Bump to v0.3.0

+# 0.3.0
+
+Add encryption to DB backups.
+
 # 0.2.2
 
 Separated the recipe for loading the schema and user initially.

@@ -5,6 +5,9 @@ This installs MariaDB 10.0 by default and initiates databases and users. It can
 
 The server is assumed to be using an IAM role with S3 bucket read/write access, instead of a physical credentials file.
 
+
+When encryption is enabled for DB backups, the private and public keys are shared across all databases in the `db_map` attribute. Encryption is enabled separately for each individual database (see Usage below).
+
 ## Supported Platforms
 
 Ubuntu 14.04
@@ -84,10 +87,42 @@ Ubuntu 14.04
     <td>If not using EC2 roles, enter AWS creds here</td>
     <td><tt>nil</tt></td>
   </tr>
+  <tr>
+    <td><tt>['cfe-mariadb']['encrypt']['priv_key']</tt></td>
+    <td>String</td>
+    <td>Contents of the private key file used by recipe `reload_from_s3` if encrypted backups are used.</td>
+    <td><tt>nil</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-mariadb']['encrypt']['pub_key']</tt></td>
+    <td>String</td>
+    <td>Contents of the public key file used by the backup script to encrypt files before uploading to the S3 bucket.</td>
+    <td><tt>nil</tt></td>
+  </tr>
 </table>
 
 ## Usage
 
+### `node['cfe-mariadb']['db_map']`
+
+Example config of a single database:
+
+```json
+{
+  'example_db_name' => {
+    :db_user       => 'example_db_username',
+    :db_pass       => 'supersecret_pass',
+    :bak_filename  => 'example_db_name.sql',
+    :bak_maxcopies => 30
+    :bak_encrypted => false,
+    :char_set      => 'latin1',
+    :collate       => 'latin1_swedish_ci'
+  }
+}
+```
+
+The properties `:bak_encrypted`, `:char_set`, and `:collate` are all optional and their default values are as shown above.
+
 ### cfe-mariadb::default
 
 Include `cfe-mariadb` in your node's `run_list`:

@@ -26,8 +26,9 @@
 #     :bak_filename  => 'example_db_name.sql',
 #     :bak_maxcopies => 30
 ## Optional:
-#     :char_set => 'latin1',
-#     :collate  => 'latin1_swedish_ci'
+#     :char_set      => 'latin1',
+#     :collate       => 'latin1_swedish_ci',
+#     :bak_encrypted => false
 #   }
 # }
 default['cfe-mariadb']['db_map'] = {}
@@ -76,6 +77,28 @@ default['cfe-mariadb']['backup']['logrotate']['options']  = %w{
 #default['cfe-mariadb']['reload']['aws_access_key_id'] = 'MYKEYID'
 #default['cfe-mariadb']['reload']['aws_secret_access_key'] = 'MYSECRETKEY'
 
+# Whether to encrypt the backup DB dumps before storing them in S3.
+#   'priv_key': String. Contents of the private key file.
+#
+#               Used only in recipe 'reload_from_s3' if some/all DB dumps
+#               to be reloaded are encrypted.
+#
+#               File is automatically deleted after the recipe is run.
+#   'pub_key': String. Contents of the public key file.
+#
+#              Used by the backup script to encrypt the DB dump
+#              if ':bak_encrypted' is set to true for that DB.
+#
+#              The key file will be stored in the same directory
+#              as the script as 'pub.key'.
+# NOTE:
+#   Enabling encryption will result in HUGE file sizes and,
+#   depending on how large a database is, can take a LOT of time
+#   during the backup process. That said, it is still recommended to
+#   enforce encryption on DB backups.
+default['cfe-mariadb']['encrypt']['priv_key'] = nil
+default['cfe-mariadb']['encrypt']['pub_key']  = nil
+
 default['mariadb']['server_root_password']   = 'secretpassword'
 default['mariadb']['mysqld']['bind_address'] = '127.0.0.1'
 default['mariadb']['mysqld']['port']         = '3306'

@@ -4,12 +4,13 @@ maintainer_email 'sysadmin @ chromedia.com'
 license          'Apache License'
 description      'Simplifies setup of MariaDB in Chromedia.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.2.2'
+version          '0.3.0'
 
 {
   'mariadb'         => '0.3.1',
   'mysql2_chef_gem' => '1.1.0',
   'database'        => '5.1.2',
+  'openssl'         => '4.4.0',
   'awscli'          => '1.0.1',
   'cron'            => '1.7.4'
 }.each { |cb, ver| depends cb, '~> ' + ver }

@@ -27,6 +27,8 @@ node.default['cfe-mariadb']['backup']['script_dir'] =
   ::File.join(node['mariadb']['configuration']['path'], 'scripts') unless
   node['cfe-mariadb']['backup']['script_dir']
 
