veil 0.2.0 → 0.3.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: cfc065388eeda8de97ced25becd31b968eaebd1c
-  data.tar.gz: 4f254696b35ccd7924bb84db6a18b65629570533
+SHA256:
+  metadata.gz: 90b6d3458208ed72b315d558278ff129d88328b61440ef8be942df67737e821c
+  data.tar.gz: 452932d08b0483b6153ea3e7d0eace13acbdcf41b53ed0fecb5ea97aef518dc7
 SHA512:
-  metadata.gz: 858dd8cba868d10bc3559b7ea6e4467a6cbeb9a3316244c0289b87adeef13709306a9c909d8dd8b1a1593b54a3541dd7cda1b3dce6ece469c937db2e83990270
-  data.tar.gz: 831847b81b49f810c5b37e4f7a4211723f9fa84bcf5a26cce62a76ef9861d7288cd31bcfea08992aaee068b001c157ed1757e78311487f98d330cdc68d5fdea7
+  metadata.gz: 16deb81b28bb2dbd252cbd05269f2488296e24689786c037043a2b5ce7d3af0cef583ffe912fdfd22b70c5d9ef4b22acdfa4ee57bdf90865438cfbef2ab35f5e
+  data.tar.gz: 7a20341b3e3061f9907d419fbb37f94b4b0690786b1d90dc943865ce235e620619fef290a315e769d96e6b4ab132b5be2620e970faa41d1f7b6d26bf60e42f73

data/bin/veil-dump-secrets

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+require 'veil'
+require 'json'
+require 'optparse'
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: veil-dump-secrets SECRETS_FILE_PATH"
+end.parse!
+
+secrets_file = ARGV[0]
+veil = Veil::CredentialCollection::ChefSecretsFile.from_file(secrets_file)
+puts veil.credentials_for_export.to_json

data/bin/veil-env-helper

@@ -1,10 +1,16 @@
 #!/usr/bin/env ruby
 
 require 'veil'
+require 'json'
 require 'optparse'
 
 options = {
-  secrets_file: "/etc/opscode/private-chef-secrets.json"
+  secrets_file: "/etc/opscode/private-chef-secrets.json",
+  pack: false,
+  use_file: false,
+  debug: false,
+  secrets: [],
+  optional_secrets: []
 }
 
 OptionParser.new do |opts|
@@ -14,8 +20,20 @@ OptionParser.new do |opts|
     options[:debug] = d
   end
 
-  opts.on("-s SECRETS_SPEC", "--secrets SECRETS_SPEC", "A comma seperated list of secrets to put in the environment") do |spec|
-    options[:secrets] = spec.split(",")
+  opts.on("--pack", "Pass secrets in a single CHEF_SECRETS_DATA environment variable") do |p|
+    options[:pack] = p
+  end
+
+  opts.on("--use-file", "Pass secrets via a unlinked file available at the FD specified in CHEF_SECRETS_FD") do |fd|
+    options[:use_file] = fd
+  end
+
+  opts.on("-s SECRET_SPEC", "--secret SECRET_SPEC", "Secret to put in the environment") do |spec|
+    options[:secrets] << spec
+  end
+
+  opts.on("-o SECRET_SPEC", "--optional-secret SECRET_SPEC", "Optional secrets to put in the environment (if it exists)") do |spec|
+    options[:optional_secrets] << spec
   end
 
   opts.on("-f SECRETS_FILE", "--secrets-file SECRETS_FILE", "Location of veil-managed secrets file. Default: /etc/opscode/private-chef-secrets.json") do |file|
@@ -23,25 +41,64 @@ OptionParser.new do |opts|
   end
 end.parse!
 
-def env_name_from_secret_spec(secret)
+def from_secret_spec(secret, start = {})
   parts = secret.split("=")
-  case parts.length
-  when 1
-    ["CHEF_SECRET_#{parts[0].upcase}", parts[0]]
-  when 2
-    [parts[0].upcase, parts[1]]
+  env_name, secret_name = case parts.length
+                          when 1
+                              ["CHEF_SECRET_#{parts[0].upcase}", parts[0]]
+                          when 2
+                              [parts[0].upcase, parts[1]]
+                          else
+                              raise "Bad secret spec: #{secret}"
+                          end
+
+  start.merge({ args: secret_name.split("."),
+                env_name: env_name,
+                name: secret_name })
+end
+
+veil = Veil::CredentialCollection::ChefSecretsFile.from_file(options[:secrets_file])
+packed_data = Hash.new()
+
+secrets = options[:secrets].map { |spec| from_secret_spec(spec) }
+secrets += options[:optional_secrets].map { |spec| from_secret_spec(spec, { optional: true }) }
+
+secrets.each do |secret|
+  veil_args = secret[:args]
+
+  begin
+    secret_value = veil.get(*veil_args)
+  rescue
+    raise unless secret[:optional]
+    next
+  end
+
+  if options[:pack] || options[:use_file]
+    STDERR.puts "Packing data using #{veil_args.inspect} and #{secret_value}" if options[:debug]
+    if veil_args.length == 2
+      packed_data[veil_args[0]] ||= {}
+      packed_data[veil_args[0]][veil_args[1]] = secret_value
+    elsif veil_args.length == 1
+      packed_data[veil_args[0]] = secret_value
+    elsif !secret[:optional]
+      raise "Invalid secrets name: #{secret[:name]}"
+    end
   else
-    raise "Bad secret spec: #{secret}"
+    STDERR.puts "Setting #{secret[:env_name]}=#{secret_value}" if options[:debug]
+    ENV[secret[:env_name]] = secret_value
   end
 end
 
