hiera-eyaml 1.1.2 → 1.1.3

data/README.md

@@ -47,9 +47,9 @@ This creates a public and private key with default names in the default location
 
     To encrypt something, you only need the public_key, so distribute that to people creating hiera properties
 
-    $ eyaml -e text                   # Encrypt some text
+    $ eyaml -e filename               # Encrypt a file
+    $ eyaml -e -s text                # Encrypt some text
     $ eyaml -e -p                     # Encrypt a password (prompt for it)
-    $ eyaml -e -f filename            # Encrypt a file
 
 ### Decryption
 
@@ -57,8 +57,8 @@ This creates a public and private key with default names in the default location
 
     To test decryption you can also use the eyaml tool if you have both keys
 
-    $ eyaml -d SOME-ENCRYPTED-TEXT    # Decrypt some text
-    $ eyaml -d -f filename            # Decrypt a file (PEM format)
+    $ eyaml -d filename                  # Decrypt a file (PEM format)
+    $ eyaml -d -s SOME-ENCRYPTED-TEXT    # Decrypt some text
 
 Change the permissions so that the private key is only readable by the user that hiera (puppet) is
 running as.

data/bin/eyaml

@@ -5,8 +5,14 @@ require 'base64'
 require 'trollop'
 require 'highline/import'
 require 'hiera/backend/version'
+require 'tempfile'
 
-def ensureKeyDirExists(key_file)
+ENCRYPTED_BLOCK = />\n( *)ENC\[([a-zA-Z0-9+\/ \n]+)\]/
+ENCRYPTED_STRING = /ENC\[([a-zA-Z0-9+\/]+)\]/
+DECRYPTED_BLOCK = />\n( *)ENC!\[(.+)\]!ENC/
+DECRYPTED_STRING = /ENC!\[(.+)\]!ENC/
+
+def ensure_key_dir_exists(key_file)
   key_dir = File.dirname(key_file)
 
   if !File.directory?(key_dir)
@@ -15,6 +21,73 @@ def ensureKeyDirExists(key_file)
   end
 end
 
+def get_file_input(options)
+  if options[:file]
+    File.read options[:file]
+  else
+    STDIN.read
+  end
+end
+
+def get_input(options)
+  return options[:string] if options[:string]
+
+  if options[:password]
+    ask("Enter password: ") {|q| q.echo = "*" }
+  end
+
+  get_file_input(options)
+end
+
+def encrypt(public_key, plaintext)
+  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+  ciphertext_binary = OpenSSL::PKCS7::encrypt([public_key], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+  Base64.encode64(ciphertext_binary).strip
+end
+
+def decrypt(public_key, private_key, ciphertext)
+    ciphertext_decoded = Base64.decode64(ciphertext)
+    pkcs7 = OpenSSL::PKCS7.new( ciphertext_decoded )
+    pkcs7.decrypt(private_key, public_key)
+end
+
+def decrypt_eyaml(public_key, private_key, cipher_eyaml)
+  # decrypt blocks first
+  plain_block_eyaml = cipher_eyaml.gsub(ENCRYPTED_BLOCK) { |match|
+    indentation = $1
+    ciphertext = $2.gsub(/[ \n]/, '')
+    plaintext = decrypt(public_key, private_key, ciphertext)
+    ">\n"+indentation+"ENC![" + plaintext + "]!ENC"
+  }
+  # then decrypt strings
+  plain_block_eyaml.gsub(ENCRYPTED_STRING) { |match|
+    plaintext = decrypt(public_key, private_key, $1)
+    "ENC![" + plaintext + "]!ENC"
+  }
+end
+
+def encrypt_eyaml(public_key, plain_eyaml)
+  # encrypt blocks
+  cipher_block_eyaml = plain_eyaml.gsub(DECRYPTED_BLOCK) { |match|
+    indentation = $1
+    ciphertext = encrypt(public_key, $2).gsub(/\n/,"\n"+indentation)
+    ">\n" + indentation + "ENC[" + ciphertext + "]"
+  }
+  # encrypt strings
+  cipher_block_eyaml.gsub(DECRYPTED_STRING) { |match|
+    ciphertext = encrypt(public_key, $1).gsub(/\n/,'')
+    "ENC[" + ciphertext + "]"
+  }
+end
+
+def shred(file, clean_size)
+  [0xff, 0x55, 0xaa, 0x00].each do |byte|
+    file.seek(0, IO::SEEK_SET)
+    clean_size.times { file.print(byte.chr) }
+    file.fsync
+  end
+end
+
 options = Trollop::options do
     
