chef-encrypted-attributes 0.1.0

data/lib/chef/encrypted_attribute/remote_clients.rb

@@ -0,0 +1,46 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/encrypted_attribute/search_helper'
+require 'chef/encrypted_attribute/cache_lru'
+
+class Chef
+  class EncryptedAttribute
+    class RemoteClients
+      extend ::Chef::EncryptedAttribute::SearchHelper
+
+      def self.cache
+        @@cache ||= Chef::EncryptedAttribute::CacheLru.new
+      end
+
+      def self.get_public_keys(search='*:*', partial_search=true)
+        escaped_query = escape_query(search)
+        if cache.has_key?(escaped_query)
+          cache[escaped_query]
+        else
+          cache[escaped_query] = search(:client, search, {
+            'public_key' => [ 'public_key' ]
+          }, 1000, partial_search).map do |client|
+            client['public_key']
+          end.compact
+        end
+      end
+
+    end
+  end
+end

data/lib/chef/encrypted_attribute/remote_node.rb

@@ -0,0 +1,111 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/mixin/params_validate'
+require 'chef/encrypted_attribute/search_helper'
+require 'chef/encrypted_attribute/cache_lru'
+
+class Chef
+  class EncryptedAttribute
+    class RemoteNode
+      include ::Chef::Mixin::ParamsValidate
+      include ::Chef::EncryptedAttribute::SearchHelper
+
+      def initialize(name)
+        name(name)
+      end
+
+      def self.cache
+        @@cache ||= Chef::EncryptedAttribute::CacheLru.new(0) # disabled by default
+      end
+
+      def name(arg=nil)
+        set_or_return(
+          :name,
+          arg,
+          :kind_of => String
+        )
+      end
+
+      def load_attribute(attr_ary, partial_search=true)
+        unless attr_ary.kind_of?(Array)
+          raise ArgumentError, "#{self.class.to_s}##{__method__} attr_ary argument must be an array of strings. You passed #{attr_ary.inspect}."
+        end
+        cache_key = cache_key(name, attr_ary)
+        if self.class.cache.has_key?(cache_key)
+          self.class.cache[cache_key]
+        else
+          keys = { 'value' => attr_ary }
+          res = search(:node, "name:#{@name}", keys, 1, partial_search)
+          self.class.cache[cache_key] = if res.kind_of?(Array) and
+               res[0].kind_of?(Hash) and res[0].has_key?('value')
+              res[0]['value']
+            else
+              nil
+            end
+        end
+      end
+
+      def save_attribute(attr_ary, value)
+        unless attr_ary.kind_of?(Array)
+          raise ArgumentError, "#{self.class.to_s}##{__method__} attr_ary argument must be an array of strings. You passed #{attr_ary.inspect}."
+        end
+        cache_key = cache_key(name, attr_ary)
+
+        node = Chef::Node.load(name)
+        last = attr_ary.pop
+        node_attr = attr_ary.reduce(node.normal) do |a, k|
+          a[k] = Mash.new unless a.has_key?(k)
+          a[k]
+        end
+        node_attr[last] = value
+
+        node.save
+        self.class.cache[cache_key] = value
+      end
+
+      def delete_attribute(attr_ary)
+        unless attr_ary.kind_of?(Array)
+          raise ArgumentError, "#{self.class.to_s}##{__method__} attr_ary argument must be an array of strings. You passed #{attr_ary.inspect}."
+        end
+        cache_key = cache_key(name, attr_ary)
+
+        node = Chef::Node.load(name)
+        last = attr_ary.pop
+        node_attr = attr_ary.reduce(node.normal) do |a, k|
+          a.respond_to?(:has_key?) && a.has_key?(k) ? a[k] : nil
+        end
+        if node_attr.respond_to?(:has_key?) && node_attr.has_key?(last)
+          node_attr.delete(last)
+          node.save
+          self.class.cache.delete(cache_key)
+          true
+        else
+          false
+        end
+      end
+
+      protected
+
+      def cache_key(name, attr_ary)
+        "#{name}:#{attr_ary.inspect}" # TODO ok, this can be improved
+      end
+
+    end
+  end
+end

