hiera-secrets-manager 1.0.0 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/hiera/backend/secrets_manager_backend.rb +17 -4
- data/spec/secrets_manager_backend_spec.rb +54 -10
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d957e8bc909ebdfa6cecd07424e9fcc3f3d39f9ba4323ada8fab950ac59ca34e
|
|
4
|
+
data.tar.gz: 2c06f3cf7e450bd190cb0c320eb650b46b4bd6b179323abfff45fc0a2b2377d3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bb4ca7d762873a65db8d5a028f0e890be496f9c706f97e55c0b815a0e0bf27e8e4820620093fb2edc529413aec2f58413c7cc80f2844edb6dee9dbd4f3b49158
|
|
7
|
+
data.tar.gz: e9bec7ae36a367ba8784cf3442e5d3da8e547c90e46fa6920ddd101ed0312079f9d58933dd103fb187eb2a97f729c622343e7d27a319c749a5fe384dea49bafc
|
|
@@ -2,6 +2,7 @@ class Hiera
|
|
|
2
2
|
module Backend
|
|
3
3
|
class Secrets_manager_backend
|
|
4
4
|
def initialize
|
|
5
|
+
require 'json'
|
|
5
6
|
require 'aws-sdk-secretsmanager'
|
|
6
7
|
@config = Config
|
|
7
8
|
@client = create_client
|
|
@@ -23,13 +24,19 @@ class Hiera
|
|
|
23
24
|
key_to_query = format_key(key, scope, Config[:secrets_manager])
|
|
24
25
|
|
|
25
26
|
begin
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
27
|
+
case resolution_type
|
|
28
|
+
when :array
|
|
29
|
+
Hiera.warn("Hiera Secrets Manager backend does not support arrays.")
|
|
30
|
+
when :hash
|
|
31
|
+
answer = JSON.parse(retrieve_secret(key_to_query))
|
|
32
|
+
else
|
|
33
|
+
answer = retrieve_secret(key_to_query)
|
|
34
|
+
end
|
|
29
35
|
rescue Aws::SecretsManager::Errors::ResourceNotFoundException => error
|
|
30
36
|
Hiera.debug("#{key_to_query} not found: #{error.message}")
|
|
31
37
|
rescue StandardError => error
|
|
32
|
-
Hiera.debug("
|
|
38
|
+
Hiera.debug("Secrets Manager Backend Error:")
|
|
39
|
+
Hiera.debug(error)
|
|
33
40
|
end
|
|
34
41
|
|
|
35
42
|
answer
|
|
@@ -93,6 +100,12 @@ class Hiera
|
|
|
93
100
|
@config[:secrets_manager].include?(key)
|
|
94
101
|
end
|
|
95
102
|
end
|
|
103
|
+
|
|
104
|
+
def retrieve_secret(key)
|
|
105
|
+
response = @client.get_secret_value(secret_id: key)
|
|
106
|
+
Hiera.debug("Retrieved Secret '#{key}' with version '#{response['version_id']}'")
|
|
107
|
+
response['secret_string']
|
|
108
|
+
end
|
|
96
109
|
end
|
|
97
110
|
end
|
|
98
111
|
end
|
|
@@ -160,7 +160,8 @@ class Hiera
|
|
|
160
160
|
.raises(error)
|
|
161
161
|
Hiera
|
|
162
162
|
.expects(:debug)
|
|
163
|
-
.with("
|
|
163
|
+
.with("Secrets Manager Backend Error:")
|
|
164
|
+
.with(error)
|
|
164
165
|
answer = @backend.lookup(secret_name, {}, nil, nil)
|
|
165
166
|
expect(answer).to eq(nil)
|
|
166
167
|
end
|
|
@@ -205,19 +206,62 @@ class Hiera
|
|
|
205
206
|
@backend.lookup(secret_name, scope, nil, nil)
|
|
206
207
|
end
|
|
207
208
|
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
209
|
+
context 'with illegal characters' do
|
|
210
|
+
%w[: ~ # \\].each do |character|
|
|
211
|
+
it "returns nil if key has illegal character [#{character}] (according to AWS)" do
|
|
212
|
+
@mock_client
|
|
213
|
+
.expects(:get_secret_value)
|
|
214
|
+
.never
|
|
215
|
+
|
|
216
|
+
secret_name = "secret#{character}name"
|
|
217
|
+
|
|
218
|
+
Hiera
|
|
219
|
+
.expects(:debug)
|
|
220
|
+
.with("#{secret_name} contains illegal characters. Skipping lookup.")
|
|
213
221
|
|
|
214
|
-
|
|
222
|
+
@backend.lookup(secret_name, @scope, nil, nil)
|
|
223
|
+
end
|
|
224
|
+
end
|
|
225
|
+
end
|
|
215
226
|
|
|
227
|
+
context 'resolution type' do
|
|
228
|
+
it 'does not support arrays' do
|
|
229
|
+
@mock_client
|
|
230
|
+
.expects(:get_secret_value)
|
|
231
|
+
.never
|
|
216
232
|
Hiera
|
|
217
|
-
|
|
218
|
-
|
|
233
|
+
.expects(:warn)
|
|
234
|
+
.with("Hiera Secrets Manager backend does not support arrays.")
|
|
235
|
+
answer = @backend.lookup('some_secret', {}, nil, :array)
|
|
236
|
+
expect(answer).to eq(nil)
|
|
237
|
+
end
|
|
238
|
+
|
|
239
|
+
it 'parses hashes successfully' do
|
|
240
|
+
secret_name = 'some_secret'
|
|
241
|
+
@mock_client
|
|
242
|
+
.expects(:get_secret_value)
|
|
243
|
+
.with(secret_id: secret_name)
|
|
244
|
+
.returns('secret_string' => '{"foo": "bar"}')
|
|
245
|
+
answer = @backend.lookup(secret_name, {}, nil, :hash)
|
|
246
|
+
expect(answer).to eq({ 'foo' => 'bar' })
|
|
247
|
+
end
|
|
219
248
|
|
|
220
|
-
|
|
249
|
+
it 'should announce if expecting hash and receiving string' do
|
|
250
|
+
secret_name = 'some_secret'
|
|
251
|
+
error = JSON::ParserError.new('unexpected token')
|
|
252
|
+
@mock_client
|
|
253
|
+
.expects(:get_secret_value)
|
|
254
|
+
.with(secret_id: secret_name)
|
|
255
|
+
.returns('secret_string' => 'some string')
|
|
256
|
+
JSON
|
|
257
|
+
.stubs(:parse)
|
|
258
|
+
.raises(error)
|
|
259
|
+
Hiera
|
|
260
|
+
.expects(:debug)
|
|
261
|
+
.with("Secrets Manager Backend Error:")
|
|
262
|
+
.with(error)
|
|
263
|
+
answer = @backend.lookup(secret_name, {}, nil, :hash)
|
|
264
|
+
expect(answer).to eq(nil)
|
|
221
265
|
end
|
|
222
266
|
end
|
|
223
267
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hiera-secrets-manager
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Unruly
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-09-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-secretsmanager
|