RubyGems - puppet-decrypt - Versions diffs - 0.1.0 → 0.1.1 - Mend

puppet-decrypt 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

checksums.yaml +4 -4
data/.travis.yml +12 -1
data/ChangeLog.md +8 -0
data/Gemfile +12 -1
data/bundles/puppet_edge.gemfile +5 -0
data/features/hiera.feature +17 -4
data/features/step_definitions/puppet_steps.rb +1 -1
data/lib/puppet-decrypt.rb +4 -0
data/lib/puppet-decrypt/decryptor.rb +19 -11
data/lib/puppet-decrypt/key_loader.rb +10 -0
data/lib/puppet-decrypt/version.rb +1 -1
data/lib/puppet/face/crypt.rb +11 -1
data/puppet-decrypt.gemspec +1 -4
data/spec/faces/crypt_spec.rb +27 -3
data/spec/puppet-decrypt/fake_key_loader.rb +24 -0
data/spec/spec_helper.rb +4 -2
metadata +27 -65

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 248058bd4e4965701c01ff8037984487ea5db344
-  data.tar.gz: bfd65eec21ba36b8c3d8081e3f442c4f1adc980c
+  metadata.gz: 4c098cca8fcd1228c7d2e82d7b8615f7189e77e8
+  data.tar.gz: b2ddb9f7aaa99af9d68812a7d86a95c7d04da32e
 SHA512:
-  metadata.gz: e9b7548c7c93147d6aa8a81f4a9a1cf1374ed5cdb18fc4a0ad50530fa956ed316cba19cad58fb0f7e84609a9d04b1cefb262a549a807761cffb4a47a46e25a11
-  data.tar.gz: c2d3f32d32879c01aba7ca764280ec2422e81d3c69841bc256f0333ff90dfa3c7e6ef37341f8f6e593819cf4f5aa27b078bd643c1078be0afca10aae4dcbc699
+  metadata.gz: b19f454ff00dd36f2f83848c1a4be5df1ec6065b6dcd487364da4c981cce7350c6789862092df40681bcefaa2363e46ee8d4735cb751abec3b6e7400d4a6b0c2
+  data.tar.gz: 45b6964e742c45152804e4d6eac02324702515dcefc49ce87cf7a0eeb0268b744229ae2aec6f99b0a84ac5146de98da15519d6edb31e94c282b4af7c162f4be7

data/.travis.yml CHANGED Viewed

@@ -1,10 +1,21 @@
 language: ruby
+bundler_args: --without debugging
 rvm:
+  - 1.8.7
   - 1.9.3
-  - 1.9.2
   - jruby-19mode
   - 2.0.0
+  - 2.1.0
 gemfile:
   - Gemfile
   - bundles/puppet_3_0.gemfile
   - bundles/puppet_2_7.gemfile
+  - bundles/puppet_edge.gemfile
+matrix:
+  exclude:
+    - rvm: 1.8.7
+      gemfile: bundles/puppet_edge.gemfile
+    - rvm: 2.1.0
+      gemfile: bundles/puppet_3_0.gemfile
+    - rvm: 2.1.0
+      gemfile: bundles/puppet_2_7.gemfile

data/ChangeLog.md CHANGED Viewed

@@ -1,3 +1,11 @@
+## 0.1.1 (Jan 24, 2014)
+Enhancements:
+  - Salting to protect against dictionary and rainbow table attacks.
+Bugfixes:
+  - Fix Ruby 1.8.7 support.
 ## 0.1.0 (July 10, 2013)
 Features:

data/Gemfile CHANGED Viewed

@@ -1,5 +1,16 @@
 source 'https://rubygems.org'
 # Specify your gem's dependencies in puppet-decrypt.gemspec
-gem 'puppet'
 gemspec
+# Not in the gemspec because we're testing multiple versions with appraisal.
+gem 'puppet'
+# Things we don't want on Travis
+group :debugging do
+  # just for pushing documentation, requires ruby 1.9+
+  gem 'relish'
+  gem 'pry'
+  gem 'pry-nav'
+end

