chef-vault 2.1.0 → 2.2.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    MzRiMDI2MTkzOTA2MzcxOTRmNWY0OWNjYmZlZjIzNjYyMDE0ZTdmMw==
+    MDMxOTgyNjE2N2UyYWE3YTcxMTUzZTIzZmNlYTY3NjU2ZDBkNzFkYw==
   data.tar.gz: !binary |-
-    YzllYTQ2OGQyYzcyYjFjOTE4NWYyNTlhOTEyMGNiZDBmOTFmYTMyZA==
+    YjlmNzBhZDFiYzNmODI4MGVlYjljZDk2NGRiY2E4ZDliN2I1ODkzOA==
 !binary "U0hBNTEy":
   metadata.gz: !binary |-
-    ZGM0NmM5Mzg2OTc1MmNlMzA1ZWQyZDY3N2VhYzViNGIzZTNiMjc3NmRhNDNm
-    ODM2M2NhMmExMDljMjc2ODIzMWM3NGJiNzZlODc3MTFjNWE5ZGYxNDQwNWZi
-    NGNhOWM4ZGRjN2JmMTYyYTVjYzJlNmZiZmY1ODI4MmU1NzI1Zjk=
+    YTY0YTFkZWNmOGY0ZTIwZDBmMWIwOGY4YmEwMDI5ZmJhZWRlOWI0MmI4MTYx
+    MGRjNDg2OTdjZDM2OWNiMWMyODk0ZmE5MWU5OGU3YWIyODBjOWY0NTQ5MTc4
+    MjdjNmQ5NjI0MGMyMDU5NzUzYTM3OTQ0ODMxYjYzYzEyZGQ4MWY=
   data.tar.gz: !binary |-
-    YzE2MjY4MzY0N2U5ZjE3NzQ0NmY4YjMyM2Y4ZDI3Yjc5MDVhYTNmYWIwNzU4
-    NWIzOGUwNjMzMmE5NTEyOTk3Mzc2MmRhNjIzN2FjODM4Yzg2ODQ2ZDIwNDlj
-    NjIzNTdhN2E4MDQ0NDQ3MjE1NWU3MWQwODcxMGVlYzAxMDk0NTk=
+    MGY2M2RmODJkNTdhN2FmMzVlMjA5MmNmYzVkZGE3NjMzOTY0MDJlNThlODdj
+    MGY5MmM4NGE1YzAzMTcyMzk2MjhmNjUxNjlkNGM5MmE3ZjNhYzkxYjljYWQ4
+    MTRiNjAzMjQ4MWY2OTk2NjdlMDVlZDQ4OGRkZmZmOWUwYjZmNWI=

data/.gitignore

@@ -1,2 +1,4 @@
 *.gem
 Gemfile.lock
+vendor
+.bundle

data/CONTRIBUTING.md

@@ -7,7 +7,7 @@ request to be merged sooner.
 ### Create an Issue
 
 Each pull request should have a corresponding [Chef-Vault GitHub
-issue](https://github.com/moserke/chef-vault/issues?state=open). Search the
+issue](https://github.com/Nordstrom/chef-vault/issues?state=open). Search the
 issue list to make sure someone hasn't already submitted a pull request to fix
 your issue. If not, please create a new issue.
 
@@ -21,7 +21,7 @@ guide](https://help.github.com/articles/fork-a-repo) for more info.
 ```bash
 $ git clone https://github.com/<username>/chef-vault.git
 $ cd chef-vault
-$ git remote add upstream https://github.com/moserke/chef-vault.git
+$ git remote add upstream https://github.com/Nordstrom/chef-vault.git
 ```
 
 ### Create a Local Feature Branch
@@ -92,7 +92,7 @@ Bug fixes and features should come with RSpec tests. Add your tests in the
 `spec` directory. Look at other tests to see how they should be
 structured (license boilerplate, common includes, etc.).
 
-Run `bundle && rake` to run the test suite.
+Run `bundle install && bundle exec rake` to run the test suite.
 
