Created
November 2, 2021 14:49
-
-
Save wavedocs/6bfcc1a6ea5eebe87dccc9f51ca7955d to your computer and use it in GitHub Desktop.
awx decrypt credentials
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# https://github.com/ansible/awx/blob/devel/awx/main/utils/encryption.py | |
import base64, hashlib, json | |
from cryptography.fernet import Fernet, InvalidToken | |
from cryptography.hazmat.backends import default_backend | |
class Fernet256(Fernet): | |
'''Not techincally Fernet, but uses the base of the Fernet spec and uses AES-256-CBC | |
instead of AES-128-CBC. All other functionality remain identical. | |
''' | |
def __init__(self, key, backend=None): | |
if backend is None: | |
backend = default_backend() | |
key = base64.urlsafe_b64decode(key) | |
if len(key) != 64: | |
raise ValueError( | |
"Fernet key must be 64 url-safe base64-encoded bytes." | |
) | |
self._signing_key = key[:32] | |
self._encryption_key = key[32:] | |
self._backend = backend | |
# this function has been modified to take the secret as a parameter, rather than config | |
def get_encryption_key(field_name, secret, pk=None): | |
''' | |
Generate key for encrypted password based on field name, | |
``settings.SECRET_KEY``, and instance pk (if available). | |
:param pk: (optional) the primary key of the model object; | |
can be omitted in situations where you're encrypting a setting | |
that is not database-persistent (like a read-only setting) | |
''' | |
h = hashlib.sha512() | |
h.update(secret) | |
if pk is not None: | |
h.update(str(pk)) | |
h.update(field_name) | |
return base64.urlsafe_b64encode(h.digest()) | |
def decrypt_value(encryption_key, value): | |
raw_data = value[len('$encrypted$'):] | |
# If the encrypted string contains a UTF8 marker, discard it | |
utf8 = raw_data.startswith('UTF8$') | |
if utf8: | |
raw_data = raw_data[len('UTF8$'):] | |
algo, b64data = raw_data.split('$', 1) | |
if algo != 'AESCBC': | |
raise ValueError('unsupported algorithm: %s' % algo) | |
encrypted = base64.b64decode(b64data) | |
f = Fernet256(encryption_key) | |
value = f.decrypt(encrypted) | |
# If the encrypted string contained a UTF8 marker, decode the data | |
if utf8: | |
value = value.decode('utf-8') | |
return value | |
secret = '' # Put your secret key | |
data = json.loads('') # put your json data from: select * from main_credential; | |
index_name = 'ssh_key_data' | |
pk = 2 # put your value id from select result | |
key = get_encryption_key(index_name, secret, pk) | |
print(decrypt_value(key, data[index_name])) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment