secure_data_bag 1.1.4 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7b6fcbd13a41e6f976656fdbe7bb6e43f02031ae
-  data.tar.gz: a433da64df0447378ea05e5cecda6aa8b24cf1d9
+  metadata.gz: fe94b528cef47838c539b57ce62634072750b5af
+  data.tar.gz: d6c2ca03370f5c26c6888ac411741972b0e631a7
 SHA512:
-  metadata.gz: 6203e56251f529905b373645c7af57f1fe4834a0ff4bf8cb8836613783995224e64a1f259bdbbce2e51e17c06112677800e831cf0d121acb04ffa3343e96c771
-  data.tar.gz: 15134db5f30add0a8bdd30bef9e63ff8b343dec7b60f1a9eb85e45507c23a8b4d202e0ff81aa851629aaf75849cd5ebcee5ba55537d27b875583c64381cc8467
+  metadata.gz: 41ea852190213e90f432c4ade570d6b8280dc1778c2d16ec29316032b81cb47bd78c64ed9679f488ab0e292d28090bfed1c2f00b025f8a14ac725365521c7c9f
+  data.tar.gz: 026d10232c68d57bf8af33a9f6f75af0fda05576c3d28cb7ed6bde634ef751064d7ba674ecc9941044ff83e6673b566eefff8cc354828102104bb19c942c914d

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/README.md

@@ -22,6 +22,8 @@ Or install it yourself as:
 
 For the most part, this behaves exactly like a standard DataBagItem would. Encryption and Decryption of attributes ought to be completely transparent.
 
+SecureDataBagItem is also able to read either standard DataBagItem objects or EncryptedDataBagItem since the encryption mechanism is on a per-key basis and is entirely compatible with EncryptedDataBagItem's format. One caveat, however, is that SecureDataBagItem can not be read by EncryptedDataBagItem.
+
 SecureDataBagItem is also built on Mash rather than Hash so you'll find it more compatible with symbol keys. 
 
 ```
@@ -30,17 +32,17 @@ SecureDataBagItem is also built on Mash rather than Hash so you'll find it more
 
 > data = { id:"databag", "encoded":"my string", "unencoded":"other string" }
 
-> item = SecureDataBagItem.from_hash(data, secret_key)
-> item.raw_data # Unencoded hash with data[:encryption] added
+> item = SecureDataBagItem.from_hash(data, key: secret_key)
+> item.raw_data # Unencoded hash
 { 
   id:         "databag", 
-  encoded:    "my string",
-  unencoded:  "other string", 
-  encryption:{
-    cipher:"aes-256-cbc",
-    iv:nil,
-    encoded_fields:[] 
+  encoded:    {
+    encrypted_data: "encoded",
+    cipher: aes-256-cbc,
+    iv: 13453453dkgfefg==
+    version: 1
   }
+  unencoded:  "other string",
 }
 
 > item.to_hash
@@ -49,54 +51,35 @@ SecureDataBagItem is also built on Mash rather than Hash so you'll find it more
   chef_type:  "data_bag_item",
   data_bag:   "",
   encoded:    "my string",
-  unencoded:  "other string", 
-  encryption:{
-    cipher:"aes-256-cbc",
-    iv:nil,
-    encoded_fields:[] 
-  }
+  unencoded:  "other string"
 }
-
-> item.encode_fields ["encoded"]
-> item.to_hash # Encoded hash compatible with DataBagItem
-{ 
-  id:         "databag", 
-  chef_type:  "data_bag_item",
-  data_bag:   "",
-  encoded:    "[encoded]",
-  unencoded:  "other string", 
-  encryption:{
-    cipher:"aes-256-cbc",
-    iv:nil,
-    encoded_fields:["encoded"]
-  }
-}
-
-> item.raw_data
-{ 
-  id:         "databag", 
-  chef_type:  "data_bag_item",
-  data_bag:   "",
-  encoded:    "my string",
-  unencoded:  "other string", 
-  encryption:{
-    cipher:"aes-256-cbc",
-    iv:nil,
-    encoded_fields:[] 
-  }
-}
-
 ```
 
 A few knife commands are also provided which allow you to create / edit / show / from file any DataBagItem or EncryptedDataBagItem and convert them to SecureDataBag::Item format.
 
 ```
-knife secure bag create data_bag item
+knife secure bag --help
+** SECURE BAG COMMANDS **
+knife secure bag create BAG [ITEM] (options)
+knife secure bag edit BAG [ITEM] (options)
+knife secure bag from file BAG FILE|FLDR [FILE|FLDR] (options)
+knife secure bag show BAG [ITEM] (options)
+```
+
+Additionally it accepts the following command-line options :
 
-knife secure bag edit data_bag item
+```
+--secret-file /path/to/secret.pem
+--secret passcode
+--encoded-fields field_one,field_two,field_three
+```
 
-knife secure bag show data_bag item
+Which may also be configured in knife.rb:
 
-knife secure bag from file data_bag /path/to/item.json
+```
+knife[:secure_data_bag] = {
+  fields: ["password","ssh_keys"],
+  secret_file: "/path/to/secret.pem"
+}
 ```
 

data/lib/chef/config.rb

@@ -0,0 +1,14 @@
+
+require 'chef/config'
+
+class Chef
+  class Config
+    config_context :knife do
+      config_context :secure_data_bag do
+        default :secret_file, nil
+        default :fields, nil
+      end
+    end
+  end
+end
+

data/lib/chef/knife/secure_bag_base.rb

@@ -19,51 +19,65 @@ class Chef
           option :secret_file,
             long: "--secret-file SECRET_FILE",
             description: "A file containing a secret key to use to encrypt data bag item values",
-            proc: Proc.new { |sf| Chef::Config[:knife][:secret_file] = sf }
+            proc: Proc.new { |sf| 
+              Chef::Config[:encrypted_data_bag_secret] = sf 
+            }
 
-          option :encode_fields,
-            long: "--encode-fields FIELD1,FIELD2,FIELD3",
+          option :secure_data_bag_fields,
+            long: "--encoded-fields FIELD1,FIELD2,FIELD3",
             description: "List of attribute keys for which to encode values",
-            default: ""
+            proc: Proc.new { |o|
+              Chef::Config[:knife][:secure_data_bag][:fields] = o.split(",")
+            }
         end
       end
-     
-      def encode_fields_to_array
-        unless config[:encode_fields].is_a?(Array)
-          config[:encode_fields] = config[:encode_fields].split(",")
-        end
+
+      def encoded_fields(arg=nil)
+        config[:secure_data_bag_fields] = arg unless arg.nil?
+        config[:secure_data_bag_fields] || 
+          Chef::Config[:knife][:secure_data_bag][:fields]
       end
 
-      def use_encryption
-        if use_secure_databag then false
-        else
-          if @raw_data["encrypted_data"] or
-              @raw_data.reject { |k,v| k == "id" }.
-              all? { |k,v| v.is_a?(Hash) and v.key? "encrypted_data" }
-          then super
-          else false
-          end
-        end
+      def secret_file
+        config[:secret] ||
+          Chef::Config[:knife][:secure_data_bag][:secret_file] ||
+          Chef::Config[:encrypted_data_bag_secret]
       end
 
-      def use_secure_databag
-        @raw_data["encryption"]
+      def use_encryption
+        true
       end
 
-      def encoded_fields_for(item)
-        [].concat(config[:encode_fields].split(",")).
-          concat(item.encode_fields).
-          uniq
+      def read_secret
+        if config[:secret] then config[:secret]
+        else SecureDataBag::Item.load_secret(secret_file)
+        end
       end
 
       def require_secret
-        if not config[:secret] and not config[:secret_file]
+        if not config[:secret] and not secret_file
           show_usage
           ui.fatal("A secret or secret_file must be specified")
           exit 1
         end
       end
 
