chef-encrypted-attributes 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/API.md +4 -2
- data/CHANGELOG.md +6 -0
- data/CONTRIBUTING.md +13 -0
- data/README.md +18 -8
- data/TODO.md +1 -1
- data/lib/chef/encrypted_attribute.rb +9 -5
- data/lib/chef/encrypted_attribute/config.rb +14 -0
- data/lib/chef/encrypted_attribute/exceptions.rb +1 -0
- data/lib/chef/encrypted_attribute/remote_clients.rb +15 -1
- data/lib/chef/encrypted_attribute/remote_nodes.rb +48 -0
- data/lib/chef/encrypted_attribute/version.rb +1 -1
- data/lib/chef/knife/core/encrypted_attribute_editor_options.rb +9 -0
- metadata +4 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 81a47b4f918da2922455d6f7ad7b30905f62f4b4
|
|
4
|
+
data.tar.gz: 8addbdca43184f9f8667cb4892caeaa611dbbc29
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7fbcf0de4167e824004e14ec8f8989f3faa3b802d27d470ac2fbd2c7fd16af34f706286b1b4a605f1427ab2db07f01a66994276b097b4dfa7a139d0255bd70e7
|
|
7
|
+
data.tar.gz: 2cc100fdfc8c09f5697a46d5c0765ef1815df93974da30ea154baafb4a76921797abe9a83e54edc9e688d02e793dcff82779ed2f307bc90e17aa19d9c0de200a
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
data/API.md
CHANGED
|
@@ -28,9 +28,9 @@ An exception is thrown if any error arises in the encryption process.
|
|
|
28
28
|
|
|
29
29
|
### Chef::EncryptedAttribute.update(hs [, config])
|
|
30
30
|
|
|
31
|
-
Updates who can read the attribute. This is intended to be used to update to the new nodes returned by
|
|
31
|
+
Updates who can read the attribute. This is intended to be used to update to the new nodes returned by `:client_search` and `:node_search` or perhaps global configuration changes.
|
|
32
32
|
|
|
33
|
-
For example, in case new nodes are added or some are removed, and the clients returned by `:client_search` are different, this `#update` method will decrypt the attribute and encrypt it again for the new nodes (or remove the old ones).
|
|
33
|
+
For example, in case new nodes are added or some are removed, and the clients returned by `:client_search` or `:node_search` are different, this `#update` method will decrypt the attribute and encrypt it again for the new nodes (or remove the old ones).
|
|
34
34
|
|
|
35
35
|
If an update is made, the shared secrets are regenerated.
|
|
36
36
|
|
|
@@ -109,6 +109,7 @@ Both `Chef::Config[:encrypted_attributes]` and method's `config` parameter shoul
|
|
|
109
109
|
* OpenSSL `>= 1.0.1`.
|
|
110
110
|
* `:partial_search` - Whether to use Chef Server partial search, enabled by default. It may not work in some old versions of Chef Server.
|
|
111
111
|
* `:client_search` - Search query for clients allowed to read the encrypted attribute. Can be a simple string or an array of queries to be *OR*-ed.
|
|
112
|
+
* `:node_search` - Search query for nodes allowed to read the encrypted attribute. Can be a simple string or an array of queries to be *OR*-ed.
|
|
112
113
|
* `:users` - Array of user names to be allowed to read the encrypted attribute(s). `"*"` to allow access to all users. Keep in mind that only admin clients or admin users are allowed to read user public keys. It is **not recommended** to use this from cookbooks unless you know what you are doing.
|
|
113
114
|
* `:keys` - raw RSA public keys to be allowed to read encrypted attributes(s), in PEM (string) format. Can be client public keys, user public keys or any other RSA public key.
|
|
114
115
|
|
|
@@ -148,6 +149,7 @@ This API uses some LRU caches to avoid making many requests to the Chef Server.
|
|
|
148
149
|
This are the currently available caches:
|
|
149
150
|
|
|
150
151
|
* `Chef::EncryptedAttribute::RemoteClients.cache` - Caches the `:client_search` query results (max_size: `1024`).
|
|
152
|
+
* `Chef::EncryptedAttribute::RemoteNodes.cache` - Caches the `:node_search` query results (max_size: `1024`).
|
|
151
153
|
* `Chef::EncryptedAttribute::RemoteUsers.cache` - Caches the Chef Users public keys (max_size: `1024`).
|
|
152
154
|
* `Chef::EncryptedAttribute::RemoteNode.cache` - Caches the node (encrypted) attributes. Disabled by default (max_size: `0`).
