secure_data_bag 2.2.0 → 3.0.0

data/lib/secure_data_bag/dsl/data_query.rb

@@ -13,19 +13,19 @@ module SecureDataBag
           Chef::DataBag.validate_name!(bag.to_s)
           SecureDataBag::Item.validate_id!(item)
           SecureDataBag::Item.load(bag, item)
-        rescue Exception
+        rescue StandardError
           Chef::Log.error("Failed to load secure data bag item: #{bag.inspect} #{item.inspect}")
           raise
         end
+
+        node.run_state[:secure_data_bag][bag][item] ||= data_bag_item if cache
+        data_bag_item
       end
 
-      def secure_data_bag_item!(item, fields=[])
-        secure = SecureDataBag::Item.from_item item
-        secure.encoded_fields.concat(Array(fields))
+      def secure_data_bag_item!(item, metadata = {})
+        secure = SecureDataBag::Item.from_item(item, metadata)
         secure
       end
     end
   end
 end
-
-

data/lib/secure_data_bag/encryptor.rb

@@ -0,0 +1,185 @@
+require 'secure_data_bag/exceptions'
+
+module SecureDataBag
+  module Encryptor
+    # Instantiate an Encryptor object responsable for encrypting the
+    # raw_hash with the secret.
+    #
+    # The optional metadata may contain hints as to how we should encrypt the
+    # raw_hash. Should hints not be provided, this will do it's best to
+    # detect the appropriate defaults.
+    #
+    # @param raw_hash [Hash] the raw hash to encrypt
+    # @param secret [String] the secret to encrypt with
+    # @param metadata [Hash] the optional metdata to configure the encryptor
+    # @return [SecureDataBag::NestedDecryptor] the object capable of decrypting
+    # @since 3.0.0
+    def self.new(raw_hash, secret, metadata = {})
+      metadata = Mash.new(metadata)
+      format = (metadata[:encryption_format] || metadata[:decryption_format])
+      case format
+      when 'encrypted'
+        SecureDataBag::FlatEncryptor.new(raw_hash, secret, metadata)
+      else
+        SecureDataBag::NestedEncryptor.new(raw_hash, secret, metadata)
+      end
+    end
+  end
+
+  # Encryptor object responsable for encrypting the raw_hash with the
+  # secret. This object is just a wrapper around
+  # Chef::EncryptedDataBagItem.
+  #
+  # @since 3.0.0
+  class FlatEncryptor
+    # The keys to encrypt
+    # @since 3.0.0
+    attr_reader :encrypted_keys
+
+    # The encrypted hash generated
+    # @since 3.0.0
+    attr_reader :encrypted_hash
+
+    # The decrypted hash to encrypt
+    # @since 3.0.0
+    attr_reader :decrypted_hash
+
+    # The metadata used to create the encrypted_hash
+    attr_reader :metadata
+
+    # Initializer
+    # @param decrypted_hash [Hash,String] the encrypted hash to encrypt
+    # @param secret [String] the secret to encrypt with
+    # @param metadata [Hash] optional metadata
+    # @since 3.0.0
+    def initialize(decrypted_hash, secret, metadata = {})
+      @secret = secret
+      @metadata = metadata
+      @encrypted_hash = {}
+      @encrypted_keys = []
+      @decrypted_hash = decrypted_hash
+    end
+
+    # Method called to encrpt the data structure and return it.
+    # @return [Hash] the encrypted value
+    # @since 3.0.0
+    def encrypt!
+      @encrypted_hash = encrypt
+    end
+
+    # Method called to encrpt the data structure and return it.
+    # @return [Hash] the encrypted value
+    # @since 3.0.0
+    def encrypt
+      ## NO WORKY
+      ## NO WORKY
+      ## NO WORKY
+      ## NO WORKY
+      ## NO WORKY
+      ## NO WORKY
+      Chef::EncryptedDataBagItem.encrypt_data_bag_item(
+        @decrypted_hash,
+        @secret
+      )
+    end
+
+    # Method name preserved for compatibility with
+    # Chef::EncryptedDataBagItem::Encryptor.
+    # @since 3.0.0
+    alias :for_encrypted_item :encrypt!
+  end
+
+  # Encryptor object responsable for encrypting the raw_hash with the
+  # secret. This object will recursively step through the raw_hash, looking for
+  # keys matching `encrypted_keys` and encrypt their values.
+  #
+  # @since 3.0.0
+  class NestedEncryptor
+    # The keys to encrypt
+    # @since 3.0.0
+    attr_reader :encrypted_keys
+
+    # The encrypted hash generated
+    # @since 3.0.0
+    attr_reader :encrypted_hash
+
+    # The decrypted hash to encrypt
+    # @since 3.0.0
+    attr_reader :decrypted_hash
+
+    # The metadata used to create the encrypted_hash
+    attr_reader :metadata
+
+    # Initializer
+    # @param decrypted_hash [Hash,String] the encrypted hash to encrypt
+    # @param secret [String] the secret to encrypt with
+    # @param metadata [Hash] optional metadata
+    # @since 3.0.0
+    def initialize(decrypted_hash, secret, metadata = {})
+      @secret = secret
+      @metadata = metadata
+      @encrypted_hash = {}
+      @encrypted_keys = case metadata[:encryption_format]
+                        when 'plain' then @encrypted_keys = []
+                        else metadata[:encrypted_keys] || []
+                        end
+      @decrypted_hash = decrypted_hash
+    end
+
+    # Method called to encrpt the data structure and return it.
+    # @return [Hash] the encrypted value
+    # @since 3.0.0
+    def encrypt!
+      @encrypted_hash = encrypt
+    end
+
+    # Method called to encrpt the data structure and return it.
+    # @return [Hash] the encrypted value
+    # @since 3.0.0
+    def encrypt
+      encrypt_data(@decrypted_hash)
+    end
+
+    # Method name preserved for compatibility with
+    # Chef::EncryptedDataBagItem::Encryptor.
+    # @since 3.0.0
+    alias :for_encrypted_item :encrypt!
+
+    private
+
+    # Recursively encrypt hash values where keys match encryptable_key?
+    # @param raw_hash [Hash] the hash to encrypt
+    # @return [Hash] the encrypted hash
+    # @since 3.0.0
+    def encrypt_data(raw_hash)
+      encrypted_hash = Mash.new
+
+      raw_hash.each do |key, value|
+        value = if encryptable_key?(key)
+                  encrypt_value(value)
+                elsif value.is_a?(Hash)
+                  encrypt_data(value)
+                else value
+                end
+        encrypted_hash[key] = value
+      end
+
+      encrypted_hash
+    end
+
+    # Determine whether the hash key should be encrypted
+    # @return [Boolean]
+    # @since 3.0.0
+    def encryptable_key?(key)
+      @encrypted_keys.include?(key)
+    end
+
+    # Encrypt a single value
+    # @return [Hash] the encrypted value
+    # @since 3.0.0
+    def encrypt_value(value)
+      Chef::EncryptedDataBagItem::Encryptor
+        .new(value, @secret).for_encrypted_item
+    end
+  end
+end

data/lib/secure_data_bag/exceptions.rb

@@ -0,0 +1,4 @@
+module SecureDataBag
+  class UnsupportedSecureDataBagItemFormat < StandardError
+  end
+end

data/lib/secure_data_bag/item.rb

@@ -1,192 +1,240 @@
-
-require 'open-uri'
 require 'chef/data_bag_item'
 require 'chef/encrypted_data_bag_item'
-require 'chef/encrypted_data_bag_item/encryptor'
-require 'chef/encrypted_data_bag_item/decryptor'
+require 'secure_data_bag/constants'
+require 'secure_data_bag/decryptor'
+require 'secure_data_bag/encryptor'
 
 module SecureDataBag
-  #
-  # SecureDataBagItem extends the standard DataBagItem by providing it
-  # with encryption / decryption capabilities.
-  #
-  # Although it does provide methods which may be used to specifically perform
-  # crypto functions, it should be used the same way.
-  #
-
   class Item < Chef::DataBagItem
-    def initialize(opts={})
-      # Chef 12.3 introduced the new option
-      begin super(chef_server_rest: opts.delete(:chef_server_rest))
-      rescue ArgumentError; super()
+    class << self
+      # Class method used to load the secret key from path
+      # @param path [String] the optional path to the file
+      # @return [String] the secret
+      # @since 3.0.0
+      def load_secret(path = nil)
+        path ||= (
+          Chef::Config[:knife][:secure_data_bag][:secret_file] ||
+          Chef::Config[:encrypted_data_bag_secret]
+        )
+        Chef::EncryptedDataBagItem.load_secret(path)
       end
 