   version "Hiera-eyaml version " + Hiera::Backend::Eyaml::VERSION.to_s
@@ -22,28 +95,33 @@ options = Trollop::options do
 Hiera-eyaml is a backend for Hiera which provides OpenSSL encryption/decryption for Hiera properties
 
 Usage:
-  eyaml [options] [string-to-encrypt]
+  eyaml [options] [file-to-encrypt]
   EOS
   
   opt :createkeys, "Create public and private keys for use encrypting properties", :short => 'c'
+  opt :encrypt, "Encrypt a string, password, file or stdin"
+  opt :decrypt, "Decrypt a string, file or stdin"
+  opt :eyaml, "Assume input is eyaml format"
+  opt :edit, "Edit an encrypted file inplace, implies --eyaml"
   opt :password, "Encrypt a password entered on the terminal", :short => 'p'
-  opt :file, "Encrypt a file instead of a string", :short => 'f', :type => :string 
-  opt :private_key, "Filename of the private_key", :type => :string
-  opt :public_key, "Filename of the public_key", :type => :string
-  opt :encrypt, "Encrypt something"
-  opt :decrypt, "Decrypt something"
+  opt :string, "Encrypt a string provided on the command line", :short => 's', :type => :string 
+  opt :private_key, "Filename of the private_key", :type => :string, :default => "/etc/hiera/keys/private_key.pem"
+  opt :public_key, "Filename of the public_key", :type => :string, :default => "/etc/hiera/keys/public_key.pem"
+  opt :output, "Output mode to use when encrypting (examples, block or string)", :type => :string, :default => "examples"
 end
 
-Trollop::die "You cannot specify --encrypt and --decrypt" if options[:encrypt] and options[:decrypt]
+main_option_count = 0
+main_option_count += 1 if options[:createkeys]
+main_option_count += 1 if options[:encrypt]
+main_option_count += 1 if options[:decrypt]
+main_option_count += 1 if options[:edit]
 
-# Defaults
-options[:private_key] ||= "/etc/hiera/keys/private_key.pem"
-options[:public_key] ||= "/etc/hiera/keys/public_key.pem"
-options[:string] = ARGV.join(' ')
+Trollop::die "You can only specify one main action" if main_option_count > 1
+Trollop::die "You cannot specify --password and --string" if options[:password] and options[:string]
 
-if options[:password]
-  password = ask("Enter password: ") {|q| q.echo = "*" }
-  options[:string] = password
+options[:file] = ARGV[0]
+if options[:file] and (options[:password] or options[:string])
+  $stderr.puts "WARN: file supplied but will be shadowed by string or password"
 end
 
 if options[:createkeys]
@@ -51,15 +129,15 @@ if options[:createkeys]
   # Try to do equivalent of:
   # openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
 
-  ensureKeyDirExists(options[:private_key])
-  ensureKeyDirExists(options[:public_key])
+  ensure_key_dir_exists(options[:private_key])
+  ensure_key_dir_exists(options[:public_key])
 
   key = OpenSSL::PKey::RSA.new(2048)
   open( options[:private_key], "w" ) do |io|
     io.write(key.to_pem)
   end
 
-  puts "#{options[:private_key]} created."
+  $stderr.puts "#{options[:private_key]} created."
 
