chef-flavor-flay 0.4.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 16b50d75fcfefaad5d32a3468c465e9db7aae1f0
-  data.tar.gz: 9aaf7b275e2773953473c5008b8c2c037764d3ff
+  metadata.gz: 6114d63746f15e1bf98e6a80070b68bf7455c5fa
+  data.tar.gz: 7631eba19a6fd5c47bd9d480a9c3477938a6eff2
 SHA512:
-  metadata.gz: 5f7d46a340210e3b9e20ddd9fae12977b6b5a478667c0bdc6e5e5065698aa22ace3071c977743552780679872015bf185949f7a402f5ed4e1e6fde7a257c2922
-  data.tar.gz: cd5beba02c602894984e487be026833e2a85cc6ee9482a68bfbdcec38b82a173c6316b44918b8e6539c6b19ebc029f48b352257c8454ea5c1eec4b7fbe231acd
+  metadata.gz: b9cd09e71dc97912aa44dc829baf3c7fc473308b75a12ea98fa1478102557acf3287bb1505cc08e92ee2b110fbac455240b8337d981bec64dcc3835784c627f4
+  data.tar.gz: e2c72641f9328f4d18e7ac5858764493955a8ccbb16b9b62083fbc36a84eef3ef07360ce7285723db5f0267f829015e01bcfbc6e72c26a406b69c109dab767eb

data/README.md

@@ -1,4 +1,4 @@
-# Flay - A Customizable Chef Cookbook Template
+# Flay - A Customized Chef Cookbook Template with Other Useful Things
 
 [![Build Status](https://travis-ci.org/sweeperio/flay.svg?branch=master)](https://travis-ci.org/sweeperio/flay)
 [![Gem Version](https://badge.fury.io/rb/chef-flavor-flay.svg)](https://badge.fury.io/rb/chef-flavor-flay)
@@ -28,23 +28,7 @@ It's very opinionated and works with the sweeperio infrastructure specifically.
 * Updates all templates to pass `bundle exec rubocop && bundle exec rspec`
 * Adds a travis file for CI that will use the chefdk to run tests
 * Creates a single `test` directory rather than spec/unit and test/integration
-* Adds a _dummy_ `encrypted_data_bag_secret` file for [Test Kitchen]
-* Adds `encrypt_data_bag` rake task for working with encrypted data bags in [Test Kitchen] (see note below)
-
-### Testing Encrypted Data Bags
-
-In order to make testing encrypted data bags easier, there's a convention (and rake task) in place in this template.
-
-The _test/integration/data_bags_ directory should contain subdirectories for each data bag you want to test (just like 
-your chef repo would).
-
-**To create an encrypted data bag item, follow these steps (assuming you're testing ejson/keys):**
-
-* Create `test/integration/data_bags/ejson/keys.plaintext.json` and add your items
-* Run `bundle exec rake encrypt_data_bag[ejson,keys]` (zsh users, you'll need to quote, escape or `unsetopt nomatch`)
-* Notice that `test/integration/data_bags/ejson/keys.json` has been created and contains the encrypted contents
-
-Updating follows the exact same process.
+* Adds a _dummy_ `encrypted_data_bag_secret` file for [Test Kitchen] (see note about testing data bags below)
 
 [Berkshelf]: https://docs.chef.io/berkshelf.html
 [ChefSpec]: https://docs.chef.io/chefspec.html
@@ -72,6 +56,8 @@ Celebrate! :rocket:
 
 * `chef exec flay cookbook my_cookbook`
 * `chef exec flay recipe my_cookbook` (from within the cookbook directory)
+* `chef exec flay encrypt DATA_BAG ITEM (options)`
+* `chef exec flay decrypt DATA_BAG ITEM (options)`
 * `chef exec flay release` (see below)
 
