hiera-eyaml 1.1.4 → 1.3.1

data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb

@@ -0,0 +1,99 @@
+require 'openssl'
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/options'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Encryptors
+
+        class Pkcs7 < Encryptor
+
+          self.options = {
+            :private_key => { :desc => "Private key directory", 
+                              :type => :string, 
+                              :default => "./keys/private_key.pkcs7.pem" },
+            :public_key => { :desc => "Public key directory",  
+                             :type => :string, 
+                             :default => "./keys/public_key.pkcs7.pem" }
+          }
+
+          self.tag = "PKCS7"
+
+          def self.encrypt plaintext
+
+            public_key = self.option :public_key
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key
+
+            public_key_pem = File.read public_key 
+            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
+
+            cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+            OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+            
+          end
+
+          def self.decrypt ciphertext
+
+            public_key = self.option :public_key
+            private_key = self.option :private_key
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key
+            raise StandardError, "pkcs7_private_key is not defined" unless private_key
+
+            private_key_pem = File.read private_key
+            private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
+
+            public_key_pem = File.read public_key
+            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
+
+            pkcs7 = OpenSSL::PKCS7.new( ciphertext )
+            pkcs7.decrypt(private_key_rsa, public_key_x509)
+
+          end
+
+          def self.create_keys
+
+            # Try to do equivalent of:
+            # openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
+
+            public_key = self.option :public_key
+            private_key = self.option :private_key
+
+            key = OpenSSL::PKey::RSA.new(2048)
+            Utils.write_important_file :filename => private_key, :content => key.to_pem
+
+            name = OpenSSL::X509::Name.parse("/")
+            cert = OpenSSL::X509::Certificate.new()
+            cert.serial = 0
+            cert.version = 2
+            cert.not_before = Time.now
+            cert.not_after = Time.now + 50 * 365 * 24 * 60 * 60
+            cert.public_key = key.public_key
+
+            ef = OpenSSL::X509::ExtensionFactory.new
+            ef.subject_certificate = cert
+            ef.issuer_certificate = cert
+            cert.extensions = [
+              ef.create_extension("basicConstraints","CA:TRUE", true),
+              ef.create_extension("subjectKeyIdentifier", "hash"),
+            ]
+            cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                                   "keyid:always,issuer:always")
+
+            cert.sign key, OpenSSL::Digest::SHA1.new
+
+            Utils.write_important_file :filename => public_key, :content => cert.to_pem
+            puts "Keys created OK"
+
+          end
+
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/hiera/backend/eyaml/options.rb

@@ -0,0 +1,32 @@
+class Hiera
+  module Backend
+    module Eyaml
+      class Options
+
+        def self.[]= key, value
+          @@options ||= {}
+          @@options[ key.to_sym ] = value
+        end
+
+        def self.[] key
+          @@options ||= {}
+          @@options[ key.to_sym ]
+        end
+
+        def self.set hash
+          @@options = {}
+          hash.each do |k, v|
+            @@options[ k.to_sym ] = v
+          end
+        end
+
+        def self.debug
+          @@options.each do |k, v|
+            puts "#{k.class.name}:#{k} = #{v.class.name}:#{v}"
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/plugins.rb

@@ -0,0 +1,65 @@
+require 'rubygems'
+
+class Hiera
+  module Backend
+    module Eyaml
+      class Plugins
+
+        @@plugins = []
+        @@options = {}
+
+        def self.register_options args
+          options_hash = args[ :options ]
+          plugin = args[ :plugin ]
+          options_hash.each do |key, value|
+            @@options.merge!({ "#{plugin}_#{key}" => value })
+          end
+        end
+
+        def self.options
+          @@options
+        end
+
+        def self.find
+
+          this_version = Gem::Version.create(Hiera::Backend::Eyaml::VERSION)
+          index = Gem::VERSION >= "1.8.0" ? Gem::Specification : Gem.source_index
+
+          [index].flatten.each do |source|
+            specs = Gem::VERSION >= "1.6.0" ? source.latest_specs(true) : source.latest_specs
+
+            specs.each do |spec|
+              next if @@plugins.include? spec
+
+              # If this gem depends on Vagrant, verify this is a valid release of
+              # Vagrant for this gem to load into.
+              dependency = spec.dependencies.find { |d| d.name == "hiera-eyaml" }
+              next if dependency && !dependency.requirement.satisfied_by?( this_version )
+
+              file = nil
+              if Gem::VERSION >= "1.8.0"
+                file = spec.matches_for_glob("**/eyaml_init.rb").first
+              else
+                file = Gem.searcher.matching_files(spec, "eyaml_init.rb").first
+              end
+
+              next unless file
+
+              @@plugins << spec
+              load file
+            end
+
+          end
+
+          @@plugins
+
+        end
+
+        def self.plugins
+          @@plugins
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/utils.rb

