1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
|
#
# Author:: Seth Falcon (<seth@opscode.com>)
# Copyright:: Copyright 2010-2011 Opscode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require "spec_helper"
require "chef/encrypted_data_bag_item"
module Version0Encryptor
def self.encrypt_value(plaintext_data, key)
data = plaintext_data.to_yaml
cipher = OpenSSL::Cipher.new("aes-256-cbc")
cipher.encrypt
cipher.pkcs5_keyivgen(key)
encrypted_bytes = cipher.update(data)
encrypted_bytes << cipher.final
Base64.encode64(encrypted_bytes)
end
end
describe Chef::EncryptedDataBagItem::Encryptor do
subject(:encryptor) { described_class.new(plaintext_data, key) }
let(:plaintext_data) { {"foo" => "bar"} }
let(:key) { "passwd" }
it "encrypts to format version 1 by default" do
expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version1Encryptor)
end
describe "generating a random IV" do
it "generates a new IV for each encryption pass" do
encryptor2 = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, key)
# No API in ruby OpenSSL to get the iv is used for the encryption back
# out. Instead we test if the encrypted data is the same. If it *is* the
# same, we assume the IV was the same each time.
expect(encryptor.encrypted_data).not_to eq encryptor2.encrypted_data
end
end
describe "when encrypting a non-hash non-array value" do
let(:plaintext_data) { 5 }
it "serializes the value in a de-serializable way" do
expect(Chef::JSONCompat.from_json(encryptor.serialized_data)["json_wrapper"]).to eq 5
end
end
describe "wrapping secret values in an envelope" do
it "wraps the encrypted data in an envelope with the iv and version" do
final_data = encryptor.for_encrypted_item
expect(final_data["encrypted_data"]).to eq encryptor.encrypted_data
expect(final_data["iv"]).to eq Base64.encode64(encryptor.iv)
expect(final_data["version"]).to eq 1
expect(final_data["cipher"]).to eq "aes-256-cbc"
end
end
describe "when using version 2 format" do
before do
Chef::Config[:data_bag_encrypt_version] = 2
end
it "creates a version 2 encryptor" do
expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor)
end
it "generates an hmac based on ciphertext with different iv" do
encryptor2 = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, key)
expect(encryptor.hmac).not_to eq(encryptor2.hmac)
end
it "includes the hmac in the envelope" do
final_data = encryptor.for_encrypted_item
expect(final_data["hmac"]).to eq(encryptor.hmac)
end
end
describe "when using version 3 format" do
before do
Chef::Config[:data_bag_encrypt_version] = 3
end
context "on supported platforms", :aes_256_gcm_only, :ruby_20_only do
it "creates a version 3 encryptor" do
expect(encryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor)
end
it "generates different authentication tags" do
encryptor3 = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, key)
encryptor.for_encrypted_item # required to generate the auth_tag
encryptor3.for_encrypted_item
expect(encryptor.auth_tag).not_to eq(encryptor3.auth_tag)
end
it "includes the auth_tag in the envelope" do
final_data = encryptor.for_encrypted_item
expect(final_data["auth_tag"]).to eq(Base64::encode64(encryptor.auth_tag))
end
it "throws an error if auth tag is read before encrypting the data" do
expect { encryptor.auth_tag }.to raise_error(Chef::EncryptedDataBagItem::EncryptionFailure)
end
end # context on supported platforms
context "on unsupported platforms" do
let(:aead_algorithm) { Chef::EncryptedDataBagItem::AEAD_ALGORITHM }
it "throws an error warning about the OpenSSL version if it has no GCM support" do
# Force Ruby with AEAD support
allow(OpenSSL::Cipher).to receive(:method_defined?).with(:auth_data=).and_return(true)
# OpenSSL without AEAD support
expect(OpenSSL::Cipher).to receive(:ciphers).and_return([])
expect { encryptor }.to raise_error(Chef::EncryptedDataBagItem::EncryptedDataBagRequirementsFailure, /requires an OpenSSL/)
end
context "on platforms with old OpenSSL", :openssl_lt_101 do
it "throws an error warning about the OpenSSL version" do
expect { encryptor }.to raise_error(Chef::EncryptedDataBagItem::EncryptedDataBagRequirementsFailure, /requires an OpenSSL/)
end
end # context on platforms with old OpenSSL
end # context on unsupported platforms
