kubesealr 0.1.0 → 0.1.1

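--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
- metadata.gz: 35b04586dd5c804bf697478a11e919da402c87519cdb22bc940c9060b0b07792
- data.tar.gz: cfba159bc9ce48fbe5add4a7640bfb3edfa1f66a79617855e22784e5fa60aaf9
+ metadata.gz: e7a7de36bca5843043b35eed90dc582ba6717e12c50870ff2ce03f628680acb7
+ data.tar.gz: '01896547d9b98c3cb7e5e0836e21626d4a83406a2462ef4b0ebb5abe766d20ce'
 SHA512:
- metadata.gz: 5b199eef47106927b95b724393e1d4bd9bf003bdad5c13b3251b58e600c3afcac53d9824d2c2e922ef8dc1b0ac848acbd7404f8600a7b5f5769b65c49802a9bf
- data.tar.gz: 41a52d3229fda407fa074cffae4b8b1af562182142d54c664bce35ae52493f5693d6343d638644bbb729b3f36fd931dbd89c4cdfbae4eed8c1c7a98107034ad9
+ metadata.gz: 76cfd1be8a58295d74510419a624c5668fe385d8535be7a068c59436256b5c8ffe6ffd5ae11b62b21bda0b394125d20e508d8f0bf67bd3b480164fc504fcb7e6
+ data.tar.gz: d0c7f6ea29a85f176026d6aa590b4a1ebdcd296d953be3e4ec1299436835646434e073d332a86ad07cf6e670ec5ed56e8f165a5cf6edd433a706b418a5696166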
@@ -23,7 +23,7 @@ GIT
23
23
  PATH
24
24
  remote: .
25
25
  specs:
26
- kubesealr (0.1.0)
26
+ kubesealr (0.1.1)
27
27
  k8s-ruby
28
28
  openssl-oaep
29
29
 
@@ -92,4 +92,4 @@ DEPENDENCIES
92
92
  rspec (~> 3.0)
93
93
 
94
94
  BUNDLED WITH
95
- 2.2.5
95
+ 2.2.6
@@ -10,11 +10,12 @@ require 'kubeseal/version'
10
10
 
11
11
  class Kubeseal
12
12
  DEFAULT_KEY_FETCHER = lambda do |_|
13
- raise NotImplementedError, "no cert getter passed"
13
+ raise NotImplementedError, "no cluster key-fetcher passed"
14
14
  end
15
15
 
16
- def initialize(&cluster_sealer_key_fetcher)
17
- @cluster_sealer_key_fetcher = cluster_sealer_key_fetcher || DEFAULT_KEY_FETCHER
16
+ def initialize(key_fetcher: nil, resealer: nil)
17
+ @cluster_sealer_key_fetcher = key_fetcher || DEFAULT_KEY_FETCHER
18
+ @cluster_sealer_resealer = resealer
18
19
  end
19
20
 
20
21
  def cluster_sealer_public_key
@@ -94,7 +95,6 @@ class Kubeseal
94
95
  )
95
96
  end
96
97
 
97
- private
98
98
  def seal(plaintext, scope_label)
99
99
  cs_pubkey = self.cluster_sealer_public_key
100
100
 
@@ -126,7 +126,6 @@ class Kubeseal
126
126
  ciphertext_parts.pack('S>A*A*')
127
127
  end
128
128
 
129
- private
130
129
  def unseal(ciphertext, scope_label)
131
130
  cs_privkeys_to_try = self.cluster_sealer_private_keys.dup
132
131
 
@@ -168,6 +167,47 @@ class Kubeseal
168
167
  plaintext
169
168
  end
170
169
 
170
+ def reseal(...)
171
+ if @cluster_sealer_resealer
172
+ reseal_serverside(...)
173
+ else
174
+ reseal_clientside(...)
175
+ end
176
+ end
177
+
178
+ def reseal_clientside(ciphertext, scope_label)
179
+ plaintext = unseal(ciphertext, scope_label)
180
+ seal(plaintext, scope_label)
181
+ end
182
+
183
+ def reseal_serverside(ciphertext, scope_label)
184
+ rc_namespace, rc_name, scope =
185
+ case scope_label.split('/', 2)
186
+ in []
187
+ ["dummy", "dummy", :"cluster-wide"]
188
+ in [ns]
189
+ [ns, "dummy", :"namespace-wide"]
190
+ in [ns, name]
191
+ [ns, name, :strict]
192
+ end
193
+
194
+ rc = build_sealed_secret_rc(
195
+ rc_namespace,
196
+ rc_name,
197
+ 'Opaque',
198
+ armor({'dummy' => ciphertext}, strict: true)
199
+ )
200
+ rc = patch_with_scope(rc, scope)
201
+
202
+ resealed_rc = reseal_wrapped_serverside(rc)
203
+
204
+ Base64.decode64(resealed_rc.dig('spec', 'encryptedData', 'dummy'))
205
+ end
206
+
207
+ def reseal_wrapped_serverside(sealed_secret_rc)
208
+ YAML.load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))
209
+ end
210
+
171
211
  private
172
212
  def label_for(scope, rc_namespace, rc_name)
173
213
  case scope
@@ -248,8 +288,12 @@ class Kubeseal
248
288
  end
249
289
  end
250
290
 
251
- def armor(h)
252
- (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
291
+ def armor(h, strict: false)
292
+ if strict
293
+ (h || {}).map{ |k, v| [k, Base64.strict_encode64(v)] }.to_h
294
+ else
295
+ (h || {}).map{ |k, v| [k, Base64.encode64(v)] }.to_h
296
+ end
253
297
  end
254
298
 
255
299
  def unarmor(h)
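Review bot: `reseal_wrapped_serverside` parses the resealer's response with `YAML.load`, which on the Psych 3 bundled with Ruby at the time of this change instantiates arbitrary Ruby objects from `!ruby/object` tags, so a compromised or misbehaving resealer endpoint gets object deserialization inside the client. The resealed SealedSecret manifest is plain maps and strings, so `YAML.safe_load(@cluster_sealer_resealer.call(sealed_secret_rc.to_yaml))` loses nothing. `reseal_serverside` then passes `resealed_rc.dig('spec', 'encryptedData', 'dummy')` straight to `Base64.decode64`, which raises a bare TypeError when the response lacks that path; `encrypted = resealed_rc.dig('spec', 'encryptedData', 'dummy')` followed by `raise ArgumentError, "resealer returned no spec.encryptedData.dummy" unless encrypted` would make a malformed response diagnosable. The two `private` markers removed before `seal` and `unseal` were not needed for the new `reseal_clientside` to call them (unqualified calls to private methods are allowed within the instance), so those methods have now become public API; if that is deliberate, a short comment saying so would help. The enclosing `Kubeseal` class starts and ends outside the hunks shown.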
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  class Kubeseal
4
- VERSION = "0.1.0"
4
+ VERSION = "0.1.1"
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: kubesealr
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Levi Aul
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-01-20 00:00:00.000000000 Z
11
+ date: 2021-01-22 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: k8s-ruby