hiera-eyaml 3.1.1 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 52e473749562bee1ea90166d3a1470d1661b27215493d53b4b955f2a273956f0
-  data.tar.gz: bcede59bf2a9251fe80d35b041db0790037e3f5dabe93783a60edd454337ba23
+  metadata.gz: 5e93c2ee103e419937e800cf29d8cc795848cf89340bb8480508c3b43937c9e7
+  data.tar.gz: f57e685ca3abd2eaa6018dd1ab82a4a93619225f53fa3a5d2fede6064337b2f3
 SHA512:
-  metadata.gz: c5731dc618fa18e0dd8cb4262b7dc5be549dae7d935861e90a4f107ae1d3cc64109543a983f500a2d582efb5e22500f8f9b95aaaae508a3df5027e6cc579cd17
-  data.tar.gz: 2fe8b8c7fabbc6ec255e7019c9516d178ae945a42512434ba1eeb2266aff5964bce4ee2a19d8d00a8011ae1cf577fa4e936e95bb014f114f2b48a853f31768a5
+  metadata.gz: 2d270bb605a92a56a8b188a4f5a8f3b525966ac4bdab284a833bdf2f5ed4b36e0190d709291e5c21e35df0cc986e98e6fda5c18f85de8f7384edc5da0651f4dc
+  data.tar.gz: 108c7c1ec985b9523cbf05bc0493c486e8df42f9f6c23d623c2ac72d485486871f819e8b6691cb800ff0e0e469f45438527fe8beb00237d456b2e408fc5d50f2

data/.travis.yml

@@ -22,6 +22,8 @@ matrix:
       env: PUPPET_VERSION="~> 4.0" RUBYGEMS_VERSION=2.7.8
     - rvm: 2.4.2
       env: PUPPET_VERSION="~> 5.0"
+    - rvm: 2.5.7
+      env: PUPPET_VERSION="~> 6.0"
 notifications:
   email: false
   irc:

data/CHANGELOG.md

@@ -2,6 +2,23 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v3.2.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.0) (2020-01-30)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.1...v3.2.0)
+
+**Implemented enhancements:**
+
+- Permit reading private key from environment variable [\#294](https://github.com/voxpupuli/hiera-eyaml/pull/294) ([nferch](https://github.com/nferch))
+
+**Fixed bugs:**
+
+- Version 3.1.0 does not clear the private/public key when options are changed [\#289](https://github.com/voxpupuli/hiera-eyaml/issues/289)
+
+**Merged pull requests:**
+
+- \(doc\) Correct order for config file precedence [\#295](https://github.com/voxpupuli/hiera-eyaml/pull/295) ([crayfishx](https://github.com/crayfishx))
+- \(maint\) Update Gemfile and README for Ruby 2.5/2.4 [\#293](https://github.com/voxpupuli/hiera-eyaml/pull/293) ([glennsarti](https://github.com/glennsarti))
+
 ## [v3.1.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.1) (2019-11-12)
 
 [Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.0...v3.1.1)

data/Gemfile

@@ -2,14 +2,28 @@ source 'https://rubygems.org/'
 
 gemspec
 
+def default_puppet_restriction
+  # Puppet 6 should be the default for Ruby 2.5+
+  # Puppet 5 should be the defualt for Ruby 2.4
+  Gem::Requirement.create('>= 2.5.0').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) ? '~> 6.0' : '~> 5.0'
+end
+
+def activesupport_restriction
+  # Active Support 6.x requires ruby 2.5.0+
+  Gem::Requirement.create('>= 2.5.0').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) ? '~> 6.0' : '~> 5.0'
+end
+
 group :development do
   gem "aruba", '~> 0.6.2'
   gem "cucumber", '~> 1.1'
   gem "rspec-expectations", '~> 3.1.0'
   gem "hiera-eyaml-plaintext"
-  gem "puppet", ENV['PUPPET_VERSION'] || '~> 5.0'
+  gem "puppet", ENV['PUPPET_VERSION'] || default_puppet_restriction
   gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
-  gem 'github_changelog_generator',  :require => false, :git => 'https://github.com/github-changelog-generator/github-changelog-generator' if RUBY_VERSION >= '2.2.2'
+  if RUBY_VERSION >= '2.2.2'
+    gem 'github_changelog_generator',  :require => false, :git => 'https://github.com/voxpupuli/github-changelog-generator', :branch => 'voxpupuli_essential_fixes'
+    gem "activesupport", activesupport_restriction
+  end
 end
 
