secure_data_bag 2.2.0 → 3.0.0

data/lib/chef/knife/secure_bag_open.rb

@@ -0,0 +1,37 @@
+require 'json'
+require 'chef/knife/data_bag_show'
+require_relative 'secure_data_bag/base_mixin'
+require_relative 'secure_data_bag/export_mixin'
+require_relative 'secure_data_bag/secrets_mixin'
+
+class Chef
+  class Knife
+    class SecureBagOpen < Knife::DataBagShow
+      include SecureDataBag::BaseMixin
+      include SecureDataBag::SecretsMixin
+
+      banner 'knife secure bag open PATH'
+      category 'secure bag'
+
+      def run
+        unless ::File.exist?(@name_args[0])
+          ui.fatal('File not found.')
+          show_usage
+          exit 1
+        end
+
+        display_metadata = config_metadata.dup
+        display_metadata[:encryption_format] ||= 'plain'
+
+        data = File.read(@name_args[0])
+        data = JSON.parse(data)
+        item = create_item('local', @name_args[0], data, display_metadata)
+
+        display_data = item.to_hash(metadata: true)
+        display_data = format_for_display(display_data)
+
+        output(display_data)
+      end
+    end
+  end
+end

data/lib/chef/knife/secure_bag_show.rb

@@ -1,46 +1,51 @@
-
-require 'chef/knife/secure_bag_base'
 require 'chef/knife/data_bag_show'
+require_relative 'secure_data_bag/base_mixin'
+require_relative 'secure_data_bag/export_mixin'
+require_relative 'secure_data_bag/secrets_mixin'
+require_relative 'secure_data_bag/defaults_mixin'
 
 class Chef
   class Knife
     class SecureBagShow < Knife::DataBagShow
-      include Knife::SecureBagBase
-
-      banner "knife secure bag show BAG [ITEM] (options)"
-      category "secure bag"
-      
-      option :encoded,
-        long: "--encoded",
-        boolean: true,
-        description: "Whether we wish to display encoded values",
-        default: false
-
-      def load_item(bag, item_name)
-        item = SecureDataBag::Item.load(bag, item_name, 
-          key: read_secret,
-          fields: encoded_fields
-        )
-
-        data = item.to_hash(encoded: config[:encoded])
-        data["_encoded_fields"] = item.encoded_fields
-        data
-      end
+      include SecureDataBag::BaseMixin
+      include SecureDataBag::ExportMixin
+      include SecureDataBag::SecretsMixin
+      include SecureDataBag::DefaultsMixin
+
+      banner 'knife secure bag show BAG [ITEM] (options)'
+      category 'secure bag'
 
       def run
-        display = case @name_args.length
-                  when 2
-                    item = load_item(@name_args[0], @name_args[1])
-                    display = format_for_display(item)
-                  when 1
-                    format_list_for_display(Chef::DataBag.load(@name_args[0]))
-                  else
-                    stdout.puts opt_parser
-                    exit(1)
-                  end
-        output(display)
+        case @name_args.length
+        when 2
+          run_show
+        when 1
+          run_list
+        else
+          stdout.puts opt_parser
+          exit(1)
+        end
+      end
+
+      def run_show
+        config_defaults_for_data_bag!(@name_args[0])
+
+        display_metadata = config_metadata.dup
+        display_metadata[:encryption_format] ||= 'plain'
+
+        item = load_item(@name_args[0], @name_args[1], display_metadata)
+        data = item.to_hash(metadata: true)
+        data = format_for_display(data)
+
+        export!(@name_args[0], @name_args[1], item) if should_export?
+        output(data)
+      end
+
+      def run_list
+        data = Chef::DataBag.load(@name_args[0])
+        data = format_list_for_display(data)
+        output(data)
       end
     end
   end
 end
-

