chef-encrypted-attributes 0.1.0

data/lib/chef/encrypted_attribute.rb

@@ -0,0 +1,218 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_attribute/config'
+require 'chef/encrypted_attribute/encrypted_mash'
+require 'chef/config'
+require 'chef/mash'
+require 'chef/api_client'
+
+require 'chef/encrypted_attribute/local_node'
+require 'chef/encrypted_attribute/remote_node'
+require 'chef/encrypted_attribute/remote_clients'
+require 'chef/encrypted_attribute/remote_users'
+require 'chef/encrypted_attribute/encrypted_mash/version0'
+require 'chef/encrypted_attribute/encrypted_mash/version1'
+
+Chef::Config[:encrypted_attributes] = Mash.new unless Chef::Config[:encrypted_attributes].kind_of?(Hash)
+
+class Chef
+  class EncryptedAttribute
+
+    def initialize(c=nil)
+      config(c)
+    end
+
+    def config(arg=nil)
+      @config ||= EncryptedAttribute::Config.new(Chef::Config[:encrypted_attributes])
+      @config.update!(arg) unless arg.nil?
+      @config
+    end
+
+    # Decrypts an encrypted attribute from a (encrypted) Hash
+    def load(enc_hs, key=nil)
+      enc_attr = EncryptedMash.json_create(enc_hs)
+      decrypted = enc_attr.decrypt(key || local_key)
+      decrypted['content'] # TODO check this Hash
+    end
+
+    # Decrypts a encrypted attribute from a remote node
+    def load_from_node(name, attr_ary, key=nil)
+      remote_node = RemoteNode.new(name)
+      self.load(remote_node.load_attribute(attr_ary, config.partial_search), key)
+    end
+
+    # Creates an encrypted attribute from a Hash
+    def create(value, keys=nil)
+      decrypted = { 'content' => value }
+
+      enc_attr = EncryptedMash.create(config.version)
+      enc_attr.encrypt(decrypted, target_keys(keys))
+    end
+
+    def create_on_node(name, attr_ary, value)
+      # read the client public key
+      node_public_key = Chef::ApiClient.load(name).public_key
+
+      # create the encrypted attribute
+      enc_attr = self.create(value, [ node_public_key ])
+
+      # save encrypted attribute
+      remote_node = RemoteNode.new(name)
+      remote_node.save_attribute(attr_ary, enc_attr)
+    end
+
+    # Updates the keys for which the attribute is encrypted
+    def update(enc_hs, keys=nil)
+      old_enc_attr = EncryptedMash.json_create(enc_hs)
+      if old_enc_attr.needs_update?(target_keys(keys))
+        hs = old_enc_attr.decrypt(local_key)
+        new_enc_attr = create(hs['content'], keys) # TODO check this Hash
+        enc_hs.replace(new_enc_attr)
+        true
+      else
+        false
+      end
+    end
+
+    def update_on_node(name, attr_ary)
+      # read the client public key
+      node_public_key = Chef::ApiClient.load(name).public_key
+
+      # update the encrypted attribute
+      remote_node = RemoteNode.new(name)
+      enc_hs = remote_node.load_attribute(attr_ary, config.partial_search)
+      updated = update(enc_hs, [ node_public_key ])
+
+      # save encrypted attribute
+      if updated
+        # TODO Node is accessed twice (here and RemoteNode#load_attribute above)
+        remote_node.save_attribute(attr_ary, enc_hs)
+      end
+      updated
+    end
+
+    protected
+
+    def remote_client_keys
+      RemoteClients.get_public_keys(config.client_search, config.partial_search)
+    end
+
+    def remote_user_keys
+      RemoteUsers.get_public_keys(config.users)
+    end
+
+    def target_keys(keys=nil)
+      target_keys = config.keys + remote_client_keys + remote_user_keys
+      target_keys += keys if keys.kind_of?(Array)
