chef-encrypted-attributes 0.7.0 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/CHANGELOG.md +6 -1
- data/README.md +13 -5
- data/Rakefile +1 -1
- data/lib/chef/encrypted_attribute.rb +13 -4
- data/lib/chef/encrypted_attribute/api.rb +10 -3
- data/lib/chef/encrypted_attribute/config.rb +17 -2
- data/lib/chef/encrypted_attribute/encrypted_mash/version2.rb +1 -1
- data/lib/chef/encrypted_attribute/remote_clients.rb +6 -2
- data/lib/chef/encrypted_attribute/remote_node.rb +3 -2
- data/lib/chef/encrypted_attribute/remote_nodes.rb +6 -2
- data/lib/chef/encrypted_attribute/search_helper.rb +4 -4
- data/lib/chef/encrypted_attribute/version.rb +1 -1
- metadata +3 -3
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: e206a093b2d8ed07fe97cd37c9eeeba215073585
|
4
|
+
data.tar.gz: d0a0b4bb447df79ba59c1c2e65990ca17de7993e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1883981d17325eb1306b9c415a4fd721b52d21520299317755128170a7271bb1c1e227e256ad5281e240aac742a6b5861e8b2fd6c17d91a136cf935434eca304
|
7
|
+
data.tar.gz: 8cc84abfea65767303e6e83c4cec84a9a551df4d40243e30deebcb655653a0b6dec490ff798cfbb4ee087f40863a7790e4f9802678182804a6ce21c432f2fa29
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/CHANGELOG.md
CHANGED
@@ -2,6 +2,11 @@
|
|
2
2
|
|
3
3
|
This file is used to list changes made in each version of `chef-encrypted-attributes`.
|
4
4
|
|
5
|
+
## 0.8.0 (2015-05-22)
|
6
|
+
|
7
|
+
* Do not limit `RemoteNode#load_attribute` search result to one row (related to [issue #3](https://github.com/onddo/chef-encrypted-attributes/pull/3), thanks [Crystal Hsiung](https://github.com/chhsiung) for the help).
|
8
|
+
* Update opscode and github links to chef.io and chef.
|
9
|
+
|
5
10
|
## 0.7.0 (2015-05-20)
|
6
11
|
|
7
12
|
* Move chef to dev dependency and remove dynamic dependency installation extension (related to [cookbook issue #2](https://github.com/onddo/encrypted_attributes-cookbook/pull/2#issuecomment-101454221) and [issue #2](https://github.com/onddo/chef-encrypted-attributes/pull/2), thanks [Lisa Danz](https://github.com/ldanz) for reporting).
|
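Review bot: The 0.8.0 entry understates the change: besides removing the one-row limit in `RemoteNode#load_attribute`, this release adds a new `search_max_rows` configuration option (default `1000`) and inserts a `rows` positional argument before `partial_search` in `RemoteNode#load_attribute`, `RemoteClients.search_public_keys` and `RemoteNodes.search_public_keys`. Both points belong in the changelog so users learn that a new knob exists and that direct callers of those methods must be updated.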
@@ -75,7 +80,7 @@ This file is used to list changes made in each version of `chef-encrypted-attrib
|
|
75
80
|
|
76
81
|
* Deprecate `#exists?` methods in favor of `#exist?` methods
|
77
82
|
* Fixed all RSpec deprecation warnings
|
78
|
-
* Added Protocol Version 2 (*disabled by default*): uses [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) as in [Chef 12 Encrypted Data Bags Version 3](https://github.com/
|
83
|
+
* Added Protocol Version 2 (*disabled by default*): uses [GCM](http://en.wikipedia.org/wiki/Galois/Counter_Mode) as in [Chef 12 Encrypted Data Bags Version 3](https://github.com/chef/chef/pull/1591).
|
79
84
|
* Added `RequirementsFailure` exception
|
80
85
|
* README, CONTRIBUTING, TODO: multiple documentation improvements
|
81
86
|
* Added some security related sections to the README
|
data/README.md
CHANGED
@@ -2,8 +2,8 @@
|
|
2
2
|
[](http://badge.fury.io/rb/chef-encrypted-attributes)
|
3
3
|
[](https://gemnasium.com/onddo/chef-encrypted-attributes)
|
4
4
|
[](https://codeclimate.com/github/onddo/chef-encrypted-attributes)
|
5
|
-
[](https://travis-ci.org/onddo/chef-encrypted-attributes)
|
6
|
+
[](https://coveralls.io/r/onddo/chef-encrypted-attributes?branch=0.8.0)
|
7
7
|
[](http://inch-ci.org/github/onddo/chef-encrypted-attributes)
|
8
8
|
|
9
9
|
[Chef](https://www.chef.io/) plugin to add Node encrypted attributes support using client keys.
|
@@ -176,6 +176,14 @@ To fix this limitation you should expose de *Chef Client* *public key* in the `n
|
|
176
176
|
|
177
177
|
Exposing the public key through attributes should not be considered a security breach, so it's not a problem to include it on all machines.
|
178
178
|
|
179
|
+
## Maximum Number of Nodes
|
180
|
+
|
181
|
+
This gem is ready to be used with Chef Servers that have less than `1000` nodes by default. You can increase this limit setting the `search_max_rows` configuration option:
|
182
|
+
|
183
|
+
```ruby
|
184
|
+
Chef::Config[:encrypted_attributes][:search_max_rows] = 50_000
|
185
|
+
```
|
186
|
+
|
179
187
|
## Knife Commands
|
180
188
|
|
181
189
|
See the [KNIFE.md](http://www.rubydoc.info/gems/chef-encrypted-attributes/file/KNIFE.md) file.
|
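Review bot: The new section should say what happens when the Chef Server has more nodes than `search_max_rows`: nothing in the new code checks whether the row cap was hit, so nodes beyond the limit are simply missing from the key list and cannot decrypt attributes encrypted for them, with no error raised. Stating that explicitly (and that the same value caps the client searches behind `client_search`) tells operators why they must raise it. Also, a search capped at 1000 rows still returns all 1000, so "up to `1000` nodes" is the actual boundary rather than "less than `1000`".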
@@ -195,11 +203,11 @@ See the [official gem documentation](http://www.rubydoc.info/gems/chef-encrypted
|
|
195
203
|
|
196
204
|
The `chef-encrypted-attributes` gem is cryptographically signed by Onddo Labs's certificate, which identifies as *team@onddo.com*. You can obtain the official signature here:
|
197
205
|
|
198
|
-
https://raw.github.com/onddo/chef-encrypted-attributes/
|
206
|
+
https://raw.github.com/onddo/chef-encrypted-attributes/0.8.0/certs/team_onddo.crt
|
199
207
|
|
200
208
|
To be sure the gem you install has not been tampered with:
|
201
209
|
|
202
|
-
$ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/
|
210
|
+
$ gem cert --add <(curl -Ls https://raw.github.com/onddo/chef-encrypted-attributes/0.8.0/certs/team_onddo.crt)
|
203
211
|
$ gem install chef-encrypted-attributes -P MediumSecurity
|
204
212
|
|
205
213
|
The *MediumSecurity* trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of `chef-encrypted-attributes`'s dependencies are signed, so we cannot use *HighSecurity*.
|
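Review bot: The `gem cert --add <(curl -Ls .../0.8.0/certs/team_onddo.crt)` one-liner trusts whatever that URL serves at install time, and `-L` follows redirects silently. Consider publishing the certificate fingerprint next to the link, as the GPG section below does with "The key fingerprint is (or should be)", so readers can check it with `openssl x509 -noout -fingerprint -in team_onddo.crt` before adding it to their trust store. The `0.8.0` path segment also has to be bumped on every release, as was done here; a release checklist item would avoid a stale link.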
@@ -218,7 +226,7 @@ Still, this gem should be considered experimental until audited by professional
|
|
218
226
|
|
219
227
|
If you have discovered a bug in `chef-encrypted-attributes` of a sensitive nature, i.e. one which can compromise the security of `chef-encrypted-attributes` users, you can report it securely by sending a GPG encrypted message. Please use the following key:
|
220
228
|
|
221
|
-
https://raw.github.com/onddo/chef-encrypted-attributes/
|
229
|
+
https://raw.github.com/onddo/chef-encrypted-attributes/0.8.0/zuazo.gpg
|
222
230
|
|
223
231
|
The key fingerprint is (or should be):
|
224
232
|
|
data/Rakefile
CHANGED
@@ -61,7 +61,7 @@ end
|
|
61
61
|
|
62
62
|
if RUBY_VERSION < '1.9.3'
|
63
63
|
# Integration tests are broken in 1.9.2 due to a chef-zero bug:
|
64
|
-
# https://github.com/
|
64
|
+
# https://github.com/chef/chef-zero/issues/65
|
65
65
|
# RuboCop require Ruby 1.9.3.
|
66
66
|
task default: %w(unit)
|
67
67
|
else
|
@@ -130,7 +130,11 @@ class Chef
|
|
130
130
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
131
131
|
def load_from_node(name, attr_ary, key = nil)
|
132
132
|
remote_node = RemoteNode.new(name)
|
133
|
-
|
133
|
+
enc_hs =
|
134
|
+
remote_node.load_attribute(
|
135
|
+
attr_ary, config.search_max_rows, config.partial_search
|
136
|
+
)
|
137
|
+
load(enc_hs, key)
|
134
138
|
end
|
135
139
|
|
136
140
|
# Creates an encrypted attribute from a Hash.
|
@@ -302,7 +306,10 @@ class Chef
|
|
302
306
|
|
303
307
|
# update the encrypted attribute
|
304
308
|
remote_node = RemoteNode.new(name)
|
305
|
-
enc_hs =
|
309
|
+
enc_hs =
|
310
|
+
remote_node.load_attribute(
|
311
|
+
attr_ary, config.search_max_rows, config.partial_search
|
312
|
+
)
|
306
313
|
updated = update(enc_hs, [node_public_key])
|
307
314
|
|
308
315
|
# save encrypted attribute
|
@@ -327,7 +334,7 @@ class Chef
|
|
327
334
|
# @see #config
|
328
335
|
def remote_client_keys
|
329
336
|
RemoteClients.search_public_keys(
|
330
|
-
config.client_search, config.partial_search
|
337
|
+
config.client_search, config.search_max_rows, config.partial_search
|
331
338
|
)
|
332
339
|
end
|
333
340
|
|
@@ -344,7 +351,9 @@ class Chef
|
|
344
351
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
345
352
|
# @see #config
|
346
353
|
def remote_node_keys
|
347
|
-
RemoteNodes.search_public_keys(
|
354
|
+
RemoteNodes.search_public_keys(
|
355
|
+
config.node_search, config.search_max_rows, config.partial_search
|
356
|
+
)
|
348
357
|
end
|
349
358
|
|
350
359
|
# Gets remote user keys using the configured user list.
|
@@ -35,8 +35,8 @@ class Chef
|
|
35
35
|
# {Chef::EncryptedAttribute} class.
|
36
36
|
#
|
37
37
|
# These methods are intended to be used from Chef
|
38
|
-
# [Recipes](http://docs.
|
39
|
-
# [Resources](https://docs.
|
38
|
+
# [Recipes](http://docs.chef.io/recipes.html) or
|
39
|
+
# [Resources](https://docs.chef.io/resource.html).
|
40
40
|
#
|
41
41
|
# The attributes created by these methods are encrypted **only for the local
|
42
42
|
# node** by default.
|
@@ -73,6 +73,9 @@ class Chef
|
|
73
73
|
# *OR*-ed.
|
74
74
|
# * `:node_search` - Search query for nodes allowed to read the encrypted
|
75
75
|
# attribute. Can be a simple string or an array of queries to be *OR*-ed.
|
76
|
+
# * `:search_max_rows` - Maximum nodes returned by the internal chef
|
77
|
+
# searches. This number should be above the maximum expected nodes in the
|
78
|
+
# Chef Server. Defaults to `1000` nodes.
|
76
79
|
# * `:users` - Array of user names to be allowed to read the encrypted
|
77
80
|
# attribute(s). `"*"` to allow access to all users. Keep in mind that only
|
78
81
|
# admin clients or admin users are allowed to read user public keys. It is
|
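Review bot: The `:search_max_rows` description says "Maximum nodes returned by the internal chef searches", but the same value is passed to `RemoteClients.search_public_keys` for `client_search`, so it caps client searches too. Reword to "maximum rows returned by each internal Chef search (nodes and clients)" and state the consequence of a value that is too low (keys of the excess nodes or clients are silently omitted) rather than only "should be above the maximum expected nodes".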
@@ -498,8 +501,12 @@ class Chef
|
|
498
501
|
def exist_on_node?(name, attr_ary, c = {})
|
499
502
|
debug("Checking if Remote Encrypted Attribute exists on #{name}")
|
500
503
|
remote_node = RemoteNode.new(name)
|
504
|
+
config_merged = config(c)
|
501
505
|
node_attr =
|
502
|
-
remote_node.load_attribute(
|
506
|
+
remote_node.load_attribute(
|
507
|
+
attr_ary, config_merged.search_max_rows,
|
508
|
+
config_merged.partial_search
|
509
|
+
)
|
503
510
|
Chef::EncryptedAttribute.exist?(node_attr)
|
504
511
|
end
|
505
512
|
|
@@ -32,6 +32,7 @@ class Chef
|
|
32
32
|
:version,
|
33
33
|
:partial_search,
|
34
34
|
:client_search,
|
35
|
+
:search_max_rows,
|
35
36
|
:node_search,
|
36
37
|
:users,
|
37
38
|
:keys
|
@@ -66,7 +67,7 @@ class Chef
|
|
66
67
|
# @param arg [Boolean] whether to enable partial search.
|
67
68
|
# @return [Boolean] partial search usage.
|
68
69
|
# @see
|
69
|
-
# http://docs.
|
70
|
+
# http://docs.chef.io/chef_search.html Chef Search documentation
|
70
71
|
def partial_search(arg = nil)
|
71
72
|
set_or_return(
|
72
73
|
:partial_search, arg, kind_of: [TrueClass, FalseClass], default: true
|
@@ -81,11 +82,25 @@ class Chef
|
|
81
82
|
# @param arg [String, Array<String>] list of client queries to perform.
|
82
83
|
# @return [Array<String>] list of client queries.
|
83
84
|
# @see
|
84
|
-
# http://docs.
|
85
|
+
# http://docs.chef.io/chef_search.html Chef Search documentation
|
85
86
|
def client_search(arg = nil)
|
86
87
|
set_or_return_search_array(:client_search, arg)
|
87
88
|
end
|
88
89
|
|
90
|
+
# Set the maximum number of rows to be returned by internal search
|
91
|
+
# functions.
|
92
|
+
#
|
93
|
+
# You must set this value to your maximum number of nodes in your Chef
|
94
|
+
# Server. Defaults to `1000`.
|
95
|
+
#
|
96
|
+
# @param arg [Integer] maximum rows number.
|
97
|
+
# @return [Integer] maximum rows number.
|
98
|
+
def search_max_rows(arg = nil)
|
99
|
+
set_or_return(
|
100
|
+
:search_max_rows, arg, kind_of: Integer, default: 1000
|
101
|
+
)
|
102
|
+
end
|
103
|
+
|
89
104
|
# Reads or sets node search query.
|
90
105
|
#
|
91
106
|
# This query will return a list of nodes that will be able to read the
|
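Review bot: `kind_of: Integer` still accepts `0` and negative values, which would make every internal search return nothing; Chef's `set_or_return` accepts a `callbacks:` validator (e.g. `callbacks: { 'must be a positive integer' => ->(v) { v > 0 } }`) that would reject such values at configuration time. Two documentation points as well: the comment says "Set the maximum number of rows" while the method, like `node_search` below ("Reads or sets"), both reads and sets; and "You must set this value to your maximum number of nodes" contradicts the README, which says the default is fine below 1000 nodes, so "raise this above the number of nodes and clients in your Chef Server if it exceeds 1000" would be clearer.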
@@ -32,7 +32,7 @@ class Chef
|
|
32
32
|
# (http://en.wikipedia.org/wiki/Galois/Counter_Mode).
|
33
33
|
#
|
34
34
|
# * This protocol version is based on the [Chef 12 Encrypted Data Bags
|
35
|
-
# Version 3 implementation](https://github.com/
|
35
|
+
# Version 3 implementation](https://github.com/chef/chef/pull/1591).
|
36
36
|
# * To use it, the following **special requirements** must be met:
|
37
37
|
# Ruby `>= 2` and OpenSSL `>= 1.0.1`.
|
38
38
|
# * This implementation can be improved, is not optimized either for
|
@@ -59,16 +59,20 @@ class Chef
|
|
59
59
|
#
|
60
60
|
# @param search [Array<String>, String] search queries to perform, the
|
61
61
|
# query result will be *OR*-ed.
|
62
|
+
# @param rows [Integer] maximum number of rows to return in searches.
|
63
|
+
# @param partial_search [Boolean] whether to use partial search.
|
62
64
|
# @return [Array<String>] list of public keys.
|
63
65
|
# @raise [SearchFailure] if there is a Chef search error.
|
64
66
|
# @raise [SearchFatalError] if the Chef search response is wrong.
|
65
67
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
66
|
-
def self.search_public_keys(
|
68
|
+
def self.search_public_keys(
|
69
|
+
search = '*:*', rows = 1000, partial_search = true
|
70
|
+
)
|
67
71
|
escaped_query = escape_query(search)
|
68
72
|
return cache[escaped_query] if cache.key?(escaped_query)
|
69
73
|
cache[escaped_query] = search(
|
70
74
|
:client, search,
|
71
|
-
{ 'public_key' => %w(public_key) },
|
75
|
+
{ 'public_key' => %w(public_key) }, rows, partial_search
|
72
76
|
).map { |client| client['public_key'] }.compact
|
73
77
|
end
|
74
78
|
end
|
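Review bot: The cache key is still only `escaped_query`, so a result cached from one call is reused for later calls with a different `rows` (or `partial_search`): a first call with a small `rows` pins a truncated key list for the rest of the process. Include `rows` and `partial_search` in the key, e.g. `cache_key = [escaped_query, rows, partial_search]`, and use that for both the lookup and the assignment.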
@@ -65,18 +65,19 @@ class Chef
|
|
65
65
|
# Loads a remote node attribute.
|
66
66
|
#
|
67
67
|
# @param attr_ary [Array<String>] node attribute path as Array.
|
68
|
+
# @param rows [Integer] maximum number of rows to return in searches.
|
68
69
|
# @param partial_search [Boolean] whether to use partial search.
|
69
70
|
# @return [Mixed] node attribute value, `nil` if not found.
|
70
71
|
# @raise [ArgumentError] if the attribute path format is wrong.
|
71
72
|
# @raise [SearchFailure] if there is a Chef search error.
|
72
73
|
# @raise [SearchFatalError] if the Chef search response is wrong.
|
73
74
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
74
|
-
def load_attribute(attr_ary, partial_search = true)
|
75
|
+
def load_attribute(attr_ary, rows = 1000, partial_search = true)
|
75
76
|
assert_attribute_array(attr_ary)
|
76
77
|
cache_key = cache_key(name, attr_ary)
|
77
78
|
return self.class.cache[cache_key] if self.class.cache.key?(cache_key)
|
78
79
|
keys = { 'value' => attr_ary }
|
79
|
-
res = search_by_name(:node, @name, keys,
|
80
|
+
res = search_by_name(:node, @name, keys, rows, partial_search)
|
80
81
|
self.class.cache[cache_key] = parse_search_result(res)
|
81
82
|
end
|
82
83
|
|
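Review bot: Inserting `rows` before `partial_search` changes the positional contract: a caller written against 0.7.0's `load_attribute(attr_ary, partial_search = true)` that passes `load_attribute(attr, false)` now sends `false` as `rows` and the default `true` as `partial_search`, and `rows` is not type-checked here. Since the Rakefile still supports Ruby 1.9 (no keyword arguments), an explicit `Integer` check on `rows`, like the existing `assert_attribute_array(attr_ary)`, would surface the mistake at the call site. The cache key `cache_key(name, attr_ary)` also ignores `rows`, the same issue as in `RemoteClients.search_public_keys`.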
@@ -76,6 +76,8 @@ class Chef
|
|
76
76
|
#
|
77
77
|
# @param search [Array<String>, String] search queries to perform, the
|
78
78
|
# query result will be *OR*-ed.
|
79
|
+
# @param rows [Integer] maximum number of rows to return in searches.
|
80
|
+
# @param partial_search [Boolean] whether to use partial search.
|
79
81
|
# @return [Array<String>] list of public keys.
|
80
82
|
# @raise [InsufficientPrivileges] if you lack enough privileges to read
|
81
83
|
# the keys from the Chef Server.
|
@@ -84,14 +86,16 @@ class Chef
|
|
84
86
|
# @raise [SearchFailure] if there is a Chef search error.
|
85
87
|
# @raise [SearchFatalError] if the Chef search response is wrong.
|
86
88
|
# @raise [InvalidSearchKeys] if search keys structure is wrong.
|
87
|
-
def self.search_public_keys(
|
89
|
+
def self.search_public_keys(
|
90
|
+
search = '*:*', rows = 1000, partial_search = true
|
91
|
+
)
|
88
92
|
escaped_query = escape_query(search)
|
89
93
|
return cache[escaped_query] if cache.key?(escaped_query)
|
90
94
|
cache[escaped_query] =
|
91
95
|
search(
|
92
96
|
:node, search,
|
93
97
|
{ 'name' => %w(name), 'public_key' => %w(public_key) },
|
94
|
-
|
98
|
+
rows, partial_search
|
95
99
|
).map { |node| get_public_key(node) }.compact
|
96
100
|
end
|
97
101
|
end
|
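Review bot: Same cache concern as in `RemoteClients.search_public_keys`: `cache[escaped_query]` is keyed on the query alone, so the first `rows` value used for a given query wins for every later call in the process. Add `rows` (and `partial_search`) to the cache key.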
@@ -138,7 +138,7 @@ class Chef
|
|
138
138
|
# Does a search in the Chef Server.
|
139
139
|
#
|
140
140
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
141
|
-
# (http://docs.
|
141
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
142
142
|
# @param query [Array<String>, String] search query. For example:
|
143
143
|
# `%w(admin:true)`. Results will be *OR*-ed when multiple string queries
|
144
144
|
# are provided.
|
@@ -162,7 +162,7 @@ class Chef
|
|
162
162
|
# Does a search in the Chef Server by node or client name.
|
163
163
|
#
|
164
164
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
165
|
-
# (http://docs.
|
165
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
166
166
|
# @param name [String] node name to search.
|
167
167
|
# @param keys [Hash] search keys structure. For example:
|
168
168
|
# `{ipaddress: %w(ipaddress), mysql_version: %w(mysql version) }`.
|
@@ -252,7 +252,7 @@ class Chef
|
|
252
252
|
# Does a normal (no partial) search in the Chef Server.
|
253
253
|
#
|
254
254
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
255
|
-
# (http://docs.
|
255
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
256
256
|
# @param name [String, nil] searched node name.
|
257
257
|
# @param query [String, Array<String>] search query. For example:
|
258
258
|
# `%w(admin:true)`. Results will be *OR*-ed when multiple string queries
|
@@ -355,7 +355,7 @@ class Chef
|
|
355
355
|
# Does a partial search in the Chef Server.
|
356
356
|
#
|
357
357
|
# @param type [Symbol] search index to use. See [Chef Search Indexes]
|
358
|
-
# (http://docs.
|
358
|
+
# (http://docs.chef.io/chef_search.html#search-indexes).
|
359
359
|
# @param name [String, nil] searched node name.
|
360
360
|
# @param query [String, Array<String>] search query. For example:
|
361
361
|
# `%w(admin:true)`. Results will be *OR*-ed when multiple string queries
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: chef-encrypted-attributes
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Onddo Labs, SL.
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
30
30
|
cYe8PqNEkky7ugvF4zU3sB6TW+96XasuwDv1uJmyr35LF15U6Cs83+osMbAKJTmG
|
31
31
|
/vqKzw==
|
32
32
|
-----END CERTIFICATE-----
|
33
|
-
date: 2015-05-
|
33
|
+
date: 2015-05-22 00:00:00.000000000 Z
|
34
34
|
dependencies:
|
35
35
|
- !ruby/object:Gem::Dependency
|
36
36
|
name: chef
|
@@ -259,7 +259,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
259
259
|
version: '0'
|
260
260
|
requirements: []
|
261
261
|
rubyforge_project:
|
262
|
-
rubygems_version: 2.
|
262
|
+
rubygems_version: 2.4.3
|
263
263
|
signing_key:
|
264
264
|
specification_version: 4
|
265
265
|
summary: Chef Encrypted Attributes
|
metadata.gz.sig
CHANGED
Binary file
|