Chef-zero search on encrypted data bag items


Hi,

I’m looking at updating our ancient setup from Chef solo to use local-mode, but I can’t get search on encrypted data bags working correctly. I’m using chef client version 12.8.1.

Running from /root/simpler, I have a client.rb:

log_level :debug
cookbook_path "/root/simpler/cookbooks"
data_bag_path "/root/simpler/data_bags"
encrypted_data_bag_secret "/root/simpler/encrypted_data_bag_secret"
chef_zero.enabled true
local_mode true

With two data bag items under data_bags/users; data_bags/users/test1.json:

{
  "id":"test1",
  "groups":["deploy"]
}

and data_bags/users/test2.json:

{
  "id":"test2",
  "groups":{
    "encrypted_data":"deRFkyyBt4g5eMt37S9qt5ITVqg13mcqe1Dc1zP00Q0=\n",
    "iv":"rTL899qpXKHu4kmF1E1qvQ==\n",
    "version":1,
    "cipher":"aes-256-cbc"
  }
}

# knife data bag show users test2 --secret-file encrypted_data_bag_secret -z
WARNING: No knife configuration file found
Encrypted data bag detected, decrypting with provided secret.
groups: deploy
id:     test2

I’m running chef-client with

# chef-client --config client.rb -o users --log_level=debug

Where the users cookbook is just cookbooks/users/recipes/default.rb:

query = "groups:deploy"
# query = "groups:*encrypted*"
users = search(:users, query)
ids = users.map{ |u| u["id"] }
log("found ids") do
  message "#{ids.inspect}"
  level :warn
end

When I use the “groups:deploy” query, only the unencrypted item is found:

[2016-03-24T16:31:34+00:00] DEBUG: #<ChefZero::RestRequest:0x000000047c9bc0 @env={"SCRIPT_NAME"=>"", "SERVER_NAME"=>"localhost", "REQUEST_METHOD"=>"GET", "PATH_INFO"=>"/search/users", "QUERY_STRING"=>"q=groups:deploy&sort=X_CHEF_id_CHEF_X%20asc&start=0", "SERVER_PORT"=>8889, "HTTP_HOST"=>"localhost:8889", "rack.url_scheme"=>"chefzero", "rack.input"=>#<StringIO:0x000000047c9cb0>}, @rest_base_prefix=["organizations", "chef"]>
[2016-03-24T16:31:34+00:00] DEBUG:
[2016-03-24T16:31:34+00:00] DEBUG:
--- RESPONSE (200) ---
{
  "rows": [
    {
      "raw_data": {
        "id": "test1",
        "groups": [
          "deploy"
        ]
      },
      "chef_type": "data_bag_item",
      "json_class": "Chef::DataBagItem",
      "data_bag": "users",
      "name": "data_bag_item_users_test1"
    }
  ],
  "start": 0,
  "total": 1
}

--- END RESPONSE ---

I expected it to return matches for both data bags.

If I switch the query to use “groups:*encrypted*”, the encrypted item is found:

[2016-03-24T16:36:25+00:00] DEBUG: #<ChefZero::RestRequest:0x00000004b43468 @env={"SCRIPT_NAME"=>"", "SERVER_NAME"=>"localhost", "REQUEST_METHOD"=>"GET", "PATH_INFO"=>"/search/users", "QUERY_STRING"=>"q=groups:*encrypted*&sort=X_CHEF_id_CHEF_X%20asc&start=0", "SERVER_PORT"=>8889, "HTTP_HOST"=>"localhost:8889", "rack.url_scheme"=>"chefzero", "rack.input"=>#<StringIO:0x00000004b43530>}, @rest_base_prefix=["organizations", "chef"]>
[2016-03-24T16:36:25+00:00] DEBUG:
[2016-03-24T16:36:25+00:00] DEBUG:
--- RESPONSE (200) ---
{
  "rows": [
    {
      "raw_data": {
        "id": "test2",
        "groups": {
          "encrypted_data": "deRFkyyBt4g5eMt37S9qt5ITVqg13mcqe1Dc1zP00Q0=\n",
          "iv": "rTL899qpXKHu4kmF1E1qvQ==\n",
          "version": 1,
          "cipher": "aes-256-cbc"
        }
      },
      "chef_type": "data_bag_item",
      "json_class": "Chef::DataBagItem",
      "data_bag": "users",
      "name": "data_bag_item_users_test2"
    }
  ],
  "start": 0,
  "total": 1
}

--- END RESPONSE ---

The wildcard query seems to return the encrypted item for other strings matching the data within the “groups” key, e.g. “*aes*” and “*derf*” both match.

The doc on the client.rb encrypted_data_bag_secret setting says that it should be “The subdirectory in which encrypted data bag secrets are located.”, but changing client.rb to point to the directory rather than the file makes no difference to my results.

I’m sure I’m probably missing something obvious, but I can’t work it out.

Cheers,

Jon
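The behaviour described in the post (`groups:deploy` misses test2 while `*aes*` and `*derf*` hit it) follows from what chef-zero indexes: the stored item is the ciphertext envelope, never the plaintext. The following is an added example, not the poster's code or Chef's own implementation; it models a version-1 encrypted data bag field with OpenSSL (AES-256-CBC, key = SHA-256 of the secret, Base64 body, value wrapped as `{"json_wrapper": value}`), a toy substring index standing in for chef-zero's search, and the decrypt-then-filter step a recipe needs to match on the decrypted value. The secret and items are constructed for the demo.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'digest'

# Encrypt one value the way a version-1 encrypted data bag field is stored.
def encrypt_value(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  body = cipher.update({ 'json_wrapper' => value }.to_json) + cipher.final
  { 'encrypted_data' => Base64.encode64(body), 'iv' => Base64.encode64(iv),
    'version' => 1, 'cipher' => 'aes-256-cbc' }
end

# Reverse of the above: what must happen before a recipe can match on plaintext.
def decrypt_value(field, secret)
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plain = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
end

# Toy stand-in for the server-side index: the field is matched as the text that
# is stored on disk, so for an encrypted field only the envelope (base64 body,
# iv, "aes-256-cbc") is searchable, never the decrypted value.
def raw_search(items, key, term)
  items.select { |item| JSON.generate(item[key]).include?(term) }
end

# Workaround shape: fetch candidates, decrypt each with the shared secret, and
# filter on the decrypted value client-side.
def search_decrypted(items, key, term, secret)
  items.select do |item|
    field = item[key]
    encrypted = field.is_a?(Hash) && field.key?('encrypted_data')
    value = encrypted ? decrypt_value(field, secret) : field
    Array(value).include?(term)
  end
end

SECRET = 'constructed-example-secret' # constructed for this demo
ITEMS = [ # constructed to mirror the post's test1 (plain) and test2 (encrypted)
  { 'id' => 'test1', 'groups' => ['deploy'] },
  { 'id' => 'test2', 'groups' => encrypt_value(['deploy'], SECRET) }
]
```

`raw_search(ITEMS, 'groups', 'deploy')` returns only test1 and `raw_search(ITEMS, 'groups', 'aes')` only test2, reproducing the post's results; `search_decrypted` finds both.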