+      def data_for_create(hash={})
+        hash[:id] = @data_bag_item_name
+        hash = data_for_edit(hash)
+        hash
+      end
+
+      def data_for_edit(hash)
+        hash[:_encoded_fields] = encoded_fields
+        hash
+      end
+
+      def data_for_save(hash)
+        @encoded_fields = hash.delete(:_encoded_fields)
+        hash
+      end
+
     end
   end
 end

data/lib/chef/knife/secure_bag_create.rb

@@ -21,20 +21,13 @@ class Chef
       end
 
       def create_databag_item
-        create_object({ id: @data_bag_item_name }, 
+        create_object(initial_data, 
                       "data_bag_item[#{@data_bag_item_name}]") do |output|
 
-          @raw_data = output
+          @raw_data = data_for_save(output)
 
-          item =  if use_encryption
-                    item = Chef::EncryptedDataBagItem.
-                      encrypt_data_bag_item(output,read_secret)
-                  else
-                    output
-                  end
-
-          item = SecureDataBag::Item.from_hash(item, read_secret)
-          item.encode_fields encoded_fields_for(item)
+          item = SecureDataBag::Item.from_hash(@raw_data, read_secret)
+          item.encoded_fields(encoded_fields)
           item.data_bag(@data_bag_name)
 
           rest.post_rest("data/#{@data_bag_name}", item.to_hash)

data/lib/chef/knife/secure_bag_edit.rb

@@ -14,32 +14,18 @@ class Chef
         item = Chef::DataBagItem.load(bag, item_name)
         @raw_data = item.to_hash
 
-        if use_encryption
-          item = Chef::EncryptedDataBagItem.load(item, read_secret)
-        end
-
-        item = SecureDataBag::Item.from_item(item, read_secret)
-        hash = item.to_hash(false)
-        # 
-        # Ensure that we display encoded_fields
-        # - generally this would be blank given that all fields are decrypted
-        #
-        hash[:encryption][:encoded_fields] = encoded_fields_for(item)
+        item = SecureDataBag::Item.from_item(item, key:read_secret)
+        hash = item.to_hash(encoded: false)
+        hash = data_for_edit(hash)
         hash
       end
 
       def edit_item(item)
         output = super
+        output = data_for_save(output)
 
-        #
-        # Store the desired fields to encode and set to hash to unencrypted
-        # until we have created the object
-        #
-        encode_fields = output["encryption"]["encoded_fields"]
-        output["encryption"]["encoded_fields"] = []
-
-        item = SecureDataBag::Item.from_hash(output, read_secret)
-        item.encode_fields encode_fields
+        item = SecureDataBag::Item.from_hash(output, key:read_secret)
+        item.encoded_fields encoded_fields
         item.to_hash
       end
     end

data/lib/chef/knife/secure_bag_from_file.rb

@@ -12,7 +12,6 @@ class Chef
         require 'chef/data_bag_item'
         require 'chef/knife/core/object_loader'
         require 'chef/json_compat'
-        require 'chef/encrypted_data_bag_item'
         require 'secure_data_bag'
       end
 
@@ -27,13 +26,7 @@ class Chef
       def load_data_bag_hash(hash)
         @raw_data = hash
 
-        if use_encryption
-          item = Chef::EncryptedDataBagItem.
-                  encrypt_data_bag_item(output, read_secret)
-        end
-
-        item = SecureDataBag::Item.from_hash(hash, read_secret)
-        item.encode_fields encoded_fields_for(item)
+        item = SecureDataBag::Item.from_hash(hash, secret:read_secret)
         item.to_hash
       end
 
@@ -43,9 +36,10 @@ class Chef
         item_paths.each do |item_path|
           item = loader.load_from("#{data_bags_path}", data_bag, item_path)
           item = load_data_bag_hash(item)
-          dbag = Chef::DataBagItem.new
-          dbag.data_bag(data_bag)
+          dbag = SecureDataBag::Item.new(secret:read_secret)
+          dbag.encoded_fields encoded_fields
           dbag.raw_data = item
+          dbag.data_bag(data_bag)
           dbag.save
           ui.info("Updated data_bag_item[#{dbag.data_bag}::#{dbag.id}]")
         end

data/lib/chef/knife/secure_bag_show.rb

@@ -11,16 +11,15 @@ class Chef
       category "secure bag"
 
