puppet-decrypt 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 248058bd4e4965701c01ff8037984487ea5db344
-  data.tar.gz: bfd65eec21ba36b8c3d8081e3f442c4f1adc980c
+  metadata.gz: 4c098cca8fcd1228c7d2e82d7b8615f7189e77e8
+  data.tar.gz: b2ddb9f7aaa99af9d68812a7d86a95c7d04da32e
 SHA512:
-  metadata.gz: e9b7548c7c93147d6aa8a81f4a9a1cf1374ed5cdb18fc4a0ad50530fa956ed316cba19cad58fb0f7e84609a9d04b1cefb262a549a807761cffb4a47a46e25a11
-  data.tar.gz: c2d3f32d32879c01aba7ca764280ec2422e81d3c69841bc256f0333ff90dfa3c7e6ef37341f8f6e593819cf4f5aa27b078bd643c1078be0afca10aae4dcbc699
+  metadata.gz: b19f454ff00dd36f2f83848c1a4be5df1ec6065b6dcd487364da4c981cce7350c6789862092df40681bcefaa2363e46ee8d4735cb751abec3b6e7400d4a6b0c2
+  data.tar.gz: 45b6964e742c45152804e4d6eac02324702515dcefc49ce87cf7a0eeb0268b744229ae2aec6f99b0a84ac5146de98da15519d6edb31e94c282b4af7c162f4be7

data/.travis.yml

@@ -1,10 +1,21 @@
 language: ruby
+bundler_args: --without debugging
 rvm:
+  - 1.8.7
   - 1.9.3
-  - 1.9.2
   - jruby-19mode
   - 2.0.0
+  - 2.1.0
 gemfile:
   - Gemfile
   - bundles/puppet_3_0.gemfile
   - bundles/puppet_2_7.gemfile
+  - bundles/puppet_edge.gemfile
+matrix:
+  exclude:
+    - rvm: 1.8.7
+      gemfile: bundles/puppet_edge.gemfile
+    - rvm: 2.1.0
+      gemfile: bundles/puppet_3_0.gemfile
+    - rvm: 2.1.0
+      gemfile: bundles/puppet_2_7.gemfile

data/ChangeLog.md

@@ -1,3 +1,11 @@
+## 0.1.1 (Jan 24, 2014)
+
+Enhancements:
+  - Salting to protect against dictionary and rainbow table attacks.
+
+Bugfixes:
+  - Fix Ruby 1.8.7 support.
+
 ## 0.1.0 (July 10, 2013)
 
 Features:

data/Gemfile

@@ -1,5 +1,16 @@
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in puppet-decrypt.gemspec
-gem 'puppet'
 gemspec
+
+# Not in the gemspec because we're testing multiple versions with appraisal.
+gem 'puppet'
+
+# Things we don't want on Travis
+group :debugging do
+  # just for pushing documentation, requires ruby 1.9+
+  gem 'relish'
+  gem 'pry'
+  gem 'pry-nav'
+end
+

data/bundles/puppet_edge.gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in puppet-decrypt.gemspec
+gem 'puppet', :git => 'https://github.com/puppetlabs/puppet'
+gemspec(:path => '../')

data/features/hiera.feature

@@ -1,6 +1,6 @@
 Feature: Puppet works
 
-  Scenario: Default test
+  Scenario: Unsalted (legacy) key
     Given I have the following hiera data:
       """
       ---
@@ -13,11 +13,24 @@ Feature: Puppet works
       """
     Then the output should include "Decrypted: max"
 
+  Scenario: Default test
+    Given I have the following hiera data:
+      """
+      ---
+        db_password: ENC[HOz0/aHCjJTAUlEbM/pqMQ==:QZy2oTvQNhwFMmOARn+Jlw==:aUY1NjBqamp6RWs1UkYvVjVULzNvdz09]
+      """
+    When I execute this puppet manifest:
+      """
+      $password = decrypt(hiera('db_password'))
+      notice("Decrypted: $password")
+      """
+    Then the output should include "Decrypted: max"
+
   Scenario: Overriden key (string)
     Given I have the following hiera data:
       """
       ---
-        db_password: ENC:alt_key[c4S4hMCDv1b7FkZgOBRTOA==]
+        db_password: ENC:alt_key[KgLJnDVF9VeTGGU/vG2KjQ==:NiLhgUn4JL07DI9trGSK8g==:YlVhZDhDSEZsSDV6RnBOdm1FMmVtQT09]
       """
     When I execute this puppet manifest:
       """
@@ -31,7 +44,7 @@ Feature: Puppet works
       """
       ---
         db_password:
-          value: 'ENC[G6MjBDDFcapYLaKBFJvPSg==]'
+          value: 'ENC[AVdi08NXUveKStMSAH4kMQ==:EAHeMe3TvK33gjnDDHV5rQ==:cndoVVBhMWdXQW5HVSsxWDN4OUtRZz09]'
           secretkey: 'features/fixtures/other_secretkeys/secondary_key'
       """
     When I execute this puppet manifest:
@@ -40,4 +53,4 @@ Feature: Puppet works
       $password = decrypt(hiera_hash('db_password'))
       notice("Decrypted: $password")
       """
-    Then the output should include "Decrypted: overridden"
+    Then the output should include "Decrypted: overridden"

