chef 11.4.4 → 11.6.0.hotfix.1

data/spec/unit/encrypted_data_bag_item_spec.rb

@@ -19,7 +19,7 @@
 require 'spec_helper'
 require 'chef/encrypted_data_bag_item'
 
-module Version1Encryptor
+module Version0Encryptor
   def self.encrypt_value(plaintext_data, key)
     data = plaintext_data.to_yaml
 
@@ -34,205 +34,300 @@ end
 
 describe Chef::EncryptedDataBagItem::Encryptor  do
 
+  subject(:encryptor) { described_class.new(plaintext_data, key) }
+  let(:plaintext_data) { {"foo" => "bar"} }
+  let(:key) { "passwd" }
+
+  it "encrypts to format version 1 by default" do
+    encryptor.should be_a_kind_of(Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor)
+  end
+
   describe "generating a random IV" do
     it "generates a new IV for each encryption pass" do
-      encryptor1 = Chef::EncryptedDataBagItem::Encryptor.new({"foo" => "bar"}, "passwd")
-      encryptor2 = Chef::EncryptedDataBagItem::Encryptor.new({"foo" => "bar"}, "passwd")
+      encryptor2 = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, key)
 
       # No API in ruby OpenSSL to get the iv it used for the encryption back
       # out. Instead we test if the encrypted data is the same. If it *is* the
       # same, we assume the IV was the same each time.
-      encryptor1.encrypted_data.should_not == encryptor2.encrypted_data
+      encryptor.encrypted_data.should_not eq encryptor2.encrypted_data
     end
   end
 
   describe "when encrypting a non-hash non-array value" do
+    let(:plaintext_data) { 5 }
     it "serializes the value in a de-serializable way" do
-      encryptor = Chef::EncryptedDataBagItem::Encryptor.new(5, "passwd")
-      Chef::JSONCompat.from_json(encryptor.serialized_data)["json_wrapper"].should == 5
+      Chef::JSONCompat.from_json(subject.serialized_data)["json_wrapper"].should eq 5
     end
 
   end
 
   describe "wrapping secret values in an envelope" do
     it "wraps the encrypted data in an envelope with the iv and version" do
-      encryptor = Chef::EncryptedDataBagItem::Encryptor.new({"foo" => "bar"}, "passwd")
       final_data = encryptor.for_encrypted_item
-      final_data["encrypted_data"].should == encryptor.encrypted_data
-      final_data["iv"].should == Base64.encode64(encryptor.iv)
-      final_data["version"].should == 1
-      final_data["cipher"].should == "aes-256-cbc"
+      final_data["encrypted_data"].should eq encryptor.encrypted_data
+      final_data["iv"].should eq Base64.encode64(encryptor.iv)
+      final_data["version"].should eq 1
+      final_data["cipher"].should eq"aes-256-cbc"
+    end
+  end
+
+  describe "when using version 2 format" do
+
+    before do
+      @original_config = Chef::Config.hash_dup
+      Chef::Config[:data_bag_encrypt_version] = 2
     end
 
+    after do
+      Chef::Config.configuration = @original_config
+    end
+
+    it "creates a version 2 encryptor" do
+      encryptor.should be_a_kind_of(Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor)
+    end
+
+    it "generates an hmac based on ciphertext including iv" do
+      encryptor2 = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, key)
+      encryptor.hmac.should_not eq(encryptor2.hmac)
+    end
+
+    it "includes the hmac in the envelope" do
+      final_data = encryptor.for_encrypted_item
+      final_data["hmac"].should eq(encryptor.hmac)
+    end
   end
 
 end
 
 describe Chef::EncryptedDataBagItem::Decryptor do
+
+  subject(:decryptor) { described_class.for(encrypted_value, decryption_key) }
+  let(:plaintext_data) { {"foo" => "bar"} }
+  let(:encryption_key) { "passwd" }
+  let(:decryption_key) { encryption_key }
+
+  context "when decrypting a version 2 (JSON+aes-256-cbc+hmac-sha256+random iv) encrypted value" do
+    let(:encrypted_value) do
+      Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
+    end
+
+    let(:bogus_hmac) do
+      digest = OpenSSL::Digest::Digest.new("sha256")
+      raw_hmac = OpenSSL::HMAC.digest(digest, "WRONG", encrypted_value["encrypted_data"])
+      Base64.encode64(raw_hmac)
+    end
+
+    it "rejects the data if the hmac is wrong" do
+      encrypted_value["hmac"] = bogus_hmac
+      lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
+    end
+
+    it "rejects the data if the hmac is missing" do
+      encrypted_value.delete("hmac")
+      lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
+    end
+
+  end
+
   context "when decrypting a version 1 (JSON+aes-256-cbc+random iv) encrypted value" do
-    before do
-      @encryptor = Chef::EncryptedDataBagItem::Encryptor.new({"foo" => "bar"}, "passwd")
-      @encrypted_value = @encryptor.for_encrypted_item
 
