chamber: chamber secure --resecure no longer works

Current Behavior

chamber secure --resecure is described on this page of the docs, linked from this page on re-securing. It seems like a helpful feature for my use case - rotating the keys used to encrypt the config. There are two main use cases for this: security policy mandates rotating keys, and a leak of the key.

Steps to Reproduce

  1. Run chamber secure --resecure on the command line
  2. Receive ERROR: "chamber secure" was called with arguments ["--resecure"]

The option appears not to exist in the task description file, which would explain why it doesn’t work.

Expected Behavior

Chamber should give you the option to recreate the keys. The docs aren’t actually clear on what should happen, actually. At the very least, the docs should be updated to match the gem’s functionality.

Environment

  • Device: 2021 MacBook Pro
  • OS: macOS
  • OS Version: Monterey
  • Running Ruby via asdf
  • Other commands with Chamber CLI work

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (5 by maintainers)

Most upvoted comments

@ideasasylum I agree that as a “go small” simply adding a command to decrypt all values may be good enough since you can just re-run chamber secure.
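
The rotation discussed in this thread (decrypt every secured value with the old key, then encrypt it again under a new one), as an added example that is not Chamber's code and not from any commenter. It uses Ruby's OpenSSL directly; the OAEP padding, the helper names `seal`, `unseal` and `rotate`, and the sample settings are assumptions of the example.

```ruby
require "openssl"
require "base64"

SECURE_PREFIX = "_secure_" # key prefix seen in the error output on this page

# Encrypt one value to Base64. OAEP padding is this example's choice.
def seal(plaintext, public_key)
  Base64.strict_encode64(
    public_key.public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  )
end

# Returns the plaintext, or nil when this key cannot decrypt the value.
def unseal(ciphertext, private_key)
  private_key.private_decrypt(
    Base64.strict_decode64(ciphertext), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING
  )
rescue OpenSSL::PKey::PKeyError, ArgumentError
  nil
end

# Walk a nested settings hash and re-encrypt every _secure_ value.
# Raises as soon as a value fails to decrypt, before any result is returned,
# so a half-rotated settings file is never written.
def rotate(settings, old_key, new_public_key)
  settings.each_with_object({}) do |(name, value), out|
    out[name] =
      if value.is_a?(Hash)
        rotate(value, old_key, new_public_key)
      elsif name.start_with?(SECURE_PREFIX)
        plain = unseal(value, old_key) or raise "cannot decrypt #{name} with the old key"
        seal(plain, new_public_key)
      else
        value
      end
  end
end

# Constructed sample: throwaway keys and a made-up secret.
OLD_KEY = OpenSSL::PKey::RSA.new(2048)
NEW_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE = {
  "production" => { "_secure_api_key" => seal("constructed-secret", OLD_KEY.public_key),
                    "host" => "example.test" }
}.freeze
ROTATED = rotate(SAMPLE, OLD_KEY, NEW_KEY.public_key)
```

Re-encrypting only protects values going forward: ciphertext already committed under the old key stays readable to anyone holding that key, so after a leak the secrets themselves also need replacing.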

3.1 has been released with unsecure! 🎉

I’ve removed resecure from the wiki and added a stub for unsecure for now. I’ll close this in favor of #79

Thanks everyone!

@ideasasylum I’m updating wikis and finalizing everything for a 3.0 final release in the next day or two. I will release 3.0 with all the deprecations removed and then almost immediately release a 3.1 with your “unsecure” command.

Thank you all for the patience. I’m only one person and don’t have a ton of time to work on this stuff throughout the year.

@UsAndRufus @ideasasylum I have time blocked out in December for this. I haven’t forgotten about this or #79

Also just in case you all weren’t aware, chamber will allow you to set up a different key per namespace.

This is actually what I’m doing now to restrict the blast radius the next time this happens

Hey all! This has been on my list for quite a while but I think I’ll actually get finished with it this year at some point. Give me a couple more months and we’ll see where we are. I would suggest making sure you’re upgraded to the latest Chamber 2.x version which will give you deprecations since this feature will only be implemented on the 3.x branch.

The primary change has been to consolidate all lookups to a single public method rather than having to do massive amounts of metaprogramming (and relying on hashie) to do the plethora of lookups that Chamber 2.x did.

To follow up: I did take a stab at this and I think I have something working but I can’t get the test suite to pass locally, even on master. Perhaps I’m missing a key or something @jfelchner?

These are the failing specs for me:

rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:14 # Chamber::Adapters::Cloud::CircleCi can retrieve environment variables
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:53 # Chamber::Adapters::Cloud::CircleCi can properly display errors
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:23 # Chamber::Adapters::Cloud::CircleCi can add environment variables
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:38 # Chamber::Adapters::Cloud::CircleCi knows to convert newlines to literal \n strings
rspec ./spec/lib/chamber/adapters/cloud/circle_ci_spec.rb:67 # Chamber::Adapters::Cloud::CircleCi can remove environment variables
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:45 # Chamber::Adapters::Cloud::Heroku can properly display errors
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:33 # Chamber::Adapters::Cloud::Heroku knows to convert newlines to literal \n strings
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:21 # Chamber::Adapters::Cloud::Heroku can add environment variables
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:56 # Chamber::Adapters::Cloud::Heroku can remove environment variables
rspec ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:14 # Chamber::Adapters::Cloud::Heroku can retrieve environment variables

all with errors like

  10) Chamber::Adapters::Cloud::Heroku can retrieve environment variables
      Failure/Error:
        fail Chamber::Errors::DecryptionFailure,
             "Failed to decrypt #{key} (with an encrypted value of '#{value}') " \
             "in your settings."

      Chamber::Errors::DecryptionFailure:
        Failed to decrypt _secure_api_key (with an encrypted value of 'JL5hAVux4TERpv49QPWxy9H0VC2Rnk7V8/e8+1XOwPcXcoH/a7Lh253UY/v9m8nI/Onb+ZG9nZ082J4M/BmLa+f7jwMEwufIqbUhUah9eKIW8xcxlppBYpl7JVGf2HJF5TfCN44gMQNgGNzboCQXKqRyeGFm4u772Sg9V2gEx/q7qJ6F4jg7v/cltCFLmJfXA2SHA5Dai4p9L4IvMVVJGm34k5j7KOegNqpVWs2RY99cagjPuzc9VM2XSUsXgqcUJdmH8YtPW8Kqkyg0oYlRh6VQWABlWXwTZz74QjTTjqtqfoELIoFTMBDh+cCvuUTAE5m06LhlqauVrB4UnBsd5g==') in your settings.
      # ./lib/chamber/filters/failed_decryption_filter.rb:34:in `block in execute'
      # ./lib/chamber/filters/failed_decryption_filter.rb:27:in `each_pair'
      # ./lib/chamber/filters/failed_decryption_filter.rb:27:in `execute'
      # ./lib/chamber/filters/failed_decryption_filter.rb:29:in `block in execute'
      # ./lib/chamber/filters/failed_decryption_filter.rb:27:in `each_pair'
      # ./lib/chamber/filters/failed_decryption_filter.rb:27:in `execute'
      # ./lib/chamber/filters/failed_decryption_filter.rb:11:in `execute'
      # ./lib/chamber/settings.rb:313:in `block in data'
      # ./lib/chamber/settings.rb:312:in `each'
      # ./lib/chamber/settings.rb:312:in `inject'
      # ./lib/chamber/settings.rb:312:in `data'
      # ./lib/chamber/settings.rb:279:in `method_missing'
      # ./spec/lib/chamber/adapters/cloud/heroku_spec.rb:15:in `block (2 levels) in <module:Cloud>'