hiera-eyaml 3.0.0 → 3.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6fde1d8051eb21831b79c698fd423e9a4a08b824d2360e9ff6812d7992bc0388
-  data.tar.gz: 51f03df435163ec479f4e843d83c3c5d1c04c0581901bbe0f578d06314e3f625
+  metadata.gz: 5bfbd5d31fef9569be60fa1914e921a042203d41c83925cb908173d74963df05
+  data.tar.gz: f93f91ef3fa2c34cef964e7e5b5a3b64dde0e1cc2ddb4ad06a0ea94b251bbf4e
 SHA512:
-  metadata.gz: 8363cd6de0401411ba832d79e3a7ce5df9e1b3a9a6a9d532d7b3e935e7a98a10ff29be65acd36a953494a3923e090c0cd8cfc594f63ff56d39f38e881553d874
-  data.tar.gz: 6f34d66445e374ea6c6c7c6d34c50f20a14d76eef48732b661bad86ce793a362564b93538f896d85c219ee415a33b222b0d15e4c770d0ee6013428091c0d1649
+  metadata.gz: e060aeb86e2f48506413629c9664441c4d1b0fa9862be7c7136e414df7e015a477a399b0453893b2b68d92751b6a2893cf5bbb898fdd6aea0d18b91611678761
+  data.tar.gz: de656da85d672bdc7b950c21663140cba2eb5c980abdeed0e7f44961f881ac5193c5e394c5e202b5a32dc78086b0e40bda73ada9b6615add4a7640c717934ee9

data/.github/workflows/release.yml

@@ -0,0 +1,24 @@
+name: Release
+
+on:
+  create:
+    ref_type: tag
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    if: github.repository == 'voxpupuli/hiera-eyaml'
+    env:
+      BUNDLE_WITHOUT: release
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install Ruby 2.7
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '2.7'
+      - name: Build gem
+        run: gem build *.gemspec
+      - name: Publish gem
+        run: gem push *.gem
+        env:
+          GEM_HOST_API_KEY: '${{ secrets.RUBYGEMS_AUTH_TOKEN }}'

data/.github/workflows/test.yml

@@ -0,0 +1,31 @@
+name: Test
+
+on:
+  - pull_request
+  - push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - "2.5"
+          - "2.6"
+          - "2.7"
+    env:
+      BUNDLE_WITHOUT: release
+      PUPPET_VERSION: "~> 6.0"
+    name: Ruby ${{ matrix.ruby }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install expect
+        run: sudo apt-get install expect
+      - name: Install Ruby ${{ matrix.ruby }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Run tests
+        run: bundle exec cucumber -f progress

data/.gitignore

@@ -16,3 +16,4 @@ features/sandbox/puppet-hiera-merge/reports
 features/sandbox/puppet-hiera-merge/state
 features/sandbox/puppet/reports
 features/sandbox/puppet/state
+.vendor/

