trocla 0.4.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 18cb6a02ca556208840b6370287987e72fc18e01e199b7fe1b5b72c463a91ee4
-  data.tar.gz: d2f8068ab15baf1a5cbbfd3370543ff03ad2f2c1baf564ba43f824589920fcf6
+  metadata.gz: 2d6d84b42cc62b4ab04eea0478d9e4801939c1d31accd0dba4a27e272f56dad2
+  data.tar.gz: 6a322a8ae343b6723476b53e9ff7158adaa8d1537bbb46fbc81ef5ebd5a6cff2
 SHA512:
-  metadata.gz: a5829218248d2d9f7f4f3ddfc5bca4f35f8839871fd18074ede34f9281eae086a79c858987285da7839b5699961b417244fc5d86a696b355a8fd4c96d0145bf8
-  data.tar.gz: fc4c6e7ce2cf53009ee3db4f8791b820dca9c696223567fac1367cc3e80b8558a2b5d430f6a255d0f7e07403f9be06ee3e895310971303dc571be6a82d908404
+  metadata.gz: 9bf44101c733c550f2ca6cd76e9a3788e8e2ac9f44576af255f6ea42271b0cb0cc6c004c6d66c9a4c49e5d74ab647e1cfc8f52bf1c0944176e5e529334effd11
+  data.tar.gz: d8e988c515297525975ca3b2339cfe81ba21444cf45c42637131d3f949871ab6a993f30b62ac2992d8388a2874bf8d4d43fcc9714383ac55fb22ad176f340dbc

data/.github/workflows/ruby.yml

@@ -0,0 +1,24 @@
+---
+name: Ruby
+on: [push, pull_request]
+jobs:
+  spec:
+    runs-on: ubuntu-latest
+    steps:
+      - name: check out repository
+        uses: actions/checkout@v3
+      - name: set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          ruby-version: ${{ matrix.ruby }}
+      - name: install dependencies
+        run: bundle install
+      - name: install wireguard
+        run: sudo apt install -y wireguard
+      - name: run rspec
+        run: bundle exec rake spec
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [2.5, 2.7, 3.0, 3.1]

data/.rspec

@@ -1 +1 @@
---color
+--color --format documentation

data/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## to 0.5.0
+
+* moved from travis ci to github actions (#73) - Thank you [Georg-g](https://github.com/geor-g)
+* Support expire in vault (#71) - Thank you [Steffy Fort](https://github.com/fe80)
+* Syntax improvements (#70) - Thank you [Steffy Fort](https://github.com/fe80)
+* Add SCRAM-SHA-256 postgres support (#69) - Thank you [Steffy Fort](https://github.com/fe80)
+* Support destroying and entry to properly clean up in vault (#68) - Thank you [Steffy Fort](https://github.com/fe80)
+* Support search with vault backend (#67) - Thank you [Steffy Fort](https://github.com/fe80)
+* Add wireguard format (#65) - Thank you [Jonas Genannt](https://github.com/hggh)
+* Expand search path for sample config - Thank you [Anarcat](https://github.com/anarcat)
+
 ## to 0.4.0
 
 * Add vault backend (#61) - Thank you [Steffy Fort](https://github.com/fe80)

data/Gemfile

@@ -1,23 +1,24 @@
-source "http://rubygems.org"
+source 'http://rubygems.org'
 # Add dependencies required to use your gem here.
 # Example:
 #   gem "activesupport", ">= 2.3.5"
 
-gem "moneta", "~> 1.4.0"
-gem "highline", "~> 2.0.0"
+gem 'highline', '~> 2.0.0'
+gem 'moneta', '~> 1.4.0'
 
 if defined?(RUBY_ENGINE) && (RUBY_ENGINE == 'jruby')
   gem 'jruby-openssl'
 end
-gem "bcrypt"
-gem "sshkey"
+gem 'bcrypt'
+gem 'openssl'
+gem 'sshkey'
 
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.
 group :development do
-  gem "rspec"
-  gem "rdoc"
-  gem "jeweler"
-  gem "addressable"
+  gem 'addressable'
+  gem 'jeweler'
+  gem 'rdoc'
+  gem 'rspec'
   gem 'rspec-pending_for'
 end

data/README.md

@@ -165,8 +165,9 @@ options to work properly. These are documented here:
 
 ### pgsql
 
-Password hashes for PostgreSQL servers. Requires the option `username` to be set
-to the username to which the password will be assigned.
+Password hashes for PostgreSQL servers. Since postgesql 10 you can use the sha256 hash, you have two options:
+* Create a ssh256 hash password with option `encode: sha256` (default value)
+* Create a md5 hash, the username is require for the salt key, with option  `encode: md5` and `username: your_user`
 
 ### bcrypt
 
@@ -232,6 +233,17 @@ Output render options are:
     pubonly     If set to true the sshkey format will return only the ssh public key
     privonly    If set to true the sshkey format will return only the ssh private key
 
+### wireguard
+
+This format generate a keypair for WireGuard.
+
+The format requires the wg binary from WireGuard userland utilities.
+
+Output render options are:
+
+    pubonly     If set to true the wireguard format will return only the public key
+    privonly    If set to true the wireguard format will return only the private key
+
 ## Installation
 
 * Debian has trocla within its sid-release: `apt-get install trocla`
@@ -290,6 +302,8 @@ We expect storage backends to implement support for the `expires` option, so tha
 
 New backends should be tested using the provided shared example.
 
+> **WARNING**: Vault backend use metadatas. It's set if an option is define. `expire` is automaticly change to `delete_version_after`, and you can use an interger or [format string](https://www.vaultproject.io/api-docs/secret/kv/kv-v2#parameters)
+
 #### Moneta backends
 
