knife data bag edit <bag> <item> --encrypt will corrupt unencrypted data bags #8282

Open
lamont-granquist opened this Issue Mar 7, 2019 · 0 comments

lamont-granquist commented Mar 7, 2019

When created with knife data bag create creds whatever --encrypt, a knife data bag edit creds whatever --encrypt pops up an editor window to this and works:

{
  "id": "whatever",
  "foo": "bar"
}

When created with knife data bag create creds whatever (no --encrypt), a knife data bag edit creds whatever --encrypt pops up an editor window to this and fails:

{
  "name": "data_bag_item_creds_whatever",
  "json_class": "Chef::DataBagItem",
  "chef_type": "data_bag_item",
  "data_bag": "creds",
  "raw_data": {
    "id": "whatever",
    "foo": "bar"
  }
}

Saving it then results in corruption:

% knife data bag show creds whatever
ERROR: Chef::Exceptions::ValidationFailed: Property data_bag's value {"encrypted_data"=>"tP5mvplwGL2TfsJs/G13c6VVn4ldg2hn\n", "iv"=>"7TmYwNI59Xbmuik7\n", "auth_tag"=>"pLJ9cerNIQqHSPnJzOgSSw==\n", "version"=>3, "cipher"=>"aes-256-gcm"} does not match regular expression /^[\-[:alnum:]_]+$/

It looks like knife data bag edit --encrypt is assuming that the data bag is already encrypted and then corrupting a non-encrypted data bag. Users expect the data bag to be encrypted (although do they expect it to be magically decrypted if you forget the --encrypt? Probably they expect an error in that case).

Note that this has nothing to do with the format on disk, and this is knife communicating with the chef-server directly and not interacting with the chef-repo/chef-fs/chef-zero.

% knife --version
Chef: 14.11.21
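
A defensive check for the condition reported above, as an added example that is not part of the original issue or Chef's own code: it classifies parsed data bag item JSON as plaintext, encrypted, partly encrypted, or corrupted in the way described. The envelope key set is taken from the error output above; the shape of a corrupted item (wrapper fields replaced by encrypted values) is an assumption inferred from that error, and all sample values are constructed.

```ruby
require "json"

# Keys of the encrypted value shown in the issue's error output.
ENVELOPE_KEYS = %w[encrypted_data iv version cipher].freeze
# Wrapper fields of the serialized Chef::DataBagItem shown in the issue.
WRAPPER_KEYS = %w[name json_class chef_type data_bag raw_data].freeze

# True when a value looks like an encrypted data bag value.
def envelope?(value)
  value.is_a?(Hash) && ENVELOPE_KEYS.all? { |k| value.key?(k) }
end

# Classify one parsed item: :corrupted, :encrypted, :plaintext or :mixed.
def classify_item(item)
  # Assumed signature of this bug: wrapper fields were themselves encrypted.
  return :corrupted if WRAPPER_KEYS.any? { |k| envelope?(item[k]) }

  data = item["raw_data"].is_a?(Hash) ? item["raw_data"] : item
  values = data.reject { |key, _| key == "id" }.values
  return :plaintext if values.none? { |v| envelope?(v) }
  return :encrypted if values.all? { |v| envelope?(v) }

  :mixed
end

# Classify a hash of item name => parsed item JSON.
def audit(items)
  items.transform_values { |item| classify_item(item) }
end

# Constructed sample data; the envelope strings are placeholders, not real ciphertext.
ENVELOPE = { "encrypted_data" => "AAAA\n", "iv" => "BBBB\n", "auth_tag" => "CCCC\n",
             "version" => 3, "cipher" => "aes-256-gcm" }.freeze
SAMPLES = {
  "plain" => { "id" => "whatever", "foo" => "bar" },
  "wrapped_plain" => JSON.parse('{"name": "data_bag_item_creds_whatever",
    "json_class": "Chef::DataBagItem", "chef_type": "data_bag_item",
    "data_bag": "creds", "raw_data": {"id": "whatever", "foo": "bar"}}'),
  "encrypted" => { "id" => "whatever", "foo" => ENVELOPE },
  "half_encrypted" => { "id" => "whatever", "foo" => ENVELOPE, "bar" => "baz" },
  "corrupted" => WRAPPER_KEYS.to_h { |k| [k, ENVELOPE] }
}.freeze

audit(SAMPLES).each { |name, state| puts format("%-15s %s", name, state) }
```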