
Allow gpg renderer to render multiple ciphertexts in a single string #45781

Merged: 3 commits merged into saltstack:develop from secumod:multisecret on Feb 2, 2018

@secumod (Contributor) commented Jan 30, 2018

What does this PR do?

This PR allows encoding more than one secret in a single pillar value. Moreover, it prevents the gpg renderer from stripping the surrounding unencrypted text.

What issues does this PR fix or reference?

With the current behaviour it is not possible to use the gpg renderer in the middle of a renderer pipe-chain:

  • you either have to use it first (encrypting the whole file and chaining other renderers afterwards), but then it is not very straightforward to modify the pillar structure, as you have to decrypt the whole sls, make the modifications and encrypt again;
  • or use it last in the chain, but then you cannot have pillar values which contain multiple secrets in a single value. Also, you can't have secrets mixed with plaintext data, because all plaintext data is stripped upon decryption;
  • because of the above, you cannot have a renderer which does additional processing of the data chained after the gpg renderer, for example:
#!pgp|xml

<foo>
  <bar>
    -----BEGIN PGP MESSAGE-----<super key here>-----END PGP MESSAGE-----
  </bar>
</foo>

Previous Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

foo:
  bar: |
    <decrypted password>

gpg will render only the first ciphertext and strip the rest of the plaintext and the second ciphertext.

New Behavior

pillar:

#!yaml|gpg

foo:
  bar: |
    this is my complex pillar value
    it has a password:
    -----BEGIN PGP MESSAGE-----<encrypted password>-----END PGP MESSAGE-----
    and salt:
    -----BEGIN PGP MESSAGE-----<encrypted salt>-----END PGP MESSAGE-----

will be rendered as

  bar: |
    this is my complex pillar value
    it has a password:
    <decrypted password>
    and salt:
    <decrypted salt>

Tests written?

Yes

Commits signed with GPG?

No
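An added example (not Salt's own renderer code) of the two behaviours the description above contrasts: the old path decrypts only the first armored block and discards the rest of the value, the new path substitutes every block in place and keeps the surrounding plaintext. The gpg call is replaced by a constructed lookup table, `fake_decrypt`, so it runs offline; the raw-data fallback and the trailing-newline stripping mirror the follow-up commit referenced on this page.

```python
import re
# One ASCII-armored PGP message; non-greedy + DOTALL so each message in a
# string is matched on its own, the same shape of pattern the PR relies on.
GPG_CIPHERTEXT = re.compile(
    r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.DOTALL
)

# Constructed stand-in for calling gpg: ciphertext -> plaintext (gpg output
# normally ends with a newline, so the sample plaintexts do too).
FAKE_KEYRING = {
    "-----BEGIN PGP MESSAGE-----\nAAA\n-----END PGP MESSAGE-----": "hunter2\n",
    "-----BEGIN PGP MESSAGE-----\nBBB\n-----END PGP MESSAGE-----": "s4lt\n",
    "rawcipher": "raw-secret\n",  # unarmored data with no begin/end marks
}

def fake_decrypt(ciphertext):
    if ciphertext not in FAKE_KEYRING:
        raise ValueError("decryption failed")  # like a failed gpg run
    return FAKE_KEYRING[ciphertext]

def decrypt_first_only(text, decrypt):
    """Previous behaviour: first armored block only, everything else dropped."""
    match = GPG_CIPHERTEXT.search(text)
    return text if match is None else decrypt(match.group(0))

def decrypt_multi(text, decrypt):
    """New behaviour: every armored block is replaced in place, surrounding text
    is kept. No markers: the whole value is treated as raw ciphertext and left
    unchanged if that fails. A block that fails to decrypt stays visible."""
    if GPG_CIPHERTEXT.search(text) is None:
        try:
            return decrypt(text)
        except ValueError:
            return text

    def _replace(match):
        try:
            # trailing newline dropped so the secret sits inline in the value
            return decrypt(match.group(0)).rstrip("\n")
        except ValueError:
            return match.group(0)

    return GPG_CIPHERTEXT.sub(_replace, text)

# Constructed sample shaped like the PR's foo:bar pillar value.
PILLAR_VALUE = (
    "this is my complex pillar value\nit has a password:\n"
    "-----BEGIN PGP MESSAGE-----\nAAA\n-----END PGP MESSAGE-----\n"
    "and salt:\n-----BEGIN PGP MESSAGE-----\nBBB\n-----END PGP MESSAGE-----\n"
)
```

Leaving an undecryptable block in place rather than dropping it is a deliberate choice here: a secret that silently disappears from a rendered pillar is harder to notice than one that stays armored.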

@secumod (Contributor, Author) commented Feb 2, 2018

Rebased on latest develop.

@rallytime rallytime merged commit e8ca974 into saltstack:develop Feb 2, 2018

4 of 10 checks passed:

  • default — Build finished.
  • jenkins/PR/salt-pr-docs-n (Pull Requests » Salt PR - Docs #14365) — FAILURE
  • jenkins/PR/salt-pr-linode-cent7-py3 (Pull Requests » Salt PR - Linode CentOS 7 - PY3 #1978) — FAILURE
  • jenkins/PR/salt-pr-linode-ubuntu14-n (Pull Requests » Salt PR - Linode Ubuntu14.04 #19579) — FAILURE
  • jenkins/PR/salt-pr-linode-ubuntu16-py3 (Pull Requests » Salt PR - Linode Ubuntu16.04 - PY3 #6532) — FAILURE
  • jenkins/PR/salt-pr-rs-cent7-n (Pull Requests » Salt PR - RS CentOS 7 #16017) — FAILURE
  • WIP — ready for review
  • codeclimate — All good!
  • jenkins/PR/salt-pr-clone (Pull Requests » Salt PR - Clone #21997) — SUCCESS
  • jenkins/PR/salt-pr-lint-n (Pull Requests » Salt PR - Code Lint #18972) — SUCCESS

@secumod secumod deleted the secumod:multisecret branch Feb 3, 2018

DmitryKuzmenko added a commit to DSRCorporation/salt that referenced this pull request Mar 14, 2018

Fixed GPG pillar decryption.
1. Returned back the ability to decrypt raw encrypted data containing no
begin/end marks.
2. Remove trailing newlines if decrypted in a new 'multi' way
implemented in saltstack#45781

DmitryKuzmenko added a commit to DSRCorporation/salt that referenced this pull request Mar 25, 2018

Fixed GPG pillar decryption.
1. Returned back the ability to decrypt raw encrypted data containing no
begin/end marks.
2. Remove trailing newlines if decrypted in a new 'multi' way
implemented in saltstack#45781