authordanielsdeleo <dan@opscode.com>2012-11-16 12:15:35 -0800
committerdanielsdeleo <dan@opscode.com>2012-11-16 13:16:42 -0800
commit79e6406c6bfc7d779c2d787553babf4b3a61a569 (patch)
tree9a14ae1a6e3da7be653a0ebb855a8582e31d9a44
parent933cbb57c8bda3f1028c597247ec67cca64292c9 (diff)
downloadchef-79e6406c6bfc7d779c2d787553babf4b3a61a569.tar.gz
[CHEF-3616] add cipher field to edbi metadata
Adds back-compat support for adding the "cipher" field to the encrypted data bag v1 format.
-rw-r--r--chef/lib/chef/encrypted_data_bag_item.rb14
-rw-r--r--chef/spec/unit/encrypted_data_bag_item_spec.rb13
2 files changed, 26 insertions, 1 deletions
diff --git a/chef/lib/chef/encrypted_data_bag_item.rb b/chef/lib/chef/encrypted_data_bag_item.rb
index b54a06d9b0..d037334ee5 100644
--- a/chef/lib/chef/encrypted_data_bag_item.rb
+++ b/chef/lib/chef/encrypted_data_bag_item.rb
@@ -56,6 +56,9 @@ class Chef::EncryptedDataBagItem
class DecryptionFailure < StandardError
end
+ class UnsupportedCipher < StandardError
+ end
+
#=== Decryptor
# For backwards compatibility, Chef implements decryption/deserialization for
# older encrypted data bag item formats in addition to the current version.
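Review bot: `UnsupportedCipher` on line 24 is added without a comment, so a reader at a rescue site has to find the raise to learn what it signals; a one-liner above the class would do: `# Raised when an encrypted item's "cipher" field names an algorithm this version of Chef does not implement.` Note that it is declared as a sibling of `DecryptionFailure` (both inherit `StandardError` directly), so any caller that rescues only `DecryptionFailure` will not catch it — if that separation is intended, the comment should say so, otherwise consider `class UnsupportedCipher < DecryptionFailure`. The enclosing `Chef::EncryptedDataBagItem` class starts outside the hunk.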
@@ -122,6 +125,7 @@ class Chef::EncryptedDataBagItem
def openssl_decryptor
@openssl_decryptor ||= begin
+ assert_valid_cipher!
d = OpenSSL::Cipher::Cipher.new(ALGORITHM)
d.decrypt
d.key = Digest::SHA256.digest(key)
@@ -130,6 +134,16 @@ class Chef::EncryptedDataBagItem
end
end
+ def assert_valid_cipher!
+ # In the future, chef may support configurable ciphers. For now, only
+ # aes-256-cbc is supported.
+ requested_cipher = @encrypted_data["cipher"]
+ unless requested_cipher == ALGORITHM
+ raise UnsupportedCipher,
+ "Cipher '#{requested_cipher}' is not supported by this version of Chef. Available ciphers: ['#{ALGORITHM}']"
+ end
+ end
+
end
class Version0Decryptor
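Review bot: `assert_valid_cipher!` on lines 40-48 rejects a missing field as well as a wrong one: a version 1 item written before this commit carries no "cipher" key (the spec's encryptor only starts emitting it in this same change), so `@encrypted_data["cipher"]` is nil, the comparison on line 44 fails, and decryption of existing data bags aborts with the misleading message `Cipher '' is not supported`. If backward compatibility is the intent, as the commit message says, treat absence as the historical default, `requested_cipher = @encrypted_data["cipher"] || ALGORITHM`; if unlabelled items are meant to be refused, branch on nil and say "missing" in the message instead. Refusing anything other than `ALGORITHM` is the right fail-closed choice, since the field travels alongside the ciphertext and must never be allowed to select the algorithm used; a short comment stating that would help whoever later implements the configurable ciphers mentioned on line 41. The enclosing decryptor class starts outside the hunk.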
diff --git a/chef/spec/unit/encrypted_data_bag_item_spec.rb b/chef/spec/unit/encrypted_data_bag_item_spec.rb
index ce12528804..d6d1d4f66f 100644
--- a/chef/spec/unit/encrypted_data_bag_item_spec.rb
+++ b/chef/spec/unit/encrypted_data_bag_item_spec.rb
@@ -60,7 +60,8 @@ class Version1Encryptor
{
"encrypted_data" => encrypted_data,
"iv" => Base64.encode64(iv),
- "version" => 1
+ "version" => 1,
+ "cipher" => ALGORITHM
}
end
@@ -135,6 +136,16 @@ describe Chef::EncryptedDataBagItem::Decryptor do
end
end
+ context "and the cipher is not supported" do
+ before do
+ @encrypted_value["cipher"] = "aes-256-foo"
+ end
+
+ it "raises a sensible error" do
+ lambda { @decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::UnsupportedCipher)
+ end
+ end
+
end
context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do
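Review bot: The new context on lines 68-76 covers only an explicitly wrong cipher name; there is no example for an item with no "cipher" field at all, which is what every version 1 item encrypted before this change looks like. Whichever behaviour is intended — decrypting with the default algorithm or raising `UnsupportedCipher` — should be pinned so it cannot regress silently, e.g. a sibling context with `before { @encrypted_value.delete("cipher") }` and the matching expectation. Asserting on the message text as well would catch the `Cipher ''` rendering that the current implementation produces for a nil field.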