secure_data_bag 2.2.0 → 3.0.0

data/lib/secure_data_bag/version.rb

@@ -1,5 +1,3 @@
-
 module SecureDataBag
-  VERSION = "2.2.0"
+  VERSION = '3.0.0'.freeze
 end
-

data/secure_data_bag.gemspec

@@ -4,23 +4,24 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'secure_data_bag/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "secure_data_bag"
+  spec.name          = 'secure_data_bag'
   spec.version       = SecureDataBag::VERSION
-  spec.authors       = ["Jonathan Serafini"]
-  spec.email         = ["jonathan@lightspeedretail.com"]
-  spec.summary       = "Per-field data bag item encryption"
-  spec.description   = "Provides a mechanism to partially encrypt data bag items and therefore ensure that they are searchable"
-  spec.license       = "MIT"
-  spec.homepage      = 
-    "https://github.com/JonathanSerafini/chef-secure_data_bag"
+  spec.authors       = ['Jonathan Serafini']
+  spec.email         = ['jonathan@lightspeedretail.com']
+  spec.summary       = 'Mechanism to partially encryot data bag items'
+  spec.description   = IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+  spec.license       = 'MIT'
+  spec.homepage      =
+    'https://github.com/JonathanSerafini/chef-secure_data_bag'
   spec.files         = `git ls-files -z`.split("\x0")
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
-  spec.add_dependency  "chef"
+  spec.add_dependency  'chef'
 
-  spec.add_development_dependency "bundler", "~> 1.6"
-  spec.add_development_dependency "rake"
-  spec.add_development_dependency "rspec"
+  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'cookstyle'
 end

data/spec/item_spec.rb

@@ -4,14 +4,14 @@ require 'chef/data_bag_item'
 require 'chef/encrypted_data_bag_item'
 
 describe SecureDataBag::Item do
-  let(:key) { "password" }
-  let(:secret) { "data/secret.pem" }
-  let(:fields) { ["encoded"] }
+  let(:key) { 'password' }
+  let(:secret) { 'data/secret.pem' }
+  let(:fields) { ['encoded'] }
 
-  let(:simple_data) { { "id"=>"test", decoded:"decoded", encoded:"encoded" } }
-  let(:nested_data) { simple_data.merge({ nested:simple_data }) }
+  let(:simple_data) { { 'id' => 'test', decoded: 'decoded', encoded: 'encoded' } }
+  let(:nested_data) { simple_data.merge(nested: simple_data) }
 
-  let(:item) { SecureDataBag::Item.new(key:key, fields:fields) }
+  let(:item) { SecureDataBag::Item.new(key: key, fields: fields) }
 
   let(:dbag_item) do
     dbag_item = Chef::DataBagItem.new
@@ -31,29 +31,28 @@ describe SecureDataBag::Item do
     nested_item
   end
 
-  it "encodes simple data" do
+  it 'encodes simple data' do
     dbag = simple_item
     data = dbag.encoded_data
-    expect(data[:decoded]).to eq("decoded")
-    expect(data[:encoded]).not_to eq("encoded")
+    expect(data[:decoded]).to eq('decoded')
+    expect(data[:encoded]).not_to eq('encoded')
     expect(data[:encoded][:encrypted_data]).not_to eq(nil)
   end
 
-  it "encodes nested data" do
+  it 'encodes nested data' do
     dbag = nested_item
     data = dbag.encoded_data
-    expect(data[:nested][:decoded]).to eq("decoded")
-    expect(data[:nested][:encoded]).not_to eq("encoded")
+    expect(data[:nested][:decoded]).to eq('decoded')
+    expect(data[:nested][:encoded]).not_to eq('encoded')
     expect(data[:nested][:encoded][:encrypted_data]).not_to eq(nil)
   end
 
-  it "decodes encrypted_data_bag_item" do
+  it 'decodes encrypted_data_bag_item' do
     edbag = Chef::EncryptedDataBagItem.encrypt_data_bag_item(dbag_item, key)
     dbag = item
     dbag.raw_data = edbag
     data = dbag.raw_data
-    expect(data[:decoded]).to eq("decoded")
-    expect(data[:encoded]).to eq("encoded")
+    expect(data[:decoded]).to eq('decoded')
+    expect(data[:encoded]).to eq('encoded')
   end
 end
-

data/spec/spec_helper.rb

@@ -14,4 +14,3 @@ RSpec.configure do |config|
     mocks.verify_partial_doubles = true
   end
 end
-

