veil 0.2.0

data/lib/veil/credential_collection/chef_secrets_file.rb

@@ -0,0 +1,105 @@
+require "veil/credential_collection/base"
+require "fileutils"
+require "json"
+require "tempfile"
+
+module Veil
+  class CredentialCollection
+    class ChefSecretsFile < Base
+      class << self
+        def from_file(path, opts = {})
+          unless File.exists?(path)
+            raise InvalidCredentialCollectionFile.new("#{path} does not exist")
+          end
+
+          new(opts.merge(path: path))
+        end
+      end
+
+      attr_reader :path, :user, :group
+
+      # Create a new ChefSecretsFile
+      #
+      # @param [Hash] opts
+      #   a hash of options to pass to the constructor
+      def initialize(opts = {})
+        @path = (opts[:path] && File.expand_path(opts[:path])) || "/etc/opscode/private-chef-secrets.json"
+
+        import_existing = File.exists?(path) && (File.size(path) != 0)
+        legacy = true
+
+        if import_existing
+          begin
+            hash = JSON.parse(IO.read(path), symbolize_names: true)
+          rescue JSON::ParserError, Errno::ENOENT => e
+            raise InvalidCredentialCollectionFile.new("#{path} is not a valid credentials file:\n #{e.message}")
+          end
+
+          if hash.key?(:veil) && hash[:veil][:type] == "Veil::CredentialCollection::ChefSecretsFile"
+            opts = Veil::Utils.symbolize_keys(hash[:veil]).merge(opts)
+            legacy = false
+          end
+        end
+
+        @user    = opts[:user]
+        @group   = opts[:group] || @user
+        @version = opts[:version] || 1
+        super(opts)
+
+        import_legacy_credentials(hash) if import_existing && legacy
+      end
+
+      # Set the secrets file path
+      #
+      # @param [String] path
+      #   a path to the private-chef-secrets.json
+      def path=(path)
+        @path = File.expand_path(path)
+      end
+
+      # Save the CredentialCollection to file
+      def save
+        FileUtils.mkdir_p(File.dirname(path)) unless File.directory?(File.dirname(path))
+
+        f = Tempfile.new("veil") # defaults to mode 0600
+        FileUtils.chown(user, group, f.path) if user
+        f.puts(JSON.pretty_generate(secrets_hash))
+        f.flush
+        f.close
+
+        FileUtils.mv(f.path, path)
+        true
+      end
+
+      # Return the instance as a secrets style hash
+      def secrets_hash
+        { "veil" => to_h }.merge(legacy_credentials_hash)
+      end
+
+      # Return the credentials in a legacy chef secrets hash
+      def legacy_credentials_hash
+        hash = Hash.new
+
+        to_h[:credentials].each do |namespace, creds|
+          hash[namespace] = {}
+          creds.each { |name, cred| hash[namespace][name] = cred[:value] }
+        end
+
+        hash
+      end
+
+      def import_legacy_credentials(hash)
+        hash.each do |namespace, creds_hash|
+          credentials[namespace.to_s] ||= Hash.new
+          creds_hash.each do |cred, value|
+            credentials[namespace.to_s][cred.to_s] = Veil::Credential.new(
+              name: cred.to_s,
+              value: value,
+              length: value.length
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/veil/exceptions.rb

@@ -0,0 +1,15 @@
+module Veil
+  class InvalidSalt < StandardError; end
+  class InvalidSecret < StandardError; end
+  class InvalidParameter < StandardError; end
+  class InvalidHasher < StandardError; end
+  class InvalidCredentialCollectionFile < StandardError; end
+  class MissingParameter < StandardError; end
+  class NotImplmented < StandardError; end
+  class InvalidCredentialHash < StandardError; end
+  class CredentialNotFound < StandardError; end
+  class GroupNotFound < StandardError; end
+  class FileNotFound < StandardError; end
+  class FileNotReadable < StandardError; end
+  class UnknownProvider < StandardError; end
+end

