veil 0.2.0

data/spec/credential_collection/chef_secrets_file_spec.rb

@@ -0,0 +1,142 @@
+require "spec_helper"
+require "tempfile"
+require 'stringio'
+
+describe Veil::CredentialCollection::ChefSecretsFile do
+  let(:hasher) { Veil::Hasher.create }
+  let!(:file) { Tempfile.new("private_chef_secrets.json") }
+  let(:user) { "opscode_user" }
+  let(:group) { "opscode_group" }
+  let(:content) do
+    {
+      "veil" => {
+        "type" => "Veil::CredentialCollection::ChefSecretsFile",
+        "hasher" => {},
+        "credentials" => {}
+      }
+    }
+  end
+  let(:legacy_content) do
+    {
+      "redis_lb" => {
+        "password" => "f1ad3e8b1e47bc81720742a2572b9ff"
+      },
+      "rabbitmq" => {
+        "password" => "f5031e56ae018a7b71ce153086fc88f",
+        "actions_password" => "92609a68d03b50afcc597d7"
+      }
+    }
+  end
+
+  describe "#self.from_file" do
+    context "when the file exists" do
+      context "when it's a valid credential store" do
+        it "returns an instance" do
+          file.write(JSON.pretty_generate(content))
+          file.rewind
+          expect(described_class.from_file(file.path)).to be_instance_of(described_class)
+        end
+      end
+
+      context "when it's not a valid credential store" do
+        it "raises an error" do
+          file.write("not a json chef secrets file")
+          file.rewind
+          expect { described_class.from_file(file.path) }.to raise_error(Veil::InvalidCredentialCollectionFile)
+        end
+      end
+
+      context "when it's a legacy secrets file" do
+        it "imports the legacy file" do
+          file.write(JSON.pretty_generate(legacy_content))
+          file.rewind
+          instance = described_class.from_file(file.path)
+          expect(instance["redis_lb"]["password"].value).to eq("f1ad3e8b1e47bc81720742a2572b9ff")
+          expect(instance["redis_lb"]["password"].version).to eq(0)
+          expect(instance["redis_lb"]["password"].length).to eq(31)
+        end
+      end
+    end
+
+    context "when the file doesn't exist" do
+      it "raises an error" do
+        expect { described_class.from_file("not_a_file") }.to raise_error(Veil::InvalidCredentialCollectionFile)
+      end
+    end
+  end
+
+  describe "#save" do
+    it "saves the content to a machine loadable file" do
+      file.rewind
+      creds = described_class.new(path: file.path)
+      creds.add("redis_lb", "password")
+      creds.add("postgresql", "sql_ro_password")
+      creds.save
+
+      file.rewind
+      new_creds = described_class.from_file(file.path)
+
+      expect(new_creds["redis_lb"]["password"].value).to eq(creds["redis_lb"]["password"].value)
+      expect(new_creds["postgresql"]["sql_ro_password"].value).to eq(creds["postgresql"]["sql_ro_password"].value)
+    end
+
+    context "when using ownership management" do
+      let(:tmpfile) do
+        s = StringIO.new
+        allow(s).to receive(:path).and_return("/tmp/unguessable")
+        s
+      end
+
+      context "when the user is set" do
+        it "gives the file proper permissions" do
+          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+          expect(FileUtils).to receive(:chown).with(user, user, "/tmp/unguessable")
+          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+          creds = described_class.new(path: file.path,
+                                      user: user)
+          creds.add("redis_lb", "password")
+          creds.save
+        end
+      end
+
+      context "when user and group are set" do
+        it "gives the file proper permissions" do
+          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+          expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
+          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+          creds = described_class.new(path: file.path,
+                                      user: user,
+                                      group: group)
+          creds.add("redis_lb", "password")
+          creds.save
+        end
+
+        it "gives the file proper permission even when called from_file" do
+          file.puts("{}"); file.rewind
+          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+          expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
+          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+          creds = described_class.from_file(file.path,
+                                            user: user,
+                                            group: group)
+          creds.add("redis_lb", "password")
+          creds.save
+        end
+      end
+    end
+
+    it "saves the version number" do
+      allow(FileUtils).to receive(:chown)
+      file.rewind
+      creds = described_class.new(path: file.path, version: 12)
+      creds.save
+
+      file.rewind
+      new_creds = described_class.from_file(file.path)
+      expect(new_creds.version).to eq(12)
+    end
+  end
+end

