class ManageIQ::Password

Constants

MASK
REGEXP
REGEXP_PASSWORD
REGEXP_START_LINE
VERSION

Attributes

encStr[R]

Public Class Methods

decrypt(*args) click to toggle source
# File lib/manageiq/password.rb, line 55
# Class-level shortcut for the instance method #decrypt: builds a throwaway
# instance and forwards every argument to it unchanged.
def self.decrypt(*args)
  password = new
  password.decrypt(*args)
end
encrypt(*args) click to toggle source
# File lib/manageiq/password.rb, line 51
# Class-level shortcut for the instance method #encrypt: builds a throwaway
# instance and forwards every argument to it unchanged.
def self.encrypt(*args)
  password = new
  password.encrypt(*args)
end
encrypted?(str) click to toggle source
# File lib/manageiq/password.rb, line 63
# Tells whether str is in the wrapped form that unwrap recognises.
#
# This is a format check only: nothing is decrypted, so a true result does
# not mean the value can be decrypted with the current key.
# nil and the empty string are never considered encrypted.
def self.encrypted?(str)
  blank = str.nil? || str.empty?
  blank ? false : !!unwrap(str)
end
generate_symmetric(filename = nil) click to toggle source
# File lib/manageiq/password.rb, line 123
# Creates a new Key (Key.new without arguments) and returns it.
# When filename is given, the key is also written there via store_key_file.
def self.generate_symmetric(filename = nil)
  key = Key.new
  store_key_file(filename, key) if filename
  key
end
key() click to toggle source
# File lib/manageiq/password.rb, line 106
    # Returns the key used by default for encryption and decryption,
    # memoized in @@key.
    #
    # The key is read from the "v2_key" file through load_key_file. When that
    # yields nothing, a warning is printed and nil is returned; since ||= does
    # not memoize nil, the next call tries to load the file again.
    def self.key
      @@key ||= load_key_file("v2_key") || begin
        # Only used to name the expected location in the warning text.
        key_file = File.expand_path("v2_key", key_root)
        msg = <<-EOS
  #{key_file} doesn't exist!
  On an appliance, it should be generated on boot by evmserverd.

  If you're a developer, you can copy the #{key_file}.dev to #{key_file}.

  Caution, using the developer key will allow anyone with the public developer key to decrypt the two-way
  passwords in your database.
  EOS
        # The warning carries the caveat about the shared developer key.
        Kernel.warn msg
        # No key could be loaded: the caller receives nil.
        nil
      end
    end
key=(key) click to toggle source
# File lib/manageiq/password.rb, line 102
# Overrides the memoized key that .key returns. The value is stored exactly
# as given; no check is made here that it can encrypt or decrypt.
def self.key=(key)
  @@key = key
end
key_root() click to toggle source
# File lib/manageiq/password.rb, line 93
# Directory against which key file names are resolved, memoized in
# @@key_root. Falls back to the KEY_ROOT environment variable; while that is
# unset the result stays nil and the variable is read again on the next call.
# NOTE(review): whoever controls KEY_ROOT decides which key file is loaded;
# presumably it is set by the deployment only (confirm).
def self.key_root
  @@key_root ||= ENV["KEY_ROOT"]
end
key_root=(key_root) click to toggle source
# File lib/manageiq/password.rb, line 97
# Sets the directory used to resolve key files.
def self.key_root=(key_root)
  # Drop the memoized key so that .key loads it again after the root changed.
  @@key = nil
  @@key_root = key_root
end
md5crypt(str) click to toggle source
# File lib/manageiq/password.rb, line 68
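# Returns the MD5-crypt hash of a password, computed by the external
# `openssl passwd -1` command with the fixed salt "miq".
#
# str may be plaintext or a wrapped encrypted value; it goes through
# try_decrypt first. The result is the first line of openssl's output, or
# nil when openssl printed nothing.
#
# The command is started from an argument vector, without a shell, so shell
# metacharacters in the password are hashed as literal characters and can
# neither change the command that runs nor alter the value being hashed.
#
# NOTE(review): the plaintext is still a process argument and is visible in
# the process list while openssl runs; feeding it on stdin would avoid that.
# NOTE(review): MD5-crypt with a constant salt is weak by current standards.
# Both are left as they are because callers depend on the exact output.
def self.md5crypt(str)
  argv = ["openssl", "passwd", "-1", "-salt", "miq", try_decrypt(str).to_s]
  IO.popen(argv, &:read).split("\n").first
end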
new(str = nil) click to toggle source
# File lib/manageiq/password.rb, line 19
# Builds a password object. When str is given it is encrypted right away
# (default key) and only the wrapped ciphertext is kept, in @encStr; without
# str nothing is stored.
def initialize(str = nil)
  @encStr = encrypt(str) if str
end
recrypt(*args) click to toggle source
# File lib/manageiq/password.rb, line 59
# Class-level shortcut for the instance method #recrypt: builds a throwaway
# instance and forwards every argument to it unchanged.
def self.recrypt(*args)
  password = new
  password.recrypt(*args)
end
sanitize_string(s) click to toggle source
# File lib/manageiq/password.rb, line 77
# Returns a copy of s in which every match of REGEXP_PASSWORD is replaced by
# MASK. s itself is left untouched.
def self.sanitize_string(s)
  pattern = REGEXP_PASSWORD
  s.gsub(pattern, MASK)
end
sanitize_string!(s) click to toggle source
# File lib/manageiq/password.rb, line 81
# In-place variant of sanitize_string: replaces every match of
# REGEXP_PASSWORD in s by MASK.
#
# Follows String#gsub!: returns s when something was replaced and nil when
# nothing matched, so the return value must not be used as the sanitized text.
def self.sanitize_string!(s)
  pattern = REGEXP_PASSWORD
  s.gsub!(pattern, MASK)
end
sysprep_crypt(str) click to toggle source
# File lib/manageiq/password.rb, line 73
# Returns the Base64 form (without line breaks) of the password followed by
# the literal "AdministratorPassword", encoded as UTF-16LE.
#
# str may be plaintext or a wrapped encrypted value (see try_decrypt).
# Base64 is an encoding, not encryption: anyone who can read the result can
# recover the plaintext, so the output needs the same protection as the
# password itself.
def self.sysprep_crypt(str)
  plaintext = try_decrypt(str)
  utf16 = "#{plaintext}AdministratorPassword".encode("UTF-16LE")
  Base64.encode64(utf16).delete("\n")
end
try_decrypt(str) click to toggle source
# File lib/manageiq/password.rb, line 85
# Returns the plaintext for str: values that encrypted? recognises are
# decrypted, anything else is returned unchanged.
def self.try_decrypt(str)
  return str unless encrypted?(str)

  decrypt(str)
end
try_encrypt(str) click to toggle source
# File lib/manageiq/password.rb, line 89
# Returns str in encrypted form: values that encrypted? already recognises
# are returned unchanged, anything else is encrypted.
#
# encrypted? only checks the format, so a value that merely looks wrapped is
# passed through as is, whether or not it decrypts with the current key.
def self.try_encrypt(str)
  return str if encrypted?(str)

  encrypt(str)
end

Protected Class Methods

extract_erb_encrypted_value(value) click to toggle source
# File lib/manageiq/password.rb, line 157
# Extracts the quoted argument from a value that consists solely of an ERB
# tag calling decrypt on MiqPassword, DB_PASSWORD or ManageIQ::Password,
# for example <%= ManageIQ::Password.decrypt('...') %>.
#
# Returns the text between the quotes, or nil when value has any other shape
# (including nil). The ERB is matched as text and never evaluated.
def self.extract_erb_encrypted_value(value)
  # \A anchors at the start of the string; \Z also accepts one trailing newline.
  erb_decrypt_call = /\A<%= (?:MiqPassword|DB_PASSWORD|ManageIQ::Password)\.decrypt\(['"]([^'"]+)['"]\) %>\Z/
  Regexp.last_match(1) if value =~ erb_decrypt_call
end
load_key_file(filename) click to toggle source
# File lib/manageiq/password.rb, line 146
# Resolves a key from either a key object or the name of a key file.
#
# * An object responding to decrypt64 is taken to be a key and returned as is.
# * Otherwise filename is treated as a path to a YAML file whose :algorithm,
#   :key and :iv entries are handed to Key.new.
#
# Returns nil when no such file exists.
#
# NOTE(review): a path that exists as given wins, and a relative name is
# checked against the process working directory first, so a file of the same
# name there takes precedence over the one under key_root.
# NOTE(review): the file is parsed with YAML.load_file; which objects that
# may instantiate depends on the installed Psych version, so key files must
# only come from trusted locations.
def self.load_key_file(filename)
  return filename if filename.respond_to?(:decrypt64)

  # Keep an existing path untouched; only otherwise resolve it under key_root.
  path = File.exist?(filename) ? filename : File.expand_path(filename, key_root)
  return nil unless File.exist?(path)

  fields = YAML.load_file(path).values_at(:algorithm, :key, :iv)
  Key.new(*fields)
end
store_key_file(filename, key) click to toggle source
# File lib/manageiq/password.rb, line 142
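# Writes key (as the YAML form of key.to_h) to filename and returns the
# number of bytes written.
#
# The file holds secret key material, so it is created readable and writable
# by the owner only (0600) instead of relying on the process umask.
# The mode applies only when the file is created; an existing file keeps the
# permissions it already has.
# NOTE(review): if another account has to read the key through group
# permissions, the mode needs to be widened deliberately (confirm).
def self.store_key_file(filename, key)
  File.write(filename, key.to_h.to_yaml, perm: 0o600)
end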
unwrap(str) click to toggle source
# File lib/manageiq/password.rb, line 133
# Returns the payload of a wrapped value. str is tried as is first; when
# that yields nothing it is tried as an ERB decrypt call (see
# extract_erb_encrypted_value). Returns nil when neither form matches.
def self.unwrap(str)
  direct = _unwrap(str)
  return direct if direct

  _unwrap(extract_erb_encrypted_value(str))
end
wrap(encrypted_str) click to toggle source
# File lib/manageiq/password.rb, line 129
# Puts an encrypted payload into the wrapped form "v2:{...}".
# A nil payload produces "v2:{}".
def self.wrap(encrypted_str)
  payload = encrypted_str.to_s
  "v2:{#{payload}}"
end

Private Class Methods

_unwrap(str) click to toggle source
# File lib/manageiq/password.rb, line 137
                     def self._unwrap(str)
  # Returns the first capture group of REGEXP_START_LINE for str, or nil when
  # the pattern does not match. nil and "" are handed back unchanged.
  return str if str.nil? || str.empty?

  found = str.match(REGEXP_START_LINE)
  found && found[1]
end

Public Instance Methods

decrypt(str, key = self.class.key) click to toggle source
# File lib/manageiq/password.rb, line 32
# Decrypts a wrapped value with key (by default the class-wide key) and
# returns the plaintext tagged as UTF-8.
#
# A str that is not in wrapped form is not an error: unwrap yields nil and
# nil is returned. An empty payload is returned as is.
#
# Any StandardError raised while decrypting is reported as PasswordError with
# a fixed message; the original exception stays reachable through #cause.
def decrypt(str, key = self.class.key)
  payload = self.class.unwrap(str)
  return payload if payload.nil? || payload.empty?

  begin
    plaintext = key.decrypt64(payload)
    plaintext.force_encoding('UTF-8')
  rescue StandardError
    raise PasswordError, "cannot decrypt encrypted string"
  end
end
encrypt(str, key = self.class.key) click to toggle source
# File lib/manageiq/password.rb, line 25
# Encrypts str with key (by default the class-wide key) and returns it in
# wrapped form, with line breaks removed from the encoded ciphertext.
#
# nil is returned unchanged. The empty string is not passed to the key at
# all; it is wrapped with an empty payload.
def encrypt(str, key = self.class.key)
  return str if str.nil?

  ciphertext = str.empty? ? nil : key.encrypt64(str).delete("\n")
  self.class.wrap(ciphertext)
end
recrypt(str, prior_key = nil) click to toggle source
# File lib/manageiq/password.rb, line 43
# Re-encrypts str with the current key and returns the new wrapped value.
#
# When prior_key is given, decryption is attempted with it first. That
# attempt is best effort: any StandardError is swallowed and decryption
# falls back to the current key, whose errors are not swallowed.
# nil is returned unchanged.
def recrypt(str, prior_key = nil)
  return str if str.nil?

  plaintext = nil
  if prior_key
    begin
      plaintext = decrypt(str, prior_key)
    rescue StandardError
      plaintext = nil
    end
  end
  plaintext ||= decrypt(str)
  encrypt(plaintext)
end