hiera-eyaml 2.1.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 021e11612889fd5f49208b233150bc0d131ede79
-  data.tar.gz: ae80275145e1170d559991ad329ae3bafb015ab2
+SHA256:
+  metadata.gz: 6fde1d8051eb21831b79c698fd423e9a4a08b824d2360e9ff6812d7992bc0388
+  data.tar.gz: 51f03df435163ec479f4e843d83c3c5d1c04c0581901bbe0f578d06314e3f625
 SHA512:
-  metadata.gz: 37a03638a582c4d88e4be20ed9c41157214c6bd1c3c8d6a061739cf131a394069a7f44504f1046315be471aad7b85cdf525b9b51ed50f92823c53593c7973887
-  data.tar.gz: 7efec4883b74f67cabf25848a0a34aae30de1426c5f5cd4d15ed80e1d24b20145976c7341bb28e22894a81f6e15a5d4c1cc964fd1902cfce986ff4253175138f
+  metadata.gz: 8363cd6de0401411ba832d79e3a7ce5df9e1b3a9a6a9d532d7b3e935e7a98a10ff29be65acd36a953494a3923e090c0cd8cfc594f63ff56d39f38e881553d874
+  data.tar.gz: 6f34d66445e374ea6c6c7c6d34c50f20a14d76eef48732b661bad86ce793a362564b93538f896d85c219ee415a33b222b0d15e4c770d0ee6013428091c0d1649

data/.gitignore

@@ -9,3 +9,10 @@ tmp/
 .ruby-version
 .ruby-gemset
 Gemfile.lock
+.*.sw?
+vendor/
+.bundle/
+features/sandbox/puppet-hiera-merge/reports
+features/sandbox/puppet-hiera-merge/state
+features/sandbox/puppet/reports
+features/sandbox/puppet/state

data/.travis.yml

@@ -1,30 +1,43 @@
+---
+dist: trusty
 language: ruby
-rvm:
-  - "1.8.7-p374"
-  - "1.9.3"
-  - "2.0.0"
-  - "2.1.5"
-  - "2.2.3"
-env:
-  - PUPPET_VERSION=3.7.5
-  - PUPPET_VERSION=3.8.4
-  - PUPPET_VERSION=4.2.2
+cache: bundler
 sudo: false
+before_install:
+  - bundle -v
+  - rm Gemfile.lock || true
+  - gem update --system $RUBYGEMS_VERSION
+  - gem update bundler
+  - gem --version
+  - bundle -v
 addons:
   apt:
     packages:
       - expect
 script:
   bundle exec cucumber -f progress
+matrix:
+  include:
+    - rvm: 2.1.9
+      env: PUPPET_VERSION="~> 4.0" RUBYGEMS_VERSION=2.7.8
+    - rvm: 2.4.2
+      env: PUPPET_VERSION="~> 5.0"
 notifications:
   email: false
-
-matrix:
-  exclude:
-    - rvm: 1.8.7-p374
-      env: PUPPET_VERSION=4.2.2
-    - rvm: 2.2.3
-      env: PUPPET_VERSION=3.7.5
-    - rvm: 2.2.3
-      env: PUPPET_VERSION=3.8.4
-
+  irc:
+    on_success: always
+    on_failure: always
+    channels:
+      - "chat.freenode.org#voxpupuli-notifications"
+branches:
+  only:
+    - master
+    - /^v\d/
+deploy:
+  provider: rubygems
+  api_key:
+    secure: 'W6a8A3KfxNydnbK4qhpL4S4KBUnadw8eGr1s8vqeOc8gXlc/qkj/DET9jWpgaEsdnEN/ALJL0WEksYJCHDpdeJv1qKaidFg5dC5l+qZ5gdVHRoKKVFkVlt8WDHe5UdP+bI2vUHWQ/1c04P92+jU9SJ0afTU1xUFn4d3AWCgwmdk='
+  gem: hiera-eyaml
+  on:
+    tags: true
+    repo: voxpupuli/hiera-eyaml