 Trocla uses moneta as its default storage backend and hence can store your passwords in any of moneta's supported backends. By default it uses the yaml backend, which is configured as followed:
@@ -341,6 +355,8 @@ store_options:
   :address: https://vault.local
 ```
 
+With Vault when you delete a key, you don't delete all key content. The metadatas, like history, are still here and the endpoint are not delete. If you prefere to destroy all key content you can add `:destroy: true` in the `store_options:` hash.
+
 ### Backend encryption
 
 By default trocla does not encrypt anything it stores. You might want to let Trocla encrypt all your passwords, at the moment the only supported way is SSL.

data/bin/trocla

@@ -43,25 +43,25 @@ OptionParser.new do |opts|
     options[:ask_password] = false
     options[:password] = pass
   end
-
 end.parse!
 
 def create(options)
-  [ Trocla.new(options.delete(:config_file)).password(
+  [Trocla.new(options.delete(:config_file)).password(
     options.delete(:trocla_key),
     options.delete(:trocla_format),
-    options.merge(YAML.load(options.delete(:other_options).shift.to_s)||{})
-  ) , 0 ]
+    options.merge(YAML.safe_load(options.delete(:other_options).shift.to_s) || {})
+  ), 0]
 end
 
 def get(options)
   res = Trocla.new(options.delete(:config_file)).get_password(
     options.delete(:trocla_key),
     options.delete(:trocla_format),
-    options.merge(YAML.load(options.delete(:other_options).shift.to_s)||{})
+    options.merge(YAML.safe_load(options.delete(:other_options).shift.to_s) || {})
   )
-  [ res, res.nil? ? 1 : 0 ]
+  [res, res.nil? ? 1 : 0]
 end
+
 def set(options)
   if options.delete(:ask_password)
     require 'highline/import'
@@ -69,7 +69,7 @@ def set(options)
     pwd2 = ask('Repeat password: ') { |q| q.echo = 'x' }.to_s
     unless password == pwd2
       STDERR.puts 'Passwords did not match, exiting!'
-      return [ nil, 1 ]
+      return [nil, 1]
     end
   else
     password = options.delete(:password) || STDIN.read.chomp
@@ -78,24 +78,24 @@ def set(options)
   no_format = options.delete('no_format')
   trocla = Trocla.new(options.delete(:config_file))
   value = if no_format
-    password
-  else
-    trocla.formats(format).format(password, (YAML.load(options.delete(:other_options).shift.to_s)||{}))
-  end
+            password
+          else
+            trocla.formats(format).format(password, (YAML.safe_load(options.delete(:other_options).shift.to_s) || {}))
+          end
   trocla.set_password(
     options.delete(:trocla_key),
     format,
     value
   )
-  [ '', 0 ]
+  ['', 0]
 end
 
 def reset(options)
-  [ Trocla.new(options.delete(:config_file)).reset_password(
+  [Trocla.new(options.delete(:config_file)).reset_password(
     options.delete(:trocla_key),
     options.delete(:trocla_format),
-    options.merge(YAML.load(options.delete(:other_options).shift.to_s)||{})
-  ), 0 ]
+    options.merge(YAML.safe_load(options.delete(:other_options).shift.to_s) || {})
+  ), 0]
 end
 
 def delete(options)
@@ -103,19 +103,19 @@ def delete(options)
     options.delete(:trocla_key),
     options.delete(:trocla_format)
   )
-  [ res, res.nil? ? 1 : 0 ]
+  [res, res.nil? ? 1 : 0]
 end
 
 def formats(options)
-  key = (options.delete(:trocla_key) || '' )
+  key = (options.delete(:trocla_key) || '')
   if key.empty?
     "Available formats: #{Trocla::Formats.all.join(', ')}"
   else
     res = Trocla.new(options.delete(:config_file)).available_format(
       key,
-      options.merge(YAML.load(options.delete(:other_options).shift.to_s)||{})
+      options.merge(YAML.safe_load(options.delete(:other_options).shift.to_s) || {})
     )
-    [ res.nil? ? res : res.join(', '), res.nil? ? 1 : 0 ]
+    [res.nil? ? res : res.join(', '), res.nil? ? 1 : 0]
   end
 end
 
@@ -123,7 +123,7 @@ def search(options)
   res = Trocla.new(options.delete(:config_file)).search_key(
     options.delete(:trocla_key)
   )
-  [ res.nil? ? res : res.join("\n"), res.nil? ? 1 : 0 ]
+  [res.nil? ? res : res.join("\n"), res.nil? ? 1 : 0]
 end
 
 def check_format(format_name)
