diff options
author | Thom May <thom@may.lt> | 2017-03-08 17:41:22 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-08 17:41:22 +0000 |
commit | d3247ab49793b525b9de4ae5d0844c60ae8283f5 (patch) | |
tree | 767ea145384d11735a6280fade7500d44a857b21 | |
parent | 416ab0c10f510c7d51d4c6c35741d0cca2a0bc21 (diff) | |
parent | b1dda25b3a74e14ec326bf3fb10b727e6627bb39 (diff) | |
download | chef-d3247ab49793b525b9de4ae5d0844c60ae8283f5.tar.gz |
Merge pull request #5877 from chef/tm/db_encrypt_version
Use v3 data bag encryption
-rw-r--r-- | Gemfile.lock | 2 | ||||
-rw-r--r-- | chef-config/lib/chef-config/config.rb | 9 | ||||
-rw-r--r-- | spec/unit/encrypted_data_bag_item_spec.rb | 12 |
3 files changed, 10 insertions, 13 deletions
diff --git a/Gemfile.lock b/Gemfile.lock index da643a26f1..e0b6e4bb34 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -222,7 +222,7 @@ GEM logify (~> 0.1) mime-types chef-sugar (3.4.0) - chef-zero (5.3.0) + chef-zero (5.3.1) ffi-yajl (~> 2.2) hashie (>= 2.0, < 4.0) mixlib-log (~> 1.3) diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb index 3a55c8233d..bb516942df 100644 --- a/chef-config/lib/chef-config/config.rb +++ b/chef-config/lib/chef-config/config.rb @@ -606,13 +606,10 @@ module ChefConfig end end - # As of Chef 11.0, version "1" is the default encrypted data bag item - # format. Version "2" is available which adds encrypt-then-mac protection. - # To maintain compatibility, versions other than 1 must be opt-in. + # As of Chef 13.0, version "3" is the default encrypted data bag item + # format. # - # Set this to `2` if you have chef-client 11.6.0+ in your infrastructure. - # Set this to `3` if you have chef-client 11.?.0+, ruby 2 and OpenSSL >= 1.0.1 in your infrastructure. (TODO) - default :data_bag_encrypt_version, 1 + default :data_bag_encrypt_version, 3 # When reading data bag items, any supported version is accepted. However, # if all encrypted data bags have been generated with the version 2 format, diff --git a/spec/unit/encrypted_data_bag_item_spec.rb b/spec/unit/encrypted_data_bag_item_spec.rb index a8fb144bf7..14b5d9eb28 100644 --- a/spec/unit/encrypted_data_bag_item_spec.rb +++ b/spec/unit/encrypted_data_bag_item_spec.rb @@ -39,7 +39,7 @@ describe Chef::EncryptedDataBagItem::Encryptor do let(:key) { "passwd" } it "encrypts to format version 1 by default" do - expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor) + expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor) end describe "generating a random IV" do @@ -66,8 +66,8 @@ describe Chef::EncryptedDataBagItem::Encryptor do final_data = encryptor.for_encrypted_item expect(final_data["encrypted_data"]).to eq encryptor.encrypted_data expect(final_data["iv"]).to eq Base64.encode64(encryptor.iv) - expect(final_data["version"]).to eq 1 - expect(final_data["cipher"]).to eq "aes-256-cbc" + expect(final_data["version"]).to eq 3 + expect(final_data["cipher"]).to eq "aes-256-gcm" end end @@ -238,7 +238,7 @@ describe Chef::EncryptedDataBagItem::Decryptor do context "when decrypting a version 1 (JSON+aes-256-cbc+random iv) encrypted value" do let(:encrypted_value) do - Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, encryption_key).for_encrypted_item + Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor.new(plaintext_data, encryption_key).for_encrypted_item end it "selects the correct strategy for version 1" do @@ -336,7 +336,7 @@ describe Chef::EncryptedDataBagItem do end it "encrypts non-collection objects" do - expect(encoded_data["greeting"]["version"]).to eq 1 + expect(encoded_data["greeting"]["version"]).to eq 3 expect(encoded_data["greeting"]).to have_key("iv") iv = encoded_data["greeting"]["iv"] @@ -346,7 +346,7 @@ describe Chef::EncryptedDataBagItem do end it "encrypts nested values" do - expect(encoded_data["nested"]["version"]).to eq 1 + expect(encoded_data["nested"]["version"]).to eq 3 expect(encoded_data["nested"]).to have_key("iv") iv = encoded_data["nested"]["iv"] |