puppet-decrypt 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 248058bd4e4965701c01ff8037984487ea5db344
+  data.tar.gz: bfd65eec21ba36b8c3d8081e3f442c4f1adc980c
+SHA512:
+  metadata.gz: e9b7548c7c93147d6aa8a81f4a9a1cf1374ed5cdb18fc4a0ad50530fa956ed316cba19cad58fb0f7e84609a9d04b1cefb262a549a807761cffb4a47a46e25a11
+  data.tar.gz: c2d3f32d32879c01aba7ca764280ec2422e81d3c69841bc256f0333ff90dfa3c7e6ef37341f8f6e593819cf4f5aa27b078bd643c1078be0afca10aae4dcbc699

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--backtrace

data/.rvmrc

@@ -0,0 +1 @@
+rvm use --create 1.9.3@puppet-decrypt

data/.travis.yml

@@ -0,0 +1,10 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - 1.9.2
+  - jruby-19mode
+  - 2.0.0
+gemfile:
+  - Gemfile
+  - bundles/puppet_3_0.gemfile
+  - bundles/puppet_2_7.gemfile

data/ChangeLog.md

@@ -0,0 +1,18 @@
+## 0.1.0 (July 10, 2013)
+
+Features:
+
+  - support alternate secret keys
+    - override the key as part of the string in the format ENC:another_key[...]
+    - override the key by passing a hash containing value and secret_key
+
+Bugfixes:
+
+  - Explicitly remove Ruby 1.8.7 support.  Previously it would install but not work with Ruby 1.8.7.
+
+## 0.0.4 (March 8, 2013)
+
+Features:
+
+  - puppet face for encrypting/decrypting secrets
+  - basic puppet function for decrypting a secret, using a master key

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in puppet-decrypt.gemspec
+gem 'puppet'
+gemspec

data/LICENSE.txt

@@ -0,0 +1,16 @@
+Puppet-Decrypt
+
+Copyright (c) 2013 mlincoln
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+

data/Modulefile

@@ -0,0 +1,13 @@
+name    'devopsy/puppet_decrypt'
+version '0.1.0'
+source 'https://github.com/maxlinc/puppet-decrypt'
+author 'Max Lincoln'
+license 'Apache License, Version 2.0'
+summary 'Simple encryption/decryption of secret data for Puppet'
+description 'Simple encryption/decryption of secret data for Puppet'
+project_page 'https://github.com/maxlinc/puppet-decrypt'
+
+## Add dependencies, if any:
+# don't think gem dependencies can be declared...
+# dependency gem 'encryptor'
+

