authorJake Hunsaker <jhunsake@redhat.com>2022-04-19 17:28:07 -0400
committerJake Hunsaker <jhunsake@redhat.com>2022-04-26 09:44:32 -0400
commita705fb1ce4f77d40f1dc40e535d49409d3681ed2 (patch)
tree7003cc072857bda342d350ae28dda429f4ab83f6
parent68bb9d3aeb72726f9a4c13e7e36f71dc56390c63 (diff)
downloadsos-a705fb1ce4f77d40f1dc40e535d49409d3681ed2.tar.gz
[report,collect] Add env var and prompt options for encryption
Adds a new `--encrypt` option that may be used in place of the existing encrypt-related options. If used alongside `--batch`, this new option causes sos to set the encryption options from the `SOSENCRYPTKEY` or `SOSENCRYPTPASS` environment variables. This lets users use this functionality without the values potentially leaking into `ps`-like output captured inside the archive. If `--batch` is not used, this option instead prompts the user to select the method to use and then either provide the value in-line or use the env var option.

Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
-rw-r--r--man/en/sos-report.121
-rw-r--r--man/en/sos.120
-rw-r--r--sos/__init__.py5
-rw-r--r--sos/component.py40
4 files changed, 86 insertions, 0 deletions
diff --git a/man/en/sos-report.1 b/man/en/sos-report.1
index e3477398..5b2b1d58 100644
--- a/man/en/sos-report.1
+++ b/man/en/sos-report.1
@@ -33,6 +33,7 @@ sos report \- Collect and package diagnostic and support data
[--skip-files files]\fR
[--allow-system-changes]\fR
[-z|--compression-type method]\fR
+ [--encrypt]\fR
[--encrypt-key KEY]\fR
[--encrypt-pass PASS]\fR
[--upload] [--upload-url url] [--upload-user user]\fR
@@ -222,6 +223,26 @@ Run commands even if they can change the system (e.g. load kernel modules).
.B \-z, \--compression-type METHOD
Override the default compression type specified by the active policy.
.TP
+.B \-\-encrypt
+Encrypt the resulting archive, and determine the method by which that encryption
+is done by either a user prompt or environment variables.
+
+When run with \fB--batch\fR, using this option will cause sos to look for either the
+\fBSOSENCRYPTKEY\fR or \fBSOSENCRYPTPASS\fR environment variables. If set, this will
+implicitly enable the \fB--encrypt-key\fR or \fB--encrypt-pass\fR options, respectively,
+to the values set by the environment variable. This enables the use of these options
+without directly setting those options in a config file or command line string. Note that
+use of an encryption key has precedence over a passphrase.
+
+Otherwise, using this option will cause sos to prompt the user to choose the method
+of encryption to use. Choices will be [P]assphrase, [K]ey, [E]nv vars, or [N]o encryption.
+If passphrase or key the user will then be prompted for the respective value, env vars will
+cause sos to source the information in the manner stated above, and choosing no encryption
+will disable encryption.
+
+See the sections on \fB--encrypt-key\fR and \fB--encrypt-pass\fR below for more
+information.
+.TP
.B \--encrypt-key KEY
Encrypts the resulting archive that sosreport produces using GPG. KEY must be
an existing key in the user's keyring as GPG does not allow for keyfiles.
diff --git a/man/en/sos.1 b/man/en/sos.1
index c335b7e1..2d5a9721 100644
--- a/man/en/sos.1
+++ b/man/en/sos.1
@@ -82,6 +82,26 @@ to be set across all components.
.B \-\-batch
Do not prompt interactively, user will not be prompted for any data
.TP
+.B \-\-encrypt
+Encrypt the resulting archive, and determine the method by which that encryption
+is done by either a user prompt or environment variables.
+
+When run with \fB--batch\fR, using this option will cause sos to look for either the
+\fBSOSENCRYPTKEY\fR or \fBSOSENCRYPTPASS\fR environment variables. If set, this will
+implicitly enable the \fB--encrypt-key\fR or \fB--encrypt-pass\fR options, respectively,
+to the values set by the environment variable. This enables the use of these options
+without directly setting those options in a config file or command line string. Note that
+use of an encryption key has precedence over a passphrase.
+
+Otherwise, using this option will cause sos to prompt the user to choose the method
+of encryption to use. Choices will be [P]assphrase, [K]ey, [E]nv vars, or [N]o encryption.
+If passphrase or key the user will then be prompted for the respective value, env vars will
+cause sos to source the information in the manner stated above, and choosing no encryption
+will disable encryption.
+
+See the sections on \fB--encrypt-key\fR and \fB--encrypt-pass\fR below for more
+information.
+.TP
.B \--encrypt-key KEY
Encrypts the resulting archive that sosreport produces using GPG. KEY must be
an existing key in the user's keyring as GPG does not allow for keyfiles.
diff --git a/sos/__init__.py b/sos/__init__.py
index 023e57e3..0f64fcea 100644
--- a/sos/__init__.py
+++ b/sos/__init__.py
@@ -159,6 +159,11 @@ class SoS():
# Group to make tarball encryption (via GPG/password) exclusive
encrypt_grp = global_grp.add_mutually_exclusive_group()
+ encrypt_grp.add_argument("--encrypt", default=False,
+ action="store_true",
+ help=("Encrypt the archive, either prompting "
+ "for a password/key or referencing "
+ "an environment variable"))
encrypt_grp.add_argument("--encrypt-key",
help="Encrypt the archive using a GPG "
"key-pair")
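Review bot: The help text for the new `--encrypt` option does not name the environment variables the `--batch` path reads, so `sos report --help` gives no hint which variables to export; only the man page does. Consider `help=("Encrypt the archive, either prompting for a passphrase/key or, with --batch, reading SOSENCRYPTKEY or SOSENCRYPTPASS")`. Placing the option in `encrypt_grp` means argparse rejects `--encrypt` combined with `--encrypt-key` or `--encrypt-pass`, which matches the man page wording; a short comment above the `add_argument` call stating that this exclusivity is intended would help the next reader. The `SoS` class continues outside the hunk.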
diff --git a/sos/component.py b/sos/component.py
index d68a76cb..e568a08a 100644
--- a/sos/component.py
+++ b/sos/component.py
@@ -18,6 +18,7 @@ import time
from argparse import SUPPRESS
from datetime import datetime
+from getpass import getpass
from shutil import rmtree
from pathlib import Path
from sos import __version__
@@ -58,6 +59,7 @@ class SoSComponent():
"compression_type": 'auto',
"config_file": '/etc/sos/sos.conf',
"debug": False,
+ "encrypt": False,
"encrypt_key": None,
"encrypt_pass": None,
"quiet": False,
@@ -266,7 +268,45 @@ class SoSComponent():
print("Failed to finish cleanup: %s\nContents may remain in %s"
% (err, self.tmpdir))
+ def _set_encrypt_from_env_vars(self):
+ msg = ('No encryption environment variables set, archive will not be '
+ 'encrypted')
+ if os.environ.get('SOSENCRYPTKEY'):
+ self.opts.encrypt_key = os.environ.get('SOSENCRYPTKEY')
+ msg = 'Encryption key set via environment variable'
+ elif os.environ.get('SOSENCRYPTPASS'):
+ self.opts.encrypt_pass = os.environ.get('SOSENCRYPTPASS')
+ msg = 'Encryption passphrase set via environment variable'
+ self.soslog.info(msg)
+ self.ui_log.info(msg)
+
+ def _get_encryption_method(self):
+ if not self.opts.batch:
+ _enc = None
+ while _enc not in ('P', 'K', 'E', 'N'):
+ _enc = input((
+ 'Specify encryption method [P]assphrase, [K]ey, [E]nv '
+ 'vars, [N]o encryption: '
+ )).upper()
+ if _enc == 'P':
+ self.opts.encrypt_pass = getpass('Specify encryption '
+ 'passphrase: ')
+ elif _enc == 'K':
+ self.opts.encrypt_key = input('Specify encryption key: ')
+ elif _enc == 'E':
+ self._set_encrypt_from_env_vars()
+ else:
+ self.opts.encrypt_key = None
+ self.opts.encrypt_pass = None
+ self.soslog.info("User specified --encrypt, but chose no "
+ "encryption when prompted.")
+ self.ui_log.warn("Archive will not be encrypted")
+ else:
+ self._set_encrypt_from_env_vars()
+
def setup_archive(self, name=''):
+ if self.opts.encrypt:
+ self._get_encryption_method()
enc_opts = {
'encrypt': True if (self.opts.encrypt_pass or
self.opts.encrypt_key) else False,
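Review bot: An empty reply to the passphrase or key prompt in `_get_encryption_method` leaves `self.opts.encrypt_pass`/`encrypt_key` falsy, so the `enc_opts` built in `setup_archive` ends with `'encrypt': False` and the archive is written unencrypted with no message, whereas the `[N]` branch at least warns. The `'P'` and `'K'` branches should re-prompt until a non-empty value is given, e.g. `while not self.opts.encrypt_pass:` followed by `self.opts.encrypt_pass = getpass('Specify encryption passphrase: ')`, and likewise for the key. The `--batch` path has the same fail-open shape: when neither `SOSENCRYPTKEY` nor `SOSENCRYPTPASS` is set, `_set_encrypt_from_env_vars` reports "archive will not be encrypted" only at `info` level; using `self.ui_log.warning(msg)` for that case would match the `[N]` branch, which itself should call `warning` rather than the deprecated `warn` alias. `setup_archive` continues past the end of the hunk.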