Skip to content

/ salt Public

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow gpg renderer to render multiple ciphertexts in a single string #45781

Merged
merged 3 commits into from Feb 2, 2018
Merged

Allow gpg renderer to render multiple ciphertexts in a single string #45781

merged 3 commits into from Feb 2, 2018

Conversation

@ignatk
Copy link
Contributor

@ignatk ignatk commented Jan 30, 2018

What does this PR do?

This PR allows to encode more than one secret in a single pillar value. Moreover, it prevents gpg renderer stripping surrounding unencrypted text.

What issues does this PR fix or reference?

With current behaviour it is not possible to use gpg renderer in the middle of a renderer pipe-chain:

  • you either have to use it first (encrypting the whole file and chaining other renderers afterwards), but it is not very straightforward to modify the pillar structure as you have to decrypt the whole sls, do modifications and encrypt again
  • or use it last in the chain, but then you cannot have pillar values, which contain multiple secrets in a single value. Also, you can't have secrets mixed with plaintext data, because all plaintext data is stripped upon decryption
  • because of the above, you cannot have a renderer, which does additional processing of data chained after gpg renderer, for example:
#!pgp|xml

<foo>
  <bar>
    -----BEGIN PGP MESSAGE-----<super key here>-----END PGP MESSAGE-----
  </bar>
</foo>

Previous Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

foo:
  bar: |
    <decrypted password>

gpg will render only the first ciphertext and strip the rest of plaintext and the second ciphertext

New Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

  bar: |
    this is my complex pillar value
    it has a password:
    <decrypted password>
    and salt:
    <decrypted salt>

Tests written?

Yes

Commits signed with GPG?

No
ignatk added 2 commits Jan 30, 2018
@ignatk
Allow gpg renderer to render multiple ciphertexts in a single string
18c4229
@ignatk
Add multisecret string tests to gpg renderer unit test
231853a
@ignatk
Merge branch 'develop' into multisecret
0561507
@ignatk
Copy link
Contributor Author

@ignatk ignatk commented Feb 2, 2018

rebased on latest develop

@rallytime rallytime merged commit e8ca974 into saltstack:develop Feb 2, 2018
4 of 10 checks passed
4 of 10 checks passed
default Build finished.
Details
jenkins/PR/salt-pr-docs-n Pull Requests » Salt PR - Docs #14365 — FAILURE
Details
jenkins/PR/salt-pr-linode-cent7-py3 Pull Requests » Salt PR - Linode CentOS 7 - PY3 #1978 — FAILURE
Details
jenkins/PR/salt-pr-linode-ubuntu14-n Pull Requests » Salt PR - Linode Ubuntu14.04 #19579 — FAILURE
Details
jenkins/PR/salt-pr-linode-ubuntu16-py3 Pull Requests » Salt PR - Linode Ubuntu16.04 - PY3 #6532 — FAILURE
Details
jenkins/PR/salt-pr-rs-cent7-n Pull Requests » Salt PR - RS CentOS 7 #16017 — FAILURE
Details
@wip[bot]
WIP ready for review
Details
codeclimate All good!
Details
jenkins/PR/salt-pr-clone Pull Requests » Salt PR - Clone #21997 — SUCCESS
Details
jenkins/PR/salt-pr-lint-n Pull Requests » Salt PR - Code Lint #18972 — SUCCESS
Details
@ignatk ignatk deleted the multisecret branch Feb 3, 2018
@DmitryKuzmenko DmitryKuzmenko mentioned this pull request Mar 13, 2018
Closed
DmitryKuzmenko added a commit to DSRCorporation/salt that referenced this issue Mar 14, 2018
@DmitryKuzmenko
Fixed GPG pillar decryption.
6f49cc9 
1. Returned back the ability to decrypt raw encrypted data containing no
begin/end marks.
2. Remove trailing newlines if decrypted in a new 'multi' way
implemented in saltstack#45781
@DmitryKuzmenko DmitryKuzmenko mentioned this pull request Mar 14, 2018
Merged
DmitryKuzmenko added a commit to DSRCorporation/salt that referenced this issue Mar 25, 2018
@DmitryKuzmenko
Fixed GPG pillar decryption.
0f482b7 
1. Returned back the ability to decrypt raw encrypted data containing no
begin/end marks.
2. Remove trailing newlines if decrypted in a new 'multi' way
implemented in saltstack#45781
@max-arnold max-arnold mentioned this pull request Dec 11, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terminalmage terminalmage

@garethgreenaway garethgreenaway

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants
@ignatk @terminalmage @garethgreenaway @rallytime