-veil = Veil::CredentialCollection::ChefSecretsFile.from_file(options[:secrets_file])
-Array(options[:secrets]).each do |secret|
-  env_name, secret_name = env_name_from_secret_spec(secret)
-  veil_args = secret_name.split(".")
-  secret_value = veil.get(*veil_args)
-  STDERR.puts "Setting #{env_name}=#{secret_value}" if options[:debug]
-  ENV[env_name] = secret_value
+if options[:pack] && !options[:use_file]
+  ENV['CHEF_SECRETS_DATA'] = packed_data.to_json
+end
+
+if options[:use_file]
+  rd, wd = IO.pipe
+  wd.puts packed_data.to_json
+  wd.close
+  rd.close_on_exec = false
+  ENV['CHEF_SECRETS_FD'] = rd.to_i.to_s
 end
 
-exec(*ARGV)
+exec(*ARGV, close_others: false)

data/lib/veil/cipher/v1.rb

@@ -0,0 +1,16 @@
+module Veil
+  class Cipher
+    class V1
+      def initialize(_opts = {})
+      end
+
+      def encrypt(plaintext)
+        raise RuntimeError, "Veil::Cipher::V1#encrypt should never be called"
+      end
+
+      def decrypt(anything)
+        anything
+      end
+    end
+  end
+end

data/lib/veil/cipher/v2.rb

@@ -0,0 +1,41 @@
+require "base64"
+require "openssl"
+
+module Veil
+  class Cipher
+    class V2
+      attr_reader :key, :iv, :cipher
+
+      def initialize(opts = {})
+        @cipher = OpenSSL::Cipher.new("aes-256-cbc")
+        @key    = opts[:key] ? Base64.strict_decode64(opts[:key]) : cipher.random_key
+        @iv     = opts[:iv] ? Base64.strict_decode64(opts[:iv]) : cipher.random_iv
+      end
+
+      def encrypt(plaintext)
+        c = cipher
+        c.encrypt
+        c.key = key
+        c.iv = iv
+        Base64.strict_encode64(c.update(plaintext) + c.final)
+      end
+
+      def decrypt(ciphertext)
+        c = cipher
+        c.decrypt
+        c.key = key
+        c.iv = iv
+        JSON.parse(c.update(Base64.strict_decode64(ciphertext)) + c.final, symbolize_names: true)
+      end
+
+      def to_hash
+        {
+          type: self.class.name,
+          key: Base64.strict_encode64(key),
+          iv: Base64.strict_encode64(iv)
+        }
+      end
+      alias_method :to_h, :to_hash
+    end
+  end
+end

data/lib/veil/cipher.rb

@@ -0,0 +1,32 @@
+require "veil/cipher/v1"
+require "veil/cipher/v2"
+
+module Veil
+  class Cipher
+    DEFAULT_DECRYPTOR = Veil::Cipher::V1
+    DEFAULT_ENCRYPTOR = Veil::Cipher::V2
+
+    class << self
+      #
+      # Create a new Cipher instance
+      #
+      # Defaults to using v1 for decryption (noop), v2 for encryption.
+      # If invoked as default, v2 will generate key and iv.
+      #
+      # @param opts Hash<Symbol> a hash of options to pass to the constructor
+      #
+      # @example Veil::Cipher.create(type: "V1")
+      # @example Veil::Cipher.create(type: "V2", key: "blah", iv: "vi")
+      #
+      def create(opts = {})
+        case opts
+        when {}, nil
+          [ DEFAULT_DECRYPTOR.new({}), DEFAULT_ENCRYPTOR.new({}) ]
+        else
+          cipher = const_get(opts[:type])
+          [ cipher.new(opts), cipher.new(opts) ]
+        end
+      end
+    end
+  end
+end

data/lib/veil/credential_collection/base.rb

@@ -1,5 +1,6 @@
-require "veil/hasher"
+require "veil/cipher"
 require "veil/credential"
+require "veil/hasher"
 require "forwardable"
 
 module Veil
@@ -13,13 +14,14 @@ module Veil
 
       extend Forwardable
 
-      attr_reader :credentials, :hasher, :version
+      attr_reader :credentials, :hasher, :version, :decryptor, :encryptor
 
       def_delegators :@credentials, :size, :length, :find, :map, :select, :each, :[], :keys
 
       def initialize(opts = {})
         @hasher = Veil::Hasher.create(opts[:hasher] || {})
-        @credentials = expand_credentials_hash(opts[:credentials] || {})
+        @decryptor, @encryptor = Veil::Cipher.create(opts[:cipher] || {})
+        @credentials = expand_credentials_hash(decryptor.decrypt(opts[:credentials]) || {})
         @version = opts[:version] || 1
       end
 