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: secure_data_bag
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 3.0.0
 platform: ruby
 authors:
 - Jonathan Serafini
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-26 00:00:00.000000000 Z
+date: 2016-08-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef
@@ -66,8 +66,103 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Provides a mechanism to partially encrypt data bag items and therefore
-  ensure that they are searchable
+- !ruby/object:Gem::Dependency
+  name: cookstyle
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: "# SecureDataBag / Knife Secure Bag\n\nKnife Secure Bag provides a consistent
+  interface to DataBagItem, EncryptedDataBagItem as well as the custom created SecureDataBagItem
+  while also providing a few extra handy features to help in your DataBag workflows.
+  \n\nSecureDataBagItem, can not only manage your existing DataBagItems and EncryptedDataBagItems,
+  but it also provides you with a DataBag type which enables you to selectively encrypt
+  only some of the fields in your DataBag thus allowing you to be able to search for
+  the remaining fields. \n\n## Installation\n\nTo build and install the plugin add
+  it your Gemfile or run: \n\n```shell\ngem install secure_data_bag\n```\n\n## Configuration\n\n####
+  Knife Secure Bag\n\nDefaults for the Knife command may be provided in your _knife.rb_
+  file.\n\n```ruby\nknife[:secure_data_bag][:encrypted_keys] = %w(\n  password\n  ssh_keys\n
+  \ ssh_ids\n  public_keys\n  private_keys\n  keys\n  secret\n)\nknife[:secure_data_bag][:secret_file]
+  = \"#{local_dir}/secret.pem\"\nknife[:secure_data_bag][:export_root] = \"#{kitchen_dir}/data_bags\"\nknife[:secure_data_bag][:export_on_upload]
+  = true\nknife[:secure_data_bag][:defaults][:secrets][:export_format] = 'plain'\n```\n\nTo
+  break this up:\n\n`knife[:secure_data_bag][:encrypted_keys] = []`\n\nWhen Knife
+  Secure Bag encrypts a hash with an _encryption format_ of *nested*, it will recursively
+  walk through the hash from the bottom up and encrypt any key found within this array.\n\n`knife[:secure_data_bag][:secret_file]`\n\nWhen
+  encryption is required, the shared secret found at this location will be loaded.
+  \n\n`knife[:secure_data_bag][:export_root]`\n\nWhen exporting a data\\_bag\\_item,
+  files will be created in below this root directory. Typically this would be the
+  data\\_bag folder located within your kitchen.\n\n`knife[:secure_data_bag][:export_on_upload]`\n\nWhen
+  a data\\_bag\\_item is edited using `knife secure bag edit`, it may be automatically
+  exported to the _export\\_root_.\n\n`knife[:secure_data_bag][:defaults][:secrets][:export_format]`\n\nThe
+  configuration file additionally supports the _defaults_ hash which provides default
+  values for all _command line arguments_ that one might use. Of all of them only
+  the _export\\_format_ key is likely to be of much use.\n\n## Examples\n\n#### Chef
+  cookbook recipe\n\n```ruby\nmetadata = {}\n\n# Define the keys we wish to encrypt\nmetadata[:encrypted_keys]
+  = %w(encoded)\n\n# Optionally load a specific shared secret. Otherwise, the global
+  \n# encrypted\\_data\\_bag\\_secret will be automatically used.\nsecret_key = SecureDataBagItem.load_key(\"/path/to/secret\")\n\n#
+  Create a hash of data to use as an exampe\nraw_data = {\n\tid: \"item\", \n  data_bag:
+  \"data_bag\",\n\tencoded: \"my string\", \n\tunencoded: \"other string\"\n}\n\n#
+  Instantiate a SecureDataBagItem from a hash\nitem = SecureDataBagItem.from_hash(data,
+  metadata)\n\n# Or more explicitely\nitem = SecureDataBagItem.from_hash(data, encrypted_keys:
+  %w(encoded))\n\n# Or load from server\nitem = SecureDataBagItem.load(\"data_bag\",
+  \"item\")\n\n# Print the un-encrypted raw data\npp item.raw_data\n\n# Print the
+  un-encrypted `encoded` key\npp item['encoded']\n\n# Print the encrypted hash as
+  a data_bag_item hash\npp item.to_hash\n\n=begin\n{ \n  id:         \"item\", \n
+  \ data_bag:   \"data_bag\",\n  encoded:    {\n    encrypted_data: \"encoded\",\n
+  \   cipher: aes-256-cbc,\n    iv: 13453453dkgfefg==\n    version: 1\n  }\n  unencoded:
+  \ \"other string\",\n}\n=end\n```\n\n## Usage\n\n#### Knife commands\n\nPrint an
+  DataBagItem, EncryptedDataBagItem or SecureDataBagItem, auto-detecting the encryption
+  method used as plain text.\n\n```shell\nknife secure bag show -F js secrets secret_item\n```\n\nPrint
+  an DataBagItem, EncryptedDataBagItem or SecureDataBagItem, auto-detecting the encryption
+  method used as a SecureDataBagItem in encrypted format.\n\n```shell\nknife secure
+  bag show -F js secrets secret_item --enc-format nested\n```\n\nEdit an EncryptedDataBagItem,
+  preserve it's encryption type, and export a copy to the _data\\_bag_ folder in your
+  kitchen.\n\n```shell\nknife secure bag edit secrets secret_item --export\n```\n\n##
+  Knife SubCommands\n\nMost of the SubCommands support the following command-line
+  options:\n\n`--enc-format [plain,encrypted,nested]`\n\nEnsure that, when displaying
+  or uploading the data\\_bag\\_item, we forcibly encrypt the data\\_bag\\_item using
+  the specified format instead of preserving the existing format. \n\nIn this case:
+  \n- plain: refers to a DataBagItem\n- encrypted: refers to an EnrytpedDataBagItem\n-
+  nested: refers to a SecureDataBagItem\n\n`--dec-format [plain,encrypted,nested]`\n\nAttempt
+  to decrypt the data\\_bag\\_item using the given format rather than the auto-detected
+  one. The only real reason to use this is when you wish to specifically select _plain_
+  as the format so as to not decrypt the item.\n\n`--enc-keys key1,key2,key3`\n\nProvide
+  a comma delimited list of hash keys which should be encrypted when encrypting the
+  data\\_bag\\_item. This list will be concatenated with any key names listed in the
+  configuration file or which were previously encrypted. \n\n`--export`\n\nExport
+  the data\\_bag\\_item to json file in either of _export-format_ or _enc-format_.\n\n`--export-format`\n\nOverrides
+  the encryption format only for the _export_ feature.\n\n`--export-root`\n\nRoot
+  directly under which a folder should exist for each _data_bag_ into which to export
+  _data_bag_items_ as json files.\n\nWhen displaying the content of the _data\\_bag\\_item_,
+  an additional key of *_secure_metadata* will be added to the output which contains
+  gem specific metadata such as the encryption formats and any encrypted keys found.
+  This key will _not_ be saved with the item, however it may be manipulated to alter
+  the behavior of the _edit_ or _export_ commands.\n\n#### knife secure bag show DATA_BAG
+  ITEM\n\nThis command functions just like `knife data bag show` and is used to print
+  out the content of either a DataBagItem, EncryptedDataBagItem or SecureDataBagItem.\n\nBy
+  default, it will auto-detect the Item type, and print it's unencrypted version to
+  the terminal. This behavior, however, may be altered using the previously mentioned
+  command line options.\n\n#### knife secure bag open PATH\n\nThis commands functions
+  much like `knife secure bag show`, however it is designed to load a _data\\_bag\\_item_
+  from disk as opposed to loading it from Chef server. This may be of use when view
+  the content of an exported encrypted file.\n\n#### knife secure bag edit DATA_BAG
+  DATA_BAG_ITEM\n\nThis command functions just like `knife data bag edit` and is used
+  to edit either a DataBagItem, EncryptedDataBagItem or a SecureDataBagItem. It supports
+  all of the same options as `knife secure bag show`. \n\n#### knife secure bag from
+  file DATA_BAG PATH\n\nThis command functions just like `knife data bag from file`
+  and is used to upload either a DataBagItem, EncryptedDataBagItem or a SecureDataBagItem.
+  It supports all of the same options as `knife secure bag show`. \n\n## Recipe DSL\n\nThe
+  gem additionally provides a few Recipe DSL methods which may be useful.\n\n```ruby\nload_secure_item
+  = secure_data_bag_item(\n  data_bag_name, \n  data_bag_item, \n  cache: false\n)\n\nload_plain_item
+  = data_bag_item(data_bag_name, data_bag_item)\nconvert_plain_to_secure = secure_data_bag_item!(load_plain_item)\n```\n\n"
 email:
 - jonathan@lightspeedretail.com
 executables: []
@@ -76,18 +171,28 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - lib/chef/config.rb
 - lib/chef/dsl/data_query.rb
-- lib/chef/knife/secure_bag_base.rb
 - lib/chef/knife/secure_bag_edit.rb
 - lib/chef/knife/secure_bag_from_file.rb
+- lib/chef/knife/secure_bag_open.rb
 - lib/chef/knife/secure_bag_show.rb
+- lib/chef/knife/secure_data_bag/base_mixin.rb
+- lib/chef/knife/secure_data_bag/defaults_mixin.rb
+- lib/chef/knife/secure_data_bag/export_mixin.rb
+- lib/chef/knife/secure_data_bag/secrets_mixin.rb
 - lib/secure_data_bag.rb
+- lib/secure_data_bag/check_encrypted.rb
+- lib/secure_data_bag/constants.rb
+- lib/secure_data_bag/decryptor.rb
 - lib/secure_data_bag/dsl/data_query.rb
+- lib/secure_data_bag/encryptor.rb
+- lib/secure_data_bag/exceptions.rb
 - lib/secure_data_bag/item.rb
 - lib/secure_data_bag/version.rb
 - secure_data_bag.gemspec
@@ -113,10 +218,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5.1
+rubygems_version: 2.2.3
 signing_key: 
 specification_version: 4
-summary: Per-field data bag item encryption
+summary: Mechanism to partially encryot data bag items
 test_files:
 - spec/item_spec.rb
 - spec/spec_helper.rb

