hiera-eyaml 3.0.0 → 3.2.2
- checksums.yaml +4 -4
- data/.github/workflows/release.yml +24 -0
- data/.github/workflows/test.yml +31 -0
- data/.gitignore +1 -0
- data/CHANGELOG.md +83 -0
- data/Gemfile +3 -3
- data/README.md +105 -15
- data/hiera-eyaml.gemspec +2 -2
- data/lib/hiera/backend/eyaml.rb +1 -1
- data/lib/hiera/backend/eyaml/CLI.rb +3 -7
- data/lib/hiera/backend/eyaml/encryptor.rb +3 -4
- data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +36 -6
- data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb +53 -59
- data/lib/hiera/backend/eyaml/subcommands/encrypt.rb +4 -4
- data/lib/hiera/backend/eyaml_backend.rb +13 -6
- metadata +10 -9
- data/.travis.yml +0 -43
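--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 5bfbd5d31fef9569be60fa1914e921a042203d41c83925cb908173d74963df05
+  data.tar.gz: f93f91ef3fa2c34cef964e7e5b5a3b64dde0e1cc2ddb4ad06a0ea94b251bbf4e
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: e060aeb86e2f48506413629c9664441c4d1b0fa9862be7c7136e414df7e015a477a399b0453893b2b68d92751b6a2893cf5bbb898fdd6aea0d18b91611678761
+  data.tar.gz: de656da85d672bdc7b950c21663140cba2eb5c980abdeed0e7f44961f881ac5193c5e394c5e202b5a32dc78086b0e40bda73ada9b6615add4a7640c717934ee9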
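--- /dev/null
+++ b/data/.github/workflows/release.yml
@@ -0,0 +1,24 @@
+name: Release
+
+on:
+  create:
+    ref_type: tag
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    if: github.repository == 'voxpupuli/hiera-eyaml'
+    env:
+      BUNDLE_WITHOUT: release
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install Ruby 2.7
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '2.7'
+      - name: Build gem
+        run: gem build *.gemspec
+      - name: Publish gem
+        run: gem push *.gem
+        env:
+          GEM_HOST_API_KEY: '${{ secrets.RUBYGEMS_AUTH_TOKEN }}'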
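Review bot: The trigger on lines 3–5 does not, as far as I can tell, restrict this job to tags: the `create` event takes no `ref_type` filter in the workflow syntax, so the job also starts when a branch is created, and the only remaining gate is `if: github.repository == 'voxpupuli/hiera-eyaml'`, which lets a branch created in the upstream repo reach `gem push` with the RubyGems token in hand. Move the check into the job condition, e.g. `if: github.repository == 'voxpupuli/hiera-eyaml' && github.event.ref_type == 'tag'`. Separately, `actions/checkout@v2` and `ruby/setup-ruby@v1` are mutable tags; for a job that holds a publishing credential, pin both to full commit SHAs (keeping the tag in a trailing comment) so a retagged or compromised action cannot read `RUBYGEMS_AUTH_TOKEN` out of the step environment.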
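--- /dev/null
+++ b/data/.github/workflows/test.yml
@@ -0,0 +1,31 @@
+name: Test
+
+on:
+  - pull_request
+  - push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "2.5"
+          - "2.6"
+          - "2.7"
+    env:
+      BUNDLE_WITHOUT: release
+      PUPPET_VERSION: "~> 6.0"
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install expect
+        run: sudo apt-get install expect
+      - name: Install Ruby ${{ matrix.ruby }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Run tests
+        run: bundle exec cucumber -f progress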
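Review bot: `run: sudo apt-get install expect` on line 24 installs against whatever package index the runner image was built with and passes no `-y`, so a stale index or any extra package apt decides it needs turns into an aborted step with no useful signal; `run: sudo apt-get update && sudo apt-get install -y expect` is the usual shape. The `on:` list also runs every push to a PR branch twice (once as `push`, once as `pull_request`); limiting `push` to the default branch with a `branches:` filter halves the load without losing coverage. The pinned `PUPPET_VERSION: "~> 6.0"` here disagrees with the Gemfile's new `>= 7` default, so local `bundle exec cucumber` and CI presumably test different Puppet majors — worth a comment on this line saying which one is intended.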
data/.gitignore
CHANGED
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,86 @@
|
|
2
2
|
|
3
3
|
All notable changes to this project will be documented in this file.
|
4
4
|
|
5
|
+
## [v3.2.2](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.2) (2021-05-03)
|
6
|
+
|
7
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.2.1...v3.2.2)
|
8
|
+
|
9
|
+
**Fixed bugs:**
|
10
|
+
|
11
|
+
- Using `3.2.1` for editing an eyaml created with `3.2.0` will mess up formatting [\#318](https://github.com/voxpupuli/hiera-eyaml/issues/318)
|
12
|
+
- Fix block formatting when editing [\#319](https://github.com/voxpupuli/hiera-eyaml/pull/319) ([kenyon](https://github.com/kenyon))
|
13
|
+
|
14
|
+
**Closed issues:**
|
15
|
+
|
16
|
+
- Concerns about the encrypted? method [\#316](https://github.com/voxpupuli/hiera-eyaml/issues/316)
|
17
|
+
|
18
|
+
## [v3.2.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.1) (2021-02-16)
|
19
|
+
|
20
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.2.0...v3.2.1)
|
21
|
+
|
22
|
+
**Fixed bugs:**
|
23
|
+
|
24
|
+
- remove question mark from regex in encrypted? method [\#313](https://github.com/voxpupuli/hiera-eyaml/pull/313) ([mcka1n](https://github.com/mcka1n))
|
25
|
+
- Fix block folding [\#307](https://github.com/voxpupuli/hiera-eyaml/pull/307) ([kenyon](https://github.com/kenyon))
|
26
|
+
- add step-by-step how-to encrypting multiline values [\#304](https://github.com/voxpupuli/hiera-eyaml/pull/304) ([kBite](https://github.com/kBite))
|
27
|
+
|
28
|
+
**Closed issues:**
|
29
|
+
|
30
|
+
- eyaml edit should produce evenly folded blocks. [\#281](https://github.com/voxpupuli/hiera-eyaml/issues/281)
|
31
|
+
- Support version 4 hiera config [\#213](https://github.com/voxpupuli/hiera-eyaml/issues/213)
|
32
|
+
|
33
|
+
**Merged pull requests:**
|
34
|
+
|
35
|
+
- migrate CI to github actions [\#315](https://github.com/voxpupuli/hiera-eyaml/pull/315) ([bastelfreak](https://github.com/bastelfreak))
|
36
|
+
- gemspec: fix repo url / Drop Puppet 4/5 tests [\#311](https://github.com/voxpupuli/hiera-eyaml/pull/311) ([bastelfreak](https://github.com/bastelfreak))
|
37
|
+
- Unpin highline [\#310](https://github.com/voxpupuli/hiera-eyaml/pull/310) ([lucywyman](https://github.com/lucywyman))
|
38
|
+
|
39
|
+
## [v3.2.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.0) (2020-01-31)
|
40
|
+
|
41
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.1...v3.2.0)
|
42
|
+
|
43
|
+
**Implemented enhancements:**
|
44
|
+
|
45
|
+
- Permit reading private key from environment variable [\#294](https://github.com/voxpupuli/hiera-eyaml/pull/294) ([nferch](https://github.com/nferch))
|
46
|
+
|
47
|
+
**Fixed bugs:**
|
48
|
+
|
49
|
+
- Version 3.1.0 does not clear the private/public key when options are changed [\#289](https://github.com/voxpupuli/hiera-eyaml/issues/289)
|
50
|
+
|
51
|
+
**Merged pull requests:**
|
52
|
+
|
53
|
+
- \(doc\) Correct order for config file precedence [\#295](https://github.com/voxpupuli/hiera-eyaml/pull/295) ([crayfishx](https://github.com/crayfishx))
|
54
|
+
- \(maint\) Update Gemfile and README for Ruby 2.5/2.4 [\#293](https://github.com/voxpupuli/hiera-eyaml/pull/293) ([glennsarti](https://github.com/glennsarti))
|
55
|
+
|
56
|
+
## [v3.1.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.1) (2019-11-12)
|
57
|
+
|
58
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.0...v3.1.1)
|
59
|
+
|
60
|
+
**Merged pull requests:**
|
61
|
+
|
62
|
+
- Revert "Cache key strings." [\#290](https://github.com/voxpupuli/hiera-eyaml/pull/290) ([alexjfisher](https://github.com/alexjfisher))
|
63
|
+
|
64
|
+
## [v3.1.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.0) (2019-11-11)
|
65
|
+
|
66
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.0.0...v3.1.0)
|
67
|
+
|
68
|
+
**Implemented enhancements:**
|
69
|
+
|
70
|
+
- Should be able to `edit` a new file [\#84](https://github.com/voxpupuli/hiera-eyaml/issues/84)
|
71
|
+
- Cache key strings. [\#191](https://github.com/voxpupuli/hiera-eyaml/pull/191) ([mkulke](https://github.com/mkulke))
|
72
|
+
|
73
|
+
**Closed issues:**
|
74
|
+
|
75
|
+
- Decryption errors should return error code. [\#282](https://github.com/voxpupuli/hiera-eyaml/issues/282)
|
76
|
+
- Release a new version [\#271](https://github.com/voxpupuli/hiera-eyaml/issues/271)
|
77
|
+
|
78
|
+
**Merged pull requests:**
|
79
|
+
|
80
|
+
- \(docs\) Update README with reference to hiera-eyaml-vault [\#287](https://github.com/voxpupuli/hiera-eyaml/pull/287) ([crayfishx](https://github.com/crayfishx))
|
81
|
+
- fix: don't handle cli exceptions early [\#283](https://github.com/voxpupuli/hiera-eyaml/pull/283) ([stuart-warren](https://github.com/stuart-warren))
|
82
|
+
- Adding doc for Google KMS plugin [\#279](https://github.com/voxpupuli/hiera-eyaml/pull/279) ([craigwatson](https://github.com/craigwatson))
|
83
|
+
- catch failed decryption and print a helpful message [\#144](https://github.com/voxpupuli/hiera-eyaml/pull/144) ([GeoffWilliams](https://github.com/GeoffWilliams))
|
84
|
+
|
5
85
|
## [v3.0.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.0.0) (2019-01-17)
|
6
86
|
|
7
87
|
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v2.1.0...v3.0.0)
|
@@ -76,7 +156,10 @@ This is the first release after this project was migrated to Vox Pupuli.
|
|
76
156
|
- \(docs\) Update README with instructions for using Hiera 5 [\#229](https://github.com/voxpupuli/hiera-eyaml/pull/229) ([nfagerlund](https://github.com/nfagerlund))
|
77
157
|
- Attempt to resolve Travis CI issues [\#220](https://github.com/voxpupuli/hiera-eyaml/pull/220) ([rnelson0](https://github.com/rnelson0))
|
78
158
|
- Make it clear that the ID and parens must be deleted, not just the ID [\#188](https://github.com/voxpupuli/hiera-eyaml/pull/188) ([sdotz](https://github.com/sdotz))
|
159
|
+
- Refactor highline import [\#187](https://github.com/voxpupuli/hiera-eyaml/pull/187) ([petems](https://github.com/petems))
|
160
|
+
- Adding hiera-eyaml-kms plugin to readme file [\#184](https://github.com/voxpupuli/hiera-eyaml/pull/184) ([adenot](https://github.com/adenot))
|
79
161
|
- Make output of `eyaml decrypt` valid yaml with multiline values. [\#183](https://github.com/voxpupuli/hiera-eyaml/pull/183) ([peculater](https://github.com/peculater))
|
162
|
+
- Add testing support for puppet 4 [\#181](https://github.com/voxpupuli/hiera-eyaml/pull/181) ([peculater](https://github.com/peculater))
|
80
163
|
|
81
164
|
## v2.1.0 (2016-03-02)
|
82
165
|
|
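--- a/data/Gemfile
+++ b/data/Gemfile
@@ -7,9 +7,9 @@ group :development do
   gem "cucumber", '~> 1.1'
   gem "rspec-expectations", '~> 3.1.0'
   gem "hiera-eyaml-plaintext"
-  gem "puppet", ENV['PUPPET_VERSION'] || '
-  gem '
-  gem
+  gem "puppet", ENV['PUPPET_VERSION'] || '>= 7'
+  gem 'github_changelog_generator'
+  gem "activesupport"
 end
 
 group :test do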
data/README.md
CHANGED
@@ -5,7 +5,7 @@ Hiera eyaml
|
|
5
5
|
[![Gem Version](https://img.shields.io/gem/v/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
|
6
6
|
[![Gem Downloads](https://img.shields.io/gem/dt/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
|
7
7
|
|
8
|
-
hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
|
8
|
+
hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
|
9
9
|
to be used by Puppet.
|
10
10
|
|
11
11
|
-------------------------
|
@@ -18,8 +18,8 @@ Hopefully this will mean more frequent feature updates and bug fixes!
|
|
18
18
|
Advantages over hiera-gpg
|
19
19
|
-------------------------
|
20
20
|
|
21
|
-
A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
|
22
|
-
one of the best expressed frustrations was
|
21
|
+
A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
|
22
|
+
one of the best expressed frustrations was
|
23
23
|
[written back in June 2013](http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/). So
|
24
24
|
[Tom created an initial version](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/)
|
25
25
|
and this was refined into an elegant solution over the following months.
|
@@ -28,14 +28,14 @@ Unlike `hiera-gpg`, `hiera-eyaml`:
|
|
28
28
|
|
29
29
|
- only encrypts the values (which allows files to be swiftly reviewed without decryption)
|
30
30
|
- encrypts the value of each key individually (this means that `git diff` is meaningful)
|
31
|
-
- includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
|
31
|
+
- includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
|
32
32
|
easy as using clear text files)
|
33
|
-
- uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
|
33
|
+
- uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
|
34
34
|
be compiled & allows users without the private key to encrypt values that the puppet master can decrypt)
|
35
|
-
- has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
|
35
|
+
- has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
|
36
36
|
if you have the need for multiple keys and easier key rotation)
|
37
37
|
|
38
|
-
The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
|
38
|
+
The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
|
39
39
|
method, wrapped with ENC[] and placed in an eyaml file. You can mix your plain values in as well or separate them into different files.
|
40
40
|
Encrypted values can occur within arrays, hashes, nested arrays and nested hashes.
|
41
41
|
|
@@ -93,6 +93,8 @@ The permissions for this folder should allow the puppet user (normally 'puppet')
|
|
93
93
|
-r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
|
94
94
|
-r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
|
95
95
|
|
96
|
+
You may also load the keypair into an environment variable and use the `pkcs7_private_key_env_var` and `pkcs7_public_key_env_var` options to specify the environment variable names to avoid writing the secret key to disk.
|
97
|
+
|
96
98
|
|
97
99
|
Basic usage
|
98
100
|
-----------
|
@@ -129,8 +131,8 @@ and will encrypt and modified values when you exit the editor.
|
|
129
131
|
|
130
132
|
$ eyaml edit filename.eyaml # Edit an eyaml file in place
|
131
133
|
|
132
|
-
When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
|
133
|
-
identify each encrypted block, along with the encryption method. This is used to make sure that the block
|
134
|
+
When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
|
135
|
+
identify each encrypted block, along with the encryption method. This is used to make sure that the block
|
134
136
|
is encrypted again only if the clear text value has changed, and is encrypted using the
|
135
137
|
original encryption mechanism (see plugable encryption later).
|
136
138
|
|
@@ -161,7 +163,7 @@ things:
|
|
161
163
|
- nested thing 2.1
|
162
164
|
```
|
163
165
|
|
164
|
-
Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
|
166
|
+
Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
|
165
167
|
omit the number in brackets for new values. If any duplicate IDs are found then the re-encryption process will be abandoned
|
166
168
|
by the eyaml tool.
|
167
169
|
|
@@ -185,6 +187,89 @@ file just like any other eyaml string and your done. If the file is rather
|
|
185
187
|
large, you may wish to use a helper like `xclip` to copy the stdout directly to
|
186
188
|
your clipboard.
|
187
189
|
|
190
|
+
### Encrypting multiline values
|
191
|
+
|
192
|
+
The following step-by-step example shows you how to encrypt multiline values.
|
193
|
+
|
194
|
+
- Copy the YAML text below to a file named `multiline_example.eyaml`
|
195
|
+
```
|
196
|
+
---
|
197
|
+
accounts::key_sets:
|
198
|
+
dummy:
|
199
|
+
private: |
|
200
|
+
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
201
|
+
Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20200911"
|
202
|
+
P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
|
203
|
+
1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
|
204
|
+
JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
|
205
|
+
2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
|
206
|
+
QEPM5xLW0unCsQ==
|
207
|
+
---- END SSH2 ENCRYPTED PRIVATE KEY ----
|
208
|
+
```
|
209
|
+
|
210
|
+
- Use `edit` to ...
|
211
|
+
- replace '|' with '>',
|
212
|
+
- prepend `DEC::PKCS7[` before the first line,
|
213
|
+
- remove all whitespaces used for indentation,
|
214
|
+
- and append `]!` to the last line of the multiline value.
|
215
|
+
|
216
|
+
`eyaml edit multiline_example.eyaml`
|
217
|
+
```
|
218
|
+
---
|
219
|
+
accounts::key_sets:
|
220
|
+
dummy:
|
221
|
+
private: >
|
222
|
+
DEC::PKCS7[---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
223
|
+
Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
|
224
|
+
P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
|
225
|
+
1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
|
226
|
+
JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
|
227
|
+
2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
|
228
|
+
QEPM5xLW0unCsQ==
|
229
|
+
---- END SSH2 ENCRYPTED PRIVATE KEY ----]!
|
230
|
+
```
|
231
|
+
```
|
232
|
+
# resulting encrypted file
|
233
|
+
---
|
234
|
+
accounts::key_sets:
|
235
|
+
dummy:
|
236
|
+
private: >
|
237
|
+
ENC[PKCS7,MIIDTQYJKoZIhvcNAQcDoIIDPjCCAzoCAQAxggEhMIIBHQIBADAFMAACAQEw
|
238
|
+
DQYJKoZIhvcNAQEBBQAEggEAXH7xB1xuzoMAqA/3jSXO0ZUR6+UCb3DsTTj3
|
239
|
+
Lsrcx5oQBnJ/ml7GfBCPxBKfArZunLcnxmSk4hECKXdfgKsVjAa++JQWvtEm
|
240
|
+
HUNTFqvwd76Ku+nMfI9c8g+X+l6obLjzWfJdg3t6Ja7CJKl8UNFtSmbfYKVi
|
241
|
+
nZ0xBubgdY4plLAFcZyD5/A/lNFqwb051TRLbZOIRRfLUlRL7RNkKRC59Aog
|
242
|
+
S5aJXjmqx6vRzFifNK0JFZvYHGD75TiHJ5LFjg4rjgFd43AnK8iNo773ZWP2
|
243
|
+
48Gly5Zx7qVQDCDDi1YBgNFb0NIBQw+kWy7HcPH2REvPnXu/HV2FWvDP3Ond
|
244
|
+
yr2EbTCCAg4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEH+CjZJ1gKfaQIrr
|
245
|
+
N5zef7OAggHgBmRVsfaoiNEOzhmHZ5SxxZztmpBNtLv7mteaSqSL5o0TtKQh
|
246
|
+
SDgxBhaQmlL51+JM1Jsnvqm57ikZhj7Vtek/vr5DhYhWs0AxttH5rNaw0zKU
|
247
|
+
4bMppVu+SNKCtT+2Qw31x/S7gF7yVl+mwmXhq3qAj9ExWRX3d/8/zTuC61Io
|
248
|
+
f+7O6YUOucZ/m/YPrQnC5v7bDSKlIf1aFaKqukjM3QO8FZlAOHGPvRuWV2Om
|
249
|
+
QIgxQE6F8r+bTkW3KiVIx5FEIthRZ90VS3tz/2wjj77svddBhlid9ov/0ard
|
250
|
+
GGVNGsl1BFpLqxC0mpZXz237cL/aM58naqmX52J6YmC0xQM3DNmahWlYx1HV
|
251
|
+
J/Ogk12pOYPLJB/09OuoHPzKC4WfpB9B7wAC6pghRkO/84cOw6rgSdbzze5W
|
252
|
+
WMPvo181Y74BSBKhJDdO3lWYmEcDyx4TEsMUlpxd9PBDcOHqf9qHviXrwGzO
|
253
|
+
oSm2bUV0Fum5ueU+D2vu3mO0yIQ6fwyvDZLBRjfJV7K/PyDz81feWT6+g38t
|
254
|
+
AC27c0h8wk9b7HYfqG28nZE7F13qrhwCKnOaYLglsmbszNpRrBhfo1IHF6oM
|
255
|
+
YZRZrnrGQg5qQcxMsLq37RAfRgkY0rRLs78EEAhkf4NDxw0A/ovt]
|
256
|
+
```
|
257
|
+
- Output of `eyaml decrypt -f multiline_example.eyaml`:
|
258
|
+
```
|
259
|
+
---
|
260
|
+
accounts::key_sets:
|
261
|
+
dummy:
|
262
|
+
private: |
|
263
|
+
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
264
|
+
Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20200911"
|
265
|
+
P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
|
266
|
+
1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
|
267
|
+
JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
|
268
|
+
2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
|
269
|
+
QEPM5xLW0unCsQ==
|
270
|
+
---- END SSH2 ENCRYPTED PRIVATE KEY ----
|
271
|
+
```
|
272
|
+
- The output *does NOT* have to be valid YAML for usage with Puppet.
|
188
273
|
|
189
274
|
Hiera
|
190
275
|
-----
|
@@ -203,7 +288,7 @@ Hierarchy levels that use eyaml must set the following keys:
|
|
203
288
|
* `lookup_key` (must be set to `eyaml_lookup_key`).
|
204
289
|
* `path`/`paths`/`glob`/`globs` (choose one).
|
205
290
|
* `datadir` (can be omitted if you've set a default).
|
206
|
-
* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
|
291
|
+
* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, or `pkcs7_public_key_env_var` and `pkcs7_private_key_env_var`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
|
207
292
|
|
208
293
|
You do not need to specify key names as `:symbols`; normal strings are fine.
|
209
294
|
|
@@ -321,7 +406,7 @@ Configuration file for eyaml
|
|
321
406
|
|
322
407
|
Default parameters for the eyaml command line tool can be provided by creating a configuration YAML file.
|
323
408
|
|
324
|
-
Config files will be read first from
|
409
|
+
Config files will be read first from `~/.eyaml/config.yaml`, then from `/etc/eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable
|
325
410
|
|
326
411
|
The file takes any long form argument that you can provide on the command line. For example, to override the pkcs7 keys:
|
327
412
|
```yaml
|
@@ -358,14 +443,17 @@ When editing eyaml files, you will see that the unencrypted plaintext is marked
|
|
358
443
|
This is a list of available plugins:
|
359
444
|
|
360
445
|
- [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg) - Provide GPG encryption
|
361
|
-
- [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
|
362
|
-
simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
|
446
|
+
- [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
|
447
|
+
simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
|
363
448
|
hiera-eyaml. **THIS SHOULD NOT BE USED IN PRODUCTION**
|
364
449
|
- [hiera-eyaml-twofac](https://github.com/gtmtechltd/hiera-eyaml-twofac) - PKCS7 keypair + AES256 symmetric password for two-factor encryption
|
365
450
|
Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
|
366
451
|
in conjunction with puppet, as it requires entry of a password over a terminal.
|
367
452
|
- [hiera-eyaml-kms](https://github.com/adenot/hiera-eyaml-kms) - Encryption using AWS Key Management Service (KMS)
|
368
|
-
|
453
|
+
- [hiera-eyaml-gkms](https://github.com/craigwatson/hiera-eyaml-gkms) - Encryption using Google Cloud KMS
|
454
|
+
- [hiera-eyaml-vault](https://github.com/crayfishx/hiera-eyaml-vault) - Use the transit secrets engine from Vault for providing encryption.
|
455
|
+
|
456
|
+
|
369
457
|
### How-To's:
|
370
458
|
|
371
459
|
- [How to use different Hiera/Eyaml keys for different environments using the AWS Parameter Store to store the encryption keys for Hiera/Eyaml](https://gist.github.com/FransUrbo/88b26033cb513a8aa569bd5392a427b1).
|
@@ -408,6 +496,8 @@ Some of us hang out on #hiera-eyaml on freenode, please drop by if you want to s
|
|
408
496
|
Tests
|
409
497
|
-----
|
410
498
|
|
499
|
+
**NOTE** Some testing requirements are not supported on Windows
|
500
|
+
|
411
501
|
In order to run the tests, simply run `cucumber` in the top level directory of the project.
|
412
502
|
|
413
503
|
You'll need to have a few requirements installed:
|
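--- a/data/hiera-eyaml.gemspec
+++ b/data/hiera-eyaml.gemspec
@@ -11,12 +11,12 @@ Gem::Specification.new do |gem|
   gem.author = "Tom Poulton"
   gem.license = "MIT"
 
-  gem.homepage = "
+  gem.homepage = "https://github.com/voxpupuli/hiera-eyaml/"
   gem.files = `git ls-files`.split($/).reject { |file| file =~ /^features.*$/ }
   gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
   gem.add_dependency('optimist')
-  gem.add_dependency('highline'
+  gem.add_dependency('highline')
 end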
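Review bot: `gem.add_dependency('highline')` on the last changed line carries no version constraint at all, so every fresh install of this gem resolves whatever highline release is current, and a future major with API changes lands in the eyaml CLI with no signal from the resolver. The changelog's "Unpin highline" entry presumably meant to lift an over-tight pin rather than drop bounds entirely; keep at least a pessimistic constraint on the major the code is known to work with, e.g. `gem.add_dependency('highline', '~> 2.0')`, or an explicit `'>= 1.7', '< 3'` range. The same applies to `optimist` on the context line above it, though that line is not part of this change.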
data/lib/hiera/backend/eyaml.rb
CHANGED
@@ -42,13 +42,9 @@ class Hiera
|
|
42
42
|
def self.execute
|
43
43
|
|
44
44
|
executor = Eyaml::Options[:executor]
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
rescue Exception => e
|
49
|
-
LoggingHelper.warn e.message
|
50
|
-
LoggingHelper.debug e.backtrace.join("\n")
|
51
|
-
end
|
45
|
+
|
46
|
+
result = executor.execute
|
47
|
+
puts result unless result.nil?
|
52
48
|
|
53
49
|
end
|
54
50
|
|
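Review bot: `result = executor.execute` now runs with no rescue around it, so any failure — a missing key file, a malformed `ENC[]` block, or `Eyaml::Options[:executor]` being unset, which becomes a NoMethodError on nil — propagates out of `self.execute` with a full backtrace unless a caller handles it. The changelog's "don't handle cli exceptions early" entry suggests that is intended for real errors, but the nil-executor case deserves its own message, e.g. `raise StandardError, "no subcommand executor configured" if executor.nil?` placed before the call. Note also that this hunk's shape (7 lines removed, 3 added) matches the diffstat for `eyaml/CLI.rb`, not for `eyaml.rb` as the header above it says, so the rendered page appears to have dropped a file header and the `eyaml.rb` hunk itself. `self.execute` begins on the first line of the hunk and its body ends within it.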
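--- a/data/lib/hiera/backend/eyaml/encryptor.rb
+++ b/data/lib/hiera/backend/eyaml/encryptor.rb
@@ -14,7 +14,7 @@ class Hiera
 
       def self.find encryption_scheme = nil
         encryption_scheme = Eyaml.default_encryption_scheme if encryption_scheme.nil?
-        require "hiera/backend/eyaml/encryptors/#{File.basename encryption_scheme.downcase}"
+        require "hiera/backend/eyaml/encryptors/#{File.basename encryption_scheme.downcase}"
         encryptor_module = Module.const_get('Hiera').const_get('Backend').const_get('Eyaml').const_get('Encryptors')
         encryptor_class = Utils.find_closest_class :parent_class => encryptor_module, :class_name => encryption_scheme
         raise StandardError, "Could not find hiera-eyaml encryptor: #{encryption_scheme}. Try gem install hiera-eyaml-#{encryption_scheme.downcase} ?" if encryptor_class.nil?
@@ -22,14 +22,14 @@ class Hiera
       end
 
       def self.encode binary_string
-        Base64.
+        Base64.strict_encode64(binary_string)
       end
 
       def self.decode string
         Base64.decode64(string)
       end
 
-      def self.encrypt *args
+      def self.encrypt *args
         raise StandardError, "encrypt() not defined for encryptor plugin: #{self}"
       end
 
@@ -80,4 +80,3 @@ class Hiera
     end
   end
 end
-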
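Review bot: The `require "hiera/backend/eyaml/encryptors/#{File.basename encryption_scheme.downcase}"` line in `self.find` loads a file whose name comes from the `ENC[SCHEME,...]` tag of the data being decrypted (the parser's `create_enc_token` passes `enc_comma.split(',').first` in as the scheme); `File.basename` stops directory traversal, but any file under `hiera/backend/eyaml/encryptors/` on the load path can still be pulled in, and a scheme with no such file surfaces as a bare `LoadError` instead of the friendlier "Could not find hiera-eyaml encryptor" message two lines below. Validating the scheme with something like `raise StandardError, "invalid encryption scheme #{encryption_scheme.inspect}" unless encryption_scheme =~ /\A[A-Za-z0-9_-]+\z/` before the `require`, and rescuing `LoadError` into that same StandardError, closes both. The encode/decode pair is also asymmetric: `strict_encode64` never emits line breaks, while `decode64` silently discards any non-Base64 byte, so a truncated or corrupted ciphertext is only rejected later inside the PKCS7 parser; `strict_decode64` would catch it at the boundary, but only after confirming the parser strips the whitespace of folded `ENC[...]` blocks before calling `decode`, as `to_encrypted` does when writing them. `self.find` continues past the end of the first hunk.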
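--- a/data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
+++ b/data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb
@@ -18,6 +18,10 @@ class Hiera
             :public_key => { :desc => "Path to public key",
                              :type => :string,
                              :default => "./keys/public_key.pkcs7.pem" },
+            :private_key_env_var => { :desc => "Name of environment variable to read private key from",
+                                      :type => :string },
+            :public_key_env_var => { :desc => "Name of environment variable to read public key from",
+                                     :type => :string },
             :subject => { :desc => "Subject to use for certificate when creating keys",
                           :type => :string,
                           :default => "/" },
@@ -36,9 +40,18 @@ class Hiera
           LoggingHelper::trace 'PKCS7 encrypt'
 
           public_key = self.option :public_key
-
+          public_key_env_var = self.option :public_key_env_var
+          raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
 
-
+          if public_key and public_key_env_var
+            warn "both public_key and public_key_env_var specified, using public_key"
+          end
+
+          if public_key_env_var and ENV[public_key_env_var]
+            public_key_pem = ENV[public_key_env_var]
+          else
+            public_key_pem = File.read public_key
+          end
           public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
           cipher = OpenSSL::Cipher::AES.new(256, :CBC)
@@ -51,13 +64,30 @@ class Hiera
 
           public_key = self.option :public_key
           private_key = self.option :private_key
-
-
+          public_key_env_var = self.option :public_key_env_var
+          private_key_env_var = self.option :private_key_env_var
+          raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
+          raise StandardError, "pkcs7_private_key is not defined" unless private_key or private_key_env_var
+
+          if public_key and public_key_env_var
+            warn "both public_key and public_key_env_var specified, using public_key"
+          end
+          if private_key and private_key_env_var
+            warn "both private_key and private_key_env_var specified, using private_key"
+          end
 
-
+          if private_key_env_var and ENV[private_key_env_var]
+            private_key_pem = ENV[private_key_env_var]
+          else
+            private_key_pem = File.read private_key
+          end
           private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
 
-
+          if public_key_env_var and ENV[public_key_env_var]
+            public_key_pem = ENV[public_key_env_var]
+          else
+            public_key_pem = File.read public_key
+          end
           public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
           pkcs7 = OpenSSL::PKCS7.new( ciphertext )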
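Review bot: The precedence warnings in the new code say the opposite of what the code does: when both `public_key` and `public_key_env_var` are given and the variable is set, the `if public_key_env_var and ENV[public_key_env_var]` branch takes the environment value, yet the message says `using public_key` (and likewise for the private key in decrypt). A second gap is the fallback: an env-var option that names a variable absent from `ENV`, with no file path configured, reaches `File.read nil` and dies with a TypeError rather than saying which variable is missing — and because `:public_key` defaults to `./keys/public_key.pkcs7.pem` in the options table, in the CLI the "is not defined" raise above it may never fire and the warning fires on every env-var use. The same select-env-or-file logic is now written out three times across encrypt and decrypt; one loader that checks the variable, reports a missing one by name, and only then falls back to the file keeps the three consistent and fixes both points. It would also be worth stating in the two `:desc` strings that environment variables are inherited by every child process and readable by the same user, so this option keeps the key off disk but does not isolate it on the host. The enclosing `encrypt` and `decrypt` methods begin before their hunks.
```ruby
          # … unchanged: option lookups and "is not defined" checks …
          if public_key and public_key_env_var
            warn "both public_key and public_key_env_var specified, using public_key_env_var when it is set"
          end
          public_key_pem = pem_from(:public_key, public_key, public_key_env_var)
          # … unchanged: certificate construction and the rest of the method …

        # Returns the PEM text for one key: the named environment variable when it
        # is set and non-empty, otherwise the contents of +path+. Raises a
        # StandardError naming the variable when it is unset and no path exists.
        def self.pem_from(kind, path, env_var)
          if env_var
            value = ENV[env_var]
            return value unless value.nil? || value.empty?
            raise StandardError, "environment variable #{env_var} for pkcs7_#{kind} is not set" if path.nil?
          end
          raise StandardError, "pkcs7_#{kind} is not defined" if path.nil?
          File.read path
        end
```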
@@ -4,34 +4,36 @@ require 'hiera/backend/eyaml/encryptor'
|
|
4
4
|
require 'hiera/backend/eyaml'
|
5
5
|
require 'base64'
|
6
6
|
|
7
|
-
|
8
7
|
class Hiera
|
9
8
|
module Backend
|
10
9
|
module Eyaml
|
11
10
|
module Parser
|
12
11
|
class EncToken < Token
|
13
|
-
@@tokens_map =
|
12
|
+
@@tokens_map = {}
|
14
13
|
@@encrypt_unchanged = true
|
15
14
|
attr_reader :format, :cipher, :encryptor, :indentation, :plain_text, :id
|
15
|
+
|
16
16
|
def self.encrypted_value(format, encryption_scheme, cipher, match, indentation = '')
|
17
17
|
decryptor = Encryptor.find encryption_scheme
|
18
|
-
plain_text = decryptor.decrypt(
|
18
|
+
plain_text = decryptor.decrypt(decryptor.decode(cipher))
|
19
19
|
EncToken.new(format, plain_text, decryptor, cipher, match, indentation)
|
20
20
|
end
|
21
|
+
|
21
22
|
def self.decrypted_value(format, plain_text, encryption_scheme, match, id, indentation = '')
|
22
23
|
encryptor = Encryptor.find encryption_scheme
|
23
|
-
cipher = encryptor.encode(
|
24
|
-
id_number = id.nil? ? nil : id.gsub(/\(|\)/,
|
24
|
+
cipher = encryptor.encode(encryptor.encrypt(plain_text))
|
25
|
+
id_number = id.nil? ? nil : id.gsub(/\(|\)/, '').to_i
|
25
26
|
EncToken.new(format, plain_text, encryptor, cipher, match, indentation, id_number)
|
26
27
|
end
|
28
|
+
|
27
29
|
def self.plain_text_value(format, plain_text, encryption_scheme, match, id, indentation = '')
|
28
30
|
encryptor = Encryptor.find encryption_scheme
|
29
|
-
id_number = id.gsub(/\(|\)/,
|
30
|
-
EncToken.new(format, plain_text, encryptor,
|
31
|
+
id_number = id.gsub(/\(|\)/, '').to_i unless id.nil?
|
32
|
+
EncToken.new(format, plain_text, encryptor, '', match, indentation, id_number)
|
31
33
|
end
|
32
34
|
|
33
35
|
def self.tokens_map
|
34
|
-
|
36
|
+
@@tokens_map
|
35
37
|
end
|
36
38
|
|
37
39
|
def self.set_encrypt_unchanged(encrypt_unchanged)
|
@@ -39,12 +41,12 @@ class Hiera
|
|
39
41
|
end
|
40
42
|
|
41
43
|
def self.encrypt_unchanged
|
42
|
-
|
44
|
+
@@encrypt_unchanged
|
43
45
|
end
|
44
46
|
|
45
47
|
def initialize(format, plain_text, encryptor, cipher, match = '', indentation = '', id = nil)
|
46
48
|
@format = format
|
47
|
-
@plain_text = Utils.convert_to_utf_8(
|
49
|
+
@plain_text = Utils.convert_to_utf_8(plain_text)
|
48
50
|
@encryptor = encryptor
|
49
51
|
@cipher = cipher
|
50
52
|
@indentation = indentation
|
@@ -52,69 +54,64 @@ class Hiera
|
|
52
54
|
super(match)
|
53
55
|
end
|
54
56
|
|
55
|
-
def to_encrypted(args={})
|
57
|
+
def to_encrypted(args = {})
|
56
58
|
label = args[:label]
|
57
59
|
label_string = label.nil? ? '' : "#{label}: "
|
58
60
|
format = args[:format].nil? ? @format : args[:format]
|
59
61
|
encryption_method = args[:change_encryption]
|
60
|
-
|
62
|
+
unless encryption_method.nil?
|
61
63
|
@encryptor = Encryptor.find encryption_method
|
62
|
-
@cipher = Base64.
|
64
|
+
@cipher = Base64.strict_encode64(@encryptor.encrypt(@plain_text))
|
63
65
|
end
|
64
66
|
case format
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
"#{label_string}ENC[#{@encryptor.tag},#{ciphertext}]"
|
75
|
-
else
|
76
|
-
raise "#{@format} is not a valid format"
|
67
|
+
when :block
|
68
|
+
@cipher = @cipher.gsub(/\s/, '')
|
69
|
+
chevron = args[:use_chevron].nil? || args[:use_chevron] ? ">\n" : ''
|
70
|
+
"#{label_string}#{chevron}" + @indentation + "ENC[#{@encryptor.tag},#{@cipher}]".scan(/.{1,60}/).join("\n" + @indentation)
|
71
|
+
when :string
|
72
|
+
ciphertext = @cipher.gsub(/[\n\r]/, '')
|
73
|
+
"#{label_string}ENC[#{@encryptor.tag},#{ciphertext}]"
|
74
|
+
else
|
75
|
+
raise "#{@format} is not a valid format"
|
77
76
|
end
|
78
77
|
end
|
79
78
|
|
80
|
-
def to_decrypted(args={})
|
79
|
+
def to_decrypted(args = {})
|
81
80
|
label = args[:label]
|
82
81
|
label_string = label.nil? ? '' : "#{label}: "
|
83
82
|
format = args[:format].nil? ? @format : args[:format]
|
84
83
|
index = args[:index].nil? ? '' : "(#{args[:index]})"
|
85
|
-
if @@encrypt_unchanged == false
|
86
|
-
EncToken.tokens_map[index] = @plain_text
|
87
|
-
end
|
84
|
+
EncToken.tokens_map[index] = @plain_text if @@encrypt_unchanged == false
|
88
85
|
|
89
86
|
case format
|
90
|
-
|
91
|
-
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
87
|
+
when :block
|
88
|
+
chevron = args[:use_chevron].nil? || args[:use_chevron] ? ">\n" : ''
|
89
|
+
"#{label_string}#{chevron}" + indentation + "DEC#{index}::#{@encryptor.tag}[" + @plain_text + ']!'
|
90
|
+
when :string
|
91
|
+
"#{label_string}DEC#{index}::#{@encryptor.tag}[" + @plain_text + ']!'
|
92
|
+
else
|
93
|
+
raise "#{@format} is not a valid format"
|
97
94
|
end
|
98
95
|
end
|
99
96
|
|
100
97
|
def to_plain_text
|
101
98
|
@plain_text
|
102
99
|
end
|
103
|
-
|
104
100
|
end
|
105
101
|
|
106
102
|
class EncTokenType < TokenType
|
107
103
|
def create_enc_token(match, type, enc_comma, cipher, indentation = '')
|
108
|
-
encryption_scheme = enc_comma.nil? ? Eyaml.default_encryption_scheme : enc_comma.split(
|
104
|
+
encryption_scheme = enc_comma.nil? ? Eyaml.default_encryption_scheme : enc_comma.split(',').first
|
109
105
|
EncToken.encrypted_value(type, encryption_scheme, cipher, match, indentation)
|
110
106
|
end
|
111
107
|
end
|
112
108
|
|
113
109
|
class EncHieraTokenType < EncTokenType
|
114
110
|
def initialize
|
115
|
-
@regex =
|
116
|
-
@string_token_type = EncStringTokenType.new
|
111
|
+
@regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/ =\n]+?)\]}
|
112
|
+
@string_token_type = EncStringTokenType.new
|
117
113
|
end
|
114
|
+
|
118
115
|
def create_token(string)
|
119
116
|
@string_token_type.create_token(string.gsub(/\s/, ''))
|
120
117
|
end
|
@@ -122,58 +119,55 @@ class Hiera
|
|
122
119
|
|
123
120
|
class EncStringTokenType < EncTokenType
|
124
121
|
def initialize
|
125
|
-
@regex =
|
122
|
+
@regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/=]+?)\]}
|
126
123
|
end
|
124
|
+
|
127
125
|
def create_token(string)
|
128
126
|
md = @regex.match(string)
|
129
|
-
|
127
|
+
create_enc_token(string, :string, md[1], md[2])
|
130
128
|
end
|
131
129
|
end
|
132
130
|
|
133
131
|
class EncBlockTokenType < EncTokenType
|
134
132
|
def initialize
|
135
|
-
@regex =
|
133
|
+
@regex = %r{>\n(\s*)ENC\[(\w+,)?([a-zA-Z0-9+/=\s]+?)\]}
|
136
134
|
end
|
135
|
+
|
137
136
|
def create_token(string)
|
138
137
|
md = @regex.match(string)
|
139
|
-
|
138
|
+
create_enc_token(string, :block, md[2], md[3], md[1])
|
140
139
|
end
|
141
140
|
end
|
142
141
|
|
143
142
|
class DecStringTokenType < TokenType
|
144
143
|
def initialize
|
145
|
-
@regex = /DEC(\(\d+\))?::(\w+)\[(.+?)\]
|
144
|
+
@regex = /DEC(\(\d+\))?::(\w+)\[(.+?)\]!/m
|
146
145
|
end
|
146
|
+
|
147
147
|
def create_token(string)
|
148
148
|
md = @regex.match(string)
|
149
|
-
if
|
150
|
-
|
151
|
-
if md[3] == EncToken.tokens_map[md[1]]
|
152
|
-
return EncToken.plain_text_value(:string, md[3], md[2], string, md[1])
|
153
|
-
end
|
154
|
-
end
|
149
|
+
if EncToken.encrypt_unchanged == false && !md[1].nil? && (md[3] == EncToken.tokens_map[md[1]])
|
150
|
+
return EncToken.plain_text_value(:string, md[3], md[2], string, md[1])
|
155
151
|
end
|
152
|
+
|
156
153
|
EncToken.decrypted_value(:string, md[3], md[2], string, md[1])
|
157
154
|
end
|
158
155
|
end
|
159
156
|
|
160
157
|
class DecBlockTokenType < TokenType
|
161
158
|
def initialize
|
162
|
-
@regex = />\n(\s*)DEC(\(\d+\))?::(\w+)\[(.+?)\]
|
159
|
+
@regex = />\n(\s*)DEC(\(\d+\))?::(\w+)\[(.+?)\]!/m
|
163
160
|
end
|
161
|
+
|
164
162
|
def create_token(string)
|
165
163
|
md = @regex.match(string)
|
166
|
-
if
|
167
|
-
|
168
|
-
if md[4] == EncToken.tokens_map[md[2]]
|
169
|
-
return EncToken.plain_text_value(:string, md[4], md[3], string, md[2])
|
170
|
-
end
|
171
|
-
end
|
164
|
+
if EncToken.encrypt_unchanged == false && !md[2].nil? && (md[4] == EncToken.tokens_map[md[2]])
|
165
|
+
return EncToken.plain_text_value(:string, md[4], md[3], string, md[2])
|
172
166
|
end
|
167
|
+
|
173
168
|
EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
|
174
169
|
end
|
175
170
|
end
|
176
|
-
|
177
171
|
end
|
178
172
|
end
|
179
173
|
end
|
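--- a/data/lib/hiera/backend/eyaml/subcommands/encrypt.rb
+++ b/data/lib/hiera/backend/eyaml/subcommands/encrypt.rb
@@ -11,12 +11,12 @@ class Hiera
 class Encrypt < Subcommand
 
 def self.options
-[{:name => :password,
-:description => "Source input is a password entered on the terminal",
+[{:name => :password,
+:description => "Source input is a password entered on the terminal",
 :short => 'p'},
 {:name => :string,
 :description => "Source input is a string provided as an argument",
-:short => 's',
+:short => 's',
 :type => :string},
 {:name => :file,
 :description => "Source input is a regular file",
@@ -78,7 +78,7 @@ class Hiera
 else
 encryptor = Encryptor.find
 ciphertext = encryptor.encode( encryptor.encrypt(Eyaml::Options[:input_data]) )
-token = Parser::EncToken.new(:block, Eyaml::Options[:input_data], encryptor, ciphertext, nil, '
+token = Parser::EncToken.new(:block, Eyaml::Options[:input_data], encryptor, ciphertext, nil, ' ')
 case Eyaml::Options[:output]
 when "block"
 token.to_encrypted :label => Eyaml::Options[:label], :use_chevron => !Eyaml::Options[:label].nil?, :format => :block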
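--- a/data/lib/hiera/backend/eyaml_backend.rb
+++ b/data/lib/hiera/backend/eyaml_backend.rb
@@ -79,12 +79,19 @@ class Hiera
 def decrypt(data)
 if encrypted?(data)
 debug("Attempting to decrypt")
+begin
+parser = Eyaml::Parser::ParserFactory.hiera_backend_parser
+tokens = parser.parse(data)
+decrypted = tokens.map{ |token| token.to_plain_text }
+plaintext = decrypted.join
+rescue OpenSSL::PKCS7::PKCS7Error => e
+debug("Caught exception: #{e.class}, #{e.message}\n"\
+"#{e.backtrace.join("\n")}")
+raise "Hiera-eyaml decryption failed, check the "\
+"encrypted data matches the key you are using.\n"\
+"Raw message from system: #{e.message}"
 
-
-tokens = parser.parse(data)
-decrypted = tokens.map{ |token| token.to_plain_text }
-plaintext = decrypted.join
-
+end
 plaintext.chomp
 else
 data
@@ -92,7 +99,7 @@ class Hiera
 end
 
 def encrypted?(data)
-/.*ENC\[
+/.*ENC\[.*\]/ =~ data ? true : false
 end
 
 def parse_answer(data, scope, extra_data={})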
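--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hiera-eyaml
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.2.2
 platform: ruby
 authors:
 - Tom Poulton
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2021-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: optimist
@@ -28,16 +28,16 @@ dependencies:
 name: highline
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version:
+version: '0'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - ">="
 - !ruby/object:Gem::Version
-version:
+version: '0'
 description: Hiera backend for decrypting encrypted yaml properties
 email:
 executables:
@@ -45,8 +45,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/release.yml"
+- ".github/workflows/test.yml"
 - ".gitignore"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - HISTORY.md
@@ -86,7 +87,7 @@ files:
 - sublime_text/eyaml.syntax_definition.json
 - tools/git_tag_release.rb
 - tools/regem.sh
-homepage:
+homepage: https://github.com/voxpupuli/hiera-eyaml/
 licenses:
 - MIT
 metadata: {}
@@ -105,7 +106,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: OpenSSL Encryption backend for Hiera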
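--- a/data/.travis.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-dist: trusty
-language: ruby
-cache: bundler
-sudo: false
-before_install:
-- bundle -v
-- rm Gemfile.lock || true
-- gem update --system $RUBYGEMS_VERSION
-- gem update bundler
-- gem --version
-- bundle -v
-addons:
-apt:
-packages:
-- expect
-script:
-bundle exec cucumber -f progress
-matrix:
-include:
-- rvm: 2.1.9
-env: PUPPET_VERSION="~> 4.0" RUBYGEMS_VERSION=2.7.8
-- rvm: 2.4.2
-env: PUPPET_VERSION="~> 5.0"
-notifications:
-email: false
-irc:
-on_success: always
-on_failure: always
-channels:
-- "chat.freenode.org#voxpupuli-notifications"
-branches:
-only:
-- master
-- /^v\d/
-deploy:
-provider: rubygems
-api_key:
-secure: 'W6a8A3KfxNydnbK4qhpL4S4KBUnadw8eGr1s8vqeOc8gXlc/qkj/DET9jWpgaEsdnEN/ALJL0WEksYJCHDpdeJv1qKaidFg5dC5l+qZ5gdVHRoKKVFkVlt8WDHe5UdP+bI2vUHWQ/1c04P92+jU9SJ0afTU1xUFn4d3AWCgwmdk='
-gem: hiera-eyaml
-on:
-tags: true
-repo: voxpupuli/hiera-eyaml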