chef-encrypted-attributes 0.3.0 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.yardopts +8 -0
- data/CHANGELOG.md +40 -4
- data/CONTRIBUTING.md +7 -6
- data/KNIFE.md +151 -0
- data/README.md +70 -192
- data/Rakefile +27 -14
- data/TESTING.md +18 -7
- data/TODO.md +2 -5
- data/lib/chef-encrypted-attributes.rb +7 -1
- data/lib/chef/encrypted_attribute.rb +282 -121
- data/lib/chef/encrypted_attribute/api.rb +521 -0
- data/lib/chef/encrypted_attribute/assertions.rb +16 -6
- data/lib/chef/encrypted_attribute/cache_lru.rb +54 -13
- data/lib/chef/encrypted_attribute/config.rb +198 -89
- data/lib/chef/encrypted_attribute/encrypted_mash.rb +127 -33
- data/lib/chef/encrypted_attribute/encrypted_mash/version0.rb +236 -48
- data/lib/chef/encrypted_attribute/encrypted_mash/version1.rb +249 -36
- data/lib/chef/encrypted_attribute/encrypted_mash/version2.rb +133 -19
- data/lib/chef/encrypted_attribute/exceptions.rb +19 -3
- data/lib/chef/encrypted_attribute/local_node.rb +15 -4
- data/lib/chef/encrypted_attribute/remote_clients.rb +33 -17
- data/lib/chef/encrypted_attribute/remote_node.rb +84 -29
- data/lib/chef/encrypted_attribute/remote_nodes.rb +62 -11
- data/lib/chef/encrypted_attribute/remote_users.rb +58 -19
- data/lib/chef/encrypted_attribute/search_helper.rb +214 -74
- data/lib/chef/encrypted_attribute/version.rb +3 -1
- data/lib/chef/encrypted_attributes.rb +20 -0
- data/lib/chef/knife/core/config.rb +4 -1
- data/lib/chef/knife/core/encrypted_attribute_base.rb +179 -0
- data/lib/chef/knife/core/encrypted_attribute_depends.rb +43 -0
- data/lib/chef/knife/core/encrypted_attribute_editor_options.rb +125 -61
- data/lib/chef/knife/encrypted_attribute_create.rb +51 -31
- data/lib/chef/knife/encrypted_attribute_delete.rb +32 -40
- data/lib/chef/knife/encrypted_attribute_edit.rb +51 -32
- data/lib/chef/knife/encrypted_attribute_show.rb +30 -55
- data/lib/chef/knife/encrypted_attribute_update.rb +43 -28
- data/spec/benchmark_helper.rb +2 -1
- data/spec/integration_helper.rb +1 -0
- data/spec/spec_helper.rb +21 -7
- metadata +75 -36
- metadata.gz.sig +1 -1
- data/API.md +0 -174
- data/INTERNAL.md +0 -166
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e6d1bc69146514a06cc1e531b167dcc1181d2076
|
4
|
+
data.tar.gz: f0bd3f332555ff57c8fc1340d855df6ef8c98615
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 3e62b8c12e4dcb98b2fee808e01a8ca27e390cd434e3c4bcb9c53720ed0965ec2ecb6fcb4e9f476c03e645046d1a209912e6941663daa459eaff7534e0271124
|
7
|
+
data.tar.gz: aa3e2077dd7c68289ff0e7c79ffbfc928c5ae3e3dcd94bba77471ec478e7f6ec0bfe29de80f6cf4b5aeeb320ed88ddd8869f95cf2fc701d4830c64d41fb9e6ef
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/.yardopts
ADDED
data/CHANGELOG.md
CHANGED
@@ -2,13 +2,49 @@
|
|
2
2
|
|
3
3
|
This file is used to list changes made in each version of `chef-encrypted-attributes`.
|
4
4
|
|
5
|
-
## 0.
|
5
|
+
## 0.4.0 (2014-12-10)
|
6
|
+
|
7
|
+
* Add Chef `12` support.
|
8
|
+
* Read `node['public_key']` instead of client public key when set.
|
9
|
+
* Add *chef/encrypted_attributes* library file.
|
10
|
+
* **Deprecates** *chef-encrypted-attributes* library file.
|
11
|
+
* Replace `yajl` gem by `ffi_yajl` gem.
|
12
|
+
* Gemspec: fix Ruby `< 1.9.3` support (mixlib-shellout `< 1.6.1`).
|
13
|
+
* Rename `InvalidPrivateKey` exception to `InvalidKey`.
|
14
|
+
* Add UTF-8 encoding header to all files.
|
15
|
+
* Big code refactor and clean-up.
|
16
|
+
* Code refactor all clases.
|
17
|
+
* Add `Chef::EncryptedAttribute::API` module.
|
18
|
+
* Clean-up Gemspec and Rakefile files code.
|
19
|
+
|
20
|
+
* Tests:
|
21
|
+
* Review and clean-up all tests.
|
22
|
+
* Integrate tests with `should_not` gem.
|
23
|
+
* Integrate with RuboCop.
|
24
|
+
* Add some knife unit tests.
|
25
|
+
* Update tests to RSpec `3.1`.
|
26
|
+
* Update tests to chef-zero `3.2`.
|
27
|
+
|
28
|
+
* Documentation:
|
29
|
+
* Document all classes and integrate them with yard and inch.
|
30
|
+
* Add KNIFE.md file.
|
31
|
+
* Move INTERNAL.md documentation to gem documentation.
|
32
|
+
* Move API.md documentation to gem documentation.
|
33
|
+
* README:
|
34
|
+
* Multiple fixes and improvements.
|
35
|
+
* Use chef.io domain for links.
|
36
|
+
* Add codeclimate badge.
|
37
|
+
* Add inch-ci documentation badge.
|
38
|
+
* Fix CHANGELOG format.
|
39
|
+
* CONTRIBUTING: add documetation about documentation.
|
40
|
+
|
41
|
+
## 0.3.0 (2014-08-25)
|
6
42
|
|
7
43
|
* gemspec: added the missing CONTRIBUTING.md file
|
8
44
|
* README: replaced exist_on_node? by exist? in users_data_bag example
|
9
45
|
* Added the required `:node_search` option (fixes the `"role:..."` examples).
|
10
46
|
|
11
|
-
## 0.2.0
|
47
|
+
## 0.2.0 (2014-08-12)
|
12
48
|
|
13
49
|
* Deprecate `#exists?` methods in favor of `#exist?` methods
|
14
50
|
* Fixed all RSpec deprecation warnings
|
@@ -20,7 +56,7 @@ This file is used to list changes made in each version of `chef-encrypted-attrib
|
|
20
56
|
* Added gem signing certificate
|
21
57
|
* gemspec: added dev dependency versions with pessimistic operator
|
22
58
|
|
23
|
-
## 0.1.1
|
59
|
+
## 0.1.1 (2014-05-23)
|
24
60
|
|
25
61
|
* gemspec: replaced open-ended chef dependency by `~> 11.4`
|
26
62
|
* Fixed ruby `1.9.2` decryption (uses `PKCS#1` for public key format)
|
@@ -28,6 +64,6 @@ This file is used to list changes made in each version of `chef-encrypted-attrib
|
|
28
64
|
* INTERNAL doc: added `EncryptedMash` class name to the Version0 structure
|
29
65
|
* Added shields.io badges
|
30
66
|
|
31
|
-
## 0.1.0
|
67
|
+
## 0.1.0 (2014-05-21)
|
32
68
|
|
33
69
|
* Initial release of `chef-encrypted-attributes`
|
data/CONTRIBUTING.md
CHANGED
@@ -1,13 +1,14 @@
|
|
1
1
|
Contributing
|
2
2
|
============
|
3
3
|
|
4
|
-
1. [Fork the repository on
|
4
|
+
1. [Fork the repository on GitHub](https://help.github.com/articles/fork-a-repo).
|
5
5
|
2. Create a named feature branch (`$ git checkout -b my-new-feature`).
|
6
6
|
3. Write tests for your change (if applicable).
|
7
7
|
4. Write your change.
|
8
|
-
5.
|
9
|
-
6.
|
10
|
-
7.
|
11
|
-
8.
|
8
|
+
5. Add documentation to your change.
|
9
|
+
6. [Run the tests](https://github.com/onddo/chef-encrypted-attributes/blob/master/TESTING.md), ensuring they all pass (`$ bundle exec rake`). Try as much as possible **not to reduce coverage**.
|
10
|
+
7. Commit your change (`$ git commit -am 'Add some feature'`).
|
11
|
+
8. Push to the branch (`$ git push origin my-new-feature`).
|
12
|
+
9. [Submit a Pull Request using GitHub](https://help.github.com/articles/creating-a-pull-request).
|
12
13
|
|
13
|
-
You can see the [TODO.md](TODO.md) file if you're looking for inspiration.
|
14
|
+
You can see the [TODO.md](https://github.com/onddo/chef-encrypted-attributes/blob/master/TODO.md) file if you're looking for inspiration.
|
data/KNIFE.md
ADDED
@@ -0,0 +1,151 @@
|
|
1
|
+
# Knife Commands
|
2
|
+
|
3
|
+
There are multiple commands to read, create and modify the encrypted attributes. All the commands will grant access privileges to the affected node by default (encrypted attributes are written in Node Attributes). But you will not be allowed to access them by default, so remember to give your own knife user privileges before creating or saving the attribute.
|
4
|
+
|
5
|
+
The `ATTRIBUTE` name must be specified using *dots* notation. For example, for `node['encrypted']['attribute']`, you must specify `"encrypted.attribute"` as knife argument. If the attribute key has a *dot* in its name, you must escape it. For example: `"encrypted.attribute\.with\.dots"`.
|
6
|
+
|
7
|
+
Read the [Chef Users Limitation](http://onddo.github.io/chef-encrypted-attributes/#chef-user-keys-access-limitation) caveat before trying to use any knife command.
|
8
|
+
|
9
|
+
## Installing the Required Gem
|
10
|
+
|
11
|
+
You need to install the `chef-encrypted-attributes` gem before using this knife commands.
|
12
|
+
|
13
|
+
$ gem install chef-encrypted-attributes
|
14
|
+
|
15
|
+
## knife.rb
|
16
|
+
|
17
|
+
Some configuration values can be set in your local `knife.rb` configuration file inside the `knife[:encrypted_attributes]` configuraiton space. For example:
|
18
|
+
|
19
|
+
```ruby
|
20
|
+
knife[:encrypted_attributes][:users] = '*' # allow access to all knife users
|
21
|
+
```
|
22
|
+
|
23
|
+
See the [API Configuration](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/API.html#Configuration) section for more configuration values.
|
24
|
+
|
25
|
+
## knife encrypted attribute show
|
26
|
+
|
27
|
+
Shows the decrypted attribute content.
|
28
|
+
|
29
|
+
$ knife encrypted attribute show NODE ATTRIBUTE (options)
|
30
|
+
|
31
|
+
For example:
|
32
|
+
|
33
|
+
$ knife encrypted attribute show ftp.example.com myapp.ftp_password
|
34
|
+
|
35
|
+
## knife encrypted attribute create
|
36
|
+
|
37
|
+
Creates an encrypted attribute in a node. The attribute cannot already exist.
|
38
|
+
|
39
|
+
$ knife encrypted attribute create NODE ATTRIBUTE (options)
|
40
|
+
|
41
|
+
If the input is in JSON format (`-i`), you can create a JSON in *quirk* mode like `false`, `5` or `"some string"`. You don't need to create an Array or a Hash as the JSON standard forces.
|
42
|
+
|
43
|
+
For example:
|
44
|
+
|
45
|
+
$ export EDITOR=vi
|
46
|
+
$ knife encrypted attribute create ftp.example.com myapp.ftp_password \
|
47
|
+
-U bob -U alice
|
48
|
+
|
49
|
+
## knife encrypted attribute update
|
50
|
+
|
51
|
+
Updates who can read the attribute (for `:client_search` and `:node_search` changes).
|
52
|
+
|
53
|
+
$ knife encrypted attribute update NODE ATTRIBUTE (options)
|
54
|
+
|
55
|
+
**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
|
56
|
+
|
57
|
+
For example:
|
58
|
+
|
59
|
+
$ knife encrypted attribute update ftp.example.com myapp.ftp_password \
|
60
|
+
--client-search admin:true \
|
61
|
+
--node-search role:webapp \
|
62
|
+
-U bob -U alice
|
63
|
+
|
64
|
+
## knife encrypted attribute edit
|
65
|
+
|
66
|
+
Edits an existing encrypted attribute. The attribute must exist.
|
67
|
+
|
68
|
+
$ knife encrypted attribute edit NODE ATTRIBUTE (options)
|
69
|
+
|
70
|
+
If the input is in JSON format (`-i`), you can create a JSON in *quirk* mode like `false`, `5` or `"some string"`. You don't need to create an Array or a Hash as the JSON standard forces.
|
71
|
+
|
72
|
+
**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
|
73
|
+
|
74
|
+
For example:
|
75
|
+
|
76
|
+
$ export EDITOR=vi
|
77
|
+
$ knife encrypted attribute edit ftp.example.com myapp.ftp_password \
|
78
|
+
--client-search admin:true \
|
79
|
+
--node-search role:webapp \
|
80
|
+
-U bob -U alice
|
81
|
+
|
82
|
+
## knife encrypted attribute delete
|
83
|
+
|
84
|
+
Deletes an existing attribute. If you have no privileges to read it, you must use the `--force` flag.
|
85
|
+
|
86
|
+
$ knife encrypted attribute delete NODE ATTRIBUTE (options)
|
87
|
+
|
88
|
+
For example:
|
89
|
+
|
90
|
+
$ knife encrypted attribute delete ftp.example.com myapp.ftp_password --force
|
91
|
+
|
92
|
+
## Knife Options
|
93
|
+
|
94
|
+
<table>
|
95
|
+
<tr>
|
96
|
+
<th>Short</th>
|
97
|
+
<th>Long</th>
|
98
|
+
<th>Description</th>
|
99
|
+
<th>Valid Values</th>
|
100
|
+
<th>Sub-Commands</th>
|
101
|
+
</tr>
|
102
|
+
<tr>
|
103
|
+
<td> </td>
|
104
|
+
<td>--encrypted-attribute-version</td>
|
105
|
+
<td>Encrypted Attribute protocol version to use</td>
|
106
|
+
<td>"0", "1" <em>(default)</em>, "2"</td>
|
107
|
+
<td>create, edit, update</td>
|
108
|
+
</tr>
|
109
|
+
<tr>
|
110
|
+
<td>-P</td>
|
111
|
+
<td>--disable-partial-search</td>
|
112
|
+
<td>Disable partial search</td>
|
113
|
+
<td> </td>
|
114
|
+
<td>create, edit, update</td>
|
115
|
+
</tr>
|
116
|
+
<tr>
|
117
|
+
<td>-C</td>
|
118
|
+
<td>--client-search</td>
|
119
|
+
<td>Client search query. Can be specified multiple times</td>
|
120
|
+
<td> </td>
|
121
|
+
<td>create, edit, update</td>
|
122
|
+
</tr>
|
123
|
+
<tr>
|
124
|
+
<td>-N</td>
|
125
|
+
<td>--node-search</td>
|
126
|
+
<td>Node search query. Can be specified multiple times</td>
|
127
|
+
<td> </td>
|
128
|
+
<td>create, edit, update</td>
|
129
|
+
</tr>
|
130
|
+
<tr>
|
131
|
+
<td>-U</td>
|
132
|
+
<td>--user</td>
|
133
|
+
<td>User name to allow access to. Can be specified multiple times</td>
|
134
|
+
<td> </td>
|
135
|
+
<td>create, edit, update</td>
|
136
|
+
</tr>
|
137
|
+
<tr>
|
138
|
+
<td>-i</td>
|
139
|
+
<td>--input-format</td>
|
140
|
+
<td>Input (<em>EDITOR</em>) format</td>
|
141
|
+
<td>"plain" <em>(default)</em>, "json"</td>
|
142
|
+
<td>create, edit</td>
|
143
|
+
</tr>
|
144
|
+
<tr>
|
145
|
+
<td>-f</td>
|
146
|
+
<td>--force</td>
|
147
|
+
<td>Force the attribute deletion even if you cannot read it</td>
|
148
|
+
<td> </td>
|
149
|
+
<td>delete</td>
|
150
|
+
</tr>
|
151
|
+
</table>
|
data/README.md
CHANGED
@@ -1,12 +1,14 @@
|
|
1
1
|
# Chef-Encrypted-Attributes
|
2
2
|
[![Gem Version](http://img.shields.io/gem/v/chef-encrypted-attributes.svg?style=flat)](http://badge.fury.io/rb/chef-encrypted-attributes)
|
3
3
|
[![Dependency Status](http://img.shields.io/gemnasium/onddo/chef-encrypted-attributes.svg?style=flat)](https://gemnasium.com/onddo/chef-encrypted-attributes)
|
4
|
-
[![
|
5
|
-
[![
|
4
|
+
[![Code Climate](http://img.shields.io/codeclimate/github/onddo/chef-encrypted-attributes.svg?style=flat)](https://codeclimate.com/github/onddo/chef-encrypted-attributes)
|
5
|
+
[![Build Status](http://img.shields.io/travis/onddo/chef-encrypted-attributes/0.4.0.svg?style=flat)](https://travis-ci.org/onddo/chef-encrypted-attributes)
|
6
|
+
[![Coverage Status](http://img.shields.io/coveralls/onddo/chef-encrypted-attributes/0.4.0.svg?style=flat)](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=0.4.0)
|
7
|
+
[![Inline docs](http://inch-ci.org/github/onddo/chef-encrypted-attributes.svg?branch=0.4.0&style=flat)](http://inch-ci.org/github/onddo/chef-encrypted-attributes)
|
6
8
|
|
7
|
-
[Chef](
|
9
|
+
[Chef](https://www.chef.io/) plugin to add Node encrypted attributes support using client keys.
|
8
10
|
|
9
|
-
We recommend using the [encrypted_attributes
|
11
|
+
We recommend using the [`encrypted_attributes`](https://supermarket.chef.io/cookbooks/encrypted_attributes) cookbook for easy installation.
|
10
12
|
|
11
13
|
## Description
|
12
14
|
|
@@ -18,7 +20,7 @@ Node attributes are encrypted using chef client and user keys with public key in
|
|
18
20
|
|
19
21
|
* Ruby `>= 1.9`
|
20
22
|
* Chef Client `~> 11.4`
|
21
|
-
*
|
23
|
+
* ffi_yajl `~> 1.0` (included with Chef)
|
22
24
|
* If you want to use protocol version 2 to use [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) (disabled by default):
|
23
25
|
* Ruby `>= 2`.
|
24
26
|
* OpenSSL `>= 1.0.1`.
|
@@ -30,8 +32,8 @@ Node attributes are encrypted using chef client and user keys with public key in
|
|
30
32
|
You need to install and include the `chef-encrypted-attributes` gem before using encrypted attributes inside a cookbook.
|
31
33
|
|
32
34
|
```ruby
|
33
|
-
chef_gem
|
34
|
-
require
|
35
|
+
chef_gem 'chef-encrypted-attributes'
|
36
|
+
require 'chef/encrypted_attributes'
|
35
37
|
```
|
36
38
|
|
37
39
|
### Typical Example
|
@@ -39,62 +41,70 @@ require "chef-encrypted-attributes"
|
|
39
41
|
In the following example we save a simple FTP user password.
|
40
42
|
|
41
43
|
```ruby
|
42
|
-
chef_gem
|
43
|
-
require
|
44
|
+
chef_gem 'chef-encrypted-attributes'
|
45
|
+
require 'chef/encrypted_attributes'
|
44
46
|
|
45
|
-
|
47
|
+
# include the #secure_password method
|
48
|
+
Chef::Recipe.send(:include, Opscode::OpenSSL::Password)
|
46
49
|
|
47
|
-
if Chef::EncryptedAttribute.exist?(node[
|
50
|
+
if Chef::EncryptedAttribute.exist?(node['myapp']['ftp_password'])
|
48
51
|
# update with the new keys
|
49
|
-
Chef::EncryptedAttribute.update(node.set[
|
52
|
+
Chef::EncryptedAttribute.update(node.set['myapp']['ftp_password'])
|
50
53
|
|
51
54
|
# read the password
|
52
|
-
ftp_pass = Chef::EncryptedAttribute.load(node[
|
55
|
+
ftp_pass = Chef::EncryptedAttribute.load(node['myapp']['ftp_password'])
|
53
56
|
else
|
54
57
|
# create the password and save it
|
55
58
|
ftp_pass = secure_password
|
56
|
-
node.set[
|
59
|
+
node.set['myapp']['ftp_password'] = Chef::EncryptedAttribute.create(ftp_pass)
|
57
60
|
end
|
58
61
|
|
59
62
|
# use `ftp_pass` for something here ...
|
60
63
|
```
|
61
64
|
|
62
|
-
**Note:** This example requires the [openssl](
|
65
|
+
**Note:** This example requires the [`openssl`](https://supermarket.chef.io/cookbooks/openssl) cookbook.
|
63
66
|
|
64
67
|
### Minimal Write Only Example
|
65
68
|
|
66
69
|
In this example we only need to save some data from the local node and read it from another:
|
67
70
|
|
68
71
|
```ruby
|
69
|
-
chef_gem
|
70
|
-
require
|
72
|
+
chef_gem 'chef-encrypted-attributes'
|
73
|
+
require 'chef/encrypted_attributes'
|
71
74
|
|
72
75
|
# Allow all admin clients to read the attributes encrypted by me
|
73
|
-
Chef::Config[:encrypted_attributes][:client_search] =
|
76
|
+
Chef::Config[:encrypted_attributes][:client_search] = 'admin:true'
|
74
77
|
|
75
78
|
# Allow all webapp nodes to read the attributes encrypted by me
|
76
|
-
Chef::Config[:encrypted_attributes][:node_search] =
|
79
|
+
Chef::Config[:encrypted_attributes][:node_search] = 'role:webapp'
|
77
80
|
|
78
|
-
if Chef::EncryptedAttribute.exist?(node[
|
79
|
-
# when can used #load here as above if we need the `encrypted_data` outside
|
81
|
+
if Chef::EncryptedAttribute.exist?(node['myapp']['encrypted_data'])
|
82
|
+
# when can used #load here as above if we need the `encrypted_data` outside
|
83
|
+
# this `if`
|
80
84
|
|
81
85
|
# update with the new keys
|
82
|
-
Chef::EncryptedAttribute.update(node.set[
|
86
|
+
Chef::EncryptedAttribute.update(node.set['myapp']['encrypted_data'])
|
83
87
|
else
|
84
88
|
# create the data, encrypt and save it
|
85
89
|
data_to_encrypt = # ....
|
86
|
-
node.set[
|
90
|
+
node.set['myapp']['encrypted_data'] =
|
91
|
+
Chef::EncryptedAttribute.create(data_to_encrypt)
|
87
92
|
end
|
88
93
|
```
|
89
94
|
|
90
|
-
Then we can read this attribute from another allowed node (a `
|
95
|
+
Then we can read this attribute from another allowed node (a `'role:webapp'` node):
|
91
96
|
|
92
97
|
```ruby
|
93
|
-
|
94
|
-
|
98
|
+
include_recipe 'encrypted_attributes'
|
99
|
+
# Expose the public key for encryption
|
100
|
+
include_recipe 'encrypted_attributes::expose_key'
|
95
101
|
|
96
|
-
if Chef::EncryptedAttribute.exist_on_node?(
|
97
|
-
|
102
|
+
if Chef::EncryptedAttribute.exist_on_node?(
|
103
|
+
'random.example.com', %w(myapp encrypted_data)
|
104
|
+
)
|
105
|
+
data = Chef::EncryptedAttribute.load_from_node(
|
106
|
+
'random.example.com', %w(myapp encrypted_data)
|
107
|
+
)
|
98
108
|
|
99
109
|
# use `data` for something here ...
|
100
110
|
end
|
@@ -104,7 +114,7 @@ end
|
|
104
114
|
|
105
115
|
### Example Using User Keys Data Bag
|
106
116
|
|
107
|
-
Suppose we want to store users public keys in a data bag and give them access to the attributes. This can be a workaround for the [Chef Users Limitation](
|
117
|
+
Suppose we want to store users public keys in a data bag and give them access to the attributes. This can be a workaround for the [Chef Users Limitation](#chef-user-keys-access-limitation) problem.
|
108
118
|
|
109
119
|
You need to create a Data Bag Item with a content similar to the following:
|
110
120
|
|
@@ -121,13 +131,16 @@ This data bag will contain the user public keys retrieved with `knife user show
|
|
121
131
|
Then, from a recipe, you can read this user keys and allow them to read the attributes.
|
122
132
|
|
123
133
|
```ruby
|
124
|
-
chef_gem
|
125
|
-
require
|
134
|
+
chef_gem 'chef-encrypted-attributes'
|
135
|
+
require 'chef/encrypted_attributes'
|
126
136
|
|
127
|
-
chef_users = Chef::DataBagItem.load(
|
128
|
-
|
137
|
+
chef_users = Chef::DataBagItem.load('global_data_bag', 'chef_users')
|
138
|
+
# remove the data bag "id" to avoid to confuse it with a user:
|
139
|
+
chef_users.delete('id')
|
129
140
|
|
130
|
-
Chef::Log.debug(
|
141
|
+
Chef::Log.debug(
|
142
|
+
"Chef Users able to read the Encrypted Attributes: #{chef_users.keys.inspect}"
|
143
|
+
)
|
131
144
|
Chef::Config[:encrypted_attributes][:keys] = chef_users.values
|
132
145
|
|
133
146
|
# if Chef::EncryptedAttribute.exist?(...)
|
@@ -141,185 +154,50 @@ Chef::Config[:encrypted_attributes][:keys] = chef_users.values
|
|
141
154
|
|
142
155
|
## Chef::EncryptedAttribute API
|
143
156
|
|
144
|
-
See the [API
|
157
|
+
See the [API documentation](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/API.html) for a more detailed information about `Chef::EncryptedAttribute` class and its methods.
|
145
158
|
|
146
|
-
## Chef
|
159
|
+
## Chef User Keys Access Limitation
|
147
160
|
|
148
161
|
Keep in mind that, from a Chef Node, *Chef User* *public keys* are inaccessible. So you have to pass them in raw mode in the recipe if you need any *Chef User* to be able to use the encrypted attributes (this is **required for** example to use the **knife commands** included in this gem, as knife is usually used by *Chef Users*). Summarizing, Chef Node inside a recipe (using its *Chef Client* key) will not be able to retrieve the *Chef Users* *public keys*, so you need to pass them using the `[:keys]` configuration value.
|
149
162
|
|
150
163
|
Chef Nodes (Clients) with *admin* privileges do have access to user public keys, but in most cases this is not a recommended practice.
|
151
164
|
|
152
|
-
|
153
|
-
|
154
|
-
See the [Example Using User Keys Data Bag](README.md#example-using-user-keys-data-bag) section for a workaround.
|
165
|
+
See the [Example Using User Keys Data Bag](#example-using-user-keys-data-bag) section for a workaround. You can use the [`encrypted_attributes::users_data_bag`](https://supermarket.chef.io/cookbooks/encrypted_attributes#encrypted_attributes::users_data_bag) recipe for this.
|
155
166
|
|
156
167
|
**Note:** *Chef Clients* usually are Chef Nodes and *chef-validation*/*chef-webui* keys. *Chef Users* usually are knife users. The main difference between *Chef Users* and *Chef Clients* is that the former are able to log in via *web-ui* (has a password).
|
157
168
|
|
158
|
-
##
|
159
|
-
|
160
|
-
There are multiple commands to read, create and modify the encrypted attributes. All the commands will grant access privileges to the affected node by default (encrypted attributes are written in Node Attributes). But you will not be allowed to access them by default, so remember to give your own knife user privileges before creating or saving the attribute.
|
161
|
-
|
162
|
-
The `ATTRIBUTE` name must be specified using *dots* notation. For example, for `node['encrypted']['attribute']`, you must specify `"encrypted.attribute"` as knife argument. If the attribute key has a *dot* in its name, you must escape it. For example: `"encrypted.attribute\.with\.dots"`.
|
163
|
-
|
164
|
-
Read the [Chef Users Limitation](README.md#chef-users-limitation) caveat before trying to use any knife command.
|
165
|
-
|
166
|
-
### Installing the Required Gem
|
167
|
-
|
168
|
-
You need to install the `chef-encrypted-attributes` gem before using this knife commands.
|
169
|
-
|
170
|
-
$ gem install chef-encrypted-attributes
|
171
|
-
|
172
|
-
### knife.rb
|
173
|
-
|
174
|
-
Some configuration values can be set in your local `knife.rb` configuration file inside the `knife[:encrypted_attributes]` configuraiton space. For example:
|
175
|
-
|
176
|
-
```ruby
|
177
|
-
knife[:encrypted_attributes][:users] = '*' # allow access to all knife users
|
178
|
-
```
|
179
|
-
|
180
|
-
See the [API Configuration](API.md#configuration) section for more configuration values.
|
181
|
-
|
182
|
-
### knife encrypted attribute show
|
183
|
-
|
184
|
-
Shows the decrypted attribute content.
|
185
|
-
|
186
|
-
$ knife encrypted attribute show NODE ATTRIBUTE (options)
|
187
|
-
|
188
|
-
For example:
|
189
|
-
|
190
|
-
$ knife encrypted attribute show ftp.example.com myapp.ftp_password
|
169
|
+
## Chef Client Keys Access Limitation
|
191
170
|
|
192
|
-
|
171
|
+
*Chef Client* *public keys* has a [similar problem to the user keys](#chef-user-keys-access-limitation), you cannot retrieve them from a Chef Node.