@@ -28,7 +30,8 @@ module Veil
           type: self.class.name,
           version: version,
           hasher: hasher.to_h,
-          credentials: credentials_as_hash
+          cipher: encryptor.to_h,
+          credentials: encryptor.encrypt(credentials_as_hash.to_json)
         }
       end
       alias_method :to_h, :to_hash
@@ -173,6 +176,39 @@ module Veil
         end
       end
 
+      def credentials_as_hash
+        hash = Hash.new
+
+        credentials.each do |cred_or_group_name, cred_or_group_attrs|
+          if cred_or_group_attrs.is_a?(Hash)
+            cred_or_group_attrs.each do |name, cred|
+              hash[cred_or_group_name] ||= Hash.new
+              hash[cred_or_group_name][name] = cred.to_hash
+            end
+          else
+            hash[cred_or_group_name] = cred_or_group_attrs.to_hash
+          end
+        end
+
+        hash
+      end
+
+      def credentials_for_export
+        hash = Hash.new
+
+        credentials.each do |namespace, cred_or_creds|
+          if cred_or_creds.is_a?(Veil::Credential)
+            hash[namespace] = cred_or_creds.value
+          else
+            hash[namespace] = {}
+            cred_or_creds.each { |name, cred| hash[namespace][name] = cred.value }
+          end
+        end
+
+        hash
+      end
+      alias_method :legacy_credentials_hash, :credentials_for_export
+
       private
 
       def add_from_params(params)
@@ -219,21 +255,17 @@ module Veil
         expanded
       end
 
-      def credentials_as_hash
-        hash = Hash.new
-
-        credentials.each do |cred_or_group_name, cred_or_group_attrs|
-          if cred_or_group_attrs.is_a?(Hash)
-            cred_or_group_attrs.each do |name, cred|
-              hash[cred_or_group_name] ||= Hash.new
-              hash[cred_or_group_name][name] = cred.to_hash
-            end
-          else
-            hash[cred_or_group_name] = cred_or_group_attrs.to_hash
+      def import_credentials_hash(hash)
+        hash.each do |namespace, creds_hash|
+          credentials[namespace.to_s] ||= Hash.new
+          creds_hash.each do |cred, value|
+            credentials[namespace.to_s][cred.to_s] = Veil::Credential.new(
+              name: cred.to_s,
+              value: value,
+              length: value.length
+            )
           end
         end
-
-        hash
       end
     end
   end

data/lib/veil/credential_collection/chef_secrets_env.rb

@@ -0,0 +1,43 @@
+require "veil/credential_collection/base"
+require "json"
+
+module Veil
+  class CredentialCollection
+    class ChefSecretsEnv < Base
+
+      # Create a new ChefSecretsEnv
+      #
+      # @param [Hash] opts
+      #   a hash of options to pass to the constructor
+      def initialize(opts = {})
+        var_name = opts[:var_name] || 'CHEF_SECRETS_DATA'
+
+        @credentials = {}
+        import_credentials_hash(inflate_secrets_from_environment(var_name))
+      end
+
+      # Unsupported methods
+      def rotate
+        raise NotImplementedError
+      end
+      alias_method :rotate_credentials, :rotate
+      alias_method :save, :rotate
+
+      def inflate_secrets_from_environment(var_name)
+        value = ENV[var_name]
+        unless value
+          msg = "Env var #{var_name} has not been set. This should by done by "\
+            "launching this application via veil-env-wrapper."
+          raise InvalidCredentialCollectionEnv.new(msg)
+        end
+
+        begin
+          JSON.parse(value)
+        rescue JSON::ParserError => e
+          msg = "Env var #{var_name} could not be parsed: #{e.message}"
+          raise InvalidCredentialCollectionEnv.new(msg)
+        end
+      end
+    end
+  end
+end

