Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow encrypting a previously unencrypted data bag #8077

Conversation

vijaymmali1990
Copy link

@vijaymmali1990 vijaymmali1990 commented Dec 21, 2018

Description

After creating an unencrypted data bag, and trying to edit/encrypt, It was raising exception as shown below.
There was a minor miss while editing. If data is not encrypted, we should be returning data only instead of returning the entire item.

// Creating an unencrypted Data Bag
> knife data bag create test box 
Data bag test already exists
Created data_bag_item[box]

// Edit and add encryption
> knife data bag edit test box  --secret 'ab'
Encrypting data bag using provided secret.
Saved data_bag_item[box]

// Raises Exception:
> knife data bag show test box 
ERROR: Chef::Exceptions::ValidationFailed: Property data_bag's value {"encrypted_data"=>"zuDd2Da3eyZiuPehburpE3DD+oJt2TA=\n", "iv"=>"jPNhkdghdNd+IsEP\n", "auth_tag"=>"V772V241NSkUwy+102R6Dg==\n", "version"=>3, "cipher"=>"aes-256-gcm"} does not match regular expression /^[\-[:alnum:]_]+$/

Issues Resolved

Fixes #8282

Check List

@vijaymmali1990 vijaymmali1990 requested a review from a team December 21, 2018 07:08
@vijaymmali1990 vijaymmali1990 force-pushed the Vijay/MSYS-932_Fix_for_unable_to_access_databag_after_update_to_encrypt_data branch from 296c5c3 to d7aacf9 Compare December 21, 2018 07:11
@tas50 tas50 added Type: Bug Does not work as expected. Aspect: UX labels Jan 7, 2019
@Vasu1105
Copy link
Collaborator

@tas50 and @btm This LGTM. Please review it from your side.

@Vasu1105 Vasu1105 requested review from btm and tas50 January 14, 2019 06:13
@tas50 tas50 removed the Aspect: UX label Jan 28, 2019
@vijaymmali1990 vijaymmali1990 force-pushed the Vijay/MSYS-932_Fix_for_unable_to_access_databag_after_update_to_encrypt_data branch from d7aacf9 to 5f07d30 Compare March 7, 2019 11:51
@vijaymmali1990 vijaymmali1990 changed the title MSYS-932 Fix for unable to access data bag after updating to encrypt data Allow encryption to an unencrypted data bag Mar 7, 2019
@vijaymmali1990 vijaymmali1990 force-pushed the Vijay/MSYS-932_Fix_for_unable_to_access_databag_after_update_to_encrypt_data branch from 5f07d30 to 436b4b7 Compare March 7, 2019 12:35
Copy link
Contributor

@btm btm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lamont-granquist review?

It "smells" a little that it's such a simple fix, but this looks fine. I dug around and I can't find a clear direct regression, but you commented on #4815 that there may have been changes to the data bag hash that caused this.

I do wonder if we could craft up a test in spec/integration/knife/data_bag_show_spec.rb for this condition.

@btm
Copy link
Contributor

btm commented Mar 7, 2019

We had a little further discussion at code review and we could add a missing set of tests to spec/integration/knife/data_bag_edit_spec.rb (the file doesn't exist yet) that fake an editor by modifying JSON directly. We should do that.

@lamont-granquist
Copy link
Contributor

yeah if we had functional tests this would probably break those for the other use case.

and the correct patch should look like a patch to the object model itself, not to knife. so Chef::DataBagItem would need to probably have def self.from_hash modified to be able to accept either format.

but then that also needs to get done for data bags, roles, and environments at a minimum.

and there needs to be some attention made to DRY'ing up this code.

@lamont-granquist
Copy link
Contributor

ah, i think i see now.

i think this fixes #8282 which i just cut, and i deleted all the comments in #4815 which had nothing to do with the original issue. my prior comment only makes sense in the context of where i thought this was addressing what is now #4815.

so, yes, this might fix #8282

could really use some func or integration tests though.

@vijaymmali1990 vijaymmali1990 mentioned this pull request Mar 14, 2019
4 tasks
@vijaymmali1990 vijaymmali1990 changed the title Allow encryption to an unencrypted data bag [WIP] Allow encryption to an unencrypted data bag Mar 19, 2019
@vijaymmali1990 vijaymmali1990 changed the title [WIP] Allow encryption to an unencrypted data bag Allow encryption to an unencrypted data bag Mar 27, 2019
@vijaymmali1990 vijaymmali1990 force-pushed the Vijay/MSYS-932_Fix_for_unable_to_access_databag_after_update_to_encrypt_data branch from 2e71955 to b8b4454 Compare April 17, 2019 09:09
vijaymmali1990 added 2 commits April 17, 2019 14:46
- Added specs for data_bag_create_specs
- Added specs for data_bag_edit_specs
- Added specs for data_bag_show_specs
- Ensured chefstyle

Signed-off-by: vijaymmali1990 <[email protected]>
@vijaymmali1990 vijaymmali1990 force-pushed the Vijay/MSYS-932_Fix_for_unable_to_access_databag_after_update_to_encrypt_data branch from b8b4454 to 2113866 Compare April 17, 2019 09:20
@btm
Copy link
Contributor

btm commented Apr 17, 2019

This has functional tests now. Should be good to go.

@tas50 tas50 changed the title Allow encryption to an unencrypted data bag Allow encrypting a previously unencrypted data bag Apr 17, 2019
@tas50 tas50 merged commit 59c5de1 into chef:master Apr 17, 2019
@btm btm mentioned this pull request Apr 17, 2019
tas50 added a commit that referenced this pull request Apr 17, 2019
@lock
Copy link

lock bot commented May 1, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators May 1, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Type: Bug Does not work as expected.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

knife data bag edit <bag> <item> --encrypt will corrupt unencrypted data bags
5 participants