chef 12.0.0.alpha.0 → 12.0.0.alpha.1

data/lib/chef/data_bag.rb

@@ -54,16 +54,16 @@ class Chef
 
     def to_hash
       result = {
-        "name" => @name,
+        'name'       => @name,
         'json_class' => self.class.name,
-        "chef_type" => "data_bag",
+        'chef_type'  => 'data_bag',
       }
       result
     end
 
     # Serialize this object as a hash
     def to_json(*a)
-      to_hash.to_json(*a)
+      Chef::JSONCompat.to_json(to_hash, *a)
     end
 
     def chef_server_rest
@@ -83,11 +83,15 @@ class Chef
 
     def self.list(inflate=false)
       if Chef::Config[:solo]
-        unless File.directory?(Chef::Config[:data_bag_path])
-          raise Chef::Exceptions::InvalidDataBagPath, "Data bag path '#{Chef::Config[:data_bag_path]}' is invalid"
-        end
+        paths = Array(Chef::Config[:data_bag_path])
+        names = []
+        paths.each do |path|
+          unless File.directory?(path)
+            raise Chef::Exceptions::InvalidDataBagPath, "Data bag path '#{path}' is invalid"
+          end
 
-        names = Dir.glob(File.join(Chef::Config[:data_bag_path], "*")).map{|f|File.basename(f)}.sort
+          names += Dir.glob(File.join(path, "*")).map{|f|File.basename(f)}.sort
+        end
         names.inject({}) {|h, n| h[n] = n; h}
       else
         if inflate
@@ -105,15 +109,25 @@ class Chef
     # Load a Data Bag by name via either the RESTful API or local data_bag_path if run in solo mode
     def self.load(name)
       if Chef::Config[:solo]
-        unless File.directory?(Chef::Config[:data_bag_path])
-          raise Chef::Exceptions::InvalidDataBagPath, "Data bag path '#{Chef::Config[:data_bag_path]}' is invalid"
-        end
+        paths = Array(Chef::Config[:data_bag_path])
+        data_bag = {}
+        paths.each do |path|
+          unless File.directory?(path)
+            raise Chef::Exceptions::InvalidDataBagPath, "Data bag path '#{path}' is invalid"
+          end
+
+          Dir.glob(File.join(path, name.to_s, "*.json")).inject({}) do |bag, f|
+            item = Chef::JSONCompat.from_json(IO.read(f))
 
-        Dir.glob(File.join(Chef::Config[:data_bag_path], "#{name}", "*.json")).inject({}) do |bag, f|
-          item = Chef::JSONCompat.from_json(IO.read(f))
-          bag[item['id']] = item
-          bag
+            # Check if we have multiple items with similar names (ids) and raise if their content differs
+            if data_bag.has_key?(item["id"]) && data_bag[item["id"]] != item
+              raise Chef::Exceptions::DuplicateDataBagItem, "Data bag '#{name}' has items with the same name '#{item["id"]}' but different content."
+            else
+              data_bag[item["id"]] = item
+            end
+          end
         end
+        return data_bag
       else
         Chef::REST.new(Chef::Config[:chef_server_url]).get_rest("data/#{name}")
       end
@@ -150,4 +164,3 @@ class Chef
 
   end
 end
-

data/lib/chef/data_bag_item.rb

@@ -112,13 +112,13 @@ class Chef
     # Serialize this object as a hash
     def to_json(*a)
       result = {
-        "name" => self.object_name,
+        "name"       => object_name,
         "json_class" => self.class.name,
-        "chef_type" => "data_bag_item",
-        "data_bag" => self.data_bag,
-        "raw_data" => self.raw_data
+        "chef_type"  => "data_bag_item",
+        "data_bag"   => data_bag,
+        "raw_data"   => raw_data
       }
-      result.to_json(*a)
+      Chef::JSONCompat.to_json(result, *a)
     end
 
     def self.from_hash(h)
@@ -210,5 +210,3 @@ class Chef
 
   end
 end
-
-

data/lib/chef/digester.rb

@@ -18,14 +18,11 @@
 # limitations under the License.
 #
 
-require 'digest'
+require 'openssl'
 
 class Chef
   class Digester
-
-    def self.instance
-      @instance ||= new
-    end
+    include Singleton
 
     def self.checksum_for_file(*args)
       instance.checksum_for_file(*args)
@@ -40,7 +37,7 @@ class Chef
     end
 
     def generate_checksum(file)
-      checksum_file(file, Digest::SHA256.new)
+      checksum_file(file, OpenSSL::Digest::SHA256.new)
     end
 
     def self.generate_md5_checksum_for_file(*args)
@@ -48,11 +45,11 @@ class Chef
     end
 
     def generate_md5_checksum_for_file(file)
-      checksum_file(file, Digest::MD5.new)
+      checksum_file(file, OpenSSL::Digest::MD5.new)
     end
 
     def generate_md5_checksum(io)
-      checksum_io(io, Digest::MD5.new)
+      checksum_io(io, OpenSSL::Digest::MD5.new)
     end
 
     private
@@ -70,4 +67,3 @@ class Chef
 
   end
 end
-

data/lib/chef/dsl/recipe.rb

@@ -85,6 +85,20 @@ class Chef
 
         resource = build_resource(type, name, created_at, &resource_attrs_block)
 
+        # Some resources (freebsd_package) can be invoked with multiple names
+        # (package || freebsd_package).
+        # https://github.com/opscode/chef/issues/1773
+        # For these resources we want to make sure
+        # their key in resource collection is same as the name they are declared
+        # as. Since this might be a breaking change for resources that define
+        # customer to_s methods, we are working around the issue by letting
+        # resources know of their created_as_type until this issue is fixed in
+        # Chef 12:
+        # https://github.com/opscode/chef/issues/1817
+        if resource.respond_to?(:created_as_type=)
+          resource.created_as_type = type
+        end
+
         run_context.resource_collection.insert(resource)
         resource
       end

data/lib/chef/encrypted_data_bag_item.rb

@@ -48,6 +48,7 @@ require 'open-uri'
 #
 class Chef::EncryptedDataBagItem
   ALGORITHM = 'aes-256-cbc'
+  AEAD_ALGORITHM = 'aes-256-gcm'
 
   #
   # === Synopsis

data/lib/chef/encrypted_data_bag_item/assertions.rb

@@ -0,0 +1,57 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_data_bag_item/unacceptable_encrypted_data_bag_item_format'
+require 'chef/encrypted_data_bag_item/unsupported_cipher'
+
+class Chef::EncryptedDataBagItem
+
+  class EncryptedDataBagRequirementsFailure < StandardError
+  end
+
+  module Assertions
+
+    def assert_format_version_acceptable!(format_version)
+      unless format_version.kind_of?(Integer) and format_version >= Chef::Config[:data_bag_decrypt_minimum_version]
+        raise UnacceptableEncryptedDataBagItemFormat,
+          "The encrypted data bag item has format version `#{format_version}', " +
+          "but the config setting 'data_bag_decrypt_minimum_version' requires version `#{Chef::Config[:data_bag_decrypt_minimum_version]}'"
+      end
+    end
+
+    def assert_valid_cipher!(requested_cipher, algorithm)
+      # In the future, chef may support configurable ciphers. For now, only
+      # aes-256-cbc and aes-256-gcm are supported.
+      unless requested_cipher == algorithm
+        raise UnsupportedCipher,
+          "Cipher '#{requested_cipher}' is not supported by this version of Chef. Available ciphers: ['#{ALGORITHM}', '#{AEAD_ALGORITHM}']"
+      end
+    end
+
+    def assert_aead_requirements_met!(algorithm)
+      unless OpenSSL::Cipher.method_defined?(:auth_data=)
+        raise EncryptedDataBagRequirementsFailure, "The used Encrypted Data Bags version requires Ruby >= 1.9"
+      end
+      unless OpenSSL::Cipher.ciphers.include?(algorithm)
+        raise EncryptedDataBagRequirementsFailure, "The used Encrypted Data Bags version requires an OpenSSL version with \"#{algorithm}\" algorithm support"
+      end
+    end
+
+  end
+
+end

