Adding the ability to encrypt/decrypt type 9 Juniper secrets. This resolves at least part of intentionet#16

Author: ankenyr

netconan/sensitive_item_removal.py

@@ -21,6 +21,7 @@
 from binascii import b2a_hex
 from enum import Enum
 from hashlib import md5
+from netconan.utils import juniper_secrets
 
 # Using passlib for digests not supported by hashlib
 from passlib.hash import cisco_type7, md5_crypt, sha512_crypt
@@ -278,7 +279,7 @@ def _anonymize_value(raw_val, lookup, reserved_words):
         # TODO(https://github.com/intentionet/netconan/issues/16)
         # Encode base anon_val instead of just returning a constant here
         # This value corresponds to encoding: Conan812183
-        anon_val = "$9$0000IRc-dsJGirewg4JDj9At0RhSreK8Xhc"
+        anon_val = juniper_secrets.juniper_encrypt(anon_val)
 
     lookup[val] = anon_val
     logging.debug('Anonymized input "%s" to "%s"', val, anon_val)

netconan/utils/__init__.py

@@ -0,0 +1,122 @@
+"""Encrypts and decryptes Juniper Type 9 hashes."""
+
+import random
+import re
+
+MAGIC = "$9$"
+
+FAMILY = [
+    "QzF3n6/9CAtpu0O",
+    "B1IREhcSyrleKvMW8LXx",
+    "7N-dVbwsY2g4oaJZGUDj",
+    "iHkq.mPf5T"
+]
+
+EXTRA = {c: (3 - fam) for fam, chars in enumerate(FAMILY) for c in chars}
+
+NUM_ALPHA = list("".join(FAMILY).replace('-','')+'-')
+ALPHA_NUM = {char: idx for idx, char in enumerate(NUM_ALPHA)}
+
+ENCODING = [
+    [1, 4, 32],
+    [1, 16, 32],
+    [1, 8, 32],
+    [1, 64],
+    [1, 32],
+    [1, 4, 16, 128],
+    [1, 32, 64]
+]
+
+VALID = f"^{MAGIC}[{''.join(NUM_ALPHA)}]{{4,}}$".replace("$", r"\$", 2)
+
+
+def juniper_decrypt(crypt):
+    """Decrypts a Juniper $9 encrypted secret.
+
+    Args:
+      crypt: String containing the secret to decrypt.
+
+    Returns:
+      String representing the decrypted secret.
+    """
+    if not crypt or not re.search(VALID, crypt):
+        raise ValueError("Invalid Juniper crypt string!")
+
+    chars = crypt[len(MAGIC):]
+    first, chars = _nibble(chars, 1)
+    _, chars = _nibble(chars, EXTRA[first])
+
+    prev = first
+    decrypt = ""
+
+    while chars:
+        decode = ENCODING[len(decrypt) % len(ENCODING)]
+        nibble_len = len(decode)
+        nibble, chars = _nibble(chars, nibble_len)
+        gaps = []
+        for i  in enumerate(nibble):
+            gaps.append(_gap(prev, nibble[i]))
+            prev = nibble[i]
+        decrypt += _gap_decode(gaps, decode)
+    return decrypt
+
+def _nibble(chars, length):
+    nib = chars[:length]
+    chars = chars[length:]
+
+    return nib, chars
+
+def _gap(c1, c2):
+    diff = ALPHA_NUM[c2] - ALPHA_NUM[c1]
+    pos_diff = diff + len(NUM_ALPHA)
+    return pos_diff % len(NUM_ALPHA) - 1
+
+def _gap_decode(gaps, dec):
+    if len(gaps) != len(dec):
+        raise ValueError("Nibble and decode size not the same!")
+
+    num = sum(g * d for g, d in zip(gaps, dec))
+    return chr(num % 256)
+
+def juniper_encrypt(plain, salt=None):
+    """Encrypts a Juniper $9 encrypted secret.
+    
+    Args:
+      plain: String containing the plaintext secret to be encrypted.
+      salt: Optional salt to be used when encrypting the secret.
+    
+    Returns:
+      String representing the encrypted secret.
+    """
+    if salt is None:
+        salt = _randc(1)
+    rand = _randc(EXTRA[salt])
+
+    pos = 0
+    prev = salt
+    crypt = f"{MAGIC}{salt}{rand}"
+    for p in plain:
+        encode = ENCODING[pos % len(ENCODING)]
+        crypt += _gap_encode(p, prev, encode)
+        prev = crypt[-1]
+        pos += 1
+    return crypt
+
+def _randc(count):
+    return ''.join(random.choice(NUM_ALPHA) for _ in range(count))
+
+def _gap_encode(pc, prev, enc):
+    ord_val = ord(pc)
+    crypt = ""
+    gaps = []
+
+    for mod in reversed(enc):
+        gaps.insert(0, ord_val // mod)
+        ord_val %= mod
+
+    for gap in gaps:
+        gap += ALPHA_NUM[prev] + 1
+        prev = NUM_ALPHA[gap % len(NUM_ALPHA)]
+        crypt += prev
+
+    return crypt