data/CHANGELOG.md

@@ -2,6 +2,86 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v3.2.2](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.2) (2021-05-03)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.2.1...v3.2.2)
+
+**Fixed bugs:**
+
+- Using `3.2.1` for editing an eyaml created with `3.2.0` will mess up formatting [\#318](https://github.com/voxpupuli/hiera-eyaml/issues/318)
+- Fix block formatting when editing [\#319](https://github.com/voxpupuli/hiera-eyaml/pull/319) ([kenyon](https://github.com/kenyon))
+
+**Closed issues:**
+
+- Concerns about the encrypted? method [\#316](https://github.com/voxpupuli/hiera-eyaml/issues/316)
+
+## [v3.2.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.1) (2021-02-16)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.2.0...v3.2.1)
+
+**Fixed bugs:**
+
+- remove question mark from regex in encrypted? method [\#313](https://github.com/voxpupuli/hiera-eyaml/pull/313) ([mcka1n](https://github.com/mcka1n))
+- Fix block folding [\#307](https://github.com/voxpupuli/hiera-eyaml/pull/307) ([kenyon](https://github.com/kenyon))
+- add step-by-step how-to encrypting multiline values [\#304](https://github.com/voxpupuli/hiera-eyaml/pull/304) ([kBite](https://github.com/kBite))
+
+**Closed issues:**
+
+- eyaml edit should produce evenly folded blocks. [\#281](https://github.com/voxpupuli/hiera-eyaml/issues/281)
+- Support version 4 hiera config [\#213](https://github.com/voxpupuli/hiera-eyaml/issues/213)
+
+**Merged pull requests:**
+
+- migrate CI to github actions [\#315](https://github.com/voxpupuli/hiera-eyaml/pull/315) ([bastelfreak](https://github.com/bastelfreak))
+- gemspec: fix repo url / Drop Puppet 4/5 tests [\#311](https://github.com/voxpupuli/hiera-eyaml/pull/311) ([bastelfreak](https://github.com/bastelfreak))
+- Unpin highline [\#310](https://github.com/voxpupuli/hiera-eyaml/pull/310) ([lucywyman](https://github.com/lucywyman))
+
+## [v3.2.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.0) (2020-01-31)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.1...v3.2.0)
+
+**Implemented enhancements:**
+
+- Permit reading private key from environment variable [\#294](https://github.com/voxpupuli/hiera-eyaml/pull/294) ([nferch](https://github.com/nferch))
+
+**Fixed bugs:**
+
+- Version 3.1.0 does not clear the private/public key when options are changed [\#289](https://github.com/voxpupuli/hiera-eyaml/issues/289)
+
+**Merged pull requests:**
+
+- \(doc\) Correct order for config file precedence [\#295](https://github.com/voxpupuli/hiera-eyaml/pull/295) ([crayfishx](https://github.com/crayfishx))
+- \(maint\) Update Gemfile and README for Ruby 2.5/2.4 [\#293](https://github.com/voxpupuli/hiera-eyaml/pull/293) ([glennsarti](https://github.com/glennsarti))
+
+## [v3.1.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.1) (2019-11-12)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.0...v3.1.1)
+
+**Merged pull requests:**
+
+- Revert "Cache key strings." [\#290](https://github.com/voxpupuli/hiera-eyaml/pull/290) ([alexjfisher](https://github.com/alexjfisher))
+
+## [v3.1.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.0) (2019-11-11)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.0.0...v3.1.0)
+
+**Implemented enhancements:**
+
+- Should be able to `edit` a new file [\#84](https://github.com/voxpupuli/hiera-eyaml/issues/84)
+- Cache key strings. [\#191](https://github.com/voxpupuli/hiera-eyaml/pull/191) ([mkulke](https://github.com/mkulke))
+
+**Closed issues:**
+
+- Decryption errors should return error code. [\#282](https://github.com/voxpupuli/hiera-eyaml/issues/282)
+- Release a new version [\#271](https://github.com/voxpupuli/hiera-eyaml/issues/271)
+
+**Merged pull requests:**
+
+- \(docs\) Update README with reference to hiera-eyaml-vault [\#287](https://github.com/voxpupuli/hiera-eyaml/pull/287) ([crayfishx](https://github.com/crayfishx))
+- fix: don't handle cli exceptions early [\#283](https://github.com/voxpupuli/hiera-eyaml/pull/283) ([stuart-warren](https://github.com/stuart-warren))
+- Adding doc for Google KMS plugin [\#279](https://github.com/voxpupuli/hiera-eyaml/pull/279) ([craigwatson](https://github.com/craigwatson))
+- catch failed decryption and print a helpful message [\#144](https://github.com/voxpupuli/hiera-eyaml/pull/144) ([GeoffWilliams](https://github.com/GeoffWilliams))
+
 ## [v3.0.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.0.0) (2019-01-17)
 
 [Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v2.1.0...v3.0.0)
@@ -76,7 +156,10 @@ This is the first release after this project was migrated to Vox Pupuli.
 - \(docs\) Update README with instructions for using Hiera 5 [\#229](https://github.com/voxpupuli/hiera-eyaml/pull/229) ([nfagerlund](https://github.com/nfagerlund))
 - Attempt to resolve Travis CI issues [\#220](https://github.com/voxpupuli/hiera-eyaml/pull/220) ([rnelson0](https://github.com/rnelson0))
 - Make it clear that the ID and parens must be deleted, not just the ID [\#188](https://github.com/voxpupuli/hiera-eyaml/pull/188) ([sdotz](https://github.com/sdotz))
+- Refactor highline import [\#187](https://github.com/voxpupuli/hiera-eyaml/pull/187) ([petems](https://github.com/petems))
+- Adding hiera-eyaml-kms plugin to readme file [\#184](https://github.com/voxpupuli/hiera-eyaml/pull/184) ([adenot](https://github.com/adenot))
 - Make output of `eyaml decrypt` valid yaml with multiline values. [\#183](https://github.com/voxpupuli/hiera-eyaml/pull/183) ([peculater](https://github.com/peculater))
+- Add testing support for puppet 4 [\#181](https://github.com/voxpupuli/hiera-eyaml/pull/181) ([peculater](https://github.com/peculater))
 
 ## v2.1.0 (2016-03-02)
 

data/Gemfile

@@ -7,9 +7,9 @@ group :development do
   gem "cucumber", '~> 1.1'
   gem "rspec-expectations", '~> 3.1.0'
   gem "hiera-eyaml-plaintext"
-  gem "puppet", ENV['PUPPET_VERSION'] || '~> 5.0'
-  gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
-  gem 'github_changelog_generator',  :require => false, :git => 'https://github.com/github-changelog-generator/github-changelog-generator' if RUBY_VERSION >= '2.2.2'
+  gem "puppet", ENV['PUPPET_VERSION'] || '>= 7'
+  gem 'github_changelog_generator'
+  gem "activesupport"
 end
 
 group :test do

data/README.md

@@ -5,7 +5,7 @@ Hiera eyaml
 [![Gem Version](https://img.shields.io/gem/v/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
 [![Gem Downloads](https://img.shields.io/gem/dt/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
 
-hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files 
+hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
 to be used by Puppet.
 
