def returner(ret):
"""
Send an email with the data
"""
_options = _get_options(ret)
from_addr = _options.get("from")
to_addrs = _options.get("to").split(",")
host = _options.get("host")
port = _options.get("port")
user = _options.get("username")
passwd = _options.get("password")
subject = _options.get("subject") or "Email from Salt"
gpgowner = _options.get("gpgowner")
fields = _options.get("fields").split(",") if "fields" in _options else []
smtp_tls = _options.get("tls")
renderer = _options.get("renderer") or "jinja"
rend = salt.loader.render(__opts__, {})
blacklist = __opts__.get("renderer_blacklist")
whitelist = __opts__.get("renderer_whitelist")
if not port:
port = 25
log.debug("SMTP port has been set to %s", port)
for field in fields:
if field in ret:
subject += " {}".format(ret[field])
subject = compile_template(":string:",
rend,
renderer,
blacklist,
whitelist,
input_data=subject,
**ret)
if isinstance(subject, io.StringIO):
subject = subject.read()
log.debug("smtp_return: Subject is '%s'", subject)
template = _options.get("template")
if template:
content = compile_template(template, rend, renderer, blacklist,
whitelist, **ret)
else:
template = ("id: {{id}}\r\n"
"function: {{fun}}\r\n"
"function args: {{fun_args}}\r\n"
"jid: {{jid}}\r\n"
"return: {{return}}\r\n")
content = compile_template(":string:",
rend,
renderer,
blacklist,
whitelist,
input_data=template,
**ret)
if gpgowner:
if HAS_GNUPG:
gpg = gnupg.GPG(
gnupghome=os.path.expanduser("~{}/.gnupg".format(gpgowner)),
options=["--trust-model always"],
)
encrypted_data = gpg.encrypt(content, to_addrs)
if encrypted_data.ok:
log.debug("smtp_return: Encryption successful")
content = str(encrypted_data)
else:
log.error(
"smtp_return: Encryption failed, only an error message will be sent"
)
content = "Encryption failed, the return data was not sent.\r\n\r\n{}\r\n{}".format(
encrypted_data.status, encrypted_data.stderr)
else:
log.error(
"gnupg python module is required in order to user gpgowner in smtp"
" returner ; ignoring gpgowner configuration for now")
if isinstance(content, io.StringIO):
content = content.read()
message = "From: {}\r\nTo: {}\r\nDate: {}\r\nSubject: {}\r\n\r\n{}".format(
from_addr, ", ".join(to_addrs), formatdate(localtime=True), subject,
content)
log.debug("smtp_return: Connecting to the server...")
server = smtplib.SMTP(host, int(port))
if smtp_tls is True:
server.starttls()
log.debug("smtp_return: TLS enabled")
if user and passwd:
server.login(user, passwd)
log.debug("smtp_return: Authenticated")
# enable logging SMTP session after the login credentials were passed
server.set_debuglevel(1)
server.sendmail(from_addr, to_addrs, message)
log.debug("smtp_return: Message sent.")
server.quit()
def sign(ctx, job_name, gpg_homedir, target_dir, algorithm):
"""Download and sign build artifacts from github releases"""
gpg = gnupg.GPG(gnupghome=gpg_homedir)
# fetch the queue repository
queue = ctx.obj['queue']
queue.fetch()
# query the job's artifacts
job = queue.get(job_name)
target_dir = Path(target_dir).absolute() / job_name
target_dir.mkdir(parents=True, exist_ok=True)
click.echo('Download {}\'s artifacts to {}'.format(job_name, target_dir))
tpl = '{:<10} {:>73}'
task_items = sorted(job.tasks.items())
ntasks = len(task_items)
for i, (task_name, task) in enumerate(task_items, start=1):
assets = queue.github_assets(task)
artifact_dir = target_dir / task_name
artifact_dir.mkdir(exist_ok=True)
basemsg = 'Downloading and signing assets for task {}'.format(
click.style(task_name, bold=True))
click.echo(
'\n{} {:>{size}}'.format(basemsg,
click.style('{}/{}'.format(i, ntasks),
bold=True),
size=89 - (len(basemsg) + 1) +
2 * len(click.style('', bold=True))))
click.echo('-' * 89)
for artifact in task.artifacts:
try:
asset = assets[artifact]
except KeyError:
msg = click.style('[{:>13}]'.format('MISSING'),
fg=COLORS['missing'])
click.echo(tpl.format(msg, artifact))
else:
click.echo(click.style(artifact, bold=True))
# download artifact
artifact_path = artifact_dir / asset.name
asset.download(artifact_path)
# sign the artifact
signature_path = Path(str(artifact_path) + '.asc')
with artifact_path.open('rb') as fp:
gpg.sign_file(fp,
detach=True,
clearsign=False,
binary=False,
output=str(signature_path))
# compute checksums for the artifact
artifact_bytes = artifact_path.read_bytes()
for algo in algorithm:
suffix = '.{}'.format(algo)
checksum_path = Path(str(artifact_path) + suffix)
checksum = '{} {}'.format(hashbytes(artifact_bytes, algo),
artifact_path.name)
checksum_path.write_text(checksum)
msg = click.style('[{:>13}]'.format(
'{} HASHED'.format(algo)),
fg='blue')
click.echo(tpl.format(msg, checksum_path.name))
msg = click.style('[{:>13}]'.format('SIGNED'), fg=COLORS['ok'])
click.echo(tpl.format(msg, str(signature_path.name)))
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import sys
import fs
from fs import open_fs
import gnupg
gpg = gnupg.GPG(gnupghome="/home/sammy/.gnupg")
home_fs = open_fs(".")
script_to_run = str(sys.argv[1])
with open("../../signatures/" + script_to_run + ".sig", "rb") as f:
verify = gpg.verify_file(f, script_to_run)
print(script_to_run + " ", verify.status)
if verify.status == "signature valid":
print("Signature valid, launching script...")
exec(open(script_to_run).read())
else:
print("Signature invalid or missing, ")
print("aborting script execution")
def main():
# First key: comment in zip file
zf = zipfile.ZipFile('container.zip', 'r')
filename = 'tuenti.docx'
print zf.getinfo(filename).comment
# Extracting:
zf.extract(filename)
# Second key: hidden in one of the files of the doc
zf = zipfile.ZipFile(filename, 'r')
zf.extractall()
tree = ET.parse('docProps/core.xml')
root = tree.getroot()
print root[1].text
# Third key: Lyrics of the mp3
tag = id3.Tag()
tag.parse("tuenti.mp3")
print "KEY3:", tag.lyrics[0].text[1:]
# Fourth key: title of front cover of the mp3
f = File('tuenti.mp3')
artwork = f.tags['APIC:'].data
with open('tuenti.png', 'wb') as img:
img.write(artwork)
image = Image.open('tuenti.png')
print image.info['Title']
# Fifth key: subject of the pdf
data = base64.b64decode(image.info['NextLevel'])
with open('tuenti.pdf', 'wb') as pdf:
pdf.write(data)
with open('tuenti.pdf', 'rb') as pdf:
parser = PDFParser(pdf)
doc = PDFDocument(parser)
print doc.info[0]['Subject'][3::2]
# Sixth key: subtitles of a video in the pdf
os.system('pdfdetach -saveall tuenti.pdf 2> /dev/null')
# The key is given as a subtitle, I guess there is a way to read
# the image and transform it to plain text, but it will take much
# longer than just copying it by hand
print('KEY6: XrBV392qT0DqDSCGuGDStdY6_ADKkD_4')
# Seventh key: first line of uuencoded attached file in the video
# Sorry, it's late and I'm tired of finding python packages
os.system('mkvextract attachments video.mkv 1:tuenti.txt > /dev/null')
with open('tuenti.txt', 'r') as f:
print f.readline()[:-1]
# Eigth key: title of a file in the uudecoded file
os.system('uudecode tuenti.txt > /dev/null')
os.system('gzip -cd ramdisk.cpio.gz | cpio -idmv 2> /dev/null')
for f in os.listdir('.'):
if f[:4] == 'KEY8':
filekey = f
print filekey
# Ninth key: extract the gpg file using the password from filekey
with open(filekey, 'r') as f:
password = f.readline()[12:-1]
gpg = gnupg.GPG()
with open('LastLevel.txt.gpg', 'r') as f:
encrypted_string = str(f.read())
decrypted_data = gpg.decrypt(encrypted_string, passphrase=password)
print decrypted_data.data.splitlines()[0]
All GPG dependent functionality lives here.
"""
import os
import logging
import email.utils
import subprocess
import gnupg
from . import repo
logger = logging.getLogger('github-apt-repose')
gpg = gnupg.GPG()
gpg_group = repo.parser.add_argument_group(
title='GnuPG Options',
description='Options controlling the GPG signing of the APT repository, '
'provide only one.').add_mutually_exclusive_group()
gpg_group.add_argument(
'--gpg-pub-key',
dest='gpg_pub_key',
help='The path to an exported GPG public key of the private key with '
'which to sign the APT repository (default: if present, a previously '
'generated key based on the `--repo-dir` GitHub repository).')
gpg_group.add_argument(
'--gpg-user-id',
dest='gpg_user_id',
help='The GPG `user-id` of the key to sign the APT repository with '
remarks: the following sources have been used:
www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml
remarks: this object is manually maintained
org: ORG-SNIJ1-RIPE
tech-c: JWJS1-RIPE
admin-c: JWJS1-RIPE
mnt-by: SNIJDERS-MNT
mnt-by: SNIJDERS-ROBOT-MNT
changed: [email protected]
source: RIPE"""
rpslobject = header + formatted_prefixes + footer
# sign with PGPKEY-C46D1B1C on irime
gpg = gnupg.GPG(gnupghome='/home/job/.gnupg')
try:
signed_rpslobject = str(gpg.sign(rpslobject,keyid='C46D1B1C',clearsign=True))
print "pass: signed the new object"
except:
print "error: something went wrong with signing"
sys.exit(1)
# email to [email protected]
msg = MIMEText(signed_rpslobject, 'plain')
msg['Subject'] = 'IPv6 Bogons: %s' % timestamp
msg['From'] = '*****@*****.**'
msg['To'] = '*****@*****.**'
s = smtplib.SMTP('localhost')
try:
print signed_rpslobject
import gnupg
from pprint import pprint
gpg = gnupg.GPG(gpgbinary='/usr/bin/gpg')
public_keys = gpg.list_keys()
private_keys = gpg.list_keys(True)
print('public keys:')
pprint(public_keys)
print('private keys:')
pprint(private_keys)
def __init__(self, path):
self.path = path
self.keys_path = os.path.join(path, ".keys")
self._binary = which("gpg")
self._homedir = tempfile.mkdtemp()
self._gpg = gnupg.GPG(binary=self._binary, homedir=self._homedir)
def main(reactor, homedir):
gpg = gnupg.GPG(homedir=homedir, binary=which('gpg')[0])
store = gnupgWrapper(gpg, MemoryStore())
return store.put('dockerbuild', 'silo', 'key', 'dummy')
#!/usr/bin/python
import os
#import fs
#from fs import open_fs
import gnupg
gpg = gnupg.GPG(gnupghome='/root/.gnupg')
#home_fs = open_fs(".")
