def keyring(deployment, keyring_file='~/.nrg-keyring.enc', passphrase=None):
'''
Get keyring for deployment
:param deployment: Deployment name
:type deployment: str
:param keyring_file: Keyring file
:type keyring_file: str
:param passphrase: Passphrase to decrypt keyring
:type passphrase: str
:returns: Deployment keyring
:rtype: dict
'''
if deployment == None:
return keyring_from_env()
if passphrase == None:
if 'NRG_KEYRING_PASS' in os.environ:
passphrase = os.environ['NRG_KEYRING_PASS']
else:
passphrase = gp.getpass('enter keyring passphrase: ')
keyring_file = os.path.expanduser(keyring_file)
with open(keyring_file, 'rb') as fo:
key = crypt.key_from_file(fo, passphrase)
content = b''
for chunk in crypt.decrypt(fo, key):
content += chunk
try:
js = json.loads(content)
except ValueError as e:
raise KeyringError('could not decrypt file {0} (wrong passphrase perhaps?)'.format(keyring_file))
return js[deployment]
def load(f, archive_base=None):
'''load configuration file and keyring'''
logger.debug('loading configuration')
with open(os.path.expanduser(f), 'rb') as fp:
Lochness = _read_config_file(fp)
if archive_base:
Lochness['phoenix_root'] = archive_base
if 'phoenix_root' not in Lochness:
raise ConfigError(
'need either --archive-base or \'phoenix_root\' in config file')
Lochness['phoenix_root'] = os.path.expanduser(Lochness['phoenix_root'])
Lochness['keyring_file'] = os.path.expanduser(Lochness['keyring_file'])
with open(Lochness['keyring_file'], 'rb') as fp:
logger.info('reading keyring file {0}'.format(
Lochness['keyring_file']))
if 'NRG_KEYRING_PASS' in os.environ:
load.passphrase = os.environ['NRG_KEYRING_PASS']
if not load.passphrase:
load.passphrase = gp.getpass('enter passphrase: ')
key = crypt.key_from_file(fp, load.passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
try:
Lochness['keyring'] = yaml.load(content, Loader=yaml.FullLoader)
except yaml.reader.ReaderError:
raise KeyringError(
'could not decrypt keyring {0} (wrong passphrase?)'.format(
Lochness['keyring_file']))
return Lochness
def load_encrypted_keyring(enc_keyring_loc: str) -> dict:
with open(enc_keyring_loc, 'rb') as fp:
passphrase = gp.getpass('enter passphrase: ')
key = crypt.key_from_file(fp, passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
keyring_dict = yaml.load(content, Loader=yaml.FullLoader)
return keyring_dict
def main():
parser = ap.ArgumentParser('File encryption/decryption utility')
group1 = parser.add_mutually_exclusive_group(required=True)
group1.add_argument('--decrypt', action='store_true', help='Decrypt file')
group1.add_argument('--encrypt', action='store_true', help='Encrypt file')
parser.add_argument('-o', '--output-file', help='Output file')
parser.add_argument('--debug',
action='store_true',
help='Enable debug messages')
parser.add_argument('file', help='File to encrypt or decrypt')
args = parser.parse_args()
# read passphrase (ask twice for --encrypt)
if 'ENCRYPT_PASS' in os.environ:
passphrase = os.environ['ENCRYPT_PASS']
else:
passphrase = gp.getpass('enter passphrase: ')
if args.encrypt:
reentered = gp.getpass('re-enter passphrase: ')
if passphrase != reentered:
logger.critical('passphrases do not match')
sys.exit(1)
# get file handle
raw = get(args.file)
# get key using file header, or build a new one
if args.decrypt:
key = crypt.key_from_file(raw, passphrase)
else:
key = crypt.kdf(passphrase)
# lock or unlock the file
if args.decrypt:
if not args.output_file:
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
for chunk in crypt.decrypt(raw, key):
stdout.write(chunk)
else:
if overwrite(args.output_file):
logger.info('saving {}'.format(args.output_file))
crypt.decrypt(raw, key, filename=args.output_file)
elif args.encrypt:
if not args.output_file:
stdout = os.fdopen(sys.stdout.fileno(), 'wb')
for chunk in crypt.encrypt(raw, key):
stdout.write(chunk)
else:
if overwrite(args.output_file):