data/features/step_definitions/puppet_steps.rb

@@ -12,7 +12,7 @@ When /^I execute this puppet manifest:$/ do |manifest|
   begin
     file.write(manifest)
     file.close
-    ENV['FACTER_HIERA_FILE'] = File.basename(hierafile, '.yaml')
+    ENV['FACTER_HIERA_FILE'] = File.basename(hierafile.path, '.yaml')
     ENV['PUPPET_DECRYPT_KEYDIR'] = 'features/fixtures/secretkeys'
     puppet_version = `bundle exec puppet --version`
     puppet_command = "bundle exec puppet apply --noop #{file.path}"

data/lib/puppet-decrypt.rb

@@ -1,9 +1,13 @@
 require 'puppet-decrypt/version'
+require 'puppet-decrypt/key_loader'
 require 'puppet-decrypt/decryptor'
 require 'encryptor'
 require 'base64'
 
 module Puppet
   module Decrypt
+    def self.key_loader
+      @key_loader ||= Puppet::Decrypt::KeyLoader.new
+    end
   end
 end

data/lib/puppet-decrypt/decryptor.rb

@@ -2,7 +2,7 @@ module Puppet
   module Decrypt
 
     class Decryptor
-      ENCRYPTED_PATTERN = /^ENC:?(?<key>\w*)\[(?<value>.*)\]$/
+      ENCRYPTED_PATTERN = /^ENC:?(\w*)\[(.*)\]$/
       KEY_DIR = ENV['PUPPET_DECRYPT_KEYDIR'] || '/etc/puppet-decrypt'
       DEFAULT_KEY = 'encryptor_secret_key'
       DEFAULT_FILE = File.join(KEY_DIR, DEFAULT_KEY)
@@ -24,31 +24,40 @@ module Puppet
         else
           match = value.match(ENCRYPTED_PATTERN)
           if match
-            value = match[:value]
+            value = match[2]
           end
         end
         if match
-          value = strict_decode64(value)
-          value = value.decrypt(:key => secret_key_digest)
+          value, iv, salt = value.split(':').map{|s| strict_decode64 s }
+          if iv && salt
+            value = value.decrypt(:key => secret_key_digest, :iv => iv, :salt => salt)
+          else
+            $stderr.puts "Warning: re-encrypt with puppet-crypt to use salted passwords"
+            value = value.decrypt(:key => secret_key_digest)
+          end
         end
         value
       end
 
-      def encrypt(value, secret_key_file = nil)
+      def encrypt(value, secret_key_file, salt, iv)
         secret_key_file ||= secret_key_for value
         secret_key_digest = digest_from secret_key_file
-        result = value.encrypt(:key => secret_key_digest)
-        encrypted_value = strict_encode64(result).strip
+        result = value.encrypt(:key => secret_key_digest, :iv => iv, :salt => salt)
+        encrypted_value = [result, iv, salt].map{|v| strict_encode64(v).strip }.join ':'
         encrypted_value = "ENC[#{encrypted_value}]" unless @raw
-        raise "Value can't be encrypted properly" unless decrypt(encrypted_value, secret_key_file) == value
+        raise "Value can't be encrypted properly with salt #{salt}" unless decrypt(encrypted_value, secret_key_file) == value
         encrypted_value
       end
 
       private
+      def load_key(secret_key_file)
+        Puppet::Decrypt.key_loader.load_key secret_key_file
+      end
+
       def secret_key_for(value)
         match = value.match(ENCRYPTED_PATTERN)
         if match
-          key = match[:key]
+          key = match[1]
           key = DEFAULT_KEY if key.empty?
         end
         key ||= DEFAULT_KEY
@@ -56,8 +65,7 @@ module Puppet
       end
 
