hiera-eyaml 1.3.7 → 1.3.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 35b1bd91e6c23c3a0c52c99a84aa89c6e6e144ab
-  data.tar.gz: e9f39be021a877caf772a79e0d8e145d138c0ee8
+  metadata.gz: 0794eaaca28f7702c08e251f54f938c06c7856fe
+  data.tar.gz: 505eea5b6e2bc567f5587adabb3c0aaef8b701e2
 SHA512:
-  metadata.gz: 18fc2732feabb0946f769c38adad97d7f1f02bd9a19a7861a70a2ca00b36b8a3d7f3808a8cbed2cf58572329b6b29f3723c5aad0a378fd71e2897b9e2bdcb054
-  data.tar.gz: b93af7d7f78bbf81cadc47656ed8bdd5286935c71ce7c19588f10fccf68016ddaa72b6e2f6b1bd4a2b4c5155bfaa5d40230b506dbdee7f7483effab80a8f5e6d
+  metadata.gz: b995c5e993985e4d38c0b1dfe55c0767057311cf00c75b3d3ac12538dfe7d58a9343a949005f06ccb1d1ea10628ffea2bf13e770d3ea5dad1288e2e09ba30174
+  data.tar.gz: b54b10584df24f60bf148bd62116e9c6b6426e67be16a4c95172b2e1776cd33a30b308dba0a17a7814ceac84268749a35737567147605714e63e85b7ac6f8fbd

data/.travis.yml

@@ -0,0 +1,10 @@
+language: ruby
+rvm:
+  - "1.8.7"
+  - "1.9.2"
+  - "1.9.3"
+before_install:
+  - sudo apt-get update
+  - sudo apt-get install expect
+script:
+  bundle exec cucumber -f progress

data/Gemfile

@@ -9,4 +9,9 @@ group :development do
   gem "puppet"
 end
 
+group :test do
+  gem "rake"
+end
+
+
 

data/Gemfile.lock

@@ -8,7 +8,7 @@ GEM
     builder (3.2.2)
     childprocess (0.3.9)
       ffi (~> 1.0, >= 1.0.11)
-    cucumber (1.3.9)
+    cucumber (1.3.10)
       builder (>= 2.1.2)
       diff-lcs (>= 1.1.3)
       gherkin (~> 2.12)
@@ -21,19 +21,16 @@ GEM
       multi_json (~> 1.3)
     hiera (1.2.1)
       json_pure
-    hiera-eyaml (1.3.4)
-      highline (>= 1.6.19)
-      trollop (>= 2.0)
-    hiera-eyaml-plaintext (0.4)
-      hiera-eyaml (>= 1.3.1)
+    hiera-eyaml-plaintext (0.5)
     highline (1.6.20)
     json_pure (1.8.1)
     multi_json (1.8.2)
     multi_test (0.0.2)
-    puppet (3.3.1)
+    puppet (3.3.2)
       facter (~> 1.6)
       hiera (~> 1.0)
       rgen (~> 0.6.5)
+    rake (10.1.0)
     rgen (0.6.6)
     rspec-expectations (2.14.4)
       diff-lcs (>= 1.1.3, < 2.0)
@@ -47,4 +44,5 @@ DEPENDENCIES
   hiera-eyaml-plaintext
   highline
   puppet
+  rake
   trollop

data/README.md

@@ -1,17 +1,39 @@
-Hiera eYaml
+Hiera eyaml
 ===========
 
-A backend for Hiera that provides per-value asymmetric encryption of sensitive data
-within yaml type files to be used by Puppet.
+[![Build Status](https://travis-ci.org/TomPoulton/hiera-eyaml.png?branch=master)](https://travis-ci.org/TomPoulton/hiera-eyaml)
 
-More info can be found [in this corresponding post](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/).
+hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files 
+to be used by Puppet.
 
-The Hiera eYaml backend uses yaml formatted files with the .eyaml extension. Simply prefix your
-encrypted string with the encryption method (PKCS7,) wrap it with ENC[] and place it in an eyaml file. You can mix your plain values in as well or separate them into different files.
 