data/lib/veil/hasher.rb

@@ -0,0 +1,29 @@
+require "veil/utils"
+require "veil/hasher/base"
+require "veil/hasher/bcrypt"
+require "veil/hasher/pbkdf2"
+
+module Veil
+  class Hasher
+    DEFAULT_OPTIONS = {
+      type: "Veil::Hasher::PBKDF2",
+      iterations: 10_000,
+      hash_function: "SHA512"
+    }
+
+    class << self
+      #
+      # Create a new Hasher instance
+      #
+      # @param opts Hash<Symbol> a hash of options to pass to the constructor
+      #
+      # @example Veil::Hasher.create(type: "BCrypt", cost: 10)
+      # @example Veil::Hasher.create(type: "PBKDF2", iterations: 1000, hash_function: "SHA256")
+      #
+      def create(opts = {})
+        opts = Veil::Utils.symbolize_keys(DEFAULT_OPTIONS.merge(opts))
+        const_get(opts[:type]).new(opts)
+      end
+    end
+  end
+end

data/lib/veil/hasher/base.rb

@@ -0,0 +1,44 @@
+require "openssl"
+require "veil/exceptions"
+
+module Veil
+  class Hasher
+    class Base
+
+      # Hash the credential group, name and version with the stored secret and salt
+      #
+      # @param [String] group
+      #   The service group name, eg: postgresql
+      #
+      # @param [String] name
+      #   The credential name, eg: sql_password
+      #
+      # @param [Integer] version
+      #   The Credential version, eg: 1
+      #
+      # @return [String] SHA512 hex digest of hashed data
+      def encrypt(group, name, version)
+        raise Veil::NotImplmented.new("#{caller[0]} has not implemented #encrypt")
+      end
+
+      # Return the instance as a Hash
+      #
+      # @return [Hash<Symbol,String>]
+      def to_hash
+        raise Veil::NotImplmented.new("#{caller[0]} has not implemented #to_hash")
+      end
+
+      private
+
+      # Create a SHA512 hex digest
+      #
+      # @param [String] data
+      #   Data to digest
+      #
+      # @return [String]
+      def hex_digest(data)
+        OpenSSL::Digest::SHA512.hexdigest(data)
+      end
+    end
+  end
+end

data/lib/veil/hasher/bcrypt.rb

@@ -0,0 +1,59 @@
+require "veil/hasher/base"
+require "securerandom"
+require "bcrypt"
+
+module Veil
+  class Hasher
+    class BCrypt < Base
+      attr_reader :secret, :salt
+
+      # Create a new BCrypt
+      #
+      # @param [Hash] opts
+      #   a hash of options to pass to the constructor
+      def initialize(opts = {})
+        if opts[:secret] && opts[:salt]
+          if ::BCrypt::Engine.valid_secret?(opts[:secret]) && ::BCrypt::Engine.valid_salt?(opts[:salt])
+            @secret = opts.delete(:secret)
+            @salt = opts.delete(:salt)
+          elsif ::BCrypt::Engine.valid_secret?(opts[:secret])
+            raise Veil::InvalidSalt.new("#{opts[:salt]} is not valid salt")
+          else
+            raise Veil::InvalidSecret.new("#{opts[:secret]} is not valid secret")
+          end
+        else
+          @secret = SecureRandom.hex(512)
+          @salt = ::BCrypt::Engine.generate_salt(opts[:cost] || 10)
+        end
+      end
+
+      # Hash the credential group, name and version with the stored secret and salt
+      #
+      # @param [String] group
+      #   The service group name, eg: postgresql
+      #
+      # @param [String] name
+      #   The credential name, eg: sql_password
+      #
+      # @param [Integer] version
+      #   The Credential version, eg: 1
+      #
+      # @return [String] SHA512 hex digest of hashed data
+      def encrypt(group, name, version)
+        hex_digest(::BCrypt::Engine.hash_secret(hex_digest([secret, group, name, version].join), salt))
+      end
+
+      # Return the instance as a Hash
+      #
+      # @return [Hash<Symbol,String>]
+      def to_hash
+        {
+          type: self.class.name,
+          secret: secret,
+          salt: salt,
+        }
+      end
+      alias_method :to_h, :to_hash
+    end
+  end
+end

data/lib/veil/hasher/pbkdf2.rb

@@ -0,0 +1,54 @@
+require "veil/hasher/base"
+require "securerandom"
+
+module Veil
+  class Hasher
+    class PBKDF2 < Base
+      attr_reader :secret, :salt, :iterations, :hash_function
+
+      # Create a new PBKDF2
+      #
+      # @param [Hash] opts
+      #   a hash of options to pass to the constructor
+      def initialize(opts = {})
+        @secret = opts[:secret] || SecureRandom.hex(512)
+        @salt = opts[:salt] || SecureRandom.hex(128)
+        @iterations = opts[:iterations] || 100_000
+        @hash_function = OpenSSL::Digest.const_get((opts[:hash_function] || "SHA512")).new
+      end
+
+      # Hash data with the stored secret and salt
+      #
+      # @param [String] data
+      #   The service name and version to be encrypted with the shared key
+      #
+      # @param [Hash] opts
+      #   Optional parameter overrides
+      #
+      # @return [String] SHA512 hex digest of hashed data
+      def encrypt(group, name, version)
+        hex_digest(OpenSSL::PKCS5.pbkdf2_hmac(
+          [secret, group, name, version].join,
+          salt,
+          iterations,
+          hash_function.length,
+          hash_function
+        ))
+      end
+
+      # Return the instance as a Hash
+      #
+      # @return [Hash]
+      def to_hash
+        {
+          type: self.class.name,
+          secret: secret,
+          salt: salt,
+          iterations: iterations,
+          hash_function: hash_function.class.name
+        }
+      end
+      alias_method :to_h, :to_hash
+    end
+  end
+end

data/lib/veil/utils.rb

@@ -0,0 +1,25 @@
+module Veil
+  module Utils
+    class << self
+      def symbolize_keys(hash)
+        new_hash = {}
+        hash.keys.each { |k| new_hash[k.to_sym] = hash.delete(k) }
+        new_hash
+      end
+
+      def symbolize_keys!(hash)
+        hash = symbolize_keys(hash)
+      end
+
+      def stringify_keys(hash)
+        new_hash = {}
+        hash.keys.each { |k| new_hash[k.to_s] = hash.delete(k) }
+        new_hash
+      end
+
+      def stringify_keys!(hash)
+        hash = stringify_keys(hash)
+      end
+    end
+  end
+end