 -------------------------
@@ -18,8 +18,8 @@ Hopefully this will mean more frequent feature updates and bug fixes!
 Advantages over hiera-gpg
 -------------------------
 
-A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases, 
-one of the best expressed frustrations was 
+A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
+one of the best expressed frustrations was
 [written back in June 2013](http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/). So
 [Tom created an initial version](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/)
 and this was refined into an elegant solution over the following months.
@@ -28,14 +28,14 @@ Unlike `hiera-gpg`, `hiera-eyaml`:
 
  - only encrypts the values (which allows files to be swiftly reviewed without decryption)
  - encrypts the value of each key individually (this means that `git diff` is meaningful)
- - includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as 
+ - includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
    easy as using clear text files)
- - uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to 
+ - uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
    be compiled & allows users without the private key to encrypt values that the puppet master can decrypt)
- - has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used 
+ - has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
    if you have the need for multiple keys and easier key rotation)
 
-The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption 
+The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
 method, wrapped with ENC[] and placed in an eyaml file. You can mix your plain values in as well or separate them into different files.
 Encrypted values can occur within arrays, hashes, nested arrays and nested hashes.
 
@@ -93,6 +93,8 @@ The permissions for this folder should allow the puppet user (normally 'puppet')
     -r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
     -r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
 
+You may also load the keypair into an environment variable and use the `pkcs7_private_key_env_var` and `pkcs7_public_key_env_var` options to specify the environment variable names to avoid writing the secret key to disk.
+
 
 Basic usage
 -----------
@@ -129,8 +131,8 @@ and will encrypt and modified values when you exit the editor.
 
     $ eyaml edit filename.eyaml         # Edit an eyaml file in place
 
-When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to 
-identify each encrypted block, along with the encryption method. This is used to make sure that the block 
+When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
+identify each encrypted block, along with the encryption method. This is used to make sure that the block
 is encrypted again only if the clear text value has changed, and is encrypted using the
 original encryption mechanism (see plugable encryption later).
 
