chef-vault 2.2.1 → 2.2.2

data/.gitignore

@@ -1,4 +1,30 @@
+" from https://github.com/github/gitignore/blob/master/Ruby.gitignore
 *.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
 Gemfile.lock
-vendor
-.bundle
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/Changelog.md

@@ -1,6 +1,11 @@
 ## Planned (Unreleased)
 
 ## Released
+## v2.2.2 / 2014-06-03
+* Add knife vault refresh command
+* Use node_name as a default admin
+* Add DEMO for users
+
 ## v2.2.1 / 2014-02-26
 * Add vault_admins to knife.rb for a default set of vault admins
 

data/DEMO.md

@@ -0,0 +1,53 @@
+# A Short Demo of the Magic of Chef-Vault
+
+##Set up the magic show from a shell on your own workstation
+
+###Put the bunny in the hat
+
+    echo "bunny" > tophat
+
+###Put the hat in the magic show
+
+    export assistant=aug24                   #Change this to your chef id 
+    export role=magician                     #Change this to the role you need to pass the secret to
+    
+    knife vault create magicshow hat \       #Create a hat object in a data bag called magicshow
+       --mode client                 \       #Talk to the chef server rather than local 
+       --file tophat                 \       #Use the hat (file) we put the bunny in
+       --search "role:${role}"       \       #Encrypted for all *current* nodes with the magician role
+       --admins "${assistant}"               #Encrypted for the assistant
+
+###Check the magic show is on the chef server
+
+    knife data bag list
+
+###Check the hat is there (and that nobody can see what's in it)
+    knife data bag show magicshow hat
+
+###Check you can see what's in it
+    knife vault show magicshow hat file-content --mode client
+
+##'Hop' on to a node with a role of 'magician'
+
+###Install required software
+    sudo apt-get install ruby-dev --yes
+    sudo gem install chef-vault --no-ri --no-rdoc
+
+###Get the bunny back out of the hat!
+    sudo chef-shell --client <<EOF
+    require 'chef-vault'
+    puts ChefVault::Item.load('magicshow', 'hat')['file-content']
+    EOF
+
+If you are on a node which is not a magician, an exception will be thrown, 
+and the node cannot see what is in the hat.
+
+#Finally, do a disappearing act.
+
+###Make the hat disappear...
+    knife vault delete magicshow hat --mode client
+    
+###Make the entire magic show disappear...
+    knife data bag delete magicshow
+
+###Thank you!

data/KNIFE_EXAMPLES.md

@@ -142,6 +142,11 @@ Rotate the shared key for all vaults and items. The shared key is that which is
 
     knife vault rotate all keys
 
+### refresh
+This command reads the search_query in the vault item, performs the search, and reapplies the results.
+
+    knife vault refresh VAULT ITEM
+
 ### global options
 <table>
   <tr>

data/README.md

@@ -24,10 +24,13 @@ See KNIFE_EXAMPLES.md for examples of commands
 
 ### knife.rb
 To set 'client' as the default mode, add the following line to the knife.rb file.
-knife[:vault_mode] = 'client'
+
+```knife[:vault_mode] = 'client'```
 
 To set the default list of admins for creating and updating vaults, add the following line to the knife.rb file.
-knife[:vault_admins] = ["example-alice", "example-bob", "example-carol"]
+
+```knife[:vault_admins] = [ 'example-alice', 'example-bob', 'example-carol' ]```
+
 (These values can be overridden on the command line by using -A)
 
 NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.0 commands.
@@ -36,6 +39,7 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
 
     knife vault create VAULT ITEM VALUES
     knife vault edit VAULT ITEM
+    knife vault refresh VAULT ITEM
     knife vault update VAULT ITEM VALUES
     knife vault remove VAULT ITEM VALUES
     knife vault delete VAULT ITEM

data/Rakefile

@@ -1,5 +1,6 @@
+require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task default: :spec

data/chef-vault.gemspec

@@ -14,28 +14,29 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-$:.push File.expand_path("../lib", __FILE__)
-require "chef-vault/version"
+$:.push File.expand_path('../lib', __FILE__)
+require 'chef-vault/version'
 
