puppet-decrypt 0.1.1 → 0.2.0

data/.gitignore

@@ -15,3 +15,5 @@ spec/reports
 test/tmp
 test/version_tmp
 tmp
+.idea
+vendor

data/ChangeLog.md

@@ -1,3 +1,13 @@
+## 0.2.0 (Aug 07, 2014)
+
+Enhancements:
+  - Added an encrypt function (thanks @tioteath!)
+
+Bugfixes:
+  - Fixed handling of absolute paths for to the secret key file (thanks @tioteath!)
+  - Removed unnecessary puts (thanks @tioteath!)
+  - Improved error handling (thanks @tioteath!)
+
 ## 0.1.1 (Jan 24, 2014)
 
 Enhancements:

data/Modulefile

@@ -1,5 +1,5 @@
 name    'devopsy/puppet_decrypt'
-version '0.1.0'
+version '0.1.1'
 source 'https://github.com/maxlinc/puppet-decrypt'
 author 'Max Lincoln'
 license 'Apache License, Version 2.0'

data/README.md

@@ -65,7 +65,7 @@ $ gem install encryptor
 Puppet Decrypt can be installed with the puppet module subcommand, which is included in Puppet 2.7.14 and later.
 
 ``` shell
-$ sudo puppet module install puppet_decrypt
+$ sudo puppet module install devopsy-puppet_decrypt
 ```
 The command will tell you where it is installing the module; take note:
 