data/spec/credential_collection_spec.rb

@@ -0,0 +1,30 @@
+require "spec_helper"
+
+describe Veil::CredentialCollection do
+  describe 'from_config' do
+    context 'passing provider "chef-secrets-file"' do
+      let(:opts) { { provider: 'chef-secrets-file', something_else: 'config' } }
+
+      it 'instantiates ChefSecretsFile with all options' do
+        expect(Veil::CredentialCollection::ChefSecretsFile).to receive(:new).with(opts)
+        described_class.from_config(opts)
+      end
+    end
+
+    context 'passing anything else as provider' do
+      let(:opts) { { provider: 'vault' } }
+
+      it 'raises an exception' do
+        expect { described_class.from_config(opts) }.to raise_error(Veil::UnknownProvider)
+      end
+    end
+
+    context 'passing an options hash that has no provider' do
+      let(:opts) { { something: 'else' } }
+
+      it 'raises an exception' do
+        expect { described_class.from_config(opts) }.to raise_error(Veil::UnknownProvider)
+      end
+    end
+  end
+end

data/spec/credential_spec.rb

@@ -0,0 +1,94 @@
+require "spec_helper"
+
+describe Veil::Credential do
+  let(:data)        { "heart and lungs" }
+  let(:salt)        { "NaCL" }
+  let(:secret)      { "Black Eagle" }
+  let(:hasher_hash) do
+    {
+      data: data,
+      salt: salt,
+      secret: secret
+    }
+  end
+
+  let(:credential_hash) do
+    {
+      name: "eros",
+      version: 23,
+      value: "some crazy secret",
+      length: 17,
+      group: "portals"
+    }
+  end
+
+  let(:hasher) { Veil::Hasher.create(hasher_hash) }
+
+  subject { described_class.new(name: "eros", value: "thing") }
+
+  describe "self.create" do
+    it "creates an instance from the hash" do
+      cred = described_class.create(credential_hash)
+      expect(cred.name).to eq(credential_hash[:name])
+      expect(cred.version).to eq(credential_hash[:version])
+      expect(cred.value).to eq(credential_hash[:value])
+      expect(cred.length).to eq(credential_hash[:length])
+      expect(cred.group).to eq(credential_hash[:group])
+    end
+  end
+
+  describe "#new" do
+    it "sets a default version to 0" do
+      expect(subject.version).to eq(0)
+    end
+  end
+
+  describe "#rotate!" do
+    it "increments the version and hashes a new value" do
+      cred = described_class.new(group: "foo", name: "bar", version: 2, value: "thing")
+      cred.rotate!(hasher)
+      expect(cred.version).to eq(3)
+      expect(cred.value).to_not eq("thing")
+    end
+
+    context "when the hasher is invalid" do
+      it "raises an invalid hasher error" do
+        expect { subject.rotate!(1) }.to raise_error(Veil::InvalidHasher)
+      end
+    end
+
+    context "when the credential is frozen" do
+      it "raises a runtime error" do
+        cred = described_class.new(group: "foo", name: "bar", version: 3, value: "thing", frozen: true)
+        expect { cred.rotate!(1) }.to raise_error(RuntimeError)
+      end
+    end
+  end
+
+  describe "#rotate" do
+    it "increments the version and hashes a new value" do
+      cred = described_class.new(group: "foo", name: "bar", version: 2, value: "thing")
+      cred.rotate(hasher)
+      expect(cred.version).to eq(3)
+      expect(cred.value).to_not eq("thing")
+    end
+
+    context "when the hasher is invalid" do
+      it "does not rotate the credential" do
+        cred = described_class.new(group: "foo", name: "bar", version: 3, value: "thing", frozen: true)
+        expect(cred.rotate(1)).to eq(false)
+        expect(cred.version).to eq(3)
+        expect(cred.value).to eq("thing")
+      end
+    end
+
+    context "when the credential is frozen" do
+      it "does not rotate the credential" do
+        cred = described_class.new(group: "foo", name: "bar", version: 3, value: "thing", frozen: true)
+        expect(cred.rotate(hasher)).to eq(false)
+        expect(cred.version).to eq(3)
+        expect(cred.value).to eq("thing")
+      end
+    end
+  end
+end

data/spec/hasher/base_spec.rb

@@ -0,0 +1,19 @@
+require "spec_helper"
+require "digest"
+
+describe Veil::Hasher::Base do
+  let(:data) { "let him enter" }
+
+  subject { described_class.new }
+
+  describe "#hex_digest" do
+    it "returns a SHA512 hex digest of the data" do
+      expect(subject.send(:hex_digest, data)).to eq(OpenSSL::Digest::SHA512.hexdigest(data))
+    end
+
+    it "does not use Digest, which uses low level APIs prohibited by FIPS" do
+      expect(Digest::SHA512).not_to receive(:hexdigest)
+      subject.send(:hex_digest, data)
+    end
+  end
+end