data/lib/veil/credential_collection/chef_secrets_fd.rb

@@ -0,0 +1,57 @@
+require "veil/exceptions"
+require "veil/credential_collection/base"
+require "json"
+
+module Veil
+  class CredentialCollection
+    class ChefSecretsFd < Base
+
+      # Create a new ChefSecretsFd
+      #
+      # @param [Hash] opts
+      #   ignored
+      def initialize(opts = {})
+        @credentials = {}
+        import_credentials_hash(inflate_secrets_from_fd)
+      end
+
+      # Unsupported methods
+      def rotate
+        raise NotImplementedError
+      end
+      alias_method :rotate_credentials, :rotate
+      alias_method :save, :rotate
+
+      def inflate_secrets_from_fd
+        if ENV['CHEF_SECRETS_FD'].nil?
+          raise InvalidCredentialCollectionFd.new("CHEF_SECRETS_FD not found in environment")
+        end
+
+        fd = ENV['CHEF_SECRETS_FD'].to_i
+        value = nil
+
+        begin
+          file = IO.new(fd, "r")
+          value = file.gets
+        rescue StandardError => e
+          msg = "A problem occured trying to read passed file descriptor: #{e}"
+          raise InvalidCredentialCollectionFd.new(msg)
+        ensure
+          file.close if file
+        end
+
+        if !value
+          msg = "File at CHEF_SECRETS_FD (#{fd}) did not contain any data!"
+          raise InvalidCredentialCollectionFd.new(msg)
+        end
+
+        begin
+          JSON.parse(value)
+        rescue JSON::ParserError => e
+          msg = "Chef secrets data could not be parsed: #{e.message}"
+          raise InvalidCredentialCollectionFd.new(msg)
+        end
+      end
+    end
+  end
+end

data/lib/veil/credential_collection/chef_secrets_file.rb

@@ -16,7 +16,9 @@ module Veil
         end
       end
 
-      attr_reader :path, :user, :group
+      CURRENT_VERSION = 2.freeze
+
+      attr_reader :path, :user, :group, :key
 
       # Create a new ChefSecretsFile
       #
@@ -43,10 +45,10 @@ module Veil
 
         @user    = opts[:user]
         @group   = opts[:group] || @user
-        @version = opts[:version] || 1
+        opts[:version] = CURRENT_VERSION
         super(opts)
 
-        import_legacy_credentials(hash) if import_existing && legacy
+        import_credentials_hash(hash) if import_existing && legacy
       end
 
       # Set the secrets file path
@@ -57,11 +59,17 @@ module Veil
         @path = File.expand_path(path)
       end
 
-      # Save the CredentialCollection to file
+      # Save the CredentialCollection to file, encrypt it
       def save
-        FileUtils.mkdir_p(File.dirname(path)) unless File.directory?(File.dirname(path))
+        FileUtils.mkdir_p(File.dirname(path))
 
         f = Tempfile.new("veil") # defaults to mode 0600
+
+        if existing
+          @user  ||= existing.uid
+          @group ||= existing.gid
+        end
+
         FileUtils.chown(user, group, f.path) if user
         f.puts(JSON.pretty_generate(secrets_hash))
         f.flush
@@ -73,32 +81,13 @@ module Veil
 
       # Return the instance as a secrets style hash
       def secrets_hash
-        { "veil" => to_h }.merge(legacy_credentials_hash)
+        { "veil" => to_h }
       end
 
-      # Return the credentials in a legacy chef secrets hash
-      def legacy_credentials_hash
-        hash = Hash.new
-
-        to_h[:credentials].each do |namespace, creds|
-          hash[namespace] = {}
-          creds.each { |name, cred| hash[namespace][name] = cred[:value] }
-        end
-
-        hash
-      end
-
-      def import_legacy_credentials(hash)
-        hash.each do |namespace, creds_hash|
-          credentials[namespace.to_s] ||= Hash.new
-          creds_hash.each do |cred, value|
-            credentials[namespace.to_s][cred.to_s] = Veil::Credential.new(
-              name: cred.to_s,
-              value: value,
-              length: value.length
-            )
-          end
-        end
+      def existing
+        @existing ||= File.stat(path)
+      rescue Errno::ENOENT
+        nil
       end
     end
   end

data/lib/veil/credential_collection.rb

@@ -1,5 +1,7 @@
 require "veil/credential_collection/base"
+require "veil/credential_collection/chef_secrets_fd"
 require "veil/credential_collection/chef_secrets_file"
+require "veil/credential_collection/chef_secrets_env"
 
 module Veil
   class CredentialCollection
@@ -8,6 +10,10 @@ module Veil
       klass = case opts[:provider]
               when 'chef-secrets-file'
                 ChefSecretsFile
+              when 'chef-secrets-env'
+                ChefSecretsEnv
+              when 'chef-secrets-fd'
+                ChefSecretsFd
               else
                 raise UnknownProvider, "Unknown provider: #{opts[:provider]}"
               end

data/lib/veil/exceptions.rb

@@ -3,7 +3,10 @@ module Veil
   class InvalidSecret < StandardError; end
   class InvalidParameter < StandardError; end
   class InvalidHasher < StandardError; end
-  class InvalidCredentialCollectionFile < StandardError; end
+  class InvalidCredentialCollection < StandardError; end
+  class InvalidCredentialCollectionFile < InvalidCredentialCollection; end
+  class InvalidCredentialCollectionEnv <  InvalidCredentialCollection; end
+  class InvalidCredentialCollectionFd <  InvalidCredentialCollection; end
   class MissingParameter < StandardError; end
   class NotImplmented < StandardError; end
   class InvalidCredentialHash < StandardError; end