data/CHANGELOG.md

@@ -0,0 +1,115 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [v3.0.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.0.0) (2019-01-17)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v2.1.0...v3.0.0)
+
+This is the first release after this project was migrated to Vox Pupuli.
+
+**Breaking changes:**
+
+- Upgrading trollop to optimist to remove deprecation warnings [\#268](https://github.com/voxpupuli/hiera-eyaml/pull/268) ([chadlyon](https://github.com/chadlyon))
+
+**Implemented enhancements:**
+
+- Don't use SHA1 for the digest [\#257](https://github.com/voxpupuli/hiera-eyaml/issues/257)
+- Update to make use of Backend.datasourcefiles\(\) [\#92](https://github.com/voxpupuli/hiera-eyaml/issues/92)
+- allow setting an individual keysize [\#227](https://github.com/voxpupuli/hiera-eyaml/pull/227) ([tuxmea](https://github.com/tuxmea))
+
+**Fixed bugs:**
+
+- on OSX, eyaml isn't expanding `~` into /Users/$USER [\#170](https://github.com/voxpupuli/hiera-eyaml/issues/170)
+- Performance bug: unnecessary double-decryption of blocks [\#182](https://github.com/voxpupuli/hiera-eyaml/pull/182) ([peculater](https://github.com/peculater))
+
+**Closed issues:**
+
+- PuppetDB gets base64 encoded string on exported ressources [\#273](https://github.com/voxpupuli/hiera-eyaml/issues/273)
+- DEPRECATION - trollop gem is deprecated, need to switch to optimist [\#267](https://github.com/voxpupuli/hiera-eyaml/issues/267)
+- Puppet can't find key on server [\#266](https://github.com/voxpupuli/hiera-eyaml/issues/266)
+- Re-encryption is broken [\#258](https://github.com/voxpupuli/hiera-eyaml/issues/258)
+- AWS KMS/IAM integration? [\#234](https://github.com/voxpupuli/hiera-eyaml/issues/234)
+- Feature Request: Ability to use edit without the private key [\#231](https://github.com/voxpupuli/hiera-eyaml/issues/231)
+- Not decrypting/working with puppetserver 2.7.2 \(Function lookup\(\) did not find a value for the name\) [\#228](https://github.com/voxpupuli/hiera-eyaml/issues/228)
+- Allow stronger than 2048 bit keys [\#226](https://github.com/voxpupuli/hiera-eyaml/issues/226)
+- failed: DataBinding 'hiera': No such file or directory - /var/lib/puppet/keys/private\_key.pkcs7.pem [\#225](https://github.com/voxpupuli/hiera-eyaml/issues/225)
+- Migrate to Vox Pupuli [\#224](https://github.com/voxpupuli/hiera-eyaml/issues/224)
+- Allow to `decrypt` while keeping the "DEC::..." [\#217](https://github.com/voxpupuli/hiera-eyaml/issues/217)
+- secret in the logs [\#216](https://github.com/voxpupuli/hiera-eyaml/issues/216)
+- eyaml produces base64 string for complex data [\#209](https://github.com/voxpupuli/hiera-eyaml/issues/209)
+- Hiera-eyaml cannot decrypt with key, plain gpg works [\#206](https://github.com/voxpupuli/hiera-eyaml/issues/206)
+- Unable to decrypt on remote nodes [\#202](https://github.com/voxpupuli/hiera-eyaml/issues/202)
+- Backend not found in tests [\#200](https://github.com/voxpupuli/hiera-eyaml/issues/200)
+- ArgumentError [\#193](https://github.com/voxpupuli/hiera-eyaml/issues/193)
+- High CPU consumption  [\#192](https://github.com/voxpupuli/hiera-eyaml/issues/192)
+- hiera call from manifeast not able to locate key [\#174](https://github.com/voxpupuli/hiera-eyaml/issues/174)
+- PE 3.8  - sporadically failing to load eyaml backend. [\#173](https://github.com/voxpupuli/hiera-eyaml/issues/173)
+- eyaml and templates [\#171](https://github.com/voxpupuli/hiera-eyaml/issues/171)
+- cucumber failures with puppet 3.7.5 [\#154](https://github.com/voxpupuli/hiera-eyaml/issues/154)
+- issue with jruby under PE 3.7 [\#150](https://github.com/voxpupuli/hiera-eyaml/issues/150)
+- hiera eyaml does not work on PE 3.7.2 [\#126](https://github.com/voxpupuli/hiera-eyaml/issues/126)
+- invalid byte sequence in UTF-8 on encrypted binary [\#124](https://github.com/voxpupuli/hiera-eyaml/issues/124)
+- having an issue when loding hiera-eyaml [\#117](https://github.com/voxpupuli/hiera-eyaml/issues/117)
+- Puppet hiera\(\): Cannot load backend eyaml: no such file to load [\#115](https://github.com/voxpupuli/hiera-eyaml/issues/115)
+- Public/private keys undefined for Vagrant [\#101](https://github.com/voxpupuli/hiera-eyaml/issues/101)
+- bug in hiera 1.3.2-1 vs rubygem-hiera 1.3.2-1 [\#85](https://github.com/voxpupuli/hiera-eyaml/issues/85)
+- Errors of yaml and no eyaml files exist. Fine if just eyaml files exist. [\#82](https://github.com/voxpupuli/hiera-eyaml/issues/82)
+
+**Merged pull requests:**
+
+- Use UTF-8 as the encoding for plain text data [\#274](https://github.com/voxpupuli/hiera-eyaml/pull/274) ([jarretlavallee](https://github.com/jarretlavallee))
+- Fix regem.sh shebang, it does not need bash [\#265](https://github.com/voxpupuli/hiera-eyaml/pull/265) ([AMDmi3](https://github.com/AMDmi3))
+- Allow selection of digest, default to SHA256 [\#261](https://github.com/voxpupuli/hiera-eyaml/pull/261) ([juniorsysadmin](https://github.com/juniorsysadmin))
+- expand README on whole-file encryption usage [\#260](https://github.com/voxpupuli/hiera-eyaml/pull/260) ([jflorian](https://github.com/jflorian))
+- Add encrypt-only flag for 'edit' command. [\#256](https://github.com/voxpupuli/hiera-eyaml/pull/256) ([benjunmun](https://github.com/benjunmun))
+- Test only with current Puppet and Ruby combination [\#254](https://github.com/voxpupuli/hiera-eyaml/pull/254) ([vinzent](https://github.com/vinzent))
+- Update \#{self.prefix} to match yamllint rules [\#248](https://github.com/voxpupuli/hiera-eyaml/pull/248) ([jordanconway](https://github.com/jordanconway))
+- Fix badge, link to AWS KMS/IAM integration [\#245](https://github.com/voxpupuli/hiera-eyaml/pull/245) ([rnelson0](https://github.com/rnelson0))
+- Remove tildes that don't expand from configuration examples [\#242](https://github.com/voxpupuli/hiera-eyaml/pull/242) ([rnelson0](https://github.com/rnelson0))
+- Disable deprecation warnings [\#241](https://github.com/voxpupuli/hiera-eyaml/pull/241) ([rnelson0](https://github.com/rnelson0))
+- Add a cache for decrypted values [\#240](https://github.com/voxpupuli/hiera-eyaml/pull/240) ([stlava](https://github.com/stlava))
+- Suppressing logging of configuration files on init [\#237](https://github.com/voxpupuli/hiera-eyaml/pull/237) ([sigv](https://github.com/sigv))
+- Update the keys' example directory [\#236](https://github.com/voxpupuli/hiera-eyaml/pull/236) ([sigv](https://github.com/sigv))
+- Modify edit command to not recrypt unchanged values [\#233](https://github.com/voxpupuli/hiera-eyaml/pull/233) ([ccojocar](https://github.com/ccojocar))
+- Modify recrypt command to allow recrypting file with different encryp… [\#232](https://github.com/voxpupuli/hiera-eyaml/pull/232) ([ccojocar](https://github.com/ccojocar))
+- \(docs\) Update README with instructions for using Hiera 5 [\#229](https://github.com/voxpupuli/hiera-eyaml/pull/229) ([nfagerlund](https://github.com/nfagerlund))
+- Attempt to resolve Travis CI issues [\#220](https://github.com/voxpupuli/hiera-eyaml/pull/220) ([rnelson0](https://github.com/rnelson0))
+- Make it clear that the ID and parens must be deleted, not just the ID [\#188](https://github.com/voxpupuli/hiera-eyaml/pull/188) ([sdotz](https://github.com/sdotz))
+- Make output of `eyaml decrypt` valid yaml with multiline values. [\#183](https://github.com/voxpupuli/hiera-eyaml/pull/183) ([peculater](https://github.com/peculater))
+
+## v2.1.0 (2016-03-02)
+
+ - (#187) - Change the way third party highline library is imported to avoid memory leak when running under puppet server (@petems)
+ - (#181) - Improve test suite to run against a variety of puppet versions (@peculater)
+
+## v2.0.8 (2015-04-15)
+
+ - (#149) - Fix to tempfile permissions and invalid editor scenario (@elyscape)
+
+## v2.0.7 (2015-03-04)
+
+ - (#142) - Fixed highline dependency to exclude newer versions that are not compatible with ruby 1.8.7 (@elyscape)
+ - (#136) - \t and \r characters are now supported in encrypted blocks (@elyscape)
+ - (#138) - Added missing tags and new tagging tool (@elyscape)
+
+## v2.0.6 (2014-12-13)
+
+ - (#131) - Fix another EDITOR bug (#130) that could erase command line flags to the specified editor (@elyscape)
+
+## v2.0.5 (2014-12-11)
+
+ - (#128) - Fix a bug (#127) that caused `eyaml edit` to break when `$EDITOR` was a command on PATH rather than a path to a command (@elyscape)
+
+## v2.0.4 (2014-11-24)
+
+ - Add change log
+ - (#118) - Some initial support for spaces in filenames (primarily targeted at windows platforms) (@elyscape)
+ - (#114) - Add new config file resolution so that a system wide /etc/eyaml/config.yaml is processed first (@gtmtech)
+ - (#112) - Improve debugging options and colorise output (@gtmtech)
+ - (#102) - Extension of temp files should be yaml to help editors provide syntax highlighting (@ColinHebert)
+ - (#90), #121, #122 - Add preamble in edit mode to make it easier to remember how to edit (@sihil)
+ - (#96), #111, #116 - Various updates to docs
+
+
+\* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)*

