pupistry 1.2.2 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 191ed356e73fb20bf75c7cf3b42a6d39dec77a9e
-  data.tar.gz: 2379cc4af18613e37b14cf9569347c914b7f34e9
+  metadata.gz: 8c94c39eb6f50371e99762aee5b7546f60f9897d
+  data.tar.gz: 3d23604c96dd8e1a1991e71347ef2481428bf00e
 SHA512:
-  metadata.gz: f941399858b331deb102914b56bbb854a52d97bd7c835dcf82253813c6581b00d50ec31caf72c7f69c2adefe983360f0fbb56a5e49ac4fe1ca40e6bd32192ecb
-  data.tar.gz: 9e66e9dc688d9e8b2b2de57ea04cb48953841a369ebba025f2ad257f505d117e3635ee4703d4634c3017e406418367279d9cdbe84caaefcea49118744c1718ae
+  metadata.gz: 0095ac651397af41960be834d5ed202265920dc1315f3b974b057f5aa5a32a7b132dbb5fd323299f3cfcba6b9b128bc4131bb463e4028d3b4653e1ff19b0746e
+  data.tar.gz: 2552da2af903929b92f115ee24e017be6e2c39af8b27eab850c1f92159ef5165704ff88421fc52f46ef5e34fc88dbbe053864261ddf0f18205220d729bc167cc

data/README.md

@@ -457,6 +457,56 @@ would be from you accidentally sharing your IAM credentials in the wrong place,
 or an exploited build server.
 
 
+# Securing Hirea with HieraCrypt
+
+In a standard Puppet master situation, the Puppet master parses the Hiera data
+and then passes only the values that apply to a particular host to it. But with
+masterless Puppet, all machines get a full copy of Hiera data, which could be a
+major issue if one box gets expoited and the contents leaked. Generally it goes
+against good practise and damanges the isolation ability of VMs if you give all
+the VMs enough information to do some serious damage to themselves.
+
+By default an out-of-the-box Pupistry installation suffers this limitation like
+most master-less Puppet solutions. However, there is an optional feature built
+into Pupistry called "HieraCrypt" which can be used to encrypt data and prevent
+excessive exposure of information to nodes.
+
+The solutions works, by generating a cert on each node you use with the
+`pupistry hieracrypt --generate` parameter and saving the output into your
+puppetcode repository at `hieracrypt/nodes/HOSTNAME`. This output includes a
+x509 cert made against the host's SSH RSA host key and a JSON array of all
+the facter facts on that host that correlate to values inside the hiera.yaml
+file.
+
+When you run Pupistry on your build workstation, it parses the hiera.yaml file
+for each environment and generates a match of files per-node. It then encrypts
+these files and creates an encrypted package for each node that only they can
+decrypt.
+
+For example, if your hiera.yaml file looks like:
+
+    :hierarchy:
+      - "environments/%{::environment}"
+      - "nodes/%{::hostname}"
+      - common
+
+And your hieradata directory looks like:
+
+    hieradata/
+    hieradata/common.yaml
+    hieradata/environments
+    hieradata/nodes
+    hieradata/nodes/testhost.yaml
+
+When Pupistry builds the artifact, it will include the `common.yaml` file for
+all nodes, however the `testhost.yaml` file will only be included for the
+server with that hostname.
+
+All servers still get the encrypted data for all the other nodes as they're
+shipped as part of the artifact, but nodes can only decrypt the data signed
+against their key.
+
+
 # Caveats & Future Plans
 
 ## Use r10k
@@ -498,26 +548,6 @@ decide to do so, a pull request to better support CD systems out-of-the-box
 would be welcome.
 
 
-## Hiera Security Still Sucks
-
-In a standard Puppet master situation, the Puppet master parses the Hiera data
-and then passes only the values that apply to a particular host to it. But with
-masterless Puppet, all machines get a full copy of Hiera data, which could be a
-major issue if one box gets expoited and the contents leaked. Generally it goes
-against good practise and damanges the isolation ability of VMs if you give all
-the VMs enough information to do some serious damage to themselves.
-
-Pupistry does not yet have any solution for it and it remains a fundamental
-limitation of the Puppet masterless approach. Longer term, we could potentially
-craft a solution that customises the artifacts per-machine to fix this security
-gap, but there's no proper solution currently.
-
-If you have an environment where you need to send lots of sensitive values to
-your servers, a traditional master-full Puppet environment may be a better
-solution for this reason. But if you can architect to avoid this or have no
-critical secrets in Hiera, Pupistry should be good for you.
-
-
 ## PuppetDB
 
