chef-vault 2.1.0 → 2.2.0

data/lib/chef/knife/vault_remove.rb

@@ -0,0 +1,86 @@
+# Description: Chef-Vault VaultRemove class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+  class Knife
+    class VaultRemove < Knife
+
+      include Chef::Knife::VaultBase
+
+      banner "knife vault remove VAULT ITEM VALUES (options)"
+
+      option :search,
+        :short => '-S SEARCH',
+        :long => '--search SEARCH',
+        :description => 'Chef SOLR search for clients'
+
+      option :admins,
+        :short => '-A ADMINS',
+        :long => '--admins ADMINS',
+        :description => 'Chef users to be added as admins'
+
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        values = @name_args[2]
+        search = config[:search]
+        admins = config[:admins]
+        json_file = config[:json]
+
+        set_mode(config[:vault_mode])
+
+        if vault && item && ((values || json_file) || (search || admins))
+          begin
+            vault_item = ChefVault::Item.load(vault, item)
+            remove_items = []
+
+            if values || json_file
+              begin
+                json = JSON.parse(values)
+                json.each do |key, value|
+                  remove_items << key
+                end
+              rescue JSON::ParserError
+                remove_items = values.split(",")
+              rescue Exception => e
+                raise e
+              end
+
+              remove_items.each do |key|
+                key.strip!
+                vault_item.remove(key)
+              end
+            end
+
+            vault_item.clients(search, :delete) if search
+            vault_item.admins(admins, :delete) if admins
+
+            vault_item.rotate_keys!
+          rescue ChefVault::Exceptions::KeysNotFound,
+            ChefVault::Exceptions::ItemNotFound
+
+            raise ChefVault::Exceptions::ItemNotFound,
+              "#{vault}/#{item} does not exist, "\
+              "use 'knife vault create' to create."
+          end
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -0,0 +1,57 @@
+# Description: Chef-Vault VaultRotateAllKeys class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+  class Knife
+    class VaultRotateAllKeys < Knife
+
+      include Chef::Knife::VaultBase
+
+      banner "knife vault rotate all keys"
+
+      def run
+        set_mode(config[:vault_mode])
+        rotate_all_keys
+      end
+
+      private
+
+      def rotate_all_keys
+        vaults = Chef::DataBag.list.keys
+        vaults.each { |vault| rotate_vault_keys(vault) }
+      end
+
+      def rotate_vault_keys(vault)
+        vault_items(vault).each do |item|
+          rotate_vault_item_keys(vault, item)
+        end
+      end
+
+      def vault_items(vault)
+        Chef::DataBag.load(vault).keys.inject([]) do |array, key|
+          array << key.sub('_keys', '') if key.match(/.+_keys$/)
+          array
+        end
+      end
+
+      def rotate_vault_item_keys(vault, item)
+        puts "Rotating keys for: #{vault} #{item}"
+        ChefVault::Item.load(vault, item).rotate_keys!
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_rotate_keys.rb

@@ -0,0 +1,49 @@
+# Description: Chef-Vault VaultRotateKeys class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+  class Knife
+    class VaultRotateKeys < Knife
+
+      include Chef::Knife::VaultBase
+
+      banner "knife vault rotate keys VAULT ITEM (options)"
+
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+
+        if vault && item
+          set_mode(config[:vault_mode])
+
+          begin
+            item = ChefVault::Item.load(vault, item)
+            item.rotate_keys!
+          rescue ChefVault::Exceptions::KeysNotFound,
+            ChefVault::Exceptions::ItemNotFound
+
+            raise ChefVault::Exceptions::ItemNotFound,
+              "#{vault}/#{item} does not exist, "\
+              "use 'knife vault create' to create."
+          end
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_show.rb

@@ -0,0 +1,89 @@
+# Description: Chef-Vault VaultShow class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+  class Knife
+    class VaultShow < Knife
+
+      include Chef::Knife::VaultBase
+
+      banner "knife vault show VAULT ITEM [VALUES] (options)"
+
+      option :mode,
+        :short => '-M MODE',
+        :long => '--mode MODE',
+        :description => 'Chef mode to run in default - solo'
+
+      option :print,
+        :short => '-p TYPE',
+        :long => '--print TYPE',
+        :description => 'Print extra vault data, can be search, admins, clients or all'
+
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        values = @name_args[2]
+
+        if vault && item
+          set_mode(config[:vault_mode])
+          print_values(vault, item, values)
+        else
+          show_usage
+        end
+      end
+
+      def print_values(vault, item, values)
+        vault_item = ChefVault::Item.load(vault, item)
+
+        extra_data = {}
+
+        if config[:print]
+          case config[:print]
+          when 'search'
+            extra_data["search_query"] = vault_item.search
+          when 'admins'
+            extra_data["admins"] = vault_item.admins
+          when 'clients'
+            extra_data["clients"] = vault_item.clients
+          when 'all'
+            extra_data["search_query"] = vault_item.search
+            extra_data["admins"] = vault_item.admins
+            extra_data["clients"] = vault_item.clients
+          end
+        end
+
+        if values
+          included_values = %W( id )
+
+          values.split(",").each do |value|
+            value.strip! # remove white space
+            included_values << value
+          end
+
+          filtered_data = Hash[vault_item.raw_data.find_all{|k,v| included_values.include?(k)}]
+
+          output_data = filtered_data.merge(extra_data)
+        else
+          all_data = vault_item.raw_data
+
+          output_data = all_data.merge(extra_data)
+        end
+          output(output_data)
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_update.rb