       def load_item(bag, item_name)
-        item = Chef::DataBagItem.load(bag, item_name)
-        @raw_data = item.raw_data
-
-        if use_encryption
-          item = Chef::EncryptedDataBagItem.new(@raw_data, read_secret)
-        end
-
-        item = SecureDataBag::Item.from_item(item, read_secret)
-        data = item.to_hash(false)
-        data[:encryption][:encoded_fields] = item.encode_fields
+        item = SecureDataBag::Item.load(
+          bag, item_name, 
+          key: read_secret,
+          fields: encoded_fields
+        )
+        item.encoded_fields(encoded_fields)
+
+        data = item.to_hash(encoded:false)
+        data = data_for_edit(data)
         data
       end
 

data/lib/secure_data_bag.rb

@@ -1,6 +1,5 @@
 
+require_relative "chef/config"
 require "secure_data_bag/version"
 require "secure_data_bag/secure_data_bag_item"
-require "secure_data_bag/decryptor"
-require "secure_data_bag/encryptor"
 

data/lib/secure_data_bag/secure_data_bag_item.rb

@@ -1,6 +1,8 @@
 
 require 'open-uri'
 require 'chef/data_bag_item'
+require 'chef/encrypted_data_bag_item/encryptor'
+require 'chef/encrypted_data_bag_item/decryptor'
 
 module SecureDataBag
   #
@@ -12,13 +14,21 @@ module SecureDataBag
   #
 
   class Item < Chef::DataBagItem
-    def initialize(key=nil)
+    def initialize(key:nil, fields:nil, secret:nil, data:nil)
       super()
 
       @secret = Chef::Config[:encrypted_data_bag_secret]
       @key = key
-      @raw_data = {}
-      @encode_fields = ["password"]
+
+      unless data.nil?
+        self.raw_data = data
+      end
+
+      encoded_fields(
+        fields ||
+        Chef::Config[:knife][:secure_data_bag][:fields] ||
+        ["password"]
+      )
     end
 
     #
@@ -39,7 +49,9 @@ module SecureDataBag
     end
 
     def self.load_secret(path=nil)
-      path ||= Chef::Config[:encrypted_data_bag_secret]
+      path ||= 
+        Chef::Config[:knife][:secure_data_bag][:secret_file] ||
+        Chef::Config[:encrypted_data_bag_secret]
 
       unless path
        raise ArgumentError, "No secret specified and no secret found."
@@ -68,20 +80,9 @@ module SecureDataBag
       key
     end
 
-    #
-    # Wrapper for raw_data encryption settings
-    # - always ensure that encryption hash is present
-    # - always ensure encryption settings have defaults
-    #
-
-    def encryption(arg=nil)
-      @raw_data[:encryption] ||= {}
-      @raw_data[:encryption] = arg unless arg.nil?
-      encryption = @raw_data[:encryption]
-      encryption[:iv] = nil if encryption[:iv].nil?
-      encryption[:cipher] = "aes-256-cbc" if encryption[:cipher].nil?
-      encryption[:encoded_fields] = [] if encryption[:encoded_fields].nil?
-      encryption
+    def self.load(data_bag, name, opts={})
+      data = super(data_bag, name)
+      new(data:data.to_hash, **opts)
     end
 
     #
@@ -94,89 +95,98 @@ module SecureDataBag
 
     def raw_data=(data)
       data = Mash.new(data)
-      super data
-      encryption
+      super(data)
       decode_data!
     end
 
     #
-    # Determine whether the data is encoded or not
-    # - yeah, it's pretty naive
+    # Fields we wish to encode
     #
 
-    def encoded?
-      not encryption[:encoded_fields].empty?
+    def encoded_fields(arg=nil)
+      arg = arg.uniq if arg.is_a?(Array)
+      set_or_return(:encoded_fields, arg, kind_of: Array, default:[]).uniq
     end
 
     #
-    # Fields we wish to encode
-    # - this differs from encryption[:encoded_fields] and will get merged
-    #   into the latter upon an encode
+    # Raw Data decoder methods
     #
 
-    def encode_fields(arg=nil)
-      arg = Array(arg).uniq if arg
-      set_or_return(:encode_fields, arg, kind_of: Array).uniq
+    def decode_data!
+      @raw_data = decoded_data
+      @raw_data
     end
 
