hiera-secrets-manager 1.0.0 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/hiera/backend/secrets_manager_backend.rb +17 -4
- data/spec/secrets_manager_backend_spec.rb +54 -10
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d957e8bc909ebdfa6cecd07424e9fcc3f3d39f9ba4323ada8fab950ac59ca34e
|
|
4
|
+
data.tar.gz: 2c06f3cf7e450bd190cb0c320eb650b46b4bd6b179323abfff45fc0a2b2377d3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bb4ca7d762873a65db8d5a028f0e890be496f9c706f97e55c0b815a0e0bf27e8e4820620093fb2edc529413aec2f58413c7cc80f2844edb6dee9dbd4f3b49158
|
|
7
|
+
data.tar.gz: e9bec7ae36a367ba8784cf3442e5d3da8e547c90e46fa6920ddd101ed0312079f9d58933dd103fb187eb2a97f729c622343e7d27a319c749a5fe384dea49bafc
|
|
@@ -2,6 +2,7 @@ class Hiera
|
|
|
2
2
|
module Backend
|
|
3
3
|
class Secrets_manager_backend
|
|
4
4
|
def initialize
|
|
5
|
+
require 'json'
|
|
5
6
|
require 'aws-sdk-secretsmanager'
|
|
6
7
|
@config = Config
|
|
7
8
|
@client = create_client
|
|
@@ -23,13 +24,19 @@ class Hiera
|
|
|
23
24
|
key_to_query = format_key(key, scope, Config[:secrets_manager])
|
|
24
25
|
|
|
25
26
|
begin
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
27
|
+
case resolution_type
|
|
28
|
+
when :array
|
|
29
|
+
Hiera.warn("Hiera Secrets Manager backend does not support arrays.")
|
|
30
|
+
when :hash
|
|
31
|
+
answer = JSON.parse(retrieve_secret(key_to_query))
|
|
32
|
+
else
|
|
33
|
+
answer = retrieve_secret(key_to_query)
|
|
34
|
+
end
|
|
29
35
|
rescue Aws::SecretsManager::Errors::ResourceNotFoundException => error
|
|
30
36
|
Hiera.debug("#{key_to_query} not found: #{error.message}")
|
|
31
37
|
rescue StandardError => error
|
|
32
|
-
Hiera.debug("
|
|
38
|
+
Hiera.debug("Secrets Manager Backend Error:")
|
|
39
|
+
Hiera.debug(error)
|
|
33
40
|
end
|
|
34
41
|
|
|
35
42
|
answer
|
|
@@ -93,6 +100,12 @@ class Hiera
|
|
|
93
100
|
@config[:secrets_manager].include?(key)
|
|
94
101
|
end
|
|
95
102
|
end
|
|
103
|
+
|
|
104
|
+
def retrieve_secret(key)
|
|
105
|
+
response = @client.get_secret_value(secret_id: key)
|
|
106
|
+
Hiera.debug("Retrieved Secret '#{key}' with version '#{response['version_id']}'")
|
|
107
|
+
response['secret_string']
|
|
108
|
+
end
|
|
96
109
|
end
|
|
97
110
|
end
|
|
98
111
|
end
|
|
@@ -160,7 +160,8 @@ class Hiera
|
|
|
160
160
|
.raises(error)
|
|
161
161
|
Hiera
|
|
162
162
|
.expects(:debug)
|
|
163
|
-
.with("
|
|
163
|
+
.with("Secrets Manager Backend Error:")
|
|
164
|
+
.with(error)
|
|
164
165
|
answer = @backend.lookup(secret_name, {}, nil, nil)
|
|
165
166
|
expect(answer).to eq(nil)
|
|
166
167
|
end
|
|
@@ -205,19 +206,62 @@ class Hiera
|
|
|
205
206
|
@backend.lookup(secret_name, scope, nil, nil)
|
|
206
207
|
end
|
|
207
208
|
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
209
|
+
context 'with illegal characters' do
|
|
210
|
+
%w[: ~ # \\].each do |character|
|
|
211
|
+
it "returns nil if key has illegal character [#{character}] (according to AWS)" do
|
|
212
|
+
@mock_client
|
|
213
|
+
.expects(:get_secret_value)
|
|
214
|
+
.never
|
|
215
|
+
|
|
216
|
+
secret_name = "secret#{character}name"
|
|
217
|
+
|
|
218
|
+
Hiera
|
|
219
|
+
.expects(:debug)
|
|
220
|
+
.with("#{secret_name} contains illegal characters. Skipping lookup.")
|
|
213
221
|
|
|
214
|
-
|
|
222
|
+
@backend.lookup(secret_name, @scope, nil, nil)
|
|
223
|
+
end
|
|
224
|
+
end
|
|
225
|
+
end
|
|
215
226
|
|
|
227
|
+
context 'resolution type' do
|
|
228
|
+
it 'does not support arrays' do
|
|
229
|
+
@mock_client
|
|
230
|
+
.expects(:get_secret_value)
|
|
231
|
+
.never
|
|
216
232
|
Hiera
|
|
217
|
-
|
|
218
|
-
|
|
233
|
+
.expects(:warn)
|
|
234
|
+
.with("Hiera Secrets Manager backend does not support arrays.")
|
|
235
|
+
answer = @backend.lookup('some_secret', {}, nil, :array)
|
|
236
|
+
expect(answer).to eq(nil)
|
|
237
|
+
end
|
|
238
|
+
|
|
239
|
+
it 'parses hashes successfully' do
|
|
240
|
+
secret_name = 'some_secret'
|
|
241
|
+
@mock_client
|
|
242
|
+
.expects(:get_secret_value)
|
|
243
|
+
.with(secret_id: secret_name)
|
|
244
|
+
.returns('secret_string' => '{"foo": "bar"}')
|
|
245
|
+
answer = @backend.lookup(secret_name, {}, nil, :hash)
|
|
246
|
+
expect(answer).to eq({ 'foo' => 'bar' })
|
|
247
|
+
end
|
|
219
248
|
|
|
220
|
-
|
|
249
|
+
it 'should announce if expecting hash and receiving string' do
|
|
250
|
+
secret_name = 'some_secret'
|
|
251
|
+
error = JSON::ParserError.new('unexpected token')
|
|
252
|
+
@mock_client
|
|
253
|
+
.expects(:get_secret_value)
|
|
254
|
+
.with(secret_id: secret_name)
|
|
255
|
+
.returns('secret_string' => 'some string')
|
|
256
|
+
JSON
|
|
257
|
+
.stubs(:parse)
|
|
258
|
+
.raises(error)
|
|
259
|
+
Hiera
|
|
260
|
+
.expects(:debug)
|
|
261
|
+
.with("Secrets Manager Backend Error:")
|
|
262
|
+
.with(error)
|
|
263
|
+
answer = @backend.lookup(secret_name, {}, nil, :hash)
|
|
264
|
+
expect(answer).to eq(nil)
|
|
221
265
|
end
|
|
222
266
|
end
|
|
223
267
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hiera-secrets-manager
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Unruly
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-09-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-secretsmanager
|