|
|
153
155
|
|
data/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
This file is used to list changes made in each version of `chef-encrypted-attributes`.
|
|
4
4
|
|
|
5
|
+
## 0.3.0:
|
|
6
|
+
|
|
7
|
+
* gemspec: added the missing CONTRIBUTING.md file
|
|
8
|
+
* README: replaced exist_on_node? by exist? in users_data_bag example
|
|
9
|
+
* Added the required `:node_search` option (fixes the `"role:..."` examples).
|
|
10
|
+
|
|
5
11
|
## 0.2.0:
|
|
6
12
|
|
|
7
13
|
* Deprecate `#exists?` methods in favor of `#exist?` methods
|
data/CONTRIBUTING.md
ADDED
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
Contributing
|
|
2
|
+
============
|
|
3
|
+
|
|
4
|
+
1. [Fork the repository on Github](https://help.github.com/articles/fork-a-repo).
|
|
5
|
+
2. Create a named feature branch (`$ git checkout -b my-new-feature`).
|
|
6
|
+
3. Write tests for your change (if applicable).
|
|
7
|
+
4. Write your change.
|
|
8
|
+
5. [Run the tests](TESTING.md), ensuring they all pass (`$ bundle exec rake`). Try as much as possible **not to reduce coverage**.
|
|
9
|
+
6. Commit your change (`$ git commit -am 'Add some feature'`).
|
|
10
|
+
7. Push to the branch (`$ git push origin my-new-feature`).
|
|
11
|
+
8. [Submit a Pull Request using Github](https://help.github.com/articles/creating-a-pull-request).
|
|
12
|
+
|
|
13
|
+
You can see the [TODO.md](TODO.md) file if you're looking for inspiration.
|
data/README.md
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
# Chef-Encrypted-Attributes
|
|
2
2
|
[](http://badge.fury.io/rb/chef-encrypted-attributes)
|
|
3
3
|
[](https://gemnasium.com/onddo/chef-encrypted-attributes)
|
|
4
|
-
[](https://travis-ci.org/onddo/chef-encrypted-attributes)
|
|
5
|
-
[](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=
|
|
4
|
+
[](https://travis-ci.org/onddo/chef-encrypted-attributes)
|
|
5
|
+
[](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=0.3.0)
|
|
6
6
|
|
|
7
7
|
[Chef](http://www.getchef.com) plugin to add Node encrypted attributes support using client keys.
|
|
8
8
|
|
|
@@ -12,7 +12,7 @@ We recommend using the [encrypted_attributes cookbook](http://community.opscode.
|
|
|
12
12
|
|
|
13
13
|
Node attributes are encrypted using chef client and user keys with public key infrastructure (PKI). You can choose which clients, nodes or users will be able to read the attribute.
|
|
14
14
|
|
|
15
|
-
|
|
15
|
+
*Chef Nodes* with read access can be specified using a `node_search` query. In case new nodes are added or removed, the data will be re-encrypted in the next *Chef Run* of the encrypting node (using the `#update` method shown below). Similarly, a `client_search` query can be used to allow *Chef Clients* to read the attribute.
|
|
16
16
|
|
|
17
17
|
## Requirements
|
|
18
18
|
|
|
@@ -69,8 +69,11 @@ In this example we only need to save some data from the local node and read it f
|
|
|
69
69
|
chef_gem "chef-encrypted-attributes"
|
|
70
70
|
require "chef-encrypted-attributes"
|
|
71
71
|
|
|
72
|
+
# Allow all admin clients to read the attributes encrypted by me
|
|
73
|
+
Chef::Config[:encrypted_attributes][:client_search] = "admin:true"
|
|
74
|
+
|
|
72
75
|
# Allow all webapp nodes to read the attributes encrypted by me
|
|
73
|
-
Chef::Config[:encrypted_attributes][:
|
|
76
|
+
Chef::Config[:encrypted_attributes][:node_search] = "role:webapp"
|
|
74
77
|
|
|
75
78
|
if Chef::EncryptedAttribute.exist?(node["myapp"]["encrypted_data"])
|
|
76
79
|
# when can used #load here as above if we need the `encrypted_data` outside this `if`
|
|
@@ -127,7 +130,7 @@ chef_users.delete("id") # remove the data bag "id" to avoid to confuse it with a
|
|
|
127
130
|
Chef::Log.debug("Admin users able to read the Encrypted Attributes: #{chef_users.keys.inspect}")
|
|
128
131
|
Chef::Config[:encrypted_attributes][:keys] = chef_users.values
|
|
129
132
|
|
|
130
|
-
# if Chef::EncryptedAttribute.
|
|
133
|
+
# if Chef::EncryptedAttribute.exist?(...)
|
|
131
134
|
# Chef::EncryptedAttribute.update(...)
|
|
132
135
|
# else
|
|
133
136
|
# node.set[...][...] = Chef::EncryptedAttribute.create(...)
|
|
@@ -202,7 +205,7 @@ For example:
|
|
|
202
205
|
|
|
203
206
|
### knife encrypted attribute update
|
|
204
207
|
|
|
205
|
-
Updates who can read the attribute (for `:client_search` changes).
