hiera-eyaml 1.1.0

data/.gitignore

@@ -0,0 +1,5 @@
+.idea
+*.iml
+*.gradle
+keys/*.pem
+pkg/

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org/'
+
+gem 'highline'
+gem 'trollop'
+

data/Gemfile.lock

@@ -0,0 +1,12 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    highline (1.6.19)
+    trollop (2.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  highline
+  trollop

data/README.md

@@ -0,0 +1,135 @@
+Hiera eYaml
+===========
+
+A backend for Hiera that provides per-value asymmetric encryption of sensitive data
+within yaml type files to be used by Puppet.
+
+More info can be found [in this corresponding post](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/).
+
+The Hiera eYaml backend uses yaml formatted files with the .eyaml extension. Simply wrap your
+encrypted string with ENC[] and place it in an eyaml file. You can mix your plain values
+in as well or separate them into different files.
+
+<pre>
+---
+plain-property: You can see me
+
+encrypted-property: >
+    ENC[Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+    NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+    jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+    l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+    /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+    IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+</pre>
+
+eYaml also supports encrypted values within arrays, hashes, nested arrays and nested hashes 
+(see below for examples)
+
+N.B. when using the multi-line string syntax (i.e. >) **don't wrap encrypted strings with "" or ''**
+
+Setup
+=====
+
+### Installing hiera-eyaml
+
+    $ gem install hiera-eyaml
+
+### Generate keys
+
+The first step is to create a pair of keys on the Puppet master
+
+    $ eyaml -c
+
+This creates a public and private key with default names in the default location. (keys/ directory)
+
+### Encryption
+
+    To encrypt something, you only need the public_key, so distribute that to people creating hiera properties
+
+    $ eyaml -e text                   # Encrypt some text
+    $ eyaml -e -p                     # Encrypt a password (prompt for it)
+    $ eyaml -e -f filename            # Encrypt a file
+
+### Decryption
+
+    To decrypt something, you need the public_key and the private_key on the puppet master.
+
+    To test decryption you can also use the eyaml tool if you have both keys
+
+    $ eyaml -d SOME-ENCRYPTED-TEXT    # Decrypt some text
+    $ eyaml -d -f filename            # Decrypt a file (PEM format)
+
+Change the permissions so that the private key is only readable by the user that hiera (puppet) is
+running as.
+
+### Configure Hiera
+
+Next configure hiera.yaml to use the eyaml backend
+
+<pre>
+---
+:backends:
+    - eyaml
+    - yaml
+
+:hierarchy:
+    - %{environment}
+    - common
+
+:yaml:
+    :datadir: '/etc/puppet/hieradata'
+:eyaml:
+    :datadir: '/etc/puppet/hieradata'
+
+    # Optional. Default is /etc/hiera/keys/private_key.pem
+    :private_key: /new/path/to/key/private_key.pem
+
+    # Optional. Default is /etc/hiera/keys/public_key.pem
+    :public_key:  /new/path/to/key/public_key.pem
+</pre>
+
+### YAML files
+
+  Once the value is encrypted, wrap it with ENC[] and place it in the .eyaml file.
+
+Usages:
+<pre>
+---
+plain-property: You can see me
+
+cipher-property : >
+    ENC[Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+    NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+    jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+    l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+    /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+    IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+
+environments:
+    development:
+        host: localhost
+        password: password
+    production:
+        host: prod.org.com
+        password: >
+            ENC[Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+            NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+            jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+            l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+            /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+            IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+
+things:
+    - thing 1
+    -   - nested thing 1.0
+        - >
+            ENC[Y22exl+OvjDe+drmik2XEeD3VQtl1uZJXFFF2NnrMXDWx0csyqLB/2NOWefv
+            NBTZfOlPvMlAesyr4bUY4I5XeVbVk38XKxeriH69EFAD4CahIZlC8lkE/uDh
+            jJGQfh052eonkungHIcuGKY/5sEbbZl/qufjAtp/ufor15VBJtsXt17tXP4y
+            l5ZP119Fwq8xiREGOL0lVvFYJz2hZc1ppPCNG5lwuLnTekXN/OazNYpf4CMd
+            /HjZFXwcXRtTlzewJLc+/gox2IfByQRhsI/AgogRfYQKocZgFb/DOZoXR7wm
+            IZGeunzwhqfmEtGiqpvJJQ5wVRdzJVpTnANBA5qxeA==]
+    -   - nested thing 2.0
+        - nested thing 2.1
+</pre>

