authorTim Smith <tsmith84@gmail.com>2020-01-28 13:41:13 -0800
committerTim Smith <tsmith84@gmail.com>2020-04-20 19:49:05 -0700
commit2b020c1d6e5b919a8acb0fea666b1c4689d1fde9 (patch)
tree9fbf6ea764ef1c64b7e684366a21ea1dbdb8a57f
parente94a09ecf0b28c6cf0f8b959934698d4255ffddc (diff)
Refactor how CheckEncrypted checks legacy data bagsremove_legacy_dbag
We no longer have the encryptor classes for v1 and v2, so just hard-code the list of keys in the CheckEncrypted class. Also rework the specs to just use data that has been encrypted already. This saves time and lets us check the legacy versions. Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r--lib/chef/encrypted_data_bag_item/check_encrypted.rb4
-rw-r--r--spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb54
2 files changed, 15 insertions, 43 deletions
diff --git a/lib/chef/encrypted_data_bag_item/check_encrypted.rb b/lib/chef/encrypted_data_bag_item/check_encrypted.rb
index 6938f3ee79..851d83a6c0 100644
--- a/lib/chef/encrypted_data_bag_item/check_encrypted.rb
+++ b/lib/chef/encrypted_data_bag_item/check_encrypted.rb
@@ -58,9 +58,9 @@ class Chef::EncryptedDataBagItem
case data["version"]
when 1
- Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor.encryptor_keys.sort == data.keys.sort
+ %w{ cipher encrypted_data iv version } == data.keys.sort
when 2
- Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor.encryptor_keys.sort == data.keys.sort
+ %w{ cipher encrypted_data hmac iv version } == data.keys.sort
when 3
Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor.encryptor_keys.sort == data.keys.sort
else
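Review bot: The literal key lists on the `when 1` and `when 2` branches are order-sensitive because they are compared with `==` against `data.keys.sort`, yet nothing in the code records that, so a future edit that appends a key out of alphabetical order would silently make detection return false for that version. Suggest hoisting them to frozen constants with a comment, e.g. `# Key sets of the removed Version1/Version2 encryptors; must stay sorted, they are compared to data.keys.sort`, `V1_KEYS = %w{ cipher encrypted_data iv version }.freeze` and `V2_KEYS = %w{ cipher encrypted_data hmac iv version }.freeze`, then `V1_KEYS == data.keys.sort` in the branches. The `when 3` branch still derives its key set from Version3Encryptor, so the two styles now sit side by side; the constants would at least make the hard-coded ones as discoverable. The enclosing method and the `else` branch body continue outside the hunk.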
diff --git a/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb b/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
index 9476dadb9c..5c21fb0019 100644
--- a/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
+++ b/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
@@ -37,61 +37,33 @@ describe Chef::EncryptedDataBagItem::CheckEncrypted do
context "when the item is encrypted" do
- let(:default_secret) { "abc123SECRET" }
- let(:item_name) { "item_name" }
- let(:raw_data) do
- {
- "id" => item_name,
- "greeting" => "hello",
- "nested" => {
- "a1" => [1, 2, 3],
- "a2" => { "b1" => true },
- },
- }
- end
-
- let(:version) { 1 }
- let(:encoded_data) do
- Chef::Config[:data_bag_encrypt_version] = version
- Chef::EncryptedDataBagItem.encrypt_data_bag_item(raw_data, default_secret)
- end
+ context "when the item version is unknown (perhaps a future version)" do
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "zNry4rkhV55Oltzf38eyHc/DF9a3tg==\n", "iv" => "vN3s6sSQZPKisnCr\n", "auth_tag" => "wDDEXbEMk802jrzKdRKXFQ==\n", "version" => 4, "cipher" => "aes-256-gcm" } } }
- it "does not detect encryption when the item version is unknown" do
- # It shouldn't be possible for someone to normally encrypt an item with an unknown version - they would have to
- # do something funky like encrypting it and then manually changing the version
- modified_encoded_data = encoded_data
- modified_encoded_data["greeting"]["version"] = 4
- expect(tester.encrypted?(modified_encoded_data)).to eq(false)
+ it "detects the item is not encrypted" do
+ expect(tester.encrypted?(data)).to eq(false)
+ end
end
shared_examples_for "encryption detected" do
it "detects encrypted data bag" do
- expect( encryptor ).to receive(:encryptor_keys).at_least(:once).and_call_original
- expect(tester.encrypted?(encoded_data)).to eq(true)
+ expect(tester.encrypted?(data)).to eq(true)
end
end
context "when encryption version is 1" do
- include_examples "encryption detected" do
- let(:version) { 1 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor }
- end
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "Vt21byoOCqjA3DGbQ/lc+xAB+Ku/56U1pD/D8jqALM4=\n", "iv" => "ZCOtnZide5/Su5DNBx+qRg==\n", "version" => 1, "cipher" => "aes-256-cbc" } } }
+ include_examples "encryption detected"
end
context "when encryption version is 2" do
- include_examples "encryption detected" do
- let(:version) { 2 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor }
- end
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "58mIocj2ab0qyhciEVy87Jot3KwPQuWNitWrOQjGm3U=\n", "hmac" => "g0SuXbzs2bKt/EARFawbd26n4XkDAiLjsxcQS/EMKT8=\n", "iv" => "ynzwVUWIKzTOi+TaDaVRrA==\n", "version" => 2, "cipher" => "aes-256-cbc" } } }
+ include_examples "encryption detected"
end
- context "when encryption version is 3", :aes_256_gcm_only do
- include_examples "encryption detected" do
- let(:version) { 3 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor }
- end
+ context "when encryption version is 3" do
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "zNry4rkhV55Oltzf38eyHc/DF9a3tg==\n", "iv" => "vN3s6sSQZPKisnCr\n", "auth_tag" => "wDDEXbEMk802jrzKdRKXFQ==\n", "version" => 3, "cipher" => "aes-256-gcm" } } }
+ include_examples "encryption detected"
end
-
end
-
end
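Review bot: The rewritten specs only assert the positive path for each known version plus an unknown version, so there is no coverage that the hard-coded key lists in CheckEncrypted are strict; a payload carrying `"version" => 2` but lacking `hmac` (or a version 1 payload with an extra key) should be reported as not encrypted, and nothing here would catch a regression that loosened that comparison. Since `encrypted?` appears to inspect key names only, a negative case can reuse the version-2 fixture from this hunk with the `hmac` entry dropped. Separately, the "when the item version is unknown" context is nested under "when the item is encrypted" even though it asserts `eq(false)`, which reads oddly in the spec output; moving it up a level would make the hierarchy match the expectations. `tester` and the outer describe block are defined above the hunk.
```ruby
context "when encryption version is 2 but the hmac key is missing" do
  let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "58mIocj2ab0qyhciEVy87Jot3KwPQuWNitWrOQjGm3U=\n", "iv" => "ynzwVUWIKzTOi+TaDaVRrA==\n", "version" => 2, "cipher" => "aes-256-cbc" } } }

  it "detects the item is not encrypted" do
    expect(tester.encrypted?(data)).to eq(false)
  end
end
```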