def main():
parser = ap.ArgumentParser('File encryption/decryption utility')
group1 = parser.add_mutually_exclusive_group(required=True)
group1.add_argument('--decrypt', action='store_true', help='Decrypt file')
group1.add_argument('--encrypt', action='store_true', help='Encrypt file')
parser.add_argument('-o', '--output-file', help='Output file')
parser.add_argument('--debug',
action='store_true',
help='Enable debug messages')
parser.add_argument('file', help='File to encrypt or decrypt')
args = parser.parse_args()
# read passphrase (ask twice for --encrypt)
if 'ENCRYPT_PASS' in os.environ:
passphrase = os.environ['ENCRYPT_PASS']
else:
passphrase = gp.getpass('enter passphrase: ')
if args.encrypt:
reentered = gp.getpass('re-enter passphrase: ')
if passphrase != reentered:
logger.critical('passphrases do not match')
sys.exit(1)
# get file handle
raw = get(args.file)
# get key using file header, or build a new one
if args.decrypt:
key = crypt.key_from_file(raw, passphrase)
else:
key = crypt.kdf(passphrase)
# lock or unlock the file
if args.decrypt:
if not args.output_file:
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
for chunk in crypt.decrypt(raw, key):
stdout.write(chunk)
else:
if overwrite(args.output_file):
logger.info('saving {}'.format(args.output_file))
crypt.decrypt(raw, key, filename=args.output_file)
elif args.encrypt:
if not args.output_file:
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
for chunk in crypt.encrypt(raw, key):
stdout.write(chunk)
else:
if overwrite(args.output_file):
logger.info('saving {}'.format(args.output_file))
crypt.encrypt(raw, key, filename=args.output_file)
def keyring(deployment, keyring_file='~/.nrg-keyring.enc', passphrase=None):
'''
Get keyring for deployment
:param deployment: Deployment name
:type deployment: str
:param keyring_file: Keyring file
:type keyring_file: str
:param passphrase: Passphrase to decrypt keyring
:type passphrase: str
:returns: Deployment keyring
:rtype: dict
'''
if deployment == None:
return keyring_from_env()
if passphrase == None:
if 'NRG_KEYRING_PASS' in os.environ:
passphrase = os.environ['NRG_KEYRING_PASS']
else:
passphrase = gp.getpass('enter keyring passphrase: ')
keyring_file = os.path.expanduser(keyring_file)
with open(keyring_file, 'rb') as fo:
key = crypt.key_from_file(fo, passphrase)
content = b''
for chunk in crypt.decrypt(fo, key):
content += chunk
try:
js = json.loads(content)
except ValueError as e:
raise KeyringError('could not decrypt file {0} (wrong passphrase perhaps?)'.format(keyring_file))
return js[deployment]
def load(f, archive_base=None):
'''load configuration file and keyring'''
logger.debug('loading configuration')
with open(os.path.expanduser(f), 'rb') as fp:
Lochness = _read_config_file(fp)
if archive_base:
Lochness['phoenix_root'] = archive_base
if 'phoenix_root' not in Lochness:
raise ConfigError(
'need either --archive-base or \'phoenix_root\' in config file')
Lochness['phoenix_root'] = os.path.expanduser(Lochness['phoenix_root'])
Lochness['keyring_file'] = os.path.expanduser(Lochness['keyring_file'])
with open(Lochness['keyring_file'], 'rb') as fp:
logger.info('reading keyring file {0}'.format(
Lochness['keyring_file']))
if 'NRG_KEYRING_PASS' in os.environ:
load.passphrase = os.environ['NRG_KEYRING_PASS']
if not load.passphrase:
load.passphrase = gp.getpass('enter passphrase: ')
key = crypt.key_from_file(fp, load.passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
try:
Lochness['keyring'] = yaml.load(content, Loader=yaml.FullLoader)
except yaml.reader.ReaderError:
raise KeyringError(
'could not decrypt keyring {0} (wrong passphrase?)'.format(
Lochness['keyring_file']))
return Lochness
def test_string():
encrypted = b''
decrypted = b''
key = crypt.randkey()
original = b'Hello, World!'
