From 0db8359c5898b7e3ceb44b0fc2e8f1ea8a2d38ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20B=C3=A9trancourt?= Date: Wed, 4 Aug 2021 11:22:38 +0000 Subject: [PATCH 1/2] [eyaml] Add eyaml support --- Gemfile | 1 + README.md | 27 ++++++++++++++++++++ lib/puppet/functions/hiera_http.rb | 40 +++++++++++++++++++++++++++++- 3 files changed, 67 insertions(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index d88019e..70ef106 100644 --- a/Gemfile +++ b/Gemfile @@ -1,3 +1,4 @@ source 'https://rubygems.org' gem 'rspec' +gem 'hiera-eyaml' gem 'lookup_http' diff --git a/README.md b/README.md index e55d822..ee189a1 100644 --- a/README.md +++ b/README.md @@ -106,6 +106,33 @@ The following are optional configuration parameters supported in the `options` h `headers:`: Hash of headers to send in the request +#### eyaml support + +`eyaml:`: When set to true, enable eyaml support (default: false) + +`eyaml_options`: Specify a eyaml options + +```yaml +--- + +version: 5 + +hierarchy: + - name: "Hiera-HTTP lookup" + lookup_key: hiera_http + uris: + - http://localhost:5984/host/%{trusted.certname} + - http://localhost:5984/dc/%{facts.location} + - http://localhost:5984/role/%{facts.role} + options: + output: json + ignore_404: true + eyaml: true + eyaml_options: + pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem + pkcs7_public_key: /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem +``` + ### Interpolating special tags Previous versions of this backed allowed the use of variables such as `%{key}` and `%{calling_module}` to be used in the URL, this has changed with Hiera 5. To allow for similar behaviour you can use a number of tags surrounded by `__` to interpolate special variables derived from the key into the `uri` or `uris` option in hiera.yaml. Currently you can interpolate `__KEY__`, `__MODULE__`, `__CLASS__` and `__PARAMETER__`, these tags are derived from parsing the original lookup key. 
diff --git a/lib/puppet/functions/hiera_http.rb b/lib/puppet/functions/hiera_http.rb index fab4bf2..85c7a34 100644 --- a/lib/puppet/functions/hiera_http.rb +++ b/lib/puppet/functions/hiera_http.rb @@ -6,6 +6,14 @@ rescue LoadError => e raise Puppet::DataBinding::LookupError, "Must install lookup_http gem to use hiera-http" end + begin + require 'hiera/backend/eyaml/encryptor' + require 'hiera/backend/eyaml/utils' + require 'hiera/backend/eyaml/options' + require 'hiera/backend/eyaml/parser/parser' + rescue LoadError => e + raise Puppet::DataBinding::LookupError, "Must install hiera-eyaml gem to use hiera-http" + end require 'uri' dispatch :lookup_key do @@ -35,11 +43,39 @@ def lookup_key(key, options, context) context.not_found return nil else - return context.interpolate(answer) + result = context.interpolate(answer) + if options['eyaml'] + result = decrypt(result, key, options) + end + return result end end + def decrypt(result, key, options) + if result.is_a?(Hash) + result.each do |k, v| + result[k] = decrypt(v, "#{key}/#{k}", options) + end + elsif result.is_a?(Array) + result.each_with_index do |v, i| + result[i] = decrypt(v, "#{key}[#{i}]", options) + end + elsif result.is_a?(String) + if /.*ENC\[.*\]/ =~ result + Hiera::Backend::Eyaml::Options.set(options['eyaml_options']) + begin + tokens = Hiera::Backend::Eyaml::Parser::ParserFactory.hiera_backend_parser.parse(result) + result = tokens.map(&:to_plain_text).join.chomp + rescue StandardError => ex + raise Puppet::DataBinding::LookupError, + _("hiera-eyaml backend error decrypting %{data} when looking up %{key} in %{path}. Error was %{message}") % { data: result, key: key, path: options['path'], message: ex.message } + end + end + end + return result + end + def return_answer(result, key, options) # dig defaults to true, dig_key defaults to the value of the @@ -147,6 +183,8 @@ def lookup_supported_params :use_auth, :auth_user, :auth_pass, + :eyaml, + :eyaml_options ] end end 
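Review bot: The new `begin … rescue LoadError` block at the top of the file makes hiera-eyaml a hard requirement for every user of this backend, even though the README in this same patch documents `eyaml` as defaulting to false. An existing installation without the gem would fail on load with "Must install hiera-eyaml gem to use hiera-http" without ever asking for decryption. Consider performing these four `require` calls only on the `if options['eyaml']` path (or at the top of `decrypt`), and wording the error as `"Must install hiera-eyaml gem to use the eyaml option of hiera-http"`. The rescued `e` is unused in the added lines, and the enclosing function definition starts outside the hunk.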
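Review bot: The `LookupError` raised in `decrypt` interpolates `%{data}` into its message, so the whole string that failed to decrypt ends up in compile errors and server logs. Because the `/.*ENC\[.*\]/` test accepts any string that merely contains an ENC block, plaintext around the block is echoed along with the ciphertext. I would drop `data` and keep the key, e.g. `_("hiera-eyaml backend error decrypting value when looking up %{key}. Error was %{message}") % { key: key, message: ex.message }`. `options['path']` is presumably never set for this backend, since the README configures `uri`/`uris`, so that field would render empty anyway. Separately, `Hiera::Backend::Eyaml::Options.set(options['eyaml_options'])` sits outside the `begin`, so with `eyaml: true` and no `eyaml_options` it receives nil and any failure there is not wrapped as a `LookupError`; moving it inside the `begin` as `Options.set(options['eyaml_options'] || {})` would cover that case. `lookup_key` starts outside the hunk.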
From 50911d9320e46f7f929597f1a2ff0e80ead9afc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20B=C3=A9trancourt?= Date: Wed, 4 Aug 2021 11:55:43 +0000 Subject: [PATCH 2/2] bumped to 3.5.0 --- CHANGELOG.md | 4 ++++ metadata.json | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb9cf3a..4ddffcd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +## 3.5.0 + +* Enhancement: Backend now utilizes [hiera-eyaml](https://github.com/voxpupuli/hiera-eyaml) to decrypt data. + ## 3.4.0 * Enhancement: Backend now utilizes Hiera's context.interpolate function to add interpolation of values in results. diff --git a/metadata.json b/metadata.json index 38aae51..1e4b627 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "crayfishx-hiera_http", - "version": "3.4.0", + "version": "3.5.0", "author": "Craig Dunn", "summary": "Hiera 5 backend to query data lookups over HTTP", "license": "Apache 2.0",