   name = OpenSSL::X509::Name.parse("/")
   cert = OpenSSL::X509::Certificate.new()
@@ -85,68 +163,180 @@ if options[:createkeys]
   open( options[:public_key], "w" ) do |io|
     io.write(cert.to_pem)
   end
-  puts "#{options[:public_key]} created."
+  $stderr.puts "#{options[:public_key]} created."
   exit
 end
 
-if options[:encrypt]
+if options[:eyaml]
 
-  plaintext = nil
-  plaintext = options[:string] if options[:string]
-  plaintext = File.read( options[:file] ) if options[:file]
+  if options[:decrypt]
+    # prepare to decrypt blocks
+    private_key_pem = File.read( options[:private_key] )
+    private_key = OpenSSL::PKey::RSA.new( private_key_pem )
 
-  if plaintext.nil?
-    puts "Specify a string or --file to encrypt something. See --help for more usage instructions."
+    public_key_pem = File.read( options[:public_key] )
+    public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+
+    eyaml = get_file_input options
+    plain_eyaml = decrypt_eyaml(public_key, private_key, eyaml)
+
+    puts plain_eyaml
     exit
   end
 
-  public_key_pem = File.read( options[:public_key] )
-  public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+  if options[:encrypt]
+    # prepare to encrypt blocks
+    public_key_pem = File.read( options[:public_key] )
+    public_key = OpenSSL::X509::Certificate.new( public_key_pem )
 
-  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
-  ciphertext_binary = OpenSSL::PKCS7::encrypt([public_key], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
-  ciphertext_as_block = Base64.encode64(ciphertext_binary).strip
-  ciphertext_as_string = ciphertext_as_block.split("\n").join('')
+    eyaml = get_file_input options
+    cipher_eyaml = encrypt_yaml(public_key, eyaml)
+    
+    puts eyaml
+    exit
+  end
 
-  puts "string: ENC[#{ciphertext_as_string}]\n\nOR\n\n"
-  puts "block: >"
-  puts "    ENC[" + ciphertext_as_block.gsub(/\n/, "\n    ") + "]"
-  exit
+else
 
-end
+  if options[:encrypt]
+    plaintext = get_input options
 
-if options[:decrypt]
+    if plaintext.nil? or plaintext.length == 0
+      $stderr.puts "Specify a string or --file to encrypt something. See --help for more usage instructions."
+      exit
+    end
 
-  ciphertext = nil
-  ciphertext = options[:string] if options[:string]
-  ciphertext = File.read( options[:file] ) if options[:file]
+    public_key_pem = File.read( options[:public_key] )
+    public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+    
+    ciphertext_as_block = encrypt(public_key, plaintext)
+    ciphertext_as_string = ciphertext_as_block.split("\n").join('')
+
+    case options[:output]
+    when "examples"
+      puts "string: ENC[#{ciphertext_as_string}]\n\nOR\n\n"
+      puts "block: >"
+      puts "    ENC[" + ciphertext_as_block.gsub(/\n/, "\n    ") + "]"
+    when "block"
+      puts "ENC[" + ciphertext_as_block + "]"
+    when "string"
+      puts "ENC[#{ciphertext_as_string}]"
+    else
+      $stderr.puts "Unknown output option: " + options[:output]
+      exit 1
+    end
+    exit
 
-  if ciphertext.start_with? "ENC["
+  end
 
-    ciphertext = ciphertext[4..-2]
-    ciphertext_decoded = Base64.decode64(ciphertext)
+  if options[:decrypt]
 
-    if ciphertext.nil?
-      puts "Specify a string or --file to decrypt something. See --help for more usage instructions."
-      exit
+    ciphertext = get_input options
+    if ciphertext.nil? or ciphertext.length == 0
+      $stderr.puts "Specify a string or --file to decrypt something. See --help for more usage instructions."
+      exit 1
     end
 
