path: root/spec/unit/encrypted_data_bag_item_spec.rb
Commit log (message, author, date, files changed, lines removed/added):

* CHEF-4441: emit reasonable error message when there is no default data bag secret (John Keiser, 2013-12-03, 1 file, -18/+32)

* Reset configuration before each test (John Keiser, 2013-09-16, 1 file, -15/+0)

* Use Chef::Config.reset in tests instead of save/load config (John Keiser, 2013-09-13, 1 file, -6/+6)

* [CHEF-3615] Make encrypted data bag format configurable (danielsdeleo, 2013-04-30, 1 file, -2/+51)

  * Add an option to configure the version used when encrypting data bag items. This allows users to opt in to newer encrypted data bag formats while the default remains compatible with earlier chef versions.
  * Add an option to set a minimum valid encrypted data bag item format. This is useful on the client so that, for example, a MITM attacker cannot downgrade a v2 EDBI to v1.

* [CHEF-3615] version 2 encryptor/decryptor for EDBIs (danielsdeleo, 2013-04-30, 1 file, -26/+41)

  Authenticated encryption data bag items will be version 2 of the encrypted data bag item format instead of tacked on to the version 1 format. Authenticated encryption via OpenSSL cipher was considered, but older openssl versions do not have, e.g., aes-256-gcm, so we are implementing encrypt-then-mac with hmac-sha256 on top of the existing aes cipher. Code passes tests but is not yet exposed in configuration.

  TODO:
  * Allow user to set desired version for encrypt.
  * Allow user to set minimum required version for decrypt. Without this change, a MITM could simply change the format version to 1 to bypass the hmac.

* [CHEF-3858] ensure invalid key always fails to decrypt (danielsdeleo, 2013-04-30, 1 file, -0/+23)

  In CI, we occasionally see test failures when decryption with an incorrect key does not raise an error, but instead returns garbage. This fixes that issue by adding an HMAC-SHA2-256 of the encrypted data to the version 1 format. For backwards compatibility, decryption will continue if the hmac is missing; therefore, this does not increase the security of encrypted data bag items.

* [CHEF-3858] rescue bad json errors and re-raise as decryption failures (danielsdeleo, 2013-04-26, 1 file, -0/+11)

* [CHEF-4011] s/Version1Decryptor/Version0Decryptor/ (Seth Chisamore, 2013-04-11, 1 file, -2/+2)

  This properly matches the code in `Chef::EncryptedDataBagItem`:
  * Version0Decryptor == legacy YAML-based format
  * Version1Decryptor == preferred JSON-based format

* [CHEF-4011] move default secret file path to Chef::Config (Seth Chisamore, 2013-04-11, 1 file, -11/+3)

  * Remove references to DEFAULT_SECRET_FILE from `Chef::EncryptedDataBagItem`.
  * Add new `:encrypted_data_bag_secret` value to `Chef::Config`.
  * Ensure Chef::Config[:encrypted_data_bag_secret] is nil if the secret does not exist at the default path.
  * Updated test coverage in `config_spec` and `encrypted_data_bag_item_spec`.

* modern RSpec update for encrypted_data_bag_item_spec (Seth Chisamore, 2013-04-11, 1 file, -88/+93)

  * prefer `subject` and `let` blocks to instance variables and before blocks
  * `eq` instead of `==`
  * remove the 'shoulds' from example descriptions

* [CHEF-3616] add cipher field to edbi metadata (danielsdeleo, 2012-11-16, 1 file, -0/+11)

  Adds "cipher" to the metadata fields for encrypted data bag items. This enables user-configurable ciphers in the future. Cipher is still hard-coded to aes-256-cbc for now.

* [CHEF-3392] remove unused `from_plain_hash` method (danielsdeleo, 2012-11-15, 1 file, -4/+0)

* [CHEF-3392] JSON serialize encrypted data bags, use random IV (danielsdeleo, 2012-11-14, 1 file, -6/+115)

  * Use JSON instead of YAML to serialize encrypted data bag values before encrypting.
  * Use a random IV for each encrypted value for resilience against some types of crypto attacks. Fixes CHEF-3480.

* [OC-3564] move core Chef to the repo root \o/ \m/ (Seth Chisamore, 2012-10-30, 1 file, -0/+122)

  The opscode/chef repository now only contains the core Chef library code used by chef-client, knife and chef-solo!