"""
if os.path.exists("signatures/"):
print("Signatures directory already created")
else:
home_fs.makedir(u"signatures")
print("Created signatures directory")
"""
os.system("mkdir -p signatures")
files_dir = []
files = [f for f in os.listdir(".") if os.path.isfile(f)]
for f in files:
files_dir.append(f)
for x in files_dir:
with open(x, "rb") as f:
stream = gpg.sign_file(f,
passphrase="2V4nwd974tM1",
detach=True,
output=files_dir[files_dir.index(x)] + ".sig")
os.rename(files_dir[files_dir.index(x)] + ".sig",
"signatures/" + files_dir[files_dir.index(x)] + ".sig")
print(x + " ", stream.status)
def configure_iam_certificate(session, dns_domain: str):
iam = session.resource('iam')
cert_name = dns_domain.replace('.', '-')
certs = iam.server_certificates.all()
cert_names = [d.name for d in certs]
if cert_names:
info('Found existing SSL certs: {}'.format(', '.join(cert_names)))
else:
info('No existing SSL certs found...')
if cert_name not in cert_names:
with ActionOnExit('Uploading SSL server certificate..') as act:
dir = os.environ.get('SSLDIR')
if dir and os.path.isdir(dir):
dir += '/'
else:
dir = ''
file = dir + '_.' + dns_domain
try:
with open(file + '.crt') as fd:
cert_body = fd.read()
if os.path.isfile(
file + '.key') and os.path.getsize(file + '.key') > 0:
with open(file + '.key') as fd:
private_key = fd.read()
elif os.path.isfile(file + '.key.gpg') and os.path.getsize(
file + '.key.gpg') > 0:
try:
gpg = gnupg.GPG(gnupghome=os.path.abspath(
os.path.join(os.environ.get('HOME', '~'),
'.gnupg')))
except TypeError:
fatal_error(
'Please install python-gnupg>=0.3.8 and remove gnupg>1.0.0!'
)
with open(file + '.key.gpg', 'rb') as fd:
gpg_obj = gpg.decrypt_file(fd)
if gpg_obj.ok:
private_key = gpg_obj.data
else:
act.error('decryption error: {}'.format(
gpg_obj.stderr))
return
with open(dir + 'trusted_chain_sha256.pem') as fd:
cert_chain = fd.read()
try:
iam.create_server_certificate(
Path='/',
ServerCertificateName=cert_name,
CertificateBody=cert_body,
PrivateKey=private_key,
CertificateChain=cert_chain)
except Exception:
with open(dir + 'trusted_chain.pem') as fd:
cert_chain = fd.read()
iam.create_server_certificate(
Path='/',
ServerCertificateName=cert_name,
CertificateBody=cert_body,
PrivateKey=private_key,
CertificateChain=cert_chain)
except FileNotFoundError as e:
act.error('Could not upload SSL cert: {}'.format(e))
def main():
program_name = 'tabellarius'
allowed_log_levels = ['DEBUG', 'ERROR', 'INFO']
if python_version[0] < 3:
print('ERROR: Your need to use Python 3 to run {0}! Your version: {1}'.
format(program_name, python_version))
parser = ArgumentParser(
prog=program_name,
description='A mail-sorting tool that is less annoying')
# General args
parser.add_argument(
'-V',
action='version',
version='%(prog)s {version}'.format(version=__version__))
parser.add_argument(
'-t',
'--test',
action='store_true',
dest='test',
help=
'Run in test mode, run read-only IMAP commands only (WARNING: Bare Implementation!)',
default=None)
parser.add_argument('-l',
'--loglevel',
action='store',
dest='log_level',
help='Override log level setting ({0})'.format(
', '.join(allowed_log_levels)),
default='')
parser.add_argument(
'--gpg-homedir',
action='store',
dest='gpg_homedir',
help='Override gpg home dir setting (default: ~/.gnupg/)',
default='~/.gnupg/')
parser.add_argument(
'--sleep',
action='store',
dest='imap_sleep_time',
help='Sleep time between IMAP parsing for e-mails (default: 2)',
type=int,
default=2)
parser.add_argument(
'--confdir',
action='store',
dest='confdir',
help='Directory to search for configuration files (default: config/)',
default='config/',
required=True)
parser_results = parser.parse_args()
confdir = parser_results.confdir
test = parser_results.test
log_level = parser_results.log_level.upper()
if log_level and log_level not in allowed_log_levels:
print(
'ERROR: LOG_LEVEL {0} is not supported, supported log levels are: {1}'
.format(log_level, ', '.join(allowed_log_levels)))
exit(127)
gpg_homedir = parser_results.gpg_homedir
imap_sleep_time = parser_results.imap_sleep_time
# Config Parsing
cfg_parser = ConfigParser()
cfg_parser.load(confdir)
validation_error = cfg_parser.validate()
if validation_error:
print('ERROR: Failed to parse config directory. Config is invalid: {}'.
