From 21bb3858daab0cc88f2f7f2de1095d147b03c79c Mon Sep 17 00:00:00 2001
From: Eric Herot
Date: Wed, 26 Nov 2014 15:30:18 -0500
Subject: [PATCH] Do not use node attributes to store secure objects (it defeats the purpose of using encrypted data bags)
---
 providers/group.rb | 10 +++++-----
 providers/group_rule.rb | 16 ++++++----------
 recipes/default.rb | 10 ----------
 .../cookbooks/fake/recipes/add_test.rb | 19 +++++++++++++++++++
 .../cookbooks/fake/recipes/remove_test.rb | 19 +++++++++++++++++++
 5 files changed, 49 insertions(+), 25 deletions(-)
diff --git a/providers/group.rb b/providers/group.rb
index 81f6d71..fcffbb7 100644
--- a/providers/group.rb
+++ b/providers/group.rb
@@ -30,17 +30,17 @@ def load_current_resource
 @current_resource = Chef::Resource::AwsSecurityGroup.new(@new_resource.groupname)
- %w(groupname
+ %w(aws_access_key_id
+ aws_secret_access_key
+ groupname
 description
 vpcid
 region).each do |attrib|
 @current_resource.send(attrib, @new_resource.send(attrib))
 end
- @current_resource.aws_access_key_id(@new_resource.aws_access_key_id ||
- node['aws_security']['aws_access_key_id'])
- @current_resource.aws_secret_access_key(@new_resource.aws_secret_access_key ||
- node['aws_security']['aws_secret_access_key'])
+ @current_resource.mocking(@new_resource.mocking ||
+ node['aws_security']['mocking'])
 @current_resource.exists = true if security_group
 end
diff --git a/providers/group_rule.rb b/providers/group_rule.rb
index b20114a..6083500 100644
--- a/providers/group_rule.rb
+++ b/providers/group_rule.rb
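Review bot: Copying `aws_secret_access_key` onto `@current_resource` through the `%w(` loop makes the secret an ordinary resource attribute, and Chef's error report dumps a failed resource's compiled attributes, so an exception raised in this provider would put the key in the log unless the resource definition (not in this patch) marks that attribute `sensitive`; a comment above the loop such as `# aws_secret_access_key is copied as-is: keep the resource attribute flagged sensitive so a failed run does not log it` keeps that expectation visible to the next maintainer. Dropping the `node['aws_security'][...]` fallback is also a breaking change for wrapper cookbooks that set those attributes directly, which the commit message could call out explicitly. `load_current_resource` begins before this hunk; its `def` line appears only as the hunk's context.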
@@ -37,16 +37,12 @@ def load_current_resource
 @current_resource = Chef::Resource::AwsSecurityGroupRule.new(@new_resource.name)
- @current_resource.aws_access_key_id(
- @new_resource.aws_access_key_id ||
- node['aws_security']['aws_access_key_id']
- )
- @current_resource.aws_secret_access_key(
- @new_resource.aws_access_key_id ||
- node['aws_security']['aws_secret_access_key']
- )
-
- %w(groupname
+ @current_resource.mocking(@new_resource.mocking ||
+ node['aws_security']['mocking'])
+
+ %w(aws_access_key_id
+ aws_secret_access_key
+ groupname
 name
 cidr_ip
 group
diff --git a/recipes/default.rb b/recipes/default.rb
index 24e408e..c72a7a6 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -22,13 +22,3 @@ include_recipe "fog_gem::chefgem"
-
-if node['aws_security']['encrypted_data_bag']
- databag_item = Chef::EncryptedDataBagItem.load(
- node['aws_security']['encrypted_data_bag'],
- 'aws_keys'
- )
- node.set['aws_security']['aws_access_key_id'] = databag_item['aws_access_key_id']
- node.set['aws_security']['aws_secret_access_key'] = databag_item['aws_secret_access_key']
-end
-
diff --git a/test/fixtures/cookbooks/fake/recipes/add_test.rb b/test/fixtures/cookbooks/fake/recipes/add_test.rb
index d4fb95b..7290432 100644
--- a/test/fixtures/cookbooks/fake/recipes/add_test.rb
+++ b/test/fixtures/cookbooks/fake/recipes/add_test.rb
@@ -42,9 +42,16 @@
 )
 end
+credentials = Chef::EncryptedDataBagItem.load(
+ node['aws_security']['encrypted_data_bag'],
+ 'aws_keys'
+)
+
 aws_security_group 'test' do
 description 'test security group'
 region 'us-west-2'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 end
 aws_security_group_rule 'test rule 1' do
@@ -54,6 +61,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 end
 aws_security_group_rule 'test rule 2' do
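Review bot: With the node-attribute fallback gone, nothing in this method checks that `aws_access_key_id` and `aws_secret_access_key` were actually set on the resource, so a declaration that omits them copies `nil` into `@current_resource` and the failure surfaces later from whatever consumes the credentials rather than here. Unless the resource definition (not in this patch) already declares both `:required => true`, a guard before the `%w(` loop such as `raise ArgumentError, "aws_access_key_id and aws_secret_access_key are required on #{@new_resource.name}" if @new_resource.aws_access_key_id.nil? || @new_resource.aws_secret_access_key.nil?` fails fast with a readable message. `load_current_resource` begins before this hunk and the `%w(` list continues past its last line.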
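Review bot: The `credentials` load carries no comment explaining why a test fixture now reads the encrypted data bag itself, which matters because after this commit nothing in the cookbook's own recipes reads `node['aws_security']['encrypted_data_bag']` and this fixture is the only remaining consumer of that attribute; a line above it such as `# Credentials are read from the encrypted data bag and passed per resource; the cookbook no longer copies them into node attributes.` records the contract the test exercises. If that attribute is unset the load will presumably fail with an unhelpful error about a missing bag, so a `raise "node['aws_security']['encrypted_data_bag'] must be set" unless node['aws_security']['encrypted_data_bag']` before the load would make the failure readable, though the attribute defaults are not in this patch.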
@@ -62,6 +71,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'udp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 end
 aws_security_group_rule 'test rule 3' do
@@ -70,6 +81,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 end
 aws_security_group_rule 'test rule 3 (duplicate)' do
@@ -78,6 +91,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 end
 aws_security_group_rule 'test rule 4' do
@@ -86,6 +101,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 end
 aws_security_group_rule 'test rule 5' do
@@ -93,4 +110,6 @@
 groupname 'test'
 region 'us-west-2'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 end
diff --git a/test/fixtures/cookbooks/fake/recipes/remove_test.rb b/test/fixtures/cookbooks/fake/recipes/remove_test.rb
index 94cd4d8..d943691 100644
--- a/test/fixtures/cookbooks/fake/recipes/remove_test.rb
+++ b/test/fixtures/cookbooks/fake/recipes/remove_test.rb
@@ -42,6 +42,11 @@
 )
 end
+credentials = Chef::EncryptedDataBagItem.load(
+ node['aws_security']['encrypted_data_bag'],
+ 'aws_keys'
+)
+
 aws_security_group_rule 'test rule 1' do
 description 'test rule 1'
 cidr_ip '192.168.1.1/32'
@@ -49,6 +54,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 action :remove
 end
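Review bot: The `credentials` loader added in the `@@ -42,6 +42,11 @@` hunk of remove_test.rb is a verbatim copy of the one in add_test.rb, down to the hard-coded `'aws_keys'` item name, so the two fixtures can drift independently the next time the bag or item name changes. A small helper in the fake cookbook's libraries (mixed into the recipe DSL), for example `def aws_test_credentials(node)` wrapping the same `Chef::EncryptedDataBagItem.load(node['aws_security']['encrypted_data_bag'], 'aws_keys')` call, with each recipe doing `credentials = aws_test_credentials(node)`, would keep the data bag and item names in one place.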
@@ -58,6 +65,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'udp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 action :remove
 end
@@ -67,6 +76,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 action :remove
 end
@@ -76,6 +87,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 action :remove
 end
@@ -85,6 +98,8 @@
 region 'us-west-2'
 port_range '80..80'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 action :remove
 end
@@ -93,11 +108,15 @@
 groupname 'test'
 region 'us-west-2'
 ip_protocol 'tcp'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 action :remove
 end
 aws_security_group 'test' do
 description 'test security group'
 region 'us-west-2'
+ aws_access_key_id credentials['aws_access_key_id']
+ aws_secret_access_key credentials['aws_secret_access_key']
 action :remove
 end