hiera-eyaml 3.0.0 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -0
- data/README.md +4 -1
- data/lib/hiera/backend/eyaml.rb +1 -1
- data/lib/hiera/backend/eyaml/CLI.rb +3 -7
- data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +6 -6
- data/lib/hiera/backend/eyaml_backend.rb +12 -5
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5b9a21a2c014fd073b1733d4c9c8ac2422b4d011f22f9ceb700834ce13710090
|
|
4
|
+
data.tar.gz: e8672bc02e4f4e9c41c8bba28677a99c06f08b5fd870936b660bb495d6df0e26
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ac59e7c61933e8db2d074bf267c2d45a8cc3aacc23a2a4b732483529506d9cb089ed144794f1b37e010407646a461ca64cd1fc4f4cb53b9b81a65318d604fbad
|
|
7
|
+
data.tar.gz: f8fe859c0a1a855b0138690362a8e3952f0fa0756540135d314e117668d8936159a3d7862d0bf3e91ce9eba2efa0d30284f301037ecac7683133a5f6dcfb43a8
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,27 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
|
4
4
|
|
|
5
|
+
## [v3.1.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.0) (2019-11-11)
|
|
6
|
+
|
|
7
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.0.0...v3.1.0)
|
|
8
|
+
|
|
9
|
+
**Implemented enhancements:**
|
|
10
|
+
|
|
11
|
+
- Should be able to `edit` a new file [\#84](https://github.com/voxpupuli/hiera-eyaml/issues/84)
|
|
12
|
+
- Cache key strings. [\#191](https://github.com/voxpupuli/hiera-eyaml/pull/191) ([mkulke](https://github.com/mkulke))
|
|
13
|
+
|
|
14
|
+
**Closed issues:**
|
|
15
|
+
|
|
16
|
+
- Decryption errors should return error code. [\#282](https://github.com/voxpupuli/hiera-eyaml/issues/282)
|
|
17
|
+
- Release a new version [\#271](https://github.com/voxpupuli/hiera-eyaml/issues/271)
|
|
18
|
+
|
|
19
|
+
**Merged pull requests:**
|
|
20
|
+
|
|
21
|
+
- \(docs\) Update README with reference to hiera-eyaml-vault [\#287](https://github.com/voxpupuli/hiera-eyaml/pull/287) ([crayfishx](https://github.com/crayfishx))
|
|
22
|
+
- fix: don't handle cli exceptions early [\#283](https://github.com/voxpupuli/hiera-eyaml/pull/283) ([stuart-warren](https://github.com/stuart-warren))
|
|
23
|
+
- Adding doc for Google KMS plugin [\#279](https://github.com/voxpupuli/hiera-eyaml/pull/279) ([craigwatson](https://github.com/craigwatson))
|
|
24
|
+
- catch failed decryption and print a helpful message [\#144](https://github.com/voxpupuli/hiera-eyaml/pull/144) ([GeoffWilliams](https://github.com/GeoffWilliams))
|
|
25
|
+
|
|
5
26
|
## [v3.0.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.0.0) (2019-01-17)
|
|
6
27
|
|
|
7
28
|
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v2.1.0...v3.0.0)
|
data/README.md
CHANGED
|
@@ -365,7 +365,10 @@ This is a list of available plugins:
|
|
|
365
365
|
Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
|
|
366
366
|
in conjunction with puppet, as it requires entry of a password over a terminal.
|
|
367
367
|
- [hiera-eyaml-kms](https://github.com/adenot/hiera-eyaml-kms) - Encryption using AWS Key Management Service (KMS)
|
|
368
|
-
|
|
368
|
+
- [hiera-eyaml-gkms](https://github.com/craigwatson/hiera-eyaml-gkms) - Encryption using Google Cloud KMS
|
|
369
|
+
- [hiera-eyaml-vault](https://github.com/crayfishx/hiera-eyaml-vault) - Use the transit secrets engine from Vault for providing encryption.
|
|
370
|
+
|
|
371
|
+
|
|
369
372
|
### How-To's:
|
|
370
373
|
|
|
371
374
|
- [How to use different Hiera/Eyaml keys for different environments using the AWS Parameter Store to store the encryption keys for Hiera/Eyaml](https://gist.github.com/FransUrbo/88b26033cb513a8aa569bd5392a427b1).