@@ -119,6 +119,12 @@ In your puppet code, load the value normally and then pass it to decrypt.
 decrypt(hiera('database_password'))
 ```
 
+Or encrypt a secret passing it to encrypt, if you need to save the secret to
+external storage, for example.
+``` ruby
+$encrypted_secret_to_save = encrypt($data)
+```
+
 ### Overriding the secret key
 
 Puppet Decrypt now supports using more than just the default secret key location.  You can easily use multiple secret keys for the same project.

data/lib/puppet-decrypt/decryptor.rb

@@ -12,8 +12,16 @@ module Puppet
       end
 
       def decrypt_hash(hash)
-        puts "Decrypting value: #{hash['value']}, secretkey: #{hash['secretkey']}"
-        decrypt(hash['value'], hash['secretkey'])
+        decrypt(hash['value'], hash['secretkey']  || hash['secret_key'])
+      end
+
+      def encrypt_hash(hash)
+        secret_key = hash['secretkey'] || hash['secret_key'] ||
+            File.join(KEY_DIR, DEFAULT_KEY)
+        salt = hash['salt'] || SecureRandom.base64
+        iv = hash['iv'] || OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
+
+        encrypt(hash['value'], secret_key, salt, iv)
       end
 
       def decrypt(value, secret_key_file)

data/lib/puppet-decrypt/key_loader.rb

@@ -1,9 +1,27 @@
+require 'pathname'
 module Puppet
   module Decrypt
     class KeyLoader
       def load_key(secret_key_file)
-        raise "Secret key file: #{secret_key_file} is not readable!" unless File.readable?(secret_key_file)
-        secret_key = File.open(secret_key_file, &:readline).chomp
+
+        # Dot not add directory if absolute path provided
+        if Pathname.new(secret_key_file).absolute?
+          full_path = secret_key_file
+        else
+          full_path = File.join(ENV['PUPPET_DECRYPT_KEYDIR'] ||
+              Puppet::Decrypt::Decryptor::KEY_DIR, secret_key_file)
+        end
+
+        # Assume key file is specified as basename
+        if File.readable? full_path
+          secret_key_file = full_path
+        else
+          # Assume key file is specifed as full path
+          raise "Secret key file: #{secret_key_file} is not readable!" unless
+              File.readable? secret_key_file
+        end
+
+        File.open(secret_key_file, &:readline).chomp
       end
     end
   end

data/lib/puppet-decrypt/version.rb

@@ -1,5 +1,5 @@
 module Puppet
   module Decrypt
-    VERSION = "0.1.1"
+    VERSION = "0.2.0"
   end
 end

data/lib/puppet/face/crypt.rb

@@ -41,6 +41,10 @@ Puppet::Face.define(:crypt, Puppet::Decrypt::VERSION) do
       iv   = options.delete(:iv)   || OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
       salt = options.delete(:salt) || SecureRandom.base64
       secretkey = options[:secretkey]
+      unless secretkey.nil?
+        secretkey = File.expand_path(secretkey) if secretkey.start_with? '.'
+      end
+
       Puppet::Decrypt::Decryptor.new(options).encrypt(plaintext_secret, secretkey, salt, iv)
     end
   end
@@ -56,4 +60,4 @@ Puppet::Face.define(:crypt, Puppet::Decrypt::VERSION) do
       Puppet::Decrypt::Decryptor.new(options).decrypt(encrypted_secret, secretkey)
     end
   end
-end
+end

data/lib/puppet/parser/functions/decrypt.rb

@@ -4,12 +4,15 @@ module Puppet::Parser::Functions
   newfunction(:decrypt, :type => :rvalue) do |args|
     options = {}
     decrypt_args = {}
-    if args[0].is_a? String
-      decrypt_args['value'] = args[0]
+
+    if args.first.is_a? String
+      decrypt_args['value'], decrypt_args['secret_key'] = args
+    elsif args.first.is_a? Hash
+      decrypt_args = args.first
     else
-      decrypt_args = args[0]
-      puts "Using hash: #{decrypt_args}"
+      raise TypeError, "Expected String or Hash, given #{args.first.class}"
     end
+
     Puppet::Decrypt::Decryptor.new(options).decrypt_hash(decrypt_args)
   end
 end

data/lib/puppet/parser/functions/encrypt.rb

@@ -0,0 +1,31 @@
+require 'puppet-decrypt'
+
+module Puppet::Parser::Functions
+  newfunction(:encrypt, :type => :rvalue, :doc => <<-'DOC' ) do |args|
+      Encrypt data, using Decryptor.
+
+      This function expects four arguments:
+      - Data to encrypt.
+      - Secret key file path,
+         Puppet::Decrypt::Decryptor::DEFAULT_KEY by default.
+        Can be specified as basename in Puppet::Decrypt::Decryptor::KEY_DIR.
+      - Salt (optional), randomly generated by default.
+      - Initialization vector (optional), randomly generated by default,
+        mainly useful for tests.
+    DOC
+
+    encrypt_args = {}
+
+    if args.first.is_a? String
+      encrypt_args['value'], encrypt_args['secret_key'], encrypt_args['salt'],
+          encrypt_args['iv'] = args
+    elsif args.first.is_a? Hash
+      encrypt_args = args.first
+    else
+      raise TypeError, "Expected String or Hash, given #{args.first.class}"
+    end
+
+    Puppet::Decrypt::Decryptor.new.encrypt_hash(encrypt_args)
+
+  end
+end

data/puppet-decrypt.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |gem|
   gem.description   = %q{A gem for encrypting/decrypting secret values for use with Puppet}
   gem.summary       = %q{A shared secret strategy that works with any data source}
   gem.homepage      = "https://github.com/maxlinc/puppet-decrypt"
-  gem.required_ruby_version = '>= 1.9.0'
+  gem.required_ruby_version = '>= 1.8.7'
   notice = """
 
 Notice: The default master key location is now /etc/puppet-decrypt/encryptor_secret_key
@@ -30,7 +30,7 @@ This was done to more easily support multiple keys.  If you are upgrading from a
   gem.add_dependency('encryptor', '~> 1.3')
   gem.add_development_dependency('rake')
   gem.add_development_dependency('cucumber')
-  gem.add_development_dependency('rspec')
+  gem.add_development_dependency('rspec', '~> 2.14.1')
   gem.add_development_dependency('rspec-puppet')
   gem.add_development_dependency('puppetlabs_spec_helper')
 end

data/spec/functions/encrypt_spec.rb

@@ -0,0 +1,63 @@
+# -*- encoding : utf-8 -*-
+require 'spec_helper'
+
+describe 'encrypt' do
+  before(:all) do
+    mock_secret_key(Puppet::Decrypt::Decryptor::DEFAULT_FILE, 'masterkey')
+  end
+
+  let(:node) { 'testhost.example.com' }
+  extdata_path = File.expand_path(File.join(File.dirname(__FILE__),
+      '../../puppet/manifests/extdata'))
+
+  let :pre_condition do
+    "$extlookup_datadir = '#{extdata_path}' $extlookup_precedence = ['common', 'env_vagrant']"