@@ -161,7 +163,7 @@ things:
         - nested thing 2.1
 ```
 
-Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to 
+Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
 omit the number in brackets for new values. If any duplicate IDs are found then the re-encryption process will be abandoned
 by the eyaml tool.
 
@@ -185,6 +187,89 @@ file just like any other eyaml string and your done.  If the file is rather
 large, you may wish to use a helper like `xclip` to copy the stdout directly to
 your clipboard.
 
+### Encrypting multiline values
+
+The following step-by-step example shows you how to encrypt multiline values.
+
+- Copy the YAML text below to a file named `multiline_example.eyaml`
+```
+---
+accounts::key_sets:
+  dummy:
+    private: |
+      ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
+      Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20200911"
+      P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
+      1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
+      JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
+      2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
+      QEPM5xLW0unCsQ==
+      ---- END SSH2 ENCRYPTED PRIVATE KEY ----
+```
+
+- Use `edit` to ...
+  - replace '|' with '>',
+  - prepend `DEC::PKCS7[` before the first line,
+  - remove all whitespaces used for indentation,
+  - and append `]!` to the last line of the multiline value.
+
+`eyaml edit multiline_example.eyaml`
+```
+---
+accounts::key_sets:
+  dummy:
+    private: >
+      DEC::PKCS7[---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
+Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20170123"
+P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
+1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
+JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
+2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
+QEPM5xLW0unCsQ==
+---- END SSH2 ENCRYPTED PRIVATE KEY ----]!
+```
+```
+# resulting encrypted file
+---
+accounts::key_sets:
+  dummy:
+    private: >
+      ENC[PKCS7,MIIDTQYJKoZIhvcNAQcDoIIDPjCCAzoCAQAxggEhMIIBHQIBADAFMAACAQEw
+      DQYJKoZIhvcNAQEBBQAEggEAXH7xB1xuzoMAqA/3jSXO0ZUR6+UCb3DsTTj3
+      Lsrcx5oQBnJ/ml7GfBCPxBKfArZunLcnxmSk4hECKXdfgKsVjAa++JQWvtEm
+      HUNTFqvwd76Ku+nMfI9c8g+X+l6obLjzWfJdg3t6Ja7CJKl8UNFtSmbfYKVi
+      nZ0xBubgdY4plLAFcZyD5/A/lNFqwb051TRLbZOIRRfLUlRL7RNkKRC59Aog
+      S5aJXjmqx6vRzFifNK0JFZvYHGD75TiHJ5LFjg4rjgFd43AnK8iNo773ZWP2
+      48Gly5Zx7qVQDCDDi1YBgNFb0NIBQw+kWy7HcPH2REvPnXu/HV2FWvDP3Ond
+      yr2EbTCCAg4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEH+CjZJ1gKfaQIrr
+      N5zef7OAggHgBmRVsfaoiNEOzhmHZ5SxxZztmpBNtLv7mteaSqSL5o0TtKQh
+      SDgxBhaQmlL51+JM1Jsnvqm57ikZhj7Vtek/vr5DhYhWs0AxttH5rNaw0zKU
+      4bMppVu+SNKCtT+2Qw31x/S7gF7yVl+mwmXhq3qAj9ExWRX3d/8/zTuC61Io
+      f+7O6YUOucZ/m/YPrQnC5v7bDSKlIf1aFaKqukjM3QO8FZlAOHGPvRuWV2Om
+      QIgxQE6F8r+bTkW3KiVIx5FEIthRZ90VS3tz/2wjj77svddBhlid9ov/0ard
+      GGVNGsl1BFpLqxC0mpZXz237cL/aM58naqmX52J6YmC0xQM3DNmahWlYx1HV
+      J/Ogk12pOYPLJB/09OuoHPzKC4WfpB9B7wAC6pghRkO/84cOw6rgSdbzze5W
+      WMPvo181Y74BSBKhJDdO3lWYmEcDyx4TEsMUlpxd9PBDcOHqf9qHviXrwGzO
+      oSm2bUV0Fum5ueU+D2vu3mO0yIQ6fwyvDZLBRjfJV7K/PyDz81feWT6+g38t
+      AC27c0h8wk9b7HYfqG28nZE7F13qrhwCKnOaYLglsmbszNpRrBhfo1IHF6oM
+      YZRZrnrGQg5qQcxMsLq37RAfRgkY0rRLs78EEAhkf4NDxw0A/ovt]
+```
+- Output of `eyaml decrypt -f multiline_example.eyaml`:
+```
+---
+accounts::key_sets:
+  dummy:
+    private: |
+  ---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
+  Comment: "dummy-key-hiera-eyaml-issue-rsa-key-20200911"
+  P2/56wAAANwAAAA3aWYtbW9kbntzaWdue3JzYS1wa2NzMS1zaGExfSxlbmNyeXB0e3JzYS
+  1wa2NzMXYyLW9hZXB9fQAAAARub25lAAAAjQAAAIkAAAAGJQAAAP93ZtrMIRZutZ/SZUyw
+  JWwyI4YxNvr5tBt9UnSJ7K0+rQAAAQDohO1ykUahsogS+ymM6o9WEmdROJZpWShCqdv8Dj
+  2roQAAAIDG1G8hY90Xlz/YiFhDZLLWAAAAgOzMWTfAlHbJ4AdEhG5uU/EAAACA+1/AlcSr
+  QEPM5xLW0unCsQ==
+  ---- END SSH2 ENCRYPTED PRIVATE KEY ----
+```
+  - The output *does NOT* have to be valid YAML for usage with Puppet.
 
 Hiera
 -----
@@ -203,7 +288,7 @@ Hierarchy levels that use eyaml must set the following keys:
 * `lookup_key` (must be set to `eyaml_lookup_key`).
 * `path`/`paths`/`glob`/`globs` (choose one).
 * `datadir` (can be omitted if you've set a default).
-* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
+* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, or `pkcs7_public_key_env_var` and `pkcs7_private_key_env_var`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
 
     You do not need to specify key names as `:symbols`; normal strings are fine.
 
@@ -321,7 +406,7 @@ Configuration file for eyaml
 
 Default parameters for the eyaml command line tool can be provided by creating a configuration YAML file.
 
-Config files will be read first from `/etc/eyaml/config.yaml`, then from `~/.eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable
+Config files will be read first from `~/.eyaml/config.yaml`, then from `/etc/eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable
 
 The file takes any long form argument that you can provide on the command line. For example, to override the pkcs7 keys:
 ```yaml
@@ -358,14 +443,17 @@ When editing eyaml files, you will see that the unencrypted plaintext is marked
 This is a list of available plugins:
 
  - [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg) - Provide GPG encryption
- - [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that 
-   simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on 
+ - [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
+   simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
    hiera-eyaml. **THIS SHOULD NOT BE USED IN PRODUCTION**
  - [hiera-eyaml-twofac](https://github.com/gtmtechltd/hiera-eyaml-twofac) - PKCS7 keypair + AES256 symmetric password for two-factor encryption
    Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
    in conjunction with puppet, as it requires entry of a password over a terminal.
  - [hiera-eyaml-kms](https://github.com/adenot/hiera-eyaml-kms) - Encryption using AWS Key Management Service (KMS)
- 
+ - [hiera-eyaml-gkms](https://github.com/craigwatson/hiera-eyaml-gkms) - Encryption using Google Cloud KMS
+ - [hiera-eyaml-vault](https://github.com/crayfishx/hiera-eyaml-vault) - Use the transit secrets engine from Vault for providing encryption.
+
+
 ### How-To's:
 
  - [How to use different Hiera/Eyaml keys for different environments using the AWS Parameter Store to store the encryption keys for Hiera/Eyaml](https://gist.github.com/FransUrbo/88b26033cb513a8aa569bd5392a427b1).
@@ -408,6 +496,8 @@ Some of us hang out on #hiera-eyaml on freenode, please drop by if you want to s
 Tests
 -----
 
+**NOTE** Some testing requirements are not supported on Windows
+
 In order to run the tests, simply run `cucumber` in the top level directory of the project.
 