 There's nothing stopping you from using PuppetDB other than Pupistry has no

data/exe/pupistry

@@ -77,6 +77,7 @@ class CLI < Thor
       artifact = Pupistry::Artifact.new
 
       artifact.fetch_r10k
+      artifact.hieracrypt_encrypt
       artifact.build_artifact
 
       puts '--'
@@ -146,7 +147,7 @@ class CLI < Thor
     #       Pull requests welcome :-) xoxo
 
     Dir.chdir("#{$config['general']['app_cache']}/artifacts/") do
-      unless system "diff -Nuar unpacked.#{artifact_upstream.checksum} unpacked.#{artifact_current.checksum}"
+      unless system "diff -Nuar --exclude hieracrypt unpacked.#{artifact_upstream.checksum} unpacked.#{artifact_current.checksum}"
       end
     end
 
@@ -252,6 +253,31 @@ class CLI < Thor
     end
   end
 
+  ## Hieracrypt Feature
+
+  desc 'hieracrypt', 'Manage the encryption of Hiera data to securely restrict access from nodes'
+  method_option :generate, type: :boolean, desc: 'Generate an export of public cert and facts for Hieracrypt usage.'
+  def hieracrypt
+    # Thor seems to force class options to be defined repeatedly? :-/
+    if options[:verbose]
+      $logger.level = Logger::DEBUG
+    else
+      $logger.level = Logger::INFO
+    end
+
+    if options[:config]
+      Pupistry::Config.load(options[:config])
+    else
+      Pupistry::Config.find_and_load
+    end
+
+    # TODO
+    if options[:generate]
+      Pupistry::HieraCrypt.generate_nodedata
+    else
+      puts "Run `pupistry hieracrypt --generate` on each node to get back a data file to be saved into puppetcode"
+    end
+  end
 
   ## Other Commands
 

data/lib/pupistry.rb

@@ -4,6 +4,7 @@ require 'pupistry/artifact'
 require 'pupistry/bootstrap'
 require 'pupistry/config'
 require 'pupistry/gpg'
+require 'pupistry/hieracrypt'
 require 'pupistry/packer'
 require 'pupistry/storage_aws'
 

data/lib/pupistry/agent.rb

@@ -89,6 +89,7 @@ module Pupistry
 
         artifact.fetch_artifact
         artifact.unpack
+        artifact.hieracrypt_decrypt
 
         unless artifact.install
           $logger.fatal 'An unexpected error happened when installing the latest artifact, cancelling Puppet run'

data/lib/pupistry/artifact.rb

@@ -6,7 +6,6 @@ require 'time'
 require 'digest'
 require 'fileutils'
 require 'base64'
-require 'whichr'
 
 module Pupistry
   # Pupistry::Artifact
@@ -172,6 +171,27 @@ module Pupistry
       end
     end
 
+    def hieracrypt_encrypt
+      # Stub function, since HieraCrypt has no association with the actual
+      # artifact file, but rather the post-r10k checked data, it could be
+      # invoked directly. However it's worth wrapping here incase we ever
+      # do change this behavior.
+
+      Pupistry::HieraCrypt.encrypt_hieradata
+
+    end
+
+    def hieracrypt_decrypt
+      # Decrypt any encrypted Hieradata inside the currently unpacked artifact
+      # before it gets copied to the installation location.
+
+      if defined? @checksum
+        Pupistry::HieraCrypt.decrypt_hieradata $config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}/puppetcode"
+      else
+        $logger.warn "Tried to request hieracrypt_decrypt on no artifact."
+      end
+
+    end
     def push_artifact
       # The push step involves 2 steps:
       # 1. GPG sign the artifact and write it into the manifest file
@@ -280,15 +300,26 @@ module Pupistry
         # Make sure there is a directory to write artifacts into
         FileUtils.mkdir_p('artifacts')
 