 Gem::Specification.new do |s|
-  s.name             = "chef-vault"
+  s.name             = 'chef-vault'
   s.version          = ChefVault::VERSION
   s.has_rdoc         = true
-  s.authors          = ["Kevin Moser"]
-  s.email            = ["kevin.moser@nordstrom.com"]
-  s.summary          = "Data encryption support for chef using data bags"
+  s.authors          = ['Kevin Moser']
+  s.email            = ['kevin.moser@nordstrom.com']
+  s.summary          = 'Data encryption support for Chef using data bags'
   s.description      = s.summary
+  s.homepage      = 'https://github.com/Nordstrom/chef-vault'
+
   s.license          = 'Apache License, v2.0'
 
   s.files            = `git ls-files`.split("\n")
-  s.add_dependency     "chef", ">= 0.10.10"
-
-  # tests
-  s.add_development_dependency 'rake'
-  s.add_development_dependency 'rspec'
+  s.require_paths    = ['lib']
+  s.bindir           = 'bin'
+  s.executables      = %w( chef-vault )
 
-  s.require_paths    = ["lib"]
+  s.add_dependency   'chef', '>= 0.10.10'
 
-  s.bindir           = "bin"
-  s.executables      = %w( chef-vault )
+  s.add_development_dependency 'bundler', '~> 1.3'
+  s.add_development_dependency 'rake'
+  s.add_development_dependency 'rspec', '~> 2.14'
 end

data/lib/chef-vault/exceptions.rb

@@ -24,4 +24,5 @@ class ChefVault::Exceptions
   class KeysNotFound < RuntimeError; end
   class ItemNotFound < RuntimeError; end
   class ItemAlreadyExists < RuntimeError; end
-end
+  class SearchNotFound < RuntimeError; end
+end

data/lib/chef-vault/version.rb

@@ -14,6 +14,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "2.2.1"
+  VERSION = "2.2.2"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/vault_admins.rb

@@ -0,0 +1,40 @@
+# Description: Chef-Vault VaultAdmins module
+# Copyright 2014, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife'
+require 'chef-vault'
+
+class Chef
+  class Knife
+    module VaultAdmins
+
+      private
+
+      def admins
+        config_admins = config[:admins]
+        vault_admins = Chef::Config[:knife][:vault_admins]
+        admin_array = [Chef::Config[:node_name]]
+
+        if config_admins
+          admin_array += [config_admins]
+        elsif vault_admins
+          admin_array += vault_admins
+        end
+
+        admin_array.join(',')
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_create.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultCreate class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2014, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,12 +14,14 @@
 # limitations under the License.
 
 require 'chef/knife/vault_base'
+require 'chef/knife/vault_admins'
 
 class Chef
   class Knife
     class VaultCreate < Knife
 
       include Chef::Knife::VaultBase
+      include Chef::Knife::VaultAdmins
 
       banner "knife vault create VAULT ITEM VALUES (options)"
 
@@ -47,7 +49,6 @@ class Chef
         item = @name_args[1]
         values = @name_args[2]
         search = config[:search]
-        admins = config[:admins] || Chef::Config[:knife][:vault_admins].join(',')
         json_file = config[:json]
         file = config[:file]
 
@@ -71,7 +72,7 @@ class Chef
 
               if file
                 vault_item["file-name"] = File.basename(file)
-                vault_item["file-content"] = File.open(file){ |file| file.read() }
+                vault_item["file-content"] = File.open(file) { |f| f.read() }
               end
             else
               vault_json = edit_data(Hash.new)

data/lib/chef/knife/vault_refresh.rb

@@ -0,0 +1,60 @@
+# Description: Chef-Vault VaultReapply class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+  class Knife
+    class VaultRefresh < Knife
+
+      include Chef::Knife::VaultBase
+
+      banner "knife vault refresh VAULT ITEM"
+
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+
+        set_mode(config[:vault_mode])
+
+        if vault && item
+          begin
+            vault_item = ChefVault::Item.load(vault, item)
+            search = vault_item.search
+
+            unless search
+              raise ChefVault::Exceptions::SearchNotFound,
+                    "#{vault}/#{item} does not have a stored search_query, "\
+                    "probably because it was created with an older version "\
+                    "of chef-vault. Use 'knife vault update' to update the "\
+                    "databag with the search query."
+            end
+
+            vault_item.clients(search)
+            vault_item.save
+          rescue ChefVault::Exceptions::KeysNotFound,
+                 ChefVault::Exceptions::ItemNotFound
+
+            raise ChefVault::Exceptions::ItemNotFound,
+                  "#{vault}/#{item} does not exist, "\
+                  "use 'knife vault create' to create."
+          end
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_update.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultUpdate class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2014, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,12 +14,14 @@
 # limitations under the License.
 
