hiera-eyaml 3.0.0 → 3.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -0
- data/README.md +4 -1
- data/lib/hiera/backend/eyaml.rb +1 -1
- data/lib/hiera/backend/eyaml/CLI.rb +3 -7
- data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +6 -6
- data/lib/hiera/backend/eyaml_backend.rb +12 -5
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5b9a21a2c014fd073b1733d4c9c8ac2422b4d011f22f9ceb700834ce13710090
|
|
4
|
+
data.tar.gz: e8672bc02e4f4e9c41c8bba28677a99c06f08b5fd870936b660bb495d6df0e26
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ac59e7c61933e8db2d074bf267c2d45a8cc3aacc23a2a4b732483529506d9cb089ed144794f1b37e010407646a461ca64cd1fc4f4cb53b9b81a65318d604fbad
|
|
7
|
+
data.tar.gz: f8fe859c0a1a855b0138690362a8e3952f0fa0756540135d314e117668d8936159a3d7862d0bf3e91ce9eba2efa0d30284f301037ecac7683133a5f6dcfb43a8
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,27 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
|
|
5
|
+
## [v3.1.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.0) (2019-11-11)
|
|
6
|
+
|
|
7
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.0.0...v3.1.0)
|
|
8
|
+
|
|
9
|
+
**Implemented enhancements:**
|
|
10
|
+
|
|
11
|
+
- Should be able to `edit` a new file [\#84](https://github.com/voxpupuli/hiera-eyaml/issues/84)
|
|
12
|
+
- Cache key strings. [\#191](https://github.com/voxpupuli/hiera-eyaml/pull/191) ([mkulke](https://github.com/mkulke))
|
|
13
|
+
|
|
14
|
+
**Closed issues:**
|
|
15
|
+
|
|
16
|
+
- Decryption errors should return error code. [\#282](https://github.com/voxpupuli/hiera-eyaml/issues/282)
|
|
17
|
+
- Release a new version [\#271](https://github.com/voxpupuli/hiera-eyaml/issues/271)
|
|
18
|
+
|
|
19
|
+
**Merged pull requests:**
|
|
20
|
+
|
|
21
|
+
- \(docs\) Update README with reference to hiera-eyaml-vault [\#287](https://github.com/voxpupuli/hiera-eyaml/pull/287) ([crayfishx](https://github.com/crayfishx))
|
|
22
|
+
- fix: don't handle cli exceptions early [\#283](https://github.com/voxpupuli/hiera-eyaml/pull/283) ([stuart-warren](https://github.com/stuart-warren))
|
|
23
|
+
- Adding doc for Google KMS plugin [\#279](https://github.com/voxpupuli/hiera-eyaml/pull/279) ([craigwatson](https://github.com/craigwatson))
|
|
24
|
+
- catch failed decryption and print a helpful message [\#144](https://github.com/voxpupuli/hiera-eyaml/pull/144) ([GeoffWilliams](https://github.com/GeoffWilliams))
|
|
25
|
+
|
|
5
26
|
## [v3.0.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.0.0) (2019-01-17)
|
|
6
27
|
|
|
7
28
|
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v2.1.0...v3.0.0)
|
data/README.md
CHANGED
|
@@ -365,7 +365,10 @@ This is a list of available plugins:
|
|
|
365
365
|
Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
|
|
366
366
|
in conjunction with puppet, as it requires entry of a password over a terminal.
|
|
367
367
|
- [hiera-eyaml-kms](https://github.com/adenot/hiera-eyaml-kms) - Encryption using AWS Key Management Service (KMS)
|
|
368
|
-
|
|
368
|
+
- [hiera-eyaml-gkms](https://github.com/craigwatson/hiera-eyaml-gkms) - Encryption using Google Cloud KMS
|
|
369
|
+
- [hiera-eyaml-vault](https://github.com/crayfishx/hiera-eyaml-vault) - Use the transit secrets engine from Vault for providing encryption.
|
|
370
|
+
|
|
371
|
+
|
|
369
372
|
### How-To's:
|
|
370
373
|
|
|
371
374
|
- [How to use different Hiera/Eyaml keys for different environments using the AWS Parameter Store to store the encryption keys for Hiera/Eyaml](https://gist.github.com/FransUrbo/88b26033cb513a8aa569bd5392a427b1).