data/README.md

@@ -0,0 +1,166 @@
+**Table of Contents**  *generated with [DocToc](http://doctoc.herokuapp.com/)*
+
+- [Puppet-Decrypt](#puppet-decrypt)
+	- [Comparison with Hiera-GPG](#comparison-with-hiera-gpg)
+	- [Installation](#installation)
+		- [Via Gem](#via-gem)
+		- [Installing as a Module](#installing-as-a-module)
+	- [Usage](#usage)
+		- [Basic Usage](#basic-usage)
+		- [Overriding the secret key](#overriding-the-secret-key)
+	- [Contributing](#contributing)
+
+[![Build Status](https://secure.travis-ci.org/maxlinc/puppet-decrypt.png?branch=master)](http://travis-ci.org/maxlinc/puppet-decrypt)
+[![Dependency Status](https://gemnasium.com/maxlinc/puppet-decrypt.png?travis)](https://gemnasium.com/maxlinc/puppet-decrypt)
+[![Code Climate](https://codeclimate.com/github/maxlinc/puppet-decrypt.png)](https://codeclimate.com/github/maxlinc/puppet-decrypt)
+
+# Puppet-Decrypt
+
+*Notice: The default secret key location is now /etc/puppet-decrypt/encryptor_secret_key*
+
+Puppet Decrypt is a gem that gives puppet the ability to encrypt and decrypt strings.  This is useful for making sure secret data - like database passwords - remains secret.  It uses a model similar to [jasypt Encrypting Application Configuration Files](http://www.jasypt.org/encrypting-configuration.html) or [Maven Password Encryption](http://maven.apache.org/guides/mini/guide-encryption.html).  It is a simple alternative to the [Secret variables in Puppet with Hiera and GPG](http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/) approach.
+
+## Comparison with Hiera-GPG
+
+Advantages:
+
+* Store encrypted secret variables and related non-secret variables in the same file.
+* Version control friendly - you can easily see when a variable was added, changed, or removed even if you don't know the exact value.
+* Works with any data source.  Combine it with Hiera, extlookup, external node classifiers, exported resources, or any other source of data.
+* Simple administration - no keyring management.
+
+Disadvantages:
+
+* Uses a shared secret instead of asymetric keypairs.  This means that the "master password" is shared by all admins.  It is also shared by all machines that need to decrypt the same value (usually machines in the same environment).
+* Less integrated with Hiera.  You need to wrap calls as decrypt(hiera('my_db_password')).
+
+The shared secret "master password" may seem more difficult to grant and revoke access than the asymetric keypair approach used by hiera-gpg.  However both systems are protecting shared secret data!  So if you want to fully revoke someone's access you need to change or revoke their decryption key (which is easier with hiera-gpg) *AND* to change any secrets that key protected (e.g.: your production database passwords).
+
+## Installation
+
+### Via Gem
+
+It should be possible to install via a Gem in Puppet 3+.  However, this method is easier, but does seem to have some quirks.  If you have any issues, try installing as a module instead.
+
+Add this line to your application's Gemfile:
+
+    gem 'puppet-decrypt'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install puppet-decrypt
+
+### Installing as a Module
+
+If installing as a module, you'll need to deal with the Gem prerequisites manually.
+
+``` shell
+$ gem install encryptor
+```
+
+Puppet Decrypt can be installed with the puppet module subcommand, which is included in Puppet 2.7.14 and later.
+
+``` shell
+$ sudo puppet module install puppet_decrypt
+```
+The command will tell you where it is installing the module; take note:
+
+``` shell
+$ sudo puppet module install devopsy/puppet_decrypt
+warning: iconv couldn't be loaded, which is required for UTF-8/UTF-16 conversions
+Preparing to install into /etc/puppet/modules ...
+Downloading from http://forge.puppetlabs.com ...
+Installing -- do not interrupt ...
+/etc/puppet/modules
+└── devopsy-puppet_decrypt (v0.1.0)
+```
+
+After installing it, you must add the lib directory of the module to your $RUBYLIB. Add the following to your .profile file (replacing /etc/puppet/modules with the directory from the install command, if necessary), then run source ~/.profile to re-load it in the current shell:
+
+``` shell
+export RUBYLIB=/etc/puppet/modules/puppet_decrypt/lib:$RUBYLIB
+```
+
+You can verify that it is installed and usable by running:
+
+``` shell
+# puppet help crypt
+```
+
+## Usage
+
+### Basic Usage
+Put the secret key in /etc/puppet-decrypt/encryptor_secret_key on machines where puppet needs to decrypt the value.  Make sure the file's read permissions are restricted!
+
+Use the puppet face to encrypt a value
+
+``` shell
+$ puppet crypt encrypt my_secret_value
+ENC[ANN3I3AWxXWmr5QAW3qgxw==]
+```
+
+Or to decrypt a value
+``` shell
+$ puppet crypt decrypt ENC[ANN3I3AWxXWmr5QAW3qgxw==]
+my_secret_value
+```
+
+Put that value into hiera, extlookup, or any other data source you want.  Hiera example:
+``` yaml
+database_password: ENC[ANN3I3AWxXWmr5QAW3qgxw==]
+```
+
+In your puppet code, load the value normally and then pass it to decrypt.
+``` ruby
+decrypt(hiera('database_password'))
+```
+
+### Overriding the secret key
+
+Puppet Decrypt now supports using more than just the default secret key location.  You can easily use multiple secret keys for the same project.
+
+For the Puppet face, you just use the --secretkey option to pass an alternate secret key location.
+
+``` shell
+$ echo 'example' > alt_key.txt
+$ puppet crypt encrypt abc123 --secretkey alt_key
+ENC[c4S4hMCDv1b7FkZgOBRTOA==]
+$ puppet crypt decrypt ENC[c4S4hMCDv1b7FkZgOBRTOA==] --secretkey alt_key
+abc123
+```
+
+There are two ways to use the alternate keys from the function.  You can pass it it as part of the string in this format:
+``` yaml
+database_password: ENC:alt_key[c4S4hMCDv1b7FkZgOBRTOA==]
+```
+
+If you do that, instead of using the default secret key, it will look for alt_key in the same directory.  So instead of
+/etc/puppet-decrypt/encryptor_secret_key it will use /etc/puppet-decrypt/alt_key.
+
+Alternately, you can pass a hash to the function, containing a value and a secret key, like this:
+``` yaml
+db_password:
+  value: 'ENC[G6MjBDDFcapYLaKBFJvPSg==]'
+  secretkey: '/any/path/you/another/key'
+```
+
+This has the advantage of letting you place keys in alternate directories, not just /etc/puppet-decrypt.
+
+If you use this alongside hiera, you can just switch the lookup from hiera to hiera-hash:
+``` ruby
+decrypt(hiera_hash('db_password'))
+```
+
+See [features/hiera.feature](features/hiera.feature) for complete examples.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,12 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'cucumber'
+require 'cucumber/rake/task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => [:spec, :integration]
+
+Cucumber::Rake::Task.new(:integration) do |t|
+  t.cucumber_opts = "features --format pretty"
+end