 group :test do

data/README.md

@@ -5,7 +5,7 @@ Hiera eyaml
 [![Gem Version](https://img.shields.io/gem/v/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
 [![Gem Downloads](https://img.shields.io/gem/dt/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
 
-hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files 
+hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
 to be used by Puppet.
 
 -------------------------
@@ -18,8 +18,8 @@ Hopefully this will mean more frequent feature updates and bug fixes!
 Advantages over hiera-gpg
 -------------------------
 
-A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases, 
-one of the best expressed frustrations was 
+A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
+one of the best expressed frustrations was
 [written back in June 2013](http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/). So
 [Tom created an initial version](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/)
 and this was refined into an elegant solution over the following months.
@@ -28,14 +28,14 @@ Unlike `hiera-gpg`, `hiera-eyaml`:
 
  - only encrypts the values (which allows files to be swiftly reviewed without decryption)
  - encrypts the value of each key individually (this means that `git diff` is meaningful)
- - includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as 
+ - includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
    easy as using clear text files)
- - uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to 
+ - uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
    be compiled & allows users without the private key to encrypt values that the puppet master can decrypt)
- - has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used 
+ - has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
    if you have the need for multiple keys and easier key rotation)
 
-The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption 
+The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
 method, wrapped with ENC[] and placed in an eyaml file. You can mix your plain values in as well or separate them into different files.
 Encrypted values can occur within arrays, hashes, nested arrays and nested hashes.
 
@@ -93,6 +93,8 @@ The permissions for this folder should allow the puppet user (normally 'puppet')
     -r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
     -r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
 
+You may also load the keypair into an environment variable and use the `pkcs7_private_key_env_var` and `pkcs7_public_key_env_var` options to specify the environment variable names to avoid writing the secret key to disk.
+
 
 Basic usage
 -----------
@@ -129,8 +131,8 @@ and will encrypt and modified values when you exit the editor.
 
     $ eyaml edit filename.eyaml         # Edit an eyaml file in place
 
-When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to 
-identify each encrypted block, along with the encryption method. This is used to make sure that the block 
+When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
+identify each encrypted block, along with the encryption method. This is used to make sure that the block
 is encrypted again only if the clear text value has changed, and is encrypted using the
 original encryption mechanism (see plugable encryption later).
 
@@ -161,7 +163,7 @@ things:
         - nested thing 2.1
 ```
 
-Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to 
+Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
 omit the number in brackets for new values. If any duplicate IDs are found then the re-encryption process will be abandoned
 by the eyaml tool.
 
@@ -203,7 +205,7 @@ Hierarchy levels that use eyaml must set the following keys:
 * `lookup_key` (must be set to `eyaml_lookup_key`).
 * `path`/`paths`/`glob`/`globs` (choose one).
 * `datadir` (can be omitted if you've set a default).
-* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
+* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, or `pkcs7_public_key_env_var` and `pkcs7_private_key_env_var`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
 
     You do not need to specify key names as `:symbols`; normal strings are fine.
 
@@ -321,7 +323,7 @@ Configuration file for eyaml
 
 Default parameters for the eyaml command line tool can be provided by creating a configuration YAML file.
 
-Config files will be read first from `/etc/eyaml/config.yaml`, then from `~/.eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable
+Config files will be read first from `~/.eyaml/config.yaml`, then from `/etc/eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable
 
 The file takes any long form argument that you can provide on the command line. For example, to override the pkcs7 keys:
 ```yaml
@@ -358,8 +360,8 @@ When editing eyaml files, you will see that the unencrypted plaintext is marked
 This is a list of available plugins:
 
