first pass at simple encryption #17

Status: Open
wants to merge 3 commits into base: master from
+35 −0
@@ -99,6 +99,26 @@ datacat_fragment { 'open ssh':
}
```
Optional: in-catalog encryption
---------------------
If you have the [`binford2k/node_encrypt`](https://forge.puppetlabs.com/binford2k/node_encrypt)
module installed, then you can transparently encrypt any data element using the
`node_encrypt()` function. **Remember to set `show_diff => false` to keep the
secrets from appearing in your reports!**
```Puppet
datacat { '/tmp/test':
template_body => "Decrypted value: <%= @data["value"] %>",
show_diff => false,
}
datacat_fragment { 'encryption test':
target => '/tmp/test',
data => {
value => node_encrypt('This string will not be included in the catalog.'),
},
}
```
Caveats
-------
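Review bot: the new section leaves two things undocumented that anyone relying on it needs to know. First, "transparently" only holds when node_encrypt can be loaded on the agent: the provider wraps the `require` in a `rescue LoadError` and guards decryption with `if defined?(Puppet_X::Binford2k::NodeEncrypt)`, so on an agent without the module the `-----BEGIN PKCS7-----` blob is written into `/tmp/test` verbatim with no error; say "installed on the agent", not just "installed". Second, `show_diff => false` only keeps the plaintext out of the agent report; the template writes `Decrypted value: <%= @data["value"] %>` into the target file in the clear, so the caveat should say the file itself still holds the secret. One sentence for each would do.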
@@ -9,6 +9,16 @@ def exists?
r.is_a?(Puppet::Type.type(:datacat_fragment)) && ((our_names & [ r[:target] ].flatten).size > 0)
end
# decrypt any encrypted fragments
if defined?(Puppet_X::Binford2k::NodeEncrypt)
fragments.each do |fragment|
fragment[:data].each do |key,value|
next unless Puppet_X::Binford2k::NodeEncrypt.encrypted?(value)

richardc (Owner) commented on Jan 4, 2016:

I'm not keen on this particular check as it smells like it's checking for a magic number, and it also seems too soft. I think I'd sooner have an additional explicit flag on the fragment, something more like:

```ruby
fragments.each do |fragment|
  if fragment[:encrypted]
    fragment[:data].each do |key,value|
      fragment[:data][key] = Puppet_X::Binford2k::NodeEncrypt.decrypt(value)
    end
  end
end
```

Then it's less automagic and more explicit.

binford2k commented on Jan 6, 2016:

It's checking for the guard string `-----BEGIN PKCS7-----`. I can't figure a more robust way to do this transparently to the end-user. I'd totally be happy if you found a good way to do this.

I suppose you could require an additional `encrypted => true` parameter to be set, but that might make it awkward because all values or no values would be marked as encrypted.

binford2k commented on Jan 6, 2016:

Maybe we could do both approaches, flag the fragment with a parameter, then iterate each value like I'm currently doing. Thoughts?

richardc (Owner) commented on Feb 24, 2016:

That's what my code fragment was meant to be showing, unless you mean it could optimistically check if the value looks encrypted so a warning can be issued if it wasn't flagged as being encrypted? More like:

```ruby
fragments.each do |fragment|
  fragment[:data].each do |key,value|
    if Puppet_X::Binford2k::NodeEncrypt.encrypted?(value)
      if fragment[:encrypted]
        fragment[:data][key] = Puppet_X::Binford2k::NodeEncrypt.decrypt(value)
      else
        warn "Fragment looked encrypted but wasn't flagged as being encrypted"
      end
    end
  end
end
```

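The hybrid the thread converges on (binford2k's guard-string check plus richardc's explicit `encrypted` flag, with a warning for unflagged look-alikes) is shown end to end below as an added example. It is not code from this pull request, from richardc/puppet-datacat or from binford2k/node_encrypt: `FakeNodeEncrypt` is a stand-in for `Puppet_X::Binford2k::NodeEncrypt` built directly on Ruby's `OpenSSL::PKCS7` (the real module's API is not reproduced), and `make_identity`, `decrypt_fragments` and `demo` are names chosen here. What it adds to the discussion is the failure branch: the same blob decrypted with a second node's key raises, and the error is re-raised with the fragment title and key in it, which neither sketch above does.

```ruby
require 'openssl'

# Added example, not code from richardc/puppet-datacat or binford2k/node_encrypt.
# FakeNodeEncrypt stands in for Puppet_X::Binford2k::NodeEncrypt; the PEM armor
# and the guard line are the real OpenSSL ones, which is what the encrypted?
# check in the PR keys on.

GUARD = '-----BEGIN PKCS7-----'.freeze

# Throwaway key and self-signed cert, playing the part of an agent certificate.
def make_identity(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { key: key, cert: cert }
end

module FakeNodeEncrypt
  # PKCS7 enveloped data, PEM-armored: the output starts with the GUARD line.
  def self.encrypt(plaintext, cert)
    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_pem
  end

  # The "magic number" check from the thread: only strings carrying the PEM
  # guard are treated as ciphertext; every other value passes through untouched.
  def self.encrypted?(value)
    value.is_a?(String) && value.start_with?(GUARD)
  end

  # Raises OpenSSL::PKCS7::PKCS7Error when no recipient matches key/cert.
  def self.decrypt(pem, key, cert)
    OpenSSL::PKCS7.new(pem).decrypt(key, cert)
  end
end

# Merged approach: the fragment's explicit encrypted flag decides whether to
# decrypt; a value that merely looks encrypted on an unflagged fragment is left
# alone and reported; a decrypt failure names the fragment and key (a provider
# would raise Puppet::Error here instead of ArgumentError).
def decrypt_fragments(fragments, key, cert, warnings)
  fragments.each do |fragment|
    fragment[:data].each do |k, value|
      next unless FakeNodeEncrypt.encrypted?(value)
      unless fragment[:encrypted]
        warnings << "datacat_fragment[#{fragment[:title]}]: #{k.inspect} looks encrypted but encrypted => true is not set"
        next
      end
      begin
        # Reassigning an existing key while iterating a Hash is allowed in Ruby.
        fragment[:data][k] = FakeNodeEncrypt.decrypt(value, key, cert)
      rescue OpenSSL::PKCS7::PKCS7Error => e
        raise ArgumentError, "datacat_fragment[#{fragment[:title]}]: cannot decrypt #{k.inspect} for this node: #{e.message}"
      end
    end
  end
  fragments
end

# Constructed scenario: two agent identities, one flagged and one unflagged fragment.
def demo
  node   = make_identity('node1.example.com')
  other  = make_identity('node2.example.com')
  secret = 'This string will not be included in the catalog.'
  blob   = FakeNodeEncrypt.encrypt(secret, node[:cert])

  fragments = [
    { title: 'encryption test', encrypted: true,
      data: { 'value' => blob, 'plain' => 'left as is', 'port' => 22 } },
    { title: 'unflagged', encrypted: false, data: { 'value' => blob } }
  ]
  warnings = []
  decrypt_fragments(fragments, node[:key], node[:cert], warnings)

  # Same blob, but the other node's key: must fail with an attributable error.
  wrong_key_error = begin
    decrypt_fragments([{ title: 'wrong node', encrypted: true, data: { 'value' => blob } }],
                      other[:key], other[:cert], [])
    nil
  rescue ArgumentError => e
    e.message
  end

  { fragments: fragments, warnings: warnings, wrong_key_error: wrong_key_error, secret: secret }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts r[:fragments].first[:data]['value']
  r[:warnings].each { |w| puts "warning: #{w}" }
  puts "wrong key: #{r[:wrong_key_error]}"
end
```

Run it with `ruby` to see the decrypted value, the single warning for the unflagged fragment, and the wrong-key error. Because the guard check is a plain `start_with?`, a string that begins with the PEM line but is not valid PKCS7 is caught by the rescue and reported rather than silently passed through as plaintext.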
fragment[:data][key] = Puppet_X::Binford2k::NodeEncrypt.decrypt(value)
end
end
end
# order fragments on their :order property
fragments = fragments.sort { |a,b| a[:order] <=> b[:order] }
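Review bot: the `decrypt(value)` call at the end of this block is unguarded, so a value that carries the PKCS7 guard but was not encrypted for this node (or is corrupt) raises from inside `exists?` with an error that says nothing about which fragment or key was involved. Rescue around the assignment and re-raise as a Puppet::Error that includes the fragment title and the data key. Separately, since detection is by guard string alone (see the discussion above), any value that merely starts with `-----BEGIN PKCS7-----` is decrypted, or fails, with no say from the user; an explicit `encrypted` parameter on the fragment as suggested above, with this check retained as a warning for unflagged look-alikes, would make the behaviour explicit.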
@@ -1,3 +1,8 @@
begin
require 'puppet_x/binford2k/node_encrypt'
rescue LoadError
end
module Puppet_X
module Richardc
class Datacat
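Review bot: the empty `rescue LoadError` turns a missing node_encrypt on the agent into a silent no-op: the provider then skips decryption (its `if defined?(Puppet_X::Binford2k::NodeEncrypt)` guard is false) and writes ciphertext into the managed file with nothing in the log. Log the fallback in the rescue, e.g. `Puppet.debug 'node_encrypt not available; datacat will not decrypt fragments'`, and record the soft dependency in the README so the failure mode is discoverable.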