-
-
Notifications
You must be signed in to change notification settings - Fork 131
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Empty values confuse eyaml decrypt
#179
Comments
A very quick look at the code, perhaps the A temporary work-around that I found is to set the value to |
That's likely the problem, yeah, but not on that line. I don't believe it's valid to have the encrypted values be blank. Decrypted values, though, should be fine when blank. As such, lines 116 and 126 should probably be changed to use |
Your proposed fix on lines 116 and 126 works. I think that empty values are OK since I use it outside eyaml too. Results with the fix:
This is based on the following versions of hiera-eyaml and hiera-eyaml-gpg:
Thanks. |
I never considered empty strings when I wrote the parsing code, but can't As you both say, I expect that changing the two regex will solve the issue
On Wed, 4 Nov 2015 00:22 Amos Shapira [email protected] wrote:
|
I'll make a PR shortly. |
I've run into some other problems with getting it to register as an empty string vs. a nil value. I have some ideas for how to fix it but it'll take a little bit longer that initially anticipated. |
We've been encountering this as well. :-) |
@RoUS you might be right about the literal value being |
Any movement on this issue? Thanks much in advance. |
@mjburling Thanks for poking this issue. It doesn't look like anyone opened a related PR, yet. Is that something you're interested in doing? If not, I can look into it but it may not happen very soon. Thanks! |
@rnelson0 I came to the same conclusion as @sihil and see no reason for this not to be supported. For my specific use case, it's a crumby default empty-string password for ephemeral environments. For hygiene's sake, I'd like to obscure that fact. If @elyscape could point me toward his/her work toward this issue, I would be interested in continuing to completion. |
@rnelson0 -- I submitted #322 adding tests for blank values and #323 to fix the parsing problem. The fix is trivial: --- a/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb
+++ b/lib/hiera/backend/eyaml/parser/encrypted_tokens.rb
@@ -108,7 +108,7 @@ class Hiera
class EncHieraTokenType < EncTokenType
def initialize
- @regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/ =\n]+?)\]}
+ @regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/ =\n]*?)\]}
@string_token_type = EncStringTokenType.new
end
@@ -119,7 +119,7 @@ class Hiera
class EncStringTokenType < EncTokenType
def initialize
- @regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/=]+?)\]}
+ @regex = %r{ENC\[(\w+,)?([a-zA-Z0-9+/=]*?)\]}
end
def create_token(string) |
@rnelson0 - Can I get a review? |
@rnelson0 @kenyon @bastelfreak -- Is there anybody who is familiar enough with cucumber to help with testing? I modified the tests in #322 but the tests passed, which indicates that either the tests ae inadequate or the reported bug does not actually exist. |
When editing an .eyaml file like this:
The encrypted file shows only the first two keys (truncated for brevity):
And the third key doesn't appear in the encrypted file.
eyaml edit issue-example.eyaml
shows the decrypted file just fine:But notice how the
DEC::GPG
of the third key (key_with_non_empty_value_2
) doesn't have a a number. It feels like it was somehow 'swallowed' by the empty value of the previous key.Then
eyaml decrypt -e issue-example.eyaml
outputs:Which looks OK (except again - the missing number on the third key suggest that something is broken).
But
eyaml decrupt -f issue-example.eyaml
comes up with broken values:I'm trying to use
-f
because it doesn't include the eyaml-specific quoting so I can pass this decrypted .yaml file to regular hiera (e.g. when using master-less setup, or in Packer like image burning scenario).Whether I'm wrong in using
-f
on a .eyaml file or not, the encrypted file seems to be broken.Without looking at the code yet, my hunch is that the regular expression used to match the inside of the decrypted value expects at least one character before the closing
]!
and therefore misses the first one and continues until the end of the next encrypted value.The text was updated successfully, but these errors were encountered: