chef-encrypted-attributes 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4457a367d12530c417f70d98a8a605e38da1c87b
+  data.tar.gz: 0ea836eb01e192f6dfcb851764b85c2fe0ed7798
+SHA512:
+  metadata.gz: 4db3eb8c4777c354b74885f85e480525a02fb90877d563ce4c056060b79680fe199767bff212e7a6eb3c7d479cc40c2b50525aab3d0b8da5eceb87f34d148570
+  data.tar.gz: bc645990a5ee3bc2ac9134710a8bc6013f7325f9d0ee0ac2df543ec14e41c224fce8736461df1b87d5d4cd5d4bdee5030167bf6170eee39bb0f712297291221a

data/API.md

@@ -0,0 +1,163 @@
+# Chef::EncryptedAttribute API Documentation
+
+`Chef::EncryptedAttribute` has some static methods intended to be used from cookbooks.
+
+## Static Methods
+
+### Chef::EncryptedAttribute.load(hs [, config])
+
+Reads an encrypted attribute from a hash, usually a node attribute.
+
+* `hs` - An encrypted hash, usually a node attribute. For example: `node["myapp"]["ftp_password"]`.
+* `config` - A configuration hash (optional). For example: `{ :partial_search => false }`.
+
+Returns the attribute in clear text, decrypted.
+
+An exception is thrown if the attribute cannot be decrypted or no encrypted attribute is found.
+
+### Chef::EncryptedAttribute.create(value [, config])
+
+Creates an encrypted attribute. The returned value should be saved in a node attribute, like `node.normal[...] = `.
+
+* `value` - The value to be encrypted. Can be a boolean, a number, a string, an array or a hash (the value will be converted to JSON internally).
+* `config` - A configuration hash (optional). For example: `{ :client_search => "admin:true" }`.
+
+Returns the encrypted attribute.
+
+An exception is thrown if any error arises in the encryption process.
+
+### Chef::EncryptedAttribute.update(hs [, config])
+
+Updates who can read the attribute. This is intended to be used to update to the new nodes returned by the `:client_search` or perhaps global configuration changes.
+
+For example, in case new nodes are added or some are removed, and the clients returned by `:client_search` are different, this `#update` method will decrypt the attribute and encrypt it again for the new nodes (or remove the old ones).
+
+If an update is made, the shared secrets are regenerated.
+
+* `hs` - This must be a node encrypted attribute, this attribute will be updated, so it is mandatory to specify the type (usually `normal`). For example: `node.normal["myapp"]["ftp_password"]`.
+* `config` - A configuration hash (optional). Surely you want this `#update` method to use the same `config` that the `#create` call.
+
+Returns `true` if the encrypted attribute has been updated, `false` if not.
+
+An exception is thrown if there is any error in the updating process.
+
+### Chef::EncryptedAttribute.exists?(hs)
+
+Checks whether an encrypted attribute exists.
+
+* `hs` - An encrypted hash, usually a node attribute. The attribute type can be specified but is not necessary. For example: `node["myapp"]["ftp_password"]`.
+
+Returns `true` if an encrypted attribute is found, `false` if not.
+
+### Chef::EncryptedAttribute.load_from_node(name, attr_ary [, config])
+
+Reads an encrypted attribute from a remote node.
+
+* `name` - The node name.
+* `attr_ary` - The attribute path as *array of strings*. For example: `[ "myapp", "ftp_password" ]`.
+* `config` - A configuration hash (optional). For example: `{ :partial_search => false }`.
+
+An exception is thrown if the attribute cannot be decrypted or no encrypted attribute is found.
+
+### Chef::EncryptedAttribute.create_on_node(name, attr_ary, value [, config])
+
+Creates an encrypted attribute on a remote node.
+
+* `name` - The node name.
+* `attr_ary` - The attribute path as *array of strings*. For example: `[ "myapp", "ftp_password" ]`.
+* `value` - The value to be encrypted. Can be a boolean, a number, a string, an array or a hash (the value will be converted to JSON internally).
+* `config` - A configuration hash (optional). For example: `{ :client_search => "admin:true" }`.
+
+An exception is thrown if any error arises in the encryption process.
+
+This method **requires admin privileges**. So in most cases, cannot be used from cookbooks.
+
+### Chef::EncryptedAttribute.update_on_node(name, attr_ary [, config])
+
+Updates who can read the attribute.
+
+* `name` - The node name.
+* `attr_ary` - The attribute path as *array of strings*. For example: `[ "myapp", "ftp_password" ]`.
+* `config` - A configuration hash (optional). Surely you want this `#update_on_node` method to use the same `config` that the `#create` call.
+
+Returns `true` if the encrypted attribute has been updated, `false` if not.
+
+An exception is thrown if there is any error in the updating process.
+
+This method **requires admin privileges**. So in most cases, cannot be used from cookbooks.
+
+### Chef::EncryptedAttribute.exists_on_node?(name, attr_ary [, config])
+
+Checks whether an encrypted attribute exists in a remote node.
+
+* `name` - The node name.
+* `attr_ary` - The attribute path as *array of strings*. For example: `[ "myapp", "ftp_password" ]`.
+* `config` - A configuration hash (optional). For example: `{ :partial_search => false }`.
+
+Returns `true` if an encrypted attribute is found, `false` if not.
+
+## Configuration
+
+All the methods read the default configuration from the `Chef::Config[:encrypted_attributes]` hash. Most of methods also support setting some configuration parameters as last argument. Both the global and the method argument configuration will be merged.
+
+If the configuration value to be merged is an array or a hash (for example `keys`), the method argument configuration value has preference over the global configuration. Arrays and hashes are not merged.
+
+Both `Chef::Config[:encrypted_attributes]` and methods `config` parameter should be a hash which may have any of the following keys:
+
+* `:version` - `EncryptedMash` format version to use, by default `1` is used which is considered best.
+* `:partial_search` - Whether to use Chef Server partial search, enabled by default. It may not work in some old versions of Chef Server.
+* `:client_search` - Search query for clients allowed to read the encrypted attribute. Can be a simple string or an array of queries to be *OR*-ed.
+* `:users` - Array of user names to be allowed to read the encrypted attribute(s). `"*"` to allow access to all users. Keep in mind that only admin clients or admin users are allowed to read user public keys. It is **not recommended** to use this from cookbooks unless you know what you are doing.
+* `:keys` - raw RSA public keys to be allowed to read encrypted attributes(s), in PEM (string) format. Can be client public keys, user public keys or any other RSA public key.
+
+For example, to disable Partial Search globally:
+
+```ruby
+Chef::Config[:encrypted_attributes][:partial_search] = false
+
+# ftp_pass = Chef::EncryptedAttribute.load(node["myapp"]["ftp_password"])
+# ...
+```
+
+To disable Partial Search locally:
+
+```ruby
+ftp_pass = Chef::EncryptedAttribute.load(node["myapp"]["ftp_password"], { :partial_search => false })
+```
+
+If you want to use knife to work with encrypted attributes, surely you will need to save your Chef User public keys in a Data Bag (there is no need to encrypt them because they are public) and add them to the `:keys` configuration option. See the [Example Using User Keys Data Bag](README.md#example-using-user-keys-data-bag) in the README for more information on this.
+
+## Caches
+
+This API uses some LRU caches to avoid making many requests to the Chef Server. All the caches are global and has the following methods:
+
+* `max_size` - Gets or sets the cache maximum item size.
+* `clear` - To empty the cache.
+* `[]` - To read a cache value (used internally).
+* `[]=` - To set a cache value (used internally).
+
+This are the currently available caches:
+
+* `Chef::EncryptedAttribute::RemoteClients.cache` - Caches the `:client_search` query results (max_size: `1024`).
+* `Chef::EncryptedAttribute::RemoteUsers.cache` - Caches the Chef Users public keys (max_size: `1024`).
+* `Chef::EncryptedAttribute::RemoteNode.cache` - Caches the node (encrypted) attributes. Disabled by default (max_size: `0`).
+
+### Clear All the Caches
+
+You can clear all the caches with the following code:
+
+```ruby
+Chef::EncryptedAttribute::RemoteClients.cache.clear
+Chef::EncryptedAttribute::RemoteUsers.cache.clear
+Chef::EncryptedAttribute::RemoteNode.cache.clear
+```
+
+### Disable All the Caches
+
+You can disable all the caches with the following code:
+
+```ruby
+Chef::EncryptedAttribute::RemoteClients.cache.max_size(0)
+Chef::EncryptedAttribute::RemoteUsers.cache.max_size(0)
+Chef::EncryptedAttribute::RemoteNode.cache.max_size(0)
+```