data/lib/veil/version.rb

@@ -1,3 +1,3 @@
 module Veil
-  VERSION = "0.2.0"
+  VERSION = "0.3.9"
 end

data/spec/cipher/v1_spec.rb

@@ -0,0 +1,15 @@
+require "spec_helper"
+
+describe Veil::Cipher::V1 do
+  describe "#decrypt" do
+    it "does nothing" do
+      expect(described_class.new().decrypt("hi")).to eq("hi")
+    end
+  end
+
+  describe "#encrypt" do
+    it "raises a RuntimeError" do
+      expect { described_class.new().encrypt("hi") }.to raise_error(RuntimeError)
+    end
+  end
+end

data/spec/cipher/v2_spec.rb

@@ -0,0 +1,46 @@
+require "spec_helper"
+require "openssl"
+
+describe Veil::Cipher::V2 do
+  let(:iv64) { Base64.strict_encode64("mondaytue16bytes") }
+  let(:key64) { Base64.strict_encode64("thursdayfridaysaturdaysun32bytes") }
+  let(:ciphertext64) { "qS6SRmgOgSta2jSdD60sJmu83cRgy4DUJ2nKZwStrqs=" }
+  let(:plainhash) { { "chef-server": "test-value" } }
+
+  describe "#new" do
+    it "accepts passed key and iv base64-encoded data" do
+      cipher = described_class.new(iv: iv64, key: key64)
+
+      expect(cipher.iv).to eq("mondaytue16bytes")
+      expect(cipher.key).to eq("thursdayfridaysaturdaysun32bytes")
+    end
+
+    it "generates key and iv data if none was passed" do
+      openssl = double(OpenSSL::Cipher)
+      expect(OpenSSL::Cipher).to receive(:new).and_return(openssl)
+      expect(openssl).to receive(:random_iv).and_return("random iv")
+      expect(openssl).to receive(:random_key).and_return("random key")
+      cipher = described_class.new()
+
+      expect(cipher.iv).to eq("random iv")
+      expect(cipher.key).to eq("random key")
+    end
+  end
+
+  describe "#decrypt" do
+    it "parses decrypted json data" do
+      expect(described_class.new(iv: iv64, key: key64).decrypt(ciphertext64)).to eq(plainhash)
+    end
+  end
+
+  describe "#to_hash" do
+    it "base64-encodes iv and key" do
+      expected = {
+        iv: "bW9uZGF5dHVlMTZieXRlcw==",
+        key: "dGh1cnNkYXlmcmlkYXlzYXR1cmRheXN1bjMyYnl0ZXM=",
+        type: "Veil::Cipher::V2"
+      }
+      expect(described_class.new(iv: iv64, key: key64).to_hash).to eq(expected)
+    end
+  end
+end

data/spec/cipher_spec.rb

@@ -0,0 +1,23 @@
+require "spec_helper"
+
+describe Veil::Cipher do
+  describe "#self.create" do
+    it "defaults to noop decrypt, v2 encrypt" do
+      dec, enc = described_class.create()
+      expect(dec.class).to eq(Veil::Cipher::V1)
+      expect(enc.class).to eq(Veil::Cipher::V2)
+    end
+
+    it "parses the non-namespaced type" do
+      dec, enc = described_class.create(type: "V2")
+      expect(dec.class).to eq(Veil::Cipher::V2)
+      expect(enc.class).to eq(Veil::Cipher::V2)
+    end
+
+    it "parses the complete type" do
+      dec, enc = described_class.create(type: "Veil::Cipher::V2")
+      expect(dec.class).to eq(Veil::Cipher::V2)
+      expect(enc.class).to eq(Veil::Cipher::V2)
+    end
+  end
+end

data/spec/credential_collection/base_spec.rb

@@ -25,10 +25,11 @@ describe Veil::CredentialCollection::Base do
     context "with credential options" do
       it "builds the credentials" do
         subject.add("foo", "bar", length: 22)
-        creds_hash = subject.to_hash[:credentials]
+        creds_hash = subject["foo"]["bar"].to_hash
+        new_instance = described_class.new(credentials: { foo: { bar: creds_hash } })
 
-        new_instance = described_class.new(credentials: creds_hash)
-        expect(new_instance["foo"]["bar"].value).to eq(subject["foo"]["bar"].value)
+        expected = subject["foo"]["bar"].value
+        expect(new_instance["foo"]["bar"].value).to eq(expected)
       end
     end
 

