Module: Chef::EncryptedDataBagItem::Decryptor

Defined in:: lib/chef/encrypted_data_bag_item/decryptor.rb

Overview

Decryptor

For backwards compatibility, Chef implements decryption/deserialization for older encrypted data bag item formats in addition to the current version. Each decryption/deserialization strategy is implemented as a class in this namespace. For convenience the factory method Decryptor.for() can be used to create an instance of the appropriate strategy for the given encrypted data bag value.

Defined Under Namespace

Classes: Version0Decryptor, Version1Decryptor, Version2Decryptor

Class Method Summary collapse

.assert_format_version_acceptable!(format_version) ⇒ Object
.for(encrypted_value, key) ⇒ Object

Detects the encrypted data bag item format version and instantiates a decryptor object for that version.
.format_version_of(encrypted_value) ⇒ Object

Class Method Details

.assert_format_version_acceptable!(format_version) ⇒ `Object`

# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 68

def self.assert_format_version_acceptable!(format_version)
  unless format_version.kind_of?(Integer) and format_version >= Chef::Config[:data_bag_decrypt_minimum_version]
    raise UnacceptableEncryptedDataBagItemFormat,
      "The encrypted data bag item has format version `#{format_version}', " +
      "but the config setting 'data_bag_decrypt_minimum_version' requires version `#{Chef::Config[:data_bag_decrypt_minimum_version]}'"
  end
end

.for(encrypted_value, key) ⇒ `Object`

Detects the encrypted data bag item format version and instantiates a decryptor object for that version. Call #for_decrypted_item on the resulting object to decrypt and deserialize it.

# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 44

def self.for(encrypted_value, key)
  format_version = format_version_of(encrypted_value)
  assert_format_version_acceptable!(format_version)
  case format_version
  when 2
    Version2Decryptor.new(encrypted_value, key)
  when 1
    Version1Decryptor.new(encrypted_value, key)
  when 0
    Version0Decryptor.new(encrypted_value, key)
  else
    raise UnsupportedEncryptedDataBagItemFormat,
      "This version of chef does not support encrypted data bag item format version '#{format_version}'"
  end
end

.format_version_of(encrypted_value) ⇒ `Object`

# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 60

def self.format_version_of(encrypted_value)
  if encrypted_value.respond_to?(:key?)
    encrypted_value["version"]
  else
    0
  end
end