chef-vault 2.4.0 → 2.5.0

data/bin/chef-vault

@@ -3,15 +3,15 @@
 # ./chef-vault - Run chef-vault and decrypt based on parameters
 #
 # Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
-# Copyright:: Copyright (c) 2013 Nordstrom, Inc.
+# Copyright:: Copyright (c) 2013-15 Nordstrom, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -34,7 +34,7 @@ options_config = {
     description: "Vault to look in",
     default: nil,
     optional: false
-  },  
+  },
   item: {
     short: "i",
     long: "item",
@@ -57,7 +57,7 @@ options_config.each do |option, config|
     banner << "[--#{config[:long]} #{config[:long].upcase}] "
   else
     banner << "--#{config[:long]} #{config[:long].upcase} "
-  end    
+  end
 end
 
 options = {}

data/chef-vault.gemspec

@@ -1,6 +1,6 @@
 # -*- encoding: utf-8 -*-
 # Chef-Vault Gemspec file
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -38,7 +38,16 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rspec', '~> 3.1'
   s.add_development_dependency 'rspec-its', '~> 1.1'
   s.add_development_dependency 'aruba', '~> 0.6'
-  s.add_development_dependency 'chef', '>= 0.10.10'
   s.add_development_dependency 'simplecov', '~> 0.9'
   s.add_development_dependency 'simplecov-console', '~> 0.2'
+  s.add_development_dependency 'rubocop', '~> 0.29'
+  # Chef 12 and higher pull in Ohai 8, which needs Ruby v2
+  # so only in the case of a CI build on ruby v1, we constrain
+  # chef to 11 or lower so that we can maintain CI test coverage
+  # of older versions
+  if ENV.key?('TRAVIS_BUILD') && RUBY_VERSION =~ /^1/
+    s.add_development_dependency 'chef', '~> 11.18'
+  else
+    s.add_development_dependency 'chef', '>= 0.10.10'
+  end
 end

data/features/clean_unknown_clients.feature

@@ -14,7 +14,11 @@ Feature: clean unknown clients on key rotation
     Then the vault item 'test/item' should be encrypted for 'one,two,three'
     And I delete client 'one' from the Chef server
     And I remove client 'two' from vault item 'test/item' with the 'clean-unknown-clients' option
-    Then the vault item 'test/item' should be encrypted for 'three'
+    Then the output should contain "Removing unknown client 'one'"
+    And the vault item 'test/item' should be encrypted for 'three'
+    And the vault item 'test/item' should not be encrypted for 'one,two'
+    And 'three' should be a client for the vault item 'test/item'
+    And 'one,two' should not be a client for the vault item 'test/item'
 
   Scenario: Prune clients when rotating keys
     Given a local mode chef repo with nodes 'one,two,three'
@@ -22,7 +26,11 @@ Feature: clean unknown clients on key rotation
     Then the vault item 'test/item' should be encrypted for 'one,two,three'
     And I delete client 'one' from the Chef server
     And I rotate the keys for vault item 'test/item' with the 'clean-unknown-clients' option
-    Then the vault item 'test/item' should be encrypted for 'two,three'
+    Then the output should contain "Removing unknown client 'one'"
+    And the vault item 'test/item' should be encrypted for 'two,three'
+    And the vault item 'test/item' should not be encrypted for 'one'
+    And 'two,three' should be a client for the vault item 'test/item'
+    And 'one' should not be a client for the vault item 'test/item'
 
   Scenario: Prune clients when rotating all keys
     Given a local mode chef repo with nodes 'one,two,three'
@@ -30,4 +38,21 @@ Feature: clean unknown clients on key rotation
     Then the vault item 'test/item' should be encrypted for 'one,two,three'
     And I delete clients 'one,two' from the Chef server
     And I rotate all keys with the 'clean-unknown-clients' option
-    Then the vault item 'test/item' should be encrypted for 'three'
+    Then the output should contain "Removing unknown client 'one'"
+    And the output should contain "Removing unknown client 'two'"
+    And the vault item 'test/item' should be encrypted for 'three'
+    And the vault item 'test/item' should not be encrypted for 'one,two'
+    And 'three' should be a client for the vault item 'test/item'
+    And 'one,two' should not be a client for the vault item 'test/item'
+
+  Scenario: Prune clients when node gone but client exists
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And I delete node 'one' from the Chef server
+    And I rotate the keys for vault item 'test/item' with the 'clean-unknown-clients' option
+    Then the output should contain "Removing unknown client 'one'"
+    And the vault item 'test/item' should be encrypted for 'two,three'
+    And the vault item 'test/item' should not be encrypted for 'one'
+    And 'two,three' should be a client for the vault item 'test/item'
+    And 'one' should not be a client for the vault item 'test/item'