data/spec/credential_collection/chef_secrets_env_spec.rb

@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe Veil::CredentialCollection::ChefSecretsEnv do
+  describe "#new" do
+    context "env variable is set" do
+      let(:var_name) { "CHEF_SECRETS_DATA" }
+
+      before(:each) do
+        ENV[var_name] = '{ "secret_service": { "secret_name": "secret_value" } }'
+      end
+
+      it 'reads the secret from the env var CHEF_SECRETS_DATA' do
+        expect(subject.get("secret_service", "secret_name")).to eq("secret_value")
+      end
+
+      context "env variable name is passed" do
+        let(:var_name) { "CHEF_SECRETS_DATA_2" }
+        let(:subject) { described_class.new(var_name: var_name) }
+
+        it 'reads the secret from the passed env var name' do
+          expect(subject.get("secret_service", "secret_name")).to eq("secret_value")
+        end
+      end
+
+      context "env var content cannot be parsed" do
+        before(:each) do
+          ENV[var_name] = '{ "secre '
+        end
+
+        it "re-raises the JSON parse error" do
+          expect{ subject.get("secret_service", "secret_name") }.to raise_error(Veil::InvalidCredentialCollectionEnv)
+        end
+      end
+    end
+
+    context "env variable is not set" do
+      let(:var_name) { "CHEF_SECRETS_DATA" }
+
+      before(:each) do
+        ENV.delete(var_name)
+      end
+
+      it 'raises an exception' do
+        expect{ described_class.new }.to raise_error(Veil::InvalidCredentialCollectionEnv)
+      end
+    end
+
+    context "unsupported methods" do
+      let(:var_name) { "CHEF_SECRETS_DATA" }
+
+      before(:each) do
+        ENV[var_name] = '{}'
+      end
+
+      it 'does not support #rotate' do
+        expect{ subject.rotate }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #save' do
+        expect{ subject.save }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #rotate_hasher' do
+        expect{ subject.rotate_hasher }.to raise_error(NotImplementedError)
+      end
+    end
+  end
+end

data/spec/credential_collection/chef_secrets_fd_spec.rb

@@ -0,0 +1,64 @@
+require 'spec_helper'
+
+describe Veil::CredentialCollection::ChefSecretsFd do
+  describe "#new" do
+    let(:content) { '{ "secret_service": { "secret_name": "secret_value" } }' }
+    let(:content_file) {
+      rd, wr = IO.pipe
+      wr.puts content
+      wr.close
+      rd
+    }
+
+    context "env variable is set" do
+      before(:each) do
+        ENV['CHEF_SECRETS_FD'] = content_file.to_i.to_s
+      end
+
+      it 'reads the secret from the passed file descriptor' do
+        expect(subject.get("secret_service", "secret_name")).to eq("secret_value")
+      end
+
+      # TODO(ssd) 2017-03-22: We wanted a test for closing the FD, but
+      # didn't want to fight with ruby today.
+
+      context "env var content cannot be parsed" do
+        let(:content) { '{ "secre ' }
+
+        it "re-raises the JSON parse error" do
+          expect{ subject.get("secret_service", "secret_name") }.to raise_error(Veil::InvalidCredentialCollectionFd)
+        end
+      end
+    end
+
+    context "CHEF_SECRETS_FD is not set" do
+      before(:each) do
+        ENV.delete('CHEF_SECRETS_FD')
+      end
+
+      it 'raises an exception' do
+        expect{ described_class.new }.to raise_error(Veil::InvalidCredentialCollectionFd)
+      end
+    end
+
+    context "unsupported methods" do
+      let(:content) { '{}' }
+
+      before(:each) do
+        ENV['CHEF_SECRETS_FD'] = content_file.to_i.to_s
+      end
+
+      it 'does not support #rotate' do
+        expect{ subject.rotate }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #save' do
+        expect{ subject.save }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #rotate_hasher' do
+        expect{ subject.rotate_hasher }.to raise_error(NotImplementedError)
+      end
+    end
+  end
+end

data/spec/credential_collection/chef_secrets_file_spec.rb

@@ -7,10 +7,12 @@ describe Veil::CredentialCollection::ChefSecretsFile do
   let!(:file) { Tempfile.new("private_chef_secrets.json") }
   let(:user) { "opscode_user" }
   let(:group) { "opscode_group" }
+  let(:version) { 1 }
   let(:content) do
     {
       "veil" => {
         "type" => "Veil::CredentialCollection::ChefSecretsFile",
+        "version" => version,
         "hasher" => {},
         "credentials" => {}
       }
@@ -66,7 +68,7 @@ describe Veil::CredentialCollection::ChefSecretsFile do
   end
 
   describe "#save" do
-    it "saves the content to a machine loadable file" do
+    it "saves the content to a file it can read" do
       file.rewind
       creds = described_class.new(path: file.path)
       creds.add("redis_lb", "password")
@@ -80,6 +82,14 @@ describe Veil::CredentialCollection::ChefSecretsFile do
       expect(new_creds["postgresql"]["sql_ro_password"].value).to eq(creds["postgresql"]["sql_ro_password"].value)
     end
 
+    it "saves the content in an encrypted form" do
+      creds = described_class.new(path: file.path)
+      creds.add("postgresql", "sql_ro_password", value: "kneipenpathos")
+      creds.save
+
+      expect(IO.read(file.path)).to_not match(/kneipenpathos/)
+    end
+
     context "when using ownership management" do
       let(:tmpfile) do
         s = StringIO.new
@@ -87,56 +97,170 @@ describe Veil::CredentialCollection::ChefSecretsFile do
         s
       end
 