  - [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg) - Provide GPG encryption
- - [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that 
-   simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on 
+ - [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
+   simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
    hiera-eyaml. **THIS SHOULD NOT BE USED IN PRODUCTION**
  - [hiera-eyaml-twofac](https://github.com/gtmtechltd/hiera-eyaml-twofac) - PKCS7 keypair + AES256 symmetric password for two-factor encryption
    Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
@@ -411,6 +413,8 @@ Some of us hang out on #hiera-eyaml on freenode, please drop by if you want to s
 Tests
 -----
 
+**NOTE** Some testing requirements are not supported on Windows
+
 In order to run the tests, simply run `cucumber` in the top level directory of the project.
 
 You'll need to have a few requirements installed:

data/lib/hiera/backend/eyaml.rb

@@ -2,7 +2,7 @@ class Hiera
   module Backend
     module Eyaml
 
-      VERSION = "3.1.1"
+      VERSION = "3.2.0"
       DESCRIPTION = "Hiera-eyaml is a backend for Hiera which provides OpenSSL encryption/decryption for Hiera properties"
 
       class RecoverableError < StandardError

data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb

@@ -18,6 +18,10 @@ class Hiera
             :public_key => { :desc => "Path to public key",  
                              :type => :string, 
                              :default => "./keys/public_key.pkcs7.pem" },
+            :private_key_env_var => { :desc => "Name of environment variable to read private key from",
+                                      :type => :string },
+            :public_key_env_var => { :desc => "Name of environment variable to read public key from",
+                                      :type => :string },
             :subject => { :desc => "Subject to use for certificate when creating keys",
                           :type => :string,
                           :default => "/" },
@@ -36,9 +40,18 @@ class Hiera
             LoggingHelper::trace 'PKCS7 encrypt'
 
             public_key = self.option :public_key
-            raise StandardError, "pkcs7_public_key is not defined" unless public_key
+            public_key_env_var = self.option :public_key_env_var
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
 
-            public_key_pem = File.read public_key 
+            if public_key and public_key_env_var
+              warn "both public_key and public_key_env_var specified, using public_key"
+            end
+
+            if public_key_env_var and ENV[public_key_env_var]
+              public_key_pem = ENV[public_key_env_var]
+            else
+              public_key_pem = File.read public_key
+            end
             public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
             cipher = OpenSSL::Cipher::AES.new(256, :CBC)
@@ -51,13 +64,30 @@ class Hiera
 
             public_key = self.option :public_key
             private_key = self.option :private_key
-            raise StandardError, "pkcs7_public_key is not defined" unless public_key
-            raise StandardError, "pkcs7_private_key is not defined" unless private_key
+            public_key_env_var = self.option :public_key_env_var
+            private_key_env_var = self.option :private_key_env_var
+            raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
+            raise StandardError, "pkcs7_private_key is not defined" unless private_key or private_key_env_var
+
+            if public_key and public_key_env_var
+              warn "both public_key and public_key_env_var specified, using public_key"
+            end
+            if private_key and private_key_env_var
+              warn "both private_key and private_key_env_var specified, using private_key"
+            end
 
-            private_key_pem = File.read private_key
+            if private_key_env_var and ENV[private_key_env_var]
+              private_key_pem = ENV[private_key_env_var]
+            else
+              private_key_pem = File.read private_key
+            end
             private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
 
-            public_key_pem = File.read public_key
+            if public_key_env_var and ENV[public_key_env_var]
+              public_key_pem = ENV[public_key_env_var]
+            else
+              public_key_pem = File.read public_key
+            end
             public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
             pkcs7 = OpenSSL::PKCS7.new( ciphertext )

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hiera-eyaml
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.2.0
 platform: ruby
 authors:
 - Tom Poulton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-12 00:00:00.000000000 Z
+date: 2020-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: optimist
@@ -105,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: OpenSSL Encryption backend for Hiera