+package 'gzip'
+include_recipe 'openssl::upgrade'
 include_recipe 'awscli'
 
 md   = node['cfe-mariadb']
@@ -34,8 +36,21 @@ mdb  = md['backup']
 mdbc = mdb['cron']
 mdbl = mdb['logrotate']
 
+directory mdb['script_dir'] do
+  recursive true
+end
+
+pub_key_file = "#{mdb['script_dir']}/pub.key"
+
+file pub_key_file do
+  content md['encrypt']['pub_key']
+  mode    0600
+  owner   'root'
+  group   'root'
+  only_if { md['encrypt']['pub_key'] }
+end
+
 template "#{mdb['script_dir']}/backup_db_to_s3" do
-  only_if "test -d #{mdb['script_dir']} || mkdir -p #{mdb['script_dir']}"
   variables(
     :db_map        => md['db_map'],
     :db_ip         => node['mariadb']['mysqld']['bind_address'],
@@ -43,7 +58,8 @@ template "#{mdb['script_dir']}/backup_db_to_s3" do
     :s3_region     => md['s3_region'],
     :s3_bucket     => md['s3_bucket'],
     :aws_bin       => mdb['aws_bin'],
-    :mysqldump_bin => mdb['mysqldump_bin']
+    :mysqldump_bin => mdb['mysqldump_bin'],
+    :pub_key_file  => pub_key_file
   )
 end
 

@@ -21,12 +21,25 @@
 # Download the gzip of a MySQL dump from an S3 bucket, 
 # then load it up into a (preferably empty) database.
 
+package 'gzip'
+include_recipe 'openssl::upgrade'
 include_recipe 'awscli'
 
 tmp_dir = ::File.join(Chef::Config[:file_cache_path], 'db_dumps')
 manual_creds = node['cfe-mariadb'].has_key?('reload') &&
                node['cfe-mariadb']['reload'].has_key?('aws_access_key_id')
 
+priv_key_file = "#{tmp_dir}/priv.key"
+
+file priv_key_file do
+  content node['cfe-mariadb']['encrypt']['priv_key'] || ''
+  mode      0600
+  owner     'root'
+  group     'root'
+  sensitive true
+  only_if   "test -d #{tmp_dir} || mkdir -p #{tmp_dir}"
+end
+
 node['cfe-mariadb']['db_map'].each do |dbx|
 
   if dbx.is_a?(Array)
@@ -36,25 +49,30 @@ node['cfe-mariadb']['db_map'].each do |dbx|
     dbx_name = dbx[:db_name]
   end
 
+  keyname = "#{dbx[:bak_filename]}#{dbx[:bak_encrypted] ? '.enc.gz' : '.gz'}"
+  filegz  = "#{tmp_dir}/#{keyname}"
   filesql = "#{tmp_dir}/#{dbx[:bak_filename]}"
-  filegz  = "#{filesql}.gz"
 
   awscli_s3_file filegz do
     region   node['cfe-mariadb']['s3_region']
     bucket   node['cfe-mariadb']['s3_bucket']
-    key      "#{dbx[:bak_filename]}.gz"
+    key      keyname
+    only_if  "test -d #{tmp_dir} || mkdir -p #{tmp_dir}"
     if manual_creds
       aws_access_key_id     node['cfe-mariadb']['reload']['aws_access_key_id']
       aws_secret_access_key node['cfe-mariadb']['reload']['aws_secret_access_key']
     end
-    only_if  "test -d #{tmp_dir} || mkdir -p #{tmp_dir}"
-    notifies :run, "execute[unpack_#{filegz}]", :immediately
   end
 
   execute "unpack_#{filegz}" do
     command  "gzip -d #{filegz}"
-    notifies :run, "execute[reload_#{filesql}]", :immediately
-    action   :nothing
+  end
+
+  execute "decrypt_#{filesql}.enc" do
+    command  "openssl smime -decrypt -binary -inkey #{priv_key_file} "\
+             "-in #{filesql}.enc -out #{filesql} -inform DEM"
+    only_if  { dbx[:bak_encrypted] }
+    notifies :delete, "file[#{filesql}.enc]"
   end
 
   execute "reload_#{filesql}" do
@@ -63,10 +81,17 @@ node['cfe-mariadb']['db_map'].each do |dbx|
               "-p'#{dbx[:db_pass]}' -D #{dbx_name} < #{filesql}"
     notifies  :delete, "file[#{filesql}]"
     sensitive true
-    action    :nothing
+  end
+
+  file "#{filesql}.enc" do
+    action :nothing
   end
 
   file filesql do
     action :nothing
   end
 end
+
+file priv_key_file do
+  action :delete
+end

