chef-encrypted-attributes 0.7.0 → 0.8.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGELOG.md +6 -1
- data/README.md +13 -5
- data/Rakefile +1 -1
- data/lib/chef/encrypted_attribute.rb +13 -4
- data/lib/chef/encrypted_attribute/api.rb +10 -3
- data/lib/chef/encrypted_attribute/config.rb +17 -2
- data/lib/chef/encrypted_attribute/encrypted_mash/version2.rb +1 -1
- data/lib/chef/encrypted_attribute/remote_clients.rb +6 -2
- data/lib/chef/encrypted_attribute/remote_node.rb +3 -2
- data/lib/chef/encrypted_attribute/remote_nodes.rb +6 -2
- data/lib/chef/encrypted_attribute/search_helper.rb +4 -4
- data/lib/chef/encrypted_attribute/version.rb +1 -1
- metadata +3 -3
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e206a093b2d8ed07fe97cd37c9eeeba215073585
|
4
|
+
data.tar.gz: d0a0b4bb447df79ba59c1c2e65990ca17de7993e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1883981d17325eb1306b9c415a4fd721b52d21520299317755128170a7271bb1c1e227e256ad5281e240aac742a6b5861e8b2fd6c17d91a136cf935434eca304
|
7
|
+
data.tar.gz: 8cc84abfea65767303e6e83c4cec84a9a551df4d40243e30deebcb655653a0b6dec490ff798cfbb4ee087f40863a7790e4f9802678182804a6ce21c432f2fa29
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,11 @@
|
|
2
2
|
|
3
3
|
This file is used to list changes made in each version of `chef-encrypted-attributes`.
|
4
4
|
|
5
|
+
## 0.8.0 (2015-05-22)
|
6
|
+
|
7
|
+
* Do not limit `RemoteNode#load_attribute` search result to one row (related to [issue #3](https://github.com/onddo/chef-encrypted-attributes/pull/3), thanks [Crystal Hsiung](https://github.com/chhsiung) for the help).
|
8
|
+
* Update opscode and github links to chef.io and chef.
|
9
|
+
|
5
10
|
## 0.7.0 (2015-05-20)
|
6
11
|
|
7
12
|
* Move chef to dev dependency and remove dynamic dependency installation extension (related to [cookbook issue #2](https://github.com/onddo/encrypted_attributes-cookbook/pull/2#issuecomment-101454221) and [issue #2](https://github.com/onddo/chef-encrypted-attributes/pull/2), thanks [Lisa Danz](https://github.com/ldanz) for reporting).
|
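Review bot: the 0.8.0 entry only says the one-row limit was removed, but this release also adds a public `:search_max_rows` configuration option (default `1000`) and inserts a `rows` positional parameter into `RemoteNode#load_attribute`, `RemoteClients.search_public_keys` and `RemoteNodes.search_public_keys` ahead of the existing `partial_search` argument; list the new option and the signature changes here so callers of those methods know their positional `partial_search` argument has moved.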
@@ -75,7 +80,7 @@ This file is used to list changes made in each version of `chef-encrypted-attrib
|
|
75
80
|
|
76
81
|
* Deprecate `#exists?` methods in favor of `#exist?` methods
|
77
82
|
* Fixed all RSpec deprecation warnings
|
78
|
-
* Added Protocol Version 2 (*disabled by default*): uses [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) as in [Chef 12 Encrypted Data Bags Version 3](https://github.com/
|
83
|
+
* Added Protocol Version 2 (*disabled by default*): uses [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) as in [Chef 12 Encrypted Data Bags Version 3](https://github.com/chef/chef/pull/1591).
|
79
84
|
* Added `RequirementsFailure` exception
|
80
85
|
* README, CONTRIBUTING, TODO: multiple documentation improvements
|
81
86
|
* Added some security related sections to the README
|
data/README.md
CHANGED
@@ -2,8 +2,8 @@
|
|
2
2
|
[![Gem Version](http://img.shields.io/gem/v/chef-encrypted-attributes.svg?style=flat)](http://badge.fury.io/rb/chef-encrypted-attributes)
|
3
3
|
[![Dependency Status](http://img.shields.io/gemnasium/onddo/chef-encrypted-attributes.svg?style=flat)](https://gemnasium.com/onddo/chef-encrypted-attributes)
|
4
4
|
[![Code Climate](http://img.shields.io/codeclimate/github/onddo/chef-encrypted-attributes.svg?style=flat)](https://codeclimate.com/github/onddo/chef-encrypted-attributes)
|
5
|
-
[![Build Status](http://img.shields.io/travis/onddo/chef-encrypted-attributes/0.
|
6
|
-
[![Coverage Status](http://img.shields.io/coveralls/onddo/chef-encrypted-attributes/0.
|
5
|
+
[![Build Status](http://img.shields.io/travis/onddo/chef-encrypted-attributes/0.8.0.svg?style=flat)](https://travis-ci.org/onddo/chef-encrypted-attributes)
|
6
|
+
[![Coverage Status](http://img.shields.io/coveralls/onddo/chef-encrypted-attributes/0.8.0.svg?style=flat)](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=0.8.0)
|
7
7
|
[![Inline docs](http://inch-ci.org/github/onddo/chef-encrypted-attributes.svg?branch=master&style=flat)](http://inch-ci.org/github/onddo/chef-encrypted-attributes)
|
8
8
|
|
9
9
|
[Chef](https://www.chef.io/) plugin to add Node encrypted attributes support using client keys.
|
@@ -176,6 +176,14 @@ To fix this limitation you should expose de *Chef Client* *public key* in the `n
|
|
176
176
|
|
177
177
|
Exposing the public key through attributes should not be considered a security breach, so it's not a problem to include it on all machines.
|
178
178
|
|
179
|
+
## Maximum Number of Nodes
|
180
|
+
|
181
|
+
This gem is ready to be used with Chef Servers that have less than `1000` nodes by default. You can increase this limit setting the `search_max_rows` configuration option:
|
182
|
+
|
183
|
+
```ruby
|
184
|
+
Chef::Config[:encrypted_attributes][:search_max_rows] = 50_000
|
185
|
+
```
|
186
|
+
|
179
187
|
## Knife Commands
|
180
188
|
|
181
189
|
See the [KNIFE.md](http://www.rubydoc.info/gems/chef-encrypted-attributes/file/KNIFE.md) file.
|
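Review bot: the new section states the limit but not what happens when it is exceeded; from the visible changes the search results are simply capped at `search_max_rows`, with no error or warning, so on a server with more nodes than the limit the public keys of the extra nodes are left out and those nodes will not be able to decrypt attributes shared with them. State that failure mode here, and mention that the same value also caps the client search (`remote_client_keys` passes `config.search_max_rows` to `RemoteClients.search_public_keys`), so the number of clients, not only nodes, has to stay under it.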
@@ -195,11 +203,11 @@ See the [official gem documentation](http://www.rubydoc.info/gems/chef-encrypted
|
|
195
203
|
|
196
204
|
The `chef-encrypted-attributes` gem is cryptographically signed by Onddo Labs's certificate, which identifies as *team@onddo.com*. You can obtain the official signature here:
|
197
205
|
|
198
|
-
https://raw.github.com/onddo/chef-encrypted-attributes/
|
206
|
+
https://raw.github.com/onddo/chef-encrypted-attributes/0.8.0/certs/team_onddo.crt
|
199
207
|
|
200
208
|
To be sure the gem you install has not been tampered with:
|
201
209
|
|
202
|
-
$ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/
|
210
|
+
$ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/0.8.0/certs/team_onddo.crt)
|
203
211
|
$ gem install chef-encrypted-attributes -P MediumSecurity
|
204
212
|
|
205
213
|
The *MediumSecurity* trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of `chef-encrypted-attributes`'s dependencies are signed, so we cannot use *HighSecurity*.
|
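Review bot: the certificate used for `gem cert --add` is fetched with `curl -Ls` and trusted as downloaded, so the signature check is only as strong as that download; since the README already gives a fingerprint for the GPG key further down, give the expected fingerprint of `team_onddo.crt` here too (for example the output of `openssl x509 -noout -fingerprint -sha256 -in team_onddo.crt`) so readers can check the file before adding it, and consider pointing the URL at an immutable commit rather than the movable `0.8.0` tag.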
@@ -218,7 +226,7 @@ Still, this gem should be considered experimental until audited by professional
|
|
218
226
|
|
219
227
|
If you have discovered a bug in `chef-encrypted-attributes` of a sensitive nature, i.e. one which can compromise the security of `chef-encrypted-attributes` users, you can report it securely by sending a GPG encrypted message. Please use the following key:
|
220
228
|
|
221
|
-
https://raw.github.com/onddo/chef-encrypted-attributes/
|
229
|
+
https://raw.github.com/onddo/chef-encrypted-attributes/0.8.0/zuazo.gpg
|
222
230
|
|
223
231
|
The key fingerprint is (or should be):
|
224
232
|
|
data/Rakefile
CHANGED
@@ -61,7 +61,7 @@ end
|
|
61
61
|
|
62
62
|
if RUBY_VERSION < '1.9.3'
|
63
63
|
# Integration tests are broken in 1.9.2 due to a chef-zero bug:
|
64
|
-
# https://github.com/
|
64
|
+
# https://github.com/chef/chef-zero/issues/65
|
65
65
|
# RuboCop require Ruby 1.9.3.
|
66
66
|
task default: %w(unit)
|
67
67
|
else
|
@@ -130,7 +130,11 @@ class Chef
|
|
130
130
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
131
131
|
def load_from_node(name, attr_ary, key = nil)
|
132
132
|
remote_node = RemoteNode.new(name)
|
133
|
-
|
133
|
+
enc_hs =
|
134
|
+
remote_node.load_attribute(
|
135
|
+
attr_ary, config.search_max_rows, config.partial_search
|
136
|
+
)
|
137
|
+
load(enc_hs, key)
|
134
138
|
end
|
135
139
|
|
136
140
|
# Creates an encrypted attribute from a Hash.
|
@@ -302,7 +306,10 @@ class Chef
|
|
302
306
|
|
303
307
|
# update the encrypted attribute
|
304
308
|
remote_node = RemoteNode.new(name)
|
305
|
-
enc_hs =
|
309
|
+
enc_hs =
|
310
|
+
remote_node.load_attribute(
|
311
|
+
attr_ary, config.search_max_rows, config.partial_search
|
312
|
+
)
|
306
313
|
updated = update(enc_hs, [node_public_key])
|
307
314
|
|
308
315
|
# save encrypted attribute
|
@@ -327,7 +334,7 @@ class Chef
|
|
327
334
|
# @see #config
|
328
335
|
def remote_client_keys
|
329
336
|
RemoteClients.search_public_keys(
|
330
|
-
config.client_search, config.partial_search
|
337
|
+
config.client_search, config.search_max_rows, config.partial_search
|
331
338
|
)
|
332
339
|
end
|
333
340
|
|
@@ -344,7 +351,9 @@ class Chef
|
|
344
351
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
345
352
|
# @see #config
|
346
353
|
def remote_node_keys
|
347
|
-
RemoteNodes.search_public_keys(
|
354
|
+
RemoteNodes.search_public_keys(
|
355
|
+
config.node_search, config.search_max_rows, config.partial_search
|
356
|
+
)
|
348
357
|
end
|
349
358
|
|
350
359
|
# Gets remote user keys using the configured user list.
|
@@ -35,8 +35,8 @@ class Chef
|
|
35
35
|
# {Chef::EncryptedAttribute} class.
|
36
36
|
#
|
37
37
|
# These methods are intended to be used from Chef
|
38
|
-
# [Recipes](http://docs.
|
39
|
-
# [Resources](https://docs.
|
38
|
+
# [Recipes](http://docs.chef.io/recipes.html) or
|
39
|
+
# [Resources](https://docs.chef.io/resource.html).
|
40
40
|
#
|
41
41
|
# The attributes created by these methods are encrypted **only for the local
|
42
42
|
# node** by default.
|
@@ -73,6 +73,9 @@ class Chef
|
|
73
73
|
# *OR*-ed.
|
74
74
|
# * `:node_search` - Search query for nodes allowed to read the encrypted
|
75
75
|
# attribute. Can be a simple string or an array of queries to be *OR*-ed.
|
76
|
+
# * `:search_max_rows` - Maximum nodes returned by the internal chef
|
77
|
+
# searches. This number should be above the maximum expected nodes in the
|
78
|
+
# Chef Server. Defaults to `1000` nodes.
|
76
79
|
# * `:users` - Array of user names to be allowed to read the encrypted
|
77
80
|
# attribute(s). `"*"` to allow access to all users. Keep in mind that only
|
78
81
|
# admin clients or admin users are allowed to read user public keys. It is
|
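Review bot: the option is documented as "Maximum nodes returned", but the same value is passed to the client search as well (`remote_client_keys` calls `RemoteClients.search_public_keys(config.client_search, config.search_max_rows, config.partial_search)`), so it caps the number of clients too; reword to "maximum number of rows returned by each internal search (nodes and clients)" and say that rows beyond the limit are dropped rather than raising, which is what an operator needs to know when sizing it.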
@@ -498,8 +501,12 @@ class Chef
|
|
498
501
|
def exist_on_node?(name, attr_ary, c = {})
|
499
502
|
debug("Checking if Remote Encrypted Attribute exists on #{name}")
|
500
503
|
remote_node = RemoteNode.new(name)
|
504
|
+
config_merged = config(c)
|
501
505
|
node_attr =
|
502
|
-
remote_node.load_attribute(
|
506
|
+
remote_node.load_attribute(
|
507
|
+
attr_ary, config_merged.search_max_rows,
|
508
|
+
config_merged.partial_search
|
509
|
+
)
|
503
510
|
Chef::EncryptedAttribute.exist?(node_attr)
|
504
511
|
end
|
505
512
|
|
@@ -32,6 +32,7 @@ class Chef
|
|
32
32
|
:version,
|
33
33
|
:partial_search,
|
34
34
|
:client_search,
|
35
|
+
:search_max_rows,
|
35
36
|
:node_search,
|
36
37
|
:users,
|
37
38
|
:keys
|
@@ -66,7 +67,7 @@ class Chef
|
|
66
67
|
# @param arg [Boolean] whether to enable partial search.
|
67
68
|
# @return [Boolean] partial search usage.
|
68
69
|
# @see
|
69
|
-
# http://docs.
|
70
|
+
# http://docs.chef.io/chef_search.html Chef Search documentation
|
70
71
|
def partial_search(arg = nil)
|
71
72
|
set_or_return(
|
72
73
|
:partial_search, arg, kind_of: [TrueClass, FalseClass], default: true
|
@@ -81,11 +82,25 @@ class Chef
|
|
81
82
|
# @param arg [String, Array<String>] list of client queries to perform.
|
82
83
|
# @return [Array<String>] list of client queries.
|
83
84
|
# @see
|
84
|
-
# http://docs.
|
85
|
+
# http://docs.chef.io/chef_search.html Chef Search documentation
|
85
86
|
def client_search(arg = nil)
|
86
87
|
set_or_return_search_array(:client_search, arg)
|
87
88
|
end
|
88
89
|
|
90
|
+
# Set the maximum number of rows to be returned by internal search
|
91
|
+
# functions.
|
92
|
+
#
|
93
|
+
# You must set this value to your maximum number of nodes in your Chef
|
94
|
+
# Server. Defaults to `1000`.
|
95
|
+
#
|
96
|
+
# @param arg [Integer] maximum rows number.
|
97
|
+
# @return [Integer] maximum rows number.
|
98
|
+
def search_max_rows(arg = nil)
|
99
|
+
set_or_return(
|
100
|
+
:search_max_rows, arg, kind_of: Integer, default: 1000
|
101
|
+
)
|
102
|
+
end
|
103
|
+
|
89
104
|
# Reads or sets node search query.
|
90
105
|
#
|
91
106
|
# This query will return a list of nodes that will be able to read the
|
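Review bot: `kind_of: Integer` accepts `0` and negative values for `search_max_rows`, and nothing in this change rejects them, so a misconfigured value reaches the Chef search calls unchecked; add a positivity check, for example a `callbacks:` entry in the `set_or_return` options that rejects `arg` unless `arg > 0`, and document the minimum alongside the `1000` default.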
@@ -32,7 +32,7 @@ class Chef
|
|
32
32
|
# (http://en.wikipedia.org/wiki/Galois/Counter_Mode).
|
33
33
|
#
|
34
34
|
# * This protocol version is based on the [Chef 12 Encrypted Data Bags
|
35
|
-
# Version 3 implementation](https://github.com/
|
35
|
+
# Version 3 implementation](https://github.com/chef/chef/pull/1591).
|
36
36
|
# * To use it, the following **special requirements** must be met:
|
37
37
|
# Ruby `>= 2` and OpenSSL `>= 1.0.1`.
|
38
38
|
# * This implementation can be improved, is not optimized either for
|
@@ -59,16 +59,20 @@ class Chef
|
|
59
59
|
#
|
60
60
|
# @param search [Array<String>, String] search queries to perform, the
|
61
61
|
# query result will be *OR*-ed.
|
62
|
+
# @param rows [Integer] maximum number of rows to return in searches.
|
63
|
+
# @param partial_search [Boolean] whether to use partial search.
|
62
64
|
# @return [Array<String>] list of public keys.
|
63
65
|
# @raise [SearchFailure] if there is a Chef search error.
|
64
66
|
# @raise [SearchFatalError] if the Chef search response is wrong.
|
65
67
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
66
|
-
def self.search_public_keys(
|
68
|
+
def self.search_public_keys(
|
69
|
+
search = '*:*', rows = 1000, partial_search = true
|
70
|
+
)
|
67
71
|
escaped_query = escape_query(search)
|
68
72
|
return cache[escaped_query] if cache.key?(escaped_query)
|
69
73
|
cache[escaped_query] = search(
|
70
74
|
:client, search,
|
71
|
-
{ 'public_key' => %w(public_key) },
|
75
|
+
{ 'public_key' => %w(public_key) }, rows, partial_search
|
72
76
|
).map { |client| client['public_key'] }.compact
|
73
77
|
end
|
74
78
|
end
|
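Review bot: the cache is keyed on `escaped_query` alone (`return cache[escaped_query] if cache.key?(escaped_query)`), but the result now depends on `rows` and `partial_search` as well; a first call with a small `rows` value caches a truncated key list that a later call with a larger `rows` for the same query gets back unchanged. Include `rows` and `partial_search` in the cache key (or clear the cache when they change), and add a test that two calls with different `rows` values are not served from the same entry.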
@@ -65,18 +65,19 @@ class Chef
|
|
65
65
|
# Loads a remote node attribute.
|
66
66
|
#
|
67
67
|
# @param attr_ary [Array<String>] node attribute path as Array.
|
68
|
+
# @param rows [Integer] maximum number of rows to return in searches.
|
68
69
|
# @param partial_search [Boolean] whether to use partial search.
|
69
70
|
# @return [Mixed] node attribute value, `nil` if not found.
|
70
71
|
# @raise [ArgumentError] if the attribute path format is wrong.
|
71
72
|
# @raise [SearchFailure] if there is a Chef search error.
|
72
73
|
# @raise [SearchFatalError] if the Chef search response is wrong.
|
73
74
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
74
|
-
def load_attribute(attr_ary, partial_search = true)
|
75
|
+
def load_attribute(attr_ary, rows = 1000, partial_search = true)
|
75
76
|
assert_attribute_array(attr_ary)
|
76
77
|
cache_key = cache_key(name, attr_ary)
|
77
78
|
return self.class.cache[cache_key] if self.class.cache.key?(cache_key)
|
78
79
|
keys = { 'value' => attr_ary }
|
79
|
-
res = search_by_name(:node, @name, keys,
|
80
|
+
res = search_by_name(:node, @name, keys, rows, partial_search)
|
80
81
|
self.class.cache[cache_key] = parse_search_result(res)
|
81
82
|
end
|
82
83
|
|
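Review bot: `load_attribute(attr_ary, rows = 1000, partial_search = true)` inserts the new parameter in front of an existing positional one, so any caller still passing `partial_search` as the second argument now silently sends a boolean as the row limit; keyword arguments (`rows: 1000, partial_search: true`) would make the call sites in `load_from_node` and `exist_on_node?` unambiguous (an options hash if Ruby 1.9 support from the Rakefile has to stay). The same cache concern as in the key searches applies here: `cache_key(name, attr_ary)` does not include `rows`, so a cached result from a smaller limit is reused for a larger one.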
@@ -76,6 +76,8 @@ class Chef
|
|
76
76
|
#
|
77
77
|
# @param search [Array<String>, String] search queries to perform, the
|
78
78
|
# query result will be *OR*-ed.
|
79
|
+
# @param rows [Integer] maximum number of rows to return in searches.
|
80
|
+
# @param partial_search [Boolean] whether to use partial search.
|
79
81
|
# @return [Array<String>] list of public keys.
|
80
82
|
# @raise [InsufficientPrivileges] if you lack enough privileges to read
|
81
83
|
# the keys from the Chef Server.
|
@@ -84,14 +86,16 @@ class Chef
|
|
84
86
|
# @raise [SearchFailure] if there is a Chef search error.
|
85
87
|
# @raise [SearchFatalError] if the Chef search response is wrong.
|
86
88
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
87
|
-
def self.search_public_keys(
|
89
|
+
def self.search_public_keys(
|
90
|
+
search = '*:*', rows = 1000, partial_search = true
|
91
|
+
)
|
88
92
|
escaped_query = escape_query(search)
|
89
93
|
return cache[escaped_query] if cache.key?(escaped_query)
|
90
94
|
cache[escaped_query] =
|
91
95
|
search(
|
92
96
|
:node, search,
|
93
97
|
{ 'name' => %w(name), 'public_key' => %w(public_key) },
|
94
|
-
|
98
|
+
rows, partial_search
|
95
99
|
).map { |node| get_public_key(node) }.compact
|
96
100
|
end
|
97
101
|
end
|
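Review bot: same cache-key problem as `RemoteClients.search_public_keys`: the entry is keyed on `escaped_query` only, so the `rows` and `partial_search` arguments added here do not affect cache lookups and a truncated result from a smaller `rows` value is returned for later calls with a larger one; key the cache on all three inputs.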
@@ -138,7 +138,7 @@ class Chef
|
|
138
138
|
# Does a search in the Chef Server.
|
139
139
|
#
|
140
140
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
141
|
-
# (http://docs.
|
141
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
142
142
|
# @param query [Array<String>, String] search query. For example:
|
143
143
|
# `%w(admin:true)`. Results will be *OR*-ed when multiple string queries
|
144
144
|
# are provided.
|
@@ -162,7 +162,7 @@ class Chef
|
|
162
162
|
# Does a search in the Chef Server by node or client name.
|
163
163
|
#
|
164
164
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
165
|
-
# (http://docs.
|
165
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
166
166
|
# @param name [String] node name to search.
|
167
167
|
# @param keys [Hash] search keys structure. For example:
|
168
168
|
# `{ipaddress: %w(ipaddress), mysql_version: %w(mysql version) }`.
|
@@ -252,7 +252,7 @@ class Chef
|
|
252
252
|
# Does a normal (no partial) search in the Chef Server.
|
253
253
|
#
|
254
254
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
255
|
-
# (http://docs.
|
255
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
256
256
|
# @param name [String, nil] searched node name.
|
257
257
|
# @param query [String, Array<String>] search query. For example:
|
258
258
|
# `%w(admin:true)`. Results will be *OR*-ed when multiple string queries
|
@@ -355,7 +355,7 @@ class Chef
|
|
355
355
|
# Does a partial search in the Chef Server.
|
356
356
|
#
|
357
357
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
358
|
-
# (http://docs.
|
358
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
359
359
|
# @param name [String, nil] searched node name.
|
360
360
|
# @param query [String, Array<String>] search query. For example:
|
361
361
|
# `%w(admin:true)`. Results will be *OR*-ed when multiple string queries
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chef-encrypted-attributes
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Onddo Labs, SL.
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
30
30
|
cYe8PqNEkky7ugvF4zU3sB6TW+96XasuwDv1uJmyr35LF15U6Cs83+osMbAKJTmG
|
31
31
|
/vqKzw==
|
32
32
|
-----END CERTIFICATE-----
|
33
|
-
date: 2015-05-
|
33
|
+
date: 2015-05-22 00:00:00.000000000 Z
|
34
34
|
dependencies:
|
35
35
|
- !ruby/object:Gem::Dependency
|
36
36
|
name: chef
|
@@ -259,7 +259,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
259
259
|
version: '0'
|
260
260
|
requirements: []
|
261
261
|
rubyforge_project:
|
262
|
-
rubygems_version: 2.
|
262
|
+
rubygems_version: 2.4.3
|
263
263
|
signing_key:
|
264
264
|
specification_version: 4
|
265
265
|
summary: Chef Encrypted Attributes
|
metadata.gz.sig
CHANGED
Binary file
|