kubesealr 0.1.0 → 0.1.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 35b04586dd5c804bf697478a11e919da402c87519cdb22bc940c9060b0b07792
4
- data.tar.gz: cfba159bc9ce48fbe5add4a7640bfb3edfa1f66a79617855e22784e5fa60aaf9
3
+ metadata.gz: e7a7de36bca5843043b35eed90dc582ba6717e12c50870ff2ce03f628680acb7
4
+ data.tar.gz: '01896547d9b98c3cb7e5e0836e21626d4a83406a2462ef4b0ebb5abe766d20ce'
5
5
  SHA512:
6
- metadata.gz: 5b199eef47106927b95b724393e1d4bd9bf003bdad5c13b3251b58e600c3afcac53d9824d2c2e922ef8dc1b0ac848acbd7404f8600a7b5f5769b65c49802a9bf
7
- data.tar.gz: 41a52d3229fda407fa074cffae4b8b1af562182142d54c664bce35ae52493f5693d6343d638644bbb729b3f36fd931dbd89c4cdfbae4eed8c1c7a98107034ad9
6
+ metadata.gz: 76cfd1be8a58295d74510419a624c5668fe385d8535be7a068c59436256b5c8ffe6ffd5ae11b62b21bda0b394125d20e508d8f0bf67bd3b480164fc504fcb7e6
7
+ data.tar.gz: d0c7f6ea29a85f176026d6aa590b4a1ebdcd296d953be3e4ec1299436835646434e073d332a86ad07cf6e670ec5ed56e8f165a5cf6edd433a706b418a5696166
@@ -23,7 +23,7 @@ GIT
23
23
  PATH
24
24
  remote: .
25
25
  specs:
26
- kubesealr (0.1.0)
26
+ kubesealr (0.1.1)
27
27
  k8s-ruby
28
28
  openssl-oaep
29
29
 
@@ -92,4 +92,4 @@ DEPENDENCIES
92
92
  rspec (~> 3.0)
93
93
 
94
94
  BUNDLED WITH
95
- 2.2.5
95
+ 2.2.6
@@ -10,11 +10,12 @@ require 'kubeseal/version'
10
10
 
11
11
  class Kubeseal
12
12
  DEFAULT_KEY_FETCHER = lambda do |_|
13
- raise NotImplementedError, "no cert getter passed"
13
+ raise NotImplementedError, "no cluster key-fetcher passed"
14
14
  end
15
15
 
16
- def initialize(&cluster_sealer_key_fetcher)
17
- @cluster_sealer_key_fetcher = cluster_sealer_key_fetcher || DEFAULT_KEY_FETCHER
16
+ def initialize(key_fetcher: nil, resealer: nil)
17
+ @cluster_sealer_key_fetcher = key_fetcher || DEFAULT_KEY_FETCHER
18
+ @cluster_sealer_resealer = resealer
18
19
  end
19
20
 
20
21
  def cluster_sealer_public_key
@@ -94,7 +95,6 @@ class Kubeseal
94
95
  )
95
96
  end
96
97
 
97
- private
98
98
  def seal(plaintext, scope_label)
99
99
  cs_pubkey = self.cluster_sealer_public_key
100
100
 
@@ -126,7 +126,6 @@ class Kubeseal
126
126
  ciphertext_parts.pack('S>A*A*')
127
127
  end
128
128
 
129
- private
130
129
  def unseal(ciphertext, scope_label)
131
130
  cs_privkeys_to_try = self.cluster_sealer_private_keys.dup
132
131
 
@@ -168,6 +167,47 @@ class Kubeseal
168
167
  plaintext
169
168
  end
170
169
 
170
+ def reseal(...)
171
+ if @cluster_sealer_resealer
172
+ reseal_serverside(...)
173
+ else
174
+ reseal_clientside(...)
175
+ end
176
+ end
177
+
178
+ def reseal_clientside(ciphertext, scope_label)
179
+ plaintext = unseal(ciphertext, scope_label)
180
+ seal(plaintext, scope_label)
181
+ end
182
+
183
+ def reseal_serverside(ciphertext, scope_label)
184
+ rc_namespace, rc_name, scope =
185
+ case scope_label.split('/', 2)
186
+ in []
187
+ ["dummy", "dummy", :"cluster-wide"]
188
+ in [ns]
189
+ [ns, "dummy", :"namespace-wide"]
190
+ in [ns, name]
191
+ [ns, name, :strict]
192
+ end
193
+
194
+ rc = build_sealed_secret_rc(
195
+ rc_namespace,
196
+ rc_name,
197
+ 'Opaque',
198
+ armor({'dummy' => ciphertext}, strict: true)
199
+ )
200
+ rc = patch_with_scope(rc, scope)
201
+
202
+ resealed_rc = reseal_wrapped_serverside(rc)
203
+
204
+ Base64.decode64(resealed_rc.dig('spec', 'encryptedData', 'dummy'))
205
+ end
206
+
207
+ def reseal_wrapped_serverside(sealed_secret_rc)
208
+ YAML.load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))
209
+ end
210
+
171
211
  private
172
212
  def label_for(scope, rc_namespace, rc_name)
173
213
  case scope
@@ -248,8 +288,12 @@ class Kubeseal
248
288
  end
249
289
  end
250
290
 
251
- def armor(h)
252
- (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
291
+ def armor(h, strict: false)
292
+ if strict
293
+ (h || {}).map{ |k, v| [k, Base64.strict_encode64(v)] }.to_h
294
+ else
295
+ (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
296
+ end
253
297
  end
254
298
 
255
299
  def unarmor(h)
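Review bot: `reseal_wrapped_serverside` parses the text returned by the injected `resealer` callable with `YAML.load`; since the `...` forwarding and `case/in` pin this file to Ruby ≥ 2.7, and on 2.7/3.0 (Psych 3) `YAML.load` is the unsafe loader that instantiates arbitrary tagged objects, a resealer backed by an external process or cluster endpoint becomes a deserialization sink. The SealedSecret document is plain hashes and strings, so `YAML.safe_load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))` preserves behaviour for well-formed output and rejects object tags. Separately, in `reseal_serverside` a resealer reply lacking `spec.encryptedData.dummy` makes `dig` return nil and `Base64.decode64(nil)` fails with an unhelpful NoMethodError; guard it explicitly, e.g. `encrypted = resealed_rc.dig('spec', 'encryptedData', 'dummy') or raise ArgumentError, "resealer returned no spec.encryptedData.dummy"` followed by `Base64.strict_decode64(encrypted)`, which also matches the `strict: true` armoring on the way in. Both methods lie fully inside the hunk; the enclosing class continues outside it.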
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  class Kubeseal
4
- VERSION = "0.1.0"
4
+ VERSION = "0.1.1"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: kubesealr
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Levi Aul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-01-20 00:00:00.000000000 Z
11
+ date: 2021-01-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: k8s-ruby