data/bundles/puppet_2_7.gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in puppet-decrypt.gemspec
+gem 'puppet', '~> 2.7.0'
+gem 'hiera-puppet'
+gemspec(:path => '../')

data/bundles/puppet_3_0.gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in puppet-decrypt.gemspec
+gem 'puppet', '~> 3.0.0'
+gemspec(:path => '../')

data/features/fixtures/data/overridden_secret_key.yaml

@@ -0,0 +1,4 @@
+---
+db_password:
+  value: 'ENC[blablabla==]'
+  secretkey: '/etc/some_other_key'

data/features/fixtures/data/simple.yaml

@@ -0,0 +1,2 @@
+---
+db_password: 'ENC[okoNBVDGyHQaQQPKnTTJvA==]'

data/features/fixtures/hiera.yaml

@@ -0,0 +1,8 @@
+---
+:backends: yaml
+:yaml:
+  :datadir: features/fixtures/data
+:hierarchy:
+  - '%{::hiera_file}'
+  - common
+:logger: console

data/features/fixtures/manifests/overridden_secret_key.pp.bak

@@ -0,0 +1,5 @@
+$decrypted = decrypt(hiera('db_password'))
+notice($decrypted)
+unless($decrypted == 'expected') {
+  fail("Expected 'expected', found $unexpected")
+}

data/features/fixtures/manifests/simple.pp

@@ -0,0 +1,6 @@
+$decrypted = decrypt(hiera('db_password'))
+notice($decrypted)
+$expected = 'blablabla'
+unless($decrypted == $expected) {
+  fail("Expected '$expected', found $unexpected")
+}

data/features/fixtures/other_secretkeys/secondary_key

@@ -0,0 +1,11 @@
+1ExtSQ4kg4a4rsp7J0RlquK5Y+h5b4TeEzHX24sDxURY4LLX6J5bwTZueg1PBhiI
+EenV11LGhRvUDrw53dG7j+UuMxGJv/R2cdnGxq1ztjN1ozp8xSRUTcbzpd9uijLe
+FhEZHVjAIzBNj9RLl13Dw5zVPvxRuPcQBsnRIyG8YMMCgZMgZ90yBMhJmp5M3hw/
+q88nDZGlZeclkIg+9QTtjywz4crvHpnQrC1ViyaIVT+lZfHPMg4TipXlDXPrlFea
+x/X7v/EYXvSvY6gSVs7/ZAfFnC1K30nCaPnAbIiwsdjh7t3dV7ymHY/TvXfZQHGO
+BXMFu9jdJl+nptZZp/4x4xb569s0do1Y/Z6DHqeIi31pS4hwjw8j6zHWpPrnTgRw
+vcv0Di3iCjFAbTbSadgFuuybUCeZQArRYO0J03IKHNqW9UWim7tN08LOmvGuoQKf
+6IAhKT0Yc4y1Mk6jtDsPlkxJvdVzTRlv07FnWWi3R2kkLWqdeFz6YB8PDCSLMXL0
+qNDDOfv1MuUfKlGgqigIkbMpbqd6KUU1qLQ0js1RTq9iO6XR8wHIXqKX5r0Mp0D6
+aMO1a7gvjHJFqr3nkeZvDAbGeJMJtx99OrfuUH8FImvJZ22jOP4plcC1U1u2VZGp
+Rx2AoLYyiWuzP948FmvruvXMn7WxvDrU7N/wF52L3/Q=

data/features/fixtures/secretkeys/alt_key

@@ -0,0 +1 @@
+example

data/features/fixtures/secretkeys/encryptor_secret_key

@@ -0,0 +1,11 @@
+idZdWf3d7s97FVG0iytPj03c2LhrumdUqk4T+aa1VVzp8vFmtQb7Vyy7SbjV4v4y
+CLEat8x8jFb7IBl2yjW3KmC0TW1q1cKaeP8eHuYeqm9ZIQoUtDH+q+8KM5xso358
+PAkDtxJcFmcRvD2SL47WYTd+xFjYEW5VxWhGCcNi/FRlmRSLL29sBcRGfJNhPBit
+j3PiXxPrNIu4E1Ikm94C911x4YD/PO5yNOuhDQW5rs1z8G8TGmzXV64Vxg7rYcXc
+8XK0auzDm+qTdSpP6vaLhFROcGgFVzFu5WWHZ0dpRL1UfDdjlQbHojRCfb4jZB+I
+bXTS5BQFzClttcPYSwf44am3zwYCuLeZ5oWif2sxPBwUIubzPIoBObcdj/uIjljx
+BBPcoPDW+zIbghVWxjoHkLinRdqtXQzMCS0pp8znRsT7v5mp7FZvzMLDO6belz+Q
+LEd3YefLkOFU6B7kJq7XDrVP18G691SwhY08rSq0LyNlwEZ4E9ZD6hrUduHd3Bs7
+yGNhGjvAEItfDv7MBcavkLZSO/q1QElbz5B7/3aiu2HPRfUmS/hiywJ3S1cxZp8Y
+wVr0kqIxRxMoNfl4IqCaRsvlwGBeTHmpXqkcviQsQOuddMStGXKKptrXKxvhn4ca
+72SUKYg7mvyCWD44mAxJyTfTso93Pkn95klRtyBunu0=

data/features/hiera.feature

@@ -0,0 +1,43 @@
+Feature: Puppet works
+
+  Scenario: Default test
+    Given I have the following hiera data:
+      """
+      ---
+        db_password: ENC[wx0qTorBqPrTrgkbzYirlA==]
+      """
+    When I execute this puppet manifest:
+      """
+      $password = decrypt(hiera('db_password'))
+      notice("Decrypted: $password")
+      """
+    Then the output should include "Decrypted: max"
+
+  Scenario: Overriden key (string)
+    Given I have the following hiera data:
+      """
+      ---
+        db_password: ENC:alt_key[c4S4hMCDv1b7FkZgOBRTOA==]
+      """
+    When I execute this puppet manifest:
+      """
+      $password = decrypt(hiera('db_password'))
+      notice("Decrypted: $password")
+      """
+    Then the output should include "Decrypted: abc123"
+
+  Scenario: Overridden key (hash)
+    Given I have the following hiera data:
+      """
+      ---
+        db_password:
+          value: 'ENC[G6MjBDDFcapYLaKBFJvPSg==]'
+          secretkey: 'features/fixtures/other_secretkeys/secondary_key'
+      """
+    When I execute this puppet manifest:
+      """
+      notice(hiera_hash('db_password'))
+      $password = decrypt(hiera_hash('db_password'))
+      notice("Decrypted: $password")
+      """
+    Then the output should include "Decrypted: overridden"

