chef-vault 2.4.0 → 2.5.0

data/lib/chef/knife/vault_delete.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultDelete class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultDelete < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault delete VAULT ITEM (options)"
@@ -34,8 +33,7 @@ class Chef
             begin
               ChefVault::Item.load(vault, item).destroy
             rescue ChefVault::Exceptions::KeysNotFound,
-              ChefVault::Exceptions::ItemNotFound
-
+                   ChefVault::Exceptions::ItemNotFound
               raise ChefVault::Exceptions::ItemNotFound,
                 "#{vault}/#{item} not found."
             end

data/lib/chef/knife/vault_download.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultDownload class
-# Copyright 2014, Nordstrom, Inc.
+# Copyright 2014-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultDownload < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault download VAULT ITEM PATH (options)"

data/lib/chef/knife/vault_edit.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultEdit class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultEdit < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault edit VAULT ITEM (options)"
@@ -43,7 +42,7 @@ class Chef
             updated_vault_json = edit_data(filtered_vault_data)
 
             # Clean out contents of existing local vault_item
-            vault_item.raw_data.each do |key, value|
+            vault_item.raw_data.each do |key, _|
               vault_item.remove(key) unless key == 'id'
             end
 
@@ -54,8 +53,7 @@ class Chef
 
             vault_item.save
           rescue ChefVault::Exceptions::KeysNotFound,
-            ChefVault::Exceptions::ItemNotFound
-
+                 ChefVault::Exceptions::ItemNotFound
             raise ChefVault::Exceptions::ItemNotFound,
               "#{vault}/#{item} does not exist, "\
               "use 'knife vault create' to create."
@@ -67,4 +65,3 @@ class Chef
     end
   end
 end
-

data/lib/chef/knife/vault_list.rb

@@ -0,0 +1,53 @@
+# Description: Chef-Vault VaultShow class
+# Copyright 2013, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'chef/knife/vault_base'
+
+class Chef
+  class Knife
+    class VaultList < Knife
+      include Chef::Knife::VaultBase
+
+      banner "knife vault list (options)"
+
+      def run
+        vaultbags = []
+        # iterate over all the data bags
+        bags = Chef::DataBag.list
+        bags.each_key do |bagname|
+          vaultbags.push(bagname) if bag_is_vault?(bagname)
+        end
+        output vaultbags.join("\n")
+      end
+
+      private
+
+      def bag_is_vault?(bagname)
+        bag = Chef::DataBag.load(bagname)
+        # vaults have at even number of keys >= 2
+        return false unless bag.keys.size >= 2 && 0 == bag.keys.size % 2
+        # partition into those that end in _keys
+        keylike, notkeylike = bag.keys.partition { |k| k =~ /_keys$/ }
+        # there must be an equal number of keyline and not-keylike items
+        return false unless keylike.size == notkeylike.size
+        # strip the _keys suffix and check if the sets match
+        keylike.map! { |k| k.gsub(/_keys$/, '') }
+        return false unless keylike.sort == notkeylike.sort
+        # it's (probably) a vault
+        true
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_refresh.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultReapply class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultRefresh < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault refresh VAULT ITEM"

data/lib/chef/knife/vault_remove.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultRemove class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultRemove < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault remove VAULT ITEM VALUES (options)"
@@ -56,13 +55,11 @@ class Chef
             if values || json_file
               begin
                 json = JSON.parse(values)
-                json.each do |key, value|
+                json.each do |key, _|
                   remove_items << key
                 end
               rescue JSON::ParserError
                 remove_items = values.split(",")
-              rescue Exception => e
-                raise e
               end
 
               remove_items.each do |key|
@@ -76,8 +73,7 @@ class Chef
 
             vault_item.rotate_keys!(clean_unknown_clients)
           rescue ChefVault::Exceptions::KeysNotFound,
-            ChefVault::Exceptions::ItemNotFound
-
+                 ChefVault::Exceptions::ItemNotFound
             raise ChefVault::Exceptions::ItemNotFound,
               "#{vault}/#{item} does not exist, "\
               "use 'knife vault create' to create."

