chef-vault 2.1.0 → 2.2.0

data/lib/chef-vault/item.rb

@@ -49,19 +49,27 @@ class ChefVault::Item < Chef::DataBagItem
           keys.delete(node.name, "clients")
         else
           raise ChefVault::Exceptions::KeysActionNotValid,
-                "#{action} is not a valid action"
+            "#{action} is not a valid action"
         end
       end
 
       unless results_returned
         puts "WARNING: No clients were returned from search, you may not have "\
-             "got what you expected!!"
+          "got what you expected!!"
       end
     else
       keys.clients
     end
   end
 
+  def search(search_query=nil)
+    if search_query
+      keys.search_query(search_query)
+    else
+      keys.search_query
+    end
+  end
+
   def admins(admins=nil, action=:add)
     if admins
       admins.split(",").each do |admin|
@@ -73,7 +81,7 @@ class ChefVault::Item < Chef::DataBagItem
           keys.delete(admin, "admins")
         else
           raise ChefVault::Exceptions::KeysActionNotValid,
-                "#{action} is not a valid action"
+            "#{action} is not a valid action"
         end
       end
     else
@@ -90,9 +98,9 @@ class ChefVault::Item < Chef::DataBagItem
       private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
       private_key.private_decrypt(Base64.decode64(@keys[Chef::Config[:node_name]]))
     else
-      raise ChefVault::Exceptions::SecretDecryption, 
-            "#{data_bag}/#{id} is not encrypted with your public key.  "\
-            "Contact an administrator of the vault item to encrypt for you!"
+      raise ChefVault::Exceptions::SecretDecryption,
+        "#{data_bag}/#{id} is not encrypted with your public key.  "\
+        "Contact an administrator of the vault item to encrypt for you!"
     end
   end
 
@@ -132,10 +140,14 @@ class ChefVault::Item < Chef::DataBagItem
   end
 
   def save(item_id=@raw_data['id'])
+
+    # validate the format of the id before attempting to save
+    validate_id!(item_id)
+
     # save the keys first, raising an error if no keys were defined
     if keys.admins.empty? && keys.clients.empty?
-      raise ChefVault::Exceptions::NoKeysDefined, 
-            "No keys defined for #{item_id}"
+      raise ChefVault::Exceptions::NoKeysDefined,
+        "No keys defined for #{item_id}"
     end
 
     keys.save
@@ -150,10 +162,10 @@ class ChefVault::Item < Chef::DataBagItem
       data_bag_item_path = File.join(data_bag_path, item_id)
 
       FileUtils.mkdir(data_bag_path) unless File.exists?(data_bag_path)
-      File.open("#{data_bag_item_path}.json",'w') do |file| 
+      File.open("#{data_bag_item_path}.json",'w') do |file|
         file.write(JSON.pretty_generate(self.raw_data))
       end
-      
+
       self.raw_data
     else
       begin
@@ -189,25 +201,25 @@ class ChefVault::Item < Chef::DataBagItem
     else
       super(data_bag, id)
     end
-  end    
+  end
 
   def self.load(vault, name)
     item = new(vault, name)
     item.load_keys(vault, "#{name}_keys")
-  
+
     begin
-      item.raw_data = 
+      item.raw_data =
         Chef::EncryptedDataBagItem.load(vault, name, item.secret).to_hash
     rescue Net::HTTPServerException => http_error
       if http_error.response.code == "404"
         raise ChefVault::Exceptions::ItemNotFound,
-              "#{vault}/#{name} could not be found"
+          "#{vault}/#{name} could not be found"
       else
         raise http_error
       end
     rescue Chef::Exceptions::ValidationFailed
       raise ChefVault::Exceptions::ItemNotFound,
-            "#{vault}/#{name} could not be found"
+        "#{vault}/#{name} could not be found"
     end
 
     item
@@ -220,7 +232,7 @@ class ChefVault::Item < Chef::DataBagItem
   end
 
   def reload_raw_data
-    @raw_data = 
+    @raw_data =
       Chef::EncryptedDataBagItem.load(@data_bag, @raw_data["id"], secret).to_hash
     @encrypted = false
 