data/features/step_definitions/chef-databag.rb

@@ -0,0 +1,5 @@
+When /^I create a data bag '(.+)' containing the JSON '(.+)'$/ do |bag, json|
+  write_file 'item.json', json
+  run_simple "knife data bag create #{bag} -z -c knife.rb -d"
+  run_simple "knife data bag from_file #{bag} -z -c knife.rb item.json"
+end

data/features/step_definitions/chef-repo.rb

@@ -1,4 +1,4 @@
-Given /^a local mode chef repo with nodes '(.+)'$/ do |nodelist|
+Given(/^a local mode chef repo with nodes '(.+?)'(?: with admins '(.+?)')?$/) do |nodelist, adminlist|
   # create the repo directory hierarchy
   %w(cookbooks clients nodes data_bags).each do |dir|
     create_dir dir
@@ -9,9 +9,13 @@ local_mode true
 chef_repo_path '.'
 chef_zero.enabled true
 EOF
-  # create the admin user and capture its private key
-  in_current_dir do
-      system 'knife client create admin -z -d -a -c knife.rb > admin.pem'
+  # create the admin users and capture their private key we
+  # always create an admin called 'admin' because otherwise subsequent
+  # steps become annoying to determine who the admin is
+  admins = %w(admin)
+  admins.push(adminlist.split(/,/)) if adminlist
+  admins.flatten.each do |admin|
+    create_admin(admin)
   end
   # add the admin key to the knife configuration
   append_to_file 'knife.rb', <<EOF
@@ -20,14 +24,48 @@ client_key 'admin.pem'
 EOF
   # create the requested nodes
   nodelist.split(/,/).each do |node|
-    run_simple "knife client create #{node} -z -d -c knife.rb"
-    run_simple "knife node create #{node} -z -d -c knife.rb"
+    create_client(node)
+    create_node(node)
   end
 end
 
-When /^I delete clients? '(.+)' from the Chef server$/ do |nodelist|
+Given(/^I create an admin named '(.+)'$/) do |admin|
+  create_admin(admin)
+end
+
+Given(/^I delete clients? '(.+)' from the Chef server$/) do |nodelist|
   nodelist.split(/,/).each do |node|
-    run_simple "knife client delete #{node} -z -d -y -c knife.rb"
+    delete_client(node)
   end
 end
 
+Given(/^I regenerate the client key for the node '(.+)'$/) do |node|
+  delete_client(node)
+  create_client(node)
+end
+
+Given(/^I delete nodes? '(.+)' from the Chef server$/) do |nodelist|
+  nodelist.split(/,/).each { |node| delete_node(node) }
+end
+
+def create_node(name)
+  run_simple "knife node create #{name} -z -d -c knife.rb"
+end
+
+def create_admin(admin)
+  create_client(admin, '-a')
+end
+
+def create_client(name, args = nil)
+  command = "knife client create #{name} -z -d -c knife.rb #{args} >#{name}.pem"
+  run_simple command
+  write_file("#{name}.pem", stdout_from(command))
+end
+
+def delete_client(name)
+  run_simple "knife client delete #{name} -y -z -c knife.rb"
+end
+
+def delete_node(name)
+  run_simple "knife node delete #{name} -y -z -c knife.rb"
+end

data/features/step_definitions/chef-vault.rb

@@ -1,41 +1,95 @@
 require 'json'
 
-When /^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'$/ do |vault, item, json, nodelist|
+Given(/^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, json, nodelist, admins|
   write_file 'item.json', json
   query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
-  run_simple "knife vault create #{vault} #{item} -z -c knife.rb -A admin -S '#{query}' -J item.json"
+  adminarg = admins.nil? ? '-A admin' : "-A #{admins}"
+  run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} -S '#{query}' -J item.json", false
 end
 
-When /^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/ do |vault, item, nodelist, cleanopt|
+Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
   query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
-  run_simple "knife vault update #{vault} #{item} -S '#{query}' #{cleanopt ? '--clean' : ''}"
+  run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? '--clean' : ''}"
 end
 
