summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordanielsdeleo <dan@opscode.com>2012-11-16 13:29:49 -0800
committerdanielsdeleo <dan@opscode.com>2012-11-16 13:29:49 -0800
commit8dc20721f1c4afc3e8434516d1ebf3bc0d9264d9 (patch)
tree9a14ae1a6e3da7be653a0ebb855a8582e31d9a44
parent933cbb57c8bda3f1028c597247ec67cca64292c9 (diff)
parent79e6406c6bfc7d779c2d787553babf4b3a61a569 (diff)
downloadchef-8dc20721f1c4afc3e8434516d1ebf3bc0d9264d9.tar.gz
Merge branch 'CHEF-3616-10-stable' into 10-stable
-rw-r--r--chef/lib/chef/encrypted_data_bag_item.rb14
-rw-r--r--chef/spec/unit/encrypted_data_bag_item_spec.rb13
2 files changed, 26 insertions, 1 deletions
diff --git a/chef/lib/chef/encrypted_data_bag_item.rb b/chef/lib/chef/encrypted_data_bag_item.rb
index b54a06d9b0..d037334ee5 100644
--- a/chef/lib/chef/encrypted_data_bag_item.rb
+++ b/chef/lib/chef/encrypted_data_bag_item.rb
@@ -56,6 +56,9 @@ class Chef::EncryptedDataBagItem
class DecryptionFailure < StandardError
end
+ class UnsupportedCipher < StandardError
+ end
+
#=== Decryptor
# For backwards compatibility, Chef implements decryption/deserialization for
# older encrypted data bag item formats in addition to the current version.
@@ -122,6 +125,7 @@ class Chef::EncryptedDataBagItem
def openssl_decryptor
@openssl_decryptor ||= begin
+ assert_valid_cipher!
d = OpenSSL::Cipher::Cipher.new(ALGORITHM)
d.decrypt
d.key = Digest::SHA256.digest(key)
@@ -130,6 +134,16 @@ class Chef::EncryptedDataBagItem
end
end
+ def assert_valid_cipher!
+ # In the future, chef may support configurable ciphers. For now, only
+ # aes-256-cbc is supported.
+ requested_cipher = @encrypted_data["cipher"]
+ unless requested_cipher == ALGORITHM
+ raise UnsupportedCipher,
+ "Cipher '#{requested_cipher}' is not supported by this version of Chef. Available ciphers: ['#{ALGORITHM}']"
+ end
+ end
+
end
class Version0Decryptor
diff --git a/chef/spec/unit/encrypted_data_bag_item_spec.rb b/chef/spec/unit/encrypted_data_bag_item_spec.rb
index ce12528804..d6d1d4f66f 100644
--- a/chef/spec/unit/encrypted_data_bag_item_spec.rb
+++ b/chef/spec/unit/encrypted_data_bag_item_spec.rb
@@ -60,7 +60,8 @@ class Version1Encryptor
{
"encrypted_data" => encrypted_data,
"iv" => Base64.encode64(iv),
- "version" => 1
+ "version" => 1,
+ "cipher" => ALGORITHM
}
end
@@ -135,6 +136,16 @@ describe Chef::EncryptedDataBagItem::Decryptor do
end
end
+ context "and the cipher is not supported" do
+ before do
+ @encrypted_value["cipher"] = "aes-256-foo"
+ end
+
+ it "raises a sensible error" do
+ lambda { @decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::UnsupportedCipher)
+ end
+ end
+
end
context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do