-      context "when the user is set" do
-        it "gives the file proper permissions" do
-          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
-          expect(FileUtils).to receive(:chown).with(user, user, "/tmp/unguessable")
-          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+      context "when the target file does not exist" do
+
+        let(:secrets_file) { double(File) }
+        before(:each) do
+          allow(File).to receive(:stat).with(file.path).and_raise(Errno::ENOENT)
+        end
+
+        context "when the user is not set" do
+          it "does not change any permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).not_to receive(:chown)
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
+        end
+
+        context "when the user is set" do
+          it "gives the file proper permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, user, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
 
-          creds = described_class.new(path: file.path,
-                                      user: user)
-          creds.add("redis_lb", "password")
-          creds.save
+            creds = described_class.new(path: file.path,
+                                        user: user)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
         end
       end
 
-      context "when user and group are set" do
-        it "gives the file proper permissions" do
-          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
-          expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
-          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
-
-          creds = described_class.new(path: file.path,
-                                      user: user,
-                                      group: group)
-          creds.add("redis_lb", "password")
-          creds.save
+      context "when the target file exists" do
+
+        let(:secrets_file) { double(File) }
+        let(:secrets_file_stat) { double(File, uid: 100, gid: 1000) }
+        before(:each) do
+          allow(File).to receive(:stat).with(file.path).and_return(secrets_file_stat)
+        end
+
+        context "when the user is not set" do
+          it "keeps the existing file permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(100, 1000, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
+        end
+
+        context "when the user is set" do
+          it "gives the file proper permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, user, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path,
+                                        user: user)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
         end
 
-        it "gives the file proper permission even when called from_file" do
-          file.puts("{}"); file.rewind
-          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
-          expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
-          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
-
-          creds = described_class.from_file(file.path,
-                                            user: user,
-                                            group: group)
-          creds.add("redis_lb", "password")
-          creds.save
+        context "when user and group are set" do
+          it "gives the file proper permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path,
+                                        user: user,
+                                        group: group)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
+
+          it "gives the file proper permission even when called from_file" do
+            file.puts("{}"); file.rewind
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.from_file(file.path,
+                                              user: user,
+                                              group: group)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
         end
       end
     end
 
-    it "saves the version number" do
+    it "saves the latest version number" do
       allow(FileUtils).to receive(:chown)
       file.rewind
-      creds = described_class.new(path: file.path, version: 12)
+      creds = described_class.new(path: file.path)
       creds.save
 
       file.rewind
       new_creds = described_class.from_file(file.path)
-      expect(new_creds.version).to eq(12)
+      expect(new_creds.version).to eq(2)
+    end
+
+    context "reading an unencrypted file" do
+      let(:existing_content) { <<EOF
+{
+  "veil": {
+    "type": "Veil::CredentialCollection::ChefSecretsFile",
+    "version": 1,
+    "hasher": {
+      "type": "Veil::Hasher::PBKDF2",
+      "secret": "5f6e76ae7f5b631a96f5142b2a4b837e23ab6d204dc9e635fc18783ae8d253596f9cd9b65e295c96cee0b9cd1171cae1ca2e897ca5419106785d99d4a42fe9897f2fc7f537a05d39f19b26aa05500e93d65621ed3cdbb718d3005f808fe04a2e2267c43f5100dfe1a6ab3b6462d7fe57bc3adced263fd8c2c55ddebc2f9067b475868e9fb950bf2ae37889e22c42fd686b168b25410a4fa7689a32686fab76e57cd64482ff411be69a4c9abefc5ed64227fb42db05f3b221ddc18c6bb7ca54625cd8a5426be0d9c2161f09f35a04bd9b07884f4319389801c123d0bd345d4218434d9aee87dbb115c5cc22d1c87ffc447c2a008e89edda7e25453076dd478df0f08d50206724cd055741b7521b889fbf6d12af7946ee069bdb60cf79b14e2dad910bab97ae0ff6a9c1f88556e493df26bff007728317683a14433b30a6b6537095c1a8906a08d8a067a1b2a0443ad6fcf007e6bd70c8a3bbfe571044652d3960fd200d23f046b2493463692b570f1c94dabb05933e8d6bcd7e59a708ac8b385034a32b5b1f20635cb10e8027376f496ee1e8496c3517e24bfab3a840f0994a7fde433dc942be781488e6ebbbc68872467ebd216c71e092b2adae600a50bc2ace312cc8cd7949ddb16b72555c9d511211e22383eb515dad22032e80c11f3193a1b357f1c073e4770e314a960bbeada64b36078cfc18e806c03743a0dcd1f77ef3",
+      "salt": "78a8140351ecbfaee137655377aa15138655dc65a49c53ca5f6ee05c7b9c3db9dbc0e2bfdf14af3a062a1cc513e4e086126cf428890df3caf11d9714729027ac93fbf8b7bd9d8fc734b7b4a84c979b45e804e573f93f5cd6dab0b1cf7e5b6191c0924e61b84e8289065918fa991846e1a0f19f357c497c9fa4c420fda0578c14",
+      "iterations": 10000,
+      "hash_function": "OpenSSL::Digest::SHA512"
+    },
+    "credentials": {
+      "postgresql": {
+        "db_superuser_password": {
+          "type": "Veil::Credential",
+          "name": "db_superuser_password",
+          "group": "postgresql",
+          "value": "37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3",
+          "version": 1,
+          "length": 100,
+          "frozen": false
+        }
+      }
+    }
+  },
+  "postgresql": {
+    "db_superuser_password": "37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3"
+  }
+}
+EOF
+}
+      let(:tempfile) { Tempfile.new("private-chef-secrets").path }
+
+      before(:each) do
+        File.write(tempfile, existing_content)
+      end
+
+      it "reads the secrets" do
+        creds = described_class.new(path: tempfile)
+        expect(creds["postgresql"]["db_superuser_password"].value).to eq("37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3")
+      end
+
+      it "saves the file encrypted" do
+        creds = described_class.new(path: tempfile)
+        creds.save
+
+        expect(IO.read(tempfile)).to_not match("37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3")
+      end
+
+      it "keeps only the veil key of the file's hash" do
+        creds = described_class.new(path: tempfile)
+        creds.save
+
+        json = JSON.parse(IO.read(tempfile))
+        expect(json.keys).to eq(["veil"])
+      end
     end
   end
 end