-When /^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/ do |nodelist, vault, item, optionlist|
+Given(/^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |nodelist, vault, item, optionlist|
   query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
   options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
-  run_simple "knife vault remove #{vault} #{item} -S '#{query}' #{options}"
+  run_simple "knife vault remove #{vault} #{item} -z -c knife.rb -S '#{query}' #{options}"
 end
 
-When /^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/ do |vault, item, optionlist|
+Given(/^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
   options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
-  run_simple "knife vault rotate keys #{vault} #{item} #{options}"
+  run_simple "knife vault rotate keys #{vault} #{item} -c knife.rb -z #{options}"
 end
 
-When /^I rotate all keys with the '(.+)' options?$/ do |optionlist|
+Given(/^I rotate all keys with the '(.+)' options?$/) do |optionlist|
   options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
-  run_simple "knife vault rotate all keys #{options}"
+  run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
 end
 
-Then /^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/ do |vault, item, neg, nodelist|
+Given(/^I try to decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |vault, item, node|
+  run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem", false
+end
+
+Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/) do |vault, item, neg, nodelist|
   nodes = nodelist.split(/,/)
-  run_simple("knife vault show #{vault} #{item} -z -c knife.rb -p clients -F json")
-  output = output_from("knife vault show #{vault} #{item} -z -c knife.rb -p clients -F json")
+  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
+  run_simple(command)
+  output = stdout_from(command)
+  data = JSON.parse(output)
   nodes.each do |node|
     if neg
-      assert_no_partial_output(node, output)
+      expect(data).not_to include(node)
     else
-      assert_partial_output(node, output)
+      expect(data).to include(node)
     end
   end
 end
+
+Given(/^'(.+)' should( not)? be a client for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
+  nodes = nodelist.split(/,/)
+  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
+  run_simple(command)
+  output = stdout_from(command)
+  data = JSON.parse(output)
+  nodes.each do |node|
+    if neg
+      expect(data['clients']).not_to include(node)
+    else
+      expect(data['clients']).to include(node)
+    end
+  end
+end
+
+Given(/^'(.+)' should( not)? be an admin for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
+  nodes = nodelist.split(/,/)
+  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
+  run_simple(command)
+  output = stdout_from(command)
+  data = JSON.parse(output)
+  nodes.each do |node|
+    if neg
+      expect(data['admins']).not_to include(node)
+    else
+      expect(data['admins']).to include(node)
+    end
+  end
+end
+
+Given(/^I list the vaults$/) do
+  run_simple('knife vault list')
+end
+
+Given(/^I can('t)? decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |neg, vault, item, client|
+  run_simple "knife vault show #{vault} #{item} -c knife.rb -z -u #{client} -k #{client}.pem", false
+  if neg
+    assert_not_exit_status(0)
+  else
+    assert_exit_status(0)
+  end
+end
+
+Given(/^I add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |newadmin, vault, item|
+  run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}"
+end

data/features/support/env.rb

@@ -7,8 +7,8 @@ require 'aruba/cucumber'
 # Travis runs tests in a limited environment which takes a long time to invoke
 # the knife command.  Up the timeout when we're in a travis build based on the
 # environment variable set in .travis.yml
-if ENV['TRAVIS_BUILD']
+#if ENV['TRAVIS_BUILD']
   Before do
     @aruba_timeout_seconds = 15
   end
-end
+#end

data/features/vault_create.feature

@@ -0,0 +1,54 @@
+Feature: knife vault create
+
+  'knife vault create' creates two Chef data bag items: an
+  encrypted data bag item encrypted with a randomized shared
+  secret, and a side-along data bag item suffixed with _keys
+  that contains an set of asymmetrically encrypted copies of
+  the shared secret using the public keys of a set of admins
+  and/or clients
+
+  Scenario: create vault with all known clients
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+
+  Scenario: create vault with all unknown clients
+    Given a local mode chef repo with nodes 'two,three'
+    And I delete clients 'two,three' from the Chef server
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'two,three'
+    Then the vault item 'test/item' should not be encrypted for 'one,two,three'
+    And the output should contain "node 'two' has no private key; skipping"
+    And the output should contain "node 'three' has no private key; skipping"
+    And 'two,three' should not be a client for the vault item 'test/item'
+
+  Scenario: create vault with mix of known and unknown clients
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I delete client 'three' from the Chef server
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two'
+    And the output should contain "node 'three' has no private key; skipping"
+    And 'one,two' should be a client for the vault item 'test/item'
+    And 'three' should not be a client for the vault item 'test/item'
+
+  Scenario: create vault with mix of known and unknown nodes
+    Given a local mode chef repo with nodes 'one,two'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two'
+    And 'one,two' should be a client for the vault item 'test/item'
+    And 'three' should not be a client for the vault item 'test/item'
+
+  Scenario: create vault with several admins
+    Given a local mode chef repo with nodes 'one,two' with admins 'alice,bob'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
+    Then the vault item 'test/item' should be encrypted for 'one,two'
+    And 'one,two' should be a client for the vault item 'test/item'
+    And 'three' should not be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And 'bob' should not be an admin for the vault item 'test/item'
+
+  Scenario: create vault with an unknown admin
+    Given a local mode chef repo with nodes 'one,two'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
+    Then the exit status should not be 0
+    And the output should contain "FATAL: Could not find alice in users or clients!"

