chef-vault 2.5.0 → 2.6.0

data/THEORY.md

@@ -195,7 +195,7 @@ the vault create throws an error.
 The data bag 'foo' is then fetched (or created if it does
 not already exist).  An encrypted data bag item named 'bar'
 is created, encrypted with the shared secret.  The data bag
-item is save to the Chef server.
+item is saved to the Chef server.
 
 ### Decrypting a Vault using knife
 
@@ -231,7 +231,9 @@ the server 'one'.
 
 Assuming that the recipe contains code such as this:
 
-    chef_gem 'chef-vault'
+    chef_gem 'chef-vault' do
+      compile_time true if respond_to?(:compile_time)
+    end
     require 'chef-vault'
     vaultitem = ChefVault::Item.load('foo', 'bar')
 

data/bin/chef-vault

@@ -89,9 +89,9 @@ require 'chef-vault'
 ChefVault.load_config(options[:chef])
 item = ChefVault::Item.load(options[:vault], options[:item])
 
-puts "#{options[:vault]}/#{options[:item]}"
+$stdout.puts "#{options[:vault]}/#{options[:item]}"
 
 options[:values].split(",").each do |value|
   value.strip! # remove white space
-  puts("\t#{value}: #{item[value]}")
+  $stdout.puts("\t#{value}: #{item[value]}")
 end

data/chef-vault.gemspec

@@ -35,12 +35,12 @@ Gem::Specification.new do |s|
   s.executables      = %w( chef-vault )
 
   s.add_development_dependency 'rake', '~> 10.4'
-  s.add_development_dependency 'rspec', '~> 3.1'
+  s.add_development_dependency 'rspec', '~> 3.2'
   s.add_development_dependency 'rspec-its', '~> 1.1'
   s.add_development_dependency 'aruba', '~> 0.6'
   s.add_development_dependency 'simplecov', '~> 0.9'
   s.add_development_dependency 'simplecov-console', '~> 0.2'
-  s.add_development_dependency 'rubocop', '~> 0.29'
+  s.add_development_dependency 'rubocop', '~> 0.30'
   # Chef 12 and higher pull in Ohai 8, which needs Ruby v2
   # so only in the case of a CI build on ruby v1, we constrain
   # chef to 11 or lower so that we can maintain CI test coverage

data/features/clean_on_refresh.feature

@@ -0,0 +1,28 @@
+Feature: clean unknown clients on vault refresh
+
+  When refreshing a vault, new clients may be added if they match
+  the search query or client list, but old clients that no longer
+  exist will never be removed.  The --clean-unknown-clients switch
+  will cause cause any unknown clients to be removed from the vault
+  item's access list as well
+
+  Scenario: Refresh without clean option
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And I delete client 'one' from the Chef server
+    And I refresh the vault item 'test/item'
+    And the vault item 'test/item' should be encrypted for 'one,two,three'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+
+  Scenario: Refresh with clean option
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And I delete client 'one' from the Chef server
+    And I refresh the vault item 'test/item' with the 'clean-unknown-clients' option
+    Then the output should contain "Removing unknown client 'one'"
+    And the vault item 'test/item' should be encrypted for 'two,three'
+    And the vault item 'test/item' should not be encrypted for 'one'
+    And 'two,three' should be a client for the vault item 'test/item'
+    And 'one' should not be a client for the vault item 'test/item'

data/features/isvault.feature

@@ -0,0 +1,24 @@
+Feature: determine if a data bag item is a vault
+
+  If a data bag item is a vault, 'knife vault isvault VAULTNAME ITEMNAME'
+  should exit 0.  Otherwise it should exit 1.
+
+  Scenario: detect vault item
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    And I check if the data bag item 'test/item' is a vault
+    Then the exit status should be 0
+
+  Scenario: detect non-vault item (encrypted data bag)
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create an empty data bag 'test'
+    And I create an encrypted data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}' with the secret 'sekrit'
+    And I check if the data bag item 'test/item' is a vault
+    Then the exit status should not be 0
+
+  Scenario: detect non-vault item (normal data bag)
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create an empty data bag 'test'
+    And I create a data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}'
+    And I check if the data bag item 'test/item' is a vault
+    Then the exit status should not be 0

data/features/itemtype.feature

@@ -0,0 +1,25 @@
+Feature: determine the type of a data bag item
+
+  'knife vault itemtype VAULTNAME ITEMNAME' should output one of
+  'normal', 'encrypted', or 'vault' depending on what type of item
+  it detects
+
+  Scenario: detect vault item
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    And I check the type of the data bag item 'test/item'
+    Then the output should match /^vault$/
+
+  Scenario: detect non-vault item (encrypted data bag)
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create an empty data bag 'test'
+    And I create an encrypted data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}' with the secret 'sekrit'
+    And I check the type of the data bag item 'test/item'
+    Then the output should match /^encrypted$/
+
+  Scenario: detect non-vault item (normal data bag)
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create an empty data bag 'test'
+    And I create a data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}'
+    And I check the type of the data bag item 'test/item'
+    Then the output should match /^normal$/