data/Gemfile

@@ -7,12 +7,11 @@ group :development do
   gem "cucumber", '~> 1.1'
   gem "rspec-expectations", '~> 3.1.0'
   gem "hiera-eyaml-plaintext"
-  gem "puppet", ENV['PUPPET_VERSION'] || '~> 3.8'
+  gem "puppet", ENV['PUPPET_VERSION'] || '~> 5.0'
+  gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
+  gem 'github_changelog_generator',  :require => false, :git => 'https://github.com/github-changelog-generator/github-changelog-generator' if RUBY_VERSION >= '2.2.2'
 end
 
 group :test do
   gem "rake"
 end
-
-
-

data/{CHANGES.md → HISTORY.md}

@@ -1,30 +1,27 @@
-Change log for hiera-eyaml
-==========================
+## v2.1.0 (2016-03-02)
 
-2.0.8
------
+ - (#187) - Change the way third party highline library is imported to avoid memory leak when running under puppet server (@petems)
+ - (#181) - Improve test suite to run against a variety of puppet versions (@peculater)
+
+## v2.0.8 (2015-04-15)
 
  - (#149) - Fix to tempfile permissions and invalid editor scenario (@elyscape)
 
-2.0.7
------
+## v2.0.7 (2015-03-04)
 
  - (#142) - Fixed highline dependency to exclude newer versions that are not compatible with ruby 1.8.7 (@elyscape)
  - (#136) - \t and \r characters are now supported in encrypted blocks (@elyscape)
  - (#138) - Added missing tags and new tagging tool (@elyscape)
 
-2.0.6
------
+## v2.0.6 (2014-12-13)
 
  - (#131) - Fix another EDITOR bug (#130) that could erase command line flags to the specified editor (@elyscape)
 
-2.0.5
------
+## v2.0.5 (2014-12-11)
 
  - (#128) - Fix a bug (#127) that caused `eyaml edit` to break when `$EDITOR` was a command on PATH rather than a path to a command (@elyscape)
 
-2.0.4
------
+## v2.0.4 (2014-11-24)
 
  - Add change log
  - (#118) - Some initial support for spaces in filenames (primarily targeted at windows platforms) (@elyscape)
@@ -33,6 +30,3 @@ Change log for hiera-eyaml
  - (#102) - Extension of temp files should be yaml to help editors provide syntax highlighting (@ColinHebert)
  - (#90), #121, #122 - Add preamble in edit mode to make it easier to remember how to edit (@sihil)
  - (#96), #111, #116 - Various updates to docs
-
-2.0.3
------

data/README.md

@@ -1,12 +1,19 @@
 Hiera eyaml
 ===========
 
-[![Build Status](https://travis-ci.org/TomPoulton/hiera-eyaml.png?branch=master)](https://travis-ci.org/TomPoulton/hiera-eyaml)
+[![Build Status](https://travis-ci.org/voxpupuli/hiera-eyaml.png?branch=master)](https://travis-ci.org/voxpupuli/hiera-eyaml)
+[![Gem Version](https://img.shields.io/gem/v/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
+[![Gem Downloads](https://img.shields.io/gem/dt/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
 
 hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files 
 to be used by Puppet.
 