|
193
172
|
|
194
|
-
|
173
|
+
To fix this limitation you should expose de *Chef Client* *public key* in the `node['public_key']` attribute. You can include the [`encrypted_attributes::expose_key`](https://supermarket.chef.io/cookbooks/encrypted_attributes#encrypted_attributes::expose_key) recipe for this. You need to include this recipe in the *Chef Nodes* that require read privileges on the encrypted attributes.
|
195
174
|
|
196
|
-
|
175
|
+
Exposing the public key through attributes should not be considered a security breach, so it's not a problem to include it on all machines.
|
197
176
|
|
198
|
-
|
199
|
-
|
200
|
-
For example:
|
201
|
-
|
202
|
-
$ export EDITOR=vi
|
203
|
-
$ knife encrypted attribute create ftp.example.com myapp.ftp_password \
|
204
|
-
-U bob -U alice
|
205
|
-
|
206
|
-
### knife encrypted attribute update
|
207
|
-
|
208
|
-
Updates who can read the attribute (for `:client_search` and `:node_search` changes).
|
209
|
-
|
210
|
-
$ knife encrypted attribute update NODE ATTRIBUTE (options)
|
211
|
-
|
212
|
-
**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
|
213
|
-
|
214
|
-
For example:
|
215
|
-
|
216
|
-
$ knife encrypted attribute update ftp.example.com myapp.ftp_password \
|
217
|
-
--client-search admin:true \
|
218
|
-
--node-search role:webapp \
|
219
|
-
-U bob -U alice
|
220
|
-
|
221
|
-
### knife encrypted attribute edit
|
222
|
-
|
223
|
-
Edits an existing encrypted attribute. The attribute must exist.
|
224
|
-
|
225
|
-
$ knife encrypted attribute edit NODE ATTRIBUTE (options)
|
226
|
-
|
227
|
-
If the input is in JSON format (`-i`), you can create a JSON in *quirk* mode like `false`, `5` or `"some string"`. You don't need to create an Array or a Hash as the JSON standard forces.
|
228
|
-
|
229
|
-
**You must be careful to pass the same privilege arguments that you used in its creation** (this will surely be fixed in a future).
|
230
|
-
|
231
|
-
For example:
|
232
|
-
|
233
|
-
$ export EDITOR=vi
|
234
|
-
$ knife encrypted attribute edit ftp.example.com myapp.ftp_password \
|
235
|
-
--client-search admin:true \
|
236
|
-
--node-search role:webapp \
|
237
|
-
-U bob -U alice
|
238
|
-
|
239
|
-
### knife encrypted attribute delete
|
240
|
-
|
241
|
-
Deletes an existing attribute. If you have no privileges to read it, you must use the `--force` flag.
|
177
|
+
## Knife Commands
|
242
178
|
|
243
|
-
|
179
|
+
See the [KNIFE.md](http://www.rubydoc.info/gems/chef-encrypted-attributes/file/KNIFE.md) file.
|
244
180
|
|
245
|
-
|
181
|
+
## Internal Low Level Documentation
|
246
182
|
|
247
|
-
|
183
|
+
The cryptographic systems used are documented in the following classes:
|
248
184
|
|
249
|
-
|
185
|
+
* [EncryptedMash](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash)
|
186
|
+
* [EncryptedMash::Version0](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash/Version0)
|
187
|
+
* [EncryptedMash::Version1](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash/Version1)
|
188
|
+
* [EncryptedMash::Version2](http://www.rubydoc.info/gems/chef-encrypted-attributes/Chef/EncryptedAttribute/EncryptedMash/Version2)
|
250
189
|
|
251
|
-
|
252
|
-
<tr>
|
253
|
-
<th>Short</th>
|
254
|
-
<th>Long</th>
|
255
|
-
<th>Description</th>
|
256
|
-
<th>Valid Values</th>
|
257
|
-
<th>Sub-Commands</th>
|
258
|
-
</tr>
|
259
|
-
<tr>
|
260
|
-
<td> </td>
|
261
|
-
<td>--encrypted-attribute-version</td>
|
262
|
-
<td>Encrypted Attribute protocol version to use</td>
|
263
|
-
<td>"0", "1" <em>(default)</em>, "2"</td>
|
264
|
-
<td>create, edit, update</td>
|
265
|
-
</tr>
|
266
|
-
<tr>
|
267
|
-
<td>-P</td>
|
268
|
-
<td>--disable-partial-search</td>
|
269
|
-
<td>Disable partial search</td>
|
270
|
-
<td> </td>
|
271
|
-
<td>create, edit, update</td>
|
272
|
-
</tr>
|
273
|
-
<tr>
|
274
|
-
<td>-C</td>
|
275
|
-
<td>--client-search</td>
|
276
|
-
<td>Client search query. Can be specified multiple times</td>
|
277
|
-
<td> </td>
|
278
|
-
<td>create, edit, update</td>
|
279
|
-
</tr>
|
280
|
-
<tr>
|
281
|
-
<td>-N</td>
|
282
|
-
<td>--node-search</td>
|
283
|
-
<td>Node search query. Can be specified multiple times</td>
|
284
|
-
<td> </td>
|
285
|
-
<td>create, edit, update</td>
|
286
|
-
</tr>
|
287
|
-
<tr>
|
288
|
-
<td>-U</td>
|
289
|
-
<td>--user</td>
|
290
|
-
<td>User name to allow access to. Can be specified multiple times</td>
|
291
|
-
<td> </td>
|
292
|
-
<td>create, edit, update</td>
|
293
|
-
</tr>
|
294
|
-
<tr>
|
295
|
-
<td>-i</td>
|
296
|
-
<td>--input-format</td>
|
297
|
-
<td>Input (<em>EDITOR</em>) format</td>
|
298
|
-
<td>"plain" <em>(default)</em>, "json"</td>
|
299
|
-
<td>create, edit</td>
|
300
|
-
</tr>
|
301
|
-
<tr>
|
302
|
-
<td>-f</td>
|
303
|
-
<td>--force</td>
|
304
|
-
<td>Force the attribute deletion even if you cannot read it</td>
|
305
|
-
<td> </td>
|
306
|
-
<td>delete</td>
|
307
|
-
</tr>
|
308
|
-
</table>
|
309
|
-
|
310
|
-
## Internal Documentation
|
311
|
-
|
312
|
-
See the [INTERNAL.md](INTERNAL.md) file for a more low level documentation.
