hiera-eyaml-kms 0.1

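--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+ ---
+ SHA1:
+ metadata.gz: 7e602a14226ec30ad5947431c5fa08a7a4e9d06a
+ data.tar.gz: f61d036c16aa49f5a552c46a5902744729f879b2
+ SHA512:
+ metadata.gz: 5f549ed5e034e0e06364d2b4c8c3726e57de862ba42340db1e192399532af4bedca17b8cddbaaed21f7bb46d496068ee73a8f4c88b435f4733d1efb3ef224ce0
+ data.tar.gz: 298684abfb1078b1b0fb851b31facbb37c51b754ca11816475875f15d73a160d3a90fbce8c4193fa3db231dff2097fee915dfa6aee54f9944ea824ef0ab6b5c2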
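--- a/data/.gitignore
+++ b/data/.gitignore
@@ -0,0 +1,9 @@
+ .idea
+ *.iml
+ *.gradle
+ keys/*.pem
+ pkg/
+ tmp/
+ .DS_Store
+ .ruby-version
+ hiera-eyaml-kms-*.gem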
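--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,7 @@
+ source 'https://rubygems.org/'
+
+ gem 'aws-sdk', '~> 2'
+
+ group :development do
+ gem "aruba"
+ end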
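Review bot: `gem 'aws-sdk', '~> 2'` is declared here, but the Gemfile.lock shipped alongside it lists only `aruba` under DEPENDENCIES, so the lock does not pin the SDK that performs the KMS calls. Regenerate the lock after adding the entry, or replace the explicit entry with a `gemspec` line once the gemspec declares its runtime dependencies, so that the SDK version constraint lives in one place.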
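--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -0,0 +1,30 @@
+ GEM
+ remote: https://rubygems.org/
+ specs:
+ aruba (0.5.3)
+ childprocess (>= 0.3.6)
+ cucumber (>= 1.1.1)
+ rspec-expectations (>= 2.7.0)
+ builder (3.2.2)
+ childprocess (0.3.9)
+ ffi (~> 1.0, >= 1.0.11)
+ cucumber (1.3.10)
+ builder (>= 2.1.2)
+ diff-lcs (>= 1.1.3)
+ gherkin (~> 2.12)
+ multi_json (>= 1.7.5, < 2.0)
+ multi_test (>= 0.0.2)
+ diff-lcs (1.2.5)
+ ffi (1.9.3)
+ gherkin (2.12.2)
+ multi_json (~> 1.3)
+ multi_json (1.8.2)
+ multi_test (0.0.2)
+ rspec-expectations (2.14.4)
+ diff-lcs (>= 1.1.3, < 2.0)
+
+ PLATFORMS
+ ruby
+
+ DEPENDENCIES
+ aruba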
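--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,21 @@
+
+ The MIT License (MIT)
+
+ Copyright (c) 2015 Allan Denot
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy of
+ this software and associated documentation files (the "Software"), to deal in
+ the Software without restriction, including without limitation the rights to
+ use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ the Software, and to permit persons to whom the Software is furnished to do so,
+ subject to the following conditions:
+
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.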
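--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,63 @@
+ hiera-eyaml-kms
+ ===============
+
+ This is a plugin encryptor for the hiera-eyaml project (hosted https://github.com/TomPoulton/hiera-eyaml/).
+
+ *hiera-eyaml-kms encrypts and decrypts Hiera data using AWS KMS.*
+
+ AWS KMS is a service that encrypts and decrypts data through API calls. Permissions are controlled by IAM. [Read more about AWS KMS](http://docs.aws.amazon.com/kms/latest/developerguide/overview.html).
+
+ Using KMS avoids having to expose private keys to decrypt information when running Puppet.
+
+ Requirements
+ ------------
+
+ Since this is a plugin for hiera-eyaml, you need to install it first:
+
+ ```
+ $ gem install hiera-eyaml
+ ```
+
+ You might need to install the aws-sdk for ruby, with the command:
+
+ ```
+ $ gem install aws-sdk
+ ```
+
+ This plugin uses aws-sdk version 2.
+
+ Installation
+ ------------
+
+ ```
+ $ gem install hiera-eyaml-kms
+ ```
+
+ Then see [hiera-eyaml documentation](https://github.com/TomPoulton/hiera-eyaml) for how to use the eyaml tool to encrypt and use the 'KMS' encryption_type for values to be encrypted with this plugin.
+
+ Configuration
+ -------------
+
+ This plugin adds 2 options to hiera-eyaml:
+
+ ```
+ --kms-key-id=<s> KMS Key ID (default: )
+ --kms-aws-region=<s> AWS Region (default: ap-southeast-2)
+ ```
+
+ To avoid passing CLI parameters every call to eyaml, you can create a config file to set the defaults.
+
+ Config files will be read first from `/etc/eyaml/config.yaml`, then from `~/.eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable.
+
+ Example:
+
+ ```yaml
+ ---
+ kms_key_id: '00000000-0000-0000-0000-000000000000'
+ kms_aws_region: 'us-west-1'
+ ```
+
+ Authors
+ =======
+
+ - [Allan Denot](http://github.com/adenot)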
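--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1 @@
+ require "bundler/gem_tasks"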
@@ -0,0 +1,19 @@
1
+ # -*- encoding: utf-8 -*-
2
+ lib = File.expand_path('../lib', __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require 'hiera/backend/eyaml/encryptors/kms'
5
+
6
+ Gem::Specification.new do |gem|
7
+ gem.name = "hiera-eyaml-kms"
8
+ gem.version = Hiera::Backend::Eyaml::Encryptors::Kms::VERSION
9
+ gem.description = "AWS KMS encryptor for use with hiera-eyaml"
10
+ gem.summary = "Encryption plugin for hiera-eyaml backend for Hiera"
11
+ gem.author = "Allan Denot"
12
+ gem.license = "MIT"
13
+
14
+ gem.homepage = "http://github.com/adenot/hiera-eyaml-kms"
15
+ gem.files = `git ls-files`.split($/)
16
+ gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
17
+ gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
18
+ gem.require_paths = ["lib"]
19
+ end
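Review bot: The specification declares no runtime dependencies, although the encryptor it packages requires both `aws-sdk` and the hiera-eyaml classes; the built gem's metadata on this page confirms `dependencies: []`. Add `gem.add_runtime_dependency 'aws-sdk', '~> 2'` and `gem.add_runtime_dependency 'hiera-eyaml'` so that installing the plugin resolves a constrained SDK version instead of relying on a manual `gem install aws-sdk`, which installs whatever release is current rather than the version 2 line the README names. The gemspec also loads `hiera/backend/eyaml/encryptors/kms` only to read `VERSION`, which pulls the SDK in at build time; keeping the version constant in a file of its own would avoid that.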
@@ -0,0 +1,65 @@
1
+ require 'openssl'
2
+ require 'hiera/backend/eyaml/encryptor'
3
+ require 'hiera/backend/eyaml/utils'
4
+ require 'hiera/backend/eyaml/options'
5
+ require 'aws-sdk'
6
+
7
+ class Hiera
8
+ module Backend
9
+ module Eyaml
10
+ module Encryptors
11
+
12
+ class Kms < Encryptor
13
+
14
+ self.options = {
15
+ :key_id => { :desc => "KMS Key ID",
16
+ :type => :string,
17
+ :default => "" },
18
+ :aws_region => { :desc => "AWS Region",
19
+ :type => :string,
20
+ :default => "ap-southeast-2" }
21
+ }
22
+
23
+ VERSION = "0.1"
24
+ self.tag = "KMS"
25
+
26
+ def self.encrypt plaintext
27
+ aws_region = self.option :aws_region
28
+ key_id = self.option :key_id
29
+ raise StandardError, "key_id is not defined" unless key_id
30
+
31
+ @kms = ::Aws::KMS::Client.new(
32
+ region: aws_region
33
+ )
34
+
35
+ resp = @kms.encrypt({
36
+ key_id: key_id,
37
+ plaintext: plaintext
38
+ })
39
+
40
+ resp.ciphertext_blob
41
+ end
42
+
43
+ def self.decrypt ciphertext
44
+ aws_region = self.option :aws_region
45
+
46
+ @kms = ::Aws::KMS::Client.new(
47
+ region: aws_region
48
+ )
49
+
50
+ resp = @kms.decrypt({
51
+ ciphertext_blob: ciphertext
52
+ })
53
+
54
+ resp.plaintext
55
+ end
56
+
57
+ end
58
+
59
+ end
60
+
61
+ end
62
+
63
+ end
64
+
65
+ end
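Review bot: The guard `raise StandardError, "key_id is not defined" unless key_id` in `self.encrypt` never fires for the declared default, because `:default => ""` is an empty string and an empty string is truthy in Ruby; an unset key id is passed on to KMS and the failure surfaces as an SDK error instead. Use `raise StandardError, "key_id is not defined" if key_id.nil? || key_id.empty?`. Neither call passes an `encryption_context`, so a ciphertext is not bound to the Hiera key or environment it was created for, and `self.decrypt` returns the plaintext of any blob the calling IAM principal is permitted to decrypt; consider an option for the context and scope the principal's `kms:Decrypt` permission to the intended key. Both methods also build a new `Aws::KMS::Client` on every call and keep it in the class-level `@kms`; a client memoised per region would be simpler and avoids repeated setup.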
@@ -0,0 +1,3 @@
1
+ require 'hiera/backend/eyaml/encryptors/kms'
2
+
3
+ Hiera::Backend::Eyaml::Encryptors::Kms.register
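--- a/data/tools/regem.sh
+++ b/data/tools/regem.sh
@@ -0,0 +1,17 @@
+ #!/bin/bash
+
+ set -e
+
+ GEM_NAME="hiera-eyaml-kms"
+
+ gem uninstall ${GEM_NAME} --executables
+ RAKE_OUT=`rake build`
+ VERSION=`echo ${RAKE_OUT} | awk '{print $2}'`
+ echo Installing version: ${VERSION} ...
+ gem install pkg/${GEM_NAME}-${VERSION}.gem --no-ri --no-rdoc
+
+ if [ ! -z "$(which eyaml)" ];then
+ eyaml version
+ else
+ echo "install hiera-eyaml to see if gem imports correctly"
+ fi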
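Review bot: `VERSION` is taken from the second word of the `rake build` output and then expanded unquoted in `gem install pkg/${GEM_NAME}-${VERSION}.gem`, so a change in that output format leaves the script installing a file name with an empty or wrong version. Check the parse before use, for example `[ -n "${VERSION}" ] || { echo "could not parse version" >&2; exit 1; }`, and quote the expansions. Under `set -e` the initial `gem uninstall` may stop the script when the gem is not installed yet, which is worth confirming, and `command -v eyaml` is a more portable presence test than `which`.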
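--- a/metadata
+++ b/metadata
@@ -0,0 +1,53 @@
+ --- !ruby/object:Gem::Specification
+ name: hiera-eyaml-kms
+ version: !ruby/object:Gem::Version
+ version: '0.1'
+ platform: ruby
+ authors:
+ - Allan Denot
+ autorequire:
+ bindir: bin
+ cert_chain: []
+ date: 2015-08-26 00:00:00.000000000 Z
+ dependencies: []
+ description: AWS KMS encryptor for use with hiera-eyaml
+ email:
+ executables: []
+ extensions: []
+ extra_rdoc_files: []
+ files:
+ - .gitignore
+ - Gemfile
+ - Gemfile.lock
+ - LICENSE.txt
+ - README.md
+ - Rakefile
+ - hiera-eyaml-kms.gemspec
+ - lib/hiera/backend/eyaml/encryptors/kms.rb
+ - lib/hiera/backend/eyaml/encryptors/kms/eyaml_init.rb
+ - tools/regem.sh
+ homepage: http://github.com/adenot/hiera-eyaml-kms
+ licenses:
+ - MIT
+ metadata: {}
+ post_install_message:
+ rdoc_options: []
+ require_paths:
+ - lib
+ required_ruby_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ required_rubygems_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - '>='
+ - !ruby/object:Gem::Version
+ version: '0'
+ requirements: []
+ rubyforge_project:
+ rubygems_version: 2.0.14
+ signing_key:
+ specification_version: 4
+ summary: Encryption plugin for hiera-eyaml backend for Hiera
+ test_files: []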