clarenceb-hiera-eyaml 2.0.1

data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb

@@ -0,0 +1,107 @@
+require 'openssl'
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+
+        class Pkcs7 < Encryptor
+
+          self.options = {
+            :private_key => { :desc => "Path to private key", 
+                              :type => :string, 
+                              :default => "./keys/private_key.pkcs7.pem" },
+            :public_key => { :desc => "Path to public key",  
+                             :type => :string, 
+                             :default => "./keys/public_key.pkcs7.pem" }
+          }
+
+          self.tag = "PKCS7"
+
+          def self.encrypt plaintext
+
+            public_key = self.option :public_key
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key
+
+            public_key_pem = File.read public_key 
+            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
+
+            cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+            OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+            
+          end
+
+          def self.decrypt ciphertext
+
+            public_key = self.option :public_key
+            private_key = self.option :private_key
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key
+            raise StandardError, "pkcs7_private_key is not defined" unless private_key
+
+            private_key_pem = File.read private_key
+            private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
+
+            public_key_pem = File.read public_key
+            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
+
+            pkcs7 = OpenSSL::PKCS7.new( ciphertext )
+            pkcs7.decrypt(private_key_rsa, public_key_x509)
+
+          end
+
+          def self.create_keys
+
+            # Try to do equivalent of:
+            # openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
+
+            public_key = self.option :public_key
+            private_key = self.option :private_key
+
+            key = OpenSSL::PKey::RSA.new(2048)
+            Utils.ensure_key_dir_exists private_key
+            Utils.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600
+
+            name = OpenSSL::X509::Name.parse("/DC=org/DC=example/CN=eyaml")
+            cert = OpenSSL::X509::Certificate.new()
+            cert.serial = 0
+            cert.version = 2
+            cert.subject = name
+            cert.issuer = cert.subject
+            cert.not_before = Time.now
+            cert.not_after = if 1.size == 8       # 64bit
+              Time.now + 50 * 365 * 24 * 60 * 60
+            else                                  # 32bit
+              Time.at(0x7fffffff)
+            end
+            cert.public_key = key.public_key
+
+            ef = OpenSSL::X509::ExtensionFactory.new
+            ef.subject_certificate = cert
+            ef.issuer_certificate = cert
+            cert.extensions = [
+              ef.create_extension("basicConstraints","CA:TRUE", true),
+              ef.create_extension("subjectKeyIdentifier", "hash"),
+            ]
+            cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                                   "keyid:always,issuer:always")
+
+            cert.sign key, OpenSSL::Digest::SHA1.new
+
+            Utils.ensure_key_dir_exists public_key
+            Utils.write_important_file :filename => public_key, :content => cert.to_pem
+            puts "Keys created OK"
+
+          end
+
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hiera/backend/eyaml/options.rb

@@ -0,0 +1,35 @@
+class Hiera
+  module Backend
+    module Eyaml
+      class Options
+
+        def self.[]= key, value
+          @@options ||= {}
+          @@options[ key.to_sym ] = value
+        end
+
+        def self.[] key
+          @@options ||= {}
+          @@options[ key.to_sym ]
+        end
+
+        def self.set hash
+          @@options = {}
+          hash.each do |k, v|
+            @@options[ k.to_sym ] = v
+          end
+        end
+
+        def self.debug
+          Utils::debug "Dump of eyaml tool options dict:"
+          Utils::debug "--------------------------------"
+          @@options.each do |k, v|
+            Utils::debug sprintf "%18s %-18s = %-18s %-18s", "(#{k.class.name})", k.to_s, v.to_s, "(#{v.class.name})"
+          end
+          Utils::debug "--------------------------------"
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb

@@ -0,0 +1,138 @@
+require 'hiera/backend/eyaml/parser/token'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml'
+
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Parser
+        class EncToken < Token
+          attr_reader :format, :cipher, :encryptor, :indentation, :plain_text, :id
+          def self.encrypted_value(format, encryption_scheme, cipher, match, indentation = '')
+            decryptor = Encryptor.find encryption_scheme
+            plain_text = decryptor.decrypt( decryptor.decode cipher )
+            EncToken.new(format, plain_text, decryptor, cipher, match, indentation)
+          end
+          def self.decrypted_value(format, plain_text, encryption_scheme, match, id, indentation = '')
+            encryptor = Encryptor.find encryption_scheme
+            cipher = encryptor.encode( encryptor.encrypt plain_text )
+            id_number = id.nil? ? nil : id.gsub(/\(|\)/, "").to_i
+            EncToken.new(format, plain_text, encryptor, cipher, match, indentation, id_number)
+          end
+
+          def initialize(format, plain_text, encryptor, cipher, match = '', indentation = '', id = nil)
+            @format = format
+            @plain_text = plain_text
+            @encryptor = encryptor
+            @cipher = cipher
+            @indentation = indentation
+            @id = id
+            super(match)
+          end
+
+          def to_encrypted(args={})
+            label = args[:label]
+            label_string = label.nil? ? '' : "#{label}: "
+            format = args[:format].nil? ? @format : args[:format]
+            case format
+              when :block
+                # strip any white space
+                @cipher = @cipher.gsub(/ /m, "")
+                # normalize indentation
+                ciphertext = @cipher.gsub(/\n/, "\n" + @indentation)
+                chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
+                "#{label_string}#{chevron}" + @indentation + "ENC[#{@encryptor.tag},#{ciphertext}]"
+              when :string
+                ciphertext = @cipher.gsub(/\n/, "")
+                "#{label_string}ENC[#{@encryptor.tag},#{ciphertext}]"
+              else
+                raise "#{@format} is not a valid format"
+            end
+          end
+
+          def to_decrypted(args={})
+            label = args[:label]
+            label_string = label.nil? ? '' : "#{label}: "
+            format = args[:format].nil? ? @format : args[:format]
+            index = args[:index].nil? ? '' : "(#{args[:index]})"
+            case format
+              when :block
+                chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
+                "#{label_string}#{chevron}" + indentation + "DEC#{index}::#{@encryptor.tag}[" + @plain_text + "]!"
+              when :string
+                "#{label_string}DEC#{index}::#{@encryptor.tag}[" + @plain_text + "]!"
+              else
+                raise "#{@format} is not a valid format"
+            end
+          end
+
+          def to_plain_text
+            @plain_text
+          end
+
+        end
+
+        class EncTokenType < TokenType
+          def create_enc_token(match, type, enc_comma, cipher, indentation = '')
+            encryption_scheme = enc_comma.nil? ? Eyaml.default_encryption_scheme : enc_comma.split(",").first
+            EncToken.encrypted_value(type, encryption_scheme, cipher, match, indentation)
+          end
+        end
+
+        class EncHieraTokenType < EncTokenType
+          def initialize
+            @regex = /ENC\[(\w+,)?([a-zA-Z0-9\+\/ =\n]+?)\]/
+            @string_token_type = EncStringTokenType.new()
+          end
+          def create_token(string)
+            @string_token_type.create_token(string.gsub(/[ \n]/, ''))
+          end
+        end
+
+        class EncStringTokenType < EncTokenType
+          def initialize
+            @regex = /ENC\[(\w+,)?([a-zA-Z0-9\+\/=]+?)\]/
+          end
+          def create_token(string)
+            md = @regex.match(string)
+            self.create_enc_token(string, :string, md[1], md[2])
+          end
+        end
+
+        class EncBlockTokenType < EncTokenType
+          def initialize
+            @regex = />\n(\s*)ENC\[(\w+,)?([a-zA-Z0-9\+\/ =\n]+?)\]/
+          end
+          def create_token(string)
+            md = @regex.match(string)
+            self.create_enc_token(string, :block, md[2], md[3], md[1])
+          end
+        end
+
+        class DecStringTokenType < TokenType
+          def initialize
+            @regex = /DEC(\(\d+\))?::(\w+)\[(.+?)\]\!/
+          end
+          def create_token(string)
+            md = @regex.match(string)
+            EncToken.decrypted_value(:string, md[3], md[2], string, md[1])
+          end
+        end
+
+        class DecBlockTokenType < TokenType
+          def initialize
+            @regex = />\n(\s*)DEC(\(\d+\))?::(\w+)\[(.+?)\]\!/m
+          end
+          def create_token(string)
+            md = @regex.match(string)
+            EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
+            EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/parser/parser.rb

