Merge pull request voxpupuli#233 from cosmincojocar/dianac10-ignore_u…

…nchanged_tokens_on_edit

Modify edit command to not recrypt unchanged values

features/edit.feature

@@ -116,6 +116,18 @@ Feature: eyaml editing
     When I run `eyaml edit test_edit.eyaml`
     Then the stderr should contain "No changes detected"
 
+  Scenario: not modifying the plaintext should result in no encryption
+    Given my EDITOR is set to "sed -i.bak s/simple_array/test_array/g"
+    When I run `bash -c 'cp test_input.yaml test_input.eyaml'`
+    When I run `eyaml edit -t test_input.eyaml`
+    Then the output should not contain "PKCS7 encrypt"
+
+  Scenario: modifying the plaintext should result in an encryption
+    Given my EDITOR is set to "sed -i.bak s/value6/value7/g"
+    When I run `bash -c 'cp test_input.yaml test_input.eyaml'`
+    When I run `eyaml edit -t test_input.eyaml`
+    Then the output should contain "PKCS7 encrypt"
+
   Scenario: editing but not modifying a eyaml file with --no-preamble should be detected
     Given my EDITOR is set to "/usr/bin/env true"
     When I run `bash -c 'cp test_edit.yaml test_edit.eyaml'`

features/sandbox/test_input.yaml

@@ -122,4 +122,3 @@ encrypted_hash_value:
   key6: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQAwDQYJKoZIhvcNAQEBBQAEggEAYXaRRYmZJUtU5zo/yVVVknavcsEouVPbs8gXwRXbVK+anEOyWNaFalbA2n16dIhD9kIVbfJ3MiBnUu3m/CbvyTrt4lVpw5r8TRuxjXh8F8C39k9bZbKOgj+zj8OCMfZYgRR3BTXN5fym6BLFQ1oWIaW9GxMc3671OyymudJE230eT1dk8ivx95giFAHQRasAyBVsf0YRuRmH5GVnOiD9zmTNb0eKTcxdGXdVTgc2rGbOlFhQLOS9CHcEryulAtbKH22foUTnYWugFk8SrRpdyS3HViimnSDOfx1ulRPa9TktXaQwR3YED/z4gbQ0x5Gx30tm0lmTYFCSt2FDFd54eTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDy/ITSXoe+hXa6ewQlAAefgBCd16Ly4Z9nsitcdMS2fVvz]
 
 multi_encryption: ENC[PLAINTEXT,amFtbXk=] ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQAwDQYJKoZIhvcNAQEBBQAEggEAKjKPUtDSN+X/n91bpIjhZHW3eLG9efNNWz7unq8ToxQOIMLrQcr3mj+83E1UNhmRu4TSymSz0kFkkPtjWd2TAkAG3PZvUj6ldFeUhbPMAvTOH/Q23hEZfQdI0GmZHTe6YsYBjJwAxEegXfdg1HKzCY3SBZoMTCEu9yFIJKd3slPxw8zPI6GERTg2ZBRWIckv9W9t7EN7nu9liWR0csRPEYwXUiAZlrgdX2r2Fhx/ZzWZ0tWJ55BiYYzE9U9bvSGZOjZJpWU9wUaOhpAhAx9xaIg48CO5THXMvV+8ss/zEMhYHGfhN56Cr69oQRDXGunYKnWT9tgoDCrxMGIrurtBnDA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBntvZSBPjinBRMofJhVxEtgBAd3fhzETLtxJm58bnlM3ci]
-

lib/hiera/backend/eyaml/encryptors/pkcs7.rb

@@ -27,6 +27,8 @@ class Pkcs7 < Encryptor
 
           def self.encrypt plaintext
 
+            LoggingHelper::trace 'PKCS7 encrypt'
+
             public_key = self.option :public_key
             raise StandardError, "pkcs7_public_key is not defined" unless public_key
 
