RubyGems - hiera-eyaml - Versions diffs - 3.3.0 → 4.0.0 - Mend

hiera-eyaml 3.3.0 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

checksums.yaml +4 -4
data/.github/dependabot.yml +17 -0
data/.github/workflows/release.yml +2 -2
data/.github/workflows/test.yml +38 -21
data/.rubocop.yml +8 -0
data/.rubocop_todo.yml +416 -0
data/CHANGELOG.md +59 -0
data/Gemfile +13 -14
data/README.md +37 -7
data/Rakefile +11 -4
data/hiera-eyaml.gemspec +17 -15
data/lib/hiera/backend/eyaml/CLI.rb +12 -19
data/lib/hiera/backend/eyaml/commands.rb +2 -6
data/lib/hiera/backend/eyaml/edithelper.rb +24 -19
data/lib/hiera/backend/eyaml/encrypthelper.rb +17 -19
data/lib/hiera/backend/eyaml/encryptor.rb +40 -43
data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +79 -105
data/lib/hiera/backend/eyaml/highlinehelper.rb +3 -5
data/lib/hiera/backend/eyaml/logginghelper.rb +27 -29
data/lib/hiera/backend/eyaml/options.rb +13 -16
data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb +2 -2
data/lib/hiera/backend/eyaml/parser/parser.rb +35 -36
data/lib/hiera/backend/eyaml/parser/token.rb +15 -6
data/lib/hiera/backend/eyaml/plugins.rb +13 -18
data/lib/hiera/backend/eyaml/subcommand.rb +72 -74
data/lib/hiera/backend/eyaml/subcommands/createkeys.rb +2 -6
data/lib/hiera/backend/eyaml/subcommands/decrypt.rb +52 -52
data/lib/hiera/backend/eyaml/subcommands/edit.rb +58 -59
data/lib/hiera/backend/eyaml/subcommands/encrypt.rb +65 -69
data/lib/hiera/backend/eyaml/subcommands/help.rb +17 -22
data/lib/hiera/backend/eyaml/subcommands/recrypt.rb +13 -20
data/lib/hiera/backend/eyaml/subcommands/unknown_command.rb +10 -14
data/lib/hiera/backend/eyaml/subcommands/version.rb +4 -9
data/lib/hiera/backend/eyaml/utils.rb +27 -28
data/lib/hiera/backend/eyaml.rb +7 -9
data/lib/hiera/backend/eyaml_backend.rb +34 -28
metadata +63 -14
data/tools/git_tag_release.rb +0 -98
data/tools/regem.sh +0 -11