-        # Try to use GNU tar if present to work around weird issues with some
-        # versions of BSD tar when using the tar files with GNU tar subsequently.
-        tar = RubyWhich.new.which('gtar').first || RubyWhich.new.which('gnutar').first || 'tar'
-        $logger.debug "Using tar at #{tar}"
-
         # Build the tar file - we delibertly don't compress in a single step
         # so that we can grab the checksum, since checksum will always differ
         # post-compression.
-        unless system "#{tar} -c --exclude '.git' -f artifacts/artifact.temp.tar puppetcode/*"
+
+        tar = Pupistry::Config.which_tar
+        $logger.debug "Using tar at #{tar}"
+
+        tar += " -c"
+        tar += " --exclude '.git'"
+        if Pupistry::HieraCrypt.is_enabled?
+          # We want to exclude unencrypted hieradata (duh security) and also the node files (which aren't needed)
+          tar += " --exclude 'hieradata'"
+          tar += " --exclude 'hieracrypt/nodes'"
+        else
+          # Hieracrypt is disable, exclude any old out of date encrypted files
+          tar += " --exclude 'hieracrypt/encrypted'"
+        end
+        tar += " -f artifacts/artifact.temp.tar puppetcode/*"
+
+        unless system tar
           $logger.error 'Unable to create tarball'
           fail 'An unexpected error occured when executing tar'
         end
@@ -306,6 +337,11 @@ module Pupistry
           $logger.error "This artifact version (#{@checksum}) has already been built, nothing todo."
           $logger.error "Did you remember to \"git push\" your module changes?"
 
+          # TODO: Unfortunatly Hieracrypt breaks this, since the encrypted Hieradata is different
+          # on every run, which results in the checksum always being different even if nothing in
+          # the repo itself has changed. We need a proper fix for this at some stage, for now it's
+          # covered in the readme notes for HieraCrypt as a flaw.
+
           # Cleanup temp file
           FileUtils.rm($config['general']['app_cache'] + '/artifacts/artifact.temp.tar')
           exit 0
@@ -386,9 +422,7 @@ module Pupistry
       # Unpack the archive file
       FileUtils.mkdir_p($config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}")
       Dir.chdir($config['general']['app_cache'] + "/artifacts/unpacked.#{@checksum}") do
-        # Try to use GNU tar if present to work around weird issues with some
-        # versions of BSD tar when using the tar files with GNU tar subsequently.
-        tar = RubyWhich.new.which('gtar').first || RubyWhich.new.which('gnutar').first || 'tar'
+        tar = Pupistry::Config.which_tar
         $logger.debug "Using tar at #{tar}"
 
         if system "#{tar} -xf ../artifact.#{@checksum}.tar.gz"

data/lib/pupistry/config.rb

@@ -4,6 +4,7 @@ require 'fileutils'
 require 'tempfile'
 require 'yaml'
 require 'safe_yaml'
+require 'whichr'
 
 module Pupistry
   # Pupistry::Config
@@ -115,6 +116,16 @@ module Pupistry
 
       load(config)
     end
+
+    # Return which tar binary to use.
+    def self.which_tar
+        # Try to use GNU tar if present to work around weird issues with some
+        # versions of BSD tar when using the tar files with GNU tar subsequently.
+        tar = RubyWhich.new.which('gtar').first || RubyWhich.new.which('gnutar').first || 'tar'
+
+        return tar
+    end
+
   end
 end
 # vim:shiftwidth=2:tabstop=2:softtabstop=2:expandtab:smartindent