@@ -0,0 +1,83 @@
+require 'highline/import'
+require 'tempfile'
+
+class Hiera
+  module Backend
+    module Eyaml
+      class Utils
+
+        def self.read_password
+          ask("Enter password: ") {|q| q.echo = "*" }
+        end
+
+        def self.confirm? message
+          result = ask("#{message} (y/N): ")
+          if result.downcase == "y" or result.downcase == "yes"
+            true
+          else
+            false
+          end
+        end
+
+        def self.camelcase string
+          return string if string !~ /_/ && string =~ /[A-Z]+.*/
+          string.split('_').map{|e| e.capitalize}.join
+        end
+
+        def self.find_editor
+          editor = ENV['EDITOR']
+          editor ||= %w{ /usr/bin/sensible-editor /usr/bin/editor /usr/bin/vim /usr/bin/vi }.collect {|e| e if FileTest.executable? e}.compact.first
+          raise StandardError, "Editor not found. Please set your EDITOR env variable" if editor.nil?
+          editor
+        end
+
+        def self.secure_file_delete args
+          file = File.open(args[:file], 'r+')
+          num_bytes = args[:num_bytes]
+          [0xff, 0x55, 0xaa, 0x00].each do |byte|
+            file.seek(0, IO::SEEK_SET)
+            num_bytes.times { file.print(byte.chr) }
+            file.fsync
+          end
+          File.delete file
+        end
+
+        def self.write_tempfile data_to_write
+          file = Tempfile.open('eyaml_edit')
+          path = file.path
+
+          file.puts data_to_write
+          file.close
+
+          path
+        end
+
+        def self.write_important_file args
+          filename = args[ :filename ]
+          content = args[ :content ]
+          if File.file? "#{filename}"
+             raise StandardError, "User aborted" unless Utils::confirm? "Are you sure you want to overwrite \"#{filename}\"?"
+          end
+          open( "#{filename}", "w" ) do |io|
+            io.write(content)
+          end
+        end
+
+        def self.ensure_key_dir_exists key_file
+          key_dir = File.dirname key_file
+
+          unless File.directory? key_dir
+            begin
+              Dir.mkdir key_dir
+              puts "Created key directory: #{key_dir}"
+            rescue
+              raise StandardError, "Cannot create key directory: #{key_dir}"
+            end
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml_backend.rb

@@ -1,129 +1,124 @@
-class Hiera
-    module Backend
-        class Eyaml_backend
-
-            def initialize
-                require 'openssl'
-                require 'base64'
-            end
+require 'hiera/backend/eyaml/encryptor'
+require 'hiera/backend/eyaml/actions/decrypt_action'
+require 'hiera/backend/eyaml/utils'
+require 'yaml'
 
-            def lookup(key, scope, order_override, resolution_type)
-    
-                debug("Lookup called for key #{key}")
-                answer = nil
-    
-                Backend.datasources(scope, order_override) do |source|
-                    eyaml_file = Backend.datafile(:eyaml, scope, source, "eyaml") || next
-
-                    debug("Processing datasource: #{eyaml_file}")
-
-                    data = YAML.load(File.read( eyaml_file ))
-
-                    next if !data
-                    next if data.empty?
-                    debug ("Data contains valid YAML")
-
-                    next unless data.include?(key)
-                    debug ("Key #{key} found in YAML document")
-
-                    parsed_answer = parse_answer(data[key], scope)
-
-                    begin
-                        case resolution_type
-                        when :array
-                            debug("Appending answer array")
-                            raise Exception, "Hiera type mismatch: expected Array and got #{parsed_answer.class}" unless parsed_answer.kind_of? Array or parsed_answer.kind_of? String
-                            answer ||= []
-                            answer << parsed_answer
-                        when :hash
-                            debug("Merging answer hash")
-                            raise Exception, "Hiera type mismatch: expected Hash and got #{parsed_answer.class}" unless parsed_answer.kind_of? Hash
-                            answer ||= {}
-                            answer = parsed_answer.merge answer
-                        else
-                            debug("Assigning answer variable")
-                            answer = parsed_answer
-                            break
-                        end
-                    rescue NoMethodError
-                        raise Exception, "Resolution type is #{resolution_type} but parsed_answer is a #{parsed_answer.class}"
-                    end
-                end
-    
-                return answer
-            end
-
-            def parse_answer(data, scope, extra_data={})
-                if data.is_a?(Numeric) or data.is_a?(TrueClass) or data.is_a?(FalseClass)
-                    # Can't be encrypted
-                    return data
-                elsif data.is_a?(String)
-                    parsed_string = Backend.parse_string(data, scope)
-                    return decrypt(parsed_string, scope)
-                elsif data.is_a?(Hash)
-                    answer = {}
-                    data.each_pair do |key, val|
-                        answer[key] = parse_answer(val, scope, extra_data)
-                    end
-                    return answer
-                elsif data.is_a?(Array)
-                    answer = []
-                    data.each do |item|
-                        answer << parse_answer(item, scope, extra_data)
-                    end
-                    return answer
-                end
+class Hiera
+  module Backend
+    class Eyaml_backend
+      
+      def initialize
+      end
+
+      def lookup(key, scope, order_override, resolution_type)
+
+        debug("Lookup called for key #{key}")
+        answer = nil
+
+        Backend.datasources(scope, order_override) do |source|
+          eyaml_file = Backend.datafile(:eyaml, scope, source, "eyaml") || next
+
+          debug("Processing datasource: #{eyaml_file}")
+
+          data = YAML.load(File.read( eyaml_file ))
+
+          next if data.nil? or data.empty?
+          debug ("Data contains valid YAML")
+
+          next unless data.include?(key)
+          debug ("Key #{key} found in YAML document")
+
+          parsed_answer = parse_answer(key, data[key], scope)
+
+          begin
+            case resolution_type
+            when :array
+              debug("Appending answer array")
+              raise Exception, "Hiera type mismatch: expected Array and got #{parsed_answer.class}" unless parsed_answer.kind_of? Array or parsed_answer.kind_of? String
+              answer ||= []
+              answer << parsed_answer
+            when :hash
+              debug("Merging answer hash")
+              raise Exception, "Hiera type mismatch: expected Hash and got #{parsed_answer.class}" unless parsed_answer.kind_of? Hash
+              answer ||= {}
+              answer = parsed_answer.merge answer
+            else
+              debug("Assigning answer variable")
+              answer = parsed_answer
+              break
             end
+          rescue NoMethodError
+            raise Exception, "Resolution type is #{resolution_type} but parsed_answer is a #{parsed_answer.class}"
+          end
+        end
 
