chef-encrypted-attributes 0.1.0

data/lib/chef/encrypted_attribute/encrypted_mash.rb

@@ -0,0 +1,122 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/mash'
+require 'chef/encrypted_attribute/exceptions'
+
+class Chef
+  class EncryptedAttribute
+    class EncryptedMash < Mash
+
+      # This class is oriented to be easily integrable with
+      # chef in the future using JSONCompat
+
+      JSON_CLASS =      'x_json_class'.freeze
+      CHEF_TYPE =       'chef_type'.freeze
+      CHEF_TYPE_VALUE = 'encrypted_attribute'.freeze
+
+      VERSION_PREFIX = "#{self.name}::Version"
+
+      def initialize(enc_hs=nil)
+        super
+        self[JSON_CLASS] = self.class.name
+        self[CHEF_TYPE] = CHEF_TYPE_VALUE
+        update_from!(enc_hs) if enc_hs.kind_of?(Hash)
+      end
+
+      %w{encrypt decrypt can_be_decrypted_by? needs_update?}.each do |meth|
+        define_method(meth) do
+          raise NotImplementedError, "#{self.class.to_s}##{__method__} method not implemented."
+        end
+      end
+
+      def self.exists?(enc_hs)
+        enc_hs.kind_of?(Hash) and
+        enc_hs.has_key?(JSON_CLASS) and
+        enc_hs[JSON_CLASS] =~ /^#{Regexp.escape(Module.nesting[1].name)}/ and
+        enc_hs.has_key?(CHEF_TYPE) and enc_hs[CHEF_TYPE] == CHEF_TYPE_VALUE
+      end
+
+      def self.create(version)
+        klass = version_klass(version)
+        klass.send(:new)
+      end
+
+      # Serialize this object as a Hash
+      def to_json(*a)
+        for_json.to_json(*a)
+      end
+
+      # Returns a Hash for JSON
+      def for_json
+        to_hash
+      end
+
+      # Update the EncryptedMash from Hash
+      def update_from!(enc_hs)
+        unless self.class.exists?(enc_hs)
+          raise UnacceptableEncryptedAttributeFormat, 'Trying to construct invalid encrypted attribute. Maybe it is not encrypted?'
+        end
+        enc_hs = enc_hs.dup
+        enc_hs.delete(JSON_CLASS)
+        enc_hs.delete(CHEF_TYPE)
+        update(enc_hs)
+      end
+
+      # Create an EncryptedMash::Version from JSON Hash
+      def self.json_create(enc_hs)
+        klass = string_to_klass(enc_hs[JSON_CLASS])
+        if klass.nil?
+          raise UnsupportedEncryptedAttributeFormat, "Unknown chef-encrypted-attribute class \"#{enc_hs[JSON_CLASS]}\""
+        end
+        klass.send(:new, enc_hs)
+      end
+
+      protected
+
+      def self.string_to_klass(class_name)
+        unless class_name.kind_of?(String)
+          raise UnacceptableEncryptedAttributeFormat, "Bad chef-encrypted-attribute class name \"#{class_name.inspect}\""
+        end
+        begin
+          if RUBY_VERSION < '1.9'
+            class_name.split('::').inject(Kernel) { |scope, const| scope.const_get(const) }
+          else
+            class_name.split('::').inject(Kernel) { |scope, const| scope.const_get(const, scope === Kernel) }
+          end
+        rescue NameError => e
+          Chef::Log.error(e)
+          nil
+        end
+      end
+
+      def self.version_klass(version)
+        version = version.to_s unless version.kind_of?(String)
+        if version.empty?
+          raise UnacceptableEncryptedAttributeFormat, "Bad chef-encrypted-attribute version \"#{version.inspect}\""
+        end
+        klass = string_to_klass("#{VERSION_PREFIX}#{version}")
+        if klass.nil?
+          raise UnsupportedEncryptedAttributeFormat, "This version of chef-encrypted-attribute does not support encrypted attribute item format version: \"#{version}\""
+        end
+        klass
+      end
+
+    end
+  end
+end