-    def encoded_fields
-      encryption[:encoded_fields]
+    def decoded_data
+      if encoded_value?(@raw_data) then decode_value(@raw_data)
+      else decode_hash(@raw_data)
+      end
     end
 
-    #
-    # Encoder / Decoder
-    #
+    def decode_hash(hash)
+      hash.each do |k,v|
+        v = if encoded_value?(v) then decode_value(v)
+            elsif v.is_a?(Hash) then decode_hash(v)
+            else v
+            end
+        hash[k] = v
+      end
+      hash
+    end
 
-    def decode_data!
-      #
-      # Ensure that we save previously encoded fields into our list of fields
-      # we wish to encode next time
-      #
-      encode_fields.concat(encryption[:encoded_fields]).uniq!
-      @raw_data = decoded_data if encoded?
-      @raw_data
+    def decode_value(value)
+      Chef::EncryptedDataBagItem::Decryptor.for(value, key).for_decrypted_item
     end
 
-    def decoded_data
-      data = Decryptor.new(raw_data, encryption, key).for_decrypted_item
-      data[:encryption][:encoded_fields] = []
-      data
+    def encoded_value?(value)
+      value.is_a?(Hash) and value.key?(:encrypted_data)
     end
 
+    #
+    # Raw Data encoded methods
+    #
+
     def encode_data!
       @raw_data = encoded_data
+      @raw_data
     end
 
     def encoded_data
-      #
-      # When encoding data we'll merge those fields already encoded during
-      # the previous state, found in encryption[:encoded_fields] with those
-      # which we wish to encode
-      #
-      encryption = self.encryption.dup
-      encryption[:encoded_fields] = @encode_fields.
-        concat(encryption[:encoded_fields]).uniq
-      Encryptor.new(raw_data, encryption, key).for_encrypted_item
+      encode_hash(@raw_data.dup)
+    end
+
+    def encode_hash(hash)
+      hash.each do |k,v|
+        v = if encoded_fields.include?(k) then encode_value(v)
+            elsif v.is_a?(Hash) then encode_hash(v)
+            else v
+            end
+        hash[k] = v
+      end
+      hash
+    end
+
+    def encode_value(value)
+      Chef::EncryptedDataBagItem::Encryptor.new(value, key).for_encrypted_item
     end
 
     #
     # Transitions
     #
 
-    def self.from_hash(h, key=nil)
-      item = new(key)
-      item.raw_data = h
+    def self.from_hash(h, opts={})
+      item = new(data:h, **opts)
       item
     end
 
-    def self.from_item(h, key=nil)
-      item = self.from_hash(h.to_hash, key)
+    def self.from_item(h, opts={})
+      item = self.from_hash(h.to_hash, **opts)
       item.data_bag h.data_bag
       item
     end
 
-    def to_hash(encoded = true)
-      result = encoded ? encoded_data : decoded_data
+    def to_hash(encoded: true)
+      result = encoded ? encoded_data : @raw_data
       result["chef_type"] = "data_bag_item"
       result["data_bag"] = self.data_bag
       result
@@ -187,7 +197,7 @@ module SecureDataBag
         name: self.object_name,
         json_class: "Chef::DataBagItem",
         chef_type: "data_bag_item",
-        data_bag: self.data_bag,
+        data_bag: data_bag,
         raw_data: encoded_data
       }
       result.to_json(*a)

data/lib/secure_data_bag/version.rb

@@ -1,5 +1,5 @@
 
 module SecureDataBag
-  VERSION = "1.1.4"
+  VERSION = "2.0.0"
 end
 

data/secure_data_bag.gemspec

@@ -18,9 +18,10 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency  'chef'
-  spec.add_dependency  'yajl-ruby'
+  spec.add_dependency  "chef"
 
   spec.add_development_dependency "bundler", "~> 1.6"
   spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+  spec.add_development_dependency "chef"
 end