-:new: *v2.0 - commandline tool syntax has changed, see below for details*
+-------------------------
+:new: **hiera-eyaml is now part of voxpupuli**
+
+hiera-eyaml has a new home https://github.com/voxpupuli/hiera-eyaml.
+
+Hopefully this will mean more frequent feature updates and bug fixes!
 
 Advantages over hiera-gpg
 -------------------------
@@ -75,18 +82,21 @@ This creates a public and private key with default names in the default location
 
 Since the point of using this module is to securely store sensitive information, it's important to store these keys securely.
 If using Hiera with Puppet, Your puppetmaster will need to access these keys to perform decryption when the puppet agent runs on a remote node.
-So for this reason, a suggested location might be to store them in `/etc/puppet/secure/keys` or `/var/lib/puppet/keys` depending on your setup.
+So for this reason, a suggested location might be to store them in `/etc/puppetlabs/puppet/eyaml` or `/var/lib/puppet/keys` depending on your setup.
 
 The permissions for this folder should allow the puppet user (normally 'puppet') execute access to the keys directory, read only access to the keys themselves and restrict everyone else:
 
-    $ chown -R puppet:puppet /etc/puppet/secure/keys
-    $ chmod -R 0500 /etc/puppet/secure/keys
-    $ chmod 0400 /etc/puppet/secure/keys/*.pem
-    $ ls -lha /etc/puppet/secure/keys
+    $ chown -R puppet:puppet /etc/puppetlabs/puppet/eyaml
+    $ chmod -R 0500 /etc/puppetlabs/puppet/eyaml
+    $ chmod 0400 /etc/puppetlabs/puppet/eyaml/*.pem
+    $ ls -lha /etc/puppetlabs/puppet/eyaml
     -r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
     -r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
 
 
+Basic usage
+-----------
+
 ### Encryption
 
 To encrypt something, you only need the public_key, so distribute that to people creating hiera properties
@@ -109,12 +119,13 @@ To test decryption you can also use the eyaml tool if you have both keys
     $ eyaml decrypt -f filename               # Decrypt a file
     $ eyaml decrypt -s 'ENC[PKCS7,.....]'     # Decrypt a string
 
-### Editing eyaml files
+### Editing files with a mixture of eyaml-encrypted and plain-text content
 
-Once you have created a few eyaml files, with a mixture of encrypted and non-encrypted properties, 
-you can edit the encrypted values in place, using the special edit mode of the eyaml utility. Edit
-mode opens a decrypted copy of the eyaml file in your `$EDITOR` and will encrypt and modified values
-when you exit the editor.
+This is, perhaps, the most common use of eyaml where you have created a few
+eyaml files, with a mixture of encrypted and non-encrypted properties, you can
+edit the encrypted values in place, using the special edit mode of the eyaml
+utility. Edit mode opens a decrypted copy of the eyaml file in your `$EDITOR`
+and will encrypt and modified values when you exit the editor.
 
     $ eyaml edit filename.eyaml         # Edit an eyaml file in place
 
@@ -156,11 +167,78 @@ by the eyaml tool.
 
     some_new_key: DEC::PKCS7[a new value to encrypt]!
 
+### Encrypting an entire file
+
+While not as common, sometimes you need to encrypt an entire file.  Maybe this
+file is binary data that isn't meant for loading into an editor.  One example
+might be a Kerberos keytab file.  No problem!  Just encrypt the entire file:
+
+    $ eyaml encrypt -f filename
+
+As with encrypting short strings on the command-line, the encrypted equivalent
+will be sent to stdout as an ASCII text string and thus now plays nice with
+your editor.  Notice that the file itself, however, remains unchanged.  The
+output is presented in two blocks: once as a single, long string and once in
+a nice line-wrapped form.  Copy the one of your preference, starting with the
+`ENC[` and ending at the matching `]`.  Paste this into your Puppet or Hiera
+file just like any other eyaml string and your done.  If the file is rather
+large, you may wish to use a helper like `xclip` to copy the stdout directly to
+your clipboard.
+
 