data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb CHANGED Viewed

@@ -8,144 +8,118 @@ class Hiera
   module Backend
     module Eyaml
       module Encryptors
         class Pkcs7 < Encryptor
           self.options = {
-            :private_key => { :desc => "Path to private key",
-                              :type => :string,
-                              :default => "./keys/private_key.pkcs7.pem" },
-            :public_key => { :desc => "Path to public key",
-                             :type => :string,
-                             :default => "./keys/public_key.pkcs7.pem" },
-            :private_key_env_var => { :desc => "Name of environment variable to read private key from",
-                                      :type => :string },
-            :public_key_env_var => { :desc => "Name of environment variable to read public key from",
-                                      :type => :string },
-            :subject => { :desc => "Subject to use for certificate when creating keys",
-                          :type => :string,
-                          :default => "/" },
-            :keysize => { :desc => "Key size used for encryption",
-                          :type => :integer,
-                          :default => 2048 },
-            :digest  => { :desc => "Hash function used for PKCS7",
-                          :type => :string,
-                          :default => "SHA256"},
+            private_key: { desc: 'Path to private key',
+                           type: :string,
+                           default: './keys/private_key.pkcs7.pem', },
+            public_key: { desc: 'Path to public key',
+                          type: :string,
+                          default: './keys/public_key.pkcs7.pem', },
+            private_key_env_var: { desc: 'Name of environment variable to read private key from',
+                                   type: :string, },
+            public_key_env_var: { desc: 'Name of environment variable to read public key from',
+                                  type: :string, },
+            keysize: { desc: 'Key size used for encryption',
+                       type: :integer,
+                       default: 2048, },
           }
-          self.tag = "PKCS7"
-          def self.encrypt plaintext
+          self.tag = 'PKCS7'
-            LoggingHelper::trace 'PKCS7 encrypt'
+          def self.encrypt(plaintext)
+            LoggingHelper.trace 'PKCS7 encrypt'
-            public_key = self.option :public_key
-            public_key_env_var = self.option :public_key_env_var
-            raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
-            if public_key and public_key_env_var
-              warn "both public_key and public_key_env_var specified, using public_key"
-            end
-            if public_key_env_var and ENV[public_key_env_var]
-              public_key_pem = ENV[public_key_env_var]
+            public_key_pem = load_public_key_pem
+            if public_key_pem.include? 'BEGIN CERTIFICATE'
+              public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)
+            elsif public_key_pem.include? 'BEGIN PUBLIC KEY'
+              public_key_rsa = OpenSSL::PKey::RSA.new(public_key_pem)
+              public_key_x509 = OpenSSL::X509::Certificate.new
+              public_key_x509.public_key = public_key_rsa.public_key
             else
-              public_key_pem = File.read public_key
+              raise StandardError, "file #{public_key_pem} cannot be used to encrypt - invalid public key format"
             end
-            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
-            cipher = OpenSSL::Cipher::AES.new(256, :CBC)
-            OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+            cipher = OpenSSL::Cipher.new('aes-256-cbc')
+            OpenSSL::PKCS7.encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
           end
-          def self.decrypt ciphertext
-            LoggingHelper::trace 'PKCS7 decrypt'
+          def self.decrypt(ciphertext)
+            LoggingHelper.trace 'PKCS7 decrypt'
-            public_key = self.option :public_key
-            private_key = self.option :private_key
-            public_key_env_var = self.option :public_key_env_var
-            private_key_env_var = self.option :private_key_env_var
-            raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
-            raise StandardError, "pkcs7_private_key is not defined" unless private_key or private_key_env_var
+            private_key_pem = load_private_key_pem
+            private_key_rsa = OpenSSL::PKey::RSA.new(private_key_pem)
-            if public_key and public_key_env_var
-              warn "both public_key and public_key_env_var specified, using public_key"
-            end
-            if private_key and private_key_env_var
-              warn "both private_key and private_key_env_var specified, using private_key"
-            end
+            public_key_pem = load_public_key_pem
+            public_key_x509 = OpenSSL::X509::Certificate.new(public_key_pem)
-            if private_key_env_var and ENV[private_key_env_var]
-              private_key_pem = ENV[private_key_env_var]
-            else
-              private_key_pem = File.read private_key
-            end
-            private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
-            if public_key_env_var and ENV[public_key_env_var]
-              public_key_pem = ENV[public_key_env_var]
-            else
-              public_key_pem = File.read public_key
-            end
-            public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
-            pkcs7 = OpenSSL::PKCS7.new( ciphertext )
+            pkcs7 = OpenSSL::PKCS7.new(ciphertext)
             pkcs7.decrypt(private_key_rsa, public_key_x509)
           end
           def self.create_keys
+            # Do equivalent of:
+            # openssl req -x509 -nodes -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -batch
-            # Try to do equivalent of:
-            # openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
-            public_key = self.option :public_key
-            private_key = self.option :private_key
-            subject = self.option :subject
-            keysize = self.option :keysize
-            digest = self.option :digest
+            public_key = option :public_key
+            private_key = option :private_key
+            keysize = option :keysize
             key = OpenSSL::PKey::RSA.new(keysize)
             EncryptHelper.ensure_key_dir_exists private_key
-            EncryptHelper.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600
+            EncryptHelper.write_important_file filename: private_key, content: key.to_pem, mode: 0o600
-            cert = OpenSSL::X509::Certificate.new()
-            cert.subject = OpenSSL::X509::Name.parse(subject)
-            cert.serial = 1
-            cert.version = 2
+            cert = OpenSSL::X509::Certificate.new
+            # In JRuby implementation of openssl, not_before and not_after
+            # are required to sign cert with key and digest. Signing the
+            # certificate is only required for Ruby 2.7 to call cert.to_pem.
             cert.not_before = Time.now
-            cert.not_after = if 1.size == 8       # 64bit
-              Time.now + 50 * 365 * 24 * 60 * 60
-            else                                  # 32bit
-              Time.at(0x7fffffff)
-            end
+            cert.not_after = if 1.size == 8 # 64bit
+                               Time.now + (50 * 365 * 24 * 60 * 60)
+                             else # 32bit
+                               Time.at(0x7fffffff)
+                             end
             cert.public_key = key.public_key
+            cert.sign key, OpenSSL::Digest.new('SHA256')
-            ef = OpenSSL::X509::ExtensionFactory.new
-            ef.subject_certificate = cert
-            ef.issuer_certificate = cert
-            cert.extensions = [
-              ef.create_extension("basicConstraints","CA:TRUE", true),
-              ef.create_extension("subjectKeyIdentifier", "hash"),
-            ]
-            cert.add_extension ef.create_extension("authorityKeyIdentifier",
-                                                   "keyid:always,issuer:always")
+            EncryptHelper.ensure_key_dir_exists public_key
+            EncryptHelper.write_important_file filename: public_key, content: cert.to_pem
+            LoggingHelper.info 'Keys created OK'
+          end
-            cert.sign key, OpenSSL::Digest.new(digest)
+          def self.load_ANY_key_pem(optname_key, optname_env_var)
+            opt_key = option(optname_key.to_sym)
+            opt_key_env_var = option(optname_env_var.to_sym)
-            EncryptHelper.ensure_key_dir_exists public_key
-            EncryptHelper.write_important_file :filename => public_key, :content => cert.to_pem
-            LoggingHelper.info "Keys created OK"
+            if opt_key and opt_key_env_var
+              warn "both #{optname_key} and #{optname_env_var} specified, using #{optname_env_var}"
+            end
+            if opt_key_env_var
+              raise StandardError, "env #{opt_key_env_var} is not set" unless ENV[opt_key_env_var]
+              opt_key_pem = ENV.fetch(opt_key_env_var, nil)
+            elsif opt_key
+              raise StandardError, "file #{opt_key} does not exist" unless File.exist? opt_key
+              opt_key_pem = File.read opt_key
+            else
+              raise StandardError, "pkcs7_#{optname_key} is not defined" unless opt_key or opt_key_env_var
+            end
+            opt_key_pem
           end
-        end
+          def self.load_public_key_pem
+            load_ANY_key_pem('public_key', 'public_key_env_var')
+          end
+          def self.load_private_key_pem
+            load_ANY_key_pem('private_key', 'private_key_env_var')
+          end
+        end
       end
     end
   end
 end