-Example:
+Advantages over hiera-gpg
+-------------------------
 
-<pre>
+A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases, 
+one of the best expressed frustrations was 
+[written back in June 2013](http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/). So
+[Tom created an initial version](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/)
+and this was refined into an elegant solution over the following months.
+
+Unlike `hiera-gpg`, `hiera-eyaml`:
+
+ - only encrypts the values (which allows files to be swiftly reviewed without decryption)
+ - encrypts the value of each key individually (this means that `git diff` is meaningful)
+ - includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as 
+   easy as using clear text files)
+ - uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to 
+   be compiled & allows users without the private key to encrypt values that the puppet master can decrypt)
+ - has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used 
+   if you have the need for multiple keys and easier key rotation)
+
+The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption 
+method, wrapped with ENC[] and placed in an eyaml file. You can mix your plain values in as well or separate them into different files.
+Encrypted values can occur within arrays, hashes, nested arrays and nested hashes.
+
+For instance:
+
+```yaml
 ---
 plain-property: You can see me
 
@@ -22,24 +44,19 @@ encrypted-property: >
     l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
     /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
     IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
-</pre>
+```
+
+To edit this you can use the command `eyaml -i important.eyaml` which will decrypt the file, fire up an editor with
+the decrypted values and re-encrypt any edited values when you exit the editor. This tool makes editing your encrypted
+files as simple as clear text files.
 
-eYaml supports multiple encryption types, and encrypted values can occur within arrays, hashes, nested arrays and nested hashes 
 
 Setup
-=====
+-----
 
 ### Installing hiera-eyaml
 
     $ gem install hiera-eyaml
-    
-#### Installing from behind a corporate/application proxy
-    $ export HTTP_PROXY=http://yourcorporateproxy:3128/
-    $ export HTTPS_PROXY=http://yourcorporateproxy:3128/
-    
-then run your install
- 
-    $ gem install hiera-eyaml
 
 ### Generate keys
 
@@ -54,11 +71,11 @@ This creates a public and private key with default names in the default location
 Since the point of using this module is to securely store sensitive information, it's important to store these keys securely.
 If using Hiera with Puppet, Your puppetmaster will need to access these keys to perform decryption when the puppet agent runs on a remote node.
 So for this reason, a suggested location might be to store them in:
-    
+
     /etc/puppet/secure/keys
-    
+
 (Using a secure/keys/ subfolder is so that you can still store other secure puppet files in the secure/ folder that might not be related to this module.)
- 
+
 The permissions for this folder should allow the puppet user (normally 'puppet') execute access to the keys directory, read only access to the keys themselves and restrict everyone else:
 
     $ chown -R puppet:puppet /etc/puppet/secure/keys
@@ -91,37 +108,60 @@ To test decryption you can also use the eyaml tool if you have both keys
     $ eyaml -d -f filename               # Decrypt a file
     $ eyaml -d -s 'ENC[PKCS7,.....]'     # Decrypt a string
 
-### eYaml files
+### Editing eyaml files
 
-Once you have created a few eyaml files, with a mixture of encrypted and non-encrypted properties, you can edit the encrypted values in place, using the special edit mode of the eyaml utility
+Once you have created a few eyaml files, with a mixture of encrypted and non-encrypted properties, 
+you can edit the encrypted values in place, using the special edit mode of the eyaml utility. Edit
+mode opens a decrypted copy of the eyaml file in your `$EDITOR` and will encrypt and modified values
+when you exit the editor.
 
     $ eyaml -i filename.eyaml         # Edit an eyaml file in place
 
-Multiple Encryption Types
-=========================
+When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to 
+identify each encrypted block, along with the encryption method. This is used to make sure that the block 
+is encrypted again only if the clear text value has changed, and is encrypted using the
+original encryption mechanism (see plugable encryption later).
 
-hiera-eyaml backend is pluggable, so that further encryption types can be added as separate gems to the general mechanism which hiera-eyaml uses. Hiera-eyaml ships with one default mechanism of 'pkcs7', the encryption type widely used to sign smime email messages. 
+A decrypted file might look like this:
 
-Other encryption types (if the gems for them have been loaded) can be specified using the following formats:
+```yaml
+---
+plain-property: You can see me
 
-<pre>
-    ENC[PKCS7,SOME_ENCRYPTED_VALUE]         # a PKCS7 encrypted value
-    ENC[GPG,SOME_ENCRYPTED_VALUE]           # a GPG encrypted value (hiera-eyaml-gpg)
-    ... etc ...
-</pre>
+cipher-property : >
+    DEC(1)::PKCS7[You can't see me]!
 
