chef-vault 2.4.0 → 2.5.0

data/features/wrong_private_key.feature

@@ -0,0 +1,14 @@
+Feature: Wrong private key during decrypt
+
+  https://github.com/Nordstrom/chef-vault/issues/43
+  If a vault is encrypted for a node and then the node's private
+  key is regenerated, the error that comes back from chef-vault
+  should be informative, not a lower-level error from OpenSSL
+  like 'OpenSSL::PKey::RSAError: padding check failed'
+
+  Scenario: Regenerate node key and attempt decrypt
+    Given a local mode chef repo with nodes 'one,two'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
+    And I regenerate the client key for the node 'one'
+    And I try to decrypt the vault item 'test/item' as 'one'
+    Then the output should match /is encrypted for you, but your private key failed to decrypt the contents/

data/lib/chef-vault.rb

@@ -28,7 +28,6 @@ require 'chef-vault/chef_patch/api_client'
 require 'chef-vault/chef_patch/user'
 
 class ChefVault
-
   attr_accessor :vault
 
   def initialize(vault, chef_config_file=nil)

data/lib/chef-vault/certificate.rb

@@ -1,5 +1,5 @@
 # Description: ChefVault::Certificate class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

data/lib/chef-vault/chef_patch/api_client.rb

@@ -21,7 +21,7 @@ class ChefVault
       # the private key for Chef 10
       def self.load(name)
         response = http_api.get("clients/#{name}")
-        if response.kind_of?(Chef::ApiClient)
+        if response.is_a?(Chef::ApiClient)
           response
         else
           client = Chef::ApiClient.new

data/lib/chef-vault/chef_patch/user.rb

@@ -30,4 +30,4 @@ class ChefVault
       end
     end
   end
-end
+end

data/lib/chef-vault/exceptions.rb

@@ -1,5 +1,5 @@
 # Author:: Kevin Moser <kevin.moser@nordstrom.com>
-# Copyright:: Copyright 2013, Nordstrom, Inc.
+# Copyright:: Copyright 2013-15, Nordstrom, Inc.
 # License:: Apache License, Version 2.0
 
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,15 +14,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-class ChefVault::Exceptions
-  class SecretDecryption < RuntimeError; end
-  class NoKeysDefined < RuntimeError; end
-  class ItemNotEncrypted < RuntimeError; end
-  class KeysActionNotValue < RuntimeError; end
-  class AdminNotFound < RuntimeError; end
-  class ClientNotFound < RuntimeError; end
-  class KeysNotFound < RuntimeError; end
-  class ItemNotFound < RuntimeError; end
-  class ItemAlreadyExists < RuntimeError; end
-  class SearchNotFound < RuntimeError; end
+class ChefVault
+  class Exceptions < RuntimeError
+    class SecretDecryption < Exceptions
+    end
+
+    class NoKeysDefined < Exceptions
+    end
+
+    class ItemNotEncrypted < Exceptions
+    end
+
+    class KeysActionNotValue < Exceptions
+    end
+
+    class AdminNotFound < Exceptions
+    end
+
+    class ClientNotFound < Exceptions
+    end
+
+    class KeysNotFound < Exceptions
+    end
+
+    class ItemNotFound < Exceptions
+    end
+
+    class ItemAlreadyExists < Exceptions
+    end
+
+    class SearchNotFound < Exceptions
+    end
+  end
 end

data/lib/chef-vault/item.rb

@@ -1,5 +1,5 @@
 # Author:: Kevin Moser <kevin.moser@nordstrom.com>
-# Copyright:: Copyright 2013, Nordstrom, Inc.
+# Copyright:: Copyright 2013-15, Nordstrom, Inc.
 # License:: Apache License, Version 2.0
 
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,276 +16,329 @@
 
 require 'securerandom'
 