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/bin/eyaml

@@ -0,0 +1,152 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'base64'
+require 'trollop'
+require 'highline/import'
+require 'hiera/backend/version'
+
+def ensureKeyDirExists(key_file)
+  key_dir = File.dirname(key_file)
+
+  if !File.directory?(key_dir)
+    Dir.mkdir(key_dir)
+    puts "Created #{key_dir} dir for #{key_file}."
+  end
+end
+
+options = Trollop::options do
+    
+  version "Hiera-eyaml version " + Hiera::Backend::Eyaml::VERSION.to_s
+  banner <<-EOS
+Hiera-eyaml is a backend for Hiera which provides OpenSSL encryption/decryption for Hiera properties
+
+Usage:
+  eyaml [options] [string-to-encrypt]
+  EOS
+  
+  opt :createkeys, "Create public and private keys for use encrypting properties", :short => 'c'
+  opt :password, "Encrypt a password entered on the terminal", :short => 'p'
+  opt :file, "Encrypt a file instead of a string", :short => 'f', :type => :string 
+  opt :private_key, "Filename of the private_key", :type => :string
+  opt :public_key, "Filename of the public_key", :type => :string
+  opt :encrypt, "Encrypt something"
+  opt :decrypt, "Decrypt something"
+end
+
+Trollop::die "You cannot specify --encrypt and --decrypt" if options[:encrypt] and options[:decrypt]
+
+# Defaults
+options[:private_key_filename] ||= "/etc/hiera/keys/private_key.pem"
+options[:public_key_filename] ||= "/etc/hiera/keys/public_key.pem"
+options[:string] = ARGV.join(' ')
+
+if options[:password]
+  password = ask("Enter password: ") {|q| q.echo = "*" }
+  options[:string] = password
+end
+
+if options[:createkeys]
+
+  # Try to do equivalent of:
+  # openssl req -x509 -nodes -days 100000 -newkey rsa:2048 -keyout privatekey.pem -out publickey.pem -subj '/'
+
+  ensureKeyDirExists(options[:private_key_filename])
+  ensureKeyDirExists(options[:public_key_filename])
+
+  key = OpenSSL::PKey::RSA.new(2048)
+  open( options[:private_key_filename], "w" ) do |io|
+    io.write(key.to_pem)
+  end
+
+  puts "#{options[:private_key_filename]} created."
+
+  name = OpenSSL::X509::Name.parse("/")
+  cert = OpenSSL::X509::Certificate.new()
+  cert.serial = 0
+  cert.version = 2
+  cert.not_before = Time.now
+  cert.not_after = Time.now + 50 * 365 * 24 * 60 * 60
+  cert.public_key = key.public_key
+
+  ef = OpenSSL::X509::ExtensionFactory.new
+  ef.subject_certificate = cert
+  ef.issuer_certificate = cert
+  cert.extensions = [
+    ef.create_extension("basicConstraints","CA:TRUE", true),
+    ef.create_extension("subjectKeyIdentifier", "hash"),
+    # ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
+  ]
+  cert.add_extension ef.create_extension("authorityKeyIdentifier",
+                                         "keyid:always,issuer:always")
+
+  cert.sign key, OpenSSL::Digest::SHA1.new
+
+  open( options[:public_key_filename], "w" ) do |io|
+    io.write(cert.to_pem)
+  end
+  puts "#{options[:public_key_filename]} created."
+  exit
+end
+
+if options[:encrypt]
+
+  plaintext = nil
+  plaintext = options[:string] if options[:string]
+  plaintext = File.read( options[:file] ) if options[:file]
+
+  if plaintext.nil?
+    puts "Specify a string or --file to encrypt something. See --help for more usage instructions."
+    exit
+  end
+
+  public_key_pem = File.read( options[:public_key_filename] )
+  public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+
+  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+  ciphertext_binary = OpenSSL::PKCS7::encrypt([public_key], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
+  ciphertext_as_block = Base64.encode64(ciphertext_binary).strip
+  ciphertext_as_string = ciphertext_as_block.split("\n").join('')
+
+  puts "string: ENC[#{ciphertext_as_string}]\n\nOR\n\n"
+  puts "block: >"
+  puts "    ENC[" + ciphertext_as_block.gsub(/\n/, "\n    ") + "]"
+  exit
+
+end
+
+if options[:decrypt]
+
+  ciphertext = nil
+  ciphertext = options[:string] if options[:string]
+  ciphertext = File.read( options[:file] ) if options[:file]
+
+  if ciphertext.start_with? "ENC["
+
+    ciphertext = ciphertext[4..-2]
+    ciphertext_decoded = Base64.decode64(ciphertext)
+
+    if ciphertext.nil?
+      puts "Specify a string or --file to decrypt something. See --help for more usage instructions."
+      exit
+    end
+
+    private_key_pem = File.read( options[:private_key_filename] )
+    private_key = OpenSSL::PKey::RSA.new( private_key_pem )
+
+    public_key_pem = File.read( options[:public_key_filename] )
+    public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+
+    pkcs7 = OpenSSL::PKCS7.new( ciphertext_decoded )
+
+    plaintext = pkcs7.decrypt(private_key, public_key)
+    puts "#{plaintext}"
+    exit
+
+  else
+
+    puts "Ciphertext is not an eyaml encrypted string (Does not start with ENC[...])"
+
+  end
+
+end