-When editing eyaml files, you will see that the unencrypted plaintext is marked in such a way as to identify the encryption method. This is so that the eyaml tool knows to encrypt it back using the correct method afterwards:
+environments:
+    development:
+        host: localhost
+        password: password
+    production:
+        host: prod.org.com
+        password: >
+            DEC(2)::PKCS7[securepassword]!
+
+things:
+    - thing 1
+    -   - nested thing 1.0
+        - >
+            DEC(3)::PKCS7[secure nested thing 1.1]!
+    -   - nested thing 2.0
+        - nested thing 2.1
+```
+
+Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to 
+omit the number in brackets for new values. If any duplicate IDs are found then the re-encryption process will be abandoned
+by the eyaml tool.
+
+    some_new_key: DEC::PKCS7[a new value to encrypt]!
 
-<pre>
-some_key: DEC::PKCS7[very secret password]!
-</pre>
 
 Hiera
-=====
+-----
 
 To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend
 
-<pre>
+```yaml
 ---
 :backends:
     - eyaml
@@ -139,17 +179,20 @@ To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml
     # If using the pkcs7 encryptor (default)
     :pkcs7_private_key: /path/to/private_key.pkcs7.pem
     :pkcs7_public_key:  /path/to/public_key.pkcs7.pem
+```
 
-</pre>
-
-Then, edit your hiera yaml files (renaming them with the .eyaml extension), and insert your encrypted values:
+Then, edit your hiera yaml files, and insert your encrypted values. The default eyaml file extension is .eyaml, however this can be configured in the :eyaml block to set :extension,
 
+```yaml
+:eyaml:
+    :extension: 'yaml'
+```
 
-*Important Note:* 
-The eYaml backend will not parse internally json formatted yaml files, whereas the regular yaml backend will. 
+*Important Note:*
+The eyaml backend will not parse internally json formatted yaml files, whereas the regular yaml backend will.
 You'll need to ensure any existing yaml files using json format are converted to syntactically correct yaml format.
 
-<pre>
+```yaml
 ---
 plain-property: You can see me
 
@@ -187,22 +230,36 @@ things:
             IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
     -   - nested thing 2.0
         - nested thing 2.1
-</pre>
+```
 
-Tests
-=====
 
-In order to run the tests, simply run `cucumber` in the top level directory of the project.
+Pluggable Encryption
+--------------------
 
-You'll need to have a few requirements installed:
+hiera-eyaml backend is pluggable, so that further encryption types can be added as separate gems to the general mechanism which hiera-eyaml uses. Hiera-eyaml ships with one default mechanism of 'pkcs7', the encryption type widely used to sign smime email messages.
+
+Other encryption types (if the gems for them have been loaded) can be specified using the following formats:
+
+    ENC[PKCS7,SOME_ENCRYPTED_VALUE]         # a PKCS7 encrypted value
+    ENC[GPG,SOME_ENCRYPTED_VALUE]           # a GPG encrypted value (hiera-eyaml-gpg)
+    ... etc ...
+
+When editing eyaml files, you will see that the unencrypted plaintext is marked in such a way as to identify the encryption method. This is so that the eyaml tool knows to encrypt it back using the correct method afterwards:
+
+    some_key: DEC(1)::PKCS7[very secret password]!
+
+### Encryption plugins
+
+This is a list of available plugins:
+
+ - [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg) - Provide GPG encryption
+ - [hiera-eyaml-plaintext](https://github.com/gtmtech/hiera-eyaml-plaintext) - This is a no-op encryption plugin that 
+   simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on 
+   hiera-eyaml. **THIS SHOULD NOT BE USED IN PRODUCTION**
 
-  * `expect` (via yum/apt-get or system package)
-  * `aruba` (gem)
-  * `cucumber` (gem)
-  * `puppet` (gem)
 
 Notes
-=====
+-----
 
 If you do not specify an encryption method within ENC[] tags, it will be assumed to be PKCS7
 
@@ -214,8 +271,45 @@ access to a DEV branch will be able to read/view the contents of the PRD branch,
 Github has a great guide on removing sensitive data from repos here:
 https://help.github.com/articles/remove-sensitive-data
 
+
+Troubleshooting
+---------------
+
+### Installing from behind a corporate/application proxy
+
+    $ export HTTP_PROXY=http://yourcorporateproxy:3128/
+    $ export HTTPS_PROXY=http://yourcorporateproxy:3128/
+
+then run your install
+
+    $ gem install hiera-eyaml
+
+
+Issues
+------
+
+If you have found a bug then please raise an issue here on github.
+
+Some of us hang out on #hiera-eyaml on freenode, please drop by if you want to say hi or have a question.
+
+
+Tests
+-----
+
+In order to run the tests, simply run `cucumber` in the top level directory of the project.
+
+You'll need to have a few requirements installed:
+
+  * `expect` (via yum/apt-get or system package)
+  * `aruba` (gem)
+  * `cucumber` (gem)
+  * `puppet` (gem)
+
+
 Authors
-=======
+-------
 