data/lib/chef/encrypted_data_bag_item/decryptor.rb

@@ -17,15 +17,14 @@
 #
 
 require 'yaml'
-require 'ffi_yajl'
+require 'chef/json_compat'
 require 'openssl'
 require 'base64'
 require 'digest/sha2'
 require 'chef/encrypted_data_bag_item'
 require 'chef/encrypted_data_bag_item/unsupported_encrypted_data_bag_item_format'
-require 'chef/encrypted_data_bag_item/unacceptable_encrypted_data_bag_item_format'
 require 'chef/encrypted_data_bag_item/decryption_failure'
-require 'chef/encrypted_data_bag_item/unsupported_cipher'
+require 'chef/encrypted_data_bag_item/assertions'
 
 class Chef::EncryptedDataBagItem
 
@@ -37,6 +36,7 @@ class Chef::EncryptedDataBagItem
   # to create an instance of the appropriate strategy for the given encrypted
   # data bag value.
   module Decryptor
+    extend Chef::EncryptedDataBagItem::Assertions
 
     # Detects the encrypted data bag item format version and instantiates a
     # decryptor object for that version. Call #for_decrypted_item on the
@@ -45,6 +45,8 @@ class Chef::EncryptedDataBagItem
       format_version = format_version_of(encrypted_value)
       assert_format_version_acceptable!(format_version)
       case format_version
+      when 3
+        Version3Decryptor.new(encrypted_value, key)
       when 2
         Version2Decryptor.new(encrypted_value, key)
       when 1
@@ -65,15 +67,8 @@ class Chef::EncryptedDataBagItem
       end
     end
 
-    def self.assert_format_version_acceptable!(format_version)
-      unless format_version.kind_of?(Integer) and format_version >= Chef::Config[:data_bag_decrypt_minimum_version]
-        raise UnacceptableEncryptedDataBagItemFormat,
-          "The encrypted data bag item has format version `#{format_version}', " +
-          "but the config setting 'data_bag_decrypt_minimum_version' requires version `#{Chef::Config[:data_bag_decrypt_minimum_version]}'"
-      end
-    end
-
     class Version0Decryptor
+      include Chef::EncryptedDataBagItem::Assertions
 
       attr_reader :encrypted_data
       attr_reader :key
@@ -83,6 +78,11 @@ class Chef::EncryptedDataBagItem
         @key = key
       end
 
+      # Returns the used decryption algorithm
+      def algorithm
+        ALGORITHM
+      end
+
       def for_decrypted_item
         YAML.load(decrypted_data)
       end
@@ -102,7 +102,7 @@ class Chef::EncryptedDataBagItem
 
       def openssl_decryptor
         @openssl_decryptor ||= begin
-          d = OpenSSL::Cipher::Cipher.new(ALGORITHM)
+          d = OpenSSL::Cipher.new(algorithm)
           d.decrypt
           d.pkcs5_keyivgen(key)
           d
@@ -110,7 +110,7 @@ class Chef::EncryptedDataBagItem
       end
     end
 