@@ -237,7 +249,7 @@ class ChefVault::Item < Chef::DataBagItem
           admin = load_client(admin)
         rescue ChefVault::Exceptions::ClientNotFound
           raise ChefVault::Exceptions::AdminNotFound,
-                "FATAL: Could not find #{admin} in users or clients!"
+            "FATAL: Could not find #{admin} in users or clients!"
         end
       else
         raise http_error
@@ -253,7 +265,7 @@ class ChefVault::Item < Chef::DataBagItem
     rescue Net::HTTPServerException => http_error
       if http_error.response.code == "404"
         raise ChefVault::Exceptions::ClientNotFound,
-              "#{client} is not a valid chef client and/or node"
+          "#{client} is not a valid chef client and/or node"
       else
         raise http_error
       end

data/lib/chef-vault/item_keys.rb

@@ -21,6 +21,7 @@ class ChefVault::ItemKeys < Chef::DataBagItem
     @raw_data["id"] = name
     @raw_data["admins"] = []
     @raw_data["clients"] = []
+    @raw_data["search_query"] = []
   end
 
   def include?(key)
@@ -29,9 +30,9 @@ class ChefVault::ItemKeys < Chef::DataBagItem
 
   def add(chef_client, data_bag_shared_secret, type)
     public_key = OpenSSL::PKey::RSA.new chef_client.public_key
-    self[chef_client.name] = 
+    self[chef_client.name] =
       Base64.encode64(public_key.public_encrypt(data_bag_shared_secret))
-    
+
     @raw_data[type] << chef_client.name unless @raw_data[type].include?(chef_client.name)
     @raw_data[type]
   end
@@ -41,6 +42,14 @@ class ChefVault::ItemKeys < Chef::DataBagItem
     raw_data[type].delete(chef_client)
   end
 
+  def search_query(search_query=nil)
+    if search_query
+      @raw_data["search_query"] = search_query
+    else
+      @raw_data["search_query"]
+    end
+  end
+
   def clients
     @raw_data["clients"]
   end
@@ -56,7 +65,7 @@ class ChefVault::ItemKeys < Chef::DataBagItem
       data_bag_item_path = File.join(data_bag_path, item_id)
 
       FileUtils.mkdir(data_bag_path) unless File.exists?(data_bag_path)
-      File.open("#{data_bag_item_path}.json",'w') do |file| 
+      File.open("#{data_bag_item_path}.json",'w') do |file|
         file.write(JSON.pretty_generate(self.raw_data))
       end
 
@@ -71,7 +80,7 @@ class ChefVault::ItemKeys < Chef::DataBagItem
           chef_data_bag.create
         end
       end
-      
+
       super
     end
   end
@@ -88,7 +97,7 @@ class ChefVault::ItemKeys < Chef::DataBagItem
     else
       super(data_bag, id)
     end
-  end  
+  end
 
   def to_json(*a)
     json = super
@@ -118,4 +127,4 @@ class ChefVault::ItemKeys < Chef::DataBagItem
 
     from_data_bag_item(data_bag_item)
   end
-end
+end

data/lib/chef-vault/version.rb

@@ -14,6 +14,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "2.1.0"
+  VERSION = "2.2.0"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/decrypt.rb

@@ -0,0 +1,33 @@
+# Description: Chef-Vault Decrypt class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+require 'chef/knife/vault_decrypt'
+
+class Chef
+  class Knife
+    class Decrypt < VaultDecrypt
+
+      include Knife::VaultBase
+
+      banner "knife decrypt VAULT ITEM [VALUES] (options)"
+
+      def run
+        puts "DEPRECATION WARNING: knife decrypt is deprecated. Please use knife vault decrypt instead."
+        super
+      end
+    end
+  end
+end

data/lib/chef/knife/encrypt_create.rb

@@ -13,89 +13,40 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife'
-require 'chef-vault'
+require 'chef/knife/vault_base'
+require 'chef/knife/vault_create'
 