 - [Tom Poulton](http://github.com/TomPoulton) - Initial author. eyaml backend.
-- [Geoff Meakin](http://github.com/gtmtech) - Major contributor. eyaml command.
+- [Geoff Meakin](http://github.com/gtmtech) - Major contributor. eyaml command, tests, CI
+- [Simon Hildrew](http://github.com/sihil) - Contributor. eyaml edit sub command.
+- [Robert Fielding](http://github.com/rooprob) - Contributor. eyaml recrypt sub command.

data/lib/hiera/backend/eyaml.rb

@@ -2,7 +2,10 @@ class Hiera
   module Backend
     module Eyaml
 
-      VERSION = "1.3.7"
+      class RecoverableError < StandardError
+      end
+
+      VERSION = "1.3.8"
 
       def self.default_encryption_scheme= new_encryption
         @@default_encryption_scheme = new_encryption

data/lib/hiera/backend/eyaml/CLI.rb

@@ -4,6 +4,7 @@ require 'hiera/backend/eyaml/utils'
 require 'hiera/backend/eyaml/actions/createkeys_action'
 require 'hiera/backend/eyaml/actions/decrypt_action'
 require 'hiera/backend/eyaml/actions/encrypt_action'
+require 'hiera/backend/eyaml/actions/recrypt_action'
 require 'hiera/backend/eyaml/actions/edit_action'
 require 'hiera/backend/eyaml/plugins'
 require 'hiera/backend/eyaml/options'
@@ -16,25 +17,26 @@ class Hiera
         def self.parse
 
           options = Trollop::options do
-              
+
             version "Hiera-eyaml version " + Hiera::Backend::Eyaml::VERSION.to_s
             banner <<-EOS
 Hiera-eyaml is a backend for Hiera which provides OpenSSL encryption/decryption for Hiera properties
 
 Usage:
-  eyaml [options] 
+  eyaml [options]
   eyaml -i file.eyaml       # edit a file
   eyaml -e -s some-string   # encrypt a string
-  eyaml -e -p               # encrypt a password 
+  eyaml -e -p               # encrypt a password
   eyaml -e -f file.txt      # encrypt a file
   cat file.txt | eyaml -e   # encrypt a file on a pipe
 
-Options:  
+Options:
   EOS
-          
+
             opt :createkeys, "Create public and private keys for use encrypting properties", :short => 'c'
             opt :decrypt, "Decrypt something", :short => 'd'
             opt :encrypt, "Encrypt something", :short => 'e'
+            opt :recrypt, "Recrypt something", :short => 'r', :type => :string
             opt :edit, "Decrypt, Edit, and Reencrypt", :short => 'i', :type => :string
             opt :eyaml, "Source input is an eyaml file", :short => 'y', :type => :string
             opt :password, "Source input is a password entered on the terminal", :short => 'p'
@@ -53,8 +55,8 @@ Options:
 
           end
 
-          actions = [:createkeys, :decrypt, :encrypt, :edit].collect {|x| x if options[x]}.compact
-          sources = [:edit, :eyaml, :password, :string, :file, :stdin].collect {|x| x if options[x]}.compact
+          actions = [:createkeys, :decrypt, :recrypt, :encrypt, :edit].collect {|x| x if options[x]}.compact
+          sources = [:edit, :recrypt, :eyaml, :password, :string, :file, :stdin].collect {|x| x if options[x]}.compact
           # sources << :stdin if STDIN
 
           Trollop::die "You can only specify one of (#{actions.join(', ')})" if actions.count > 1
@@ -84,7 +86,11 @@ Options:
             if options[:edit]
               options[:eyaml] = options[:edit]
               options[:source] = :eyaml
-              File.read options[:edit] 
+              File.read options[:edit]
+            elsif options[:recrypt]
+              options[:eyaml] = options[:recrypt]
+              options[:source] = :eyaml
+              File.read options[:recrypt]
             else
               nil
             end
@@ -104,7 +110,7 @@ Options:
           return_value = action_class.execute
           puts return_value unless return_value.nil?
 
