puppet-syntax 7.0.1 → 7.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c458096b405b193f2744bcc269314df50710bc6f0d6a42c86395cddceb7091ed
-  data.tar.gz: 28c88220e7b0f978a6672590b31e297b3fc4b63b5ce9fdc7c0565d2f8599cb5f
+  metadata.gz: c3bc359cbcfcfa56f7c5ebe703c2039328ff08bba9b5fe000ece398f8f694bb5
+  data.tar.gz: 768b276e670cb5f39097dd6d7ada811d8c065b7a36f0115b8b12beb413e5f4ed
 SHA512:
-  metadata.gz: 975c1f133c087f92b35e173dfa755a9e3f688f9bfaf0f9bbbecb247238db285bb0997edf549091e6303b8ca11cc6e8ef9296bd2c34d7159cdf10dd6fd6f8cbe3
-  data.tar.gz: 02cb4c1027b2307fa4718716956c877cb40f95792d63fcd4535fcffc248648efb5419542eeb7f918f77a907a1d891215a189f1e4584ff326e301ff4386954c85
+  metadata.gz: af79416abfe17e8685da8c25e3c7b93418279261eeca403686cbc2ba1ef32160c17526582de9ef34031285c81fe0cee6cd0167c5af542755ccb1878e419e08f7
+  data.tar.gz: 963a76a7c5215f642144e34dc92a4611d8bb48bcce0272f10775e2a89061e65cbd4cfd2eb675c676a38748ec6086512ee4e8b28b81ac465c75bc5bef3a47ec72

data/.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
     name: Build the gem
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Install Ruby
         uses: ruby/setup-ruby@v1
         with:
@@ -24,7 +24,7 @@ jobs:
         shell: bash
         run: gem build --verbose *.gemspec
       - name: Upload gem to GitHub cache
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: gem-artifact
           path: '*.gem'
@@ -39,7 +39,7 @@ jobs:
       contents: write # clone repo and create release
     steps:
       - name: Download gem from GitHub cache
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           name: gem-artifact
       - name: Create Release
@@ -56,7 +56,7 @@ jobs:
       packages: write # publish to rubygems.pkg.github.com
     steps:
       - name: Download gem from GitHub cache
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           name: gem-artifact
       - name: Publish gem to GitHub packages
@@ -73,7 +73,7 @@ jobs:
       id-token: write # rubygems.org authentication
     steps:
       - name: Download gem from GitHub cache
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           name: gem-artifact
       - uses: rubygems/configure-rubygems-credentials@v1.0.0
@@ -92,7 +92,7 @@ jobs:
       - release-to-rubygems
     steps:
       - name: Download gem from GitHub cache
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@v7
         with:
           name: gem-artifact
       - name: Install Ruby

data/.github/workflows/test.yml

@@ -20,7 +20,7 @@ jobs:
     outputs:
       ruby: ${{ steps.ruby.outputs.versions }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Install Ruby ${{ matrix.ruby }}
         uses: ruby/setup-ruby@v1
         with:
@@ -45,7 +45,7 @@ jobs:
     env:
       PUPPET_VERSION: ${{ matrix.puppet }}
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Install Ruby ${{ matrix.ruby }}
         uses: ruby/setup-ruby@v1
         with:

data/.rubocop.yml

@@ -6,6 +6,3 @@ inherit_gem:
 
 Metrics:
   Enabled: false
-
-AllCops:
-  TargetRubyVersion: 3.2

data/.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config --no-auto-gen-timestamp`
-# using RuboCop version 1.79.2.
+# using RuboCop version 1.81.7.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -59,12 +59,17 @@ RSpec/DescribeClass:
     - '**/spec/views/**/*'
     - 'spec/puppet-syntax/tasks/puppet-syntax_spec.rb'
 
-# Offense count: 7
+# Offense count: 8
 # Configuration parameters: CountAsOne.
 RSpec/ExampleLength:
   Max: 17
 