format(validation_error.message))
exit(127)
config = cfg_parser.dump()
if test is not None:
config['settings']['test'] = test
# Logging
logconfig = config.get('settings', {}).get('logging', {})
if log_level:
logconfig['root']['level'] = log_level
logger = Helper().create_logger(program_name, logconfig)
# Let's start working now
logger.debug('Starting new instance of %s', program_name)
logger.debug('Raw configuration: %s', config)
# Setup gnupg if necessary
for acc, acc_settings in config.get('accounts').items():
if 'password_enc' in acc_settings:
import gnupg
gpg_homedir = config.get('settings').get('gpg_homedir',
gpg_homedir)
gpg = gnupg.GPG(
homedir=gpg_homedir,
use_agent=config.get('settings').get('gpg_use_agent', False),
binary=config.get('settings').get('gpg_binary', 'gpg2'))
gpg.encoding = 'utf-8'
# Initialize connection pools
imap_pool = {}
for acc_id, acc_settings in sorted(config.get('accounts').items()):
# Check whether we got a plaintext password
acc_password = acc_settings.get('password')
if not acc_password:
# Switch to GPG-encrypted password
enc_password = None
# Shall we use gpg-agent or use Python's getpass to retreive the plain text password
if config.get('settings').get('gpg_use_agent', False):
enc_password = gpg.decrypt(
message=acc_settings.get('password_enc'))
if not enc_password.ok:
logger.error('%s: Failed to decrypt GPG message: %s',
acc_settings.get('username'),
enc_password.status)
logger.debug('%s: GPG error: %s',
acc_settings.get('username'),
enc_password.stderr)
exit(1)
acc_password = str(enc_password)
else:
acc_password = getpass(
'Please enter the IMAP password for {0} ({1}): '.format(
acc_id, acc_settings.get('username')))
logger.info('%s: Setting up IMAP connection',
acc_settings.get('username'))
imap_pool[acc_id] = IMAP(logger=logger,
server=acc_settings.get('server'),
port=acc_settings.get('port', 143),
starttls=acc_settings.get('starttls', True),
imaps=acc_settings.get('imaps', False),
tlsverify=acc_settings.get('tlsverify', True),
username=acc_settings.get('username'),
password=acc_password,
test=test)
connect = imap_pool[acc_id].connect()
if not connect.code:
logger.error(
'%s: Failed to login, please check your account credentials: %s',
acc_settings.get('username'), connect.data)
exit(127)
else:
logger.info('%s: Sucessfully logged in!',
acc_settings.get('username'))
logger.info('Entering mail-sorting loop')
while True:
for acc_id, acc_settings in sorted(config.get('accounts').items()):
pre_inbox = acc_settings.get('pre_inbox', 'PreInbox')
pre_inbox_search = acc_settings.get('pre_inbox_search', 'ALL')
sort_mailbox = acc_settings.get('sort_mailbox', None)
try:
if not imap_pool[acc_id].mailbox_exists(pre_inbox).data:
imap_pool[acc_id].logger.info(
'%s: Destination mailbox %s doesn\'t exist, creating it for you',
acc_settings.get('username'), pre_inbox)
result = imap_pool[acc_id].create_mailbox(
mailbox=pre_inbox)
if not result.code:
imap_pool[acc_id].logger.error(
'%s: Failed to create the mailbox %s: %s',
acc_settings.get('username'), pre_inbox,
result.data)
return result
mail_uids = imap_pool[acc_id].search_mails(
mailbox=pre_inbox,
criteria=pre_inbox_search,
autocreate_mailbox=True).data
if not mail_uids:
logger.debug('%s: No mails found to sort',
acc_settings.get('username'))
continue
mails = imap_pool[acc_id].fetch_mails(uids=mail_uids,
mailbox=pre_inbox).data
mails_without_match = []
for uid, mail in mails.items():
match = False
if mail.get_message_id() is None:
logger.error(
'Mail with uid={} and subject=\'{}\' doesn\'t have a message-id! Abort..'
.format(uid, mail.get_header('subject')))
exit(1)
for filter_name, filter_settings in Helper().sort_dict(
config.get('filters').get(acc_id)).items():
mail_filter = MailFilter(logger=logger,
imap=imap_pool[acc_id],
mail=mail,
config=filter_settings,
mailbox=pre_inbox)
match = mail_filter.check_rules_match()
if match:
break
if match:
continue
if sort_mailbox:
mails_without_match.append(uid)
else:
imap_pool[acc_id].set_mailflags(
uids=[uid],
mailbox=pre_inbox,
flags=acc_settings.get('unmatched_mail_flags',
['\\FLAGGED']))
if sort_mailbox and mails_without_match:
logger.info(
'%s: Moving mails that did not match any filter to %s',
acc_settings.get('username'), sort_mailbox)
for uid in mails_without_match:
mail = mails[uid]
imap_pool[acc_id].move_mail(
message_ids=[mail.get_message_id()],
source=pre_inbox,
destination=sort_mailbox,
set_flags=[])
# except IMAPClient.Error as e:
# logger.error('%s: Catching exception: %s. This is bad and I am sad. Going to sleep for a few seconds and trying again..',
# acc_settings.get('username'), e)
# sleep(10)
except Exception as e:
trace_info = exc_info()
logger.error(
'%s: Catching unknown exception: %s. Showing stack trace and going to die..',
acc_settings.get('username'), e)
print_exception(*trace_info)
del trace_info
exit(1)
logger.debug(
'All accounts checked, going to sleep for %s seconds before checking again..',
imap_sleep_time)
sleep(imap_sleep_time)
def test_binary_discovery(self):
"""Test that the path to gpg is discovered if unspecified"""
gpg = gnupg.GPG()
self.assertIsNotNone(gpg.binary)
self.assertTrue(os.path.exists(gpg.binary),
"Path does not exist: %s" % gpg.binary)
def init(self):
if self.parameters.gnupg_decrypt:
if gnupg is None:
raise ValueError('gnupg module is not available')
self.gpg = gnupg.GPG(gnupghome=self.parameters.gnupg_homedir)
import gnupg
import os
import common
gpg = gnupg.GPG(use_agent=True)
def list_keys():
keys = gpg.list_keys(True)
if not keys:
raise common.DeltaException("No PGP keys available.")