       def digest_from(secret_key_file)
-        raise "Secret key file: #{secret_key_file} is not readable!" unless File.readable?(secret_key_file)
-        secret_key = File.open(secret_key_file, &:readline).chomp
+        secret_key = load_key secret_key_file
         Digest::SHA256.hexdigest(secret_key)
       end
 

data/lib/puppet-decrypt/key_loader.rb

@@ -0,0 +1,10 @@
+module Puppet
+  module Decrypt
+    class KeyLoader
+      def load_key(secret_key_file)
+        raise "Secret key file: #{secret_key_file} is not readable!" unless File.readable?(secret_key_file)
+        secret_key = File.open(secret_key_file, &:readline).chomp
+      end
+    end
+  end
+end

data/lib/puppet-decrypt/version.rb

@@ -1,5 +1,5 @@
 module Puppet
   module Decrypt
-    VERSION = "0.1.0"
+    VERSION = "0.1.1"
   end
 end

data/lib/puppet/face/crypt.rb

@@ -23,6 +23,14 @@ Puppet::Face.define(:crypt, Puppet::Decrypt::VERSION) do
     summary "The path to the secret key file (default: #{Puppet::Decrypt::Decryptor::DEFAULT_FILE}"
   end
 
+  option "--iv IV" do
+    summary "The initialization vector to use during encryption (default is random)"
+  end
+
+  option "--salt SALT" do
+    summary "The salt to use during encryption (default is random)"
+  end
+
   action :encrypt do
     summary 'Encrypt a secret value.'
     arguments "<plaintext_secret>"
@@ -30,8 +38,10 @@ Puppet::Face.define(:crypt, Puppet::Decrypt::VERSION) do
       This action encrypts a value using the secret key.
     EOT
     when_invoked do |plaintext_secret, options|
+      iv   = options.delete(:iv)   || OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
+      salt = options.delete(:salt) || SecureRandom.base64
       secretkey = options[:secretkey]
-      Puppet::Decrypt::Decryptor.new(options).encrypt(plaintext_secret, secretkey)
+      Puppet::Decrypt::Decryptor.new(options).encrypt(plaintext_secret, secretkey, salt, iv)
     end
   end
 

data/puppet-decrypt.gemspec

@@ -27,13 +27,10 @@ This was done to more easily support multiple keys.  If you are upgrading from a
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_dependency('encryptor')
+  gem.add_dependency('encryptor', '~> 1.3')
   gem.add_development_dependency('rake')
   gem.add_development_dependency('cucumber')
-  gem.add_development_dependency('relish')
   gem.add_development_dependency('rspec')
   gem.add_development_dependency('rspec-puppet')
   gem.add_development_dependency('puppetlabs_spec_helper')
-  gem.add_development_dependency('pry')
-  gem.add_development_dependency('pry-nav')
 end

data/spec/faces/crypt_spec.rb

@@ -2,24 +2,48 @@
 require 'spec_helper'
 require 'puppet/face'
 
+MINIMUM_IV_LENGTH = 20
 describe Puppet::Face[:crypt, :current] do
+  let(:insecure_opts) do
+    { :salt => '1234567890', :iv => '5'*20 }
+  end
+  # Values above, encoded
+  let(:base64_salt) { 'MTIzNDU2Nzg5MA==' }
+  let(:base64_iv)   { 'NTU1NTU1NTU1NTU1NTU1NTU1NTU=' }
   before :all do
     mock_secret_key(Puppet::Decrypt::Decryptor::DEFAULT_FILE, 'masterkey')
   end
 
   describe 'encrypt' do
     describe 'should encrypt a value' do
+      it 'is decryptable with minimum args' do
+        encrypted = subject.encrypt('flabberghaster')
+        subject.decrypt(encrypted).should == 'flabberghaster'
+      end
+      it 'is decryptable with minimum args with a salt' do
+        salt = SecureRandom.base64
+        encrypted = subject.encrypt('flabberghaster', {:salt => salt})
+        subject.decrypt(encrypted).should == 'flabberghaster'
+      end
+      it 'is decryptable with problematic salt (regexp chars)' do
+        salt = 'R8STny+9cq03ujQGiKDd9w=='
+        encrypted = subject.encrypt('flabberghaster', {:salt => salt})
+        subject.decrypt(encrypted).should == 'flabberghaster'
+      end
       it 'with ENC[...]' do
-        subject.encrypt('flabberghaster').should == 'ENC[3xzy8fiXlaJqv3m+aXIJNA==]'
+        expected_value = "ENC[7u523Z+PpqSm58+BeiN4qw==:#{base64_iv}:#{base64_salt}]"
+        subject.encrypt('flabberghaster', insecure_opts).should == expected_value 
       end
 
