that we have the CN with us, but only if it
-      # it's like a hostname.
-      # This might have to be improved.
-      if cn.include?(' ')
-        Array(an).collect { |v| "DNS:#{v}" }.join(', ')
-      else
-        (["DNS:#{cn}"] + Array(an).collect { |v| "DNS:#{v}" }).uniq.join(', ')
-      end
-    end
+                 []
+               else
+                 # ensure that we have the CN with us, but only if it
+                 # it's like a hostname.
+                 # This might have to be improved.
+                 if cn.include?(' ')
+                   Array(an).collect { |v| "DNS:#{v}" }.join(', ')
+                 else
+                   (["DNS:#{cn}"] + Array(an).collect { |v| "DNS:#{v}" }).uniq.join(', ')
+                 end
+               end
 
     begin
       key = mkkey(keysize)
@@ -55,7 +56,7 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     cert = nil
     if sign_with # certificate signed with CA
       begin
-        ca_str = trocla.get_password(sign_with,'x509')
+        ca_str = trocla.get_password(sign_with, 'x509')
         ca = OpenSSL::X509::Certificate.new(ca_str)
         cakey = OpenSSL::PKey::RSA.new(ca_str)
         caserial = getserial(sign_with)
@@ -72,8 +73,10 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
       end
 
       begin
-        cert = mkcert(caserial, request.subject, ca, request.public_key, days,
-                        altnames, key_usages, name_constraints, become_ca)
+        cert = mkcert(
+          caserial, request.subject, ca, request.public_key, days,
+          altnames, key_usages, name_constraints, become_ca
+        )
         cert.sign(cakey, signature(hash))
         addserial(sign_with, caserial)
       rescue Exception => e
@@ -82,8 +85,10 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     else # self-signed certificate
       begin
         subj = OpenSSL::X509::Name.parse(subject)
-        cert = mkcert(getserial(subj), subj, nil, key.public_key, days,
-                        altnames, key_usages, name_constraints, become_ca)
+        cert = mkcert(
+          getserial(subj), subj, nil, key.public_key, days,
+          altnames, key_usages, name_constraints, become_ca
+        )
         cert.sign(key, signature(hash))
       rescue Exception => e
         raise "Self-signed certificate #{subject} creation failed: #{e.message}"
@@ -92,32 +97,34 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     key.to_pem + cert.to_pem
   end
 
-  def render(output,render_options={})
+  def render(output, render_options = {})
     if render_options['keyonly']
       OpenSSL::PKey::RSA.new(output).to_pem
     elsif render_options['certonly']
       OpenSSL::X509::Certificate.new(output).to_pem
+    elsif render_options['publickeyonly']
+      OpenSSL::PKey::RSA.new(output).public_key.to_pem
     else
-      super(output,render_options)
+      super(output, render_options)
     end
   end
 
   private
-  # nice help: https://gist.github.com/mitfik/1922961
 
+  # nice help: https://gist.github.com/mitfik/1922961
   def signature(hash = 'sha2')
     if hash == 'sha1'
-        OpenSSL::Digest::SHA1.new
+      OpenSSL::Digest::SHA1.new
     elsif hash == 'sha224'
-        OpenSSL::Digest::SHA224.new
+      OpenSSL::Digest::SHA224.new
     elsif hash == 'sha2' || hash == 'sha256'
-        OpenSSL::Digest::SHA256.new
+      OpenSSL::Digest::SHA256.new
     elsif hash == 'sha384'
-        OpenSSL::Digest::SHA384.new
+      OpenSSL::Digest::SHA384.new
     elsif hash == 'sha512'
-        OpenSSL::Digest::SHA512.new
+      OpenSSL::Digest::SHA512.new
     else
-        raise "Unrecognized hash: #{hash}"
+      raise "Unrecognized hash: #{hash}"
     end
   end
 
@@ -125,7 +132,7 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     OpenSSL::PKey::RSA.generate(len)
   end
 
-  def mkreq(subject,public_key)
+  def mkreq(subject, public_key)
     request = OpenSSL::X509::Request.new
     request.subject = subject
     request.public_key = public_key
@@ -133,9 +140,9 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     request
   end
 