|
|
208
|
+
Updates who can read the attribute (for `:client_search` and `:node_search` changes).
|
|
206
209
|
|
|
207
210
|
$ knife encrypted attribute update NODE ATTRIBUTE (options)
|
|
208
211
|
|
|
@@ -212,7 +215,7 @@ For example:
|
|
|
212
215
|
|
|
213
216
|
$ knife encrypted attribute update ftp.example.com myapp.ftp_password \
|
|
214
217
|
--client-search admin:true \
|
|
215
|
-
--
|
|
218
|
+
--node-search role:webapp \
|
|
216
219
|
-U bob -U alice
|
|
217
220
|
|
|
218
221
|
### knife encrypted attribute edit
|
|
@@ -230,7 +233,7 @@ For example:
|
|
|
230
233
|
$ export EDITOR=vi
|
|
231
234
|
$ knife encrypted attribute edit ftp.example.com myapp.ftp_password \
|
|
232
235
|
--client-search admin:true \
|
|
233
|
-
--
|
|
236
|
+
--node-search role:webapp \
|
|
234
237
|
-U bob -U alice
|
|
235
238
|
|
|
236
239
|
### knife encrypted attribute delete
|
|
@@ -274,6 +277,13 @@ For example:
|
|
|
274
277
|
<td> </td>
|
|
275
278
|
<td>create, edit, update</td>
|
|
276
279
|
</tr>
|
|
280
|
+
<tr>
|
|
281
|
+
<td>-N</td>
|
|
282
|
+
<td>--node-search</td>
|
|
283
|
+
<td>Node search query. Can be specified multiple times</td>
|
|
284
|
+
<td> </td>
|
|
285
|
+
<td>create, edit, update</td>
|
|
286
|
+
</tr>
|
|
277
287
|
<tr>
|
|
278
288
|
<td>-U</td>
|
|
279
289
|
<td>--user</td>
|
data/TODO.md
CHANGED
|
@@ -2,7 +2,7 @@ TODO
|
|
|
2
2
|
====
|
|
3
3
|
|
|
4
4
|
* knife encrypted attribute create/edit from file.
|
|
5
|
-
* Save config inside encrypted data: `:client_search` and `:keys` (including user keys).
|
|
5
|
+
* Save config inside encrypted data: `:client_search`, `:node_search` and `:keys` (including user keys).
|
|
6
6
|
* Chef internal node attribute integration monkey-patch. It may require some `EncryptedMash` class rewrite or adding some methods.
|
|
7
7
|
* Support for Chef `< 11.4` (add `JSONCompat#map_to_rb_obj`, disable `Chef::User` for `< 11.2`, ...).
|
|
8
8
|
* Test with Chef `10`.
|
|
@@ -20,10 +20,10 @@ require 'chef/encrypted_attribute/config'
|
|
|
20
20
|
require 'chef/encrypted_attribute/encrypted_mash'
|
|
21
21
|
require 'chef/config'
|
|
22
22
|
require 'chef/mash'
|
|
23
|
-
require 'chef/api_client'
|
|
24
23
|
|
|
25
24
|
require 'chef/encrypted_attribute/local_node'
|
|
26
25
|
require 'chef/encrypted_attribute/remote_node'
|
|
26
|
+
require 'chef/encrypted_attribute/remote_nodes'
|
|
27
27
|
require 'chef/encrypted_attribute/remote_clients'
|
|
28
28
|
require 'chef/encrypted_attribute/remote_users'
|
|
29
29
|
require 'chef/encrypted_attribute/encrypted_mash/version0'
|
|
@@ -68,7 +68,7 @@ class Chef
|
|
|
68
68
|
|
|
69
69
|
def create_on_node(name, attr_ary, value)
|
|
70
70
|
# read the client public key
|
|
71
|
-
node_public_key =
|
|
71
|
+
node_public_key = RemoteClients.get_public_key(name)
|
|
72
72
|
|
|
73
73
|
# create the encrypted attribute
|
|
74
74
|
enc_attr = self.create(value, [ node_public_key ])
|
|
@@ -93,7 +93,7 @@ class Chef
|
|
|
93
93
|
|
|
94
94
|
def update_on_node(name, attr_ary)
|
|
95
95
|
# read the client public key
|
|
96
|
-
node_public_key =
|
|
96
|
+
node_public_key = RemoteClients.get_public_key(name)
|
|
97
97
|
|
|
98
98
|
# update the encrypted attribute
|
|
99
99
|
remote_node = RemoteNode.new(name)
|
|
@@ -111,7 +111,11 @@ class Chef
|
|
|
111
111
|
protected
|
|
112
112
|
|
|
113
113
|
def remote_client_keys
|
|
114
|
-
RemoteClients.
