author | danielsdeleo <dan@opscode.com> | 2012-11-16 13:29:49 -0800 |
---|---|---|
committer | danielsdeleo <dan@opscode.com> | 2012-11-16 13:29:49 -0800 |
commit | 8dc20721f1c4afc3e8434516d1ebf3bc0d9264d9 (patch) | |
tree | 9a14ae1a6e3da7be653a0ebb855a8582e31d9a44 | |
parent | 933cbb57c8bda3f1028c597247ec67cca64292c9 (diff) | |
parent | 79e6406c6bfc7d779c2d787553babf4b3a61a569 (diff) | |
Merge branch 'CHEF-3616-10-stable' into 10-stable
-rw-r--r-- | chef/lib/chef/encrypted_data_bag_item.rb | 14 | ||||
-rw-r--r-- | chef/spec/unit/encrypted_data_bag_item_spec.rb | 13 |
2 files changed, 26 insertions, 1 deletions
diff --git a/chef/lib/chef/encrypted_data_bag_item.rb b/chef/lib/chef/encrypted_data_bag_item.rb index b54a06d9b0..d037334ee5 100644 --- a/chef/lib/chef/encrypted_data_bag_item.rb +++ b/chef/lib/chef/encrypted_data_bag_item.rb @@ -56,6 +56,9 @@ class Chef::EncryptedDataBagItem class DecryptionFailure < StandardError end + class UnsupportedCipher < StandardError + end + #=== Decryptor # For backwards compatibility, Chef implements decryption/deserialization for # older encrypted data bag item formats in addition to the current version. @@ -122,6 +125,7 @@ class Chef::EncryptedDataBagItem def openssl_decryptor @openssl_decryptor ||= begin + assert_valid_cipher! d = OpenSSL::Cipher::Cipher.new(ALGORITHM) d.decrypt d.key = Digest::SHA256.digest(key) @@ -130,6 +134,16 @@ class Chef::EncryptedDataBagItem end end + def assert_valid_cipher! + # In the future, chef may support configurable ciphers. For now, only + # aes-256-cbc is supported. + requested_cipher = @encrypted_data["cipher"] + unless requested_cipher == ALGORITHM + raise UnsupportedCipher, + "Cipher '#{requested_cipher}' is not supported by this version of Chef. Available ciphers: ['#{ALGORITHM}']" + end + end + end class Version0Decryptor diff --git a/chef/spec/unit/encrypted_data_bag_item_spec.rb b/chef/spec/unit/encrypted_data_bag_item_spec.rb index ce12528804..d6d1d4f66f 100644 --- a/chef/spec/unit/encrypted_data_bag_item_spec.rb +++ b/chef/spec/unit/encrypted_data_bag_item_spec.rb @@ -60,7 +60,8 @@ class Version1Encryptor { "encrypted_data" => encrypted_data, "iv" => Base64.encode64(iv), - "version" => 1 + "version" => 1, + "cipher" => ALGORITHM } end 
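Review bot: `UnsupportedCipher` is declared as a direct child of `StandardError`, next to `DecryptionFailure` rather than under it, so any caller that rescues only `DecryptionFailure` around decryption will not catch it. Whether such callers exist is not visible in this diff. A one-line comment above the class would make the contract explicit, e.g. `# Raised before any decryption is attempted when the item's "cipher" field is not one this version supports.`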
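Review bot: In `assert_valid_cipher!`, an item with no "cipher" key gives `requested_cipher == nil`, so it is rejected with "Cipher '' is not supported…", which hides that the field was missing rather than wrong. If version 1 items written without this field are still in circulation (not visible from this diff), they would stop decrypting. The absent case deserves its own message, e.g. `raise UnsupportedCipher, "Encrypted data bag item has no 'cipher' field" if requested_cipher.nil?`, and its own example next to the "aes-256-foo" case in encrypted_data_bag_item_spec.rb. The strict comparison is otherwise the right shape, because the decryptor is still built from the `ALGORITHM` constant and never from the value read out of the item. The body of `openssl_decryptor` continues between the two hunks and is not fully shown.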
@@ -135,6 +136,16 @@ describe Chef::EncryptedDataBagItem::Decryptor do end end + context "and the cipher is not supported" do + before do + @encrypted_value["cipher"] = "aes-256-foo" + end + + it "raises a sensible error" do + lambda { @decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::UnsupportedCipher) + end + end + end context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do |
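Review bot: The new example pins only the exception class, so a regression that raised `UnsupportedCipher` with an empty or misleading message would still pass. Matching the message as well keeps the rejected name visible to whoever has to diagnose the failure: `lambda { @decryptor.for_decrypted_item }.should raise_error(Chef::EncryptedDataBagItem::UnsupportedCipher, /aes-256-foo/)`. The description "raises a sensible error" could name the behaviour, e.g. `it "raises UnsupportedCipher naming the rejected cipher"`. The enclosing describe/context blocks start outside the hunk.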