Class: Chef::EncryptedDataBagItem

Inherits:

Object

• Object
• Chef::EncryptedDataBagItem

Defined in:

lib/chef/encrypted_data_bag_item.rb

Overview

An EncryptedDataBagItem represents a read-only data bag item where all values, except for the value associated with the id key, have been encrypted.

EncrypedDataBagItem can be used in recipes to decrypt data bag item members.

Data bag item values are assumed to have been encrypted using the default symmetric encryption provided by Encryptor.encrypt where values are converted to YAML prior to encryption.

If the shared secret is not specified at initialization or load, then the contents of the file referred to in Chef::Config will be used as the secret. The default path is /etc/chef/encrypted_data_bag_secret

EncryptedDataBagItem is intended to provide a means to avoid storing data bag items in the clear on the Chef server. This provides some protection against a breach of the Chef server or of Chef server backup data. Because the secret must be stored in the clear on any node needing access to an EncryptedDataBagItem, this approach provides no protection of data bag items from actors with access to such nodes in the infrastructure.

Constant Summary

DEFAULT_SECRET_FILE =

"/etc/chef/encrypted_data_bag_secret"

ALGORITHM =

'aes-256-cbc'

Class Method Summary

• .decrypt_value(value, key) ⇒ Object
• .encrypt_data_bag_item(plain_hash, secret) ⇒ Object
• .encrypt_value(value, key) ⇒ Object
• .from_plain_hash(plain_hash, secret) ⇒ Object
• .load(data_bag, name, secret = nil) ⇒ Object
• .load_secret(path = nil) ⇒ Object

Instance Method Summary

• #[](key) ⇒ Object
• #[]=(key, value) ⇒ Object
• #initialize(enc_hash, secret) ⇒ EncryptedDataBagItem constructor

  A new instance of EncryptedDataBagItem.

• #to_hash ⇒ Object

Constructor Details

#initialize(enc_hash, secret) ⇒ EncryptedDataBagItem

Returns a new instance of EncryptedDataBagItem.

# File 'lib/chef/encrypted_data_bag_item.rb', line 53

def initialize(enc_hash, secret)
  @enc_hash = enc_hash
  @secret = secret
end

Class Method Details

.decrypt_value(value, key) ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 101

def self.decrypt_value(value, key)
  YAML.load(self.cipher(:decrypt, Base64.decode64(value), key))
end

.encrypt_data_bag_item(plain_hash, secret) ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 79

def self.encrypt_data_bag_item(plain_hash, secret)
  plain_hash.inject({}) do |h, (key, val)|
    h[key] = if key != "id"
               self.encrypt_value(val, secret)
             else
               val
             end
    h
  end
end

.encrypt_value(value, key) ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 97

def self.encrypt_value(value, key)
  Base64.encode64(self.cipher(:encrypt, value.to_yaml, key))
end

.from_plain_hash(plain_hash, secret) ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 75

def self.from_plain_hash(plain_hash, secret)
  self.new(self.encrypt_data_bag_item(plain_hash, secret), secret)
end

.load(data_bag, name, secret = nil) ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 90

def self.load(data_bag, name, secret = nil)
  path = "data/#{data_bag}/#{name}"
  raw_hash = Chef::DataBagItem.load(data_bag, name)
  secret = secret || self.load_secret
  self.new(raw_hash, secret)
end

.load_secret(path = nil) ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 105

def self.load_secret(path=nil)
  path = path || Chef::Config[:encrypted_data_bag_secret] || DEFAULT_SECRET_FILE
  secret = case path
           when /^\w+:\/\//
             # We have a remote key
             begin
               Kernel.open(path).read.strip
             rescue Errno::ECONNREFUSED
               raise ArgumentError, "Remote key not available from '#{path}'"
             rescue OpenURI::HTTPError
               raise ArgumentError, "Remote key not found at '#{path}'"
             end
           else
             if !File.exists?(path)
               raise Errno::ENOENT, "file not found '#{path}'"
             end
             IO.read(path).strip
           end
  if secret.size < 1
    raise ArgumentError, "invalid zero length secret in '#{path}'"
  end
  secret
end

Instance Method Details

#[](key) ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 58

def [](key)
  value = @enc_hash[key]
  if key == "id" || value.nil?
    value
  else
    self.class.decrypt_value(value, @secret)
  end
end

#[]=(key, value) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/chef/encrypted_data_bag_item.rb', line 67

def []=(key, value)
  raise ArgumentError, "assignment not supported for #{self.class}"
end

#to_hash ⇒ Object

# File 'lib/chef/encrypted_data_bag_item.rb', line 71

def to_hash
  @enc_hash.keys.inject({}) { |hash, key| hash[key] = self[key]; hash }
end