Skip to content

/salt

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow gpg renderer to render multiple ciphertexts in a single string #45781

Merged
merged 3 commits into from Feb 2, 2018
+26 −13

Conversation

Reviewers

@terminalmage terminalmage

@garethgreenaway garethgreenaway

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
4 participants
@secumod @terminalmage @garethgreenaway @rallytime
@secumod
Copy link
Contributor

commented Jan 30, 2018

What does this PR do?

This PR allows to encode more than one secret in a single pillar value. Moreover, it prevents gpg renderer stripping surrounding unencrypted text.

What issues does this PR fix or reference?

With current behaviour it is not possible to use gpg renderer in the middle of a renderer pipe-chain:

  • you either have to use it first (encrypting the whole file and chaining other renderers afterwards), but it is not very straightforward to modify the pillar structure as you have to decrypt the whole sls, do modifications and encrypt again
  • or use it last in the chain, but then you cannot have pillar values, which contain multiple secrets in a single value. Also, you can't have secrets mixed with plaintext data, because all plaintext data is stripped upon decryption
  • because of the above, you cannot have a renderer, which does additional processing of data chained after gpg renderer, for example:
#!pgp|xml

<foo>
  <bar>
    -----BEGIN PGP MESSAGE-----<super key here>-----END PGP MESSAGE-----
  </bar>
</foo>

Previous Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

foo:
  bar: |
    <decrypted password>

gpg will render only the first ciphertext and strip the rest of plaintext and the second ciphertext

New Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

  bar: |
    this is my complex pillar value
    it has a password:
    <decrypted password>
    and salt:
    <decrypted salt>

Tests written?

Yes

Commits signed with GPG?

No

@rallytime rallytime requested review from terminalmage and garethgreenaway Jan 31, 2018

@garethgreenaway

garethgreenaway approved these changes Feb 1, 2018
View changes

@terminalmage

terminalmage approved these changes Feb 2, 2018
View changes

@secumod
Merge branch 'develop' into multisecret
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
0561507
@secumod

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

commented Feb 2, 2018

rebased on latest develop

@rallytime rallytime merged commit e8ca974 into saltstack:develop Feb 2, 2018
4 of 10 checks passed

4 of 10 checks passed

default Build finished.
Details
jenkins/PR/salt-pr-docs-n Pull Requests » Salt PR - Docs #14365 — FAILURE
Details
jenkins/PR/salt-pr-linode-cent7-py3 Pull Requests » Salt PR - Linode CentOS 7 - PY3 #1978 — FAILURE
Details
jenkins/PR/salt-pr-linode-ubuntu14-n Pull Requests » Salt PR - Linode Ubuntu14.04 #19579 — FAILURE
Details
jenkins/PR/salt-pr-linode-ubuntu16-py3 Pull Requests » Salt PR - Linode Ubuntu16.04 - PY3 #6532 — FAILURE
Details
jenkins/PR/salt-pr-rs-cent7-n Pull Requests » Salt PR - RS CentOS 7 #16017 — FAILURE
Details
WIP ready for review
Details
codeclimate All good!
Details
jenkins/PR/salt-pr-clone Pull Requests » Salt PR - Clone #21997 — SUCCESS
Details
jenkins/PR/salt-pr-lint-n Pull Requests » Salt PR - Code Lint #18972 — SUCCESS
Details

@secumod secumod deleted the secumod:multisecret branch Feb 3, 2018

@DmitryKuzmenko DmitryKuzmenko referenced this pull request Mar 13, 2018

Closed

[develop] 4 minion pillar tests failing #828

DmitryKuzmenko added a commit to DSRCorporation/salt that referenced this pull request Mar 14, 2018

@DmitryKuzmenko
Fixed GPG pillar decryption. 
1. Returned back the ability to decrypt raw encrypted data containing no
begin/end marks.
2. Remove trailing newlines if decrypted in a new 'multi' way
implemented in saltstack#45781
Verified
This commit was signed with a verified signature.
@DmitryKuzmenko DmitryKuzmenko Dmitry Kuzmenko
GPG key ID: 4C7CAD30C95651DA Learn about signing commits
6f49cc9

@DmitryKuzmenko DmitryKuzmenko referenced this pull request Mar 14, 2018

Merged

Fixed GPG pillar decryption. #46542

DmitryKuzmenko added a commit to DSRCorporation/salt that referenced this pull request Mar 25, 2018

@DmitryKuzmenko
Fixed GPG pillar decryption. 
1. Returned back the ability to decrypt raw encrypted data containing no
begin/end marks.
2. Remove trailing newlines if decrypted in a new 'multi' way
implemented in saltstack#45781
Verified
This commit was signed with a verified signature.
@DmitryKuzmenko DmitryKuzmenko Dmitry Kuzmenko
GPG key ID: 4C7CAD30C95651DA Learn about signing commits
0f482b7

@max-arnold max-arnold referenced this pull request Dec 11, 2018

Closed

Warnings from salt.pillar.gpg in Fluorine #50809

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.