data/lib/chef/knife/secure_data_bag/base_mixin.rb

@@ -0,0 +1,80 @@
+require 'chef/knife'
+
+class Chef
+  class Knife
+    module SecureDataBag
+      module BaseMixin
+        # Steps to execute when the mixin is include.
+        # In this case specifically, add additional command line options
+        # related to exporting.
+        # @since 3.0.0
+        def self.included(base)
+          base.deps do
+            require 'secure_data_bag'
+          end
+
+          base.option :encryption_format,
+            description: 'The format with which to encrypt data. If unset, it will be autodetected.',
+            long: '--enc-format [plain|encrypted|nested]'
+
+          base.option :decryption_format,
+            description: 'The format with which to decrypt data. If unset, it will be autodetected.',
+            long: '--dec-format [plain|encrypted|nested]'
+
+          base.option :encrypted_keys,
+            description: 'Comma delimited list of keys which should be encrypted, in addition to what was previously there',
+            long: '--enc-keys FIELD1,FIELD2,FIELD3',
+            proc: proc { |s| s.split(',') }
+        end
+
+        # Metadata to use when interacting with SecureDataBag containing
+        # overrides specified on the command-line.
+        # @since 3.0.0
+        def config_metadata
+          Mash.new(
+            encryption_format: config[:encryption_format],
+            decryption_format: config[:decryption_format],
+            encrypted_keys: encrypted_keys,
+            secret: secret
+          )
+        end
+
+        # Load a data_bag_item from Chef Server
+        # @param data_bag [String] the data_bag to load from
+        # @param item_name [String] the data_bag_item name to load
+        # @param metadata [Hash] the optional metadata to pass to ::Item
+        # @return [SecureDataBag::Item]
+        # @since 3.0.0
+        def load_item(data_bag, item_name, metadata = {})
+          item = ::SecureDataBag::Item.load(data_bag, item_name, metadata)
+          item
+        end
+
+        # Create a new data_bag_item
+        # @param data_bag [String] the data_bag to load from
+        # @param item_name [String] the data_bag_item name to load
+        # @param data [Hash] the optional raw_data to use
+        # @param metadata [Hash] the optional metadata to pass to ::Item
+        # @return [SecureDataBag::Item]
+        # @since 3.0.0
+        def create_item(data_bag, item_name, data = {}, metadata = {})
+          item = ::SecureDataBag::Item.new(metadata)
+          item.raw_data = { 'id' => item_name }.merge(data)
+          item.data_bag data_bag
+          item
+        end
+
+        private
+
+        # Keys to encrypt which are a result of merging the arrays found within
+        # the the configuration file and provided over the command-line.
+        # @since 3.0.0
+        def encrypted_keys
+          Array(config[:encrypted_keys]).concat(
+            Array(Chef::Config[:knife][:secure_data_bag][:encrypted_keys])
+          ).uniq
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/secure_data_bag/defaults_mixin.rb

@@ -0,0 +1,32 @@
+require 'chef/knife'
+
+class Chef
+  class Knife
+    module SecureDataBag
+      module DefaultsMixin
+        # Apply Knife config values defined in knife.rb
+        # @param data_bag [String] the data_bag name
+        # @since 3.0.0
+        def config_defaults_for_data_bag!(data_bag)
+          config_defaults_for_data_bags(data_bag).each do |key, value|
+            if options.key?(key.to_sym)
+              config[key.to_sym] ||= value
+            end
+          end
+        end
+
+        private 
+
+        # Defaults configuration hash for a specific data_bag
+        # @param data_bag [String] the data_bag name
+        # @return [Hash] the configuration hash
+        # @since 3.0.0
+        def config_defaults_for_data_bags(data_bag)
+          defaults = Chef::Config[:knife][:secure_data_bag] || {}
+          defaults = defaults[:defaults] || {}
+          defaults[data_bag.to_sym] || {}
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/secure_data_bag/export_mixin.rb

@@ -0,0 +1,85 @@
+require 'chef/knife'
+
+class Chef
+  class Knife
+    module SecureDataBag
+      module ExportMixin
+        # Steps to execute when the mixin is include.
+        # In this case specifically, add additional command line options
+        # related to exporting.
+        # @since 3.0.0
+        def self.included(base)
+          base.option :export,
+            description: 'Whether to export the data_bag item',
+            long: '--export',
+            boolean: true
+
+          base.option :export_format,
+            description: 'Format to export the data_bag_item as. If unset, this will default to the encryption format.',
+            long: '--export-format'
+
+          base.option :export_root,
+            long: '--export-root PATH',
+            description: 'Path containing data_bag folders and items'
+        end
+
+        # Should knife subcommands save data_bag_items to disk after uploading
+        # them to the Chef server.
+        # @returns [Boolean]
+        # @since 3.0.0
+        def should_export?
+          if config[:export].nil?
+            Chef::Config[:knife][:secure_data_bag][:export_on_upload]
+          else
+            config[:export]
+          end
+        end
+
+        # Export the item to the filesystem.
+        # @param data_bag [String] the data_bag to upload to
+        # @param item_name [String] the data_bag_item id to upload to
+        # @param item [SecureDataBag::Item] the item to upload
+        # @since 3.0.0
+        def export!(data_bag, item_name, item)
+          item.encryption_format = export_format
+          data = item.to_hash
+
+          if export_root.nil?
+            ui.fatal('Export root is not defined')
+            show_usage
+            exit 1
+          end
+
+          export_file_path = export_path(data_bag, item_name)
+          unless ::File.directory?(::File.dirname(export_file_path))
+            ui.fatal("Export directory does not exist: #{export_file_path}")
+            show_usage
+            exit 1
+          end
+
+          ::File.open(export_file_path, 'w') do |f|
+            f.write(Chef::JSONCompat.to_json_pretty(data))
+          end
+
+          display_path = export_file_path.sub(%r{/^#{export_root}/}, '')
+          stdout.puts("Exported to #{display_path}")
+        end
+
+        private
+
+        def export_root
+          config[:export_root] ||
+            Chef::Config[:knife][:secure_data_bag][:export_root]
+        end
+
+        def export_path(data_bag, item_name)
+          ::File.join(export_root, data_bag, item_name) + '.json'
+        end
+
+        def export_format
+          config[:export_format]
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/secure_data_bag/secrets_mixin.rb

