hiera-gpg 0.1.1 → 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/lib/hiera/backend/gpg_backend.rb +72 -42
- metadata +17 -3
|
@@ -1,60 +1,90 @@
|
|
|
1
1
|
class Hiera
|
|
2
2
|
module Backend
|
|
3
3
|
class Gpg_backend
|
|
4
|
-
def lookup(key, scope, order_override, resolution_type)
|
|
5
|
-
Hiera.debug("loaded gpg_backend")
|
|
6
|
-
answer = Backend.empty_answer(resolution_type)
|
|
7
4
|
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
Hiera.debug("Loading file #{gpgfile}")
|
|
5
|
+
def initialize
|
|
6
|
+
require 'gpgme'
|
|
7
|
+
debug ("Loaded gpg_backend")
|
|
8
|
+
end
|
|
13
9
|
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
10
|
+
def debug (msg)
|
|
11
|
+
Hiera.debug("[gpg_backend]: #{msg}")
|
|
12
|
+
end
|
|
17
13
|
|
|
18
|
-
|
|
14
|
+
def warn (msg)
|
|
15
|
+
Hiera.warn("[gpg_backend]: #{msg}")
|
|
16
|
+
end
|
|
19
17
|
|
|
20
|
-
if plain.empty?
|
|
21
|
-
Hiera.debug("GPG decrypt returned empty string")
|
|
22
|
-
next
|
|
23
|
-
end
|
|
24
18
|
|
|
25
|
-
|
|
19
|
+
def lookup(key, scope, order_override, resolution_type)
|
|
26
20
|
|
|
27
|
-
|
|
28
|
-
|
|
21
|
+
debug("Lookup called, key #{key} resolution type is #{resolution_type}")
|
|
22
|
+
answer = Backend.empty_answer(resolution_type)
|
|
29
23
|
|
|
24
|
+
Backend.datasources(scope, order_override) do |source|
|
|
25
|
+
gpgfile = Backend.datafile(:gpg, scope, source, "gpg") || next
|
|
30
26
|
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
27
|
+
# This should compute ~ on both *nix and *doze
|
|
28
|
+
homes = ["HOME", "HOMEPATH"]
|
|
29
|
+
real_home = homes.detect { |h| ENV[h] != nil }
|
|
30
|
+
|
|
31
|
+
## key_dir is the location of our GPG private keys
|
|
32
|
+
## default: ~/.gnupg
|
|
33
|
+
key_dir = Config[:gpg][:key_dir] || "#{ENV[real_home]}/.gnupg"
|
|
34
|
+
|
|
35
|
+
plain = decrypt(gpgfile, key_dir)
|
|
36
|
+
next if !plain
|
|
37
|
+
next if plain.empty?
|
|
43
38
|
|
|
44
|
-
|
|
45
|
-
# This should be tied in with the gpgme API, but for now
|
|
46
|
-
# we just shell this out to the gpg command, a future todo
|
|
47
|
-
# is to replace this.
|
|
48
|
-
#
|
|
39
|
+
data = YAML.load(plain)
|
|
49
40
|
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
41
|
+
case resolution_type
|
|
42
|
+
when :array
|
|
43
|
+
debug("Appending answer array")
|
|
44
|
+
answer << Backend.parse_answer(data[key], scope)
|
|
45
|
+
else
|
|
46
|
+
debug("Assigning answer variable")
|
|
47
|
+
answer = Backend.parse_answer(data[key], scope)
|
|
53
48
|
end
|
|
54
49
|
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
50
|
+
return answer
|
|
51
|
+
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
def decrypt(file, gnupghome)
|
|
56
|
+
|
|
57
|
+
ENV["GNUPGHOME"]=gnupghome
|
|
58
|
+
debug("GNUPGHOME is #{ENV['GNUPGHOME']}")
|
|
59
|
+
|
|
60
|
+
ctx = GPGME::Ctx.new
|
|
61
|
+
|
|
62
|
+
open(file) do |cipher|
|
|
63
|
+
debug("loaded cipher: #{file}")
|
|
64
|
+
|
|
65
|
+
ctx = GPGME::Ctx.new
|
|
66
|
+
|
|
67
|
+
if !ctx.keys.empty?
|
|
68
|
+
raw = GPGME::Data.new(cipher)
|
|
69
|
+
txt = GPGME::Data.new
|
|
70
|
+
|
|
71
|
+
begin
|
|
72
|
+
txt = ctx.decrypt(raw)
|
|
73
|
+
rescue GPGME::Error::DecryptFailed
|
|
74
|
+
warn("Warning: GPG Decryption failed, check your GPG settings")
|
|
75
|
+
rescue
|
|
76
|
+
warn("Warning: General exception decrypting GPG file")
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
txt.seek 0
|
|
80
|
+
result = txt.read
|
|
81
|
+
|
|
82
|
+
debug("result is a #{result.class} ctx #{ctx} txt #{txt}")
|
|
83
|
+
return result
|
|
84
|
+
else
|
|
85
|
+
warn("No usable keys found in #{gnupghome}. Check :key_dir value in hiera.yaml is correct")
|
|
86
|
+
end
|
|
87
|
+
end
|
|
58
88
|
end
|
|
59
89
|
end
|
|
60
90
|
end
|
metadata
CHANGED
|
@@ -3,10 +3,10 @@ name: hiera-gpg
|
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease: false
|
|
5
5
|
segments:
|
|
6
|
-
- 0
|
|
7
6
|
- 1
|
|
7
|
+
- 0
|
|
8
8
|
- 1
|
|
9
|
-
version: 0.1
|
|
9
|
+
version: 1.0.1
|
|
10
10
|
platform: ruby
|
|
11
11
|
authors:
|
|
12
12
|
- Craig Dunn
|
|
@@ -14,7 +14,7 @@ autorequire:
|
|
|
14
14
|
bindir: bin
|
|
15
15
|
cert_chain: []
|
|
16
16
|
|
|
17
|
-
date: 2012-03-
|
|
17
|
+
date: 2012-03-19 00:00:00 +00:00
|
|
18
18
|
default_executable:
|
|
19
19
|
dependencies:
|
|
20
20
|
- !ruby/object:Gem::Dependency
|
|
@@ -31,6 +31,20 @@ dependencies:
|
|
|
31
31
|
version: 0.2.0
|
|
32
32
|
type: :runtime
|
|
33
33
|
version_requirements: *id001
|
|
34
|
+
- !ruby/object:Gem::Dependency
|
|
35
|
+
name: gpgme
|
|
36
|
+
prerelease: false
|
|
37
|
+
requirement: &id002 !ruby/object:Gem::Requirement
|
|
38
|
+
requirements:
|
|
39
|
+
- - ">="
|
|
40
|
+
- !ruby/object:Gem::Version
|
|
41
|
+
segments:
|
|
42
|
+
- 2
|
|
43
|
+
- 0
|
|
44
|
+
- 0
|
|
45
|
+
version: 2.0.0
|
|
46
|
+
type: :runtime
|
|
47
|
+
version_requirements: *id002
|
|
34
48
|
description: Hiera backend for storing secret data and decrypting with GPG
|
|
35
49
|
email: craig@craigdunn.org
|
|
36
50
|
executables: []
|