+  end
+
+  let :salt do
+    'test_salt'
+  end
+
+  let :iv do
+    "YS7nvbPsLP+pIJQ0waxV0w=="
+  end
+
+  context "unencrypted key" do
+    it "should encrypt plain string" do
+      subject.call(['blah']).should =~
+          Puppet::Decrypt::Decryptor::ENCRYPTED_PATTERN
+    end
+  end
+
+  context "encrypted key" do
+    it "should encrypt exact matches" do
+      subject.call(["flabberghaster", nil, salt, iv]).should ==
+          'ENC[WnA7ezNPSZx2S01T67TCfA==:WVM3bnZiUHNMUCtwSUpRMHdheFYwdz09:dGVzdF9zYWx0]'
+    end
+  end
+
+  context "with secret key file" do
+    it "should encrypt exact matches" do
+      mock_secret_key('/etc/another_key', 'anotherkey')
+      subject.call(['value' => 'flabberghaster', 'secretkey' =>
+          '/etc/another_key', 'iv' => iv, 'salt' => salt]) =~
+              Puppet::Decrypt::Decryptor::ENCRYPTED_PATTERN
+
+      _, iv_hash, salt_hash = Regexp.last_match[2].split(':')
+      strict_decode64(iv_hash).should == iv
+      strict_decode64(salt_hash).should == salt
+    end
+
+  end
+end
+
+# Backported for ruby 1.8.7
+def strict_decode64(str)
+  return Base64.strict_decode64(str) if Base64.respond_to? :strict_decode64
+
+  if str.include?("\n")
+    raise(ArgumentError,"invalid base64")
+  else
+    Base64.decode64(str)
+  end
+end

metadata

@@ -1,110 +1,124 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification 
 name: puppet-decrypt
-version: !ruby/object:Gem::Version
-  version: 0.1.1
+version: !ruby/object:Gem::Version 
+  hash: 23
+  prerelease: 
+  segments: 
+  - 0
+  - 2
+  - 0
+  version: 0.2.0
 platform: ruby
-authors:
+authors: 
 - mlincoln
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-03-09 00:00:00.000000000 Z
-dependencies:
-- !ruby/object:Gem::Dependency
-  name: encryptor
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.3'
+
+date: 2014-08-07 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 9
+        segments: 
+        - 1
+        - 3
+        version: "1.3"
   type: :runtime
+  version_requirements: *id001
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
+  name: encryptor
+- !ruby/object:Gem::Dependency 
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :development
+  version_requirements: *id002
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
+  name: rake
+- !ruby/object:Gem::Dependency 
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id003
+  prerelease: false
   name: cucumber
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+- !ruby/object:Gem::Dependency 
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 53
+        segments: 
+        - 2
+        - 14
+        - 1
+        version: 2.14.1
   type: :development
+  version_requirements: *id004
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
   name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
+- !ruby/object:Gem::Dependency 
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :development
+  version_requirements: *id005
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
   name: rspec-puppet
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
+- !ruby/object:Gem::Dependency 
+  requirement: &id006 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
     - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
   type: :development
+  version_requirements: *id006
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
   name: puppetlabs_spec_helper
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 description: A gem for encrypting/decrypting secret values for use with Puppet
-email:
+email: 
 - max@devopsy.com
 executables: []
+
 extensions: []
+
 extra_rdoc_files: []
-files:
-- ".gitignore"
-- ".rspec"
-- ".rvmrc"
-- ".travis.yml"
+
+files: 
+- .gitignore
+- .rspec
+- .rvmrc
+- .travis.yml
 - ChangeLog.md
 - Gemfile
 - LICENSE.txt
@@ -132,42 +146,57 @@ files:
 - lib/puppet/application/crypt.rb
 - lib/puppet/face/crypt.rb
 - lib/puppet/parser/functions/decrypt.rb
+- lib/puppet/parser/functions/encrypt.rb
 - puppet-decrypt.gemspec
 - spec/faces/crypt_spec.rb
 - spec/functions/decrypt_spec.rb
+- spec/functions/encrypt_spec.rb
 - spec/puppet-decrypt/fake_key_loader.rb
 - spec/spec_helper.rb
+has_rdoc: true
 homepage: https://github.com/maxlinc/puppet-decrypt
 licenses: []
-metadata: {}
-post_install_message: |2+
-
 
+post_install_message: |+
+  
+  
   Notice: The default master key location is now /etc/puppet-decrypt/encryptor_secret_key
-
+  
   This was done to more easily support multiple keys.  If you are upgrading from a version older than
   0.1.0 you should move /etc/encryptor_secret_key to /etc/puppet-decrypt/encryptor_secret_key.
-
+  
 rdoc_options: []
-require_paths:
+
+require_paths: 
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
-  requirements:
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
   - - ">="
-    - !ruby/object:Gem::Version
-      version: 1.9.0
-required_rubygems_version: !ruby/object:Gem::Requirement
-  requirements:
+    - !ruby/object:Gem::Version 
+      hash: 57
+      segments: 
+      - 1
+      - 8
+      - 7
+      version: 1.8.7
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
   - - ">="
-    - !ruby/object:Gem::Version
-      version: '0'
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
 requirements: []
+
 rubyforge_project: 
-rubygems_version: 2.2.0
+rubygems_version: 1.6.2
 signing_key: 
-specification_version: 4
+specification_version: 3
 summary: A shared secret strategy that works with any data source
-test_files:
+test_files: 
 - features/fixtures/data/overridden_secret_key.yaml
 - features/fixtures/data/simple.yaml
 - features/fixtures/hiera.yaml
@@ -181,5 +210,6 @@ test_files:
 - features/support/env.rb
 - spec/faces/crypt_spec.rb
 - spec/functions/decrypt_spec.rb
+- spec/functions/encrypt_spec.rb
 - spec/puppet-decrypt/fake_key_loader.rb
 - spec/spec_helper.rb

checksums.yaml

@@ -1,7 +0,0 @@
----
-SHA1:
-  metadata.gz: 4c098cca8fcd1228c7d2e82d7b8615f7189e77e8
-  data.tar.gz: b2ddb9f7aaa99af9d68812a7d86a95c7d04da32e
-SHA512:
-  metadata.gz: b19f454ff00dd36f2f83848c1a4be5df1ec6065b6dcd487364da4c981cce7350c6789862092df40681bcefaa2363e46ee8d4735cb751abec3b6e7400d4a6b0c2
-  data.tar.gz: 45b6964e742c45152804e4d6eac02324702515dcefc49ce87cf7a0eeb0268b744229ae2aec6f99b0a84ac5146de98da15519d6edb31e94c282b4af7c162f4be7