hiera-backend-trocla 0.0.1 → 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 14d2cfd20349151fe5d35196dbee05da463f489d
+  data.tar.gz: f91b2891bee99049b19b7bd9ea574c08c0cf729f
+SHA512:
+  metadata.gz: 38add66677b2061e5a0e5b48abae2565973366946a69ea9aedb5b90bb98313633d56d222fd061d4d86b70846a6acc6e71d1ef71c27fc76be06fd062dea886ba4
+  data.tar.gz: 8f4ba9d24cfd021c9deb5016dc8d0304c873c204864b0c4fda671b572a3169d4b5bb3c0dc9dc0d273d10e0556b11288c0dee6f39aa5dccecfba9860e3ffa3009

data/.travis.yml

@@ -5,3 +5,7 @@ rvm:
   - 2.0.0-p647
   - 2.1.7
   - 2.2.3
+
+addons:
+  code_climate:
+    repo_token: b92d1d07e8d8bcf4b572f169c71e22941841ff7392736e051ff5819663aaf195

data/Gemfile

@@ -1,4 +1,9 @@
 source 'https://rubygems.org'
 
+if RUBY_VERSION.to_f < 1.9
+  gem "moneta", "~> 0.7.20"
+  gem "highline", "~> 1.6.2"
+end
+
 # Specify your gem's dependencies in hiera-backend-trocla.gemspec
 gemspec

data/README.md

@@ -1,12 +1,18 @@
 # Hiera Backend for Trocla
 
 [![Build Status](https://travis-ci.org/ZeroPointEnergy/hiera-backend-trocla.svg)](https://travis-ci.org/ZeroPointEnergy/hiera-backend-trocla)
+[![Code Climate](https://codeclimate.com/github/ZeroPointEnergy/hiera-backend-trocla/badges/gpa.svg)](https://codeclimate.com/github/ZeroPointEnergy/hiera-backend-trocla)
+[![Test Coverage](https://codeclimate.com/github/ZeroPointEnergy/hiera-backend-trocla/badges/coverage.svg)](https://codeclimate.com/github/ZeroPointEnergy/hiera-backend-trocla/coverage)
 
 This is a simple hiera backend to retrieve passwords from trocla.
 
 The idea of this backend is to enable you to use secrets from trocla
 directly from your hiera data via interpolation tokens.
 
+A lot of the ideas for the improvement of this backend came from the 
+[trocla hiera plugin](https://github.com/duritong/puppet-trocla/pull/15)
+from @michaelweiser.
+
 ## Installation
 
 Simply install the gem and hiera will find it automatically
@@ -40,7 +46,7 @@ The trocla hiera backend will resolve all the variables which start with "trocla
 The second part of the variable is used to describe the format, the last part is the variable
 to lookup in trocla.
 
-    torcla_lookup::format::myvar
+    trocla_lookup::format::myvar
 
 You can use the backend via interpolation tokens like this:
 
@@ -89,9 +95,9 @@ Here is how you would use that in hiera:
 
 Trocla takes a hash of options which provides information for the password creation. This
 options can be set directly in hiera globally or for every key. You can also specify options
-specifically for a password format. However, keep in mind that it will only use the options
-of the format which is used first to retrieve a password for a key, because thats when the
-password is generated.
+specifically for a password format. However, keep in mind that trocla will respect most of
+the options only on the initial/first lookup, when the password is created. As most of the
+options only apply for creating a password.
 
     trocla_options:
       length: 16
@@ -107,6 +113,29 @@ password is generated.
 Some formats may require options to be set for creating passwords, like the
 postgresql format. Check the trocla documentation for available options.
 
+Through the options mechanism it is also possible to change the lookup key used for trocla.
+This is especially interesting, if you want to pass 2 different options for the same key,
+e.g. the render option. An example for that is to have trocla use the same key for 2 different
+lookups, so that with the x509 format, once a certificate and once a key is returned.
+
+
+    var_with_x509_cert: "%{hiera('trocla_lookup::x509::my_cert')}"
+    trocla_options::my_cert:
+      x509:
+        CN: 'my-cert'
+        render:
+          certonly: true
+    var_with_x509_key: "%{hiera('trocla_lookup::x509::my_cert_only_key')}"
+    trocla_options::my_cert_only_key:
+      x509:
+        CN: 'my-cert'
+        trocla_key: my_cert
+        render:
+          keyonly: true
+
+This will lookup one trocla key: my_cert, but with different rendering options, so that
+once we only get the certificat, while on the second lookup we get the private key.
+
 ## Contributing
 