data/features/step_definitions/puppet_steps.rb

@@ -0,0 +1,31 @@
+require 'tempfile'
+
+Given /^I have the following hiera data:$/ do |hieradata|
+  hierafile = Thread.current[:hierafile]
+  hierafile.write(hieradata)
+  hierafile.close
+end
+
+When /^I execute this puppet manifest:$/ do |manifest|
+  hierafile = Thread.current[:hierafile]
+  file = Tempfile.new('test_manifest')
+  begin
+    file.write(manifest)
+    file.close
+    ENV['FACTER_HIERA_FILE'] = File.basename(hierafile, '.yaml')
+    ENV['PUPPET_DECRYPT_KEYDIR'] = 'features/fixtures/secretkeys'
+    puppet_version = `bundle exec puppet --version`
+    puppet_command = "bundle exec puppet apply --noop #{file.path}"
+    puppet_command = "#{puppet_command} --hiera_config=features/fixtures/hiera.yaml" if puppet_version.match /^3/
+    puppet_command = "#{puppet_command} --confdir=features/fixtures" if puppet_version.match /^2/
+    @output = `#{puppet_command}`
+    puts @output
+  ensure
+    file.unlink
+  end
+  $?.success?
+end
+
+Then /^the output should include "([^"]*)"$/ do |content|
+  @output.should include content
+end

data/features/support/env.rb

@@ -0,0 +1,10 @@
+Around do | scenario, block |
+  hierafile = Tempfile.new(['hierafile', '.yaml'], 'features/fixtures/data')
+  Thread.current[:hierafile] = hierafile
+  begin
+    block.call
+  ensure
+    hierafile.close
+    hierafile.unlink
+  end
+end

data/lib/puppet-decrypt.rb

@@ -0,0 +1,9 @@
+require 'puppet-decrypt/version'
+require 'puppet-decrypt/decryptor'
+require 'encryptor'
+require 'base64'
+
+module Puppet
+  module Decrypt
+  end
+end

data/lib/puppet-decrypt/decryptor.rb

@@ -0,0 +1,83 @@
+module Puppet
+  module Decrypt
+
+    class Decryptor
+      ENCRYPTED_PATTERN = /^ENC:?(?<key>\w*)\[(?<value>.*)\]$/
+      KEY_DIR = ENV['PUPPET_DECRYPT_KEYDIR'] || '/etc/puppet-decrypt'
+      DEFAULT_KEY = 'encryptor_secret_key'
+      DEFAULT_FILE = File.join(KEY_DIR, DEFAULT_KEY)
+
+      def initialize(options = {})
+        @raw = options[:raw] || false
+      end
+
+      def decrypt_hash(hash)
+        puts "Decrypting value: #{hash['value']}, secretkey: #{hash['secretkey']}"
+        decrypt(hash['value'], hash['secretkey'])
+      end
+
+      def decrypt(value, secret_key_file)
+        secret_key_file ||= secret_key_for value
+        secret_key_digest = digest_from secret_key_file
+        if @raw
+          match = true
+        else
+          match = value.match(ENCRYPTED_PATTERN)
+          if match
+            value = match[:value]
+          end
+        end
+        if match
+          value = strict_decode64(value)
+          value = value.decrypt(:key => secret_key_digest)
+        end
+        value
+      end
+
+      def encrypt(value, secret_key_file = nil)
+        secret_key_file ||= secret_key_for value
+        secret_key_digest = digest_from secret_key_file
+        result = value.encrypt(:key => secret_key_digest)
+        encrypted_value = strict_encode64(result).strip
+        encrypted_value = "ENC[#{encrypted_value}]" unless @raw
+        raise "Value can't be encrypted properly" unless decrypt(encrypted_value, secret_key_file) == value
+        encrypted_value
+      end
+
+      private
+      def secret_key_for(value)
+        match = value.match(ENCRYPTED_PATTERN)
+        if match
+          key = match[:key]
+          key = DEFAULT_KEY if key.empty?
+        end
+        key ||= DEFAULT_KEY
+        File.join(KEY_DIR, key)
+      end
+
+      def digest_from(secret_key_file)
+        raise "Secret key file: #{secret_key_file} is not readable!" unless File.readable?(secret_key_file)
+        secret_key = File.open(secret_key_file, &:readline).chomp
+        Digest::SHA256.hexdigest(secret_key)
+      end
+
+      # Backported for ruby 1.8.7
+      def strict_decode64(str)
+        return Base64.strict_decode64(str) if Base64.respond_to? :strict_decode64
+
+        unless str.include?("\n")
+          Base64.decode64(str)
+        else
+          raise(ArgumentError,"invalid base64")
+        end
+      end
+
+      # Backported for ruby 1.8.7
+      def strict_encode64(bin)
+        return Base64.strict_encode64(bin) if Base64.respond_to? :strict_encode64
+        Base64.encode64(bin).tr("\n",'')
+      end
+
+    end
+  end
+end