data/bin/regem.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+gem uninstall hiera-eyaml --executables
+rake build
+gem install pkg/hiera-eyaml
+eyaml -v

data/hiera-eyaml.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'hiera/backend/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "hiera-eyaml"
+  gem.version       = Hiera::Backend::Eyaml::VERSION
+  gem.description   = "Hiera backend for decrypting encrypted yaml properties"
+  gem.summary       = "OpenSSL Encryption backend for Hiera"
+  gem.author        = "Tom Poulton"
+
+  gem.homepage      = "http://github.com/TomPoulton/hiera-eyaml"
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency('trollop', '>=2.0')
+  gem.add_dependency('highline', '>=1.6.19')
+end

data/lib/hiera/backend/eyaml_backend.rb

@@ -0,0 +1,129 @@
+class Hiera
+    module Backend
+        class Eyaml_backend
+
+            def initialize
+                require 'openssl'
+                require 'base64'
+            end
+
+            def lookup(key, scope, order_override, resolution_type)
+    
+                debug("Lookup called for key #{key}")
+                answer = nil
+    
+                Backend.datasources(scope, order_override) do |source|
+                    eyaml_file = Backend.datafile(:eyaml, scope, source, "eyaml") || next
+
+                    debug("Processing datasource: #{eyaml_file}")
+
+                    data = YAML.load(File.read( eyaml_file ))
+
+                    next if !data
+                    next if data.empty?
+                    debug ("Data contains valid YAML")
+
+                    next unless data.include?(key)
+                    debug ("Key #{key} found in YAML document")
+
+                    parsed_answer = parse_answer(data[key], scope)
+
+                    begin
+                        case resolution_type
+                        when :array
+                            debug("Appending answer array")
+                            raise Exception, "Hiera type mismatch: expected Array and got #{parsed_answer.class}" unless parsed_answer.kind_of? Array or parsed_answer.kind_of? String
+                            answer ||= []
+                            answer << parsed_answer
+                        when :hash
+                            debug("Merging answer hash")
+                            raise Exception, "Hiera type mismatch: expected Hash and got #{parsed_answer.class}" unless parsed_answer.kind_of? Hash
+                            answer ||= {}
+                            answer = parsed_answer.merge answer
+                        else
+                            debug("Assigning answer variable")
+                            answer = parsed_answer
+                            break
+                        end
+                    rescue NoMethodError
+                        raise Exception, "Resolution type is #{resolution_type} but parsed_answer is a #{parsed_answer.class}"
+                    end
+                end
+    
+                return answer
+            end
+
+            def parse_answer(data, scope, extra_data={})
+                if data.is_a?(Numeric) or data.is_a?(TrueClass) or data.is_a?(FalseClass)
+                    # Can't be encrypted
+                    return data
+                elsif data.is_a?(String)
+                    parsed_string = Backend.parse_string(data, scope)
+                    return decrypt(parsed_string, scope)
+                elsif data.is_a?(Hash)
+                    answer = {}
+                    data.each_pair do |key, val|
+                        answer[key] = parse_answer(val, scope, extra_data)
+                    end
+                    return answer
+                elsif data.is_a?(Array)
+                    answer = []
+                    data.each do |item|
+                        answer << parse_answer(item, scope, extra_data)
+                    end
+                    return answer
+                end
+            end
+
+            def decrypt(value, scope)
+
+                if is_encrypted(value)
+
+                    # remove enclosing 'ENC[]'
+                    ciphertext = value[4..-2]
+                    ciphertext_decoded = Base64.decode64(ciphertext)
+
+                    debug("Decrypting value")
+
+                    private_key_path = Backend.parse_string(Config[:eyaml][:private_key], scope) || '/etc/hiera/keys/private_key.pem'
+                    public_key_path = Backend.parse_string(Config[:eyaml][:public_key], scope) || '/etc/hiera/keys/public_key.pem'
+
+                    private_key_pem = File.read( private_key_path )
+                    private_key = OpenSSL::PKey::RSA.new( private_key_pem )
+
+                    public_key_pem = File.read( public_key_path )
+                    public_key = OpenSSL::X509::Certificate.new( public_key_pem )
+
+                    pkcs7 = OpenSSL::PKCS7.new( ciphertext_decoded )
+
+                    begin
+                      plaintext = pkcs7.decrypt(private_key, public_key)
+                    rescue
+                      raise Exception, "Hiera eyaml backend: Unable to decrypt hiera data. Do the keys match and are they the same as those used to encrypt?"
+                    end
+        
+                    return plaintext
+    
+                else
+                    return value
+                end
+            end
+
+            def is_encrypted(value)
+                if value.start_with?('ENC[')
+                    return true
+                else
+                    return false
+                end
+            end
+
+            def debug(msg)
+                Hiera.debug("[eyaml_backend]: #{msg}")
+            end
+
+            def warn(msg)
+                Hiera.warn("[eyaml_backend]:  #{msg}")
+            end
+        end
+    end
+end

data/lib/hiera/backend/version.rb

@@ -0,0 +1,7 @@
+module Hiera
+  module Backend
+    module Eyaml
+      VERSION = "1.1.0"
+    end
+  end
+end

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: hiera-eyaml
+version: !ruby/object:Gem::Version
+  version: 1.1.0
+  prerelease: 
+platform: ruby
+authors:
+- Tom Poulton
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-07-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.6.19
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.6.19
+description: Hiera backend for decrypting encrypted yaml properties
+email: 
+executables:
+- eyaml
+- regem.sh
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- bin/eyaml
+- bin/regem.sh
+- hiera-eyaml.gemspec
+- keys/.keepme
+- lib/hiera/backend/eyaml_backend.rb
+- lib/hiera/backend/version.rb
+homepage: http://github.com/TomPoulton/hiera-eyaml
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.25
+signing_key: 
+specification_version: 3
+summary: OpenSSL Encryption backend for Hiera
+test_files: []