chef 11.4.4 → 11.6.0.hotfix.1

data/lib/chef/deprecation/provider/remote_file.rb

@@ -0,0 +1,86 @@
+#
+# Author:: Serdar Sutay (<serdar@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  module Deprecation
+    module Provider
+
+      # == Deprecation::Provider::RemoteFile
+      # This module contains the deprecated functions of
+      # Chef::Provider::RemoteFile. These functions are refactored to different
+      # components. They are frozen and will be removed in Chef 12.
+      #
+      module RemoteFile
+
+        def current_resource_matches_target_checksum?
+          @new_resource.checksum && @current_resource.checksum && @current_resource.checksum =~ /^#{Regexp.escape(@new_resource.checksum)}/
+        end
+
+        def matches_current_checksum?(candidate_file)
+          Chef::Log.debug "#{@new_resource} checking for file existence of #{@new_resource.path}"
+          if ::File.exists?(@new_resource.path)
+            Chef::Log.debug "#{@new_resource} file exists at #{@new_resource.path}"
+            @new_resource.checksum(checksum(candidate_file.path))
+            Chef::Log.debug "#{@new_resource} target checksum: #{@current_resource.checksum}"
+            Chef::Log.debug "#{@new_resource} source checksum: #{@new_resource.checksum}"
+
+            @new_resource.checksum == @current_resource.checksum
+          else
+            Chef::Log.debug "#{@new_resource} creating #{@new_resource.path}"
+            false
+          end
+        end
+
+        def backup_new_resource
+          if ::File.exists?(@new_resource.path)
+            Chef::Log.debug "#{@new_resource} checksum changed from #{@current_resource.checksum} to #{@new_resource.checksum}"
+            backup @new_resource.path
+          end
+        end
+
+        def source_file(source, current_checksum, &block)
+          if absolute_uri?(source)
+            fetch_from_uri(source, &block)
+          elsif !Chef::Config[:solo]
+            fetch_from_chef_server(source, current_checksum, &block)
+          else
+            fetch_from_local_cookbook(source, &block)
+          end
+        end
+
+        def http_client_opts(source)
+          opts={}
+          # CHEF-3140
+          # 1. If it's already compressed, trying to compress it more will
+          # probably be counter-productive.
+          # 2. Some servers are misconfigured so that you GET $URL/file.tgz but
+          # they respond with content type of tar and content encoding of gzip,
+          # which tricks Chef::REST into decompressing the response body. In this
+          # case you'd end up with a tar archive (no gzip) named, e.g., foo.tgz,
+          # which is not what you wanted.
+          if @new_resource.path =~ /gz$/ or source =~ /gz$/
+            opts[:disable_gzip] = true
+          end
+          opts
+        end
+
+      end
+    end
+  end
+end
+

data/lib/chef/deprecation/provider/template.rb

@@ -0,0 +1,63 @@
+#
+# Author:: Serdar Sutay (<serdar@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/deprecation/mixin/template'
+
+class Chef
+  module Deprecation
+    module Provider
+
+      # == Deprecation::Provider::Template
+      # This module contains the deprecated functions of
+      # Chef::Provider::Template. These functions are refactored to different
+      # components. They are frozen and will be removed in Chef 12.
+      #
+      module Template
+
+        include Chef::Deprecation::Mixin::Template
+
+        def template_finder
+          @template_finder ||= begin
+            Chef::Provider::TemplateFinder.new(run_context, cookbook_name, node)
+          end
+        end
+
+        def template_location
+          @template_file_cache_location ||= begin
+            template_finder.find(@new_resource.source, :local => @new_resource.local, :cookbook => @new_resource.cookbook)
+          end
+        end
+
+        def resource_cookbook
+          @new_resource.cookbook || @new_resource.cookbook_name
+        end
+
+        def rendered(rendered_template)
+          @new_resource.checksum(checksum(rendered_template.path))
+          Chef::Log.debug("Current content's checksum:  #{@current_resource.checksum}")
+          Chef::Log.debug("Rendered content's checksum: #{@new_resource.checksum}")
+        end
+
+        def content_matches?
+          @current_resource.checksum == @new_resource.checksum
+        end
+
+      end
+    end
+  end
+end

