Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add chef-vault implementation #minor #101

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Conversation

lanej
Copy link

@lanej lanej commented Aug 8, 2018

Currently only supports version 3 of the encryption/decryption scheme: See https://github.com/chef/chef/blob/7c9178e5dd4ec7b5a75993c148b087bac6e5b53d/lib/chef/encrypted_data_bag_item/encryptor.rb#L162-L222

  • Encrypt data and update a data bag
  • Decrypt data with the provided client key
  • Add client
  • Add admin

Fairly minimal and the testing is weak but I thought I'd share before progressing further.


This change is Reviewable

@lanej
Copy link
Author

lanej commented Aug 8, 2018

@MarkGibbons MarkGibbons self-assigned this May 17, 2019
@MarkGibbons
Copy link
Member

Looks nice. It's taking me while to get up to speed on the code base. I'll try to get this evaluated over the next month.

@lanej
Copy link
Author

lanej commented Jul 22, 2019

@MarkGibbons great! LMK what you think and I'll fix the conflicts.

@MarkGibbons MarkGibbons changed the title Add chef-vault implementation Add chef-vault implementation #minor Jan 8, 2020
@MarkGibbons
Copy link
Member

MarkGibbons commented Jan 13, 2020

  1. I don't see an already written way to list the available vault items.
    ok - fixed
  2. May want to create a databag if it doesn't already exist when creating data bag items. Nothing hard about creating a data bag.
    ok -fixed.

@MarkGibbons
Copy link
Member

Nice code, I'm writing examples and testing against a chef server. See https://github.com/go-chef/chef/tree/vault if you want to see. I merged your branch into my vault branch and will merge it once testing and maybe a couple other feature get added.

@@ -31,7 +31,6 @@ func TestSearch_Get(t *testing.T) {
"users": "http://localhost:4000/search/users",
}
if !reflect.DeepEqual(indexes, wantedIdx) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note to self. Figure out if the deleted error message is needed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

const algorithm string = "aes-256-gcm"
const supportedVersion int = 3

var errUnsupportedVersion = errors.New("Only Version 3 encrypted values are supported")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Version 3 of what? Comment needs to be clearer.

V3 of the encrypted data bag support from chef. PR comments have a nice link.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update comments in my version.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

Keys *VaultItemKeys
Name string
Vault string
VaultService *VaultService
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trying to understand why vault service is part of the vault item structure.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pass the client connection to Item processing. Need to be clear that get is required before decrypt or update.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

}

// CreateItem creates a vault item and keys databag
func (vs *VaultService) CreateItem(vaultName, itemName string) (*VaultItem, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like Create Item creates an empty vault and then Update adds the content. Note to self, verify this and add doc to make it clear.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also need to create the data bag before creating the vault items.
OK

return item, nil
}

// UpdateItem sets the item data, encrypts with a shared key, and then encrypts the shared key with each authorized client key in the <item>_keys data bag
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this function a total replacement of the contents of the vault item? Figure it out and doc. Any local data concept (knife -m solo concept) or does it always hit the server (knife -m client)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what mode does. Looks like the code is always aimed at the server.

return nil, err
}

keysItem := map[string]interface{}{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How are the admins, client, search_query set and used? Figure that out, create code examples.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding user to an item needs to be clearer.
Also may need to handle bad users (old keys).

keys := map[string]bool{}

for name := range *databags {
if vaultName := strings.TrimSuffix(name, "_keys"); vaultName != name {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't believe this code finds chef vault data bags. The vaults don't have the _keys name, the items within the vaults have those names.

databagData := DataBagItem(itemData)

item.DataBagItem = &databagData

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to reencrypt the shared secret for the users in admins and clients as is we can't specify admins or clients which makes the feature hard to use. The search feature is also not implemented. I'm looking at adding admins and clients.

lanej added 7 commits January 26, 2020 15:24
Corrected a few spelling mistakes along the way.
Add a compatible client implementation to the chef-vault ruby version.
The testing could be much better.  I will throw the crypto tests I have
in next.  This testing is much more useful with a live chef server.
@lanej
Copy link
Author

lanej commented Jan 26, 2020

I rebased master but it seems that your other branch is pretty far along. This code base has come long way since I opened this PR. Let me know if I can help with anything.

@MarkGibbons
Copy link
Member

I'm noodling at adding users, clients and getting the search function to work. In this line

userEncodedSecret, err := EncodeSharedSecret(vs.client.Auth.PrivateKey, sharedSecret) 

in the CreateItem method. I think that is supposed to be a PublicKey. The encode and decode methods in crypt both use the PrivateKey. Both of those things and adding code to deal with multiple users and nodes need to be there IMO. If you have time, cool. Otherwise I'll likely get it. Might take me a while. You can see my branch, local vault branch, to see what I've done already. I've been adding tests against a chef server that gets spun up.

thanks,
Mark

@bhoriuchi
Copy link

bhoriuchi commented Jun 19, 2022

not sure if this is still an active effort but noticed only v3 supported. i did some similar work on https://github.com/bhoriuchi/go-chef-crypto and have v1 and v2 if interested in adding to this. also one issue i ran into to note is that the ruby base64 package adds new lines every 60 chars when you use knife so https://github.com/bhoriuchi/go-chef-crypto/blob/master/crypto.go#L211-L216 is used to replicate that.

@MarkGibbons
Copy link
Member

I'll look at this one again over the next month. The last time I looked at this I went down some really nasty rabbit holes.

@dhubler
Copy link

dhubler commented Sep 8, 2022

I'm just looking to support encryption/decryption (not vault nec.)
https://docs.chef.io/data_bags/#encrypt
I see @bhoriuchi library and from my perspective, if that was integrated into "go-chef" then I'd have what I need. If that is not possible, would there be a way to provide a "hook" into the current go-chef library for users to combine two libs on their own?

@MarkGibbons
Copy link
Member

Adding support for chef vault to this api may be too much effort for too little return.
@dhubler & @bhoriuchi adding better encryption support is something that makes sense. Could the code to do that be turned in to a pull request?

@dhubler
Copy link

dhubler commented Sep 9, 2022 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants