hiera-eyaml-gpg_ruby 0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5b28ae68e2c44ec9d0affeb33fbd80c20b4c8c91
+  data.tar.gz: f51e6e955b0945a892b16a02c380208de56565a3
+SHA512:
+  metadata.gz: b604dca4f51feb1e09d9bff6a4fd8f611eb49945bd64438103d89f607c927e8ffa056b08ab50a0e7e838e1099e75739f285a0226fb8096c1d8b862f1a11b2c44
+  data.tar.gz: 6e9f289d7b9c55b61ee644e527a7ebee2afe6e0c1143e400511c5e106fda6c70a9359f966cb5039a944da3164e0cc0636c2e0397e51615e5a1095d2feaafe924

data/.gitignore

@@ -0,0 +1,7 @@
+.idea
+*.iml
+*.gradle
+keys/*.pem
+pkg/
+tmp/
+.DS_Store

data/Gemfile

@@ -0,0 +1,8 @@
+source 'https://rubygems.org/'
+
+gem 'hiera-eyaml', ">=1.3.8"
+gem 'gpgme', ">=2.0.0"
+
+group :development do
+  gem "aruba"
+end

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Simon Hildrew
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,72 @@
+hiera-eyaml-gpg
+===============
+
+GPG encryption backend for the [hiera-eyaml](https://github.com/TomPoulton/hiera-eyaml) module.
+
+Motivation
+----------
+
+The default PKCS#7 encryption scheme used by hiera-eyaml is perfect if only simple
+encryption and decryption is needed.
+
+However, if you are in a sizable team it helps to encrypt and decrypt data with multiple
+keys. This means that each team member can hold their own private key and so can the puppetmaster.
+Equally, each puppet master can have their own key if desired and when you need to rotate 
+keys for either users or puppet masters, re-encrypting your files and changing the key everywhere
+does not need to be done in lockstep.
+
+Requirements
+------------
+
+You'll need a working GPG setup with your own keypair and a public keyring containing any other
+keys that you want to work
+
+To get started, install the hiera-eyaml-gpg gem.
+
+    $ gem install hiera-eyaml-gpg
+
+If you haven't already installed it, this requires and will install the hiera-eyaml gem, which you
+should probably acquint yourself with at https://github.com/TomPoulton/hiera-eyaml.
+
+Note that in order to install the gpgme gem you'll need to have the ruby development package installed
+for your distribution.
+
+How to use
+----------
+
+### Encrypting and editing encrypted data
+
+Once installed you can create encrypted hiera-eyaml blocks that are encrypted using GPG.
+
+    $ eyaml encrypt -n gpg -s "A secret string to encrypt" --gpg-recipients bob@example.com,hiera@example.com
+
+If you do not have a web of trust (i.e. you normally use --always-trust for gpg signing) then you'll need 
+to use the `--gpg-always-trust` option on the command line.
+
+It gets pretty dull to keep on remembering which recipients you should use, so you can put them in a file
+and specify that instead.
+
+    $ eyaml encrypt -n gpg -s "A secret string to encrypt" --gpg-recipients-file hiera-eyaml-gpg.recipients
+
+In fact, when editing a file on disk and neither of the --gpg-recipient options are provided it will
+automatically look for a `hiera-eyaml-gpg.recipients` file in the same directory as the file being edited 
+(or any parent in the tree). The first file discovered will be used allowing different parts of a hiera 
+tree to have different recipients if so desired.
+
+Use `eyaml --help` for more details or look at the hiera-eyaml docs.
+
+### Configuring hiera
+
+Assuming you have a working `hiera` and `hiera-eyaml` then the only option you need to add is to
+configure `:gpg_gnupghome:` in your hiera.yaml (under the `:eyaml:` section). This should be the
+directory that contains the keyring etc for the user that can to decrypt the hiera data. Please note
+that the private GPG key must not have a passphrase.
+
+Authors
+-------
+
+ - Simon Hildrew - Initial code
+ - Geoff Meakins - Created hiera-eyaml plugin framework that made this possible
+
+### Contributors
+ - Walt Javins - Bug fixes

