Diffstat (limited to 'spec/unit/encrypted_data_bag_item_spec.rb')
-rw-r--r-- | spec/unit/encrypted_data_bag_item_spec.rb | 43 |
1 files changed, 8 insertions, 35 deletions
diff --git a/spec/unit/encrypted_data_bag_item_spec.rb b/spec/unit/encrypted_data_bag_item_spec.rb
index 15e4057ec3..badb72c161 100644
--- a/spec/unit/encrypted_data_bag_item_spec.rb
+++ b/spec/unit/encrypted_data_bag_item_spec.rb
@@ -32,10 +32,9 @@ module Version0Encryptor end end -describe Chef::EncryptedDataBagItem::Encryptor do - +describe Chef::EncryptedDataBagItem::Encryptor do subject(:encryptor) { described_class.new(plaintext_data, key) } - let(:plaintext_data) { {"foo" => "bar"} } + let(:plaintext_data) { { "foo" => "bar" } } let(:key) { "passwd" } it "encrypts to format version 1 by default" do
@@ -58,7 +57,6 @@ describe Chef::EncryptedDataBagItem::Encryptor do it "serializes the value in a de-serializable way" do expect(Chef::JSONCompat.from_json(encryptor.serialized_data)["json_wrapper"]).to eq 5 end - end describe "wrapping secret values in an envelope" do
@@ -72,7 +70,6 @@ describe Chef::EncryptedDataBagItem::Encryptor do end describe "when using version 2 format" do - before do Chef::Config[:data_bag_encrypt_version] = 2 end
@@ -98,7 +95,6 @@ describe Chef::EncryptedDataBagItem::Encryptor do end context "on supported platforms", :aes_256_gcm_only, :ruby_20_only do - it "creates a version 3 encryptor" do expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor) end
@@ -118,7 +114,6 @@ describe Chef::EncryptedDataBagItem::Encryptor do it "throws an error if auth tag is read before encrypting the data" do expect { encryptor.auth_tag }.to raise_error(Chef::EncryptedDataBagItem::EncryptionFailure) end - end # context on supported platforms context "on unsupported platforms" do
@@ -133,26 +128,20 @@ describe Chef::EncryptedDataBagItem::Encryptor do end context "on platforms with old OpenSSL", :openssl_lt_101 do - it "throws an error warning about the OpenSSL version" do expect { encryptor }.to raise_error(Chef::EncryptedDataBagItem::EncryptedDataBagRequirementsFailure, /requires an OpenSSL/) end - end # context on platforms with old OpenSSL - end # context on unsupported platforms - end # when using version 3 format - end describe Chef::EncryptedDataBagItem::Decryptor do - subject(:decryptor) { described_class.for(encrypted_value, decryption_key) } - let(:plaintext_data) { {"foo" => "bar"} } + let(:plaintext_data) { { "foo" => "bar" } } let(:encryption_key) { "passwd" } let(:decryption_key) { encryption_key } - let(:json_wrapped_data) { Chef::JSONCompat.to_json({"json_wrapper" => plaintext_data}) } + let(:json_wrapped_data) { Chef::JSONCompat.to_json({ "json_wrapper" => plaintext_data }) } shared_examples "decryption examples" do it "decrypts the encrypted value" do
@@ -165,9 +154,7 @@ describe Chef::EncryptedDataBagItem::Decryptor do end context "when decrypting a version 3 (JSON+aes-256-gcm+random iv+auth tag) encrypted value" do - context "on supported platforms", :aes_256_gcm_only, :ruby_20_only do - let(:encrypted_value) do Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor.new(plaintext_data, encryption_key).for_encrypted_item end
@@ -185,7 +172,6 @@ describe Chef::EncryptedDataBagItem::Decryptor do encrypted_value.delete("auth_tag") expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure) end - end # context on supported platforms context "on unsupported platforms" do
@@ -199,15 +185,11 @@ describe Chef::EncryptedDataBagItem::Decryptor do end context "on platforms with old OpenSSL", :openssl_lt_101 do - it "throws an error warning about the OpenSSL version" do expect { decryptor }.to raise_error(Chef::EncryptedDataBagItem::EncryptedDataBagRequirementsFailure, /requires an OpenSSL/) end - end # context on unsupported platforms - end # context on platforms with old OpenSSL - end # context when decrypting a version 3 context "when decrypting a version 2 (JSON+aes-256-cbc+hmac-sha256+random iv) encrypted value" do
@@ -232,11 +214,9 @@ describe Chef::EncryptedDataBagItem::Decryptor do encrypted_value.delete("hmac") expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure) end - end context "when decrypting a version 1 (JSON+aes-256-cbc+random iv) encrypted value" do - let(:encrypted_value) do Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, encryption_key).for_encrypted_item end
@@ -285,12 +265,10 @@ describe Chef::EncryptedDataBagItem::Decryptor do it "raises an error attempting to decrypt" do expect { decryptor }.to raise_error(Chef::EncryptedDataBagItem::UnacceptableEncryptedDataBagItemFormat) end - end - end - context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value", :not_supported_under_fips do + context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value", :not_supported_under_fips do let(:encrypted_value) do Version0Encryptor.encrypt_value(plaintext_data, encryption_key) end
@@ -311,9 +289,7 @@ describe Chef::EncryptedDataBagItem::Decryptor do it "raises an error attempting to decrypt" do expect { decryptor }.to raise_error(Chef::EncryptedDataBagItem::UnacceptableEncryptedDataBagItemFormat) end - end - end end
@@ -321,15 +297,14 @@ describe Chef::EncryptedDataBagItem do subject { described_class } let(:encrypted_data_bag_item) { subject.new(encoded_data, secret) } let(:plaintext_data) {{ - "id" => "item_name", - "greeting" => "hello", - "nested" => { "a1" => [1, 2, 3], "a2" => { "b1" => true }}, + "id" => "item_name", + "greeting" => "hello", + "nested" => { "a1" => [1, 2, 3], "a2" => { "b1" => true } }, }} let(:secret) { "abc123SECRET" } let(:encoded_data) { subject.encrypt_data_bag_item(plaintext_data, secret) } describe "encrypting" do - it "doesn't encrypt the 'id' key" do expect(encoded_data["id"]).to eq "item_name" end
@@ -353,11 +328,9 @@ describe Chef::EncryptedDataBagItem do expect(encoded_data["nested"]["encrypted_data"]).to eq(encryptor.for_encrypted_item["encrypted_data"]) end - end describe "decrypting" do - it "doesn't try to decrypt 'id'" do expect(encrypted_data_bag_item["id"]).to eq(plaintext_data["id"]) end |