summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/VERSION4
-rw-r--r--lib/trocla.rb94
-rw-r--r--lib/trocla/default_config.yaml8
-rw-r--r--lib/trocla/formats.rb40
-rw-r--r--lib/trocla/formats/bcrypt.rb6
-rw-r--r--lib/trocla/formats/md5crypt.rb6
-rw-r--r--lib/trocla/formats/mysql.rb6
-rw-r--r--lib/trocla/formats/pgsql.rb7
-rw-r--r--lib/trocla/formats/plain.rb7
-rw-r--r--lib/trocla/formats/sha1.rb7
-rw-r--r--lib/trocla/formats/sha256crypt.rb6
-rw-r--r--lib/trocla/formats/sha512crypt.rb6
-rw-r--r--lib/trocla/formats/ssha.rb9
-rw-r--r--lib/trocla/formats/x509.rb128
-rw-r--r--lib/trocla/util.rb43
-rw-r--r--lib/trocla/version.rb22
16 files changed, 399 insertions, 0 deletions
diff --git a/lib/VERSION b/lib/VERSION
new file mode 100644
index 0000000..158fcec
--- /dev/null
+++ b/lib/VERSION
@@ -0,0 +1,4 @@
+major:0
+minor:0
+patch:11
+build:
diff --git a/lib/trocla.rb b/lib/trocla.rb
new file mode 100644
index 0000000..8d916b2
--- /dev/null
+++ b/lib/trocla.rb
@@ -0,0 +1,94 @@
+require 'trocla/version'
+require 'trocla/util'
+require 'trocla/formats'
+
+class Trocla
+
+ def initialize(config_file=nil)
+ if config_file
+ @config_file = File.expand_path(config_file)
+ elsif File.exists?(def_config_file=File.expand_path('~/.troclarc.yaml')) || File.exists?(def_config_file=File.expand_path('/etc/troclarc.yaml'))
+ @config_file = def_config_file
+ end
+ end
+
+ def password(key,format,options={})
+ options = config['options'].merge(options)
+ raise "Format #{format} is not supported! Supported formats: #{Trocla::Formats.all.join(', ')}" unless Trocla::Formats::available?(format)
+
+ unless (password=get_password(key,format)).nil?
+ return password
+ end
+
+ plain_pwd = get_password(key,'plain')
+ if options['random'] && plain_pwd.nil?
+ plain_pwd = Trocla::Util.random_str(options['length'].to_i,options['charset'])
+ set_password(key,'plain',plain_pwd) unless format == 'plain'
+ elsif !options['random'] && plain_pwd.nil?
+ raise "Password must be present as plaintext if you don't want a random password"
+ end
+ set_password(key,format,self.formats(format).format(plain_pwd,options))
+ end
+
+ def get_password(key,format)
+ cache.fetch(key,{})[format]
+ end
+
+ def reset_password(key,format,options={})
+ set_password(key,format,nil)
+ password(key,format,options)
+ end
+
+ def delete_password(key,format=nil)
+ if format.nil?
+ cache.delete(key)
+ else
+ old_val = (h = cache.fetch(key,{})).delete(format)
+ h.empty? ? cache.delete(key) : cache[key] = h
+ old_val
+ end
+ end
+
+ def set_password(key,format,password)
+ if (format == 'plain')
+ h = (cache[key] = { 'plain' => password })
+ else
+ h = (cache[key] = cache.fetch(key,{}).merge({ format => password }))
+ end
+ h[format]
+ end
+
+ def formats(format)
+ (@format_cache||={})[format] ||= Trocla::Formats[format].new(self)
+ end
+
+ private
+ def cache
+ @cache ||= build_cache
+ end
+
+ def build_cache
+ require 'moneta'
+ lconfig = config
+ Moneta.new(lconfig['adapter'], lconfig['adapter_options']||{})
+ end
+
+ def config
+ @config ||= read_config
+ end
+
+ def read_config
+ if @config_file.nil?