 You'll need to have a few requirements installed:

data/hiera-eyaml.gemspec

@@ -11,12 +11,12 @@ Gem::Specification.new do |gem|
   gem.author        = "Tom Poulton"
   gem.license       = "MIT"
 
-  gem.homepage      = "http://github.com/TomPoulton/hiera-eyaml"
+  gem.homepage      = "https://github.com/voxpupuli/hiera-eyaml/"
   gem.files         = `git ls-files`.split($/).reject { |file| file =~ /^features.*$/ }
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
   gem.add_dependency('optimist')
-  gem.add_dependency('highline', '~> 1.6.19')
+  gem.add_dependency('highline')
 end

data/lib/hiera/backend/eyaml.rb

@@ -2,7 +2,7 @@ class Hiera
   module Backend
     module Eyaml
 
-      VERSION = "3.0.0"
+      VERSION = "3.2.2"
       DESCRIPTION = "Hiera-eyaml is a backend for Hiera which provides OpenSSL encryption/decryption for Hiera properties"
 
       class RecoverableError < StandardError

data/lib/hiera/backend/eyaml/CLI.rb

@@ -42,13 +42,9 @@ class Hiera
         def self.execute
 
           executor = Eyaml::Options[:executor]
-          begin
-            result = executor.execute
-            puts result unless result.nil?
-          rescue Exception => e
-            LoggingHelper.warn e.message
-            LoggingHelper.debug e.backtrace.join("\n")
-          end
+
+          result = executor.execute
+          puts result unless result.nil?
 
         end
 

data/lib/hiera/backend/eyaml/encryptor.rb

@@ -14,7 +14,7 @@ class Hiera
 
         def self.find encryption_scheme = nil
           encryption_scheme = Eyaml.default_encryption_scheme if encryption_scheme.nil?
-          require "hiera/backend/eyaml/encryptors/#{File.basename encryption_scheme.downcase}"          
+          require "hiera/backend/eyaml/encryptors/#{File.basename encryption_scheme.downcase}"
           encryptor_module = Module.const_get('Hiera').const_get('Backend').const_get('Eyaml').const_get('Encryptors')
           encryptor_class = Utils.find_closest_class :parent_class => encryptor_module, :class_name => encryption_scheme
           raise StandardError, "Could not find hiera-eyaml encryptor: #{encryption_scheme}. Try gem install hiera-eyaml-#{encryption_scheme.downcase} ?" if encryptor_class.nil?
@@ -22,14 +22,14 @@ class Hiera
         end
 
         def self.encode binary_string
-          Base64.encode64(binary_string).strip  
+          Base64.strict_encode64(binary_string)
         end
 
         def self.decode string
           Base64.decode64(string)
         end
 
-        def self.encrypt *args 
+        def self.encrypt *args
           raise StandardError, "encrypt() not defined for encryptor plugin: #{self}"
         end
 
@@ -80,4 +80,3 @@ class Hiera
     end
   end
 end
-

data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb

@@ -18,6 +18,10 @@ class Hiera
             :public_key => { :desc => "Path to public key",  
                              :type => :string, 
                              :default => "./keys/public_key.pkcs7.pem" },
+            :private_key_env_var => { :desc => "Name of environment variable to read private key from",
+                                      :type => :string },
+            :public_key_env_var => { :desc => "Name of environment variable to read public key from",
+                                      :type => :string },
             :subject => { :desc => "Subject to use for certificate when creating keys",
                           :type => :string,
                           :default => "/" },
@@ -36,9 +40,18 @@ class Hiera
             LoggingHelper::trace 'PKCS7 encrypt'
 
             public_key = self.option :public_key
-            raise StandardError, "pkcs7_public_key is not defined" unless public_key
+            public_key_env_var = self.option :public_key_env_var
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
 
-            public_key_pem = File.read public_key 
+            if public_key and public_key_env_var
+              warn "both public_key and public_key_env_var specified, using public_key"
+            end
+
+            if public_key_env_var and ENV[public_key_env_var]
+              public_key_pem = ENV[public_key_env_var]
+            else
+              public_key_pem = File.read public_key
+            end
             public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
             cipher = OpenSSL::Cipher::AES.new(256, :CBC)
@@ -51,13 +64,30 @@ class Hiera
 
             public_key = self.option :public_key
             private_key = self.option :private_key
-            raise StandardError, "pkcs7_public_key is not defined" unless public_key
-            raise StandardError, "pkcs7_private_key is not defined" unless private_key
+            public_key_env_var = self.option :public_key_env_var
+            private_key_env_var = self.option :private_key_env_var
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
+            raise StandardError, "pkcs7_private_key is not defined" unless private_key or private_key_env_var
+
+            if public_key and public_key_env_var
+              warn "both public_key and public_key_env_var specified, using public_key"
+            end
+            if private_key and private_key_env_var
+              warn "both private_key and private_key_env_var specified, using private_key"
+            end
 
