Class: Chef::EncryptedDataBagItem::Decryptor::Version1Decryptor

Inherits:
Version0Decryptor
Defined in:
lib/chef/encrypted_data_bag_item/decryptor.rb

Direct Known Subclasses

Version2Decryptor, Version3Decryptor

Instance Attribute Summary

Instance Method Summary

Methods inherited from Version0Decryptor

#algorithm

Methods included from Assertions

#assert_aead_requirements_met!, #assert_format_version_acceptable!, #assert_requirements_met!, #assert_valid_cipher!

Constructor Details

#initialize(encrypted_data, key) ⇒ Version1Decryptor

Returns a new instance of Version1Decryptor.



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 121

# Stores the encrypted item and the shared secret for later use. Nothing is
# decoded, validated or decrypted at construction time.
#
# @param encrypted_data [Hash] item fields; other methods of this class read
#   its "encrypted_data", "iv" and "cipher" entries
# @param key [String] the shared secret (hashed later to form the cipher key)
def initialize(encrypted_data, key)
  @encrypted_data, @key = encrypted_data, key
end

Instance Attribute Details

#encrypted_data ⇒ Object (readonly)

Returns the value of attribute encrypted_data.



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 118

# Returns the encrypted item exactly as it was handed to the constructor.
# Other methods of this class index it with the string keys
# "encrypted_data", "iv" and "cipher".
def encrypted_data
  @encrypted_data
end

#key ⇒ Object (readonly)

Returns the value of attribute key.



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 119

# Returns the shared secret exactly as it was handed to the constructor.
# This is the raw secret, not the derived cipher key (openssl_decryptor
# hashes it with SHA-256 before use), so treat the return value as sensitive
# and keep it out of logs and error messages.
def key
  @key
end

Instance Method Details

#decrypted_data ⇒ Object



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 143

# Decrypts the item payload and memoizes the resulting plaintext.
#
# A cipher failure is re-raised as DecryptionFailure. The message carries the
# OpenSSL error text and, when the secret looks like a file path, a hint to
# use --secret-file; the secret itself is never interpolated into it.
#
# NOTE(review): no MAC or authentication tag is checked in this method, so a
# successful return does not by itself show the ciphertext was unmodified.
# Confirm which format version callers rely on when integrity matters.
#
# @return [String] the decrypted bytes
# @raise [DecryptionFailure] when OpenSSL rejects the ciphertext
def decrypted_data
  return @decrypted_data if @decrypted_data

  cipher = openssl_decryptor
  buffer = cipher.update(encrypted_bytes)
  buffer << cipher.final
  @decrypted_data = buffer
rescue OpenSSL::Cipher::CipherError => e
  # A secret shorter than 255 characters that contains a slash was probably
  # meant to be a path to a secret file rather than the secret itself.
  path_like = @key.length < 255 && @key.include?("/")
  hint = path_like ? "You may need to use --secret-file rather than --secret." : ""
  raise DecryptionFailure, "Error decrypting data bag value: '#{e.message}'. Most likely the provided key is incorrect. #{hint}"
end

#encrypted_bytes ⇒ Object



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 135

# Base64-decodes the item's "encrypted_data" field into raw ciphertext bytes.
# Base64.decode64 is the lenient decoder, so malformed input is not rejected
# here; it only surfaces later as a decryption or JSON parse failure.
#
# @return [String] ciphertext bytes
def encrypted_bytes
  encoded = @encrypted_data["encrypted_data"]
  Base64.decode64(encoded)
end

#for_decrypted_item ⇒ Object



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 126

# Parses the decrypted payload as JSON and returns its "json_wrapper" entry.
#
# A JSON parse error is reported as DecryptionFailure: the likeliest cause is
# that decryption produced garbage without the cipher raising, which is what
# a wrong key typically looks like at this layer.
#
# NOTE(review): only parse errors are converted. Output that parses to
# something other than a hash is not handled here; confirm whether callers
# need that case mapped to DecryptionFailure as well.
#
# @raise [DecryptionFailure] when the plaintext is not parseable JSON
def for_decrypted_item
  document = Chef::JSONCompat.parse(decrypted_data)
  document["json_wrapper"]
rescue Chef::Exceptions::JSON::ParseError
  raise DecryptionFailure, "Error decrypting data bag value. Most likely the provided key is incorrect"
end

#iv ⇒ Object



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 139

# Base64-decodes the item's "iv" field into the raw initialization vector.
# The value is taken from the stored item as-is; its length is not checked
# here.
#
# @return [String] IV bytes
def iv
  encoded_iv = @encrypted_data["iv"]
  Base64.decode64(encoded_iv)
end

#openssl_decryptor ⇒ Object



# File 'lib/chef/encrypted_data_bag_item/decryptor.rb', line 154

# Builds the OpenSSL cipher used for decryption and memoizes it.
#
# The item's declared "cipher" is passed to assert_valid_cipher! together
# with the expected algorithm before any key material is loaded (that check
# lives in Assertions and is not shown here).
#
# The cipher key is a single unsalted SHA-256 digest of the secret. There is
# no key stretching, so the protection rests on the entropy of the secret.
#
# @return [OpenSSL::Cipher] cipher in decrypt mode with key and IV set
def openssl_decryptor
  return @openssl_decryptor if @openssl_decryptor

  assert_valid_cipher!(@encrypted_data["cipher"], algorithm)
  cipher = OpenSSL::Cipher.new(algorithm)
  cipher.decrypt
  # We must set key before iv: https://bugs.ruby-lang.org/issues/8221
  cipher.key = OpenSSL::Digest::SHA256.digest(key)
  cipher.iv = iv
  @openssl_decryptor = cipher
end