chef-vault 2.1.0 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +8 -8
- data/.gitignore +2 -0
- data/CONTRIBUTING.md +3 -3
- data/Changelog.md +11 -1
- data/KNIFE_EXAMPLES.md +102 -72
- data/README.md +37 -35
- data/lib/chef-vault/item.rb +30 -18
- data/lib/chef-vault/item_keys.rb +15 -6
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef/knife/decrypt.rb +33 -0
- data/lib/chef/knife/encrypt_create.rb +25 -74
- data/lib/chef/knife/encrypt_delete.rb +10 -39
- data/lib/chef/knife/encrypt_remove.rb +18 -75
- data/lib/chef/knife/encrypt_rotate_keys.rb +10 -39
- data/lib/chef/knife/encrypt_update.rb +25 -73
- data/lib/chef/knife/vault_base.rb +46 -0
- data/lib/chef/knife/vault_create.rb +95 -0
- data/lib/chef/knife/vault_decrypt.rb +59 -0
- data/lib/chef/knife/vault_delete.rb +49 -0
- data/lib/chef/knife/vault_edit.rb +70 -0
- data/lib/chef/knife/vault_remove.rb +86 -0
- data/lib/chef/knife/vault_rotate_all_keys.rb +57 -0
- data/lib/chef/knife/vault_rotate_keys.rb +49 -0
- data/lib/chef/knife/vault_show.rb +89 -0
- data/lib/chef/knife/vault_update.rb +87 -0
- data/spec/chef-vault_spec.rb +11 -36
- data/spec/item_keys_spec.rb +6 -18
- data/spec/item_spec.rb +16 -21
- metadata +13 -3
- data/lib/chef/knife/Decrypt.rb +0 -71
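--- a/data/lib/chef/knife/encrypt_rotate_keys.rb
+++ b/data/lib/chef/knife/encrypt_rotate_keys.rb
@@ -13,50 +13,21 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife'
-require 'chef
-
-class EncryptRotateKeys < Chef::Knife
-deps do
-require 'chef/search/query'
-require File.expand_path('../mixin/compat', __FILE__)
-require File.expand_path('../mixin/helper', __FILE__)
-include ChefVault::Mixin::KnifeCompat
-include ChefVault::Mixin::Helper
-end
-
-banner "knife encrypt rotate keys VAULT ITEM --mode MODE"
-
-option :mode,
-:short => '-M MODE',
-:long => '--mode MODE',
-:description => 'Chef mode to run in default - solo'
+require 'chef/knife/vault_base'
+require 'chef/knife/vault_rotate_keys'
 
-
-
-
+class Chef
+class Knife
+class EncryptRotateKeys < VaultRotateKeys
 
-
-set_mode(config[:mode])
+include Knife::VaultBase
 
-
-item = ChefVault::Item.load(vault, item)
-item.rotate_keys!
-rescue ChefVault::Exceptions::KeysNotFound,
-ChefVault::Exceptions::ItemNotFound
+banner "knife encrypt rotate keys VAULT ITEM (options)"
 
-
-
-
+def run
+puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+super
 end
-else
-show_usage
 end
 end
-
-def show_usage
-super
-exit 1
-end
 end
-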
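Review bot: The deprecation warning in the new `run` (new line 28) goes through `puts`, so it is written to stdout alongside the command's regular output and will be swallowed or mis-parsed by anything that pipes `knife encrypt rotate keys`; `ui.warn "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."` keeps it on stderr. The same `puts` appears in the encrypt_update.rb hunk (new line 47) and in vault_decrypt.rb's `run` (new line 27). The class also `include`s `Knife::VaultBase` on new line 23 although it now inherits from `VaultRotateKeys`; if that parent already includes the module (vault_rotate_keys.rb is not in this chunk), the `included` hook runs a second time and re-registers `deps` and the `-M/--mode` option on the subclass, and the include line can be dropped.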
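--- a/data/lib/chef/knife/encrypt_update.rb
+++ b/data/lib/chef/knife/encrypt_update.rb
@@ -13,88 +13,40 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife'
-require 'chef
+require 'chef/knife/vault_base'
+require 'chef/knife/vault_update'
 
-class
-
-
-require File.expand_path('../mixin/compat', __FILE__)
-require File.expand_path('../mixin/helper', __FILE__)
-include ChefVault::Mixin::KnifeCompat
-include ChefVault::Mixin::Helper
-end
-
-banner "knife encrypt update VAULT ITEM VALUES "\
-"--mode MODE --search SEARCH --admins ADMINS --json FILE --file FILE"
-
-option :mode,
-:short => '-M MODE',
-:long => '--mode MODE',
-:description => 'Chef mode to run in default - solo'
-
-option :search,
-:short => '-S SEARCH',
-:long => '--search SEARCH',
-:description => 'Chef SOLR search for clients'
-
-option :admins,
-:short => '-A ADMINS',
-:long => '--admins ADMINS',
-:description => 'Chef users to be added as admins'
-
-option :json,
-:short => '-J FILE',
-:long => '--json FILE',
-:description => 'File containing JSON data to encrypt'
+class Chef
+class Knife
+class EncryptUpdate < VaultUpdate
 
-
-:long => '--file FILE',
-:description => 'File to be added to vault item as file-content'
+include Knife::VaultBase
 
-
-
-
-
-search = config[:search]
-admins = config[:admins]
-json_file = config[:json]
-file = config[:file]
+option :search,
+:short => '-S SEARCH',
+:long => '--search SEARCH',
+:description => 'Chef SOLR search for clients'
 
-
+option :admins,
+:short => '-A ADMINS',
+:long => '--admins ADMINS',
+:description => 'Chef users to be added as admins'
 
-
-
-
+option :json,
+:short => '-J FILE',
+:long => '--json FILE',
+:description => 'File containing JSON data to encrypt'
 
-
-
-
+option :file,
+:long => '--file FILE',
+:description => 'File to be added to vault item as file-content'
 
-
-vault_item["file-name"] = File.basename(file)
-vault_item["file-content"] = File.open(file){ |file| file.read() }
-end
+banner "knife encrypt update VAULT ITEM VALUES (options)"
 
-
-
-
-vault_item.save
-rescue ChefVault::Exceptions::KeysNotFound,
-ChefVault::Exceptions::ItemNotFound
-
-raise ChefVault::Exceptions::ItemNotFound,
-"#{vault}/#{item} does not exists, "\
-"use 'knife encrypt create' to create."
+def run
+puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+super
 end
-else
-show_usage
 end
 end
-
-def show_usage
-super
-exit 1
-end
 end
-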
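--- /dev/null
+++ b/data/lib/chef/knife/vault_base.rb
@@ -0,0 +1,46 @@
+# Description: Chef-Vault VaultBase module
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class Chef
+class Knife
+module VaultBase
+def self.included(includer)
+includer.class_eval do
+deps do
+require 'chef/search/query'
+require File.expand_path('../mixin/compat', __FILE__)
+require File.expand_path('../mixin/helper', __FILE__)
+include ChefVault::Mixin::KnifeCompat
+include ChefVault::Mixin::Helper
+end
+
+option :vault_mode,
+:short => '-M MODE',
+:long => '--mode MODE',
+:description => 'Chef mode to run in default - solo',
+:proc => Proc.new { |i| Chef::Config[:knife][:vault_mode] = i }
+end
+end
+
+def show_usage
+super
+exit 1
+end
+end
+end
+end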
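Review bot: `VaultBase` has no comment explaining that it works through `self.included` rather than plain instance methods: the hook `class_eval`s the including command class to register the `deps` block and the `-M/--mode` option, and the `:proc` on new line 36 additionally writes the parsed value into `Chef::Config[:knife][:vault_mode]` as a side effect at option-parse time. A header comment above `module VaultBase` such as `# Mixed into each knife vault/encrypt command; on include it registers the shared deps block and the -M/--mode option (stored under config[:vault_mode] and mirrored into Chef::Config[:knife][:vault_mode])` would save the next reader from reconstructing that. `show_usage` on new lines 40-43 calls `exit 1` after printing usage, so every command that mixes this in terminates on bad arguments; a one-line comment stating that intent would also help.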
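--- /dev/null
+++ b/data/lib/chef/knife/vault_create.rb
@@ -0,0 +1,95 @@
+# Description: Chef-Vault VaultCreate class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+class Knife
+class VaultCreate < Knife
+
+include Chef::Knife::VaultBase
+
+banner "knife vault create VAULT ITEM VALUES (options)"
+
+option :search,
+:short => '-S SEARCH',
+:long => '--search SEARCH',
+:description => 'Chef SOLR search for clients'
+
+option :admins,
+:short => '-A ADMINS',
+:long => '--admins ADMINS',
+:description => 'Chef users to be added as admins'
+
+option :json,
+:short => '-J FILE',
+:long => '--json FILE',
+:description => 'File containing JSON data to encrypt'
+
+option :file,
+:long => '--file FILE',
+:description => 'File to be added to vault item as file-content'
+
+def run
+vault = @name_args[0]
+item = @name_args[1]
+values = @name_args[2]
+search = config[:search]
+admins = config[:admins]
+json_file = config[:json]
+file = config[:file]
+
+set_mode(config[:vault_mode])
+
+if vault && item && (search || admins)
+begin
+vault_item = ChefVault::Item.load(vault, item)
+raise ChefVault::Exceptions::ItemAlreadyExists,
+"#{vault_item.data_bag}/#{vault_item.id} already exists, "\
+"use 'knife vault remove' 'knife vault update' "\
+"or 'knife vault edit' to make changes."
+rescue ChefVault::Exceptions::KeysNotFound,
+ChefVault::Exceptions::ItemNotFound
+vault_item = ChefVault::Item.new(vault, item)
+
+if values || json_file || file
+merge_values(values, json_file).each do |key, value|
+vault_item[key] = value
+end
+
+if file
+vault_item["file-name"] = File.basename(file)
+vault_item["file-content"] = File.open(file){ |file| file.read() }
+end
+else
+vault_json = edit_data(Hash.new)
+vault_json.each do |key, value|
+vault_item[key] = value
+end
+end
+
+vault_item.search(search) if search
+vault_item.clients(search) if search
+vault_item.admins(admins) if admins
+
+vault_item.save
+end
+else
+show_usage
+end
+end
+end
+end
+end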
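Review bot: On new line 74 the block parameter `file` shadows the `file` local assigned on new line 52 and used on line 73, and the open-then-read pair is exactly what `File.read` does; `vault_item["file-content"] = File.read(file)` is clearer, with `File.binread` if non-text content is expected to round-trip unchanged. The existence check on new lines 58-65 treats `KeysNotFound` and `ItemNotFound` alike and then builds a fresh `ChefVault::Item` that is saved on line 87; if `Item.load` can raise `KeysNotFound` for an item that exists but whose keys the caller cannot read (ChefVault::Item is not in this chunk), the create path would write over it, so that distinction is worth confirming against the library. `merge_values(values, json_file)` on line 68 is also reached when only `--file` is given and both arguments are nil, which relies on the helper tolerating that.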
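--- /dev/null
+++ b/data/lib/chef/knife/vault_decrypt.rb
@@ -0,0 +1,59 @@
+# Description: Chef-Vault VaultDecrypt class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+class Knife
+class VaultDecrypt < Knife
+
+include Chef::Knife::VaultBase
+
+banner "knife vault decrypt VAULT ITEM [VALUES] (options)"
+
+def run
+puts "DEPRECATION WARNING: knife vault decrypt is deprecated. Please use knife vault show instead."
+vault = @name_args[0]
+item = @name_args[1]
+values = @name_args[2]
+
+if vault && item
+set_mode(config[:vault_mode])
+
+print_values(vault, item, values)
+else
+show_usage
+end
+end
+
+def print_values(vault, item, values)
+vault_item = ChefVault::Item.load(vault, item).raw_data
+
+if values
+included_values = %W( id )
+
+values.split(",").each do |value|
+value.strip! # remove white space
+included_values << value
+end
+
+output(Hash[vault_item.find_all{|k,v| included_values.include?(k)}])
+else
+output(vault_item)
+end
+end
+end
+end
+end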
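Review bot: `print_values` (new lines 45-52) builds the key filter with `%W( id )`, a mutating `strip!` and a `Hash[... find_all ...]` round-trip, three steps for what is one expression; `included_values = ['id'] + values.split(',').map(&:strip)` followed by `output(vault_item.select { |k, _| included_values.include?(k) })` does the same without mutating the split strings. A requested key that is not present in the item is silently dropped from the output rather than reported, which may be intended but is not stated in the banner on new line 24 or in a comment. The `puts` deprecation warning on new line 27 shares the stdout problem raised on the encrypt_rotate_keys.rb hunk.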
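--- /dev/null
+++ b/data/lib/chef/knife/vault_delete.rb
@@ -0,0 +1,49 @@
+# Description: Chef-Vault VaultDelete class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+class Knife
+class VaultDelete < Knife
+
+include Chef::Knife::VaultBase
+
+banner "knife vault delete VAULT ITEM (options)"
+
+def run
+vault = @name_args[0]
+item = @name_args[1]
+
+set_mode(config[:vault_mode])
+
+if vault && item
+delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do
+begin
+ChefVault::Item.load(vault, item).destroy
+rescue ChefVault::Exceptions::KeysNotFound,
+ChefVault::Exceptions::ItemNotFound
+
+raise ChefVault::Exceptions::ItemNotFound,
+"#{vault}/#{item} not found."
+end
+end
+else
+show_usage
+end
+end
+end
+end
+end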
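Review bot: The not-found handling on new lines 34-40 runs inside the block handed to `delete_object`, and `Chef::Knife#delete_object` asks for confirmation before it yields, so the user is asked to confirm deletion of `VAULT/ITEM` and only afterwards learns that it does not exist. Loading the item first and destroying the loaded object inside the block keeps the confirmation prompt for items that actually exist and reduces the `delete_object` block to one line. The rewritten body of `run` follows; the `else`/`show_usage` branch is unchanged.
```ruby
if vault && item
  begin
    vault_item = ChefVault::Item.load(vault, item)
  rescue ChefVault::Exceptions::KeysNotFound,
         ChefVault::Exceptions::ItemNotFound
    raise ChefVault::Exceptions::ItemNotFound,
          "#{vault}/#{item} not found."
  end

  delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do
    vault_item.destroy
  end
# … unchanged: else / show_usage branch …
```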
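--- /dev/null
+++ b/data/lib/chef/knife/vault_edit.rb
@@ -0,0 +1,70 @@
+# Description: Chef-Vault VaultEdit class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+class Knife
+class VaultEdit < Knife
+
+include Chef::Knife::VaultBase
+
+banner "knife vault edit VAULT ITEM (options)"
+
+option :mode,
+:short => '-M MODE',
+:long => '--mode MODE',
+:description => 'Chef mode to run in default - solo'
+
+def run
+vault = @name_args[0]
+item = @name_args[1]
+
+set_mode(config[:vault_mode])
+
+if vault && item
+begin
+vault_item = ChefVault::Item.load(vault, item)
+
+filtered_vault_data = vault_item.raw_data.select{|x| x != 'id'}
+
+updated_vault_json = edit_data(filtered_vault_data)
+
+# Clean out contents of existing local vault_item
+vault_item.raw_data.each do |key, value|
+vault_item.remove(key) unless key == 'id'
+end
+
+# write new vault_item key/value pairs
+updated_vault_json.each do |key, value|
+vault_item[key] = value
+end
+
+vault_item.save
+rescue ChefVault::Exceptions::KeysNotFound,
+ChefVault::Exceptions::ItemNotFound
+
+raise ChefVault::Exceptions::ItemNotFound,
+"#{vault}/#{item} does not exist, "\
+"use 'knife vault create' to create."
+end
+else
+show_usage
+end
+end
+end
+end
+end
+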
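Review bot: `VaultEdit` declares its own `option :mode` on new lines 26-29 with the same `-M`/`--mode` switches that `VaultBase` already registers as `:vault_mode`, yet `run` reads `config[:vault_mode]` on new line 35; whichever of the two duplicate switch definitions option parsing resolves to, `-M` on `knife vault edit` is at risk of landing in `config[:mode]` and being ignored, so the four lines should be removed since the mixin provides the option. `vault_item.raw_data.select{|x| x != 'id'}` on line 41 relies on a one-parameter block receiving only the key, which `vault_item.raw_data.reject { |k, _| k == 'id' }` states directly; and the loop on lines 46-48 calls `vault_item.remove(key)` while iterating `raw_data`, which is only safe if `remove` does not mutate the hash being walked — iterating `vault_item.raw_data.keys` sidesteps the question. The rescue on lines 56-61 also covers `edit_data` and `save`, so a `KeysNotFound` raised there is reported as the item not existing; narrowing the `begin` to the `load` call keeps the message accurate.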