netconan/utils/juniper_secrets.py

@@ -73,7 +73,7 @@
     python_requires=">=3.8",
     # What does your project relate to?
     keywords="network configuration anonymizer",
-    packages=["netconan"],
+    packages=["netconan", "netconan.utils"],
     # Alternatively, if you want to distribute just a my_module.py, uncomment
     # this:
     #   py_modules=["my_module"],

setup.py

@@ -0,0 +1,45 @@
+"""Tests Juniper secret encryption/decryption methods."""
+from unittest.mock import MagicMock
+import pytest
+from netconan.utils import juniper_secrets
+
+@pytest.mark.parametrize(
+        "plain_text, expected",
+        [
+            ("abc", "$9$aaZGiq.5zF/"),
+            ("123", "$9$aaZikmfTF69"),
+            ("netconan", "$9$aaGi.-QnAu1Di6Au1yrevWXds"),
+            ("QjEf.WloKY4IBVGik9xeIO9xWN5F7S13",
+             "$9$aaZiq3nCOBRqmApBIyrdbs4ZjQzn/t0zFuBRErlJZUHqP6/tO1h0Ob24aiHQz39pOrevMXdfT01RhrlLX7b4aUjk.fTGU")
+        ]
+)
+def test_juniper_encrypt(plain_text, expected):
+    """Test encryption of secrets."""
+    juniper_secrets._randc = MagicMock(return_value='a')
+    assert juniper_secrets.juniper_encrypt(plain_text) == expected
+
+
+@pytest.mark.parametrize(
+        "encrypted, expected",
+        [
+            ("$9$aaZGiq.5zF/", "abc"),
+            ("$9$aaZikmfTF69", "123"),
+            ("$9$aaGi.-QnAu1Di6Au1yrevWXds", "netconan"),
+            ("$9$aaZiq3nCOBRqmApBIyrdbs4ZjQzn/t0zFuBRErlJZUHqP6/tO1h0Ob24aiHQz39pOrevMXdfT01RhrlLX7b4aUjk.fTGU", "QjEf.WloKY4IBVGik9xeIO9xWN5F7S13")
+        ]
+)
+def test_juniper_decrypt(encrypted, expected):
+    """Test decryption of secrets."""
+    assert juniper_secrets.juniper_decrypt(encrypted) == expected
+
+@pytest.mark.parametrize(
+        "encrypted",
+        [
+            ("abcd"),
+            ("$9$aaGi.Qz6t0IDi/t0IrlKM8x,s")
+        ]
+)
+def test_invalid_juniper_decrypt(encrypted):
+    """Test raising errors when decrypting invalid secrets."""
+    with pytest.raises(ValueError):
+        juniper_secrets.juniper_decrypt(encrypted)