-    class Version1Decryptor
+    class Version1Decryptor < Version0Decryptor
 
       attr_reader :encrypted_data
       attr_reader :key
@@ -121,8 +121,8 @@ class Chef::EncryptedDataBagItem
       end
 
       def for_decrypted_item
-        FFI_Yajl::Parser.parse(decrypted_data)["json_wrapper"]
-      rescue FFI_Yajl::ParseError
+        Chef::JSONCompat.parse(decrypted_data)["json_wrapper"]
+      rescue Chef::Exceptions::JSON::ParseError
         # convert to a DecryptionFailure error because the most likely scenario
         # here is that the decryption step was unsuccessful but returned bad
         # data rather than raising an error.
@@ -148,24 +148,16 @@ class Chef::EncryptedDataBagItem
 
       def openssl_decryptor
         @openssl_decryptor ||= begin
-          assert_valid_cipher!
-          d = OpenSSL::Cipher::Cipher.new(ALGORITHM)
+          assert_valid_cipher!(@encrypted_data["cipher"], algorithm)
+          d = OpenSSL::Cipher.new(algorithm)
           d.decrypt
-          d.key = Digest::SHA256.digest(key)
+          # We must set key before iv: https://bugs.ruby-lang.org/issues/8221
+          d.key = OpenSSL::Digest::SHA256.digest(key)
           d.iv = iv
           d
         end
       end
 
-      def assert_valid_cipher!
-        # In the future, chef may support configurable ciphers. For now, only
-        # aes-256-cbc is supported.
-        requested_cipher = @encrypted_data["cipher"]
-        unless requested_cipher == ALGORITHM
-          raise UnsupportedCipher,
-            "Cipher '#{requested_cipher}' is not supported by this version of Chef. Available ciphers: ['#{ALGORITHM}']"
-        end
-      end
     end
 
     class Version2Decryptor < Version1Decryptor
@@ -176,7 +168,7 @@ class Chef::EncryptedDataBagItem
       end
 
       def validate_hmac!
-        digest = OpenSSL::Digest::Digest.new("sha256")
+        digest = OpenSSL::Digest.new("sha256")
         raw_hmac = OpenSSL::HMAC.digest(digest, key, @encrypted_data["encrypted_data"])
 
         if candidate_hmac_matches?(raw_hmac)
@@ -197,5 +189,37 @@ class Chef::EncryptedDataBagItem
         valid == 0
       end
     end
+
+    class Version3Decryptor < Version1Decryptor
+
+      def initialize(encrypted_data, key)
+        super
+        assert_aead_requirements_met!(algorithm)
+      end
+
+      # Returns the used decryption algorithm
+      def algorithm
+        AEAD_ALGORITHM
+      end
+
+      def auth_tag
+        auth_tag_b64 = @encrypted_data["auth_tag"]
+        if auth_tag_b64.nil?
+          raise DecryptionFailure, "Error decrypting data bag value: invalid authentication tag. Most likely the data is corrupted"
+        end
+        Base64.decode64(auth_tag_b64)
+      end
+
+      def openssl_decryptor
+        @openssl_decryptor ||= begin
+          d = super
+          d.auth_tag = auth_tag
+          d.auth_data = ''
+          d
+        end
+      end
+
+    end
+
   end
 end

data/lib/chef/encrypted_data_bag_item/encrypted_data_bag_item_assertions.rb

@@ -0,0 +1,37 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef::EncryptedDataBagItem
+
+  class EncryptedDataBagRequirementsFailure < StandardError
+  end
+
+  module Assertions
+
+    def assert_requirements_met!
+      unless OpenSSL::Cipher.method_defined?(:auth_data=)
+        raise EncryptedDataBagRequirementsFailure, "The used Encrypted Data Bags version requires Ruby >= 1.9"
+      end
+      unless OpenSSL::Cipher.ciphers.include?(algorithm)
+        raise EncryptedDataBagRequirementsFailure, "The used Encrypted Data Bags version requires an OpenSSL version with \"#{algorithm}\" algorithm support"
+      end
+    end
+
+  end
+
+end

data/lib/chef/encrypted_data_bag_item/encryption_failure.rb

@@ -0,0 +1,22 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef::EncryptedDataBagItem
+  class EncryptionFailure < StandardError
+  end
+end