hiera-eyaml 1.1.4 → 1.3.1

data/features/step_definitions/environment_overrides.rb

@@ -0,0 +1,3 @@
+Given /^my EDITOR is set to \"(.*?)\"$/ do |editor_command|
+  ENV['EDITOR'] = editor_command
+end

data/features/support/env.rb

@@ -0,0 +1,26 @@
+ENV['RUBYLIB'] = File.dirname(__FILE__) + '/../../lib'
+require 'rubygems'
+require 'aruba/config'
+require 'aruba/cucumber'
+require 'fileutils'
+require 'rspec/expectations'
+
+test_files = {}
+Dir["features/sandbox/**/*"].each do |file_name|
+  next unless File.file? file_name
+  read_mode = "r"
+  read_mode = "rb" if file_name =~ /\.bin$/
+  file = File.open(file_name, "r")
+  file_contents = file.read
+  file.close
+  file_name = file_name.slice(17, file_name.length)
+  test_files[file_name] = file_contents
+end
+
+# ENV['EDITOR']="/bin/cat"
+
+Aruba.configure do |config|
+  config.before_cmd do |cmd|
+    SetupSandbox.create_files test_files
+  end
+end

data/features/support/setup_sandbox.rb

@@ -0,0 +1,21 @@
+require 'fileutils'
+
+class SetupSandbox
+
+  def self.create_files test_files
+
+    test_files.each do |test_file, contents|
+      extension = test_file.split('.').last
+      target_dir = File.dirname(test_file)
+      FileUtils.mkdir_p( target_dir ) unless Dir.exists?( target_dir )
+      write_mode = "w"
+      write_mode = "wb" if extension == "bin"
+      File.open(test_file, write_mode) {|input_file|
+        input_file.puts contents
+      } unless File.exists?( test_file )
+      File.chmod(0755, test_file) if extension == "sh"
+    end
+
+  end
+
+end

data/features/valid_encryption.feature

@@ -0,0 +1,12 @@
+Feature: eyaml encrypting is valid
+
+  Scenario: encrypt and decrypt a binary file
+    When I run `bash -c "eyaml -e -o string -f test_input.bin > test_output.txt"`
+    When I run `bash -c "eyaml -d -f test_output.txt > test_output.bin"`
+    When I run `file test_output.bin`
+    Then the output should match /PNG image data/
+
+  Scenario: encrypt and decrypt a simple file
+    When I run `bash -c "eyaml -e -o string -f test_input.txt > test_output.txt"`
+    When I run `eyaml -d -f test_output.txt`
+    Then the output should match /fox jumped over/

data/hiera-eyaml.gemspec

@@ -1,7 +1,7 @@
 # -*- encoding: utf-8 -*-
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'hiera/backend/version'
+require 'hiera/backend/eyaml'
 
 Gem::Specification.new do |gem|
   gem.name          = "hiera-eyaml"

data/lib/hiera/backend/eyaml.rb

@@ -0,0 +1,19 @@
+class Hiera
+  module Backend
+    module Eyaml
+
+      VERSION = "1.3.1"
+
+      def self.default_encryption_scheme= new_encryption
+        @@default_encryption_scheme = new_encryption
+      end
+
+      def self.default_encryption_scheme
+        @@default_encryption_scheme ||= "PKCS7"
+        @@default_encryption_scheme
+      end
+
+    end
+  end
+end
+

