Eyaml support #83

Open
wants to merge 2 commits into
base: master
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
## 3.5.0

* Enhancement: Backend now utilizes [hiera-eyaml](https://github.com/voxpupuli/hiera-eyaml) to decrypt data.

## 3.4.0

* Enhancement: Backend now utilizes Hiera's context.interpolate function to add interpolation of values in results.
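Review bot: The 3.5.0 entry reads as if every lookup is now decrypted, while the README change in this PR documents `eyaml:` as defaulting to false. Suggest wording it as optional decryption of returned values enabled through the `eyaml` and `eyaml_options` options, and noting that the hiera-eyaml gem has to be installed.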
1 change: 1 addition & 0 deletions Gemfile
@@ -1,3 +1,4 @@
source 'https://rubygems.org'
gem 'rspec'
gem 'hiera-eyaml'
gem 'lookup_http'
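Review bot: `gem 'hiera-eyaml'` is added without a version constraint, yet the new code in lib/puppet/functions/hiera_http.rb calls into the gem's internals (`Hiera::Backend::Eyaml::Options.set` and `Parser::ParserFactory.hiera_backend_parser`). Pin it to the range this was tested against so the specs run on a known version and an upgrade is a deliberate change.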
27 changes: 27 additions & 0 deletions README.md
Expand Up @@ -106,6 +106,33 @@ The following are optional configuration parameters supported in the `options` h

`headers:`: Hash of headers to send in the request

#### eyaml support

`eyaml:`: When set to true, enable eyaml support (default: false)

`eyaml_options`: Specify a eyaml options

```yaml
---

version: 5

hierarchy:
- name: "Hiera-HTTP lookup"
lookup_key: hiera_http
uris:
- http://localhost:5984/host/%{trusted.certname}
- http://localhost:5984/dc/%{facts.location}
- http://localhost:5984/role/%{facts.role}
options:
output: json
ignore_404: true
eyaml: true
eyaml_options:
pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
```

### Interpolating special tags

Previous versions of this backed allowed the use of variables such as `%{key}` and `%{calling_module}` to be used in the URL, this has changed with Hiera 5. To allow for similar behaviour you can use a number of tags surrounded by `__` to interpolate special variables derived from the key into the `uri` or `uris` option in hiera.yaml. Currently you can interpolate `__KEY__`, `__MODULE__`, `__CLASS__` and `__PARAMETER__`, these tags are derived from parsing the original lookup key.
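Review bot: The `eyaml_options` entry ("Specify a eyaml options") does not say what goes in the hash. Please list the keys the example relies on (`pkcs7_private_key`, `pkcs7_public_key`), state that the hash is handed as-is to hiera-eyaml, and mention that the hiera-eyaml gem must be installed wherever lookups run. The entry is also missing the trailing colon used by `eyaml:` and `headers:` just above it.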
40 changes: 39 additions & 1 deletion lib/puppet/functions/hiera_http.rb
Expand Up @@ -6,6 +6,14 @@
rescue LoadError => e
raise Puppet::DataBinding::LookupError, "Must install lookup_http gem to use hiera-http"
end
begin
require 'hiera/backend/eyaml/encryptor'
require 'hiera/backend/eyaml/utils'
require 'hiera/backend/eyaml/options'
require 'hiera/backend/eyaml/parser/parser'
rescue LoadError => e
raise Puppet::DataBinding::LookupError, "Must install hiera-eyaml gem to use hiera-http"
end
require 'uri'

dispatch :lookup_key do
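Review bot: The new `require 'hiera/backend/eyaml/...'` block raises `Puppet::DataBinding::LookupError` at load time whenever the gem is missing, which makes hiera-eyaml mandatory even for users who leave `eyaml` at its documented default of false. Consider rescuing the `LoadError` into a flag here and raising only from `lookup_key` when `options['eyaml']` is set. The message "Must install hiera-eyaml gem to use hiera-http" would then also be accurate, since the gem is only needed for the eyaml feature.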
Expand Down Expand Up @@ -35,11 +43,39 @@ def lookup_key(key, options, context)
context.not_found
return nil
else
return context.interpolate(answer)
result = context.interpolate(answer)
if options['eyaml']
result = decrypt(result, key, options)
end
return result
end

end

def decrypt(result, key, options)
if result.is_a?(Hash)
result.each do |k, v|
result[k] = decrypt(v, "#{key}/#{k}", options)
end
elsif result.is_a?(Array)
result.each_with_index do |v, i|
result[i] = decrypt(v, "#{key}[#{i}]", options)
end
elsif result.is_a?(String)
if /.*ENC\[.*\]/ =~ result
Hiera::Backend::Eyaml::Options.set(options['eyaml_options'])
begin
tokens = Hiera::Backend::Eyaml::Parser::ParserFactory.hiera_backend_parser.parse(result)
result = tokens.map(&:to_plain_text).join.chomp
rescue StandardError => ex
raise Puppet::DataBinding::LookupError,
_("hiera-eyaml backend error decrypting %{data} when looking up %{key} in %{path}. Error was %{message}") % { data: result, key: key, path: options['path'], message: ex.message }
end
end
end
return result
end

def return_answer(result, key, options)

# dig defaults to true, dig_key defaults to the value of the
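Review bot: In `decrypt`, `Hiera::Backend::Eyaml::Options.set(options['eyaml_options'])` sits outside the `begin`/`rescue` and receives nil when `eyaml: true` is configured without `eyaml_options`, so a failure there escapes as a raw exception instead of the `LookupError` built a few lines below. Move the call inside the `begin` block, or pass `options['eyaml_options'] || {}`. The error message also fills `%{path}` from `options['path']`, which is not an option this backend documents (the README example uses `uris`), so that part of the message will probably be empty; reporting the URI would be more useful. None of the files touched in this PR is a spec, so a test covering encrypted values nested in a Hash and an Array would be worth adding.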
Expand Down Expand Up @@ -147,6 +183,8 @@ def lookup_supported_params
:use_auth,
:auth_user,
:auth_pass,
:eyaml,
:eyaml_options
]
end
end
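Review bot: `:eyaml` and `:eyaml_options` are added to `lookup_supported_params` next to `:use_auth`, `:auth_user` and `:auth_pass`, but the only consumer in this PR is `decrypt` in this same file, which reads both straight from `options`. If this list is what gets passed on to the HTTP client, the private key path has no reason to travel there; leave the two entries out, or add a comment explaining why they are needed.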
2 changes: 1 addition & 1 deletion metadata.json
@@ -1,6 +1,6 @@
{
"name": "crayfishx-hiera_http",
"version": "3.4.0",
"version": "3.5.0",
"author": "Craig Dunn",
"summary": "Hiera 5 backend to query data lookups over HTTP",
"license": "Apache 2.0",