-class ChefVault::Item < Chef::DataBagItem
-  attr_accessor :keys
-  attr_accessor :encrypted_data_bag_item
-
-  def initialize(vault, name)
-    super() # Don't pass parameters
-    @data_bag = vault
-    @raw_data["id"] = name
-    @keys = ChefVault::ItemKeys.new(vault, "#{name}_keys")
-    @secret = generate_secret
-    @encrypted = false
-  end
+class ChefVault
+  class Item < Chef::DataBagItem
+    attr_accessor :keys
+    attr_accessor :encrypted_data_bag_item
+
+    def initialize(vault, name)
+      super() # Don't pass parameters
+      @data_bag = vault
+      @raw_data["id"] = name
+      @keys = ChefVault::ItemKeys.new(vault, "#{name}_keys")
+      @secret = generate_secret
+      @encrypted = false
+    end
 
-  def load_keys(vault, keys)
-    @keys = ChefVault::ItemKeys.load(vault, keys)
-    @secret = secret
-  end
+    def load_keys(vault, keys)
+      @keys = ChefVault::ItemKeys.load(vault, keys)
+      @secret = secret
+    end
 
-  def clients(search=nil, action=:add)
-    if search
-      results_returned = false
+    def clients(search=nil, action=:add)
+      if search
+        results_returned = false
+
+        query = Chef::Search::Query.new
+        query.search(:node, search)[0].each do |node|
+          results_returned = true
+
+          case action
+          when :add
+            begin
+              keys.add(load_client(node.name), @secret, "clients")
+            rescue ChefVault::Exceptions::ClientNotFound
+              $stderr.puts "node '#{node.name}' has no private key; skipping"
+            end
+          when :delete
+            keys.delete(node.name, "clients")
+          else
+            raise ChefVault::Exceptions::KeysActionNotValid,
+              "#{action} is not a valid action"
+          end
+        end
 
-      query = Chef::Search::Query.new
-      query.search(:node, search)[0].each do |node|
-        results_returned = true
-
-        case action
-        when :add
-          keys.add(load_client(node.name), @secret, "clients")
-        when :delete
-          keys.delete(node.name, "clients")
-        else
-          raise ChefVault::Exceptions::KeysActionNotValid,
-            "#{action} is not a valid action"
+        unless results_returned
+          puts "WARNING: No clients were returned from search, you may not have "\
+            "got what you expected!!"
         end
+      else
+        keys.clients
       end
+    end
 
-      unless results_returned
-        puts "WARNING: No clients were returned from search, you may not have "\
-          "got what you expected!!"
+    def search(search_query=nil)
+      if search_query
+        keys.search_query(search_query)
+      else
+        keys.search_query
       end
-    else
-      keys.clients
     end
-  end
 
-  def search(search_query=nil)
-    if search_query
-      keys.search_query(search_query)
-    else
-      keys.search_query
-    end
-  end
-
-  def admins(admins=nil, action=:add)
-    if admins
-      admins.split(",").each do |admin|
-        admin.strip!
-        case action
-        when :add
-          keys.add(load_admin(admin), @secret, "admins")
-        when :delete
-          keys.delete(admin, "admins")
-        else
-          raise ChefVault::Exceptions::KeysActionNotValid,
-            "#{action} is not a valid action"
+    def admins(admins=nil, action=:add)
+      if admins
+        admins.split(",").each do |admin|
+          admin.strip!
+          case action
+          when :add
+            keys.add(load_admin(admin), @secret, "admins")
+          when :delete
+            keys.delete(admin, "admins")
+          else
+            raise ChefVault::Exceptions::KeysActionNotValid,
+              "#{action} is not a valid action"
+          end
         end
+      else
+        keys.admins
       end
-    else
-      keys.admins
     end
-  end
-
-  def remove(key)
-    @raw_data.delete(key)
-  end
 
-  def secret
-    if @keys.include?(Chef::Config[:node_name])
-      private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
-      private_key.private_decrypt(Base64.decode64(@keys[Chef::Config[:node_name]]))
-    else
-      raise ChefVault::Exceptions::SecretDecryption,
-        "#{data_bag}/#{id} is not encrypted with your public key.  "\
-        "Contact an administrator of the vault item to encrypt for you!"
+    def remove(key)
+      @raw_data.delete(key)
     end
-  end
-
-  def rotate_keys!(clean_unknown_clients=false)
-    @secret = generate_secret
 