-# Offense count: 31
+# Offense count: 6
+RSpec/LeakyLocalVariable:
+  Exclude:
+    - 'spec/puppet-syntax/tasks/puppet-syntax_spec.rb'
+
+# Offense count: 32
 # Configuration parameters: EnforcedStyle, IgnoreSharedExamples.
 # SupportedStyles: always, named_only
 RSpec/NamedSubject:
@@ -79,8 +84,8 @@ RSpec/RepeatedDescription:
     - 'spec/puppet-syntax/templates_spec.rb'
 
 # Offense count: 4
-# Configuration parameters: Include, CustomTransform, IgnoreMethods, IgnoreMetadata.
-# Include: **/*_spec.rb
+# Configuration parameters: CustomTransform, IgnoreMethods, IgnoreMetadata, InflectorPath, EnforcedInflector.
+# SupportedInflectors: default, active_support
 RSpec/SpecFilePathFormat:
   Exclude:
     - '**/spec/routing/**/*'
@@ -164,7 +169,7 @@ Style/SymbolProc:
     - 'lib/puppet-syntax/manifests.rb'
     - 'lib/puppet-syntax/templates.rb'
 
-# Offense count: 4
+# Offense count: 5
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, IgnoreCopDirectives, AllowedPatterns, SplitStrings.
 # URISchemes: http, https

data/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file.
 
+## [v7.1.0](https://github.com/voxpupuli/puppet-syntax/tree/v7.1.0) (2026-02-13)
+
+[Full Changelog](https://github.com/voxpupuli/puppet-syntax/compare/v7.0.1...v7.1.0)
+
+**Implemented enhancements:**
+
+- feature: add support for multiple encoded blocks [\#209](https://github.com/voxpupuli/puppet-syntax/pull/209) ([aba-lrettler](https://github.com/aba-lrettler))
+
 ## [v7.0.1](https://github.com/voxpupuli/puppet-syntax/tree/v7.0.1) (2025-08-14)
 
 [Full Changelog](https://github.com/voxpupuli/puppet-syntax/compare/v7.0.0...v7.0.1)

data/README.md

@@ -15,10 +15,10 @@ Hiera YAML.
 
 Puppet::Syntax is supported with:
 
-- Puppet >= 7.0
-- Ruby >= 2.7
+- OpenVox >= 8.0
+- Ruby >= 3.2
 
-For the specific versions that we test against, see the [GitHub Actions workflow](.github/workflows/test.yml).
+For the specific versions that we test against, see the [GitHub Actions workflow](.github/workflows/test.yml) or the [Gem spec](puppet-syntax.gemspec).
 
 ## Installation
 
@@ -31,7 +31,7 @@ the gem manually.
 gem 'puppet-syntax'
 ```
 
-  And then execute:
+And then execute:
 
 ```sh
 bundle install
@@ -113,7 +113,7 @@ task :test => [
 
 * To test all manifests and templates, relative to the location of the `Rakefile`, run:
 
-```
+```shell
 $ bundle exec rake syntax
 ---> syntax:manifests
 ---> syntax:templates
@@ -122,7 +122,7 @@ $ bundle exec rake syntax
 
 * To return a non-zero exit code and an error message on any failures, run:
 
-```
+```shell
 $ bundle exec rake syntax
 ---> syntax:manifests
 rake aborted!
@@ -149,14 +149,14 @@ By default, this rake task looks for all `.yaml` files in a single module under:
 It will validate the syntax of each Hiera *key*. for values, it will check if
 the interpolation function syntax is correct. Wrong:
 
-```
+```yaml
 foo:
   "%{lookup('baz'):3306}": []
 ```
 
 correct would be:
 
-```
+```yaml
 foo:
   "%{lookup('baz')}:3306": []
 ```

data/lib/puppet-syntax/hiera.rb

@@ -53,29 +53,37 @@ module PuppetSyntax
     end
 
     def check_eyaml_blob(val)
-      return unless /^ENC\[/.match?(val)
-
-      val.sub!('ENC[', '')
+      # strip newlines and extra spaces
       val.gsub!(/\s+/, '')
-      return 'has unterminated eyaml value' unless /\]$/.match?(val)
 
