trocla 0.3.0 → 0.5.0

data/lib/trocla/stores/vault.rb

@@ -0,0 +1,78 @@
+# the default vault based store
+class Trocla::Stores::Vault < Trocla::Store
+  attr_reader :vault, :mount, :destroy
+
+  def initialize(config, trocla)
+    super(config, trocla)
+    require 'vault'
+    @mount = (config.delete(:mount) || 'kv')
+    @destroy = (config.delete(:destroy) || false)
+    # load expire support by default
+    @vault = Vault::Client.new(config)
+  end
+
+  def close; end
+
+  def get(key, format)
+    read(key)[format.to_sym]
+  end
+
+  def formats(key)
+    read(key).keys
+  end
+
+  def search(key)
+    arr = key.split('/')
+    regexp = Regexp.new(arr.pop(1)[0].to_s)
+    path = arr.join('/')
+    list = vault.kv(mount).list(path)
+    list.map! do |l|
+      if regexp.match(l)
+        path.empty? ? l : [path, l].join('/')
+      end
+    end
+    list.compact
+  end
+
+  private
+
+  def read(key)
+    k = vault.kv(mount).read(key)
+    k.nil? ? {} : k.data
+  end
+
+  def write(key, value, options = {})
+    vault.kv(mount).write_metadata(key, convert_metadata(options)) unless options.empty?
+    vault.kv(mount).write(key, value)
+  end
+
+  def set_plain(key, value, options)
+    set_format(key, 'plain', value, options)
+  end
+
+  def set_format(key, format, value, options)
+    write(
+      key,
+      read(key).merge({ format.to_sym => value }),
+      options
+    )
+  end
+
+  def delete_all(key)
+    destroy ? vault.kv(mount).destroy(key) : vault.kv(mount).delete(key)
+  end
+
+  def delete_format(key, format)
+    old = read(key)
+    new = old.reject { |k, _| k == format.to_sym }
+    new.empty? ? delete_all(key) : write(key, new)
+    old[format.to_sym]
+  end
+
+  def convert_metadata(metadatas)
+    metadatas.transform_keys!(&:to_sym)
+    metadatas[:delete_version_after] = metadatas.delete(:expire) if metadatas[:expire]
+    %i[random profiles expires length].each { |k| metadatas.delete(k) }
+    metadatas
+  end
+end

data/lib/trocla/stores.rb

@@ -7,7 +7,7 @@ class Trocla::Stores
     end
 
     def all
-      @all ||= Dir[ path '*' ].collect do |store|
+      @all ||= Dir[path '*'].collect do |store|
         File.basename(store, '.rb').downcase
       end
     end
@@ -17,10 +17,11 @@ class Trocla::Stores
     end
 
     private
+
     def stores
       @@stores ||= Hash.new do |hash, store|
         store = store.to_s.downcase
-        if File.exists?(path(store))
+        if File.exist?(path(store))
           require "trocla/stores/#{store}"
           class_name = "Trocla::Stores::#{store.capitalize}"
           hash[store] = (eval class_name)

data/lib/trocla/util.rb

@@ -1,30 +1,30 @@
 require 'securerandom'
 class Trocla
+  # Utils
   class Util
     class << self
-      def random_str(length=12, charset='default')
-        _charsets = charsets[charset] || charsets['default']
-        (1..length).collect{|a| _charsets[SecureRandom.random_number(_charsets.size)] }.join.to_s
+      def random_str(length = 12, charset = 'default')
+        char = charsets[charset] || charsets['default']
+        charsets_size = char.size
+        (1..length).collect { |_| char[rand_num(charsets_size)] }.join.to_s
       end
 
-      def salt(length=8)
-        alphanumeric_size = alphanumeric.size
-        (1..length).collect{|a| alphanumeric[SecureRandom.random_number(alphanumeric_size)] }.join.to_s
+      def salt(length = 8)
+        random_str(length, 'alphanumeric')
       end
 
