Class: Bolt::Plugin::Pkcs7

Inherits:
Secret::Base show all
Defined in:
lib/bolt/plugin/pkcs7.rb

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Secret::Base

#decode, #encode, #hooks, #secret_decrypt, #secret_encrypt, #validate_inventory_config

Constructor Details

#initialize(boltdir, options) ⇒ Pkcs7

Returns a new instance of Pkcs7.



28
29
30
31
32
33
34
 
# File 'lib/bolt/plugin/pkcs7.rb', line 28

def initialize(boltdir, options)
  self.class.validate_config(options)
  require 'openssl'
  @boltdir = boltdir
  @options = options || {}
  @logger = Logging.logger[self]
end

Class Method Details

.validate_config(config) ⇒ Object 



9
10
11
12
13
14
15
16
17
18
19
20
21
22
 
# File 'lib/bolt/plugin/pkcs7.rb', line 9

def self.validate_config(config)
  known_keys = %w[private-key public-key keysize]
  known_keys.each do |key|
    unless key.is_a? String
      raise Bolt::ValidationError, "Invalid config for pkcs7 plugin: '#{key}' is not a String"
    end
  end

  config.keys.each do |key|
    unless known_keys.include?(key)
      raise Bolt::ValidationError, "Unpexpected key in pkcs7 plugin config: #{key}"
    end
  end
end

Instance Method Details

#decrypt_value(ciphertext) ⇒ Object 



68
69
70
71
 
# File 'lib/bolt/plugin/pkcs7.rb', line 68

def decrypt_value(ciphertext)
  pkcs7 = OpenSSL::PKCS7.new(ciphertext)
  pkcs7.decrypt(private_key, public_key)
end

#encrypt_value(plaintext) ⇒ Object

The following implementations are intended to be compatible with hiera-eyaml



63
64
65
66
 
# File 'lib/bolt/plugin/pkcs7.rb', line 63

def encrypt_value(plaintext)
  cipher = OpenSSL::Cipher::AES.new(256, :CBC)
  OpenSSL::PKCS7.encrypt([public_key], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end

#keysizeObject 



58
59
60
 
# File 'lib/bolt/plugin/pkcs7.rb', line 58

def keysize
  @options['keysize'] || 2048
end

#nameObject 



24
25
26
 
# File 'lib/bolt/plugin/pkcs7.rb', line 24

def name
  'pkcs7'
end

#private_keyObject 



43
44
45
 
# File 'lib/bolt/plugin/pkcs7.rb', line 43

def private_key
  @private_key ||= OpenSSL::PKey::RSA.new(File.read(private_key_path))
end

#private_key_pathObject 



36
37
38
39
40
41
 
# File 'lib/bolt/plugin/pkcs7.rb', line 36

def private_key_path
  path = @options['private-key'] || 'keys/private_key.pkcs7.pem'
  path = File.absolute_path(path, @boltdir)
  @logger.debug("Using private-key: #{path}")
  path
end

#public_keyObject 



54
55
56
 
# File 'lib/bolt/plugin/pkcs7.rb', line 54

def public_key
  @public_key ||= OpenSSL::X509::Certificate.new(File.read(public_key_path))
end

#public_key_pathObject 



47
48
49
50
51
52
 
# File 'lib/bolt/plugin/pkcs7.rb', line 47

def public_key_path
  path = @options['public-key'] || 'keys/public_key.pkcs7.pem'
  path = File.absolute_path(path, @boltdir)
  @logger.debug("Using public-key: #{path}")
  path
end

#secret_createkeysObject 



73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
 
# File 'lib/bolt/plugin/pkcs7.rb', line 73

def secret_createkeys
  key = OpenSSL::PKey::RSA.new(keysize)

  cert = OpenSSL::X509::Certificate.new
  cert.subject = OpenSSL::X509::Name.parse('/')
  cert.serial = 1
  cert.version = 2
  cert.not_before = Time.now
  cert.not_after = Time.now + 50 * 365 * 24 * 60 * 60
  cert.public_key = key.public_key
  cert.sign(key, OpenSSL::Digest.new('SHA512'))

  @logger.warn("Overwriting private-key '#{private_key_path}'") if File.exist?(private_key_path)
  @logger.warn("Overwriting public-key '#{public_key_path}'") if File.exist?(public_key_path)

  private_keydir = File.dirname(private_key_path)
  FileUtils.mkdir_p(private_keydir) unless File.exist?(private_keydir)
  FileUtils.touch(private_key_path)
  File.chmod(0o600, private_key_path)
  File.write(private_key_path, key.to_pem)

  public_keydir = File.dirname(public_key_path)
  FileUtils.mkdir_p(public_keydir) unless File.exist?(public_keydir)
  File.write(public_key_path, cert.to_pem)
end