 1. Fork it

data/hiera-backend-trocla.gemspec

@@ -10,7 +10,7 @@ Gem::Specification.new do |spec|
   spec.email         = ["zuber@puzzle.ch"]
   spec.description   = %q{This is a hiera backend for the trocla password storage tool}
   spec.summary       = %q{This is a hiera backend for the trocla password storage tool}
-  spec.homepage      = ""
+  spec.homepage      = "https://github.com/ZeroPointEnergy/hiera-backend-trocla"
   spec.license       = "MIT"
 
   spec.files         = `git ls-files`.split($/)
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "rake"
   spec.add_development_dependency "hiera"
   spec.add_development_dependency "rspec"
-  spec.add_development_dependency "simplecov"
+  spec.add_development_dependency "codeclimate-test-reporter" if RUBY_VERSION >= '1.9.3'
 
   spec.add_dependency "trocla"
 end

data/lib/hiera/backend/trocla/version.rb

@@ -1,7 +1,7 @@
 class Hiera
   module Backend
     class Trocla
-      VERSION = "0.0.1"
+      VERSION = "0.0.2"
     end
   end
 end

data/lib/hiera/backend/trocla_backend.rb

@@ -35,20 +35,22 @@ class Hiera
       # This is a simple lookup which will return a password for the key
       def trocla_lookup(trocla_key, format, scope, order_override)
         opts = options(trocla_key, format, scope, order_override)
-        @trocla.password(trocla_key, format, opts)
+        @trocla.password(opts.delete('trocla_key')||trocla_key, format, opts)
       end
 
       def trocla_hierarchy(trocla_key, format, scope, order_override)
-        get_password_from_hierarchy(trocla_key, format, scope, order_override) ||
-          set_password_in_hierarchy(trocla_key, format, scope, order_override)
+        opts = options(trocla_key, format, scope, order_override)
+        tk = opts.delete('trocla_key') || trocla_key
+        get_password_from_hierarchy(tk, format, opts, scope, order_override) ||
+          set_password_in_hierarchy(tk, format, opts, scope, order_override)
       end
 
       # Try to retrieve a password from a hierarchy
-      def get_password_from_hierarchy(trocla_key, format, scope, order_override)
+      def get_password_from_hierarchy(trocla_key, format, opts, scope, order_override)
         answer = nil
         Backend.datasources(scope, order_override) do |source|
           key = hierarchical_key(source, trocla_key)
-          answer = @trocla.get_password(key, format)
+          answer = @trocla.get_password(key, format, opts)
           break unless answer.nil?
         end
         return answer
@@ -56,8 +58,7 @@ class Hiera
 
       # Set the password in the hierarchy at the top level or whatever
       # level is specified in the options hash with 'order_override'
-      def set_password_in_hierarchy(trocla_key, format, scope, order_override)
-        opts = options(trocla_key, format, scope, order_override)
+      def set_password_in_hierarchy(trocla_key, format, opts, scope, order_override)
         answer = nil
         Backend.datasources(scope, opts['order_override']) do |source|
           key = hierarchical_key(source, trocla_key)
@@ -71,23 +72,23 @@ class Hiera
         "hiera/#{source}/#{trocla_key}"
       end
 
+      # retrieve options hash and merge the format specific settings into the defaults
+      def options(trocla_key, format, scope, order_override)
+        g_options = global_options(format, scope, order_override)
+        k_options = key_options(trocla_key, format, scope, order_override)
+        g_options.merge(k_options)
+      end
+
       # returns global options for password generation
       def global_options(format, scope, order_override)
         g_options = Backend.lookup('trocla_options', {}, scope, order_override, :hash)
-        g_options.merge(g_options[format] || {})
+        Backend.parse_answer(g_options.merge(g_options[format] || {}), scope)
       end
 
       # returns per key options for password generation
       def key_options(trocla_key, format, scope, order_override)
         k_options = Backend.lookup('trocla_options::' + trocla_key, {}, scope, order_override, :hash)
-        k_options.merge(k_options[format] || {})
-      end
-
-      # retrieve options hash and merge the format specific settings into the defaults
-      def options(trocla_key, format, scope, order_override)
-        g_options = global_options(format, scope, order_override)
-        k_options = key_options(trocla_key, format, scope, order_override)
-        g_options.merge(k_options)
+        Backend.parse_answer(k_options.merge(k_options[format] || {}), scope)
       end
 
     end

data/spec/config/hieradata/defaults.yaml

@@ -8,6 +8,10 @@ trocla_options::special_length:
   plain:
     length: 64
 
+very_long: 128
+trocla_options::special_length2:
+  plain:
+    length: "%{hiera('very_long')}"
 # fixtures for trocla_lookup tests
 normal_var: "test"
 var_with_password: "%{hiera('trocla_lookup::plain::my_secret_password')}"
@@ -23,3 +27,29 @@ trocla_options::same_role:
 
 trocla_options::different_role:
   order_override: "role/%{::role}"
+
+var_with_x509: "%{hiera('trocla_lookup::x509::my_cert')}"
+trocla_options::my_cert:
+  x509:
+    CN: 'my-cert'
+var_with_x509_key: "%{hiera('trocla_lookup::x509::my_cert_only_key')}"
+trocla_options::my_cert_only_key:
+  x509:
+    CN: 'my-cert'
+    trocla_key: my_cert
+    render:
+      keyonly: true
+
+hiera_var_with_x509: "%{hiera('trocla_hierarchy::x509::hiera_my_cert')}"
+trocla_options::hiera_my_cert:
+  order_override: "role/%{::role}"
+  x509:
+    CN: 'my-hiera-cert'
+hiera_var_with_x509_key: "%{hiera('trocla_hierarchy::x509::hiera_my_cert_only_key')}"
+trocla_options::hiera_my_cert_only_key:
+  order_override: "role/%{::role}"
+  x509:
+    CN: 'my-hiera-cert'
+    trocla_key: hiera_my_cert
+    render:
+      keyonly: true