-      @decryptor = Chef::EncryptedDataBagItem::Decryptor.for(@encrypted_value, "passwd")
+    let(:encrypted_value) do
+      Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
     end
 
     it "selects the correct strategy for version 1" do
-      @decryptor.should be_a_kind_of Chef::EncryptedDataBagItem::Decryptor::Version1Decryptor
+      decryptor.should be_a_kind_of Chef::EncryptedDataBagItem::Decryptor::Version1Decryptor
     end
 
     it "decrypts the encrypted value" do
-      @decryptor.decrypted_data.should == {"json_wrapper" => {"foo" => "bar"}}.to_json
+      decryptor.decrypted_data.should eq({"json_wrapper" => plaintext_data}.to_json)
     end
 
     it "unwraps the encrypted data and returns it" do
-      @decryptor.for_decrypted_item.should == {"foo" => "bar"}
+      decryptor.for_decrypted_item.should eq plaintext_data
     end
 
-    context "and the provided key is incorrect" do
-      before do
-        @decryptor = Chef::EncryptedDataBagItem::Decryptor.for(@encrypted_value, "wrong-passwd")
+    describe "and the decryption step returns invalid data" do
+      it "raises a decryption failure error" do
+        # Over a large number of tests on a variety of systems, we occasionally
+        # see the decryption step "succeed" but return invalid data (e.g., not
+        # the original plain text) [CHEF-3858]
+        decryptor.should_receive(:decrypted_data).and_return("lksajdf")
+        lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
       end
+    end
+
+    context "and the provided key is incorrect" do
+      let(:decryption_key) { "wrong-passwd" }
 
       it "raises a sensible error" do
-        lambda { @decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
+        lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
       end
     end
 
     context "and the cipher is not supported" do
-      before do
-        @encrypted_value["cipher"] = "aes-256-foo"
+      let(:encrypted_value) do
+        ev = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
+        ev["cipher"] = "aes-256-foo"
+        ev
       end
 
       it "raises a sensible error" do
-        lambda { @decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::UnsupportedCipher)
+        lambda { decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::UnsupportedCipher)
+      end
+    end
+
+    context "and version 2 format is required" do
+      before do
+        @original_config = Chef::Config.hash_dup
+        Chef::Config[:data_bag_decrypt_minimum_version] = 2
+      end
+
+      after do
+        Chef::Config.configuration = @original_config
+      end
+
+      it "raises an error attempting to decrypt" do
+        lambda { decryptor }.should raise_error(Chef::EncryptedDataBagItem::UnacceptableEncryptedDataBagItemFormat)
       end
+
     end
 
   end
 
   context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do
-    before do
-      @encrypted_value = Version1Encryptor.encrypt_value({"foo" => "bar"}, "passwd")
-
-      @decryptor = Chef::EncryptedDataBagItem::Decryptor.for(@encrypted_value, "passwd")
+    let(:encrypted_value) do
+      Version0Encryptor.encrypt_value(plaintext_data, encryption_key)
     end
 
     it "selects the correct strategy for version 0" do
-      @decryptor.should be_a_kind_of(Chef::EncryptedDataBagItem::Decryptor::Version0Decryptor)
+      decryptor.should be_a_kind_of(Chef::EncryptedDataBagItem::Decryptor::Version0Decryptor)
     end
 