|
data/lib/hiera/backend/eyaml.rb
CHANGED
|
@@ -42,13 +42,9 @@ class Hiera
|
|
|
42
42
|
def self.execute
|
|
43
43
|
|
|
44
44
|
executor = Eyaml::Options[:executor]
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
rescue Exception => e
|
|
49
|
-
LoggingHelper.warn e.message
|
|
50
|
-
LoggingHelper.debug e.backtrace.join("\n")
|
|
51
|
-
end
|
|
45
|
+
|
|
46
|
+
result = executor.execute
|
|
47
|
+
puts result unless result.nil?
|
|
52
48
|
|
|
53
49
|
end
|
|
54
50
|
|
|
@@ -38,8 +38,8 @@ class Hiera
|
|
|
38
38
|
public_key = self.option :public_key
|
|
39
39
|
raise StandardError, "pkcs7_public_key is not defined" unless public_key
|
|
40
40
|
|
|
41
|
-
public_key_pem
|
|
42
|
-
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
41
|
+
@public_key_pem ||= File.read public_key
|
|
42
|
+
public_key_x509 = OpenSSL::X509::Certificate.new( @public_key_pem )
|
|
43
43
|
|
|
44
44
|
cipher = OpenSSL::Cipher::AES.new(256, :CBC)
|
|
45
45
|
OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
|
|
@@ -54,11 +54,11 @@ class Hiera
|
|
|
54
54
|
raise StandardError, "pkcs7_public_key is not defined" unless public_key
|
|
55
55
|
raise StandardError, "pkcs7_private_key is not defined" unless private_key
|
|
56
56
|
|
|
57
|
-
private_key_pem
|
|
58
|
-
private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
|
|
57
|
+
@private_key_pem ||= File.read private_key
|
|
58
|
+
private_key_rsa = OpenSSL::PKey::RSA.new( @private_key_pem )
|
|
59
59
|
|
|
60
|
-
public_key_pem
|
|
61
|
-
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
60
|
+
@public_key_pem ||= File.read public_key
|
|
61
|
+
public_key_x509 = OpenSSL::X509::Certificate.new( @public_key_pem )
|
|
62
62
|
|
|
63
63
|
pkcs7 = OpenSSL::PKCS7.new( ciphertext )
|
|
64
64
|
pkcs7.decrypt(private_key_rsa, public_key_x509)
|
|
@@ -79,12 +79,19 @@ class Hiera
|
|
|
79
79
|
def decrypt(data)
|
|
80
80
|
if encrypted?(data)
|
|
81
81
|
debug("Attempting to decrypt")
|
|
82
|
+
begin
|
|
83
|
+
parser = Eyaml::Parser::ParserFactory.hiera_backend_parser
|
|
84
|
+
tokens = parser.parse(data)
|
|
85
|
+
decrypted = tokens.map{ |token| token.to_plain_text }
|
|
86
|
+
plaintext = decrypted.join
|
|
87
|
+
rescue OpenSSL::PKCS7::PKCS7Error => e
|
|
88
|
+
debug("Caught exception: #{e.class}, #{e.message}\n"\
|
|
89
|
+
"#{e.backtrace.join("\n")}")
|
|
90
|
+
raise "Hiera-eyaml decryption failed, check the "\
|
|
91
|
+
"encrypted data matches the key you are using.\n"\
|
|
92
|
+
"Raw message from system: #{e.message}"
|
|
82
93
|
|
|
83
|
-
|
|
84
|
-
tokens = parser.parse(data)
|
|
85
|
-
decrypted = tokens.map{ |token| token.to_plain_text }
|
|
86
|
-
plaintext = decrypted.join
|
|
87
|
-
|
|
94
|
+
end
|
|
88
95
|
plaintext.chomp
|
|
89
96
|
else
|
|
90
97
|
data
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hiera-eyaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tom Poulton
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-11-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: optimist
|
|
@@ -105,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
105
105
|
- !ruby/object:Gem::Version
|
|
106
106
|
version: '0'
|
|
107
107
|
requirements: []
|
|
108
|
-
rubygems_version: 3.0.
|
|
108
|
+
rubygems_version: 3.0.6
|
|
109
109
|
signing_key:
|
|
110
110
|
specification_version: 4
|
|
111
111
|
summary: OpenSSL Encryption backend for Hiera
|