       private
 
+      def rand_num(n)
+        SecureRandom.random_number(n)
+      end
+
       def charsets
         @charsets ||= begin
           h = {
-            'default'      => chars,
-            'alphanumeric' => alphanumeric,
-            'shellsafe'    => shellsafe,
-            'windowssafe'  => windowssafe,
-            'numeric'      => numeric,
-            'hexadecimal'  => hexadecimal,
-            'consolesafe'  => consolesafe,
-            'typesafe'     => typesafe,
+            'default' => chars, 'alphanumeric' => alphanumeric, 'shellsafe' => shellsafe,
+            'windowssafe' => windowssafe, 'numeric' => numeric, 'hexadecimal' => hexadecimal,
+            'consolesafe' => consolesafe, 'typesafe' => typesafe
           }
           h.each { |k, v| h[k] = v.uniq }
         end
@@ -33,36 +33,47 @@ class Trocla
       def chars
         @chars ||= shellsafe + special_chars
       end
+
       def shellsafe
         @shellsafe ||= alphanumeric + shellsafe_chars
       end
+
       def windowssafe
         @windowssafe ||= alphanumeric + windowssafe_chars
       end
+
       def consolesafe
         @consolesafe ||= alphanumeric + consolesafe_chars
       end
+
       def hexadecimal
         @hexadecimal ||= numeric + ('a'..'f').to_a
       end
+
       def alphanumeric
         @alphanumeric ||= ('a'..'z').to_a + ('A'..'Z').to_a + numeric
       end
+
       def numeric
         @numeric ||= ('0'..'9').to_a
       end
+
       def typesafe
         @typesafe ||= ('a'..'x').to_a - ['i'] - ['l'] + ('A'..'X').to_a - ['I'] - ['L'] + ('1'..'9').to_a
       end
+
       def special_chars
-        @special_chars ||= "*()&![]{}-".split(//)
+        @special_chars ||= '*()&![]{}-'.split(//)
       end
+
       def shellsafe_chars
-        @shellsafe_chars ||= "+%/@=?_.,:".split(//)
+        @shellsafe_chars ||= '+%/@=?_.,:'.split(//)
       end
+
       def windowssafe_chars
-        @windowssafe_chars ||= "+%/@=?_.,".split(//)
+        @windowssafe_chars ||= '+%/@=?_.,'.split(//)
       end
+
       def consolesafe_chars
         @consolesafe_chars ||= '+.-,_'.split(//)
       end

data/lib/trocla/version.rb

@@ -1,20 +1,23 @@
 # encoding: utf-8
+
 class Trocla
+  # VERSION
   class VERSION
     version = {}
     File.read(File.join(File.dirname(__FILE__), '../', 'VERSION')).each_line do |line|
-      type, value = line.chomp.split(":")
+      type, value = line.chomp.split(':')
       next if type =~ /^\s+$/ || value =~ /^\s+$/
+
       version[type] = value
     end
-    
+
     MAJOR = version['major']
     MINOR = version['minor']
     PATCH = version['patch']
     BUILD = version['build']
-    
+
     STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
-    
+
     def self.version
       STRING
     end

data/lib/trocla.rb

@@ -4,16 +4,17 @@ require 'trocla/formats'
 require 'trocla/encryptions'
 require 'trocla/stores'
 
+# Trocla class
 class Trocla
-  def initialize(config_file=nil)
+  def initialize(config_file = nil)
     if config_file
       @config_file = File.expand_path(config_file)
-    elsif File.exists?(def_config_file=File.expand_path('~/.troclarc.yaml')) || File.exists?(def_config_file=File.expand_path('/etc/troclarc.yaml'))
+    elsif File.exist?(def_config_file = File.expand_path('~/.troclarc.yaml')) || File.exist?(def_config_file = File.expand_path('/etc/troclarc.yaml'))
       @config_file = def_config_file
     end
   end
 
-  def self.open(config_file=nil)
+  def self.open(config_file = nil)
     trocla = Trocla.new(config_file)
 
     if block_given?
@@ -24,70 +25,76 @@ class Trocla
     end
   end
 
-  def password(key,format,options={})
+  def password(key, format, options={})
     # respect a default profile, but let the
     # profiles win over the default options
     options['profiles'] ||= config['options']['profiles']
-    if options['profiles']
-      options = merge_profiles(options['profiles']).merge(options)
-    end
+    options = merge_profiles(options['profiles']).merge(options) if options['profiles']
     options = config['options'].merge(options)
 
     raise "Format #{format} is not supported! Supported formats: #{Trocla::Formats.all.join(', ')}" unless Trocla::Formats::available?(format)
 
-    unless (password=get_password(key,format,options)).nil?
+    unless (password = get_password(key, format, options)).nil?
       return password
     end
 
-    plain_pwd = get_password(key,'plain',options)
+    plain_pwd = get_password(key, 'plain', options)
     if options['random'] && plain_pwd.nil?
-      plain_pwd = Trocla::Util.random_str(options['length'].to_i,options['charset'])
-      set_password(key,'plain',plain_pwd,options) unless format == 'plain'
+      plain_pwd = Trocla::Util.random_str(options['length'].to_i, options['charset'])
+      set_password(key, 'plain', plain_pwd, options) unless format == 'plain'
     elsif !options['random'] && plain_pwd.nil?
       raise "Password must be present as plaintext if you don't want a random password"
     end
-    pwd = self.formats(format).format(plain_pwd,options)
+    pwd = self.formats(format).format(plain_pwd, options)
     # it's possible that meanwhile another thread/process was faster in
     # formating the password. But we want todo that second lookup
     # only for expensive formats
     if self.formats(format).expensive?
-      get_password(key,format,options) || set_password(key, format, pwd, options)
+      get_password(key, format, options) || set_password(key, format, pwd, options)
     else
       set_password(key, format, pwd, options)
     end
   end
 