|
|
114
|
+
RemoteClients.search_public_keys(config.client_search, config.partial_search)
|
|
115
|
+
end
|
|
116
|
+
|
|
117
|
+
def remote_node_keys
|
|
118
|
+
RemoteNodes.search_public_keys(config.node_search, config.partial_search)
|
|
115
119
|
end
|
|
116
120
|
|
|
117
121
|
def remote_user_keys
|
|
@@ -119,7 +123,7 @@ class Chef
|
|
|
119
123
|
end
|
|
120
124
|
|
|
121
125
|
def target_keys(keys=nil)
|
|
122
|
-
target_keys = config.keys + remote_client_keys + remote_user_keys
|
|
126
|
+
target_keys = config.keys + remote_client_keys + remote_node_keys + remote_user_keys
|
|
123
127
|
target_keys += keys if keys.kind_of?(Array)
|
|
124
128
|
target_keys
|
|
125
129
|
end
|
|
@@ -27,6 +27,7 @@ class Chef
|
|
|
27
27
|
:version,
|
|
28
28
|
:partial_search,
|
|
29
29
|
:client_search,
|
|
30
|
+
:node_search,
|
|
30
31
|
:users,
|
|
31
32
|
:keys,
|
|
32
33
|
].freeze
|
|
@@ -69,6 +70,19 @@ class Chef
|
|
|
69
70
|
)
|
|
70
71
|
end
|
|
71
72
|
|
|
73
|
+
def node_search(arg=nil)
|
|
74
|
+
unless arg.nil? or not arg.kind_of?(String)
|
|
75
|
+
arg = [ arg ]
|
|
76
|
+
end
|
|
77
|
+
set_or_return(
|
|
78
|
+
:node_search,
|
|
79
|
+
arg,
|
|
80
|
+
:kind_of => Array,
|
|
81
|
+
:default => [],
|
|
82
|
+
:callbacks => config_search_array_callbacks
|
|
83
|
+
)
|
|
84
|
+
end
|
|
85
|
+
|
|
72
86
|
def users(arg=nil)
|
|
73
87
|
set_or_return(
|
|
74
88
|
:users,
|
|
@@ -16,6 +16,9 @@
|
|
|
16
16
|
# limitations under the License.
|
|
17
17
|
#
|
|
18
18
|
|
|
19
|
+
require 'chef/api_client'
|
|
20
|
+
|
|
21
|
+
require 'chef/encrypted_attribute/exceptions'
|
|
19
22
|
require 'chef/encrypted_attribute/search_helper'
|
|
20
23
|
require 'chef/encrypted_attribute/cache_lru'
|
|
21
24
|
|
|
@@ -28,7 +31,18 @@ class Chef
|
|
|
28
31
|
@@cache ||= Chef::EncryptedAttribute::CacheLru.new
|
|
29
32
|
end
|
|
30
33
|
|
|
31
|
-
def self.
|
|
34
|
+
def self.get_public_key(name)
|
|
35
|
+
Chef::ApiClient.load(name).public_key
|
|
36
|
+
rescue Net::HTTPServerException => e
|
|
37
|
+
case e.response.code
|
|
38
|
+
when '404' # Not Found
|
|
39
|
+
raise ClientNotFound, "Chef Client not found: \"#{name}\"."
