Add chef-vault implementation #minor

crypto.go

@@ -0,0 +1,83 @@
+package chef
+
+// https://github.com/golang/go/issues/23514
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+	"io"
+)
+
+// NewCrypter en/decrypts data parsing using aes
+func newCrypter(key []byte) (cipher.AEAD, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	return cipher.NewGCM(block)
+}
+
+func iv() ([]byte, error) {
+	nonce := make([]byte, 12)
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	return nonce[:], nil
+}
+
+func generateSecret() *[]byte {
+	secret := make([]byte, 32)
+	rand.Read(secret)
+	return &secret
+}
+
+// EncryptValue data
+func EncryptValue(key, iv, plaintext []byte) (tag []byte, ciphertext []byte, encryptError error) {
+	cipher, err := newCrypter(key)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// https://sourcegraph.com/github.com/golang/go@52cc9e3762171bd45368b3280554bf12a63f23b2/-/blob/src/crypto/aes/aes_gcm.go#L120-131
+	out := cipher.Seal(make([]byte, 0), iv, plaintext, nil)
+
+	return out[len(out)-cipher.Overhead():], out[:len(out)-cipher.Overhead()], nil
+}
+
+// DecryptValue data
+func DecryptValue(key, iv, tag, ciphertext []byte) ([]byte, error) {
+	// https://sourcegraph.com/github.com/golang/go@52cc9e3762171bd45368b3280554bf12a63f23b2/-/blob/src/crypto/aes/aes_gcm.go#L155
+	cipher, err := newCrypter(key)
+	if err != nil {
+		return nil, err
+	}
+	macData := append(ciphertext, tag...)
+
+	return cipher.Open(nil, iv, macData, nil)
+}
+
+// EncodeSharedSecret encrypts secret with the the specified and key returns a base64 encoded string
+func EncodeSharedSecret(key *rsa.PrivateKey, secret []byte) (string, error) {
+	encryptedSecret, err := rsa.EncryptPKCS1v15(rand.Reader, &key.PublicKey, secret)
+	if err != nil {
+		return "", err
+	}
+
+	return base64.StdEncoding.EncodeToString(encryptedSecret), nil
+}
+
+// DecodeSharedSecret returns the plaintext shared secret encrypted by the key
+func DecodeSharedSecret(key *rsa.PrivateKey, encodedSecret string) ([]byte, error) {
+	// Decode encrypted shared secret
+	encryptedSecret, err := base64.StdEncoding.DecodeString(encodedSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	// Decrypt shared secret
+	return rsa.DecryptPKCS1v15(rand.Reader, key, encryptedSecret)
+}

crypto_test.go

@@ -0,0 +1,81 @@
+package chef
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"testing"
+)
+
+var aesDecryptionTests = []struct {
+	cipher   string
+	data     string
+	key      string
+	iv       string
+	tag      string
+	expected string
+}{
+	{
+		"aes-256-gcm",
+		"tg3UG+t43RfVf2hRaPEqU5Vwllu8Uw==\n",
+		"3f5eccf62026458b8038a06daecff4a69640ce3c5e4585aace7243d5a7f01b62",
+		"MQ2DVUphtxAwdTfo",
+		"nsH3unmSGw9hcOG3KpYXpQ==\n",
+		`{"json_wrapper":"bar"}`,
+	},
+}
+
+func TestDecrypt(t *testing.T) {
+	for _, dt := range aesDecryptionTests {
+		// auth_tag = Base64.decode64(tag)
+		authTag, _ := base64.StdEncoding.DecodeString(dt.tag)
+		// data = Base64.decode64(data)
+		data, _ := base64.StdEncoding.DecodeString(dt.data)
+		// iv = Base64.decode64(iv)
+		iv, _ := base64.StdEncoding.DecodeString(dt.iv)
+
+		// key = [key].pack('H*')
+		key, _ := hex.DecodeString(dt.key)
+		// key = OpenSSL::Digest::SHA256.digest(key)
+		cryptKey := sha256.Sum256([]byte(key))
+
+		plaintext, err := DecryptValue(cryptKey[:], iv, authTag, data)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if string(plaintext) != dt.expected {
+			t.Fatalf("Expected: %s, Actual: %s\n", dt.expected, plaintext)
+		}
+	}
+}
+
+func TestEncrypt(t *testing.T) {
+	for _, dt := range aesDecryptionTests {
+		// auth_tag = Base64.decode64(tag)
+		authTag, _ := base64.StdEncoding.DecodeString(dt.tag)
+		// data = Base64.decode64(data)
+		data, _ := base64.StdEncoding.DecodeString(dt.data)
+		// iv = Base64.decode64(iv)
+		iv, _ := base64.StdEncoding.DecodeString(dt.iv)
+
+		// key = [key].pack('H*')
+		key, _ := hex.DecodeString(dt.key)
+		// key = OpenSSL::Digest::SHA256.digest(key)
+		cryptKey := sha256.Sum256([]byte(key))
+
+		tag, ciphertext, err := EncryptValue(cryptKey[:], iv, []byte(dt.expected))
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if !bytes.Equal(ciphertext, data) {
+			t.Fatalf("ciphertext: [expected: %q, actual: %q]\n", hex.EncodeToString(data), hex.EncodeToString(ciphertext))
+		}
+
+		if !bytes.Equal(tag, authTag) {
+			t.Fatalf("tag: [expected: %q, actual: %q]\n", hex.EncodeToString(authTag), hex.EncodeToString(tag))
+		}
+	}
+}

http.go

@@ -58,6 +58,7 @@ type Client struct {
 	Status           *StatusService
 	Universe         *UniverseService
 	Users            *UserService
+	Vaults           *VaultService
 }
 
