add command

itn3000 · itn3000 · commit 8929d86e557c · 2019-07-09T20:42:35.000+09:00
diff --git a/dotnet-ansible-vault-decoder/AnsibleVaultCodec.cs b/dotnet-ansible-vault-decoder/AnsibleVaultCodec.cs
@@ -11,9 +11,9 @@ namespace dotnet_ansible_vault_decoder
 {
     public class AnsibleVaultCodec
     {
-        public void Decode(string vaultFilePath, byte[] password, Stream output)
+        public void Decode(TextReader vaultFileReader, byte[] password, Stream output)
         {
-            var vaultFile = AnsibleVaultFile.Load(vaultFilePath);
+            var vaultFile = AnsibleVaultFile.Load(vaultFileReader);
             var cipher = CipherUtilities.GetCipher("AES/CTR/PKCS7Padding");
             var pbkdf2 = new Rfc2898DeriveBytes(password, vaultFile.Salt, 10000, HashAlgorithmName.SHA256);
             var derived = pbkdf2.GetBytes(32 + 32 + 16);
@@ -22,7 +22,7 @@ public void Decode(string vaultFilePath, byte[] password, Stream output)
             var iv = derived.AsSpan(64, 16).ToArray();
             var hmac256 = new HMACSHA256(hmacKey);
             var actualhmac = hmac256.ComputeHash(vaultFile.EncryptedBytes);
-            if(!actualhmac.AsSpan().SequenceEqual(vaultFile.ExpectedHMac))
+            if (!actualhmac.AsSpan().SequenceEqual(vaultFile.ExpectedHMac))
             {
                 throw new InvalidKeyException("HMAC check error: invalid password");
             }
@@ -31,7 +31,15 @@ public void Decode(string vaultFilePath, byte[] password, Stream output)
             var decrypted = cipher.DoFinal(vaultFile.EncryptedBytes);
             output.Write(decrypted.AsSpan());
         }
-        public void Encode(byte[] data, byte[] password, byte[] salt, TextWriter output, int width)
+        public void Decode(string vaultFilePath, byte[] password, Stream output)
+        {
+            using(var stm = File.OpenRead(vaultFilePath))
+            using(var sr = new StreamReader(stm, Encoding.UTF8))
+            {
+                Decode(sr, password, output);
+            }
+        }
+        public void Encode(byte[] data, byte[] password, byte[] salt, TextWriter output, string label, int width)
         {
             var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 10000, HashAlgorithmName.SHA256);
             var derived = pbkdf2.GetBytes(32 + 32 + 16);
@@ -49,7 +57,7 @@ public void Encode(byte[] data, byte[] password, byte[] salt, TextWriter output,
             var hmac256 = new HMACSHA256(hmacKey);
             vaultFile.EncryptedBytes = encrypted;
             vaultFile.ExpectedHMac = hmac256.ComputeHash(encrypted);
-            AnsibleVaultFile.Save(vaultFile, output, width);
+            AnsibleVaultFile.Save(vaultFile, output, label, width);
         }
     }
 }
diff --git a/dotnet-ansible-vault-decoder/AnsibleVaultFile.cs b/dotnet-ansible-vault-decoder/AnsibleVaultFile.cs
@@ -10,43 +10,59 @@ class AnsibleVaultFile
         const string AnsibleVaultSignature = "$ANSIBLE_VAULT";
         public string Version { get; set; }
         public string Algorithm { get; set; }
+        public string Label { get; set; }
         public byte[] Salt { get; set; }
         public byte[] ExpectedHMac { get; set; }
         public byte[] EncryptedBytes { get; set; }
-        public static AnsibleVaultFile Load(string filePath)
+        public static AnsibleVaultFile Load(TextReader sr)
         {
             var ret = new AnsibleVaultFile();
-            using (var stm = File.OpenRead(filePath))
-            using (var sr = new StreamReader(stm, Encoding.UTF8))
+            var headerString = sr.ReadLine();
+            var header = headerString.Split(';');
+            if (header[0] != AnsibleVaultSignature)
             {
-                var headerString = sr.ReadLine();
-                var header = headerString.Split(';');
-                if (header[0] != AnsibleVaultSignature)
-                {
-                    throw new ArgumentException($"invalid ansible vault header:{headerString}");
-                }
-                ret.Version = header[1];
-                ret.Algorithm = header[2];
-                var bodyBytes = new List<byte>();
-                while (true)
+                throw new ArgumentException($"invalid ansible vault header:{headerString}");
+            }
+            ret.Version = header[1];
+            ret.Algorithm = header[2];
+            if(header.Length > 3)
+            {
+                ret.Label = header[3];
+            }
+            var bodyBytes = new List<byte>();
+            while (true)
+            {
+                var line = sr.ReadLine();
+                if (line == null)
                 {
-                    var line = sr.ReadLine();
-                    if (line == null)
-                    {
