This isn't intended to be a complete solution yet, but I wanted to give
you a proof of concept I banged out. The encryption is completely
transparent to the end user. To use it, simply pass the parameter of
`encrypted => true` and it's encrypted & decrypted for you.
Example usage:
```puppet
datacat_fragment { 'encryption test':
  target    => $target,
  data      => {
    name => 'fred',
  },
  encrypted => true,
}
```
This does look very cool as a starting place. Thanks. It'll be desirable to extend this to structured data values, though I remember ruby json parsers/emitters are inconsistent between versions when dealing with a simple JSON document like I'll be travelling for the next few days, but will try and pick this up next week.

Yeah, I considered the JSON dance and figured it would be better to just get the POC up to start thinking about. Obviously, this also only works on the CA master too, unless some sort of cert distribution is done. 10am with a couple beers in me[1] wasn't really the time to be making those design decisions though.

Well nuts. @adrienthebo just informed me that The cop-out way would be to call a puppet function on the data being passed in, but I'd like to avoid that if possible.

I wonder if we can do something with

That runs on the client as well: https://github.com/puppetlabs/puppet/blob/master/lib/puppet/transaction.rb#L261

Are there any other ways that I can crush your hopes and dreams?
lib/puppet/type/datacat_fragment.rb
s/over the while/in the compiled catalog/
This conditionally loads my node_encrypt library, and then allows users to transparently node_encrypt() any data items.
Updated to use my module for encryption. Ping @richardc |
I'm not keen on this particular check as it smells like it's checking for a magic number, and it also seems too soft. I think I'd sooner have an additional explicit flag on the fragment, something more like:
```ruby
fragments.each do |fragment|
  if fragment[:encrypted]
    fragment[:data].each do |key, value|
      fragment[:data][key] = Puppet_X::Binford2k::NodeEncrypt.decrypt(value)
    end
  end
end
```
Then it's less automagic and more explicit.
It's checking for the guard string -----BEGIN PKCS7-----. I can't figure a more robust way to do this transparently to the end-user. I'd totally be happy if you found a good way to do this.
I suppose you could require an additional encrypted => true parameter to be set, but that might make it awkward because all values or no values would be marked as encrypted.
Maybe we could do both approaches, flag the fragment with a parameter, then iterate each value like I'm currently doing. Thoughts?
That's what my code fragment was meant to be showing, unless you mean it could optimistically check if the value looks encrypted so a warning can be issued if it wasn't flagged as being encrypted? More like:
```ruby
fragments.each do |fragment|
  fragment[:data].each do |key, value|
    if Puppet_X::Binford2k::NodeEncrypt.encrypted?(value)
      if fragment[:encrypted]
        fragment[:data][key] = Puppet_X::Binford2k::NodeEncrypt.decrypt(value)
      else
        warn "Fragment looked encrypted but wasn't flagged as being encrypted"
      end
    end
  end
end
```
Cool that you've found a way, I have one comment on the approach though, I think it's better to fail harder/earlier than to try and maybe decrypt a thing if it looks like it might be encrypted.
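As an added example (not code from puppet-datacat or node_encrypt), here is a fail-early version of the decrypt pass the two snippets above sketch: the `encrypted` flag is explicit, and any mismatch between the flag and the value raises instead of warning. `FAKE_DECRYPT` and `EncryptedFragmentError` are stand-ins assumed for this example so it runs offline; the `-----BEGIN PKCS7-----` guard string is the one mentioned in the thread.

```ruby
# Guard string that node_encrypt output starts with (from the thread above).
PKCS7_GUARD = '-----BEGIN PKCS7-----'.freeze

# Assumed error class; a real type would raise Puppet::Error instead.
class EncryptedFragmentError < StandardError; end

# Does the value carry the PKCS7 guard string?
def looks_encrypted?(value)
  value.is_a?(String) && value.lstrip.start_with?(PKCS7_GUARD)
end

# Decrypt every value of each fragment flagged `encrypted => true`.
# `decrypt` is a callable (assumed to wrap NodeEncrypt.decrypt in a real
# module). Instead of guessing, raise when the flag and the payload
# disagree, so the catalog fails early rather than silently concatenating
# ciphertext into the target file or decrypting something never flagged.
def decrypt_fragments(fragments, decrypt)
  fragments.map do |fragment|
    data    = fragment[:data]
    flagged = fragment[:encrypted] == true
    data.each do |key, value|
      if flagged && !looks_encrypted?(value)
        raise EncryptedFragmentError,
              "#{key}: fragment flagged encrypted but value is not PKCS7"
      elsif !flagged && looks_encrypted?(value)
        raise EncryptedFragmentError,
              "#{key}: value looks encrypted but fragment is not flagged"
      end
    end
    next fragment unless flagged
    fragment.merge(data: data.transform_values { |v| decrypt.call(v) })
  end
end

# Constructed stand-in for NodeEncrypt.decrypt: it only strips the PKCS7
# wrapper lines. The real one decrypts with the node's certificate and key.
FAKE_DECRYPT = lambda do |blob|
  blob.lines.reject { |l| l.start_with?('-----') }.join.strip
end
```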