data/features/vault_list.feature

@@ -0,0 +1,26 @@
+Feature: list data bags that are vaults
+
+  knife vault list should list all data bags that appear to
+  be vaults.  This is not an exact science; we assume that
+  any data bag containing an even number of items and for
+  which all items are pairs of thing/thing_keys is a vault
+
+  Scenario: List bags that are vaults
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    And I list the vaults
+    Then the output should match /(?m:^test$)/
+
+  Scenario: Skip data bags that are not vaults
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    And I create a data bag 'lessthantwokeys' containing the JSON '{"id": "item", "foo": "bar"}'
+    And I create a data bag 'oddnumberofkeys' containing the JSON '{"id": "item", "one": 1, "two": 2, "three":3}'
+    And I create a data bag 'unbalanced' containing the JSON '{"id": "item", "one": 1, "one_keys": 1, "two_keys": 1, "three_keys": 1}'
+    And I create a data bag 'mismatched' containing the JSON '{"id": "item", "one": 1, "one_keys": 1, "two_keys": 1, "three": 1}'
+    And I list the vaults
+    Then the output should match /(?m:^test$)/
+    And the output should not match /(?m:^lessthantwokeys$)/
+    And the output should not match /(?m:^oddnumberofkeys$)/
+    And the output should not match /(?m:^unbalanced$)/
+    And the output should not match /(?m:^mismatched$)/

data/features/vault_show.feature

@@ -0,0 +1,46 @@
+Feature: knife vault show
+
+  'knife vault show' displays the contents of a Chef encrypted
+  data bag by fetching the asymmetrically encrypted shared
+  secret and decrypting it using the private key of the user
+  or node
+
+  Scenario: successful decrypt as admin
+    Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
+    Then the vault item 'test/item' should be encrypted for 'one,two,three,alice'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And 'bob' should not be an admin for the vault item 'test/item'
+    And I can decrypt the vault item 'test/item' as 'alice'
+    And the output should match /^foo: bar$/
+
+  Scenario: successful decrypt as node
+    Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
+    Then the vault item 'test/item' should be encrypted for 'one,two,three,alice'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And 'bob' should not be an admin for the vault item 'test/item'
+    And I can decrypt the vault item 'test/item' as 'two'
+    And the output should match /^foo: bar$/
+
+  Scenario: failed decrypt as admin
+    Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
+    Then the vault item 'test/item' should be encrypted for 'one,two,three,alice'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And 'bob' should not be an admin for the vault item 'test/item'
+    And I can't decrypt the vault item 'test/item' as 'bob'
+    And the output should contain "test/item is not encrypted with your public key"
+
+  Scenario: failed decrypt as node
+    Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two' with 'alice' as admin
+    Then the vault item 'test/item' should be encrypted for 'one,two,alice'
+    And 'one,two' should be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And 'bob' should not be an admin for the vault item 'test/item'
+    And I can't decrypt the vault item 'test/item' as 'three'
+    And the output should contain "test/item is not encrypted with your public key"

data/features/vault_update.feature

@@ -0,0 +1,17 @@
+Feature: knife vault create
+
+  'knife vault update' is used to add clients, or administrators
+  and to re-run the search query
+
+  Scenario: add admin to a vault
+    Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And I can decrypt the vault item 'test/item' as 'alice'
+    And I can't decrypt the vault item 'test/item' as 'bob'
+    And I add 'bob' as an admin for the vault item 'test/item'
+    Then 'alice,bob' should be an admin for the vault item 'test/item'
+    And I can decrypt the vault item 'test/item' as 'alice'
+    And I can decrypt the vault item 'test/item' as 'bob'