Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

eyaml incorrectly errors when it cannot decrypt a key #35

Open
ghoneycutt opened this issue Apr 20, 2016 · 6 comments
Open

eyaml incorrectly errors when it cannot decrypt a key #35

ghoneycutt opened this issue Apr 20, 2016 · 6 comments
Labels

Comments

@ghoneycutt
Copy link
Member

I am using your software in an environment where multiple people are creating encrypted entries and I am not meant to be able to read their encrypted entries. I would expect that any entries that can be decrypted would be and the rest would just show up encrypted, as they are.

What actually happens is that an error is thrown.

[gpg] Fatal: Failed to decrypt ciphertext (check settings and that you are a recipient)
[hiera-eyaml-core] Decryption failed
$ gem list | grep eyaml
hiera-eyaml (2.1.0)
hiera-eyaml-gpg (0.6)

Here's a trace

[hiera-eyaml-core] /Users/gh/.rvm/gems/ruby-2.1.8/gems/gpgme-2.0.12/lib/gpgme/ctx.rb:428:in `decrypt'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-gpg-0.6/lib/hiera/backend/eyaml/encryptors/gpg.rb:183:in `decrypt'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:15:in `encrypted_value'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:80:in `create_enc_token'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb:100:in `create_token'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:71:in `parse_scanner'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:74:in `parse_scanner'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/parser/parser.rb:36:in `parse'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/subcommands/edit.rb:74:in `execute'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/lib/hiera/backend/eyaml/CLI.rb:46:in `execute'
                   /Users/gh/.rvm/gems/ruby-2.1.8/gems/hiera-eyaml-2.1.0/bin/eyaml:21:in `<top (required)>'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/eyaml:23:in `load'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/eyaml:23:in `<main>'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/ruby_executable_hooks:15:in `eval'
                   /Users/gh/.rvm/gems/ruby-2.1.8/bin/ruby_executable_hooks:15:in `<main>'

I think this correlates to https://github.com/sihil/hiera-eyaml-gpg/blob/master/lib/hiera/backend/eyaml/encryptors/gpg.rb#L184 though I'm unsure as to how to fix this.

@sihil
Copy link
Collaborator

sihil commented Apr 20, 2016

Can you give some context to when you are experiencing this?

As you might imagine, returning an encrypted value in a situation where you'd like the decrypted value or a clear failure would potentially be surprising or problematic (you could end up installing an encrypted certificate on a server which would then fail to start correctly).

Within edit mode it does make a certain amount of sense to ignore decryption failures and indeed this should be possible.

Further clarification would help me decide if and how to change the behaviour here.

@ghoneycutt
Copy link
Member Author

Related to voxpupuli/hiera-eyaml#146

Basically we have multiple teams of people that want to encrypt data that is not necessarily meant to be decrypted by others. This is the attraction of using gpg instead of pre-shared secrets.

@lawrencegohar
Copy link

I'd like to chime in that this is a serious pain point for us as well. Hiera data that doesn't pertain to a particular node causes hiera-eyaml-gpg to throw a GPGME::Error::DecryptFailed. This hinders local development, for example, because {global,location,environment}-specific secrets which can be overridden for local development via hiera cause this gem to ignore the specific data that it can decrypt. To make an analogy, this is like giving a friend my keys to water my plants while I'm on vacation. I don't expect him to give up simply because the car key doesn't open the front door to the house.

Perhaps a good compromise would be to ignore DecryptFailed errors unless nothing can be decrypted; e.g. - if the parameter in question ends up nil after the run completes. This would be forgiving enough to accommodate this and similar use cases, while failing when it has no other options to try.

@alexjfisher
Copy link
Member

Would voxpupuli/hiera-eyaml#215 help at all? AFAICT, with that change at least data from parts of the hierarchy that wouldn't ever end up in the final merged hash wouldn't need to be decrypted.

@ghoneycutt
Copy link
Member Author

I don't think that applies because there could be multiple teams (recipient lists) editing values in the same hiera data file.

@ghoneycutt ghoneycutt added the bug label Apr 25, 2019
@JonLoesch
Copy link

Somebody posted in the related issue, reposting here:

You can use eyaml edit --no-decrypt

Not sure if you're still on this issue -- It's been years since I've worked with hiera and I don't have the setup to test it right now. Also, I feel like this is not attempting to decrypt at all rather than ignoring failures to decrypt which may or may not help your use case. In any case, I'm just passing the message along. Cheers!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

5 participants