data/lib/veil/version.rb

@@ -0,0 +1,3 @@
+module Veil
+  VERSION = "0.2.0"
+end

data/spec/credential_collection/base_spec.rb

@@ -0,0 +1,433 @@
+require "spec_helper"
+
+describe Veil::CredentialCollection::Base do
+  let(:salt)    { "$2a$11$4xS0IHHxU5sOYNNZ5X53Qe" }
+  let(:secret)  { "ultrasecure" }
+  let(:hasher)  { Veil::Hasher.create(type: "BCrypt", secret: secret, salt: salt) }
+
+  subject { described_class.new(hasher: hasher.to_h) }
+
+  describe "#self.create" do
+    it "returns a credential store from the hash" do
+      expect(described_class.create.class).to eq(described_class)
+    end
+  end
+
+  describe "#new" do
+    context "with hasher options" do
+      it "builds the hasher instance" do
+        hasher_hash = subject.hasher.to_h
+        new_instance = described_class.new(hasher: hasher_hash)
+        expect(new_instance.hasher.to_h).to eq(hasher_hash)
+      end
+    end
+
+    context "with credential options" do
+      it "builds the credentials" do
+        subject.add("foo", "bar", length: 22)
+        creds_hash = subject.to_hash[:credentials]
+
+        new_instance = described_class.new(credentials: creds_hash)
+        expect(new_instance["foo"]["bar"].value).to eq(subject["foo"]["bar"].value)
+      end
+    end
+
+    context "with version options" do
+      it "defaults to version 1" do
+        expect(subject.version).to eq(1)
+      end
+
+      it "sets the version" do
+        new_instance = described_class.new(version: 12)
+        expect(new_instance.version).to eq(12)
+      end
+    end
+  end
+
+  describe "#get" do
+    before do
+      subject.add("testkey0", value: "testvalue0")
+      subject.add("testgroup", "testkey1", value: "testvalue1")
+    end
+
+    it "returns the value of a given credential" do
+      expect(subject.get("testkey0")).to eq("testvalue0")
+    end
+
+    it "returns the value of a given credential in a group" do
+      expect(subject.get("testgroup", "testkey1")).to eq("testvalue1")
+    end
+
+    it "raises an error if the credential isn't found" do
+      expect { subject.get("dne") }.to raise_error(Veil::CredentialNotFound)
+    end
+
+    it "raises an error if the group isn't found" do
+      expect { subject.get("dne", "tesetkey") }.to raise_error(Veil::GroupNotFound)
+    end
+
+    it "raises an error if the credential isn't found in the group" do
+      expect { subject.get("testgroup", "dne") }.to raise_error(Veil::CredentialNotFound)
+    end
+
+    it "raises an error if the wrong number of arguments are given" do
+      expect { subject.get("testgroup", "tesetkey", "whoops") }.to raise_error(ArgumentError)
+    end
+  end
+
+  describe "#exist?" do
+    it "returns false if the key does not exist" do
+      expect(subject.exist?("Invalid Key")).to eq(false)
+    end
+
+    it "returns true if the key does exist" do
+      subject.add("testkey0", value: "testvalue0")
+      expect(subject.exist?("testkey0")).to eq(true)
+    end
+  end
+
+  describe "#add_from_file" do
+    context "when the file can be read" do
+      # using this as our input file lets us do less mocking of
+      # file sanity checks.
+      let (:input_file) { "/" }
+      let (:secret_content) { "a secret!" }
+
+      before do
+        allow(File).to receive(:read).with(input_file).and_return secret_content
+      end
+
+      context "with a name" do
+        it "adds the contents of the file as a credential" do
+          subject.add_from_file(input_file, "supersecret")
+          cred = subject["supersecret"]
+          expect(cred).to be_instance_of(Veil::Credential)
+          expect(cred.value).to eq secret_content
+          expect(cred.frozen).to be true
+        end
+      end
+
+      context "with a group and name" do
+        it "adds the contents of the file as a credential" do
+          subject.add_from_file(input_file, "super", "secret")
+          cred = subject["super"]["secret"]
+          expect(cred).to be_instance_of(Veil::Credential)
+          expect(cred.value).to eq secret_content
+          expect(cred.frozen).to be true
+        end
+      end
+    end
+
+    context "when the file can not be read" do
+      let (:input_file) { "/invalid" }
+
+      it "fails with a FileNotReadable error" do
+        expect { subject.add_from_file(input_file, "supersecret") }.to raise_error(Veil::FileNotReadable)
+      end
+    end
+  end
+
+  describe "#add" do
+    it "creates a new credential" do
+      subject.add("cowabunga")
+      expect(subject["cowabunga"]).to be_instance_of(Veil::Credential)
+    end
+
+    context "with a name" do
+      it "creates a new credential the right name" do
+        subject.add("cowabunga")
+        expect(subject["cowabunga"]).to be_instance_of(Veil::Credential)
+        expect(subject["cowabunga"].name).to eq("cowabunga")
+      end
+    end
+
+    context "with a group and name" do
+      it "creates a new credential the right group and name" do
+        subject.add("my_db", "password")
+        expect(subject["my_db"]["password"]).to be_instance_of(Veil::Credential)
+        expect(subject["my_db"]["password"].name).to eq("password")
+      end
+    end
+
+    context "with a name and length" do