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/hiera-eyaml-gpg_ruby.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hiera/backend/eyaml/encryptors/gpg/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "hiera-eyaml-gpg_ruby"
+  gem.version       = Hiera::Backend::Eyaml::Encryptors::Gpg::VERSION
+  gem.description   = "GPG encryptor for use with hiera-eyaml, in pure Ruby"
+  gem.summary       = "Encryption plugin for hiera-eyaml backend for Hiera, in pure Ruby"
+  gem.author        = "Raphaël Pinson"
+  gem.license       = "MIT"
+
+  gem.homepage      = "http://github.com/raphink/hiera-eyaml-gpg_ruby"
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency('hiera-eyaml', '>=1.3.8')
+  gem.add_dependency('ruby_gpg', '>=0.3.0')
+end

data/lib/hiera/backend/eyaml/encryptors/gpg.rb

@@ -0,0 +1,177 @@
+require 'gpgme'
+require 'base64'
+require 'pathname'
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+
+        class Gpg < Encryptor
+
+          self.tag = "GPG"
+
+          self.options = {
+            :gnupghome => { :desc => "Location of your GNUPGHOME directory",
+                            :type => :string,
+                            :default => "#{ENV[["HOME", "HOMEPATH"].detect { |h| ENV[h] != nil }]}/.gnupg" },
+            :always_trust => { :desc => "Assume that used keys are fully trusted",
+                               :type => :boolean,
+                               :default => false },
+            :recipients => { :desc => "List of recipients (comma separated)",
+                             :type => :string },
+            :recipients_file => { :desc => "File containing a list of recipients (one on each line)",
+                             :type => :string }
+          }
+
+          @@passphrase_cache = Hash.new
+
+          def self.passfunc(hook, uid_hint, passphrase_info, prev_was_bad, fd)
+            begin
+                system('stty -echo')
+
+                unless @@passphrase_cache.has_key?(uid_hint)
+                  @@passphrase_cache[uid_hint] = ask("Enter passphrase for #{uid_hint}: ") { |q| q.echo = '' }
+                  $stderr.puts
+                end
+                passphrase = @@passphrase_cache[uid_hint]
+
+                io = IO.for_fd(fd, 'w')
+                io.puts(passphrase)
+                io.flush
+              ensure
+                (0 ... $_.length).each do |i| $_[i] = ?0 end if $_
+                  system('stty echo')
+              end
+          end
+
+          def self.find_recipients
+            recipient_option = self.option :recipients
+            recipients = if !recipient_option.nil?
+              debug("Using --recipients option")
+              recipient_option.split(",")
+            else
+              recipient_file_option = self.option :recipients_file
+              recipient_file = if !recipient_file_option.nil?
+                debug("Using --recipients-file option")
+                Pathname.new(recipient_file_option)
+              else
+                debug("Searching for any hiera-eyaml-gpg.recipients files in path")
+                # if we are editing a file, look for a hiera-eyaml-gpg.recipients file
+                filename = case Eyaml::Options[:source]
+                when :file
+                  Eyaml::Options[:file]
+                when :eyaml
+                  Eyaml::Options[:eyaml]
+                else
+                  nil
+                end
+
+                if filename.nil?
+                  nil
+                else
+                  path = Pathname.new(filename).realpath.dirname
+                  selected_file = nil
+                  path.descend{|path| path
+                    potential_file = path.join('hiera-eyaml-gpg.recipients')
+                    selected_file = potential_file if potential_file.exist? 
+                  }
+                  debug("Using file at #{selected_file}")
+                  selected_file
+                end
+              end
+
+              unless recipient_file.nil?
+                recipient_file.readlines.map{ |line| line.strip } 
+              else
+                []
+              end
+            end
+          end
+
+          def self.encrypt plaintext
+            gnupghome = self.option :gnupghome
+            GPGME::Engine.home_dir = gnupghome
+            debug("GNUPGHOME is #{gnupghome}")
+
+            ctx = GPGME::Ctx.new
+
+            recipients = self.find_recipients
+            debug("Recipents are #{recipients}")
+
+            raise RecoverableError, 'No recipients provided, don\'t know who to encrypt to' if recipients.empty?
+
+            keys = recipients.map {|r| 
+              key_to_use = ctx.keys(r).first 
+              if key_to_use.nil? 
+                raise RecoverableError, "No key found on keyring for #{r}"
+              end
+              key_to_use
+            }
+            debug("Keys: #{keys}")
+
+            always_trust = self.option(:always_trust)
+            unless always_trust
+              # check validity of recipients (this is possibly naive, but better than the unhelpful
+              # error that it would spit out otherwise)
+              keys.each do |key|
+                unless key.primary_uid.validity >= GPGME::VALIDITY_FULL
+                  raise RecoverableError, "Key #{key.sha} (#{key.email}) not trusted (if key trust is established by another means then specify always-trust)"
+                end
+              end
+            end
+
+            data = GPGME::Data.from_str(plaintext)
+            crypto = GPGME::Crypto.new(:always_trust => always_trust)
+
+            ciphertext = crypto.encrypt(data, :recipients => keys)
+            ciphertext.seek 0
+            ciphertext.read
+          end
+
+          def self.decrypt ciphertext
+            gnupghome = self.option :gnupghome
+            GPGME::Engine.home_dir = gnupghome
+            debug("GNUPGHOME is #{gnupghome}")
+
+            ctx = if hiera?
+              GPGME::Ctx.new
+            else
+              GPGME::Ctx.new(:passphrase_callback => method(:passfunc))
+            end
+
+            if !ctx.keys.empty?
+              raw = GPGME::Data.new(ciphertext)
+              txt = GPGME::Data.new
+
+              begin
+                txt = ctx.decrypt(raw)
+              rescue GPGME::Error::DecryptFailed => e
+                warn("Fatal: Failed to decrypt ciphertext (check settings and that you are a recipient)")
+                raise e
+              rescue Exception => e
+                warn("Warning: General exception decrypting GPG file")
+                raise e
+              end
+
+              txt.seek 0
+              txt.read
+            else
+              warn("No usable keys found in #{gnupghome}. Check :gpg_gnupghome value in hiera.yaml is correct")
+              raise ArgumentError, "No usable keys found in #{gnupghome}. Check :gpg_gnupghome value in hiera.yaml is correct"
+            end
+          end
+
+          def self.create_keys
+            STDERR.puts "The GPG encryptor does not support creation of keys, use the GPG command lines tools instead"
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/encryptors/gpg/eyaml_init.rb

