def _encrypt_or_decrypt_config(config, is_decrypt=False): for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS: config_arr = config parent_config_arr = None # Because the config isn't flat, this for-loop gets the actual config value out of the config for config_key_part in config_arr_as_array: parent_config_arr = config_arr config_arr = config_arr[config_key_part] if isinstance(config_arr, collections.Sequence) and not isinstance( config_arr, str): for i in range(len(config_arr)): # Check if array of shh key pairs and then decrypt if isinstance(config_arr[i], dict) and 'public_key' in config_arr[i]: config_arr[i] = ConfigService.decrypt_ssh_key_pair(config_arr[i]) if is_decrypt else \ ConfigService.decrypt_ssh_key_pair(config_arr[i], True) else: config_arr[i] = encryptor.dec( config_arr[i]) if is_decrypt else encryptor.enc( config_arr[i]) else: parent_config_arr[config_arr_as_array[-1]] = \ encryptor.dec(config_arr) if is_decrypt else encryptor.enc(config_arr)
def decrypt_flat_config(flat_config, is_island=False): """ Same as decrypt_config but for a flat configuration """ keys = [ config_arr_as_array[2] for config_arr_as_array in ENCRYPTED_CONFIG_ARRAYS ] for key in keys: if isinstance(flat_config[key], collections.Sequence) and not isinstance( flat_config[key], str): # Check if we are decrypting ssh key pair if flat_config[key] and isinstance( flat_config[key][0], dict) and 'public_key' in flat_config[key][0]: flat_config[key] = [ ConfigService.decrypt_ssh_key_pair(item) for item in flat_config[key] ] else: flat_config[key] = [ encryptor.dec(item) for item in flat_config[key] ] else: flat_config[key] = encryptor.dec(flat_config[key]) return flat_config
def decrypt_ssh_key_pair(pair, encrypt=False): if encrypt: pair['public_key'] = encryptor.enc(pair['public_key']) pair['private_key'] = encryptor.enc(pair['private_key']) else: pair['public_key'] = encryptor.dec(pair['public_key']) pair['private_key'] = encryptor.dec(pair['private_key']) return pair
def censor_hash(hash_, plain_chars=5): """ Decrypts and obfuscates hash by only showing a part of it :param hash_: Hash to obfuscate :param plain_chars: How many chars of hash should be shown :return: Obfuscated string """ if not hash_: return "" hash_ = encryptor.dec(hash_) return hash_[0:plain_chars] + ' ...'
def censor_password(password, plain_chars=3, secret_chars=5): """ Decrypts and obfuscates password by changing characters to * :param password: Password or string to obfuscate :param plain_chars: How many plain-text characters should be kept at the start of the string :param secret_chars: How many * symbols should be used to hide the remainder of the password :return: Obfuscated string e.g. Pass**** """ if not password: return "" password = encryptor.dec(password) return password[0:plain_chars] + '*' * secret_chars
def get_config_value(config_key_as_arr, is_initial_config=False, should_decrypt=True): """ Get a specific config value. :param config_key_as_arr: The config key as an array. e.g. ['basic', 'credentials', 'exploit_password_list']. :param is_initial_config: If True, returns the value of the initial config instead of the current config. :param should_decrypt: If True, the value of the config key will be decrypted (if it's in the list of encrypted config values). :return: The value of the requested config key. """ config_key = functools.reduce(lambda x, y: x + '.' + y, config_key_as_arr) config = mongo.db.config.find_one( {'name': 'initial' if is_initial_config else 'newconfig'}, {config_key: 1}) for config_key_part in config_key_as_arr: config = config[config_key_part] if should_decrypt: if config_key_as_arr in ENCRYPTED_CONFIG_ARRAYS: config = [encryptor.dec(x) for x in config] elif config_key_as_arr in ENCRYPTED_CONFIG_STRINGS: config = encryptor.dec(config) return config