-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathencrypt_credentials.rb
116 lines (96 loc) · 3.19 KB
/
encrypt_credentials.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
#!/usr/bin/ruby
#--
# Nagios API Ruby library
#
# Ruby Gem Name:: secludit-nagios
# Author:: $Author: $
# Copyright::
# License:: Distributes under the same terms as Ruby
# Home:: $Id: encrypt_credentials.rb 1044 2011-03-04 12:51:53Z $
#++
%w[ getoptlong pp base64 openssl].each { |f| require f }
RETURN_CODE_OK = 0
RETURN_CODE_NOK = 1
# specify the options we accept and initialize and the option parser
verbose = 0
credential_file = ''
ret = RETURN_CODE_NOK
use_rsa = false
aws_access_key_id = ''
aws_secret_access_key = ''
enc_aws_access_key_id = ''
enc_aws_secret_access_key = ''
def display_menu
puts "Usage: #{$0} [-v] -s <server> -h <host> -c <credentials>"
puts " --help, -h: This Help"
puts " --verbose, -v: Enable verbose mode"
puts " --access_key_id, -A: Amazon Access Key ID"
puts " --secret_access_key, -S: Amazon Secret Access Key"
puts " --credential_file, -f: Path to a File containing the Amazon EC2 Credentials"
exit
end
opts = GetoptLong.new
# add options
opts.set_options(
[ "--help", "-h", GetoptLong::OPTIONAL_ARGUMENT ], \
[ "--verbose", "-v", GetoptLong::OPTIONAL_ARGUMENT ], \
[ "--access_key_id", "-A", GetoptLong::OPTIONAL_ARGUMENT ], \
[ "--secret_access_key", "-S", GetoptLong::OPTIONAL_ARGUMENT ], \
[ "--credential_file", "-f", GetoptLong::OPTIONAL_ARGUMENT ]
)
# test usage
unless ARGV.length >= 4
display_menu
end
# parse options
opts.each { |opt, arg|
case opt
when '--help'
display_menu
when '--verbose'
verbose = 1
when '--access_key_id'
aws_access_key_id = arg
when '--secret_access_key'
aws_secret_access_key = arg
when '--credential_file'
credential_file = arg
end
}
if verbose == 1
puts "** Encrypting AWS Credentials: access_key_id: #{aws_access_key_id}, secret_access_key: #{aws_secret_access_key}"
end
begin
key_file = "/etc/cloutomate/cloutomate.pem" #TODO: make configurable?
if use_rsa
rsa_pubkey = OpenSSL::PKey::RSA.new(File.read(key_file))
enc_aws_access_key_id = rsa_pubkey.public_encrypt(Base64.encoode(aws_access_key_id))
enc_aws_secret_access_key = rsa_pubkey.public_encrypt(Base64.encoode(aws_secret_access_key))
else
cipher = OpenSSL::Cipher::Cipher.new('bf-cbc')
tmp_data = ''
cipher.encrypt
cipher.key = Digest::SHA256.digest(File.read(key_file))
tmp_data = cipher.update(aws_access_key_id)
tmp_data << cipher.final
enc_aws_access_key_id = Base64.encode64(tmp_data)
tmp_data = ''
cipher.encrypt
cipher.key = Digest::SHA256.digest(File.read(key_file))
tmp_data = cipher.update(aws_secret_access_key)
tmp_data << cipher.final
enc_aws_secret_access_key = Base64.encode64(tmp_data)
end
fd = File.open(credential_file, "w")
fd.syswrite(" ec2_access_id #{enc_aws_access_key_id}")
fd.syswrite(" ec2_access_key #{enc_aws_secret_access_key}")
fd.close
ret = RETURN_CODE_OK
rescue Exception => e
puts "Error occured while encrypting AWS credentials: #{e}"
exit RETURN_CODE_NOK
end
if verbose == 1
puts "==> Encrypted AWS Credentials: access_key_id: #{enc_aws_access_key_id}, secret_access_key: #{enc_aws_secret_access_key}"
end
exit ret