data/lib/chef/encrypted_attribute/encrypted_mash/version0.rb

@@ -0,0 +1,143 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_attribute/encrypted_mash'
+require 'chef/encrypted_attribute/exceptions'
+require 'yajl'
+
+# Version0 format: using RSA without shared secret
+class Chef
+  class EncryptedAttribute
+    class EncryptedMash
+      class Version0 < Chef::EncryptedAttribute::EncryptedMash
+
+        def encrypt(value, public_keys)
+          value_json = json_encode(value)
+          public_keys = parse_public_keys(public_keys)
+          self['encrypted_data'] = rsa_encrypt_multi_key(value_json, public_keys)
+          self
+        end
+
+        def decrypt(key)
+          key = parse_decryption_key(key)
+          value_json = rsa_decrypt_multi_key(self['encrypted_data'], key)
+          json_decode(value_json)
+          # we avoid saving the decrypted value, only return it
+        end
+
+        def can_be_decrypted_by?(keys)
+          return false unless encrypted?
+          parse_public_keys(keys).reduce(true) do |r, k|
+            r and data_can_be_decrypted_by_key?(self['encrypted_data'], k)
+          end
+        end
+
+        def needs_update?(keys)
+          keys = parse_public_keys(keys)
+          not can_be_decrypted_by?(keys) && self['encrypted_data'].keys.count == keys.count
+        end
+
+        protected
+
+        def encrypted?
+          has_key?('encrypted_data') and self['encrypted_data'].kind_of?(Hash)
+        end
+
+        def pem_to_key(k)
+          k.kind_of?(OpenSSL::PKey::RSA) ? k : OpenSSL::PKey::RSA.new(k)
+        rescue OpenSSL::PKey::RSAError, TypeError => e
+          raise InvalidPrivateKey, "The provided key is invalid: #{k.inspect}"
+        end
+
+        def parse_public_key(key)
+          key = pem_to_key(key)
+          unless key.public?
+            raise InvalidPublicKey, 'Invalid public key provided.'
+          end
+          key
+        end
+
+        def parse_decryption_key(key)
+          key = pem_to_key(key)
+          unless key.public? and key.private?
+            raise InvalidPrivateKey, 'The provided key for decryption is invalid, a valid public and private key is required.'
+          end
+          unless can_be_decrypted_by?(key) # TODO optimize, node key digest is calculated multiple times
+            raise DecryptionFailure, 'Attribute data cannot be decrypted by the provided key.'
+          end
+          key
+        end
+
+        def parse_public_keys(keys)
+          keys = [ keys ].flatten
+          keys.map do |k|
+            parse_public_key(k)
+          end.uniq { |k| k.public_key.to_s.chomp }
+        end
+
+        def json_encode(o)
+          # TODO This does not check if the object is correct, should be an Array or a Hash
+          Yajl::Encoder.encode(o)
+        end
+
+        def json_decode(o)
+          Yajl::Parser.parse(o.to_s)
+        rescue Yajl::ParseError => e
+          raise DecryptionFailure, "#{e.class.name}: #{e.to_s}"
+        end
+
+        def node_key(public_key)
+          Digest::SHA1.hexdigest(public_key.to_der)
+        end
+
+        def rsa_encrypt_value(value, public_key)
+          Base64.encode64(public_key.public_encrypt(value))
+        rescue OpenSSL::PKey::RSAError => e
+          raise EncryptionFailure, "#{e.class.name}: #{e.to_s}"
+        end
+
+        def rsa_decrypt_value(value, key)
+          key.private_decrypt(Base64.decode64(value.to_s))
+        rescue OpenSSL::PKey::RSAError => e
+          raise DecryptionFailure, "#{e.class.name}: #{e.to_s}"
+        end
+
+        def rsa_encrypt_multi_key(value, public_keys)
+          Mash.new(Hash[
+            public_keys.map do |public_key|
+              [
+                node_key(public_key),
+                rsa_encrypt_value(value, public_key),
+              ]
+            end
+          ])
+        end
+
+        def rsa_decrypt_multi_key(enc_value, key)
+          enc_value = enc_value[node_key(key.public_key)]
+          rsa_decrypt_value(enc_value, key)
+        end
+
+        def data_can_be_decrypted_by_key?(enc_value, key)
+          enc_value.has_key?(node_key(key.public_key))
+        end
+
+      end
+    end
+  end
+end