@@ -0,0 +1,57 @@
+class Chef
+  class Knife
+    module SecureDataBag
+      module SecretsMixin
+        # Steps to execute when the mixin is include.
+        # In this case specifically, add additional command line options
+        # related to exporting.
+        # @since 3.0.0
+        def self.included(base)
+          base.option :secret,
+            description: 'The secret key used to (de)encrypt data bag item values',
+            short: '-s SECRET',
+            long: '--secret '
+
+          base.option :secret_file,
+            description: 'The secret key file used to (de)encrypt data bag item values',
+            long: '--secret-file SECRET_FILE'
+        end
+
+        # The shared secret used to encrypt / decrypt data bag items
+        # @return [String] the shared secret
+        # @since 3.0.0
+        def secret
+          @secret ||= begin
+            secret = load_secret
+            unless secret
+              ui.fatal('A secret or secret_file must be specified')
+              show_usage
+              exit 1
+            end
+            secret
+          end
+        end
+
+        private
+
+        # Path to the secret_file
+        # @return [String]
+        # @since 3.0.0
+        def secret_file
+          config[:secret_file] ||
+            Chef::Config[:knife][:secure_data_bag][:secret_file]
+        end
+
+        # Load the shared secret, either from command line parameters or from
+        # a file on the filesystem.
+        # @return [String] the shared secret
+        # @since 3.0.0
+        def load_secret
+          if config[:secret] then config[:secret]
+          else ::SecureDataBag::Item.load_secret(secret_file)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/secure_data_bag.rb

@@ -1,8 +1,6 @@
+require 'secure_data_bag/version'
+require 'secure_data_bag/item'
+require 'secure_data_bag/dsl/data_query'
 
-require "secure_data_bag/version"
-require "secure_data_bag/item"
-require "secure_data_bag/dsl/data_query"
-
-require_relative "chef/config"
-require_relative "chef/dsl/data_query"
-
+require_relative 'chef/config'
+require_relative 'chef/dsl/data_query'

data/lib/secure_data_bag/check_encrypted.rb

@@ -0,0 +1,29 @@
+require 'chef/encrypted_data_bag_item/check_encrypted'
+
+module SecureDataBag
+  # Common code for checking if a data bag appears encrypted
+  module CheckEncrypted
+    include Chef::EncryptedDataBagItem::CheckEncrypted
+
+    # Autodetect whether the item's raw hash appears to be encrypted
+    def partially_encrypted?(raw_data)
+      data = raw_data.reject { |k, _| k == 'id' }
+
+      # Detect whether any of the raw hash keys, or their nested structures
+      # contain encrypted values.
+      data.any? do |_, v|
+        looks_like_partially_encrypted?(v)
+      end
+    end
+
+    private
+
+    # Chef if any of the nested data structures look like they have been
+    # encrypted in a manner compatible with
+    # Chef::EncryptedDataBagItem::Encryptor::VersionXEncryptor.
+    def looks_like_partially_encrypted?(data)
+      return false unless data.is_a?(Hash)
+      looks_like_encrypted?(data) || partially_encrypted?(data)
+    end
+  end
+end

data/lib/secure_data_bag/constants.rb

@@ -0,0 +1,5 @@
+require 'secure_data_bag/version'
+
+module SecureDataBag
+  METADATA_KEY = '_secure_metadata'.freeze
+end