-            def decrypt(value, scope)
+        answer
+      end
+
+      def parse_answer(key, data, scope, extra_data={})
+        if data.is_a?(Numeric) or data.is_a?(TrueClass) or data.is_a?(FalseClass)
+          # Can't be encrypted
+          data
+        elsif data.is_a?(String)
+          parsed_string = Backend.parse_string(data, scope)
+          decrypt(key, parsed_string, scope)
+        elsif data.is_a?(Hash)
+          answer = {}
+          data.each_pair do |key, val|
+            answer[key] = parse_answer(val, scope, extra_data)
+          end
+          answer
+        elsif data.is_a?(Array)
+          answer = []
+          data.each do |item|
+            answer << parse_answer(item, scope, extra_data)
+          end
+          answer
+        end
+      end
 
-                if is_encrypted(value)
+      def deblock block_string
+        block_string.gsub(/[ \n]/, '')
+      end
 
-                    # remove enclosing 'ENC[]'
-                    ciphertext = value[4..-2]
-                    ciphertext_decoded = Base64.decode64(ciphertext)
+      def decrypt(key, value, scope)
 
-                    debug("Decrypting value")
+        if encrypted? value
 
-                    private_key_path = Backend.parse_string(Config[:eyaml][:private_key], scope) || '/etc/hiera/keys/private_key.pem'
-                    public_key_path = Backend.parse_string(Config[:eyaml][:public_key], scope) || '/etc/hiera/keys/public_key.pem'
+          debug "Attempting to decrypt: #{key}"
+          
+          Config[:eyaml].each do |config_key, config_value|
+            config_value = Backend.parse_string(Config[:eyaml][config_key], scope)
+            debug "Setting: #{config_key} = #{config_value}"
+            Eyaml::Options[config_key] = config_value
+          end
 
-                    private_key_pem = File.read( private_key_path )
-                    private_key = OpenSSL::PKey::RSA.new( private_key_pem )
+          Eyaml::Options[:source] = "hiera"
 
-                    public_key_pem = File.read( public_key_path )
-                    public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+          plaintext = value.gsub( /ENC\[([^\]]*)\]/ ) { |match|
+            Eyaml::Options[:input_data] = deblock match.to_s
+            Eyaml::Options[:output] = "raw"
+            Eyaml::Actions::DecryptAction.execute
+          }
 
-                    pkcs7 = OpenSSL::PKCS7.new( ciphertext_decoded )
+          plaintext
 
-                    begin
-                      plaintext = pkcs7.decrypt(private_key, public_key)
-                    rescue
-                      raise Exception, "Hiera eyaml backend: Unable to decrypt hiera data. Do the keys match and are they the same as those used to encrypt?"
-                    end
-        
-                    return plaintext
-    
-                else
-                    return value
-                end
-            end
+        else
+          value
+        end
+      end
 
-            def is_encrypted(value)
-                if value.start_with?('ENC[')
-                    return true
-                else
-                    return false
-                end
-            end
+      def encrypted?(value)
+        if value.match(/.*ENC\[.*?\]/) then true else false end
+      end
 
-            def debug(msg)
-                Hiera.debug("[eyaml_backend]: #{msg}")
-            end
+      def debug(msg)
+        Hiera.debug("[eyaml_backend]: #{msg}")
+      end
 
-            def warn(msg)
-                Hiera.warn("[eyaml_backend]:  #{msg}")
-            end
-        end
+      def warn(msg)
+        Hiera.warn("[eyaml_backend]:  #{msg}")
+      end
     end
+  end
 end