     it "decrypts the encrypted value" do
-      @decryptor.for_decrypted_item.should == {"foo" => "bar"}
+      decryptor.for_decrypted_item.should eq plaintext_data
+    end
+
+    context "and version 1 format is required" do
+      before do
+        @original_config = Chef::Config.hash_dup
+        Chef::Config[:data_bag_decrypt_minimum_version] = 1
+      end
+
+      after do
+        Chef::Config.configuration = @original_config
+      end
+
+      it "raises an error attempting to decrypt" do
+        lambda { decryptor }.should raise_error(Chef::EncryptedDataBagItem::UnacceptableEncryptedDataBagItemFormat)
+      end
+
     end
+
   end
 end
 
 describe Chef::EncryptedDataBagItem do
-  before(:each) do
-    @secret = "abc123SECRET"
-    @plain_data = {
+  subject { described_class }
+  let(:encrypted_data_bag_item) { subject.new(encoded_data, secret) }
+  let(:plaintext_data) {{
       "id" => "item_name",
       "greeting" => "hello",
       "nested" => { "a1" => [1, 2, 3], "a2" => { "b1" => true }}
-    }
-    @enc_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(@plain_data,
-                                                                 @secret)
-  end
-
+  }}
+  let(:secret) { "abc123SECRET" }
+  let(:encoded_data) { subject.encrypt_data_bag_item(plaintext_data, secret) }
 
   describe "encrypting" do
 
-    it "should not encrypt the 'id' key" do
-      @enc_data["id"].should == "item_name"
+    it "doesn't encrypt the 'id' key" do
+      encoded_data["id"].should eq "item_name"
     end
 
-    it "should encrypt non-collection objects" do
-      @enc_data["greeting"]["version"].should == 1
-      @enc_data["greeting"].should have_key("iv")
+    it "encrypts non-collection objects" do
+      encoded_data["greeting"]["version"].should eq 1
+      encoded_data["greeting"].should have_key("iv")
 
-      iv = @enc_data["greeting"]["iv"]
-      encryptor = Chef::EncryptedDataBagItem::Encryptor.new("hello", @secret, iv)
+      iv = encoded_data["greeting"]["iv"]
+      encryptor = Chef::EncryptedDataBagItem::Encryptor.new("hello", secret, iv)
 
-      @enc_data["greeting"]["encrypted_data"].should == encryptor.for_encrypted_item["encrypted_data"]
+      encoded_data["greeting"]["encrypted_data"].should eq(encryptor.for_encrypted_item["encrypted_data"])
     end
 
-    it "should encrypt nested values" do
-      @enc_data["nested"]["version"].should == 1
-      @enc_data["nested"].should have_key("iv")
+    it "encrypts nested values" do
+      encoded_data["nested"]["version"].should eq 1
+      encoded_data["nested"].should have_key("iv")
 
-      iv = @enc_data["nested"]["iv"]
-      encryptor = Chef::EncryptedDataBagItem::Encryptor.new(@plain_data["nested"], @secret, iv)
+      iv = encoded_data["nested"]["iv"]
+      encryptor = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data["nested"], secret, iv)
 
-      @enc_data["nested"]["encrypted_data"].should == encryptor.for_encrypted_item["encrypted_data"]
+      encoded_data["nested"]["encrypted_data"].should eq(encryptor.for_encrypted_item["encrypted_data"])
     end
 
   end
 
   describe "decrypting" do
-    before(:each) do
-      @enc_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(@plain_data,
-                                                                   @secret)
-      @eh = Chef::EncryptedDataBagItem.new(@enc_data, @secret)
-    end
 
     it "doesn't try to decrypt 'id'" do
-      @eh["id"].should == @plain_data["id"]
+      encrypted_data_bag_item["id"].should eq(plaintext_data["id"])
     end
 
     it "decrypts 'greeting'" do
-      @eh["greeting"].should == @plain_data["greeting"]
+      encrypted_data_bag_item["greeting"].should eq(plaintext_data["greeting"])
     end
 
     it "decrypts 'nested'" do
-      @eh["nested"].should == @plain_data["nested"]
+      encrypted_data_bag_item["nested"].should eq(plaintext_data["nested"])
     end
 
     it "decrypts everyting via to_hash" do
-      @eh.to_hash.should == @plain_data
+      encrypted_data_bag_item.to_hash.should eq(plaintext_data)
     end
 
     it "handles missing keys gracefully" do
-      @eh["no-such-key"].should be_nil
+      encrypted_data_bag_item["no-such-key"].should be_nil
     end
   end
 
   describe "loading" do
     it "should defer to Chef::DataBagItem.load" do
-      Chef::DataBagItem.stub(:load).with(:the_bag, "my_codes").and_return(@enc_data)
-      edbi = Chef::EncryptedDataBagItem.load(:the_bag, "my_codes", @secret)
-      edbi["greeting"].should == @plain_data["greeting"]
+      Chef::DataBagItem.stub(:load).with(:the_bag, "my_codes").and_return(encoded_data)
+      edbi = Chef::EncryptedDataBagItem.load(:the_bag, "my_codes", secret)
+      edbi["greeting"].should eq(plaintext_data["greeting"])
     end
   end
 