 There are a few other commands available. Run `chef exec flay help` for details.
@@ -91,9 +77,69 @@ It will run:
 * `git tag -a -m "Version #{version}" v#{version}` - unless the tag already exists
 * `git push && git push --tags`
 * `chef exec berks install`
-* `chef exec berks upload --no-ssl-verify`
+* `chef exec berks upload`
+
+### Working With Data Bags
+
+Normally data bags are edited directly on the chef server by using the normal `knife data bag` commands. I'm not fond of
+this practise because there is no history there. If someone changes an item, how do you go back to what it was if
+something goes wrong?
+
+For this reason, I've added a simple knife plugin that exposes 2 new knife commands `data bag encrypt` and `data bag
+decrypt`. These commands work with json files in the `data_bags/` directory of your chef repo. The basic idea is that
+you encrypt the items locally, commit to git and then create/update the items from json files.
+
+For example, suppose you have an unencrypted json file at `data_bags/ejson/keys.json` that defines an item. To encrypt
+this item you can run the following command:
+
+`chef exec knife data bag encrypt ejson keys -w`
+
+This will encrypt the contents using your `encrypted_data_bag_secret` (pulled from chef config/knife.rb).
+
+Similarly there's a `decrypt` version that does the opposite. `knife data bag decrypt ejson keys -w`
+
+Both of these commands support the following options:
+
+* `-w` - whether or not to write the file. If false, the results will be printed to STDOUT, but not written to the file.
+    Default `false`
+* `-s` - The path to your encrypted_data_bag_secret file. Default `Chef::Config[:encrypted_data_bag_secret]`
+* `-p` - The path to your data bag directory. Default `Chef::Config[:data_bag_path]`
+
+For example to use test data bags with a custom secret file you could run:
+
+`chef exec knife data bag encrypt -w -s /some/path/to/secret -p /custom/data_bags/dir`
+
+#### Flay Wrappers
+
+For convenience, there are equivalent commands added to flay that really just wrap the call to these commands.
+
+* `flay encrypt DATA_BAG ITEM` - Will encrypt the data bag and write to the file
+* `flay decrypt DATA_BAG ITEM` - Will decrypt the data bag and write to the file
+
+Both of these support the `--no-write` option to prevent writing the result to the file. There is also the `-t` option,
+we sets the secret file and data bag path to `test/integration/encrypted_data_bag_secret` and
+`test/integration/data_bags` respectively.
+
+### Testing Encrypted Data Bags
+
+The _test/integration/data_bags_ directory should contain subdirectories for each data bag you want to test (just like 
+your chef repo would).
+
+**To create an encrypted data bag item, follow these steps (assuming you're testing ejson/keys):**
+
+* Create `test/integration/data_bags/ejson/keys.json` and add your items
+* Run `chef exec flay encrypt ejson keys -t`
+* Notice that `test/integration/data_bags/ejson/keys.json` contains the encrypted contents
+
+**Updating a data bag**
+
+* Decrypt the data bag using `chef exec flay decrypt ejson keys -t`
+* Notice that `test/integration/data_bags/ejson/keys.json` contains the decrypted contents
+* Update the contents as necessary
+* Run `chef exec flay encrypt ejson keys -t`
+* Notice that `test/integration/data_bags/ejson/keys.json` contains the (updated) encrypted contents
 