-        end          
+        end
 
       end
 

data/lib/hiera/backend/eyaml/actions/edit_action.rb

@@ -3,6 +3,7 @@ require 'hiera/backend/eyaml/actions/decrypt_action'
 require 'hiera/backend/eyaml/actions/encrypt_action'
 require 'hiera/backend/eyaml/options'
 require 'hiera/backend/eyaml/parser/parser'
+require 'highline/import'
 
 class Hiera
   module Backend
@@ -19,50 +20,61 @@ class Hiera
             decrypted_file = Utils.write_tempfile decrypted_input
 
             editor = Utils.find_editor
-            system editor, decrypted_file
-            status = $?
 
-            raise StandardError, "File was moved by editor" unless File.file? decrypted_file
-            edited_file = File.read decrypted_file
-            Utils.secure_file_delete :file => decrypted_file, :num_bytes => [edited_file.length, decrypted_input.length].max
+            begin
+              system "#{editor} #{decrypted_file}"
+              status = $?
 
-            raise StandardError, "Editor #{editor} has not exited?" unless status.exited?
-            raise StandardError, "Editor did not exit successfully (exit code #{status.exitstatus}), aborting" unless status.exitstatus
+              raise StandardError, "File was moved by editor" unless File.file? decrypted_file
+              edited_file = File.read decrypted_file
 
-            raise StandardError, "Edited file is blank" if edited_file.empty?
+              raise StandardError, "Editor #{editor} has not exited?" unless status.exited?
+              raise StandardError, "Editor did not exit successfully (exit code #{status.exitstatus}), aborting" unless status.exitstatus == 0
 
-            if edited_file == decrypted_input
-              Utils.info "No changes detected, exiting"
-            else
-              decrypted_parser = Parser::ParserFactory.decrypted_parser
-              edited_tokens = decrypted_parser.parse(edited_file)
+              raise StandardError, "Edited file is blank" if edited_file.empty?
 
-              # check that the tokens haven't been copy / pasted
-              used_ids = edited_tokens.find_all{ |t| t.class.name =~ /::EncToken$/ }.map{ |t| t.id }
-              if used_ids.length != used_ids.uniq.length
-                  raise StandardError, "A duplicate DEC(ID) was found so I don't know how to proceed. This is probably because you copy and pasted a value - if you do this please delete the ID in parentheses"
-              end
+              if edited_file == decrypted_input
+                Utils.info "No changes detected, exiting"
+              else
+                decrypted_parser = Parser::ParserFactory.decrypted_parser
+                edited_tokens = decrypted_parser.parse(edited_file)
+
+                # check that the tokens haven't been copy / pasted
+                used_ids = edited_tokens.find_all{ |t| t.class.name =~ /::EncToken$/ and !t.id.nil? }.map{ |t| t.id }
+                if used_ids.length != used_ids.uniq.length
+                    raise RecoverableError, "A duplicate DEC(ID) was found so I don't know how to proceed. This is probably because you copy and pasted a value - if you do this please delete the ID in parentheses"
+                end
 
-              # replace untouched values with the source values
-              edited_denoised_tokens = edited_tokens.map{ |token|
-                if token.class.name =~ /::EncToken$/ && !token.id.nil?
-                  old_token = tokens[token.id]
-                  if old_token.plain_text.eql? token.plain_text
-                    old_token
+                # replace untouched values with the source values
+                edited_denoised_tokens = edited_tokens.map{ |token|
+                  if token.class.name =~ /::EncToken$/ && !token.id.nil?
+                    old_token = tokens[token.id]
+                    if old_token.plain_text.eql? token.plain_text
+                      old_token
+                    else
+                      token
+                    end
                   else
                     token
                   end
-                else
-                  token
-                end
-              }
+                }
 
-              encrypted_output = edited_denoised_tokens.map{ |t| t.to_encrypted }.join
+                encrypted_output = edited_denoised_tokens.map{ |t| t.to_encrypted }.join
 
