From 2b020c1d6e5b919a8acb0fea666b1c4689d1fde9 Mon Sep 17 00:00:00 2001
From: Tim Smith
Date: Tue, 28 Jan 2020 13:41:13 -0800
Subject: Refactor how CheckEncrypted checks legacy data bags
We no longer have the encryptor classes for v1 and v2 so just hard code the list of keys in the CheckEncrypted class. Also rework the specs to just use data that has been encrypted already. This saves time and let's us check the legacy versions.
Signed-off-by: Tim Smith
---
.../encrypted_data_bag_item/check_encrypted.rb | 4 +-
.../check_encrypted_spec.rb | 54 ++++++----------------
2 files changed, 15 insertions(+), 43 deletions(-)
diff --git a/lib/chef/encrypted_data_bag_item/check_encrypted.rb b/lib/chef/encrypted_data_bag_item/check_encrypted.rb
index 6938f3ee79..851d83a6c0 100644
--- a/lib/chef/encrypted_data_bag_item/check_encrypted.rb
+++ b/lib/chef/encrypted_data_bag_item/check_encrypted.rb
@@ -58,9 +58,9 @@ class Chef::EncryptedDataBagItem
 case data["version"]
 when 1
- Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor.encryptor_keys.sort == data.keys.sort
+ %w{ cipher encrypted_data iv version } == data.keys.sort
 when 2
- Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor.encryptor_keys.sort == data.keys.sort
+ %w{ cipher encrypted_data hmac iv version } == data.keys.sort
 when 3
 Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor.encryptor_keys.sort == data.keys.sort
 else
diff --git a/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb b/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
index 9476dadb9c..5c21fb0019 100644
--- a/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
+++ b/spec/unit/encrypted_data_bag_item/check_encrypted_spec.rb
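Review bot: The `when 1` and `when 2` branches now compare against inline `%w{}` literals while `when 3` still delegates to `Version3Encryptor.encryptor_keys`, so a reader cannot tell from the code why two versions are hard-coded and one is not. I would hoist the two lists to frozen class constants and record their origin, e.g. `# Key sets written by the removed Version1/Version2 encryptors; kept so legacy items are still recognised` above `VERSION1_KEYS = %w{ cipher encrypted_data iv version }.freeze` and `VERSION2_KEYS = %w{ cipher encrypted_data hmac iv version }.freeze`, then reference them from the `case`. It is also worth a comment on the method that this is a shape check on key names only: a true result does not verify the v2 `hmac` or the v3 auth tag, so callers should not read it as an integrity check. The enclosing method and its `case` continue outside the hunk.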
@@ -37,61 +37,33 @@ describe Chef::EncryptedDataBagItem::CheckEncrypted do
 context "when the item is encrypted" do
- let(:default_secret) { "abc123SECRET" }
- let(:item_name) { "item_name" }
- let(:raw_data) do
- {
- "id" => item_name,
- "greeting" => "hello",
- "nested" => {
- "a1" => [1, 2, 3],
- "a2" => { "b1" => true },
- },
- }
- end
-
- let(:version) { 1 }
- let(:encoded_data) do
- Chef::Config[:data_bag_encrypt_version] = version
- Chef::EncryptedDataBagItem.encrypt_data_bag_item(raw_data, default_secret)
- end
+ context "when the item version is unknown (perhaps a future version)" do
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "zNry4rkhV55Oltzf38eyHc/DF9a3tg==\n", "iv" => "vN3s6sSQZPKisnCr\n", "auth_tag" => "wDDEXbEMk802jrzKdRKXFQ==\n", "version" => 4, "cipher" => "aes-256-gcm" } } }
- it "does not detect encryption when the item version is unknown" do
- # It shouldn't be possible for someone to normally encrypt an item with an unknown version - they would have to
- # do something funky like encrypting it and then manually changing the version
- modified_encoded_data = encoded_data
- modified_encoded_data["greeting"]["version"] = 4
- expect(tester.encrypted?(modified_encoded_data)).to eq(false)
+ it "detects the item is not encrypted" do
+ expect(tester.encrypted?(data)).to eq(false)
+ end
 end
 shared_examples_for "encryption detected" do
 it "detects encrypted data bag" do
- expect( encryptor ).to receive(:encryptor_keys).at_least(:once).and_call_original
- expect(tester.encrypted?(encoded_data)).to eq(true)
+ expect(tester.encrypted?(data)).to eq(true)
 end
 end
 context "when encryption version is 1" do
- include_examples "encryption detected" do
- let(:version) { 1 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor }
- end
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "Vt21byoOCqjA3DGbQ/lc+xAB+Ku/56U1pD/D8jqALM4=\n", "iv" => "ZCOtnZide5/Su5DNBx+qRg==\n", "version" => 1, "cipher" => "aes-256-cbc" } } }
+ include_examples "encryption detected"
 end
 context "when encryption version is 2" do
- include_examples "encryption detected" do
- let(:version) { 2 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor }
- end
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "58mIocj2ab0qyhciEVy87Jot3KwPQuWNitWrOQjGm3U=\n", "hmac" => "g0SuXbzs2bKt/EARFawbd26n4XkDAiLjsxcQS/EMKT8=\n", "iv" => "ynzwVUWIKzTOi+TaDaVRrA==\n", "version" => 2, "cipher" => "aes-256-cbc" } } }
+ include_examples "encryption detected"
 end
- context "when encryption version is 3", :aes_256_gcm_only do
- include_examples "encryption detected" do
- let(:version) { 3 }
- let(:encryptor) { Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor }
- end
+ context "when encryption version is 3" do
+ let(:data) { { "id" => "test1", "foo" => { "encrypted_data" => "zNry4rkhV55Oltzf38eyHc/DF9a3tg==\n", "iv" => "vN3s6sSQZPKisnCr\n", "auth_tag" => "wDDEXbEMk802jrzKdRKXFQ==\n", "version" => 3, "cipher" => "aes-256-gcm" } } }
+ include_examples "encryption detected"
 end
-
 end
-
 end
-- cgit v1.2.1