-  describe "load_secret" do
-    it "should read from the default path" do
-      default_path = "/etc/chef/encrypted_data_bag_secret"
-      ::File.stub(:exists?).with(default_path).and_return(true)
-      IO.stub(:read).with(default_path).and_return("opensesame")
-      Chef::EncryptedDataBagItem.load_secret().should == "opensesame"
+  describe ".load_secret" do
+    subject(:loaded_secret) { Chef::EncryptedDataBagItem.load_secret(path) }
+    let(:path) { "/var/mysecret" }
+    let(:secret) { "opensesame" }
+    let(:stubbed_path) { path }
+    before do
+      ::File.stub(:exist?).with(stubbed_path).and_return(true)
+      IO.stub(:read).with(stubbed_path).and_return(secret)
+      Kernel.stub(:open).with(path).and_return(StringIO.new(secret))
     end
 
-    it "should read from Chef::Config[:encrypted_data_bag_secret]" do
-      path = "/var/mysecret"
-      Chef::Config[:encrypted_data_bag_secret] = path
-      ::File.stub(:exists?).with(path).and_return(true)
-      IO.stub(:read).with(path).and_return("opensesame")
-      Chef::EncryptedDataBagItem.load_secret().should == "opensesame"
+    it "reads from a specified path" do
+      loaded_secret.should eq secret
     end
 
-    it "should read from a specified path" do
-      path = "/var/mysecret"
-      ::File.stub(:exists?).with(path).and_return(true)
-      IO.stub(:read).with(path).and_return("opensesame")
-      Chef::EncryptedDataBagItem.load_secret(path).should == "opensesame"
+    context "path argument is nil" do
+      let(:path) { nil }
+      let(:stubbed_path) { "/etc/chef/encrypted_data_bag_secret" }
+
+      it "reads from Chef::Config[:encrypted_data_bag_secret]" do
+        Chef::Config[:encrypted_data_bag_secret] = stubbed_path
+        loaded_secret.should eq secret
+      end
     end
 
-    it "should read from a URL" do
-      path = "http://www.opscode.com/"
-      fake_file = StringIO.new("opensesame")
-      Kernel.stub(:open).with(path).and_return(fake_file)
-      Chef::EncryptedDataBagItem.load_secret(path).should == "opensesame"
+    context "path argument is a URL" do
+      let(:path) { "http://www.opscode.com/" }
+
+      it "reads the URL" do
+        loaded_secret.should eq secret
+      end
     end
   end
 end

data/spec/unit/environment_spec.rb

@@ -2,6 +2,7 @@
 # Author:: Stephen Delano (<stephen@ospcode.com>)
 # Author:: Seth Falcon (<seth@ospcode.com>)
 # Author:: John Keiser (<jkeiser@ospcode.com>)
+# Author:: Kyle Goodwin (<kgoodwin@primerevenue.com>)
 # Copyright:: Copyright 2010-2011 Opscode, Inc.
 # License:: Apache License, Version 2.0
 #
@@ -271,8 +272,27 @@ describe Chef::Environment do
       Chef::Environment.validate_cookbook_version(Chef::CookbookVersion.new("meta")).should == false
       Chef::Environment.validate_cookbook_version("= 1.2.3a").should == false
       Chef::Environment.validate_cookbook_version("= 1").should == false
+      Chef::Environment.validate_cookbook_version("= a").should == false
       Chef::Environment.validate_cookbook_version("= 1.2.3.4").should == false
     end
+
+    describe "in solo mode" do
+      before do
+        Chef::Config[:solo] = true
+      end
+
+      after do
+        Chef::Config[:solo] = false
+      end
+
+      it "should raise and exception" do
+        lambda {
+          Chef::Environment.validate_cookbook_version("= 1.2.3.4")
+        }.should raise_error Chef::Exceptions::IllegalVersionConstraint,
+                             "Environment cookbook version constraints not allowed in chef-solo"
+      end
+    end
+
   end
 
   describe "when updating from a parameter hash" do
@@ -359,4 +379,82 @@ describe Chef::Environment do
     end
   end
 
