Class: Puppet::Decrypt::Decryptor
- Inherits:
-
Object
- Object
- Puppet::Decrypt::Decryptor
- Defined in:
- lib/puppet-decrypt/decryptor.rb
Constant Summary
- ENCRYPTED_PATTERN =
/^ENC:?(\w*)\[(.*)\]$/
- KEY_DIR =
ENV['PUPPET_DECRYPT_KEYDIR'] || '/etc/puppet-decrypt'
- DEFAULT_KEY =
'encryptor_secret_key'
- DEFAULT_FILE =
File.join(KEY_DIR, DEFAULT_KEY)
Instance Method Summary
- #decrypt(value, secret_key_file) ⇒ Object
- #decrypt_hash(hash) ⇒ Object
- #encrypt(value, secret_key_file, salt, iv) ⇒ Object
-
#initialize(options = {}) ⇒ Decryptor
constructor
A new instance of Decryptor.
Constructor Details
#initialize(options = {}) ⇒ Decryptor
Returns a new instance of Decryptor.
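# File 'lib/puppet-decrypt/decryptor.rb', line 10

# Builds a decryptor.
#
# @param options [Hash] configuration; only the :raw key is read here.
#   When :raw is truthy, #decrypt treats every value as an encrypted payload
#   and #encrypt returns the payload without the ENC[...] wrapper.
def initialize(options = {})
  # The parameter name was lost in the rendered listing; it is restored from
  # the documented signature `initialize(options = {})`.
  @raw = options[:raw] || false
end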
Instance Method Details
#decrypt(value, secret_key_file) ⇒ Object
# File 'lib/puppet-decrypt/decryptor.rb', line 19

# Decrypts +value+ when it carries the ENC[...] wrapper, or unconditionally in
# raw mode. A value that does not match ENCRYPTED_PATTERN is returned as-is.
#
# @param value [String] wrapped ciphertext, raw payload, or plain text
# @param secret_key_file [String, nil] key file to use; when nil it is
#   resolved with secret_key_for(value)
# @return [Object] the decrypted payload, or +value+ unchanged when it is not
#   recognised as encrypted
def decrypt(value, secret_key_file)
  secret_key_file ||= secret_key_for value
  secret_key_digest = digest_from secret_key_file

  unless @raw
    # NOTE(review): ENCRYPTED_PATTERN is anchored with ^ and $, which in Ruby
    # match at line boundaries. A multi-line value with one line of the form
    # ENC[...] is therefore treated as encrypted and the other lines are
    # dropped; \A and \z would require the whole string to match.
    wrapper = value.match(ENCRYPTED_PATTERN)
    return value unless wrapper

    value = wrapper[2]
  end

  # Payload layout is "ciphertext:iv:salt", each field Base64-encoded.
  ciphertext, iv, salt = value.split(':').map { |field| strict_decode64 field }
  return ciphertext.decrypt(:key => secret_key_digest, :iv => iv, :salt => salt) if iv && salt

  # Legacy payloads carry no iv/salt; they are still accepted, with a warning.
  $stderr.puts "Warning: re-encrypt with puppet-crypt to use salted passwords"
  ciphertext.decrypt(:key => secret_key_digest)
end
#decrypt_hash(hash) ⇒ Object
# File 'lib/puppet-decrypt/decryptor.rb', line 14

# Convenience wrapper around #decrypt for hash-shaped input.
#
# @param hash [Hash] reads 'value' (the value to decrypt) and 'secretkey'
#   (passed to #decrypt as the secret key file)
# @return [Object] whatever #decrypt returns
def decrypt_hash(hash)
  value = hash['value']
  key_file = hash['secretkey']

  # NOTE(review): this writes the value and the key-file argument to stdout on
  # every call, so both end up in whatever captures the process output.
  # Consider dropping the line or routing it to a debug-level logger.
  puts "Decrypting value: #{value}, secretkey: #{key_file}"
  decrypt(value, key_file)
end
#encrypt(value, secret_key_file, salt, iv) ⇒ Object
# File 'lib/puppet-decrypt/decryptor.rb', line 42

# Encrypts +value+ and returns it as "ciphertext:iv:salt" (each field
# Base64-encoded), wrapped in ENC[...] unless the decryptor is in raw mode.
#
# @param value [String] plain text to encrypt
# @param secret_key_file [String, nil] key file to use; when nil it is
#   resolved with secret_key_for(value)
# @param salt [String] salt passed to the cipher and stored with the result
# @param iv [String] initialisation vector passed to the cipher and stored
#   with the result
# @return [String] the encoded (and, outside raw mode, wrapped) ciphertext
# @raise [RuntimeError] when decrypting the result does not give back +value+
def encrypt(value, secret_key_file, salt, iv)
  secret_key_file ||= secret_key_for value
  secret_key_digest = digest_from secret_key_file

  # NOTE(review): iv and salt come from the caller and are neither generated
  # nor checked here; presumably the caller supplies fresh random values for
  # each encryption. Confirm at the call sites.
  ciphertext = value.encrypt(:key => secret_key_digest, :iv => iv, :salt => salt)
  fields = [ciphertext, iv, salt].map { |field| strict_encode64(field).strip }
  payload = fields.join(':')
  encrypted_value = @raw ? payload : "ENC[#{payload}]"

  # Round-trip check: refuse to hand back ciphertext that does not decrypt to
  # the original value. The error message includes the salt.
  unless decrypt(encrypted_value, secret_key_file) == value
    raise "Value can't be encrypted properly with salt #{salt}"
  end

  encrypted_value
end