data/lib/chef/encrypted_attribute/encrypted_mash/version1.rb

@@ -0,0 +1,140 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_attribute/encrypted_mash/version0'
+require 'chef/encrypted_attribute/exceptions'
+
+# Version1 format: using RSA with a shared secret and message authentication (HMAC)
+class Chef
+  class EncryptedAttribute
+    class EncryptedMash
+      class Version1 < Chef::EncryptedAttribute::EncryptedMash::Version0
+        SYMM_ALGORITHM = 'aes-256-cbc'
+        HMAC_ALGORITHM = 'sha256'
+
+        def encrypt(value, public_keys)
+          secrets = {}
+          value_json = json_encode(value)
+          public_keys = parse_public_keys(public_keys)
+          # encrypt the data
+          encrypted_data = symmetric_encrypt_value(value_json)
+          secrets['data'] = encrypted_data.delete('secret') # should no include the secret in clear
+          self['encrypted_data'] = encrypted_data
+          # generate hmac (encrypt-then-mac), excluding the secret
+          hmac = generate_hmac(json_encode(self['encrypted_data'].sort))
+          secrets['hmac'] = hmac.delete('secret')
+          self['hmac'] = hmac
+          # encrypt the shared secrets
+          self['encrypted_secret'] = rsa_encrypt_multi_key(json_encode(secrets), public_keys)
+          self
+        end
+
+        def decrypt(key)
+          key = parse_decryption_key(key)
+          enc_value = self['encrypted_data'].dup
+          hmac = self['hmac'].dup
+          # decrypt the shared secrets
+          secrets = json_decode(rsa_decrypt_multi_key(self['encrypted_secret'], key))
+          enc_value['secret'] = secrets['data']
+          hmac['secret'] = secrets['hmac']
+          # check hmac (encrypt-then-mac -> mac-then-decrypt)
+          unless hmac_matches?(hmac, json_encode(self['encrypted_data'].sort))
+            raise DecryptionFailure, 'Error decrypting encrypted attribute: invalid hmac. Most likely the data is corrupted.'
+          end
+          # decrypt the data
+          value_json = symmetric_decrypt_value(enc_value)
+          json_decode(value_json)
+        end
+
+        def can_be_decrypted_by?(keys)
+          return false unless encrypted?
+          parse_public_keys(keys).reduce(true) do |r, k|
+            r and data_can_be_decrypted_by_key?(self['encrypted_secret'], k)
+          end
+        end
+
+        def needs_update?(keys)
+          keys = parse_public_keys(keys)
+          not can_be_decrypted_by?(keys) && self['encrypted_secret'].keys.count == keys.count
+        end
+
+        protected
+
+        def encrypted?
+          super and
+          self['encrypted_data'].has_key?('iv') and
+          self['encrypted_data']['iv'].kind_of?(String) and
+          self['encrypted_data'].has_key?('data') and
+          self['encrypted_data']['data'].kind_of?(String) and
+          self['encrypted_secret'].kind_of?(Hash) and
+          self['hmac'].kind_of?(Hash) and
+          self['hmac'].has_key?('data') and
+          self['hmac']['data'].kind_of?(String)
+        end
+
+        def symmetric_encrypt_value(value, algo=SYMM_ALGORITHM)
+          enc_value = Mash.new({ 'cipher' => algo })
+          begin
+            cipher = OpenSSL::Cipher.new(algo)
+            cipher.encrypt
+            enc_value['iv'] = Base64.encode64(cipher.iv = cipher.random_iv)
+            enc_value['secret'] = Base64.encode64(cipher.key = cipher.random_key)
+            enc_data = cipher.update(value) + cipher.final
+          rescue OpenSSL::Cipher::CipherError => e
+            raise EncryptionFailure, "#{e.class.name}: #{e.to_s}"
+          end
+          enc_value['data'] = Base64.encode64(enc_data)
+          enc_value
+        end
+
+        def symmetric_decrypt_value(enc_value, algo=SYMM_ALGORITHM)
+          cipher = OpenSSL::Cipher.new(enc_value['cipher'] || algo) # TODO maybe it's better to ignore [cipher] ?
+          cipher.decrypt
+          cipher.iv = Base64.decode64(enc_value['iv'])
+          cipher.key = Base64.decode64(enc_value['secret'])
+          cipher.update(Base64.decode64(enc_value['data'])) + cipher.final
+        rescue OpenSSL::Cipher::CipherError => e
+          raise DecryptionFailure, "#{e.class.name}: #{e.to_s}"
+        end
+
+        def generate_hmac(data, algo=HMAC_ALGORITHM)
+          hmac = Mash.new({ 'cipher' => algo }) # [cipher] is ignored, only as info
+          digest = OpenSSL::Digest.new(algo)
+          secret = OpenSSL::Random.random_bytes(digest.block_length)
+          hmac['secret'] = Base64.encode64(secret)
+          hmac['data'] = Base64.encode64(OpenSSL::HMAC.digest(digest, secret, data))
+          hmac
+        rescue OpenSSL::Digest::DigestError, OpenSSL::HMACError, RuntimeError => e
+          # RuntimeError is raised for unsupported algorithms
+          raise MessageAuthenticationFailure, "#{e.class.name}: #{e.to_s}"
+        end
+
+        def hmac_matches?(orig_hmac, data, algo=HMAC_ALGORITHM)
+          digest = OpenSSL::Digest.new(algo)
+          secret = Base64.decode64(orig_hmac['secret'])
+          new_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, secret, data))
+          orig_hmac['data'] == new_hmac
+        rescue OpenSSL::Digest::DigestError, OpenSSL::HMACError, RuntimeError => e
+          # RuntimeError is raised for unsupported algorithms
+          raise MessageAuthenticationFailure, "#{e.class.name}: #{e.to_s}"
+        end
+
+      end
+    end
+  end
+end

data/lib/chef/encrypted_attribute/exceptions.rb

@@ -0,0 +1,38 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class EncryptedAttribute
+
+    class UnsupportedEncryptedAttributeFormat < StandardError; end
+    class UnacceptableEncryptedAttributeFormat < StandardError; end
+    class DecryptionFailure < StandardError; end
+    class EncryptionFailure < StandardError; end
+    class MessageAuthenticationFailure < StandardError; end
+    class InvalidPublicKey < StandardError; end
+    class InvalidPrivateKey < StandardError; end
+
+    class InsufficientPrivileges < StandardError; end
+    class UserNotFound < StandardError; end
+
+    class SearchFailure < StandardError; end
+    class SearchFatalError < StandardError; end
+    class InvalidSearchKeys < StandardError; end
+
+  end
+end

data/lib/chef/encrypted_attribute/local_node.rb

@@ -0,0 +1,38 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class EncryptedAttribute
+    class LocalNode
+
+      # currently not used
+      def name
+        Chef::Config[:node_name]
+      end
+
+      def key
+        OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+      end
+
+      def public_key
+        key.public_key
+      end
+
+    end
+  end
+end