 Hiera
 -----
 
-To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend
+To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml backend.
+
+Eyaml works with [Hiera 3.x](https://docs.puppet.com/hiera/latest), as well as with [Hiera 5](https://docs.puppet.com/puppet/latest/hiera_intro.html) (Puppet 4.9.3 and later).
+
+### With Hiera 5
+
+In Hiera 5, each hierarchy level has one designated backend, as well as its own independent configuration for that backend.
+
+Hierarchy levels that use eyaml must set the following keys:
+
+* `name`.
+* `lookup_key` (must be set to `eyaml_lookup_key`).
+* `path`/`paths`/`glob`/`globs` (choose one).
+* `datadir` (can be omitted if you've set a default).
+* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
+
+    You do not need to specify key names as `:symbols`; normal strings are fine.
+
+``` yaml
+---
+version: 5
+defaults:
+  datadir: data
+hierarchy:
+  - name: "Secret data: per-node, per-datacenter, common"
+    lookup_key: eyaml_lookup_key # eyaml backend
+    paths:
+      - "secrets/nodes/%{trusted.certname}.eyaml"  # Include explicit file extension
+      - "secrets/location/%{facts.whereami}.eyaml"
+      - "common.eyaml"
+    options:
+      pkcs7_private_key: /etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem
+      pkcs7_public_key:  /etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
+  - name: "Normal data"
+    data_hash: yaml_data # Standard yaml backend
+    paths:
+      - "nodes/%{trusted.certname}.yaml"
+      - "location/%{facts.whereami}/%{facts.group}.yaml"
+      - "groups/%{facts.group}.yaml"
+      - "os/%{facts.os.family}.yaml"
+      - "common.yaml"
+```
+
+Unlike with Hiera 3, there's no default file extension for eyaml files, so you can specify your own file extension directly in the path name.
+
+For more details, see the [hiera.yaml (version 5) reference page](https://docs.puppet.com/puppet/latest/hiera_config_yaml_5.html).
+
+### With Hiera 3
+
+In Hiera 3, hierarchy levels don't have a backend assigned to them, and Hiera loops through the entire hierarchy for each backend. Options for the backend are set globally, in an `:eyaml` config section.
 
 ```yaml
 ---
@@ -180,6 +258,9 @@ To use eyaml with hiera and puppet, first configure hiera.yaml to use the eyaml
     # If using the pkcs7 encryptor (default)
     :pkcs7_private_key: /path/to/private_key.pkcs7.pem
     :pkcs7_public_key:  /path/to/public_key.pkcs7.pem
+
+    # Optionally cache decrypted data (default: false)
+    :cache_decrypted: false
 ```
 
