veil 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cfc065388eeda8de97ced25becd31b968eaebd1c
-  data.tar.gz: 4f254696b35ccd7924bb84db6a18b65629570533
+  metadata.gz: 6101318787572fead55a5c0c06c46227f840114d
+  data.tar.gz: af7f78cc9004e614ba49757eda9cba8996646f8d
 SHA512:
-  metadata.gz: 858dd8cba868d10bc3559b7ea6e4467a6cbeb9a3316244c0289b87adeef13709306a9c909d8dd8b1a1593b54a3541dd7cda1b3dce6ece469c937db2e83990270
-  data.tar.gz: 831847b81b49f810c5b37e4f7a4211723f9fa84bcf5a26cce62a76ef9861d7288cd31bcfea08992aaee068b001c157ed1757e78311487f98d330cdc68d5fdea7
+  metadata.gz: 5f50e2f7e67dce633ec09ca5918e37949ed0e073499ac0878050ad40ed598f5a455ed01e635d8fb0bb13238e785b5204ec1ae4d9770bb73bd5067baf8c19c68c
+  data.tar.gz: 241a21af2f050f4c193b6389a9f69673b1f913f24755cb54f7750ad83366cf363dc301278057faf9ed181489ffaa4c698a65684e197f8a1bcd9964470361c9a5

data/bin/veil-dump-secrets

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+require 'veil'
+require 'json'
+require 'optparse'
+
+OptionParser.new do |opts|
+  opts.banner = "Usage: veil-dump-secrets SECRETS_FILE_PATH"
+end.parse!
+
+secrets_file = ARGV[0]
+veil = Veil::CredentialCollection::ChefSecretsFile.from_file(secrets_file)
+puts veil.credentials_for_export.to_json

data/lib/veil/cipher.rb

@@ -0,0 +1,32 @@
+require "veil/cipher/v1"
+require "veil/cipher/v2"
+
+module Veil
+  class Cipher
+    DEFAULT_DECRYPTOR = Veil::Cipher::V1
+    DEFAULT_ENCRYPTOR = Veil::Cipher::V2
+
+    class << self
+      #
+      # Create a new Cipher instance
+      #
+      # Defaults to using v1 for decryption (noop), v2 for encryption.
+      # If invoked as default, v2 will generate key and iv.
+      #
+      # @param opts Hash<Symbol> a hash of options to pass to the constructor
+      #
+      # @example Veil::Cipher.create(type: "V1")
+      # @example Veil::Cipher.create(type: "V2", key: "blah", iv: "vi")
+      #
+      def create(opts = {})
+        case opts
+        when {}, nil
+          [ DEFAULT_DECRYPTOR.new({}), DEFAULT_ENCRYPTOR.new({}) ]
+        else
+          cipher = const_get(opts[:type])
+          [ cipher.new(opts), cipher.new(opts) ]
+        end
+      end
+    end
+  end
+end

data/lib/veil/cipher/v1.rb

@@ -0,0 +1,16 @@
+module Veil
+  class Cipher
+    class V1
+      def initialize(_opts = {})
+      end
+
+      def encrypt(plaintext)
+        raise RuntimeError, "Veil::Cipher::V1#encrypt should never be called"
+      end
+
+      def decrypt(anything)
+        anything
+      end
+    end
+  end
+end

data/lib/veil/cipher/v2.rb

@@ -0,0 +1,41 @@
+require "base64"
+require "openssl"
+
+module Veil
+  class Cipher
+    class V2
+      attr_reader :key, :iv, :cipher
+
+      def initialize(opts = {})
+        @cipher = OpenSSL::Cipher.new("aes-256-cbc")
+        @key    = opts[:key] ? Base64.strict_decode64(opts[:key]) : cipher.random_key
+        @iv     = opts[:iv] ? Base64.strict_decode64(opts[:iv]) : cipher.random_iv
+      end
+
+      def encrypt(plaintext)
+        c = cipher
+        c.encrypt
+        c.key = key
+        c.iv = iv
+        Base64.strict_encode64(c.update(plaintext) + c.final)
+      end
+
+      def decrypt(ciphertext)
+        c = cipher
+        c.decrypt
+        c.key = key
+        c.iv = iv
+        JSON.parse(c.update(Base64.strict_decode64(ciphertext)) + c.final, symbolize_names: true)
+      end
+
+      def to_hash
+        {
+          type: self.class.name,
+          key: Base64.strict_encode64(key),
+          iv: Base64.strict_encode64(iv)
+        }
+      end
+      alias_method :to_h, :to_hash
+    end
+  end
+end

data/lib/veil/credential_collection/base.rb

@@ -1,5 +1,6 @@
-require "veil/hasher"
+require "veil/cipher"
 require "veil/credential"
+require "veil/hasher"
 require "forwardable"
 
 module Veil
@@ -13,13 +14,14 @@ module Veil
 
       extend Forwardable
 
-      attr_reader :credentials, :hasher, :version
+      attr_reader :credentials, :hasher, :version, :decryptor, :encryptor
 
       def_delegators :@credentials, :size, :length, :find, :map, :select, :each, :[], :keys
 
       def initialize(opts = {})
         @hasher = Veil::Hasher.create(opts[:hasher] || {})
-        @credentials = expand_credentials_hash(opts[:credentials] || {})
+        @decryptor, @encryptor = Veil::Cipher.create(opts[:cipher] || {})
+        @credentials = expand_credentials_hash(decryptor.decrypt(opts[:credentials]) || {})
         @version = opts[:version] || 1
       end
 
@@ -28,7 +30,8 @@ module Veil
           type: self.class.name,
           version: version,
           hasher: hasher.to_h,
-          credentials: credentials_as_hash
+          cipher: encryptor.to_h,
+          credentials: encryptor.encrypt(credentials_as_hash.to_json)
         }
       end
       alias_method :to_h, :to_hash

data/lib/veil/credential_collection/chef_secrets_file.rb

@@ -16,7 +16,9 @@ module Veil
         end
       end
 
-      attr_reader :path, :user, :group
+      CURRENT_VERSION = 2.freeze
+
+      attr_reader :path, :user, :group, :key
 
       # Create a new ChefSecretsFile
       #
@@ -43,7 +45,7 @@ module Veil
 
         @user    = opts[:user]
         @group   = opts[:group] || @user
-        @version = opts[:version] || 1
+        opts[:version] = CURRENT_VERSION
         super(opts)
 
         import_legacy_credentials(hash) if import_existing && legacy
@@ -57,9 +59,9 @@ module Veil
         @path = File.expand_path(path)
       end
 
-      # Save the CredentialCollection to file
+      # Save the CredentialCollection to file, encrypt it
       def save
-        FileUtils.mkdir_p(File.dirname(path)) unless File.directory?(File.dirname(path))
+        FileUtils.mkdir_p(File.dirname(path))
 
         f = Tempfile.new("veil") # defaults to mode 0600
         FileUtils.chown(user, group, f.path) if user
@@ -73,20 +75,24 @@ module Veil
 
       # Return the instance as a secrets style hash
       def secrets_hash
-        { "veil" => to_h }.merge(legacy_credentials_hash)
+        { "veil" => to_h }
       end
 
-      # Return the credentials in a legacy chef secrets hash
-      def legacy_credentials_hash
+      def credentials_for_export
         hash = Hash.new
 
-        to_h[:credentials].each do |namespace, creds|
-          hash[namespace] = {}
-          creds.each { |name, cred| hash[namespace][name] = cred[:value] }
+        credentials.each do |namespace, cred_or_creds|
+          if cred_or_creds.is_a?(Veil::Credential)
+            hash[namespace] = cred_or_creds.value
+          else
+            hash[namespace] = {}
+            cred_or_creds.each { |name, cred| hash[namespace][name] = cred.value }
+          end
         end
 
         hash
       end
+      alias_method :legacy_credentials_hash, :credentials_for_export
 
       def import_legacy_credentials(hash)
         hash.each do |namespace, creds_hash|

data/lib/veil/version.rb

@@ -1,3 +1,3 @@
 module Veil
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/spec/cipher/v1_spec.rb

