Version3: added RequirementsFailure exception

zuazo · Aug 11, 2014 · ac097a5 · ac097a5
1 parent 91d3997
commit ac097a5
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 0 deletions.
diff --git a/lib/chef/encrypted_attribute/assertions.rb b/lib/chef/encrypted_attribute/assertions.rb
@@ -0,0 +1,36 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_attribute/exceptions'
+
+class Chef
+  class EncryptedAttribute
+    module Assertions
+
+      def assert_aead_requirements_met!(algorithm)
+        unless OpenSSL::Cipher.method_defined?(:auth_data=)
+          raise RequirementsFailure, 'The used Encrypted Attributes protocol version requires Ruby >= 1.9'
+        end
+        unless OpenSSL::Cipher.ciphers.include?(algorithm)
+          raise RequirementsFailure, "The used Encrypted Attributes protocol version requires an OpenSSL version with \"#{algorithm}\" algorithm support"
+        end
+      end
+
+    end
+  end
+end
diff --git a/lib/chef/encrypted_attribute/encrypted_mash/version2.rb b/lib/chef/encrypted_attribute/encrypted_mash/version2.rb
@@ -18,15 +18,23 @@
 
 require 'chef/encrypted_attribute/encrypted_mash/version0'
 require 'chef/encrypted_attribute/encrypted_mash/version1'
+require 'chef/encrypted_attribute/assertions'
 require 'chef/encrypted_attribute/exceptions'
 
 # Version1 format: using RSA with a shared secret and message authentication (HMAC)
 class Chef
   class EncryptedAttribute
     class EncryptedMash
       class Version2 < Chef::EncryptedAttribute::EncryptedMash::Version1
+        include Chef::EncryptedAttribute::Assertions
+
         ALGORITHM = 'aes-256-gcm'
 
+        def initialize(enc_hs=nil)
+          assert_aead_requirements_met!(ALGORITHM)
+          super
+        end
+
         def encrypt(value, public_keys)
           value_json = json_encode(value)
           public_keys = parse_public_keys(public_keys)

diff --git a/lib/chef/encrypted_attribute/exceptions.rb b/lib/chef/encrypted_attribute/exceptions.rb
@@ -19,6 +19,7 @@
 class Chef
   class EncryptedAttribute
 
+    class RequirementsFailure < StandardError; end
     class UnsupportedEncryptedAttributeFormat < StandardError; end
     class UnacceptableEncryptedAttributeFormat < StandardError; end
     class DecryptionFailure < StandardError; end

diff --git a/spec/unit/encrypted_attribute/encrypted_mash/version2.rb b/spec/unit/encrypted_attribute/encrypted_mash/version2.rb
@@ -42,6 +42,16 @@
       expect(o[@EncryptedMash::JSON_CLASS]).to eql(@EncryptedMashVersion2.to_s)
     end
 
+    it 'should thrown an error if ruby does not support GCM' do
+      OpenSSL::Cipher.should_receive(:method_defined?).with(:auth_data=).and_return(false)
+      expect { @EncryptedMashVersion2.new }.to raise_error(Chef::EncryptedAttribute::RequirementsFailure, /requires Ruby/)
+    end
+
+    it 'should thrown an error if OpenSSL does not support GCM' do
+      OpenSSL::Cipher.should_receive(:ciphers).and_return([])
+      expect { @EncryptedMashVersion2.new }.to raise_error(Chef::EncryptedAttribute::RequirementsFailure, /requires an OpenSSL/)
+    end
+
   end # context #new
 
   context '#encrypt and #can_be_decrypted_by?' do