Class: Puppet::Decrypt::Decryptor

Inherits:
Object
Defined in:
lib/puppet-decrypt/decryptor.rb

Constant Summary collapse

ENCRYPTED_PATTERN =
/^ENC:?(\w*)\[(.*)\]$/
KEY_DIR =
ENV['PUPPET_DECRYPT_KEYDIR'] || '/etc/puppet-decrypt'
DEFAULT_KEY =
'encryptor_secret_key'
DEFAULT_FILE =
File.join(KEY_DIR, DEFAULT_KEY)

Instance Method Summary collapse

Constructor Details

#initialize(options = {}) ⇒ Decryptor

Returns a new instance of Decryptor.



# File 'lib/puppet-decrypt/decryptor.rb', line 10

# Builds a Decryptor.
#
# @param options [Hash] supports :raw — when truthy, values are handled as bare
#   "ciphertext:iv:salt" payloads without the ENC[...] wrapper (see #decrypt
#   and #encrypt)
# @return [Decryptor]
def initialize(options = {})
  raw_mode = options[:raw]
  # Normalise a missing/nil option to false so @raw is always a real value.
  @raw = raw_mode || false
end

Instance Method Details

#decrypt(value, secret_key_file) ⇒ Object



# File 'lib/puppet-decrypt/decryptor.rb', line 27

# Decrypts +value+ with the key stored in +secret_key_file+.
#
# The key file is resolved through +secret_key_for+ when none is given and
# its digest is computed before the value is inspected, so a missing or
# unreadable key file fails even for values that turn out not to be encrypted.
#
# In raw mode the whole value is taken as the encoded payload. Otherwise only
# values matching ENCRYPTED_PATTERN are decrypted; any other value is returned
# unchanged, i.e. a non-matching (plaintext) value passes straight through.
#
# NOTE(review): ENCRYPTED_PATTERN is anchored with ^ and $, which in Ruby
# match at line boundaries rather than string boundaries; confirm whether
# \A and \z were intended if a value can contain newlines.
#
# The payload is "ciphertext:iv:salt", each part run through
# +strict_decode64+. A payload with no iv/salt falls back to an unsalted
# decrypt and prints a warning asking for re-encryption.
#
# @param value [String] the encoded value, ENC[...]-wrapped unless raw mode
# @param secret_key_file [String, nil] path of the secret key file
# @return [String] the decrypted value, or +value+ unchanged when it does not
#   look encrypted
def decrypt(value, secret_key_file)
  secret_key_file ||= secret_key_for value
  secret_key_digest = digest_from secret_key_file
  if @raw
    encrypted = true
  else
    found = value.match(ENCRYPTED_PATTERN)
    encrypted = !found.nil?
    # Keep only the bracketed payload; the optional tag in group 1 is ignored.
    value = found[2] if found
  end
  return value unless encrypted

  ciphertext, iv, salt = value.split(':').map { |part| strict_decode64 part }
  if iv && salt
    ciphertext.decrypt(:key => secret_key_digest, :iv => iv, :salt => salt)
  else
    # Legacy unsalted payload: still decryptable, but nudge towards re-encryption.
    $stderr.puts "Warning: re-encrypt with puppet-crypt to use salted passwords"
    ciphertext.decrypt(:key => secret_key_digest)
  end
end

#decrypt_hash(hash) ⇒ Object



# File 'lib/puppet-decrypt/decryptor.rb', line 14

# Decrypts the 'value' entry of +hash+.
#
# The key file may be given under either 'secretkey' or 'secret_key'; when
# neither is present a nil is passed on and #decrypt resolves the key itself.
#
# @param hash [Hash] with 'value' and optionally 'secretkey'/'secret_key'
# @return [String] see #decrypt
def decrypt_hash(hash)
  key_file = hash['secretkey'] || hash['secret_key']
  decrypt(hash['value'], key_file)
end

#encrypt(value, secret_key_file, salt, iv) ⇒ Object



# File 'lib/puppet-decrypt/decryptor.rb', line 50

# Encrypts +value+ with the key stored in +secret_key_file+ and the supplied
# +salt+ and +iv+.
#
# The result is "ciphertext:iv:salt" with each part passed through
# +strict_encode64+ (and stripped), wrapped as ENC[...] unless raw mode is on.
# Before returning, the value is decrypted again with the same key file and
# compared to the input, so a payload that would not round-trip is never
# handed out.
#
# @param value [String] plaintext to encrypt
# @param secret_key_file [String, nil] path of the secret key file; resolved
#   via +secret_key_for+ when nil
# @param salt [String]
# @param iv [String]
# @return [String] the encoded (and, unless raw, ENC[...]-wrapped) value
# @raise [RuntimeError] when decrypting the produced value does not yield +value+
def encrypt(value, secret_key_file, salt, iv)
  secret_key_file ||= secret_key_for value
  secret_key_digest = digest_from secret_key_file
  ciphertext = value.encrypt(:key => secret_key_digest, :iv => iv, :salt => salt)
  parts = [ciphertext, iv, salt].map { |part| strict_encode64(part).strip }
  encoded = parts.join(':')
  encoded = "ENC[#{encoded}]" unless @raw
  # Round-trip check: refuse to emit a value this class cannot decrypt back.
  roundtrip = decrypt(encoded, secret_key_file)
  raise "Value can't be encrypted properly with salt #{salt}" unless roundtrip == value
  encoded
end

#encrypt_hash(hash) ⇒ Object



# File 'lib/puppet-decrypt/decryptor.rb', line 18

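# Encrypts the 'value' entry of +hash+, taking the key file, salt and iv from
# the hash when present and generating defaults otherwise.
#
# Caller-supplied 'salt'/'iv' are honoured as-is. Reusing an IV under the same
# key weakens AES-CBC, so they are best left unset so fresh random values are
# drawn on every call (assumes +value.encrypt+ uses the cipher the IV is
# generated for — confirm against the encryptor in use).
#
# @param hash [Hash] with 'value', and optionally 'secretkey'/'secret_key',
#   'salt' and 'iv'
# @return [String] see #encrypt
def encrypt_hash(hash)
  # DEFAULT_FILE is File.join(KEY_DIR, DEFAULT_KEY); use the shared constant.
  secret_key = hash['secretkey'] || hash['secret_key'] || DEFAULT_FILE
  salt = hash['salt'] || SecureRandom.base64
  # OpenSSL::Cipher::Cipher is a deprecated alias; OpenSSL::Cipher is the
  # supported constructor.
  iv = hash['iv'] || OpenSSL::Cipher.new('aes-256-cbc').random_iv

  encrypt(hash['value'], secret_key, salt, iv)
end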