Class: Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor
Defined in: lib/chef/encrypted_data_bag_item/encryptor.rb
Direct Known Subclasses
Instance Attribute Summary
- #key ⇒ Object (readonly)
  Returns the value of attribute key.
- #plaintext_data ⇒ Object (readonly)
  Returns the value of attribute plaintext_data.
Instance Method Summary
- #encrypted_data ⇒ Object
  Encrypts and Base64 encodes serialized_data.
- #for_encrypted_item ⇒ Object
  Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.
- #initialize(plaintext_data, key, iv = nil) ⇒ Version1Encryptor (constructor)
  Create a new Encryptor for data, which will be encrypted with the given key.
- #iv ⇒ Object
  Generates or returns the IV.
- #openssl_encryptor ⇒ Object
  Generates (and memoizes) an OpenSSL::Cipher::Cipher object and configures it for the specified iv and encryption key.
- #serialized_data ⇒ Object
  Wraps the data in a single key Hash (JSON Object) and converts to JSON.
Constructor Details
#initialize(plaintext_data, key, iv = nil) ⇒ Version1Encryptor
Create a new Encryptor for data, which will be encrypted with the given key.
Arguments:
- data: An object of any type that can be serialized to JSON
- key: A String representing the desired passphrase
- iv: The optional iv parameter is intended for testing use only. When not supplied, Encryptor will use OpenSSL to generate a secure random IV, which is what you want.

    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 62
    def initialize(plaintext_data, key, iv=nil)
      @plaintext_data = plaintext_data
      @key = key
      @iv = iv && Base64.decode64(iv)
    end
Instance Attribute Details
#key ⇒ Object (readonly)
Returns the value of attribute key.
    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 50
    def key
      @key
    end
#plaintext_data ⇒ Object (readonly)
Returns the value of attribute plaintext_data.
    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 51
    def plaintext_data
      @plaintext_data
    end
Instance Method Details
#encrypted_data ⇒ Object
Encrypts and Base64 encodes serialized_data.

    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 101
    def encrypted_data
      @encrypted_data ||= begin
        enc_data = openssl_encryptor.update(serialized_data)
        enc_data << openssl_encryptor.final
        Base64.encode64(enc_data)
      end
    end
#for_encrypted_item ⇒ Object
Returns a wrapped and encrypted version of plaintext_data suitable for using as the value in an encrypted data bag item.
    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 70
    def for_encrypted_item
      {
        "encrypted_data" => encrypted_data,
        "iv" => Base64.encode64(iv),
        "version" => 1,
        "cipher" => ALGORITHM
      }
    end
#iv ⇒ Object
Generates or returns the IV.
    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 80
    def iv
      # Generated IV comes from OpenSSL::Cipher::Cipher#random_iv
      # This gets generated when +openssl_encryptor+ gets created.
      openssl_encryptor if @iv.nil?
      @iv
    end
#openssl_encryptor ⇒ Object
Generates (and memoizes) an OpenSSL::Cipher::Cipher object and configures it for the specified iv and encryption key.
    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 89
    def openssl_encryptor
      @openssl_encryptor ||= begin
        encryptor = OpenSSL::Cipher::Cipher.new(ALGORITHM)
        encryptor.encrypt
        @iv ||= encryptor.random_iv
        encryptor.iv = @iv
        encryptor.key = Digest::SHA256.digest(key)
        encryptor
      end
    end
#serialized_data ⇒ Object
Wraps the data in a single key Hash (JSON Object) and converts to JSON. The wrapper is required because we accept values (such as Integers or Strings) that do not produce valid JSON when serialized without the wrapper.
    # File 'lib/chef/encrypted_data_bag_item/encryptor.rb', line 113
    def serialized_data
      FFI_Yajl::Encoder.encode(:json_wrapper => plaintext_data)
    end
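The constructor notes say the iv argument is for testing use only. The following added example (not Chef's code) repeats the documented Version 1 steps with Ruby's standard library to show why: with a fixed IV, equal plaintexts under the same key produce equal ciphertexts, while the default random IV does not. It assumes ALGORITHM is "aes-256-cbc" and uses stdlib JSON in place of FFI_Yajl; v1_encrypt, v1_decrypt, demo and the sample values are hypothetical names constructed for illustration.

```ruby
require "openssl"
require "digest"
require "base64"
require "json"

# Assumption: the page references ALGORITHM without showing its value.
ALGORITHM = "aes-256-cbc"
SECRET = "constructed-passphrase"        # constructed sample passphrase
FIXED_IV = Base64.encode64("\x00" * 16)  # constructed test IV, Base64 as the constructor expects

# Same steps as the documented class: JSON-wrap, key = SHA-256(passphrase),
# encrypt, Base64 encode. Stdlib JSON stands in for FFI_Yajl.
def v1_encrypt(plaintext_data, passphrase, iv_b64 = nil)
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.encrypt
  iv = iv_b64 ? Base64.decode64(iv_b64) : cipher.random_iv
  cipher.iv = iv
  cipher.key = Digest::SHA256.digest(passphrase)
  enc = cipher.update(JSON.generate({ "json_wrapper" => plaintext_data })) + cipher.final
  { "encrypted_data" => Base64.encode64(enc), "iv" => Base64.encode64(iv),
    "version" => 1, "cipher" => ALGORITHM }
end

# Hypothetical inverse, used here only to check the round trip.
def v1_decrypt(item, passphrase)
  cipher = OpenSSL::Cipher.new(item["cipher"])
  cipher.decrypt
  cipher.iv = Base64.decode64(item["iv"])
  cipher.key = Digest::SHA256.digest(passphrase)
  json = cipher.update(Base64.decode64(item["encrypted_data"])) + cipher.final
  JSON.parse(json)["json_wrapper"]
end

# Encrypt the same value twice with a fixed IV and twice with random IVs.
def demo
  fixed = Array.new(2) { v1_encrypt("db-password", SECRET, FIXED_IV) }
  random = Array.new(2) { v1_encrypt("db-password", SECRET) }
  { fixed_equal: fixed[0]["encrypted_data"] == fixed[1]["encrypted_data"],
    random_equal: random[0]["encrypted_data"] == random[1]["encrypted_data"],
    round_trip: v1_decrypt(random[0], SECRET) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

When reviewing stored data bag items, a repeated "iv" value across items encrypted with the same secret indicates the testing-only argument was used outside tests.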