data/bundles/puppet_edge.gemfile ADDED Viewed

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+# Specify your gem's dependencies in puppet-decrypt.gemspec
+gem 'puppet', :git => 'https://github.com/puppetlabs/puppet'
+gemspec(:path => '../')

data/features/hiera.feature CHANGED Viewed

@@ -1,6 +1,6 @@
 Feature: Puppet works
-  Scenario: Default test
+  Scenario: Unsalted (legacy) key
     Given I have the following hiera data:
       """
       ---
@@ -13,11 +13,24 @@ Feature: Puppet works
       """
     Then the output should include "Decrypted: max"
+  Scenario: Default test
+    Given I have the following hiera data:
+      """
+      ---
+        db_password: ENC[HOz0/aHCjJTAUlEbM/pqMQ==:QZy2oTvQNhwFMmOARn+Jlw==:aUY1NjBqamp6RWs1UkYvVjVULzNvdz09]
+      """
+    When I execute this puppet manifest:
+      """
+      $password = decrypt(hiera('db_password'))
+      notice("Decrypted: $password")
+      """
+    Then the output should include "Decrypted: max"
   Scenario: Overriden key (string)
     Given I have the following hiera data:
       """
       ---
-        db_password: ENC:alt_key[c4S4hMCDv1b7FkZgOBRTOA==]
+        db_password: ENC:alt_key[KgLJnDVF9VeTGGU/vG2KjQ==:NiLhgUn4JL07DI9trGSK8g==:YlVhZDhDSEZsSDV6RnBOdm1FMmVtQT09]
       """
     When I execute this puppet manifest:
       """
@@ -31,7 +44,7 @@ Feature: Puppet works
       """
       ---
         db_password:
-          value: 'ENC[G6MjBDDFcapYLaKBFJvPSg==]'
+          value: 'ENC[AVdi08NXUveKStMSAH4kMQ==:EAHeMe3TvK33gjnDDHV5rQ==:cndoVVBhMWdXQW5HVSsxWDN4OUtRZz09]'
           secretkey: 'features/fixtures/other_secretkeys/secondary_key'
       """
     When I execute this puppet manifest:
@@ -40,4 +53,4 @@ Feature: Puppet works
       $password = decrypt(hiera_hash('db_password'))
       notice("Decrypted: $password")
       """
-    Then the output should include "Decrypted: overridden"
+    Then the output should include "Decrypted: overridden"

data/features/step_definitions/puppet_steps.rb CHANGED Viewed

@@ -12,7 +12,7 @@ When /^I execute this puppet manifest:$/ do |manifest|
   begin
     file.write(manifest)
     file.close
-    ENV['FACTER_HIERA_FILE'] = File.basename(hierafile, '.yaml')
+    ENV['FACTER_HIERA_FILE'] = File.basename(hierafile.path, '.yaml')
     ENV['PUPPET_DECRYPT_KEYDIR'] = 'features/fixtures/secretkeys'
     puppet_version = `bundle exec puppet --version`
     puppet_command = "bundle exec puppet apply --noop #{file.path}"

data/lib/puppet-decrypt.rb CHANGED Viewed

@@ -1,9 +1,13 @@
 require 'puppet-decrypt/version'
+require 'puppet-decrypt/key_loader'
 require 'puppet-decrypt/decryptor'
 require 'encryptor'
 require 'base64'
 module Puppet
   module Decrypt
+    def self.key_loader
+      @key_loader ||= Puppet::Decrypt::KeyLoader.new
+    end
   end
 end