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# CHANGELOG for chef-encrypted-attributes
+
+This file is used to list changes made in each version of `chef-encrypted-attributes`.
+
+## 0.1.0:
+
+* Initial release of `chef-encrypted-attributes`

data/INTERNAL.md

@@ -0,0 +1,111 @@
+# Internal Documentation
+
+## EncryptedAttribute Class
+
+This class contains both static and instance level public methods. Internally, all work with `EncryptedMash` object instances.
+
+The **static methods** are intended to be used from Cookbooks. The attributes are encrypted only for the local node by default. The static `*_on_node` methods can be used also, although they have not been designed for this purpose (have not been tested).
+
+The **instance methods** are intended to be used from `knife` or external libraries. Usually only the `*_from_node/*_on_node` instance methods will be used. These methods will grant access only to the remote node by default.
+
+## EncryptedMash Class
+
+This is the most basic encrypted object, which inherits from `Chef::Mash`.
+
+Currently two `EncryptedMash` versions exists. But you can create your own versions and name it with the `Chef::EncryptedAttribute::EncryptedMash::Version` prefix.
+
+### EncryptedMash::Version0
+
+This is the first version, considered old. Uses public key cryptography (PKI) to encrypt the data. There is no shared secret or HMAC for data integrity checking.
+
+#### EncryptedMash::Version0 Structure
+
+If you try to read this encrypted attribute structure, you can see a `Chef::Mash` attribute with the following content:
+
+```
+└── encrypted_data
+    ├── pub_key_hash1: The data encrypted using PKI for the public key 1 (base64)
+    ├── pub_key_hash2: The data encrypted using PKI for the public key 2 (base64)
+    └── ...
+```
+
+The `public_key_hash1` key value is the *SHA1* of the public key used for encryption.
+
+Its content is the data encoded in *JSON*, then encrypted with the public key, and finally encoded in *base64*. The encryption is done using the *RSA* algorithm (PKI).
+
+### EncryptedMash::Version1 (default)
+
+This is the `EncryptedMash` version used by default. Uses public key cryptography (PKI) to encrypt a shared secret. Then this shared secret is used to encrypt the data.
+
+* This implementation can be improved, is not optimized either for performance or for space.
+* Every time the `EncryptedAttribute` is updated, all the shared secrets are regenerated.
+
+#### EncryptedMash::Version1 Structure
+
+If you try to read this encrypted attribute structure, you can see a *Mash* attribute with the following content:
+
+```
+EncryptedMash
+├── chef_type: "encrypted_attribute" (string).
+├── x_json_class: The used `EncryptedMash` version class name (string).
+├── encrypted_data
+│   ├── cipher: The used PKI algorithm, "aes-256-cbc" (string).
+│   ├── data: PKI encrypted data (base64).
+│   └── iv: Initialization vector (in base64).
+├── encrypted_secret
+│   ├── pub_key_hash1: The shared secrets encrypted for the public key 1 (base64).
+│   ├── pub_key_hash2: The shared secrets encrypted for the public key 2 (base64).
+│   └── ...
+└── hmac
+    ├── cipher: The used HMAC algorithm, currently ignored and always "sha256" (string).
+    └── data: Hash-based message authentication code value (base64).
+```
+
+* `x_json_class` field is used, with the `x_` prefix, to be easily integrated with Chef in the future.
+
+##### EncryptedMash[encrypted_data][data]
+
+The data inside `encrypted_data` is symmetrically encrypted using the secret shared key. The data is converted to *JSON* before the encryption, then encrypted and finally encoded in *base64*. By default, the `"aes-256-cbc"` algorithm is used for encryption.
+
+After decryption, the *JSON* has the following structure:
+
+```
+└── encrypted_data
+    └── data (symmetrically encrypted JSON in base64)
+        └── content: attribute content as a Mash.
+```
+
+* In the future, this structure may contain some metadata like default configuration values.
+
+##### EncryptedMash[encrypted_secret][pub_key_hash1]
+
+The `public_key_hash1` key value is the *SHA1* of the public key used for encryption.
+
+Its content is the encrypted shared secrets in *base64*. The encryption is done using the *RSA* algorithm (PKI).
+
+After decryption, you find the following structure in *JSON*:
+
+```
+└── encrypted_secret
+    └── pub_key_hash1 (PKI encrypted JSON in base64)
+        ├── data: The shared secret used to encrypt the data (base64).
+        └── hmac: The shared secret used for the HMAC calculation (base64).
+```
+
+##### EncryptedMash[hmac][data]
+
+The HMAC data is in *base64*. The hashing algorithm used is `"sha256"`.
+
+The following data is used in a alphabetically sorted *JSON* to calculate the HMAC:
+
+```
+Data to calculate the HMAC from
+├── cipher: The algorithm used for `encrypted_data` encryption ("aes-256-cbc").
+├── data: The `encrypted_data` data content after the encryption (encrypt-then-mac).
+└── iv: The initialization vector used to encrypt the encrypted_data.
+```
+
+* All the data required for decryption is included in the HMAC (except the secret key, of course): `cipher`, `data` and `iv`.
+* The data used to calculate the HMAC is the encrypted data, not the clear text data (**Encrypt-then-MAC**).
+* The secret used to calculate the HMAC is not the same as the secret used to encrypt the data.
+* The secret used to calculate the HMAC is shared inside `encrypted_secret` field with the data secret.

data/LICENSE

@@ -0,0 +1,190 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+Copyright 2014 Onddo Labs, SL. (www.onddo.com)
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.