data/spec/item_spec.rb

@@ -0,0 +1,59 @@
+
+require 'spec_helper'
+require 'chef/data_bag_item'
+require 'chef/encrypted_data_bag_item'
+
+describe SecureDataBag::Item do
+  let(:key) { "password" }
+  let(:secret) { "data/secret.pem" }
+  let(:fields) { ["encoded"] }
+
+  let(:simple_data) { { "id"=>"test", decoded:"decoded", encoded:"encoded" } }
+  let(:nested_data) { simple_data.merge({ nested:simple_data }) }
+
+  let(:item) { SecureDataBag::Item.new(key:key, fields:fields) }
+
+  let(:dbag_item) do
+    dbag_item = Chef::DataBagItem.new
+    dbag_item.raw_data = simple_data
+    dbag_item
+  end
+
+  let(:simple_item) do
+    simple_item = item
+    simple_item.raw_data = simple_data
+    simple_item
+  end
+
+  let(:nested_item) do
+    nested_item = item
+    nested_item.raw_data = nested_data
+    nested_item
+  end
+
+  it "encodes simple data" do
+    dbag = simple_item
+    data = dbag.encoded_data
+    expect(data[:decoded]).to eq("decoded")
+    expect(data[:encoded]).not_to eq("encoded")
+    expect(data[:encoded][:encrypted_data]).not_to eq(nil)
+  end
+
+  it "encodes nested data" do
+    dbag = nested_item
+    data = dbag.encoded_data
+    expect(data[:nested][:decoded]).to eq("decoded")
+    expect(data[:nested][:encoded]).not_to eq("encoded")
+    expect(data[:nested][:encoded][:encrypted_data]).not_to eq(nil)
+  end
+
+  it "decodes encrypted_data_bag_item" do
+    edbag = Chef::EncryptedDataBagItem.encrypt_data_bag_item(dbag_item, key)
+    dbag = item
+    dbag.raw_data = edbag
+    data = dbag.raw_data
+    expect(data[:decoded]).to eq("decoded")
+    expect(data[:encoded]).to eq("encoded")
+  end
+end
+

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+
+require 'bundler/setup'
+Bundler.setup
+
+require 'secure_data_bag'
+require 'chef/config'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+end
+

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_data_bag
 version: !ruby/object:Gem::Version
-  version: 1.1.4
+  version: 2.0.0
 platform: ruby
 authors:
 - Jonathan Serafini
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-18 00:00:00.000000000 Z
+date: 2014-09-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef
@@ -25,13 +25,27 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: yajl-ruby
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-  type: :runtime
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
@@ -39,21 +53,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: chef
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
@@ -75,10 +89,12 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .rspec
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
+- lib/chef/config.rb
 - lib/chef/dsl/data_query.rb
 - lib/chef/knife/secure_bag_base.rb
 - lib/chef/knife/secure_bag_create.rb
@@ -86,11 +102,11 @@ files:
 - lib/chef/knife/secure_bag_from_file.rb
 - lib/chef/knife/secure_bag_show.rb
 - lib/secure_data_bag.rb
-- lib/secure_data_bag/decryptor.rb
-- lib/secure_data_bag/encryptor.rb
 - lib/secure_data_bag/secure_data_bag_item.rb
 - lib/secure_data_bag/version.rb
 - secure_data_bag.gemspec
+- spec/item_spec.rb
+- spec/spec_helper.rb
 homepage: https://github.com/JonathanSerafini/chef-secure_data_bag
 licenses:
 - MIT
@@ -115,4 +131,6 @@ rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: Per-field data bag item encryption
-test_files: []
+test_files:
+- spec/item_spec.rb
+- spec/spec_helper.rb

data/lib/secure_data_bag/decryptor.rb

@@ -1,88 +0,0 @@
-
-require 'yaml'
-require 'yajl'
-require 'openssl'
-require 'base64'
-require 'digest/sha2'
-
-module SecureDataBag
-  class Item
-    class Decryptor
-      class DecryptionFailure < StandardError
-      end
-
-      def initialize(encrypted_hash, encryption, key)
-        @encryption = encryption
-        @encrypted_hash = encrypted_hash
-        @key = key
-        @iv = nil
-      end
-
-      def for_decrypted_item
-        decrypted_hash
-      end
-
-      attr_reader :encrypted_hash
-      attr_reader :encryption
-      attr_reader :key
-
-      def iv
-        @iv ||= begin
-          iv_string = encryption[:iv]
-          Base64.decode64(iv_string)
-        end
-      end
-
-      def decrypted_hash
-        @decrypted_hash ||= begin
-          decrypt_hash(encrypted_hash.dup)
-        end
-      end
-
-      def decrypt_hash(hash)
-        hash.each do |k,v|
-          if encryption[:encoded_fields].include?(k)
-            begin
-              v = decrypt_value(v)
-            rescue Yajl::ParseError
-              raise DecryptionFailure, 
-                "Error decrypting data bag value for #{k}."
-            rescue OpenSSL::Cipher::CipherError => e
-              raise DecryptionFailure, 
-                "Error decrypting data bag value for #{k}: #{e.message}"
-            end
-          elsif v.is_a? Hash
-            v = decrypt_hash(v)
-          end
-          hash[k] = v
-        end
-        hash
-      end
-
-      def decrypt_value(value)
-        if value.is_a? String and not value.empty?
-          value = Base64.decode64(value)
-          value = openssl_decryptor.update(value)
-          value << openssl_decryptor.final
-
-          if value.include? "json_wrapper"
-            value = Yajl::Parser.parse(value)["json_wrapper"]
-          end
-          @openssl_decryptor = nil
-        end
-        value
-      end
-
-      def openssl_decryptor
-        @openssl_decryptor ||= begin
-          d = OpenSSL::Cipher::Cipher.new(encryption[:cipher])
-          d.decrypt
-          d.key = Digest::SHA256.digest(key)
-          d.iv = iv
-          d
-        end
-      end
-    end
-  end
-end
-

data/lib/secure_data_bag/encryptor.rb

@@ -1,88 +0,0 @@
-
-require 'yaml'
-require 'yajl'
-require 'openssl'
-require 'base64'
-require 'digest/sha2'
-
-module SecureDataBag
-  class Item
-    class Encryptor
-      def initialize(unencrypted_hash, encryption, key)
-        @encryption = encryption
-        @unencrypted_hash = unencrypted_hash
-        @encoded_fields = []
-        @key = key
-      end
-
-      def for_encrypted_item
-        data = encrypted_hash
-        encryption_hash = encryption.dup
-        encryption_hash[:iv] = Base64.encode64(encryption_hash[:iv] || "")
-        encryption_hash[:encoded_fields] = encoded_fields.uniq
-        data.merge({encryption:encryption_hash})
-      end
-
-      attr_reader :unencrypted_hash
-      attr_reader :encoded_fields
-      attr_reader :encryption
-      attr_reader :key
-
-      def encrypted_hash
-        @encrypted_data ||= begin
-          encrypt_hash(unencrypted_hash.dup) 
-        end
-      end
-
-      def encrypt_hash(hash)
-        hash.each do |k,v|
-          if encryption[:encoded_fields].include?(k)
-            v = encrypt_value(v)
-            encoded_fields << k
-          elsif v.is_a? Hash
-            v = encrypt_hash(v)
-          end
-          hash[k] = v
-        end
-        hash
-      end
-
-      def encrypt_value(value)
-        value = normalize_value(value)
-
-        if not value.nil? and not value.empty?
-          value = openssl_encryptor.update(value)
-          value << openssl_encryptor.final
-          @openssl_encryptor = nil
-          value = Base64.encode64(value)
-        end
-
-        value
-      end
-
-      def normalize_value(value)
-        if [Hash,Array].any? {|c| value.is_a? c}
-          serialize_value(value)
-        else 
-          value.to_s
-        end
-      end
-
-      def serialize_value(value)
-        Yajl::Encoder.encode(:json_wrapper => value)
-      end
-
-      def openssl_encryptor
-        @openssl_encryptor ||= begin
-          encryptor = OpenSSL::Cipher::Cipher.new(encryption[:cipher])
-          encryptor.encrypt
-          encryption[:iv] ||= encryptor.random_iv
-          encryptor.iv = encryption[:iv]
-          encryptor.key = Digest::SHA256.digest(key)
-          encryptor
-        end
-      end
-    end
-  end
-end
-