@@ -136,30 +136,30 @@ def check_format(format_name)
   end
 end
 
-actions=['create','get','set','reset','delete','formats','search']
+actions = ['create', 'get', 'set', 'reset', 'delete', 'formats', 'search']
 
 if (action=ARGV.shift) && actions.include?(action)
-    options[:trocla_key] = ARGV.shift
-    options[:trocla_format] = ARGV.shift
-    options[:other_options] = ARGV
-    check_format(options[:trocla_format]) unless ['delete','formats','search'].include?(action)
-    begin
-      result, excode = send(action,options)
-      if result
-        puts result.is_a?(String) ? result : result.inspect
-      end
-    rescue Exception => e
-      unless e.message == 'exit'
-        STDERR.puts "Action failed with the following message: #{e.message}"
-        STDERR.puts '(See full trace by running task with --trace)'
-      end
-      raise e if options[:trace]
-      exit 1
+  options[:trocla_key] = ARGV.shift
+  options[:trocla_format] = ARGV.shift
+  options[:other_options] = ARGV
+  check_format(options[:trocla_format]) unless ['delete','formats','search'].include?(action)
+  begin
+    result, excode = send(action, options)
+    if result
+      puts result.is_a?(String) ? result : result.inspect
     end
-    exit excode.nil? ? 0 : excode
-else
-    STDERR.puts "Please supply one of the following actions: #{actions.join(', ')}"
-    STDERR.puts "Use #{$0} --help to get a list of options for these actions"
+  rescue Exception => e
+    unless e.message == 'exit'
+      STDERR.puts "Action failed with the following message: #{e.message}"
+      STDERR.puts '(See full trace by running task with --trace)'
+    end
+    raise e if options[:trace]
+
     exit 1
+  end
+  exit excode.nil? ? 0 : excode
+else
+  STDERR.puts "Please supply one of the following actions: #{actions.join(', ')}"
+  STDERR.puts "Use #{$0} --help to get a list of options for these actions"
+  exit 1
 end
-

data/lib/VERSION

@@ -1,4 +1,4 @@
 major:0
-minor:4
+minor:5
 patch:0
 build:

data/lib/trocla/default_config.yaml

@@ -7,9 +7,9 @@ store_options:
 
 encryption: :none
 options:
-    random: true
-    length: 16
-    charset: default
+  random: true
+  length: 16
+  charset: default
 
 profiles:
   rootpw:
@@ -44,4 +44,3 @@ profiles:
     days: 2
     # 1 day
     expires: 86400
-

data/lib/trocla/encryptions/none.rb

@@ -7,4 +7,3 @@ class Trocla::Encryptions::None < Trocla::Encryptions::Base
     value
   end
 end
-

data/lib/trocla/encryptions/ssl.rb

@@ -5,7 +5,7 @@ class Trocla::Encryptions::Ssl < Trocla::Encryptions::Base
   def encrypt(value)
     ciphertext = ''
     value.scan(/.{0,#{chunksize}}/m).each do |chunk|
-      ciphertext += Base64.encode64(public_key.public_encrypt(chunk)).gsub("\n",'')+"\n" if chunk
+      ciphertext += Base64.encode64(public_key.public_encrypt(chunk)).gsub("\n", '') + "\n" if chunk
     end
     ciphertext
   end
@@ -21,21 +21,21 @@ class Trocla::Encryptions::Ssl < Trocla::Encryptions::Base
   private
 
   def chunksize
-      public_key.n.num_bytes - 11
+    public_key.n.num_bytes - 11
   end
 
   def private_key
-      @private_key ||= begin
-        file = require_option(:private_key)
-        OpenSSL::PKey::RSA.new(File.read(file), nil)
-      end
+    @private_key ||= begin
+      file = require_option(:private_key)
+      OpenSSL::PKey::RSA.new(File.read(file), nil)
+    end
   end
 
   def public_key
-      @public_key ||= begin
-        file = require_option(:public_key)
-        OpenSSL::PKey::RSA.new(File.read(file), nil)
-      end
+    @public_key ||= begin
+      file = require_option(:public_key)
+      OpenSSL::PKey::RSA.new(File.read(file), nil)
+    end
   end
 
   def option(key)
@@ -45,7 +45,7 @@ class Trocla::Encryptions::Ssl < Trocla::Encryptions::Base
   def require_option(key)
     val = option(key)
     raise "Config error: 'ssl_options' => :#{key} is not defined" if val.nil?
+
     val
   end
 end
-

data/lib/trocla/encryptions.rb

@@ -1,18 +1,24 @@
-class Trocla::Encryptions
+# frozen_string_literal: true
 
+# Trocla::Encryptions
+class Trocla::Encryptions
+  # Base
   class Base
     attr_reader :trocla, :config
+
     def initialize(config, trocla)
       @trocla = trocla
       @config = config
     end
 
-    def encrypt(value)
+    def encrypt(_)
       raise NoMethodError.new("#{self.class.name} needs to implement 'encrypt()'")
+
     end
 
-    def decrypt(value)
+    def decrypt(_)
       raise NoMethodError.new("#{self.class.name} needs to implement 'decrypt()'")
+
     end
   end
 
@@ -22,7 +28,7 @@ class Trocla::Encryptions
     end
 
     def all
-      Dir[ path '*' ].collect do |enc|
+      Dir[path '*'].collect do |enc|
         File.basename(enc, '.rb').downcase
       end
     end
@@ -32,10 +38,11 @@ class Trocla::Encryptions
     end
 
     private
+
     def encryptions
       @@encryptions ||= Hash.new do |hash, encryption|
         encryption = encryption.to_s.downcase
-        if File.exists?( path encryption )
+        if File.exist?(path encryption)
           require "trocla/encryptions/#{encryption}"
           class_name = "Trocla::Encryptions::#{encryption.capitalize}"
           hash[encryption] = (eval class_name)

data/lib/trocla/formats/bcrypt.rb

@@ -1,7 +1,7 @@
 class Trocla::Formats::Bcrypt < Trocla::Formats::Base
   expensive true
   require 'bcrypt'
-  def format(plain_password,options={})
-    BCrypt::Password.create(plain_password, :cost => options['cost']||BCrypt::Engine.cost).to_s
+  def format(plain_password, options = {})
+    BCrypt::Password.create(plain_password, :cost => options['cost'] || BCrypt::Engine.cost).to_s
   end
 end

data/lib/trocla/formats/md5crypt.rb

@@ -1,6 +1,6 @@
 # salted crypt
 class Trocla::Formats::Md5crypt < Trocla::Formats::Base
-  def format(plain_password,options={})
-     plain_password.crypt('$1$' << Trocla::Util.salt << '$')
+  def format(plain_password, options = {})
+    plain_password.crypt('$1$' << Trocla::Util.salt << '$')
   end
 end

data/lib/trocla/formats/mysql.rb

@@ -1,6 +1,6 @@
 class Trocla::Formats::Mysql < Trocla::Formats::Base
   require 'digest/sha1'
-  def format(plain_password,options={})
-    "*" + Digest::SHA1.hexdigest(Digest::SHA1.digest(plain_password)).upcase
+  def format(plain_password, options = {})
+    '*' + Digest::SHA1.hexdigest(Digest::SHA1.digest(plain_password)).upcase
   end
 end

data/lib/trocla/formats/pgsql.rb

@@ -1,7 +1,54 @@
 class Trocla::Formats::Pgsql < Trocla::Formats::Base
   require 'digest/md5'
-  def format(plain_password,options={})
-    raise "You need pass the username as an option to use this format" unless options['username'] 
-    "md5" + Digest::MD5.hexdigest(plain_password + options['username'])
+  require 'openssl'
+  require 'base64'
+  def format(plain_password, options = {})
+    encode = (options['encode'] || 'sha256')
+    case encode
+    when 'md5'
+      raise 'You need pass the username as an option to use this format' unless options['username']
+
+      'md5' + Digest::MD5.hexdigest(plain_password + options['username'])
+    when 'sha256'
+      pg_sha256(plain_password)
+    else
+      raise 'Unkmow encode %s for pgsql password' % [encode]
+    end
+  end
+
+  private
+
+  def pg_sha256(password)
+    salt = OpenSSL::Random.random_bytes(16)
+    digest = digest_key(password, salt)
+    'SCRAM-SHA-256$%s:%s$%s:%s' % [
+      '4096',
+      Base64.strict_encode64(salt),
+      Base64.strict_encode64(client_key(digest)),
+      Base64.strict_encode64(server_key(digest))
+    ]
+  end
+
+  def digest_key(password, salt)
+    OpenSSL::KDF.pbkdf2_hmac(
+      password,
+      salt: salt,
+      iterations: 4096,
+      length: 32,
+      hash: OpenSSL::Digest::SHA256.new
+    )
+  end
+
+  def client_key(digest_key)
+    hmac = OpenSSL::HMAC.new(digest_key, OpenSSL::Digest::SHA256.new)
+    hmac << 'Client Key'
+    hmac.digest
+    OpenSSL::Digest.new('SHA256').digest hmac.digest
+  end
+
+  def server_key(digest_key)
+    hmac = OpenSSL::HMAC.new(digest_key, OpenSSL::Digest::SHA256.new)
+    hmac << 'Server Key'
+    hmac.digest
   end
 end

data/lib/trocla/formats/plain.rb

@@ -1,7 +1,5 @@
 class Trocla::Formats::Plain < Trocla::Formats::Base
-  
-  def format(plain_password,options={})
+  def format(plain_password, options = {})
     plain_password
   end
-  
 end

data/lib/trocla/formats/sha1.rb

@@ -1,7 +1,7 @@
 class Trocla::Formats::Sha1 < Trocla::Formats::Base
   require 'digest/sha1'
   require 'base64'
-  def format(plain_password,options={})
+  def format(plain_password, options = {})
     '{SHA}' + Base64.encode64(Digest::SHA1.digest(plain_password))
   end
 end

data/lib/trocla/formats/sha256crypt.rb

@@ -1,6 +1,6 @@
 # salted crypt
 class Trocla::Formats::Sha256crypt < Trocla::Formats::Base
-  def format(plain_password,options={})
-     plain_password.crypt('$5$' << Trocla::Util.salt << '$')
+  def format(plain_password, options = {})
+    plain_password.crypt('$5$' << Trocla::Util.salt << '$')
   end
 end

data/lib/trocla/formats/sha512crypt.rb

@@ -1,6 +1,6 @@
 # salted crypt
 class Trocla::Formats::Sha512crypt < Trocla::Formats::Base
-  def format(plain_password,options={})
-     plain_password.crypt('$6$' << Trocla::Util.salt << '$')
+  def format(plain_password, options = {})
+    plain_password.crypt('$6$' << Trocla::Util.salt << '$')
   end
 end

data/lib/trocla/formats/ssha.rb

@@ -2,8 +2,8 @@
 require 'base64'
 require 'digest'
 class Trocla::Formats::Ssha < Trocla::Formats::Base
-  def format(plain_password,options={})
-     salt = options['salt'] || Trocla::Util.salt(16)
-     "{SSHA}"+Base64.encode64("#{Digest::SHA1.digest("#{plain_password}#{salt}")}#{salt}").chomp
+  def format(plain_password, options = {})
+    salt = options['salt'] || Trocla::Util.salt(16)
+    '{SSHA}' + Base64.encode64("#{Digest::SHA1.digest("#{plain_password}#{salt}")}#{salt}").chomp
   end
 end

data/lib/trocla/formats/sshkey.rb

@@ -1,11 +1,9 @@
 require 'sshkey'
 
 class Trocla::Formats::Sshkey < Trocla::Formats::Base
-
   expensive true
 
   def format(plain_password,options={})
-
     if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY/m)
       # Import, validate ssh key
       begin
@@ -21,9 +19,8 @@ class Trocla::Formats::Sshkey < Trocla::Formats::Base
 
     begin
       sshkey = ::SSHKey.generate(
-        type:       type,
-        bits:       bits,
-        comment:    options['comment'],
+        type: type, bits: bits,
+        comment: options['comment'],
         passphrase: options['passphrase']
       )
     rescue Exception => e
@@ -33,14 +30,13 @@ class Trocla::Formats::Sshkey < Trocla::Formats::Base
     sshkey.private_key + sshkey.ssh_public_key
   end
 
-  def render(output,render_options={})
+  def render(output, render_options = {})
     if render_options['privonly']
       ::SSHKey.new(output).private_key
     elsif render_options['pubonly']
       ::SSHKey.new(output).ssh_public_key
     else
-      super(output,render_options)
+      super(output, render_options)
     end
   end
-
 end

data/lib/trocla/formats/wireguard.rb

@@ -0,0 +1,45 @@
+require 'open3'
+require 'yaml'
+
+class Trocla::Formats::Wireguard < Trocla::Formats::Base
+  expensive true
+
+  def format(plain_password, options={})
+    return YAML.safe_load(plain_password) if plain_password.match(/---/)
+
+    wg_priv = nil
+    wg_pub = nil
+    begin
+      Open3.popen3('wg genkey') do |_stdin, stdout, _stderr, _waiter|
+        wg_priv = stdout.read.chomp
+      end
+    rescue SystemCallError => e
+      raise 'trocla wireguard: wg binary not found' if e.message =~ /No such file or directory/
+
+      raise "trocla wireguard: #{e.message}"
+    end
+
+    begin
+      Open3.popen3('wg pubkey') do |stdin, stdout, _stderr, _waiter|
+        stdin.write(wg_priv)
+        stdin.close
+
+        wg_pub = stdout.read.chomp
+      end
+    rescue SystemCallError => e
+      raise "trocla wireguard: #{e.message}"
+    end
+    YAML.dump({ 'wg_priv' => wg_priv, 'wg_pub' => wg_pub })
+  end
+
+  def render(output, render_options = {})
+    data = YAML.safe_load(output)
+    if render_options['privonly']
+      data['wg_priv']
+    elsif render_options['pubonly']
+      data['wg_pub']
+    else
+      'pub: ' + data['wg_pub'] + "\npriv: " + data['wg_priv']
+    end
+  end
+end