data/lib/hiera/backend/eyaml/CLI.rb

@@ -0,0 +1,110 @@
+require 'trollop'
+require 'hiera/backend/eyaml'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/actions/createkeys_action'
+require 'hiera/backend/eyaml/actions/decrypt_action'
+require 'hiera/backend/eyaml/actions/encrypt_action'
+require 'hiera/backend/eyaml/actions/edit_action'
+require 'hiera/backend/eyaml/plugins'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      class CLI
+
+        def self.parse
+
+          options = Trollop::options do
+              
+            version "Hiera-eyaml version " + Hiera::Backend::Eyaml::VERSION.to_s
+            banner <<-EOS
+Hiera-eyaml is a backend for Hiera which provides OpenSSL encryption/decryption for Hiera properties
+
+Usage:
+  eyaml [options] 
+  eyaml -i file.eyaml       # edit a file
+  eyaml -e -s some-string   # encrypt a string
+  eyaml -e -p               # encrypt a password 
+  eyaml -e -f file.txt      # encrypt a file
+  cat file.txt | eyaml -e   # encrypt a file on a pipe
+
+Options:  
+  EOS
+          
+            opt :createkeys, "Create public and private keys for use encrypting properties", :short => 'c'
+            opt :decrypt, "Decrypt something"
+            opt :encrypt, "Encrypt something"
+            opt :edit, "Decrypt, Edit, and Reencrypt", :type => :string
+            opt :eyaml, "Source input is an eyaml file", :type => :string
+            opt :password, "Source input is a password entered on the terminal", :short => 'p'
+            opt :string, "Source input is a string provided as an argument", :short => 's', :type => :string
+            opt :file, "Source input is a file", :short => 'f', :type => :string
+            opt :stdin, "Source input it taken from stdin", :short => 'z'
+            opt :encrypt_method, "Override default encryption and decryption method (default is PKCS7)", :short => 'n', :default => "pkcs7"
+            opt :output, "Output format of final result (examples, block, string)", :type => :string, :default => "examples"
+
+            Hiera::Backend::Eyaml::Plugins.options.each do |name, option|
+              opt name, option[:desc], :type => option[:type], :short => option[:short], :default => option[:default]
+            end
+
+          end
+
+          actions = [:createkeys, :decrypt, :encrypt, :edit].collect {|x| x if options[x]}.compact
+          sources = [:edit, :eyaml, :password, :string, :file, :stdin].collect {|x| x if options[x]}.compact
+          # sources << :stdin if STDIN
+
+          Trollop::die "You can only specify one of (#{actions.join(', ')})" if actions.count > 1
+          Trollop::die "You can only specify one of (#{sources.join(', ')})" if sources.count > 1
+          Trollop::die "Creating keys does not require a source to encrypt/decrypt" if actions.first == :createkeys and sources.count > 0
+
+          options[:source] = sources.first
+          options[:action] = actions.first
+          options[:source] = :not_applicable if options[:action] == :createkeys
+
+          Trollop::die "Nothing to do" if options[:source].nil? or options[:action].nil?
+
+          options[:input_data] = case options[:source]
+          when :stdin
+            STDIN.read
+          when :password
+            Utils.read_password
+          when :string
+            options[:string]
+          when :file
+            File.read options[:file]
+          when :eyaml
+            File.read options[:eyaml]
+          when :stdin
+            STDIN.read
+          else
+            if options[:edit]
+              options[:eyaml] = options[:edit]
+              options[:source] = :eyaml
+              File.read options[:edit] 
+            else
+              nil
+            end
+          end
+
+          Eyaml.default_encryption_scheme = options[:encrypt_method].upcase if options[:encrypt_method]
+          Eyaml::Options.set options
+
+        end
+
+        def self.execute
+
+          action = Eyaml::Options[:action]
+          action_class = Module.const_get('Hiera').const_get('Backend').const_get('Eyaml').const_get('Actions').const_get("#{Utils.camelcase action.to_s}Action")
+
+          puts action_class.execute
+
+        end          
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hiera/backend/eyaml/actions/createkeys_action.rb

@@ -0,0 +1,24 @@
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Actions
+
+        class CreatekeysAction
+
+          def self.execute
+
+            encryptor = Encryptor.find Eyaml.default_encryption_scheme
+            encryptor.create_keys
+            nil
+
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/actions/decrypt_action.rb