-                        break;
-                    }
-                    ByteUtil.ConvertToBytes(line, bodyBytes);
+                    break;
                 }
-                var (salt, expectedhmac, encrypted_bytes) = DecodeBody(bodyBytes.ToArray());
-                ret.Salt = salt;
-                ret.ExpectedHMac = expectedhmac;
-                ret.EncryptedBytes = encrypted_bytes;
+                ByteUtil.ConvertToBytes(line, bodyBytes);
             }
+            var (salt, expectedhmac, encrypted_bytes) = DecodeBody(bodyBytes.ToArray());
+            ret.Salt = salt;
+            ret.ExpectedHMac = expectedhmac;
+            ret.EncryptedBytes = encrypted_bytes;
             return ret;
         }
-        public static void Save(AnsibleVaultFile f, TextWriter output, int width = 80)
+        public static AnsibleVaultFile Load(string filePath)
         {
-            output.WriteLine($"{AnsibleVaultSignature};{f.Version};{f.Algorithm}");
+            using (var stm = File.OpenRead(filePath))
+            using (var sr = new StreamReader(stm, Encoding.UTF8))
+            {
+                return Load(sr);
+            }
+        }
+        public static void Save(AnsibleVaultFile f, TextWriter output, string label, int width = 80)
+        {
+            if(string.IsNullOrEmpty(f.Label))
+            {
+                output.WriteLine($"{AnsibleVaultSignature};{f.Version};{f.Algorithm}");
+            }
+            else
+            {
+                output.WriteLine($"{AnsibleVaultSignature};{f.Version};{f.Algorithm};{f.Label}");
+            }
             var data = new byte[f.Salt.Length + f.ExpectedHMac.Length + f.EncryptedBytes.Length + 2];
             var dataSpan = data.AsSpan();
             f.Salt.AsSpan().CopyTo(dataSpan);
@@ -55,7 +71,7 @@ public static void Save(AnsibleVaultFile f, TextWriter output, int width = 80)
             dataSpan[f.Salt.Length + 1 + f.ExpectedHMac.Length] = 0x0a;
             f.EncryptedBytes.AsSpan().CopyTo(dataSpan.Slice(f.Salt.Length + f.ExpectedHMac.Length + 2));
             Span<char> buffer = stackalloc char[width];
-            while(!dataSpan.IsEmpty)
+            while (!dataSpan.IsEmpty)
             {
                 var len = Math.Min(40, dataSpan.Length);
                 ByteUtil.ConvertToHexChars(dataSpan.Slice(0, len), buffer);
diff --git a/dotnet-ansible-vault-decoder/Program.cs b/dotnet-ansible-vault-decoder/Program.cs
@@ -1,16 +1,138 @@
 ﻿using System;
+using System.IO;
+using System.Text;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+using MicroBatchFramework;
 
 namespace dotnet_ansible_vault_decoder
 {
     class Program
     {
-        static void Main(string[] args)
+        static async Task Main(string[] args)
         {
-            Console.WriteLine("Hello World!");
+            await BatchHost.CreateDefaultBuilder().RunBatchEngineAsync(args);
         }
     }
 
-    class EncodingBatch : MicroBatchFramework.BatchBase
+    class EncodeVault : BatchBase
     {
+        Stream GetInputStream(string filePath)
+        {
+            if (!string.IsNullOrEmpty(filePath))
+            {
+                return File.OpenRead(filePath);
+            }
+            else
+            {
+                return Console.OpenStandardInput();
+            }
+        }
+        Stream GetOutputStream(string filePath, bool truncate)
+        {
+            if (!string.IsNullOrEmpty(filePath))
+            {
+                if (truncate)
+                {
+                    return File.Create(filePath);
+                }
+                else
+                {
+                    var ret = File.OpenWrite(filePath);
+                    ret.Seek(0, SeekOrigin.End);
+                    return ret;
+                }
+            }
+            else
+            {
+                return Console.OpenStandardOutput();
+            }
+        }
+        byte[] GetPassword(string password)
+        {
+            if (!string.IsNullOrEmpty(password))
+            {
+                return Encoding.UTF8.GetBytes(password);
+            }
+            else
+            {
+                password = Environment.GetEnvironmentVariable("ANSIBLE_VAULT_PASS");
+                return Encoding.UTF8.GetBytes(password);
+            }
+        }
+        public void Decode(string filePath = null, string password = null, string output = null)
+        {
+            var codec = new AnsibleVaultCodec();
+            using (var stm = GetInputStream(filePath))
+            using (var ostm = GetOutputStream(output, true))
+            {
+                using (var sr = new StreamReader(stm, Encoding.UTF8))
+                {
+                    codec.Decode(sr, GetPassword(password), ostm);