end # when using version 3 format
end
describe Chef::EncryptedDataBagItem::Decryptor do
subject(:decryptor) { described_class.for(encrypted_value, decryption_key) }
let(:plaintext_data) { {"foo" => "bar"} }
let(:encryption_key) { "passwd" }
let(:decryption_key) { encryption_key }
let(:json_wrapped_data) { Chef::JSONCompat.to_json({"json_wrapper" => plaintext_data}) }
shared_examples "decryption examples" do
it "decrypts the encrypted value" do
expect(decryptor.decrypted_data).to eq(json_wrapped_data)
end
it "unwraps the encrypted data and returns it" do
expect(decryptor.for_decrypted_item).to eq plaintext_data
end
end
context "when decrypting a version 3 (JSON+aes-256-gcm+random iv+auth tag) encrypted value" do
context "on supported platforms", :aes_256_gcm_only, :ruby_20_only do
let(:encrypted_value) do
Chef::EncryptedDataBagItem::Encryptor::Version3Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
end
let(:bogus_auth_tag) { "bogus_auth_tag" }
include_examples "decryption examples"
it "rejects the data if the authentication tag is wrong" do
encrypted_value["auth_tag"] = bogus_auth_tag
expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end
it "rejects the data if the authentication tag is missing" do
encrypted_value.delete("auth_tag")
expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end
end # context on supported platforms
context "on unsupported platforms" do
let(:encrypted_value) do
{
"encrypted_data" => "",
"iv" => "",
"version" => 3,
"cipher" => "aes-256-cbc",
}
end
context "on platforms with old OpenSSL", :openssl_lt_101 do
it "throws an error warning about the OpenSSL version" do
expect { decryptor }.to raise_error(Chef::EncryptedDataBagItem::EncryptedDataBagRequirementsFailure, /requires an OpenSSL/)
end
end # context on unsupported platforms
end # context on platforms with old OpenSSL
end # context when decrypting a version 3
context "when decrypting a version 2 (JSON+aes-256-cbc+hmac-sha256+random iv) encrypted value" do
let(:encrypted_value) do
Chef::EncryptedDataBagItem::Encryptor::Version2Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
end
let(:bogus_hmac) do
digest = OpenSSL::Digest.new("sha256")
raw_hmac = OpenSSL::HMAC.digest(digest, "WRONG", encrypted_value["encrypted_data"])
Base64.encode64(raw_hmac)
end
include_examples "decryption examples"
it "rejects the data if the hmac is wrong" do
encrypted_value["hmac"] = bogus_hmac
expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end
it "rejects the data if the hmac is missing" do
encrypted_value.delete("hmac")
expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end
end
context "when decrypting a version 1 (JSON+aes-256-cbc+random iv) encrypted value" do
let(:encrypted_value) do
Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
end
it "selects the correct strategy for version 1" do
expect(decryptor).to be_a_instance_of Chef::EncryptedDataBagItem::Decryptor::Version1Decryptor
end
include_examples "decryption examples"
describe "and the decryption step returns invalid data" do
it "raises a decryption failure error" do
# Over a large number of tests on a variety of systems, we occasionally
# see the decryption step "succeed" but return invalid data (e.g., not
# the original plain text) [CHEF-3858]
expect(decryptor).to receive(:decrypted_data).and_return("lksajdf")
expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end
end
context "and the provided key is incorrect" do
let(:decryption_key) { "wrong-passwd" }
it "raises a sensible error" do
expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::DecryptionFailure)
end
end
context "and the cipher is not supported" do
let(:encrypted_value) do
ev = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data, encryption_key).for_encrypted_item
ev["cipher"] = "aes-256-foo"
ev
end
it "raises a sensible error" do
expect { decryptor.for_decrypted_item }.to raise_error(Chef::EncryptedDataBagItem::UnsupportedCipher)
end
end
context "and version 2 format is required" do
before do
Chef::Config[:data_bag_decrypt_minimum_version] = 2
end
it "raises an error attempting to decrypt" do
expect { decryptor }.to raise_error(Chef::EncryptedDataBagItem::UnacceptableEncryptedDataBagItemFormat)
end
end
end
context "when decrypting a version 0 (YAML+aes-256-cbc+no iv) encrypted value" do
