hiera-eyaml 3.1.1 → 3.2.0
- checksums.yaml +4 -4
- data/.travis.yml +2 -0
- data/CHANGELOG.md +17 -0
- data/Gemfile +16 -2
- data/README.md +18 -14
- data/lib/hiera/backend/eyaml.rb +1 -1
- data/lib/hiera/backend/eyaml/encryptors/pkcs7.rb +36 -6
- metadata +3 -3
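--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 5e93c2ee103e419937e800cf29d8cc795848cf89340bb8480508c3b43937c9e7
+data.tar.gz: f57e685ca3abd2eaa6018dd1ab82a4a93619225f53fa3a5d2fede6064337b2f3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2d270bb605a92a56a8b188a4f5a8f3b525966ac4bdab284a833bdf2f5ed4b36e0190d709291e5c21e35df0cc986e98e6fda5c18f85de8f7384edc5da0651f4dc
+data.tar.gz: 108c7c1ec985b9523cbf05bc0493c486e8df42f9f6c23d623c2ac72d485486871f819e8b6691cb800ff0e0e469f45438527fe8beb00237d456b2e408fc5d50f2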
data/.travis.yml
CHANGED
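--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,23 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v3.2.0](https://github.com/voxpupuli/hiera-eyaml/tree/v3.2.0) (2020-01-30)
+
+[Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.1...v3.2.0)
+
+**Implemented enhancements:**
+
+- Permit reading private key from environment variable [\#294](https://github.com/voxpupuli/hiera-eyaml/pull/294) ([nferch](https://github.com/nferch))
+
+**Fixed bugs:**
+
+- Version 3.1.0 does not clear the private/public key when options are changed [\#289](https://github.com/voxpupuli/hiera-eyaml/issues/289)
+
+**Merged pull requests:**
+
+- \(doc\) Correct order for config file precedence [\#295](https://github.com/voxpupuli/hiera-eyaml/pull/295) ([crayfishx](https://github.com/crayfishx))
+- \(maint\) Update Gemfile and README for Ruby 2.5/2.4 [\#293](https://github.com/voxpupuli/hiera-eyaml/pull/293) ([glennsarti](https://github.com/glennsarti))
+
 ## [v3.1.1](https://github.com/voxpupuli/hiera-eyaml/tree/v3.1.1) (2019-11-12)
 
 [Full Changelog](https://github.com/voxpupuli/hiera-eyaml/compare/v3.1.0...v3.1.1)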
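--- a/data/Gemfile
+++ b/data/Gemfile
@@ -2,14 +2,28 @@ source 'https://rubygems.org/'
 
 gemspec
 
+def default_puppet_restriction
+# Puppet 6 should be the default for Ruby 2.5+
+# Puppet 5 should be the defualt for Ruby 2.4
+Gem::Requirement.create('>= 2.5.0').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) ? '~> 6.0' : '~> 5.0'
+end
+
+def activesupport_restriction
+# Active Support 6.x requires ruby 2.5.0+
+Gem::Requirement.create('>= 2.5.0').satisfied_by?(Gem::Version.new(RUBY_VERSION.dup)) ? '~> 6.0' : '~> 5.0'
+end
+
 group :development do
 gem "aruba", '~> 0.6.2'
 gem "cucumber", '~> 1.1'
 gem "rspec-expectations", '~> 3.1.0'
 gem "hiera-eyaml-plaintext"
-gem "puppet", ENV['PUPPET_VERSION'] ||
+gem "puppet", ENV['PUPPET_VERSION'] || default_puppet_restriction
 gem 'json_pure', '<= 2.0.1' if RUBY_VERSION < '2.0.0'
-
+if RUBY_VERSION >= '2.2.2'
+gem 'github_changelog_generator', :require => false, :git => 'https://github.com/voxpupuli/github-changelog-generator', :branch => 'voxpupuli_essential_fixes'
+gem "activesupport", activesupport_restriction
+end
 end
 
 group :test do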
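Review bot: The `github_changelog_generator` gem at new line 24 is fetched from a git branch with no `:ref`, so each `bundle install` resolves to whatever `voxpupuli_essential_fixes` points at that day; unless a committed Gemfile.lock pins the commit, the development environment is not reproducible and any push to that branch is pulled in without review. Suggest pinning it, e.g. `:git => 'https://github.com/voxpupuli/github-changelog-generator', :ref => '<pinned-commit-sha>'` (placeholder; take the SHA from the lockfile). Separately, `default_puppet_restriction` and `activesupport_restriction` (lines 5–14) have identical bodies, so one could call the other or both could share a single `ruby_25_or_later?` predicate, and the comment on line 7 has a typo (`defualt` → `default`). The `group :development` block closes at line 27, but the rest of the file continues past the hunk.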
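--- a/data/README.md
+++ b/data/README.md
@@ -5,7 +5,7 @@ Hiera eyaml
 [![Gem Version](https://img.shields.io/gem/v/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
 [![Gem Downloads](https://img.shields.io/gem/dt/hiera-eyaml.svg)](https://rubygems.org/gems/hiera-eyaml)
 
-hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
+hiera-eyaml is a backend for Hiera that provides per-value encryption of sensitive data within yaml files
 to be used by Puppet.
 
 -------------------------
@@ -18,8 +18,8 @@ Hopefully this will mean more frequent feature updates and bug fixes!
 Advantages over hiera-gpg
 -------------------------
 
-A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
-one of the best expressed frustrations was
+A few people found that [hiera-gpg](https://github.com/crayfishx/hiera-gpg) just wasn't cutting it for all use cases,
+one of the best expressed frustrations was
 [written back in June 2013](http://slashdevslashrandom.wordpress.com/2013/06/03/my-griefs-with-hiera-gpg/). So
 [Tom created an initial version](http://themettlemonkey.wordpress.com/2013/07/15/hiera-eyaml-per-value-encrypted-backend-for-hiera-and-puppet/)
 and this was refined into an elegant solution over the following months.
@@ -28,14 +28,14 @@ Unlike `hiera-gpg`, `hiera-eyaml`:
 
 - only encrypts the values (which allows files to be swiftly reviewed without decryption)
 - encrypts the value of each key individually (this means that `git diff` is meaningful)
-- includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
+- includes a command line tool for encrypting, decrypting, editing and rotating keys (makes it almost as
 easy as using clear text files)
-- uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
+- uses basic asymmetric encryption (PKCS#7) by default (doesn't require any native libraries that need to
 be compiled & allows users without the private key to encrypt values that the puppet master can decrypt)
-- has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
+- has a pluggable encryption framework (e.g. GPG encryption ([hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg)) can be used
 if you have the need for multiple keys and easier key rotation)
 
-The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
+The Hiera eyaml backend uses yaml formatted files with the .eyaml extension. The encrypted strings are prefixed with the encryption
 method, wrapped with ENC[] and placed in an eyaml file. You can mix your plain values in as well or separate them into different files.
 Encrypted values can occur within arrays, hashes, nested arrays and nested hashes.
 
@@ -93,6 +93,8 @@ The permissions for this folder should allow the puppet user (normally 'puppet')
 -r-------- 1 puppet puppet 1.7K Sep 24 16:24 private_key.pkcs7.pem
 -r-------- 1 puppet puppet 1.1K Sep 24 16:24 public_key.pkcs7.pem
 
+You may also load the keypair into an environment variable and use the `pkcs7_private_key_env_var` and `pkcs7_public_key_env_var` options to specify the environment variable names to avoid writing the secret key to disk.
+
 
 Basic usage
 -----------
@@ -129,8 +131,8 @@ and will encrypt and modified values when you exit the editor.
 
 $ eyaml edit filename.eyaml # Edit an eyaml file in place
 
-When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
-identify each encrypted block, along with the encryption method. This is used to make sure that the block
+When editing eyaml files, you will see that the unencrypted plaintext is marked to allow the eyaml tool to
+identify each encrypted block, along with the encryption method. This is used to make sure that the block
 is encrypted again only if the clear text value has changed, and is encrypted using the
 original encryption mechanism (see plugable encryption later).
 
@@ -161,7 +163,7 @@ things:
 - nested thing 2.1
 ```
 
-Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
+Whilst editing you can delete existing values and add new one using the same format (as below). Note that it is important to
 omit the number in brackets for new values. If any duplicate IDs are found then the re-encryption process will be abandoned
 by the eyaml tool.
 
@@ -203,7 +205,7 @@ Hierarchy levels that use eyaml must set the following keys:
 * `lookup_key` (must be set to `eyaml_lookup_key`).
 * `path`/`paths`/`glob`/`globs` (choose one).
 * `datadir` (can be omitted if you've set a default).
-* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
+* `options` — a hash of eyaml-specific settings; by default, this should include `pkcs7_private_key` and `pkcs7_public_key`, or `pkcs7_public_key_env_var` and `pkcs7_private_key_env_var`, but alternate encryption plugins use alternate options. Anything from the old `:eyaml` config section (except `datadir`) goes here.
 
 You do not need to specify key names as `:symbols`; normal strings are fine.
 
@@ -321,7 +323,7 @@ Configuration file for eyaml
 
 Default parameters for the eyaml command line tool can be provided by creating a configuration YAML file.
 
-Config files will be read first from
+Config files will be read first from `~/.eyaml/config.yaml`, then from `/etc/eyaml/config.yaml` and finally by anything referenced in the `EYAML_CONFIG` environment variable
 
 The file takes any long form argument that you can provide on the command line. For example, to override the pkcs7 keys:
 ```yaml
@@ -358,8 +360,8 @@ When editing eyaml files, you will see that the unencrypted plaintext is marked
 This is a list of available plugins:
 
 - [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg) - Provide GPG encryption
-- [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
-simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
+- [hiera-eyaml-plaintext](https://github.com/gtmtechltd/hiera-eyaml-plaintext) - This is a no-op encryption plugin that
+simply base64 encodes the values. It exists as an example plugin to create your own and to do integration tests on
 hiera-eyaml. **THIS SHOULD NOT BE USED IN PRODUCTION**
 - [hiera-eyaml-twofac](https://github.com/gtmtechltd/hiera-eyaml-twofac) - PKCS7 keypair + AES256 symmetric password for two-factor encryption
 Note that this plugin mandates the user enter a password. It is useful for non-automated scenarios, and is not advised to be used
@@ -411,6 +413,8 @@ Some of us hang out on #hiera-eyaml on freenode, please drop by if you want to s
 Tests
 -----
 
+**NOTE** Some testing requirements are not supported on Windows
+
 In order to run the tests, simply run `cucumber` in the top level directory of the project.
 
 You'll need to have a few requirements installed: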
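--- a/data/lib/hiera/backend/eyaml.rb
+++ b/data/lib/hiera/backend/eyaml.rb
@@ -18,6 +18,10 @@ class Hiera
 :public_key => { :desc => "Path to public key",
 :type => :string,
 :default => "./keys/public_key.pkcs7.pem" },
+:private_key_env_var => { :desc => "Name of environment variable to read private key from",
+:type => :string },
+:public_key_env_var => { :desc => "Name of environment variable to read public key from",
+:type => :string },
 :subject => { :desc => "Subject to use for certificate when creating keys",
 :type => :string,
 :default => "/" },
@@ -36,9 +40,18 @@ class Hiera
 LoggingHelper::trace 'PKCS7 encrypt'
 
 public_key = self.option :public_key
-
+public_key_env_var = self.option :public_key_env_var
+raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
 
-
+if public_key and public_key_env_var
+warn "both public_key and public_key_env_var specified, using public_key"
+end
+
+if public_key_env_var and ENV[public_key_env_var]
+public_key_pem = ENV[public_key_env_var]
+else
+public_key_pem = File.read public_key
+end
 public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
 cipher = OpenSSL::Cipher::AES.new(256, :CBC)
@@ -51,13 +64,30 @@ class Hiera
 
 public_key = self.option :public_key
 private_key = self.option :private_key
-
-
+public_key_env_var = self.option :public_key_env_var
+private_key_env_var = self.option :private_key_env_var
+raise StandardError, "pkcs7_public_key is not defined" unless public_key or public_key_env_var
+raise StandardError, "pkcs7_private_key is not defined" unless private_key or private_key_env_var
+
+if public_key and public_key_env_var
+warn "both public_key and public_key_env_var specified, using public_key"
+end
+if private_key and private_key_env_var
+warn "both private_key and private_key_env_var specified, using private_key"
+end
 
-
+if private_key_env_var and ENV[private_key_env_var]
+private_key_pem = ENV[private_key_env_var]
+else
+private_key_pem = File.read private_key
+end
 private_key_rsa = OpenSSL::PKey::RSA.new( private_key_pem )
 
-
+if public_key_env_var and ENV[public_key_env_var]
+public_key_pem = ENV[public_key_env_var]
+else
+public_key_pem = File.read public_key
+end
 public_key_x509 = OpenSSL::X509::Certificate.new( public_key_pem )
 
 pkcs7 = OpenSSL::PKCS7.new( ciphertext )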
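Review bot: The warnings at new lines 47, 73 and 76 say `using public_key` / `using private_key`, but the branches at lines 50–54, 79–83 and 86–90 take the environment variable whenever it is present in `ENV` and only fall back to the file path, so each message states the opposite of what the code does; change them to `warn "both public_key and public_key_env_var specified, using public_key_env_var"` (likewise for the private key), or better, emit the warning only when `ENV[public_key_env_var]` is actually set. Since `:public_key` carries a default path (line 20), the public-key warning will presumably fire for every configuration that sets only `pkcs7_public_key_env_var`, if `self.option` applies that default — worth confirming. When the named variable is absent from `ENV` and no file option is set, `File.read nil` raises a `TypeError` instead of the `pkcs7_*_key is not defined` error a few lines up, and an empty-string value is truthy in Ruby and reaches `OpenSSL::PKey::RSA.new` / `OpenSSL::X509::Certificate.new` unchecked, so a guard such as `raise StandardError, "#{private_key_env_var} is not set" if private_key_env_var && private_key.nil? && ENV[private_key_env_var].nil?` (and the public-key twin) keeps the failure actionable. A one-line comment above the `ENV` read, e.g. `# key material is read from the process environment, which child processes inherit`, would document the trust boundary the new option introduces. The section header names data/lib/hiera/backend/eyaml.rb while the diffstat credits +36/-6 to pkcs7.rb and these hunks hold the PKCS7 encrypt/decrypt bodies, so this looks like the pkcs7.rb change rendered under the wrong header; both methods start and end outside the hunks.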
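--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hiera-eyaml
 version: !ruby/object:Gem::Version
-version: 3.
+version: 3.2.0
 platform: ruby
 authors:
 - Tom Poulton
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2020-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: optimist
@@ -105,7 +105,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.1.2
 signing_key:
 specification_version: 4
 summary: OpenSSL Encryption backend for Hiera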