chef-vault 2.4.0 → 2.5.0
- checksums.yaml +4 -4
- data/.rubocop.yml +1 -0
- data/.rubocop_todo.yml +97 -0
- data/Changelog.md +34 -0
- data/DEMO.md +13 -6
- data/README.md +9 -4
- data/Rakefile +47 -10
- data/THEORY.md +361 -0
- data/bin/chef-vault +5 -5
- data/chef-vault.gemspec +11 -2
- data/features/clean_unknown_clients.feature +28 -3
- data/features/step_definitions/chef-databag.rb +5 -0
- data/features/step_definitions/chef-repo.rb +46 -8
- data/features/step_definitions/chef-vault.rb +69 -15
- data/features/support/env.rb +2 -2
- data/features/vault_create.feature +54 -0
- data/features/vault_list.feature +26 -0
- data/features/vault_show.feature +46 -0
- data/features/vault_update.feature +17 -0
- data/features/wrong_private_key.feature +14 -0
- data/lib/chef-vault.rb +0 -1
- data/lib/chef-vault/certificate.rb +1 -1
- data/lib/chef-vault/chef_patch/api_client.rb +1 -1
- data/lib/chef-vault/chef_patch/user.rb +1 -1
- data/lib/chef-vault/exceptions.rb +33 -12
- data/lib/chef-vault/item.rb +262 -209
- data/lib/chef-vault/item_keys.rb +90 -88
- data/lib/chef-vault/user.rb +1 -1
- data/lib/chef-vault/version.rb +2 -2
- data/lib/chef/knife/decrypt.rb +1 -2
- data/lib/chef/knife/encrypt_create.rb +1 -2
- data/lib/chef/knife/encrypt_delete.rb +1 -2
- data/lib/chef/knife/encrypt_remove.rb +1 -2
- data/lib/chef/knife/encrypt_rotate_keys.rb +1 -2
- data/lib/chef/knife/encrypt_update.rb +1 -2
- data/lib/chef/knife/mixin/compat.rb +3 -3
- data/lib/chef/knife/mixin/helper.rb +6 -8
- data/lib/chef/knife/vault_admins.rb +1 -2
- data/lib/chef/knife/vault_base.rb +2 -2
- data/lib/chef/knife/vault_create.rb +3 -4
- data/lib/chef/knife/vault_decrypt.rb +3 -4
- data/lib/chef/knife/vault_delete.rb +2 -4
- data/lib/chef/knife/vault_download.rb +1 -2
- data/lib/chef/knife/vault_edit.rb +3 -6
- data/lib/chef/knife/vault_list.rb +53 -0
- data/lib/chef/knife/vault_refresh.rb +1 -2
- data/lib/chef/knife/vault_remove.rb +3 -7
- data/lib/chef/knife/vault_rotate_all_keys.rb +2 -4
- data/lib/chef/knife/vault_rotate_keys.rb +2 -4
- data/lib/chef/knife/vault_show.rb +4 -5
- data/lib/chef/knife/vault_update.rb +7 -9
- data/spec/chef-vault/certificate_spec.rb +0 -2
- data/spec/chef-vault/item_spec.rb +77 -1
- data/spec/chef-vault/user_spec.rb +0 -2
- data/spec/chef-vault_spec.rb +1 -1
- data/spec/spec_helper.rb +1 -3
- metadata +38 -14
data/lib/chef-vault/item_keys.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
# Author:: Kevin Moser <kevin.moser@nordstrom.com>
|
2
|
-
# Copyright:: Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright:: Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
# License:: Apache License, Version 2.0
|
4
4
|
|
5
5
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
@@ -14,117 +14,119 @@
|
|
14
14
|
# See the License for the specific language governing permissions and
|
15
15
|
# limitations under the License.
|
16
16
|
|
17
|
-
class ChefVault
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
17
|
+
class ChefVault
|
18
|
+
class ItemKeys < Chef::DataBagItem
|
19
|
+
def initialize(vault, name)
|
20
|
+
super() # parenthesis required to strip off parameters
|
21
|
+
@data_bag = vault
|
22
|
+
@raw_data["id"] = name
|
23
|
+
@raw_data["admins"] = []
|
24
|
+
@raw_data["clients"] = []
|
25
|
+
@raw_data["search_query"] = []
|
26
|
+
end
|
26
27
|
|
27
|
-
|
28
|
-
|
29
|
-
|
28
|
+
def include?(key)
|
29
|
+
@raw_data.keys.include?(key)
|
30
|
+
end
|
30
31
|
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
32
|
+
def add(chef_client, data_bag_shared_secret, type)
|
33
|
+
public_key = OpenSSL::PKey::RSA.new chef_client.public_key
|
34
|
+
self[chef_client.name] =
|
35
|
+
Base64.encode64(public_key.public_encrypt(data_bag_shared_secret))
|
35
36
|
|
36
|
-
|
37
|
-
|
38
|
-
|
37
|
+
@raw_data[type] << chef_client.name unless @raw_data[type].include?(chef_client.name)
|
38
|
+
@raw_data[type]
|
39
|
+
end
|
39
40
|
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
41
|
+
def delete(chef_client, type)
|
42
|
+
raw_data.delete(chef_client)
|
43
|
+
raw_data[type].delete(chef_client)
|
44
|
+
end
|
44
45
|
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
46
|
+
def search_query(search_query=nil)
|
47
|
+
if search_query
|
48
|
+
@raw_data["search_query"] = search_query
|
49
|
+
else
|
50
|
+
@raw_data["search_query"]
|
51
|
+
end
|
50
52
|
end
|
51
|
-
end
|
52
53
|
|
53
|
-
|
54
|
-
|
55
|
-
|
54
|
+
def clients
|
55
|
+
@raw_data["clients"]
|
56
|
+
end
|
56
57
|
|
57
|
-
|
58
|
-
|
59
|
-
|
58
|
+
def admins
|
59
|
+
@raw_data["admins"]
|
60
|
+
end
|
60
61
|
|
61
|
-
|
62
|
-
|
63
|
-
|
64
|
-
|
65
|
-
|
62
|
+
def save(item_id=@raw_data['id'])
|
63
|
+
if Chef::Config[:solo]
|
64
|
+
data_bag_path = File.join(Chef::Config[:data_bag_path],
|
65
|
+
data_bag)
|
66
|
+
data_bag_item_path = File.join(data_bag_path, item_id)
|
66
67
|
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
|
68
|
+
FileUtils.mkdir(data_bag_path) unless File.exist?(data_bag_path)
|
69
|
+
File.open("#{data_bag_item_path}.json", 'w') do |file|
|
70
|
+
file.write(JSON.pretty_generate(raw_data))
|
71
|
+
end
|
71
72
|
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
77
|
-
|
78
|
-
|
79
|
-
|
80
|
-
|
73
|
+
raw_data
|
74
|
+
else
|
75
|
+
begin
|
76
|
+
Chef::DataBag.load(data_bag)
|
77
|
+
rescue Net::HTTPServerException => http_error
|
78
|
+
if http_error.response.code == "404"
|
79
|
+
chef_data_bag = Chef::DataBag.new
|
80
|
+
chef_data_bag.name data_bag
|
81
|
+
chef_data_bag.create
|
82
|
+
end
|
81
83
|
end
|
82
|
-
end
|
83
84
|
|
84
|
-
|
85
|
+
super
|
86
|
+
end
|
85
87
|
end
|
86
|
-
end
|
87
88
|
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
92
|
-
|
89
|
+
def destroy
|
90
|
+
if Chef::Config[:solo]
|
91
|
+
data_bag_path = File.join(Chef::Config[:data_bag_path],
|
92
|
+
data_bag)
|
93
|
+
data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
|
93
94
|
|
94
|
-
|
95
|
+
FileUtils.rm("#{data_bag_item_path}.json")
|
95
96
|
|
96
|
-
|
97
|
-
|
98
|
-
|
97
|
+
nil
|
98
|
+
else
|
99
|
+
super(data_bag, id)
|
100
|
+
end
|
99
101
|
end
|
100
|
-
end
|
101
102
|
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
103
|
+
def to_json(*a)
|
104
|
+
json = super
|
105
|
+
json.gsub(self.class.name, self.class.superclass.name)
|
106
|
+
end
|
106
107
|
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
108
|
+
def self.from_data_bag_item(data_bag_item)
|
109
|
+
item = new(data_bag_item.data_bag, data_bag_item.name)
|
110
|
+
item.raw_data = data_bag_item.raw_data
|
111
|
+
item
|
112
|
+
end
|
112
113
|
|
113
|
-
|
114
|
-
|
115
|
-
|
116
|
-
|
117
|
-
|
114
|
+
def self.load(vault, name)
|
115
|
+
begin
|
116
|
+
data_bag_item = Chef::DataBagItem.load(vault, name)
|
117
|
+
rescue Net::HTTPServerException => http_error
|
118
|
+
if http_error.response.code == "404"
|
119
|
+
raise ChefVault::Exceptions::KeysNotFound,
|
120
|
+
"#{vault}/#{name} could not be found"
|
121
|
+
else
|
122
|
+
raise http_error
|
123
|
+
end
|
124
|
+
rescue Chef::Exceptions::ValidationFailed
|
118
125
|
raise ChefVault::Exceptions::KeysNotFound,
|
119
126
|
"#{vault}/#{name} could not be found"
|
120
|
-
else
|
121
|
-
raise http_error
|
122
127
|
end
|
123
|
-
rescue Chef::Exceptions::ValidationFailed
|
124
|
-
raise ChefVault::Exceptions::KeysNotFound,
|
125
|
-
"#{vault}/#{name} could not be found"
|
126
|
-
end
|
127
128
|
|
128
|
-
|
129
|
+
from_data_bag_item(data_bag_item)
|
130
|
+
end
|
129
131
|
end
|
130
132
|
end
|
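Review bot: In `save`, the server-mode `rescue Net::HTTPServerException => http_error` only acts on a `"404"` and silently swallows every other HTTP failure (an authorization or server error, say) before falling through to `super`, unlike `self.load` further down in the same hunk, which re-raises; add `else raise http_error` after the create branch so those errors surface with their original response instead of a less specific failure later. `add` calls `public_key.public_encrypt(data_bag_shared_secret)` with OpenSSL's default PKCS#1 v1.5 padding; OAEP (`OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING`) is the safer choice, but the decrypting side lives outside this file, so that is a coordinated change with re-encryption of existing items rather than a local edit. `add` takes a client object and reads `.name`, while `delete` takes the bare name string and raises NoMethodError on `raw_data[type].delete` if `type` is not one of the `"admins"`/`"clients"` keys set up in `initialize`; a YARD `@param` on each method stating this asymmetry would help callers. The `to_json` override rewrites every occurrence of the class name in the serialized output with `gsub`, which also touches any value that happens to contain that string.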
data/lib/chef-vault/user.rb
CHANGED
data/lib/chef-vault/version.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: ChefVault VERSION file
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -14,6 +14,6 @@
|
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
16
|
class ChefVault
|
17
|
-
VERSION = "2.
|
17
|
+
VERSION = "2.5.0"
|
18
18
|
MAJOR, MINOR, TINY = VERSION.split('.')
|
19
19
|
end
|
data/lib/chef/knife/decrypt.rb
CHANGED
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault Decrypt class
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef/knife/vault_decrypt'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
class Decrypt < VaultDecrypt
|
22
|
-
|
23
22
|
include Knife::VaultBase
|
24
23
|
|
25
24
|
banner "knife decrypt VAULT ITEM [VALUES] (options)"
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault EncryptCreate class
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef/knife/vault_create'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
class EncryptCreate < VaultCreate
|
22
|
-
|
23
22
|
include Knife::VaultBase
|
24
23
|
|
25
24
|
banner "knife encrypt create VAULT ITEM VALUES (options)"
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault EncryptDelete class
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef/knife/vault_delete'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
class EncryptDelete < VaultDelete
|
22
|
-
|
23
22
|
include Knife::VaultBase
|
24
23
|
|
25
24
|
banner "knife encrypt delete VAULT ITEM (options)"
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault EncryptRemove class
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef/knife/vault_remove'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
class EncryptRemove < VaultRemove
|
22
|
-
|
23
22
|
include Knife::VaultBase
|
24
23
|
|
25
24
|
banner "knife encrypt remove VAULT ITEM VALUES (options)"
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault EncryptRotateKeys class
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef/knife/vault_rotate_keys'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
class EncryptRotateKeys < VaultRotateKeys
|
22
|
-
|
23
22
|
include Knife::VaultBase
|
24
23
|
|
25
24
|
banner "knife encrypt rotate keys VAULT ITEM (options)"
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault EncryptUpdate class
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef/knife/vault_update'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
class EncryptUpdate < VaultUpdate
|
22
|
-
|
23
22
|
include Knife::VaultBase
|
24
23
|
|
25
24
|
option :search,
|
@@ -13,17 +13,17 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
# Make a wraper to chef10/11 "shef/shell" changes
|
16
|
+
# Make a wraper to chef10/11 "shef/shell" changes
|
17
17
|
|
18
18
|
class ChefVault
|
19
19
|
module Mixin
|
20
20
|
module KnifeCompat
|
21
21
|
require 'chef/version'
|
22
22
|
def extend_context_object(obj)
|
23
|
-
if Chef::VERSION.to_i >= 11
|
23
|
+
if Chef::VERSION.to_i >= 11
|
24
24
|
require "chef/shell/ext"
|
25
25
|
Shell::Extensions.extend_context_object(obj)
|
26
|
-
else
|
26
|
+
else
|
27
27
|
require 'chef/shef/ext'
|
28
28
|
Shef::Extensions.extend_context_object(obj)
|
29
29
|
end
|
@@ -28,23 +28,21 @@ class ChefVault
|
|
28
28
|
values = {}
|
29
29
|
values.merge!(values_from_file(file)) if file
|
30
30
|
values.merge!(values_from_json(json)) if json
|
31
|
-
|
31
|
+
|
32
32
|
values
|
33
33
|
end
|
34
34
|
|
35
35
|
def values_from_file(file)
|
36
|
-
json = File.open(file){ |
|
36
|
+
json = File.open(file){ |fh| fh.read() }
|
37
37
|
|
38
38
|
values_from_json(json)
|
39
39
|
end
|
40
40
|
|
41
41
|
def values_from_json(json)
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
raise JSON::ParserError, "#{json} is not valid JSON!"
|
46
|
-
end
|
42
|
+
JSON.parse(json)
|
43
|
+
rescue JSON::ParserError
|
44
|
+
raise JSON::ParserError, "#{json} is not valid JSON!"
|
47
45
|
end
|
48
46
|
end
|
49
47
|
end
|
50
|
-
end
|
48
|
+
end
|
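Review bot: `values_from_json` embeds the entire raw input in the exception message, `raise JSON::ParserError, "#{json} is not valid JSON!"`, so a malformed JSON argument or file echoes its payload — which on the vault create/update paths is the secret being stored — into the terminal, logs and any captured stack trace; prefer a message without the payload, e.g. `raise JSON::ParserError, "supplied value is not valid JSON!"`, and if parser context is wanted rescue into `=> e` and append `e.message` rather than the input. The method-level `rescue` form introduced here is otherwise a clean simplification. In `values_from_file`, `File.open(file){ |fh| fh.read() }` can simply be `File.read(file)`. The enclosing module starts and ends outside the hunk.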
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault VaultAdmins module
|
2
|
-
# Copyright 2014, Nordstrom, Inc.
|
2
|
+
# Copyright 2014-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef-vault'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
module VaultAdmins
|
22
|
-
|
23
22
|
private
|
24
23
|
|
25
24
|
def admins
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault VaultBase module
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -33,7 +33,7 @@ class Chef
|
|
33
33
|
:short => '-M MODE',
|
34
34
|
:long => '--mode MODE',
|
35
35
|
:description => 'Chef mode to run in default - solo',
|
36
|
-
:proc =>
|
36
|
+
:proc => proc { |i| Chef::Config[:knife][:vault_mode] = i }
|
37
37
|
end
|
38
38
|
end
|
39
39
|
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault VaultCreate class
|
2
|
-
# Copyright 2014, Nordstrom, Inc.
|
2
|
+
# Copyright 2014-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -19,7 +19,6 @@ require 'chef/knife/vault_admins'
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
21
21
|
class VaultCreate < Knife
|
22
|
-
|
23
22
|
include Chef::Knife::VaultBase
|
24
23
|
include Chef::Knife::VaultAdmins
|
25
24
|
|
@@ -62,7 +61,7 @@ class Chef
|
|
62
61
|
"use 'knife vault remove' 'knife vault update' "\
|
63
62
|
"or 'knife vault edit' to make changes."
|
64
63
|
rescue ChefVault::Exceptions::KeysNotFound,
|
65
|
-
|
64
|
+
ChefVault::Exceptions::ItemNotFound
|
66
65
|
vault_item = ChefVault::Item.new(vault, item)
|
67
66
|
|
68
67
|
if values || json_file || file
|
@@ -75,7 +74,7 @@ class Chef
|
|
75
74
|
vault_item["file-content"] = File.open(file) { |f| f.read() }
|
76
75
|
end
|
77
76
|
else
|
78
|
-
vault_json = edit_data(
|
77
|
+
vault_json = edit_data({})
|
79
78
|
vault_json.each do |key, value|
|
80
79
|
vault_item[key] = value
|
81
80
|
end
|
@@ -1,5 +1,5 @@
|
|
1
1
|
# Description: Chef-Vault VaultDecrypt class
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
2
|
+
# Copyright 2013-15, Nordstrom, Inc.
|
3
3
|
|
4
4
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
5
|
# you may not use this file except in compliance with the License.
|
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
20
20
|
class VaultDecrypt < Knife
|
21
|
-
|
22
21
|
include Chef::Knife::VaultBase
|
23
22
|
|
24
23
|
banner "knife vault decrypt VAULT ITEM [VALUES] (options)"
|
@@ -42,14 +41,14 @@ class Chef
|
|
42
41
|
vault_item = ChefVault::Item.load(vault, item).raw_data
|
43
42
|
|
44
43
|
if values
|
45
|
-
included_values = %
|
44
|
+
included_values = %w(id)
|
46
45
|
|
47
46
|
values.split(",").each do |value|
|
48
47
|
value.strip! # remove white space
|
49
48
|
included_values << value
|
50
49
|
end
|
51
50
|
|
52
|
-
output(Hash[vault_item.find_all{|k,
|
51
|
+
output(Hash[vault_item.find_all{|k, _| included_values.include?(k)}])
|
53
52
|
else
|
54
53
|
output(vault_item)
|
55
54
|
end
|
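Review bot: The filter on the new line `output(Hash[vault_item.find_all{|k, _| included_values.include?(k)}])` builds an array of pairs only to turn it back into a Hash; `Hash#select` already returns a Hash, so `output(vault_item.select { |k, _| included_values.include?(k) })` says the same thing more directly. The loop above it that `strip!`s each value and appends can likewise be `included_values.concat(values.split(",").map(&:strip))`. A requested value name that is not a key of the item is silently dropped by that filter, so a typo yields partial output with no indication; a warning for names not found would be worth considering. The enclosing method starts outside the hunk.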