data/spec/hasher/bcrypt_spec.rb

@@ -0,0 +1,48 @@
+require "spec_helper"
+
+describe Veil::Hasher::BCrypt do
+  let(:group)       { "postgresql" }
+  let(:name)        { "sql_ro_password" }
+  let(:version)     { "5" }
+  let(:cost)        { 11 }
+  let(:salt)        { "$2a$11$4xS0IHHxU5sOYZ0Z5X53Qe" }
+  let(:secret)      { "only friends tell each other" }
+
+  subject { described_class.new(secret: secret, salt: salt) }
+
+  describe "#new" do
+    it "builds an instance" do
+      expect(described_class.new.class).to eq(described_class)
+    end
+
+    context "from a hash" do
+      it "builds an identical instance" do
+        new_instance = described_class.new(subject.to_hash)
+        expect(new_instance.encrypt("slow", "forever", 1)).to eq(subject.encrypt("slow", "forever", 1))
+      end
+    end
+  end
+
+  describe "#encrypt" do
+    it "deterministically encrypts data" do
+      encrypted_data = subject.encrypt(group, name, version)
+
+      new_instance = described_class.new(
+        secret: secret,
+        salt: salt,
+      )
+
+      expect(new_instance.encrypt(group, name, version)).to eq(encrypted_data)
+    end
+  end
+
+  describe "#to_hash" do
+    it "returns itself as a hash" do
+      expect(subject.to_hash).to eq({
+        type: "Veil::Hasher::BCrypt",
+        secret: secret,
+        salt: salt,
+      })
+    end
+  end
+end

data/spec/hasher/pbkdf2_spec.rb

@@ -0,0 +1,60 @@
+require "spec_helper"
+
+describe Veil::Hasher::PBKDF2 do
+  let(:group)       { "android" }
+  let(:name)        { "artoo" }
+  let(:version)     { 2 }
+  let(:salt)        { "nacl" }
+  let(:secret)      { "sauce" }
+  let(:iterations)  { 100 }
+  let(:digest)      { "SHA256" }
+
+  subject do
+    described_class.new(
+      secret: secret,
+      salt: salt,
+      iterations: iterations,
+      hash_function: digest
+    )
+  end
+
+  describe "#new" do
+    it "builds an instance" do
+      expect(described_class.new.class).to eq(described_class)
+    end
+
+    context "from a hash" do
+      it "builds an identical instance" do
+        new_instance = described_class.new(subject.to_hash)
+        expect(new_instance.encrypt("slow", "forever", 5)).to eq(subject.encrypt("slow", "forever", 5))
+      end
+    end
+  end
+
+  describe "#encrypt" do
+    it "deterministically encrypts data" do
+      encrypted_data = subject.encrypt(group, name, version)
+
+      new_instance = described_class.new(
+        secret: secret,
+        salt: salt,
+        iterations: iterations,
+        hash_function: digest
+      )
+
+      expect(new_instance.encrypt(group, name, version)).to eq(encrypted_data)
+    end
+  end
+
+  describe "#to_hash" do
+    it "returns itself as a hash" do
+      expect(subject.to_hash).to eq({
+        type: "Veil::Hasher::PBKDF2",
+        secret: secret,
+        salt: salt,
+        iterations: iterations,
+        hash_function: "OpenSSL::Digest::SHA256"
+      })
+    end
+  end
+end

data/spec/hasher_spec.rb

@@ -0,0 +1,34 @@
+require "spec_helper"
+
+describe Veil::Hasher do
+  let(:data)        { "let him enter" }
+  let(:cost)        { 11 }
+  let(:salt)        { "$2a$11$4xS0IHHxU5sOYZ0Z5X53Qe" }
+  let(:secret)      { "super duper secret" }
+  let(:hash) do
+    { type: "Veil::Hasher::BCrypt",
+      secret: secret,
+      salt: salt
+    }
+  end
+
+  describe "#self.create" do
+    context "with opts" do
+      it "returns an instance of the class" do
+        instance = described_class.create(hash)
+        expect(instance.class.name).to eq("Veil::Hasher::BCrypt")
+        expect(instance.secret).to eq(secret)
+        expect(instance.salt).to eq(salt)
+      end
+    end
+
+    context "without opts" do
+      it "returns an instance of the default class" do
+        instance = described_class.create
+        expect(instance.class.name).to eq("Veil::Hasher::PBKDF2")
+        expect(instance.iterations).to eq(10_000)
+        expect(instance.hash_function.class.name).to eq("OpenSSL::Digest::SHA512")
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+$LOAD_PATH.unshift File.expand_path("../../lib", __FILE__)
+require "veil"

data/spec/utils_spec.rb

@@ -0,0 +1,25 @@
+require "spec_helper"
+
+describe Veil::Utils do
+  let(:mixed_hash) do
+    {
+      :foo => "bar",
+      bar: "baz",
+      "fizz" => :buzz
+    }
+  end
+
+  let(:symbolized_hash) do
+    {
+      foo: "bar",
+      bar: "baz",
+      fizz: :buzz
+    }
+  end
+
+  describe "#symbolize_keys" do
+    it "symbolizes a hashes keys" do
+      expect(described_class.symbolize_keys(mixed_hash)).to eq(symbolized_hash)
+    end
+  end
+end