@@ -19,9 +19,9 @@
 #
 
 mysql2_chef_gem 'default' do
+  provider    Chef::Provider::Mysql2ChefGem::Mariadb
   gem_version '0.4.4'
-  provider Chef::Provider::Mysql2ChefGem::Mariadb
-  action :install
+  action      :install
 end
 
 # Prepare the needed databases and users.

 #!/bin/bash
 # Generated by Chef.
 #
-# Perform mysqldump on databases and upload the 
-# resulting backup files into an S3 bucket.
+# Perform mysqldump on databases, optionally encrypt them,
+# and upload the resulting backup files into an S3 bucket.
+#
+# This script is not meant to be run manually,
+# but instead through a regular cron job.
 
 set -e
 
@@ -19,6 +22,7 @@ region=<%= @s3_region %>
 
 aws_bin=<%= @aws_bin %>
 mysqldump_bin=<%= @mysqldump_bin %>
+pub_key_file=<%= @pub_key_file %>
 
 log_dir=/var/log/backup_db_to_s3
 if [[ ! -d "$log_dir" ]] ; then
@@ -48,9 +52,20 @@ export_db() {
                      -u "$2" -p"$3" "$1" > "${bak_dir}/${4}"
 }
 
-# Compress the backup file with gzip.
+# Encrypt a file using OpenSSL and a given public key.
+# The original file will be replaced by a new file, suffixed with '.enc'.
 # Args:
 #   $1 = dump file filename, e.g. 'mydb.sql'
+encrypt_file() {
+    echo "$(date) : Encrypt file ${1}."
+    openssl smime -encrypt -binary -text -aes256 -in "${bak_dir}/${1}" \
+                  -out "${bak_dir}/${1}.enc" -outform DER "${pub_key_file}"
+    rm "${bak_dir}/${1}"
+}
+
+# Compress the backup file with gzip.
+# Args:
+#   $1 = dump file filename, e.g. 'mydb.sql', 'mydb.sql.enc'
 compress_backup_file() {
     echo "$(date) : Gzip file ${1}."
     gzip "${bak_dir}/${1}"
@@ -58,7 +73,7 @@ compress_backup_file() {
 
 # Rotate the current backups in S3.
 # Args:
-#   $1 = dump file filename, e.g. 'mydb.sql'
+#   $1 = dump file filename, e.g. 'mydb.sql', 'mydb.sql.enc'
 #   $2 = max number of backup files to store at a time
 increment_backup_names() {
     bak_keyname="${1}.gz"
@@ -91,31 +106,37 @@ increment_backup_names() {
 
 # Upload the compressed db backup file.
 # Args:
-#   $1 = dump file filename, e.g. 'mydb.sql'
+#   $1 = dump file filename, e.g. 'mydb.sql', 'mydb.sql.enc'
 upload_to_s3() {
     echo "$(date) : Upload ${1}.gz to S3 bucket ${bucket}."
     "$aws_bin" --region "$region" \
                s3 mv "${bak_dir}/${1}.gz" "s3://${bucket}/${1}.gz"
 }
 
-# First, perform mysqldump on each database.
+# First, perform mysqldump on each database (and encrypt if desired):
+
 <% @db_map.each do |db| -%>
-<%  if db.is_a?(Array) -%>
-<%    db_name = db[0] -%>
-<%    db = db[1] -%>
-<%  else -%>
-<%    db_name = db[:db_name] -%>
-<%  end -%>
+<%   if db.is_a?(Array) -%>
+<%     db_name = db[0] -%>
+<%     db = db[1] -%>
+<%   else -%>
+<%     db_name = db[:db_name] -%>
+<%   end -%>
 export_db <%= db_name %> <%= db[:db_user] %> '<%= db[:db_pass] %>' <%= db[:bak_filename] %>
+<%   if db[:bak_encrypted] -%>
+encrypt_file <%= db[:bak_filename] %>
+<%   end -%>
 <% end -%>
 
-# Then compress and upload the backup files one by one.
+# Then compress and upload the backup files one by one:
+
 <% @db_map.each do |db| -%>
-<%  if db.is_a?(Array) then db = db[1] end -%>
-compress_backup_file <%= db[:bak_filename] %>
-increment_backup_names <%= db[:bak_filename] %> <%= db[:bak_maxcopies] %>
-upload_to_s3 <%= db[:bak_filename] %>
+<%   if db.is_a?(Array) then db = db[1] end -%>
+<%     bfname = db[:bak_encrypted] ? "#{db[:bak_filename]}.enc" : db[:bak_filename] -%>
+compress_backup_file <%= bfname %>
+increment_backup_names <%= bfname %> <%= db[:bak_maxcopies] %>
+upload_to_s3 <%= bfname %>
 
-<% end -%>
+<%  end -%>
 rm "$tmp_file"
 echo "$(date) : Done."