 // Config contains the configuration options for a chef client. This structure is used primarily in the NewClient() constructor in order to setup a proper client object
@@ -176,6 +177,7 @@ func NewClient(cfg *Config) (*Client, error) {
 	c.Status = &StatusService{client: c}
 	c.Universe = &UniverseService{client: c}
 	c.Users = &UserService{client: c}
+	c.Vaults = &VaultService{client: c}
 	return c, nil
 }
 

http_test.go

@@ -7,8 +7,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	. "github.com/ctdk/goiardi/chefcrypto"
-	. "github.com/smartystreets/goconvey/convey"
 	"io"
 	"math/big"
 	"net/http"
@@ -18,6 +16,9 @@ import (
 	"strings"
 	"testing"
 	"time"
+
+	. "github.com/ctdk/goiardi/chefcrypto"
+	. "github.com/smartystreets/goconvey/convey"
 )
 
 var (
@@ -562,7 +563,7 @@ func TestDo_badjson(t *testing.T) {
 	defer teardown()
 
 	mux.HandleFunc("/hashrocket", func(w http.ResponseWriter, r *http.Request) {
-		fmt.Fprintf(w, " pigthrusters => 100%% ")
+		fmt.Fprint(w, " pigthrusters => 100% ")
 	})
 
 	stupidData := struct{}{}

node_test.go

@@ -107,7 +107,7 @@ func TestNodesService_Methods(t *testing.T) {
 	// test Put
 	putRes, err := client.Nodes.Put(node)
 	if err != nil {
-		t.Errorf("Nodes.Put returned error %+v", err)
+		t.Errorf("Nodes.Put returned error: %v", err)
 	}
 
 	if !reflect.DeepEqual(putRes, node) {
@@ -117,6 +117,6 @@ func TestNodesService_Methods(t *testing.T) {
 	// test Delete
 	err = client.Nodes.Delete(node.Name)
 	if err != nil {
-		t.Errorf("Nodes.Delete returned error %+v", err)
+		t.Errorf("Nodes.Delete returned error: %v", err)
 	}
 }

principal_test.go

@@ -21,17 +21,17 @@ func TestPrincipalsGet(t *testing.T) {
 
 	p, err := client.Principals.Get("client_node")
 	if err != nil {
-		t.Errorf("GET principal error %+v making request: ", err)
+		t.Errorf("GET principal error making request: %v", err)
 		return
 	}
 
 	if p.Name != "client_node" {
-		t.Errorf("Unexpected principal name: %+v", p.Name)
+		t.Errorf("Unexpected principal name: %v", p.Name)
 	}
 	if p.Type != "client" {
-		t.Errorf("Unexpected principal type: %+v", p.Type)
+		t.Errorf("Unexpected principal type: %v", p.Type)
 	}
 	if p.PublicKey != "-----BEGIN PUBLIC KEY-----No, not really-----END PUBLIC KEY-----" {
-		t.Errorf("Unexpected principal public key: %+v", p.PublicKey)
+		t.Errorf("Unexpected principal public key: %v", p.PublicKey)
 	}
 }

sandbox_test.go

@@ -4,10 +4,11 @@ import (
 	"crypto/md5"
 	"crypto/rand"
 	"fmt"
-	. "github.com/smartystreets/goconvey/convey"
 	"net/http"
 	_ "reflect"
 	"testing"
+
+	. "github.com/smartystreets/goconvey/convey"
 )
 
 // generate random data for sandbox
@@ -51,7 +52,7 @@ func TestSandboxesPost(t *testing.T) {
 	// post the new sums/files to the sandbox
 	_, err := client.Sandboxes.Post(sums)
 	if err != nil {
-		t.Errorf("Sandbox Post error making request: %+v", err)
+		t.Errorf("Sandbox Post error making request: %v", err)
 	}
 }
 
@@ -76,7 +77,7 @@ func TestSandboxesPut(t *testing.T) {
 
 	sandbox, err := client.Sandboxes.Put("f1c560ccb472448e9cfb31ff98134247")
 	if err != nil {
-		t.Errorf("Sandbox Put error making request: %+v", err)
+		t.Errorf("Sandbox Put error making request: %v", err)
 	}
 
 	expected := Sandbox{

search_test.go

@@ -31,7 +31,6 @@ func TestSearch_Get(t *testing.T) {
 		"users":  "http://localhost:4000/search/users",
 	}
 	if !reflect.DeepEqual(indexes, wantedIdx) {
-		t.Errorf("Search.Get returned %+v, want %+v", indexes, wantedIdx)
 	}
 }
 
@@ -78,12 +77,12 @@ func TestSearch_ExecDo(t *testing.T) {
 	// for now we aren't testing the result..
 	_, err = query.Do(client)
 	if err != nil {
-		t.Errorf("Search.Exec failed err: %+v", err)
+		t.Errorf("Search.Exec failed: %v", err)
 	}
 
 	_, err = client.Search.Exec("nodes", "name:latte")
 	if err != nil {
-		t.Errorf("Search.Exec failed err: %+v", err)
+		t.Errorf("Search.Exec failed: %v", err)
 	}
 
 }