(maint) - remove Binford2k module

jordanbreen28 · jordanbreen28 · commit 23befd01ae23 · 2023-06-08T10:46:16.000+01:00
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
@@ -59,12 +59,12 @@ RSpec/NamedSubject:
 RSpec/StubbedMock:
   Exclude:
     - 'spec/functions/node_encrypt_spec.rb'
-    - 'spec/unit/puppet_x/binford2k/node_encrypt_spec.rb'
+    - 'spec/unit/puppet_x/node_encrypt_spec.rb'
 
 # Offense count: 1
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: nested, compact
 Style/ClassAndModuleChildren:
   Exclude:
-    - 'lib/puppet_x/binford2k/node_encrypt.rb'
+    - 'lib/puppet_x/node_encrypt.rb'
diff --git a/lib/puppet/face/node/encrypt.rb b/lib/puppet/face/node/encrypt.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'puppet/face'
-require 'puppet_x/binford2k/node_encrypt'
+require 'puppet_x/node_encrypt'
 
 Puppet::Face.define(:node, '0.0.1') do
   action :encrypt do
@@ -45,7 +45,7 @@
         text = args.join(' ')
       end
 
-      PuppetX::Binford2k::NodeEncrypt.encrypt(text, options[:target])
+      PuppetX::NodeEncrypt.encrypt(text, options[:target])
     end
   end
 
@@ -76,11 +76,11 @@
 
     when_invoked do |options|
       if options.include? :data
-        PuppetX::Binford2k::NodeEncrypt.decrypt(options[:data])
+        PuppetX::NodeEncrypt.decrypt(options[:data])
       elsif options.include? :env
-        PuppetX::Binford2k::NodeEncrypt.decrypt(ENV.fetch(options[:env], nil))
+        PuppetX::NodeEncrypt.decrypt(ENV.fetch(options[:env], nil))
       else
-        PuppetX::Binford2k::NodeEncrypt.decrypt($stdin.read)
+        PuppetX::NodeEncrypt.decrypt($stdin.read)
       end
     end
   end
diff --git a/lib/puppet/functions/node_decrypt.rb b/lib/puppet/functions/node_decrypt.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative '../../puppet_x/binford2k/node_encrypt'
+require_relative '../../puppet_x/node_encrypt'
 
 # Decrypt data with node_encrypt. This is intended to be used as a
 # Deferred function on the _agent_ via the node_encrypted::secret wrapper.
@@ -12,7 +12,7 @@
 
   def decrypt(content)
     Puppet::Pops::Types::PSensitiveType::Sensitive.new(
-      PuppetX::Binford2k::NodeEncrypt.decrypt(content),
+      PuppetX::NodeEncrypt.decrypt(content),
     )
   end
 end
diff --git a/lib/puppet/functions/node_encrypt.rb b/lib/puppet/functions/node_encrypt.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative '../../puppet_x/binford2k/node_encrypt'
+require_relative '../../puppet_x/node_encrypt'
 
 # @summary
 #   Encrypt data with node_encrypt.
@@ -16,7 +16,7 @@
 
   def simple_encrypt(content)
     certname = closure_scope['clientcert']
-    PuppetX::Binford2k::NodeEncrypt.encrypt(content, certname)
+    PuppetX::NodeEncrypt.encrypt(content, certname)
   end
 
   def sensitive_encrypt(content)
diff --git a/lib/puppet/parser/functions/node_encrypt.rb b/lib/puppet/parser/functions/node_encrypt.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative '../../../puppet_x/binford2k/node_encrypt'
+require_relative '../../../puppet_x/node_encrypt'
 
 Puppet::Parser::Functions.newfunction(:node_encrypt,
                                       type: :rvalue,
@@ -14,5 +14,5 @@
   content = content.unwrap if defined?(Puppet::Pops::Types::PSensitiveType::Sensitive) && content.is_a?(Puppet::Pops::Types::PSensitiveType::Sensitive)
 