logger.info('saving {}'.format(args.output_file))
crypt.encrypt(raw, key, filename=args.output_file)
def config_load_test(f: 'location', archive_base=None):
'''load configuration file and keyring'''
config.logger.debug('loading configuration')
with open(os.path.expanduser(f), 'rb') as fp:
Lochness = config._read_config_file(fp)
if archive_base:
Lochness['phoenix_root'] = archive_base
if 'phoenix_root' not in Lochness:
raise config.ConfigError('need either --archive-base or '
'\'phoenix_root\' in config file')
if 'BIDS' not in Lochness:
Lochness['BIDS'] = False
Lochness['phoenix_root'] = os.path.expanduser(Lochness['phoenix_root'])
Lochness['keyring_file'] = os.path.expanduser(Lochness['keyring_file'])
# box file pattern strings from the config to string template
# regardless of the selected study in the args
if 'box' in Lochness:
for _, study_dict in Lochness['box'].items():
for _, modality_values in study_dict['file_patterns'].items():
for modality_dict in modality_values:
modality_dict['pattern'] = \
config.string.Template(modality_dict['pattern'])
with open(Lochness['keyring_file'], 'rb') as fp:
config.logger.info(f'reading keyring file {Lochness["keyring_file"]}')
passphrase = ''
key = crypt.key_from_file(fp, passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
try:
Lochness['keyring'] = config.yaml.load(
content,
Loader=config.yaml.FullLoader)
except config.yaml.reader.ReaderError:
raise config.KeyringError('could not decrypt keyring {0} (wrong passphrase?)'.format(Lochness['keyring_file']))
return Lochness
def load(f: 'location', archive_base=None):
'''load configuration file and keyring'''
logger.debug('loading configuration')
with open(os.path.expanduser(f), 'rb') as fp:
Lochness = _read_config_file(fp)
if archive_base:
Lochness['phoenix_root'] = archive_base
if 'phoenix_root' not in Lochness:
raise ConfigError('need either --archive-base or '
'\'phoenix_root\' in config file')
Lochness['phoenix_root'] = os.path.expanduser(Lochness['phoenix_root'])
Lochness['keyring_file'] = os.path.expanduser(Lochness['keyring_file'])
# box file pattern strings from the config to string template
# regardless of the selected study in the args
if 'box' in Lochness:
for _, study_dict in Lochness['box'].items():
for _, modality_values in study_dict['file_patterns'].items():
for modality_dict in modality_values:
modality_dict['pattern'] = \
string.Template(modality_dict['pattern'])
with open(Lochness['keyring_file'], 'rb') as fp:
logger.info('reading keyring file {0}'.format(
Lochness['keyring_file']))
if 'NRG_KEYRING_PASS' in os.environ:
load.passphrase = os.environ['NRG_KEYRING_PASS']
if not load.passphrase:
load.passphrase = gp.getpass('enter passphrase: ')
key = crypt.key_from_file(fp, load.passphrase)
content = b''
for chunk in crypt.decrypt(fp, key):
content += chunk
try:
Lochness['keyring'] = yaml.load(content, Loader=yaml.FullLoader)
except yaml.reader.ReaderError:
raise KeyringError(
'could not decrypt keyring {0} (wrong passphrase?)'.format(
Lochness['keyring_file']))
return Lochness
def test_write_file():
original = b'''Lorem ipsum dolor sit amet, consectetur adipiscing elit,
sed do eiusmod tempor incididunt ut labore et dolore
magna aliqua. Ut enim ad minim veniam, quis nostrud
exercitation ullamco laboris nisi ut aliquip ex ea commodo
consequat.'''
passphrase = 'foo bar biz bat'
key = crypt.kdf(passphrase)
with tf.NamedTemporaryFile(dir=DIR, prefix='enc', delete=False) as enc_tmp:
crypt.encrypt_to_file(enc_tmp.name, io.BytesIO(original), key)
key = None
with tf.NamedTemporaryFile(dir=DIR, prefix='dec', delete=False) as dec_tmp:
with open(enc_tmp.name, 'rb') as fo:
key = crypt.key_from_file(fo, passphrase)
crypt.decrypt_to_file(dec_tmp.name, fo, key)
os.remove(enc_tmp.name)
with open(dec_tmp.name, 'rb') as fo:
decrypted = fo.read()
os.remove(dec_tmp.name)
assert decrypted == original