-            private_key_pem = File.read private_key
+            if private_key_env_var and ENV[private_key_env_var]
+              private_key_pem = ENV[private_key_env_var]
+            else
+              private_key_pem = File.read private_key
+            end
             private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
 
-            public_key_pem = File.read public_key
+            if public_key_env_var and ENV[public_key_env_var]
+              public_key_pem = ENV[public_key_env_var]
+            else
+              public_key_pem = File.read public_key
+            end
             public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
             pkcs7 = OpenSSL::PKCS7.new( ciphertext )

data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb

@@ -4,34 +4,36 @@ require 'hiera/backend/eyaml/encryptor'
 require 'hiera/backend/eyaml'
 require 'base64'
 
-
 class Hiera
   module Backend
     module Eyaml
       module Parser
         class EncToken < Token
-          @@tokens_map = Hash.new()
+          @@tokens_map = {}
           @@encrypt_unchanged = true
           attr_reader :format, :cipher, :encryptor, :indentation, :plain_text, :id
+
           def self.encrypted_value(format, encryption_scheme, cipher, match, indentation = '')
             decryptor = Encryptor.find encryption_scheme
-            plain_text = decryptor.decrypt( decryptor.decode cipher )
+            plain_text = decryptor.decrypt(decryptor.decode(cipher))
             EncToken.new(format, plain_text, decryptor, cipher, match, indentation)
           end
+
           def self.decrypted_value(format, plain_text, encryption_scheme, match, id, indentation = '')
             encryptor = Encryptor.find encryption_scheme
-            cipher = encryptor.encode( encryptor.encrypt plain_text )
-            id_number = id.nil? ? nil : id.gsub(/\(|\)/, "").to_i
+            cipher = encryptor.encode(encryptor.encrypt(plain_text))
+            id_number = id.nil? ? nil : id.gsub(/\(|\)/, '').to_i
             EncToken.new(format, plain_text, encryptor, cipher, match, indentation, id_number)
           end
+
           def self.plain_text_value(format, plain_text, encryption_scheme, match, id, indentation = '')
             encryptor = Encryptor.find encryption_scheme
-            id_number = id.gsub(/\(|\)/,"").to_i unless id.nil?
-            EncToken.new(format, plain_text, encryptor, "", match, indentation, id_number)
+            id_number = id.gsub(/\(|\)/, '').to_i unless id.nil?
+            EncToken.new(format, plain_text, encryptor, '', match, indentation, id_number)
           end
 
           def self.tokens_map
-            return @@tokens_map
+            @@tokens_map
           end
 
           def self.set_encrypt_unchanged(encrypt_unchanged)
@@ -39,12 +41,12 @@ class Hiera
           end
 
           def self.encrypt_unchanged
-            return @@encrypt_unchanged
+            @@encrypt_unchanged
           end
 
           def initialize(format, plain_text, encryptor, cipher, match = '', indentation = '', id = nil)
             @format = format
-            @plain_text = Utils.convert_to_utf_8( plain_text )
+            @plain_text = Utils.convert_to_utf_8(plain_text)
             @encryptor = encryptor
             @cipher = cipher
             @indentation = indentation
@@ -52,69 +54,64 @@ class Hiera
             super(match)
           end
 
-          def to_encrypted(args={})
+          def to_encrypted(args = {})
             label = args[:label]
             label_string = label.nil? ? '' : "#{label}: "
             format = args[:format].nil? ? @format : args[:format]
             encryption_method = args[:change_encryption]
-            if encryption_method != nil
+            unless encryption_method.nil?
               @encryptor = Encryptor.find encryption_method
-              @cipher = Base64.encode64(@encryptor.encrypt @plain_text).strip
+              @cipher = Base64.strict_encode64(@encryptor.encrypt(@plain_text))
             end
             case format
-              when :block
-                # strip any white space
-                @cipher = @cipher.gsub(/[ \t]/, "")
-                # normalize indentation
-                ciphertext = @cipher.gsub(/[\n\r]/, "\n" + @indentation)
-                chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
-                "#{label_string}#{chevron}" + @indentation + "ENC[#{@encryptor.tag},#{ciphertext}]"
-              when :string
-                ciphertext = @cipher.gsub(/[\n\r]/, "")
-                "#{label_string}ENC[#{@encryptor.tag},#{ciphertext}]"
-              else
-                raise "#{@format} is not a valid format"
+            when :block
+              @cipher = @cipher.gsub(/\s/, '')
+              chevron = args[:use_chevron].nil? || args[:use_chevron] ? ">\n" : ''
+              "#{label_string}#{chevron}" + @indentation + "ENC[#{@encryptor.tag},#{@cipher}]".scan(/.{1,60}/).join("\n" + @indentation)
+            when :string
+              ciphertext = @cipher.gsub(/[\n\r]/, '')
+              "#{label_string}ENC[#{@encryptor.tag},#{ciphertext}]"
+            else
+              raise "#{@format} is not a valid format"
             end
           end
 
