Add chef-vault implementation #minor

[lanej]

Currently only supports version 3 of the encryption/decryption scheme: See https://github.com/chef/chef/blob/7c9178e5dd4ec7b5a75993c148b087bac6e5b53d/lib/chef/encrypted_data_bag_item/encryptor.rb#L162-L222

• Encrypt data and update a data bag
• Decrypt data with the provided client key
• Add client
• Add admin

Fairly minimal and the testing is weak but I thought I'd share before progressing further.

---

This change is 

[lanej]

It would be great to replace these shell commands : https://github.com/hashicorp/terraform/blob/c0793c84fdbea8c4f3f7597cad57bcca38b21ebf/builtin/provisioners/chef/resource_provisioner.go#L569-L617

[MarkGibbons]

Looks nice. It's taking me while to get up to speed on the code base. I'll try to get this evaluated over the next month.

[lanej]

@MarkGibbons great! LMK what you think and I'll fix the conflicts.

[MarkGibbons]

1. I don't see an already written way to list the available vault items.
   ok - fixed
2. May want to create a databag if it doesn't already exist when creating data bag items. Nothing hard about creating a data bag.
   ok -fixed.

[MarkGibbons]

Nice code, I'm writing examples and testing against a chef server. See https://github.com/go-chef/chef/tree/vault if you want to see. I merged your branch into my vault branch and will merge it once testing and maybe a couple other feature get added.

[MarkGibbons]

Note to self. Figure out if the deleted error message is needed.

[MarkGibbons]

ok

[MarkGibbons]

Version 3 of what? Comment needs to be clearer.

V3 of the encrypted data bag support from chef. PR comments have a nice link.

[MarkGibbons]

Update comments in my version.

[MarkGibbons]

OK

[MarkGibbons]

Trying to understand why vault service is part of the vault item structure.

[MarkGibbons]

Pass the client connection to Item processing. Need to be clear that get is required before decrypt or update.

[MarkGibbons]

ok

[MarkGibbons]

Looks like Create Item creates an empty vault and then Update adds the content. Note to self, verify this and add doc to make it clear.

[MarkGibbons]

Also need to create the data bag before creating the vault items.
OK

[MarkGibbons]

Is this function a total replacement of the contents of the vault item? Figure it out and doc. Any local data concept (knife -m solo concept) or does it always hit the server (knife -m client)

[MarkGibbons]

Not sure what mode does. Looks like the code is always aimed at the server.

[MarkGibbons]

How are the admins, client, search_query set and used? Figure that out, create code examples.

[MarkGibbons]

I think adding user to an item needs to be clearer.
Also may need to handle bad users (old keys).

[MarkGibbons]

I don't believe this code finds chef vault data bags. The vaults don't have the _keys name, the items within the vaults have those names.

[MarkGibbons]

We need to reencrypt the shared secret for the users in admins and clients as is we can't specify admins or clients which makes the feature hard to use. The search feature is also not implemented. I'm looking at adding admins and clients.

[lanej]

I rebased master but it seems that your other branch is pretty far along. This code base has come long way since I opened this PR. Let me know if I can help with anything.

[MarkGibbons]

I'm noodling at adding users, clients and getting the search function to work. In this line

userEncodedSecret, err := EncodeSharedSecret(vs.client.Auth.PrivateKey, sharedSecret) 

in the CreateItem method. I think that is supposed to be a PublicKey. The encode and decode methods in crypt both use the PrivateKey. Both of those things and adding code to deal with multiple users and nodes need to be there IMO. If you have time, cool. Otherwise I'll likely get it. Might take me a while. You can see my branch, local vault branch, to see what I've done already. I've been adding tests against a chef server that gets spun up.

thanks,
Mark

[bhoriuchi]

not sure if this is still an active effort but noticed only v3 supported. i did some similar work on https://github.com/bhoriuchi/go-chef-crypto and have v1 and v2 if interested in adding to this. also one issue i ran into to note is that the ruby base64 package adds new lines every 60 chars when you use knife so https://github.com/bhoriuchi/go-chef-crypto/blob/master/crypto.go#L211-L216 is used to replicate that.

[MarkGibbons]

I'll look at this one again over the next month. The last time I looked at this I went down some really nasty rabbit holes.

[dhubler]

I'm just looking to support encryption/decryption (not vault nec.)
https://docs.chef.io/data_bags/#encrypt
I see @bhoriuchi library and from my perspective, if that was integrated into "go-chef" then I'd have what I need. If that is not possible, would there be a way to provide a "hook" into the current go-chef library for users to combine two libs on their own?

[MarkGibbons]

Adding support for chef vault to this api may be too much effort for too little return.
@dhubler & @bhoriuchi adding better encryption support is something that makes sense. Could the code to do that be turned in to a pull request?

[dhubler]

I don't see why not. Haven't started, but initial thought would be to add go-chef-encrypt as dependency and submit PR with it integrated into go-chef API. If this sounds ok to you, I'll open a separate issue and post PR there.

…

On Thu, Sep 8, 2022 at 9:27 PM Mark Gibbons ***@***.***> wrote: Adding support for chef vault to this api may be too much effort for too little return. @dhubler <https://github.com/dhubler> & @bhoriuchi <https://github.com/bhoriuchi> adding better encryption support is something that makes sense. Could the code to do that be turned in to a pull request? — Reply to this email directly, view it on GitHub <#101 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAACA7T4ODCX6ECNPRCSXULV5KHALANCNFSM4FONAKCA> . You are receiving this because you were mentioned.Message ID: ***@***.***>