-      secret_path     opts[:secret_path] if opts[:secret_path]
-      secret          opts[:secret] if opts[:secret]
-      encoded_fields  opts[:fields] if opts[:fields]
+      # Load a data_bag_item and convert into the a SecureDataBag::Item.
+      # @param data_bag [String] the data_bag to load the item from
+      # @param name [String] the data_bag_item id
+      # @param opts [Hash] optional options to pass to SecureDataBag::Item.new
+      # @return [SecureDataBag::Item]
+      # @since 3.0.0
+      def load(data_bag, name, opts = {})
+        data = {
+          'data_bag' => data_bag,
+          'id' => name
+        }.merge(
+          Chef::DataBagItem.load(data_bag, name).to_hash
+        )
+        item = from_hash(data, opts)
+        item
+      end
 
-      self.raw_data = opts[:data] if opts[:data]
-      self
-    end
+      # Create a new SecureDataBag::Item from a hash and optional options.
+      # @param hash [Hash] the data
+      # @param opts [Hash] the optional options to pass to Item.new
+      # @return [SecureDataBag::Item]
+      # @since 3.0.0
+      def from_hash(hash, opts = {})
+        data = hash.dup
+        data.delete('chef_type')
+        data.delete('json_class')
+
+        metadata = Mash.new(data.delete(SecureDataBag::METADATA_KEY) || {})
+        metadata = metadata.merge(opts)
+
+        item = new(metadata)
+        item.data_bag(data.delete('data_bag')) if data.key?('data_bag')
+        item.raw_data = data.key?('raw_data') ? data['raw_data'] : data
+        item
+      end
 
-    #
-    # Path to encryption key file
-    #
-    def secret_path(arg=nil)
-      set_or_return :secret_path, arg, 
-        kind_of: String,
-        default: self.class.secret_path
+      # Create a new SecureDataBag::Item from a DataBagItem.
+      # @param data_bag_item [Chef::DataBagItem] the item to create from
+      # @param opts [Hash] the optional options ot pass to Item.new
+      # @return [SecureDataBag::Item]
+      # @since 3.0.0
+      def from_item(data_bag_item, opts = {})
+        data = data_bag_item.to_hash
+        from_hash(data, opts)
+      end
     end
 
-    def self.secret_path(arg=nil)
-      arg || 
-      Chef::Config[:knife][:secure_data_bag][:secret_file] ||
-      Chef::Config[:encrypted_data_bag_secret]
-    end
+    # Initializer
+    # @param opts [Hash] optional options to configure the SecureDataBag::Item
+    #        opts[:data] the initial data to set
+    #        opts[:secret] the secret key to use when encrypting/decrypting
+    #        opts[:secret_path] the path to the secret key
+    #        opts[:encrypted_keys] an array of keys to encrypt
+    #        opts[:format] the SecureDataBag::Item format to enforce
+    # @since 3.0.0
+    def initialize(opts = {})
+      opts = Mash.new(opts)
 
-    #
-    # Content of encryption secret
-    #
-    def secret(arg=nil)
-      @secret = arg unless arg.nil?
-      @secret ||= load_secret
-    end
+      # Initiate the APIClient in Chef 12.3+
+      begin super(chef_server_rest: opts.delete(:chef_server_rest))
+      rescue ArgumentError; super()
+      end
 
-    def load_secret
-      @secret = self.class.load_secret(secret_path)
-    end
+      # Optionally define the Item vesion
+      @version = opts[:version] || SecureDataBag::VERSION
 
-    def self.load_secret(path=nil)
-      Chef::EncryptedDataBagItem.load_secret(secret_path(path))
-    end
+      # Optionally define the Item formats
+      @encryption_format = opts[:encryption_format]
+      @decryption_format = opts[:decryption_format]
 
-    #
-    # Fetch databag item via DataBagItem and then optionally decrypt
-    #
-    def self.load(data_bag, name, opts={})
-      data = super(data_bag, name)
-      new(opts.merge(data:data.to_hash))
-    end
+      # Optionally provide the shared secret
+      @secret = opts[:secret] if opts[:secret]
 
-    #
-    # Setter for @raw_data
-    # - ensure the data we receive is a Mash to support symbols
-    # - pass it to DataBagItem for additional validation
-    # - ensure the data has the encryption hash
-    # - decode the data
-    #
-    def raw_data=(data)
-      data = Mash.new(data)
-      super(data)
-      decode_data!
-    end
+      # Optionally provide a path to the shared secret. If not provided, the
+      # secret loader will automatically attempt to select one.
+      @secret_path = opts[:secret_path]
 
-    #
-    # Fields we wish to encode
-    #
-    def encoded_fields(arg=nil)
-      @encoded_fields = Array(arg).map{|s|s.to_s}.uniq if arg
-      @encoded_fields ||= Chef::Config[:knife][:secure_data_bag][:fields] ||
-                          Array.new
-    end
+      # Optionally provide a list of keys that should be encrypted or attempt
+      # to determine it based on configuration options.
+      @encrypted_keys = (
+        opts[:encrypted_keys] ||
+        Chef::Config[:knife][:secure_data_bag][:encrypted_keys] ||
+        []
+      ).uniq
 
-    #
-    # Raw Data decoder methods
-    #
-    def decode_data!
-      @raw_data = decoded_data
-      @raw_data
+      self.raw_data = opts[:data] if opts[:data]
+      self
     end
 
-    def decoded_data
-      if encoded_value?(@raw_data) then decode_value(@raw_data)
-      else decode_hash(@raw_data)
-      end
-    end
+    # Array of hash keys which should be encrypted when encrypting this item.
+    # For previously decrypted items, this will contain the keys which has
+    # previously been encrypted.
+    # @since 3.0.0
+    attr_accessor :encrypted_keys
 
-    def decode_hash(hash)
-      hash.each do |k,v|
-        v = if encoded_value?(v)
-              encoded_fields(encoded_fields + [k])
-              decode_value(v)
-            elsif v.is_a?(Hash)
-              decode_hash(v)
-            else v
-            end
-        hash[k] = v
-      end
-      hash
-    end
+    # Format to enforce when encrypting this Item. This item will automatically
+    # be updated when importing encrypted data.
+    # @since 3.0.0
+    attr_accessor :encryption_format
 
-    def decode_value(value)
-      Chef::EncryptedDataBagItem::Decryptor.
-        for(value, secret).for_decrypted_item
-    end
+    # Format to enforce when decrypting this Item. This item will automatically
+    # be updated when importing decrypted data.
+    # @since 3.0.0
+    attr_accessor :decryption_format
 
-    def encoded_value?(value)
-      value.is_a?(Hash) and value.key?(:encrypted_data)
+    # Fetch, Set or optionally Load the shared secret
+    # @param arg [String] optionally set the shared set
+    # @return [String] the shared secret
+    # @since 3.0.0
+    def secret(arg = nil)
+      @secret = arg unless arg.nil?
+      @secret ||= load_secret
     end
 
-    #
-    # Raw Data encoded methods
-    #
-    def encode_data!
-      @raw_data = encoded_data
-      @raw_data
+    # Hash representing the metadata associated to this Item
+    # @return [Hash] the metadata
+    # @since 3.0.0
+    def metadata
+      Mash.new(
+        encryption_format: @encryption_format,
+        decryption_format: @decryption_format,
+        encrypted_keys: @encrypted_keys,
+        version: @version
+      )
+    end
+
+    # Override the default setter to first ensure that the data is a Mash and
+    # then to automatically decrypt the data.
+    # @param new_data [Hash] the potentially encrypted data
+    # @since 3.0.0
+    def raw_data=(new_data)
+      new_data = Mash.new(new_data)
+      new_data.delete(SecureDataBag::METADATA_KEY)
+      super(decrypt_data!(new_data))
+    end
+
+    # Export this SecureDataBag::Item to it's raw_data
+    # @param opts [Hash] the optional options
+    # @return [Hash]
+    # @since 3.0.0
+    def to_data(opts = {})
+      opts = Mash.new(opts)
+      result = encrypt_data(raw_data)
+      result[SecureDataBag::METADATA_KEY] = metadata if opts[:metadata]
+      result
     end
 