   certname = lookupvar('clientcert')
-  PuppetX::Binford2k::NodeEncrypt.encrypt(content, certname)
+  PuppetX::NodeEncrypt.encrypt(content, certname)
 end
diff --git a/lib/puppet_x/binford2k/node_encrypt.rb b/lib/puppet_x/binford2k/node_encrypt.rb
diff --git a/lib/puppet_x/node_encrypt.rb b/lib/puppet_x/node_encrypt.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module PuppetX
+  class NodeEncrypt # rubocop:disable Style/Documentation
+    def self.encrypted?(data)
+      raise ArgumentError, 'Only strings can be encrypted' unless data.instance_of?(String)
+
+      # ridiculously faster than a regex
+      data.start_with?('-----BEGIN PKCS7-----')
+    end
+
+    def self.encrypt(data, destination)
+      raise ArgumentError, 'Can only encrypt strings' unless data.instance_of?(String)
+      raise ArgumentError, 'Need a node name to encrypt for' unless destination.instance_of?(String)
+
+      certpath = Puppet.settings[:hostcert]
+      keypath  = Puppet.settings[:hostprivkey]
+
+      # A dummy password with at least 4 characters is required here
+      # since Ruby 2.4 which enforces a minimum password length
+      # of 4 bytes. This is true even if the key has no password
+      # at all--in which case the password we supply is ignored.
+      # We can pass in a dummy here, since we know the certificate
+      # has no password.
+      key  = OpenSSL::PKey::RSA.new(File.read(keypath), '1234')
+      cert = OpenSSL::X509::Certificate.new(File.read(certpath))
+
+      # if we're on the CA, we've got a copy of the clientcert from the start.
+      # This allows the module to work with no classification at all on single
+      # monolithic server setups
+      destpath = [
+        "#{Puppet.settings[:signeddir]}/#{destination}.pem",
+        "#{Puppet.settings[:certdir]}/#{destination}.pem",
+      ].find { |path| File.exist? path }
+
+      # for safer upgrades, let's default to the known good pathway for now
+      if destpath
+        target = OpenSSL::X509::Certificate.new(File.read(destpath))
+      else
+        # if we don't have a cert, check for it in $facts
+        scope = Puppet.lookup(:global_scope)
+
+        if scope.exist?('clientcert_pem')
+          hostcert = scope.lookupvar('clientcert_pem')
+          target   = OpenSSL::X509::Certificate.new(hostcert)
+        else
+          url = 'https://github.com/puppetlabs/puppetlabs-node_encrypt#automatically-distributing-certificates-to-compile-servers'
+          raise ArgumentError, "Client certificate does not exist. See #{url} for more info."
+        end
+      end
+
+      signed = OpenSSL::PKCS7.sign(cert, key, data, [], OpenSSL::PKCS7::BINARY)
+      cipher = OpenSSL::Cipher.new('AES-128-CFB')
+
+      OpenSSL::PKCS7.encrypt([target], signed.to_der, cipher, OpenSSL::PKCS7::BINARY).to_s
+    end
+
+    def self.decrypt(data)
+      raise ArgumentError, 'Can only decrypt strings' unless data.instance_of?(String)
+
+      cert   = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:hostcert]))
+      # Same dummy password as above.
+      key    = OpenSSL::PKey::RSA.new(File.read(Puppet.settings[:hostprivkey]), '1234')
+      source = OpenSSL::X509::Certificate.new(File.read(Puppet.settings[:localcacert]))
+
+      store = OpenSSL::X509::Store.new
+      store.add_cert(source)
+
+      blob      = OpenSSL::PKCS7.new(data)
+      decrypted = blob.decrypt(key, cert)
+      verified  = OpenSSL::PKCS7.new(decrypted)
+
+      raise ArgumentError, 'Signature verification failed' unless verified.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
+
+      verified.data
+    end
+  end
+end
diff --git a/spec/classes/certificates_spec.rb b/spec/classes/certificates_spec.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'spec_helper'
-require 'puppet_x/binford2k/node_encrypt'
+require 'puppet_x/node_encrypt'
 
 describe 'node_encrypt::certificates' do
   before(:each) do
diff --git a/spec/defines/file_spec.rb b/spec/defines/file_spec.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'spec_helper'
-require 'puppet_x/binford2k/node_encrypt'
+require 'puppet_x/node_encrypt'
 
 describe 'node_encrypt::file' do
   context 'when ensuring present' do
@@ -48,7 +48,7 @@
     end
 
     before(:each) do
-      allow(PuppetX::Binford2k::NodeEncrypt).to receive(:decrypt).with('encrypted').and_return('decrypted')
+      allow(PuppetX::NodeEncrypt).to receive(:decrypt).with('encrypted').and_return('decrypted')
     end
 
     it {
diff --git a/spec/functions/node_encrypt_spec.rb b/spec/functions/node_encrypt_spec.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 require 'spec_helper'
-require 'puppet_x/binford2k/node_encrypt'
+require 'puppet_x/node_encrypt'
 
 describe 'node_encrypt' do
   let(:node) { 'testhost.example.com' }
@@ -11,13 +11,13 @@
   end
 
   it 'receives foobar and returns encrypted' do
-    expect(PuppetX::Binford2k::NodeEncrypt).to receive(:encrypt).with('foobar', 'testhost.example.com').and_return('encrypted')
+    expect(PuppetX::NodeEncrypt).to receive(:encrypt).with('foobar', 'testhost.example.com').and_return('encrypted')
     expect(scope.function_node_encrypt(['foobar'])).to eq('encrypted')
   end
 
   if defined?(Puppet::Pops::Types::PSensitiveType::Sensitive)
     it 'receives sensitive value and returns encrypted' do
-      expect(PuppetX::Binford2k::NodeEncrypt).to receive(:encrypt).with('foobar', 'testhost.example.com').and_return('encrypted')
+      expect(PuppetX::NodeEncrypt).to receive(:encrypt).with('foobar', 'testhost.example.com').and_return('encrypted')
       expect(scope.function_node_encrypt([Puppet::Pops::Types::PSensitiveType::Sensitive.new('foobar')])).to eq('encrypted')
     end
   end
diff --git a/spec/unit/puppet_x/node_encrypt_spec.rb b/spec/unit/puppet_x/node_encrypt_spec.rb
@@ -2,7 +2,7 @@
 
 require 'openssl'
 require 'spec_helper'
-require 'puppet_x/binford2k/node_encrypt'
+require 'puppet_x/node_encrypt'
 
 ca_crt_pem = "-----BEGIN CERTIFICATE-----
 MIIGGjCCBAKgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMVgwVgYDVQQDDE9QdXBw
@@ -252,7 +252,7 @@
 uSI28VzZYavkITj+2D6tMys=
 -----END PKCS7-----"
 
-describe PuppetX::Binford2k::NodeEncrypt do
+describe PuppetX::NodeEncrypt do
   let(:node) { 'testhost.example.com' }
 
   it 'decrypts values which have been encrypted' do