+ default_config
+ else
+ raise "Configfile #{@config_file} does not exist!" unless File.exists?(@config_file)
+ default_config.merge(YAML.load(File.read(@config_file)))
+ end
+ end
+
+ def default_config
+ require 'yaml'
+ YAML.load(File.read(File.expand_path(File.join(File.dirname(__FILE__),'trocla','default_config.yaml'))))
+ end
+
+end
diff --git a/lib/trocla/default_config.yaml b/lib/trocla/default_config.yaml
new file mode 100644
index 0000000..d4037fd
--- /dev/null
+++ b/lib/trocla/default_config.yaml
@@ -0,0 +1,8 @@
+---
+options:
+ random: true
+ length: 12
+ charset: default
+adapter: :YAML
+adapter_options:
+ :file: '/tmp/trocla.yaml'
diff --git a/lib/trocla/formats.rb b/lib/trocla/formats.rb
new file mode 100644
index 0000000..0103c4e
--- /dev/null
+++ b/lib/trocla/formats.rb
@@ -0,0 +1,40 @@
+class Trocla::Formats
+
+ class Base
+ attr_reader :trocla
+ def initialize(trocla)
+ @trocla = trocla
+ end
+ end
+
+ class << self
+ def [](format)
+ formats[format.downcase]
+ end
+
+ def all
+ Dir[File.expand_path(File.join(File.dirname(__FILE__),'formats','*.rb'))].collect{|f| File.basename(f,'.rb').downcase }
+ end
+
+ def available?(format)
+ all.include?(format.downcase)
+ end
+
+ private
+ def formats
+ @@formats ||= Hash.new do |hash, format|
+ format = format.downcase
+ if File.exists?(path(format))
+ require "trocla/formats/#{format}"
+ hash[format] = (eval "Trocla::Formats::#{format.capitalize}")
+ else
+ raise "Format #{format} is not supported!"
+ end
+ end
+ end
+
+ def path(format)
+ File.expand_path(File.join(File.dirname(__FILE__),'formats',"#{format}.rb"))
+ end
+ end
+end
diff --git a/lib/trocla/formats/bcrypt.rb b/lib/trocla/formats/bcrypt.rb
new file mode 100644
index 0000000..4b6fb33
--- /dev/null
+++ b/lib/trocla/formats/bcrypt.rb
@@ -0,0 +1,6 @@
+class Trocla::Formats::Bcrypt < Trocla::Formats::Base
+ require 'bcrypt'
+ def format(plain_password,options={})
+ BCrypt::Password.create(plain_password).to_s
+ end
+end
diff --git a/lib/trocla/formats/md5crypt.rb b/lib/trocla/formats/md5crypt.rb
new file mode 100644
index 0000000..80d2f09
--- /dev/null
+++ b/lib/trocla/formats/md5crypt.rb
@@ -0,0 +1,6 @@
+# salted crypt
+class Trocla::Formats::Md5crypt < Trocla::Formats::Base
+ def format(plain_password,options={})
+ plain_password.crypt('$1$' << Trocla::Util.salt << '$')
+ end
+end
diff --git a/lib/trocla/formats/mysql.rb b/lib/trocla/formats/mysql.rb
new file mode 100644
index 0000000..a097f95
--- /dev/null
+++ b/lib/trocla/formats/mysql.rb
@@ -0,0 +1,6 @@
+class Trocla::Formats::Mysql < Trocla::Formats::Base
+ require 'digest/sha1'
+ def format(plain_password,options={})
+ "*" + Digest::SHA1.hexdigest(Digest::SHA1.digest(plain_password)).upcase
+ end
+end
diff --git a/lib/trocla/formats/pgsql.rb b/lib/trocla/formats/pgsql.rb
new file mode 100644
index 0000000..ef4fed3
--- /dev/null
+++ b/lib/trocla/formats/pgsql.rb
@@ -0,0 +1,7 @@
+class Trocla::Formats::Pgsql < Trocla::Formats::Base
+ require 'digest/md5'
+ def format(plain_password,options={})
+ raise "You need pass the username as an option to use this format" unless options['username']
+ "md5" + Digest::MD5.hexdigest(plain_password + options['username'])
+ end
+end
diff --git a/lib/trocla/formats/plain.rb b/lib/trocla/formats/plain.rb
new file mode 100644
index 0000000..79502e0
--- /dev/null
+++ b/lib/trocla/formats/plain.rb
@@ -0,0 +1,7 @@
+class Trocla::Formats::Plain < Trocla::Formats::Base
+
+ def format(plain_password,options={})
+ plain_password
+ end
+
+end
diff --git a/lib/trocla/formats/sha1.rb b/lib/trocla/formats/sha1.rb
new file mode 100644
index 0000000..1321b35
--- /dev/null