for chunk in crypt.encrypt(io.BytesIO(original), key):
encrypted += chunk
for chunk in crypt.decrypt(io.BytesIO(encrypted), key):
decrypted += chunk
assert decrypted == original
def load_encrypted_keyring(enc_keyring_loc: str) -> dict:
with open(enc_keyring_loc, 'rb') as fp:
passphrase = gp.getpass('enter passphrase: ')
key = crypt.key_from_file(fp, passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
keyring_dict = yaml.load(content, Loader=yaml.FullLoader)
return keyring_dict
def test_file():
key = crypt.randkey()
encrypted = b''
decrypted = b''
with open(os.path.join(DIR, 'file.bin'), 'rb') as fo:
original = fo.read()
with open(os.path.join(DIR, 'file.bin'), 'rb') as fo:
for chunk in crypt.encrypt(fo, key):
encrypted += chunk
for chunk in crypt.decrypt(io.BytesIO(encrypted), key):
decrypted += chunk
assert decrypted == original
def main():
parser = ap.ArgumentParser('File encryption/decryption utility')
parser.add_argument('--keyring',
default='~/.nrg-keyring.enc',
type=os.path.expanduser,
help='Keyring file')
group = parser.add_mutually_exclusive_group()
group.add_argument('--phoenix-study',
help='Return passphrase for PHOENIX study')
group.add_argument('--beiwe-study',
help='Return passphrase for Beiwe study')
parser.add_argument('--debug',
action='store_true',
help='Enable debug messages')
args = parser.parse_args()
# read encrypted keyring file
raw = open(args.keyring)
# get salt from raw file header
salt = None
header, _ = crypt.read_header(raw)
salt = header['kdf'].salt
# read passphrase from an env or command line
if 'NRG_KEYRING_PASS' in os.environ:
passphrase = os.environ['NRG_KEYRING_PASS']
else:
passphrase = gp.getpass('enter passphrase: ')
# construct decryption key
key = crypt.kdf(passphrase, salt=salt)
# decrypt the keyring content
content = ''
for chunk in crypt.decrypt(raw, key):
content += chunk
js = json.loads(content)
# return what the user requested
try:
if args.phoenix_study:
sys.stdout.write(js['kitchen']['SECRETS'][args.phoenix_study])
elif args.beiwe_study:
sys.stdout.write(js['beiwe']['SECRETS'][args.beiwe_study])
except KeyError as e:
logger.critical('key not found {0}'.format(e))
sys.exit(1)
def verify(f, content_hash, key=None, compress=False):
'''compute dropbox hash of a local file and compare to content_hash'''
hasher = hash.DropboxContentHasher()
fo = open(f, 'rb')
if compress:
fo = gzip.GzipFile(fileobj=fo, mode='rb')
if key:
fo = crypt.buffer(crypt.decrypt(fo, key, chunk_size=CHUNK_SIZE))
while 1:
buf = fo.read(CHUNK_SIZE)
if not buf:
break
hasher.update(buf)
fo.close()
if hasher.hexdigest() != content_hash:
message = 'hash mismatch detected for {0}'.format(f)
raise DropboxHashError(message, f)
def config_load_test(f: 'location', archive_base=None):
'''load configuration file and keyring'''
config.logger.debug('loading configuration')
with open(os.path.expanduser(f), 'rb') as fp:
Lochness = config._read_config_file(fp)
if archive_base:
Lochness['phoenix_root'] = archive_base
if 'phoenix_root' not in Lochness:
raise config.ConfigError('need either --archive-base or '
'\'phoenix_root\' in config file')
if 'BIDS' not in Lochness:
Lochness['BIDS'] = False
Lochness['phoenix_root'] = os.path.expanduser(Lochness['phoenix_root'])
Lochness['keyring_file'] = os.path.expanduser(Lochness['keyring_file'])
# box file pattern strings from the config to string template
# regardless of the selected study in the args
if 'box' in Lochness:
for _, study_dict in Lochness['box'].items():
for _, modality_values in study_dict['file_patterns'].items():
for modality_dict in modality_values:
modality_dict['pattern'] = \
config.string.Template(modality_dict['pattern'])
with open(Lochness['keyring_file'], 'rb') as fp:
config.logger.info(f'reading keyring file {Lochness["keyring_file"]}')
passphrase = ''
key = crypt.key_from_file(fp, passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
try:
Lochness['keyring'] = config.yaml.load(
content,
Loader=config.yaml.FullLoader)
except config.yaml.reader.ReaderError:
raise config.KeyringError('could not decrypt keyring {0} (wrong passphrase?)'.format(Lochness['keyring_file']))
return Lochness
def load(f: 'location', archive_base=None):
'''load configuration file and keyring'''
logger.debug('loading configuration')
with open(os.path.expanduser(f), 'rb') as fp:
Lochness = _read_config_file(fp)
if archive_base:
Lochness['phoenix_root'] = archive_base
if 'phoenix_root' not in Lochness:
raise ConfigError('need either --archive-base or '
'\'phoenix_root\' in config file')
Lochness['phoenix_root'] = os.path.expanduser(Lochness['phoenix_root'])
Lochness['keyring_file'] = os.path.expanduser(Lochness['keyring_file'])
# box file pattern strings from the config to string template
# regardless of the selected study in the args
if 'box' in Lochness:
for _, study_dict in Lochness['box'].items():
for _, modality_values in study_dict['file_patterns'].items():
for modality_dict in modality_values:
modality_dict['pattern'] = \
string.Template(modality_dict['pattern'])
with open(Lochness['keyring_file'], 'rb') as fp:
logger.info('reading keyring file {0}'.format(
Lochness['keyring_file']))
if 'NRG_KEYRING_PASS' in os.environ:
load.passphrase = os.environ['NRG_KEYRING_PASS']
if not load.passphrase:
load.passphrase = gp.getpass('enter passphrase: ')
key = crypt.key_from_file(fp, load.passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
try:
Lochness['keyring'] = yaml.load(content, Loader=yaml.FullLoader)
except yaml.reader.ReaderError:
raise KeyringError(
'could not decrypt keyring {0} (wrong passphrase?)'.format(
Lochness['keyring_file']))
return Lochness