-### Example
+### Cookbook Generation Example
 
 ```
 $ chef exec flay generate cookbook chef-demo-flay

data/lib/chef/knife/data_bag_decrypt.rb

@@ -0,0 +1,14 @@
+require_relative "flay_knife_helpers"
+
+class Chef::Knife::DataBagDecrypt < Chef::Knife
+  include Chef::Knife::FlayKnifeHelpers
+
+  banner "knife data bag decrypt DATA_BAG ITEM (options)"
+  category "data bag"
+
+  def run
+    plain_text_bag = Chef::EncryptedDataBagItem.new(data_bag, secret)
+    write_to_file(plain_text_bag) if config.fetch(:write, false)
+    display(plain_text_bag)
+  end
+end

data/lib/chef/knife/data_bag_encrypt.rb

@@ -0,0 +1,14 @@
+require_relative "flay_knife_helpers"
+
+class Chef::Knife::DataBagEncrypt < Chef::Knife
+  include Chef::Knife::FlayKnifeHelpers
+
+  banner "knife data bag encrypt DATA_BAG ITEM (options)"
+  category "data bag"
+
+  def run
+    cipher_text_bag = Chef::EncryptedDataBagItem.encrypt_data_bag_item(data_bag, secret)
+    write_to_file(cipher_text_bag) if config.fetch(:write, false)
+    display(cipher_text_bag)
+  end
+end

data/lib/chef/knife/flay_knife_helpers.rb

@@ -0,0 +1,42 @@
+require "chef"
+require "chef/knife"
+
+module Chef::Knife::FlayKnifeHelpers
+  def self.included(base)
+    base.class_eval do
+      option :data_bag_path, short: "-p", long: "--path", default: nil
+      option :secret_file, short: "-s", long: "--secret-file", default: nil
+      option :write, short: "-w", long: "--write", boolean: true, default: false
+    end
+  end
+
+  private
+
+  def write_to_file(bag)
+    json = JSON.pretty_generate(bag.to_hash)
+    File.open(data_bag_path, "w") { |file| file.write(json) }
+  end
+
+  def display(bag)
+    output(format_for_display(bag))
+  end
+
+  def secret
+    @secret ||= begin
+      path = config.fetch(:secret_file, Chef::Config[:encrypted_data_bag_secret])
+      Chef::EncryptedDataBagItem.load_secret(path)
+    end
+  end
+
+  def data_bag
+    @data_bag ||= Chef::DataBagItem.from_hash(JSON.parse(File.read(data_bag_path)))
+  end
+
+  def data_bag_path
+    @data_bag_path ||= begin
+      base_path = config.fetch(:data_bag_path, Chef::Config[:data_bag_path])
+      bag, item = name_args
+      File.join(base_path, bag, "#{item}.json")
+    end
+  end
+end

data/lib/flay/cli.rb

@@ -1,17 +1,13 @@
 class Flay::CLI < Thor
   include Thor::Actions
+  include Flay::Helpers
 
   package_name "flay"
 
   Flay::Commands::Generate.register_with(self, as: "generate")
   Flay::Commands::Release.register_with(self, as: "release")
 
-  method_option(
-    :chef_path,
-    type: :string,
-    desc: "The path that contains your knife.rb file",
-    default: "~/.chef-sweeper/"
-  )
+  method_option :chef_path, type: :string, desc: "Your .chef/ folder", default: "~/.chef-sweeper/"
   desc "link [--chef-path=PATH]", "symlinks .chef to --chef-path"
   long_desc "Creates a symlink in the current directory from .chef to --chef-path"
   def link
@@ -26,4 +22,34 @@ class Flay::CLI < Thor
   def version
     say "flay version: #{Flay::VERSION}"
   end
+
+  method_option :write, type: :boolean, desc: "Whether or not to write the file", default: true
+  method_option :test, type: :boolean, desc: "Whether or not this is a test data bag", default: false, aliases: "-t"
+  desc "encrypt DATA_BAG ITEM (options)", "encrypt a data bag item"
+  long_desc "Encrypts a data bag item"
+  def encrypt(data_bag, item)
+    cmd = "chef exec knife data bag encrypt #{data_bag} #{item}"
+    cmd << " -w" if options.fetch("write")
+    cmd << " #{test_data_bag_args}" if options.fetch("test")
+
+    shell_exec(cmd)
+  end
+
+  method_option :write, type: :boolean, desc: "Whether or not to write the file", default: true
+  method_option :test, type: :boolean, desc: "Whether or not this is a test data bag", default: false, aliases: "-t"
+  desc "decrypt DATA_BAG ITEM (options)", "decrypt a data bag item"
+  long_desc "Decrypts a data bag item"
+  def decrypt(data_bag, item)
+    cmd = "chef exec knife data bag decrypt #{data_bag} #{item}"