data/features/step_definitions/chef-databag.rb

@@ -3,3 +3,7 @@ When /^I create a data bag '(.+)' containing the JSON '(.+)'$/ do |bag, json|
   run_simple "knife data bag create #{bag} -z -c knife.rb -d"
   run_simple "knife data bag from_file #{bag} -z -c knife.rb item.json"
 end
+
+Given(/^I create an empty data bag '(.+)'$/) do |databag|
+  run_simple "knife data bag create #{databag} -z -c knife.rb", false
+end

data/features/step_definitions/chef-vault.rb

@@ -28,6 +28,15 @@ Given(/^I rotate all keys with the '(.+)' options?$/) do |optionlist|
   run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
 end
 
+Given(/^I refresh the vault item '(.+)\/(.+)'$/) do |vault, item|
+  run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z"
+end
+
+Given(/^I refresh the vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z #{options}"
+end
+
 Given(/^I try to decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |vault, item, node|
   run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem", false
 end
@@ -93,3 +102,15 @@ end
 Given(/^I add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |newadmin, vault, item|
   run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}"
 end
+
+Given(/^I show the keys of the vault '(.+)'$/) do |vault|
+  run_simple "knife vault show #{vault} -c knife.rb -z"
+end
+
+Given(/^I check if the data bag item '(.+)\/(.+)' is a vault$/) do |vault, item|
+  run_simple "knife vault isvault #{vault} #{item} -c knife.rb -z", false
+end
+
+Given(/^I check the type of the data bag item '(.+)\/(.+)'$/) do |vault, item|
+  run_simple "knife vault itemtype #{vault} #{item} -c knife.rb -z"
+end

data/features/step_definitions/chef_databagitem.rb

@@ -0,0 +1,9 @@
+Given(/^I create a data bag item '(.+)\/(.+)' containing the JSON '(.+)'$/) do |databag, _, json|
+  write_file 'item.json', json
+  run_simple "knife data bag from file #{databag} item.json -z -c knife.rb", false
+end
+
+Given(/^I create an encrypted data bag item '(.+)\/(.+)' containing the JSON '(.+)' with the secret '(.+)'$/) do |databag, _, json, secret|
+  write_file 'item.json', json
+  run_simple "knife data bag from file #{databag} item.json -s #{secret} -z -c knife.rb", false
+end

data/features/vault_show_vaultname.feature

@@ -0,0 +1,22 @@
+Feature: knife vault show [VAULTNAME]
+
+  'knife vault show [VAULTNAME]' displays the keys of a vault
+  (i.e. the items that are not suffixed with _keys)
+
+  Scenario: show keys of a vault
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    And I create a vault item 'test/item2' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+    And I show the keys of the vault 'test'
+    Then the output should match /(?m:^item$)/
+    And the output should match /(?m:^item2$)/
+    And the output should not match /(?m:^item_keys$)/
+    And the output should not match /(?m:^item2_keys$)/
+
+  Scenario: show keys of a data bag that is not a vault
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a data bag 'notavault' containing the JSON '{"id": "item", "foo": "bar"}'
+    And I show the keys of the vault 'notavault'
+    Then the output should match /data bag notavault is not a chef-vault/

data/features/vault_update.feature

@@ -1,4 +1,4 @@
-Feature: knife vault create
+Feature: knife vault update
 
   'knife vault update' is used to add clients, or administrators
   and to re-run the search query

data/features/verify_id_matches.feature

@@ -0,0 +1,11 @@
+Feature: knife vault create with mismatched ID
+
+  'knife vault create' creates a vault.  A JSON file can be passed
+  on the command line.  If the vault ID specified on the command line
+  does not match the value of the 'id' key in the JSON file, knife
+  should throw an error
+
+  Scenario: create vault from JSON file with mismatched ID
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"id": "eyetem"}' encrypted for 'one,two,three'
+    Then the output should match /id mismatch - input JSON has id 'eyetem' but vault item has id 'item'/

data/lib/chef-vault/certificate.rb

@@ -24,7 +24,7 @@ class ChefVault
     end
 
     def decrypt_contents
-      puts "WARNING: This method is deprecated, please switch to item['value'] calls"
+      $stdout.puts "WARNING: This method is deprecated, please switch to item['value'] calls"
       @item["contents"]
     end
   end

data/lib/chef-vault/exceptions.rb

@@ -45,5 +45,8 @@ class ChefVault
 
     class SearchNotFound < Exceptions
     end
+
+    class IdMismatch < Exceptions
+    end
   end
 end

data/lib/chef-vault/item.rb

@@ -18,16 +18,52 @@ require 'securerandom'
 
 class ChefVault
   class Item < Chef::DataBagItem
+    # @!attribute [rw] keys
+    #   @return [ChefVault::ItemKeys] the keys associated with this vault
     attr_accessor :keys
+
+    # @!attribute [rw] encrypted_data_bag_item
+    #   @return [nil] this attribute is not currently used
     attr_accessor :encrypted_data_bag_item
 