@@ -0,0 +1,15 @@
+require "spec_helper"
+
+describe Veil::Cipher::V1 do
+  describe "#decrypt" do
+    it "does nothing" do
+      expect(described_class.new().decrypt("hi")).to eq("hi")
+    end
+  end
+
+  describe "#encrypt" do
+    it "raises a RuntimeError" do
+      expect { described_class.new().encrypt("hi") }.to raise_error(RuntimeError)
+    end
+  end
+end

data/spec/cipher/v2_spec.rb

@@ -0,0 +1,46 @@
+require "spec_helper"
+require "openssl"
+
+describe Veil::Cipher::V2 do
+  let(:iv64) { Base64.strict_encode64("mondaytuesdaywednesday") }
+  let(:key64) { Base64.strict_encode64("thursdayfridaysaturdaysundaymonday") }
+  let(:ciphertext64) { "yhHR8ZVUfzRv+4dvcUFlitdmCS3ybi2dGLofzEF1Ibw=" }
+  let(:plainhash) { { "chef-server": "test-value" } }
+
+  describe "#new" do
+    it "accepts passed key and iv base64-encoded data" do
+      cipher = described_class.new(iv: iv64, key: key64)
+
+      expect(cipher.iv).to eq("mondaytuesdaywednesday")
+      expect(cipher.key).to eq("thursdayfridaysaturdaysundaymonday")
+    end
+
+    it "generates key and iv data if none was passed" do
+      openssl = double(OpenSSL::Cipher)
+      expect(OpenSSL::Cipher).to receive(:new).and_return(openssl)
+      expect(openssl).to receive(:random_iv).and_return("random iv")
+      expect(openssl).to receive(:random_key).and_return("random key")
+      cipher = described_class.new()
+
+      expect(cipher.iv).to eq("random iv")
+      expect(cipher.key).to eq("random key")
+    end
+  end
+
+  describe "#decrypt" do
+    it "parses decrypted json data" do
+      expect(described_class.new(iv: iv64, key: key64).decrypt(ciphertext64)).to eq(plainhash)
+    end
+  end
+
+  describe "#to_hash" do
+    it "base64-encodes iv and key" do
+      expected = {
+        iv: "bW9uZGF5dHVlc2RheXdlZG5lc2RheQ==",
+        key: "dGh1cnNkYXlmcmlkYXlzYXR1cmRheXN1bmRheW1vbmRheQ==",
+        type: "Veil::Cipher::V2"
+      }
+      expect(described_class.new(iv: iv64, key: key64).to_hash).to eq(expected)
+    end
+  end
+end

data/spec/cipher_spec.rb

@@ -0,0 +1,23 @@
+require "spec_helper"
+
+describe Veil::Cipher do
+  describe "#self.create" do
+    it "defaults to noop decrypt, v2 encrypt" do
+      dec, enc = described_class.create()
+      expect(dec.class).to eq(Veil::Cipher::V1)
+      expect(enc.class).to eq(Veil::Cipher::V2)
+    end
+
+    it "parses the non-namespaced type" do
+      dec, enc = described_class.create(type: "V2")
+      expect(dec.class).to eq(Veil::Cipher::V2)
+      expect(enc.class).to eq(Veil::Cipher::V2)
+    end
+
+    it "parses the complete type" do
+      dec, enc = described_class.create(type: "Veil::Cipher::V2")
+      expect(dec.class).to eq(Veil::Cipher::V2)
+      expect(enc.class).to eq(Veil::Cipher::V2)
+    end
+  end
+end

data/spec/credential_collection/base_spec.rb

@@ -25,10 +25,11 @@ describe Veil::CredentialCollection::Base do
     context "with credential options" do
       it "builds the credentials" do
         subject.add("foo", "bar", length: 22)
-        creds_hash = subject.to_hash[:credentials]
+        creds_hash = subject["foo"]["bar"].to_hash
+        new_instance = described_class.new(credentials: { foo: { bar: creds_hash } })
 