data/lib/chef/encrypted_attribute/remote_users.rb

@@ -0,0 +1,73 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/user'
+require 'chef/encrypted_attribute/exceptions'
+require 'chef/encrypted_attribute/cache_lru'
+
+class Chef
+  class EncryptedAttribute
+    class RemoteUsers
+
+      def self.cache
+        @@cache ||= Chef::EncryptedAttribute::CacheLru.new
+      end
+
+      def self.get_public_keys(users=[])
+        if users == '*' # users are [a-z0-9\-_]+, cannot be *
+          if cache.has_key?('*')
+            cache['*']
+          else
+            cache['*'] = get_all_public_keys
+          end
+        elsif users.kind_of?(Array)
+          get_users_public_keys(users)
+        elsif not users.nil?
+          raise ArgumentError, "#{self.class.to_s}##{__method__} users argument must be an array or \"*\"."
+        end
+      end
+
+      protected
+
+      def self.get_user_public_key(name)
+        return cache[name] if cache.has_key?(name)
+        user = Chef::User.load(name)
+        cache[name] = user.public_key
+      rescue Net::HTTPServerException => e
+        case e.response.code
+        when '403'
+          raise InsufficientPrivileges, 'Your node needs admin privileges to be able to work with Chef Users.'
+        when '404' # Not Found
+          raise UserNotFound, "Chef User not found: \"#{name}\"."
+        else
+          raise e
+        end
+      end
+
+      def self.get_users_public_keys(users)
+        users.map { |n| get_user_public_key(n) }
+      end
+
+      def self.get_all_public_keys
+        # Chef::User.list(inflate=true) has a bug
+        get_users_public_keys(Chef::User.list.keys)
+      end
+
+    end
+  end
+end

data/lib/chef/encrypted_attribute/search_helper.rb

@@ -0,0 +1,144 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/search/query'
+require 'chef/encrypted_attribute/exceptions'
+
+class Chef
+  class EncryptedAttribute
+    module SearchHelper
+      extend self
+
+      def query
+        Chef::Search::Query.new
+      end
+
+      def escape(str)
+        URI.escape(str.to_s, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+      end
+
+      def escape_query(query)
+        query_s = if query.kind_of?(Array)
+          query.map do |item|
+            "( #{item} )"
+          end.compact.join(' OR ')
+        else
+          query.to_s
+        end
+        escape(query_s)
+      end
+
+      def valid_search_keys?(keys)
+        return false unless keys.kind_of?(Hash)
+        keys.reduce(true) do |r, (k, v)|
+          r && unless k.kind_of?(String) || k.kind_of?(Symbol) and v.kind_of?(Array)
+            false
+          else
+            v.reduce(true) do |r, x|
+              r and x.kind_of?(String)
+            end
+          end
+        end
+      end
+
+      def empty_search?(query)
+        query.kind_of?(String) && query.empty? or
+        query.kind_of?(Array) && query.count == 0
+      end
+
+      def search(type, query, keys, rows=1000, partial_search=true)
+        return [] if empty_search?(query) # avoid empty searches
+        if partial_search
+          partial_search(type, query, keys, rows)
+        else
+          normal_search(type, query, keys, rows)
+        end
+      end
+
+      def normal_search(type, query, keys, rows=1000)
+        escaped_query = escape_query(query)
+        Chef::Log.info("Normal Search query: #{escaped_query}, keys: #{keys.inspect}")
+        unless valid_search_keys?(keys)
+          raise InvalidSearchKeys, "Invalid search keys: #{keys.inspect}"
+        end
+
+        begin
+          resp = self.query.search(type, escaped_query, nil, 0, rows)[0]
+        rescue Net::HTTPServerException => e
+          if e.response.kind_of?(Net::HTTPResponse) and e.response.code == '404' # Not Found
+            return []
+          else
+            raise SearchFailure, "Partial Search exception #{e.class.name}: #{e.to_s}"
+          end
+        rescue Net::HTTPFatalError => e
+          raise SearchFailure, "Normal Search exception #{e.class.name}: #{e.to_s}"
+        end
+        unless resp.kind_of?(Array)
+          raise SearchFatalError, "Wrong response received from Normal Search: #{resp.inspect}"
+        end
+        # TODO too complex, refactorize
+        resp.map do |row|
+          Hash[keys.map do |key_name, attr_ary|
+            value = attr_ary.reduce(row) do |r, attr|
+              if r.respond_to?(attr.to_sym)
+                r.send(attr.to_sym)
+              elsif r.respond_to?(:has_key?)
+                if r.has_key?(attr.to_s)
+                  r[attr.to_s]
+                end
+              end
+            end
+            [ key_name, value ]
+          end]
+        end
+      end
+
+      def partial_search(type, query, keys, rows=1000)
+        escaped_query = "search/#{escape(type)}?q=#{escape_query(query)}&start=0&rows=#{rows}"
+        Chef::Log.info("Partial Search query: #{escaped_query}, keys: #{keys.inspect}")
+        unless valid_search_keys?(keys)
+          raise InvalidSearchKeys, "Invalid search keys: #{keys.inspect}"
+        end
+
+        rest = Chef::REST.new(Chef::Config[:chef_server_url])
+        begin
+          resp = rest.post_rest(escaped_query, keys)
+        rescue Net::HTTPServerException => e
+          if e.response.kind_of?(Net::HTTPResponse) and e.response.code == '404' # Not Found
+            return []
+          else
+            raise SearchFailure, "Partial Search exception #{e.class.name}: #{e.to_s}"
+          end
+        rescue Net::HTTPFatalError => e
+          raise SearchFailure, "Partial Search exception #{e.class.name}: #{e.to_s}"
+        end
+        unless resp.kind_of?(Hash) and resp.has_key?('rows') and resp['rows'].kind_of?(Array)
+          raise SearchFatalError, "Wrong response received from Partial Search: #{resp.inspect}"
+        end
+        resp['rows'].map do |row|
+          if row.kind_of?(Hash) and row['data'].kind_of?(Hash)
+            row['data']
+          else
+            raise SearchFatalError, "Wrong row format received from Partial Search: #{row.inspect}"
+          end
+        end.compact
+      end
+
+    end
+  end
+end

