Class: Chef::EncryptedDataBagItem

Inherits:
Object
  • Object
show all
Defined in:
lib/chef/encrypted_data_bag_item.rb

Overview

An EncryptedDataBagItem represents a read-only data bag item where all values, except for the value associated with the id key, have been encrypted.

EncrypedDataBagItem can be used in recipes to decrypt data bag item members.

Data bag item values are assumed to have been encrypted using the default symmetric encryption provided by Encryptor.encrypt where values are converted to YAML prior to encryption.

If the shared secret is not specified at initialization or load, then the contents of the file referred to in Chef::Config will be used as the secret. The default path is /etc/chef/encrypted_data_bag_secret

EncryptedDataBagItem is intended to provide a means to avoid storing data bag items in the clear on the Chef server. This provides some protection against a breach of the Chef server or of Chef server backup data. Because the secret must be stored in the clear on any node needing access to an EncryptedDataBagItem, this approach provides no protection of data bag items from actors with access to such nodes in the infrastructure.

Constant Summary collapse

DEFAULT_SECRET_FILE =
"/etc/chef/encrypted_data_bag_secret"
ALGORITHM =
'aes-256-cbc'

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(enc_hash, secret) ⇒ EncryptedDataBagItem


53
54
55
56
# File 'lib/chef/encrypted_data_bag_item.rb', line 53

def initialize(enc_hash, secret)
  @enc_hash = enc_hash
  @secret = secret
end

Class Method Details

.decrypt_value(value, key) ⇒ Object


101
102
103
# File 'lib/chef/encrypted_data_bag_item.rb', line 101

def self.decrypt_value(value, key)
  YAML.load(self.cipher(:decrypt, Base64.decode64(value), key))
end

.encrypt_data_bag_item(plain_hash, secret) ⇒ Object


79
80
81
82
83
84
85
86
87
88
# File 'lib/chef/encrypted_data_bag_item.rb', line 79

def self.encrypt_data_bag_item(plain_hash, secret)
  plain_hash.inject({}) do |h, (key, val)|
    h[key] = if key != "id"
               self.encrypt_value(val, secret)
             else
               val
             end
    h
  end
end

.encrypt_value(value, key) ⇒ Object


97
98
99
# File 'lib/chef/encrypted_data_bag_item.rb', line 97

def self.encrypt_value(value, key)
  Base64.encode64(self.cipher(:encrypt, value.to_yaml, key))
end

.from_plain_hash(plain_hash, secret) ⇒ Object


75
76
77
# File 'lib/chef/encrypted_data_bag_item.rb', line 75

def self.from_plain_hash(plain_hash, secret)
  self.new(self.encrypt_data_bag_item(plain_hash, secret), secret)
end

.load(data_bag, name, secret = nil) ⇒ Object


90
91
92
93
94
95
# File 'lib/chef/encrypted_data_bag_item.rb', line 90

def self.load(data_bag, name, secret = nil)
  path = "data/#{data_bag}/#{name}"
  raw_hash = Chef::DataBagItem.load(data_bag, name)
  secret = secret || self.load_secret
  self.new(raw_hash, secret)
end

.load_secret(path = nil) ⇒ Object


105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# File 'lib/chef/encrypted_data_bag_item.rb', line 105

def self.load_secret(path=nil)
  path = path || Chef::Config[:encrypted_data_bag_secret] || DEFAULT_SECRET_FILE
  secret = case path
           when /^\w+:\/\//
             # We have a remote key
             begin
               Kernel.open(path).read.strip
             rescue Errno::ECONNREFUSED
               raise ArgumentError, "Remote key not available from '#{path}'"
             rescue OpenURI::HTTPError
               raise ArgumentError, "Remote key not found at '#{path}'"
             end
           else
             if !File.exists?(path)
               raise Errno::ENOENT, "file not found '#{path}'"
             end
             IO.read(path).strip
           end
  if secret.size < 1
    raise ArgumentError, "invalid zero length secret in '#{path}'"
  end
  secret
end

Instance Method Details

#[](key) ⇒ Object


58
59
60
61
62
63
64
65
# File 'lib/chef/encrypted_data_bag_item.rb', line 58

def [](key)
  value = @enc_hash[key]
  if key == "id" || value.nil?
    value
  else
    self.class.decrypt_value(value, @secret)
  end
end

#[]=(key, value) ⇒ Object

Raises:

  • (ArgumentError)

67
68
69
# File 'lib/chef/encrypted_data_bag_item.rb', line 67

def []=(key, value)
  raise ArgumentError, "assignment not supported for #{self.class}"
end

#to_hashObject


71
72
73
# File 'lib/chef/encrypted_data_bag_item.rb', line 71

def to_hash
  @enc_hash.keys.inject({}) { |hash, key| hash[key] = self[key]; hash }
end