Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / b094f087448e98ccf93d1b020a61432f025a25ee / . / tools / secretstore.py
blob: 4a31846ba0d88448cc5f8d60ebc0a0e0cae73ceb [file] [log] [blame]
Serge Bazanskia5be0d82018-12-23 01:35:07 +0100[diff] [blame]1#!/usr/bin/env python3
2
3# A little tool to encrypt/decrypt git secrets. Kinda like password-store, but more purpose specific and portable.
4
Sergiusz Bazanski73cef112019-04-07 00:06:23 +0200[diff] [blame]5import logging
6import os
Serge Bazanskia5be0d82018-12-23 01:35:07 +0100[diff] [blame]7import sys
8import subprocess
9
10keys = [
Sergiusz Bazanski711c4a92019-01-13 00:02:10 +0100[diff] [blame]11 "63DFE737F078657CC8A51C00C29ADD73B3563D82", # q3k
12 "482FF104C29294AD1CAF827BA43890A3DE74ECC7", # inf
Sergiusz Bazanski41bd2b52019-01-17 23:37:36 +0100[diff] [blame]13 "F07205946C07EEB2041A72FBC60C64879534F768", # cz2
Sergiusz Bazanski29afb4c2019-05-19 03:10:25 +0200[diff] [blame]14 "0879F9FCA1C836677BB808C870FD60197E195C26", # implr
Serge Bazanskia5be0d82018-12-23 01:35:07 +0100[diff] [blame]15]
16
Sergiusz Bazanski73cef112019-04-07 00:06:23 +0200[diff] [blame]17
18logger = logging.getLogger(__name__)
19
20
Sergiusz Bazanskide061802019-01-13 21:14:02 +0100[diff] [blame]21def encrypt(src, dst):
22 cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', dst]
23 for k in keys:
24 cmd.append('--recipient')
25 cmd.append(k)
26 cmd.append(src)
27 subprocess.check_call(cmd)
28
29def decrypt(src, dst):
Sergiusz Bazanskia9bb1d52019-04-28 17:13:12 +0200[diff] [blame]30 cmd = ['gpg', '--decrypt', '--batch', '--yes', '--output', dst, src]
Sergiusz Bazanskide061802019-01-13 21:14:02 +0100[diff] [blame]31 subprocess.check_call(cmd)
32
Sergiusz Bazanski73cef112019-04-07 00:06:23 +0200[diff] [blame]33
34class SecretStoreMissing(Exception):
35 pass
36
37
38class SecretStore(object):
39 def __init__(self, plain_root, cipher_root):
40 self.proot = plain_root
41 self.croot = cipher_root
42
43 def exists(self, suffix):
44 p = os.path.join(self.proot, suffix)
45 c = os.path.join(self.croot, suffix)
46 return os.path.exists(c) or os.path.exists(p)
47
48 def plaintext(self, suffix):
Piotr Dobrowolskic10f00b2019-04-09 13:29:21 +0200[diff] [blame]49 p = os.path.join(self.proot, suffix)
50 c = os.path.join(self.croot, suffix)
51
52 if not os.path.exists(p) or os.path.getctime(p) < os.path.getctime(c):
53 logger.info("Decrypting {} ({})...".format(suffix, c))
54 decrypt(c, p)
55
56 return p
Sergiusz Bazanski73cef112019-04-07 00:06:23 +0200[diff] [blame]57
58 def open(self, suffix, mode, *a, **kw):
59 p = os.path.join(self.proot, suffix)
60 c = os.path.join(self.croot, suffix)
61 if 'w' in mode:
Piotr Dobrowolskic10f00b2019-04-09 13:29:21 +0200[diff] [blame]62 return open(p, mode, *a, **kw)
Sergiusz Bazanski73cef112019-04-07 00:06:23 +0200[diff] [blame]63
64 if not self.exists(suffix):
65 raise SecretStoreMissing("Secret {} does not exist".format(suffix))
66
67 if not os.path.exists(p) or os.path.getctime(p) < os.path.getctime(c):
68 logger.info("Decrypting {} ({})...".format(suffix, c))
69 decrypt(c, p)
70
71 return open(p, mode, *a, **kw)
72
73
Serge Bazanskia5be0d82018-12-23 01:35:07 +0100[diff] [blame]74def main():
75 if len(sys.argv) < 3 or sys.argv[1] not in ('encrypt', 'decrypt'):
Sergiusz Bazanskif2a812b2019-01-13 17:51:34 +0100[diff] [blame]76 sys.stderr.write("Usage: {} encrypt/decrypt file\n".format(sys.argv[0]))
77 sys.stderr.flush()
78 return 1
Serge Bazanskia5be0d82018-12-23 01:35:07 +0100[diff] [blame]79
80 action = sys.argv[1]
81 src = sys.argv[2]
82
83 if action == 'encrypt':
Sergiusz Bazanskide061802019-01-13 21:14:02 +0100[diff] [blame]84 encrypt(src, '-')
Serge Bazanskia5be0d82018-12-23 01:35:07 +0100[diff] [blame]85 else:
Sergiusz Bazanskide061802019-01-13 21:14:02 +0100[diff] [blame]86 decrypt(src, '-')
Serge Bazanskia5be0d82018-12-23 01:35:07 +0100[diff] [blame]87
88if __name__ == '__main__':
89 sys.exit(main() or 0)