Puppet Function: complyadm::decrypt

Defined in:
lib/puppet/functions/complyadm/decrypt.rb
Function type:
Ruby 4.x API

Overview

complyadm::decrypt(String $value, Optional[String] $public_key_path, Optional[String] $private_key_path)String[1]

Parameters:

  • data

    An encrypted string from hiera-eyaml

  • public_key_path (Optional[String])

    a relative file path to the public key

  • private_key_path (Optional[String])

    a relative file path to the private key

  • value (String)

Returns:

  • (String[1])

    Decrypted string



# File 'lib/puppet/functions/complyadm/decrypt.rb', line 8

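Puppet::Functions.create_function(:'complyadm::decrypt') do
  # Decrypts a hiera-eyaml PKCS7 value ("ENC[PKCS7,<base64>]") with a key pair
  # read from files resolved against the Bolt project directory.
  #
  # The plaintext is returned as a plain String (see return_type below), not as
  # a Sensitive value, so keeping it out of logs and reports is up to the caller.
  #
  # @param value An encrypted string from hiera-eyaml
  # @param public_key_path a relative file path to the public key
  # @param private_key_path a relative file path to the private key
  # @return Decrypted string
  dispatch :decrypt do
    param 'String', :value
    optional_param 'String', :public_key_path
    optional_param 'String', :private_key_path
    return_type 'String[1]'
  end

  def decrypt(value, public_key_path = 'keys/public_key.pkcs7.pem', private_key_path = 'keys/private_key.pkcs7.pem')
    boltdir = call_function('complyadm::bolt_project_dir')

    # File.expand_path returns an absolute argument unchanged and collapses
    # '..' segments, so a caller-supplied path is not confined to boltdir.
    # NOTE(review): confirm that callers only pass project-relative paths.
    public_key_path = File.expand_path(public_key_path, boltdir)
    public_key      = OpenSSL::X509::Certificate.new(File.read(public_key_path))
    Puppet.debug("Using public key: #{public_key_path}")

    private_key_path = File.expand_path(private_key_path, boltdir)
    private_key      = OpenSSL::PKey::RSA.new(File.read(private_key_path))
    Puppet.debug("Using private key: #{private_key_path}")

    # Decode the ciphertext.
    # NOTE(review): inside the character class, `+-=` is a range ('+' through
    # '='), so ',', '.', ':', ';' and '<' are accepted as well; Base64.decode64
    # skips characters outside the base64 alphabet instead of rejecting them.
    format = %r{\AENC\[PKCS7,(?<encoded>[\w\s+-=\\\/]+)\]\s*\z}
    match  = format.match(value)

    # Without this guard a value that is not an eyaml PKCS7 string fails with
    # NoMethodError on nil. The value itself is kept out of the message.
    raise ArgumentError, 'complyadm::decrypt: value is not in ENC[PKCS7,...] format' unless match

    raw = Base64.decode64(match[:encoded])

    # Decrypt the ciphertext; the last expression is the function's result.
    pkcs7 = OpenSSL::PKCS7.new(raw)
    pkcs7.decrypt(private_key, public_key)
  end
end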