 Then, edit your hiera yaml files, and insert your encrypted values. The default eyaml file extension is .eyaml, however this can be configured in the :eyaml block to set :extension,
@@ -189,6 +270,8 @@ Then, edit your hiera yaml files, and insert your encrypted values. The default
     :extension: 'yaml'
 ```
 
+### Data formatting note
+
 *Important Note:*
 The eyaml backend will not parse internally json formatted yaml files, whereas the regular yaml backend will.
 You'll need to ensure any existing yaml files using json format are converted to syntactically correct yaml format.
@@ -243,15 +326,15 @@ Config files will be read first from `/etc/eyaml/config.yaml`, then from `~/.eya
 The file takes any long form argument that you can provide on the command line. For example, to override the pkcs7 keys:
 ```yaml
 ---
-pkcs7_private_key: '~/keys/eyaml/private_key.pkcs7.pem'
-pkcs7_public_key: '~/keys/eyaml/public_key.pkcs7.pem'
+pkcs7_private_key: './keys/eyaml/private_key.pkcs7.pem'
+pkcs7_public_key: './keys/eyaml/public_key.pkcs7.pem'
 ```
 
 Or to override to use GPG by default:
 ```yaml
 ---
 encrypt_method: 'gpg'
-gpg_gnupghome: '~/alternative_gnupghome'
+gpg_gnupghome: './alternative_gnupghome'
 gpg_recipients: 'sihil@example.com,gtmtech@example.com,tpoulton@example.com'
 ```
 
@@ -282,7 +365,10 @@ This is a list of available plugins:
    Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
    in conjunction with puppet, as it requires entry of a password over a terminal.
  - [hiera-eyaml-kms](https://github.com/adenot/hiera-eyaml-kms) - Encryption using AWS Key Management Service (KMS)
+ 
+### How-To's:
 
+ - [How to use different Hiera/Eyaml keys for different environments using the AWS Parameter Store to store the encryption keys for Hiera/Eyaml](https://gist.github.com/FransUrbo/88b26033cb513a8aa569bd5392a427b1).
 
 Notes
 -----

data/Rakefile

@@ -1 +1,14 @@
 require "bundler/gem_tasks"
+
+begin
+  require 'github_changelog_generator/task'
+  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
+    version = Hiera::Backend::Eyaml::VERSION
+    config.future_release = "v#{version}" if version =~ /^\d+\.\d+.\d+$/
+    config.header = "# Changelog\n\nAll notable changes to this project will be documented in this file."
+    config.exclude_labels = %w{duplicate question invalid wontfix wont-fix skip-changelog}
+    config.user = 'voxpupuli'
+    config.project = 'hiera-eyaml'
+  end
+rescue LoadError
+end

data/hiera-eyaml.gemspec

@@ -17,6 +17,6 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_dependency('trollop', '~> 2.0')
+  gem.add_dependency('optimist')
   gem.add_dependency('highline', '~> 1.6.19')
 end

data/lib/hiera/backend/eyaml.rb

@@ -2,7 +2,7 @@ class Hiera
   module Backend
     module Eyaml
 
-      VERSION = "2.1.0"
+      VERSION = "3.0.0"
       DESCRIPTION = "Hiera-eyaml is a backend for Hiera which provides OpenSSL encryption/decryption for Hiera properties"
 
       class RecoverableError < StandardError

data/lib/hiera/backend/eyaml/CLI.rb

@@ -1,4 +1,4 @@
-require 'trollop'
+require 'optimist'
 require 'hiera/backend/eyaml'
 require 'hiera/backend/eyaml/logginghelper'
 require 'hiera/backend/eyaml/utils'

data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb

@@ -21,12 +21,20 @@ class Hiera
             :subject => { :desc => "Subject to use for certificate when creating keys",
                           :type => :string,
                           :default => "/" },
+            :keysize => { :desc => "Key size used for encryption",
+                          :type => :integer,
+                          :default => 2048 },
+            :digest  => { :desc => "Hash function used for PKCS7",
+                          :type => :string,
+                          :default => "SHA256"},
           }
 
           self.tag = "PKCS7"
 
           def self.encrypt plaintext
 
+            LoggingHelper::trace 'PKCS7 encrypt'
+
             public_key = self.option :public_key
             raise StandardError, "pkcs7_public_key is not defined" unless public_key
 
@@ -35,11 +43,12 @@ class Hiera
 
             cipher = OpenSSL::Cipher::AES.new(256, :CBC)
             OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
-            
           end
 
           def self.decrypt ciphertext
 
+            LoggingHelper::trace 'PKCS7 decrypt'
+
             public_key = self.option :public_key
             private_key = self.option :private_key
             raise StandardError, "pkcs7_public_key is not defined" unless public_key
@@ -64,8 +73,10 @@ class Hiera
             public_key = self.option :public_key
             private_key = self.option :private_key
             subject = self.option :subject
+            keysize = self.option :keysize
+            digest = self.option :digest
 
-            key = OpenSSL::PKey::RSA.new(2048)
+            key = OpenSSL::PKey::RSA.new(keysize)
             EncryptHelper.ensure_key_dir_exists private_key
             EncryptHelper.write_important_file :filename => private_key, :content => key.to_pem, :mode => 0600
 
@@ -91,7 +102,7 @@ class Hiera
             cert.add_extension ef.create_extension("authorityKeyIdentifier",
                                                    "keyid:always,issuer:always")
 
-            cert.sign key, OpenSSL::Digest::SHA1.new
+            cert.sign key, OpenSSL::Digest.new(digest)
 
             EncryptHelper.ensure_key_dir_exists public_key
             EncryptHelper.write_important_file :filename => public_key, :content => cert.to_pem
@@ -107,4 +118,4 @@ class Hiera
 
   end
 
-end
+end

data/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb

@@ -2,6 +2,7 @@ require 'hiera/backend/eyaml/parser/token'
 require 'hiera/backend/eyaml/utils'
 require 'hiera/backend/eyaml/encryptor'
 require 'hiera/backend/eyaml'
+require 'base64'
 
 
 class Hiera
@@ -9,6 +10,8 @@ class Hiera
     module Eyaml
       module Parser
         class EncToken < Token
+          @@tokens_map = Hash.new()
+          @@encrypt_unchanged = true
           attr_reader :format, :cipher, :encryptor, :indentation, :plain_text, :id
           def self.encrypted_value(format, encryption_scheme, cipher, match, indentation = '')
             decryptor = Encryptor.find encryption_scheme
@@ -21,10 +24,27 @@ class Hiera
             id_number = id.nil? ? nil : id.gsub(/\(|\)/, "").to_i
             EncToken.new(format, plain_text, encryptor, cipher, match, indentation, id_number)
           end
+          def self.plain_text_value(format, plain_text, encryption_scheme, match, id, indentation = '')
+            encryptor = Encryptor.find encryption_scheme
+            id_number = id.gsub(/\(|\)/,"").to_i unless id.nil?
+            EncToken.new(format, plain_text, encryptor, "", match, indentation, id_number)
+          end
+
+          def self.tokens_map
+            return @@tokens_map
+          end
+
+          def self.set_encrypt_unchanged(encrypt_unchanged)
+            @@encrypt_unchanged = encrypt_unchanged
+          end
+
+          def self.encrypt_unchanged
+            return @@encrypt_unchanged
+          end
 
           def initialize(format, plain_text, encryptor, cipher, match = '', indentation = '', id = nil)
             @format = format
-            @plain_text = plain_text
+            @plain_text = Utils.convert_to_utf_8( plain_text )
             @encryptor = encryptor
             @cipher = cipher
             @indentation = indentation