data/lib/hiera/backend/eyaml/highlinehelper.rb CHANGED Viewed

@@ -4,20 +4,18 @@ class Hiera
   module Backend
     module Eyaml
       class HighlineHelper
         def self.read_password
-          ask("Enter password: ") {|q| q.echo = "*" }
+          ask('Enter password: ') { |q| q.echo = '*' }
         end
-        def self.confirm? message
+        def self.confirm?(message)
           result = ask("#{message} (y/N): ")
-          if result.downcase == "y" or result.downcase == "yes"
+          if result.downcase == 'y' or result.downcase == 'yes'
             true
           else
             false
           end
         end
       end
     end
   end

data/lib/hiera/backend/eyaml/logginghelper.rb CHANGED Viewed

@@ -5,14 +5,13 @@ class Hiera
   module Backend
     module Eyaml
       class LoggingHelper
-        def self.structure_message messageinfo
-          message = {:from => "hiera-eyaml-core"}
+        def self.structure_message(messageinfo)
+          message = { from: 'hiera-eyaml-core' }
           case messageinfo.class.to_s
           when 'Hash'
             message.merge!(messageinfo)
           else
-            message.merge!({:msg => messageinfo.to_s})
+            message.merge!({ msg: messageinfo.to_s })
           end
           message[:prefix] = "[#{message[:from]}]"
           message[:spacer] = " #{' ' * message[:from].length} "
@@ -26,54 +25,53 @@ class Hiera
           formatted_output.join "\n"
         end
-        def self.warn messageinfo
-          self.print_message({ :message => self.structure_message( messageinfo ), :hiera_loglevel => :warn, :cli_color => :red })
+        def self.warn(messageinfo)
+          print_message({ message: structure_message(messageinfo), hiera_loglevel: :warn, cli_color: :red })
         end
-        def self.info messageinfo
-          self.print_message({ :message => self.structure_message( messageinfo ), :hiera_loglevel => :debug, :cli_color => :white, :threshold => 0 })
+        def self.info(messageinfo)
+          print_message({ message: structure_message(messageinfo), hiera_loglevel: :debug, cli_color: :white, threshold: 0 })
         end
-        def self.debug messageinfo
-          self.print_message({ :message => self.structure_message( messageinfo ), :hiera_loglevel => :debug, :cli_color => :green, :threshold => 1 })
+        def self.debug(messageinfo)
+          print_message({ message: structure_message(messageinfo), hiera_loglevel: :debug, cli_color: :green, threshold: 1 })
         end
-        def self.trace messageinfo
-          self.print_message({ :message => self.structure_message( messageinfo ), :hiera_loglevel => :debug, :cli_color => :blue, :threshold => 2 })
+        def self.trace(messageinfo)
+          print_message({ message: structure_message(messageinfo), hiera_loglevel: :debug, cli_color: :blue, threshold: 2 })
         end
-        def self.print_message( args )
-          message        = args[:message] ||= ""
+        def self.print_message(args)
+          message        = args[:message] ||= ''
           hiera_loglevel = args[:hiera_loglevel] ||= :debug
           cli_color      = args[:cli_color] ||= :blue
           threshold      = args[:threshold]
-          if self.hiera?
+          if hiera?
             Hiera.send(hiera_loglevel, message) if threshold.nil? or Eyaml.verbosity_level > threshold
-          else
-            STDERR.puts self.colorize( message, cli_color ) if threshold.nil? or Eyaml.verbosity_level > threshold
+          elsif threshold.nil? or Eyaml.verbosity_level > threshold
+            STDERR.puts self.colorize( message, cli_color )
           end
         end
-        def self.colorize message, color
+        def self.colorize(message, color)
           suffix = "\e[0m"
           prefix = case color
-          when :red
-            "\e[31m"
-          when :green
-            "\e[32m"
-          when :blue
-            "\e[34m"
-          else #:white
-            "\e[0m"
-          end
+                   when :red
+                     "\e[31m"
+                   when :green
+                     "\e[32m"
+                   when :blue
+                     "\e[34m"
+                   else # :white
+                     "\e[0m"
+                   end
           "#{prefix}#{message}#{suffix}"
         end
         def self.hiera?
-          "hiera".eql? Eyaml::Options[:source]
+          'hiera'.eql? Eyaml::Options[:source]
         end
       end
     end
   end