+    cmd << " -w" if options.fetch("write")
+    cmd << " #{test_data_bag_args}" if options.fetch("test")
+
+    shell_exec(cmd)
+  end
+
+  private
+
+  def test_data_bag_args
+    "-s test/integration/encrypted_data_bag_secret -p test/integration/data_bags"
+  end
 end

data/lib/flay/commands/release.rb

@@ -38,7 +38,7 @@ class Flay::Commands::Release < Thor::Group
 
   def berks_upload
     say "Uploading cookbook to chef server...", :green
-    shell_exec("chef exec berks upload --no-ssl-verify")
+    shell_exec("chef exec berks upload")
   end
 
   def all_done

data/lib/flay/version.rb

@@ -1,3 +1,3 @@
 module Flay
-  VERSION = "0.4.1".freeze
+  VERSION = "1.0.0".freeze
 end

data/shared/flavor/flay/files/default/Rakefile

@@ -1,20 +1,7 @@
-require "chef"
 require "foodcritic"
 require "rspec/core/rake_task"
 require "rubocop/rake_task"
 
-# Data Bag Helpers
-SECRET_FILE        = "./test/integration/encrypted_data_bag_secret".freeze
-INPUT_PATH_FORMAT  = "./test/integration/data_bags/%s/%s.plaintext.json".freeze
-OUTPUT_PATH_FORMAT = "./test/integration/data_bags/%s/%s.json".freeze
-
-def raw_bag_item(args)
-  path = format(INPUT_PATH_FORMAT, *args.values_at(:bag, :item))
-  hash = JSON.parse(File.read(path))
-
-  Chef::DataBagItem.from_hash(hash)
-end
-
 RSpec::Core::RakeTask.new { |rspec| rspec.rspec_opts = File.read("./.rspec").split("\n") }
 
 RuboCop::RakeTask.new { |rubocop| rubocop.options = %w(-D) }
@@ -24,19 +11,6 @@ FoodCritic::Rake::LintTask.new do |foodcritic|
   foodcritic.options[:fail_tags] = "any"
 end
 
-desc "encrypts a data bag item for integration tests"
-task :encrypt_data_bag, [:bag, :item] do |_, args|
-  data_bag_item   = raw_bag_item(args)
-  data_bag_secret = Chef::EncryptedDataBagItem.load_secret(SECRET_FILE)
-  encrypted_item  = Chef::EncryptedDataBagItem.encrypt_data_bag_item(data_bag_item, data_bag_secret)
-
-  pretty_json = JSON.pretty_generate(encrypted_item.to_hash)
-  output_path = format(OUTPUT_PATH_FORMAT, *args.values_at(:bag, :item))
-  File.open(output_path, "w") { |file| file.write(pretty_json) }
-
-  puts format("encrypted test data bag: %s", output_path)
-end
-
 desc "Run Rubocop and Foodcritic style checks"
 task style: [:rubocop, :foodcritic]
 

data/shared/flavor/flay/recipes/cookbook.rb

@@ -49,10 +49,6 @@ cookbook_file("#{kitchen_dir}/data_bags/ejson/keys.json") do
   source "test/integration/data_bags/ejson/keys.json"
 end
 
-cookbook_file("#{kitchen_dir}/data_bags/ejson/keys.plaintext.json") do
-  source "test/integration/data_bags/ejson/keys.plaintext.json"
-end
-
 cookbook_file "#{kitchen_dir}/helpers/serverspec/spec_helper.rb" do
   source "test/integration/helpers/serverspec/spec_helper.rb"
   action :create_if_missing

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef-flavor-flay
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 1.0.0
 platform: ruby
 authors:
 - pseudomuto
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-01-08 00:00:00.000000000 Z
+date: 2016-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef-gen-flavors
@@ -61,6 +61,9 @@ files:
 - cucumber.yml
 - exe/flay
 - flay.gemspec
+- lib/chef/knife/data_bag_decrypt.rb
+- lib/chef/knife/data_bag_encrypt.rb
+- lib/chef/knife/flay_knife_helpers.rb
 - lib/chef_gen/flavor/flay.rb
 - lib/flay.rb
 - lib/flay/cli.rb
@@ -80,7 +83,6 @@ files:
 - shared/flavor/flay/files/default/test/chef/client.enc
 - shared/flavor/flay/files/default/test/chef/knife.rb
 - shared/flavor/flay/files/default/test/integration/data_bags/ejson/keys.json
-- shared/flavor/flay/files/default/test/integration/data_bags/ejson/keys.plaintext.json
 - shared/flavor/flay/files/default/test/integration/encrypted_data_bag_secret
 - shared/flavor/flay/files/default/test/integration/helpers/serverspec/spec_helper.rb
 - shared/flavor/flay/files/default/test/unit/spec_helper.rb

data/shared/flavor/flay/files/default/test/integration/data_bags/ejson/keys.plaintext.json

@@ -1,7 +0,0 @@
-{
-  "id": "keys",
-  "test": {
-    "public": "12345abc",
-    "private": "cba54321"
-  }
-}