 require 'chef/knife/vault_base'
+require 'chef/knife/vault_admins'
 
 class Chef
   class Knife
     class VaultUpdate < Knife
 
       include Chef::Knife::VaultBase
+      include Chef::Knife::VaultAdmins
 
       banner "knife vault update VAULT ITEM VALUES (options)"
 
@@ -47,7 +49,6 @@ class Chef
         item = @name_args[1]
         values = @name_args[2]
         search = config[:search]
-        admins = config[:admins] || Chef::Config[:knife][:vault_admins].join(',')
         json_file = config[:json]
         file = config[:file]
 
@@ -63,7 +64,7 @@ class Chef
 
             if file
               vault_item["file-name"] = File.basename(file)
-              vault_item["file-content"] = File.open(file){ |file| file.read() }
+              vault_item["file-content"] = File.open(file) { |f| f.read() }
             end
 
             vault_item.search(search) if search

metadata

@@ -1,18 +1,20 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 2.2.1
+  version: 2.2.2
+  prerelease: 
 platform: ruby
 authors:
 - Kevin Moser
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-02-26 00:00:00.000000000 Z
+date: 2014-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -20,13 +22,31 @@ dependencies:
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
         version: 0.10.10
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -34,6 +54,7 @@ dependencies:
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
@@ -41,18 +62,20 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
-    - - ! '>='
+    - - ~>
       - !ruby/object:Gem::Version
-        version: '0'
-description: Data encryption support for chef using data bags
+        version: '2.14'
+description: Data encryption support for Chef using data bags
 email:
 - kevin.moser@nordstrom.com
 executables:
@@ -65,6 +88,7 @@ files:
 - .travis.yml
 - CONTRIBUTING.md
 - Changelog.md
+- DEMO.md
 - Gemfile
 - KNIFE_EXAMPLES.md
 - LICENSE
@@ -89,11 +113,13 @@ files:
 - lib/chef/knife/encrypt_update.rb
 - lib/chef/knife/mixin/compat.rb
 - lib/chef/knife/mixin/helper.rb
+- lib/chef/knife/vault_admins.rb
 - lib/chef/knife/vault_base.rb
 - lib/chef/knife/vault_create.rb
 - lib/chef/knife/vault_decrypt.rb
 - lib/chef/knife/vault_delete.rb
 - lib/chef/knife/vault_edit.rb
+- lib/chef/knife/vault_refresh.rb
 - lib/chef/knife/vault_remove.rb
 - lib/chef/knife/vault_rotate_all_keys.rb
 - lib/chef/knife/vault_rotate_keys.rb
@@ -103,28 +129,29 @@ files:
 - spec/item_keys_spec.rb
 - spec/item_spec.rb
 - spec/spec_helper.rb
-homepage: 
+homepage: https://github.com/Nordstrom/chef-vault
 licenses:
 - Apache License, v2.0
-metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.7
+rubygems_version: 1.8.23.2
 signing_key: 
-specification_version: 4
-summary: Data encryption support for chef using data bags
+specification_version: 3
+summary: Data encryption support for Chef using data bags
 test_files: []

checksums.yaml

@@ -1,15 +0,0 @@
----
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    ZGZkNTFmZjk4NGQxY2UwMjViZDI1MGM0NTczYWMxMDcyMWUxMGEwZQ==
-  data.tar.gz: !binary |-
-    MjA3MGY0OWY1N2NkMzA2MTNkOWY4OGUzZGQ2YmZmN2NhZDhlYjIwMg==
-!binary "U0hBNTEy":
-  metadata.gz: !binary |-
-    Y2Q2MTI4NGZhN2Y3ZDM0Y2JlNWFkZGQxMzEyMGQ2ZmI3NjU2N2I0MDE1NmRj
-    NzlhNGY2ODIyNmU4YjI2NDg5YjkxYTgxMzIwMzEzOWI2YWZhYzY5YTg5YWJj
-    ZGI4NTA3MGVjNGIyYzU0MzI5ZjE0N2EyZjhiNzgwNGIzY2FlNTE=
-  data.tar.gz: !binary |-
-    YTVmMzRlNTY3NGE5YWY4NzNmMTkyYWRhYjRhNTY5NjQ4YjkwNTc1NzFkYmU2
-    MGY2OTM2ZjE1N2E1YzM0ZjkwOTM4MDFmZjIxOWU5ZWMwZGIyNDRkNTI3Mjlm
-    N2M4MWEzODIwZmE1YmY4NmQzNjhkNmE4OGIxNjg2NDc1MjEyNTk=