MT#58014 Refactor OpenPGP functions into a new functions file

We move some of the OpenPGP support into this file, which we will extend once we switch to use the OpenPGP Stateless OpenPGP support. Change-Id: I56acd993cb394dd8bc12a8da3cf4c78088adb61b
1 year ago · 5d1b3dcc1e
parent c4f6293c5e
commit 5d1b3dcc1e
4 changed files with 58 additions and 18 deletions
--- a/debian/ngcp-ngcpcfg.install
+++ b/debian/ngcp-ngcpcfg.install
@ -2,6 +2,7 @@ etc/ngcp-ngcpcfg/ngcpcfg.cfg etc/ngcp-ngcpcfg/
 functions/init              usr/share/ngcp-ngcpcfg/functions/
 functions/logs              usr/share/ngcp-ngcpcfg/functions/
 functions/main              usr/share/ngcp-ngcpcfg/functions/
+functions/openpgp           usr/share/ngcp-ngcpcfg/functions/
 helper/cat-yml              usr/share/ngcp-ngcpcfg/helper/
 helper/check-for-mysql      usr/share/ngcp-ngcpcfg/helper/
 helper/del-value            usr/share/ngcp-ngcpcfg/helper/
--- a/functions/openpgp
+++ b/functions/openpgp
@ -0,0 +1,35 @@
+#!/bin/bash
+# Filename:      /usr/share/ngcp-ngcpcfg/functions/openpgp
+# Purpose:       helper OpenPGP functions for ngcpcfg
+################################################################################
+
+# OpenPGP subsystem initialization functions {{{
+openpgp_setup() {
+  if ! type -p gpg &>/dev/null ; then
+    log_error "gpg binary not found, exiting."
+    exit 1
+  fi
+}
+
+openpgp_prompt_password() {
+  if ! tty -s; then
+    log_error "Cannot request OpenPGP password (no tty). Aborting."
+    exit 1
+  fi
+
+  GPG_TTY=$(tty)
+  export GPG_TTY
+}
+
+openpgp_reset_password() {
+  :
+}
+
+openpgp_encrypt() {
+  gpg --symmetric
+}
+
+openpgp_decrypt() {
+  gpg --decrypt
+}
+## }}}
--- a/scripts/decrypt
+++ b/scripts/decrypt
@ -14,6 +14,10 @@ if ! [ -r "${FUNCTIONS}"/logs ] ; then
  printf "Error: %s/logs could not be read. Exiting.\n" "${FUNCTIONS}">&2
  exit 1
 fi
+if ! [ -r "${FUNCTIONS}"/openpgp ] ; then
+  printf "Error: %s/openpgp could not be read. Exiting.\n" "${FUNCTIONS}" >&2
+  exit 1
+fi

 # We cannot source ${FUNCTIONS}/main as we are missing a bunch of
 # configuration files that are supposed to be available, therefore we
@ -22,6 +26,7 @@ fi
 timestamp_replacementchars='' # unset by default
 # shellcheck disable=SC1090
 . "${FUNCTIONS}"/logs
+. "${FUNCTIONS}"/openpgp

 setup_shared_config() {
  if ! [ -d /mnt/glusterfs/mgmt-share ] ; then
@ -47,10 +52,7 @@ as soon as glusterfs share is mounted again:
 }

 # main script
-if ! type -p gpg &>/dev/null ; then
-  log_error "gpg binary not found, exiting."
-  exit 1
-fi
+openpgp_setup

 RC=0
 TARGZPGP=
@ -65,10 +67,12 @@ done
 # ensure created files can be read by root only
 umask 066

+openpgp_prompt_password
+
 # For backwards compatibility we switch to the root directory, for old
 # encrypted tarballs that stripped the leading /.
 cd /
-if ! gpg -d "${TARGZPGP}" | tar zxPf - ; then
+if ! openpgp_decrypt <"${TARGZPGP}" | tar zxPf - ; then
  log_error "Error while decrypting or restoring ${TARGZPGP}"
  RC=1
 else
@ -76,6 +80,8 @@ else
  log_info "Now you should be able to run 'ngcpcfg apply' again."
 fi

+openpgp_reset_password
+
 # only for PRO/CARRIER
 if [ -r "${FUNCTIONS}"/ha_features ] ; then
  setup_shared_config
--- a/scripts/encrypt
+++ b/scripts/encrypt
@ -13,9 +13,14 @@ if ! [ -r "${FUNCTIONS}"/main ] ; then
  printf "Error: %s/main could not be read. Exiting.\n" "${FUNCTIONS}" >&2
  exit 1
 fi
+if ! [ -r "${FUNCTIONS}"/openpgp ] ; then
+  printf "Error: %s/openpgp could not be read. Exiting.\n" "${FUNCTIONS}" >&2
+  exit 1
+fi

 # shellcheck disable=SC1090
 . "${FUNCTIONS}"/main
+. "${FUNCTIONS}"/openpgp

 get_config_file_list() {
  for dir in ${CONFIG_POOL} ; do
@ -38,18 +43,7 @@ get_config_file_list() {
 }

 # main script
-if ! type -p gpg &>/dev/null ; then
-  log_error "gpg binary not found, exiting."
-  exit 1
-fi
-
-if ! tty -s; then
-  log_error "Cannot request OpenPGP password (no tty). Aborting."
-  exit 1
-fi
-
-GPG_TTY=$(tty)
-export GPG_TTY
+openpgp_setup

 # ensure created files can be read by root only
 umask 066
@ -65,14 +59,18 @@ fi
 TARGZ=/etc/ngcp-config.tgz
 TARGZPGP="${TARGZ}.pgp"

+openpgp_prompt_password
+
 if tar zcPf - /etc/ngcp-config/ "${FILES[@]}" /etc/.git \
-     | gpg -o "${TARGZPGP}" --symmetric ; then
+     | openpgp_encrypt >"${TARGZPGP}" ; then
  log_info "Successfully created encrypted ngcpcfg configuration archive ${TARGZPGP}"
 else
  log_error "Error while setting up ${TARGZPGP}"
  exit 1
 fi

+openpgp_reset_password
+
 log_info_n "Now really erase all configuration files managed by ngcpcfg? [y/N] "
 a='' ; read -r a
 if [[ "$a" == "y" ]] || [[ "$a" == "Y" ]] ; then