hiera fails to use eyaml about hiera-eyaml HOT 22 CLOSED

I think this might be a duplicate of #24 - although that was never properly resolved.

In your encrypted value, do you have an explicit encryption format? i.e. ENC[PKCS7,AAAAAAA....] rather than ENC[AAAAAAAA....]?

from hiera-eyaml.

This looks like the same error as #24, which was fixed by explicitly adding the PKCS7 label to the encryption blocks i.e. ENC[PKCS7,...]

Try that and see if it fixes it!?

from hiera-eyaml.

I've added a test for what I think is this issue in #29. I think that other parts of the pull request might fix the issue as I can't seem to reproduce it.

from hiera-eyaml.

I don't have PKCS7 in the encryption values, but based on the error it's likely that would work around the issue by simply avoiding the need to call a method that doesn't exist. I'll try the updates in 96c86a5 tomorrow and report back.

from hiera-eyaml.

I agree @djmitche :)

Having said that, I think it is a code path issue. A portion of the hiera-eyaml has two code paths (one from the eyaml tool and one from the hiera backend). The paths from eyaml have pretty good test coverage, but those from the hiera backend do not. It seems that the path from hiera doesn't define that method.

The reason that the issue doesn't appear if the PKCS7 encryption type is explicitly specified is that when it is specified it doesn't need to call the method that 'doesn't exist' as far as this code path is concerned.

Let me know how you get on with those updates; but be aware that a lot of the encryption / decryption code has been reworked so you could bump into other issues that also lack test coverage. I hope not though - @gtmtech has done a pretty good job on the test coverage.

from hiera-eyaml.

With that patch applied,

[[email protected] dmitchell]# hiera -c /etc/puppet/hiera.yaml root_pw_hash
WARN: Mon Sep 23 08:32:03 -0700 2013: Cannot load backend eyaml: no such file to load -- hiera/backend/eyaml/parser/parser
nil

which is because that patch doesn't include parser.rb. I think that's from the otherwise-unrelated sihil-enhance-edit-mode branch, so I pulled that and built a gem, and:

hiera -c /etc/puppet/hiera.yaml root_pw_hash
ENC[MIIB2....mPA==]

(it's a test password anyway, but I'll spare you the base64)

So, something's pretty seriously wrong here. I'm not clear on why it's hard to add the missing method?

from hiera-eyaml.

I'll try and look at this today. Thanks for the information @djmitche - have you said what version of Ruby / Gem you are on? Just wondering if it is 1.8.7 as I've been testing on 1.9.mumble.

I agree, I don't understand why it's so hard either - I imagine it is something to do with yet another weirdness in Ruby that I don't yet understand (there seem to be a huge number of them, partly because it's new for me and partly because it's not the most consistent language). You see, the method (both default_encryption_scheme in the first case and the parser file in the latter) exist. The method / file is there, it's just not in scope for the hiera backend (exactly the same call is used in eyaml). The reason I ask if you are on 1.8.7 is that the way rubygem scoping is handled changed as of 1.9 (it seems to become more sane).

from hiera-eyaml.

We probably want to setup up a TravisCI integration to test against multiple versions. Will be good to get which hiera version is being used here too (hiera -v), as I've just done a testcase on the latest code and it seems to work for me. If you can reproduce the error @sihil, can you add a testcase for it that fails?

from hiera-eyaml.

Was that 'latest code' pull request #29 @gtmtech?

from hiera-eyaml.

I was just working off top of tree - commit 67c6d9a , havent taken a look at the pull request yet.

He's using 1.8 BTW from the stacktrace, as otherwise site/ruby should be marked as 1.9.1 .
I'm just going to test 1.8 to see if there's a difference

from hiera-eyaml.

Tested HEAD on 1.8 and 1.9, works on both:

I am doing:

eyaml -c  # create keys
ENCRYPTED=$(eyaml -e -s "secret" -o string) # get an encrypted secret
mkdir files
echo "root_pw_hash: ${ENCRYPTED}" > files/default.eyaml

At which point with the following hiera.yaml file, I can't get it to fail at all on either ruby version

# hiera -c ./hiera.yaml root_pw_hash
secret

# hiera -v
1.2.1

hiera.yaml >>

---
:backends:
  - yaml
  - eyaml

:hierarchy:
  - files/defaults

:yaml:
  :datadir: ./

:file:
  :datadir: ./

:logger: console

:eyaml:
  :datadir: ./
  :pkcs7_private_key: ./keys/private_key.pkcs7.pem
  :pkcs7_public_key: ./keys/public_key.pkcs7.pem

from hiera-eyaml.

I've just tested your pull request too. Works there too. Think more information is required unless you have an insight I dont..

from hiera-eyaml.

Ah I understand now - the PKCS7 tag isn't there. Yes yes OK that should be easy to fix. Was chasing up the wrong tree and didnt read the bug properly DOH

from hiera-eyaml.

Don't think that explains why it doesn't work on the head of pull request #29 - the missing file is a different issue.

Have you tested my pull request on 1.8? I'm looking now.

from hiera-eyaml.

You're right - it doesn't work.... because of the missing PKCS7 tag. But it doesnt work everywhere - 1.8, 1.9, your branch, and the HEAD. Versions are not an issue, it's a functional bug

from hiera-eyaml.

Solution is just to add

require 'hiera/backend/eyaml'

at the top of hiera-eyaml/lib/hiera/backend/eyaml/actions/decrypt_action.rb.

My repo is in a bit of a state so cant do a pull req right now, but this will fix it

from hiera-eyaml.

It's strange though, because I added a test case for this to the very last commit in #29 (96c86a5) and that passes happily.

from hiera-eyaml.

Basically decrypt_action is trying to access a class/module variable that hasnt been required at runtime via hiera -c. Adding the require at the top of decrypt_action will fix the issue

from hiera-eyaml.

So, to summarize, the problem is an incomplete list of requires, such that
when only eyaml_backend.rb is required, everything necessary isn't pulled
in. But during test runs, everything ends up imported well before the test
runs, so you don't see a failure. So this sounds like a correct fix.

In Python, we're pretty careful to require every other module each module
uses. I'm not sure what the best-practice is for Ruby.

from hiera-eyaml.

That's a fair summary @djmitche - it would still be useful to know what versions of Ruby and Hiera you have in your environment.

from hiera-eyaml.

@gtmtech is right - 1.8.7. hiera-1.2.1-rc1

from hiera-eyaml.

I added the require line to the top of decrypt_action so this should be fixed in v1.3.6

I'll close this issue for now to keep things tidy, but we can always reopen it if the problem comes back!

from hiera-eyaml.