data/lib/puppet-decrypt/version.rb

@@ -0,0 +1,5 @@
+module Puppet
+  module Decrypt
+    VERSION = "0.1.0"
+  end
+end

data/lib/puppet/application/crypt.rb

@@ -0,0 +1,5 @@
+require 'puppet/face'
+require 'puppet/application/face_base'
+ 
+class Puppet::Application::Crypt < Puppet::Application::FaceBase
+end

data/lib/puppet/face/crypt.rb

@@ -0,0 +1,49 @@
+require 'puppet-decrypt'
+require 'puppet/face'
+require 'stringio'
+
+Puppet::Face.define(:crypt, Puppet::Decrypt::VERSION) do
+  copyright "Max Lincoln", 2013
+  license   "MIT; see LICENSE"
+
+  summary "Encrypt or decrypt secret values."
+  description <<-EOT
+    This subcommand provides a command line interface to encrypt or decrypt values
+    that are intended for use with the puppet decrypt function.
+  EOT
+
+  option "--raw" do
+    summary  "Use raw parse/display"
+    description <<-EOT
+      Parse or display the value in raw format, instead of using ENC[...] block
+    EOT
+  end
+
+  option "--secretkey SECRET_KEY_PATH" do
+    summary "The path to the secret key file (default: #{Puppet::Decrypt::Decryptor::DEFAULT_FILE}"
+  end
+
+  action :encrypt do
+    summary 'Encrypt a secret value.'
+    arguments "<plaintext_secret>"
+    description <<-EOT
+      This action encrypts a value using the secret key.
+    EOT
+    when_invoked do |plaintext_secret, options|
+      secretkey = options[:secretkey]
+      Puppet::Decrypt::Decryptor.new(options).encrypt(plaintext_secret, secretkey)
+    end
+  end
+
+  action :decrypt do
+    summary 'Decrypt a secret value.'
+    arguments "<encrypted_secret>"
+    description <<-EOT
+      This action decrypts a value using the secret key.
+    EOT
+    when_invoked do |encrypted_secret, options|
+      secretkey = options[:secretkey]
+      Puppet::Decrypt::Decryptor.new(options).decrypt(encrypted_secret, secretkey)
+    end
+  end
+end

data/lib/puppet/parser/functions/decrypt.rb

@@ -0,0 +1,15 @@
+require 'puppet-decrypt'
+
+module Puppet::Parser::Functions
+  newfunction(:decrypt, :type => :rvalue) do |args|
+    options = {}
+    decrypt_args = {}
+    if args[0].is_a? String
+      decrypt_args['value'] = args[0]
+    else
+      decrypt_args = args[0]
+      puts "Using hash: #{decrypt_args}"
+    end
+    Puppet::Decrypt::Decryptor.new(options).decrypt_hash(decrypt_args)
+  end
+end

data/puppet-decrypt.gemspec

@@ -0,0 +1,39 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'puppet-decrypt/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "puppet-decrypt"
+  gem.version       = Puppet::Decrypt::VERSION
+  gem.authors       = ["mlincoln"]
+  gem.email         = ["max@devopsy.com"]
+  gem.description   = %q{A gem for encrypting/decrypting secret values for use with Puppet}
+  gem.summary       = %q{A shared secret strategy that works with any data source}
+  gem.homepage      = "https://github.com/maxlinc/puppet-decrypt"
+  gem.required_ruby_version = '>= 1.9.0'
+  notice = """
+
+Notice: The default master key location is now /etc/puppet-decrypt/encryptor_secret_key
+
+This was done to more easily support multiple keys.  If you are upgrading from a version older than
+0.1.0 you should move /etc/encryptor_secret_key to /etc/puppet-decrypt/encryptor_secret_key.
+
+"""
+  gem.post_install_message = notice
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency('encryptor')
+  gem.add_development_dependency('rake')
+  gem.add_development_dependency('cucumber')
+  gem.add_development_dependency('relish')
+  gem.add_development_dependency('rspec')
+  gem.add_development_dependency('rspec-puppet')
+  gem.add_development_dependency('puppetlabs_spec_helper')
+  gem.add_development_dependency('pry')
+  gem.add_development_dependency('pry-nav')
+end

data/spec/faces/crypt_spec.rb

@@ -0,0 +1,43 @@
+# -*- encoding : utf-8 -*-
+require 'spec_helper'
+require 'puppet/face'
+
+describe Puppet::Face[:crypt, :current] do
+  before :all do
+    mock_secret_key(Puppet::Decrypt::Decryptor::DEFAULT_FILE, 'masterkey')
+  end
+
+  describe 'encrypt' do
+    describe 'should encrypt a value' do
+      it 'with ENC[...]' do
+        subject.encrypt('flabberghaster').should == 'ENC[3xzy8fiXlaJqv3m+aXIJNA==]'
+      end
+
+      it 'with --raw' do
+        subject.encrypt('flabberghaster', {:raw => true}).should == '3xzy8fiXlaJqv3m+aXIJNA=='
+      end
+
+      it 'with --secretkey' do
+        mock_secret_key('/etc/another_key', 'anotherkey')
+        subject.encrypt('flabberghaster', {:secretkey => '/etc/another_key'}).should == 'ENC[8MaZYHPdj9IpnzcuBLlMdg==]'
+      end
+    end
+  end
+
+  describe 'decrypt' do
+    describe 'should decrypt a value' do
+      it 'with ENC[...]' do
+        subject.decrypt('ENC[3xzy8fiXlaJqv3m+aXIJNA==]').should == 'flabberghaster'
+      end
+
+      it 'with --raw' do
+        subject.decrypt('3xzy8fiXlaJqv3m+aXIJNA==', {:raw => true}).should == 'flabberghaster'
+      end
+
+      it 'with --secretkey' do
+        mock_secret_key('/etc/another_key', 'anotherkey')
+        subject.decrypt('ENC[8MaZYHPdj9IpnzcuBLlMdg==]', {:secretkey => '/etc/another_key'}).should == 'flabberghaster'
+      end
+    end
+  end
+end

data/spec/functions/decrypt_spec.rb

@@ -0,0 +1,53 @@
+# -*- encoding : utf-8 -*-
+require 'spec_helper'
+
+describe 'decrypt' do
+  before(:all) do
+    mock_secret_key(Puppet::Decrypt::Decryptor::DEFAULT_FILE, 'masterkey')
+  end
+
+  let(:node) { 'testhost.example.com' }
+  extdata_path = File.expand_path(File.join(File.dirname(__FILE__), '../../puppet/manifests/extdata'))
+  let(:pre_condition) { "$extlookup_datadir = '#{extdata_path}' $extlookup_precedence = ['common', 'env_vagrant']" }
+
+  context "unencrypted key" do
+    it { should run.with_params('blah').and_return("blah") }
+  end
+
+  context "encrypted key" do
+    it "should decrypt exact matches" do
+      should run.with_params('ENC[3xzy8fiXlaJqv3m+aXIJNA==]').and_return("flabberghaster")
+    end
+
+    it "should not decrypt partial matches" do
+      should run.with_params('fooENC[3xzy8fiXlaJqv3m+aXIJNA==]bar').and_return('fooENC[3xzy8fiXlaJqv3m+aXIJNA==]bar')
+    end
+  end
+
+  context "with secret key in string" do
+    it "should decrypt exact matches" do
+      mock_secret_key('/etc/puppet-decrypt/another_key', 'anotherkey')
+      should run.with_params('ENC:another_key[8MaZYHPdj9IpnzcuBLlMdg==]').and_return('flabberghaster')
+    end
+
+    it "should not decrypt partial matches" do
+      should run.with_params('fooENC:max[3xzy8fiXlaJqv3m+aXIJNA==]bar').and_return('fooENC:max[3xzy8fiXlaJqv3m+aXIJNA==]bar')
+    end
+  end
+
+  context "with secret key file" do
+    it "should decrypt exact matches" do
+      mock_secret_key('/etc/another_key', 'anotherkey')
+      should run.with_params({ 'value' => 'ENC[8MaZYHPdj9IpnzcuBLlMdg==]', 'secretkey' => '/etc/another_key'}).and_return('flabberghaster')
+    end
+
+    it "should override a key in the string" do
+      mock_secret_key('/etc/another_key', 'anotherkey')
+      should run.with_params({ 'value' => 'ENC:max[8MaZYHPdj9IpnzcuBLlMdg==]', 'secretkey' => '/etc/another_key'}).and_return('flabberghaster')
+    end
+
+    it "should not decrypt partial matches" do
+      should run.with_params({ 'value' => 'fooENC[3xzy8fiXlaJqv3m+aXIJNA==]bar', 'secretkey' => '/etc/another_key'}).and_return('fooENC[3xzy8fiXlaJqv3m+aXIJNA==]bar')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,22 @@
+# -*- encoding : utf-8 -*-
+require 'rspec-puppet'
+require 'puppet-decrypt'
+require 'rspec/mocks'
+
+module SecretKeyHelper
+  def mock_secret_key(filename, secret)
+    File.should_receive(:readable?).with(filename).and_return(true)
+    File.should_receive(:open).with(filename).and_return(secret)
+  end
+end
+
+RSpec::Mocks::setup(self)
+
+RSpec.configure do |c|
+  c.include SecretKeyHelper
+end
+
+if ENV['PUPPET_DEBUG']
+  Puppet::Util::Log.level = :debug
+  Puppet::Util::Log.newdestination(:console)
+end