@@ -0,0 +1,3 @@
+require 'hiera/backend/eyaml/encryptors/gpg'
+
+Hiera::Backend::Eyaml::Encryptors::Gpg.register

data/lib/hiera/backend/eyaml/encryptors/gpg/version.rb

@@ -0,0 +1,11 @@
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+        module Gpg
+          VERSION = "0.4"
+        end
+      end
+    end
+  end
+end

data/tools/regem.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+gem uninstall hiera-eyaml-gpg
+rake build
+gem install pkg/hiera-eyaml-gpg
+eyaml -v

metadata

@@ -0,0 +1,81 @@
+--- !ruby/object:Gem::Specification
+name: hiera-eyaml-gpg_ruby
+version: !ruby/object:Gem::Version
+  version: '0.4'
+platform: ruby
+authors:
+- Raphaël Pinson
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-02-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: hiera-eyaml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.8
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.3.8
+- !ruby/object:Gem::Dependency
+  name: ruby_gpg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+description: GPG encryptor for use with hiera-eyaml, in pure Ruby
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- hiera-eyaml-gpg_ruby.gemspec
+- lib/hiera/backend/eyaml/encryptors/gpg.rb
+- lib/hiera/backend/eyaml/encryptors/gpg/eyaml_init.rb
+- lib/hiera/backend/eyaml/encryptors/gpg/version.rb
+- tools/regem.sh
+homepage: http://github.com/raphink/hiera-eyaml-gpg_ruby
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: Encryption plugin for hiera-eyaml backend for Hiera, in pure Ruby
+test_files: []