gerrit-monitoring/subcommands/encrypt.py

# Copyright (C) 2020 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import subprocess

import gnupg


ENCRYPTED_KEYS = [
    "accessToken",
    "apiUrl",
    "caCert",
    "cert",
    "htpasswd",
    "key",
    "password",
    "secret",
]


def encrypt(pgp_identifier, config_path):
    """Encrypt the config file using sops and a PGP key.

    Arguments:
        pgp_identifier {string} -- A unique identifier of the PGP key to be used.
            This can be the fingerprint, keyid or part of the uid (e.g. the email
            address)
        config_path {string} -- The path to the config file to be encrypted

    Raises:
        ValueError: Error, if no (unique) PGP key could be found
    """
    gpg = gnupg.GPG()
    gpg_keys = gpg.list_keys()
    selected_keys = list(
        filter(
            lambda k: pgp_identifier in k["fingerprint"]
            or pgp_identifier in k["keyid"]
            or len([v for v in k["uids"] if pgp_identifier in v]) > 0,
            gpg_keys,
        )
    )

    if not selected_keys:
        raise ValueError("PGP key not found.")

    if len(selected_keys) > 1:
        raise ValueError("Identifier of PGP not unique.")

    command = [
        "sops",
        "--encrypt",
        "--in-place",
        "--encrypted-regex",
        f"({'|'.join(ENCRYPTED_KEYS)})",
        "--pgp",
        selected_keys[0]["fingerprint"],
        config_path,
    ]
    subprocess.check_output(command)
Rewrite the scripts in python The scripts were written in bash. Using bash became quite unwieldy. Python by nature can deal well with yaml and is thus better suited in dealing with the yaml-based configuration files. This change rewrites the original scripts staying as close as possible to the original ones. Right now, the python scripts call subprocesses a lot to work with the tools, which were already used before. At least for yaml- templating there may be better tools that have a python integration, which could be used in the future. Change-Id: Ida16318445a05dcfdada9c7a56a391e4827f02e7 2020-03-13 08:39:41 +00:00			`# Copyright (C) 2020 The Android Open Source Project`
			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`

			`import subprocess`

			`import gnupg`


			`ENCRYPTED_KEYS = [`
			`"accessToken",`
			`"apiUrl",`
			`"caCert",`
			`"cert",`
			`"htpasswd",`
			`"key",`
			`"password",`
			`"secret",`
			`]`


			`def encrypt(pgp_identifier, config_path):`
			`"""Encrypt the config file using sops and a PGP key.`

			`Arguments:`
			`pgp_identifier {string} -- A unique identifier of the PGP key to be used.`
			`This can be the fingerprint, keyid or part of the uid (e.g. the email`
			`address)`
			`config_path {string} -- The path to the config file to be encrypted`

			`Raises:`
			`ValueError: Error, if no (unique) PGP key could be found`
			`"""`
			`gpg = gnupg.GPG()`
			`gpg_keys = gpg.list_keys()`
			`selected_keys = list(`
			`filter(`
			`lambda k: pgp_identifier in k["fingerprint"]`
			`or pgp_identifier in k["keyid"]`
			`or len([v for v in k["uids"] if pgp_identifier in v]) > 0,`
			`gpg_keys,`
			`)`
			`)`

			`if not selected_keys:`
			`raise ValueError("PGP key not found.")`

			`if len(selected_keys) > 1:`
			`raise ValueError("Identifier of PGP not unique.")`

			`command = [`
			`"sops",`
			`"--encrypt",`
			`"--in-place",`
			`"--encrypted-regex",`
			`f"({'\|'.join(ENCRYPTED_KEYS)})",`
			`"--pgp",`
			`selected_keys[0]["fingerprint"],`
			`config_path,`
			`]`
			`subprocess.check_output(command)`