-    def encoded_data
-      encode_hash(@raw_data.dup)
+    # Export this SecureDataBag::Item to a Chef::DataBagItem compatible hash
+    # @param opts [Hash] the optional options
+    # @return [Hash]
+    # @since 3.0.0
+    def to_hash(opts = {})
+      opts = Mash.new(opts)
+      result = to_data(opts)
+      result['chef_type'] = 'data_bag_item'
+      result['data_bag'] = data_bag.to_s
+      result
     end
 
-    def encode_hash(hash)
-      hash.each do |k,v|
-        v = if encoded_fields.include?(k) then encode_value(v)
-            elsif v.is_a?(Hash) then encode_hash(v)
-            else v
-            end
-        hash[k] = v
-      end
-      hash
+    # Export this SecureDataBag::Item to a Chef::DataBagItem compatible json
+    # @return [String]
+    # @since 3.0.0
+    def to_json(*a)
+      result = {
+        'name' => object_name,
+        'json_class' => 'Chef::DataBagItem',
+        'chef_type' => 'data_bag_item',
+        'data_bag' => data_bag.to_s,
+        'raw_data' => encrypt_data(raw_data)
+      }
+      result.to_json(*a)
     end
 
-    def encode_value(value)
-      Chef::EncryptedDataBagItem::Encryptor.
-        new(value, secret).for_encrypted_item
+    private
+
+    # Load the shared secret from the configured secret_path (or auto-detect
+    # the path if undefined).
+    # @return [String] the shared secret
+    # @since 3.0.0
+    def load_secret
+      @secret = self.class.load_secret(@secret_path)
     end
 
-    #
-    # Transitions
-    #
-    def self.from_hash(h, opts={})
-      item = new(opts.merge(data:h))
-      item
+    # Decrypt the data, save the both the decrypted_keys and format for
+    # possible re-encryption, and return the descrypted hash.
+    # @param data [Hash] the potentially encrypted hash
+    # @param save [Boolean] whether to save the encrypted keys and format
+    # @return [Hash] the decrypted hash
+    # @since 3.0.0
+    def decrypt_data(data, save: false)
+      decryptor = SecureDataBag::Decryptor.for(data, secret, metadata)
+      decryptor.decrypt!
+      @encrypted_keys.concat(decryptor.decrypted_keys).uniq! if save
+      @decryption_format = decryptor.format if save
+      decryptor.decrypted_hash
     end
 
-    def self.from_item(h, opts={})
-      item = self.from_hash(h.to_hash, opts)
-      item.data_bag h.data_bag
-      item.encoded_fields h.encoded_fields if h.respond_to?(:encoded_fields)
-      item
+    def decrypt_data!(data)
+      decrypt_data(data, save: true)
     end
 
-    def to_hash(opts={})
-      result = opts[:encoded] ? encoded_data : @raw_data
-      result["chef_type"] = "data_bag_item"
-      result["data_bag"] = data_bag
-      result
+    # Encrypt the data and save the encrypted_keys.
+    # @param data [Hash] the hash to encrypt
+    # @param save [Boolean] whether to save the encrypted keys
+    # @return [Hash] the encrypted hash
+    # @since 3.0.0
+    def encrypt_data(data, _save: false)
+      encryptor = SecureDataBag::Encryptor.new(data, secret, metadata)
+      encryptor.encrypt!
+      encryptor.encrypted_hash
     end
 
-    def to_json(*a)
-      result = {
-        name: self.object_name,
-        json_class: "Chef::DataBagItem",
-        chef_type: "data_bag_item",
-        data_bag: data_bag,
-        raw_data: encoded_data
-      }
-      result.to_json(*a)
+    def encrypt_data!(data)
+      encrypt_data(data, save: true)
     end
   end
 end
 
+SecureDataBagItem = SecureDataBag::Item