clarenceb-hiera-eyaml 2.0.1
- data/.gitignore +8 -0
- data/.travis.yml +10 -0
- data/Gemfile +17 -0
- data/Gemfile.lock +52 -0
- data/LICENSE.txt +21 -0
- data/PLUGINS.md +4 -0
- data/README.md +322 -0
- data/Rakefile +1 -0
- data/bin/eyaml +13 -0
- data/hiera-eyaml.gemspec +22 -0
- data/lib/hiera/backend/eyaml/CLI.rb +60 -0
- data/lib/hiera/backend/eyaml/commands.rb +21 -0
- data/lib/hiera/backend/eyaml/encryptor.rb +79 -0
- data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +107 -0
- data/lib/hiera/backend/eyaml/options.rb +35 -0
- data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb +138 -0
- data/lib/hiera/backend/eyaml/parser/parser.rb +82 -0
- data/lib/hiera/backend/eyaml/parser/token.rb +49 -0
- data/lib/hiera/backend/eyaml/plugins.rb +70 -0
- data/lib/hiera/backend/eyaml/subcommand.rb +126 -0
- data/lib/hiera/backend/eyaml/subcommands/createkeys.rb +29 -0
- data/lib/hiera/backend/eyaml/subcommands/decrypt.rb +81 -0
- data/lib/hiera/backend/eyaml/subcommands/edit.rb +105 -0
- data/lib/hiera/backend/eyaml/subcommands/encrypt.rb +100 -0
- data/lib/hiera/backend/eyaml/subcommands/help.rb +51 -0
- data/lib/hiera/backend/eyaml/subcommands/recrypt.rb +56 -0
- data/lib/hiera/backend/eyaml/subcommands/unknown_command.rb +48 -0
- data/lib/hiera/backend/eyaml/subcommands/version.rb +47 -0
- data/lib/hiera/backend/eyaml/utils.rb +172 -0
- data/lib/hiera/backend/eyaml.rb +48 -0
- data/lib/hiera/backend/eyaml_backend.rb +125 -0
- data/sublime_text/README.md +16 -0
- data/sublime_text/eyaml.sublime-package +0 -0
- data/sublime_text/eyaml.syntax_definition.json +288 -0
- data/tools/regem.sh +9 -0
- metadata +114 -0
data/.gitignore
ADDED
data/.travis.yml
ADDED
data/Gemfile
ADDED
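--- /dev/null
+++ b/data/Gemfile.lock
@@ -0,0 +1,52 @@
+GEM
+remote: https://rubygems.org/
+specs:
+aruba (0.5.3)
+childprocess (>= 0.3.6)
+cucumber (>= 1.1.1)
+rspec-expectations (>= 2.7.0)
+builder (3.2.2)
+childprocess (0.3.9)
+ffi (~> 1.0, >= 1.0.11)
+cucumber (1.3.10)
+builder (>= 2.1.2)
+diff-lcs (>= 1.1.3)
+gherkin (~> 2.12)
+multi_json (>= 1.7.5, < 2.0)
+multi_test (>= 0.0.2)
+diff-lcs (1.2.5)
+facter (1.7.3)
+ffi (1.9.3)
+ffi (1.9.3-java)
+gherkin (2.12.2)
+multi_json (~> 1.3)
+gherkin (2.12.2-java)
+multi_json (~> 1.3)
+hiera (1.2.1)
+json_pure
+hiera-eyaml-plaintext (0.5)
+highline (1.6.20)
+json_pure (1.8.1)
+multi_json (1.8.2)
+multi_test (0.0.2)
+puppet (3.3.2)
+facter (~> 1.6)
+hiera (~> 1.0)
+rgen (~> 0.6.5)
+rake (10.1.0)
+rgen (0.6.6)
+rspec-expectations (2.14.4)
+diff-lcs (>= 1.1.3, < 2.0)
+trollop (2.0)
+
+PLATFORMS
+java
+ruby
+
+DEPENDENCIES
+aruba
+hiera-eyaml-plaintext
+highline
+puppet
+rake
+trollop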
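--- /dev/null
+++ b/data/LICENSE.txt
@@ -0,0 +1,21 @@
+
+The MIT License (MIT)
+
+Copyright (c) 2013 Tom Poulton
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.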
data/PLUGINS.md
ADDED
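--- /dev/null
+++ b/data/README.md
@@ -0,0 +1,322 @@
+Note
+====
+Contains fix for this issue: https://github.com/TomPoulton/hiera-eyaml/pull/62
+
+See https://github.com/TomPoulton/hiera-eyaml for the original version.
+
+Hiera eyaml
+===========
+
+[![Build Status](https://travis-ci.org/TomPoulton/hiera-eyaml.png?branch=master)](https://travis-ci.org/TomPoulton/hiera-eyaml)
+
+hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
+to be used by Puppet.
+
+:new: *v2.0 - commandline tool syntax has changed, see below for details*
+
+Advantages over hiera-gpg
+-------------------------
+
+A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
+one of the best expressed frustrations was
+[written back in June 2013](http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/). So
+[Tom created an initial version](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/)
+and this was refined into an elegant solution over the following months.
+
+Unlike `hiera-gpg`, `hiera-eyaml`:
+
+- only encrypts the values (which allows files to be swiftly reviewed without decryption)
+- encrypts the value of each key individually (this means that `git diff` is meaningful)
+- includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
+easy as using clear text files)
+- uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
+be compiled & allows users without the private key to encrypt values that the puppet master can decrypt)
+- has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
+if you have the need for multiple keys and easier key rotation)
+
+The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
+method, wrapped with ENC[] and placed in an eyaml file. You can mix your plain values in as well or separate them into different files.
+Encrypted values can occur within arrays, hashes, nested arrays and nested hashes.
+
+For instance:
+
+```yaml
+---
+plain-property: You can see me
+
+encrypted-property: >
+ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+/HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+```
+
+To edit this you can use the command `eyaml edit important.eyaml` which will decrypt the file, fire up an editor with
+the decrypted values and re-encrypt any edited values when you exit the editor. This tool makes editing your encrypted
+files as simple as clear text files.
+
+
+Setup
+-----
+
+### Installing hiera-eyaml
+
+$ gem install hiera-eyaml
+
+### Generate keys
+
+The first step is to create a pair of keys:
+
+$ eyaml createkeys
+
+This creates a public and private key with default names in the default location. (./keys)
+
+#### Storing the keys securely when using Puppet
+
+Since the point of using this module is to securely store sensitive information, it's important to store these keys securely.
+If using Hiera with Puppet, Your puppetmaster will need to access these keys to perform decryption when the puppet agent runs on a remote node.
+So for this reason, a suggested location might be to store them in:
+
+/etc/puppet/secure/keys
+
+(Using a secure/keys/ subfolder is so that you can still store other secure puppet files in the secure/ folder that might not be related to this module.)
+
+The permissions for this folder should allow the puppet user (normally 'puppet') execute access to the keys directory, read only access to the keys themselves and restrict everyone else:
+
+$ chown -R puppet:puppet /etc/puppet/secure/keys
+$ chmod -R 0500 /etc/puppet/secure/keys
+$ chmod 0400 /etc/puppet/secure/keys/*.pem
+$ ls -lha /etc/puppet/secure/keys
+-r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
+-r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
+
+
+### Encryption
+
+To encrypt something, you only need the public_key, so distribute that to people creating hiera properties
+
+$ eyaml encrypt -f filename # Encrypt a file
+$ eyaml encrypt -s 'hello there' # Encrypt a string
+$ eyaml encrypt -p # Encrypt a password (prompt for it)
+
+Use the -l parameter to pass in a label for the encrypted value,
+
+$ eyaml encrypt -l 'some_easy_to_use_label' -s 'yourSecretString'
+
+
+### Decryption
+
+To decrypt something, you need the public_key and the private_key.
+
+To test decryption you can also use the eyaml tool if you have both keys
+
+$ eyaml decrypt -f filename # Decrypt a file
+$ eyaml decrypt -s 'ENC[PKCS7,.....]' # Decrypt a string
+
+### Editing eyaml files
+
+Once you have created a few eyaml files, with a mixture of encrypted and non-encrypted properties,
+you can edit the encrypted values in place, using the special edit mode of the eyaml utility. Edit
+mode opens a decrypted copy of the eyaml file in your `$EDITOR` and will encrypt and modified values
+when you exit the editor.
+
+$ eyaml edit filename.eyaml # Edit an eyaml file in place
+
+When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
+identify each encrypted block, along with the encryption method. This is used to make sure that the block
+is encrypted again only if the clear text value has changed, and is encrypted using the
+original encryption mechanism (see plugable encryption later).
+
+A decrypted file might look like this:
+
+```yaml
+---
+plain-property: You can see me
+
+cipher-property : >
+DEC(1)::PKCS7[You can't see me]!
+
+environments:
+development:
+host: localhost
+password: password
+production:
+host: prod.org.com
+password: >
+DEC(2)::PKCS7[securepassword]!
+
+things:
+- thing 1
+- - nested thing 1.0
+- >
+DEC(3)::PKCS7[secure nested thing 1.1]!
+- - nested thing 2.0
+- nested thing 2.1
+```
+
+Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
+omit the number in brackets for new values. If any duplicate IDs are found then the re-encryption process will be abandoned
+by the eyaml tool.
+
+some_new_key: DEC::PKCS7[a new value to encrypt]!
+
+
+Hiera
+-----
+
+To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend
+
+```yaml
+---
+:backends:
+- eyaml
+- yaml
+
+:hierarchy:
+- %{environment}
+- common
+
+:yaml:
+:datadir: '/etc/puppet/hieradata'
+:eyaml:
+:datadir: '/etc/puppet/hieradata'
+
+# If using the pkcs7 encryptor (default)
+:pkcs7_private_key: /path/to/private_key.pkcs7.pem
+:pkcs7_public_key: /path/to/public_key.pkcs7.pem
+```
+
+Then, edit your hiera yaml files, and insert your encrypted values. The default eyaml file extension is .eyaml, however this can be configured in the :eyaml block to set :extension,
+
+```yaml
+:eyaml:
+:extension: 'yaml'
+```
+
+*Important Note:*
+The eyaml backend will not parse internally json formatted yaml files, whereas the regular yaml backend will.
+You'll need to ensure any existing yaml files using json format are converted to syntactically correct yaml format.
+
+```yaml
+---
+plain-property: You can see me
+
+cipher-property : >
+ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+/HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+
+environments:
+development:
+host: localhost
+password: password
+production:
+host: prod.org.com
+password: >
+ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+/HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+
+things:
+- thing 1
+- - nested thing 1.0
+- >
+ENC[PKCS7,Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+/HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+- - nested thing 2.0
+- nested thing 2.1
+```
+
+
+Pluggable Encryption
+--------------------
+
+hiera-eyaml backend is pluggable, so that further encryption types can be added as separate gems to the general mechanism which hiera-eyaml uses. Hiera-eyaml ships with one default mechanism of 'pkcs7', the encryption type widely used to sign smime email messages.
+
+Other encryption types (if the gems for them have been loaded) can be specified using the following formats:
+
+ENC[PKCS7,SOME_ENCRYPTED_VALUE] # a PKCS7 encrypted value
+ENC[GPG,SOME_ENCRYPTED_VALUE] # a GPG encrypted value (hiera-eyaml-gpg)
+... etc ...
+
+When editing eyaml files, you will see that the unencrypted plaintext is marked in such a way as to identify the encryption method. This is so that the eyaml tool knows to encrypt it back using the correct method afterwards:
+
+some_key: DEC(1)::PKCS7[very secret password]!
+
+### Encryption plugins
+
+This is a list of available plugins:
+
+- [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg) - Provide GPG encryption
+- [hiera-eyaml-plaintext](https://github.com/gtmtech/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
+simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
+hiera-eyaml. **THIS SHOULD NOT BE USED IN PRODUCTION**
+
+
+Notes
+-----
+
+If you do not specify an encryption method within ENC[] tags, it will be assumed to be PKCS7
+
+Also remember that after encrypting your sensitive properties, if anyone has access to your git source,
+they will see what the property was in previous commits before you encrypted. It's recommended that you
+roll any passwords when switching from unencrypted to encrypted properties. eg, Developers having write
+access to a DEV branch will be able to read/view the contents of the PRD branch, as per the design of GIT.
+
+Github has a great guide on removing sensitive data from repos here:
+https://help.github.com/articles/remove-sensitive-data
+
+
+Troubleshooting
+---------------
+
+### Installing from behind a corporate/application proxy
+
+$ export HTTP_PROXY=http://yourcorporateproxy:3128/
+$ export HTTPS_PROXY=http://yourcorporateproxy:3128/
+
+then run your install
+
+$ gem install hiera-eyaml
+
+
+Issues
+------
+
+If you have found a bug then please raise an issue here on github.
+
+Some of us hang out on #hiera-eyaml on freenode, please drop by if you want to say hi or have a question.
+
+
+Tests
+-----
+
+In order to run the tests, simply run `cucumber` in the top level directory of the project.
+
+You'll need to have a few requirements installed:
+
+* `expect` (via yum/apt-get or system package)
+* `aruba` (gem)
+* `cucumber` (gem)
+* `puppet` (gem)
+
+
+Authors
+-------
+
+- [Tom Poulton](http://github.com/TomPoulton) - Initial author. eyaml backend.
+- [Geoff Meakin](http://github.com/gtmtech) - Major contributor. eyaml command, tests, CI
+- [Simon Hildrew](http://github.com/sihil) - Contributor. eyaml edit sub command.
+- [Robert Fielding](http://github.com/rooprob) - Contributor. eyaml recrypt sub command.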
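--- /dev/null
+++ b/data/Rakefile
@@ -0,0 +1 @@
+require "bundler/gem_tasks"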
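--- /dev/null
+++ b/data/bin/eyaml
@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'hiera/backend/eyaml/CLI'
+require 'hiera/backend/eyaml/plugins'
+require 'hiera/backend/eyaml/encryptors/pkcs7'
+
+# Register all plugins
+Hiera::Backend::Eyaml::Encryptors::Pkcs7.register
+Hiera::Backend::Eyaml::Plugins.find
+
+Hiera::Backend::Eyaml::CLI.parse
+Hiera::Backend::Eyaml::CLI.execute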
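--- /dev/null
+++ b/data/hiera-eyaml.gemspec
@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hiera/backend/eyaml'
+
+Gem::Specification.new do |gem|
+gem.name = "clarenceb-hiera-eyaml"
+gem.version = Hiera::Backend::Eyaml::VERSION
+gem.description = "Hiera backend for decrypting encrypted yaml properties (Fix for Issue #62)"
+gem.summary = "OpenSSL Encryption backend for Hiera"
+gem.author = "Tom Poulton"
+gem.license = "MIT"
+
+gem.homepage = "https://github.com/clarenceb/hiera-eyaml"
+gem.files = `git ls-files`.split($/).reject { |file| file =~ /^features.*$/ }
+gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
+gem.require_paths = ["lib"]
+
+gem.add_dependency('trollop', '>=2.0')
+gem.add_dependency('highline', '>=1.6.19')
+end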
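Review bot: Both runtime dependencies on lines 20-21 of the gemspec are declared with open-ended lower bounds (`'>=2.0'`, `'>=1.6.19'`), so any future major release of trollop or highline, including a breaking one, satisfies the constraint at install time and the gem's behaviour then depends on whatever resolves that day. Pessimistic constraints keep installs inside the tested major version: `gem.add_dependency('trollop', '~> 2.0')` and `gem.add_dependency('highline', '~> 1.6', '>= 1.6.19')`. Separately, `gem.files` on line 15 is built from `git ls-files`, which yields an empty list when the gemspec is evaluated outside a git checkout (for example from an unpacked gem), so `gem.executables` and `gem.test_files` silently come out empty there too.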
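--- /dev/null
+++ b/data/lib/hiera/backend/eyaml/CLI.rb
@@ -0,0 +1,60 @@
+require 'trollop'
+require 'hiera/backend/eyaml'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/plugins'
+require 'hiera/backend/eyaml/options'
+require 'hiera/backend/eyaml/subcommand'
+
+class Hiera
+module Backend
+module Eyaml
+class CLI
+
+def self.parse
+
+Utils.require_dir 'hiera/backend/eyaml/subcommands'
+Eyaml.subcommands = Utils.find_all_subclasses_of({ :parent_class => Hiera::Backend::Eyaml::Subcommands }).collect {|classname| Utils.snakecase classname}
+
+Eyaml.subcommand = ARGV.shift
+subcommand = case Eyaml.subcommand
+when nil
+ARGV.delete_if {true}
+"unknown_command"
+when /^\-/
+ARGV.delete_if {true}
+"help"
+else
+Eyaml.subcommand
+end
+
+command_class = Subcommand.find subcommand
+
+options = command_class.parse
+options[:executor] = command_class
+
+options = command_class.validate options
+Eyaml::Options.set options
+Eyaml::Options.debug
+
+end
+
+def self.execute
+
+executor = Eyaml::Options[:executor]
+begin
+result = executor.execute
+puts result unless result.nil?
+rescue Exception => e
+Utils.warn e.message
+Utils.info e.backtrace.inspect
+end
+
+end
+
+end
+
+end
+
+end
+
+end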
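Review bot: `execute` rescues `Exception` on line 47 of the new file, which also swallows `SystemExit` and `Interrupt`, and after logging it falls through to a normal return, so the process exits 0 even when the subcommand failed; a script wrapping `eyaml decrypt` sees an empty result and a success status. Narrowing the clause to `rescue StandardError => e` and ending the rescue branch with `exit 1` keeps signals working and the exit code honest. `ARGV.delete_if {true}` on lines 21 and 24 is `ARGV.clear`, and `e.backtrace.inspect` on line 49 prints the trace as one array literal where `e.backtrace.join("\n")` reads as a log. The page shows no file header for this section; by the diffstat it is `data/lib/hiera/backend/eyaml/CLI.rb`.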
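--- /dev/null
+++ b/data/lib/hiera/backend/eyaml/encryptor.rb
@@ -0,0 +1,79 @@
+require 'base64'
+require 'hiera/backend/eyaml/utils'
+
+class Hiera
+module Backend
+module Eyaml
+
+class Encryptor
+
+class << self
+attr_accessor :options
+attr_accessor :tag
+end
+
+def self.find encryption_scheme = nil
+encryption_scheme = Eyaml.default_encryption_scheme if encryption_scheme.nil?
+require "hiera/backend/eyaml/encryptors/#{encryption_scheme.downcase}"
+encryptor_module = Module.const_get('Hiera').const_get('Backend').const_get('Eyaml').const_get('Encryptors')
+encryptor_class = Utils.find_closest_class :parent_class => encryptor_module, :class_name => encryption_scheme
+raise StandardError, "Could not find hiera-eyaml encryptor: #{encryption_scheme}. Try gem install hiera-eyaml-#{encryption_scheme.downcase} ?" if encryptor_class.nil?
+encryptor_class
+end
+
+def self.encode binary_string
+Base64.encode64(binary_string).strip
+end
+
+def self.decode string
+Base64.decode64(string)
+end
+
+def self.encrypt *args
+raise StandardError, "encrypt() not defined for encryptor plugin: #{self}"
+end
+
+def self.decrypt *args
+raise StandardError, "decrypt() not defined for decryptor plugin: #{self}"
+end
+
+protected
+
+def self.plugin_classname
+self.to_s.split("::").last.downcase
+end
+
+def self.register
+Hiera::Backend::Eyaml::Plugins.register_options :options => self.options, :plugin => plugin_classname
+end
+
+def self.option name
+Eyaml::Options[ "#{plugin_classname}_#{name}" ] || self.options[ "#{plugin_classname}_#{name}" ]
+end
+
+def self.hiera?
+Utils::hiera?
+end
+
+def self.format_message msg
+"[eyaml_#{plugin_classname}]: #{msg}"
+end
+
+def self.debug msg
+Utils::debug :from => plugin_classname, :msg => msg
+end
+
+def self.info msg
+Utils::info :from => plugin_classname, :msg => msg
+end
+
+def self.warn msg
+Utils::warn :from => plugin_classname, :msg => msg
+end
+
+end
+
+end
+end
+end
+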
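Review bot: `Encryptor.find` on line 17 of the new file interpolates `encryption_scheme` into a `require` path before anything checks its shape, and the README's `ENC[GPG,...]` examples indicate that string is taken from the scheme tag inside the data files, so a tag carrying path separators would make `require` load an arbitrary `.rb` file reachable from the load path rather than an encryptor plugin; whether the tag parser already restricts it is outside this hunk. A format check ahead of the require bounds the name to plugin identifiers: `raise StandardError, "invalid encryptor name: #{encryption_scheme}" unless encryption_scheme =~ /\A[A-Za-z0-9_]+\z/`. On line 29, `Base64.decode64` silently skips characters it cannot decode, so a corrupted or hand-edited ciphertext reaches the plugin's decrypt as garbage bytes; `Base64.strict_decode64` raises `ArgumentError` on malformed input instead. The `protected` on line 40 has no effect on `def self.` singleton methods, which stay public; `private_class_method` is the mechanism if they are meant to be internal. The page shows no file header for this section; by the diffstat it is `data/lib/hiera/backend/eyaml/encryptor.rb`.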