-      val.sub!(/\]$/, '')
-      method, base64 = val.split(',')
-      if base64.nil?
-        base64 = method
-        method = 'PKCS7'
-      end
+      encodes_length = val.scan('ENC[').length
+
+      # Return if there's no encoded material
+      return if encodes_length == 0
+
+      found_encodes = val.scan(/ENC\[([^,\]]+,)?([^\]]+)?\]/)
+
+      return 'has unterminated eyaml value' unless found_encodes.length == encodes_length
 
       known_methods = %w[PKCS7 GPG GKMS KMS TWOFAC SecretBox VAULT GCPKMS RSA SSHAGENT VAULT_RS cli]
-      return "has unknown eyaml method #{method}" unless known_methods.include? method
-      return 'has unpadded or truncated base64 data' unless base64.length % 4 == 0
 
-      # Base64#decode64 will silently ignore characters outside the alphabet,
-      # so we check resulting length of binary data instead
-      pad_length = base64.gsub(/[^=]/, '').length
-      return unless Base64.decode64(base64).length != (base64.length * 3 / 4) - pad_length
+      found_encodes.each do |match|
+        # if no method is found we use the default PKCS7 method
+        method = match[0]
+        method = +'PKCS7' if method.nil?
+        method.delete_suffix!(',')
+        base64 = match[1]
 
-      'has corrupt base64 data'
+        return 'has invalid eyaml encoded format' if base64.nil?
+
+        return "has unknown eyaml method #{method}" unless known_methods.include? method
+
+        return 'has unpadded or truncated base64 data' unless base64.length % 4 == 0
+
+        return 'has corrupt base64 data' unless base64.match?(%r{^[a-zA-Z0-9+/=]+$})
+      end
+      # all good
+      nil
     end
 
     def check(filelist)

data/lib/puppet-syntax/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module PuppetSyntax
-  VERSION = '7.0.1'
+  VERSION = '7.1.0'
 end

data/puppet-syntax.gemspec

@@ -23,5 +23,5 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'openvox', '>= 8', '< 9'
   spec.add_dependency 'rake', '~> 13.1'
 
-  spec.add_development_dependency 'voxpupuli-rubocop', '~> 4.2.0'
+  spec.add_development_dependency 'voxpupuli-rubocop', '~> 5.1.0'
 end

data/spec/fixtures/hiera/hiera_bad.eyaml

@@ -1,11 +1,11 @@
 ---
-acme::warning1: ENC[unknown-method,aGVsbG8sIHdvcmxk]
-acme::warning2: ENC[PKCS7,aGVsbG8sIHdvcmxk
-acme::warning3: ENC[PKCS7,aGVsbG8sIHdvcmxk==]
-acme::warning4: ENC[PKCS7,aGVs!!!!bG8sIHdvcmxk]
+acme::warning1: ENC[unknown-method,aGVsbG8sIHdvcmxk] # unknown method
+acme::warning2: ENC[PKCS7,aGVsbG8sIHdvcmxk # has unterminated eyaml value
+acme::warning3: ENC[PKCS7,aGVsbG8sIHdvcmxk==] # unpadded or truncated base64 data
+acme::warning4: ENC[PKCS7,aGVsbG8sf&IHdvcmxk==] # corrupt base64 data
 acme::warning5:
   key1: foo
-  key2: ENC[PKCS7,aGVs!!!!bG8sIHdvcmxk]
+  key2: ENC[PKCS7,aGVs!!!!bG8sIHdvcmxk] # corrupt base64 data
 acme::warning6:
   hash_key:
     - element1
@@ -17,8 +17,9 @@ acme::warning6:
       ENC[PKCS7,
           aGVs!!!!bG8sIHdvcmxk
       ]
-acme::good1: >
-   ENC[PKCS7,
-     aGVsbG8sIHdvcmxk]
-acme::good2: ENC[GPG,aGVsbG8sIHdvcmxkIQ==]
-acme::good3: ENC[GPG,aGVsbG8sIHdvcmxkISE=]
+    # corrupt base64 data
+acme::warning7: ENC[] # has invalid eyaml encoded format
+acme::warning8: ENC[PKCS7,aGV&&&sbG8sIHdvcmxk] # unpadded or truncated base64 data
+acme::warning9: | # has unterminated eyaml value
+  ENC[aGVsbG8sIHdvcmxk
+  ENC[aGVsbG8sIHdvcmxk]