-              filename = Eyaml::Options[:eyaml]
-              File.open("#{filename}", 'w') { |file|
-                file.write encrypted_output
-              }
+                filename = Eyaml::Options[:eyaml]
+                File.open("#{filename}", 'w') { |file|
+                  file.write encrypted_output
+                }
+              end
+            rescue RecoverableError => e
+              Utils.info e
+              if agree "Return to the editor to try again?"
+                retry
+              else
+                raise e
+              end
+            ensure
+              Utils.secure_file_delete :file => decrypted_file, :num_bytes => [edited_file.length, decrypted_input.length].max
             end
 
             nil

data/lib/hiera/backend/eyaml/actions/recrypt_action.rb

@@ -0,0 +1,44 @@
+require 'hiera/backend/eyaml/utils'
+require 'hiera/backend/eyaml/actions/decrypt_action'
+require 'hiera/backend/eyaml/actions/encrypt_action'
+require 'hiera/backend/eyaml/options'
+require 'hiera/backend/eyaml/parser/parser'
+
+class Hiera
+  module Backend
+    module Eyaml
+      module Actions
+
+        class RecryptAction
+
+          def self.execute
+
+            encrypted_parser = Parser::ParserFactory.encrypted_parser
+            tokens = encrypted_parser.parse Eyaml::Options[:input_data]
+            decrypted_input = tokens.each_with_index.to_a.map{|(t,index)| t.to_decrypted :index => index}.join
+            decrypted_file = Utils.write_tempfile decrypted_input
+
+            edited_file = File.read decrypted_file
+            Utils.secure_file_delete :file => decrypted_file, :num_bytes => [edited_file.length, decrypted_input.length].max
+
+            raise StandardError, "Edited file is blank" if edited_file.empty?
+
+            decrypted_parser = Parser::ParserFactory.decrypted_parser
+            edited_tokens = decrypted_parser.parse(edited_file)
+
+            encrypted_output = edited_tokens.map{ |t| t.to_encrypted }.join
+
+            filename = Eyaml::Options[:eyaml]
+            File.open("#{filename}", 'w') { |file|
+              file.write encrypted_output
+            }
+
+            nil
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb

@@ -69,7 +69,11 @@ class Hiera
             cert.serial = 0
             cert.version = 2
             cert.not_before = Time.now
-            cert.not_after = Time.now + 50 * 365 * 24 * 60 * 60
+            cert.not_after = if 1.size == 8       # 64bit
+              Time.now + 50 * 365 * 24 * 60 * 60
+            else                                  # 32bit
+              Time.at(0x7fffffff)
+            end
             cert.public_key = key.public_key
 
             ef = OpenSSL::X509::ExtensionFactory.new

data/lib/hiera/backend/eyaml_backend.rb

@@ -7,8 +7,9 @@ require 'yaml'
 class Hiera
   module Backend
     class Eyaml_backend
-      
+
       def initialize
+        @extension = Config[:eyaml][:extension] ? Config[:eyaml][:extension] : "eyaml"
       end
 
       def lookup(key, scope, order_override, resolution_type)
@@ -17,7 +18,7 @@ class Hiera
         answer = nil
 
         Backend.datasources(scope, order_override) do |source|
-          eyaml_file = Backend.datafile(:eyaml, scope, source, "eyaml") || next
+          eyaml_file = Backend.datafile(:eyaml, scope, source, @extension) || next
 
           debug("Processing datasource: #{eyaml_file}")
 
@@ -42,7 +43,7 @@ class Hiera
               debug("Merging answer hash")
               raise Exception, "Hiera type mismatch: expected Hash and got #{parsed_answer.class}" unless parsed_answer.kind_of? Hash
               answer ||= {}
-              answer = parsed_answer.merge answer
+              answer = Backend.merge_answer(parsed_answer,answer)
             else
               debug("Assigning answer variable")
               answer = parsed_answer
@@ -87,7 +88,7 @@ class Hiera
         if encrypted? value
 
           debug "Attempting to decrypt: #{key}"
-          
+
           Config[:eyaml].each do |config_key, config_value|
             config_value = Backend.parse_string(Config[:eyaml][config_key], scope)
             debug "Setting: #{config_key} = #{config_value}"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hiera-eyaml
 version: !ruby/object:Gem::Version
-  version: 1.3.7
+  version: 1.3.8
 platform: ruby
 authors:
 - Tom Poulton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-14 00:00:00.000000000 Z
+date: 2013-11-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: trollop
@@ -46,6 +46,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .travis.yml
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -60,6 +61,7 @@ files:
 - lib/hiera/backend/eyaml/actions/decrypt_action.rb
 - lib/hiera/backend/eyaml/actions/edit_action.rb
 - lib/hiera/backend/eyaml/actions/encrypt_action.rb
+- lib/hiera/backend/eyaml/actions/recrypt_action.rb
 - lib/hiera/backend/eyaml/encryptor.rb
 - lib/hiera/backend/eyaml/encryptors/pkcs7.rb
 - lib/hiera/backend/eyaml/options.rb