-class EncryptCreate < Chef::Knife
-  deps do
-    require 'chef/search/query'
-    require File.expand_path('../mixin/compat', __FILE__)
-    require File.expand_path('../mixin/helper', __FILE__)
-    include ChefVault::Mixin::KnifeCompat
-    include ChefVault::Mixin::Helper
-  end
-
-  banner "knife encrypt create VAULT ITEM VALUES "\
-        "--mode MODE --search SEARCH --admins ADMINS --json FILE --file FILE"
-
-  option :mode,
-    :short => '-M MODE',
-    :long => '--mode MODE',
-    :description => 'Chef mode to run in default - solo'
-
-  option :search,
-    :short => '-S SEARCH',
-    :long => '--search SEARCH',
-    :description => 'Chef SOLR search for clients'
-
-  option :admins,
-    :short => '-A ADMINS',
-    :long => '--admins ADMINS',
-    :description => 'Chef users to be added as admins'
+class Chef
+  class Knife
+    class EncryptCreate < VaultCreate
 
-  option :json,
-    :short => '-J FILE',
-    :long => '--json FILE',
-    :description => 'File containing JSON data to encrypt'
+      include Knife::VaultBase
 
-  option :file,
-    :long => '--file FILE',
-    :description => 'File to be added to vault item as file-content'
+      banner "knife encrypt create VAULT ITEM VALUES (options)"
 
-  def run
-    vault = @name_args[0]
-    item = @name_args[1]
-    values = @name_args[2]
-    search = config[:search]
-    admins = config[:admins]
-    json_file = config[:json]
-    file = config[:file]
+      option :search,
+        :short => '-S SEARCH',
+        :long => '--search SEARCH',
+        :description => 'Chef SOLR search for clients'
 
-    set_mode(config[:mode])
+      option :admins,
+        :short => '-A ADMINS',
+        :long => '--admins ADMINS',
+        :description => 'Chef users to be added as admins'
 
-    if vault && item && (values || json_file || file) && (search || admins)
-      begin
-        vault_item = ChefVault::Item.load(vault, item)
-        raise ChefVault::Exceptions::ItemAlreadyExists,
-              "#{vault_item.data_bag}/#{vault_item.id} already exists, "\
-              "use 'knife encrypt remove' and "\
-              "'knife encrypt update' to make changes."
-      rescue ChefVault::Exceptions::KeysNotFound,
-             ChefVault::Exceptions::ItemNotFound
-        vault_item = ChefVault::Item.new(vault, item)
+      option :json,
+        :short => '-J FILE',
+        :long => '--json FILE',
+        :description => 'File containing JSON data to encrypt'
 
-        merge_values(values, json_file).each do |key, value|
-          vault_item[key] = value
-        end
+      option :file,
+        :long => '--file FILE',
+        :description => 'File to be added to vault item as file-content'
 
-        if file
-          vault_item["file-name"] = File.basename(file)
-          vault_item["file-content"] = File.open(file){ |file| file.read() }
-        end
-
-        vault_item.clients(search) if search
-        vault_item.admins(admins) if admins
-
-        vault_item.save
+      def run
+        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        super
       end
-    else
-      show_usage
     end
   end
-
-  def show_usage
-    super
-    exit 1
-  end
 end
-

data/lib/chef/knife/encrypt_delete.rb

@@ -13,50 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife'
-require 'chef-vault'
-
-class EncryptDelete < Chef::Knife
-  deps do
-    require 'chef/search/query'
-    require File.expand_path('../mixin/compat', __FILE__)
-    require File.expand_path('../mixin/helper', __FILE__)
-    include ChefVault::Mixin::KnifeCompat
-    include ChefVault::Mixin::Helper
-  end
-
-  banner "knife encrypt delete VAULT ITEM --mode MODE"
-
-  option :mode,
-    :short => '-M MODE',
-    :long => '--mode MODE',
-    :description => 'Chef mode to run in default - solo'
+require 'chef/knife/vault_base'
+require 'chef/knife/vault_delete'
 