let(:encrypted_value) do
Version0Encryptor.encrypt_value(plaintext_data, encryption_key)
end
it "selects the correct strategy for version 0" do
expect(decryptor).to be_a_instance_of(Chef::EncryptedDataBagItem::Decryptor::Version0Decryptor)
end
it "decrypts the encrypted value" do
expect(decryptor.for_decrypted_item).to eq plaintext_data
end
context "and version 1 format is required" do
before do
Chef::Config[:data_bag_decrypt_minimum_version] = 1
end
it "raises an error attempting to decrypt" do
expect { decryptor }.to raise_error(Chef::EncryptedDataBagItem::UnacceptableEncryptedDataBagItemFormat)
end
end
end
end
describe Chef::EncryptedDataBagItem do
subject { described_class }
let(:encrypted_data_bag_item) { subject.new(encoded_data, secret) }
let(:plaintext_data) {{
"id" => "item_name",
"greeting" => "hello",
"nested" => { "a1" => [1, 2, 3], "a2" => { "b1" => true }}
}}
let(:secret) { "abc123SECRET" }
let(:encoded_data) { subject.encrypt_data_bag_item(plaintext_data, secret) }
describe "encrypting" do
it "doesn't encrypt the 'id' key" do
expect(encoded_data["id"]).to eq "item_name"
end
it "encrypts non-collection objects" do
expect(encoded_data["greeting"]["version"]).to eq 1
expect(encoded_data["greeting"]).to have_key("iv")
iv = encoded_data["greeting"]["iv"]
encryptor = Chef::EncryptedDataBagItem::Encryptor.new("hello", secret, iv)
expect(encoded_data["greeting"]["encrypted_data"]).to eq(encryptor.for_encrypted_item["encrypted_data"])
end
it "encrypts nested values" do
expect(encoded_data["nested"]["version"]).to eq 1
expect(encoded_data["nested"]).to have_key("iv")
iv = encoded_data["nested"]["iv"]
encryptor = Chef::EncryptedDataBagItem::Encryptor.new(plaintext_data["nested"], secret, iv)
expect(encoded_data["nested"]["encrypted_data"]).to eq(encryptor.for_encrypted_item["encrypted_data"])
end
end
describe "decrypting" do
it "doesn't try to decrypt 'id'" do
expect(encrypted_data_bag_item["id"]).to eq(plaintext_data["id"])
end
it "decrypts 'greeting'" do
expect(encrypted_data_bag_item["greeting"]).to eq(plaintext_data["greeting"])
end
it "decrypts 'nested'" do
expect(encrypted_data_bag_item["nested"]).to eq(plaintext_data["nested"])
end
it "decrypts everyting via to_hash" do
expect(encrypted_data_bag_item.to_hash).to eq(plaintext_data)
end
it "handles missing keys gracefully" do
expect(encrypted_data_bag_item["no-such-key"]).to be_nil
end
end
describe "loading" do
it "should defer to Chef::DataBagItem.load" do
allow(Chef::DataBagItem).to receive(:load).with(:the_bag, "my_codes").and_return(encoded_data)
edbi = Chef::EncryptedDataBagItem.load(:the_bag, "my_codes", secret)
expect(edbi["greeting"]).to eq(plaintext_data["greeting"])
end
end
describe ".load_secret" do
let(:secret) { "opensesame" }
context "when /var/mysecret exists" do
before do
allow(::File).to receive(:exist?).with("/var/mysecret").and_return(true)
allow(IO).to receive(:read).with("/var/mysecret").and_return(secret)
end
it "load_secret('/var/mysecret') reads the secret" do
expect(Chef::EncryptedDataBagItem.load_secret("/var/mysecret")).to eq secret
end
end
context "when /etc/chef/encrypted_data_bag_secret exists" do
before do
path = Chef::Config.platform_specific_path("/etc/chef/encrypted_data_bag_secret")
allow(::File).to receive(:exist?).with(path).and_return(true)
allow(IO).to receive(:read).with(path).and_return(secret)
end
it "load_secret(nil) reads the secret" do
expect(Chef::EncryptedDataBagItem.load_secret(nil)).to eq secret
end
end
context "when /etc/chef/encrypted_data_bag_secret does not exist" do
before do
path = Chef::Config.platform_specific_path("/etc/chef/encrypted_data_bag_secret")
allow(::File).to receive(:exist?).with(path).and_return(false)
end
it "load_secret(nil) emits a reasonable error message" do
expect { Chef::EncryptedDataBagItem.load_secret(nil) }.to raise_error(ArgumentError, /No secret specified and no secret found at #{Chef::Config[:encrypted_data_bag_secret]}/)
end
end
context "path argument is a URL" do
before do
allow(Kernel).to receive(:open).with("http://www.opscode.com/").and_return(StringIO.new(secret))
end
it "reads from the URL" do
expect(Chef::EncryptedDataBagItem.load_secret("http://www.opscode.com/")).to eq secret
end
end
end
end
|
