author | Jake Hunsaker <jhunsake@redhat.com> | 2022-04-19 17:28:07 -0400 |
---|---|---|
committer | Jake Hunsaker <jhunsake@redhat.com> | 2022-04-26 09:44:32 -0400 |
commit | a705fb1ce4f77d40f1dc40e535d49409d3681ed2 (patch) | |
tree | 7003cc072857bda342d350ae28dda429f4ab83f6 | |
parent | 68bb9d3aeb72726f9a4c13e7e36f71dc56390c63 (diff) | |
download | sos-a705fb1ce4f77d40f1dc40e535d49409d3681ed2.tar.gz |
[report,collect] Add env var and prompt options for encryption
Adds a new `--encrypt` option that may be used in place of the existing
encrypt-related options. If used alongside `--batch`, this new option
will cause sos to set encryption options based on the `SOSENCRYPTKEY` or
`SOSENCRYPTPASS` environment variables. This allows users to leverage
this functionality without potentially leaking the values into `ps`-like
output inside the archive.
If `--batch` is not used, then this option prompts the user to select
the encryption method to use and then provide the value in-line, or to use
the env var option.
Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>
-rw-r--r-- | man/en/sos-report.1 | 21 | ||||
-rw-r--r-- | man/en/sos.1 | 20 | ||||
-rw-r--r-- | sos/__init__.py | 5 | ||||
-rw-r--r-- | sos/component.py | 40 |
4 files changed, 86 insertions, 0 deletions
diff --git a/man/en/sos-report.1 b/man/en/sos-report.1 index e3477398..5b2b1d58 100644 --- a/man/en/sos-report.1 +++ b/man/en/sos-report.1 @@ -33,6 +33,7 @@ sos report \- Collect and package diagnostic and support data [--skip-files files]\fR [--allow-system-changes]\fR [-z|--compression-type method]\fR + [--encrypt]\fR [--encrypt-key KEY]\fR [--encrypt-pass PASS]\fR [--upload] [--upload-url url] [--upload-user user]\fR @@ -222,6 +223,26 @@ Run commands even if they can change the system (e.g. load kernel modules). .B \-z, \--compression-type METHOD Override the default compression type specified by the active policy. .TP +.B \-\-encrypt +Encrypt the resulting archive, and determine the method by which that encryption +is done by either a user prompt or environment variables. + +When run with \fB--batch\fR, using this option will cause sos to look for either the +\fBSOSENCRYPTKEY\fR or \fBSOSENCRYPTPASS\fR environment variables. If set, this will +implicitly enable the \fB--encrypt-key\fR or \fB--encrypt-pass\fR options, respectively, +to the values set by the environment variable. This enables the use of these options +without directly setting those options in a config file or command line string. Note that +use of an encryption key has precedence over a passphrase. + +Otherwise, using this option will cause sos to prompt the user to choose the method +of encryption to use. Choices will be [P]assphrase, [K]ey, [E]nv vars, or [N]o encryption. +If passphrase or key the user will then be prompted for the respective value, env vars will +cause sos to source the information in the manner stated above, and choosing no encryption +will disable encryption. + +See the sections on \fB--encrypt-key\fR and \fB--encrypt-pass\fR below for more +information. +.TP .B \--encrypt-key KEY Encrypts the resulting archive that sosreport produces using GPG. KEY must be an existing key in the user's keyring as GPG does not allow for keyfiles. 
diff --git a/man/en/sos.1 b/man/en/sos.1 index c335b7e1..2d5a9721 100644 --- a/man/en/sos.1 +++ b/man/en/sos.1 @@ -82,6 +82,26 @@ to be set across all components. .B \-\-batch Do not prompt interactively, user will not be prompted for any data .TP +.B \-\-encrypt +Encrypt the resulting archive, and determine the method by which that encryption +is done by either a user prompt or environment variables. + +When run with \fB--batch\fR, using this option will cause sos to look for either the +\fBSOSENCRYPTKEY\fR or \fBSOSENCRYPTPASS\fR environment variables. If set, this will +implicitly enable the \fB--encrypt-key\fR or \fB--encrypt-pass\fR options, respectively, +to the values set by the environment variable. This enables the use of these options +without directly setting those options in a config file or command line string. Note that +use of an encryption key has precedence over a passphrase. + +Otherwise, using this option will cause sos to prompt the user to choose the method +of encryption to use. Choices will be [P]assphrase, [K]ey, [E]nv vars, or [N]o encryption. +If passphrase or key the user will then be prompted for the respective value, env vars will +cause sos to source the information in the manner stated above, and choosing no encryption +will disable encryption. + +See the sections on \fB--encrypt-key\fR and \fB--encrypt-pass\fR below for more +information. +.TP .B \--encrypt-key KEY Encrypts the resulting archive that sosreport produces using GPG. KEY must be an existing key in the user's keyring as GPG does not allow for keyfiles. diff --git a/sos/__init__.py b/sos/__init__.py index 023e57e3..0f64fcea 100644 --- a/sos/__init__.py +++ b/sos/__init__.py 
@@ -159,6 +159,11 @@ class SoS(): # Group to make tarball encryption (via GPG/password) exclusive encrypt_grp = global_grp.add_mutually_exclusive_group() + encrypt_grp.add_argument("--encrypt", default=False, + action="store_true", + help=("Encrypt the archive, either prompting " + "for a password/key or referencing " + "an environment variable")) encrypt_grp.add_argument("--encrypt-key", help="Encrypt the archive using a GPG " "key-pair") diff --git a/sos/component.py b/sos/component.py index d68a76cb..e568a08a 100644 --- a/sos/component.py +++ b/sos/component.py @@ -18,6 +18,7 @@ import time from argparse import SUPPRESS from datetime import datetime +from getpass import getpass from shutil import rmtree from pathlib import Path from sos import __version__ @@ -58,6 +59,7 @@ class SoSComponent(): "compression_type": 'auto', "config_file": '/etc/sos/sos.conf', "debug": False, + "encrypt": False, "encrypt_key": None, "encrypt_pass": None, "quiet": False, 
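Review bot: The `--encrypt` help string does not name the environment variables or the `--batch` dependency that the man page describes, so someone reading `--help` cannot discover `SOSENCRYPTKEY`/`SOSENCRYPTPASS` or that the non-interactive path only works with `--batch`. Suggest `help=("Encrypt the archive, either prompting for a passphrase/key or, with --batch, reading SOSENCRYPTKEY or SOSENCRYPTPASS")`. Registering the option in the existing mutually exclusive group is correct, since `--encrypt` combined with `--encrypt-key` or `--encrypt-pass` would otherwise leave the precedence undefined.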
@@ -266,7 +268,45 @@ class SoSComponent(): print("Failed to finish cleanup: %s\nContents may remain in %s" % (err, self.tmpdir)) + def _set_encrypt_from_env_vars(self): + msg = ('No encryption environment variables set, archive will not be ' + 'encrypted') + if os.environ.get('SOSENCRYPTKEY'): + self.opts.encrypt_key = os.environ.get('SOSENCRYPTKEY') + msg = 'Encryption key set via environment variable' + elif os.environ.get('SOSENCRYPTPASS'): + self.opts.encrypt_pass = os.environ.get('SOSENCRYPTPASS') + msg = 'Encryption passphrase set via environment variable' + self.soslog.info(msg) + self.ui_log.info(msg) + + def _get_encryption_method(self): + if not self.opts.batch: + _enc = None + while _enc not in ('P', 'K', 'E', 'N'): + _enc = input(( + 'Specify encryption method [P]assphrase, [K]ey, [E]nv ' + 'vars, [N]o encryption: ' + )).upper() + if _enc == 'P': + self.opts.encrypt_pass = getpass('Specify encryption ' + 'passphrase: ') + elif _enc == 'K': + self.opts.encrypt_key = input('Specify encryption key: ') + elif _enc == 'E': + self._set_encrypt_from_env_vars() + else: + self.opts.encrypt_key = None + self.opts.encrypt_pass = None + self.soslog.info("User specified --encrypt, but chose no " + "encryption when prompted.") + self.ui_log.warn("Archive will not be encrypted") + else: + self._set_encrypt_from_env_vars() + def setup_archive(self, name=''): + if self.opts.encrypt: + self._get_encryption_method() enc_opts = { 'encrypt': True if (self.opts.encrypt_pass or self.opts.encrypt_key) else False, |
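Review bot: `_set_encrypt_from_env_vars` fails open: with `--batch --encrypt` and neither `SOSENCRYPTKEY` nor `SOSENCRYPTPASS` set, the archive is written unencrypted and the only signal is an info-level message, whereas the interactive 'N' path at least emits `self.ui_log.warn("Archive will not be encrypted")`. Because the user explicitly requested encryption, log that fallback at warning level on `ui_log` (`self.ui_log.warn(msg)` for the no-variable case) and consider making it a hard error in batch mode so an unattended run cannot silently produce a cleartext archive. Separately, the passphrase read from the environment remains in `os.environ` and is inherited by any subprocess sos spawns afterwards; removing it once consumed, e.g. `os.environ.pop('SOSENCRYPTPASS', None)` right after the assignment, limits that exposure (assuming nothing later in the run re-reads the variable — worth confirming). `Logger.warn` is a deprecated alias for `warning` and is presumably what `ui_log` resolves to here, so the new call should use `warning`. `setup_archive` continues past the end of the hunk.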