Puppet Function: complyadm::encrypt

Defined in:
lib/puppet/functions/complyadm/encrypt.rb
Function type:
Ruby 4.x API

Overview

complyadm::encrypt(Sensitive[String] $value, Optional[String] $public_key_path)String[1]

leaving the calling code.

Parameters:

  • data

    A Puppet Sensitive value wrapping the string to encrypt

  • public_key_path (Optional[String])

    A path to the public key certificate, relative to the Bolt project directory

  • value (Sensitive[String])

Returns:

  • (String[1])

    An ENC[PKCS7,...] token ready to be placed in hiera-eyaml data



# File 'lib/puppet/functions/complyadm/encrypt.rb', line 9

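Puppet::Functions.create_function(:'complyadm::encrypt') do
  # Encrypts a Sensitive string into a hiera-eyaml PKCS7 token.
  #
  # The plaintext is only taken out of its Sensitive wrapper at the point of
  # encryption and is never logged; only the resolved public key path is.
  #
  # @param value [Sensitive[String]] the plaintext to encrypt
  # @param public_key_path [String] path to the PKCS7 public key certificate,
  #   resolved relative to the directory returned by complyadm::bolt_project_dir
  #   (default: keys/public_key.pkcs7.pem)
  # @return [String] a single-line `ENC[PKCS7,...]` token for hiera-eyaml
  dispatch :encrypt do
    param 'Sensitive[String]', :value
    optional_param 'String', :public_key_path
    return_type 'String[1]'
  end

  def encrypt(value, public_key_path = 'keys/public_key.pkcs7.pem')
    boltdir = call_function('complyadm::bolt_project_dir')
    public_key_path = File.expand_path(public_key_path, boltdir)
    # Logged before the read so a missing file is easy to trace to the
    # directory it was resolved against.
    Puppet.debug("Using public key: #{public_key_path}")

    recipient = OpenSSL::X509::Certificate.new(File.read(public_key_path))

    # Content-encryption cipher for the enveloped data; the key for it is
    # wrapped with the recipient's public key by PKCS7.encrypt.
    cipher = OpenSSL::Cipher.new('aes-256-cbc')

    # BINARY keeps the plaintext bytes as-is instead of applying MIME text
    # canonicalization. unwrap is called inline so the secret never sits in a
    # named local.
    envelope = OpenSSL::PKCS7.encrypt([recipient], value.unwrap, cipher, OpenSSL::PKCS7::BINARY)

    # strict_encode64 emits no line breaks. encode64 inserts one every 60
    # characters and the DER envelope is always longer than that, so the
    # previous encode64(...).strip left newlines inside the token and broke
    # single-line Hiera values. decode64 on the consuming side accepts both.
    "ENC[PKCS7,#{Base64.strict_encode64(envelope.to_der)}]"
  end
end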