-    unless clients.empty?
-      if clean_unknown_clients
-        clients_to_remove=[]
-        clients.each do |client|
-          begin
-            clients("name:#{client}")
-          rescue ChefVault::Exceptions::ClientNotFound
-            clients_to_remove.push(client)
-          end
-        end
-        clients_to_remove.each do |client|
-          puts "Removing unknown client '#{client}'"
-          clients("name:#{client}", :delete)
+    def secret
+      if @keys.include?(Chef::Config[:node_name])
+        private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+        begin
+          private_key.private_decrypt(Base64.decode64(@keys[Chef::Config[:node_name]]))
+        rescue OpenSSL::PKey::RSAError
+          raise ChefVault::Exceptions::SecretDecryption,
+            "#{data_bag}/#{id} is encrypted for you, but your private key failed to decrypt the contents.  "\
+            "(if you regenerated your client key, have an administrator of the vault run 'knife vault refresh')"
         end
       else
+        raise ChefVault::Exceptions::SecretDecryption,
+          "#{data_bag}/#{id} is not encrypted with your public key.  "\
+          "Contact an administrator of the vault item to encrypt for you!"
+      end
+    end
+
+    def rotate_keys!(clean_unknown_clients = false)
+      @secret = generate_secret
+
+      unless clients.empty?
+        # a bit of a misnomer; this doesn't remove unknown
+        # admins, just clients which are nodes
+        remove_unknown_nodes if clean_unknown_clients
+        # re-encrypt the new shared secret for all remaining clients
         clients.each do |client|
           clients("name:#{client}")
         end
       end
-    end
 
-    unless admins.empty?
-      admins.each do |admin|
-        admins(admin)
+      unless admins.empty?
+        # re-encrypt the new shared secret for all admins
+        admins.each do |admin|
+          admins(admin)
+        end
       end
+
+      save
+      reload_raw_data
     end
 
-    save
-    reload_raw_data
-  end
+    def generate_secret(key_size=32)
+      # Defaults to 32 bytes, as this is the size that a Chef
+      # Encrypted Data Bag Item will digest all secrets down to anyway
+      SecureRandom.random_bytes(key_size)
+    end
 
-  def generate_secret(key_size=32)
-    # Defaults to 32 bytes, as this is the size that a Chef
-    # Encrypted Data Bag Item will digest all secrets down to anyway
-    SecureRandom.random_bytes(key_size)
-  end
+    def []=(key, value)
+      reload_raw_data if @encrypted
+      super
+    end
 
-  def []=(key, value)
-    reload_raw_data if @encrypted
-    super
-  end
+    def [](key)
+      reload_raw_data if @encrypted
+      super
+    end
 
-  def [](key)
-    reload_raw_data if @encrypted
-    super
-  end
+    def save(item_id=@raw_data['id'])
+      # validate the format of the id before attempting to save
+      validate_id!(item_id)
+
+      # save the keys first, raising an error if no keys were defined
+      if keys.admins.empty? && keys.clients.empty?
+        raise ChefVault::Exceptions::NoKeysDefined,
+          "No keys defined for #{item_id}"
+      end
+
+      keys.save
 
-  def save(item_id=@raw_data['id'])
+      # Make sure the item is encrypted before saving
+      encrypt! unless @encrypted
+
+      # Now save the encrypted data
+      if Chef::Config[:solo]
+        data_bag_path = File.join(Chef::Config[:data_bag_path],
+                                  data_bag)
+        data_bag_item_path = File.join(data_bag_path, item_id)
+
+        FileUtils.mkdir(data_bag_path) unless File.exist?(data_bag_path)
+        File.open("#{data_bag_item_path}.json", 'w') do |file|
+          file.write(JSON.pretty_generate(raw_data))
+        end
+
+        raw_data
+      else
+        begin
+          Chef::DataBag.load(data_bag)
+        rescue Net::HTTPServerException => http_error
+          if http_error.response.code == "404"
+            chef_data_bag = Chef::DataBag.new
+            chef_data_bag.name data_bag
+            chef_data_bag.create
+          end
+        end
 
-    # validate the format of the id before attempting to save
-    validate_id!(item_id)
+        super
+      end
+    end
 
-    # save the keys first, raising an error if no keys were defined
-    if keys.admins.empty? && keys.clients.empty?
-      raise ChefVault::Exceptions::NoKeysDefined,
-        "No keys defined for #{item_id}"
+    def to_json(*a)
+      json = super
+      json.gsub(self.class.name, self.class.superclass.name)
     end
 
-    keys.save
+    def destroy
+      keys.destroy
 
-    # Make sure the item is encrypted before saving
-    encrypt! unless @encrypted
+      if Chef::Config[:solo]
+        data_bag_path = File.join(Chef::Config[:data_bag_path],
+                                  data_bag)
+        data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
 
-    # Now save the encrypted data
-    if Chef::Config[:solo]
-      data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                data_bag)
-      data_bag_item_path = File.join(data_bag_path, item_id)
+        FileUtils.rm("#{data_bag_item_path}.json")
 
-      FileUtils.mkdir(data_bag_path) unless File.exists?(data_bag_path)
-      File.open("#{data_bag_item_path}.json",'w') do |file|
-        file.write(JSON.pretty_generate(self.raw_data))
+        nil
+      else
+        super(data_bag, id)
       end
+    end
+
+    def self.load(vault, name)
+      item = new(vault, name)
+      item.load_keys(vault, "#{name}_keys")
 
-      self.raw_data
-    else
       begin
-        chef_data_bag = Chef::DataBag.load(data_bag)
+        item.raw_data =
+          Chef::EncryptedDataBagItem.load(vault, name, item.secret).to_hash
       rescue Net::HTTPServerException => http_error
         if http_error.response.code == "404"
-          chef_data_bag = Chef::DataBag.new
-          chef_data_bag.name data_bag
-          chef_data_bag.create
+          raise ChefVault::Exceptions::ItemNotFound,
+            "#{vault}/#{name} could not be found"
+        else
+          raise http_error
         end
+      rescue Chef::Exceptions::ValidationFailed
+        raise ChefVault::Exceptions::ItemNotFound,
+          "#{vault}/#{name} could not be found"
       end
 
-      super
+      item
     end
-  end
-
-  def to_json(*a)
-    json = super
-    json.gsub(self.class.name, self.class.superclass.name)
-  end
 
-  def destroy
-    keys.destroy
+    private
 
-    if Chef::Config[:solo]
-      data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                data_bag)
-      data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
-
-      FileUtils.rm("#{data_bag_item_path}.json")
-
-      nil
-    else
-      super(data_bag, id)
+    def encrypt!
+      @raw_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(self, @secret)
+      @encrypted = true
     end
-  end
 
-  def self.load(vault, name)
-    item = new(vault, name)
-    item.load_keys(vault, "#{name}_keys")
+    def reload_raw_data
+      @raw_data =
+        Chef::EncryptedDataBagItem.load(@data_bag, @raw_data["id"], secret).to_hash
+      @encrypted = false
 
-    begin
-      item.raw_data =
-        Chef::EncryptedDataBagItem.load(vault, name, item.secret).to_hash
-    rescue Net::HTTPServerException => http_error
-      if http_error.response.code == "404"
-        raise ChefVault::Exceptions::ItemNotFound,
-          "#{vault}/#{name} could not be found"
-      else
-        raise http_error
-      end
-    rescue Chef::Exceptions::ValidationFailed
-      raise ChefVault::Exceptions::ItemNotFound,
-        "#{vault}/#{name} could not be found"
+      @raw_data
     end
 