-    private_key_pem = File.read( options[:private_key] )
-    private_key = OpenSSL::PKey::RSA.new( private_key_pem )
+    if ciphertext.start_with? "ENC["
 
-    public_key_pem = File.read( options[:public_key] )
-    public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+      ciphertext = ciphertext[4..-2]
 
-    pkcs7 = OpenSSL::PKCS7.new( ciphertext_decoded )
+      private_key_pem = File.read( options[:private_key] )
+      private_key = OpenSSL::PKey::RSA.new( private_key_pem )
+
+      public_key_pem = File.read( options[:public_key] )
+      public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+
+      plaintext = decrypt(public_key, private_key, ciphertext)
+      puts "#{plaintext}"
+      exit
+
+    else
+
+      $stderr.puts "Ciphertext is not an eyaml encrypted string (Does not start with ENC[...])"
+      exit 1
+
+    end
 
-    plaintext = pkcs7.decrypt(private_key, public_key)
-    puts "#{plaintext}"
     exit
 
-  else
+  end
+end
+
 
-    puts "Ciphertext is not an eyaml encrypted string (Does not start with ENC[...])"
+if options[:edit]
+  $stderr.puts "Launching edit mode"
+  # prepare to edit blocks
+  private_key_pem = File.read( options[:private_key] )
+  private_key = OpenSSL::PKey::RSA.new( private_key_pem )
 
+  public_key_pem = File.read( options[:public_key] )
+  public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+
+  original_eyaml = File.read( options[:file] )
+  original_size = original_eyaml.length
+  plain_eyaml = decrypt_eyaml(public_key, private_key, original_eyaml)
+
+  # write temp file
+  plain_file = Tempfile.open('eyaml_edit')
+  plain_file.puts plain_eyaml
+  plain_file.flush
+
+  # open editor
+  $editor = ENV['EDITOR']
+  if $editor == nil
+    %w{/usr/bin/sensible-editor /usr/bin/editor /usr/bin/vim /usr/bin/vi}.each do |editor|
+      if FileTest.executable?(editor)
+        $editor = editor
+        break
+      end
+    end
   end
+  $stderr.puts "Opening decrypted file for editing in " + $editor
+  system($editor, plain_file.path)
+  status = $?
 
-end
+  throw "Process has not exited!?" unless status.exited?
+
+  unless status.exitstatus == 0
+    $syserr.puts "Editor did not exit successfully (exit code #{status.exitstatus}), aborting"
+    exit 1
+  end
+
+  # some editors do not write new content in place, but instead
+  # make a new file and more it in the old file's place.
+  begin
+    reopened_plain_file = File.open(plain_file.path, "r+")
+  rescue Exception => e
+    STDERR.puts e
+    exit 1
+  end
+  new_eyaml = reopened_plain_file.read
+  
+  # make sure nothing is left on disk
+  new_size = new_eyaml.length
+  old_size = plain_eyaml.length
+  clear_size = (new_size > old_size) ? new_size : old_size
+  shred(plain_file, clear_size)
+  plain_file.close true
+  shred(reopened_plain_file, clear_size)
+  reopened_plain_file.close
+
+  if new_eyaml.length == 0
+    $stderr.puts "Replacement content is empty, aborting"
+    exit 1
+  end
+
+  if (new_eyaml == plain_eyaml)
+    $stderr.puts "No changes made, aborting"
+    exit 1
+  end
+
+  # re-encrypt the file again, currently we re-encrypt indiscriminately
+  cipher_eyaml = encrypt_eyaml(public_key, new_eyaml)
+
+  File.open(options[:file], 'w') { |file| 
+    file.write(cipher_eyaml)
+  }
+  exit
+end

data/lib/hiera/backend/version.rb

@@ -1,7 +1,7 @@
 module Hiera
   module Backend
     module Eyaml
-      VERSION = "1.1.2"
+      VERSION = "1.1.3"
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hiera-eyaml
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.1.3
   prerelease: 
 platform: ruby
 authors: