
data_bag_item decrypts on desktop but not laptop (workaround available). #8762

Open
taqtiqa-mark opened this issue Jul 21, 2019 · 0 comments

Description

The command:

```ruby
data_bag_item('users', user, IO.read("/home/#{user}/chef/.chef/data_bag_secret.b64"))
```

decrypts the items on a desktop machine. But NOT on a laptop machine.

The following code works on both machines:

```ruby
keyfile = "/home/#{user}/chef/.chef/data_bag_secret.b64"
encrypted_path = "/home/#{user}/chef/data_bags/users/#{user}.json"
secret = ::Chef::EncryptedDataBagItem.load_secret(keyfile)
encrypted_data = ::JSON.parse(File.read(encrypted_path))
item = ::Chef::EncryptedDataBagItem.new(encrypted_data, secret).to_hash
puts ::JSON.generate(item)
```

Chef Version

14.13.11

Platform Version

Ubuntu 18.04 on both machines.

Replication Case

Gemfile.lock and Berksfile.lock attached

```ruby
#
# Cookbook Name:: desktop
# Recipe::        default
#
# Copyright 2019, TAQTIQA LLC
#
# All rights reserved - Do Not Redistribute
#

# Load the keys of the items in the 'users' data bag
users    = data_bag('users')
desktops = data_bag('desktops')

# mkpasswd --method=sha-512 --salt=<....>

chef_gem 'chef-vault' do
  compile_time true if respond_to?(:compile_time)
end

require 'chef-vault'

users.each do |user|
  case ChefVault::Item.data_bag_item_type('users', user)
  when :normal
    item = Chef::DataBagItem.load('users', user)
  when :encrypted
    # This works on the desktop. BUT NOT the laptop....
    #
    item = data_bag_item('users', user, IO.read("/home/#{user}/chef/.chef/data_bag_secret.b64"))

    #
    # WTF: This works on both laptop and desktop....
    #
    # keyfile = "/home/#{user}/chef/.chef/data_bag_secret.b64"
    # encrypted_path = "/home/#{user}/chef/data_bags/users/#{user}.json"
    # secret = ::Chef::EncryptedDataBagItem.load_secret(keyfile)
    # encrypted_data = ::JSON.parse(File.read(encrypted_path))
    # item = ::Chef::EncryptedDataBagItem.new(encrypted_data, secret).to_hash
    # puts ::JSON.generate(item)
  when :vault
    item = ChefVault::Item.load('users', user)
  end

  log(item.inspect)
end
```

Client Output

Please contact me directly for log files, per below.

Desktop

Decrypted items from:

```shell
bundle exec knife zero bootstrap localhost --overwrite --sudo -VVV 2>&1 |tee /tmp/desktop.log
```

Laptop

Encrypted items from:

```shell
bundle exec knife zero bootstrap localhost --overwrite --sudo -VVV 2>&1 |tee /tmp/laptop.log
```

Stacktrace

Please contact me directly for log files with en/decrypted data removed.

lock.zip
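An added example, not code from the issue or from Chef itself. It reproduces, with Ruby's OpenSSL and no Chef dependency, the shape of a version-1 encrypted data bag field (AES-256-CBC, key derived as SHA-256 of the shared secret, JSON-wrapped plaintext, base64 ciphertext and IV) so the two ways of reading the secret in the report can be compared side by side. `Chef::EncryptedDataBagItem.load_secret` strips surrounding whitespace from the key file, whereas a bare `IO.read` keeps any trailing newline, and the cipher key is a hash of the whole string; whether that is what differs between the two machines is an assumption here, the issue does not establish the cause. `key_fingerprint` is a hypothetical helper for checking that two machines derive the same key without printing the secret; the secret value and item contents are constructed.

```ruby
require "openssl"
require "json"
require "tempfile"

CIPHER = "aes-256-cbc"

# Read a shared secret the way Chef::EncryptedDataBagItem.load_secret does:
# file contents with surrounding whitespace removed, rejected if empty.
# A bare IO.read/File.read keeps the trailing newline most editors append.
def load_secret(path)
  secret = File.read(path).strip
  raise ArgumentError, "zero-length secret in #{path}" if secret.empty?
  secret
end

# Key actually handed to the cipher: SHA-256 of the secret string, so any
# stray byte in the secret (a newline, a BOM) yields an unrelated key.
def derive_key(secret)
  OpenSSL::Digest.digest("SHA256", secret)
end

# Short hex fingerprint of the derived key (hypothetical helper, not Chef's).
# Comparing this value between two machines shows whether they decrypt with
# the same key without exposing the secret itself.
def key_fingerprint(secret)
  OpenSSL::Digest.hexdigest("SHA256", derive_key(secret))[0, 16]
end

# Encrypt one data bag value in the shape of a version-1 encrypted field:
# JSON-wrapped plaintext, random IV, strict base64 for ciphertext and IV.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  iv = cipher.random_iv
  cipher.key = derive_key(secret)
  plaintext = JSON.generate("json_wrapper" => value)
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    "encrypted_data" => [ciphertext].pack("m0"),
    "iv" => [iv].pack("m0"),
    "version" => 1,
    "cipher" => CIPHER,
  }
end

# Decrypt a field produced by encrypt_value. Returns nil rather than raising
# when the key is wrong: a wrong AES key almost always fails the padding
# check, and in the rare case it does not, the output is not the JSON wrapper.
def decrypt_value(field, secret)
  cipher = OpenSSL::Cipher.new(field.fetch("cipher"))
  cipher.decrypt
  cipher.iv = field.fetch("iv").unpack1("m0")
  cipher.key = derive_key(secret)
  plaintext = cipher.update(field.fetch("encrypted_data").unpack1("m0")) + cipher.final
  parsed = JSON.parse(plaintext)
  parsed.is_a?(Hash) ? parsed["json_wrapper"] : nil
rescue OpenSSL::Cipher::CipherError, JSON::ParserError, EncodingError
  nil
end

# Write a constructed secret file WITH a trailing newline (as an editor would
# leave it), encrypt an item with the stripped secret, then decrypt it with
# both ways of reading the file and fingerprint the key each way derives.
def demo
  Tempfile.create("data_bag_secret") do |f|
    f.write("constructed-example-secret-not-for-real-use\n")
    f.flush
    item = encrypt_value({ "password" => "$6$constructed$hash" }, load_secret(f.path))
    {
      stripped: decrypt_value(item, load_secret(f.path)),
      raw: decrypt_value(item, File.read(f.path)),
      fingerprints: [key_fingerprint(load_secret(f.path)), key_fingerprint(File.read(f.path))],
    }
  end
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(demo)
end
```

Running the file prints the decrypted item under `stripped`, `null` under `raw`, and two different fingerprints. Comparing `key_fingerprint` of the secret as each machine actually loads it is a quick way to tell whether the two hosts are using the same key before digging into client logs.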