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultRotateAllKeys class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultRotateAllKeys < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault rotate all keys"
@@ -47,9 +46,8 @@ class Chef
       end
 
       def vault_items(vault)
-        Chef::DataBag.load(vault).keys.inject([]) do |array, key|
+        Chef::DataBag.load(vault).keys.each_with_object([]) do |key, array|
           array << key.sub('_keys', '') if key.match(/.+_keys$/)
-          array
         end
       end
 

data/lib/chef/knife/vault_rotate_keys.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultRotateKeys class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultRotateKeys < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault rotate keys VAULT ITEM (options)"
@@ -39,8 +38,7 @@ class Chef
             item = ChefVault::Item.load(vault, item)
             item.rotate_keys!(clean_unknown_clients)
           rescue ChefVault::Exceptions::KeysNotFound,
-            ChefVault::Exceptions::ItemNotFound
-
+                 ChefVault::Exceptions::ItemNotFound
             raise ChefVault::Exceptions::ItemNotFound,
               "#{vault}/#{item} does not exist, "\
               "use 'knife vault create' to create."

data/lib/chef/knife/vault_show.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultShow class
-# Copyright 2013, Nordstrom, Inc.
+# Copyright 2013-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,7 +18,6 @@ require 'chef/knife/vault_base'
 class Chef
   class Knife
     class VaultShow < Knife
-
       include Chef::Knife::VaultBase
 
       banner "knife vault show VAULT ITEM [VALUES] (options)"
@@ -67,14 +66,14 @@ class Chef
         end
 
         if values
-          included_values = %W( id )
+          included_values = %w(id)
 
           values.split(",").each do |value|
             value.strip! # remove white space
             included_values << value
           end
 
-          filtered_data = Hash[vault_item.raw_data.find_all{|k,v| included_values.include?(k)}]
+          filtered_data = Hash[vault_item.raw_data.find_all{|k, _| included_values.include?(k)}]
 
           output_data = filtered_data.merge(extra_data)
         else
@@ -82,7 +81,7 @@ class Chef
 
           output_data = all_data.merge(extra_data)
         end
-          output(output_data)
+        output(output_data)
       end
     end
   end

data/lib/chef/knife/vault_update.rb

@@ -1,5 +1,5 @@
 # Description: Chef-Vault VaultUpdate class
-# Copyright 2014, Nordstrom, Inc.
+# Copyright 2014-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,7 +19,6 @@ require 'chef/knife/vault_admins'
 class Chef
   class Knife
     class VaultUpdate < Knife
-
       include Chef::Knife::VaultBase
       include Chef::Knife::VaultAdmins
 
@@ -73,11 +72,11 @@ class Chef
             end
 
             if clean
-                clients = vault_item.clients().clone().sort()
-                clients.each do |client|
-                    print "Deleting #{client}\n"
-                    vault_item.keys.delete(client, "clients")
-                end
+              clients = vault_item.clients().clone().sort()
+              clients.each do |client|
+                puts "Deleting #{client}"
+                vault_item.keys.delete(client, "clients")
+              end
             end
             vault_item.search(search) if search
             vault_item.clients(search) if search
@@ -85,8 +84,7 @@ class Chef
 
             vault_item.save
           rescue ChefVault::Exceptions::KeysNotFound,
-            ChefVault::Exceptions::ItemNotFound
-
+                 ChefVault::Exceptions::ItemNotFound
             raise ChefVault::Exceptions::ItemNotFound,
               "#{vault}/#{item} does not exist, "\
               "use 'knife vault create' to create."

data/spec/chef-vault/certificate_spec.rb

@@ -21,7 +21,6 @@ RSpec.describe ChefVault::Certificate do
   end
 
   describe 'decrypt_contents' do
-
     it 'echoes warning' do
       expect(STDOUT).to receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
       cert.decrypt_contents
@@ -33,5 +32,4 @@ RSpec.describe ChefVault::Certificate do
       expect(cert.decrypt_contents).to eq 'baz'
     end
   end
-
 end