data/lib/pupistry/hieracrypt.rb

@@ -0,0 +1,412 @@
+# rubocop:disable Style/Documentation, Style/GlobalVars
+require 'rubygems'
+require 'yaml'
+require 'json'
+require 'safe_yaml'
+require 'fileutils'
+require 'base64'
+
+module Pupistry
+  # Pupistry::HieraCrypt
+
+  class HieraCrypt
+
+    # As HieraCrypt is an optional extension, we should provide calling code
+    # an easy way to determine if we're enabled or not.
+    def self.is_enabled?
+      begin
+        if $config['build']['hieracrypt'] == true
+          $logger.debug 'Hieracrypt is enabled.'
+          return true
+        end
+      rescue => ex
+        # Nothing todo, fall back.
+      end
+
+      $logger.debug 'Hieracrypt is disabled.'
+      return false
+    end
+
+
+    # To encrypt the Hieradata against the certs we have, there's a few things
+    # that we need to do.
+    #
+    # 1. Firstly we need to iterate through all the available environments in
+    #    the app_cache/puppetcode directory and for each one, load the Hiera
+    #    rules.
+    #
+    # 2. Secondly (assuming HieraCrypt is even enabled) we must find all the
+    #    node files that contain the cert & fact data.
+    #
+    # 3. Apply the rules to the host and determine which files should go into
+    #    the encrypted hieradata file for that host and copy to a dir.
+    #
+    # 4. Generate the encrypted HieraCrypt file with the files in it, one per
+    #    each node we have.
+    #
+    # 5. Purge the unencrypted hieradata and the working files.
+    #
+    # Run after fetch_r10k and before build_artifact
+    #
+    def self.encrypt_hieradata
+      unless is_enabled?
+        return false
+      end
+      
+      $logger.info "Encrypting Hieradata (HieraCrypt Feature)..."
+
+
+      # Key paths to remember inside puppetcode / BRANCH:
+      #
+      # hieracrypt/nodes/     Where the various per-host files live.
+      # hieradata/hiera.yaml  The Hiera rules
+      # hieradata/*           Any/all Hiera data.
+      #
+      puppetcode = $config['general']['app_cache'] + '/puppetcode'
+
+      
+      # Run through each environment.
+      for env in Dir.glob(puppetcode +'/*')
+        env = File.basename(env)
+
+        if Dir.exists?(puppetcode + '/' + env)
+          $logger.debug "Processing branch: #{env}"
+
+          Dir.chdir(puppetcode + '/' + env) do
+            # Directory env exists, check inside it for a hiera.yaml
+            if File.exists?('hiera.yaml')
+              $logger.debug 'Found hiera file '+ puppetcode + '/' + env + '/hiera.yaml'
+            else
+              $logger.warn "No hiera.yaml could be found for branch #{env}, no logic to encrypt on"
+              return false
+            end
+
+
+            # Iterate through each node in the environment
+            unless Dir.exists?('hieradata')
+              $logger.warn "No hieradata found for branch #{env}, so nothing to encrypt. Skipping."
+              break
+            end
+
+            if Dir.exists?('hieracrypt')
+              $logger.debug 'Found hieracrypt directory'
+            else
+              $logger.warn "No hieracrypt/ directory could be found for branch #{env}, no encryption can take place there."
+              break
+            end
+
+            unless Dir.exists?('hieracrypt/nodes')
+              $logger.warn "No hieracrypt/nodes directory could be found for branch #{env}, no encryption can take place there."
+              break
+            end
+            
+            unless Dir.exists?('hieracrypt/encrypted')
+              # We place the encrypted data files in here.
+              Dir.mkdir('hieracrypt/encrypted')
+            end
+
+            nodes = Dir.glob('hieracrypt/nodes/*')
+
+            if nodes
+              for node in nodes
+                node = File.basename(node)
+
+                $logger.debug "Found node #{node} for environment #{env}, processing now..."
+
+                begin
+                  # We need to load the JSON-based facts that are appended to the
+                  # cert file. However the JSON parser loses it's shit since it
+                  # doesn't like the header of the cert contents, so we need to
+                  # seek past that ourselves.
+                  json_raw = ""
+
+                  IO.readlines("hieracrypt/nodes/#{node}").each do |line|
+                    unless json_raw.empty?
+                      # Subsequent Lines
+                      json_raw += line
+                    end
+
+                    if /{/.match(line)
+                      # We have found the first {, must be a valid JSON line
+                      json_raw += line
+                    end
+                  end
+
+                  # Extract the facts from the json
+                  puppet_facts = JSON.load(json_raw)
+
+                rescue Exception => ex
+                  $logger.fatal "Unable to parse the JSON data for host/node #{node}"
+                  fail 'A fatal error occurred when processing HieraCrypt node data'
+                end
+
+
+                # It's common to use the 'environment' fact in Hiera, however
+                # it's going to have been exported as null, since it wouldn't
+                # have been set at time of generation. Hence, if it is there
+                # and it is null, we should set it to the current environment
+                # since we know exactly what it will be because we're inside
+                # the environment :-)
+