-  def get_password(key, format, options={})
-    render(format,decrypt(store.get(key,format)),options)
+  def get_password(key, format, options = {})
+    render(format, decrypt(store.get(key, format)), options)
   end
 
-  def reset_password(key,format,options={})
-    set_password(key,format,nil,options)
-    password(key,format,options)
+  def reset_password(key, format, options = {})
+    delete_password(key, format)
+    password(key, format, options)
   end
 
-  def delete_password(key,format=nil,options={})
-    v = store.delete(key,format)
+  def delete_password(key, format = nil, options = {})
+    v = store.delete(key, format)
     if v.is_a?(Hash)
-      Hash[*v.map do |f,encrypted_value|
-        [f,render(format,decrypt(encrypted_value),options)]
+      Hash[*v.map do |f, encrypted_value|
+        [f, render(format, decrypt(encrypted_value), options)]
       end.flatten]
     else
-      render(format,decrypt(v),options)
+      render(format, decrypt(v), options)
     end
   end
 
-  def set_password(key,format,password,options={})
-    store.set(key,format,encrypt(password),options)
-    render(format,password,options)
+  def set_password(key, format, password, options = {})
+    store.set(key, format, encrypt(password), options)
+    render(format, password, options)
+  end
+
+  def available_format(key, options = {})
+    render(false, store.formats(key), options)
+  end
+
+  def search_key(key, options = {})
+    render(false, store.search(key), options)
   end
 
   def formats(format)
-    (@format_cache||={})[format] ||= Trocla::Formats[format].new(self)
+    (@format_cache ||= {})[format] ||= Trocla::Formats[format].new(self)
   end
 
   def encryption
-    @encryption ||= Trocla::Encryptions[config['encryption']].new(config['encryption_options'],self)
+    @encryption ||= Trocla::Encryptions[config['encryption']].new(config['encryption_options'], self)
   end
 
   def config
@@ -99,6 +106,7 @@ class Trocla
   end
 
   private
+
   def store
     @store ||= build_store
   end
@@ -106,19 +114,20 @@ class Trocla
   def build_store
     s = config['store']
     clazz = if s.is_a?(Symbol)
-      Trocla::Stores[s]
-    else
-      require config['store_require'] if config['store_require']
-      eval(s)
-    end
-    clazz.new(config['store_options'],self)
+              Trocla::Stores[s]
+            else
+              require config['store_require'] if config['store_require']
+              eval(s)
+            end
+    clazz.new(config['store_options'], self)
   end
 
   def read_config
     if @config_file.nil?
       default_config
     else
-      raise "Configfile #{@config_file} does not exist!" unless File.exists?(@config_file)
+      raise "Configfile #{@config_file} does not exist!" unless File.exist?(@config_file)
+
       c = default_config.merge(YAML.load(File.read(@config_file)))
       c['profiles'] = default_config['profiles'].merge(c['profiles'])
       # migrate all options to new store options
@@ -136,12 +145,13 @@ class Trocla
 
   def decrypt(value)
     return nil if value.nil?
+
     encryption.decrypt(value)
   end
 
-  def render(format,output,options={})
-    if format && output && f=self.formats(format)
-      f.render(output,options['render']||{})
+  def render(format, output, options = {})
+    if format && output && f = self.formats(format)
+      f.render(output, options['render'] || {})
     else
       output
     end
@@ -149,14 +159,14 @@ class Trocla
 
   def default_config
     require 'yaml'
-    YAML.load(File.read(File.expand_path(File.join(File.dirname(__FILE__),'trocla','default_config.yaml'))))
+    YAML.load(File.read(File.expand_path(File.join(File.dirname(__FILE__), 'trocla', 'default_config.yaml'))))
   end
 
   def merge_profiles(profiles)
-    Array(profiles).inject({}) do |res,profile|
+    Array(profiles).inject({}) do |res, profile|
       raise "No such profile #{profile} defined" unless profile_hash = config['profiles'][profile]
+
       profile_hash.merge(res)
     end
   end
-
 end

data/spec/spec_helper.rb

@@ -1,5 +1,6 @@
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
+require 'jruby' if Object.const_defined?(:RUBY_ENGINE) and RUBY_ENGINE == 'jruby'
 require 'rspec'
 require 'rspec/pending_for'
 require 'yaml'
@@ -35,6 +36,11 @@ RSpec.shared_examples "encryption_basics" do
       expect(@trocla.get_password('some_pass', 'plain')).to eql('super secret')
     end
 
