support multiple encoded blocks #127

Open
wants to merge 2 commits into
base: master

wershlak

With KMS you have to split materials you wish to encode into 4096 blocks.
hiera-eyaml supports this but puppet-syntax thinks it's a problem.

$ eyaml encrypt -s 'hello '
Ignoring nio4r-2.5.4 because its extensions are not built.  Try: gem pristine nio4r --version 2.5.4
string: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAkSEgwSCvKHy2fDezZgywZVn4ysNkCnQddnbIBf207lzIpZ5QmDW1BYwFR5VrM7YcEgAcFW8QdmWJSdu9u9X2RMmRK5yv0YCWZXb4j1HqH8WqKHQGrvmDcoLhFQfuXr+NnTFkYab8ZXsW0YNtOqWKBQOI9xgjuwaQ/IvV9EcukhBlrXfAF/w3REA9NhMfwsRHKG/2voBcgogOLKOBC04J99xRg1gCcQxuIGpcM5YJ2rVySGiXRiM/TQl2Rct+Qm0XsZwP26V8XKPVgwQfkPkmaTcczujTW6DOnkIfH1bIh/YF+MYpsiD77UGTJIN/PoSyGtUtMC/I007ViWZZUHb+xzA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBImQOqKmc2Z/gRoWGRUQydgBD3Az8yo5t02FK7gcvZ6wya]

$ eyaml encrypt -s 'world'
Ignoring nio4r-2.5.4 because its extensions are not built.  Try: gem pristine nio4r --version 2.5.4
string: ENC[PKCS7,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]

$ eyaml decrypt -s ENC[PKCS7,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]ENC[PKCS7,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]
Ignoring nio4r-2.5.4 because its extensions are not built.  Try: gem pristine nio4r --version 2.5.4
hello world

I've changed the behavior of the check_eyaml_blob code and added some tests.

@bastelfreak bastelfreak added the enhancement New feature or request label Nov 1, 2020
Member

@ekohl ekohl left a comment

The only thing I wonder about is garbage. It will silently ignore parts in strings like blaENC[...].

method = 'PKCS7'
end

encodes = val.scan(/ENC\[.*?\]/)
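
Review bot: `val.scan(/ENC\[.*?\]/)` keeps only the substrings that match, so a prefix such as `bla`, text between two blocks, or a trailing unterminated `ENC[...` is dropped without any error, and `encodes` is empty when no block is complete. Before validating each element, compare the matches joined together against `val` and report a mismatch or an empty result as an error. The lazy `.*?` is what stops each match at the first `]`, so keep it.
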
Member

Why .*? as a regex? The ? doesn't make sense to me. Also wondering why you don't drop the ENC part via groups:

[1] pry(main)> 'ENC[PKCS7,aGVsbG8sf&IHdvcmxk==]'.scan(/ENC\[(.+)\]/)
=> [["PKCS7,aGVsbG8sf&IHdvcmxk=="]]

Suggested change
encodes = val.scan(/ENC\[.*?\]/)
encodes = val.scan(/ENC\[(.*)\]/)
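
Review bot: the greedy `(.*)` in the suggested line runs to the last `]` in the value, so two concatenated blocks come back as a single capture with `]ENC[` inside it, which defeats the purpose of this PR. Keep a lazy quantifier or use `[^\]]*` inside the group.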

You can even already do the splitting here:

Suggested change
encodes = val.scan(/ENC\[.*?\]/)
encodes = val.scan(/ENC\[([^,]+),?(.+)?\]/)
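
Review bot: in the suggested pattern both fields can cross a block boundary: `[^,]+` accepts `]`, so a block without a comma followed by another block is read as one method name, and the greedy `(.+)` runs to the last `]`. Excluding `]` from both classes, `[^,\]]+` and `[^\]]+`, keeps each match inside one block.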

Note I made the last part optional so you can still detect an invalid format.

Author

https://github.com/voxpupuli/hiera-eyaml/blob/master/lib/hiera/backend/eyaml_backend.rb#L101-L103

The ? didn't really make sense to me either but it seemed appropriate since that's what hiera-eyaml uses.

Member

Good point. Looks like it was introduced in voxpupuli/hiera-eyaml@169ae64 where it previously was value.start_with?('ENC[').

Author

I'm all for improving it, and my preference would be to do a scan once, but I didn't find something that works.

encodes = val.scan(/ENC\[([^,]+),?(.+)?\]/)

This fails the tests. Take the example ENC[KMS,aGVsbG8sIdGHdvcmxk==]ENC[KMS,aGVsbG8sIdGHdvcmxk==]

Gives us these match groups.

1. KMS
2. aGVsbG8sIdGHdvcmxk==]ENC[KMS,aGVsbG8sIdGHdvcmxk==

Member

This works for me:

data = 'ENC[KMS,aGVsbG8sIdGHdvcmxk==]ENC[KMS,aGVsbG8sIdGHdvcmxk==]'
data.scan(/ENC\[([^,]+),?([^\]]+)?\]/)

Returns [["KMS", "aGVsbG8sIdGHdvcmxk=="], ["KMS", "aGVsbG8sIdGHdvcmxk=="]]
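
The patterns discussed in this thread, run side by side over concatenated blocks, together with a check that reports the text `scan` skips. This is an added example, not code from puppet-syntax or hiera-eyaml; `check_eyaml_blocks`, the method list, the PKCS7 default for a single-field block and the sample values are assumptions made for illustration.

```ruby
# Added example; not code from puppet-syntax or hiera-eyaml. All names are hypothetical.
GREEDY = /ENC\[(.*)\]/                  # runs from the first ENC[ to the last ]
LAZY   = /ENC\[.*?\]/                   # stops at the first ] after each ENC[
# Captures method and payload; ] is excluded from both fields so that a block
# without a comma cannot swallow the block that follows it.
SPLIT  = /ENC\[([^,\]]+),?([^\]]+)?\]/

KNOWN_METHODS = %w[PKCS7 KMS].freeze    # assumed subset, taken from the thread
BASE64 = %r{\A[A-Za-z0-9+/]+={0,2}\z}

# Returns a list of error strings; empty means the whole value is valid blocks.
def check_eyaml_blocks(val)
  compact = val.gsub(/\s+/, '')         # folded YAML scalars may contain whitespace
  blocks = compact.scan(SPLIT)
  return ['has no complete ENC[...] block'] if blocks.empty?

  errors = []
  leftover = compact.gsub(SPLIT, '')    # everything scan silently skipped
  errors << "has text outside ENC[...] blocks: #{leftover.inspect}" unless leftover.empty?

  blocks.each_with_index do |(meth, payload), i|
    # Assumption: a single field is the payload and the method defaults to PKCS7.
    meth, payload = 'PKCS7', meth if payload.nil?
    errors << "block #{i}: unknown method #{meth}" unless KNOWN_METHODS.include?(meth)
    errors << "block #{i}: unpadded or truncated base64" unless (payload.length % 4).zero?
    errors << "block #{i}: invalid base64 characters" unless payload.match?(BASE64)
  end
  errors
end

# Constructed sample values, not real ciphertext.
TWO_BLOCKS = 'ENC[KMS,aGVsbG8g]ENC[KMS,d29ybGQ=]'
GARBAGE    = 'blaENC[KMS,aGVsbG8g]'
UNCLOSED   = 'ENC[KMS,aGVsbG8g]ENC[KMS,d29ybGQ='

if __FILE__ == $PROGRAM_NAME
  puts "greedy: #{TWO_BLOCKS.scan(GREEDY).length} match, lazy: #{TWO_BLOCKS.scan(LAZY).length} matches"
  [TWO_BLOCKS, GARBAGE, UNCLOSED].each { |v| puts "#{v} => #{check_eyaml_blocks(v).inspect}" }
end
```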

Hey @wershlak @ekohl

Following up on your conversation about the question mark ? in the regex, it seems that we can remove it right from the upstream project. Here is the PR with the change:

voxpupuli/hiera-eyaml#313

Thanks!

@bastelfreak bastelfreak requested a review from ekohl April 26, 2021 20:34
@ekohl
Member

ekohl commented Apr 27, 2021

I still think #127 (comment) is a comment that hasn't been answered.

@zilchms

zilchms commented Mar 12, 2024

Housekeeping: what is the status on this? :)