-          def to_decrypted(args={})
+          def to_decrypted(args = {})
             label = args[:label]
             label_string = label.nil? ? '' : "#{label}: "
             format = args[:format].nil? ? @format : args[:format]
             index = args[:index].nil? ? '' : "(#{args[:index]})"
-            if @@encrypt_unchanged == false
-              EncToken.tokens_map[index] = @plain_text
-            end
+            EncToken.tokens_map[index] = @plain_text if @@encrypt_unchanged == false
 
             case format
-              when :block
-                chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
-                "#{label_string}#{chevron}" + indentation + "DEC#{index}::#{@encryptor.tag}[" + @plain_text + "]!"
-              when :string
-                "#{label_string}DEC#{index}::#{@encryptor.tag}[" + @plain_text + "]!"
-              else
-                raise "#{@format} is not a valid format"
+            when :block
+              chevron = args[:use_chevron].nil? || args[:use_chevron] ? ">\n" : ''
+              "#{label_string}#{chevron}" + indentation + "DEC#{index}::#{@encryptor.tag}[" + @plain_text + ']!'
+            when :string
+              "#{label_string}DEC#{index}::#{@encryptor.tag}[" + @plain_text + ']!'
+            else
+              raise "#{@format} is not a valid format"
             end
           end
 
           def to_plain_text
             @plain_text
           end
-
         end
 
         class EncTokenType < TokenType
           def create_enc_token(match, type, enc_comma, cipher, indentation = '')
-            encryption_scheme = enc_comma.nil? ? Eyaml.default_encryption_scheme : enc_comma.split(",").first
+            encryption_scheme = enc_comma.nil? ? Eyaml.default_encryption_scheme : enc_comma.split(',').first
             EncToken.encrypted_value(type, encryption_scheme, cipher, match, indentation)
           end
         end
 
         class EncHieraTokenType < EncTokenType
           def initialize
-            @regex = /ENC\[(\w+,)?([a-zA-Z0-9\+\/ =\n]+?)\]/
-            @string_token_type = EncStringTokenType.new()
+            @regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/ =\n]+?)\]}
+            @string_token_type = EncStringTokenType.new
           end
+
           def create_token(string)
             @string_token_type.create_token(string.gsub(/\s/, ''))
           end
@@ -122,58 +119,55 @@ class Hiera
 
         class EncStringTokenType < EncTokenType
           def initialize
-            @regex = /ENC\[(\w+,)?([a-zA-Z0-9\+\/=]+?)\]/
+            @regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/=]+?)\]}
           end
+
           def create_token(string)
             md = @regex.match(string)
-            self.create_enc_token(string, :string, md[1], md[2])
+            create_enc_token(string, :string, md[1], md[2])
           end
         end
 
         class EncBlockTokenType < EncTokenType
           def initialize
-            @regex = />\n(\s*)ENC\[(\w+,)?([a-zA-Z0-9\+\/=\s]+?)\]/
+            @regex = %r{>\n(\s*)ENC\[(\w+,)?([a-zA-Z0-9+/=\s]+?)\]}
           end
+
           def create_token(string)
             md = @regex.match(string)
-            self.create_enc_token(string, :block, md[2], md[3], md[1])
+            create_enc_token(string, :block, md[2], md[3], md[1])
           end
         end
 
         class DecStringTokenType < TokenType
           def initialize
-            @regex = /DEC(\(\d+\))?::(\w+)\[(.+?)\]\!/m
+            @regex = /DEC(\(\d+\))?::(\w+)\[(.+?)\]!/m
           end
+
           def create_token(string)
             md = @regex.match(string)
-            if (EncToken.encrypt_unchanged == false)
-              unless md[1].nil?
-                if md[3] == EncToken.tokens_map[md[1]]
-                  return EncToken.plain_text_value(:string, md[3], md[2], string, md[1])
-                end
-              end
+            if EncToken.encrypt_unchanged == false && !md[1].nil? && (md[3] == EncToken.tokens_map[md[1]])
+              return EncToken.plain_text_value(:string, md[3], md[2], string, md[1])
             end
+
             EncToken.decrypted_value(:string, md[3], md[2], string, md[1])
           end
         end
 
         class DecBlockTokenType < TokenType
           def initialize
-            @regex = />\n(\s*)DEC(\(\d+\))?::(\w+)\[(.+?)\]\!/m
+            @regex = />\n(\s*)DEC(\(\d+\))?::(\w+)\[(.+?)\]!/m
           end
+
           def create_token(string)
             md = @regex.match(string)
-            if (EncToken.encrypt_unchanged == false)
-              unless md[2].nil?
-                if md[4] == EncToken.tokens_map[md[2]]
-                  return EncToken.plain_text_value(:string, md[4], md[3], string, md[2])
-                end
-              end
+            if EncToken.encrypt_unchanged == false && !md[2].nil? && (md[4] == EncToken.tokens_map[md[2]])
+              return EncToken.plain_text_value(:string, md[4], md[3], string, md[2])
             end
+
             EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
           end
         end
-
       end
     end
   end

