Skip to content

Allow gpg renderer to render multiple ciphertexts in a single string #45781

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Feb 2, 2018
Merged

Allow gpg renderer to render multiple ciphertexts in a single string #45781

merged 3 commits into from
Feb 2, 2018

Conversation

ignatk
Copy link
Contributor

@ignatk ignatk commented Jan 30, 2018

What does this PR do?

This PR allows to encode more than one secret in a single pillar value. Moreover, it prevents gpg renderer stripping surrounding unencrypted text.

What issues does this PR fix or reference?

With current behaviour it is not possible to use gpg renderer in the middle of a renderer pipe-chain:

  • you either have to use it first (encrypting the whole file and chaining other renderers afterwards), but it is not very straightforward to modify the pillar structure as you have to decrypt the whole sls, do modifications and encrypt again
  • or use it last in the chain, but then you cannot have pillar values, which contain multiple secrets in a single value. Also, you can't have secrets mixed with plaintext data, because all plaintext data is stripped upon decryption
  • because of the above, you cannot have a renderer, which does additional processing of data chained after gpg renderer, for example:
#!pgp|xml

<foo>
  <bar>
    -----BEGIN PGP MESSAGE-----<super key here>-----END PGP MESSAGE-----
  </bar>
</foo>

Previous Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

foo:
  bar: |
    <decrypted password>

gpg will render only the first ciphertext and strip the rest of plaintext and the second ciphertext

New Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

  bar: |
    this is my complex pillar value
    it has a password:
    <decrypted password>
    and salt:
    <decrypted salt>

Tests written?

Yes

Commits signed with GPG?

No

@ignatk
Copy link
Contributor Author

ignatk commented Feb 2, 2018

rebased on latest develop

@rallytime rallytime merged commit e8ca974 into saltstack:develop Feb 2, 2018
@ignatk ignatk deleted the multisecret branch February 3, 2018 22:25
@DmitryKuzmenko DmitryKuzmenko mentioned this pull request Mar 13, 2018
Closed
@DmitryKuzmenko DmitryKuzmenko mentioned this pull request Mar 14, 2018
Merged
DmitryKuzmenko added a commit to DSRCorporation/salt that referenced this pull request Mar 25, 2018
@DmitryKuzmenko
Fixed GPG pillar decryption.
0f482b7 
1. Returned back the ability to decrypt raw encrypted data containing no
begin/end marks.
2. Remove trailing newlines if decrypted in a new 'multi' way
implemented in saltstack#45781
@max-arnold max-arnold mentioned this pull request Dec 11, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terminalmage terminalmage terminalmage approved these changes

@garethgreenaway garethgreenaway garethgreenaway approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ignatk @terminalmage @garethgreenaway @rallytime