+                if defined? puppet_facts['environment']
+                  if puppet_facts['environment'] == nil
+                    puppet_facts['environment'] = env
+                  end
+                end
+
+                
+                # Apply the Hiera rules to the directory and get back a list of
+                # files that would be matched by Hiera. The way we do this, is
+                # by filling in each line in Hiera and essentially turning them
+                # into a glob-able (is this even a word?) pattern which allows
+                # us to determine what files we need to encrypt for this
+                # particular node.
+
+                # Iterate through the Hiera rules for values
+                hiera_rules = []
+                hiera       = YAML.load_file('hiera.yaml', safe: true, raise_on_unknown_tag: true)
+
+                if defined? hiera[':hierarchy']
+                  if hiera[':hierarchy'].is_a?(Array)
+                    for line in hiera[':hierarchy']
+                      # Match syntax of %{::some_kinda_fact}
+                      line.scan(/%{::([[:word:]]*)}/) do |match|
+                        # Replace fact variable with actual value
+                        unless defined? puppet_facts[match[0]]
+                          $logger.warn "hiera.yaml references fact #{match[0]} but this fact doesn't exist in #{node}'s hieracrypt/node/#{node} JSON."
+                          $logger.warn "Possibly out of date data, re-run `pupistry hieracrypt --generate` on the node"
+                        else
+                          line = line.sub("%{::#{match[0]}}", puppet_facts[match[0]])
+                        end
+                      end
+
+                      # Add processed line to the rules file
+                      hiera_rules.push(line)
+                    end
+                  else
+                    $logger.error "Use the array format of the hierachy entry in Hiera, string format not supported because why would you?"
+                  end
+                end
+
+                # We have the rules from Hiera for this machine, let's run
+                # through them as globs and copy each match to a new location.
+                begin
+                  FileUtils.rm_r "hieracrypt.#{node}"
+                rescue Errno::ENOENT
+                  # Normal error if it doesn't exist yet.
+                end
+
+                FileUtils.mkdir "hieracrypt.#{node}"
+
+                $logger.debug "Copying relevant hiera data files for #{node}..."
+
+                hiera_rules.each do |rule|
+                  for file in Dir.glob("hieradata/#{rule}.*")
+                    $logger.debug " - #{file}"
+
+                    file_rel = file.sub("hieradata/", "")
+                    #FileUtils.mkdir_p  "hieracrypt.#{node}/#{File.dirname(file_rel)}"
+                    FileUtils.mkdir_p  "hieracrypt.#{node}/#{File.dirname(file_rel)}"
+                    FileUtils.cp file, "hieracrypt.#{node}/#{file_rel}"
+                  end
+                end
+
+
+                # Generate the encrypted file
+                tar = Pupistry::Config.which_tar
+                $logger.debug "Using tar at #{tar}"
+
+                unless system "#{tar} -c -z -f hieracrypt.#{node}.tar.gz hieracrypt.#{node}"
+                  $logger.error 'Unable to create tarball'
+                  fail 'An unexpected error occured when executing tar'
+                end
+
+                openssl = "openssl smime -encrypt -binary -aes256 -in hieracrypt.#{node}.tar.gz -out hieracrypt/encrypted/#{node}.tar.gz.enc hieracrypt/nodes/#{node}"
+                $logger.debug "Executing: #{openssl}"
+
+                unless system openssl
+                  $logger.error "Generation of encrypted file failed for node #{node}"
+                  fail 'An unexpected error occured when executing openssl'
+                end
+
+                # Cleanup Unencrypted
+                FileUtils.rm_r "hieracrypt.#{node}.tar.gz"
+                FileUtils.rm_r "hieracrypt.#{node}"
+              end
+            else
+              $logger.warn "No nodes could be found for branch #{env}, no encryption can take place there."
+              break
+            end
+
+            # We don't do the purge of hieradata unencrypted directory here,
+            # instead we tell the artifact creation process to exclude it from
+            # the artifact generation if Hieracrypt is enabled.
+
+          end
+        end
+      end
+
+    end
+
+    # Find & decrypt the data for this server, if any. This should be run
+    # ALWAYS regardless of the Hieracrypt parameter, since we don't want people
+    # to have to worry about rolling it out to clients, we can figure it out
+    # based on what files do (or don't) exist.
+    #
+    # Runs after unpack, but before artifact install. We get the artifact class
+    # to pass through the location to operate inside of.
+    #
+    def self.decrypt_hieradata puppetcode
+      $logger.debug "Decrypting Hieracrypt..."
+      
+      hostname         = get_hostname             # Facter hostname value
+      ssh_host_rsa_key = get_ssh_rsa_private_key  # We generate the SSL cert using the SSH RSA Host key
+
+
+      # Run through each environment.
+      for env in Dir.glob(puppetcode +'/*')
+        env = File.basename(env)
+
+        if Dir.exists?(puppetcode + '/' + env)
+          $logger.debug "Processing branch: #{env}"
+
+          Dir.chdir(puppetcode + '/' + env) do
