Comments (22)
I think this might be a duplicate of #24 - although that was never properly resolved.
In your encrypted value, do you have an explicit encryption format? i.e. ENC[PKCS7,AAAAAAA....] rather than ENC[AAAAAAAA....]?
from hiera-eyaml.
This looks like the same error as #24, which was fixed by explicitly adding the PKCS7 label to the encryption blocks i.e. ENC[PKCS7,...]
Try that and see if it fixes it!?
from hiera-eyaml.
I've added a test for what I think is this issue in #29. I think that other parts of the pull request might fix the issue as I can't seem to reproduce it.
from hiera-eyaml.
I don't have PKCS7 in the encryption values, but based on the error it's likely that would work around the issue by simply avoiding the need to call a method that doesn't exist. I'll try the updates in 96c86a5 tomorrow and report back.
from hiera-eyaml.
I agree @djmitche :)
Having said that, I think it is a code path issue. A portion of the hiera-eyaml has two code paths (one from the eyaml tool and one from the hiera backend). The paths from eyaml have pretty good test coverage, but those from the hiera backend do not. It seems that the path from hiera doesn't define that method.
The reason that the issue doesn't appear if the PKCS7 encryption type is explicitly specified is that when it is specified it doesn't need to call the method that 'doesn't exist' as far as this code path is concerned.
Let me know how you get on with those updates; but be aware that a lot of the encryption / decryption code has been reworked so you could bump into other issues that also lack test coverage. I hope not though - @gtmtech has done a pretty good job on the test coverage.
from hiera-eyaml.
With that patch applied,
[[email protected] dmitchell]# hiera -c /etc/puppet/hiera.yaml root_pw_hash
WARN: Mon Sep 23 08:32:03 -0700 2013: Cannot load backend eyaml: no such file to load -- hiera/backend/eyaml/parser/parser
nil
which is because that patch doesn't include parser.rb. I think that's from the otherwise-unrelated sihil-enhance-edit-mode branch, so I pulled that and built a gem, and:
hiera -c /etc/puppet/hiera.yaml root_pw_hash
ENC[MIIB2....mPA==]
(it's a test password anyway, but I'll spare you the base64)
So, something's pretty seriously wrong here. I'm not clear on why it's hard to add the missing method?
from hiera-eyaml.
I'll try and look at this today. Thanks for the information @djmitche - have you said what version of Ruby / Gem you are on? Just wondering if it is 1.8.7 as I've been testing on 1.9.mumble.
I agree, I don't understand why it's so hard either - I imagine it is something to do with yet another weirdness in Ruby that I don't yet understand (there seem to be a huge number of them, partly because it's new for me and partly because it's not the most consistent language). You see, the method (both default_encryption_scheme in the first case and the parser file in the latter) exist. The method / file is there, it's just not in scope for the hiera backend (exactly the same call is used in eyaml). The reason I ask if you are on 1.8.7 is that the way rubygem scoping is handled changed as of 1.9 (it seems to become more sane).
from hiera-eyaml.
We probably want to set up a TravisCI integration to test against multiple versions. Will be good to get which hiera version is being used here too (hiera -v), as I've just done a testcase on the latest code and it seems to work for me. If you can reproduce the error @sihil, can you add a testcase for it that fails?
from hiera-eyaml.
Was that 'latest code' pull request #29 @gtmtech?
from hiera-eyaml.
I was just working off top of tree - commit 67c6d9a, haven't taken a look at the pull request yet.
He's using 1.8 BTW from the stacktrace, as otherwise site/ruby should be marked as 1.9.1.
I'm just going to test 1.8 to see if there's a difference
from hiera-eyaml.
Tested HEAD on 1.8 and 1.9, works on both:
I am doing:
eyaml -c # create keys
ENCRYPTED=$(eyaml -e -s "secret" -o string) # get an encrypted secret
mkdir files
echo "root_pw_hash: ${ENCRYPTED}" > files/default.eyaml
At which point with the following hiera.yaml file, I can't get it to fail at all on either ruby version
# hiera -c ./hiera.yaml root_pw_hash
secret
# hiera -v
1.2.1
hiera.yaml >>
---
:backends:
  - yaml
  - eyaml
:hierarchy:
  - files/defaults
:yaml:
  :datadir: ./
:file:
  :datadir: ./
:logger: console
:eyaml:
  :datadir: ./
  :pkcs7_private_key: ./keys/private_key.pkcs7.pem
  :pkcs7_public_key: ./keys/public_key.pkcs7.pem
from hiera-eyaml.
I've just tested your pull request too. Works there too. Think more information is required unless you have an insight I don't.
from hiera-eyaml.
Ah I understand now - the PKCS7 tag isn't there. Yes yes OK that should be easy to fix. Was chasing up the wrong tree and didn't read the bug properly DOH
from hiera-eyaml.
Don't think that explains why it doesn't work on the head of pull request #29 - the missing file is a different issue.
Have you tested my pull request on 1.8? I'm looking now.
from hiera-eyaml.
You're right - it doesn't work.... because of the missing PKCS7 tag. But it doesn't work everywhere - 1.8, 1.9, your branch, and the HEAD. Versions are not an issue, it's a functional bug
from hiera-eyaml.
Solution is just to add
require 'hiera/backend/eyaml'
at the top of hiera-eyaml/lib/hiera/backend/eyaml/actions/decrypt_action.rb.
My repo is in a bit of a state so can't do a pull req right now, but this will fix it
from hiera-eyaml.
It's strange though, because I added a test case for this to the very last commit in #29 (96c86a5) and that passes happily.
from hiera-eyaml.
Basically decrypt_action is trying to access a class/module variable that hasn't been required at runtime via hiera -c. Adding the require at the top of decrypt_action will fix the issue
from hiera-eyaml.
So, to summarize, the problem is an incomplete list of requires, such that
when only eyaml_backend.rb is required, everything necessary isn't pulled
in. But during test runs, everything ends up imported well before the test
runs, so you don't see a failure. So this sounds like a correct fix.
In Python, we're pretty careful to require every other module each module
uses. I'm not sure what the best-practice is for Ruby.
from hiera-eyaml.
That's a fair summary @djmitche - it would still be useful to know what versions of Ruby and Hiera you have in your environment.
from hiera-eyaml.
@gtmtech is right - 1.8.7. hiera-1.2.1-rc1
from hiera-eyaml.
I added the require line to the top of decrypt_action so this should be fixed in v1.3.6
I'll close this issue for now to keep things tidy, but we can always reopen it if the problem comes back!
from hiera-eyaml.
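The load-order failure summarized in this thread can be reproduced in isolation. The following is an added example, not code from hiera-eyaml: the `Demo` module, its file names and the sample `ENC[...]` values are constructed stand-ins, and each lookup runs in a fresh Ruby process so that nothing is preloaded the way a test run would preload it.

```ruby
require 'tmpdir'
require 'open3'
require 'rbconfig'

# Constructed stand-in for the file that defines the default scheme (hypothetical names).
CORE = <<~'RB'
  module Demo
    def self.default_encryption_scheme
      'PKCS7'
    end
  end
RB

# Constructed stand-in for decrypt_action.rb: it calls Demo.default_encryption_scheme
# for untagged values but, as in the bug, does not require the file defining it.
ACTION = <<~'RB'
  module Demo
    module DecryptAction
      def self.scheme_for(value)
        value[/\AENC\[(\w+),/, 1] || Demo.default_encryption_scheme
      end
    end
  end
RB

# Runs one lookup in a fresh Ruby process so nothing is loaded by accident.
# preload_core: true models the eyaml tool / test run; false models the hiera backend.
# fixed: true prepends the require line, mirroring the fix described in the thread.
def run_lookup(fixed:, preload_core:, value:)
  Dir.mktmpdir do |dir|
    Dir.mkdir(File.join(dir, 'demo'))
    File.write(File.join(dir, 'demo', 'core.rb'), CORE)
    File.write(File.join(dir, 'demo', 'decrypt_action.rb'),
               (fixed ? "require 'demo/core'\n" : '') + ACTION)
    script = [
      (preload_core ? "require 'demo/core'" : nil),
      "require 'demo/decrypt_action'",
      'begin; print Demo::DecryptAction.scheme_for(ARGV[0])',
      "rescue NoMethodError; print 'NoMethodError'; end"
    ].compact.join("\n")
    out, _status = Open3.capture2(RbConfig.ruby, '-I', dir, '-e', script, value)
    out
  end
end

if __FILE__ == $PROGRAM_NAME
  [[false, true, 'ENC[AAAA==]'], [false, false, 'ENC[PKCS7,AAAA==]'],
   [false, false, 'ENC[AAAA==]'], [true, false, 'ENC[AAAA==]']].each do |f, p, v|
    puts "fixed=#{f} preload=#{p} #{v} -> #{run_lookup(fixed: f, preload_core: p, value: v)}"
  end
end
```

Only the third case fails: the untagged value reached through the entry point that loads `decrypt_action` alone, which is why the explicit `ENC[PKCS7,...]` tag hid the problem and why the test suite passed.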