metadata

@@ -0,0 +1,223 @@
+--- !ruby/object:Gem::Specification
+name: puppet-decrypt
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- mlincoln
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-07-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: encryptor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cucumber
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: relish
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-puppet
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: puppetlabs_spec_helper
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-nav
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: A gem for encrypting/decrypting secret values for use with Puppet
+email:
+- max@devopsy.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .rvmrc
+- .travis.yml
+- ChangeLog.md
+- Gemfile
+- LICENSE.txt
+- Modulefile
+- README.md
+- Rakefile
+- bundles/puppet_2_7.gemfile
+- bundles/puppet_3_0.gemfile
+- features/fixtures/data/overridden_secret_key.yaml
+- features/fixtures/data/simple.yaml
+- features/fixtures/hiera.yaml
+- features/fixtures/manifests/overridden_secret_key.pp.bak
+- features/fixtures/manifests/simple.pp
+- features/fixtures/other_secretkeys/secondary_key
+- features/fixtures/secretkeys/alt_key
+- features/fixtures/secretkeys/encryptor_secret_key
+- features/hiera.feature
+- features/step_definitions/puppet_steps.rb
+- features/support/env.rb
+- lib/puppet-decrypt.rb
+- lib/puppet-decrypt/decryptor.rb
+- lib/puppet-decrypt/version.rb
+- lib/puppet/application/crypt.rb
+- lib/puppet/face/crypt.rb
+- lib/puppet/parser/functions/decrypt.rb
+- puppet-decrypt.gemspec
+- spec/faces/crypt_spec.rb
+- spec/functions/decrypt_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/maxlinc/puppet-decrypt
+licenses: []
+metadata: {}
+post_install_message: |2+
+
+
+  Notice: The default master key location is now /etc/puppet-decrypt/encryptor_secret_key
+
+  This was done to more easily support multiple keys.  If you are upgrading from a version older than
+  0.1.0 you should move /etc/encryptor_secret_key to /etc/puppet-decrypt/encryptor_secret_key.
+
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: 1.9.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.4
+signing_key: 
+specification_version: 4
+summary: A shared secret strategy that works with any data source
+test_files:
+- features/fixtures/data/overridden_secret_key.yaml
+- features/fixtures/data/simple.yaml
+- features/fixtures/hiera.yaml
+- features/fixtures/manifests/overridden_secret_key.pp.bak
+- features/fixtures/manifests/simple.pp
+- features/fixtures/other_secretkeys/secondary_key
+- features/fixtures/secretkeys/alt_key
+- features/fixtures/secretkeys/encryptor_secret_key
+- features/hiera.feature
+- features/step_definitions/puppet_steps.rb
+- features/support/env.rb
+- spec/faces/crypt_spec.rb
+- spec/functions/decrypt_spec.rb
+- spec/spec_helper.rb