@@ -36,6 +56,11 @@ class Hiera
             label = args[:label]
             label_string = label.nil? ? '' : "#{label}: "
             format = args[:format].nil? ? @format : args[:format]
+            encryption_method = args[:change_encryption]
+            if encryption_method != nil
+              @encryptor = Encryptor.find encryption_method
+              @cipher = Base64.encode64(@encryptor.encrypt @plain_text).strip
+            end
             case format
               when :block
                 # strip any white space
@@ -57,6 +82,10 @@ class Hiera
             label_string = label.nil? ? '' : "#{label}: "
             format = args[:format].nil? ? @format : args[:format]
             index = args[:index].nil? ? '' : "(#{args[:index]})"
+            if @@encrypt_unchanged == false
+              EncToken.tokens_map[index] = @plain_text
+            end
+
             case format
               when :block
                 chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
@@ -117,6 +146,13 @@ class Hiera
           end
           def create_token(string)
             md = @regex.match(string)
+            if (EncToken.encrypt_unchanged == false)
+              unless md[1].nil?
+                if md[3] == EncToken.tokens_map[md[1]]
+                  return EncToken.plain_text_value(:string, md[3], md[2], string, md[1])
+                end
+              end
+            end
             EncToken.decrypted_value(:string, md[3], md[2], string, md[1])
           end
         end
@@ -127,7 +163,13 @@ class Hiera
           end
           def create_token(string)
             md = @regex.match(string)
-            EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
+            if (EncToken.encrypt_unchanged == false)
+              unless md[2].nil?
+                if md[4] == EncToken.tokens_map[md[2]]
+                  return EncToken.plain_text_value(:string, md[4], md[3], string, md[2])
+                end
+              end
+            end
             EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
           end
         end

data/lib/hiera/backend/eyaml/subcommand.rb

@@ -34,12 +34,12 @@ class Hiera
           ]
         
         def self.load_config_file
-          config = {}
+          config = { :options => {}, :sources => [] }
           [ "/etc/eyaml/config.yaml", "#{ENV['HOME']}/.eyaml/config.yaml", "#{ENV['EYAML_CONFIG']}" ].each do |config_file|
             begin
               yaml_contents = YAML.load_file(config_file)
-              LoggingHelper::info "Loaded config from #{config_file}"
-              config.merge! yaml_contents
+              config[:options].merge! yaml_contents
+              config[:sources].push(config_file)
             rescue 
               raise StandardError, "Could not open config file \"#{config_file}\" for reading"
             end if config_file and File.file? config_file
@@ -55,14 +55,14 @@ class Hiera
           config_file = self.load_config_file
           options.map!{ | opt| 
             key_name = "#{opt[:name]}"
-            if config_file.has_key? key_name
-              opt[:default] = config_file[key_name]
+            if config_file[:options].has_key? key_name
+              opt[:default] = config_file[:options][key_name]
               opt
             else
               opt
             end
           }
-          options
+          { :options => options, :sources => config_file[:sources] || [] }
         end
 
         def self.attach_option opt
@@ -84,13 +84,14 @@ class Hiera
         def self.parse
 
           me = self
+          all = self.all_options
 
-          options = Trollop::options do
+          options = Optimist::options do
 
             version "Hiera-eyaml version " + Hiera::Backend::Eyaml::VERSION.to_s
             banner ["eyaml #{me.prettyname}: #{me.description}", me.helptext, "Options:"].compact.join("\n\n")
 
-            me.all_options.each do |available_option|
+            all[:options].each do |available_option|
 
               skeleton = {:description => "",
                           :short => :none}
@@ -124,6 +125,12 @@ class Hiera
             Hiera::Backend::Eyaml.default_encryption_scheme = options[:encrypt_method]
           end
 
+          if all[:sources]
+            all[:sources].each do |source|
+              LoggingHelper::debug "Loaded config from #{source}"
+            end
+          end
+
           options
 
         end

data/lib/hiera/backend/eyaml/subcommands/decrypt.rb

@@ -36,8 +36,8 @@ class Hiera
 
           def self.validate options
             sources = [:eyaml, :password, :string, :file, :stdin].collect {|x| x if options[x]}.compact
-            Trollop::die "You must specify a source" if sources.count.zero?
-            Trollop::die "You can only specify one of (#{sources.join(', ')})" if sources.count > 1
+            Optimist::die "You must specify a source" if sources.count.zero?
+            Optimist::die "You can only specify one of (#{sources.join(', ')})" if sources.count > 1
             options[:source] = sources.first
 
             options[:input_data] = case options[:source]
@@ -61,11 +61,18 @@ class Hiera
                 decrypted = tokens.map{ |token| token.to_decrypted }
                 decrypted.join
               else
+                yamled = false
                 decrypted = tokens.map{ |token|
                   case token.class.name
                     when /::EncToken$/
-                      token.plain_text
+                      if (yamled) then
+                        yamled = false
+                        token.to_plain_text.match(/[\r\n]/) ? "|\n  " + token.to_plain_text.gsub(/([\r\n]+)/, '\1  ') : token.to_plain_text
+                      else
+                        token.to_plain_text
+                      end
                     else
+                      yamled = true
                       token.match
                   end
                 }

data/lib/hiera/backend/eyaml/subcommands/edit.rb

@@ -3,6 +3,7 @@ require 'hiera/backend/eyaml/highlinehelper'
 require 'hiera/backend/eyaml/options'
 require 'hiera/backend/eyaml/parser/parser'
 require 'hiera/backend/eyaml/subcommand'
+require 'hiera/backend/eyaml/parser/encrypted_tokens'
 
 class Hiera
   module Backend
@@ -13,7 +14,11 @@ class Hiera
 
           def self.options
             [{ :name => :no_preamble,
-               :description => "Don't prefix edit sessions with the informative preamble" }]
+               :description => "Don't prefix edit sessions with the informative preamble" },
+             {:name => :no_decrypt,
+              :short => "-d",
+              :description => "Do not decrypt existing encrypted content. New content marked properly will be encrypted."}
+            ]
           end
 
           def self.description
@@ -25,7 +30,7 @@ class Hiera
           end
 
           def self.prefix
-            '#|'
+            '# |'
           end
 
           def self.preamble
@@ -34,8 +39,8 @@ class Hiera
             }).collect{|name| Encryptor.find(name).tag}
 
             preamble = <<-eos
-This is eyaml edit mode. This text (lines starting with #{self.prefix} at the top of the
-file) will be removed when you save and exit.
+This is eyaml edit mode. This text (lines starting with #{self.prefix} at the top of
+the file) will be removed when you save and exit.
  - To edit encrypted values, change the content of the DEC(<num>)::PKCS7[]!