+++ b/lib/trocla/formats/sha1.rb
@@ -0,0 +1,7 @@
+class Trocla::Formats::Sha1 < Trocla::Formats::Base
+ require 'digest/sha1'
+ require 'base64'
+ def format(plain_password,options={})
+ '{SHA}' + Base64.encode64(Digest::SHA1.digest(plain_password))
+ end
+end
diff --git a/lib/trocla/formats/sha256crypt.rb b/lib/trocla/formats/sha256crypt.rb
new file mode 100644
index 0000000..e34c149
--- /dev/null
+++ b/lib/trocla/formats/sha256crypt.rb
@@ -0,0 +1,6 @@
+# salted crypt
+class Trocla::Formats::Sha256crypt < Trocla::Formats::Base
+ def format(plain_password,options={})
+ plain_password.crypt('$5$' << Trocla::Util.salt << '$')
+ end
+end
diff --git a/lib/trocla/formats/sha512crypt.rb b/lib/trocla/formats/sha512crypt.rb
new file mode 100644
index 0000000..47eb11e
--- /dev/null
+++ b/lib/trocla/formats/sha512crypt.rb
@@ -0,0 +1,6 @@
+# salted crypt
+class Trocla::Formats::Sha512crypt < Trocla::Formats::Base
+ def format(plain_password,options={})
+ plain_password.crypt('$6$' << Trocla::Util.salt << '$')
+ end
+end
diff --git a/lib/trocla/formats/ssha.rb b/lib/trocla/formats/ssha.rb
new file mode 100644
index 0000000..a2e0d02
--- /dev/null
+++ b/lib/trocla/formats/ssha.rb
@@ -0,0 +1,9 @@
+# salted crypt
+require 'base64'
+require 'digest'
+class Trocla::Formats::Ssha < Trocla::Formats::Base
+ def format(plain_password,options={})
+ salt = options['salt'] || Trocla::Util.salt(16)
+ "{SSHA}"+Base64.encode64("#{Digest::SHA1.digest("#{plain_password}#{salt}")}#{salt}").chomp
+ end
+end
diff --git a/lib/trocla/formats/x509.rb b/lib/trocla/formats/x509.rb
new file mode 100644
index 0000000..219cd38
--- /dev/null
+++ b/lib/trocla/formats/x509.rb
@@ -0,0 +1,128 @@
+class Trocla::Formats::X509 < Trocla::Formats::Base
+ require 'openssl'
+ def format(plain_password,options={})
+
+ if plain_password.match(/-----BEGIN RSA PRIVATE KEY-----.*-----END RSA PRIVATE KEY-----.*-----BEGIN CERTIFICATE-----.*-----END CERTIFICATE-----/m)
+ # just an import, don't generate any new keys
+ return plain_password
+ end
+
+ if options['subject']
+ subject = options['subject']
+ elsif options['CN']
+ subject = ''
+ ['C','ST','L','O','OU','CN','emailAddress'].each do |field|
+ subject << "/#{field}=#{options[field]}" if options[field]
+ end
+ else
+ raise "You need to pass \"subject\" or \"CN\" as an option to use this format"
+ end
+ sign_with = options['ca'] || nil
+ keysize = options['keysize'] || 2048
+ serial = options['serial'] || 1
+ days = options['days'] || 365
+ altnames = options['altnames'] || nil
+ altnames.collect { |v| "DNS:#{v}" }.join(', ') if altnames
+
+ begin
+ key = mkkey(keysize)
+ rescue Exception => e
+ raise "Private key for #{subject} creation failed: #{e.message}"
+ end
+
+ if sign_with # certificate signed with CA
+ begin
+ ca = OpenSSL::X509::Certificate.new(getca(sign_with))
+ cakey = OpenSSL::PKey::RSA.new(getca(sign_with))
+ caserial = getserial(sign_with, serial)
+ rescue Exception => e
+ raise "Value of #{sign_with} can't be loaded as CA: #{e.message}"
+ end
+
+ begin
+ subj = OpenSSL::X509::Name.parse(subject)
+ request = mkreq(subj, key.public_key)
+ request.sign(key, OpenSSL::Digest::SHA1.new)
+ rescue Exception => e
+ raise "Certificate request #{subject} creation failed: #{e.message}"
+ end
+
+ begin
+ csr_cert = mkcert(caserial, request.subject, ca, request.public_key, days, altnames)
+ csr_cert.sign(cakey, OpenSSL::Digest::SHA1.new)
+ setserial(sign_with, caserial)
+ rescue Exception => e
+ raise "Certificate #{subject} signing failed: #{e.message}"
+ end
+
+ key.send("to_pem") + csr_cert.send("to_pem")
+ else # self-signed certificate
+ begin
+ subj = OpenSSL::X509::Name.parse(subject)