keys.sort(key=lambda x: x["fingerprint"])
return keys
def has_key(key_id):
return gpg.export_keys(key_id) is not None
def encrypt(file, key, output=None, overwrite=None):
assert output is None or not os.path.exists(output) or overwrite
assert key is not None
if type(file) in (str, bytes):
out = gpg.encrypt(file, [key],
sign=key,
armor=False,
always_trust=True,
output=output)
else:
out = gpg.encrypt_file(file, [key],
sign=key,
def __init__(self):
self._gpg = gnupg.GPG()
self._fingerprint = None
def aptKeyAdd(keyring, pubkey):
gpg = gnupg.GPG(keyring=keyring)
importres = gpg.import_keys(pubkey)
if importres.results[0]['fingerprint'] == None:
raise GPGException(importres.results[0]['text'])
def __init__(self, **kwargs):
"""Get app settings from options, from curdir git, from config file"""
ask_passphrase = kwargs.pop('ask_passphrase', None)
self.sign_drafts = kwargs.pop('sign_drafts', False)
self.force = kwargs.pop('force', False)
self.tag_name = kwargs.pop('tag_name', None)
self.repo = kwargs.pop('repo', None)
self.ppa = kwargs.pop('ppa', None)
self.ppa_upstream_suffix = kwargs.pop('ppa_upstream_suffix', None)
self.token = kwargs.pop('token', None)
self.keyid = kwargs.pop('keyid', None)
self.count = kwargs.pop('count', None)
self.dry_run = kwargs.pop('dry_run', False)
self.no_ppa = kwargs.pop('no_ppa', False)
self.verbose = kwargs.pop('verbose', False)
self.jks_keystore = kwargs.pop('jks_keystore', False)
self.jks_alias = kwargs.pop('jks_alias', False)
self.zipalign_path = kwargs.pop('zipalign_path', False)
self.config = {}
config_data = read_config()
default_repo = config_data.get('default_repo', None)
if default_repo:
if not self.repo:
self.repo = default_repo
for config in config_data.get('repos', []):
config_repo = config.get('repo', None)
if config_repo and config_repo == self.repo:
self.config = config
break
else:
self.config = config_data
if self.config:
self.repo = self.repo or self.config.get('repo', None)
self.ppa = self.ppa or self.config.get('ppa', None)
self.token = self.token or self.config.get('token', None)
self.keyid = self.keyid or self.config.get('keyid', None)
self.count = self.count or self.config.get('count', None) \
or SEARCH_COUNT
self.sign_drafts = self.sign_drafts \
or self.config.get('sign_drafts', False)
self.no_ppa = self.no_ppa \
or self.config.get('no_ppa', False)
self.verbose = self.verbose or self.config.get('verbose', None)
self.jks_keystore = self.jks_keystore \
or self.config.get('jks_keystore', JKS_KEYSTORE)
self.jks_alias = self.jks_alias \
or self.config.get('jks_alias', JKS_ALIAS)
self.zipalign_path = self.zipalign_path \
or self.config.get('zipalign_path', None)
if not self.repo:
print('no repo found, exit')
sys.exit(1)
if self.token:
os.environ['GITHUB_TOKEN'] = self.token
if not os.environ.get('GITHUB_TOKEN', None):
print('GITHUB_TOKEN environment var not set, exit')
sys.exit(1)
if self.keyid:
self.keyid = self.keyid.split('/')[-1]
self.passphrase = None
self.gpg = gnupg.GPG()
if not self.keyid:
print('no keyid set, exit')
sys.exit(1)
keylist = self.gpg.list_keys(True, keys=[self.keyid])
if not keylist:
print('no key with keyid %s found, exit' % self.keyid)
sys.exit(1)
self.uid = ', '.join(keylist[0].get('uids', ['No uid found']))
if ask_passphrase:
while not self.passphrase:
self.read_passphrase()
elif not self.check_key():
while not self.passphrase:
self.read_passphrase()
if self.zipalign_path:
try:
check_call(self.zipalign_path, stderr=FNULL)
except CalledProcessError:
pass
self.read_jks_storepass()
self.read_jks_keypass()
from os.path import expanduser
import gnupg
gpg = gnupg.GPG(gnupghome=expanduser('~/.gnupg/'))
version='GPG-Messenger 1.0')
subparsers = parser.add_subparsers(title="commands")
parser_edit = subparsers.add_parser('edit', help="edits the settings")
parser_edit.add_argument(
"setting",
help=
"specifies which level of settings to edit. Either global or facebook."
)
parser_edit.set_defaults(func=lambda args: setup_settings(args.setting))
args = parser.parse_args(
) #TODO: edit specific parameter without overwriting existing settings file
args.func(args)
if not dev:
sys.exit()
gpg = gnupg.GPG(**global_config["gpg"])
keyid = gpg.list_keys(True)[0]['keyid']
config = load_file(get_path(global_config['backend']), lambda x: json.load(x))
cookies = load_file("cookie.gpg",
lambda x: pickle.loads(gpg.decrypt(x.read()).data))
gpg_keys = load_file("keys.pickle", pickle.load, "rb")
client = make_client()
client.init()
make_thread(f=lambda: client.listen())
def verify(self, message: str) -> bool:
gpg = gnupg.GPG(gnupghome=get_setting('auth.gnupg_keyring'))
result = gpg.verify(message)
return result.valid and result.key_status is None and \
self.format_fingerprint(result.fingerprint) == self.parsed_data['fingerpr']
def test_list_keys_after_generation(self):
"Test that after key generation, the generated key is available"
self.test_list_keys_initial()
self.do_key_generation()
public_keys = self.gpg.list_keys()
self.assertTrue(is_list_with_len(public_keys, 1),
"1-element list expected")
key_info = public_keys[0]
fp = key_info['fingerprint']
self.assertTrue(fp in public_keys.key_map)
self.assertTrue(public_keys.key_map[fp] is key_info)
for _, _, sfp in key_info['subkeys']:
self.assertTrue(sfp in public_keys.key_map)
self.assertTrue(public_keys.key_map[sfp] is key_info)
# now test with sigs=True
public_keys_sigs = self.gpg.list_keys(sigs=True)
self.assertTrue(is_list_with_len(public_keys_sigs, 1),
"1-element list expected")
key_info = public_keys_sigs[0]
fp = key_info['fingerprint']
self.assertTrue(fp in public_keys_sigs.key_map)
self.assertTrue(public_keys_sigs.key_map[fp] is key_info)
self.assertTrue(is_list_with_len(key_info['sigs'], 2))
for siginfo in key_info['sigs']:
self.assertTrue(len(siginfo), 3)
for _, _, sfp in key_info['subkeys']:
self.assertTrue(sfp in public_keys_sigs.key_map)
self.assertTrue(public_keys_sigs.key_map[sfp] is key_info)
private_keys = self.gpg.list_keys(secret=True)
self.assertTrue(is_list_with_len(private_keys, 1),
"1-element list expected")
self.assertEqual(len(private_keys.fingerprints), 1)
# Now do the same test, but using keyring and secret_keyring arguments
if self.gpg.version < (2, 1):
pkn = 'pubring.gpg'
skn = 'secring.gpg'
else:
# On GnuPG >= 2.1, --secret-keyring is obsolete and ignored,
# and the keyring file name has changed.
pkn = 'pubring.kbx'
skn = None
hd = os.path.join(os.getcwd(), 'keys')
if os.name == 'posix':
pkn = os.path.join(hd, pkn)
if skn:
skn = os.path.join(hd, skn)
gpg = gnupg.GPG(gnupghome=hd,
gpgbinary=GPGBINARY,
keyring=pkn,
secret_keyring=skn)
logger.debug('Using keyring and secret_keyring arguments')
public_keys_2 = gpg.list_keys()
self.assertEqual(public_keys_2, public_keys)
private_keys_2 = gpg.list_keys(secret=True)
self.assertEqual(private_keys_2, private_keys)
# generate additional keys so that we can test listing a subset of
# keys
def get_names(key_map):
result = set()
for info in key_map.values():
for uid in info['uids']:
uid = uid.replace(' (A test user (insecure!))', '')
result.add(uid)
return result
result = self.generate_key("Charlie", "Clark", "gamma.com")
self.assertNotEqual(None, result, "Non-null result")
result = self.generate_key("Donna", "Davis", "delta.com")
self.assertNotEqual(None, result, "Non-null result")
public_keys = gpg.list_keys()
self.assertEqual(len(public_keys), 3)
actual = get_names(public_keys.key_map)
expected = set([
'Barbara Brown <*****@*****.**>',
'Charlie Clark <*****@*****.**>',
'Donna Davis <*****@*****.**>'
])
self.assertEqual(actual, expected)
# specify a single key as a string
public_keys = gpg.list_keys(keys='Donna Davis')
actual = get_names(public_keys.key_map)
expected = set(['Donna Davis <*****@*****.**>'])
self.assertEqual(actual, expected)
# specify multiple keys
public_keys = gpg.list_keys(keys=['Donna', 'Barbara'])
actual = get_names(public_keys.key_map)
expected = set([
'Barbara Brown <*****@*****.**>',
'Donna Davis <*****@*****.**>'
])
self.assertEqual(actual, expected)
def main():
available_envs = list(
map(lambda file: re.sub(r"env.(.*).conf.asc", r"\1", file),
filter(lambda file: file.startswith("env"),
os.listdir(aws_config_dir))))
parser = argparse.ArgumentParser(
description="Rolls AWS IAM Access Keys for all or specified env(s)",
epilog="Copyright (C) 2016 Karolis Labrencis <*****@*****.**>")
parser.add_argument("-e", "--env", help="environment name", required=True,
choices=available_envs + ["all"])
parser.add_argument("-s", "--send", help="Send an email with new keys to",
action="store", dest="sendkeysto")
parser.add_argument("-i", "--info", help="Send info about rotation to",
action="store", dest="sendinfoto")
parser.add_argument("-a", "--use-agent", action="store_true", help="Use GPG agent")
parser.add_argument("--gpg-binary", help="GPG binary to use")
parser.add_argument("-d", "--debug", action="store_true", help="Debug mode")
parser.add_argument("-v", "--version", help="Print version", action="version",
version="%(prog)s 1.0")
args = parser.parse_args()
if args.debug:
logging.basicConfig(format=logging.BASIC_FORMAT, level=logging.DEBUG)
logging.info("Debug output.")
if args.env == "all":
args.env = available_envs
else:
args.env = [args.env]
if args.gpg_binary is not None:
gpg = gnupg.GPG(use_agent=args.use_agent, gpgbinary=args.gpg_binary)
else:
gpg = gnupg.GPG(use_agent=args.use_agent)
phrase = get_passphrase(args.use_agent)
msgkeys = MIMEMultipart()
envs = ""
msgbody = ""
for env in args.env:
file_path = os.path.join(os.sep, aws_config_dir, "env.{0}.conf.asc".format(env))
key_id, access_key = get_current_key(env, file_path, gpg, phrase)
if key_id is None:
logging.warning("Skipping environment '{}'".format(env))
continue
client = boto3.client("iam", aws_access_key_id=key_id, aws_secret_access_key=access_key)
current_key_id = \
client.list_access_keys()["AccessKeyMetadata"][0]["AccessKeyId"]
resp = client.create_access_key()
new_id = resp["AccessKey"]["AccessKeyId"]
new_key = resp["AccessKey"]["SecretAccessKey"]
contents = CREDENTIALS_FILE_TPL.format(id=new_id, key=new_key)
private_key = gpg.list_keys(True)
encrypted = gpg.encrypt(contents, private_key[0]["uids"][0])
with open(file_path, "w") as out:
out.write(str(encrypted))
client.delete_access_key(AccessKeyId=current_key_id)
msgbody += "Rolled key for env {}: AccessKeyId={}; CreateDate={}\n".format(
env, "*" * 16 + resp["AccessKey"]["AccessKeyId"][-5:],
resp["AccessKey"]["CreateDate"]
)
if args.sendkeysto:
with open(file_path, "rb") as attach:
part1 = MIMEApplication(attach.read(), Name="env.{0}.conf.asc".format(env))
part1["Content-Disposition"] = 'attachment; filename={}'.format(
"env.{0}.conf.asc".format(env))
msgkeys.attach(part1)
envs += " {0}".format(env)
print(msgbody)
vars = dict()
if args.sendkeysto or args.sendinfoto:
smtpconf = "{}/smtp.cfg.asc".format(aws_config_dir)
srv = get_smtp_conf(smtpconf, gpg, phrase)
if args.sendkeysto:
msgkeys["To"] = args.sendkeysto
msgkeys["From"] = srv[0]
msgkeys["Subject"] = "AWS keys: {}".format(envs)
send(srv, args.sendkeysto, msgkeys.as_string())
if args.sendinfoto:
msginfo = MIMEText(msgbody, "plain", "utf-8")
msginfo["To"] = args.sendinfoto
msginfo["From"] = srv[0]
msginfo["Subject"] = "AWS weekly key(s) rotation: {0}-{1}".format(
today.strftime("%Y%m%d"), future.strftime("%Y%m%d"))
send(srv, args.sendinfoto, msginfo.as_string())
#!/usr/bin/python import gnupg gpg = gnupg.GPG(homedir='/home/ahunt/gpghome', verbose=True, ignore_homedir_permissions=True) input = gpg.gen_key_input(key_type='RSA', key_length=1024, passphrase='secret') keyresult = gpg.gen_key(input)
def handle(self, host, **kwargs):
if settings.GNUPG is None:
raise CommandError(
'GnuPG disabled by "GNUPG = None" in localsettings.py.')