+            unless Dir.exists?("hieracrypt/encrypted")
+              $logger.debug "Environment #{env} is using unencrypted hieradata."
+            else
+              $logger.debug "Environment #{env} is using HieraCrypt, searching for host..."
+
+              if File.exists?("hieracrypt/encrypted/#{hostname}.tar.gz.enc")
+                $logger.info "Found encrypted Hieradata for #{hostname} in #{env} branch"
+
+                # Perform decryption of this host.
+                openssl = "openssl smime -decrypt -inkey #{ssh_host_rsa_key} < hieracrypt/encrypted/#{hostname}.tar.gz.enc | tar -xz -f -"
+
+                unless system openssl
+                  $logger.error "A fault occured trying to decrypt the data for #{hostname}"
+                end
+
+                # Move unpacked host-specific Hieradata into final location
+                FileUtils.mv "hieracrypt.#{hostname}", "hieradata"
+              else
+                $logger.error "Unable to find a HieraCrypt package for #{hostname} in branch #{env}, this machine will be missing all Hieradata"
+              end
+            end
+          end
+        end
+      end
+
+    end
+
+
+    # Fetch the Puppet facts and the x509 cert from the server and export them
+    # in a combined version for easy cut'n'paste to the puppetcode repo.
+    def self.generate_nodedata
+      $logger.info "Generating an export package of cert and facts..."
+
+      # Setup the cache so we can park various files as we work.
+      cache_dir = $config['general']['app_cache'] +'/hieracrypt'
+
+      unless Dir.exists?(cache_dir)
+        Dir.mkdir(cache_dir)
+      end
+
+      # Generate the SSH public cert.
+      ssh_host_rsa_key = get_ssh_rsa_private_key  # We generate the SSL cert using the SSH RSA Host key
+      cert_days        = '36500'                  # Valid for 100 years
+      subject_string   = '/C=XX/ST=Pupistry/L=Pupistry/O=Pupistry/OU=Pupistry/CN=Pupistry/emailAddress=pupistry@example.com'
+
+      unless File.exists?(ssh_host_rsa_key)
+        $logger.error "Unable to find ssh_host_rsa_key file at: #{ssh_host_rsa_key}, unable to proceed."
+      end
+
+      # TODO: Is there a native library we can use for invoking this and is anyone brave enough to face it? For now
+      # system might be easier.
+      openssl = 'openssl req -x509 -key '+ ssh_host_rsa_key +' -nodes -days '+ cert_days +' -newkey rsa:2048 -out '+ cache_dir +'/server.pem -subj '+ subject_string
+      $logger.debug "Executing: #{openssl}"
+
+      unless system openssl
+        $logger.error "An error occured attempting to execute openssl"
+      end
+
+      # Grab all the facter values
+      puppet_facts = facts_for_hiera($config['agent']['puppetcode'])
+
+      # TODO: Hit facter natively via Rubylibs?
+      unless system 'facter -p -j '+ puppet_facts.join(" ") +' >> '+ cache_dir +'/server.pem 2> /dev/null'
+        $logger.error "An error occur attempting to execute facter"
+      end
+
+      # Output the whole file for the user
+      hostname = get_hostname
+      puts "The following output should be saved into `hieracrypt/nodes/#{hostname}`:"
+      puts IO.read(cache_dir +'/server.pem')
+
+    end
+
+
+    # Iterate through the puppetcode environments for all hiera.yaml files
+    # and suck out all the facts that Hiera cares about. We do this since
+    # we want to selectively return only the facts we need, since it's
+    # pretty common to have facts exposing stuff that's potentially a bit
+    # private and unwanted in the puppetcode repo.
+    #
+    # Returns
+    # Array of Facts
+
+    def self.facts_for_hiera(path)
+      $logger.debug "Searching for facts specified in Hiera rules..."
+            
+      puppet_facts = []
+
+      for env in Dir.entries(path)
+        if Dir.exists?(path + '/' + env)
+          # Directory env exists, check inside it for a hiera.yaml
+          if File.exists?(path + '/' + env + '/hiera.yaml')
+            $logger.debug 'Found hiera file '+ path + '/' + env + '/hiera.yaml, checking for facts'
+
+            # Iterate through the Hiera rules for values
+            hiera = YAML.load_file(path + '/' + env + '/hiera.yaml', safe: true, raise_on_unknown_tag: true)
+
+            if defined? hiera[':hierarchy']
+              if hiera[':hierarchy'].is_a?(Array)
+                for line in hiera[':hierarchy']
+                  # Match syntax of %{::some_kinda_fact}
+                  line.scan(/%{::([[:word:]]*)}/) { |match|
+                    puppet_facts.push(match) unless puppet_facts.include?(match)
+                  }
+                end
+              else
+                $logger.error "Use the array format of the hierachy entry in Hiera, string format not supported because why would you?"
+              end
+            end
+          end
+        end
+      end
+
+      if puppet_facts.count == 0
+        $logger.warn "Couldn't find any facts mentioned in Hiera, possibly missing or very empty/basic hiera.yaml file in puppetcode repo"
+      else
+        $logger.debug "Facts specified in Hiera are: "+ puppet_facts.join(", ")
+      end
+
+      return puppet_facts
+    end
+
+
+
+    def self.get_ssh_rsa_private_key
+      # Currently hard coded
+      return '/etc/ssh/ssh_host_rsa_key'
+    end
+
+    def self.get_hostname
+      # TODO: Ewwww
+      hostname = `facter hostname`
+      return hostname.chomp
+    end
+
+  end
+end
+
+# vim:shiftwidth=2:tabstop=2:softtabstop=2:expandtab:smartindent