data/spec/credential_collection_spec.rb

@@ -11,6 +11,15 @@ describe Veil::CredentialCollection do
       end
     end
 
+    context 'passing provider "chef-secrets-env"' do
+      let(:opts) { { provider: 'chef-secrets-env' } }
+
+      it 'instantiates ChefSecretsFile with all options' do
+        expect(Veil::CredentialCollection::ChefSecretsEnv).to receive(:new).with(opts)
+        described_class.from_config(opts)
+      end
+    end
+
     context 'passing anything else as provider' do
       let(:opts) { { provider: 'vault' } }
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: veil
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.9
 platform: ruby
 authors:
 - Chef Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-13 00:00:00.000000000 Z
+date: 2021-08-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -38,20 +38,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: bundler
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -82,10 +68,9 @@ dependencies:
         version: '3.0'
 description: Veil is a Ruby Gem for generating secure secrets from a shared secret
 email:
-- partnereng@chef.io
+- info@chef.io
 executables:
-- console
-- setup
+- veil-dump-secrets
 - veil-env-helper
 - veil-ingest-secret
 extensions: []
@@ -94,12 +79,18 @@ files:
 - LICENSE
 - bin/console
 - bin/setup
+- bin/veil-dump-secrets
 - bin/veil-env-helper
 - bin/veil-ingest-secret
 - lib/veil.rb
+- lib/veil/cipher.rb
+- lib/veil/cipher/v1.rb
+- lib/veil/cipher/v2.rb
 - lib/veil/credential.rb
 - lib/veil/credential_collection.rb
 - lib/veil/credential_collection/base.rb
+- lib/veil/credential_collection/chef_secrets_env.rb
+- lib/veil/credential_collection/chef_secrets_fd.rb
 - lib/veil/credential_collection/chef_secrets_file.rb
 - lib/veil/exceptions.rb
 - lib/veil/hasher.rb
@@ -108,7 +99,12 @@ files:
 - lib/veil/hasher/pbkdf2.rb
 - lib/veil/utils.rb
 - lib/veil/version.rb
+- spec/cipher/v1_spec.rb
+- spec/cipher/v2_spec.rb
+- spec/cipher_spec.rb
 - spec/credential_collection/base_spec.rb
+- spec/credential_collection/chef_secrets_env_spec.rb
+- spec/credential_collection/chef_secrets_fd_spec.rb
 - spec/credential_collection/chef_secrets_file_spec.rb
 - spec/credential_collection_spec.rb
 - spec/credential_spec.rb
@@ -119,7 +115,7 @@ files:
 - spec/spec_helper.rb
 - spec/utils_spec.rb
 - spec/veil_spec.rb
-homepage: https://github.com/chef/chef-server/
+homepage: https://github.com/chef/chef_secrets/
 licenses:
 - Apache-2.0
 metadata: {}
@@ -138,13 +134,17 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: Veil is a Ruby Gem for generating secure secrets from a shared secret
 test_files:
+- spec/cipher/v1_spec.rb
+- spec/cipher/v2_spec.rb
+- spec/cipher_spec.rb
 - spec/credential_collection/base_spec.rb
+- spec/credential_collection/chef_secrets_env_spec.rb
+- spec/credential_collection/chef_secrets_fd_spec.rb
 - spec/credential_collection/chef_secrets_file_spec.rb
 - spec/credential_collection_spec.rb
 - spec/credential_spec.rb