+  describe "when loading" do
+    describe "in solo mode" do
+      before do
+        Chef::Config[:solo] = true
+        Chef::Config[:environment_path] = '/var/chef/environments'
+      end
+
+      after do
+        Chef::Config[:solo] = false
+      end
+
+      it "should get the environment from the environment_path" do
+        File.should_receive(:directory?).with(Chef::Config[:environment_path]).and_return(true)
+        File.should_receive(:exists?).with(File.join(Chef::Config[:environment_path], 'foo.json')).and_return(false)
+        File.should_receive(:exists?).with(File.join(Chef::Config[:environment_path], 'foo.rb')).exactly(2).times.and_return(true)
+        File.should_receive(:readable?).with(File.join(Chef::Config[:environment_path], 'foo.rb')).and_return(true)
+        role_dsl="name \"foo\"\ndescription \"desc\"\n"
+        IO.should_receive(:read).with(File.join(Chef::Config[:environment_path], 'foo.rb')).and_return(role_dsl)
+        Chef::Environment.load('foo')
+      end
+
+      it "should return a Chef::Environment object from JSON" do
+        File.should_receive(:directory?).with(Chef::Config[:environment_path]).and_return(true)
+        File.should_receive(:exists?).with(File.join(Chef::Config[:environment_path], 'foo.json')).and_return(true)
+        environment_hash = {
+          "name" => "foo",
+          "default_attributes" => {
+            "foo" => {
+              "bar" => 1
+            }
+          },
+          "json_class" => "Chef::Environment",
+          "description" => "desc",
+          "chef_type" => "environment"
+        }
+        IO.should_receive(:read).with(File.join(Chef::Config[:environment_path], 'foo.json')).and_return(JSON.dump(environment_hash))
+        environment = Chef::Environment.load('foo')
+
+        environment.should be_a_kind_of(Chef::Environment)
+        environment.name.should == environment_hash['name']
+        environment.description.should == environment_hash['description']
+        environment.default_attributes.should == environment_hash['default_attributes']
+      end
+
+      it "should return a Chef::Environment object from Ruby DSL" do
+        File.should_receive(:directory?).with(Chef::Config[:environment_path]).and_return(true)
+        File.should_receive(:exists?).with(File.join(Chef::Config[:environment_path], 'foo.json')).and_return(false)
+        File.should_receive(:exists?).with(File.join(Chef::Config[:environment_path], 'foo.rb')).exactly(2).times.and_return(true)
+        File.should_receive(:readable?).with(File.join(Chef::Config[:environment_path], 'foo.rb')).and_return(true)
+        role_dsl="name \"foo\"\ndescription \"desc\"\n"
+        IO.should_receive(:read).with(File.join(Chef::Config[:environment_path], 'foo.rb')).and_return(role_dsl)
+        environment = Chef::Environment.load('foo')
+
+        environment.should be_a_kind_of(Chef::Environment)
+        environment.name.should == 'foo'
+        environment.description.should == 'desc'
+      end
+
+      it 'should raise an error if the configured environment_path is invalid' do
+        File.should_receive(:directory?).with(Chef::Config[:environment_path]).and_return(false)
+
+        lambda {
+          Chef::Environment.load('foo')
+        }.should raise_error Chef::Exceptions::InvalidEnvironmentPath, "Environment path '/var/chef/environments' is invalid"
+      end
+
+      it 'should raise an error if the file does not exist' do
+        File.should_receive(:directory?).with(Chef::Config[:environment_path]).and_return(true)
+        File.should_receive(:exists?).with(File.join(Chef::Config[:environment_path], 'foo.json')).and_return(false)
+        File.should_receive(:exists?).with(File.join(Chef::Config[:environment_path], 'foo.rb')).and_return(false)
+
+        lambda {
+          Chef::Environment.load('foo')
+        }.should raise_error Chef::Exceptions::EnvironmentNotFound, "Environment 'foo' could not be loaded from disk"
+      end
+    end
+  end
+
 end