data/lib/puppet-decrypt/decryptor.rb CHANGED Viewed

@@ -2,7 +2,7 @@ module Puppet
   module Decrypt
     class Decryptor
-      ENCRYPTED_PATTERN = /^ENC:?(?<key>\w*)\[(?<value>.*)\]$/
+      ENCRYPTED_PATTERN = /^ENC:?(\w*)\[(.*)\]$/
       KEY_DIR = ENV['PUPPET_DECRYPT_KEYDIR'] || '/etc/puppet-decrypt'
       DEFAULT_KEY = 'encryptor_secret_key'
       DEFAULT_FILE = File.join(KEY_DIR, DEFAULT_KEY)
@@ -24,31 +24,40 @@ module Puppet
         else
           match = value.match(ENCRYPTED_PATTERN)
           if match
-            value = match[:value]
+            value = match[2]
           end
         end
         if match
-          value = strict_decode64(value)
-          value = value.decrypt(:key => secret_key_digest)
+          value, iv, salt = value.split(':').map{|s| strict_decode64 s }
+          if iv && salt
+            value = value.decrypt(:key => secret_key_digest, :iv => iv, :salt => salt)
+          else
+            $stderr.puts "Warning: re-encrypt with puppet-crypt to use salted passwords"
+            value = value.decrypt(:key => secret_key_digest)
+          end
         end
         value
       end
-      def encrypt(value, secret_key_file = nil)
+      def encrypt(value, secret_key_file, salt, iv)
         secret_key_file ||= secret_key_for value
         secret_key_digest = digest_from secret_key_file
-        result = value.encrypt(:key => secret_key_digest)
-        encrypted_value = strict_encode64(result).strip
+        result = value.encrypt(:key => secret_key_digest, :iv => iv, :salt => salt)
+        encrypted_value = [result, iv, salt].map{|v| strict_encode64(v).strip }.join ':'
         encrypted_value = "ENC[#{encrypted_value}]" unless @raw
-        raise "Value can't be encrypted properly" unless decrypt(encrypted_value, secret_key_file) == value
+        raise "Value can't be encrypted properly with salt #{salt}" unless decrypt(encrypted_value, secret_key_file) == value
         encrypted_value
       end
       private
+      def load_key(secret_key_file)
+        Puppet::Decrypt.key_loader.load_key secret_key_file
+      end
       def secret_key_for(value)
         match = value.match(ENCRYPTED_PATTERN)
         if match
-          key = match[:key]
+          key = match[1]
           key = DEFAULT_KEY if key.empty?
         end
         key ||= DEFAULT_KEY
@@ -56,8 +65,7 @@ module Puppet
       end
       def digest_from(secret_key_file)
-        raise "Secret key file: #{secret_key_file} is not readable!" unless File.readable?(secret_key_file)
-        secret_key = File.open(secret_key_file, &:readline).chomp
+        secret_key = load_key secret_key_file
         Digest::SHA256.hexdigest(secret_key)
       end

data/lib/puppet-decrypt/key_loader.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module Puppet
+  module Decrypt
+    class KeyLoader
+      def load_key(secret_key_file)
+        raise "Secret key file: #{secret_key_file} is not readable!" unless File.readable?(secret_key_file)
+        secret_key = File.open(secret_key_file, &:readline).chomp
+      end
+    end
+  end
+end

data/lib/puppet-decrypt/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Puppet
   module Decrypt
-    VERSION = "0.1.0"
+    VERSION = "0.1.1"
   end
 end