data/lib/hiera/backend/eyaml/subcommands/encrypt.rb

@@ -11,12 +11,12 @@ class Hiera
         class Encrypt < Subcommand
 
           def self.options
-            [{:name => :password, 
-              :description => "Source input is a password entered on the terminal", 
+            [{:name => :password,
+              :description => "Source input is a password entered on the terminal",
               :short => 'p'},
              {:name => :string,
               :description => "Source input is a string provided as an argument",
-              :short => 's', 
+              :short => 's',
               :type => :string},
              {:name => :file,
               :description => "Source input is a regular file",
@@ -78,7 +78,7 @@ class Hiera
               else
                 encryptor = Encryptor.find
                 ciphertext = encryptor.encode( encryptor.encrypt(Eyaml::Options[:input_data]) )
-                token = Parser::EncToken.new(:block, Eyaml::Options[:input_data], encryptor, ciphertext, nil, '    ')
+                token = Parser::EncToken.new(:block, Eyaml::Options[:input_data], encryptor, ciphertext, nil, '  ')
                 case Eyaml::Options[:output]
                   when "block"
                     token.to_encrypted :label => Eyaml::Options[:label], :use_chevron => !Eyaml::Options[:label].nil?, :format => :block

data/lib/hiera/backend/eyaml_backend.rb

@@ -79,12 +79,19 @@ class Hiera
       def decrypt(data)
         if encrypted?(data)
           debug("Attempting to decrypt")
+          begin
+            parser = Eyaml::Parser::ParserFactory.hiera_backend_parser
+            tokens = parser.parse(data)
+            decrypted = tokens.map{ |token| token.to_plain_text }
+            plaintext = decrypted.join
+          rescue OpenSSL::PKCS7::PKCS7Error => e
+            debug("Caught exception: #{e.class}, #{e.message}\n"\
+                  "#{e.backtrace.join("\n")}")
+            raise "Hiera-eyaml decryption failed, check the "\
+              "encrypted data matches the key you are using.\n"\
+              "Raw message from system: #{e.message}"
 
-          parser = Eyaml::Parser::ParserFactory.hiera_backend_parser
-          tokens = parser.parse(data)
-          decrypted = tokens.map{ |token| token.to_plain_text }
-          plaintext = decrypted.join
-
+          end
           plaintext.chomp
         else
           data
@@ -92,7 +99,7 @@ class Hiera
       end
 
       def encrypted?(data)
-        /.*ENC\[.*?\]/ =~ data ? true : false
+        /.*ENC\[.*\]/ =~ data ? true : false
       end
 
       def parse_answer(data, scope, extra_data={})

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hiera-eyaml
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.2.2
 platform: ruby
 authors:
 - Tom Poulton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-17 00:00:00.000000000 Z
+date: 2021-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: optimist
@@ -28,16 +28,16 @@ dependencies:
   name: highline
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.19
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: 1.6.19
+        version: '0'
 description: Hiera backend for decrypting encrypted yaml properties
 email: 
 executables:
@@ -45,8 +45,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/release.yml"
+- ".github/workflows/test.yml"
 - ".gitignore"
-- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - HISTORY.md
@@ -86,7 +87,7 @@ files:
 - sublime_text/eyaml.syntax_definition.json
 - tools/git_tag_release.rb
 - tools/regem.sh
-homepage: http://github.com/TomPoulton/hiera-eyaml
+homepage: https://github.com/voxpupuli/hiera-eyaml/
 licenses:
 - MIT
 metadata: {}
@@ -105,7 +106,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
+rubygems_version: 3.1.6
 signing_key: 
 specification_version: 4
 summary: OpenSSL Encryption backend for Hiera

data/.travis.yml

@@ -1,43 +0,0 @@
----
-dist: trusty
-language: ruby
-cache: bundler
-sudo: false
-before_install:
-  - bundle -v
-  - rm Gemfile.lock || true
-  - gem update --system $RUBYGEMS_VERSION
-  - gem update bundler
-  - gem --version
-  - bundle -v
-addons:
-  apt:
-    packages:
-      - expect
-script:
-  bundle exec cucumber -f progress
-matrix:
-  include:
-    - rvm: 2.1.9
-      env: PUPPET_VERSION="~> 4.0" RUBYGEMS_VERSION=2.7.8
-    - rvm: 2.4.2
-      env: PUPPET_VERSION="~> 5.0"
-notifications:
-  email: false
-  irc:
-    on_success: always
-    on_failure: always
-    channels:
-      - "chat.freenode.org#voxpupuli-notifications"
-branches:
-  only:
-    - master
-    - /^v\d/
-deploy:
-  provider: rubygems
-  api_key:
-    secure: 'W6a8A3KfxNydnbK4qhpL4S4KBUnadw8eGr1s8vqeOc8gXlc/qkj/DET9jWpgaEsdnEN/ALJL0WEksYJCHDpdeJv1qKaidFg5dC5l+qZ5gdVHRoKKVFkVlt8WDHe5UdP+bI2vUHWQ/1c04P92+jU9SJ0afTU1xUFn4d3AWCgwmdk='
-  gem: hiera-eyaml
-  on:
-    tags: true
-    repo: voxpupuli/hiera-eyaml