data/lib/chef/deprecation/warnings.rb

@@ -0,0 +1,38 @@
+#
+# Author:: Serdar Sutay (<serdar@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  module Deprecation
+    module Warnings
+
+      def add_deprecation_warnings_for(method_names)
+        method_names.each do |name|
+          m = instance_method(name)
+          define_method(name) do |*args|
+            Chef::Log.warn "Method '#{name}' of '#{self.class}' is deprecated. It will be removed in Chef 12."
+            Chef::Log.warn "Please update your cookbooks accordingly. Accessed from:"
+            caller[0..3].each {|l| Chef::Log.warn l}
+            super(*args)
+          end
+        end
+      end
+
+    end
+  end
+end
+

data/lib/chef/encrypted_data_bag_item.rb

@@ -48,9 +48,11 @@ require 'open-uri'
 # such nodes in the infrastructure.
 #
 class Chef::EncryptedDataBagItem
-  DEFAULT_SECRET_FILE = "/etc/chef/encrypted_data_bag_secret"
   ALGORITHM = 'aes-256-cbc'
 
+  class UnacceptableEncryptedDataBagItemFormat < StandardError
+  end
+
   class UnsupportedEncryptedDataBagItemFormat < StandardError
   end
 
@@ -62,73 +64,117 @@ class Chef::EncryptedDataBagItem
 
   # Implementation class for converting plaintext data bag item values to an
   # encrypted value, including any necessary wrappers and metadata.
-  class Encryptor
-
-    attr_reader :key
-    attr_reader :plaintext_data
+  module Encryptor
 
-    # Create a new Encryptor for +data+, which will be encrypted with the given
-    # +key+.
+    # "factory" method that creates an encryptor object with the proper class
+    # for the desired encrypted data bag format version.
     #
-    # === Arguments:
-    # * data: An object of any type that can be serialized to json
-    # * key: A String representing the desired passphrase
-    # * iv: The optional +iv+ parameter is intended for testing use only. When
-    # *not* supplied, Encryptor will use OpenSSL to generate a secure random
-    # IV, which is what you want.
-    def initialize(plaintext_data, key, iv=nil)
-      @plaintext_data = plaintext_data
-      @key = key
-      @iv = iv && Base64.decode64(iv)
+    # +Chef::Config[:data_bag_encrypt_version]+ determines which version is used.
+    def self.new(value, secret, iv=nil)
+      format_version = Chef::Config[:data_bag_encrypt_version]
+      case format_version
+      when 1
+        Version1Encryptor.new(value, secret, iv)
+      when 2
+        Version2Encryptor.new(value, secret, iv)
+      else
+        raise UnsupportedEncryptedDataBagItemFormat,
+          "Invalid encrypted data bag format version `#{format_version}'. Supported versions are '1', '2'"
+      end
     end
 
-    # Returns a wrapped and encrypted version of +plaintext_data+ suitable for
-    # using as the value in an encrypted data bag item.
-    def for_encrypted_item
-      {
-        "encrypted_data" => encrypted_data,
-        "iv" => Base64.encode64(iv),
-        "version" => 1,
-        "cipher" => ALGORITHM
-      }
-    end
+    class Version1Encryptor
+      attr_reader :key
+      attr_reader :plaintext_data
+
+      # Create a new Encryptor for +data+, which will be encrypted with the given
+      # +key+.
+      #
+      # === Arguments:
+      # * data: An object of any type that can be serialized to json
+      # * key: A String representing the desired passphrase
+      # * iv: The optional +iv+ parameter is intended for testing use only. When
+      # *not* supplied, Encryptor will use OpenSSL to generate a secure random
+      # IV, which is what you want.
+      def initialize(plaintext_data, key, iv=nil)
+        @plaintext_data = plaintext_data
+        @key = key
+        @iv = iv && Base64.decode64(iv)
+      end
 