data/spec/config/troclarc.yaml

@@ -1 +1,3 @@
-adapter: :Memory
+store_options:
+  adapter: :Memory
+

data/spec/hiera/backend/trocla_spec.rb

@@ -5,6 +5,7 @@ describe Hiera::Backend::Trocla do
 
   before :each do
     @hiera = Hiera.new(:config => "spec/config/hiera.yaml")
+    @trocla = Trocla.new(@hiera.config[:trocla][:config])
   end
 
   describe 'trocla_lookup' do
@@ -33,6 +34,20 @@ describe Hiera::Backend::Trocla do
       expect{@hiera.lookup('trocla_lookup::unexisting::my_secret_password', nil, nil)}.to raise_error StandardError
       expect{@hiera.lookup('var_with_invalid_format', nil, nil)}.to raise_error StandardError
     end
+
+    it 'will be able to influence the trocla key' do
+      x509 = @hiera.lookup('var_with_x509',nil, nil)
+      expect(x509).to match(/BEGIN RSA PRIVATE KEY/)
+      expect(x509).to match(/BEGIN CERTIFICATE/)
+      x509_key = @hiera.lookup('var_with_x509_key',nil, nil)
+      expect(x509_key).to match(/BEGIN RSA PRIVATE KEY/)
+      expect(x509_key).not_to match(/BEGIN CERTIFICATE/)
+
+      # given that hiera trocla options point to the same
+      # trocla key, it must be the same key
+      expect(OpenSSL::PKey::RSA.new(x509).to_pem).to eql(
+        OpenSSL::PKey::RSA.new(x509_key).to_pem)
+    end
   end
 
   describe 'trocla_hierarchy' do
@@ -67,6 +82,21 @@ describe Hiera::Backend::Trocla do
       password2 = @hiera.lookup('trocla_hierarchy::plain::different_role', nil, scope2)
       expect(password1).not_to eq(password2)
     end
+    it 'will be able to influence the trocla key' do
+      scope1 = {'::clientcert' => 'node01.example.com', '::role' => 'role1'}
+      scope2 = {'::clientcert' => 'node02.example.com', '::role' => 'role1'}
+      x509 = @hiera.lookup('hiera_var_with_x509',nil, scope1)
+      expect(x509).to match(/BEGIN RSA PRIVATE KEY/)
+      expect(x509).to match(/BEGIN CERTIFICATE/)
+      x509_key = @hiera.lookup('hiera_var_with_x509_key',nil, scope2)
+      expect(x509_key).to match(/BEGIN RSA PRIVATE KEY/)
+      expect(x509_key).not_to match(/BEGIN CERTIFICATE/)
+
+      # given that hiera trocla options point to the same
+      # trocla key, it must be the same key
+      expect(OpenSSL::PKey::RSA.new(x509).to_pem).to eql(
+        OpenSSL::PKey::RSA.new(x509_key).to_pem)
+    end
   end
 
   describe 'options hash merging' do
@@ -85,6 +115,10 @@ describe Hiera::Backend::Trocla do
       password = @hiera.lookup('trocla_lookup::plain::special_length', nil, nil)
       expect(password.length).to eq(64)
     end
+    it 'will create a password with the length defined for the key, derived from another option' do
+      password2 = @hiera.lookup('trocla_lookup::plain::special_length2', nil, nil)
+      expect(password2.length).to eq(128)
+    end
   end
 
 end

data/spec/spec_helper.rb

@@ -1,11 +1,8 @@
-require 'simplecov'
-SimpleCov.start do
-  add_filter '/spec/'
-  add_filter '/.bundle/'
-  add_filter '/vendor/'
+if RUBY_VERSION >= '1.9.3'
+  require "codeclimate-test-reporter"
+  CodeClimate::TestReporter.start
 end
 
-
 require 'hiera/backend/trocla'
 
 # This file was generated by the `rspec --init` command. Conventionally, all

metadata

@@ -1,20 +1,18 @@
 --- !ruby/object:Gem::Specification
 name: hiera-backend-trocla
 version: !ruby/object:Gem::Version
-  version: 0.0.1
-  prerelease: 
+  version: 0.0.2
 platform: ruby
 authors:
 - Andreas Zuber
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-12 00:00:00.000000000 Z
+date: 2016-02-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -22,7 +20,6 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
@@ -30,81 +27,71 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: hiera
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: trocla
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: This is a hiera backend for the trocla password storage tool
@@ -130,36 +117,29 @@ files:
 - spec/config/troclarc.yaml
 - spec/hiera/backend/trocla_spec.rb
 - spec/spec_helper.rb
-homepage: ''
+homepage: https://github.com/ZeroPointEnergy/hiera-backend-trocla
 licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: -2728931727301270266
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: -2728931727301270266
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 2.2.5
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: This is a hiera backend for the trocla password storage tool
 test_files:
 - spec/config/hiera.yaml