+      it "creates a new credential the right name and length" do
+        subject.add("conspiracy", length: 23)
+        expect(subject["conspiracy"]).to be_instance_of(Veil::Credential)
+        expect(subject["conspiracy"].length).to eq(23)
+        expect(subject["conspiracy"].value.length).to eq(23)
+      end
+    end
+
+    context "with a group, name, and length" do
+      it "creates a new credential the right group and name" do
+        subject.add("my_db", "password", length: 15)
+        expect(subject["my_db"]["password"]).to be_instance_of(Veil::Credential)
+        expect(subject["my_db"]["password"].name).to eq("password")
+        expect(subject["my_db"]["password"].length).to eq(15)
+        expect(subject["my_db"]["password"].value.length).to eq(15)
+      end
+    end
+
+    context "with a group, name, default" do
+      it "creates a new credential the right group and name" do
+        subject.add("my_db", "password", value: "super_unison")
+        expect(subject["my_db"]["password"]).to be_instance_of(Veil::Credential)
+        expect(subject["my_db"]["password"].name).to eq("password")
+        expect(subject["my_db"]["password"].value).to eq("super_unison")
+      end
+    end
+
+    context "with a name and default" do
+      it "creates a new credential the right group and name" do
+        subject.add("luau", value: "new_math")
+        expect(subject["luau"]).to be_instance_of(Veil::Credential)
+        expect(subject["luau"].name).to eq("luau")
+        expect(subject["luau"].value).to eq("new_math")
+      end
+    end
+
+    context "when the credential already exists" do
+      it "does not overwrite it" do
+        subject.add("my_db", "password", length: 15)
+        val = subject["my_db"]["password"].value
+        subject.add("my_db", "password", value: "new-password")
+        expect(subject["my_db"]["password"].value).to eq(val)
+      end
+
+      it "returns the existing credential" do
+        subject.add("my_db", "password", length: 15)
+        my_db = subject["my_db"]["password"]
+        expect(subject.add("my_db", "password")).to eq(my_db)
+      end
+
+      context "when force: true is given as param" do
+        it "does overwrite it" do
+          subject.add("my_db", "password", length: 15)
+          subject.add("my_db", "password", value: 'new-password', force: true)
+          expect(subject["my_db"]["password"].value).to eq("new-password")
+        end
+
+        it "returns the new credential" do
+          subject.add("my_db", "password", length: 15)
+          expect(subject.add("my_db", "password", value: "new-password", force: true).value).to eq('new-password')
+        end
+      end
+
+      context "when force: true is given as param and :frozen is not" do
+        it "sets frozen to true" do
+          subject.add("my_db", "password", value: 'new-password', force: true)
+          expect(subject["my_db"]["password"].frozen).to eq(true)
+        end
+      end
+
+      context "when force: true is given as param and :frozen is false" do
+        it "sets frozen to false" do
+          subject.add("my_db", "password", value: 'new-password', force: true, frozen: false)
+          expect(subject["my_db"]["password"].frozen).to eq(false)
+        end
+      end
+
+      context "when force: false is given as param and :frozen is true" do
+        it "sets frozen to true" do
+          subject.add("my_db", "password", value: 'new-password', force: true, frozen: true)
+          expect(subject["my_db"]["password"].frozen).to eq(true)
+        end
+
+      end
+
+      context "when force: false is given as param and :frozen is false" do
+        it "sets frozen to false" do
+          subject.add("my_db", "password", value: 'new-password', force: true, frozen: false)
+          expect(subject["my_db"]["password"].frozen).to eq(false)
+        end
+      end
+    end
+  end
+
+  describe "#remove" do
+    context "with a cred" do
+      context "with a match" do
+        it "returns the value and removes the credential" do
+          subject.add("funk")
+          value = subject["funk"]
+          expect(subject.remove("funk")).to eq(value)
+          expect(subject["funk"]).to be_nil
+        end
+
+        context "when there is not a match" do
+          it "returns nil" do
+            expect(subject.remove("not_a_cred")).to be_nil
+          end
+        end
+      end
+    end
+
+    context "with a group and cred" do
+      context "with a match" do
+        it "returns the value and removes the credential" do
+          subject.add("grandfunk", "railroad")
+          value = subject["grandfunk"]["railroad"]
+          expect(subject.remove("grandfunk", "railroad")).to eq(value)
+          expect(subject["grandfunk"]["railroad"]).to be_nil
+        end
+
+        context "when there is not a match" do
+          it "returns nil" do
+            expect(subject.remove("nested", "thing")).to be_nil
+          end
+        end
+      end
+    end
+  end
+
+  describe "#rotate_hasher" do
+    it "creates a new hasher" do
+      hasher = subject.hasher
+      subject.rotate_hasher
+      expect(subject.hasher).to_not eq(hasher)
+    end
+
+    it "rotates all credentials" do
+      subject.add("foo")
+      foo_val = subject["foo"].value
+      subject.add("bar", "baz", length: 25)
+      baz_val = subject["bar"]["baz"].value
+
+      subject.rotate_hasher
+
+      expect(subject["foo"].value).to_not eq(foo_val)
+      expect(subject["foo"].version).to eq(1)
+      expect(subject["bar"]["baz"].value).to_not eq(baz_val)
+      expect(subject["bar"]["baz"].version).to eq(1)
+    end
+
+    context "with frozen credentials" do
+      it "rotates all credentials that are not frozen" do
+        subject.add("foo")
+        foo_val = subject["foo"].value
+        subject.add("bar", "baz", length: 25)
+        baz_val = subject["bar"]["baz"].value
+        subject.add("qux", "quux", frozen: true)
+        baz_val = subject["qux"]["quux"].value
+
+        subject.rotate_hasher
+
+        expect(subject["foo"].value).to_not eq(foo_val)
+        expect(subject["foo"].version).to eq(1)
+        expect(subject["bar"]["baz"].value).to_not eq(baz_val)
+        expect(subject["bar"]["baz"].version).to eq(1)
+        expect(subject["qux"]["quux"].value).to eq(baz_val)
+        expect(subject["qux"]["quux"].version).to eq(0)
+      end
+    end
+  end
+
+  describe "#rotate_credentials" do
+    it "doesn't create a new hasher" do
+      hasher = subject.hasher
+      subject.rotate_credentials
+      expect(subject.hasher).to eq(hasher)
+    end
+
+    it "rotates all credentials" do
+      subject.add("foo")
+      foo_val = subject["foo"].value
+      subject.add("bar", "baz", length: 25)
+      baz_val = subject["bar"]["baz"].value
+
+      subject.rotate_credentials
+
+      expect(subject["foo"].value).to_not eq(foo_val)
+      expect(subject["foo"].version).to eq(1)
+      expect(subject["bar"]["baz"].value).to_not eq(baz_val)
+      expect(subject["bar"]["baz"].version).to eq(1)
+    end
+
+    context "with frozen credentials" do
+      it "rotates all credentials that are not frozen" do
+        subject.add("foo")
+        foo_val = subject["foo"].value
+        subject.add("bar", "baz", length: 25)
+        baz_val = subject["bar"]["baz"].value
+        subject.add("qux", "quux", frozen: true)
+        baz_val = subject["qux"]["quux"].value
+
+        subject.rotate_credentials
+
+        expect(subject["foo"].value).to_not eq(foo_val)
+        expect(subject["foo"].version).to eq(1)
+        expect(subject["bar"]["baz"].value).to_not eq(baz_val)
+        expect(subject["bar"]["baz"].version).to eq(1)
+        expect(subject["qux"]["quux"].value).to eq(baz_val)
+        expect(subject["qux"]["quux"].version).to eq(0)
+      end
+    end
+  end
+
+  describe "#rotate" do
+    context "when the credential exists" do
+      it "rotates the credential" do
+        subject.add("life_choices")
+        old_val = subject["life_choices"].value
+        old_version = subject["life_choices"].version
+
+        subject.rotate("life_choices")
+        expect(subject["life_choices"].value).to_not eq(old_val)
+        expect(subject["life_choices"].version).to eq(old_version + 1)
+      end
+    end
+
+    context "when the credential does not exist" do
+      it "returns nil" do
+        expect(subject.rotate("not_a_cred")).to be_nil
+      end
+    end
+
+    context "when passed a set name only" do
+      it "rotates each credential" do
+        subject.add("desert", "black_eagle")
+        eagle_val = subject["desert"]["black_eagle"].value
+
+        subject.add("desert", "mercury_six")
+        mercury_val = subject["desert"]["mercury_six"].value
+
+        subject.rotate("desert")
+
+        expect(subject["desert"]["black_eagle"].value).to_not eq(eagle_val)
+        expect(subject["desert"]["black_eagle"].version).to eq(1)
+        expect(subject["desert"]["mercury_six"].value).to_not eq(mercury_val)
+        expect(subject["desert"]["mercury_six"].version).to eq(1)
+      end
+    end
+
+    context "with a frozen credential" do
+      it "does not rotate the credential" do
+        subject.add("mannequin", "republic", frozen: true)
+        old_val = subject["mannequin"]["republic"].value
+
+        subject.rotate("mannequin", "republic")
+
+        expect(subject["mannequin"]["republic"].value).to eq(old_val)
+        expect(subject["mannequin"]["republic"].version).to eq(0)
+      end
+    end
+  end
+
+  describe "#to_hash" do
+    it "returns a valid hash" do
+      subject.add("foo")
+      subject.add("bar", "baz", length: 31)
+      subject.add("saint", "matthew", frozen: true)
+
+      new_instance = described_class.new(subject.to_hash)
+      expect(new_instance["foo"].version).to eq(subject["foo"].version)
+      expect(new_instance["foo"].value).to eq(subject["foo"].value)
+      expect(new_instance["bar"]["baz"].version).to eq(subject["bar"]["baz"].version)
+      expect(new_instance["bar"]["baz"].value).to eq(subject["bar"]["baz"].value)
+      expect(new_instance["bar"]["baz"].length).to eq(subject["bar"]["baz"].length)
+      expect(new_instance["saint"]["matthew"].version).to eq(subject["saint"]["matthew"].version)
+      expect(new_instance["saint"]["matthew"].value).to eq(subject["saint"]["matthew"].value)
+      expect(new_instance["saint"]["matthew"].frozen).to eq(subject["saint"]["matthew"].frozen)
+    end
+  end
+end