 Make sure all tests pass.
 

data/Changelog.md

@@ -1,6 +1,16 @@
 ## Planned (Unreleased)
 
-## Released 
+## Released
+## v2.2.0 / 2013-01-21
+* Validate data bag ID before saving
+* Add search_query to vault metadata
+* Refactor knife commands to be knife vault verb
+* Deprecate old knife commands
+* Add knife vault show to deprecate knife decrypt
+* Print admins, clients and search_query in show with -p
+* Add knife vault edit to edit vault items
+* Add mode option for knife.rb
+* Fix more README typos
 
 ## v2.1.0 / 2013-12-23
 * Update README to correct typos

data/KNIFE_EXAMPLES.md

@@ -1,98 +1,146 @@
 # knife examples
 
-## encrypt
-knife encrypt [create|update|remove|delete] VAULT ITEM VALUES
+## vault
+knife vault *\<command\>* VAULT ITEM VALUES
 
-These are the commands that are used to take data in json format and encrypt that data into chef-vault style encrypted data bags in chef.
+These are the commands that are used to take data in JSON format and encrypt that data into chef-vault style encrypted data bags in chef.
 
 * Vault - This is the name of the vault in which to store the encrypted item.  This is analogous to a chef data bag name
 * Item - The name of the item going in to the vault.  This is analogous to a chef data bag item id
-* Values - This is the json clear text data to be stored in the vault encrypted.  This is analogous to a chef data bag item data
+* Values - This is the JSON clear text data to be stored in the vault encrypted.  This is analogous to a chef data bag item data
+
+## vault commands
 
 ### create
-Creat a vault called passwords and put an item called root in it with the given values for username and password encrypted for clients role:webserver and admins admin1 & admin2
+Create a vault called passwords and put an item called root in it with the given values for username and password encrypted for clients role:webserver and admins admin1 & admin2
+
+    knife vault create passwords root '{"username": "root", "password": "mypassword"}' -S "role:webserver" -A "admin1,admin2"
+
+Create a vault called passwords and put an item called root in it with the given values for username and password encrypted for clients role:webserver
 
-    knife encrypt create passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver" -A "admin1,admin2"
+    knife vault create passwords root '{"username": "root", "password": "mypassword"}' -S "role:webserver"
 
-Creat a vault called passwords and put an item called root in it with the given values for username and password encrypted for clients role:webserver
+Create a vault called passwords and put an item called root in it with the given values for username and password encrypted for admins admin1 & admin2
 
-    knife encrypt create passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver"
+    knife vault create passwords root '{"username": "root", "password": "mypassword"}' -A "admin1,admin2"
 
-Creat a vault called passwords and put an item called root in it with the given values for username and password encrypted for admins admin1 & admin2
+Create a vault called passwords and put an item called root in it encrypted for admins admin1 & admin2.  *Leaving the data off the command-line will pop an editor to fill out the data*
 
-    knife encrypt create passwords root "{username: 'root', password: 'mypassword'}" -A "admin1,admin2"
+    knife vault create passwords root -A "admin1,admin2"
 
 Note: A JSON file can be used in place of specifying the values on the command line, see global options below for details
 
 ### update
 Update the values in username and password in the vault passwords and item root.  Will overwrite existing values if values already exist!
 
-    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}"
+    knife vault update passwords root '{"username": "root", "password": "mypassword"}'
 
 Update the values in username and password in the vault passwords and item root and add admin1 & admin2 to the encrypted admins.  Will overwrite existing values if values already exist!
 
-    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}" -A "admin1,admin2"
+    knife vault update passwords root '{"username": "root", "password": "mypassword"}' -A "admin1,admin2"
 
 Update the values in username and password in the vault passwords and item root and add role:webserver to the encrypted clients.  Will overwrite existing values if values already exist!
 
-    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver"
+    knife vault update passwords root '{"username": "root", "password": "mypassword"}' -S "role:webserver"
 
 Update the values in username and password in the vault passwords and item root and add role:webserver to the encrypted clients and admin1 & admin2 to the encrypted admins.  Will overwrite existing values if values already exist!
 
-    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver" -A "admin1,admin2"
+    knife vault update passwords root '{"username": "root", "password": "mypassword"}' -S "role:webserver" -A "admin1,admin2"
 
 Add admin1 & admin2 to encrypted admins for the vault passwords and item root.
 
-    knife encrypt update passwords root -A "admin1,admin2"
+    knife vault update passwords root -A "admin1,admin2"
 
 Add role:webserver to encrypted clients for the vault passwords and item root.
 
-    knife encrypt update passwords root -S "role:webserver"
+    knife vault update passwords root -S "role:webserver"
 
 Add admin1 & admin2 to encrypted admins and role:webserver to encrypted clients for the vault passwords and item root.
 
-    knife encrypt update passwords root -S "role:webserver" -A "admin1,admin2"
+    knife vault update passwords root -S "role:webserver" -A "admin1,admin2"
 
 Note: A JSON file can be used in place of specifying the values on the command line, see global options below for details
 
 ### remove
 Remove the values in username and password from the vault passwords and item root.
 
-    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}"
+    knife vault remove passwords root '{"username": "root", "password": "mypassword"}'
 
 Remove the values in username and password from the vault passwords and item root and remove admin1 & admin2 from the encrypted admins.
 
-    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}" -A "admin1,admin2"
+    knife vault remove passwords root '{"username": "root", "password": "mypassword"}' -A "admin1,admin2"
 
 Remove the values in username and password from the vault passwords and item root and remove role:webserver from the encrypted clients.
 
-    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver"
+    knife vault remove passwords root '{"username": "root", "password": "mypassword"}' -S "role:webserver"
 
 Remove the values in username and password from the vault passwords and item root and remove role:webserver from the encrypted clients and admin1 & admin2 from the encrypted admins.
 
-    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver" -A "admin1,admin2"
+    knife vault remove passwords root '{"username": "root", "password": "mypassword"}' -S "role:webserver" -A "admin1,admin2"
 
 Remove admin1 & admin2 from encrypted admins for the vault passwords and item root.
 
-    knife encrypt remove passwords root -A "admin1,admin2"
+    knife vault remove passwords root -A "admin1,admin2"
 
 Remove role:webserver from encrypted clients for the vault passwords and item root.
 
-    knife encrypt remove passwords root -S "role:webserver"
+    knife vault remove passwords root -S "role:webserver"
 
 Remove admin1 & admin2 from encrypted admins and role:webserver from encrypted clients for the vault passwords and item root.
 
-    knife encrypt remove passwords root -S "role:webserver" -A "admin1,admin2"
+    knife vault remove passwords root -S "role:webserver" -A "admin1,admin2"
 
 ### delete
 Delete the item root from the vault passwords
 
-    knife encrypt delete passwords root
+    knife vault delete passwords root
+
+### show
+knife vault show VAULT ITEM [VALUES]
+
+These are the commands that are used to decrypt a chef-vault encrypted item and show the requested values.
+
+* Vault - This is the name of the vault in which to store the encrypted item.  This is analogous to a chef data bag name
+* Item - The name of the item going in to the vault.  This is analogous to a chef data bag item id
+* Values - This is a comma list of values to decrypt from the vault item.  This is analogous to a list of hash keys.
+
+Show the entire root item in the passwords vault and print in JSON format.
+
+    knife vault show passwords root -Fjson
+
+Show the entire root item in the passwords vault and print in JSON format, including the search query, clients, and admins.
+
+    knife vault show passwords root -Fjson -p all
+
+Show the username and password for the item root in the vault passwords.
+
+    knife vault show passwords root "username, password"
+
+Show the contents for the item user_pem in the vault certs.
+
+    knife vault show certs user_pem "contents"
+
+### edit
+knife vault edit VAULT ITEM
+
+These are the commands that are used to edit a chef-vault encrypted item.
+
+* Vault - This is the name of the vault in which to store the encrypted item.  This is analogous to a chef data bag name
+* Item - The name of the item going in to the vault.  This is analogous to a chef data bag item id
+
+Decrypt the entire root item in the passwords vault and open it in json format in your $EDITOR.  Writing and exiting out the editor will save and encrypt the vault item.
+
+    knife vault edit passwords root
 
 ### rotate keys
-Rotate the shared key for the vault passwords and item root.  The shared key is that which is used for the chef encrypted data bag item
+Rotate the shared key for the vault passwords and item root. The shared key is that which is used for the chef encrypted data bag item.
+
+    knife vault rotate keys passwords root
 
-    knife encrypt rotate secret passwords root
+### rotate all keys
+Rotate the shared key for all vaults and items. The shared key is that which is used for the chef encrypted data bag item.
+
+    knife vault rotate all keys
 
 ### global options
 <table>
@@ -102,6 +150,15 @@ Rotate the shared key for the vault passwords and item root.  The shared key is
     <th>Description</th>
     <th>Default</th>
     <th>Valid Values</th>
+    <th>Sub-Commands</th>
+  </tr>
+  <tr>
+    <td>-M MODE</td>
+    <td>--mode MODE</td>
+    <td>Chef mode to run in</td>
+    <td>solo</td>
+    <td>"solo", "client"</td>
+    <td>all</td>
   </tr>
   <tr>
     <td>-S SEARCH</td>
@@ -109,6 +166,7 @@ Rotate the shared key for the vault passwords and item root.  The shared key is
     <td>Chef Server SOLR Search Of Nodes</td>
     <td>nil</td>
     <td></td>
+    <td>create, remove, update</td>
   </tr>
   <tr>
     <td>-A ADMINS</td>
@@ -116,66 +174,38 @@ Rotate the shared key for the vault passwords and item root.  The shared key is
     <td>Chef clients or users to be vault admins, can be comma list</td>
     <td>nil</td>
     <td></td>
-  </tr>
-  <tr>
-    <td>-M MODE</td>
-    <td>--mode MODE</td>
-    <td>Chef mode to run in</td>
-    <td>solo</td>
-    <td>"solo", "client"</td>
+    <td>create, remove, update</td>
   </tr>
   <tr>
     <td>-J FILE</td>
     <td>--json FILE</td>
-    <td>json file to be used for values, will be merged with VALUES if VALUES is passed</td>
+    <td>JSON file to be used for values, will be merged with VALUES if VALUES is passed</td>
     <td>nil</td>
     <td></td>
+    <td>create, update</td>
   </tr>
-</table>
-
-## decrypt
-knife decrypt VAULT ITEM [VALUES]
-
-These are the commands that are used to take a chef-vault encrypted item and decrypt the requested values.
-
-* Vault - This is the name of the vault in which to store the encrypted item.  This is analogous to a chef data bag name
-* Item - The name of the item going in to the vault.  This is analogous to a chef data bag item id
-* Values - This is a comma list of values to decrypt from the vault item.  This is analogous to a list of hash keys.
-
-Decrypt the entire root item in the passwords vault and print in json
-format.
-
-    knife decrypt passwords root -Fjson
-
-Decrypt the username and password for the item root in the vault passwords.
-
-    knife decrypt passwords root "username, password"
-
-Decrypt the contents for the item user_pem in the vault certs.
-
-    knife decrypt certs user_pem "contents"
-
-### global options
-<table>
   <tr>
-    <th>Short</th>
-    <th>Long</th>
-    <th>Description</th>
-    <th>Default</th>
-    <th>Valid Values</th>
+    <td>nil</td>
+    <td>--file FILE</td>
+    <td>File that chef-vault should encrypt.  It adds "file-content" & "file-name" keys to the vault item</td>
+    <td>nil</td>
+    <td></td>
+    <td>create, update</td>
   </tr>
   <tr>
-    <td>-M MODE</td>
-    <td>--mode MODE</td>
-    <td>Chef mode to run in</td>
-    <td>solo</td>
-    <td>"solo", "client"</td>
+    <td>-p DATA</td>
+    <td>--print DATA</td>
+    <td>Print extra vault data</td>
+    <td>nil</td>
+    <td>"search", "clients", "admins", "all"</td>
+    <td>show</td>
   </tr>
   <tr>
     <td>-F FORMAT</td>
     <td>--format FORMAT</td>
-    <td>Format for output</td>
+    <td>Format for decrypted output</td>
     <td>summary</td>
     <td>"summary", "json", "yaml", "pp"</td>
+    <td>show</td>
   </tr>
 </table>

data/README.md

@@ -22,15 +22,22 @@ Depending on your system's configuration, you may need to run this command with
 ## KNIFE COMMANDS:
 See KNIFE_EXAMPLES.md for examples of commands
 
+### knife.rb
+To set 'client' as the default mode, add the following line to the knife.rb file.
+knife[:vault_mode] = 'client'
+
 NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.0 commands.
 
