diff --git a/README.md b/README.md
index 7260703..aa767d5 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,26 @@ datacat_fragment { 'open ssh': } ```
+Optional: in-catalog encryption
+---------------------
+If you have the [`binford2k/node_encrypt`](https://forge.puppetlabs.com/binford2k/node_encrypt)
+module installed, then you can transparently encrypt any data element using the
+`node_encrypt()` function. **Remember to set `show_diff => false` to keep the
+secrets from appearing in your reports!**
+ ```Puppet
+datacat { '/tmp/test':
+ template_body => "Decrypted value: <%= @data["value"] %>",
+ show_diff => false,
+}
+datacat_fragment { 'encryption test':
+ target => '/tmp/test',
+ data => {
+ value => node_encrypt('This string will not be included in the catalog.'),
+ },
+}
+ ``` + Caveats
 -------
diff --git a/lib/puppet/provider/datacat_collector/datacat_collector.rb b/lib/puppet/provider/datacat_collector/datacat_collector.rb
index c5cbf20..838c984 100644
--- a/lib/puppet/provider/datacat_collector/datacat_collector.rb
+++ b/lib/puppet/provider/datacat_collector/datacat_collector.rb
@@ -9,6 +9,16 @@ def exists?
 r.is_a?(Puppet::Type.type(:datacat_fragment)) && ((our_names & [ r[:target] ].flatten).size > 0)
 end
+ # decrypt any encrypted fragments
+ if defined?(Puppet_X::Binford2k::NodeEncrypt)
+ fragments.each do |fragment|
+ fragment[:data].each do |key,value|
+ next unless Puppet_X::Binford2k::NodeEncrypt.encrypted?(value)
+ fragment[:data][key] = Puppet_X::Binford2k::NodeEncrypt.decrypt(value)
+ end
+ end
+ end
+
 # order fragments on their :order property
 fragments = fragments.sort { |a,b| a[:order] <=> b[:order] }
diff --git a/lib/puppet_x/richardc/datacat.rb b/lib/puppet_x/richardc/datacat.rb
index f28fad6..8dc8f6a 100644
--- a/lib/puppet_x/richardc/datacat.rb
+++ b/lib/puppet_x/richardc/datacat.rb
@@ -1,3 +1,8 @@
+begin
+ require 'puppet_x/binford2k/node_encrypt'
+rescue LoadError
+end
+
 module Puppet_X
 module Richardc
 class Datacat
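Review bot: The decrypt loop in the datacat_collector.rb hunk only inspects the top-level values of `fragment[:data]` and hands each of them, nested Hash or Array values included, straight to `NodeEncrypt.encrypted?`; an encrypted string sitting inside a nested structure is therefore left as ciphertext and written into the managed file, and whether a non-String value is even safe to pass to `encrypted?` depends on node_encrypt's implementation, which is not visible here. The loop also rewrites the resource's own parameter hash in place, so the plaintext stays in the in-memory `datacat_fragment` resource for the rest of the run and would surface in anything that later inspects or debug-logs that resource; the remainder of `exists?` is outside the hunk, so I cannot tell whether a local decrypted copy could be threaded through instead. I would walk the structure with a small helper that decrypts only String leaves and rebuilds containers, as sketched below. `exists?` begins and ends outside this hunk, so the helper's placement in the provider class is presumed.
```ruby
    # decrypt any encrypted fragments, including values nested in hashes/arrays
    if defined?(Puppet_X::Binford2k::NodeEncrypt)
      fragments.each do |fragment|
        fragment[:data].each do |key, value|
          fragment[:data][key] = decrypt_deep(value)
        end
      end
    end
    # … unchanged: sort fragments on :order …

  # Return `value` with every encrypted String leaf decrypted. Hashes and
  # Arrays are rebuilt rather than mutated; non-String leaves are returned
  # untouched so NodeEncrypt.encrypted? is only ever asked about Strings.
  def decrypt_deep(value)
    case value
    when String
      return value unless Puppet_X::Binford2k::NodeEncrypt.encrypted?(value)
      Puppet_X::Binford2k::NodeEncrypt.decrypt(value)
    when Hash
      value.each_with_object({}) { |(k, v), h| h[k] = decrypt_deep(v) }
    when Array
      value.map { |v| decrypt_deep(v) }
    else
      value
    end
  end
```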
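Review bot: The empty `rescue LoadError` in the datacat.rb hunk turns a missing or broken node_encrypt installation into silent behaviour: `defined?(Puppet_X::Binford2k::NodeEncrypt)` is then false in the provider, encrypted fragment values pass through untouched, and the ciphertext is written into the managed file with no hint as to why. Nothing in the hunk records that this is the intended optional-dependency fallback either, and the provider's reliance on this file having performed the require is implicit rather than visible here. I would at least document and log the fallback by giving the rescue a body: `# node_encrypt is optional; without it the provider leaves encrypted values untouched` followed by `Puppet.debug 'binford2k/node_encrypt not loadable; datacat will not decrypt fragment data'`, assuming `Puppet` is already loaded when this puppet_x file is required, which is the usual case but not shown in the hunk. The file continues past the hunk.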