@@ -0,0 +1,82 @@
+require 'strscan'
+require 'hiera/backend/eyaml/parser/token'
+require 'hiera/backend/eyaml/parser/encrypted_tokens'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Parser
+        class ParserFactory
+          def self.encrypted_parser
+            enc_string = EncStringTokenType.new()
+            enc_block = EncBlockTokenType.new()
+            Parser.new([enc_string, enc_block])
+          end
+
+          def self.decrypted_parser
+            dec_string = DecStringTokenType.new()
+            dec_block = DecBlockTokenType.new()
+            Parser.new([dec_string, dec_block])
+          end
+
+          def self.hiera_backend_parser
+            enc_hiera = EncHieraTokenType.new()
+            Parser.new([enc_hiera])
+          end
+        end
+
+        class Parser
+          attr_reader :token_types
+
+          def initialize(token_types)
+            @token_types = token_types
+          end
+
+          def parse text
+            parse_scanner(StringScanner.new(text)).reverse
+          end
+
+          def parse_scanner s
+            if s.eos?
+              []
+            else
+              # Check if the scanner currently matches a regex
+              current_match = @token_types.find { |token_type|
+                s.match?(token_type.regex)
+              }
+
+              token =
+                  if current_match.nil?
+                    # No regex matches here. Find the earliest match.
+                    next_match_indexes = @token_types.map { |token_type|
+                      next_match = s.check_until(token_type.regex)
+                      if next_match.nil?
+                        nil
+                      else
+                        next_match.length - s.matched.length
+                      end
+                    }.reject { |i| i.nil? }
+                    non_match_size =
+                        if next_match_indexes.length == 0
+                          s.rest_size
+                        else
+                          next_match_indexes.min
+                        end
+                    non_match = s.peek(non_match_size)
+                    # advance scanner
+                    s.pos = s.pos + non_match_size
+                    NonMatchToken.new(non_match)
+                  else
+                    # A regex matches so create a token and do a recursive call with the advanced scanner
+                    current_match.create_token s.scan(current_match.regex)
+                  end
+
+              self.parse_scanner(s) << token
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/parser/token.rb

@@ -0,0 +1,49 @@
+class Hiera
+  module Backend
+    module Eyaml
+      module Parser
+        class TokenType
+          attr_reader :regex
+          @regex
+          def create_token string
+            raise 'Abstract method called'
+          end
+        end
+
+        class Token
+          attr_reader :match
+          def initialize(match)
+            @match = match
+          end
+          def to_encrypted(args={})
+            raise 'Abstract method called'
+          end
+          def to_decrypted(args={})
+            raise 'Abstract method called'
+          end
+          def to_plain_text
+            raise 'Abstract method called'
+          end
+          def to_s
+            "#{self.class.name}:#{@match}"
+          end
+        end
+
+        class NonMatchToken < Token
+          def initialize(non_match)
+            super(non_match)
+          end
+          def to_encrypted(args={})
+            @match
+          end
+          def to_decrypted(args={})
+            @match
+          end
+          def to_plain_text
+            @match
+          end
+        end
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/plugins.rb

@@ -0,0 +1,70 @@
+require 'rubygems'
+
+class Hiera
+  module Backend
+    module Eyaml
+      class Plugins
+
+        @@plugins = []
+        @@commands = []
+        @@options = []
+
+        def self.register_options args
+          options = args[ :options ]
+          plugin = args[ :plugin ]
+          options.each do |name, option_hash|
+            new_option = {:name => "#{plugin}_#{name}"}
+            new_option.merge! option_hash
+            @@options << new_option
+          end
+        end
+
+        def self.options
+          @@options
+        end
+
+        def self.find
+
+          this_version = Gem::Version.create(Hiera::Backend::Eyaml::VERSION)
+          index = Gem::VERSION >= "1.8.0" ? Gem::Specification : Gem.source_index
+
+          [index].flatten.each do |source|
+            specs = Gem::VERSION >= "1.6.0" ? source.latest_specs(true) : source.latest_specs
+
+            specs.each do |spec|
+              next if @@plugins.include? spec
+
+              dependency = spec.dependencies.find { |d| d.name == "hiera-eyaml" }
+              next if dependency && !dependency.requirement.satisfied_by?( this_version )
+
+              file = nil
+              if Gem::VERSION >= "1.8.0"
+                file = spec.matches_for_glob("**/eyaml_init.rb").first
+              else
+                file = Gem.searcher.matching_files(spec, "**/eyaml_init.rb").first
+              end
+
+              next unless file
+
+              @@plugins << spec
+              load file
+            end
+
+          end
+
+          @@plugins
+
+        end
+
+        def self.plugins
+          @@plugins
+        end
+
+        def self.commands
+          @@commands
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/subcommand.rb

