hiera-eyaml-age 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: b410dda98aafc5197a88ce2da1c5b9e946b5262edeed99dc556431d69d8e4801
+  data.tar.gz: e84d835a8e3f8ab55b2209d51ffc24972b969fed00333797f12dee85c83c7479
+SHA512:
+  metadata.gz: e4de4e92ce526c1bd1385b9bfc0facc9ff94b45f5c672e72959ee623be5e37f09ff469d22eb51b4c044398f236a24b1d3347dcecd57e77394ee73a036fbb8200
+  data.tar.gz: 450e0669ae45fd070500042c171c89dc042364847890ea28f9ff8541a2cfbb0cb961e5052a77c6d57e56390386cc03d34a65fa30755e806b1a501f0bcb9236d4

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+*.swp
+.bundle/
+vendor/

data/.rubocop.yml

@@ -0,0 +1,53 @@
+AllCops:
+  TargetRubyVersion: 3.3
+  NewCops: enable
+  SuggestExtensions: false
+
+Layout/DotPosition:
+  Enabled: false
+
+Layout/EndOfLine:
+  Enabled: false
+
+Layout/LineLength:
+  Enabled: false
+
+Metrics/AbcSize:
+  Enabled: false
+
+Metrics/BlockLength:
+  Enabled: false
+
+Metrics/ClassLength:
+  Enabled: false
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+
+Metrics/MethodLength:
+  Enabled: false
+
+Metrics/ParameterLists:
+  Enabled: false
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+
+Style/ClassAndModuleChildren:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: false
+
+# based on https://github.com/voxpupuli/modulesync_config/issues/168
+Style/RegexpLiteral:
+  EnforcedStyle: percent_r

data/Gemfile

@@ -0,0 +1,10 @@
+source ENV['GEM_SOURCE'] || 'https://rubygems.org'
+
+gemspec
+
+group :development do
+  gem 'rake', require: false
+  gem 'rubocop', require: false
+  gem 'syntax', require: false
+  gem 'syntax_tree', require: false
+end

data/Gemfile.lock

@@ -0,0 +1,69 @@
+PATH
+  remote: .
+  specs:
+    hiera-eyaml-age (0.1.0)
+      hiera-eyaml (~> 5.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.3)
+    base64 (0.3.0)
+    hiera-eyaml (5.0.1)
+      base64 (~> 0.1)
+      highline (>= 2.1, < 4)
+      optimist (~> 3.1)
+    highline (3.1.2)
+      reline
+    io-console (0.8.2)
+    json (2.19.5)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    optimist (3.2.1)
+    parallel (2.1.0)
+    parser (3.3.11.1)
+      ast (~> 2.4.1)
+      racc
+    prettier_print (1.2.1)
+    prism (1.9.0)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.4.2)
+    regexp_parser (2.12.0)
+    reline (0.6.3)
+      io-console (~> 0.5)
+    rubocop (1.86.2)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (>= 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.49.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.7)
+    ruby-progressbar (1.13.0)
+    syntax (1.2.2)
+    syntax_tree (6.3.0)
+      prettier_print (>= 1.2.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+
+PLATFORMS
+  ruby
+  x86_64-linux-gnu
+
+DEPENDENCIES
+  hiera-eyaml-age!
+  rake
+  rubocop
+  syntax
+  syntax_tree
+
+BUNDLED WITH
+   2.6.7