-    # Generates or returns the IV.
-    def iv
-      # Generated IV comes from OpenSSL::Cipher::Cipher#random_iv
-      # This gets generated when +openssl_encryptor+ gets created.
-      openssl_encryptor if @iv.nil?
-      @iv
-    end
+      # Returns a wrapped and encrypted version of +plaintext_data+ suitable for
+      # using as the value in an encrypted data bag item.
+      def for_encrypted_item
+        {
+          "encrypted_data" => encrypted_data,
+          "iv" => Base64.encode64(iv),
+          "version" => 1,
+          "cipher" => ALGORITHM
+        }
+      end
 
-    # Generates (and memoizes) an OpenSSL::Cipher::Cipher object and configures
-    # it for the specified iv and encryption key.
-    def openssl_encryptor
-      @openssl_encryptor ||= begin
-        encryptor = OpenSSL::Cipher::Cipher.new(ALGORITHM)
-        encryptor.encrypt
-        @iv ||= encryptor.random_iv
-        encryptor.iv = @iv
-        encryptor.key = Digest::SHA256.digest(key)
-        encryptor
+      # Generates or returns the IV.
+      def iv
+        # Generated IV comes from OpenSSL::Cipher::Cipher#random_iv
+        # This gets generated when +openssl_encryptor+ gets created.
+        openssl_encryptor if @iv.nil?
+        @iv
+      end
+
+      # Generates (and memoizes) an OpenSSL::Cipher::Cipher object and configures
+      # it for the specified iv and encryption key.
+      def openssl_encryptor
+        @openssl_encryptor ||= begin
+          encryptor = OpenSSL::Cipher::Cipher.new(ALGORITHM)
+          encryptor.encrypt
+          @iv ||= encryptor.random_iv
+          encryptor.iv = @iv
+          encryptor.key = Digest::SHA256.digest(key)
+          encryptor
+        end
+      end
+
+      # Encrypts and Base64 encodes +serialized_data+
+      def encrypted_data
+        @encrypted_data ||= begin
+          enc_data = openssl_encryptor.update(serialized_data)
+          enc_data << openssl_encryptor.final
+          Base64.encode64(enc_data)
+        end
       end
-    end
 
-    # Encrypts and Base64 encodes +serialized_data+
-    def encrypted_data
-      @encrypted_data ||= begin
-        enc_data = openssl_encryptor.update(serialized_data)
-        enc_data << openssl_encryptor.final
-        Base64.encode64(enc_data)
+      # Wraps the data in a single key Hash (JSON Object) and converts to JSON.
+      # The wrapper is required because we accept values (such as Integers or
+      # Strings) that do not produce valid JSON when serialized without the
+      # wrapper.
+      def serialized_data
+        Yajl::Encoder.encode(:json_wrapper => plaintext_data)
       end
     end
 
-    # Wraps the data in a single key Hash (JSON Object) and converts to JSON.
-    # The wrapper is required because we accept values (such as Integers or
-    # Strings) that do not produce valid JSON when serialized without the
-    # wrapper.
-    def serialized_data
-      Yajl::Encoder.encode(:json_wrapper => plaintext_data)
+    class Version2Encryptor < Version1Encryptor
+
+      # Returns a wrapped and encrypted version of +plaintext_data+ suitable for
+      # using as the value in an encrypted data bag item.
+      def for_encrypted_item
+        {
+          "encrypted_data" => encrypted_data,
+          "hmac" => hmac,
+          "iv" => Base64.encode64(iv),
+          "version" => 2,
+          "cipher" => ALGORITHM
+        }
+      end
+
+      # Generates an HMAC-SHA2-256 of the encrypted data (encrypt-then-mac)
+      def hmac
+        @hmac ||= begin
+          digest = OpenSSL::Digest::Digest.new("sha256")
+          raw_hmac = OpenSSL::HMAC.digest(digest, key, encrypted_data)
+          Base64.encode64(raw_hmac)
+        end
+      end
+
     end
   end
 
