chef-vault 1.2.5 → 2.0.1.pre

data/lib/chef-vault.rb

@@ -17,19 +17,23 @@
 #
 
 require 'chef'
+require 'chef/user'
+require 'chef-vault/version'
+require 'chef-vault/exceptions'
+require 'chef-vault/item'
+require 'chef-vault/item_keys'
 require 'chef-vault/user'
 require 'chef-vault/certificate'
-require 'chef-vault/version'
-require 'chef-vault/chef/offline'
+require 'chef-vault/chef_patch/api_client'
+require 'chef-vault/chef_patch/user'
 
 class ChefVault
 
-  attr_accessor :data_bag
-  attr_accessor :chef_config_file
+  attr_accessor :vault
 
-  def initialize(data_bag, chef_config_file=nil)
-    @data_bag = data_bag
-    @chef_config_file = chef_config_file
+  def initialize(vault, chef_config_file=nil)
+    @vault = vault
+    ChefVault.load_config(chef_config_file) if chef_config_file
   end
 
   def version
@@ -37,10 +41,14 @@ class ChefVault
   end
 
   def user(username)
-    ChefVault::User.new(data_bag, username, chef_config_file)
+    ChefVault::User.new(vault, username)
   end
 
   def certificate(name)
-    ChefVault::Certificate.new(data_bag, name, chef_config_file)
+    ChefVault::Certificate.new(vault, name)
+  end
+
+  def self.load_config(chef_config_file)
+    Chef::Config.from_file(chef_config_file)
   end
 end

data/lib/chef-vault/certificate.rb

@@ -15,38 +15,17 @@
 
 class ChefVault
   class Certificate
-    attr_accessor :name
-
-    def initialize(data_bag, name, chef_config_file)
-      @name = name
-      @data_bag = data_bag
+    def initialize(vault, name)
+      @item = ChefVault::Item.load(vault, name)
+    end
 
-      if chef_config_file
-        chef = ChefVault::ChefOffline.new(chef_config_file)
-        chef.connect
-      end
+    def [](key)
+      @item[key]
     end
 
     def decrypt_contents
-      # use the private client_key file to create a decryptor
-      private_key = open(Chef::Config[:client_key]).read
-      private_key = OpenSSL::PKey::RSA.new(private_key)
-      
-      begin
-        keys = Chef::DataBagItem.load(@data_bag, "#{name}_keys")
-      rescue
-        throw "Could not find data bag item #{name}_keys in data bag #{@data_bag}"
-      end
-
-      unless keys[Chef::Config[:node_name]]
-        throw "#{name} is not encrypted for you!  Rebuild the certificate data bag"
-      end
-
-      node_key = Base64.decode64(keys[Chef::Config[:node_name]])
-      shared_secret = private_key.private_decrypt(node_key)
-      certificate = Chef::EncryptedDataBagItem.load(@data_bag, @name, shared_secret)
-
-      certificate["contents"]
+      puts "WARNING: This method is deprecated, please switch to item['value'] calls"
+      @item["contents"]
     end
   end
 end

data/lib/chef-vault/chef_patch/api_client.rb

@@ -0,0 +1,40 @@
+# Author:: Kevin Moser <kevin.moser@nordstrom.com>
+# Copyright:: Copyright 2013, Nordstrom, Inc.
+# License:: Apache License, Version 2.0
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+class ChefVault
+  module ChefPatch
+    class ApiClient < Chef::ApiClient
+      # Fix an issue where core Chef::ApiClient does not load
+      # the private key for Chef 10
+      def self.load(name)
+        response = http_api.get("clients/#{name}")
+        if response.kind_of?(Chef::ApiClient)
+          response
+        else
+          client = Chef::ApiClient.new
+          client.name(response['clientname'])
+
+          if response['certificate']
+            der = OpenSSL::X509::Certificate.new response['certificate']
+            client.public_key der.public_key.to_s
+          end
+
+          client
+        end
+      end
+    end
+  end
+end

data/lib/chef-vault/chef_patch/user.rb

@@ -0,0 +1,33 @@
+# Author:: Kevin Moser <kevin.moser@nordstrom.com>
+# Copyright:: Copyright 2013, Nordstrom, Inc.
+# License:: Apache License, Version 2.0
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+class ChefVault
+  module ChefPatch
+    class User < Chef::User
+      # def from_hash for our implementation because name is not being
+      # set correctly for Chef 10 server
+      def superclass.from_hash(user_hash)
+        user = Chef::User.new
+        user.name user_hash['username'] ? user_hash['username'] : user_hash['name']
+        user.private_key user_hash['private_key'] if user_hash.key?('private_key')
+        user.password user_hash['password'] if user_hash.key?('password')
+        user.public_key user_hash['public_key']
+        user.admin user_hash['admin']
+        user
+      end
+    end
+  end
+end

data/lib/chef-vault/exceptions.rb

@@ -0,0 +1,27 @@
+# Author:: Kevin Moser <kevin.moser@nordstrom.com>
+# Copyright:: Copyright 2013, Nordstrom, Inc.
+# License:: Apache License, Version 2.0
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+class ChefVault::Exceptions
+  class SecretDecryption < RuntimeError; end
+  class NoKeysDefined < RuntimeError; end
+  class ItemNotEncrypted < RuntimeError; end
+  class KeysActionNotValue < RuntimeError; end
+  class AdminNotFound < RuntimeError; end
+  class ClientNotFound < RuntimeError; end
+  class KeysNotFound < RuntimeError; end
+  class ItemNotFound < RuntimeError; end
+  class ItemAlreadyExists < RuntimeError; end
+end

data/lib/chef-vault/item.rb

@@ -0,0 +1,243 @@
+# Author:: Kevin Moser <kevin.moser@nordstrom.com>
+# Copyright:: Copyright 2013, Nordstrom, Inc.
+# License:: Apache License, Version 2.0
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+class ChefVault::Item < Chef::DataBagItem
+  attr_accessor :keys
+  attr_accessor :encrypted_data_bag_item
+
+  def initialize(vault, name)
+    super() # Don't pass parameters
+    @data_bag = vault
+    @raw_data["id"] = name
+    @keys = ChefVault::ItemKeys.new(vault, "#{name}_keys")
+    @secret = generate_secret
+    @encrypted = false
+  end
+
+  def load_keys(vault, keys)
+    @keys = ChefVault::ItemKeys.load(vault, keys)
+    @secret = secret
+  end
+
+  def clients(search=nil, action=:add)
+    if search
+      results_returned = false
+
+      query = Chef::Search::Query.new
+      query.search(:node, search)[0].each do |node|
+        results_returned = true
+
+        case action
+        when :add
+          begin
+            keys.add(ChefVault::ChefPatch::ApiClient.load(node.name), @secret, "clients")
+          rescue Net::HTTPServerException => http_error
+            if http_error.response.code == "404"
+              raise ChefVault::Exceptions::ClientNotFound,
+                    "#{node.name} is not a valid chef client and/or node"
+            else
+              raise http_error
+            end
+          end
+        when :delete
+          keys.delete(node.name, "clients")
+        else
+          raise ChefVault::Exceptions::KeysActionNotValid,
+                "#{action} is not a valid action"
+        end
+      end
+
+      unless results_returned
+        puts "WARNING: No clients were returned from search, you may not have "\
+             "got what you expected!!"
+      end
+    else
+      keys.clients
+    end
+  end
+
+  def admins(admins=nil, action=:add)
+    if admins
+      admins.split(",").each do |admin|
+        admin.strip!
+        case action
+        when :add
+          begin
+            keys.add(ChefVault::ChefPatch::User.load(admin), @secret, "admins")
+          rescue Net::HTTPServerException => http_error
+            if http_error.response.code == "404"
+              raise ChefVault::Exceptions::AdminNotFound,
+                    "#{admin} is not a valid chef admin"
+            else
+              raise http_error
+            end
+          end
+        when :delete
+          keys.delete(admin, "admins")
+        else
+          raise ChefVault::Exceptions::KeysActionNotValid,
+                "#{action} is not a valid action"
+        end
+      end
+    else
+      keys.admins
+    end
+  end
+
+  def remove(key)
+    @raw_data.delete(key)
+  end
+
+  def secret
+    if @keys.include?(Chef::Config[:node_name])
+      private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+      private_key.private_decrypt(Base64.decode64(@keys[Chef::Config[:node_name]]))
+    else
+      raise ChefVault::Exceptions::SecretDecryption, 
+            "#{data_bag}/#{id} is not encrypted with your public key.  "\
+            "Contact an administrator of the vault item to encrypt for you!"
+    end
+  end
+
+  def rotate_keys!
+    @secret = generate_secret
+
+    unless clients.empty?
+      clients.each do |client|
+        clients("name:#{client}")
+      end
+    end
+
+    unless admins.empty?
+      admins.each do |admin|
+        admins(admin)
+      end
+    end
+
+    save
+    reload_raw_data
+  end
+
+  def generate_secret
+    OpenSSL::PKey::RSA.new(245).to_pem.lines.to_a[1..-2].join
+  end
+
+  def []=(key, value)
+    reload_raw_data if @encrypted
+    super
+  end
+
+  def [](key)
+    reload_raw_data if @encrypted
+    super
+  end
+
+  def save(item_id=@raw_data['id'])
+    # save the keys first, raising an error if no keys were defined
+    if keys.admins.empty? && keys.clients.empty?
+      raise ChefVault::Exceptions::NoKeysDefined, 
+            "No keys defined for #{item_id}"
+    end
+
+    keys.save
+
+    # Make sure the item is encrypted before saving
+    encrypt! unless @encrypted
+
+    # Now save the encrypted data
+    if Chef::Config[:solo]
+      data_bag_path = File.join(Chef::Config[:data_bag_path],
+                                data_bag)
+      data_bag_item_path = File.join(data_bag_path, item_id)
+
+      FileUtils.mkdir(data_bag_path) unless File.exists?(data_bag_path)
+      File.open("#{data_bag_item_path}.json",'w') do |file| 
+        file.write(JSON.pretty_generate(self))
+      end
+      
+      self
+    else
+      begin
+        chef_data_bag = Chef::DataBag.load(data_bag)
+      rescue Net::HTTPServerException => http_error
+        if http_error.response.code == "404"
+          chef_data_bag = Chef::DataBag.new
+          chef_data_bag.name data_bag
+          chef_data_bag.create
+        end
+      end
+
+      super
+    end
+  end
+
+  def to_json(*a)
+    json = super
+    json.gsub(self.class.name, self.class.superclass.name)
+  end
+
+  def destroy
+    keys.destroy
+
+    if Chef::Config[:solo]
+      data_bag_path = File.join(Chef::Config[:data_bag_path],
+                                data_bag)
+      data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
+
+      FileUtils.rm("#{data_bag_item_path}.json")
+
+      nil
+    else
+      super(data_bag, id)
+    end
+  end    
+
+  def self.load(vault, name)
+    item = new(vault, name)
+    item.load_keys(vault, "#{name}_keys")
+  
+    begin
+      item.raw_data = 
+        Chef::EncryptedDataBagItem.load(vault, name, item.secret).to_hash
+    rescue Net::HTTPServerException => http_error
+      if http_error.response.code == "404"
+        raise ChefVault::Exceptions::ItemNotFound,
+              "#{vault}/#{name} could not be found"
+      else
+        raise http_error
+      end
+    rescue Chef::Exceptions::ValidationFailed
+      raise ChefVault::Exceptions::ItemNotFound,
+            "#{vault}/#{name} could not be found"
+    end
+
+    item
+  end
+
+  private
+  def encrypt!
+    @raw_data = Chef::EncryptedDataBagItem.encrypt_data_bag_item(self, @secret)
+    @encrypted = true
+  end
+
+  def reload_raw_data
+    @raw_data = 
+      Chef::EncryptedDataBagItem.load(@data_bag, @raw_data["id"], secret).to_hash
+    @encrypted = false
+
+    @raw_data
+  end
+end

