[chef] Re: Is it possible to perform compound searches of encrypted data bags?

[Daniel DeLeo < >]

On Friday, November 8, 2013 at 1:44 PM, Clif Smith wrote:

I support numerous applications and am wanting to store the credentials to those apps in data bags and then search for them within cookbooks using the application and environment so I can reuse the recipe. For example, for app1 in the production environment I’d have the following data bag item in the users data bag:

... 

While I’m able to search for it without decrypting:

chef > app_creds = search(:users, "app1:* AND production:*")

=> [data_bag_item["users", "app1up", {"id"=>"app1up", "app1"=>{"encrypted_data"=>"OhQVqYCC+4wFXXyy1HL7dHqJUtdQGpl3TLJWgC2FWCg=\n", "iv"=>"3WZrbIjQNRkuW3wr7yjfuA==\n", "version"=>1, "cipher"=>"aes-256-cbc"}, "production"=>{"encrypted_data"=>"r2tqUuPP6wFtX44tOwkURhRHuKP5vggUvgPXJrO42uQ=\n", "iv"=>"FyA0plsx6+5EowuNdkiMZw==\n", "version"=>1, "cipher"=>"aes-256-cbc"}, "password"=>{"encrypted_data"=>"6OZzWcDCdVAUSGhcdZhM8Gzd/OuvoweiMzeeGyHEczI=\n", "iv"=>"pkX1LAVWNeukHbEmzzNTpw==\n", "version"=>1, "cipher"=>"aes-256-cbc"}}]]

I’m unable to search and decrypt it:

chef > app_creds = Chef::EncryptedDataBagItem.load(:users, "app1:* AND production:*")

You can’t just stick search syntax in there, as the arguments you pass in are used to construct a URL like https://yourchef.example.com/data/DATA_BAG/ITEM whereas search goes to /search.

You should be able to convert the data bag items with encrypted values to EncryptedDataBagItem objects doing something like:

secret = Chef::EncryptedDataBagItem.load_secret

enc_app_creds = search(:users, "app1:* AND production:*”)

app_creds = enc_app_creds.map { |enc_item|  Chef::EncryptedDataBagItem.new(enc_item, secret) }

I haven’t tried this out so there could be some additional munging required, but it should get you started.

-- 

Daniel DeLeo