hiera-eyaml 2.1.0 → 3.0.0
- checksums.yaml +5 -5
- data/.gitignore +7 -0
- data/.travis.yml +33 -20
- data/CHANGELOG.md +115 -0
- data/Gemfile +3 -4
- data/{CHANGES.md → HISTORY.md} +9 -15
- data/README.md +102 -16
- data/Rakefile +13 -0
- data/hiera-eyaml.gemspec +1 -1
- data/lib/hiera/backend/eyaml.rb +1 -1
- data/lib/hiera/backend/eyaml/CLI.rb +1 -1
- data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +15 -4
- data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb +44 -2
- data/lib/hiera/backend/eyaml/subcommand.rb +15 -8
- data/lib/hiera/backend/eyaml/subcommands/decrypt.rb +10 -3
- data/lib/hiera/backend/eyaml/subcommands/edit.rb +23 -10
- data/lib/hiera/backend/eyaml/subcommands/encrypt.rb +2 -2
- data/lib/hiera/backend/eyaml/subcommands/recrypt.rb +9 -3
- data/lib/hiera/backend/eyaml/utils.rb +10 -1
- data/lib/hiera/backend/eyaml_backend.rb +14 -1
- data/tools/regem.sh +1 -1
- metadata +10 -10
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 6fde1d8051eb21831b79c698fd423e9a4a08b824d2360e9ff6812d7992bc0388
|
4
|
+
data.tar.gz: 51f03df435163ec479f4e843d83c3c5d1c04c0581901bbe0f578d06314e3f625
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8363cd6de0401411ba832d79e3a7ce5df9e1b3a9a6a9d532d7b3e935e7a98a10ff29be65acd36a953494a3923e090c0cd8cfc594f63ff56d39f38e881553d874
|
7
|
+
data.tar.gz: 6f34d66445e374ea6c6c7c6d34c50f20a14d76eef48732b661bad86ce793a362564b93538f896d85c219ee415a33b222b0d15e4c770d0ee6013428091c0d1649
|
data/.gitignore
CHANGED
data/.travis.yml
CHANGED
@@ -1,30 +1,43 @@
|
|
1
|
+
---
|
2
|
+
dist: trusty
|
1
3
|
language: ruby
|
2
|
-
|
3
|
-
- "1.8.7-p374"
|
4
|
-
- "1.9.3"
|
5
|
-
- "2.0.0"
|
6
|
-
- "2.1.5"
|
7
|
-
- "2.2.3"
|
8
|
-
env:
|
9
|
-
- PUPPET_VERSION=3.7.5
|
10
|
-
- PUPPET_VERSION=3.8.4
|
11
|
-
- PUPPET_VERSION=4.2.2
|
4
|
+
cache: bundler
|
12
5
|
sudo: false
|
6
|
+
before_install:
|
7
|
+
- bundle -v
|
8
|
+
- rm Gemfile.lock || true
|
9
|
+
- gem update --system $RUBYGEMS_VERSION
|
10
|
+
- gem update bundler
|
11
|
+
- gem --version
|
12
|
+
- bundle -v
|
13
13
|
addons:
|
14
14
|
apt:
|
15
15
|
packages:
|
16
16
|
- expect
|
17
17
|
script:
|
18
18
|
bundle exec cucumber -f progress
|
19
|
+
matrix:
|
20
|
+
include:
|
21
|
+
- rvm: 2.1.9
|
22
|
+
env: PUPPET_VERSION="~> 4.0" RUBYGEMS_VERSION=2.7.8
|
23
|
+
- rvm: 2.4.2
|
24
|
+
env: PUPPET_VERSION="~> 5.0"
|
19
25
|
notifications:
|
20
26
|
email: false
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
-
|
29
|
-
|
30
|
-
|
27
|
+
irc:
|
28
|
+
on_success: always
|
29
|
+
on_failure: always
|
30
|
+
channels:
|
31
|
+
- "chat.freenode.org#voxpupuli-notifications"
|
32
|
+
branches:
|
33
|
+
only:
|
34
|
+
- master
|
35
|
+
- /^v\d/
|
36
|
+
deploy:
|
37
|
+
provider: rubygems
|
38
|
+
api_key:
|
39
|
+
secure: 'W6a8A3KfxNydnbK4qhpL4S4KBUnadw8eGr1s8vqeOc8gXlc/qkj/DET9jWpgaEsdnEN/ALJL0WEksYJCHDpdeJv1qKaidFg5dC5l+qZ5gdVHRoKKVFkVlt8WDHe5UdP+bI2vUHWQ/1c04P92+jU9SJ0afTU1xUFn4d3AWCgwmdk='
|
40
|
+
gem: hiera-eyaml
|
41
|
+
on:
|
42
|
+
tags: true
|
43
|
+
repo: voxpupuli/hiera-eyaml
|
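Review bot: the matrix rewrite (new lines 19 to 24) drops every Ruby older than 2.1 and every Puppet 3.x from CI, which is a support change that belongs under "Breaking changes" in CHANGELOG.md next to the trollop to optimist item. Two smaller points in `before_install`: `rm Gemfile.lock || true` makes every build resolve dependencies fresh, so a green build says nothing about a reproducible dependency set; and `RUBYGEMS_VERSION` is only set for the 2.1.9 row, so on 2.4.2 `gem update --system $RUBYGEMS_VERSION` expands to an unpinned update to whatever RubyGems is current that day. The `deploy` block carries its publishing credential as a Travis-encrypted `secure:` value rather than a plaintext token, which is the right way to keep it in a committed file.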
data/CHANGELOG.md
ADDED
@@ -0,0 +1,115 @@
|
|
1
|
+
# Changelog
|
2
|
+
|
3
|
+
All notable changes to this project will be documented in this file.
|
4
|
+
|
5
|
+
## [v3.0.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.0.0) (2019-01-17)
|
6
|
+
|
7
|
+
[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v2.1.0...v3.0.0)
|
8
|
+
|
9
|
+
This is the first release after this project was migrated to Vox Pupuli.
|
10
|
+
|
11
|
+
**Breaking changes:**
|
12
|
+
|
13
|
+
- Upgrading trollop to optimist to remove deprecation warnings [\#268](https://github.com/voxpupuli/hiera-eyaml/pull/268) ([chadlyon](https://github.com/chadlyon))
|
14
|
+
|
15
|
+
**Implemented enhancements:**
|
16
|
+
|
17
|
+
- Don't use SHA1 for the digest [\#257](https://github.com/voxpupuli/hiera-eyaml/issues/257)
|
18
|
+
- Update to make use of Backend.datasourcefiles\(\) [\#92](https://github.com/voxpupuli/hiera-eyaml/issues/92)
|
19
|
+
- allow setting an individual keysize [\#227](https://github.com/voxpupuli/hiera-eyaml/pull/227) ([tuxmea](https://github.com/tuxmea))
|
20
|
+
|
21
|
+
**Fixed bugs:**
|
22
|
+
|
23
|
+
- on OSX, eyaml isn't expanding `~` into /Users/$USER [\#170](https://github.com/voxpupuli/hiera-eyaml/issues/170)
|
24
|
+
- Performance bug: unnecessary double-decryption of blocks [\#182](https://github.com/voxpupuli/hiera-eyaml/pull/182) ([peculater](https://github.com/peculater))
|
25
|
+
|
26
|
+
**Closed issues:**
|
27
|
+
|
28
|
+
- PuppetDB gets base64 encoded string on exported ressources [\#273](https://github.com/voxpupuli/hiera-eyaml/issues/273)
|
29
|
+
- DEPRECATION - trollop gem is deprecated, need to switch to optimist [\#267](https://github.com/voxpupuli/hiera-eyaml/issues/267)
|
30
|
+
- Puppet can't find key on server [\#266](https://github.com/voxpupuli/hiera-eyaml/issues/266)
|
31
|
+
- Re-encryption is broken [\#258](https://github.com/voxpupuli/hiera-eyaml/issues/258)
|
32
|
+
- AWS KMS/IAM integration? [\#234](https://github.com/voxpupuli/hiera-eyaml/issues/234)
|
33
|
+
- Feature Request: Ability to use edit without the private key [\#231](https://github.com/voxpupuli/hiera-eyaml/issues/231)
|
34
|
+
- Not decrypting/working with puppetserver 2.7.2 \(Function lookup\(\) did not find a value for the name\) [\#228](https://github.com/voxpupuli/hiera-eyaml/issues/228)
|
35
|
+
- Allow stronger than 2048 bit keys [\#226](https://github.com/voxpupuli/hiera-eyaml/issues/226)
|
36
|
+
- failed: DataBinding 'hiera': No such file or directory - /var/lib/puppet/keys/private\_key.pkcs7.pem [\#225](https://github.com/voxpupuli/hiera-eyaml/issues/225)
|
37
|
+
- Migrate to Vox Pupuli [\#224](https://github.com/voxpupuli/hiera-eyaml/issues/224)
|
38
|
+
- Allow to `decrypt` while keeping the "DEC::..." [\#217](https://github.com/voxpupuli/hiera-eyaml/issues/217)
|
39
|
+
- secret in the logs [\#216](https://github.com/voxpupuli/hiera-eyaml/issues/216)
|
40
|
+
- eyaml produces base64 string for complex data [\#209](https://github.com/voxpupuli/hiera-eyaml/issues/209)
|
41
|
+
- Hiera-eyaml cannot decrypt with key, plain gpg works [\#206](https://github.com/voxpupuli/hiera-eyaml/issues/206)
|
42
|
+
- Unable to decrypt on remote nodes [\#202](https://github.com/voxpupuli/hiera-eyaml/issues/202)
|
43
|
+
- Backend not found in tests [\#200](https://github.com/voxpupuli/hiera-eyaml/issues/200)
|
44
|
+
- ArgumentError [\#193](https://github.com/voxpupuli/hiera-eyaml/issues/193)
|
45
|
+
- High CPU consumption [\#192](https://github.com/voxpupuli/hiera-eyaml/issues/192)
|
46
|
+
- hiera call from manifeast not able to locate key [\#174](https://github.com/voxpupuli/hiera-eyaml/issues/174)
|
47
|
+
- PE 3.8 - sporadically failing to load eyaml backend. [\#173](https://github.com/voxpupuli/hiera-eyaml/issues/173)
|
48
|
+
- eyaml and templates [\#171](https://github.com/voxpupuli/hiera-eyaml/issues/171)
|
49
|
+
- cucumber failures with puppet 3.7.5 [\#154](https://github.com/voxpupuli/hiera-eyaml/issues/154)
|
50
|
+
- issue with jruby under PE 3.7 [\#150](https://github.com/voxpupuli/hiera-eyaml/issues/150)
|
51
|
+
- hiera eyaml does not work on PE 3.7.2 [\#126](https://github.com/voxpupuli/hiera-eyaml/issues/126)
|
52
|
+
- invalid byte sequence in UTF-8 on encrypted binary [\#124](https://github.com/voxpupuli/hiera-eyaml/issues/124)
|
53
|
+
- having an issue when loding hiera-eyaml [\#117](https://github.com/voxpupuli/hiera-eyaml/issues/117)
|
54
|
+
- Puppet hiera\(\): Cannot load backend eyaml: no such file to load [\#115](https://github.com/voxpupuli/hiera-eyaml/issues/115)
|
55
|
+
- Public/private keys undefined for Vagrant [\#101](https://github.com/voxpupuli/hiera-eyaml/issues/101)
|
56
|
+
- bug in hiera 1.3.2-1 vs rubygem-hiera 1.3.2-1 [\#85](https://github.com/voxpupuli/hiera-eyaml/issues/85)
|
57
|
+
- Errors of yaml and no eyaml files exist. Fine if just eyaml files exist. [\#82](https://github.com/voxpupuli/hiera-eyaml/issues/82)
|
58
|
+
|
59
|
+
**Merged pull requests:**
|
60
|
+
|
61
|
+
- Use UTF-8 as the encoding for plain text data [\#274](https://github.com/voxpupuli/hiera-eyaml/pull/274) ([jarretlavallee](https://github.com/jarretlavallee))
|
62
|
+
- Fix regem.sh shebang, it does not need bash [\#265](https://github.com/voxpupuli/hiera-eyaml/pull/265) ([AMDmi3](https://github.com/AMDmi3))
|
63
|
+
- Allow selection of digest, default to SHA256 [\#261](https://github.com/voxpupuli/hiera-eyaml/pull/261) ([juniorsysadmin](https://github.com/juniorsysadmin))
|
64
|
+
- expand README on whole-file encryption usage [\#260](https://github.com/voxpupuli/hiera-eyaml/pull/260) ([jflorian](https://github.com/jflorian))
|
65
|
+
- Add encrypt-only flag for 'edit' command. [\#256](https://github.com/voxpupuli/hiera-eyaml/pull/256) ([benjunmun](https://github.com/benjunmun))
|
66
|
+
- Test only with current Puppet and Ruby combination [\#254](https://github.com/voxpupuli/hiera-eyaml/pull/254) ([vinzent](https://github.com/vinzent))
|
67
|
+
- Update \#{self.prefix} to match yamllint rules [\#248](https://github.com/voxpupuli/hiera-eyaml/pull/248) ([jordanconway](https://github.com/jordanconway))
|
68
|
+
- Fix badge, link to AWS KMS/IAM integration [\#245](https://github.com/voxpupuli/hiera-eyaml/pull/245) ([rnelson0](https://github.com/rnelson0))
|
69
|
+
- Remove tildes that don't expand from configuration examples [\#242](https://github.com/voxpupuli/hiera-eyaml/pull/242) ([rnelson0](https://github.com/rnelson0))
|
70
|
+
- Disable deprecation warnings [\#241](https://github.com/voxpupuli/hiera-eyaml/pull/241) ([rnelson0](https://github.com/rnelson0))
|
71
|
+
- Add a cache for decrypted values [\#240](https://github.com/voxpupuli/hiera-eyaml/pull/240) ([stlava](https://github.com/stlava))
|
72
|
+
- Suppressing logging of configuration files on init [\#237](https://github.com/voxpupuli/hiera-eyaml/pull/237) ([sigv](https://github.com/sigv))
|
73
|
+
- Update the keys' example directory [\#236](https://github.com/voxpupuli/hiera-eyaml/pull/236) ([sigv](https://github.com/sigv))
|
74
|
+
- Modify edit command to not recrypt unchanged values [\#233](https://github.com/voxpupuli/hiera-eyaml/pull/233) ([ccojocar](https://github.com/ccojocar))
|
75
|
+
- Modify recrypt command to allow recrypting file with different encryp… [\#232](https://github.com/voxpupuli/hiera-eyaml/pull/232) ([ccojocar](https://github.com/ccojocar))
|
76
|
+
- \(docs\) Update README with instructions for using Hiera 5 [\#229](https://github.com/voxpupuli/hiera-eyaml/pull/229) ([nfagerlund](https://github.com/nfagerlund))
|
77
|
+
- Attempt to resolve Travis CI issues [\#220](https://github.com/voxpupuli/hiera-eyaml/pull/220) ([rnelson0](https://github.com/rnelson0))
|
78
|
+
- Make it clear that the ID and parens must be deleted, not just the ID [\#188](https://github.com/voxpupuli/hiera-eyaml/pull/188) ([sdotz](https://github.com/sdotz))
|
79
|
+
- Make output of `eyaml decrypt` valid yaml with multiline values. [\#183](https://github.com/voxpupuli/hiera-eyaml/pull/183) ([peculater](https://github.com/peculater))
|
80
|
+
|
81
|
+
## v2.1.0 (2016-03-02)
|
82
|
+
|
83
|
+
- (#187) - Change the way third party highline library is imported to avoid memory leak when running under puppet server (@petems)
|
84
|
+
- (#181) - Improve test suite to run against a variety of puppet versions (@peculater)
|
85
|
+
|
86
|
+
## v2.0.8 (2015-04-15)
|
87
|
+
|
88
|
+
- (#149) - Fix to tempfile permissions and invalid editor scenario (@elyscape)
|
89
|
+
|
90
|
+
## v2.0.7 (2015-03-04)
|
91
|
+
|
92
|
+
- (#142) - Fixed highline dependency to exclude newer versions that are not compatible with ruby 1.8.7 (@elyscape)
|
93
|
+
- (#136) - \t and \r characters are now supported in encrypted blocks (@elyscape)
|
94
|
+
- (#138) - Added missing tags and new tagging tool (@elyscape)
|
95
|
+
|
96
|
+
## v2.0.6 (2014-12-13)
|
97
|
+
|
98
|
+
- (#131) - Fix another EDITOR bug (#130) that could erase command line flags to the specified editor (@elyscape)
|
99
|
+
|
100
|
+
## v2.0.5 (2014-12-11)
|
101
|
+
|
102
|
+
- (#128) - Fix a bug (#127) that caused `eyaml edit` to break when `$EDITOR` was a command on PATH rather than a path to a command (@elyscape)
|
103
|
+
|
104
|
+
## v2.0.4 (2014-11-24)
|
105
|
+
|
106
|
+
- Add change log
|
107
|
+
- (#118) - Some initial support for spaces in filenames (primarily targeted at windows platforms) (@elyscape)
|
108
|
+
- (#114) - Add new config file resolution so that a system wide /etc/eyaml/config.yaml is processed first (@gtmtech)
|
109
|
+
- (#112) - Improve debugging options and colorise output (@gtmtech)
|
110
|
+
- (#102) - Extension of temp files should be yaml to help editors provide syntax highlighting (@ColinHebert)
|
111
|
+
- (#90), #121, #122 - Add preamble in edit mode to make it easier to remember how to edit (@sihil)
|
112
|
+
- (#96), #111, #116 - Various updates to docs
|
113
|
+
|
114
|
+
|
115
|
+
\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*
|
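Review bot: the digest change appears only as an enhancement (#257) and a merged PR (#261), but moving the default certificate signature digest from SHA1 to SHA256 is a user-visible change in what `createkeys` produces, so it deserves a line under "Breaking changes" or a sentence stating whether existing key pairs keep working. The file also repeats the v2.1.0 to v2.0.4 entries that HISTORY.md keeps after the rename, so the two will drift; having the generator's `config.header` point readers at HISTORY.md for pre-3.0 history instead of duplicating it would avoid that.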
data/Gemfile
CHANGED
@@ -7,12 +7,11 @@ group :development do
|
|
7
7
|
gem "cucumber", '~> 1.1'
|
8
8
|
gem "rspec-expectations", '~> 3.1.0'
|
9
9
|
gem "hiera-eyaml-plaintext"
|
10
|
-
gem "puppet", ENV['PUPPET_VERSION'] || '~>
|
10
|
+
gem "puppet", ENV['PUPPET_VERSION'] || '~> 5.0'
|
11
|
+
gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
|
12
|
+
gem 'github_changelog_generator', :require => false, :git => 'https://github.com/github-changelog-generator/github-changelog-generator' if RUBY_VERSION >= '2.2.2'
|
11
13
|
end
|
12
14
|
|
13
15
|
group :test do
|
14
16
|
gem "rake"
|
15
17
|
end
|
16
|
-
|
17
|
-
|
18
|
-
|
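Review bot: the new `github_changelog_generator` line pulls the gem from a `:git` URL with no `:tag` or `:ref`, so every `bundle install` on Ruby >= 2.2.2 fetches whatever that repository's default branch holds at the time; pin it (`:tag => 'vX.Y.Z'` or a commit `:ref`, placeholder values) so the development dependency is reproducible and cannot be silently replaced by an upstream push. Separately, `RUBY_VERSION < '2.0.0'` and `RUBY_VERSION >= '2.2.2'` are string comparisons; they work for current versions but misorder two-digit components (`'2.10.0' < '2.2.2'` is true as strings), so `Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.2.2')` is the safe form.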
data/{CHANGES.md → HISTORY.md}
RENAMED
@@ -1,30 +1,27 @@
|
|
1
|
-
|
2
|
-
==========================
|
1
|
+
## v2.1.0 (2016-03-02)
|
3
2
|
|
4
|
-
|
5
|
-
|
3
|
+
- (#187) - Change the way third party highline library is imported to avoid memory leak when running under puppet server (@petems)
|
4
|
+
- (#181) - Improve test suite to run against a variety of puppet versions (@peculater)
|
5
|
+
|
6
|
+
## v2.0.8 (2015-04-15)
|
6
7
|
|
7
8
|
- (#149) - Fix to tempfile permissions and invalid editor scenario (@elyscape)
|
8
9
|
|
9
|
-
|
10
|
-
-----
|
10
|
+
## v2.0.7 (2015-03-04)
|
11
11
|
|
12
12
|
- (#142) - Fixed highline dependency to exclude newer versions that are not compatible with ruby 1.8.7 (@elyscape)
|
13
13
|
- (#136) - \t and \r characters are now supported in encrypted blocks (@elyscape)
|
14
14
|
- (#138) - Added missing tags and new tagging tool (@elyscape)
|
15
15
|
|
16
|
-
|
17
|
-
-----
|
16
|
+
## v2.0.6 (2014-12-13)
|
18
17
|
|
19
18
|
- (#131) - Fix another EDITOR bug (#130) that could erase command line flags to the specified editor (@elyscape)
|
20
19
|
|
21
|
-
|
22
|
-
-----
|
20
|
+
## v2.0.5 (2014-12-11)
|
23
21
|
|
24
22
|
- (#128) - Fix a bug (#127) that caused `eyaml edit` to break when `$EDITOR` was a command on PATH rather than a path to a command (@elyscape)
|
25
23
|
|
26
|
-
|
27
|
-
-----
|
24
|
+
## v2.0.4 (2014-11-24)
|
28
25
|
|
29
26
|
- Add change log
|
30
27
|
- (#118) - Some initial support for spaces in filenames (primarily targeted at windows platforms) (@elyscape)
|
@@ -33,6 +30,3 @@ Change log for hiera-eyaml
|
|
33
30
|
- (#102) - Extension of temp files should be yaml to help editors provide syntax highlighting (@ColinHebert)
|
34
31
|
- (#90), #121, #122 - Add preamble in edit mode to make it easier to remember how to edit (@sihil)
|
35
32
|
- (#96), #111, #116 - Various updates to docs
|
36
|
-
|
37
|
-
2.0.3
|
38
|
-
-----
|
data/README.md
CHANGED
@@ -1,12 +1,19 @@
|
|
1
1
|
Hiera eyaml
|
2
2
|
===========
|
3
3
|
|
4
|
-
[![Build Status](https://travis-ci.org/
|
4
|
+
[![Build Status](https://travis-ci.org/voxpupuli/hiera-eyaml.png?branch=master)](https://travis-ci.org/voxpupuli/hiera-eyaml)
|
5
|
+
[![Gem Version](https://img.shields.io/gem/v/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
|
6
|
+
[![Gem Downloads](https://img.shields.io/gem/dt/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
|
5
7
|
|
6
8
|
hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
|
7
9
|
to be used by Puppet.
|
8
10
|
|
9
|
-
|
11
|
+
-------------------------
|
12
|
+
:new: **hiera-eyaml is now part of voxpupuli**
|
13
|
+
|
14
|
+
hiera-eyaml has a new home https://github.com/voxpupuli/hiera-eyaml.
|
15
|
+
|
16
|
+
Hopefully this will mean more frequent feature updates and bug fixes!
|
10
17
|
|
11
18
|
Advantages over hiera-gpg
|
12
19
|
-------------------------
|
@@ -75,18 +82,21 @@ This creates a public and private key with default names in the default location
|
|
75
82
|
|
76
83
|
Since the point of using this module is to securely store sensitive information, it's important to store these keys securely.
|
77
84
|
If using Hiera with Puppet, Your puppetmaster will need to access these keys to perform decryption when the puppet agent runs on a remote node.
|
78
|
-
So for this reason, a suggested location might be to store them in `/etc/puppet/
|
85
|
+
So for this reason, a suggested location might be to store them in `/etc/puppetlabs/puppet/eyaml` or `/var/lib/puppet/keys` depending on your setup.
|
79
86
|
|
80
87
|
The permissions for this folder should allow the puppet user (normally 'puppet') execute access to the keys directory, read only access to the keys themselves and restrict everyone else:
|
81
88
|
|
82
|
-
$ chown -R puppet:puppet /etc/puppet/
|
83
|
-
$ chmod -R 0500 /etc/puppet/
|
84
|
-
$ chmod 0400 /etc/puppet/
|
85
|
-
$ ls -lha /etc/puppet/
|
89
|
+
$ chown -R puppet:puppet /etc/puppetlabs/puppet/eyaml
|
90
|
+
$ chmod -R 0500 /etc/puppetlabs/puppet/eyaml
|
91
|
+
$ chmod 0400 /etc/puppetlabs/puppet/eyaml/*.pem
|
92
|
+
$ ls -lha /etc/puppetlabs/puppet/eyaml
|
86
93
|
-r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
|
87
94
|
-r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
|
88
95
|
|
89
96
|
|
97
|
+
Basic usage
|
98
|
+
-----------
|
99
|
+
|
90
100
|
### Encryption
|
91
101
|
|
92
102
|
To encrypt something, you only need the public_key, so distribute that to people creating hiera properties
|
@@ -109,12 +119,13 @@ To test decryption you can also use the eyaml tool if you have both keys
|
|
109
119
|
$ eyaml decrypt -f filename # Decrypt a file
|
110
120
|
$ eyaml decrypt -s 'ENC[PKCS7,.....]' # Decrypt a string
|
111
121
|
|
112
|
-
### Editing eyaml
|
122
|
+
### Editing files with a mixture of eyaml-encrypted and plain-text content
|
113
123
|
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
124
|
+
This is, perhaps, the most common use of eyaml where you have created a few
|
125
|
+
eyaml files, with a mixture of encrypted and non-encrypted properties, you can
|
126
|
+
edit the encrypted values in place, using the special edit mode of the eyaml
|
127
|
+
utility. Edit mode opens a decrypted copy of the eyaml file in your `$EDITOR`
|
128
|
+
and will encrypt and modified values when you exit the editor.
|
118
129
|
|
119
130
|
$ eyaml edit filename.eyaml # Edit an eyaml file in place
|
120
131
|
|
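Review bot: typo in new line 128, "will encrypt and modified values" should read "will encrypt any modified values". Since this section now presents edit mode as the most common workflow, it is also the right place to say that the decrypted copy is written to a temporary file for the duration of the edit (the v2.0.8 entry "Fix to tempfile permissions" in the changelog concerns that file), so readers know plaintext briefly touches disk and can check that their `$EDITOR` does not leave swap or backup copies of it behind.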
@@ -156,11 +167,78 @@ by the eyaml tool.
|
|
156
167
|
|
157
168
|
some_new_key: DEC::PKCS7[a new value to encrypt]!
|
158
169
|
|
170
|
+
### Encrypting an entire file
|
171
|
+
|
172
|
+
While not as common, sometimes you need to encrypt an entire file. Maybe this
|
173
|
+
file is binary data that isn't meant for loading into an editor. One example
|
174
|
+
might be a Kerberos keytab file. No problem! Just encrypt the entire file:
|
175
|
+
|
176
|
+
$ eyaml encrypt -f filename
|
177
|
+
|
178
|
+
As with encrypting short strings on the command-line, the encrypted equivalent
|
179
|
+
will be sent to stdout as an ASCII text string and thus now plays nice with
|
180
|
+
your editor. Notice that the file itself, however, remains unchanged. The
|
181
|
+
output is presented in two blocks: once as a single, long string and once in
|
182
|
+
a nice line-wrapped form. Copy the one of your preference, starting with the
|
183
|
+
`ENC[` and ending at the matching `]`. Paste this into your Puppet or Hiera
|
184
|
+
file just like any other eyaml string and your done. If the file is rather
|
185
|
+
large, you may wish to use a helper like `xclip` to copy the stdout directly to
|
186
|
+
your clipboard.
|
187
|
+
|
159
188
|
|
160
189
|
Hiera
|
161
190
|
-----
|
162
191
|
|
163
|
-
To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend
|
192
|
+
To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend.
|
193
|
+
|
194
|
+
Eyaml works with [Hiera 3.x](https://docs.puppet.com/hiera/latest), as well as with [Hiera 5](https://docs.puppet.com/puppet/latest/hiera_intro.html) (Puppet 4.9.3 and later).
|
195
|
+
|
196
|
+
### With Hiera 5
|
197
|
+
|
198
|
+
In Hiera 5, each hierarchy level has one designated backend, as well as its own independent configuration for that backend.
|
199
|
+
|
200
|
+
Hierarchy levels that use eyaml must set the following keys:
|
201
|
+
|
202
|
+
* `name`.
|
203
|
+
* `lookup_key` (must be set to `eyaml_lookup_key`).
|
204
|
+
* `path`/`paths`/`glob`/`globs` (choose one).
|
205
|
+
* `datadir` (can be omitted if you've set a default).
|
206
|
+
* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
|
207
|
+
|
208
|
+
You do not need to specify key names as `:symbols`; normal strings are fine.
|
209
|
+
|
210
|
+
``` yaml
|
211
|
+
---
|
212
|
+
version: 5
|
213
|
+
defaults:
|
214
|
+
datadir: data
|
215
|
+
hierarchy:
|
216
|
+
- name: "Secret data: per-node, per-datacenter, common"
|
217
|
+
lookup_key: eyaml_lookup_key # eyaml backend
|
218
|
+
paths:
|
219
|
+
- "secrets/nodes/%{trusted.certname}.eyaml" # Include explicit file extension
|
220
|
+
- "secrets/location/%{facts.whereami}.eyaml"
|
221
|
+
- "common.eyaml"
|
222
|
+
options:
|
223
|
+
pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
|
224
|
+
pkcs7_public_key: /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
|
225
|
+
- name: "Normal data"
|
226
|
+
data_hash: yaml_data # Standard yaml backend
|
227
|
+
paths:
|
228
|
+
- "nodes/%{trusted.certname}.yaml"
|
229
|
+
- "location/%{facts.whereami}/%{facts.group}.yaml"
|
230
|
+
- "groups/%{facts.group}.yaml"
|
231
|
+
- "os/%{facts.os.family}.yaml"
|
232
|
+
- "common.yaml"
|
233
|
+
```
|
234
|
+
|
235
|
+
Unlike with Hiera 3, there's no default file extension for eyaml files, so you can specify your own file extension directly in the path name.
|
236
|
+
|
237
|
+
For more details, see the [hiera.yaml (version 5) reference page](https://docs.puppet.com/puppet/latest/hiera_config_yaml_5.html).
|
238
|
+
|
239
|
+
### With Hiera 3
|
240
|
+
|
241
|
+
In Hiera 3, hierarchy levels don't have a backend assigned to them, and Hiera loops through the entire hierarchy for each backend. Options for the backend are set globally, in an `:eyaml` config section.
|
164
242
|
|
165
243
|
```yaml
|
166
244
|
---
|
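Review bot: typo in new line 184, "your done" should be "you're done". In the same paragraph the `xclip` tip is fine because only the `ENC[...]` ciphertext is being copied; saying that explicitly keeps readers from carrying the clipboard habit over to the output of `eyaml decrypt`, which is plaintext. The Hiera 5 example and the key-permissions section now agree on `/etc/puppetlabs/puppet/eyaml`, which is good; the Hiera 3 example further down still uses `/path/to/...`, so a reader mixing the two sections gets consistent paths only in the Hiera 5 case.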
@@ -180,6 +258,9 @@ To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml
|
|
180
258
|
# If using the pkcs7 encryptor (default)
|
181
259
|
:pkcs7_private_key: /path/to/private_key.pkcs7.pem
|
182
260
|
:pkcs7_public_key: /path/to/public_key.pkcs7.pem
|
261
|
+
|
262
|
+
# Optionally cache decrypted data (default: false)
|
263
|
+
:cache_decrypted: false
|
183
264
|
```
|
184
265
|
|
185
266
|
Then, edit your hiera yaml files, and insert your encrypted values. The default eyaml file extension is .eyaml, however this can be configured in the :eyaml block to set :extension,
|
@@ -189,6 +270,8 @@ Then, edit your hiera yaml files, and insert your encrypted values. The default
|
|
189
270
|
:extension: 'yaml'
|
190
271
|
```
|
191
272
|
|
273
|
+
### Data formatting note
|
274
|
+
|
192
275
|
*Important Note:*
|
193
276
|
The eyaml backend will not parse internally json formatted yaml files, whereas the regular yaml backend will.
|
194
277
|
You'll need to ensure any existing yaml files using json format are converted to syntactically correct yaml format.
|
@@ -243,15 +326,15 @@ Config files will be read first from `/etc/eyaml/config.yaml`, then from `~/.eya
|
|
243
326
|
The file takes any long form argument that you can provide on the command line. For example, to override the pkcs7 keys:
|
244
327
|
```yaml
|
245
328
|
---
|
246
|
-
pkcs7_private_key: '
|
247
|
-
pkcs7_public_key: '
|
329
|
+
pkcs7_private_key: './keys/eyaml/private_key.pkcs7.pem'
|
330
|
+
pkcs7_public_key: './keys/eyaml/public_key.pkcs7.pem'
|
248
331
|
```
|
249
332
|
|
250
333
|
Or to override to use GPG by default:
|
251
334
|
```yaml
|
252
335
|
---
|
253
336
|
encrypt_method: 'gpg'
|
254
|
-
gpg_gnupghome: '
|
337
|
+
gpg_gnupghome: './alternative_gnupghome'
|
255
338
|
gpg_recipients: 'sihil@example.com,gtmtech@example.com,tpoulton@example.com'
|
256
339
|
```
|
257
340
|
|
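Review bot: the replacement example values `./keys/eyaml/private_key.pkcs7.pem` and `./alternative_gnupghome` are relative paths. Unless the CLI resolves them against the config file's own directory (the subcommand.rb hunk below only merges the values into option defaults), they resolve against the caller's working directory, which for `/etc/eyaml/config.yaml` or `~/.eyaml/config.yaml` makes key lookup depend on where `eyaml` happens to be run. An absolute path in the example, or one sentence stating that relative paths are interpreted from the working directory, removes the surprise.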
@@ -282,7 +365,10 @@ This is a list of available plugins:
|
|
282
365
|
Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
|
283
366
|
in conjunction with puppet, as it requires entry of a password over a terminal.
|
284
367
|
- [hiera-eyaml-kms](https://github.com/adenot/hiera-eyaml-kms) - Encryption using AWS Key Management Service (KMS)
|
368
|
+
|
369
|
+
### How-To's:
|
285
370
|
|
371
|
+
- [How to use different Hiera/Eyaml keys for different environments using the AWS Parameter Store to store the encryption keys for Hiera/Eyaml](https://gist.github.com/FransUrbo/88b26033cb513a8aa569bd5392a427b1).
|
286
372
|
|
287
373
|
Notes
|
288
374
|
-----
|
data/Rakefile
CHANGED
@@ -1 +1,14 @@
|
|
1
1
|
require "bundler/gem_tasks"
|
2
|
+
|
3
|
+
begin
|
4
|
+
require 'github_changelog_generator/task'
|
5
|
+
GitHubChangelogGenerator::RakeTask.new :changelog do |config|
|
6
|
+
version = Hiera::Backend::Eyaml::VERSION
|
7
|
+
config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/
|
8
|
+
config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file."
|
9
|
+
config.exclude_labels = %w{duplicate question invalid wontfix wont-fix skip-changelog}
|
10
|
+
config.user = 'voxpupuli'
|
11
|
+
config.project = 'hiera-eyaml'
|
12
|
+
end
|
13
|
+
rescue LoadError
|
14
|
+
end
|
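Review bot: in the `future_release` guard the regex `/^\d+\.\d+.\d+$/` leaves the second dot unescaped, so it matches any character in that position; it should be `/^\d+\.\d+\.\d+$/`. Also, `rescue LoadError` with an empty body hides the missing gem completely; a one-line warning in the rescue would tell a contributor why `rake changelog` is not defined.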
data/hiera-eyaml.gemspec
CHANGED
data/lib/hiera/backend/eyaml.rb
CHANGED
@@ -21,12 +21,20 @@ class Hiera
|
|
21
21
|
:subject => { :desc => "Subject to use for certificate when creating keys",
|
22
22
|
:type => :string,
|
23
23
|
:default => "/" },
|
24
|
+
:keysize => { :desc => "Key size used for encryption",
|
25
|
+
:type => :integer,
|
26
|
+
:default => 2048 },
|
27
|
+
:digest => { :desc => "Hash function used for PKCS7",
|
28
|
+
:type => :string,
|
29
|
+
:default => "SHA256"},
|
24
30
|
}
|
25
31
|
|
26
32
|
self.tag = "PKCS7"
|
27
33
|
|
28
34
|
def self.encrypt plaintext
|
29
35
|
|
36
|
+
LoggingHelper::trace 'PKCS7 encrypt'
|
37
|
+
|
30
38
|
public_key = self.option :public_key
|
31
39
|
raise StandardError, "pkcs7_public_key is not defined" unless public_key
|
32
40
|
|
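Review bot: neither new option is validated where it is defined. `:keysize` accepts any integer, including values far below the 2048 default, and nothing logs the size actually used, so a mistyped `keysize` such as 204 yields a weak key pair without complaint; a lower bound of 2048 (or at least a warning below it) keeps the safe default meaningful. `:digest` is handed straight to `OpenSSL::Digest.new`, which raises an opaque error on an unknown name; checking it against the digest names OpenSSL accepts and reporting the offending value would be friendlier. Doing both here rather than in `create_keys` means config-file values get the same treatment as command-line ones.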
@@ -35,11 +43,12 @@ class Hiera
|
|
35
43
|
|
36
44
|
cipher = OpenSSL::Cipher::AES.new(256, :CBC)
|
37
45
|
OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
|
38
|
-
|
39
46
|
end
|
40
47
|
|
41
48
|
def self.decrypt ciphertext
|
42
49
|
|
50
|
+
LoggingHelper::trace 'PKCS7 decrypt'
|
51
|
+
|
43
52
|
public_key = self.option :public_key
|
44
53
|
private_key = self.option :private_key
|
45
54
|
raise StandardError, "pkcs7_public_key is not defined" unless public_key
|
@@ -64,8 +73,10 @@ class Hiera
|
|
64
73
|
public_key = self.option :public_key
|
65
74
|
private_key = self.option :private_key
|
66
75
|
subject = self.option :subject
|
76
|
+
keysize = self.option :keysize
|
77
|
+
digest = self.option :digest
|
67
78
|
|
68
|
-
key = OpenSSL::PKey::RSA.new(
|
79
|
+
key = OpenSSL::PKey::RSA.new(keysize)
|
69
80
|
EncryptHelper.ensure_key_dir_exists private_key
|
70
81
|
EncryptHelper.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600
|
71
82
|
|
@@ -91,7 +102,7 @@ class Hiera
|
|
91
102
|
cert.add_extension ef.create_extension("authorityKeyIdentifier",
|
92
103
|
"keyid:always,issuer:always")
|
93
104
|
|
94
|
-
cert.sign key, OpenSSL::Digest
|
105
|
+
cert.sign key, OpenSSL::Digest.new(digest)
|
95
106
|
|
96
107
|
EncryptHelper.ensure_key_dir_exists public_key
|
97
108
|
EncryptHelper.write_important_file :filename => public_key, :content => cert.to_pem
|
@@ -107,4 +118,4 @@ class Hiera
|
|
107
118
|
|
108
119
|
end
|
109
120
|
|
110
|
-
end
|
121
|
+
end
|
@@ -2,6 +2,7 @@ require 'hiera/backend/eyaml/parser/token'
|
|
2
2
|
require 'hiera/backend/eyaml/utils'
|
3
3
|
require 'hiera/backend/eyaml/encryptor'
|
4
4
|
require 'hiera/backend/eyaml'
|
5
|
+
require 'base64'
|
5
6
|
|
6
7
|
|
7
8
|
class Hiera
|
@@ -9,6 +10,8 @@ class Hiera
|
|
9
10
|
module Eyaml
|
10
11
|
module Parser
|
11
12
|
class EncToken < Token
|
13
|
+
@@tokens_map = Hash.new()
|
14
|
+
@@encrypt_unchanged = true
|
12
15
|
attr_reader :format, :cipher, :encryptor, :indentation, :plain_text, :id
|
13
16
|
def self.encrypted_value(format, encryption_scheme, cipher, match, indentation = '')
|
14
17
|
decryptor = Encryptor.find encryption_scheme
|
@@ -21,10 +24,27 @@ class Hiera
|
|
21
24
|
id_number = id.nil? ? nil : id.gsub(/\(|\)/, "").to_i
|
22
25
|
EncToken.new(format, plain_text, encryptor, cipher, match, indentation, id_number)
|
23
26
|
end
|
27
|
+
def self.plain_text_value(format, plain_text, encryption_scheme, match, id, indentation = '')
|
28
|
+
encryptor = Encryptor.find encryption_scheme
|
29
|
+
id_number = id.gsub(/\(|\)/,"").to_i unless id.nil?
|
30
|
+
EncToken.new(format, plain_text, encryptor, "", match, indentation, id_number)
|
31
|
+
end
|
32
|
+
|
33
|
+
def self.tokens_map
|
34
|
+
return @@tokens_map
|
35
|
+
end
|
36
|
+
|
37
|
+
def self.set_encrypt_unchanged(encrypt_unchanged)
|
38
|
+
@@encrypt_unchanged = encrypt_unchanged
|
39
|
+
end
|
40
|
+
|
41
|
+
def self.encrypt_unchanged
|
42
|
+
return @@encrypt_unchanged
|
43
|
+
end
|
24
44
|
|
25
45
|
def initialize(format, plain_text, encryptor, cipher, match = '', indentation = '', id = nil)
|
26
46
|
@format = format
|
27
|
-
@plain_text = plain_text
|
47
|
+
@plain_text = Utils.convert_to_utf_8( plain_text )
|
28
48
|
@encryptor = encryptor
|
29
49
|
@cipher = cipher
|
30
50
|
@indentation = indentation
|
@@ -36,6 +56,11 @@ class Hiera
|
|
36
56
|
label = args[:label]
|
37
57
|
label_string = label.nil? ? '' : "#{label}: "
|
38
58
|
format = args[:format].nil? ? @format : args[:format]
|
59
|
+
encryption_method = args[:change_encryption]
|
60
|
+
if encryption_method != nil
|
61
|
+
@encryptor = Encryptor.find encryption_method
|
62
|
+
@cipher = Base64.encode64(@encryptor.encrypt @plain_text).strip
|
63
|
+
end
|
39
64
|
case format
|
40
65
|
when :block
|
41
66
|
# strip any white space
|
@@ -57,6 +82,10 @@ class Hiera
|
|
57
82
|
label_string = label.nil? ? '' : "#{label}: "
|
58
83
|
format = args[:format].nil? ? @format : args[:format]
|
59
84
|
index = args[:index].nil? ? '' : "(#{args[:index]})"
|
85
|
+
if @@encrypt_unchanged == false
|
86
|
+
EncToken.tokens_map[index] = @plain_text
|
87
|
+
end
|
88
|
+
|
60
89
|
case format
|
61
90
|
when :block
|
62
91
|
chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
|
@@ -117,6 +146,13 @@ class Hiera
|
|
117
146
|
end
|
118
147
|
def create_token(string)
|
119
148
|
md = @regex.match(string)
|
149
|
+
if (EncToken.encrypt_unchanged == false)
|
150
|
+
unless md[1].nil?
|
151
|
+
if md[3] == EncToken.tokens_map[md[1]]
|
152
|
+
return EncToken.plain_text_value(:string, md[3], md[2], string, md[1])
|
153
|
+
end
|
154
|
+
end
|
155
|
+
end
|
120
156
|
EncToken.decrypted_value(:string, md[3], md[2], string, md[1])
|
121
157
|
end
|
122
158
|
end
|
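Review bot: the unchanged-value check `md[3] == EncToken.tokens_map[md[1]]` compares text read straight from the edited file with a plaintext that `EncToken#initialize` passed through `Utils.convert_to_utf_8`; if `md[3]` carries a different encoding label the comparison fails and the value is simply re-encrypted, which is the safe direction, but it also means the "keep the ciphertext stable" feature silently stops working for editors that do not save UTF-8. Normalise `md[3]` the same way before comparing. Separately, `plain_text_value` returns an `EncToken` whose cipher is `""`, so this token relies on the "replace untouched values with the source values" step in edit.rb running before `to_encrypted` is ever called on it; a comment at the `return`, or a guard in `to_encrypted` that refuses an empty `@cipher`, would stop a future caller from writing `ENC[PKCS7,]` into a file. `md` is nil when `@regex` does not match and `md[1]` would raise; that is pre-existing, but the new branch doubles the places it can happen.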
@@ -127,7 +163,13 @@ class Hiera
|
|
127
163
|
end
|
128
164
|
def create_token(string)
|
129
165
|
md = @regex.match(string)
|
130
|
-
EncToken.
|
166
|
+
if (EncToken.encrypt_unchanged == false)
|
167
|
+
unless md[2].nil?
|
168
|
+
if md[4] == EncToken.tokens_map[md[2]]
|
169
|
+
return EncToken.plain_text_value(:string, md[4], md[3], string, md[2])
|
170
|
+
end
|
171
|
+
end
|
172
|
+
end
|
131
173
|
EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
|
132
174
|
end
|
133
175
|
end
|
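Review bot: this branch is a copy of the string-parser `create_token` with the capture indices shifted (`md[2]`, `md[4]`, `md[3]`); factor the "return the plaintext token if the value is unchanged" logic into a single helper on `EncToken` (taking format, plaintext, scheme, match, id and indentation) so the two copies cannot drift. Note also the inconsistency with the line right after it: `EncToken.plain_text_value(:string, md[4], md[3], string, md[2])` passes `:string` and no indentation, while `EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])` passes `:block` and `md[1]`, so a preserved block value loses both its format and its indentation if it is ever rendered.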
@@ -34,12 +34,12 @@ class Hiera
|
|
34
34
|
]
|
35
35
|
|
36
36
|
def self.load_config_file
|
37
|
-
config = {}
|
37
|
+
config = { :options => {}, :sources => [] }
|
38
38
|
[ "/etc/eyaml/config.yaml", "#{ENV['HOME']}/.eyaml/config.yaml", "#{ENV['EYAML_CONFIG']}" ].each do |config_file|
|
39
39
|
begin
|
40
40
|
yaml_contents = YAML.load_file(config_file)
|
41
|
-
|
42
|
-
config.
|
41
|
+
config[:options].merge! yaml_contents
|
42
|
+
config[:sources].push(config_file)
|
43
43
|
rescue
|
44
44
|
raise StandardError, "Could not open config file \"#{config_file}\" for reading"
|
45
45
|
end if config_file and File.file? config_file
|
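Review bot: `config[:options].merge! yaml_contents` raises TypeError when `YAML.load_file` returns anything other than a Hash (an empty config file yields `false`, a file holding a list yields an Array), and the bare `rescue` below then reports the misleading "Could not open config file ... for reading". Check `yaml_contents.is_a?(Hash)` and raise a distinct "config file must be a YAML mapping" error, and narrow the rescue to the errors actually expected (`Errno::ENOENT`, `Errno::EACCES`, `Psych::SyntaxError`). Since these files supply defaults such as key paths, and `$EYAML_CONFIG` lets the environment pick the path, prefer `YAML.safe_load(File.read(config_file))` over `YAML.load_file`, which on older Psych versions instantiates arbitrary Ruby objects. The merge order also means `$EYAML_CONFIG` overrides `~/.eyaml/config.yaml`, which overrides `/etc/eyaml/config.yaml`; worth stating in a comment.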
@@ -55,14 +55,14 @@ class Hiera
|
|
55
55
|
config_file = self.load_config_file
|
56
56
|
options.map!{ | opt|
|
57
57
|
key_name = "#{opt[:name]}"
|
58
|
-
if config_file.has_key? key_name
|
59
|
-
opt[:default] = config_file[key_name]
|
58
|
+
if config_file[:options].has_key? key_name
|
59
|
+
opt[:default] = config_file[:options][key_name]
|
60
60
|
opt
|
61
61
|
else
|
62
62
|
opt
|
63
63
|
end
|
64
64
|
}
|
65
|
-
options
|
65
|
+
{ :options => options, :sources => config_file[:sources] || [] }
|
66
66
|
end
|
67
67
|
|
68
68
|
def self.attach_option opt
|
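Review bot: `all_options` now returns a Hash `{ :options => ..., :sources => ... }` where it previously returned the options Array, so any caller that iterates the result directly (including external subcommands or plugins that call `all_options`) breaks; the 3.0.0 version bump is consistent with that, but it should be called out in CHANGELOG.md and the plugin documentation. `config_file[:sources] || []` is redundant because `load_config_file` always initialises `:sources => []`.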
@@ -84,13 +84,14 @@ class Hiera
|
|
84
84
|
def self.parse
|
85
85
|
|
86
86
|
me = self
|
87
|
+
all = self.all_options
|
87
88
|
|
88
|
-
options =
|
89
|
+
options = Optimist::options do
|
89
90
|
|
90
91
|
version "Hiera-eyaml version " + Hiera::Backend::Eyaml::VERSION.to_s
|
91
92
|
banner ["eyaml #{me.prettyname}: #{me.description}", me.helptext, "Options:"].compact.join("\n\n")
|
92
93
|
|
93
|
-
|
94
|
+
all[:options].each do |available_option|
|
94
95
|
|
95
96
|
skeleton = {:description => "",
|
96
97
|
:short => :none}
|
@@ -124,6 +125,12 @@ class Hiera
|
|
124
125
|
Hiera::Backend::Eyaml.default_encryption_scheme = options[:encrypt_method]
|
125
126
|
end
|
126
127
|
|
128
|
+
if all[:sources]
|
129
|
+
all[:sources].each do |source|
|
130
|
+
LoggingHelper::debug "Loaded config from #{source}"
|
131
|
+
end
|
132
|
+
end
|
133
|
+
|
127
134
|
options
|
128
135
|
|
129
136
|
end
|
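Review bot: the "Loaded config from" debug lines run only after `Optimist::options` has returned, so when a default taken from a config file makes parsing fail (an `Optimist::die` inside the block) nothing reports which of `/etc/eyaml/config.yaml`, `~/.eyaml/config.yaml` or `$EYAML_CONFIG` supplied the bad value, which is precisely when that information is wanted. Log each source as it is loaded, or before the `Optimist::options` block, and consider appending the source to `opt[:default]`'s description so `--help` shows where a default came from. `if all[:sources]` is always true because `all_options` returns `config_file[:sources] || []`.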
@@ -36,8 +36,8 @@ class Hiera
|
|
36
36
|
|
37
37
|
def self.validate options
|
38
38
|
sources = [:eyaml, :password, :string, :file, :stdin].collect {|x| x if options[x]}.compact
|
39
|
-
|
40
|
-
|
39
|
+
Optimist::die "You must specify a source" if sources.count.zero?
|
40
|
+
Optimist::die "You can only specify one of (#{sources.join(', ')})" if sources.count > 1
|
41
41
|
options[:source] = sources.first
|
42
42
|
|
43
43
|
options[:input_data] = case options[:source]
|
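Review bot: this validate body (collect the source flags, `Optimist::die` on zero or more than one, set `options[:source]`) is identical to the one in encrypt.rb apart from the order of the symbol list; move it into `Subcommand` as a shared helper so the error text and the "exactly one source" rule stay in step. `sources.count.zero?` on an Array is `sources.empty?`.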
@@ -61,11 +61,18 @@ class Hiera
|
|
61
61
|
decrypted = tokens.map{ |token| token.to_decrypted }
|
62
62
|
decrypted.join
|
63
63
|
else
|
64
|
+
yamled = false
|
64
65
|
decrypted = tokens.map{ |token|
|
65
66
|
case token.class.name
|
66
67
|
when /::EncToken$/
|
67
|
-
|
68
|
+
if (yamled) then
|
69
|
+
yamled = false
|
70
|
+
token.to_plain_text.match(/[\r\n]/) ? "|\n " + token.to_plain_text.gsub(/([\r\n]+)/, '\1 ') : token.to_plain_text
|
71
|
+
else
|
72
|
+
token.to_plain_text
|
73
|
+
end
|
68
74
|
else
|
75
|
+
yamled = true
|
69
76
|
token.match
|
70
77
|
end
|
71
78
|
}
|
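Review bot: the block-scalar rewrite `"|\n " + token.to_plain_text.gsub(/([\r\n]+)/, '\1 ')` hard-codes a one-space indent, but a YAML block scalar must be indented more than its parent key, so for any encrypted value under a nested key (indented two or more spaces) the decrypted output is no longer valid YAML. Derive the indent from the indentation of the preceding `token.match` (the text ending in `key: `) instead. Single-line plaintext is still emitted unquoted via `token.to_plain_text`, so a secret containing `: `, `#` or a leading quote changes meaning or fails to parse; emitting the value through `YAML.dump`-style quoting would cover both the multi-line and the single-line cases. A one-line comment that `yamled` means "the previous token was surrounding YAML text" would make the toggle easier to follow.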
@@ -3,6 +3,7 @@ require 'hiera/backend/eyaml/highlinehelper'
|
|
3
3
|
require 'hiera/backend/eyaml/options'
|
4
4
|
require 'hiera/backend/eyaml/parser/parser'
|
5
5
|
require 'hiera/backend/eyaml/subcommand'
|
6
|
+
require 'hiera/backend/eyaml/parser/encrypted_tokens'
|
6
7
|
|
7
8
|
class Hiera
|
8
9
|
module Backend
|
@@ -13,7 +14,11 @@ class Hiera
|
|
13
14
|
|
14
15
|
def self.options
|
15
16
|
[{ :name => :no_preamble,
|
16
|
-
:description => "Don't prefix edit sessions with the informative preamble" }
|
17
|
+
:description => "Don't prefix edit sessions with the informative preamble" },
|
18
|
+
{:name => :no_decrypt,
|
19
|
+
:short => "-d",
|
20
|
+
:description => "Do not decrypt existing encrypted content. New content marked properly will be encrypted."}
|
21
|
+
]
|
17
22
|
end
|
18
23
|
|
19
24
|
def self.description
|
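Review bot: `:short => "-d"` includes the dash while recrypt.rb's new option uses `:short => 'd'`; Optimist accepts both forms, but pick one across subcommands. More importantly, `-d` means "do not decrypt" for `edit` and "change encryption method" for `recrypt`, so the same short flag carries opposite intent between two commands run on the same files; consider a different letter, since the long form `--no-decrypt` is clear on its own. The description should also say how new content is "marked properly" (wrapped in `DEC::PKCS7[...]!` or another encryptor tag) and that existing `ENC[...]` blocks are left untouched, because in this mode the user never sees the `DEC(<num>)` markers the preamble describes.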
@@ -25,7 +30,7 @@ class Hiera
|
|
25
30
|
end
|
26
31
|
|
27
32
|
def self.prefix
|
28
|
-
'
|
33
|
+
'# |'
|
29
34
|
end
|
30
35
|
|
31
36
|
def self.preamble
|
@@ -34,8 +39,8 @@ class Hiera
|
|
34
39
|
}).collect{|name| Encryptor.find(name).tag}
|
35
40
|
|
36
41
|
preamble = <<-eos
|
37
|
-
This is eyaml edit mode. This text (lines starting with #{self.prefix} at the top of
|
38
|
-
file) will be removed when you save and exit.
|
42
|
+
This is eyaml edit mode. This text (lines starting with #{self.prefix} at the top of
|
43
|
+
the file) will be removed when you save and exit.
|
39
44
|
- To edit encrypted values, change the content of the DEC(<num>)::PKCS7[]!
|
40
45
|
block#{(tags.size>1) ? " (or #{tags.drop(1).collect {|tag| "DEC(<num>)::#{tag}[]!" }.join(' or ')})." : '.' }
|
41
46
|
WARNING: DO NOT change the number in the parentheses.
|
@@ -51,7 +56,7 @@ eos
|
|
51
56
|
end
|
52
57
|
|
53
58
|
def self.validate options
|
54
|
-
|
59
|
+
Optimist::die "You must specify an eyaml file" if ARGV.empty?
|
55
60
|
options[:source] = :eyaml
|
56
61
|
options[:eyaml] = ARGV.shift
|
57
62
|
if File.exists? options[:eyaml]
|
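Review bot: `Optimist::die "You must specify an eyaml file" if ARGV.empty?` is the right check, but the `if File.exists? options[:eyaml]` on the next line uses `File.exists?`, which has been deprecated since Ruby 2.1 and is removed in Ruby 3.2; use `File.exist?` (and `File.file?` if a directory should be rejected).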
@@ -70,10 +75,18 @@ eos
|
|
70
75
|
def self.execute
|
71
76
|
editor = EditHelper.find_editor
|
72
77
|
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
78
|
+
Parser::EncToken.set_encrypt_unchanged(false)
|
79
|
+
|
80
|
+
# The 'no_' option has special handling - bypass that and just check if a flag was set.
|
81
|
+
if Eyaml::Options[:no_decrypt_given]
|
82
|
+
decrypted_input = Eyaml::Options[:input_data]
|
83
|
+
decrypted_file_content = Eyaml::Options[:no_preamble] ? decrypted_input : (self.preamble + decrypted_input)
|
84
|
+
else
|
85
|
+
encrypted_parser = Parser::ParserFactory.encrypted_parser
|
86
|
+
tokens = encrypted_parser.parse Eyaml::Options[:input_data]
|
87
|
+
decrypted_input = tokens.each_with_index.to_a.map{|(t,index)| t.to_decrypted :index => index}.join
|
88
|
+
decrypted_file_content = Eyaml::Options[:no_preamble] ? decrypted_input : (self.preamble + decrypted_input)
|
89
|
+
end
|
77
90
|
|
78
91
|
begin
|
79
92
|
decrypted_file = EditHelper.write_tempfile decrypted_file_content unless decrypted_file
|
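Review bot: in the `no_decrypt_given` branch the raw file, still full of `ENC[...]` blocks, is prefixed with `self.preamble`, whose text tells the user to edit `DEC(<num>)::PKCS7[]!` blocks and not to change the number in parentheses; none of those exist in this mode, so either skip the preamble here or give the mode its own. `Parser::EncToken.set_encrypt_unchanged(false)` flips process-wide class state and is never restored, so any parse performed later in the same process (tests, or a library caller) inherits edit-mode behaviour; reset it in the `ensure` of the `begin` block below. The two `decrypted_file_content = Eyaml::Options[:no_preamble] ? decrypted_input : (self.preamble + decrypted_input)` lines are identical and can move after the `if`.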
@@ -98,7 +111,7 @@ eos
|
|
98
111
|
# check that the tokens haven't been copy / pasted
|
99
112
|
used_ids = edited_tokens.find_all{ |t| t.class.name =~ /::EncToken$/ and !t.id.nil? }.map{ |t| t.id }
|
100
113
|
if used_ids.length != used_ids.uniq.length
|
101
|
-
raise RecoverableError, "A duplicate DEC(ID) was found so I don't know how to proceed. This is probably because you copy and pasted a value - if you do this please delete the ID
|
114
|
+
raise RecoverableError, "A duplicate DEC(ID) was found so I don't know how to proceed. This is probably because you copy and pasted a value - if you do this please delete the ID and parentheses"
|
102
115
|
end
|
103
116
|
|
104
117
|
# replace untouched values with the source values
|
@@ -47,8 +47,8 @@ class Hiera
|
|
47
47
|
|
48
48
|
def self.validate options
|
49
49
|
sources = [:password, :string, :file, :stdin, :eyaml].collect {|x| x if options[x]}.compact
|
50
|
-
|
51
|
-
|
50
|
+
Optimist::die "You must specify a source" if sources.count.zero?
|
51
|
+
Optimist::die "You can only specify one of (#{sources.join(', ')})" if sources.count > 1
|
52
52
|
options[:source] = sources.first
|
53
53
|
|
54
54
|
options[:input_data] = case options[:source]
|
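Review bot: same validate body as decrypt.rb, with `:eyaml` moved to the end of the symbol list; share it via `Subcommand` rather than maintaining two copies of the "exactly one source" rule and its error text.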
@@ -10,7 +10,12 @@ class Hiera
|
|
10
10
|
class Recrypt < Subcommand
|
11
11
|
|
12
12
|
def self.options
|
13
|
-
[
|
13
|
+
[
|
14
|
+
{:name => :change_encryption,
|
15
|
+
:description => "Specify the new encryption method that should be used for the file",
|
16
|
+
:short => 'd',
|
17
|
+
:default => "pkcs7"}
|
18
|
+
]
|
14
19
|
end
|
15
20
|
|
16
21
|
def self.description
|
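Review bot: `:default => "pkcs7"` for `change_encryption` means `recrypt` always hands a non-nil method to `to_encrypted`, so every value in the file is re-encrypted with PKCS7, including values that currently use a different encryptor (a GPG plugin, for example); the scheme change is silent, while only an explicit `--change-encryption` should trigger it. Default to nil and have `to_encrypted` keep each token's own `@encryptor` when no method is given. `:short => 'd'` also collides in meaning with edit.rb's `-d` (no-decrypt); pick a letter that does not invert intent between subcommands.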
@@ -22,10 +27,11 @@ class Hiera
|
|
22
27
|
end
|
23
28
|
|
24
29
|
def self.validate options
|
25
|
-
|
30
|
+
Optimist::die "You must specify an eyaml file" if ARGV.empty?
|
26
31
|
options[:source] = :eyaml
|
27
32
|
options[:eyaml] = ARGV.shift
|
28
33
|
options[:input_data] = File.read options[:eyaml]
|
34
|
+
@change_encryption = options[:change_encryption]
|
29
35
|
options
|
30
36
|
end
|
31
37
|
|
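Review bot: `File.read options[:eyaml]` runs with no existence or readability check, so a missing or unreadable path surfaces as an `Errno::ENOENT` or `Errno::EACCES` backtrace instead of an `Optimist::die` message like the one added just above for the empty-ARGV case; add `Optimist::die "File #{options[:eyaml]} not found" unless File.file?(options[:eyaml])`. Stashing the value in the class instance variable `@change_encryption` is inconsistent with `execute`, which reads its other settings from `Eyaml::Options[...]` (for instance `Eyaml::Options[:eyaml]` for the filename); read `Eyaml::Options[:change_encryption]` there instead of carrying hidden state between `validate` and `execute`.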
@@ -38,7 +44,7 @@ class Hiera
|
|
38
44
|
decrypted_parser = Parser::ParserFactory.decrypted_parser
|
39
45
|
edited_tokens = decrypted_parser.parse(decrypted_input)
|
40
46
|
|
41
|
-
encrypted_output = edited_tokens.map{ |t| t.to_encrypted }.join
|
47
|
+
encrypted_output = edited_tokens.map{ |t| t.to_encrypted({:change_encryption => @change_encryption}) }.join
|
42
48
|
|
43
49
|
filename = Eyaml::Options[:eyaml]
|
44
50
|
File.open("#(unknown)", 'w') { |file|
|
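Review bot: the re-encrypted output is written back over the source with `File.open(..., 'w')`, which truncates the file first; an exception or a kill between the truncate and the final write leaves a zero-length or partial secrets file with no way back to the old ciphertext. Write to a temp file in the same directory and `File.rename` it into place, preserving the original mode (eyaml files are commonly 0640 or tighter), and consider keeping a backup until the new file parses. `t.to_encrypted({:change_encryption => @change_encryption})` also re-encrypts every token with the configured default (`"pkcs7"`) rather than each token's existing scheme; see the option default in the options hunk.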
@@ -50,12 +50,21 @@ class Hiera
|
|
50
50
|
candidates << candidate.to_s.split('::').last if parent_class.const_get(candidate).class.to_s == "Class"
|
51
51
|
end
|
52
52
|
candidates
|
53
|
-
end
|
53
|
+
end
|
54
54
|
|
55
55
|
def self.hiera?
|
56
56
|
"hiera".eql? Eyaml::Options[:source]
|
57
57
|
end
|
58
58
|
|
59
|
+
def self.convert_to_utf_8 string
|
60
|
+
orig_encoding = string.encoding
|
61
|
+
return string if orig_encoding == Encoding::UTF_8
|
62
|
+
|
63
|
+
return string.dup.force_encoding(Encoding::UTF_8)
|
64
|
+
rescue EncodingError => detail
|
65
|
+
warn "Unable to encode to \"Encoding::UTF_8\" using the original \"#{orig_encoding}\""
|
66
|
+
return string
|
67
|
+
end
|
59
68
|
end
|
60
69
|
end
|
61
70
|
end
|
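Review bot: `string.dup.force_encoding(Encoding::UTF_8)` never raises, so the `rescue EncodingError` branch is dead code, and the method returns a string labelled UTF-8 that may not be valid UTF-8 (for example Latin-1 bytes read from a file); the failure then surfaces later as `ArgumentError: invalid byte sequence in UTF-8` from `gsub` or `match`. Either transcode with `string.encode(Encoding::UTF_8)`, which does raise `Encoding::UndefinedConversionError` / `Encoding::InvalidByteSequenceError` (both `EncodingError` subclasses, making the rescue meaningful), or keep `force_encoding` and follow it with a `valid_encoding?` check that warns and returns the original. For `ASCII-8BIT` input, which is what binmode reads produce, state explicitly whether relabelling is the intent. The `warn` should also include `detail.message`, which is captured but never used.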
@@ -15,6 +15,7 @@ class Hiera
|
|
15
15
|
def initialize(cache = nil)
|
16
16
|
debug("Hiera eYAML backend starting")
|
17
17
|
|
18
|
+
@decrypted_cache = {}
|
18
19
|
@cache = cache || Filecache.new
|
19
20
|
@extension = Config[:eyaml][:extension] || "eyaml"
|
20
21
|
end
|
@@ -128,7 +129,19 @@ class Hiera
|
|
128
129
|
end
|
129
130
|
|
130
131
|
def parse_string(data, scope, extra_data={})
|
131
|
-
|
132
|
+
if Eyaml::Options[:cache_decrypted]
|
133
|
+
if not @decrypted_cache.include?(data)
|
134
|
+
decrypted_data = decrypt(data)
|
135
|
+
debug("Adding data to decrypted cache")
|
136
|
+
@decrypted_cache[data] = decrypted_data
|
137
|
+
else
|
138
|
+
debug("Retrieving data from decrypted cache")
|
139
|
+
decrypted_data = @decrypted_cache[data]
|
140
|
+
end
|
141
|
+
else
|
142
|
+
decrypted_data = decrypt(data)
|
143
|
+
end
|
144
|
+
|
132
145
|
Backend.parse_string(decrypted_data, scope, extra_data)
|
133
146
|
end
|
134
147
|
end
|
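Review bot: with `Eyaml::Options[:cache_decrypted]` set, `@decrypted_cache` maps every distinct ciphertext string to its plaintext for the lifetime of the backend object, so in a long-running Puppet server the decrypted secrets of every lookup ever performed stay in process memory (and in any heap dump or core file) and the Hash grows without bound; after a `recrypt`, entries keyed by the old ciphertext are never evicted either. Document that trade-off next to the option, bound the cache (size or TTL), and provide a way to clear it on configuration reload. The if/else can collapse to `decrypted_data = Eyaml::Options[:cache_decrypted] ? @decrypted_cache.fetch(data) { @decrypted_cache[data] = decrypt(data) } : decrypt(data)`, keeping the debug lines if wanted; `if not` is conventionally `unless`.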
data/tools/regem.sh
CHANGED
metadata
CHANGED
@@ -1,29 +1,29 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: hiera-eyaml
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version:
|
4
|
+
version: 3.0.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tom Poulton
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2019-01-17 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
-
name:
|
14
|
+
name: optimist
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
16
16
|
requirements:
|
17
|
-
- - "
|
17
|
+
- - ">="
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '
|
19
|
+
version: '0'
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
|
-
- - "
|
24
|
+
- - ">="
|
25
25
|
- !ruby/object:Gem::Version
|
26
|
-
version: '
|
26
|
+
version: '0'
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: highline
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
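Review bot: the new `optimist` runtime dependency is declared as `>= 0`, which accepts any future major release, breaking changes included, and gives no supply-chain pin for a gem that handles decryption keys; use a pessimistic constraint in hiera-eyaml.gemspec (`~> 3.0`, the first release under the optimist name) so the gem resolves to a reviewed range, and do the same for `highline` below. `cert_chain: []` also shows the gem is published unsigned; given its role, signing releases would let consumers verify the publisher.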
@@ -47,8 +47,9 @@ extra_rdoc_files: []
|
|
47
47
|
files:
|
48
48
|
- ".gitignore"
|
49
49
|
- ".travis.yml"
|
50
|
-
-
|
50
|
+
- CHANGELOG.md
|
51
51
|
- Gemfile
|
52
|
+
- HISTORY.md
|
52
53
|
- LICENSE.txt
|
53
54
|
- PLUGINS.md
|
54
55
|
- README.md
|
@@ -104,8 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
104
105
|
- !ruby/object:Gem::Version
|
105
106
|
version: '0'
|
106
107
|
requirements: []
|
107
|
-
|
108
|
-
rubygems_version: 2.2.2
|
108
|
+
rubygems_version: 3.0.2
|
109
109
|
signing_key:
|
110
110
|
specification_version: 4
|
111
111
|
summary: OpenSSL Encryption backend for Hiera
|