"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "salt/renderers/gpg.py" between
salt-3002.1.tar.gz and salt-3002.2.tar.gz

About: SaltStack is a systems management software for data center automation, cloud orchestration, server provisioning, configuration management and more. Community version.

gpg.py  (salt-3002.1):gpg.py  (salt-3002.2)
# -*- coding: utf-8 -*-
r""" r"""
Renderer that will decrypt GPG ciphers Renderer that will decrypt GPG ciphers
Any key in the SLS file can be a GPG cipher, and this renderer will decrypt it Any key in the SLS file can be a GPG cipher, and this renderer will decrypt it
before passing it off to Salt. This allows you to safely store secrets in before passing it off to Salt. This allows you to safely store secrets in
source control, in such a way that only your Salt master can decrypt them and source control, in such a way that only your Salt master can decrypt them and
distribute them only to the minions that need them. distribute them only to the minions that need them.
The typical use-case would be to use ciphers in your pillar data, and keep a The typical use-case would be to use ciphers in your pillar data, and keep a
secret key on your master. You can put the public key in source control so that secret key on your master. You can put the public key in source control so that
skipping to change at line 268 skipping to change at line 267
ciphertext=`python /path/to/script.py` ciphertext=`python /path/to/script.py`
With the entire pillar dictionary now encrypted, it can be included in the CLI With the entire pillar dictionary now encrypted, it can be included in the CLI
pillar data like so: pillar data like so:
.. code-block:: bash .. code-block:: bash
salt myminion state.sls secretstuff pillar_enc=gpg pillar="$ciphertext" salt myminion state.sls secretstuff pillar_enc=gpg pillar="$ciphertext"
""" """
# Import python libs
from __future__ import absolute_import, print_function, unicode_literals
import logging import logging
import os import os
import re import re
from subprocess import PIPE, Popen from subprocess import PIPE, Popen
import salt.syspaths import salt.syspaths
# Import salt libs
import salt.utils.cache import salt.utils.cache
import salt.utils.path import salt.utils.path
import salt.utils.stringio import salt.utils.stringio
import salt.utils.stringutils import salt.utils.stringutils
from salt.exceptions import SaltRenderError from salt.exceptions import SaltRenderError
# Import 3rd-party libs
from salt.ext import six
log = logging.getLogger(__name__) log = logging.getLogger(__name__)
GPG_CIPHERTEXT = re.compile( GPG_CIPHERTEXT = re.compile(
salt.utils.stringutils.to_bytes( salt.utils.stringutils.to_bytes(
r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----" r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----"
), ),
re.DOTALL, re.DOTALL,
) )
GPG_CACHE = None GPG_CACHE = None
skipping to change at line 400 skipping to change at line 391
try: try:
ret = salt.utils.stringutils.to_unicode(ret, encoding=encoding) ret = salt.utils.stringutils.to_unicode(ret, encoding=encoding)
except UnicodeDecodeError: except UnicodeDecodeError:
# decrypted data contains some sort of binary data - not our problem # decrypted data contains some sort of binary data - not our problem
pass pass
return ret return ret
def _decrypt_object(obj, translate_newlines=False, encoding=None): def _decrypt_object(obj, translate_newlines=False, encoding=None):
""" """
Recursively try to decrypt any object. If the object is a six.string_types Recursively try to decrypt any object. If the object is a string
(string or unicode), and it contains a valid GPG header, decrypt it, or bytes and it contains a valid GPG header, decrypt it,
otherwise keep going until a string is found. otherwise keep going until a string is found.
""" """
if salt.utils.stringio.is_readable(obj): if salt.utils.stringio.is_readable(obj):
return _decrypt_object(obj.getvalue(), translate_newlines) return _decrypt_object(obj.getvalue(), translate_newlines)
if isinstance(obj, six.string_types): if isinstance(obj, (str, bytes)):
return _decrypt_ciphertexts( return _decrypt_ciphertexts(
obj, translate_newlines=translate_newlines, encoding=encoding obj, translate_newlines=translate_newlines, encoding=encoding
) )
elif isinstance(obj, dict): elif isinstance(obj, dict):
for key, value in six.iteritems(obj): for key, value in obj.items():
obj[key] = _decrypt_object(value, translate_newlines=translate_newli nes) obj[key] = _decrypt_object(value, translate_newlines=translate_newli nes)
return obj return obj
elif isinstance(obj, list): elif isinstance(obj, list):
for key, value in enumerate(obj): for key, value in enumerate(obj):
obj[key] = _decrypt_object(value, translate_newlines=translate_newli nes) obj[key] = _decrypt_object(value, translate_newlines=translate_newli nes)
return obj return obj
else: else:
return obj return obj
def render(gpg_data, saltenv="base", sls="", argline="", **kwargs): def render(gpg_data, saltenv="base", sls="", argline="", **kwargs):
 End of changes. 7 change blocks. 
13 lines changed or deleted 4 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)