-  def run
-    vault = @name_args[0]
-    item = @name_args[1]
+class Chef
+  class Knife
+    class EncryptDelete < VaultDelete
 
-    set_mode(config[:mode])
+      include Knife::VaultBase
 
-    if vault && item
-      delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do
-        begin
-          ChefVault::Item.load(vault, item).destroy
-        rescue ChefVault::Exceptions::KeysNotFound,
-               ChefVault::Exceptions::ItemNotFound
+      banner "knife encrypt delete VAULT ITEM (options)"
 
-          raise ChefVault::Exceptions::ItemNotFound,
-                "#{vault}/#{item} not found."
-        end
+      def run
+        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        super
       end
-    else
-      show_usage
     end
   end
-
-  def show_usage
-    super
-    exit 1
-  end
 end
-

data/lib/chef/knife/encrypt_remove.rb

@@ -13,88 +13,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife'
-require 'chef-vault'
+require 'chef/knife/vault_base'
+require 'chef/knife/vault_remove'
 
-class EncryptRemove < Chef::Knife
-  deps do
-    require 'chef/search/query'
-    require File.expand_path('../mixin/compat', __FILE__)
-    require File.expand_path('../mixin/helper', __FILE__)
-    include ChefVault::Mixin::KnifeCompat
-    include ChefVault::Mixin::Helper
-  end
-
-  banner "knife encrypt remove VAULT ITEM VALUES "\
-        "--mode MODE --search SEARCH --admins ADMINS"
-
-  option :mode,
-    :short => '-M MODE',
-    :long => '--mode MODE',
-    :description => 'Chef mode to run in default - solo'
-
-  option :search,
-    :short => '-S SEARCH',
-    :long => '--search SEARCH',
-    :description => 'Chef SOLR search for clients'
-
-  option :admins,
-    :short => '-A ADMINS',
-    :long => '--admins ADMINS',
-    :description => 'Chef users to be added as admins'
-
-  def run
-    vault = @name_args[0]
-    item = @name_args[1]
-    values = @name_args[2]
-    search = config[:search]
-    admins = config[:admins]
-    json_file = config[:json]
+class Chef
+  class Knife
+    class EncryptRemove < VaultRemove
 
-    set_mode(config[:mode])
+      include Knife::VaultBase
 
-    if vault && item && ((values || json_file) || (search || admins))
-      begin
-        vault_item = ChefVault::Item.load(vault, item)
-        remove_items = []
+      banner "knife encrypt remove VAULT ITEM VALUES (options)"
 
-        if values || json_file
-          begin
-            json = JSON.parse(values)
-            json.each do |key, value|
-              remove_items << key
-            end
-          rescue JSON::ParserError
-            remove_items = values.split(",")
-          rescue Exception => e
-            raise e
-          end
+      option :search,
+        :short => '-S SEARCH',
+        :long => '--search SEARCH',
+        :description => 'Chef SOLR search for clients'
 
-          remove_items.each do |key|
-            key.strip!
-            vault_item.remove(key)
-          end
-        end
+      option :admins,
+        :short => '-A ADMINS',
+        :long => '--admins ADMINS',
+        :description => 'Chef users to be added as admins'
 
-        vault_item.clients(search, :delete) if search
-        vault_item.admins(admins, :delete) if admins
-
-        vault_item.rotate_keys!
-      rescue ChefVault::Exceptions::KeysNotFound,
-             ChefVault::Exceptions::ItemNotFound
-
-        raise ChefVault::Exceptions::ItemNotFound,
-              "#{vault}/#{item} does not exists, "\
-              "use 'knife encrypt create' to create."
+      def run
+        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        super
       end
-    else
-      show_usage
     end
   end
-
-  def show_usage
-    super
-    exit 1
-  end
 end
-