Diffstat (limited to 'spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb')
-rw-r--r-- | spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb | 54 |
1 files changed, 13 insertions, 41 deletions
diff --git a/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb b/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
index 9476dadb9c..5c21fb0019 100644
--- a/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
+++ b/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
@@ -37,61 +37,33 @@ describe Chef::EncryptedDataBagItem::CheckEncrypted do
 context "when the item is encrypted" do
- let(:default_secret) { "abc123SECRET" }
- let(:item_name) { "item_name" }
- let(:raw_data) do
- {
- "id" => item_name,
- "greeting" => "hello",
- "nested" => {
- "a1" => [1, 2, 3],
- "a2" => { "b1" => true },
- },
- }
- end
-
- let(:version) { 1 }
- let(:encoded_data) do
- Chef::Config[:data_bag_encrypt_version] = version
- Chef::EncryptedDataBagItem.encrypt_data_bag_item(raw_data, default_secret)
- end
+ context "when the item version is unknown (perhaps a future version)" do
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "zNry4rkhV55Oltzf38eyHc/DF9a3tg==\n", "iv" => "vN3s6sSQZPKisnCr\n", "auth_tag" => "wDDEXbEMk802jrzKdRKXFQ==\n", "version" => 4, "cipher" => "aes-256-gcm" } } }
- it "does not detect encryption when the item version is unknown" do
- # It shouldn't be possible for someone to normally encrypt an item with an unknown version - they would have to
- # do something funky like encrypting it and then manually changing the version
- modified_encoded_data = encoded_data
- modified_encoded_data["greeting"]["version"] = 4
- expect(tester.encrypted?(modified_encoded_data)).to eq(false)
+ it "detects the item is not encrypted" do
+ expect(tester.encrypted?(data)).to eq(false)
+ end
+ end
 end
 shared_examples_for "encryption detected" do
 it "detects encrypted data bag" do
- expect( encryptor ).to receive(:encryptor_keys).at_least(:once).and_call_original
- expect(tester.encrypted?(encoded_data)).to eq(true)
+ expect(tester.encrypted?(data)).to eq(true)
 end
 end
 context "when encryption version is 1" do
- include_examples "encryption detected" do
- let(:version) { 1 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor }
- end
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "Vt21byoOCqjA3DGbQ/lc+xAB+Ku/56U1pD/D8jqALM4=\n", "iv" => "ZCOtnZide5/Su5DNBx+qRg==\n", "version" => 1, "cipher" => "aes-256-cbc" } } }
+ include_examples "encryption detected"
 end
 context "when encryption version is 2" do
- include_examples "encryption detected" do
- let(:version) { 2 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor }
- end
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "58mIocj2ab0qyhciEVy87Jot3KwPQuWNitWrOQjGm3U=\n", "hmac" => "g0SuXbzs2bKt/EARFawbd26n4XkDAiLjsxcQS/EMKT8=\n", "iv" => "ynzwVUWIKzTOi+TaDaVRrA==\n", "version" => 2, "cipher" => "aes-256-cbc" } } }
+ include_examples "encryption detected"
 end
- context "when encryption version is 3", :aes_256_gcm_only do
- include_examples "encryption detected" do
- let(:version) { 3 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor }
- end
+ context "when encryption version is 3" do
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "zNry4rkhV55Oltzf38eyHc/DF9a3tg==\n", "iv" => "vN3s6sSQZPKisnCr\n", "auth_tag" => "wDDEXbEMk802jrzKdRKXFQ==\n", "version" => 3, "cipher" => "aes-256-gcm" } } }
+ include_examples "encryption detected"
 end
- end
- end |
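Review bot: With the hard-coded `let(:data)` fixtures, nothing in these examples ties the expected key set to what the encryptors actually emit any more; the removed `expect( encryptor ).to receive(:encryptor_keys)` assertion and the `encrypt_data_bag_item` round trip were the only such link visible in this hunk. If a Version1/2/3 encryptor later changes its output shape, these examples would presumably still pass while `encrypted?` reports real encrypted items as plaintext. Consider keeping one example per version that passes the output of `Chef::EncryptedDataBagItem.encrypt_data_bag_item(raw_data, default_secret)` to `tester.encrypted?`, or at least a comment above the fixtures such as `# static fixtures; regenerate with encrypt_data_bag_item if encryptor_keys changes`. The version 4 fixture reuses the version 3 ciphertext, IV and auth tag so that only `"version"` differs, and a one-line comment saying so would make that intent explicit. The enclosing `describe` block starts outside the hunk.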