data/lib/secure_data_bag/decryptor.rb

@@ -0,0 +1,149 @@
+require 'secure_data_bag/constants'
+require 'secure_data_bag/check_encrypted'
+
+module SecureDataBag
+  module Decryptor
+    # Instantiate an Decryptor object responsable for decrypting the
+    # encrypted_hash with the secret. As much as possible, this method will
+    # attempt to auto-detect the item format to ensure compatibility.
+    #
+    # Much like with upstream, call #for_encrypted_item on the resulting
+    # object to decrypt and deserialize it.
+    #
+    # @param encrypted_hash [Hash] the encrypted hash to decrypt
+    # @param secret [String]
+    # @param metadata [Hash] the optional metdata to configure the decryptor
+    # @return [SecureDataBag::NestedDecryptor] the object capable of decrypting
+    # @since 3.0.0
+    def self.for(encrypted_hash, secret, metadata = {})
+      metadata = Mash.new(metadata)
+      NestedDecryptor.new(encrypted_hash, secret, metadata)
+    end
+  end
+
+  # Decryptor object responsable for decrypting the encrypted_hash with the
+  # secret. This functions similarly, to how
+  # Chef::EncryptedDataBagItem::Decryptor does, with the caveat that this
+  # is meant to decrypt entire objects and not single values.
+  #
+  # @since 3.0.0
+  class NestedDecryptor
+    include SecureDataBag::CheckEncrypted
+
+    # The encrypted hash received
+    # @since 3.0.0
+    attr_reader :encrypted_hash
+
+    # The keys found that had to be decrypted in the hash
+    # @since 3.0.0
+    attr_reader :decrypted_keys
+
+    # The decrypted hash
+    # @since 3.0.0
+    attr_reader :decrypted_hash
+
+    # The format of this DataBagItem.
+    # May be one of:
+    # - encrypted refers to an EncryptedDataBagItem
+    # - nested refers to a SecureDataBagItem with nested values
+    # - plain refers to a plain DataBagItem
+    # @since 3.0.0
+    attr_reader :format
+
+    # Initializer
+    # @param encrypted_hash [Hash,String] the encrypted hash to decrypt
+    # @param secret [String] the secret to decrypt with
+    # @param metadata [Hash] the optional metdata to configure the decryptor
+    # @since 3.0.0
+    def initialize(encrypted_hash, secret, metadata = {})
+      @secret = secret
+
+      @decrypted_keys = []
+      @encrypted_hash = encrypted_hash
+      @decrypted_hash = {}
+
+      @format = metadata[:decryption_format] ||
+        if @encrypted_hash.key?(SecureDataBag::METADATA_KEY)
+          'nested'
+        elsif encrypted?(@encrypted_hash)
+          'encrypted'
+        elsif partially_encrypted?(@encrypted_hash)
+          'nested'
+        else
+          'plain'
+        end
+    end
+
+    # Method called to decrypt the data structure and return it.
+    # @return [Mix] the unencrypted value
+    # @since 3.0.0
+    def decrypt!
+      @decrypted_hash = decrypt
+    end
+
+    # Method called to decrypt the data structure and return it.
+    # @return [Mix] the unencrypted value
+    # @since 3.0.0
+    def decrypt
+      decrypt_data(@encrypted_hash)
+    end
+
+    # Method name preserved for compatibility with
+    # Chef::EncryptedDataBagItem::Decryptor.
+    # @since 3.0.0
+    alias :for_decrypted_item :decrypt!
+
+    private
+
+    # Decrypt a possibly encrypted value
+    # @param raw_hash [Hash] a potentially encrypted hash
+    # @return [Hash] the unencrypted value
+    # @since 3.0.0
+    def decrypt_data(raw_hash)
+      if looks_like_encrypted?(raw_hash)
+        decrypt_value(raw_hash)
+      else
+        decrypt_hash(raw_hash)
+      end
+    end
+
+    # Decrypt a hash potentially containing nested encrypted values
+    #
+    # Additionally, this method will attempt tovkeep track of the names of
+    # each encrypted key.
+    #
+    # @param hash [Hash] a potentially encrypted hash
+    # @return [Hash] the unencrypted value
+    # @since 3.0.0
+    def decrypt_hash(hash)
+      decrypted_hash = Mash.new
+
+      hash.each do |key, value|
+        value = if looks_like_encrypted?(value)
+                  @decrypted_keys.push(key) unless @decrypted_keys
+                                                   .include?(key)
+                  decrypt_value(value)
+                elsif value.is_a?(Hash)
+                  decrypt_hash(value)
+                else value
+                end
+        decrypted_hash[key] = value
+      end
+
+      decrypted_hash
+    end
+
+    # Decrypt an encrypted value
+    # @param hash [Hash] the encrypted value as a hash
+    # @return [Mix] the unencrypted value
+    # @since 3.0.0
+    def decrypt_value(value)
+      case @format
+      when 'plain' then value
+      else
+        Chef::EncryptedDataBagItem::Decryptor
+          .for(value, @secret).for_decrypted_item
+      end
+    end
+  end
+end