-        new_instance = described_class.new(credentials: creds_hash)
-        expect(new_instance["foo"]["bar"].value).to eq(subject["foo"]["bar"].value)
+        expected = subject["foo"]["bar"].value
+        expect(new_instance["foo"]["bar"].value).to eq(expected)
       end
     end
 

data/spec/credential_collection/chef_secrets_file_spec.rb

@@ -7,10 +7,12 @@ describe Veil::CredentialCollection::ChefSecretsFile do
   let!(:file) { Tempfile.new("private_chef_secrets.json") }
   let(:user) { "opscode_user" }
   let(:group) { "opscode_group" }
+  let(:version) { 1 }
   let(:content) do
     {
       "veil" => {
         "type" => "Veil::CredentialCollection::ChefSecretsFile",
+        "version" => version,
         "hasher" => {},
         "credentials" => {}
       }
@@ -66,7 +68,7 @@ describe Veil::CredentialCollection::ChefSecretsFile do
   end
 
   describe "#save" do
-    it "saves the content to a machine loadable file" do
+    it "saves the content to a file it can read" do
       file.rewind
       creds = described_class.new(path: file.path)
       creds.add("redis_lb", "password")
@@ -80,6 +82,14 @@ describe Veil::CredentialCollection::ChefSecretsFile do
       expect(new_creds["postgresql"]["sql_ro_password"].value).to eq(creds["postgresql"]["sql_ro_password"].value)
     end
 
+    it "saves the content in an encrypted form" do
+      creds = described_class.new(path: file.path)
+      creds.add("postgresql", "sql_ro_password", value: "kneipenpathos")
+      creds.save
+
+      expect(IO.read(file.path)).to_not match(/kneipenpathos/)
+    end
+
     context "when using ownership management" do
       let(:tmpfile) do
         s = StringIO.new
@@ -128,15 +138,75 @@ describe Veil::CredentialCollection::ChefSecretsFile do
       end
     end
 
-    it "saves the version number" do
+    it "saves the latest version number" do
       allow(FileUtils).to receive(:chown)
       file.rewind
-      creds = described_class.new(path: file.path, version: 12)
+      creds = described_class.new(path: file.path)
       creds.save
 
