#!/usr/bin/env python
#
# A utility to encrypt passwords for auxiliary Ardana OpenStack
# systems like IPMI.
#
# (c) Copyright 2015 Hewlett Packard Enterprise Development LP
# (c) Copyright 2017 SUSE LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os
from subprocess import PIPE, Popen
# Name of the environment variable that holds the encryption passphrase.
# openssl.delegate hands this *name* to the openssl binary, which reads the
# value from the environment it inherits. Anything that can read this
# process's environment can read the passphrase, so export it only for the
# session that needs it.
encryption_env = 'ARDANA_USER_PASSWORD_ENCRYPT_KEY'
# Older variable name; openssl._get_env_key_name falls back to it when the
# variable above is unset or empty.
legacy_encryption_env = 'HOS_USER_PASSWORD_ENCRYPT_KEY'
class aes256:
    """Placeholder cipher: same interface as ``openssl``, but does no work.

    NOTE(review): ``encrypt`` and ``decrypt`` return an empty string whatever
    they are given, so a caller that stores the result of ``encrypt`` keeps
    nothing of the original secret. Confirm that nothing selects this class
    for real values.
    """

    # Markers for values tagged as produced by this scheme (current and
    # legacy spelling).
    prefix = '@ardana_aes256@'
    legacy_prefix = '@hos_aes256@'

    def __init__(self, key):
        """Accept ``key`` and discard it; nothing is stored on the instance."""

    def encrypt(self, raw):
        """Return an empty string; ``raw`` is not used."""
        return ''

    def decrypt(self, cooked):
        """Return an empty string; ``cooked`` is not used."""
        return ''
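class openssl:
    """Encrypt and decrypt short strings by running ``/usr/bin/openssl``.

    The passphrase is never handled by this class. The openssl binary reads
    it from an environment variable whose name ``_get_env_key_name`` selects.
    """

    # Markers that main() strips from a stored value before decrypting it;
    # main() writes new values with ``prefix``.
    prefix = '@ardana@'
    legacy_prefix = '@hos@'

    def __init__(self, key=None):
        """``key`` is accepted but ignored; the passphrase always comes from
        the environment."""
        pass

    def _get_env_key_name(self):
        """Return the name of the environment variable openssl should read.

        The current name wins when it is set and non-empty, then the legacy
        name. If neither is set the current name is returned anyway, so the
        openssl invocation refers to the current name.
        """
        if os.environ.get(encryption_env):
            return encryption_env
        if os.environ.get(legacy_encryption_env):
            return legacy_encryption_env
        return encryption_env

    def delegate(self, cmd, value):
        """Run ``openssl aes-256-cbc -a <cmd>`` on ``value``.

        Args:
            cmd: mode switch placed on the command line; ``encrypt`` passes
                '-salt' and ``decrypt`` passes '-d'.
            value: text written to openssl's stdin.

        Returns:
            openssl's stdout with surrounding whitespace stripped.

        Raises:
            OSError: openssl exited with a non-zero status. The message is
                openssl's stderr, with two known failures reworded.
        """
        # Only the variable's *name* goes on the command line, so the
        # passphrase itself is not part of the process argument list; openssl
        # reads the value from the environment it inherits from this process.
        #
        # NOTE(review): no -md / -pbkdf2 / -iter option is given, so key
        # derivation follows the installed OpenSSL's defaults. The default
        # digest changed between OpenSSL 1.0.x and 1.1.0, so a value written
        # by one build can fail with 'bad decrypt' on another even with the
        # right key. Pinning these options changes the format of values that
        # are already stored, so it needs a migration, not a drop-in edit.
        # NOTE(review): `openssl enc` in CBC mode adds no integrity check; a
        # successful decrypt shows the padding was valid, not that the value
        # was unmodified.
        argv = ('/usr/bin/openssl', 'aes-256-cbc', '-a',
                cmd, '-pass', 'env:%s' % self._get_env_key_name())
        p = Popen(argv, close_fds=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
        out, err = p.communicate(input=value)
        if p.returncode != 0:
            errmsg = err.strip()
            # Matching is on the start of openssl's stderr text; presumably
            # the wording differs between OpenSSL releases -- verify against
            # the versions in use. Unmatched messages pass through unchanged.
            if errmsg.startswith('bad decrypt'):
                errmsg = 'incorrect encryption key'
            elif (errmsg.startswith('error reading input file') or
                    errmsg.startswith('bad magic number')):
                errmsg = 'bad input data'
            raise OSError('openssl: %s' % errmsg)
        return out.strip()

    def encrypt(self, raw):
        """Return ``raw`` encrypted with a salt and base64-encoded (``-a``)."""
        return self.delegate('-salt', raw)

    def decrypt(self, cooked):
        """Return the plaintext for the base64 text ``cooked``.

        An empty ``cooked`` is passed on as a lone newline, so the failure
        comes from openssl as an OSError rather than from indexing an empty
        string.
        """
        # openssl expects a newline at the end of the string. endswith() also
        # covers the empty string, where cooked[-1] would raise IndexError.
        if not cooked.endswith('\n'):
            cooked += '\n'
        return self.delegate('-d', cooked)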
def main():
    """Prompt for one value on the terminal and print the converted result.

    With ``-d`` as the first command-line argument the value is treated as
    encrypted: a leading current or legacy prefix is removed and the
    plaintext is printed. Otherwise the value is encrypted and printed with
    the current prefix in front.
    """
    import getpass
    import sys

    cipher = openssl()
    decrypting = sys.argv[1:2] == ['-d']

    if not decrypting:
        secret = getpass.getpass('unencrypted value? ')
        token = cipher.encrypt(secret)
        print(cipher.prefix + token)
        return

    token = getpass.getpass('encrypted value? ')
    # Strip at most one marker, trying the current prefix before the legacy
    # one; a value with neither is handed to openssl as it is.
    for marker in (cipher.prefix, cipher.legacy_prefix):
        if token.startswith(marker):
            token = token[len(marker):]
            break
    plain = cipher.decrypt(token)
    # The prompt input is not echoed, but the plaintext result is written to
    # stdout in the clear.
    print(plain)


if __name__ == '__main__':
    main()