+      target_keys
+    end
+
+    def local_key
+      self.class.local_node.key
+    end
+
+    def self.local_node
+      LocalNode.new
+    end
+
+    def self.config(arg)
+      config = EncryptedAttribute::Config.new(Chef::Config[:encrypted_attributes])
+      config.update!(arg)
+      config.keys(config.keys + [ self.local_node.public_key ])
+      config
+    end
+
+    public
+
+    def self.load(hs, c={})
+      Chef::Log.debug("#{self.class.name}: Loading Local Encrypted Attribute from: #{hs.to_s}")
+      enc_attr = EncryptedAttribute.new(self.config(c))
+      result = enc_attr.load(hs)
+      Chef::Log.debug("#{self.class.name}: Local Encrypted Attribute loaded.")
+      result
+    end
+
+    def self.load_from_node(name, attr_ary, c={})
+      Chef::Log.debug("#{self.class.name}: Loading Remote Encrypted Attribute from #{name}: #{attr_ary.to_s}")
+      enc_attr = EncryptedAttribute.new(self.config(c))
+      result = enc_attr.load_from_node(name, attr_ary)
+      Chef::Log.debug("#{self.class.name}: Remote Encrypted Attribute loaded.")
+      result
+    end
+
+    def self.create(value, c={})
+      Chef::Log.debug("#{self.class.name}: Creating Encrypted Attribute.")
+      enc_attr = EncryptedAttribute.new(self.config(c))
+      result = enc_attr.create(value)
+      Chef::Log.debug("#{self.class.name}: Encrypted Attribute created.")
+      result
+    end
+
+    def self.create_on_node(name, attr_ary, value, c={})
+      Chef::Log.debug("#{self.class.name}: Creating Remote Encrypted Attribute on #{name}: #{attr_ary.to_s}")
+      enc_attr = EncryptedAttribute.new(self.config(c))
+      result = enc_attr.create_on_node(name, attr_ary, value)
+      Chef::Log.debug("#{self.class.name}: Encrypted Remote Attribute created.")
+      result
+    end
+
+    def self.update(hs, c={})
+      Chef::Log.debug("#{self.class.name}: Updating Encrypted Attribute: #{hs.to_s}")
+      enc_attr = EncryptedAttribute.new(self.config(c))
+      result = enc_attr.update(hs)
+      if result
+        Chef::Log.debug("#{self.class.name}: Encrypted Attribute updated.")
+      else
+        Chef::Log.debug("#{self.class.name}: Encrypted Attribute not updated.")
+      end
+      result
+    end
+
+    def self.update_on_node(name, attr_ary, c={})
+      Chef::Log.debug("#{self.class.name}: Updating Remote Encrypted Attribute on #{name}: #{attr_ary.to_s}")
+      enc_attr = EncryptedAttribute.new(self.config(c))
+      result = enc_attr.update_on_node(name, attr_ary)
+      if result
+        Chef::Log.debug("#{self.class.name}: Encrypted Remote Attribute updated.")
+      else
+        Chef::Log.debug("#{self.class.name}: Encrypted Remote Attribute not updated.")
+      end
+      result
+    end
+
+    def self.exists?(hs)
+      Chef::Log.debug("#{self.class.name}: Checking if Encrypted Attribute exists here: #{hs.to_s}")
+      result = EncryptedMash.exists?(hs)
+      if result
+        Chef::Log.debug("#{self.class.name}: Encrypted Attribute found.")
+      else
+        Chef::Log.debug("#{self.class.name}: Encrypted Attribute not found.")
+      end
+      result
+    end
+
+    def self.exists_on_node?(name, attr_ary, c={})
+      Chef::Log.debug("#{self.class.name}: Checking if Remote Encrypted Attribute exists on #{name}")
+      remote_node = RemoteNode.new(name)
+      node_attr = remote_node.load_attribute(attr_ary, self.config(c).partial_search)
+      Chef::EncryptedAttribute.exists?(node_attr)
+    end
+
+  end
+end

data/lib/chef/encrypted_attribute/cache_lru.rb

@@ -0,0 +1,74 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/mixin/params_validate'
+
+# Based on https://github.com/SamSaffron/lru_redux
+class Chef
+  class EncryptedAttribute
+    class CacheLru < Hash
+      include ::Chef::Mixin::ParamsValidate
+
+      def initialize(size=nil)
+        super
+        max_size(size)
+      end
+
+      def max_size(arg=nil)
+        set_or_return(
+          :max_size,
+          arg,
+          :kind_of => [ Fixnum ],
+          :default => 1024,
+          :callbacks => begin
+            { 'should not be lower that zero' => lambda { |x| x >= 0 } }
+          end
+        )
+        pop_tail unless arg.nil?
+        @max_size
+      end
+
+      def [](key)
+        if has_key?(key)
+          val = super(key)
+          self[key] = val
+        else
+          nil
+        end
+      end
+
+      def []=(key, val)
+        if max_size > 0 # unnecessary "if", small optimization?
+          delete(key)
+          super(key, val)
+          pop_tail
+        end
+        val
+      end
+
+      protected
+
+      def pop_tail
+        while size > max_size
+          delete(first[0])
+        end
+      end
+
+    end
+  end
+end

data/lib/chef/encrypted_attribute/config.rb

@@ -0,0 +1,200 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/mixin/params_validate'
+
+class Chef
+  class EncryptedAttribute
+    class Config
+      include ::Chef::Mixin::ParamsValidate
+
+      OPTIONS = [
+        :version,
+        :partial_search,
+        :client_search,
+        :users,
+        :keys,
+      ].freeze
+
+      def initialize(config=nil)
+        update!(config) unless config.nil?
+      end
+
+      def version(arg=nil)
+        unless arg.nil? or not arg.kind_of?(String)
+          arg = Integer(arg) rescue arg
+        end
+        set_or_return(
+          :version,
+          arg,
+          :kind_of => [ Fixnum, String ],
+          :default => 1
+        )
+      end
+
+      def partial_search(arg=nil)
+        set_or_return(
+          :partial_search,
+          arg,
+          :kind_of => [ TrueClass, FalseClass ],
+          :default => true
+        )
+      end
+
+      def client_search(arg=nil)
+        unless arg.nil? or not arg.kind_of?(String)
+          arg = [ arg ]
+        end
+        set_or_return(
+          :client_search,
+          arg,
+          :kind_of => Array,
+          :default => [],
+          :callbacks => config_search_array_callbacks
+        )
+      end
+
+      def users(arg=nil)
+        set_or_return(
+          :users,
+          arg,
+          :kind_of => [ String, Array ],
+          :default => [],
+          :callbacks => config_users_arg_callbacks
+        )
+      end
+
+      def keys(arg=nil)
+        set_or_return(
+          :keys,
+          arg,
+          :kind_of => Array,
+          :default => [],
+          :callbacks => config_valid_keys_array_callbacks
+        )
+      end
+
+      def update!(config)
+        if config.kind_of?(self.class)
+          OPTIONS.each do |attr|
+            value = dup_object(config.send(attr))
+            self.instance_variable_set("@#{attr.to_s}", value)
+          end
+        elsif config.kind_of?(Hash)
+          config.each do |attr, value|
+            attr = attr.to_sym if attr.kind_of?(String)
+            if OPTIONS.include?(attr)
+              value = dup_object(value)
+              self.send(attr, value)
+            else
+              Chef::Log.warn("#{self.class.to_s}: configuration method not found: \"#{attr.to_s}\".")
+            end
+          end
+        end
+      end
+
+      def [](key)
+        key = key.to_sym if key.kind_of?(String)
+        if OPTIONS.include?(key)
+          self.send(key)
+        end
+      end
+
+      def []=(key, value)
+        key = key.to_sym if key.kind_of?(String)
+        if OPTIONS.include?(key)
+          self.send(key, value)
+        end
+      end
+
+      protected
+
+      def dup_object(o)
+        o.dup
+      rescue TypeError
+        o
+      end
+
+      def config_valid_search_array?(s_ary)
+        s_ary.each do |s|
+          return false unless s.kind_of?(String)
+        end
+        true
+      end
+
+      def config_search_array_callbacks
+        {
+          'should be a valid array of search patterns' => lambda do |cs|
+            config_valid_search_array?(cs)
+          end
+        }
+      end
+
+      def config_valid_user_arg?(users)
+        return users == '*' if users.kind_of?(String)
+        users.each do |u|
+          return false unless u.kind_of?(String) and u.match(/^[a-z0-9\-_]+$/)
+        end
+        true
+      end
+
+      def config_users_arg_callbacks
+        {
+          'should be a valid array of search patterns' => lambda do |us|
+            config_valid_user_arg?(us)
+          end
+        }
+      end
+
+      def config_valid_key?(k)
+        rsa_k = case k
+        when OpenSSL::PKey::RSA
+          k
+        when String
+          begin
+            OpenSSL::PKey::RSA.new(k)
+          rescue OpenSSL::PKey::RSAError, TypeError
+            nil
+          end
+        else
+          nil
+        end
+        return false if rsa_k.nil?
+        rsa_k.public?
+      end
+
+      def config_valid_keys_array?(k_ary)
+        k_ary.each do |k|
+          unless config_valid_key?(k)
+            return false
+          end
+        end
+        true
+      end
+
+      def config_valid_keys_array_callbacks
+        {
+          'should be a valid array of keys' => lambda do |keys|
+            config_valid_keys_array?(keys)
+          end
+        }
+      end
+
+    end
+  end
+end