       file.rewind
       new_creds = described_class.from_file(file.path)
-      expect(new_creds.version).to eq(12)
+      expect(new_creds.version).to eq(2)
+    end
+
+    context "reading an unencrypted file" do
+      let(:existing_content) { <<EOF
+{
+  "veil": {
+    "type": "Veil::CredentialCollection::ChefSecretsFile",
+    "version": 1,
+    "hasher": {
+      "type": "Veil::Hasher::PBKDF2",
+      "secret": "5f6e76ae7f5b631a96f5142b2a4b837e23ab6d204dc9e635fc18783ae8d253596f9cd9b65e295c96cee0b9cd1171cae1ca2e897ca5419106785d99d4a42fe9897f2fc7f537a05d39f19b26aa05500e93d65621ed3cdbb718d3005f808fe04a2e2267c43f5100dfe1a6ab3b6462d7fe57bc3adced263fd8c2c55ddebc2f9067b475868e9fb950bf2ae37889e22c42fd686b168b25410a4fa7689a32686fab76e57cd64482ff411be69a4c9abefc5ed64227fb42db05f3b221ddc18c6bb7ca54625cd8a5426be0d9c2161f09f35a04bd9b07884f4319389801c123d0bd345d4218434d9aee87dbb115c5cc22d1c87ffc447c2a008e89edda7e25453076dd478df0f08d50206724cd055741b7521b889fbf6d12af7946ee069bdb60cf79b14e2dad910bab97ae0ff6a9c1f88556e493df26bff007728317683a14433b30a6b6537095c1a8906a08d8a067a1b2a0443ad6fcf007e6bd70c8a3bbfe571044652d3960fd200d23f046b2493463692b570f1c94dabb05933e8d6bcd7e59a708ac8b385034a32b5b1f20635cb10e8027376f496ee1e8496c3517e24bfab3a840f0994a7fde433dc942be781488e6ebbbc68872467ebd216c71e092b2adae600a50bc2ace312cc8cd7949ddb16b72555c9d511211e22383eb515dad22032e80c11f3193a1b357f1c073e4770e314a960bbeada64b36078cfc18e806c03743a0dcd1f77ef3",
+      "salt": "78a8140351ecbfaee137655377aa15138655dc65a49c53ca5f6ee05c7b9c3db9dbc0e2bfdf14af3a062a1cc513e4e086126cf428890df3caf11d9714729027ac93fbf8b7bd9d8fc734b7b4a84c979b45e804e573f93f5cd6dab0b1cf7e5b6191c0924e61b84e8289065918fa991846e1a0f19f357c497c9fa4c420fda0578c14",
+      "iterations": 10000,
+      "hash_function": "OpenSSL::Digest::SHA512"
+    },
+    "credentials": {
+      "postgresql": {
+        "db_superuser_password": {
+          "type": "Veil::Credential",
+          "name": "db_superuser_password",
+          "group": "postgresql",
+          "value": "37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3",
+          "version": 1,
+          "length": 100,
+          "frozen": false
+        }
+      }
+    }
+  },
+  "postgresql": {
+    "db_superuser_password": "37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3"
+  }
+}
+EOF
+}
+      let(:tempfile) { Tempfile.new("private-chef-secrets").path }
+
+      before(:each) do
+        File.write(tempfile, existing_content)
+      end
+
+      it "reads the secrets" do
+        creds = described_class.new(path: tempfile)
+        expect(creds["postgresql"]["db_superuser_password"].value).to eq("37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3")
+      end
+
+      it "saves the file encrypted" do
+        creds = described_class.new(path: tempfile)
+        creds.save
+
+        expect(IO.read(tempfile)).to_not match("37f5c43dd8bab089821e5a49fe0ac17128c6d1878fe632e687889eaaea1980b51b3e3df755d2610cffe6896c1df9f23bdda3")
+      end
+
+      it "keeps only the veil key of the file's hash" do
+        creds = described_class.new(path: tempfile)
+        creds.save
+
+        json = JSON.parse(IO.read(tempfile))
+        expect(json.keys).to eq(["veil"])
+      end
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: veil
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Chef Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-13 00:00:00.000000000 Z
+date: 2017-03-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -86,6 +86,7 @@ email:
 executables:
 - console
 - setup
+- veil-dump-secrets
 - veil-env-helper
 - veil-ingest-secret
 extensions: []
@@ -94,9 +95,13 @@ files:
 - LICENSE
 - bin/console
 - bin/setup
+- bin/veil-dump-secrets
 - bin/veil-env-helper
 - bin/veil-ingest-secret
 - lib/veil.rb
+- lib/veil/cipher.rb
+- lib/veil/cipher/v1.rb
+- lib/veil/cipher/v2.rb
 - lib/veil/credential.rb
 - lib/veil/credential_collection.rb
 - lib/veil/credential_collection/base.rb
@@ -108,6 +113,9 @@ files:
 - lib/veil/hasher/pbkdf2.rb
 - lib/veil/utils.rb
 - lib/veil/version.rb
+- spec/cipher/v1_spec.rb
+- spec/cipher/v2_spec.rb
+- spec/cipher_spec.rb
 - spec/credential_collection/base_spec.rb
 - spec/credential_collection/chef_secrets_file_spec.rb
 - spec/credential_collection_spec.rb
@@ -139,11 +147,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.10
+rubygems_version: 2.4.5.2
 signing_key: 
 specification_version: 4
 summary: Veil is a Ruby Gem for generating secure secrets from a shared secret
 test_files:
+- spec/cipher/v1_spec.rb
+- spec/cipher/v2_spec.rb
+- spec/cipher_spec.rb
 - spec/credential_collection/base_spec.rb
 - spec/credential_collection/chef_secrets_file_spec.rb
 - spec/credential_collection_spec.rb