data/lib/puppet/face/crypt.rb CHANGED Viewed

@@ -23,6 +23,14 @@ Puppet::Face.define(:crypt, Puppet::Decrypt::VERSION) do
     summary "The path to the secret key file (default: #{Puppet::Decrypt::Decryptor::DEFAULT_FILE}"
   end
+  option "--iv IV" do
+    summary "The initialization vector to use during encryption (default is random)"
+  end
+  option "--salt SALT" do
+    summary "The salt to use during encryption (default is random)"
+  end
   action :encrypt do
     summary 'Encrypt a secret value.'
     arguments "<plaintext_secret>"
@@ -30,8 +38,10 @@ Puppet::Face.define(:crypt, Puppet::Decrypt::VERSION) do
       This action encrypts a value using the secret key.
     EOT
     when_invoked do |plaintext_secret, options|
+      iv   = options.delete(:iv)   || OpenSSL::Cipher::Cipher.new('aes-256-cbc').random_iv
+      salt = options.delete(:salt) || SecureRandom.base64
       secretkey = options[:secretkey]
-      Puppet::Decrypt::Decryptor.new(options).encrypt(plaintext_secret, secretkey)
+      Puppet::Decrypt::Decryptor.new(options).encrypt(plaintext_secret, secretkey, salt, iv)
     end
   end

data/puppet-decrypt.gemspec CHANGED Viewed

@@ -27,13 +27,10 @@ This was done to more easily support multiple keys.  If you are upgrading from a
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
-  gem.add_dependency('encryptor')
+  gem.add_dependency('encryptor', '~> 1.3')
   gem.add_development_dependency('rake')
   gem.add_development_dependency('cucumber')
-  gem.add_development_dependency('relish')
   gem.add_development_dependency('rspec')
   gem.add_development_dependency('rspec-puppet')
   gem.add_development_dependency('puppetlabs_spec_helper')
-  gem.add_development_dependency('pry')
-  gem.add_development_dependency('pry-nav')
 end

data/spec/faces/crypt_spec.rb CHANGED Viewed

@@ -2,24 +2,48 @@
 require 'spec_helper'
 require 'puppet/face'
+MINIMUM_IV_LENGTH = 20
 describe Puppet::Face[:crypt, :current] do
+  let(:insecure_opts) do
+    { :salt => '1234567890', :iv => '5'*20 }
+  end
+  # Values above, encoded
+  let(:base64_salt) { 'MTIzNDU2Nzg5MA==' }
+  let(:base64_iv)   { 'NTU1NTU1NTU1NTU1NTU1NTU1NTU=' }
   before :all do
     mock_secret_key(Puppet::Decrypt::Decryptor::DEFAULT_FILE, 'masterkey')
   end
   describe 'encrypt' do
     describe 'should encrypt a value' do
+      it 'is decryptable with minimum args' do
+        encrypted = subject.encrypt('flabberghaster')
+        subject.decrypt(encrypted).should == 'flabberghaster'
+      end
+      it 'is decryptable with minimum args with a salt' do
+        salt = SecureRandom.base64
+        encrypted = subject.encrypt('flabberghaster', {:salt => salt})
+        subject.decrypt(encrypted).should == 'flabberghaster'
+      end
+      it 'is decryptable with problematic salt (regexp chars)' do
+        salt = 'R8STny+9cq03ujQGiKDd9w=='
+        encrypted = subject.encrypt('flabberghaster', {:salt => salt})
+        subject.decrypt(encrypted).should == 'flabberghaster'
+      end
       it 'with ENC[...]' do
-        subject.encrypt('flabberghaster').should == 'ENC[3xzy8fiXlaJqv3m+aXIJNA==]'
+        expected_value = "ENC[7u523Z+PpqSm58+BeiN4qw==:#{base64_iv}:#{base64_salt}]"
+        subject.encrypt('flabberghaster', insecure_opts).should == expected_value
       end
       it 'with --raw' do
-        subject.encrypt('flabberghaster', {:raw => true}).should == '3xzy8fiXlaJqv3m+aXIJNA=='
+        expected_value = "7u523Z+PpqSm58+BeiN4qw==:#{base64_iv}:#{base64_salt}"
+        subject.encrypt('flabberghaster', {:raw => true}.merge(insecure_opts)).should == expected_value
       end
       it 'with --secretkey' do
         mock_secret_key('/etc/another_key', 'anotherkey')
-        subject.encrypt('flabberghaster', {:secretkey => '/etc/another_key'}).should == 'ENC[8MaZYHPdj9IpnzcuBLlMdg==]'
+        expected_value = "ENC[81crlXmuzSnld3+4YUkQYg==:#{base64_iv}:#{base64_salt}]"
+        subject.encrypt('flabberghaster', {:secretkey => '/etc/another_key'}.merge(insecure_opts)).should == expected_value
       end
     end
   end