@@ -145,7 +191,11 @@ class Chef::EncryptedDataBagItem
     # decryptor object for that version. Call #for_decrypted_item on the
     # resulting object to decrypt and deserialize it.
     def self.for(encrypted_value, key)
-      case format_version_of(encrypted_value)
+      format_version = format_version_of(encrypted_value)
+      assert_format_version_acceptable!(format_version)
+      case format_version
+      when 2
+        Version2Decryptor.new(encrypted_value, key)
       when 1
         Version1Decryptor.new(encrypted_value, key)
       when 0
@@ -164,6 +214,14 @@ class Chef::EncryptedDataBagItem
       end
     end
 
+    def self.assert_format_version_acceptable!(format_version)
+      unless format_version.kind_of?(Integer) and format_version >= Chef::Config[:data_bag_decrypt_minimum_version]
+        raise UnacceptableEncryptedDataBagItemFormat,
+          "The encrypted data bag item has format version `#{format_version}', " +
+          "but the config setting 'data_bag_decrypt_minimum_version' requires version `#{Chef::Config[:data_bag_decrypt_minimum_version]}'"
+      end
+    end
+
     class Version1Decryptor
 
       attr_reader :encrypted_data
@@ -176,9 +234,13 @@ class Chef::EncryptedDataBagItem
 
       def for_decrypted_item
         Yajl::Parser.parse(decrypted_data)["json_wrapper"]
+      rescue Yajl::ParseError
+        # convert to a DecryptionFailure error because the most likely scenario
+        # here is that the decryption step was unsuccessful but returned bad
+        # data rather than raising an error.
+        raise DecryptionFailure, "Error decrypting data bag value. Most likely the provided key is incorrect"
       end
 
-
       def encrypted_bytes
         Base64.decode64(@encrypted_data["encrypted_data"])
       end
@@ -219,6 +281,36 @@ class Chef::EncryptedDataBagItem
 
     end
 
+    class Version2Decryptor < Version1Decryptor
+
+      def decrypted_data
+        validate_hmac! unless @decrypted_data
+        super
+      end
+
+      def validate_hmac!
+        digest = OpenSSL::Digest::Digest.new("sha256")
+        raw_hmac = OpenSSL::HMAC.digest(digest, key, @encrypted_data["encrypted_data"])
+
+        if candidate_hmac_matches?(raw_hmac)
+          true
+        else
+          raise DecryptionFailure, "Error decrypting data bag value: invalid hmac. Most likely the provided key is incorrect"
+        end
+      end
+
+      private
+
+      def candidate_hmac_matches?(expected_hmac)
+        return false unless @encrypted_data["hmac"]
+        expected_bytes = expected_hmac.bytes.to_a
+        candidate_hmac_bytes = Base64.decode64(@encrypted_data["hmac"]).bytes.to_a
+        valid = expected_bytes.size ^ candidate_hmac_bytes.size
+        expected_bytes.zip(candidate_hmac_bytes) { |x, y| valid |= x ^ y.to_i }
+        valid == 0
+      end
+    end
+
     class Version0Decryptor
 
       attr_reader :encrypted_data
@@ -297,7 +389,7 @@ class Chef::EncryptedDataBagItem
   end
 
   def self.load_secret(path=nil)
-    path = path || Chef::Config[:encrypted_data_bag_secret] || DEFAULT_SECRET_FILE
+    path ||= Chef::Config[:encrypted_data_bag_secret]
     secret = case path
              when /^\w+:\/\//
                # We have a remote key
@@ -309,7 +401,7 @@ class Chef::EncryptedDataBagItem
                  raise ArgumentError, "Remote key not found at '#{path}'"
                end
              else
-               if !File.exists?(path)
+               if !File.exist?(path)
                  raise Errno::ENOENT, "file not found '#{path}'"
                end
                IO.read(path).strip