if host not in settings.XMPP_HOSTS:
raise CommandError('%s: Host not named in XMPP_HOSTS setting.' %
host)
if not os.path.exists(settings.GNUPG['gnupghome']):
os.makedirs(settings.GNUPG['gnupghome'], 0o700)
# We create our own instance (and don't use settings.GPG) because it is not defined when
# creating the first key.
gpg = gnupg.GPG(**settings.GNUPG)
# option sanitization
if kwargs['name'] is None:
kwargs['name'] = host
kwargs['type'] = kwargs['type'].upper()
if gpg is not None:
fingerprint = settings.XMPP_HOSTS.get('GPG_FINGERPRINT')
secret_keys = gpg.list_keys(secret=True)
secret_fps = [k['fingerprint'] for k in secret_keys]
if fingerprint and fingerprint in secret_fps and not kwargs[
'force']:
raise CommandError(
'Fingerprint set and found, use --force to force regenration.'
)
email = settings.XMPP_HOSTS[host].get('FROM_EMAIL',
settings.DEFAULT_FROM_EMAIL)
self.stdout.write(
'Generating key for %s <%s>... (takes a long time!)' %
(host, email))
params = gpg.gen_key_input(key_length=kwargs['size'],
key_type=kwargs['type'],
name_real=kwargs['name'],
name_comment='',
name_email=email)
key = gpg.gen_key(params)
if key.fingerprint:
self.stdout.write(
'Fingerprint is "%s", add as "GPG_FINGERPRINT" to the XMPP_HOSTS entry.'
% key.fingerprint)
else:
raise CommandError('Cannot generate key, gpg output was: %s' %
key.stderr)
dest_dir = settings.STATICFILES_DIRS[0]
if not os.path.exists(dest_dir):
os.makedirs(dest_dir)
export = gpg.export_keys(key.fingerprint)
dest_path = os.path.join(dest_dir, '%s.asc' % key.fingerprint)
with open(dest_path, 'w') as stream:
stream.write(export)
self.stdout.write(
'Key exported to %s, use "manage.py collectstatic" to make the keys downloadable.'
% dest_path)
import shutil
import os
import sched, time
import gnupg
s = sched.scheduler(time.time, time.sleep)
gpg = gnupg.GPG(gpgbinary="C:\\path...\\gpg.exe")
input_data = gpg.gen_key_input(
name_email='*****@*****.**',
passphrase='password',
)
key = gpg.gen_key(input_data)
print(key)
ascii_armored_public_keys = gpg.export_keys(key.fingerprint)
ascii_armored_private_keys = gpg.export_keys(
keyids=key.fingerprint,
secret=True,
passphrase='passphrase',
)
# export
with open('mykeyfile.asc', 'w') as f:
f.write(ascii_armored_public_keys)
f.write(ascii_armored_private_keys)
# import
with open('mykeyfile.asc') as f:
key_data = f.read()
import_result = gpg.import_keys(key_data)
for k in import_result.results:
def notify_build():
"""
An endpoint to trigger an update about a build event to be sent.
This will usually be triggered by a webhook from Launchpad
"""
# Verify contents
signature = hmac.new(
flask.current_app.config["SECRET_KEY"].encode("utf-8"),
flask.request.data,
hashlib.sha1,
).hexdigest()
if "X-Hub-Signature" not in flask.request.headers:
return "No X-Hub-Signature provided\n", 403
if not hmac.compare_digest(
signature, flask.request.headers["X-Hub-Signature"].split("=")[1]):
try:
raise HTTPError(400)
except HTTPError:
flask.current_app.extensions["sentry"].captureException(
extra={
"request_headers":
str(flask.request.headers.keys()),
"message":
"x-hub-signature did not match",
"expected_signature":
signature,
"header_contents":
flask.request.headers["X-Hub-Signature"],
"extracted_signature":
flask.request.headers["X-Hub-Signature"].split("=")[1],
})
return "X-Hub-Signature does not match\n", 400
event_content = flask.request.json
status = event_content["status"]
build_url = ("https://api.launchpad.net/devel" +
event_content["livefs_build"])
launchpad = Launchpad(
username=os.environ["LAUNCHPAD_IMAGE_BUILD_USER"],
token=os.environ["LAUNCHPAD_IMAGE_BUILD_TOKEN"],
secret=os.environ["LAUNCHPAD_IMAGE_BUILD_SECRET"],
session=session,
auth_consumer=os.environ["LAUNCHPAD_IMAGE_BUILD_AUTH_CONSUMER"],
)
build = launchpad.request(build_url).json()
author_json = (gnupg.GPG().decrypt(
build["metadata_override"]["_author_data"],
passphrase=flask.current_app.config["SECRET_KEY"],
).data)
if author_json:
author = json.loads(author_json)
else:
return "_author_data could not be decoded\n", 400
email = author["email"]
names = author["name"].split(" ")
board = author["board"]
snaps = ", ".join(build["metadata_override"]["extra_snaps"])
codename = build["distro_series_link"].split("/")[-1]
version = Data().by_codename(codename).version
arch = build["distro_arch_series_link"].split("/")[-1]
build_link = build["web_link"]
build_id = build_link.split("/")[-1]
download_url = None
if status == "Successfully built":
download_url = launchpad.request(
f"{build_url}?ws.op=getFileUrls").json()[0]
session.post(
"https://pages.ubuntu.com/index.php/leadCapture/save",
data={
"FirstName": " ".join(names[:-1]),
"LastName": names[-1] if len(names) > 1 else "",
"Email": email,
"formid": "3546",
"lpId": "2154",
"subId": "30",
"munchkinId": "066-EOV-335",
"imageBuilderVersion": version,
"imageBuilderArchitecture": arch,
"imageBuilderBoard": board,
"imageBuilderSnaps": snaps,
"imageBuilderID": build_id,
"imageBuilderBuildlink": build_link,
"imageBuilderStatus": status,
"imageBuilderDownloadlink": download_url,
},
)
return "Submitted\n", 202
def returner(ret):
'''
Send an email with the data
'''
_options = _get_options(ret)
from_addr = _options.get('from')
to_addrs = _options.get('to').split(',')
host = _options.get('host')
port = _options.get('port')
user = _options.get('username')
passwd = _options.get('password')
subject = _options.get('subject') or 'Email from Salt'
gpgowner = _options.get('gpgowner')
fields = _options.get('fields').split(',') if 'fields' in _options else []
smtp_tls = _options.get('tls')
renderer = _options.get('renderer') or 'jinja'
rend = salt.loader.render(__opts__, {})
blacklist = __opts__.get('renderer_blacklist')
whitelist = __opts__.get('renderer_whitelist')
if not port:
port = 25
log.debug('SMTP port has been set to %s', port)
for field in fields:
if field in ret:
subject += ' {0}'.format(ret[field])
subject = compile_template(':string:',
rend,
renderer,
blacklist,
whitelist,
input_data=subject,
**ret)
if isinstance(subject, six.moves.StringIO):
subject = subject.read()
log.debug("smtp_return: Subject is '%s'", subject)
template = _options.get('template')
if template:
content = compile_template(template, rend, renderer, blacklist,
whitelist, **ret)
else:
template = ('id: {{id}}\r\n'
'function: {{fun}}\r\n'
'function args: {{fun_args}}\r\n'
'jid: {{jid}}\r\n'
'return: {{return}}\r\n')
content = compile_template(':string:',
rend,
renderer,
blacklist,
whitelist,
input_data=template,
**ret)
if gpgowner:
if HAS_GNUPG:
gpg = gnupg.GPG(gnupghome=os.path.expanduser(
'~{0}/.gnupg'.format(gpgowner)),
options=['--trust-model always'])
encrypted_data = gpg.encrypt(content, to_addrs)
if encrypted_data.ok:
log.debug('smtp_return: Encryption successful')
content = six.text_type(encrypted_data)
else:
log.error(
'smtp_return: Encryption failed, only an error message will be sent'
)
content = 'Encryption failed, the return data was not sent.\r\n\r\n{0}\r\n{1}'.format(
encrypted_data.status, encrypted_data.stderr)
else:
log.error(
"gnupg python module is required in order to user gpgowner in smtp returner ; ignoring gpgowner configuration for now"
)
if isinstance(content, six.moves.StringIO):
content = content.read()
message = ('From: {0}\r\n'
'To: {1}\r\n'
'Date: {2}\r\n'
'Subject: {3}\r\n'
'\r\n'
'{4}').format(from_addr, ', '.join(to_addrs),
formatdate(localtime=True), subject, content)
log.debug('smtp_return: Connecting to the server...')
server = smtplib.SMTP(host, int(port))
if smtp_tls is True:
server.starttls()
log.debug('smtp_return: TLS enabled')
if user and passwd:
server.login(user, passwd)
log.debug('smtp_return: Authenticated')
# enable logging SMTP session after the login credentials were passed
server.set_debuglevel(1)
server.sendmail(from_addr, to_addrs, message)
log.debug('smtp_return: Message sent.')
server.quit()
#!/usr/bin/python
import socket, sys, random, gnupg, os, json
from mysql import MySQL
from socket import error
from threading import Thread
config = json.loads(open("config.json").read())
path = config["shell"]["gpgdir"]
port = config["shell"]["port"]
gpg = gnupg.GPG(homedir=path)
connection_data = (config["db"]["host"], config["db"]["port"], config["db"]["user"], config["db"]["pass"], config["db"]["name"], config["db"]["charset"])
def client_handler(connection, fingerprint):
try:
code = random.randrange(0, 999999999999999)
# print(code) # DEBUG
connection.send(b"\033[1mItrago WebTool Emergency Access Shell\033[0m\nPlease decrypt the following message to verify that you are the Administrator ([email protected])!\n")
connection.send(bytes("Encrypted Message:\n%s\n" % str(gpg.encrypt(str(code), fingerprint)),'utf-8'))
connection.send(b"Message: ")
if code == int(str(connection.recv(8192).decode('utf-8')).strip('\r').strip('\n')):
connection.send(b"\n\033[1mEmergency Shell Access Granted\033[0m\n")
while True:
try:
connection.send(b"$ ")
data = str(connection.recv(8192).decode('utf-8')).strip('\r').strip('\n').strip()
if data == "exit" or data == "quit":
connection.close()
break;
elif data == "copyright":
import json
from flask import request, jsonify
from api import app, db
from model import Users, Account, System, Service
import gnupg
import datetime
gpg = gnupg.GPG(gnupghome='/home/brock/api/keytrust')
#unencrypted_string = 'Who are you and how did you get in my house?'
#encrypted_data = gpg.encrypt(unencrypted_string, '*****@*****.**')
#newuser = Users('brock', str(encrypted_data))
'''
input_data = gpg.gen_key_input(key_type="RSA", key_length=2048, name_email=username+"@"+username+".com")
key = gpg.gen_key(input_data)
'''
@app.route('/addcred/<uuid>', methods=['POST'])
def create_cred(uuid):
content = request.json
sys_username = content['username']
sys_password = content['password']
service_id = content['service_id']
encrypted_pass = encrypt_string(sys_password)
acc = Account(datetime.datetime.now(), sys_username, str(encrypted_pass),
service_id)
db.session.add(acc)