chef-encrypted-attributes 0.2.0 → 0.3.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/API.md +4 -2
- data/CHANGELOG.md +6 -0
- data/CONTRIBUTING.md +13 -0
- data/README.md +18 -8
- data/TODO.md +1 -1
- data/lib/chef/encrypted_attribute.rb +9 -5
- data/lib/chef/encrypted_attribute/config.rb +14 -0
- data/lib/chef/encrypted_attribute/exceptions.rb +1 -0
- data/lib/chef/encrypted_attribute/remote_clients.rb +15 -1
- data/lib/chef/encrypted_attribute/remote_nodes.rb +48 -0
- data/lib/chef/encrypted_attribute/version.rb +1 -1
- data/lib/chef/knife/core/encrypted_attribute_editor_options.rb +9 -0
- metadata +4 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 81a47b4f918da2922455d6f7ad7b30905f62f4b4
|
4
|
+
data.tar.gz: 8addbdca43184f9f8667cb4892caeaa611dbbc29
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7fbcf0de4167e824004e14ec8f8989f3faa3b802d27d470ac2fbd2c7fd16af34f706286b1b4a605f1427ab2db07f01a66994276b097b4dfa7a139d0255bd70e7
|
7
|
+
data.tar.gz: 2cc100fdfc8c09f5697a46d5c0765ef1815df93974da30ea154baafb4a76921797abe9a83e54edc9e688d02e793dcff82779ed2f307bc90e17aa19d9c0de200a
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/API.md
CHANGED
@@ -28,9 +28,9 @@ An exception is thrown if any error arises in the encryption process.
|
|
28
28
|
|
29
29
|
### Chef::EncryptedAttribute.update(hs [, config])
|
30
30
|
|
31
|
-
Updates who can read the attribute. This is intended to be used to update to the new nodes returned by
|
31
|
+
Updates who can read the attribute. This is intended to be used to update to the new nodes returned by `:client_search` and `:node_search` or perhaps global configuration changes.
|
32
32
|
|
33
|
-
For example, in case new nodes are added or some are removed, and the clients returned by `:client_search` are different, this `#update` method will decrypt the attribute and encrypt it again for the new nodes (or remove the old ones).
|
33
|
+
For example, in case new nodes are added or some are removed, and the clients returned by `:client_search` or `:node_search` are different, this `#update` method will decrypt the attribute and encrypt it again for the new nodes (or remove the old ones).
|
34
34
|
|
35
35
|
If an update is made, the shared secrets are regenerated.
|
36
36
|
|
@@ -109,6 +109,7 @@ Both `Chef::Config[:encrypted_attributes]` and method's `config` parameter shoul
|
|
109
109
|
* OpenSSL `>= 1.0.1`.
|
110
110
|
* `:partial_search` - Whether to use Chef Server partial search, enabled by default. It may not work in some old versions of Chef Server.
|
111
111
|
* `:client_search` - Search query for clients allowed to read the encrypted attribute. Can be a simple string or an array of queries to be *OR*-ed.
|
112
|
+
* `:node_search` - Search query for nodes allowed to read the encrypted attribute. Can be a simple string or an array of queries to be *OR*-ed.
|
112
113
|
* `:users` - Array of user names to be allowed to read the encrypted attribute(s). `"*"` to allow access to all users. Keep in mind that only admin clients or admin users are allowed to read user public keys. It is **not recommended** to use this from cookbooks unless you know what you are doing.
|
113
114
|
* `:keys` - raw RSA public keys to be allowed to read encrypted attributes(s), in PEM (string) format. Can be client public keys, user public keys or any other RSA public key.
|
114
115
|
|
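Review bot: the new `:node_search` entry should also say how matching nodes are turned into recipients: in `RemoteNodes.search_public_keys` every matching node is resolved with `RemoteClients.get_public_key(node['name'])`, so read access is actually granted to the Chef Client that has the same name as the node. Readers need that to know which identity can decrypt, and why a node whose client is named differently will silently not match.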
@@ -148,6 +149,7 @@ This API uses some LRU caches to avoid making many requests to the Chef Server.
|
|
148
149
|
This are the currently available caches:
|
149
150
|
|
150
151
|
* `Chef::EncryptedAttribute::RemoteClients.cache` - Caches the `:client_search` query results (max_size: `1024`).
|
152
|
+
* `Chef::EncryptedAttribute::RemoteNodes.cache` - Caches the `:node_search` query results (max_size: `1024`).
|
151
153
|
* `Chef::EncryptedAttribute::RemoteUsers.cache` - Caches the Chef Users public keys (max_size: `1024`).
|
152
154
|
* `Chef::EncryptedAttribute::RemoteNode.cache` - Caches the node (encrypted) attributes. Disabled by default (max_size: `0`).
|
153
155
|
|
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,12 @@
|
|
2
2
|
|
3
3
|
This file is used to list changes made in each version of `chef-encrypted-attributes`.
|
4
4
|
|
5
|
+
## 0.3.0:
|
6
|
+
|
7
|
+
* gemspec: added the missing CONTRIBUTING.md file
|
8
|
+
* README: replaced exist_on_node? by exist? in users_data_bag example
|
9
|
+
* Added the required `:node_search` option (fixes the `"role:..."` examples).
|
10
|
+
|
5
11
|
## 0.2.0:
|
6
12
|
|
7
13
|
* Deprecate `#exists?` methods in favor of `#exist?` methods
|
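Review bot: the 0.3.0 entry undersells the change; besides the `:node_search` config option, this release adds the knife `-N/--node-search` flag, the `RemoteNodes` class and its cache, and `RemoteClients.get_public_key`, which raises `ClientNotFound` for an unknown client. Listing those here makes the behaviour change visible to users who upgrade.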
data/CONTRIBUTING.md
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
Contributing
|
2
|
+
============
|
3
|
+
|
4
|
+
1. [Fork the repository on Github](https://help.github.com/articles/fork-a-repo).
|
5
|
+
2. Create a named feature branch (`$ git checkout -b my-new-feature`).
|
6
|
+
3. Write tests for your change (if applicable).
|
7
|
+
4. Write your change.
|
8
|
+
5. [Run the tests](TESTING.md), ensuring they all pass (`$ bundle exec rake`). Try as much as possible **not to reduce coverage**.
|
9
|
+
6. Commit your change (`$ git commit -am 'Add some feature'`).
|
10
|
+
7. Push to the branch (`$ git push origin my-new-feature`).
|
11
|
+
8. [Submit a Pull Request using Github](https://help.github.com/articles/creating-a-pull-request).
|
12
|
+
|
13
|
+
You can see the [TODO.md](TODO.md) file if you're looking for inspiration.
|
data/README.md
CHANGED
@@ -1,8 +1,8 @@
|
|
1
1
|
# Chef-Encrypted-Attributes
|
2
2
|
[![Gem Version](http://img.shields.io/gem/v/chef-encrypted-attributes.svg?style=flat)](http://badge.fury.io/rb/chef-encrypted-attributes)
|
3
3
|
[![Dependency Status](http://img.shields.io/gemnasium/onddo/chef-encrypted-attributes.svg?style=flat)](https://gemnasium.com/onddo/chef-encrypted-attributes)
|
4
|
-
[![Build Status](http://img.shields.io/travis/onddo/chef-encrypted-attributes.svg?style=flat)](https://travis-ci.org/onddo/chef-encrypted-attributes)
|
5
|
-
[![Coverage Status](http://img.shields.io/coveralls/onddo/chef-encrypted-attributes.svg?style=flat)](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=
|
4
|
+
[![Build Status](http://img.shields.io/travis/onddo/chef-encrypted-attributes/0.3.0.svg?style=flat)](https://travis-ci.org/onddo/chef-encrypted-attributes)
|
5
|
+
[![Coverage Status](http://img.shields.io/coveralls/onddo/chef-encrypted-attributes/0.3.0.svg?style=flat)](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=0.3.0)
|
6
6
|
|
7
7
|
[Chef](http://www.getchef.com) plugin to add Node encrypted attributes support using client keys.
|
8
8
|
|
@@ -12,7 +12,7 @@ We recommend using the [encrypted_attributes cookbook](http://community.opscode.
|
|
12
12
|
|
13
13
|
Node attributes are encrypted using chef client and user keys with public key infrastructure (PKI). You can choose which clients, nodes or users will be able to read the attribute.
|
14
14
|
|
15
|
-
|
15
|
+
*Chef Nodes* with read access can be specified using a `node_search` query. In case new nodes are added or removed, the data will be re-encrypted in the next *Chef Run* of the encrypting node (using the `#update` method shown below). Similarly, a `client_search` query can be used to allow *Chef Clients* to read the attribute.
|
16
16
|
|
17
17
|
## Requirements
|
18
18
|
|
@@ -69,8 +69,11 @@ In this example we only need to save some data from the local node and read it f
|
|
69
69
|
chef_gem "chef-encrypted-attributes"
|
70
70
|
require "chef-encrypted-attributes"
|
71
71
|
|
72
|
+
# Allow all admin clients to read the attributes encrypted by me
|
73
|
+
Chef::Config[:encrypted_attributes][:client_search] = "admin:true"
|
74
|
+
|
72
75
|
# Allow all webapp nodes to read the attributes encrypted by me
|
73
|
-
Chef::Config[:encrypted_attributes][:
|
76
|
+
Chef::Config[:encrypted_attributes][:node_search] = "role:webapp"
|
74
77
|
|
75
78
|
if Chef::EncryptedAttribute.exist?(node["myapp"]["encrypted_data"])
|
76
79
|
# when can used #load here as above if we need the `encrypted_data` outside this `if`
|
@@ -127,7 +130,7 @@ chef_users.delete("id") # remove the data bag "id" to avoid to confuse it with a
|
|
127
130
|
Chef::Log.debug("Admin users able to read the Encrypted Attributes: #{chef_users.keys.inspect}")
|
128
131
|
Chef::Config[:encrypted_attributes][:keys] = chef_users.values
|
129
132
|
|
130
|
-
# if Chef::EncryptedAttribute.
|
133
|
+
# if Chef::EncryptedAttribute.exist?(...)
|
131
134
|
# Chef::EncryptedAttribute.update(...)
|
132
135
|
# else
|
133
136
|
# node.set[...][...] = Chef::EncryptedAttribute.create(...)
|
@@ -202,7 +205,7 @@ For example:
|
|
202
205
|
|
203
206
|
### knife encrypted attribute update
|
204
207
|
|
205
|
-
Updates who can read the attribute (for `:client_search` changes).
|
208
|
+
Updates who can read the attribute (for `:client_search` and `:node_search` changes).
|
206
209
|
|
207
210
|
$ knife encrypted attribute update NODE ATTRIBUTE (options)
|
208
211
|
|
@@ -212,7 +215,7 @@ For example:
|
|
212
215
|
|
213
216
|
$ knife encrypted attribute update ftp.example.com myapp.ftp_password \
|
214
217
|
--client-search admin:true \
|
215
|
-
--
|
218
|
+
--node-search role:webapp \
|
216
219
|
-U bob -U alice
|
217
220
|
|
218
221
|
### knife encrypted attribute edit
|
@@ -230,7 +233,7 @@ For example:
|
|
230
233
|
$ export EDITOR=vi
|
231
234
|
$ knife encrypted attribute edit ftp.example.com myapp.ftp_password \
|
232
235
|
--client-search admin:true \
|
233
|
-
--
|
236
|
+
--node-search role:webapp \
|
234
237
|
-U bob -U alice
|
235
238
|
|
236
239
|
### knife encrypted attribute delete
|
@@ -274,6 +277,13 @@ For example:
|
|
274
277
|
<td> </td>
|
275
278
|
<td>create, edit, update</td>
|
276
279
|
</tr>
|
280
|
+
<tr>
|
281
|
+
<td>-N</td>
|
282
|
+
<td>--node-search</td>
|
283
|
+
<td>Node search query. Can be specified multiple times</td>
|
284
|
+
<td> </td>
|
285
|
+
<td>create, edit, update</td>
|
286
|
+
</tr>
|
277
287
|
<tr>
|
278
288
|
<td>-U</td>
|
279
289
|
<td>--user</td>
|
data/TODO.md
CHANGED
@@ -2,7 +2,7 @@ TODO
|
|
2
2
|
====
|
3
3
|
|
4
4
|
* knife encrypted attribute create/edit from file.
|
5
|
-
* Save config inside encrypted data: `:client_search` and `:keys` (including user keys).
|
5
|
+
* Save config inside encrypted data: `:client_search`, `:node_search` and `:keys` (including user keys).
|
6
6
|
* Chef internal node attribute integration monkey-patch. It may require some `EncryptedMash` class rewrite or adding some methods.
|
7
7
|
* Support for Chef `< 11.4` (add `JSONCompat#map_to_rb_obj`, disable `Chef::User` for `< 11.2`, ...).
|
8
8
|
* Test with Chef `10`.
|
@@ -20,10 +20,10 @@ require 'chef/encrypted_attribute/config'
|
|
20
20
|
require 'chef/encrypted_attribute/encrypted_mash'
|
21
21
|
require 'chef/config'
|
22
22
|
require 'chef/mash'
|
23
|
-
require 'chef/api_client'
|
24
23
|
|
25
24
|
require 'chef/encrypted_attribute/local_node'
|
26
25
|
require 'chef/encrypted_attribute/remote_node'
|
26
|
+
require 'chef/encrypted_attribute/remote_nodes'
|
27
27
|
require 'chef/encrypted_attribute/remote_clients'
|
28
28
|
require 'chef/encrypted_attribute/remote_users'
|
29
29
|
require 'chef/encrypted_attribute/encrypted_mash/version0'
|
@@ -68,7 +68,7 @@ class Chef
|
|
68
68
|
|
69
69
|
def create_on_node(name, attr_ary, value)
|
70
70
|
# read the client public key
|
71
|
-
node_public_key =
|
71
|
+
node_public_key = RemoteClients.get_public_key(name)
|
72
72
|
|
73
73
|
# create the encrypted attribute
|
74
74
|
enc_attr = self.create(value, [ node_public_key ])
|
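Review bot: with `node_public_key = RemoteClients.get_public_key(name)`, a missing client now surfaces as `Chef::EncryptedAttribute::ClientNotFound` (see the `rescue` in remote_clients.rb) rather than as the raw HTTP exception; check that the knife commands calling `create_on_node` and `update_on_node` catch it and print its message. The `# read the client public key` comment should also make explicit that `name` is a client name, not a node name, now that both concepts exist in this class.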
@@ -93,7 +93,7 @@ class Chef
|
|
93
93
|
|
94
94
|
def update_on_node(name, attr_ary)
|
95
95
|
# read the client public key
|
96
|
-
node_public_key =
|
96
|
+
node_public_key = RemoteClients.get_public_key(name)
|
97
97
|
|
98
98
|
# update the encrypted attribute
|
99
99
|
remote_node = RemoteNode.new(name)
|
@@ -111,7 +111,11 @@ class Chef
|
|
111
111
|
protected
|
112
112
|
|
113
113
|
def remote_client_keys
|
114
|
-
RemoteClients.
|
114
|
+
RemoteClients.search_public_keys(config.client_search, config.partial_search)
|
115
|
+
end
|
116
|
+
|
117
|
+
def remote_node_keys
|
118
|
+
RemoteNodes.search_public_keys(config.node_search, config.partial_search)
|
115
119
|
end
|
116
120
|
|
117
121
|
def remote_user_keys
|
@@ -119,7 +123,7 @@ class Chef
|
|
119
123
|
end
|
120
124
|
|
121
125
|
def target_keys(keys=nil)
|
122
|
-
target_keys = config.keys + remote_client_keys + remote_user_keys
|
126
|
+
target_keys = config.keys + remote_client_keys + remote_node_keys + remote_user_keys
|
123
127
|
target_keys += keys if keys.kind_of?(Array)
|
124
128
|
target_keys
|
125
129
|
end
|
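Review bot: `target_keys = config.keys + remote_client_keys + remote_node_keys + remote_user_keys` can now contain the same PEM twice, because a client matched by `:client_search` is the same key that `:node_search` resolves for the node of that name (and `:keys` may list it a third time). Unless the encryption layer de-duplicates recipients, append `.uniq` before returning so the shared secret is not wrapped twice for one key.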
@@ -27,6 +27,7 @@ class Chef
|
|
27
27
|
:version,
|
28
28
|
:partial_search,
|
29
29
|
:client_search,
|
30
|
+
:node_search,
|
30
31
|
:users,
|
31
32
|
:keys,
|
32
33
|
].freeze
|
@@ -69,6 +70,19 @@ class Chef
|
|
69
70
|
)
|
70
71
|
end
|
71
72
|
|
73
|
+
def node_search(arg=nil)
|
74
|
+
unless arg.nil? or not arg.kind_of?(String)
|
75
|
+
arg = [ arg ]
|
76
|
+
end
|
77
|
+
set_or_return(
|
78
|
+
:node_search,
|
79
|
+
arg,
|
80
|
+
:kind_of => Array,
|
81
|
+
:default => [],
|
82
|
+
:callbacks => config_search_array_callbacks
|
83
|
+
)
|
84
|
+
end
|
85
|
+
|
72
86
|
def users(arg=nil)
|
73
87
|
set_or_return(
|
74
88
|
:users,
|
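Review bot: `unless arg.nil? or not arg.kind_of?(String)` is a double negative that reduces to `if arg.kind_of?(String)`; write it as `arg = [ arg ] if arg.kind_of?(String)` so the String-to-Array promotion is obvious to the next reader and cannot be misread as accepting non-String values.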
@@ -16,6 +16,9 @@
|
|
16
16
|
# limitations under the License.
|
17
17
|
#
|
18
18
|
|
19
|
+
require 'chef/api_client'
|
20
|
+
|
21
|
+
require 'chef/encrypted_attribute/exceptions'
|
19
22
|
require 'chef/encrypted_attribute/search_helper'
|
20
23
|
require 'chef/encrypted_attribute/cache_lru'
|
21
24
|
|
@@ -28,7 +31,18 @@ class Chef
|
|
28
31
|
@@cache ||= Chef::EncryptedAttribute::CacheLru.new
|
29
32
|
end
|
30
33
|
|
31
|
-
def self.
|
34
|
+
def self.get_public_key(name)
|
35
|
+
Chef::ApiClient.load(name).public_key
|
36
|
+
rescue Net::HTTPServerException => e
|
37
|
+
case e.response.code
|
38
|
+
when '404' # Not Found
|
39
|
+
raise ClientNotFound, "Chef Client not found: \"#{name}\"."
|
40
|
+
else
|
41
|
+
raise e
|
42
|
+
end
|
43
|
+
end
|
44
|
+
|
45
|
+
def self.search_public_keys(search='*:*', partial_search=true)
|
32
46
|
escaped_query = escape_query(search)
|
33
47
|
if cache.has_key?(escaped_query)
|
34
48
|
cache[escaped_query]
|
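Review bot: `get_public_key` issues one `Chef::ApiClient.load` request per call and is not covered by `cache`, while `RemoteNodes.search_public_keys` calls it once per matching node, so a broad `:node_search` costs N extra requests to the Chef Server on every cache miss; consider caching by client name here. Also worth a one-line comment that `e.response.code` is a String, which is why `when '404'` is correct and must not be "fixed" to an Integer.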
@@ -0,0 +1,48 @@
|
|
1
|
+
#
|
2
|
+
# Author:: Xabier de Zuazo (<xabier@onddo.com>)
|
3
|
+
# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
|
4
|
+
# License:: Apache License, Version 2.0
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
require 'chef/encrypted_attribute/exceptions'
|
20
|
+
require 'chef/encrypted_attribute/search_helper'
|
21
|
+
require 'chef/encrypted_attribute/cache_lru'
|
22
|
+
require 'chef/encrypted_attribute/remote_clients'
|
23
|
+
|
24
|
+
class Chef
|
25
|
+
class EncryptedAttribute
|
26
|
+
class RemoteNodes
|
27
|
+
extend ::Chef::EncryptedAttribute::SearchHelper
|
28
|
+
|
29
|
+
def self.cache
|
30
|
+
@@cache ||= Chef::EncryptedAttribute::CacheLru.new
|
31
|
+
end
|
32
|
+
|
33
|
+
def self.search_public_keys(search='*:*', partial_search=true)
|
34
|
+
escaped_query = escape_query(search)
|
35
|
+
if cache.has_key?(escaped_query)
|
36
|
+
cache[escaped_query]
|
37
|
+
else
|
38
|
+
cache[escaped_query] = search(:node, search, {
|
39
|
+
'name' => [ 'name' ]
|
40
|
+
}, 1000, partial_search).map do |node|
|
41
|
+
RemoteClients.get_public_key(node['name'])
|
42
|
+
end.compact
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
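Review bot: the `.compact` after the `map` block in `search_public_keys` never removes anything, because `RemoteClients.get_public_key` raises `ClientNotFound` on a 404 instead of returning nil, so a single node whose client has been deleted aborts the whole `:node_search` resolution and nothing is cached. Decide which behaviour is wanted: rescue `ClientNotFound` inside the block and return nil (logging a warning) to skip stale nodes, or drop the `.compact` and document that a stale node object makes `create`/`update` fail.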
@@ -52,6 +52,15 @@ class Chef
|
|
52
52
|
Chef::Config[:knife][:encrypted_attributes][:client_search] << i
|
53
53
|
}
|
54
54
|
|
55
|
+
option :encrypted_attribute_node_search,
|
56
|
+
:short => '-N NODE_SEARCH_QUERY',
|
57
|
+
:long => '--node-search NODE_SEARCH_QUERY',
|
58
|
+
:description => 'Node search query. Can be specified multiple times',
|
59
|
+
:proc => lambda { |i|
|
60
|
+
Chef::Config[:knife][:encrypted_attributes][:node_search] = [] unless Chef::Config[:knife][:encrypted_attributes][:node_search].kind_of?(Array)
|
61
|
+
Chef::Config[:knife][:encrypted_attributes][:node_search] << i
|
62
|
+
}
|
63
|
+
|
55
64
|
option :encrypted_attribute_users,
|
56
65
|
:short => '-U USER',
|
57
66
|
:long => '--encrypted-attribute-user USER',
|
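Review bot: the `:proc` for `encrypted_attribute_node_search` repeats the `client_search` lambda above it apart from the config key; a small helper that appends to `Chef::Config[:knife][:encrypted_attributes][key]` would remove the duplication and keep the `kind_of?(Array)` guard in one place. The guard line is also well over 80 columns and would read better split.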
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chef-encrypted-attributes
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Onddo Labs, SL.
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
30
30
|
cYe8PqNEkky7ugvF4zU3sB6TW+96XasuwDv1uJmyr35LF15U6Cs83+osMbAKJTmG
|
31
31
|
/vqKzw==
|
32
32
|
-----END CERTIFICATE-----
|
33
|
-
date: 2014-08-
|
33
|
+
date: 2014-08-25 00:00:00.000000000 Z
|
34
34
|
dependencies:
|
35
35
|
- !ruby/object:Gem::Dependency
|
36
36
|
name: yajl-ruby
|
@@ -166,6 +166,7 @@ extra_rdoc_files: []
|
|
166
166
|
files:
|
167
167
|
- API.md
|
168
168
|
- CHANGELOG.md
|
169
|
+
- CONTRIBUTING.md
|
169
170
|
- INTERNAL.md
|
170
171
|
- LICENSE
|
171
172
|
- README.md
|
@@ -185,6 +186,7 @@ files:
|
|
185
186
|
- lib/chef/encrypted_attribute/local_node.rb
|
186
187
|
- lib/chef/encrypted_attribute/remote_clients.rb
|
187
188
|
- lib/chef/encrypted_attribute/remote_node.rb
|
189
|
+
- lib/chef/encrypted_attribute/remote_nodes.rb
|
188
190
|
- lib/chef/encrypted_attribute/remote_users.rb
|
189
191
|
- lib/chef/encrypted_attribute/search_helper.rb
|
190
192
|
- lib/chef/encrypted_attribute/version.rb
|
metadata.gz.sig
CHANGED
Binary file
|