-    def initialize(vault, name)
+    # @!attribute [rw] node_name
+    #   @return [String] the node name that is used to decrypt secrets.
+    #     Defaults to the value of Chef::Config[:node_name]
+    attr_accessor :node_name
+
+    # @!attribute [rw] client_key_path
+    #   @return [String] the path to the private key that is used to
+    #     decrypt secrets.  Defaults to the value of Chef::Config[:client_key]
+    attr_accessor :client_key_path
+
+    # returns the raw keys of the underlying Chef::DataBagItem.  chef-vault v2
+    # defined #keys as a public accessor that returns the ChefVault::ItemKeys
+    # object for the vault.  Ideally, #keys would provide Hash-like behaviour
+    # as it does for Chef::DataBagItem, but this would break the API.  We will
+    # revisit this as part of the 3.x rewrite
+    def_delegator :@raw_data, :keys, :raw_keys
+
+    # constructs a new ChefVault::Item
+    # @param vault [String] the name of the data bag that contains the vault
+    # @param name [String] the name of the item in the vault
+    # @param opts [Hash]
+    # @option opts [String] :node_name  the name of the node to decrypt secrets
+    #   as. Defaults to the :node_name value of Chef::Config
+    # @option opts [String] :client_key_path the name of the node to decrypt
+    #   secrets as.  Defaults to the :client_key value of Chef::Config
+    def initialize(vault, name, opts = {})
       super() # Don't pass parameters
       @data_bag = vault
       @raw_data["id"] = name
       @keys = ChefVault::ItemKeys.new(vault, "#{name}_keys")
       @secret = generate_secret
       @encrypted = false
+      opts = {
+        :node_name => Chef::Config[:node_name],
+        :client_key_path => Chef::Config[:client_key]
+      }.merge(opts)
+      @node_name = opts[:node_name]
+      @client_key_path = opts[:client_key_path]
     end
 
     def load_keys(vault, keys)
@@ -35,23 +71,24 @@ class ChefVault
       @secret = secret
     end
 
-    def clients(search=nil, action=:add)
-      if search
+    def clients(search_or_client=nil, action=:add)
+      if search_or_client.is_a?(Chef::ApiClient)
+        handle_client_action(search_or_client, action)
+      elsif search_or_client
         results_returned = false
-
         query = Chef::Search::Query.new
-        query.search(:node, search)[0].each do |node|
+        query.search(:node, search_or_client)[0].each do |node|
           results_returned = true
-
           case action
           when :add
             begin
-              keys.add(load_client(node.name), @secret, "clients")
+              client = load_client(node.name)
+              add_client(client)
             rescue ChefVault::Exceptions::ClientNotFound
-              $stderr.puts "node '#{node.name}' has no private key; skipping"
+              $stdout.puts "node '#{node.name}' has no private key; skipping"
             end
           when :delete
-            keys.delete(node.name, "clients")
+            delete_client_or_node(node)
           else
             raise ChefVault::Exceptions::KeysActionNotValid,
               "#{action} is not a valid action"
@@ -59,7 +96,7 @@ class ChefVault
         end
 
         unless results_returned
-          puts "WARNING: No clients were returned from search, you may not have "\
+          $stdout.puts "WARNING: No clients were returned from search, you may not have "\
             "got what you expected!!"
         end
       else
@@ -99,10 +136,10 @@ class ChefVault
     end
 
     def secret
-      if @keys.include?(Chef::Config[:node_name])
-        private_key = OpenSSL::PKey::RSA.new(open(Chef::Config[:client_key]).read())
+      if @keys.include?(@node_name)
+        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read())
         begin
-          private_key.private_decrypt(Base64.decode64(@keys[Chef::Config[:node_name]]))
+          private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
         rescue OpenSSL::PKey::RSAError
           raise ChefVault::Exceptions::SecretDecryption,
             "#{data_bag}/#{id} is encrypted for you, but your private key failed to decrypt the contents.  "\
@@ -159,6 +196,14 @@ class ChefVault
       # validate the format of the id before attempting to save
       validate_id!(item_id)
 