data/lib/pupistry/version.rb

@@ -1,3 +1,3 @@
 module Pupistry
-  VERSION = '1.2.2'
+  VERSION = '1.3.0'
 end

data/resources/bootstrap/freebsd-10.erb

@@ -6,7 +6,7 @@
 # Known Issues:
 # * AWS and Digital Ocean issues:
 #   http://www.jethrocarr.com/2015/04/19/freebsd-in-the-cloud/
-# * Puppet and PkgNg issues:
+# * We use Puppet 4 from Ports to avoid limitations in older Puppet 3 release:
 #   https://www.jethrocarr.com/2015/04/22/puppet-3-and-4-on-freebsd/
 # * tcsh makes capturing all the output to syslog difficult, so we don't do it.
 # * We can't rely on Bash, since it's not available in FreeBSD by default.
@@ -16,7 +16,16 @@ setenv PATH /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
 
 env ASSUME_ALWAYS_YES=YES pkg bootstrap
 env ASSUME_ALWAYS_YES=YES pkg upgrade --yes
-env ASSUME_ALWAYS_YES=YES pkg install --yes ruby devel/ruby-gems puppet gnupg
+env ASSUME_ALWAYS_YES=YES pkg install --yes ruby devel/ruby-gems gnupg
+
+portsnap fetch
+portsnap extract
+
+cd /usr/ports/ports-mgmt/pkg
+make reinstall BATCH=yes
+
+cd /usr/ports/sysutils/puppet4
+make install BATCH=yes
 
 /usr/local/bin/gem install pupistry
 mkdir -p /usr/local/etc/pupistry

data/settings.example.yaml

@@ -83,3 +83,18 @@ build:
   proxy_uri:
 
 
+  # Enable the HieraCrypt feature
+  #
+  # Note - Once enabled, all your servers must have their definition added,
+  # otherwise they will not recieve any Hiera information as it will no longer
+  # be delivered in an unencrypted form.
+  #
+  # You will want to run `pupistry hieracrypt --generate` on each node to
+  # generate a file which needs to be saved into `hieracrypt/nodes/hostname`
+  # in your puppetcode repo (right alongside the `hieradata/` directory).
+  #
+  # If you later decide to disable hieracrypt, you should remove the entire 
+  # `hieracrypt` directory to avoid confusion.
+  #
+  hieracrypt: false
+

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pupistry
 version: !ruby/object:Gem::Version
-  version: 1.2.2
+  version: 1.3.0
 platform: ruby
 authors:
 - Jethro Carr
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2015-08-15 00:00:00.000000000 Z
+date: 2016-01-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -191,6 +191,7 @@ files:
 - lib/pupistry/bootstrap.rb
 - lib/pupistry/config.rb
 - lib/pupistry/gpg.rb
+- lib/pupistry/hieracrypt.rb
 - lib/pupistry/packer.rb
 - lib/pupistry/storage_aws.rb
 - lib/pupistry/version.rb