data/lib/hiera/backend/eyaml/options.rb CHANGED Viewed

@@ -2,37 +2,34 @@ class Hiera
   module Backend
     module Eyaml
       class Options
-        def self.[]= key, value
+        def self.[]=(key, value)
           @@options ||= {}
-          @@options[ key.to_sym ] = value
+          @@options[key.to_sym] = value
         end
-        def self.[] key
+        def self.[](key)
           @@options ||= {}
-          @@options[ key.to_sym ]
+          @@options[key.to_sym]
         end
-        def self.set hash
+        def self.set(hash)
           @@options = {}
           hash.each do |k, v|
-            @@options[ k.to_sym ] = v
+            @@options[k.to_sym] = v
           end
         end
         def self.trace
-          LoggingHelper::trace "Dump of eyaml tool options dict:"
-          LoggingHelper::trace "--------------------------------"
+          LoggingHelper.trace 'Dump of eyaml tool options dict:'
+          LoggingHelper.trace '--------------------------------'
           @@options.each do |k, v|
-            begin
-              LoggingHelper::trace sprintf "%18s %-18s = %18s %-18s", "(#{k.class.name})", k.to_s, "(#{v.class.name})", v.to_s
-            rescue
-              LoggingHelper::trace sprintf "%18s %-18s = %18s %-18s", "(#{k.class.name})", k.to_s, "(#{v.class.name})", "<unprintable>" # case where v is binary
-            end
+            LoggingHelper.trace format '%18s %-18s = %18s %-18s', "(#{k.class.name})", k.to_s, "(#{v.class.name})",
+                                       v.to_s
+          rescue StandardError
+            LoggingHelper.trace format '%18s %-18s = %18s %-18s', "(#{k.class.name})", k.to_s, "(#{v.class.name})", '<unprintable>' # case where v is binary
           end
-          LoggingHelper::trace "--------------------------------"
+          LoggingHelper.trace '--------------------------------'
         end
       end
     end
   end

data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb CHANGED Viewed

@@ -66,7 +66,7 @@ class Hiera
             case format
             when :block
               @cipher = @cipher.gsub(/\s/, '')
-              chevron = args[:use_chevron].nil? || args[:use_chevron] ? ">\n" : ''
+              chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
               "#{label_string}#{chevron}" + @indentation + "ENC[#{@encryptor.tag},#{@cipher}]".scan(/.{1,60}/).join("\n" + @indentation)
             when :string
               ciphertext = @cipher.gsub(/[\n\r]/, '')
@@ -85,7 +85,7 @@ class Hiera
             case format
             when :block
-              chevron = args[:use_chevron].nil? || args[:use_chevron] ? ">\n" : ''
+              chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
               "#{label_string}#{chevron}" + indentation + "DEC#{index}::#{@encryptor.tag}[" + @plain_text + ']!'
             when :string
               "#{label_string}DEC#{index}::#{@encryptor.tag}[" + @plain_text + ']!'