@@ -35,11 +37,12 @@ def self.encrypt plaintext
 
             cipher = OpenSSL::Cipher::AES.new(256, :CBC)
             OpenSSL::PKCS7::encrypt([public_key_x509], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
-
           end
 
           def self.decrypt ciphertext
 
+            LoggingHelper::trace 'PKCS7 decrypt'
+
             public_key = self.option :public_key
             private_key = self.option :private_key
             raise StandardError, "pkcs7_public_key is not defined" unless public_key
@@ -107,4 +110,4 @@ def self.create_keys
 
   end
 
-end
+end

lib/hiera/backend/eyaml/parser/encrypted_tokens.rb

@@ -10,6 +10,8 @@ module Backend
     module Eyaml
       module Parser
         class EncToken < Token
+          @@tokens_map = Hash.new()
+          @@encrypt_unchanged = true
           attr_reader :format, :cipher, :encryptor, :indentation, :plain_text, :id
           def self.encrypted_value(format, encryption_scheme, cipher, match, indentation = '')
             decryptor = Encryptor.find encryption_scheme
@@ -22,6 +24,23 @@ def self.decrypted_value(format, plain_text, encryption_scheme, match, id, inden
             id_number = id.nil? ? nil : id.gsub(/\(|\)/, "").to_i
             EncToken.new(format, plain_text, encryptor, cipher, match, indentation, id_number)
           end
+          def self.plain_text_value(format, plain_text, encryption_scheme, match, id, indentation = '')
+            encryptor = Encryptor.find encryption_scheme
+            id_number = id.gsub(/\(|\)/,"").to_i unless id.nil?
+            EncToken.new(format, plain_text, encryptor, "", match, indentation, id_number)
+          end
+
+          def self.tokens_map
+            return @@tokens_map
+          end
+
+          def self.set_encrypt_unchanged(encrypt_unchanged)
+            @@encrypt_unchanged = encrypt_unchanged
+          end
+
+          def self.encrypt_unchanged
+            return @@encrypt_unchanged
+          end
 
           def initialize(format, plain_text, encryptor, cipher, match = '', indentation = '', id = nil)
             @format = format
@@ -63,6 +82,10 @@ def to_decrypted(args={})
             label_string = label.nil? ? '' : "#{label}: "
             format = args[:format].nil? ? @format : args[:format]
             index = args[:index].nil? ? '' : "(#{args[:index]})"
+            if @@encrypt_unchanged == false
+              EncToken.tokens_map[index] = @plain_text
+            end
+
             case format
               when :block
                 chevron = (args[:use_chevron].nil? || args[:use_chevron]) ? ">\n" : ''
@@ -123,6 +146,13 @@ def initialize
           end
           def create_token(string)
             md = @regex.match(string)
+            if (EncToken.encrypt_unchanged == false)
+              unless md[1].nil?
+                if md[3] == EncToken.tokens_map[md[1]]
+                  return EncToken.plain_text_value(:string, md[3], md[2], string, md[1])
+                end
+              end
+            end
             EncToken.decrypted_value(:string, md[3], md[2], string, md[1])
           end
         end
@@ -133,6 +163,13 @@ def initialize
           end
           def create_token(string)
             md = @regex.match(string)
+            if (EncToken.encrypt_unchanged == false)
+              unless md[2].nil?
+                if md[4] == EncToken.tokens_map[md[2]]
+                  return EncToken.plain_text_value(:string, md[4], md[3], string, md[2])
+                end
+              end
+            end
             EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
             EncToken.decrypted_value(:block, md[4], md[3], string, md[2], md[1])
           end

lib/hiera/backend/eyaml/subcommands/edit.rb

@@ -3,6 +3,7 @@
 require 'hiera/backend/eyaml/options'
 require 'hiera/backend/eyaml/parser/parser'
 require 'hiera/backend/eyaml/subcommand'
+require 'hiera/backend/eyaml/parser/encrypted_tokens'
 
 class Hiera
   module Backend
@@ -70,6 +71,8 @@ def self.validate options
           def self.execute
             editor = EditHelper.find_editor
 
+            Parser::EncToken.set_encrypt_unchanged(false)
+
             encrypted_parser = Parser::ParserFactory.encrypted_parser
             tokens = encrypted_parser.parse Eyaml::Options[:input_data]
             decrypted_input = tokens.each_with_index.to_a.map{|(t,index)| t.to_decrypted :index => index}.join