class ManageIQ::Password
Constants
- MASK
- REGEXP
- REGEXP_PASSWORD
- REGEXP_START_LINE
- VERSION
Attributes
encStr[R]
Public Class Methods
decrypt(*args)
# File lib/manageiq/password.rb, line 55
# Class-level convenience: builds a throwaway instance and forwards every
# argument to the instance method #decrypt.
#
# @param args [Array] forwarded unchanged (str, optional key)
# @return whatever #decrypt returns
def self.decrypt(*args)
  password = new
  password.decrypt(*args)
end
encrypt(*args)
# File lib/manageiq/password.rb, line 51
# Class-level convenience: builds a throwaway instance and forwards every
# argument to the instance method #encrypt.
#
# @param args [Array] forwarded unchanged (str, optional key)
# @return whatever #encrypt returns
def self.encrypt(*args)
  password = new
  password.encrypt(*args)
end
encrypted?(str)
# File lib/manageiq/password.rb, line 63
# Reports whether +str+ carries the encrypted-value wrapper.
#
# This is a format check only: it asks unwrap whether the wrapper pattern
# matches and never attempts a decryption, so a true result does not prove
# the payload decrypts with the current key.
#
# @param str [String, nil]
# @return [Boolean] false for nil or empty input
def self.encrypted?(str)
  blank = str.nil? || str.empty?
  blank ? false : !!unwrap(str)
end
generate_symmetric(filename = nil)
# File lib/manageiq/password.rb, line 123
# Creates a new Key and, when a filename is given, persists it through
# store_key_file.
#
# @param filename [String, nil] destination for the key file; nil skips the write
# @return [Key] the newly created key, whether or not it was written
def self.generate_symmetric(filename = nil)
  fresh_key = Key.new
  store_key_file(filename, fresh_key) if filename
  fresh_key
end
key()
# File lib/manageiq/password.rb, line 106 def self.key @@key ||= load_key_file("v2_key") || begin key_file = File.expand_path("v2_key", key_root) msg = <<-EOS #{key_file} doesn't exist! On an appliance, it should be generated on boot by evmserverd. If you're a developer, you can copy the #{key_file}.dev to #{key_file}. Caution, using the developer key will allow anyone with the public developer key to decrypt the two-way passwords in your database. EOS Kernel.warn msg nil end end
key=(key)
# File lib/manageiq/password.rb, line 102 def self.key=(key) @@key = key end
key_root()
# File lib/manageiq/password.rb, line 93 def self.key_root @@key_root ||= ENV["KEY_ROOT"] end
key_root=(key_root)
# File lib/manageiq/password.rb, line 97 def self.key_root=(key_root) @@key = nil @@key_root = key_root end
md5crypt(str)
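# File lib/manageiq/password.rb, line 68
# Returns the MD5-crypt hash of a password as printed by
# `openssl passwd -1 -salt miq`.
#
# @param str [String, nil] plaintext or wrapped password; wrapped values are
#   decrypted first via try_decrypt
# @return [String, nil] first line of openssl's output, nil if it printed nothing
#
# NOTE(review): MD5-crypt with the fixed salt "miq" yields the same hash for
# the same password everywhere, so it offers little resistance to
# precomputed or offline guessing. Treat the result as a legacy format
# required by the consumer, not as protection for the password.
def self.md5crypt(str)
  password = try_decrypt(str)

  # The argument-vector form of IO.popen starts openssl directly, with no
  # shell in between, so quotes, backticks or `$(...)` inside the password
  # are never interpreted as shell syntax. Feeding the password through
  # -stdin also keeps the plaintext out of the process argument list.
  # openssl reads one password per line: a password containing a newline is
  # hashed only up to that newline.
  output = IO.popen(["openssl", "passwd", "-1", "-salt", "miq", "-stdin"], "r+") do |openssl|
    openssl.puts(password.to_s)
    openssl.close_write
    openssl.read
  end

  output.split("\n").first
end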
new(str = nil)
# File lib/manageiq/password.rb, line 19
# Builds a Password; when a string is supplied it is encrypted immediately
# and kept in @encStr. The plaintext itself is not stored on the instance.
#
# @param str [String, nil] value to encrypt; nil/false leaves @encStr unset
def initialize(str = nil)
  @encStr = encrypt(str) if str
end
recrypt(*args)
# File lib/manageiq/password.rb, line 59
# Class-level convenience: builds a throwaway instance and forwards every
# argument to the instance method #recrypt.
#
# @param args [Array] forwarded unchanged (str, optional prior_key)
# @return whatever #recrypt returns
def self.recrypt(*args)
  password = new
  password.recrypt(*args)
end
sanitize_string(s)
# File lib/manageiq/password.rb, line 77
# Returns a copy of +s+ in which every match of REGEXP_PASSWORD has been
# replaced by MASK; the argument is left untouched.
#
# NOTE(review): REGEXP_PASSWORD is defined outside this listing. Presumably
# it matches only wrapped (encrypted) values, in which case plaintext
# secrets in +s+ pass through unmasked - confirm before using this as the
# only log-scrubbing step.
#
# @param s [String]
# @return [String]
def self.sanitize_string(s)
  masked = s.gsub(REGEXP_PASSWORD, MASK)
  masked
end
sanitize_string!(s)
# File lib/manageiq/password.rb, line 81
# In-place variant of sanitize_string: replaces every match of
# REGEXP_PASSWORD inside +s+ with MASK.
#
# @param s [String] mutated in place
# @return [String, nil] +s+ when something was replaced, nil when nothing
#   matched (String#gsub! semantics) - do not chain on the result
def self.sanitize_string!(s)
  outcome = s.gsub!(REGEXP_PASSWORD, MASK)
  outcome
end
sysprep_crypt(str)
# File lib/manageiq/password.rb, line 73
# Produces the Base64 form of "<password>AdministratorPassword" encoded as
# UTF-16LE, on a single line.
#
# Despite the name this is an encoding, not encryption: anyone holding the
# output can recover the password by Base64-decoding it, so the result
# needs the same handling as the plaintext.
#
# @param str [String, nil] plaintext or wrapped password; wrapped values are
#   decrypted first via try_decrypt
# @return [String]
def self.sysprep_crypt(str)
  plaintext = try_decrypt(str)
  utf16_payload = "#{plaintext}AdministratorPassword".encode("UTF-16LE")
  # strict_encode64 emits no line feeds, matching encode64 followed by
  # deleting "\n".
  Base64.strict_encode64(utf16_payload)
end
try_decrypt(str)
# File lib/manageiq/password.rb, line 85
# Decrypts +str+ when it carries the encrypted-value wrapper and returns it
# unchanged otherwise.
#
# @param str [String, nil]
# @return [String, nil]
def self.try_decrypt(str)
  if encrypted?(str)
    decrypt(str)
  else
    str
  end
end
try_encrypt(str)
# File lib/manageiq/password.rb, line 89
# Encrypts +str+ unless it already carries the encrypted-value wrapper.
#
# The decision rests on encrypted?, which only checks the wrapper format, so
# a plaintext value that happens to match that format is returned
# as-is and never encrypted.
#
# @param str [String, nil]
# @return [String, nil]
def self.try_encrypt(str)
  if encrypted?(str)
    str
  else
    encrypt(str)
  end
end
Protected Class Methods
extract_erb_encrypted_value(value)
# File lib/manageiq/password.rb, line 157
# Pulls the quoted argument out of an ERB snippet of the form
# `<%= MiqPassword.decrypt('...') %>` (also DB_PASSWORD and
# ManageIQ::Password). The ERB is only pattern-matched, never evaluated.
#
# @param value [String, nil]
# @return [String, nil] the text between the quotes, or nil when +value+
#   is not exactly such a snippet
def self.extract_erb_encrypted_value(value)
  # \A anchors the start of the string; \Z still tolerates one trailing newline.
  erb_call = /\A<%= (?:MiqPassword|DB_PASSWORD|ManageIQ::Password)\.decrypt\(['"]([^'"]+)['"]\) %>\Z/
  return unless value =~ erb_call

  Regexp.last_match(1)
end
load_key_file(filename)
# File lib/manageiq/password.rb, line 146
# Loads a Key from a YAML key file.
#
# @param filename [String, #decrypt64] path to the key file, or an object
#   that already responds to decrypt64 (returned unchanged)
# @return [Key, Object, nil] nil when no file is found
def self.load_key_file(filename)
  return filename if filename.respond_to?(:decrypt64)

  # A path that exists as given (absolute, or relative to the working
  # directory) is used directly; anything else is resolved under key_root.
  path = File.exist?(filename) ? filename : File.expand_path(filename, key_root)
  return nil unless File.exist?(path)

  # NOTE(review): YAML.load_file deserializes whatever the file contains, and
  # which object types it will build depends on the Psych version in use.
  # Keep the key file writable only by the service account; where the
  # installed Psych provides it, YAML.safe_load_file with
  # permitted_classes: [Symbol] would restrict parsing to the symbol-keyed
  # hash this method expects.
  settings = YAML.load_file(path)
  Key.new(*settings.values_at(:algorithm, :key, :iv))
end
store_key_file(filename, key)
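# File lib/manageiq/password.rb, line 142
# Writes a key to +filename+ as YAML.
#
# @param filename [String] destination path
# @param key [#to_h] key whose hash form (algorithm, key, iv) is serialized
# @return [Integer] number of bytes written
def self.store_key_file(filename, key)
  # The file holds the symmetric key itself, so create it readable and
  # writable by the owner only instead of inheriting umask-derived
  # permissions. perm applies only when the file is created; a file that
  # already exists keeps its current mode and should be checked separately.
  File.write(filename, key.to_h.to_yaml, perm: 0o600)
end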
unwrap(str)
# File lib/manageiq/password.rb, line 133
# Extracts the encrypted payload from +str+, accepting either the bare
# wrapper or the wrapper embedded in an ERB `...decrypt('...')` snippet.
#
# @param str [String, nil]
# @return [String, nil] the payload, +str+ itself when it is empty, or nil
#   when neither form matches
def self.unwrap(str)
  direct = _unwrap(str)
  return direct if direct

  _unwrap(extract_erb_encrypted_value(str))
end
wrap(encrypted_str)
# File lib/manageiq/password.rb, line 129
# Puts an encrypted payload into the versioned wrapper "v2:{...}".
#
# @param encrypted_str [String, nil] Base64 payload; nil yields "v2:{}"
# @return [String]
def self.wrap(encrypted_str)
  payload = encrypted_str
  "v2:{#{payload}}"
end
Private Class Methods
_unwrap(str)
# File lib/manageiq/password.rb, line 137
# Returns the first capture group of REGEXP_START_LINE matched against
# +str+.
#
# @param str [String, nil]
# @return [String, nil] +str+ itself when it is nil or empty, nil when the
#   pattern does not match
def self._unwrap(str)
  return str if str.nil? || str.empty?

  found = str.match(REGEXP_START_LINE)
  found && found[1]
end
Public Instance Methods
decrypt(str, key = self.class.key)
# File lib/manageiq/password.rb, line 32
# Decrypts a wrapped value with +key+.
#
# @param str [String, nil] wrapped ciphertext
# @param key [#decrypt64] defaults to the class-level key
# @return [String, nil] UTF-8 plaintext; nil or "" when unwrap yields nil or ""
# @raise [PasswordError] for any StandardError raised while decrypting.
#   That includes a nil key (missing key file), so callers see one generic
#   message and no detail about the ciphertext or key.
def decrypt(str, key = self.class.key)
  payload = self.class.unwrap(str)
  return payload if payload.nil? || payload.empty?

  begin
    plaintext = key.decrypt64(payload)
    plaintext.force_encoding('UTF-8')
  rescue
    raise PasswordError, "cannot decrypt encrypted string"
  end
end
encrypt(str, key = self.class.key)
# File lib/manageiq/password.rb, line 25
# Encrypts +str+ with +key+ and returns it in the class's wrapper format.
#
# @param str [String, nil] plaintext
# @param key [#encrypt64] defaults to the class-level key
# @return [String, nil] nil for nil input; an empty string is not
#   encrypted and comes back as the wrapper around an empty payload
def encrypt(str, key = self.class.key)
  return str if str.nil?

  # encrypt64 output may contain line feeds; the wrapped form is kept on one line.
  payload = str.empty? ? nil : key.encrypt64(str).delete("\n")
  self.class.wrap(payload)
end
recrypt(str, prior_key = nil)
# File lib/manageiq/password.rb, line 43
# Re-encrypts a wrapped value under the current class-level key.
#
# Decryption is first attempted with +prior_key+ when one is given; any
# StandardError from that attempt is swallowed and the current key is tried
# instead. A failure of the fallback decrypt is not rescued here.
#
# @param str [String, nil] wrapped ciphertext
# @param prior_key [#decrypt64, nil] key the value may have been encrypted with
# @return [String, nil] nil for nil input
def recrypt(str, prior_key = nil)
  return str if str.nil?

  plaintext =
    if prior_key
      begin
        decrypt(str, prior_key)
      rescue StandardError
        nil
      end
    end
  plaintext ||= decrypt(str)
  encrypt(plaintext)
end