@@ -0,0 +1,126 @@
+require 'base64'
+# require 'hiera/backend/eyaml/subcommands/unknown_command'
+
+class Hiera
+  module Backend
+    module Eyaml
+
+      class Subcommand
+
+        class << self
+          attr_accessor :global_options, :options, :helptext
+        end
+
+        @@global_options = [
+           {:name          => :encrypt_method,
+              :description => "Override default encryption and decryption method (default is PKCS7)", 
+              :short       => 'n', 
+              :default     => "pkcs7"},
+           {:name          => :version,
+              :description => "Show version information"},
+           {:name          => :verbose,
+              :description => "Be more verbose",
+              :short       => 'v'},
+           {:name          => :quiet,
+              :description => "Be less verbose",
+              :short       => 'q'},
+           {:name          => :help,
+              :description => "Information on how to use this command",
+              :short       => 'h'}
+          ]
+        
+        def self.all_options 
+          options = @@global_options.dup
+          options += self.options if self.options
+          options += Plugins.options
+          options
+        end
+
+        def self.attach_option opt
+          self.suboptions += opt
+        end
+
+        def self.find commandname = "unknown_command"
+          begin
+            require "hiera/backend/eyaml/subcommands/#{commandname.downcase}"
+          rescue Exception => e
+            require "hiera/backend/eyaml/subcommands/unknown_command"
+            return Hiera::Backend::Eyaml::Subcommands::UnknownCommand
+          end          
+          command_module = Module.const_get('Hiera').const_get('Backend').const_get('Eyaml').const_get('Subcommands')
+          command_class = Utils.find_closest_class :parent_class => command_module, :class_name => commandname
+          command_class || Hiera::Backend::Eyaml::Subcommands::UnknownCommand
+        end
+
+        def self.parse
+
+          me = self
+
+          options = Trollop::options do
+
+            version "Hiera-eyaml version " + Hiera::Backend::Eyaml::VERSION.to_s
+            banner ["eyaml #{me.prettyname}: #{me.description}", me.helptext, "Options:"].compact.join("\n\n")
+
+            me.all_options.each do |available_option|
+
+              skeleton = {:description => "",
+                          :short => :none}
+
+              skeleton.merge! available_option
+              opt skeleton[:name], 
+                  skeleton[:desc] || skeleton[:description],  #legacy plugins 
+                  :short => skeleton[:short], 
+                  :default => skeleton[:default], 
+                  :type => skeleton[:type]
+
+            end
+
+            stop_on Eyaml.subcommands
+
+          end
+
+          if options[:verbose]
+            Hiera::Backend::Eyaml.verbosity_level += 1
+          end
+
+          if options[:quiet]
+            Hiera::Backend::Eyaml.verbosity_level = 0
+          end
+
+          if options[:encrypt_method]
+            Hiera::Backend::Eyaml.default_encryption_scheme = options[:encrypt_method]
+          end
+
+          options
+
+        end
+
+        def self.validate args
+          args
+        end
+
+        def self.description
+          "no description"
+        end
+
+        def self.helptext
+          "Usage: eyaml #{self.prettyname} [options]"
+        end
+
+        def self.execute
+          raise StandardError, "This command is not implemented yet (#{self.to_s.split('::').last})"
+        end
+
+        def self.prettyname
+          Utils.snakecase self.to_s.split('::').last
+        end
+
+        def self.hidden?
+          false
+        end
+
+      end
+
+    end
+  end
+end

data/lib/hiera/backend/eyaml/subcommands/createkeys.rb

@@ -0,0 +1,29 @@
+require 'hiera/backend/eyaml/subcommand'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Subcommands
+
+        class Createkeys < Subcommand
+
+          def self.options 
+            []
+          end
+
+          def self.description
+            "create a set of keys with which to encrypt/decrypt eyaml data"
+          end
+
+          def self.execute
+            encryptor = Encryptor.find Eyaml.default_encryption_scheme
+            encryptor.create_keys
+            nil
+          end
+
+        end
+
+      end
+    end
+  end
+end