+                }
+            }
+        }
+        string EolOptionToEolString(string eol)
+        {
+            if (string.IsNullOrEmpty(eol))
+            {
+                return null;
+            }
+            if (eol.Equals("crlf", StringComparison.OrdinalIgnoreCase))
+            {
+                return "\r\n";
+            }
+            else if (eol.Equals("lf", StringComparison.OrdinalIgnoreCase))
+            {
+                return "\n";
+            }
+            else if (eol.Equals("cr", StringComparison.OrdinalIgnoreCase))
+            {
+                return "\r";
+            }
+            else
+            {
+                return null;
+            }
+        }
+        byte[] CreateSalt()
+        {
+            using (var rng = RandomNumberGenerator.Create())
+            {
+                var data = new byte[32];
+                rng.GetBytes(data);
+                return data;
+            }
+        }
+        public void Encode(string filePath = null, string password = null, string output = null, string eol = null, string label = null)
+        {
+            var codec = new AnsibleVaultCodec();
+            using (var stm = GetInputStream(filePath))
+            using (var ostm = GetOutputStream(output, true))
+            {
+                using (var sw = new StreamWriter(ostm, new UTF8Encoding(false)))
+                {
+                    var lst = new List<byte>();
+                    var buf = new byte[4096];
+                    while (true)
+                    {
+                        var bytesread = stm.Read(buf, 0, 4096);
+                        if (bytesread <= 0)
+                        {
+                            break;
+                        }
+                        lst.AddRange(buf.Take(bytesread));
+                    }
+                    var eolString = EolOptionToEolString(eol);
+                    if (eolString != null)
+                    {
+                        sw.NewLine = eolString;
+                    }
+                    codec.Encode(lst.ToArray(), GetPassword(password), CreateSalt(), sw, label, 80);
+                }
+            }
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,9 +11,9 @@ namespace dotnet_ansible_vault_decoder`
`11`	`11`	`{`
`12`	`12`	`public class AnsibleVaultCodec`
`13`	`13`	`{`
`14`		`- public void Decode(string vaultFilePath, byte[] password, Stream output)`
	`14`	`+ public void Decode(TextReader vaultFileReader, byte[] password, Stream output)`
`15`	`15`	`{`
`16`		`- var vaultFile = AnsibleVaultFile.Load(vaultFilePath);`
	`16`	`+ var vaultFile = AnsibleVaultFile.Load(vaultFileReader);`
`17`	`17`	`var cipher = CipherUtilities.GetCipher("AES/CTR/PKCS7Padding");`
`18`	`18`	`var pbkdf2 = new Rfc2898DeriveBytes(password, vaultFile.Salt, 10000, HashAlgorithmName.SHA256);`
`19`	`19`	`var derived = pbkdf2.GetBytes(32 + 32 + 16);`
`@@ -22,7 +22,7 @@ public void Decode(string vaultFilePath, byte[] password, Stream output)`
`22`	`22`	`var iv = derived.AsSpan(64, 16).ToArray();`
`23`	`23`	`var hmac256 = new HMACSHA256(hmacKey);`
`24`	`24`	`var actualhmac = hmac256.ComputeHash(vaultFile.EncryptedBytes);`
`25`		`- if(!actualhmac.AsSpan().SequenceEqual(vaultFile.ExpectedHMac))`
	`25`	`+ if (!actualhmac.AsSpan().SequenceEqual(vaultFile.ExpectedHMac))`
`26`	`26`	`{`
`27`	`27`	`throw new InvalidKeyException("HMAC check error: invalid password");`
`28`	`28`	`}`
`@@ -31,7 +31,15 @@ public void Decode(string vaultFilePath, byte[] password, Stream output)`
`31`	`31`	`var decrypted = cipher.DoFinal(vaultFile.EncryptedBytes);`
`32`	`32`	`output.Write(decrypted.AsSpan());`
`33`	`33`	`}`
`34`		`- public void Encode(byte[] data, byte[] password, byte[] salt, TextWriter output, int width)`
	`34`	`+ public void Decode(string vaultFilePath, byte[] password, Stream output)`
	`35`	`+ {`
	`36`	`+ using(var stm = File.OpenRead(vaultFilePath))`
	`37`	`+ using(var sr = new StreamReader(stm, Encoding.UTF8))`
	`38`	`+ {`
	`39`	`+ Decode(sr, password, output);`
	`40`	`+ }`
	`41`	`+ }`
	`42`	`+ public void Encode(byte[] data, byte[] password, byte[] salt, TextWriter output, string label, int width)`
`35`	`43`	`{`
`36`	`44`	`var pbkdf2 = new Rfc2898DeriveBytes(password, salt, 10000, HashAlgorithmName.SHA256);`
`37`	`45`	`var derived = pbkdf2.GetBytes(32 + 32 + 16);`
`@@ -49,7 +57,7 @@ public void Encode(byte[] data, byte[] password, byte[] salt, TextWriter output,`
`49`	`57`	`var hmac256 = new HMACSHA256(hmacKey);`
`50`	`58`	`vaultFile.EncryptedBytes = encrypted;`
`51`	`59`	`vaultFile.ExpectedHMac = hmac256.ComputeHash(encrypted);`
`52`		`- AnsibleVaultFile.Save(vaultFile, output, width);`
	`60`	`+ AnsibleVaultFile.Save(vaultFile, output, label, width);`
`53`	`61`	`}`
`54`	`62`	`}`
`55`	`63`	`}`