blob: df4f449baa30e211e7327f3d79175b0a8a8cb886 [file] [log] [blame]
James E. Blairc49e5e72017-03-16 14:56:32 -07001#!/usr/bin/env python
2
3# Licensed under the Apache License, Version 2.0 (the "License"); you may
4# not use this file except in compliance with the License. You may obtain
5# a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
11# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
12# License for the specific language governing permissions and limitations
13# under the License.
14
15import argparse
Tobias Henkel39d6dcd2017-06-24 21:26:57 +020016import base64
James E. Blair9118c012017-08-03 11:19:16 -070017import math
James E. Blairc49e5e72017-03-16 14:56:32 -070018import os
James E. Blair9118c012017-08-03 11:19:16 -070019import re
James E. Blairc49e5e72017-03-16 14:56:32 -070020import subprocess
21import sys
22import tempfile
James E. Blair9118c012017-08-03 11:19:16 -070023import textwrap
Tobias Henkel39d6dcd2017-06-24 21:26:57 +020024
25# we to import Request and urlopen differently for python 2 and 3
26try:
27 from urllib.request import Request
28 from urllib.request import urlopen
29except ImportError:
30 from urllib2 import Request
31 from urllib2 import urlopen
James E. Blairc49e5e72017-03-16 14:56:32 -070032
33DESCRIPTION = """Encrypt a secret for Zuul.
34
35This program fetches a project-specific public key from a Zuul server and
36uses that to encrypt a secret. The only pre-requisite is an installed
37OpenSSL binary.
38"""
39
40
41def main():
42 parser = argparse.ArgumentParser(description=DESCRIPTION)
43 parser.add_argument('url',
44 help="The base URL of the zuul server and tenant. "
45 "E.g., https://zuul.example.com/tenant-name")
46 # TODO(jeblair,mordred): When projects have canonical names, use that here.
47 # TODO(jeblair): Throw a fit if SSL is not used.
48 parser.add_argument('source',
49 help="The Zuul source of the project.")
50 parser.add_argument('project',
51 help="The name of the project.")
52 parser.add_argument('--infile',
53 default=None,
54 help="A filename whose contents will be encrypted. "
55 "If not supplied, the value will be read from "
56 "standard input.")
57 parser.add_argument('--outfile',
58 default=None,
59 help="A filename to which the encrypted value will be "
60 "written. If not supplied, the value will be written "
61 "to standard output.")
62 args = parser.parse_args()
63
Tobias Henkel39d6dcd2017-06-24 21:26:57 +020064 req = Request("%s/keys/%s/%s.pub" % (
James E. Blairc49e5e72017-03-16 14:56:32 -070065 args.url, args.source, args.project))
Tobias Henkel39d6dcd2017-06-24 21:26:57 +020066 pubkey = urlopen(req)
James E. Blairc49e5e72017-03-16 14:56:32 -070067
68 if args.infile:
69 with open(args.infile) as f:
70 plaintext = f.read()
71 else:
72 plaintext = sys.stdin.read()
73
James E. Blair9118c012017-08-03 11:19:16 -070074 plaintext = plaintext.encode("utf-8")
75
James E. Blairc49e5e72017-03-16 14:56:32 -070076 pubkey_file = tempfile.NamedTemporaryFile(delete=False)
77 try:
78 pubkey_file.write(pubkey.read())
79 pubkey_file.close()
80
James E. Blair9118c012017-08-03 11:19:16 -070081 p = subprocess.Popen(['openssl', 'rsa', '-text',
82 '-pubin', '-in',
James E. Blairc49e5e72017-03-16 14:56:32 -070083 pubkey_file.name],
James E. Blairc49e5e72017-03-16 14:56:32 -070084 stdout=subprocess.PIPE)
James E. Blair9118c012017-08-03 11:19:16 -070085 (stdout, stderr) = p.communicate()
James E. Blairc49e5e72017-03-16 14:56:32 -070086 if p.returncode != 0:
87 raise Exception("Return code %s from openssl" % p.returncode)
James E. Blair9118c012017-08-03 11:19:16 -070088 output = stdout.decode('utf-8')
89 m = re.match(r'^Public-Key: \((\d+) bit\)$', output, re.MULTILINE)
90 nbits = int(m.group(1))
91 nbytes = int(nbits / 8)
92 max_bytes = nbytes - 42 # PKCS1-OAEP overhead
93 chunks = int(math.ceil(float(len(plaintext)) / max_bytes))
94
95 ciphertext_chunks = []
96
97 print("Public key length: {} bits ({} bytes)".format(nbits, nbytes))
98 print("Max plaintext length per chunk: {} bytes".format(max_bytes))
99 print("Input plaintext length: {} bytes".format(len(plaintext)))
100 print("Number of chunks: {}".format(chunks))
101
102 for count in range(chunks):
103 chunk = plaintext[int(count * max_bytes):
104 int((count + 1) * max_bytes)]
105 p = subprocess.Popen(['openssl', 'rsautl', '-encrypt',
106 '-oaep', '-pubin', '-inkey',
107 pubkey_file.name],
108 stdin=subprocess.PIPE,
109 stdout=subprocess.PIPE)
110 (stdout, stderr) = p.communicate(chunk)
111 if p.returncode != 0:
112 raise Exception("Return code %s from openssl" % p.returncode)
113 ciphertext_chunks.append(base64.b64encode(stdout).decode('utf-8'))
114
James E. Blairc49e5e72017-03-16 14:56:32 -0700115 finally:
116 os.unlink(pubkey_file.name)
117
James E. Blair9118c012017-08-03 11:19:16 -0700118 output = textwrap.dedent(
119 '''
120 - secret:
121 name: <name>
122 data:
123 <fieldname>: !encrypted/pkcs1-oaep
124 ''')
125
126 twrap = textwrap.TextWrapper(width=79,
127 initial_indent=' ' * 8,
128 subsequent_indent=' ' * 10)
129 for chunk in ciphertext_chunks:
130 chunk = twrap.fill('- ' + chunk)
131 output += chunk + '\n'
132
James E. Blairc49e5e72017-03-16 14:56:32 -0700133 if args.outfile:
James E. Blair9118c012017-08-03 11:19:16 -0700134 with open(args.outfile, "w") as f:
135 f.write(output)
James E. Blairc49e5e72017-03-16 14:56:32 -0700136 else:
James E. Blair9118c012017-08-03 11:19:16 -0700137 print(output)
James E. Blairc49e5e72017-03-16 14:56:32 -0700138
139
140if __name__ == '__main__':
141 main()