@@ -0,0 +1,67 @@
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Actions
+
+        class DecryptAction
+
+          REGEX_ENCRYPTED_BLOCK = />\n(\s*)ENC\[(\w+,)?([a-zA-Z0-9\+\/ =\n]+)\]/
+          REGEX_ENCRYPTED_STRING = /ENC\[(\w+,)?([a-zA-Z0-9\+\/=]+)\]/
+
+          def self.execute 
+
+            output_data = case Eyaml::Options[:source]
+            when :eyaml
+              encryptions = []
+
+              # blocks
+              output = Eyaml::Options[:input_data].gsub( REGEX_ENCRYPTED_BLOCK ) { |match|
+                indentation = $1
+                encryption_scheme = parse_encryption_scheme( $2 )
+                decryptor = Encryptor.find encryption_scheme
+                ciphertext = $3.gsub(/[ \n]/, '')
+                plaintext = decryptor.decrypt( decryptor.decode ciphertext )
+                ">\n" + indentation + "DEC::#{decryptor.tag}[" + plaintext + "]!"
+              }
+
+              # strings
+              output.gsub!( REGEX_ENCRYPTED_STRING ) { |match|
+                encryption_scheme = parse_encryption_scheme( $1 )
+                decryptor = Encryptor.find encryption_scheme
+
+                plaintext = decryptor.decrypt( decryptor.decode $2 )
+                "DEC::#{decryptor.tag}[" + plaintext + "]!"
+              }
+
+              output
+            else
+
+              output = Eyaml::Options[:input_data].gsub( REGEX_ENCRYPTED_STRING ) { |match|
+                encryption_scheme = parse_encryption_scheme( $1 )
+                decryptor = Encryptor.find encryption_scheme
+                decryptor.decrypt( decryptor.decode $2 )
+              } 
+
+              output
+            end
+
+            output_data
+
+          end
+
+          protected
+
+            def self.parse_encryption_scheme regex_result
+              regex_result = Eyaml.default_encryption_scheme + "," if regex_result.nil?
+              regex_result.split(",").first
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/actions/edit_action.rb

@@ -0,0 +1,47 @@
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/actions/decrypt_action'
+require 'hiera/backend/eyaml/actions/encrypt_action'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Actions
+  
+        class EditAction
+
+          def self.execute 
+  
+            decrypted_input = DecryptAction.execute 
+            decrypted_file = Utils.write_tempfile decrypted_input
+            editor = Utils.find_editor
+            system editor, decrypted_file
+            status = $?
+            raise StandardError, "Editor #{editor} has not exited?" unless status.exited?
+            raise StandardError, "Editor did not exit successfully (exit code #{status.exitstatus}), aborting" unless status.exitstatus  #TODO: The file is left on the disk
+            raise StandardError, "File was moved by editor" unless File.file? decrypted_file
+
+            edited_file = File.read decrypted_file
+            Utils.secure_file_delete :file => decrypted_file, :num_bytes => [edited_file.length, decrypted_input.length].max
+            raise StandardError, "Edited file is blank" if edited_file.empty?
+            raise StandardError, "No changes" if edited_file == decrypted_input
+
+            Eyaml::Options[:input_data] = edited_file
+            Eyaml::Options[:output] = "raw"
+
+            encrypted_output = EncryptAction.execute
+
+            filename = Eyaml::Options[:eyaml]
+            File.open("#{filename}", 'w') { |file| 
+              file.write encrypted_output
+            }
+
+            true
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/actions/encrypt_action.rb

@@ -0,0 +1,80 @@
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Actions
+
+        class EncryptAction
+
+          REGEX_DECRYPTED_BLOCK = />\n(\s*)DEC(::\w+)?\[(.+)\]\!/
+          REGEX_DECRYPTED_STRING = /DEC(::\w+)?\[(.+)\]\!/
+
+          def self.execute 
+
+            output_data = case Eyaml::Options[:source]
+            when :eyaml
+              encryptions = []
+
+              # blocks
+              output = Eyaml::Options[:input_data].gsub( REGEX_DECRYPTED_BLOCK ) { |match|
+                indentation = $1
+                encryption_scheme = parse_encryption_scheme( $2 )
+                encryptor = Encryptor.find encryption_scheme
+                ciphertext = encryptor.encode( encryptor.encrypt($3) ).gsub(/\n/, "\n" + indentation)
+                ">\n" + indentation + "ENC[#{encryptor.tag},#{ciphertext}]"
+              }
+
+              # strings
+              output.gsub!( REGEX_DECRYPTED_STRING ) { |match|
+                encryption_scheme = parse_encryption_scheme( $1 )
+                encryptor = Encryptor.find encryption_scheme
+                ciphertext = encryptor.encode( encryptor.encrypt($2) ).gsub(/\n/, "")
+                "ENC[#{encryptor.tag},#{ciphertext}]"
+              }
+
+            else
+              encryptor = Encryptor.find
+              ciphertext = encryptor.encode( encryptor.encrypt(Eyaml::Options[:input_data]) )
+              "ENC[#{encryptor.tag},#{ciphertext}]"
+            end
+
+            self.format :data => output_data, :structure => Eyaml::Options[:output]
+
+          end
+
+          protected
+
+            def self.parse_encryption_scheme regex_result
+              regex_result = "::" + Eyaml.default_encryption_scheme if regex_result.nil?
+              regex_result.split("::").last
+            end
+
+            def self.format args
+              data = args[:data]
+              data_as_block = data.split("\n").join("\n    ")
+              data_as_string = data.split("\n").join("")
+              structure = args[:structure]
+
+              case structure
+              when "examples"
+                "string: #{data_as_string}\n\n" +
+                "OR\n\n" +
+                "block: >\n" +
+                "    #{data_as_block}" 
+              when "block"
+                "    #{data_as_block}" 
+              when "string"
+                "#{data_as_string}"
+              else
+                data.to_s
+              end
+
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/encryptor.rb

@@ -0,0 +1,71 @@
+require 'base64'
+
+class Hiera
+  module Backend
+    module Eyaml
+
+      class Encryptor
+
+        class << self
+          attr_accessor :options
+          attr_accessor :tag
+        end
+
+        def self.find encryption_scheme = nil
+          encryption_scheme = Eyaml.default_encryption_scheme if encryption_scheme.nil?
+          require "hiera/backend/eyaml/encryptors/#{encryption_scheme.downcase}"          
+          encryptor_module = Module.const_get('Hiera').const_get('Backend').const_get('Eyaml').const_get('Encryptors')
+          encryptor_class = self.find_closest_class :parent_class => encryptor_module, :class_name => encryption_scheme
+          raise StandardError, "Could not find hiera-eyaml encryptor: #{encryption_scheme}. Try gem install hiera-eyaml-#{encryption_scheme.downcase} ?" if encryptor_class.nil?
+          encryptor_class
+        end
+
+        def self.encode binary_string
+          Base64.encode64(binary_string).strip  
+        end
+
+        def self.decode string
+          Base64.decode64(string)
+        end
+
+        def self.encrypt *args 
+          raise StandardError, "encrypt() not defined for encryptor plugin: #{self}"
+        end
+
+        def self.decrypt *args
+          raise StandardError, "decrypt() not defined for decryptor plugin: #{self}"
+        end
+
+        protected
+
+          def self.register
+            plugin_classname = self.to_s.split("::").last.downcase
+            Hiera::Backend::Eyaml::Plugins.register_options :options => self.options, :plugin => plugin_classname
+          end
+
+          def self.option name
+            plugin_classname = self.to_s.split("::").last.downcase
+            Eyaml::Options[ "#{plugin_classname}_#{name}" ] || self.options[ "#{plugin_classname}_#{name}" ]
+          end
+
+          def self.find_closest_class args
+            parent_class = args[ :parent_class ]
+            class_name = args[ :class_name ]
+            constants = parent_class.constants
+            candidates = []
+            constants.each do | candidate |
+              candidates << candidate.to_s if candidate.to_s.downcase == class_name.downcase
+            end
+            if candidates.count > 0
+              parent_class.const_get candidates.first
+            else
+              nil
+            end
+          end
+
+      end
+
+    end
+  end
+end
+