+ cert = mkcert(serial, subj, nil, key.public_key, days, altnames)
+ cert.sign(key, OpenSSL::Digest::SHA1.new)
+ rescue Exception => e
+ raise "Self-signed certificate #{subject} creation failed: #{e.message}"
+ end
+
+ key.send("to_pem") + cert.send("to_pem")
+ end
+ end
+ private
+
+ # nice help: https://gist.github.com/mitfik/1922961
+
+ def mkkey(len)
+ OpenSSL::PKey::RSA.generate(len)
+ end
+
+ def mkreq(subject,public_key)
+ request = OpenSSL::X509::Request.new
+ request.version = 0
+ request.subject = subject
+ request.public_key = public_key
+
+ request
+ end
+
+ def mkcert(serial,subject,issuer,public_key,days,altnames)
+ cert = OpenSSL::X509::Certificate.new
+ issuer = cert if issuer == nil
+ cert.subject = subject
+ cert.issuer = issuer.subject
+ cert.not_before = Time.now
+ cert.not_after = Time.now + days * 24 * 60 * 60
+ cert.public_key = public_key
+ cert.serial = serial
+ cert.version = 2
+
+ ef = OpenSSL::X509::ExtensionFactory.new
+ ef.subject_certificate = cert
+ ef.issuer_certificate = issuer
+ cert.extensions = [ ef.create_extension("subjectKeyIdentifier", "hash") ]
+ cert.add_extension ef.create_extension("basicConstraints","CA:TRUE", true) if subject == issuer
+ cert.add_extension ef.create_extension("basicConstraints","CA:FALSE", true) if subject != issuer
+ cert.add_extension ef.create_extension("keyUsage", "nonRepudiation, digitalSignature, keyEncipherment", true)
+ cert.add_extension ef.create_extension("subjectAltName", altnames, true) if altnames
+ cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
+
+ cert
+ end
+
+ def getca(ca)
+ trocla.get_password(ca,'x509')
+ end
+
+ def getserial(ca,serial)
+ newser = trocla.get_password("#{ca}_serial",'plain')
+ if newser
+ newser + 1
+ else
+ serial
+ end
+ end
+
+ def setserial(ca,serial)
+ trocla.set_password("#{ca}_serial",'plain',serial)
+ end
+end
diff --git a/lib/trocla/util.rb b/lib/trocla/util.rb
new file mode 100644
index 0000000..8e94d0d
--- /dev/null
+++ b/lib/trocla/util.rb
@@ -0,0 +1,43 @@
+require 'securerandom'
+class Trocla
+ class Util
+ class << self
+ def random_str(length=12, charset='default')
+ _charsets = charsets[charset] || charsets['default']
+ _charsets_size = _charsets_size
+ (1..length).collect{|a| _charsets[SecureRandom.random_number(_charsets.size)] }.join.to_s
+ end
+
+ def salt(length=8)
+ alphanumeric_size = alphanumeric.size
+ (1..length).collect{|a| alphanumeric[SecureRandom.random_number(alphanumeric_size)] }.join.to_s
+ end
+
+ private
+
+ def charsets
+ @charsets ||= {
+ 'default' => chars,
+ 'alphanumeric' => alphanumeric,
+ 'shellsafe' => shellsafe,
+ }
+ end
+
+ def chars
+ @chars ||= shellsafe + special_chars
+ end
+ def shellsafe
+ @chars ||= alphanumeric + shellsafe_chars
+ end
+ def alphanumeric
+ @alphanumeric ||= ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a
+ end
+ def special_chars
+ @special_chars ||= "*()&![]{}-".split(//)
+ end
+ def shellsafe_chars
+ @shellsafe_chars ||= "+%/@=?_.,:".split(//)
+ end
+ end
+ end
+end
diff --git a/lib/trocla/version.rb b/lib/trocla/version.rb
new file mode 100644
index 0000000..6d9476b
--- /dev/null
+++ b/lib/trocla/version.rb
@@ -0,0 +1,22 @@
+# encoding: utf-8
+class Trocla
+ class VERSION
+ version = {}
+ File.read(File.join(File.dirname(__FILE__), '../', 'VERSION')).each_line do |line|
+ type, value = line.chomp.split(":")
+ next if type =~ /^\s+$/ || value =~ /^\s+$/
+ version[type] = value
+ end
+
+ MAJOR = version['major']
+ MINOR = version['minor']
+ PATCH = version['patch']
+ BUILD = version['build']
+
+ STRING = [MAJOR, MINOR, PATCH, BUILD].compact.join('.')
+
+ def self.version
+ STRING
+ end
+ end
+end