Emit a human-friendly error message when the vault is encrypted for a…

… node, but the private key can't decrypt the shared secret Closes #43
chef · Feb 6, 2015 · e7cd3a4 · e7cd3a4
1 parent a82658e
commit e7cd3a4
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 4 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,4 +1,6 @@
 ## Planned (Unreleased)
+## v2.4.1 / 2015-02-05
+* when decrypting, if the vault is encrypted for the node but decryption fails, emit a more friendly error message than 'OpenSSL::PKey::RSAError: padding check failed'
 
 ## Released
 ## v2.4.0 / 2014-12-03

diff --git a/README.md b/README.md
@@ -167,6 +167,7 @@ Author:: Kevin Moser - @moserke<br>
 Author:: Eli Klein - @eliklein<br>
 Author:: Joey Geiger - @jgeiger<br>
 Author:: Joshua Timberman - @jtimberman<br>
+Author:: James FitzGibbon - @jf647<br>
 
 ## Contributors
 

diff --git a/features/step_definitions/chef-vault.rb b/features/step_definitions/chef-vault.rb
@@ -28,7 +28,7 @@
 end
 
 Given(/^I try to decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |vault, item, node|
-  run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem"
+  run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem", false
 end
 
 Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/) do |vault, item, neg, nodelist|

diff --git a/features/wrong_private_key.feature b/features/wrong_private_key.feature
@@ -11,4 +11,4 @@ Feature: Wrong private key during decrypt
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
     And I regenerate the client key for the node 'one'
     And I try to decrypt the vault item 'test/item' as 'one'
-    Then the output should match /unable to decrypt item as 'one'/
+    Then the output should match /is encrypted for you, but your private key failed to decrypt the contents/
diff --git a/lib/chef-vault/item.rb b/lib/chef-vault/item.rb
@@ -96,7 +96,13 @@ def remove(key)
   def secret
     if @keys.include?(Chef::Config[:node_name])
       private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
-      private_key.private_decrypt(Base64.decode64(@keys[Chef::Config[:node_name]]))
+      begin
+        private_key.private_decrypt(Base64.decode64(@keys[Chef::Config[:node_name]]))
+      rescue OpenSSL::PKey::RSAError => e
+        raise ChefVault::Exceptions::SecretDecryption,
+          "#{data_bag}/#{id} is encrypted for you, but your private key failed to decrypt the contents.  "\
+          "(if you regenerated your client key, have an administrator of the vault run 'knife vault refresh')"
+      end
     else
       raise ChefVault::Exceptions::SecretDecryption,
         "#{data_bag}/#{id} is not encrypted with your public key.  "\

diff --git a/lib/chef-vault/version.rb b/lib/chef-vault/version.rb
@@ -14,6 +14,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "2.4.0"
+  VERSION = "2.4.1"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end