Adds initial version of stackable bcrypt tool (#19)

soenkeliebau · nightkr · web-flow · commit 8d0fee1c6dee · 2022-01-25T16:19:34.000+01:00
Adds initial version of stackable bcrypt tool. This reads from stdin and outputs the bcrypt hashed value and is expected to be mostly useful for replacing sensitive values in init containers. We tried using https://github.com/bitnami/bcrypt-cli instead but that was incompatible with NiFi's password hashing algo - which is the initial use case. Co-authored-by: Teo Klestrup Röijezon <teo.roijezon@stackable.de>
diff --git a/stackable-bcrypt/Cargo.lock b/stackable-bcrypt/Cargo.lock
diff --git a/stackable-bcrypt/Cargo.toml b/stackable-bcrypt/Cargo.toml
@@ -0,0 +1,10 @@
+[package]
+name = "stackable-bcrypt"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+bcrypt = "0.10"
+clap = { version = "3.0", features = ["derive"] }
diff --git a/stackable-bcrypt/README.md b/stackable-bcrypt/README.md
@@ -0,0 +1,15 @@
+# BCrypt Tool
+
+This is a tiny tool along the same lines as https://github.com/bitnami/bcrypt-cli to enable hashing of a cleartext password with bcrypt on the commandline. The bitnami tool didn't work for our initial use case, as it was incompatible with the salting mechanism used by NiFi for its internal password storage.
+
+Most common use case will be in init containers to hash cleartext passwords from Kubernetes secrets and replace these in config files.
+
+The tool reads from stdin.
+
+## Usage
+
+stackable-bcrypt [OPTIONS] 
+
+OPTIONS:
+-c, --cost <COST>
+[default: 10]
diff --git a/stackable-bcrypt/src/main.rs b/stackable-bcrypt/src/main.rs
@@ -0,0 +1,39 @@
+use clap::Parser;
+use std::io;
+use std::process::exit;
+
+#[derive(Parser)]
+#[clap(
+    about = "bcrypt commandline tool",
+    long_about = "A tiny command line tool to hash a given string using the bcrypt algorithm.\
+        Default cost used is 10, but can be configured. \
+        The output is only the hash, so that this can be used for automation purposes without any parsing.",
+    author
+)]
+struct Opts {
+    #[clap(short, long, default_value = "10")]
+    cost: u8,
+}
+
+fn main() {
+    let opts = Opts::parse();
+
+    // Read from stdin and fail on error
+    let mut input = String::new();
+    io::stdin().read_line(&mut input).unwrap_or_else(|error| {
+        eprintln!("error: {}", error);
+        exit(-1);
+    });
+
+    // Hash what we read
+    match bcrypt::hash(&input, opts.cost.into()) {
+        Ok(hashed) => {
+            println!("{}", hashed);
+            exit(0);
+        }
+        Err(error) => {
+            eprintln!("error: {:?}", error);
+            exit(-1);
+        }
+    }
+}
