yaml_recrypt 0.1.0 → 0.1.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: a30e4be74e940b9c90604e9d891effdb2cf31016
4
- data.tar.gz: 5a04d0a1cbb68392a0f48b476fe580b9b2213558
3
+ metadata.gz: 706a7b37ab2e8fa258932696bf423a90eff36ba5
4
+ data.tar.gz: 3e98b9b601e5174e2406e5741463d34f7a9e6668
5
5
  SHA512:
6
- metadata.gz: c028c2bf60febd192258dad786327b195ec55701b1cd3aaea3b45f443a04082c87d27822379263e6ec7ed4ec43dc0655aff445691e33c8755c21e8b2960420f1
7
- data.tar.gz: a1bb7f8c0fedbcbdebb5fdc2f039267683bb6977c39c41a38e577471cfdfe2c0b00e51e473eeab781902b5057aff5cbb12fd14d638bb82b3addedc12e4ba14e9
6
+ metadata.gz: 9ba6efca12ddc88d3e81938232eed6e367602937e8bf7f4add01e25ab18be6a02366b485e547c00f3abe4c785ae674942442dce71e56a4754dfe2ea9bf199d1c
7
+ data.tar.gz: c81e67c223ab326fb5c5fc4f336794a92432831cd6334bae3849806b0e519a05595d8608bae310eec979bcc2d89b3c96d5b33eb5c84ad80d325fa7d427e137d4
data/README.md CHANGED
@@ -1,8 +1,7 @@
1
1
  [![Build Status](https://travis-ci.org/GeoffWilliams/yaml_recrypt.svg?branch=master)](https://travis-ci.org/GeoffWilliams/yaml_recrypt)
2
2
  # YamlRecrypt
3
3
 
4
- Handy small tool for parsing YAML files and finding the keys that are encrypted with GPG. These can then be decrypted and then rencrypted with eyaml before saving the file again. This can be useful if you have 300 or so GPG encrypted hiera values and you realise that Hiera-GPG is [EOLed](https://github.com/crayfishx/hiera-gpg) and may or may not work
5
-
4
+ Handy small tool for parsing YAML files and finding the keys that are currently encrypted with [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg/)(not to be confused with [hiera-gpg](https://github.com/crayfishx/hiera-gpg) which encrypts entire yaml fies). While `hiera-eyaml-gpg` is a cool idea, the complexities of GPG can negate some of its benefits in practice , so this tool was developed to allow conversion to regular eyaml.
6
5
 
7
6
  ## Installation
8
7
 
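Review bot: the rewritten description (hunk line 4) carries two typos, "entire yaml fies" for "entire yaml files" and a stray space in "in practice , so". It would also help to say what "regular eyaml" means here, namely hiera-eyaml's PKCS#7 mode, which the Usage section later relies on when it asks only for `public_key.pkcs7.pem`; stating that up front tells the reader why the eyaml private key never needs to leave the master.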
@@ -22,14 +21,49 @@ Or install it yourself as:
22
21
 
23
22
  ## Usage
24
23
 
25
- TODO: Write usage instructions here
26
-
27
- ## Development
28
-
29
- After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
30
-
31
- To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
32
-
33
- ## Contributing
34
-
35
- Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/yaml_recrypt.
24
+ ### Re-encrypting your hiera data
25
+ At present, `yaml_recrypt` only offers one mode of operation which is to recursively process files in the current directory, decrypting any `hiera-eyaml-gpg` data and then re-encrypting it with plain hiera-eyaml.
26
+
27
+ To do this, `yaml_recrypt` needs:
28
+ * Some data to decrypt
29
+ * Your GPG PKI (directory of gpg keychains, etc - usually at `~/.gpg`)
30
+ * Your hiera-eyaml public key (usually at `/etc/puppetlabs/puppet/keys`)
31
+
32
+ `yaml_recrypt` should not be run inside the `/etc/puppet*` directory to avoid the risk of updating files which are currently in use. Ideally, data should be copied off the puppet server for rencryption (eg a workstation - must be running Linux) as:
33
+ * This prevents altering the `gems` installed on the production master
34
+ * The conversion can be done in a safe and controlled environment
35
+ * Files can be easilty deleted afterwards
36
+
37
+ A conversion workflow should look something like this:
38
+ 1. Obtain the existing hiera data (tar + scp on master or git checkout if your using version control)
39
+ 2. Obtain GPG keychain from master (need the entire directory described in the `:gpg_gnupghome:` key in `hiera.yaml`)
40
+ 3. Obtain the hiera-eyaml public key from the (new?) master
41
+ 4. Run the conversion:
42
+ ```shell
43
+ yaml_recrypt convert --gpg-home gpghome/ --eyaml-pub-key keys/public_key.pkcs7.pem
44
+ ```
45
+ Worked example:
46
+ ```shell
47
+ cd /home/geoff/tmp/hieradata
48
+ yaml_recrypt convert --gpg-home /home/geoff/tmp/gpghome --eyaml-pub-key /home/geoff/tmp/keys/public_key.pkcs7.pem
49
+ ```
50
+ 5. Check results and commit changed data back to git
51
+ 6. When happy with conversion results, don't forget to remove the old GPG keychain files from your system - it's a security risk, to leave they lying around
52
+
53
+ ## Development and Contributing
54
+ There are a few additional things this codebase could be extended to cover if there's interest:
55
+ * hiera-gpg (whole file encrypted) to hiera-eyaml
56
+ * hiera-eyaml to hiera-eyaml-gpg
57
+ * hiera-eyaml to ...something else
58
+ * something else... to hiera-eyaml
59
+
60
+ Bug reports and pull requests are welcome on GitHub at https://github.com/GeoffWilliams/yaml_recrypt.
61
+
62
+ There are no plans to develop this software beyond its initial capabilities.
63
+
64
+ ## Acknowledgement
65
+ Contains adapted sourcecode from:
66
+ * [hiera-eyaml](https://github.com/voxpupuli/hiera-eyaml)
67
+ * [hiera-eyaml-gpg](https://github.com/sihil/hiera-eyaml-gpg/)
68
+
69
+ See the file `LICENCE` for licencing information (MIT)
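Review bot: the GnuPG home directory in the requirements list (hunk line 29) is `~/.gnupg` by default, not `~/.gpg`, and that bullet should say plainly that the directory contains the GPG private keys, because that is what makes step 6 necessary. The eyaml bullet (hunk line 30) would be clearer if it named the `hiera.yaml` setting the path comes from (`:pkcs7_public_key:`), in the same way step 2 points at `:gpg_gnupghome:`, and the Usage text should state explicitly that only the eyaml public key is required, so the eyaml private key stays on the master. Step 6 tells the user to delete the copied keychain but not how; on the Linux workstation the README already requires, `shred -u` on the copied files (and `rm -r` of the directory) is the concrete instruction. Spelling and grammar in the same hunk: "rencryption" (re-encryption), "easilty" (easily), "if your using" (if you're using), "to leave they lying around" (them), and no comma is needed in "it's a security risk, to leave".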
data/exe/yaml_recrypt CHANGED
@@ -3,7 +3,10 @@ require 'escort'
3
3
  require 'yaml_recrypt'
4
4
  require 'yaml_recrypt/version'
5
5
 
6
- #ARGV.unshift('convert')
6
+ # help message if nothing selected
7
+ if ARGV.size == 0
8
+ ARGV.unshift('help')
9
+ end
7
10
  Escort::App.create do |app|
8
11
  app.version YamlRecrypt::VERSION
9
12
  app.summary "yaml_recrypt"
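Review bot: `ARGV.size == 0` (hunk line 7) reads better as `ARGV.empty?`; otherwise injecting `help` when no subcommand is given is a sensible default, and dropping the commented-out `#ARGV.unshift('convert')` debug line is good cleanup.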
@@ -1,3 +1,3 @@
1
1
  module YamlRecrypt
2
- VERSION = "0.1.0"
2
+ VERSION = "0.1.1"
3
3
  end
data/lib/yaml_recrypt.rb CHANGED
@@ -10,17 +10,21 @@ require 'gpgme'
10
10
  require 'openssl'
11
11
 
12
12
  module YamlRecrypt
13
- GPG_MAGIC = "-----BEGIN PGP MESSAGE-----"
14
- BACKUP_EXT = "orig"
13
+ GPG_MAGIC = "-----BEGIN PGP MESSAGE-----"
14
+ BACKUP_EXT = "orig"
15
+ # match /etc/puppet and /etc/puppetlabs to protect all customers
16
+ REAL_PUPPET_DIR = "/etc/puppet"
15
17
 
16
18
  def self.recrypt_file(filename, gpg_home, eyaml_pub_key)
19
+ if filename.start_with? REAL_PUPPET_DIR
20
+ abort("Detected being run from the #{REAL_PUPPET_DIR}*! Refusing to run to avoid trashing live puppet master")
21
+ end
17
22
  Escort::Logger.output.puts "Processing #(unknown)"
18
23
 
19
24
  # load the yaml into a hash
20
25
  hash_wip = YAML.load(File.readlines(filename).join("\n"))
21
26
 
22
27
  # descend every key until a string (or terminal) is reached
23
- #converted =
24
28
  replaced, converted = descend(gpg_home, eyaml_pub_key, hash_wip)
25
29
 
26
30
  if replaced > 0
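Review bot: the `/etc/puppet` guard (hunk lines 19 to 21) tests the raw `filename` string, so it only fires when the caller hands in an absolute path; the tool is documented as recursively processing the current directory, so a relative name such as `hieradata/common.yaml` passes the check even when the working directory is under `/etc/puppetlabs`. Resolve the path first, for example `File.realpath(filename).start_with?(REAL_PUPPET_DIR)`, which also catches symlinks that point from a working copy back into the live tree. Because the check sits inside `recrypt_file`, by the time it trips some earlier files in the walk may already have been rewritten; running it once against `Dir.pwd` before the walk starts is safer. On the unchanged context line, `YAML.load(File.readlines(filename).join("\n"))` doubles every newline (`readlines` keeps them), and for `|`/`>` block scalars those extra blank lines end up in the decoded value that is then re-encrypted; `File.read(filename)` is the intended call, and `YAML.safe_load` is preferable to `YAML.load`, which instantiates arbitrary Ruby objects from tagged input, even for operator-controlled hieradata.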
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: yaml_recrypt
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Geoff Williams