data/README.md

@@ -0,0 +1,94 @@
+hiera-eyaml-age
+===============
+
+age encryption backend for [hiera-eyaml].
+
+# Motivation
+
+The default PKCS#7 encryption scheme used by `hiera-eyaml` works, but relies upon just a single key.
+
+A solution that allows each team member and Puppet Server to hold their own keys allows for easier rotation.
+
+[hiera-eyaml-gpg] supports each team member using their own keys, but.... it is GPG. Many may not be keen to get a degree in keyring management just to edit hieradata.
+
+[age] supports encrypting to many with individual keys as well, but without the hassle. It offers meaningfully stronger encryption, even introducing post-quantum resistance since v1.3.0.
+
+# Requirements
+
+age [installed] in your `$PATH`.
+
+# Install
+
+```sh
+gem install hiera-eyaml-age
+```
+
+# Configuration
+
+```sh
+# ~/.eyaml/config.yaml
+age_identity_file: '/path/to/your/identity/file'
+age_recipients: '<age_pubkey1>,<age_pubkey2>,...'
+# age_recipients_file: '/path/to/recipients/file/pubkeys/one/per/line.txt'
+# age_binary_path: '/optional/path/directly/to/age'
+```
+
+# Usage
+
+## Encrypting and editing encrypted data
+
+It is recommended to configure `hiera-eyaml` as above to avoid having to pass the necessary arguments each time.
+
+The usual workflow can be as simple as `eyaml edit` and following the instructions at the top of the file:
+
+```sh
+eyaml edit /path/to/hieradata/file.yaml
+```
+
+Or more manually, create encrypted ``hiera-eyaml`` blocks encrypted with age:
+
+```sh
+eyaml encrypt --encrypt-method age --string "My string to encrypt" --age-recipients age126amywumzxvz2d9umnv3796tfsy044ww7pe7rwampammswl0n4rqv4c557,age162268ddynmjurmd7z628rctuh4qfavd84c62sjxhnmq7sw06c3lsmyetzf
+```
+
+Or pass a file containing a list of recipients (one per line, `#` comments ignored):
+
+```sh
+eyaml encrypt --encrypt-method age --string "My string to encrypt" --age-recipients-file /path/to/youur/recipients/file
+```
+
+age recipients can be native age public keys (`age1...`) or SSH public keys (`ssh-ed25519 ...`, `ssh-rsa ...`).
+
+Use `eyaml --help` for more, or see the [hiera-eyaml] docs.
+
+### Configuring hiera
+
+```yaml
+---
+version: 5
+defaults:
+hierarchy:
+  - name: "Per-node data"
+    lookup_key: eyaml_lookup_key
+    options:
+      age_identity_file: /opt/puppetlabs/server/data/puppetserver/.age/identity.txt
+    path: "nodes/%{::trusted.certname}.yaml"
+  - name: "Common data"
+    lookup_key: eyaml_lookup_key
+    options:
+      age_identity_file: /opt/puppetlabs/server/data/puppetserver/.age/identity.txt
+    path: "common.yaml"
+```
+
+### Installing on Puppet server
+
+```sh
+# Puppet agent and Server have separate Ruby environments
+/opt/puppetlabs/puppet/bin/gem install hiera-eyaml-age
+/opt/puppetlabs/server/bin/puppetserver gem install hiera-eyaml-age
+```
+
+[age]: https://age-encryption.org/
+[hiera-eyaml-gpg]: https://github.com/voxpupuli/hiera-eyaml-gpg
+[hiera-eyaml]: https://github.com/voxpupuli/hiera-eyaml
+[installed]: https://age-encryption.org/#installation

data/Rakefile

@@ -0,0 +1,9 @@
+require 'bundler/gem_tasks'
+require 'rubocop/rake_task'
+
+desc 'Run RuboCop on the lib directory'
+RuboCop::RakeTask.new(:rubocop) do |task|
+  task.patterns = ['lib/**/*.rb']
+end
+
+task test: %w[clean rubocop]

data/hiera-eyaml-age.gemspec

@@ -0,0 +1,24 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hiera/backend/eyaml/encryptors/age/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = 'hiera-eyaml-age'
+  gem.version       = Hiera::Backend::Eyaml::Encryptors::AgeVersion::VERSION
+  gem.description   = 'age encryptor for use with hiera-eyaml'
+  gem.summary       = 'Encryption plugin for hiera-eyaml backend for Hiera'
+  gem.authors       = ['IAS Network']
+  gem.license       = 'MIT'
+  gem.homepage      = 'https://github.com/theias/hiera-eyaml-age'
+  gem.metadata      = {
+    'source_code_uri'   => 'https://github.com/theias/hiera-eyaml-age',
+    'changelog_uri'     => 'https://github.com/theias/hiera-eyaml-age/blob/main/CHANGELOG.md',
+    'bug_tracker_uri'   => 'https://github.com/theias/hiera-eyaml-age/issues',
+  }
+
+  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  gem.require_paths = ['lib']
+
+  gem.required_ruby_version = '>= 3.0'
+  gem.add_dependency('hiera-eyaml', '~> 5.0')
+end

data/lib/hiera/backend/eyaml/encryptors/age/eyaml_init.rb

@@ -0,0 +1,3 @@
+require "hiera/backend/eyaml/encryptors/age"
+
+Hiera::Backend::Eyaml::Encryptors::Age.register

data/lib/hiera/backend/eyaml/encryptors/age/version.rb

@@ -0,0 +1,11 @@
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        module AgeVersion
+          VERSION = "0.1.0".freeze
+        end
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/encryptors/age.rb

