hiera-eyaml-gpg 0.1

data/.gitignore

@@ -0,0 +1,7 @@
+.idea
+*.iml
+*.gradle
+keys/*.pem
+pkg/
+tmp/
+.DS_Store

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org/'
+
+gem 'hiera-eyaml', ">=1.3.4"
+gem 'gpgme', ">=2.0.0"
+
+group :development do
+  gem "aruba"
+end

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Simon Hildrew
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,16 @@
+hiera-eyaml-gpg
+===============
+
+GPG encryprion backend for the [hiera-eyaml](https://github.com/TomPoulton/hiera-eyaml) module.
+
+Motivation
+----------
+
+The default PKCS#7 encryption scheme used by hiera-eyaml is perfect if only simple
+encryption and decryption is needed.
+
+However, if you are in a sizable team it helps to encrypt and decrypt data with multiple
+keys. This means that each team member can hold their own private key and so can the puppetmaster.
+Equally, each puppet master can have their own key if desired and when you need to rotate 
+keys for either users or puppet masters, re-encrypting your files and changing the key everywhere
+does not need to be done in lockstep.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/hiera-eyaml-gpg.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hiera/backend/eyaml/encryptors/gpg/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "hiera-eyaml-gpg"
+  gem.version       = Hiera::Backend::Eyaml::Encryptors::Gpg::VERSION
+  gem.description   = "GPG encryptor for use with hiera-eyaml"
+  gem.summary       = "Encryption plugin for hiera-eyaml backend for Hiera"
+  gem.author        = "Simon Hildrew"
+  gem.license       = "MIT"
+
+  gem.homepage      = "http://github.com/sihil/hiera-eyaml-gpg"
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency('hiera-eyaml', '>=1.3.4')
+  gem.add_dependency('gpgme', '>=2.0.0')
+end

data/lib/hiera/backend/eyaml/encryptors/gpg/eyaml_init.rb

@@ -0,0 +1,3 @@
+require 'hiera/backend/eyaml/encryptors/gpg'
+
+Hiera::Backend::Eyaml::Encryptors::Gpg.register

data/lib/hiera/backend/eyaml/encryptors/gpg/version.rb

@@ -0,0 +1,11 @@
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        module Gpg
+          VERSION = "0.1"
+        end
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/encryptors/gpg.rb