data/lib/chef-vault/item_keys.rb

@@ -0,0 +1,121 @@
+# Author:: Kevin Moser <kevin.moser@nordstrom.com>
+# Copyright:: Copyright 2013, Nordstrom, Inc.
+# License:: Apache License, Version 2.0
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+class ChefVault::ItemKeys < Chef::DataBagItem
+  def initialize(vault, name)
+    super() # parenthesis required to strip off parameters
+    @data_bag = vault
+    @raw_data["id"] = name
+    @raw_data["admins"] = []
+    @raw_data["clients"] = []
+  end
+
+  def include?(key)
+    @raw_data.keys.include?(key)
+  end
+
+  def add(chef_client, data_bag_shared_secret, type)
+    public_key = OpenSSL::PKey::RSA.new chef_client.public_key
+    self[chef_client.name] = 
+      Base64.encode64(public_key.public_encrypt(data_bag_shared_secret))
+    
+    @raw_data[type] << chef_client.name unless @raw_data[type].include?(chef_client.name)
+    @raw_data[type]
+  end
+
+  def delete(chef_client, type)
+    raw_data.delete(chef_client)
+    raw_data[type].delete(chef_client)
+  end
+
+  def clients
+    @raw_data["clients"]
+  end
+
+  def admins
+    @raw_data["admins"]
+  end
+
+  def save(item_id=@raw_data['id'])
+    if Chef::Config[:solo]
+      data_bag_path = File.join(Chef::Config[:data_bag_path],
+                                data_bag)
+      data_bag_item_path = File.join(data_bag_path, item_id)
+
+      FileUtils.mkdir(data_bag_path) unless File.exists?(data_bag_path)
+      File.open("#{data_bag_item_path}.json",'w') do |file| 
+        file.write(JSON.pretty_generate(self))
+      end
+
+      self
+    else
+      begin
+        chef_data_bag = Chef::DataBag.load(data_bag)
+      rescue Net::HTTPServerException => http_error
+        if http_error.response.code == "404"
+          chef_data_bag = Chef::DataBag.new
+          chef_data_bag.name data_bag
+          chef_data_bag.create
+        end
+      end
+      
+      super
+    end
+  end
+
+  def destroy
+    if Chef::Config[:solo]
+      data_bag_path = File.join(Chef::Config[:data_bag_path],
+                                data_bag)
+      data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
+
+      FileUtils.rm("#{data_bag_item_path}.json")
+
+      nil
+    else
+      super(data_bag, id)
+    end
+  end  
+
+  def to_json(*a)
+    json = super
+    json.gsub(self.class.name, self.class.superclass.name)
+  end
+
+  def self.from_data_bag_item(data_bag_item)
+    item = new(data_bag_item.data_bag, data_bag_item.name)
+    item.raw_data = data_bag_item.raw_data
+    item
+  end
+
+  def self.load(vault, name)
+    begin
+      data_bag_item = Chef::DataBagItem.load(vault, name)
+    rescue Net::HTTPServerException => http_error
+      if http_error.response.code == "404"
+        raise ChefVault::Exceptions::KeysNotFound,
+              "#{vault}/#{name} could not be found"
+      else
+        raise http_error
+      end
+    rescue Chef::Exceptions::ValidationFailed
+      raise ChefVault::Exceptions::KeysNotFound,
+            "#{vault}/#{name} could not be found"
+    end
+
+    from_data_bag_item(data_bag_item)
+  end
+end