-  def mkcert(serial,subject,issuer,public_key,days,altnames, key_usages = nil, name_constraints = [], become_ca = false)
+  def mkcert(serial, subject, issuer, public_key, days, altnames, key_usages = nil, name_constraints = [], become_ca = false)
     cert = OpenSSL::X509::Certificate.new
-    issuer = cert if issuer == nil
+    issuer = cert if issuer.nil?
     cert.subject = subject
     cert.issuer = issuer.subject
     cert.not_before = Time.now
@@ -147,36 +154,36 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
     ef = OpenSSL::X509::ExtensionFactory.new
     ef.subject_certificate = cert
     ef.issuer_certificate = issuer
-    cert.extensions = [ ef.create_extension("subjectKeyIdentifier", "hash") ]
+    cert.extensions = [ef.create_extension('subjectKeyIdentifier', 'hash')]
 
     if become_ca
-      cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true)
+      cert.add_extension ef.create_extension('basicConstraints', 'CA:TRUE', true)
       unless (ku = key_usages || ca_key_usages).empty?
-        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+        cert.add_extension ef.create_extension('keyUsage', ku.join(', '), true)
       end
       if name_constraints && !name_constraints.empty?
-        cert.add_extension ef.create_extension("nameConstraints","permitted;DNS:#{name_constraints.join(',permitted;DNS:')}",true)
+        cert.add_extension ef.create_extension('nameConstraints', "permitted;DNS:#{name_constraints.join(',permitted;DNS:')}", true)
       end
     else
-      cert.add_extension ef.create_extension("subjectAltName", altnames, true) unless altnames.empty?
-      cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true)
+      cert.add_extension ef.create_extension('subjectAltName', altnames, true) unless altnames.empty?
+      cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
       unless (ku = key_usages || cert_key_usages).empty?
-        cert.add_extension ef.create_extension("keyUsage", ku.join(', '), true)
+        cert.add_extension ef.create_extension('keyUsage', ku.join(', '), true)
       end
     end
-    cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+    cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')
 
     cert
   end
 
   def getserial(ca)
-    newser = Trocla::Util.random_str(20,'hexadecimal').to_i(16)
+    newser = Trocla::Util.random_str(20, 'hexadecimal').to_i(16)
     all_serials(ca).include?(newser) ? getserial(ca) : newser
   end
 
   def all_serials(ca)
-    if allser = trocla.get_password("#{ca}_all_serials",'plain')
-      YAML.load(allser)
+    if allser = trocla.get_password("#{ca}_all_serials", 'plain')
+      YAML.safe_load(allser)
     else
       []
     end
@@ -184,14 +191,17 @@ class Trocla::Formats::X509 < Trocla::Formats::Base
 
   def addserial(ca,serial)
     serials = all_serials(ca) << serial
-    trocla.set_password("#{ca}_all_serials",'plain',YAML.dump(serials))
+    trocla.set_password("#{ca}_all_serials", 'plain', YAML.dump(serials))
   end
 
   def cert_key_usages
     ['nonRepudiation', 'digitalSignature', 'keyEncipherment']
   end
+
   def ca_key_usages
-    ['keyCertSign', 'cRLSign', 'nonRepudiation',
-      'digitalSignature', 'keyEncipherment' ]
+    [
+      'keyCertSign', 'cRLSign', 'nonRepudiation',
+      'digitalSignature', 'keyEncipherment'
+    ]
   end
 end

data/lib/trocla/formats.rb

@@ -1,13 +1,19 @@
-class Trocla::Formats
+# frozen_string_literal: true
 
+# Trocla::Formats
+class Trocla::Formats
+  # Base
   class Base
     attr_reader :trocla
+
     def initialize(trocla)
       @trocla = trocla
     end
-    def render(output,render_options={})
+
+    def render(output, render_options = {})
       output
     end
+
     def expensive?
       self.class.expensive?
     end
@@ -15,6 +21,7 @@ class Trocla::Formats
       def expensive(is_expensive)
         @expensive = is_expensive
       end
+
       def expensive?
         @expensive == true
       end
@@ -27,7 +34,9 @@ class Trocla::Formats
     end
 
     def all
-      Dir[File.expand_path(File.join(File.dirname(__FILE__),'formats','*.rb'))].collect{|f| File.basename(f,'.rb').downcase }
+      Dir[File.expand_path(
+        File.join(File.dirname(__FILE__), 'formats', '*.rb')
+      )].collect { |f| File.basename(f, '.rb').downcase }
     end
 
     def available?(format)
@@ -35,10 +44,11 @@ class Trocla::Formats
     end
 
     private
+
     def formats
       @@formats ||= Hash.new do |hash, format|
         format = format.downcase
-        if File.exists?(path(format))
+        if File.exist?(path(format))
           require "trocla/formats/#{format}"
           hash[format] = (eval "Trocla::Formats::#{format.capitalize}")
         else
@@ -48,7 +58,7 @@ class Trocla::Formats
     end
 
     def path(format)
-      File.expand_path(File.join(File.dirname(__FILE__),'formats',"#{format}.rb"))
+      File.expand_path(File.join(File.dirname(__FILE__), 'formats', "#{format}.rb"))
     end
   end
 end

data/lib/trocla/store.rb

@@ -1,7 +1,8 @@
 # implements the default store behavior
 class Trocla::Store
   attr_reader :store_config, :trocla
-  def initialize(config,trocla)
+
+  def initialize(config, trocla)
     @store_config = config
     @trocla = trocla
   end
@@ -9,14 +10,13 @@ class Trocla::Store
   # closes the store
   # when called do whatever "closes" your
   # store, e.g. close database connections.
-  def close
-  end
+  def close; end
 
   # should return value for key & format
   # returns nil if nothing or a nil value
   # was found.
   # If a key is expired it must return nil.
-  def get(key,format)
+  def get(key, format)
     raise 'not implemented'
   end
 
@@ -33,11 +33,11 @@ class Trocla::Store
   # amount of seconds a key can live with.
   # This mechanism is expected to be
   # be implemented by the backend.
-  def set(key,format,value,options={})
+  def set(key, format, value, options = {})
     if format == 'plain'
-      set_plain(key,value,options)
+      set_plain(key, value, options)
     else
-      set_format(key,format,value,options)
+      set_format(key, format, value, options)
     end
   end
 
@@ -46,20 +46,31 @@ class Trocla::Store
   # returns value of format or hash of
   # format => value # if everything is
   # deleted.
-  def delete(key,format=nil)
-    format.nil? ? (delete_all(key)||{}) : delete_format(key,format)
+  def delete(key, format = nil)
+    format.nil? ? (delete_all(key) || {}) : delete_format(key, format)
+  end
+
+  # returns all formats for a key
+  def formats(_)
+    raise 'not implemented'
+  end
+
+  # def searches for a key
+  def search(_)
+    raise 'not implemented'
   end
 
   private
+
   # sets a new plain value
   # *must* invalidate all
   # other formats
-  def set_plain(key,value,options)
+  def set_plain(key, value, options)
     raise 'not implemented'
   end
 
   # sets a value of a format
-  def set_format(key,format,value,options)
+  def set_format(key, format, value, options)
     raise 'not implemented'
   end
 
@@ -67,14 +78,14 @@ class Trocla::Store
   # and returns a hash with all
   # formats and values
   # or nil if nothing is found
-  def delete_all(key)
+  def delete_all(_)
     raise 'not implemented'
   end
 
   # deletes the value of the passed
   # key & format and returns the
   # value.
-  def delete_format(key,format)
+  def delete_format(key, format)
     raise 'not implemented'
   end
 end

data/lib/trocla/stores/memory.rb

@@ -1,12 +1,13 @@
 # a simple in memory store just as an example
 class Trocla::Stores::Memory < Trocla::Store
   attr_reader :memory
-  def initialize(config,trocla)
-    super(config,trocla)
+
+  def initialize(config, trocla)
+    super(config, trocla)
     @memory = Hash.new({})
   end
 
-  def get(key,format)
+  def get(key, format)
     unless expired?(key)
       memory[key][format]
     else
@@ -14,31 +15,45 @@ class Trocla::Stores::Memory < Trocla::Store
       nil
     end
   end
-  def set(key,format,value,options={})
-    super(key,format,value,options)
-    set_expires(key,options['expires'])
+
+  def set(key, format, value, options = {})
+    super(key, format, value, options)
+    set_expires(key, options['expires'])
+  end
+
+  def formats(key)
+    memory[key].empty? ? nil : memory[key].keys
+  end
+
+  def search(key)
+    r = memory.keys.grep(/#{key}/)
+    r.empty? ? nil : r
   end
 
   private
-  def set_plain(key,value,options)
+
+  def set_plain(key, value, _)
     memory[key] = { 'plain' => value }
   end
 
-  def set_format(key,format,value,options)
+  def set_format(key, format, value, _)
     memory[key].merge!({ format => value })
   end
 
   def delete_all(key)
     memory.delete(key)
   end
-  def delete_format(key,format)
+
+  def delete_format(key, format)
     old_val = (h = memory[key]).delete(format)
     h.empty? ? memory.delete(key) : memory[key] = h
     set_expires(key,nil)
     old_val
   end
+
   private
-  def set_expires(key,expires)
+
+  def set_expires(key, expires)
     expires = memory[key]['_expires'] if expires.nil?
     if expires && expires > 0
       memory[key]['_expires'] = expires
@@ -48,6 +63,7 @@ class Trocla::Stores::Memory < Trocla::Store
       memory[key].delete('_expires_at')
     end
   end
+
   def expired?(key)
     memory.key?(key) &&
       (a = memory[key]['_expires_at']).is_a?(Time) && \

data/lib/trocla/stores/moneta.rb

@@ -1,27 +1,42 @@
 # the default moneta based store
 class Trocla::Stores::Moneta < Trocla::Store
   attr_reader :moneta
-  def initialize(config,trocla)
-    super(config,trocla)
+
+  def initialize(config, trocla)
+    super(config, trocla)
     require 'moneta'
     # load expire support by default
-    adapter_options = { :expires => true }.merge(
-                          store_config['adapter_options']||{})
-    @moneta = Moneta.new(store_config['adapter'],adapter_options)
+    adapter_options = {
+      :expires => true
+    }.merge(store_config['adapter_options'] || {})
+    @moneta = Moneta.new(store_config['adapter'], adapter_options)
   end
 
   def close
     moneta.close
   end
 
-  def get(key,format)
+  def get(key, format)
     moneta.fetch(key, {})[format]
   end
 
+  def formats(key)
+    r = moneta.fetch(key)
+    r.nil? ? nil : r.keys
+  end
+
+  def search(key)
+    raise 'The search option is not available for any adapter other than Sequel or YAML' unless store_config['adapter'] == :Sequel || store_config['adapter'] == :YAML
+
+    r = search_keys(key)
+    r.empty? ? nil : r
+  end
+
   private
-  def set_plain(key,value,options)
+
+  def set_plain(key, value, options)
     h = { 'plain' => value }
-    mo = moneta_options(key,options)
+    mo = moneta_options(key, options)
     if options['expires'] && options['expires'] > 0
       h['_expires'] = options['expires']
     else
@@ -29,24 +44,28 @@ class Trocla::Stores::Moneta < Trocla::Store
       # expires if nothing is set.
       mo[:expires] = false
     end
-    moneta.store(key,h,mo)
+    moneta.store(key, h, mo)
   end
 
-  def set_format(key,format,value,options)
-    moneta.store(key,
-                 moneta.fetch(key,{}).merge({ format => value }),
-                 moneta_options(key,options))
+  def set_format(key, format, value, options)
+    moneta.store(
+      key,
+      moneta.fetch(key, {}).merge({ format => value }),
+      moneta_options(key, options)
+    )
   end
 
   def delete_all(key)
     moneta.delete(key)
   end
-  def delete_format(key,format)
-    old_val = (h = moneta.fetch(key,{})).delete(format)
-    h.empty? ? moneta.delete(key) : moneta.store(key,h,moneta_options(key,{}))
+
+  def delete_format(key, format)
+    old_val = (h = moneta.fetch(key, {})).delete(format)
+    h.empty? ? moneta.delete(key) : moneta.store(key, h, moneta_options(key, {}))
     old_val
   end
-  def moneta_options(key,options)
+
+  def moneta_options(key, options)
     res = {}
     if options.key?('expires')
       res[:expires] = options['expires']
@@ -55,4 +74,21 @@ class Trocla::Stores::Moneta < Trocla::Store
     end
     res
   end
+
+  def search_keys(key)
+    _moneta = Moneta.new(store_config['adapter'], (store_config['adapter_options'] || {}).merge({ :expires => false }))
+    a = []
+
+    if store_config['adapter'] == :Sequel
+      keys = _moneta.adapter.backend[:trocla].select_order_map { from_base64(:k) }
+    elsif store_config['adapter'] == :YAML
+      keys = _moneta.adapter.backend.transaction(true) { _moneta.adapter.backend.roots }
+    end
+    _moneta.close
+    regexp = Regexp.new("#{key}")
+    keys.each do |k|
+      a << k if regexp.match(k)
+    end
+    a
+  end
 end