-    item
-  end
+    def load_admin(admin)
+      begin
+        admin = ChefVault::ChefPatch::User.load(admin)
+      rescue Net::HTTPServerException => http_error
+        if http_error.response.code == "404"
+          begin
+            puts "WARNING: #{admin} not found in users, trying clients."
+            admin = load_client(admin)
+          rescue ChefVault::Exceptions::ClientNotFound
+            raise ChefVault::Exceptions::AdminNotFound,
+              "FATAL: Could not find #{admin} in users or clients!"
+          end
+        else
+          raise http_error
+        end
+      end
 
-  private
-  def encrypt!
-    @raw_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(self, @secret)
-    @encrypted = true
-  end
+      admin
+    end
 
-  def reload_raw_data
-    @raw_data =
-      Chef::EncryptedDataBagItem.load(@data_bag, @raw_data["id"], secret).to_hash
-    @encrypted = false
+    def load_client(client)
+      begin
+        client = ChefVault::ChefPatch::ApiClient.load(client)
+      rescue Net::HTTPServerException => http_error
+        if http_error.response.code == "404"
+          raise ChefVault::Exceptions::ClientNotFound,
+            "#{client} is not a valid chef client and/or node"
+        else
+          raise http_error
+        end
+      end
 
-    @raw_data
-  end
+      client
+    end
 
-  def load_admin(admin)
-    begin
-      admin = ChefVault::ChefPatch::User.load(admin)
-    rescue Net::HTTPServerException => http_error
-      if http_error.response.code == "404"
-        begin
-          puts "WARNING: #{admin} not found in users, trying clients."
-          admin = load_client(admin)
-        rescue ChefVault::Exceptions::ClientNotFound
-          raise ChefVault::Exceptions::AdminNotFound,
-            "FATAL: Could not find #{admin} in users or clients!"
-        end
-      else
-        raise http_error
+    # removes unknown nodes by performing a node search
+    # for each of the existing nodclientses.  If the search
+    # returns nothing or the client cannot be loaded, then
+    # we remove that client from the vault
+    # @return [void]
+    def remove_unknown_nodes
+      # build a list of clients to remove so we don't
+      # mutate the clients while iterating over search results
+      clients_to_remove = []
+      clients.each do |nodename|
+        clients_to_remove.push(nodename) unless node_exists?(nodename)
+      end
+      # now delete any flagged clients from the keys data bag
+      clients_to_remove.each do |client|
+        puts "Removing unknown client '#{client}'"
+        keys.delete(client, "clients")
       end
     end
 
-    admin
-  end
+    # checks if a node exists on the Chef server by performing
+    # a search against the node index.  If the search returns no
+    # results, the node does not exist.  If it does return results,
+    # check if there is a matching client
+    # @param nodename [String] the name of the node
+    # @return [Boolean] whether the node exists or not
+    def node_exists?(nodename)
+      # the node does not exist if a search for the node with that
+      # name returns no results
+      query = Chef::Search::Query.new
+      numresults = query.search(:node, "name:#{nodename}")[2]
+      return false unless numresults > 0
+      # if the node search does return results, predicate node
+      # existence on the existence of a like-named client
+      client_exists?(nodename)
+    end
 
-  def load_client(client)
-    begin
-      client = ChefVault::ChefPatch::ApiClient.load(client)
-    rescue Net::HTTPServerException => http_error
-      if http_error.response.code == "404"
-        raise ChefVault::Exceptions::ClientNotFound,
-          "#{client} is not a valid chef client and/or node"
-      else
+    # checks if a client exists on the Chef server.  If we get back
+    # a 404, the client does not exist.  Any other HTTP errors are
+    # re-raised.  Otherwise, the client exists
+    # @param clientname [String] the name of the client
+    # @return [Boolean] whether the client exists or not
+    def client_exists?(clientname)
+      begin
+        ChefVault::ChefPatch::ApiClient.load(clientname)
+      rescue Net::HTTPServerException => http_error
+        return false if http_error.response.code == "404"
         raise http_error
       end
+      true
     end
-
-    client
   end
 end