|
|
40
|
+
else
|
|
41
|
+
raise e
|
|
42
|
+
end
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def self.search_public_keys(search='*:*', partial_search=true)
|
|
32
46
|
escaped_query = escape_query(search)
|
|
33
47
|
if cache.has_key?(escaped_query)
|
|
34
48
|
cache[escaped_query]
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
#
|
|
2
|
+
# Author:: Xabier de Zuazo (<xabier@onddo.com>)
|
|
3
|
+
# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
|
|
4
|
+
# License:: Apache License, Version 2.0
|
|
5
|
+
#
|
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
7
|
+
# you may not use this file except in compliance with the License.
|
|
8
|
+
# You may obtain a copy of the License at
|
|
9
|
+
#
|
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
|
11
|
+
#
|
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
15
|
+
# See the License for the specific language governing permissions and
|
|
16
|
+
# limitations under the License.
|
|
17
|
+
#
|
|
18
|
+
|
|
19
|
+
require 'chef/encrypted_attribute/exceptions'
|
|
20
|
+
require 'chef/encrypted_attribute/search_helper'
|
|
21
|
+
require 'chef/encrypted_attribute/cache_lru'
|
|
22
|
+
require 'chef/encrypted_attribute/remote_clients'
|
|
23
|
+
|
|
24
|
+
class Chef
|
|
25
|
+
class EncryptedAttribute
|
|
26
|
+
class RemoteNodes
|
|
27
|
+
extend ::Chef::EncryptedAttribute::SearchHelper
|
|
28
|
+
|
|
29
|
+
def self.cache
|
|
30
|
+
@@cache ||= Chef::EncryptedAttribute::CacheLru.new
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def self.search_public_keys(search='*:*', partial_search=true)
|
|
34
|
+
escaped_query = escape_query(search)
|
|
35
|
+
if cache.has_key?(escaped_query)
|
|
36
|
+
cache[escaped_query]
|
|
37
|
+
else
|
|
38
|
+
cache[escaped_query] = search(:node, search, {
|
|
39
|
+
'name' => [ 'name' ]
|
|
40
|
+
}, 1000, partial_search).map do |node|
|
|
41
|
+
RemoteClients.get_public_key(node['name'])
|
|
42
|
+
end.compact
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
|
|
@@ -52,6 +52,15 @@ class Chef
|
|
|
52
52
|
Chef::Config[:knife][:encrypted_attributes][:client_search] << i
|
|
53
53
|
}
|
|
54
54
|
|
|
55
|
+
option :encrypted_attribute_node_search,
|
|
56
|
+
:short => '-N NODE_SEARCH_QUERY',
|
|
57
|
+
:long => '--node-search NODE_SEARCH_QUERY',
|
|
58
|
+
:description => 'Node search query. Can be specified multiple times',
|
|
59
|
+
:proc => lambda { |i|
|
|
60
|
+
Chef::Config[:knife][:encrypted_attributes][:node_search] = [] unless Chef::Config[:knife][:encrypted_attributes][:node_search].kind_of?(Array)
|
|
61
|
+
Chef::Config[:knife][:encrypted_attributes][:node_search] << i
|
|
62
|
+
}
|
|
63
|
+
|
|
55
64
|
option :encrypted_attribute_users,
|
|
56
65
|
:short => '-U USER',
|
|
57
66
|
:long => '--encrypted-attribute-user USER',
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: chef-encrypted-attributes
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Onddo Labs, SL.
|
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
|
30
30
|
cYe8PqNEkky7ugvF4zU3sB6TW+96XasuwDv1uJmyr35LF15U6Cs83+osMbAKJTmG
|
|
31
31
|
/vqKzw==
|
|
32
32
|
-----END CERTIFICATE-----
|
|
33
|
-
date: 2014-08-
|
|
33
|
+
date: 2014-08-25 00:00:00.000000000 Z
|
|
34
34
|
dependencies:
|
|
35
35
|
- !ruby/object:Gem::Dependency
|
|
36
36
|
name: yajl-ruby
|
|
@@ -166,6 +166,7 @@ extra_rdoc_files: []
|
|
|
166
166
|
files:
|
|
167
167
|
- API.md
|
|
168
168
|
- CHANGELOG.md
|
|
169
|
+
- CONTRIBUTING.md
|
|
169
170
|
- INTERNAL.md
|
|
170
171
|
- LICENSE
|
|
171
172
|
- README.md
|
|
@@ -185,6 +186,7 @@ files:
|
|
|
185
186
|
- lib/chef/encrypted_attribute/local_node.rb
|
|
186
187
|
- lib/chef/encrypted_attribute/remote_clients.rb
|
|
187
188
|
- lib/chef/encrypted_attribute/remote_node.rb
|
|
189
|
+
- lib/chef/encrypted_attribute/remote_nodes.rb
|
|
188
190
|
- lib/chef/encrypted_attribute/remote_users.rb
|
|
189
191
|
- lib/chef/encrypted_attribute/search_helper.rb
|
|
190
192
|
- lib/chef/encrypted_attribute/version.rb
|
metadata.gz.sig
CHANGED
|
Binary file
|