data/lib/hiera/backend/eyaml/parser/parser.rb CHANGED Viewed

@@ -8,19 +8,19 @@ class Hiera
       module Parser
         class ParserFactory
           def self.encrypted_parser
-            enc_string = EncStringTokenType.new()
-            enc_block = EncBlockTokenType.new()
+            enc_string = EncStringTokenType.new
+            enc_block = EncBlockTokenType.new
             Parser.new([enc_string, enc_block])
           end
           def self.decrypted_parser
-            dec_string = DecStringTokenType.new()
-            dec_block = DecBlockTokenType.new()
+            dec_string = DecStringTokenType.new
+            dec_block = DecBlockTokenType.new
             Parser.new([dec_string, dec_block])
           end
           def self.hiera_backend_parser
-            enc_hiera = EncHieraTokenType.new()
+            enc_hiera = EncHieraTokenType.new
             Parser.new([enc_hiera])
           end
         end
@@ -32,51 +32,50 @@ class Hiera
             @token_types = token_types
           end
-          def parse text
+          def parse(text)
             parse_scanner(StringScanner.new(text)).reverse
           end
-          def parse_scanner s
+          def parse_scanner(s)
             if s.eos?
               []
             else
               # Check if the scanner currently matches a regex
-              current_match = @token_types.find { |token_type|
+              current_match = @token_types.find do |token_type|
                 s.match?(token_type.regex)
-              }
+              end
               token =
-                  if current_match.nil?
-                    # No regex matches here. Find the earliest match.
-                    next_match_indexes = @token_types.map { |token_type|
-                      next_match = s.check_until(token_type.regex)
-                      if next_match.nil?
-                        nil
-                      else
-                        next_match.length - s.matched.length
-                      end
-                    }.reject { |i| i.nil? }
-                    non_match_size =
-                        if next_match_indexes.length == 0
-                          s.rest_size
-                        else
-                          next_match_indexes.min
-                        end
-                    non_match = s.peek(non_match_size)
-                    # advance scanner
-                    s.pos = s.pos + non_match_size
-                    NonMatchToken.new(non_match)
-                  else
-                    # A regex matches so create a token and do a recursive call with the advanced scanner
-                    current_match.create_token s.scan(current_match.regex)
-                  end
+                if current_match.nil?
+                  # No regex matches here. Find the earliest match.
+                  next_match_indexes = @token_types.map do |token_type|
+                    next_match = s.check_until(token_type.regex)
+                    if next_match.nil?
+                      nil
+                    else
+                      next_match.length - s.matched.length
+                    end
+                  end.reject { |i| i.nil? }
+                  non_match_size =
+                    if next_match_indexes.length == 0
+                      s.rest_size
+                    else
+                      next_match_indexes.min
+                    end
+                  non_match = s.peek(non_match_size)
+                  # advance scanner
+                  s.pos = s.pos + non_match_size
+                  NonMatchToken.new(non_match)
+                else
+                  # A regex matches so create a token and do a recursive call with the advanced scanner
+                  current_match.create_token s.scan(current_match.regex)
+                end
-              self.parse_scanner(s) << token
+              parse_scanner(s) << token
             end
           end
         end
       end
     end
   end
-end
+end

data/lib/hiera/backend/eyaml/parser/token.rb CHANGED Viewed

@@ -4,26 +4,32 @@ class Hiera
       module Parser
         class TokenType
           attr_reader :regex
           @regex
-          def create_token string
+          def create_token(_string)
             raise 'Abstract method called'
           end
         end
         class Token
           attr_reader :match
           def initialize(match)
             @match = match
           end
-          def to_encrypted(args={})
+          def to_encrypted(_args = {})
             raise 'Abstract method called'
           end
-          def to_decrypted(args={})
+          def to_decrypted(_args = {})
             raise 'Abstract method called'
           end
           def to_plain_text
             raise 'Abstract method called'
           end
           def to_s
             "#{self.class.name}:#{@match}"
           end
@@ -33,12 +39,15 @@ class Hiera
           def initialize(non_match)
             super(non_match)
           end
-          def to_encrypted(args={})
+          def to_encrypted(_args = {})
             @match
           end
-          def to_decrypted(args={})
+          def to_decrypted(_args = {})
             @match
           end
           def to_plain_text
             @match
           end
@@ -46,4 +55,4 @@ class Hiera
       end
     end
   end
-end
+end