    block#{(tags.size>1) ? " (or #{tags.drop(1).collect {|tag| "DEC(<num>)::#{tag}[]!" }.join(' or ')})." : '.' }
    WARNING: DO NOT change the number in the parentheses.
@@ -51,7 +56,7 @@ eos
           end
 
           def self.validate options
-            Trollop::die "You must specify an eyaml file" if ARGV.empty?
+            Optimist::die "You must specify an eyaml file" if ARGV.empty?
             options[:source] = :eyaml
             options[:eyaml] = ARGV.shift
             if File.exists? options[:eyaml]
@@ -70,10 +75,18 @@ eos
           def self.execute
             editor = EditHelper.find_editor
 
-            encrypted_parser = Parser::ParserFactory.encrypted_parser
-            tokens = encrypted_parser.parse Eyaml::Options[:input_data]
-            decrypted_input = tokens.each_with_index.to_a.map{|(t,index)| t.to_decrypted :index => index}.join
-            decrypted_file_content = Eyaml::Options[:no_preamble] ? decrypted_input : (self.preamble + decrypted_input)
+            Parser::EncToken.set_encrypt_unchanged(false)
+
+            # The 'no_' option has special handling - bypass that and just check if a flag was set.
+            if Eyaml::Options[:no_decrypt_given]
+              decrypted_input = Eyaml::Options[:input_data]
+              decrypted_file_content = Eyaml::Options[:no_preamble] ? decrypted_input : (self.preamble + decrypted_input)
+            else
+              encrypted_parser = Parser::ParserFactory.encrypted_parser
+              tokens = encrypted_parser.parse Eyaml::Options[:input_data]
+              decrypted_input = tokens.each_with_index.to_a.map{|(t,index)| t.to_decrypted :index => index}.join
+              decrypted_file_content = Eyaml::Options[:no_preamble] ? decrypted_input : (self.preamble + decrypted_input)
+            end
 
             begin
               decrypted_file = EditHelper.write_tempfile decrypted_file_content unless decrypted_file
@@ -98,7 +111,7 @@ eos
                 # check that the tokens haven't been copy / pasted
                 used_ids = edited_tokens.find_all{ |t| t.class.name =~ /::EncToken$/ and !t.id.nil? }.map{ |t| t.id }
                 if used_ids.length != used_ids.uniq.length
-                    raise RecoverableError, "A duplicate DEC(ID) was found so I don't know how to proceed. This is probably because you copy and pasted a value - if you do this please delete the ID in parentheses"
+                    raise RecoverableError, "A duplicate DEC(ID) was found so I don't know how to proceed. This is probably because you copy and pasted a value - if you do this please delete the ID and parentheses"
                 end
 
                 # replace untouched values with the source values

data/lib/hiera/backend/eyaml/subcommands/encrypt.rb

@@ -47,8 +47,8 @@ class Hiera
 
           def self.validate options
             sources = [:password, :string, :file, :stdin, :eyaml].collect {|x| x if options[x]}.compact
-            Trollop::die "You must specify a source" if sources.count.zero?
-            Trollop::die "You can only specify one of (#{sources.join(', ')})" if sources.count > 1
+            Optimist::die "You must specify a source" if sources.count.zero?
+            Optimist::die "You can only specify one of (#{sources.join(', ')})" if sources.count > 1
             options[:source] = sources.first
 
             options[:input_data] = case options[:source]

data/lib/hiera/backend/eyaml/subcommands/recrypt.rb

@@ -10,7 +10,12 @@ class Hiera
         class Recrypt < Subcommand
 
           def self.options
-            []
+            [
+                 {:name          => :change_encryption,
+                  :description   => "Specify the new encryption method that should be used for the file",
+                  :short         => 'd',
+                  :default       => "pkcs7"}
+             ]
           end
 
           def self.description
@@ -22,10 +27,11 @@ class Hiera
           end
 
           def self.validate options
-            Trollop::die "You must specify an eyaml file" if ARGV.empty?
+            Optimist::die "You must specify an eyaml file" if ARGV.empty?
             options[:source] = :eyaml
             options[:eyaml] = ARGV.shift
             options[:input_data] = File.read options[:eyaml]
+            @change_encryption = options[:change_encryption]
             options
           end
 
@@ -38,7 +44,7 @@ class Hiera
             decrypted_parser = Parser::ParserFactory.decrypted_parser
             edited_tokens = decrypted_parser.parse(decrypted_input)
 
-            encrypted_output = edited_tokens.map{ |t| t.to_encrypted }.join
+            encrypted_output = edited_tokens.map{ |t| t.to_encrypted({:change_encryption => @change_encryption}) }.join
 
             filename = Eyaml::Options[:eyaml]
             File.open("#{filename}", 'w') { |file|

data/lib/hiera/backend/eyaml/utils.rb

@@ -50,12 +50,21 @@ class Hiera
             candidates << candidate.to_s.split('::').last if parent_class.const_get(candidate).class.to_s == "Class"
           end
           candidates
-        end 
+        end
 
         def self.hiera?
           "hiera".eql? Eyaml::Options[:source]
         end
 
+        def self.convert_to_utf_8 string
+          orig_encoding = string.encoding
+          return string if orig_encoding == Encoding::UTF_8
+
+          return string.dup.force_encoding(Encoding::UTF_8)
+        rescue EncodingError => detail
+          warn "Unable to encode to \"Encoding::UTF_8\" using the original \"#{orig_encoding}\""
+          return string
+        end
       end
     end
   end

data/lib/hiera/backend/eyaml_backend.rb

@@ -15,6 +15,7 @@ class Hiera
       def initialize(cache = nil)
         debug("Hiera eYAML backend starting")
 
+        @decrypted_cache = {}
         @cache     = cache || Filecache.new
         @extension = Config[:eyaml][:extension] || "eyaml"
       end
@@ -128,7 +129,19 @@ class Hiera
       end
 
       def parse_string(data, scope, extra_data={})
-        decrypted_data = decrypt(data)
+        if Eyaml::Options[:cache_decrypted]
+          if not @decrypted_cache.include?(data)
+            decrypted_data = decrypt(data)
+            debug("Adding data to decrypted cache")
+            @decrypted_cache[data] = decrypted_data
+          else
+            debug("Retrieving data from decrypted cache")
+            decrypted_data = @decrypted_cache[data]
+          end
+        else
+          decrypted_data = decrypt(data)
+        end
+
         Backend.parse_string(decrypted_data, scope, extra_data)
       end
     end

data/tools/regem.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # ToDo: Remove as 'rake install' task will build and install the latest gem?
 

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: hiera-eyaml
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Tom Poulton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-02 00:00:00.000000000 Z
+date: 2019-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: trollop
+  name: optimist
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
@@ -47,8 +47,9 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
-- CHANGES.md
+- CHANGELOG.md
 - Gemfile
+- HISTORY.md
 - LICENSE.txt
 - PLUGINS.md
 - README.md
@@ -104,8 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 3.0.2
 signing_key: 
 specification_version: 4
 summary: OpenSSL Encryption backend for Hiera