Class: Chef::EncryptedDataBagItem
- Inherits: Object
- Defined in: lib/chef/encrypted_data_bag_item.rb
Overview
An EncryptedDataBagItem represents a read-only data bag item where all values, except for the value associated with the id key, have been encrypted.
EncryptedDataBagItem can be used in recipes to decrypt data bag item members.
Data bag item values are assumed to have been encrypted using the default symmetric encryption provided by Encryptor.encrypt, where values are converted to YAML prior to encryption.
If the shared secret is not specified at initialization or load, then the contents of the file referred to by Chef::Config[:encrypted_data_bag_secret] will be used as the secret. The default path is /etc/chef/encrypted_data_bag_secret.
EncryptedDataBagItem is intended to provide a means to avoid storing data bag items in the clear on the Chef server. This provides some protection against a breach of the Chef server or of Chef server backup data. Because the secret must be stored in the clear on any node needing access to an EncryptedDataBagItem, this approach provides no protection of data bag items from actors with access to such nodes in the infrastructure.
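An added, constructed Ruby example (not Chef's code) that models the item format described above and mirrored by encrypt_value and #[] below: each value except "id" is converted to YAML, encrypted with aes-256-cbc and Base64 encoded. The page does not show Chef's private cipher helper, so the key/IV derivation used here (OpenSSL pkcs5_keyivgen on the shared secret) and the use of YAML.safe_load on decryption are this example's assumptions, not the project's.

```ruby
require "openssl"
require "yaml"

# Constructed example, not code from Chef: a stand-alone model of the
# EncryptedDataBagItem format (YAML -> aes-256-cbc -> Base64, "id" in clear).
ALGORITHM = "aes-256-cbc"

class DecryptionFailure < StandardError; end

# ASSUMPTION: the page does not show Chef's private `cipher` helper. This
# version derives key and IV from the shared secret with OpenSSL's
# pkcs5_keyivgen (password only, no salt, no random IV), so the same value
# under the same secret always yields the same ciphertext, and nothing
# authenticates the ciphertext: tampering is only caught if padding breaks.
def cipher(direction, data, secret)
  c = OpenSSL::Cipher.new(ALGORITHM)
  c.public_send(direction) # :encrypt or :decrypt
  c.pkcs5_keyivgen(secret)
  c.update(data) + c.final
end

# Mirrors encrypt_value: YAML -> AES-256-CBC -> Base64 ([x].pack("m") is
# exactly what Base64.encode64 does).
def encrypt_value(value, secret)
  [cipher(:encrypt, value.to_yaml, secret)].pack("m")
end

# Inverse of encrypt_value. YAML.safe_load is this example's choice: decrypted
# data is still untrusted input, so do not let it instantiate arbitrary objects.
def decrypt_value(encrypted, secret)
  YAML.safe_load(cipher(:decrypt, encrypted.unpack1("m"), secret))
rescue OpenSSL::Cipher::CipherError, Psych::SyntaxError => e
  raise DecryptionFailure, "wrong secret or corrupted value (#{e.class})"
end

# Mirrors encrypt_data_bag_item: "id" stays in the clear so the item can still
# be looked up on the server by name.
def encrypt_data_bag_item(plain_hash, secret)
  plain_hash.each_with_object({}) do |(key, val), h|
    h[key] = key == "id" ? val : encrypt_value(val, secret)
  end
end

# Mirrors #[] applied to every key, as to_hash does.
def decrypt_data_bag_item(enc_hash, secret)
  enc_hash.each_with_object({}) do |(key, val), h|
    h[key] = (key == "id" || val.nil?) ? val : decrypt_value(val, secret)
  end
end
```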
Defined Under Namespace
Modules: Decryptor
Classes: DecryptionFailure, UnsupportedCipher, UnsupportedEncryptedDataBagItemFormat
Constant Summary
- DEFAULT_SECRET_FILE = "/etc/chef/encrypted_data_bag_secret"
- ALGORITHM = 'aes-256-cbc'
Constructor Details
#initialize(enc_hash, secret) ⇒ EncryptedDataBagItem
Returns a new instance of EncryptedDataBagItem.
# File 'lib/chef/encrypted_data_bag_item.rb', line 187
def initialize(enc_hash, secret)
  @enc_hash = enc_hash
  @secret = secret
end
Class Method Details
.encrypt_data_bag_item(plain_hash, secret) ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 213
def self.encrypt_data_bag_item(plain_hash, secret)
  plain_hash.inject({}) do |h, (key, val)|
    h[key] = if key != "id"
      self.encrypt_value(val, secret)
    else
      val
    end
    h
  end
end
.encrypt_value(value, key) ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 230
def self.encrypt_value(value, key)
  Base64.encode64(self.cipher(:encrypt, value.to_yaml, key))
end
.from_plain_hash(plain_hash, secret) ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 209
def self.from_plain_hash(plain_hash, secret)
  self.new(self.encrypt_data_bag_item(plain_hash, secret), secret)
end
.load(data_bag, name, secret = nil) ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 224
def self.load(data_bag, name, secret = nil)
  raw_hash = Chef::DataBagItem.load(data_bag, name)
  secret = secret || self.load_secret
  self.new(raw_hash, secret)
end
.load_secret(path = nil) ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 234
def self.load_secret(path=nil)
  path = path || Chef::Config[:encrypted_data_bag_secret] || DEFAULT_SECRET_FILE
  secret = case path
           when /^\w+:\/\//
             begin
               Kernel.open(path).read.strip
             rescue Errno::ECONNREFUSED
               raise ArgumentError, "Remote key not available from '#{path}'"
             rescue OpenURI::HTTPError
               raise ArgumentError, "Remote key not found at '#{path}'"
             end
           else
             if !File.exists?(path)
               raise Errno::ENOENT, "file not found '#{path}'"
             end
             IO.read(path).strip
           end
  if secret.size < 1
    raise ArgumentError, "invalid zero length secret in '#{path}'"
  end
  secret
end
Instance Method Details
#[](key) ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 192
def [](key)
  value = @enc_hash[key]
  if key == "id" || value.nil?
    value
  else
    Decryptor.for(value, @secret).for_decrypted_item
  end
end
#[]=(key, value) ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 201
def []=(key, value)
  raise ArgumentError, "assignment not supported for #{self.class}"
end
#to_hash ⇒ Object
# File 'lib/chef/encrypted_data_bag_item.rb', line 205
def to_hash
  @enc_hash.keys.inject({}) { |hash, key| hash[key] = self[key]; hash }
end