|
data/lib/hiera/backend/eyaml.rb
CHANGED
|
@@ -42,13 +42,9 @@ class Hiera
|
|
|
42
42
|
def self.execute
|
|
43
43
|
|
|
44
44
|
executor = Eyaml::Options[:executor]
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
rescue Exception => e
|
|
49
|
-
LoggingHelper.warn e.message
|
|
50
|
-
LoggingHelper.debug e.backtrace.join("\n")
|
|
51
|
-
end
|
|
45
|
+
|
|
46
|
+
result = executor.execute
|
|
47
|
+
puts result unless result.nil?
|
|
52
48
|
|
|
53
49
|
end
|
|
54
50
|
|
|
@@ -38,8 +38,8 @@ class Hiera
|
|
|
38
38
|
public_key = self.option :public_key
|
|
39
39
|
raise StandardError, "pkcs7_public_key is not defined" unless public_key
|
|
40
40
|
|
|
41
|
-
public_key_pem
|
|
42
|
-
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
41
|
+
@public_key_pem ||= File.read public_key
|
|
42
|
+
public_key_x509 = OpenSSL::X509::Certificate.new( @public_key_pem )
|
|
43
43
|
|
|
44
44
|
cipher = OpenSSL::Cipher::AES.new(256, :CBC)
|
|
45
45
|
OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
|
|
@@ -54,11 +54,11 @@ class Hiera
|
|
|
54
54
|
raise StandardError, "pkcs7_public_key is not defined" unless public_key
|
|
55
55
|
raise StandardError, "pkcs7_private_key is not defined" unless private_key
|
|
56
56
|
|
|
57
|
-
private_key_pem
|
|
58
|
-
private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
|
|
57
|
+
@private_key_pem ||= File.read private_key
|
|
58
|
+
private_key_rsa = OpenSSL::PKey::RSA.new( @private_key_pem )
|
|
59
59
|
|
|
60
|
-
public_key_pem
|
|
61
|
-
public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
|
|
60
|
+
@public_key_pem ||= File.read public_key
|
|
61
|
+
public_key_x509 = OpenSSL::X509::Certificate.new( @public_key_pem )
|
|
62
62
|
|
|
63
63
|
pkcs7 = OpenSSL::PKCS7.new( ciphertext )
|
|
64
64
|
pkcs7.decrypt(private_key_rsa, public_key_x509)
|
|
@@ -79,12 +79,19 @@ class Hiera
|
|
|
79
79
|
def decrypt(data)
|
|
80
80
|
if encrypted?(data)
|
|
81
81
|
debug("Attempting to decrypt")
|
|
82
|
+
begin
|
|
83
|
+
parser = Eyaml::Parser::ParserFactory.hiera_backend_parser
|
|
84
|
+
tokens = parser.parse(data)
|
|
85
|
+
decrypted = tokens.map{ |token| token.to_plain_text }
|
|
86
|
+
plaintext = decrypted.join
|
|
87
|
+
rescue OpenSSL::PKCS7::PKCS7Error => e
|
|
88
|
+
debug("Caught exception: #{e.class}, #{e.message}\n"\
|
|
89
|
+
"#{e.backtrace.join("\n")}")
|
|
90
|
+
raise "Hiera-eyaml decryption failed, check the "\
|
|
91
|
+
"encrypted data matches the key you are using.\n"\
|
|
92
|
+
"Raw message from system: #{e.message}"
|
|
82
93
|
|
|
83
|
-
|
|
84
|
-
tokens = parser.parse(data)
|
|
85
|
-
decrypted = tokens.map{ |token| token.to_plain_text }
|
|
86
|
-
plaintext = decrypted.join
|
|
87
|
-
|
|
94
|
+
end
|
|
88
95
|
plaintext.chomp
|
|
89
96
|
else
|
|
90
97
|
data
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hiera-eyaml
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tom Poulton
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-11-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: optimist
|
|
@@ -105,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
105
105
|
- !ruby/object:Gem::Version
|
|
106
106
|
version: '0'
|
|
107
107
|
requirements: []
|
|
108
|
-
rubygems_version: 3.0.
|
|
108
|
+
rubygems_version: 3.0.6
|
|
109
109
|
signing_key:
|
|
110
110
|
specification_version: 4
|
|
111
111
|
summary: OpenSSL Encryption backend for Hiera
|