-### Encrypt
+### Vault
 
-    knife encrypt create VAULT ITEM VALUES
-    knife encrypt update VAULT ITEM VALUES
-    knife encrypt remove VAULT ITEM VALUES
-    knife encrypt delete VAULT ITEM
-    knife encrypt rotate keys VAULT ITEM
+    knife vault create VAULT ITEM VALUES
+    knife vault edit VAULT ITEM
+    knife vault update VAULT ITEM VALUES
+    knife vault remove VAULT ITEM VALUES
+    knife vault delete VAULT ITEM
+    knife vault rotate keys VAULT ITEM
+    knife vault rotate all keys
+    knife vault show VAULT ITEM [VALUES]
 
 <i>Global Options:</i>
 <table>
@@ -40,6 +47,15 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     <th>Description</th>
     <th>Default</th>
     <th>Valid Values</th>
+    <th>Sub-Commands</th>
+  </tr>
+  <tr>
+    <td>-M MODE</td>
+    <td>--mode MODE</td>
+    <td>Chef mode to run in. Can be set in knife.rb</td>
+    <td>solo</td>
+    <td>"solo", "client"</td>
+    <td>all</td>
   </tr>
   <tr>
     <td>-S SEARCH</td>
@@ -47,6 +63,7 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     <td>Chef Server SOLR Search Of Nodes</td>
     <td>nil</td>
     <td></td>
+    <td>create, remove, update</td>
   </tr>
   <tr>
     <td>-A ADMINS</td>
@@ -54,55 +71,39 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     <td>Chef clients or users to be vault admins, can be comma list</td>
     <td>nil</td>
     <td></td>
-  </tr>
-  <tr>
-    <td>-M MODE</td>
-    <td>--mode MODE</td>
-    <td>Chef mode to run in</td>
-    <td>solo</td>
-    <td>"solo", "client"</td>
+    <td>create, remove, update</td>
   </tr>
   <tr>
     <td>-J FILE</td>
     <td>--json FILE</td>
-    <td>json file to be used for values, will be merged with VALUES if VALUES is passed</td>
+    <td>JSON file to be used for values, will be merged with VALUES if VALUES is passed</td>
     <td>nil</td>
     <td></td>
+    <td>create, update</td>
   </tr>
   <tr>
     <td>nil</td>
     <td>--file FILE</td>
-    <td>File that chef-vault should encrypt.  It adds "file-content" & "file-name" keys to the vault item.  This is only valid in create & update</td>
+    <td>File that chef-vault should encrypt.  It adds "file-content" & "file-name" keys to the vault item</td>
     <td>nil</td>
     <td></td>
-</table>
-
-### Decrypt
-
-    knife decrypt VAULT ITEM [VALUES]
-
-<i>Global Options:</i>
-<table>
-  <tr>
-    <th>Short</th>
-    <th>Long</th>
-    <th>Description</th>
-    <th>Default</th>
-    <th>Valid Values</th>
+    <td>create, update</td>
   </tr>
   <tr>
-    <td>-M MODE</td>
-    <td>--mode MODE</td>
-    <td>Chef mode to run in</td>
-    <td>solo</td>
-    <td>"solo", "client"</td>
+    <td>-p DATA</td>
+    <td>--print DATA</td>
+    <td>Print extra vault data</td>
+    <td>nil</td>
+    <td>"search", "clients", "admins", "all"</td>
+    <td>show</td>
   </tr>
   <tr>
     <td>-F FORMAT</td>
     <td>--format FORMAT</td>
-    <td>Format for output</td>
+    <td>Format for decrypted output</td>
     <td>summary</td>
     <td>"summary", "json", "yaml", "pp"</td>
+    <td>show</td>
   </tr>
 </table>
 
@@ -139,6 +140,7 @@ Do `chef-vault --help` for all available options
 
 Author:: Kevin Moser - @moserke<br>
 Author:: Eli Klein - @eliklein<br>
+Author:: Joey Geiger - @jgeiger<br>
 Author:: Joshua Timberman - @jtimberman<br>
 Copyright:: Copyright (c) 2013 Nordstrom, Inc.<br>
 License:: Apache License, Version 2.0