class SecureDataBag::NestedDecryptor

Decryptor object responsible for decrypting the encrypted_hash with the secret. It functions similarly to Chef::EncryptedDataBagItem::Decryptor, with the caveat that it is meant to decrypt entire objects rather than single values.

@since 3.0.0

Attributes

decrypted_hash[R]

The decrypted hash

@since 3.0.0

decrypted_keys[R]

The keys found that had to be decrypted in the hash

@since 3.0.0

encrypted_hash[R]

The encrypted hash received

@since 3.0.0

format[R]

The format of this DataBagItem. May be one of:

  • encrypted refers to an EncryptedDataBagItem

  • nested refers to a SecureDataBagItem with nested values

  • plain refers to a plain DataBagItem

@since 3.0.0

Public Class Methods

new(encrypted_hash, secret, metadata = {})

Initializer

@param encrypted_hash [Hash,String] the encrypted hash to decrypt
@param secret [String] the secret to decrypt with
@param metadata [Hash] the optional metadata to configure the decryptor
@since 3.0.0

# File lib/secure_data_bag/decryptor.rb, line 58
def initialize(encrypted_hash, secret, metadata = {})
  @secret = secret

  @decrypted_keys = []
  @encrypted_hash = encrypted_hash
  @decrypted_hash = {}

  @format = metadata[:decryption_format] ||
    if @encrypted_hash.key?(SecureDataBag::METADATA_KEY)
      'nested'
    elsif encrypted?(@encrypted_hash)
      'encrypted'
    elsif partially_encrypted?(@encrypted_hash)
      'nested'
    else
      'plain'
    end
end

Public Instance Methods

decrypt()

Method called to decrypt the data structure and return it.

@return [Mix] the unencrypted value
@since 3.0.0

# File lib/secure_data_bag/decryptor.rb, line 87
def decrypt
  decrypt_data(@encrypted_hash)
end

decrypt!()

Method called to decrypt the data structure, store the result in decrypted_hash and return it.

@return [Mix] the unencrypted value
@since 3.0.0

# File lib/secure_data_bag/decryptor.rb, line 80
def decrypt!
  @decrypted_hash = decrypt
end

Also aliased as: for_decrypted_item

for_decrypted_item()

Method name preserved for compatibility with Chef::EncryptedDataBagItem::Decryptor.

@since 3.0.0

Alias for: decrypt!

Private Instance Methods

decrypt_data(raw_hash)

Decrypt a possibly encrypted value

@param raw_hash [Hash] a potentially encrypted hash
@return [Hash] the unencrypted value
@since 3.0.0

# File lib/secure_data_bag/decryptor.rb, line 102
def decrypt_data(raw_hash)
  if looks_like_encrypted?(raw_hash)
    decrypt_value(raw_hash)
  else
    decrypt_hash(raw_hash)
  end
end

decrypt_hash(hash)

Decrypt a hash potentially containing nested encrypted values

Additionally, this method will attempt to keep track of the names of each encrypted key.

@param hash [Hash] a potentially encrypted hash
@return [Hash] the unencrypted value
@since 3.0.0

# File lib/secure_data_bag/decryptor.rb, line 118
def decrypt_hash(hash)
  decrypted_hash = Mash.new

  hash.each do |key, value|
    value = if looks_like_encrypted?(value)
              @decrypted_keys.push(key) unless @decrypted_keys
                                               .include?(key)
              decrypt_value(value)
            elsif value.is_a?(Hash)
              decrypt_hash(value)
            else value
            end
    decrypted_hash[key] = value
  end

  decrypted_hash
end

decrypt_value(value)

Decrypt an encrypted value

@param value [Hash] the encrypted value as a hash
@return [Mix] the unencrypted value
@since 3.0.0

# File lib/secure_data_bag/decryptor.rb, line 140
def decrypt_value(value)
  case @format
  when 'plain' then value
  else
    Chef::EncryptedDataBagItem::Decryptor
      .for(value, @secret).for_decrypted_item
  end
end
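
The nested walk performed by decrypt_hash and decrypt_value, as an added stand-alone example (not the gem's own code). It assumes a stand-in AES-256-GCM envelope and a hypothetical detection rule in place of looks_like_encrypted? and Chef::EncryptedDataBagItem::Decryptor; every demo_* name is invented for illustration. It shows that key names are recorded once and without their path, so two nested password leaves produce a single decrypted_keys entry.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Stand-in for an encrypted leaf (assumed envelope shape, AES-256-GCM);
# the gem itself delegates to Chef::EncryptedDataBagItem::Decryptor.
def demo_encrypt(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  data = cipher.update(JSON.generate('v' => value)) + cipher.final
  { 'encrypted_data' => Base64.strict_encode64(data),
    'iv' => Base64.strict_encode64(iv),
    'auth_tag' => Base64.strict_encode64(cipher.auth_tag),
    'cipher' => 'aes-256-gcm' }
end

def demo_decrypt(envelope, secret)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = OpenSSL::Digest::SHA256.digest(secret)
  cipher.iv = Base64.strict_decode64(envelope['iv'])
  cipher.auth_tag = Base64.strict_decode64(envelope['auth_tag'])
  plain = cipher.update(Base64.strict_decode64(envelope['encrypted_data'])) + cipher.final
  JSON.parse(plain)['v'] # cipher.final raises if the tag does not verify
end

# Hypothetical detection rule: a hash carrying all envelope fields.
def demo_encrypted_leaf?(value)
  value.is_a?(Hash) && %w[encrypted_data iv auth_tag cipher].all? { |k| value.key?(k) }
end

# Same walk as decrypt_hash: decrypt leaves, recurse into hashes, pass the rest.
def demo_decrypt_hash(hash, secret, seen_keys)
  hash.each_with_object({}) do |(key, value), out|
    out[key] = if demo_encrypted_leaf?(value)
                 seen_keys.push(key) unless seen_keys.include?(key)
                 demo_decrypt(value, secret)
               elsif value.is_a?(Hash)
                 demo_decrypt_hash(value, secret, seen_keys)
               else
                 value
               end
  end
end

SECRET = 'constructed-demo-secret' # constructed sample values below
ITEM = { 'id' => 'app',
         'db' => { 'host' => 'db.example.internal', 'password' => demo_encrypt('s3cr3t', SECRET) },
         'cache' => { 'password' => demo_encrypt('hunter2', SECRET) } }
```

Calling demo_decrypt_hash(ITEM, SECRET, keys) with an empty keys array returns the item with both passwords in clear text and leaves keys holding only 'password'; a modified envelope or a wrong secret raises OpenSSL::Cipher::CipherError instead of returning data.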