|
190
|
+
See the [official gem documentation](http://www.rubydoc.info/gems/chef-encrypted-attributes/) for more information.
|
313
191
|
|
314
192
|
## Using Signed Gems
|
315
193
|
|
316
194
|
The `chef-encrypted-attributes` gem is cryptographically signed by Onddo Labs's certificate, which identifies as *team@onddo.com*. You can obtain the official signature here:
|
317
195
|
|
318
|
-
https://raw.github.com/onddo/chef-encrypted-attributes/
|
196
|
+
https://raw.github.com/onddo/chef-encrypted-attributes/0.4.0/certs/team_onddo.crt
|
319
197
|
|
320
198
|
To be sure the gem you install has not been tampered with:
|
321
199
|
|
322
|
-
$ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/
|
200
|
+
$ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/0.4.0/certs/team_onddo.crt)
|
323
201
|
$ gem install chef-encrypted-attributes -P MediumSecurity
|
324
202
|
|
325
203
|
The *MediumSecurity* trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of `chef-encrypted-attributes`'s dependencies are signed, so we cannot use *HighSecurity*.
|
@@ -330,7 +208,7 @@ We recommend to remove our certificate after the gem has been successfully verif
|
|
330
208
|
|
331
209
|
## Security Notes
|
332
210
|
|
333
|
-
All the cryptographic systems and algorithms used by `chef-encrypted-attributes` are carefully described in the [internal documentation](
|
211
|
+
All the cryptographic systems and algorithms used by `chef-encrypted-attributes` are carefully described in the [internal documentation](#internal-low-level-documentation) for public review. The code was originally based on *Encrypted Data Bags* and [chef-vault](https://github.com/Nordstrom/chef-vault) implementations, then improved.
|
334
212
|
|
335
213
|
Still, this gem should be considered experimental until audited by professional cryptographers.
|
336
214
|
|
@@ -338,7 +216,7 @@ Still, this gem should be considered experimental until audited by professional
|
|
338
216
|
|
339
217
|
If you have discovered a bug in `chef-encrypted-attributes` of a sensitive nature, i.e. one which can compromise the security of `chef-encrypted-attributes` users, you can report it securely by sending a GPG encrypted message. Please use the following key:
|
340
218
|
|
341
|
-
https://raw.github.com/onddo/chef-encrypted-attributes/
|
219
|
+
https://raw.github.com/onddo/chef-encrypted-attributes/0.4.0/zuazo.gpg
|
342
220
|
|
343
221
|
The key fingerprint is (or should be):
|
344
222
|
|
@@ -346,17 +224,17 @@ The key fingerprint is (or should be):
|
|
346
224
|
|
347
225
|
## Testing
|
348
226
|
|
349
|
-
See [TESTING.md](TESTING.md).
|
227
|
+
See [TESTING.md]((https://github.com/onddo/chef-encrypted-attributes/blob/master/TESTING.md).
|
350
228
|
|
351
229
|
## Contributing
|
352
230
|
|
353
231
|
Please do not hesitate to [open an issue](https://github.com/onddo/chef-encrypted-attributes/issues/new) with any questions or problems.
|
354
232
|
|
355
|
-
See [CONTRIBUTING.md](CONTRIBUTING.md).
|
233
|
+
See [CONTRIBUTING.md](https://github.com/onddo/chef-encrypted-attributes/blob/master/CONTRIBUTING.md).
|
356
234
|
|
357
235
|
## TODO
|
358
236
|
|
359
|
-
See [TODO.md](TODO.md).
|
237
|
+
See [TODO.md](https://github.com/onddo/chef-encrypted-attributes/blob/master/TODO.md).
|
360
238
|
|
361
239
|
## License and Author
|
362
240
|
|