+    it "resets passwords" do
+      @trocla.set_password('some_pass', 'plain', 'super secret')
+      expect(@trocla.reset_password('some_pass', 'plain')).not_to eql('super secret')
+    end
+
   end
   describe 'deleting' do
     it "plain" do
@@ -225,7 +231,13 @@ RSpec.shared_examples 'store_validation' do |store|
 end
 
 def default_config
-  @default_config ||= YAML.load(File.read(File.expand_path(base_dir+'/lib/trocla/default_config.yaml')))
+  @default_config ||=  begin
+    config_path = [
+      File.expand_path(base_dir+'/lib/trocla/default_config.yaml'),
+      File.expand_path(File.dirname($LOADED_FEATURES.grep(/trocla.rb/)[0])+'/trocla/default_config.yaml'),
+    ].find { |p| File.exists?(p) }
+    YAML.load(File.read(config_path))
+  end
 end
 
 def test_config

data/spec/trocla/formats/pgsql_spec.rb

@@ -0,0 +1,25 @@
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe 'Trocla::Format::Pgsql' do
+  before(:each) do
+    expect_any_instance_of(Trocla).to receive(:read_config).and_return(test_config)
+    @trocla = Trocla.new
+  end
+
+  describe 'default pgsql' do
+    it 'create a pgsql password keypair without options in sha256' do
+      pass = @trocla.password('pgsql_password_sh256', 'pgsql', {})
+      expect(pass).to match(/^SCRAM-SHA-256\$(.*):(.*)\$(.*):/)
+    end
+  end
+
+  describe 'pgsql in md5 encode' do
+    it 'create a pgsql password in md5 encode' do
+      pass = @trocla.password(
+        'pgsql_password_md5', 'pgsql',
+        { 'username' => 'toto', 'encode' => 'md5' }
+      )
+      expect(pass).to match(/^md5/)
+    end
+  end
+end

data/spec/trocla/formats/sshkey_spec.rb

@@ -0,0 +1,52 @@
+require File.expand_path(File.dirname(__FILE__) + '/../../spec_helper')
+
+describe "Trocla::Format::Sshkey" do
+
+  before(:each) do
+    expect_any_instance_of(Trocla).to receive(:read_config).and_return(test_config)
+    @trocla = Trocla.new
+  end
+
+  let(:sshkey_options) do
+    {
+      'type'    => 'rsa',
+      'bits'    => 4096,
+      'comment' => 'My ssh key'
+    }
+  end
+
+  describe "sshkey" do
+    it "is able to create an ssh keypair without options" do
+      sshkey = @trocla.password('my_ssh_keypair', 'sshkey', {})
+      expect(sshkey).to start_with('-----BEGIN RSA PRIVATE KEY-----')
+      expect(sshkey).to match(/ssh-/)
+    end
+
+    it "is able to create an ssh keypair with options" do
+      sshkey = @trocla.password('my_ssh_keypair', 'sshkey', sshkey_options)
+      expect(sshkey).to start_with('-----BEGIN RSA PRIVATE KEY-----')
+      expect(sshkey).to match(/ssh-/)
+      expect(sshkey).to end_with('My ssh key')
+    end
+
+    it 'supports fetching only the priv key' do
+      sshkey = @trocla.password('my_ssh_keypair', 'sshkey', { 'render' => {'privonly' => true }})
+      expect(sshkey).to start_with('-----BEGIN RSA PRIVATE KEY-----')
+      expect(sshkey).not_to match(/ssh-/)
+    end
+
+    it 'supports fetching only the pub key' do
+      sshkey = @trocla.password('my_ssh_keypair', 'sshkey', { 'render' => {'pubonly' => true }})
+      expect(sshkey).to start_with('ssh-rsa')
+      expect(sshkey).not_to match(/-----BEGIN RSA PRIVATE KEY-----/)
+    end
+
+    it "is able to create an ssh keypair with a passphrase" do
+      sshkey = @trocla.password('my_ssh_keypair', 'sshkey', { 'passphrase' => 'spec' })
+      expect(sshkey).to start_with('-----BEGIN RSA PRIVATE KEY-----')
+      expect(sshkey).to match(/ssh-/)
+    end
+
+  end
+
+end

