-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtestcred
executable file
·216 lines (173 loc) · 5.29 KB
/
testcred
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
#! /bin/bash
# Set of functions to handle getting and storing credentials used for testing.
#
# Usage: testcred <function> [credential_name] [credential element]
# where:
# function is init, list, verify, get, or store
#
# Bruce E. Wilson
# wilsonbe@ornl.gov
#
# License: CC0. No rights reserved and no warranties implied.
SCRIPT_NAME=testcred
# Any of these parameters can be overridden by environmental variables
if [ -z $CRED_STORE_DIR ]; then
CRED_STORE_DIR=~/.testingstore
fi
if [ -z $CRED_STORE_KEY_LENGTH ]; then
CRED_STORE_KEY_LENGTH=256
fi
if [ -z $CRED_STORE_KEY_FILE]; then
CRED_STORE_KEY_FILE=teststore.key
fi
if [ -z $CRED_STORE_CIPHER]; then
CRED_STORE_CIPHER=-aes-256-cbc
fi
if [ -z $CRED_STORE_ARMOR]; then
CRED_STORE_ARMOR=CredStore:
fi
print_usage() {
echo "Usage: $SCRIPT_NAME <init|store|get|verify> [credential_name] [credential_element] "
}
getcred() {
# The credential name should be the first argument passed to this function
if [ -z $1 ]; then
echo "$SCRIPT_NAME: Error finding credential name in get routine"
print_usage
exit 2
fi
CRED_NAME=$1
if [ ! -e $CRED_STORE_DIR/$CRED_NAME.u.enc ]; then
echo "Error: Credential $CRED_NAME username file does not exist"
exit 2
fi
if [ ! -e $CRED_STORE_DIR/$CRED_NAME.p.enc ]; then
echo "Error: Credential $CRED_NAME password file does not exist"
exit 2
fi
# What to retrieve is the second argument passed to this function
case $2 in
username)
TARGET_ELEMENT=username
TARGET_FILE=$CRED_STORE_DIR/$CRED_NAME.u.enc
;;
password)
TARGET_ELEMENT=password
TARGET_FILE=$CRED_STORE_DIR/$CRED_NAME.p.enc
;;
*)
echo "$SCRIPT_NAME: Error finding credential element in get routine"
print_usage
exit 2
esac
RETRIEVED_CREDENTIAL=`cat $CRED_STORE_DIR/$CRED_STORE_KEY_FILE | openssl enc -d $CRED_STORE_CIPHER -in $TARGET_FILE -pass stdin`
if [[ $RETRIEVED_CREDENTIAL =~ "$CRED_STORE_ARMOR"* ]] ; then
ACTUAL_CREDENTIAL=${RETRIEVED_CREDENTIAL:${#CRED_STORE_ARMOR}}
echo -n "$ACTUAL_CREDENTIAL"
else
echo "Decryption failure for $CRED_NAME $TARGET_ELEMENT"
exit 2
fi
}
initcred() {
# Check to see if the directory exists
if [ ! -d $CRED_STORE_DIR ] ; then
mkdir $CRED_STORE_DIR
chmod 700 $CRED_STORE_DIR
else
# directory exists, force the permissions
chmod 700 $CRED_STORE_DIR
fi
# Create a file to be the symmetric encryption key.
if [ -e $CRED_STORE_DIR/$CRED_STORE_KEY_FILE ]; then
read -p "Credential key file already exists. Overwrite? [yY]: "
echo
if [[ $REPLY =~ ^[Yy][Ee]*[Ss]* ]]; then
openssl rand -out $CRED_STORE_DIR/$CRED_STORE_KEY_FILE $CRED_STORE_KEY_LENGTH
fi
else
openssl rand -out $CRED_STORE_DIR/$CRED_STORE_KEY_FILE $CRED_STORE_KEY_LENGTH
fi
}
storecred() {
# Get the name of this credential, the username, and then the password
read -p "Enter name for credential: "
CRED_NAME=$REPLY
read -p "Enter username for credential $CRED_USER: "
CRED_USER=$REPLY
read -p "Enter password for credential $CRED_USER: "
CRED_PASS=$REPLY
# Use the key file in the store directory and create $CRED_NAME.u.enc and $CRED_NAME.p.enc
echo "$CRED_STORE_ARMOR$CRED_USER" >$CRED_STORE_DIR/tmp.u.txt
cat $CRED_STORE_DIR/$CRED_STORE_KEY_FILE | openssl enc $CRED_STORE_CIPHER -in $CRED_STORE_DIR/tmp.u.txt -out $CRED_STORE_DIR/$CRED_NAME.u.enc -pass stdin
shred $CRED_STORE_DIR/tmp.u.txt
echo "$CRED_STORE_ARMOR$CRED_PASS" >$CRED_STORE_DIR/tmp.p.txt
cat $CRED_STORE_DIR/$CRED_STORE_KEY_FILE | openssl enc $CRED_STORE_CIPHER -in $CRED_STORE_DIR/tmp.p.txt -out $CRED_STORE_DIR/$CRED_NAME.p.enc -pass stdin
shred $CRED_STORE_DIR/tmp.p.txt
}
verifycredential() {
# The credential name should be the first argument passed to this function
if [ -z $1 ]; then
echo "$SCRIPT_NAME: Error finding credential name in get routine"
print_usage
exit 2
fi
CRED_NAME=$1
if [ ! -e $CRED_STORE_DIR/$CRED_NAME.u.enc ]; then
echo "Error: Credential $CRED_NAME username file does not exist"
exit 2
fi
if [ ! -e $CRED_STORE_DIR/$CRED_NAME.p.enc ]; then
echo "Error: Credential $CRED_NAME password file does not exist"
exit 2
fi
RETRIEVED_USERNAME=`cat $CRED_STORE_DIR/$CRED_STORE_KEY_FILE | openssl enc -d $CRED_STORE_CIPHER -in $CRED_STORE_DIR/$CRED_NAME.u.enc -pass stdin`
RETRIEVED_PASSWORD=`cat $CRED_STORE_DIR/$CRED_STORE_KEY_FILE | openssl enc -d $CRED_STORE_CIPHER -in $CRED_STORE_DIR/$CRED_NAME.p.enc -pass stdin`
if [[ ! $RETRIEVED_USERNAME =~ "$CRED_STORE_ARMOR"* ]] ; then
echo "Decryption failure for $CRED_NAME $TARGET_ELEMENT"
exit 2
fi
if [[ ! $RETRIEVED_PASSWORD =~ "$CRED_STORE_ARMOR"* ]] ; then
echo "Decryption failure for $CRED_NAME $TARGET_ELEMENT"
exit 2
fi
echo "Credential $CRED_NAME validated successfully."
}
verifystore() {
if [ ! -d $CRED_STORE_DIR ]; then
echo "ERROR -- Credential store does not exist. Run $SCRIPT_NAME init."
exit 2
fi
}
#### Main body
case $1 in
init)
initcred
exit 0
;;
store)
verifystore
storecred
exit 0
;;
get)
ARG_CRED_NAME=$2
ARG_CRED_ELEMENT=$3
verifystore
getcred $ARG_CRED_NAME $ARG_CRED_ELEMENT
exit 0
;;
verify)
ARG_CRED_NAME=$2
verifystore
verifycredential $ARG_CRED_NAME
exit 0
;;
*)
print_usage
exit 1
;;
esac
# If we get here, something is wrong.
echo "Logic problem in $SCRIPT_NAME: unexpected exit"
exit 1 # Should never actually get here