data/lib/chef/encrypted_attribute/version.rb

@@ -0,0 +1,23 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class Chef
+  class EncryptedAttribute
+    VERSION = '0.1.0'
+  end
+end

data/lib/chef/knife/core/config.rb

@@ -0,0 +1,19 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+Chef::Config[:knife][:encrypted_attributes] = Mash.new unless Chef::Config[:knife][:encrypted_attributes].kind_of?(Hash)

data/lib/chef/knife/core/encrypted_attribute_editor_options.rb

@@ -0,0 +1,100 @@
+#
+# Author:: Xabier de Zuazo (<xabier@onddo.com>)
+# Copyright:: Copyright (c) 2014 Onddo Labs, SL. (www.onddo.com)
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/knife/core/config'
+
+class Chef
+  class Knife
+    module Core
+
+      module EncryptedAttributeEditorOptions
+        def self.included(includer)
+          includer.class_eval do
+
+            deps do
+              require 'chef/encrypted_attribute'
+              require 'chef/json_compat'
+            end
+
+            option :encrypted_attribute_version,
+              :long  => '--encrypted-attribute-version VERSION',
+              :description => 'Encrypted Attribute protocol version to use',
+              :proc => lambda { |i| Chef::Config[:knife][:encrypted_attributes][:version] = i }
+
+            option :encrypted_attribute_partial_search,
+              :short => '-P',
+              :long => '--disable-partial-search',
+              :description => 'Disable partial search',
+              :boolean => true,
+              :proc => lambda { |i| Chef::Config[:knife][:encrypted_attributes][:partial_search] = false }
+
+            option :encrypted_attribute_client_search,
+              :short => '-C CLIENT_SEARCH_QUERY',
+              :long => '--client-search CLIENT_SEARCH_QUERY',
+              :description => 'Client search query. Can be specified multiple times',
+              :proc => lambda { |i|
+                Chef::Config[:knife][:encrypted_attributes][:client_search] = [] unless Chef::Config[:knife][:encrypted_attributes][:client_search].kind_of?(Array)
+                Chef::Config[:knife][:encrypted_attributes][:client_search] << i
+              }
+
+            option :encrypted_attribute_users,
+              :short => '-U USER',
+              :long => '--encrypted-attribute-user USER',
+              :description => 'User name to allow access to. Can be specified multiple times',
+              :proc => lambda { |i|
+                Chef::Config[:knife][:encrypted_attributes][:users] = [] unless Chef::Config[:knife][:encrypted_attributes][:users].kind_of?(Array)
+                Chef::Config[:knife][:encrypted_attributes][:users] << i
+              }
+
+            # TODO option :keys
+
+            # Modified Chef::Knife::UI#edit_data method with plain text format support
+            def edit_data(data=nil, format='plain')
+              output = case format
+              when 'JSON', 'json'
+                data.nil? ? {} : Chef::JSONCompat.to_json_pretty(data, {:quirks_mode => true})
+              else
+                data.nil? ? '' : data
+              end
+
+              if !config[:disable_editing]
+                Tempfile.open([ 'knife-edit-', '.json' ]) do |tf|
+                  tf.sync = true
+                  tf.puts output
+                  tf.close
+                  raise 'Please set EDITOR environment variable' unless system("#{config[:editor]} #{tf.path}")
+
+                  output = IO.read(tf.path)
+                  tf.unlink # not needed, but recommended
+                end
+              end
+
+              case format
+              when 'JSON', 'json'
+                Yajl::Parser.parse(output)
+              else
+                output
+              end
+            end # def edit_data
+
+          end # includer.class_eval
+        end # self.included(includer)
+      end # EncryptedAttributeEditorOptions
+    end # Core
+  end # Knife
+end # Chef