data/spec/chef-vault/item_spec.rb

@@ -1,8 +1,59 @@
+require 'openssl'
+require 'rspec/core/shared_context'
+
+# it turns out that simulating a node that doesn't have a public
+# key is not a simple thing
+module BorkedNodeWithoutPublicKey
+  extend RSpec::Core::SharedContext
+
+  before do
+    # a node 'foo' with a public key
+    node_foo = double('chef node foo')
+    allow(node_foo).to receive(:name).and_return('foo')
+    client_foo = double('chef apiclient foo')
+    allow(client_foo).to receive(:name).and_return('foo')
+    privkey = OpenSSL::PKey::RSA.new(1024)
+    pubkey = privkey.public_key
+    allow(client_foo).to receive(:public_key).and_return(pubkey.to_pem)
+    # a node 'bar' without a public key
+    node_bar = double('chef node bar')
+    allow(node_bar).to receive(:name).and_return('bar')
+    # fake out searches to return both of our nodes
+    query_result = double('chef search results')
+    allow(query_result)
+      .to receive(:search)
+      .with(Symbol, String)
+      .and_return([[node_foo, node_bar]])
+    allow(Chef::Search::Query)
+      .to receive(:new)
+      .and_return(query_result)
+    # create a new vault item
+    @vaultitem = ChefVault::Item.new('foo', 'bar')
+    @vaultitem['foo'] = 'bar'
+    # make the vault item return the apiclient for foo but raise for bar
+    allow(@vaultitem).to receive(:load_client).with('foo')
+      .and_return(client_foo)
+    allow(@vaultitem).to receive(:load_client).with('bar')
+      .and_raise(ChefVault::Exceptions::ClientNotFound)
+    # make the vault item fall back to 'load-admin-as-client' behaviour
+    http_response = double('http not found')
+    allow(http_response).to receive(:code).and_return('404')
+    http_not_found = Net::HTTPServerException.new('not found', http_response)
+    allow(ChefVault::ChefPatch::User)
+      .to receive(:load)
+      .with('foo')
+      .and_return(client_foo)
+    allow(ChefVault::ChefPatch::User)
+      .to receive(:load)
+      .with('bar')
+      .and_raise(http_not_found)
+  end
+end
+
 RSpec.describe ChefVault::Item do
   subject(:item) { ChefVault::Item.new("foo", "bar") }
 
   describe '#new' do
-
     it { should be_an_instance_of ChefVault::Item }
 
     its(:keys) { should be_an_instance_of ChefVault::ItemKeys }
@@ -23,4 +74,29 @@ RSpec.describe ChefVault::Item do
       specify { expect { item.save }.to raise_error }
     end
   end
+
+  describe '#clients' do
+    include BorkedNodeWithoutPublicKey
+
+    it 'should not blow up when search returns a node without a public key' do
+      # try to set clients when we know a node is missing a public key
+      # this should not die as of v2.4.1
+      expect { @vaultitem.clients('*:*') }.not_to raise_error
+    end
+
+    it 'should emit a warning if search returns a node without a public key' do
+      # it should however emit a warning that you have a borked node
+      expect { @vaultitem.clients('*:*') }
+        .to output(/node 'bar' has no private key; skipping/).to_stderr
+    end
+  end
+
+  describe '#admins' do
+    include BorkedNodeWithoutPublicKey
+
+    it 'should blow up if you try to use a node without a public key as an admin' do
+      expect { @vaultitem.admins('foo,bar') }
+        .to raise_error(ChefVault::Exceptions::AdminNotFound)
+    end
+  end
 end

data/spec/chef-vault/user_spec.rb

@@ -21,7 +21,6 @@ RSpec.describe ChefVault::User do
   end
 
   describe 'decrypt_password' do
-
     it 'echoes warning' do
       expect(STDOUT).to receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
       user.decrypt_password
@@ -32,5 +31,4 @@ RSpec.describe ChefVault::User do
       expect(user.decrypt_password).to eq "baz"
     end
   end
-
 end

data/spec/chef-vault_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe ChefVault do
 
       its(:vault) { should eq "foo" }
 
-      specify { expect { Chef::Config[:node_name ].should eq "bar" } }
+      specify { expect { Chef::Config[:node_name].should eq "bar" } }
     end
 
     describe '#version' do

data/spec/spec_helper.rb

@@ -1,6 +1,4 @@
-if ENV['COVERAGE']
-  require 'simplecov'
-end
+require 'simplecov' if ENV['COVERAGE']
 
 require_relative '../lib/chef-vault'