Class: Chef::EncryptedDataBagItem
Defined in: lib/chef/encrypted_data_bag_item.rb
Overview
An EncryptedDataBagItem represents a read-only data bag item where all values, except for the value associated with the id key, have been encrypted.
EncryptedDataBagItem can be used in recipes to decrypt data bag item members.
Data bag item values are assumed to have been encrypted using the default symmetric encryption provided by Encryptor.encrypt where values are converted to YAML prior to encryption.
If the shared secret is not specified at initialization or load, then the contents of the file referred to in Chef::Config[:encrypted_data_bag_secret] will be used as the secret. The default path is /etc/chef/encrypted_data_bag_secret.
EncryptedDataBagItem is intended to provide a means to avoid storing data bag items in the clear on the Chef server. This provides some protection against a breach of the Chef server or of Chef server backup data. Because the secret must be stored in the clear on any node needing access to an EncryptedDataBagItem, this approach provides no protection of data bag items from actors with access to such nodes in the infrastructure.
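As an added example, not Chef's own code, the following stand-alone Ruby model shows the contract described above: the id key stays in the clear, every other value is serialized to YAML and encrypted with aes-256-cbc under a fresh IV, a blank secret file is rejected, and the resulting item is read-only. The SHA-256 key derivation, the {"iv", "encrypted_data"} envelope and the class name are this example's own assumptions and do not describe Chef's Encryptor/Decryptor format.

```ruby
require "openssl"
require "yaml"
require "base64"
require "digest"
require "tempfile"

# Assumed layout (not Chef's): the key is SHA-256 of the shared secret and
# each value is stored as {"iv" => base64, "encrypted_data" => base64}.
ALGORITHM = "aes-256-cbc".freeze

def aes_cipher(secret, iv, mode)
  c = OpenSSL::Cipher.new(ALGORITHM).send(mode) # :encrypt or :decrypt
  c.key, c.iv = Digest::SHA256.digest(secret), iv
  c
end

# Serialize to YAML (as the page describes), then encrypt under a random IV
# so that equal plaintexts never produce equal ciphertexts.
def encrypt_value(value, secret)
  iv = OpenSSL::Random.random_bytes(16)
  c = aes_cipher(secret, iv, :encrypt)
  data = c.update(YAML.dump(value)) + c.final
  { "iv" => Base64.strict_encode64(iv), "encrypted_data" => Base64.strict_encode64(data) }
end

def decrypt_value(env, secret)
  c = aes_cipher(secret, Base64.strict_decode64(env["iv"]), :decrypt)
  YAML.safe_load(c.update(Base64.strict_decode64(env["encrypted_data"])) + c.final)
end

# Every key except "id" is encrypted; "id" stays readable for lookups.
def encrypt_item(plain_hash, secret)
  plain_hash.each_with_object({}) { |(k, v), h| h[k] = k == "id" ? v : encrypt_value(v, secret) }
end

# Same guard as load_secret: a blank secret file must never become a key.
def load_secret_file(path)
  secret = File.read(path).strip
  raise ArgumentError, "invalid zero length secret in '#{path}'" if secret.empty?
  secret
end

# Read-only view: values are decrypted on access and assignment is refused.
class ReadOnlyEncryptedItem
  def initialize(enc_hash, secret)
    @enc_hash, @secret = enc_hash, secret
  end
  def [](key)
    v = @enc_hash[key]
    key == "id" || v.nil? ? v : decrypt_value(v, @secret)
  end
  def []=(_key, _value)
    raise ArgumentError, "assignment not supported for #{self.class}"
  end
  def to_hash
    @enc_hash.keys.each_with_object({}) { |k, h| h[k] = self[k] }
  end
end
```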
Defined Under Namespace
Modules: Decryptor, Encryptor
Classes: DecryptionFailure, UnacceptableEncryptedDataBagItemFormat, UnsupportedCipher, UnsupportedEncryptedDataBagItemFormat
Constant Summary
- ALGORITHM = 'aes-256-cbc'
Class Method Summary
- .encrypt_data_bag_item(plain_hash, secret) ⇒ Object
- .load(data_bag, name, secret = nil) ⇒ Object
- .load_secret(path = nil) ⇒ Object
Instance Method Summary
- #[](key) ⇒ Object
- #[]=(key, value) ⇒ Object
- #initialize(enc_hash, secret) ⇒ EncryptedDataBagItem (constructor): A new instance of EncryptedDataBagItem.
- #to_hash ⇒ Object
Constructor Details
#initialize(enc_hash, secret) ⇒ EncryptedDataBagItem
Returns a new instance of EncryptedDataBagItem.
    # File 'lib/chef/encrypted_data_bag_item.rb', line 352

    def initialize(enc_hash, secret)
      @enc_hash = enc_hash
      @secret = secret
    end
Class Method Details
.encrypt_data_bag_item(plain_hash, secret) ⇒ Object
    # File 'lib/chef/encrypted_data_bag_item.rb', line 374

    def self.encrypt_data_bag_item(plain_hash, secret)
      plain_hash.inject({}) do |h, (key, val)|
        # Only the "id" key is left in the clear; every other value is encrypted.
        h[key] = if key != "id"
          Encryptor.new(val, secret).for_encrypted_item
        else
          val
        end
        h
      end
    end
.load(data_bag, name, secret = nil) ⇒ Object
    # File 'lib/chef/encrypted_data_bag_item.rb', line 385

    def self.load(data_bag, name, secret = nil)
      raw_hash = Chef::DataBagItem.load(data_bag, name)
      secret = secret || self.load_secret
      self.new(raw_hash, secret)
    end
.load_secret(path = nil) ⇒ Object
    # File 'lib/chef/encrypted_data_bag_item.rb', line 391

    def self.load_secret(path=nil)
      path ||= Chef::Config[:encrypted_data_bag_secret]
      secret = case path
               when /^\w+:\/\//
                 # We have a remote key
                 begin
                   Kernel.open(path).read.strip
                 rescue Errno::ECONNREFUSED
                   raise ArgumentError, "Remote key not available from '#{path}'"
                 rescue OpenURI::HTTPError
                   raise ArgumentError, "Remote key not found at '#{path}'"
                 end
               else
                 if !File.exist?(path)
                   raise Errno::ENOENT, "file not found '#{path}'"
                 end
                 IO.read(path).strip
               end
      # A blank secret file must never silently become the encryption key.
      if secret.size < 1
        raise ArgumentError, "invalid zero length secret in '#{path}'"
      end
      secret
    end
Instance Method Details
#[](key) ⇒ Object
    # File 'lib/chef/encrypted_data_bag_item.rb', line 357

    def [](key)
      value = @enc_hash[key]
      if key == "id" || value.nil?
        value
      else
        Decryptor.for(value, @secret).for_decrypted_item
      end
    end
#[]=(key, value) ⇒ Object
    # File 'lib/chef/encrypted_data_bag_item.rb', line 366

    def []=(key, value)
      raise ArgumentError, "assignment not supported for #{self.class}"
    end
#to_hash ⇒ Object
    # File 'lib/chef/encrypted_data_bag_item.rb', line 370

    def to_hash
      @enc_hash.keys.inject({}) { |hash, key| hash[key] = self[key]; hash }
    end