data/spec/puppet-decrypt/fake_key_loader.rb ADDED Viewed

@@ -0,0 +1,24 @@
+module Puppet
+  module Decrypt
+    def self.key_loader=(key_loader)
+      @key_loader = key_loader
+    end
+    class FakeKeyLoader
+      def initialize
+        @secrets = {}
+      end
+      def add_secret(secret_key_file, secret_key)
+        @secrets[secret_key_file] = secret_key
+      end
+      def load_key(secret_key_file)
+        raise "Secret key file: #{secret_key_file} is not readable!" unless @secrets.has_key? secret_key_file
+        secret_key = @secrets[secret_key_file]
+      end
+    end
+  end
+end
+Puppet::Decrypt.key_loader = Puppet::Decrypt::FakeKeyLoader.new

data/spec/spec_helper.rb CHANGED Viewed

@@ -1,12 +1,14 @@
 # -*- encoding : utf-8 -*-
 require 'rspec-puppet'
+require 'puppet-decrypt/fake_key_loader'
 require 'puppet-decrypt'
 require 'rspec/mocks'
+Puppet::Decrypt.key_loader = Puppet::Decrypt::FakeKeyLoader.new
 module SecretKeyHelper
   def mock_secret_key(filename, secret)
-    File.should_receive(:readable?).with(filename).and_return(true)
-    File.should_receive(:open).with(filename).and_return(secret)
+    Puppet::Decrypt.key_loader.add_secret(filename, secret)
   end
 end

metadata CHANGED Viewed

@@ -1,139 +1,97 @@
 --- !ruby/object:Gem::Specification
 name: puppet-decrypt
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - mlincoln
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-07-12 00:00:00.000000000 Z
+date: 2014-03-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: encryptor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: relish
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec-puppet
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: puppetlabs_spec_helper
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry-nav
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: A gem for encrypting/decrypting secret values for use with Puppet
@@ -143,10 +101,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .rvmrc
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".rvmrc"
+- ".travis.yml"
 - ChangeLog.md
 - Gemfile
 - LICENSE.txt
@@ -155,6 +113,7 @@ files:
 - Rakefile
 - bundles/puppet_2_7.gemfile
 - bundles/puppet_3_0.gemfile
+- bundles/puppet_edge.gemfile
 - features/fixtures/data/overridden_secret_key.yaml
 - features/fixtures/data/simple.yaml
 - features/fixtures/hiera.yaml
@@ -168,6 +127,7 @@ files:
 - features/support/env.rb
 - lib/puppet-decrypt.rb
 - lib/puppet-decrypt/decryptor.rb
+- lib/puppet-decrypt/key_loader.rb
 - lib/puppet-decrypt/version.rb
 - lib/puppet/application/crypt.rb
 - lib/puppet/face/crypt.rb
@@ -175,6 +135,7 @@ files:
 - puppet-decrypt.gemspec
 - spec/faces/crypt_spec.rb
 - spec/functions/decrypt_spec.rb
+- spec/puppet-decrypt/fake_key_loader.rb
 - spec/spec_helper.rb
 homepage: https://github.com/maxlinc/puppet-decrypt
 licenses: []
@@ -192,17 +153,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: 1.9.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.0.4
+rubygems_version: 2.2.0
 signing_key:
 specification_version: 4
 summary: A shared secret strategy that works with any data source
@@ -220,4 +181,5 @@ test_files:
 - features/support/env.rb
 - spec/faces/crypt_spec.rb
 - spec/functions/decrypt_spec.rb
+- spec/puppet-decrypt/fake_key_loader.rb
 - spec/spec_helper.rb