Class: Chef::EncryptedDataBagItem::Encryptor
Defined in: lib/chef/encrypted_data_bag_item.rb
Overview
Implementation class for converting plaintext data bag item values to an encrypted value, including any necessary wrappers and metadata.
Instance Attribute Summary
- #key ⇒ Object (readonly)
  Returns the value of attribute key.
- #plaintext_data ⇒ Object (readonly)
  Returns the value of attribute plaintext_data.
Instance Method Summary
- #encrypted_data ⇒ Object
  Encrypts and Base64-encodes serialized_data.
- #for_encrypted_item ⇒ Object
  Returns a wrapped and encrypted version of plaintext_data suitable for use as the value in an encrypted data bag item.
- #initialize(plaintext_data, key, iv = nil) ⇒ Encryptor (constructor)
  Create a new Encryptor for data, which will be encrypted with the given key.
- #iv ⇒ Object
  Generates or returns the IV.
- #openssl_encryptor ⇒ Object
  Generates (and memoizes) an OpenSSL::Cipher::Cipher object and configures it with the specified IV and encryption key.
- #serialized_data ⇒ Object
  Wraps the data in a single-key Hash (JSON Object) and converts it to JSON.
Constructor Details
#initialize(plaintext_data, key, iv = nil) ⇒ Encryptor
Create a new Encryptor for data, which will be encrypted with the given key.
Arguments:
- data: An object of any type that can be serialized to JSON
- key: A String representing the desired passphrase
- iv: The optional iv parameter is intended for testing use only. When not supplied, Encryptor will use OpenSSL to generate a secure random IV, which is what you want. When supplied, it must be the Base64 encoding of the raw IV bytes.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 79
def initialize(plaintext_data, key, iv=nil)
  @plaintext_data = plaintext_data
  @key = key
  # A caller-supplied IV arrives Base64-encoded; the raw bytes are stored.
  @iv = iv && Base64.decode64(iv)
end
```
Instance Attribute Details
#key ⇒ Object (readonly)
Returns the value of attribute key.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 67
def key
  @key
end
```
#plaintext_data ⇒ Object (readonly)
Returns the value of attribute plaintext_data.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 68
def plaintext_data
  @plaintext_data
end
```
Instance Method Details
#encrypted_data ⇒ Object
Encrypts and Base64-encodes serialized_data.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 118
def encrypted_data
  @encrypted_data ||= begin
    enc_data = openssl_encryptor.update(serialized_data)
    enc_data << openssl_encryptor.final
    Base64.encode64(enc_data)
  end
end
```
#for_encrypted_item ⇒ Object
Returns a wrapped and encrypted version of plaintext_data suitable for use as the value in an encrypted data bag item. The returned Hash carries the Base64-encoded ciphertext and IV alongside the format version and cipher name, so the decrypting side can recover the parameters it needs; no integrity tag is included in this version-1 format.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 87
def for_encrypted_item
  {
    "encrypted_data" => encrypted_data,
    "iv" => Base64.encode64(iv),
    "version" => 1,
    "cipher" => ALGORITHM
  }
end
```
#iv ⇒ Object
Generates or returns the IV.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 97
def iv
  # Generated IV comes from OpenSSL::Cipher::Cipher#random_iv
  # This gets generated when +openssl_encryptor+ gets created.
  openssl_encryptor if @iv.nil?
  @iv
end
```
#openssl_encryptor ⇒ Object
Generates (and memoizes) an OpenSSL::Cipher::Cipher object and configures it with the specified IV and encryption key. The passphrase is not used directly: its SHA-256 digest becomes the cipher key, so any passphrase length yields a key of the size the cipher expects.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 106
def openssl_encryptor
  @openssl_encryptor ||= begin
    encryptor = OpenSSL::Cipher::Cipher.new(ALGORITHM)
    encryptor.encrypt
    # Fall back to a fresh random IV unless one was supplied (testing only).
    @iv ||= encryptor.random_iv
    encryptor.iv = @iv
    # The key is the SHA-256 digest of the passphrase, not the passphrase itself.
    encryptor.key = Digest::SHA256.digest(key)
    encryptor
  end
end
```
#serialized_data ⇒ Object
Wraps the data in a single-key Hash (JSON Object) and converts it to JSON. The wrapper is required because we accept values (such as Integers or Strings) that do not produce valid JSON when serialized without the wrapper.

```ruby
# File 'lib/chef/encrypted_data_bag_item.rb', line 130
def serialized_data
  Yajl::Encoder.encode(:json_wrapper => plaintext_data)
end
```
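The following stand-alone Ruby is an added example, not Chef's own code: it reproduces the version-1 wrapping performed by the methods above (SHA-256 of the passphrase as key, JSON wrapper, Base64 of ciphertext and IV) and adds the inverse operation so the round trip can be checked. It assumes ALGORITHM is "aes-256-cbc", uses the stdlib JSON encoder in place of Yajl, and the function names are hypothetical.

```ruby
require "openssl"
require "base64"
require "json"

# Assumption: Chef's ALGORITHM constant for version-1 items is "aes-256-cbc".
ALGORITHM = "aes-256-cbc"

# Mirror of Encryptor#for_encrypted_item. The key is the SHA-256 digest of the
# passphrase; the value is wrapped as {"json_wrapper" => value} before
# encryption; ciphertext and IV are Base64-encoded. A supplied iv must be
# Base64-encoded raw bytes, exactly as Encryptor#initialize expects.
def encrypt_data_bag_value(plaintext, passphrase, iv = nil)
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.encrypt
  raw_iv = iv ? Base64.decode64(iv) : cipher.random_iv
  cipher.iv = raw_iv
  cipher.key = OpenSSL::Digest::SHA256.digest(passphrase)
  serialized = JSON.generate("json_wrapper" => plaintext)   # stdlib stands in for Yajl
  enc = cipher.update(serialized) + cipher.final
  {
    "encrypted_data" => Base64.encode64(enc),
    "iv" => Base64.encode64(raw_iv),
    "version" => 1,
    "cipher" => ALGORITHM,
  }
end

# Inverse of the above (hypothetical helper, not part of Chef). With a wrong
# passphrase the CBC padding check in #final almost always raises
# OpenSSL::Cipher::CipherError, and otherwise JSON parsing fails: those are the
# only tamper signals this unauthenticated version-1 format offers.
def decrypt_data_bag_value(wrapped, passphrase)
  raise ArgumentError, "unsupported version" unless wrapped["version"] == 1
  raise ArgumentError, "unexpected cipher" unless wrapped["cipher"] == ALGORITHM
  cipher = OpenSSL::Cipher.new(ALGORITHM)
  cipher.decrypt
  cipher.iv = Base64.decode64(wrapped["iv"])
  cipher.key = OpenSSL::Digest::SHA256.digest(passphrase)
  plain = cipher.update(Base64.decode64(wrapped["encrypted_data"])) + cipher.final
  JSON.parse(plain)["json_wrapper"]
end
```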