data/spec/trocla/formats/x509_spec.rb

@@ -44,7 +44,9 @@ describe "Trocla::Format::X509" do
       expect(cert.public_key.n.num_bytes * 8).to eq(4096)
       expect((Date.parse(cert.not_after.localtime.to_s) - Date.today).to_i).to eq(365)
       # it's a self signed cert and NOT a CA
-      expect(verify(cert,cert)).to be false
+      # Change of behavior on openssl side: https://github.com/openssl/openssl/issues/15146
+      validates_self_even_if_no_ca = Gem::Version.new(%x{openssl version}.split(' ')[1]) > Gem::Version.new('1.1.1g')
+      expect(verify(cert,cert)).to be validates_self_even_if_no_ca
 
       v = cert.extensions.find{|e| e.oid == 'basicConstraints' }.value
       expect(v).to eq('CA:FALSE')
@@ -136,6 +138,11 @@ describe "Trocla::Format::X509" do
       expect(cert_str).not_to match(/-----BEGIN CERTIFICATE-----/)
       expect(cert_str).to match(/-----BEGIN RSA PRIVATE KEY-----/)
     end
+    it 'supports fetching only the publickey' do
+      pkey_str = @trocla.password('mycert', 'x509', cert_options.merge('render' => {'publickeyonly' => true }))
+      expect(pkey_str).not_to match(/-----BEGIN CERTIFICATE-----/)
+      expect(pkey_str).to match(/-----BEGIN PUBLIC KEY-----/)
+    end
     it 'supports fetching only the cert' do
       cert_str = @trocla.password('mycert', 'x509', cert_options.merge('render' => {'certonly' => true }))
       expect(cert_str).to match(/-----BEGIN CERTIFICATE-----/)

data/spec/trocla_spec.rb

@@ -1,3 +1,4 @@
+# -- encoding : utf-8 --
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
 describe "Trocla" do
@@ -71,6 +72,9 @@ describe "Trocla" do
           expect(pwd).not_to match(/[={}\[\]\?%\*()&!]+/)
         end
         it 'is possible to combine profiles but first profile wins 3' do
+          # mysql profile uses a 32 long random pwd with shell safe characters
+          # and we want to use a fixed random str here https://github.com/duritong/trocla/issues/55
+          allow(Trocla::Util).to receive(:random_str).with(32,'shellsafe') { "jmNi6+7dsUn@H?vfbXCq=ULEGPW,u:hu" }
           pwd = @trocla.password('some_test3','plain', 'profiles' => ['mysql','login'])
           expect(pwd).not_to be_empty
           expect(pwd.length).to eq(32)
@@ -99,6 +103,11 @@ describe "Trocla" do
         expect(@trocla.get_password('set_test2','md5crypt')).to eq(md5crypt)
         expect(@trocla.get_password('set_test2','plain')).to eq(plain)
       end
+
+      it 'is able to set password with umlauts and other UTF-8 charcters' do
+        expect(myumlaut = @trocla.set_password('set_test_umlaut','plain','Tütü')).to eql('Tütü')
+        expect(@trocla.get_password('set_test_umlaut','plain','Tütü')).to eql('Tütü')
+      end
     end
 
     describe "reset_password" do
@@ -120,6 +129,40 @@ describe "Trocla" do
       end
     end
 
+    describe "search_key" do
+      it "search a specific key" do
+        keys = ['search_key','search_key1','key_search','key_search2']
+        keys.each do |k|
+          @trocla.password(k,'plain')
+        end
+        expect(@trocla.search_key('search_key1').length).to eq(1)
+      end
+      it "ensure search regex is ok" do
+        keys = ['search_key2','search_key3','key_search2','key_search4']
+        keys.each do |k|
+          @trocla.password(k,'plain')
+        end
+        expect(@trocla.search_key('key').length).to eq(4)
+        expect(@trocla.search_key('^search').length).to eq(2)
+        expect(@trocla.search_key('ch.*3').length).to eq(1)
+        expect(@trocla.search_key('ch.*[3-4]$').length).to eq(2)
+        expect(@trocla.search_key('ch.*1')).to be_nil
+      end
+    end
+
+    describe "list_format" do
+      it "list available formats for key" do
+        formats = ['plain','mysql']
+        formats.each do |f|
+          @trocla.password('list_key',f)
+        end
+        expect(@trocla.available_format('list_key')).to eq(formats)
+      end
+      it "no return if key doesn't exist" do
+        expect(@trocla.available_format('list_key1')).to be_nil
+      end
+    end
+
     describe "delete_password" do
       it "deletes all passwords if no format is given" do
         expect(@trocla.password('delete_test1','mysql')).not_to be_nil