@@ -0,0 +1,87 @@
+# Description: Chef-Vault VaultUpdate class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+  class Knife
+    class VaultUpdate < Knife
+
+      include Chef::Knife::VaultBase
+
+      banner "knife vault update VAULT ITEM VALUES (options)"
+
+      option :search,
+        :short => '-S SEARCH',
+        :long => '--search SEARCH',
+        :description => 'Chef SOLR search for clients'
+
+      option :admins,
+        :short => '-A ADMINS',
+        :long => '--admins ADMINS',
+        :description => 'Chef users to be added as admins'
+
+      option :json,
+        :short => '-J FILE',
+        :long => '--json FILE',
+        :description => 'File containing JSON data to encrypt'
+
+      option :file,
+        :long => '--file FILE',
+        :description => 'File to be added to vault item as file-content'
+
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        values = @name_args[2]
+        search = config[:search]
+        admins = config[:admins]
+        json_file = config[:json]
+        file = config[:file]
+
+        set_mode(config[:vault_mode])
+
+        if vault && item && ((values || json_file || file) || (search || admins))
+          begin
+            vault_item = ChefVault::Item.load(vault, item)
+
+            merge_values(values, json_file).each do |key, value|
+              vault_item[key] = value
+            end
+
+            if file
+              vault_item["file-name"] = File.basename(file)
+              vault_item["file-content"] = File.open(file){ |file| file.read() }
+            end
+
+            vault_item.search(search) if search
+            vault_item.clients(search) if search
+            vault_item.admins(admins) if admins
+
+            vault_item.save
+          rescue ChefVault::Exceptions::KeysNotFound,
+            ChefVault::Exceptions::ItemNotFound
+
+            raise ChefVault::Exceptions::ItemNotFound,
+              "#{vault}/#{item} does not exist, "\
+              "use 'knife vault create' to create."
+          end
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/spec/chef-vault_spec.rb

@@ -1,56 +1,31 @@
 require 'spec_helper'
 
 describe ChefVault do
+  subject(:vault) { ChefVault.new('foo') }
+
   describe '#new' do
     context 'with only a vault parameter specified' do
-      before(:each) do
-        @vault = ChefVault.new('foo')
-      end
-
-      it 'is an instance of ChefVault' do
-        expect(@vault).to be_an_instance_of ChefVault
-      end
+      it { should be_an_instance_of ChefVault }
 
-      it 'sets vault to foo' do
-        expect(@vault.vault).to eq "foo"
-      end
+      its(:vault) { should eq "foo" }
     end
 
     context 'with a vault and config file parameter specified' do
-      before(:each) do
+      before do
         IO.stub(:read).with('knife.rb').and_return("node_name 'bar'")
-        @vault = ChefVault.new('foo', 'knife.rb')
       end
 
-      it 'is an instance of ChefVault' do
-        expect(@vault).to be_an_instance_of ChefVault
-      end
+      let(:vault) { ChefVault.new('foo', 'knife.rb') }
 
-      it 'sets vault to foo' do
-        expect(@vault.vault).to eq "foo"
-      end
+      it { should be_an_instance_of ChefVault }
 
-      it 'sets Chef::Config[:node_name] to bar' do
-        expect(Chef::Config[:node_name]).to eq "bar"
-      end
-    end
-  end
-
-  describe '#version' do
-    it 'returns the version number' do
-      vault = ChefVault.new('foo')
-      expect(vault.version).to eq ChefVault::VERSION
-    end
-  end
+      its(:vault) { should eq "foo" }
 
-  describe '#self.load_config' do
-    before(:each) do
-      IO.stub(:read).with('knife.rb').and_return("node_name 'bar'")
-      ChefVault.load_config("knife.rb")
+      specify { expect { Chef::Config[:node_name ].should eq "bar" } }
     end
 
-    it "sets Chef::Config[:node_name] to bar" do
-      expect(Chef::Config[:node_name]).to eq "bar"
+    describe '#version' do
+      its(:version) { should eq ChefVault::VERSION }
     end
   end
 end

data/spec/item_keys_spec.rb

@@ -2,28 +2,16 @@ require 'spec_helper'
 
 describe ChefVault::ItemKeys do
   describe '#new' do
-    before(:each) do
-      @keys = ChefVault::ItemKeys.new("foo", "bar")
-    end
+    subject(:keys) { ChefVault::ItemKeys.new("foo", "bar") }
 
-    it 'is an instance of ChefVault::ItemKeys' do
-      expect(@keys).to be_an_instance_of ChefVault::ItemKeys
-    end
+    it { should be_an_instance_of ChefVault::ItemKeys }
 
-    it 'sets data_bag to foo' do
-      expect(@keys.data_bag).to eq "foo"
-    end
+    its(:data_bag) { should eq "foo" }
 
-    it 'sets keys["id"] to bar' do
-      expect(@keys["id"]).to eq "bar"
-    end
+    specify { keys["id"].should eq "bar" }
 
-    it 'sets keys["admins"] to []' do
-      expect(@keys["admins"]).to eq []
-    end
+    specify { keys["admins"].should eq [] }
 
-    it 'sets keys["clients"] to []' do
-      expect(@keys["clients"]).to eq []
-    end
+    specify { keys["clients"].should eq [] }
   end
 end