@@ -0,0 +1,161 @@
+require 'gpgme'
+require 'base64'
+require 'pathname'
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+
+        class Gpg < Encryptor
+
+          self.tag = "GPG"
+
+          self.options = {
+            :gnupghome => { :desc => "Location of your GNUPGHOME directory",
+                            :type => :string,
+                            :default => "#{ENV[["HOME", "HOMEPATH"].detect { |h| ENV[h] != nil }]}/.gnupg" },
+            :always_trust => { :desc => "Assume that used keys are fully trusted",
+                               :type => :boolean,
+                               :default => false },
+            :recipients => { :desc => "List of recipients (comma separated)",
+                             :type => :string },
+            :recipients_file => { :desc => "File containing a list of recipients (one on each line)",
+                             :type => :string }
+          }
+
+          def self.passfunc(hook, uid_hint, passphrase_info, prev_was_bad, fd)
+            begin
+                system('stty -echo')
+                passphrase = ask("Enter passphrase for #{uid_hint}: ") { |q| q.echo = '*' }
+                io = IO.for_fd(fd, 'w')
+                io.puts(passphrase)
+                io.flush
+              ensure
+                (0 ... $_.length).each do |i| $_[i] = ?0 end if $_
+                  system('stty echo')
+              end
+              $stderr.puts
+          end
+
+          def self.find_recipients
+            recipient_option = self.option :recipients
+            recipients = if !recipient_option.nil?
+              debug("Using --recipients option")
+              recipient_option.split(",")
+            else
+              recipient_file_option = self.option :recipients_file
+              recipient_file = if !recipient_file_option.nil?
+                debug("Using --recipients-file option")
+                Pathname.new(recipient_file_option)
+              else
+                debug("Searching for any hiera-eyaml-gpg.recipents files in path")
+                # if we are editing a file, look for a hiera-eyaml-gpg.recipients file
+                filename = case Eyaml::Options[:source]
+                when :file
+                  Eyaml::Options[:file]
+                when :eyaml
+                  Eyaml::Options[:eyaml]
+                else
+                  nil
+                end
+
+                if filename.nil?
+                  nil
+                else
+                  path = Pathname.new(filename).realpath.dirname
+                  selected_file = nil
+                  path.descend{|path| path
+                    potential_file = path.join('hiera-eyaml-gpg.recipients')
+                    selected_file = potential_file if potential_file.exist? 
+                  }
+                  debug("Using file at #{selected_file}")
+                  selected_file
+                end
+              end
+
+              unless recipient_file.nil?
+                recipient_file.readlines.map{ |line| line.strip } 
+              else
+                []
+              end
+            end
+          end
+
+          def self.encrypt plaintext
+            ENV["GNUPGHOME"] = self.option :gnupghome
+            debug("GNUPGHOME is #{ENV['GNUPGHOME']}")
+
+            ctx = GPGME::Ctx.new
+
+            recipients = self.find_recipients
+            debug("Recipents are #{recipients}")
+
+            raise ArgumentError, 'No recipients provided, don\'t know who to encrypt to' if recipients.empty?
+
+            keys = recipients.map {|r| ctx.keys(r).first }
+            debug("Keys: #{keys}")
+
+            always_trust = self.option(:always_trust)
+            unless always_trust
+              # check validity of recipients (this is possibly naive, but better than the unhelpful
+              # error that it would spit out otherwise)
+              keys.each do |key|
+                unless key.primary_uid.validity >= GPGME::VALIDITY_FULL
+                  raise StandardError, "Key #{key.sha} (#{key.email}) not trusted (if key trust is established by another means then specify always-trust)"
+                end
+              end
+            end
+
+            data = GPGME::Data.from_str(plaintext)
+            crypto = GPGME::Crypto.new(:always_trust => always_trust)
+
+            ciphertext = crypto.encrypt(data, :recipients => keys)
+            ciphertext.seek 0
+            ciphertext.read
+          end
+
+          def self.decrypt ciphertext
+            ENV["GNUPGHOME"] = self.option :gnupghome
+            debug("GNUPGHOME is #{ENV['GNUPGHOME']}")
+
+            ctx = if hiera?
+              GPGME::Ctx.new
+            else
+              GPGME::Ctx.new(:passphrase_callback => method(:passfunc))
+            end
+
+            if !ctx.keys.empty?
+              raw = GPGME::Data.new(ciphertext)
+              txt = GPGME::Data.new
+
+              begin
+                txt = ctx.decrypt(raw)
+              rescue GPGME::Error::DecryptFailed => e
+                warn("Fatal: Failed to decrypt ciphertext (check settings and that you are a recipient)")
+                raise e
+              rescue Exception => e
+                warn("Warning: General exception decrypting GPG file")
+                raise e
+              end
+
+              txt.seek 0
+              txt.read
+            else
+              warn("No usable keys found in #{ENV['GNUPGHOME']}. Check :gpgpghome value in hiera.yaml is correct")
+            end
+          end
+
+          def self.create_keys
+            STDERR.puts "The GPG encryptor does not support creation of keys, use the GPG command lines tools instead"
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/tools/regem.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+gem uninstall hiera-eyaml-gpg
+rake build
+gem install pkg/hiera-eyaml-gpg
+eyaml -v

metadata

@@ -0,0 +1,87 @@
+--- !ruby/object:Gem::Specification
+name: hiera-eyaml-gpg
+version: !ruby/object:Gem::Version
+  version: '0.1'
+  prerelease: 
+platform: ruby
+authors:
+- Simon Hildrew
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-09-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: hiera-eyaml
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.3.4
+- !ruby/object:Gem::Dependency
+  name: gpgme
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+description: GPG encryptor for use with hiera-eyaml
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- hiera-eyaml-gpg.gemspec
+- lib/hiera/backend/eyaml/encryptors/gpg.rb
+- lib/hiera/backend/eyaml/encryptors/gpg/eyaml_init.rb
+- lib/hiera/backend/eyaml/encryptors/gpg/version.rb
+- tools/regem.sh
+homepage: http://github.com/sihil/hiera-eyaml-gpg
+licenses:
+- MIT
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Encryption plugin for hiera-eyaml backend for Hiera
+test_files: []