@@ -0,0 +1,125 @@
+require "open3"
+require "hiera/backend/eyaml/encryptor"
+require "hiera/backend/eyaml/utils"
+require "hiera/backend/eyaml/options"
+require "hiera/backend/eyaml/encryptors/age/version"
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        class Age < Encryptor
+          VERSION = Hiera::Backend::Eyaml::Encryptors::AgeVersion::VERSION
+          self.tag = "AGE"
+
+          self.options = {
+            age_binary_path: {
+              desc: "Full path to the age executable",
+              type: :string,
+              default: "age"
+            },
+            identity_file: {
+              desc: "Path to age identity file for decryption",
+              type: :string
+            },
+            recipients: {
+              desc: "List of recipients (comma separated)",
+              type: :string
+            },
+            recipients_file: {
+              desc: "File containing a list of recipients (one on each line)",
+              type: :string
+            }
+          }
+
+          def self.encrypt(plaintext)
+            recipients = determine_recipients
+            debug("Recipients are #{recipients}")
+
+            if recipients.empty?
+              raise RecoverableError,
+                    "No recipients provided, don't know who to encrypt to"
+            end
+
+            recipient_args =
+              recipients.flat_map { |recipient| ["-r", recipient] }
+
+            stdout, stderr, status =
+              Open3.capture3(
+                option(:age_binary_path),
+                "--encrypt",
+                *recipient_args,
+                stdin_data: plaintext,
+                binmode: true
+              )
+            unless status.success?
+              raise RecoverableError, "age encrypt failed: #{stderr.strip}"
+            end
+
+            stdout
+          end
+
+          def self.decrypt(ciphertext)
+            identity_file = option(:identity_file)
+            debug("age identity file is #{identity_file}")
+
+            if identity_file.nil? || identity_file.empty?
+              raise ArgumentError,
+                    "No age identity file configured, check age_identity_file configuration value is correct"
+            elsif !File.exist?(identity_file)
+              raise ArgumentError,
+                    "Configured age identity file #{identity_file} doesn't exist, check age_identity_file configuration value is correct"
+            end
+
+            stdout, stderr, status =
+              Open3.capture3(
+                option(:age_binary_path),
+                "--decrypt",
+                "--identity",
+                identity_file,
+                stdin_data: ciphertext,
+                binmode: true
+              )
+
+            unless status.success?
+              warn(
+                "Fatal: Failed to decrypt ciphertext (check settings and that you are a recipient)"
+              )
+              raise StandardError, "age decrypt failed: #{stderr.strip}"
+            end
+
+            stdout
+          end
+
+          def self.create_keys
+            warn "The age encryptor does not support creation of keys, use the age command line tools instead"
+          end
+
+          class << self
+            private
+
+            def determine_recipients
+              recipient_option = option :recipients
+
+              unless recipient_option.nil?
+                debug("Using --recipients option")
+                return recipient_option.split(",").map(&:strip)
+              end
+
+              recipients_file_option = option :recipients_file
+              return [] if recipients_file_option.nil?
+
+              debug("Using --recipients-file option")
+              File
+                .readlines(recipients_file_option)
+                .map do |line|
+                  line.strip unless line.start_with?("#") || line.strip.empty?
+                end
+                .compact
+            end
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,65 @@
+--- !ruby/object:Gem::Specification
+name: hiera-eyaml-age
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- IAS Network
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: hiera-eyaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+description: age encryptor for use with hiera-eyaml
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- hiera-eyaml-age.gemspec
+- lib/hiera/backend/eyaml/encryptors/age.rb
+- lib/hiera/backend/eyaml/encryptors/age/eyaml_init.rb
+- lib/hiera/backend/eyaml/encryptors/age/version.rb
+homepage: https://github.com/theias/hiera-eyaml-age
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/theias/hiera-eyaml-age
+  changelog_uri: https://github.com/theias/hiera-eyaml-age/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/theias/hiera-eyaml-age/issues
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.7
+specification_version: 4
+summary: Encryption plugin for hiera-eyaml backend for Hiera
+test_files: []