       it 'with --raw' do
-        subject.encrypt('flabberghaster', {:raw => true}).should == '3xzy8fiXlaJqv3m+aXIJNA=='
+        expected_value = "7u523Z+PpqSm58+BeiN4qw==:#{base64_iv}:#{base64_salt}"
+        subject.encrypt('flabberghaster', {:raw => true}.merge(insecure_opts)).should == expected_value
       end
 
       it 'with --secretkey' do
         mock_secret_key('/etc/another_key', 'anotherkey')
-        subject.encrypt('flabberghaster', {:secretkey => '/etc/another_key'}).should == 'ENC[8MaZYHPdj9IpnzcuBLlMdg==]'
+        expected_value = "ENC[81crlXmuzSnld3+4YUkQYg==:#{base64_iv}:#{base64_salt}]"
+        subject.encrypt('flabberghaster', {:secretkey => '/etc/another_key'}.merge(insecure_opts)).should == expected_value
       end
     end
   end

data/spec/puppet-decrypt/fake_key_loader.rb

@@ -0,0 +1,24 @@
+module Puppet
+  module Decrypt
+    def self.key_loader=(key_loader)
+      @key_loader = key_loader
+    end
+
+    class FakeKeyLoader
+      def initialize
+        @secrets = {}
+      end
+
+      def add_secret(secret_key_file, secret_key)
+        @secrets[secret_key_file] = secret_key
+      end
+
+      def load_key(secret_key_file)
+        raise "Secret key file: #{secret_key_file} is not readable!" unless @secrets.has_key? secret_key_file
+        secret_key = @secrets[secret_key_file]
+      end
+    end
+  end
+end
+
+Puppet::Decrypt.key_loader = Puppet::Decrypt::FakeKeyLoader.new

data/spec/spec_helper.rb

@@ -1,12 +1,14 @@
 # -*- encoding : utf-8 -*-
 require 'rspec-puppet'
+require 'puppet-decrypt/fake_key_loader'
 require 'puppet-decrypt'
 require 'rspec/mocks'
 
+Puppet::Decrypt.key_loader = Puppet::Decrypt::FakeKeyLoader.new
+
 module SecretKeyHelper
   def mock_secret_key(filename, secret)
-    File.should_receive(:readable?).with(filename).and_return(true)
-    File.should_receive(:open).with(filename).and_return(secret)
+    Puppet::Decrypt.key_loader.add_secret(filename, secret)
   end
 end
 

metadata

@@ -1,139 +1,97 @@
 --- !ruby/object:Gem::Specification
 name: puppet-decrypt
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - mlincoln
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-12 00:00:00.000000000 Z
+date: 2014-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: relish
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec-puppet
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: puppetlabs_spec_helper
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry-nav
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: A gem for encrypting/decrypting secret values for use with Puppet
@@ -143,10 +101,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .rvmrc
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".rvmrc"
+- ".travis.yml"
 - ChangeLog.md
 - Gemfile
 - LICENSE.txt
@@ -155,6 +113,7 @@ files:
 - Rakefile
 - bundles/puppet_2_7.gemfile
 - bundles/puppet_3_0.gemfile
+- bundles/puppet_edge.gemfile
 - features/fixtures/data/overridden_secret_key.yaml
 - features/fixtures/data/simple.yaml
 - features/fixtures/hiera.yaml
@@ -168,6 +127,7 @@ files:
 - features/support/env.rb
 - lib/puppet-decrypt.rb
 - lib/puppet-decrypt/decryptor.rb
+- lib/puppet-decrypt/key_loader.rb
 - lib/puppet-decrypt/version.rb
 - lib/puppet/application/crypt.rb
 - lib/puppet/face/crypt.rb
@@ -175,6 +135,7 @@ files:
 - puppet-decrypt.gemspec
 - spec/faces/crypt_spec.rb
 - spec/functions/decrypt_spec.rb
+- spec/puppet-decrypt/fake_key_loader.rb
 - spec/spec_helper.rb
 homepage: https://github.com/maxlinc/puppet-decrypt
 licenses: []
@@ -192,17 +153,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.4
+rubygems_version: 2.2.0
 signing_key: 
 specification_version: 4
 summary: A shared secret strategy that works with any data source
@@ -220,4 +181,5 @@ test_files:
 - features/support/env.rb
 - spec/faces/crypt_spec.rb
 - spec/functions/decrypt_spec.rb
+- spec/puppet-decrypt/fake_key_loader.rb
 - spec/spec_helper.rb