data/spec/fixtures/hiera/hiera_good.eyaml

@@ -0,0 +1,13 @@
+---
+acme::good1: ENC[KMS,aGVsbG8sIdGHdvcmxk==]
+acme::good2: ENC[PKCS7,aGVsbG8sf3IHdvcmxk==]
+acme::good3: ENC[KMS,aGVsbG8sIdGHdvcmxk==]ENC[KMS,aGVsbG8sIdGHdvcmxk==]
+acme::good4: >
+   ENC[PKCS7,
+     aGVsbG8sIHdvcmxk]
+acme::good5: ENC[GPG,aGVsbG8sIHdvcmxkIQ==]
+acme::good6: ENC[GPG,aGVsbG8sIHdvcmxkISE=]
+acme::good7: |
+    text
+    ENC[GPG,aGVsbG8sIHdvcmxkISE=]
+acme::good8: ENC[aGVsbG8sf3IHdvcmxk==]

data/spec/puppet-syntax/hiera_spec.rb

@@ -71,9 +71,15 @@ describe PuppetSyntax::Hiera do
       expect(res[2]).to match('Key :this_is::warning3: string after a function call but before `}` in the value')
     end
 
+    it 'returns nothing for good eyaml' do
+      files = fixture_hiera('hiera_good.eyaml')
+      res = subject.check(files)
+      expect(res).to eq []
+    end
+
     it 'returns warnings for bad eyaml values' do
       hiera_yaml = 'hiera_bad.eyaml'
-      examples = 6
+      examples = 9
       files = fixture_hiera(hiera_yaml)
       res = subject.check(files)
       (1..examples).each do |n|
@@ -86,6 +92,9 @@ describe PuppetSyntax::Hiera do
       expect(res[3]).to match('Key acme::warning4 has corrupt base64 data')
       expect(res[4]).to match('Key acme::warning5\[\'key2\'\] has corrupt base64 data')
       expect(res[5]).to match('Key acme::warning6\[\'hash_key\'\]\[2\] has corrupt base64 data')
+      expect(res[6]).to match('Key acme::warning7 has invalid eyaml encoded format')
+      expect(res[7]).to match('Key acme::warning8 has unpadded or truncated base64 data')
+      expect(res[8]).to match('Key acme::warning9 has unterminated eyaml value')
     end
 
     it 'handles empty files' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: puppet-syntax
 version: !ruby/object:Gem::Version
-  version: 7.0.1
+  version: 7.1.0
 platform: ruby
 authors:
 - Vox Pupuli
@@ -49,14 +49,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 5.1.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 5.1.0
 description: Syntax checks for Puppet manifests and templates
 email:
 - voxpupuli@groups.io
@@ -92,6 +92,7 @@ files:
 - spec/fixtures/hiera/hiera_bad.yaml
 - spec/fixtures/hiera/hiera_badkey.yaml
 - spec/fixtures/hiera/hiera_badvalue.yaml
+- spec/fixtures/hiera/hiera_good.eyaml
 - spec/fixtures/hiera/hiera_good.yaml
 - spec/fixtures/hiera/hiera_key_empty.yaml
 - spec/fixtures/hiera/hiera_key_no_value.yaml
@@ -138,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.9
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Syntax checks for Puppet manifests, templates, and Hiera YAML
 test_files: []