data/lib/chef/knife/secure_bag_base.rb

@@ -1,74 +0,0 @@
-
-require 'chef/knife'
-
-class Chef
-  class Knife
-    module SecureBagBase
-      def self.included(includer)
-        includer.class_eval do
-          deps do
-            require 'secure_data_bag'
-          end
-        
-          option :secret,
-            short:  "-s SECRET",
-            long:   "--secret",
-            description: "The secret key to use to encrypt data bag item values"
-
-          option :secret_file,
-            long: "--secret-file SECRET_FILE",
-            description: "A file containing a secret key to use to encrypt data bag item values"
-
-          option :encoded_fields,
-            long: "--encoded-fields FIELD1,FIELD2,FIELD3",
-            description: "List of attribute keys for which to encode values",
-            proc: Proc.new { |s| s.split(',') }
-        end
-      end
-
-      def encoded_fields
-        config[:encoded_fields] || 
-          Chef::Config[:knife][:secure_data_bag][:fields]
-      end
-
-      def secret_file
-        config[:secret_file] ||
-          SecureDataBag::Item.secret_path
-      end
-
-      def secret
-        @secret ||= read_secret
-      end
-
-      def use_encryption
-        true
-      end
-
-      def read_secret
-        if config[:secret] then config[:secret]
-        else SecureDataBag::Item.load_secret(secret_file)
-        end
-      end
-
-      def require_secret
-        if not secret
-          show_usage
-          ui.fatal("A secret or secret_file must be specified")
-          exit 1
-        end
-      end
-
-      def data_for_create(hash={})
-        hash[:id] = @data_bag_item_name
-        hash
-      end
-
-      def data_for_save(hash)
-        @encoded_fields = hash.delete(:_encoded_fields)
-        hash
-      end
-
-    end
-  end
-end
-