+      # ensure that the ID of the vault hasn't changed since the keys
+      # data bag item was created
+      keys_id = keys['id'].match(/^(.+)_keys/)[1]
+      if keys_id != item_id
+        raise ChefVault::Exceptions::IdMismatch,
+          "id mismatch - input JSON has id '#{item_id}' but vault item has id '#{keys_id}'"
+      end
+
       # save the keys first, raising an error if no keys were defined
       if keys.admins.empty? && keys.clients.empty?
         raise ChefVault::Exceptions::NoKeysDefined,
@@ -218,8 +263,11 @@ class ChefVault
       end
     end
 
-    def self.load(vault, name)
-      item = new(vault, name)
+    # loads an existing vault item
+    # @param (see #initialize)
+    # @option (see #initialize)
+    def self.load(vault, name, opts = {})
+      item = new(vault, name, opts)
       item.load_keys(vault, "#{name}_keys")
 
       begin
@@ -240,6 +288,74 @@ class ChefVault
       item
     end
 
+    # determines if a data bag item looks like a vault
+    # @param vault [String] the name of the data bag
+    # @param name [String] the name of the item in the data bag
+    # @return [Boolean] true if the data bag item looks like a vault
+    def self.vault?(vault, name)
+      :vault == data_bag_item_type(vault, name)
+    end
+
+    # determines whether a data bag item is a vault, an encrypted
+    # data bag item, or a normal data bag item. An item is a vault
+    # if:
+    #
+    # a) the data bag item contains at least one key whose value is
+    #   an hash with the key 'encrypted data'
+    # b) the data bag that contains the item contains a second item
+    #   suffixed with _keys
+    #
+    # if a) is false, the item is a normal data bag
+    # if a) and b) are true, the item is a vault
+    # if a) is true but b) is false, the item is an encrypted data
+    #   bag item
+    # @param vault [String] the name of the data bag
+    # @param name [String] the name of the item in the data bag
+    # @return [Symbol] one of :vault, :encrypted or :normal
+    def self.data_bag_item_type(vault, name)
+      # adapted from https://github.com/opscode-cookbooks/chef-vault/blob/v1.3.0/libraries/chef_vault_item.rb
+      # and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
+      dbi = Chef::DataBagItem.load(vault, name)
+      encrypted = dbi.detect do |_, v|
+        v.is_a?(Hash) && v.key?('encrypted_data')
+      end
+
+      # return a symbol describing the type of item we detected
+      case
+      when encrypted && Chef::DataBag.load(vault).key?("#{name}_keys")
+        :vault
+      when encrypted
+        :encrypted
+      else
+        :normal
+      end
+    end
+
+    # refreshes a vault by re-processing the search query and
+    # adding a secret for any nodes found (including new ones)
+    # @param clean_unknown_clients [Boolean] remove clients that can
+    #   no longer be found
+    # @return [void]
+    def refresh(clean_unknown_clients = false)
+      unless search
+        raise ChefVault::Exceptions::SearchNotFound,
+              "#{vault}/#{item} does not have a stored search_query, "\
+              'probably because it was created with an older version '\
+              "of chef-vault. Use 'knife vault update' to update the "\
+              'databag with the search query.'
+      end
+
+      # a bit of a misnomer; this doesn't remove unknown
+      # admins, just clients which are nodes
+      remove_unknown_nodes if clean_unknown_clients
+
+      # re-process the search query to add new clients
+      clients(search)
+
+      # save the updated vault
+      save
+    end
+
     private
 
     def encrypt!
@@ -261,7 +377,7 @@ class ChefVault
       rescue Net::HTTPServerException => http_error
         if http_error.response.code == "404"
           begin
-            puts "WARNING: #{admin} not found in users, trying clients."
+            $stdout.puts "WARNING: #{admin} not found in users, trying clients."
             admin = load_client(admin)
           rescue ChefVault::Exceptions::ClientNotFound
             raise ChefVault::Exceptions::AdminNotFound,
@@ -291,7 +407,7 @@ class ChefVault
     end
 
     # removes unknown nodes by performing a node search
-    # for each of the existing nodclientses.  If the search
+    # for each of the existing clients.  If the search
     # returns nothing or the client cannot be loaded, then
     # we remove that client from the vault
     # @return [void]
@@ -304,7 +420,7 @@ class ChefVault
       end
       # now delete any flagged clients from the keys data bag
       clients_to_remove.each do |client|
-        puts "Removing unknown client '#{client}'"
+        $stdout.puts "Removing unknown client '#{client}'"
         keys.delete(client, "clients")
       end
     end
@@ -340,5 +456,32 @@ class ChefVault
       end
       true
     end
+
+    # adds or deletes an API client from the vault item keys
+    # @param client [Chef::ApiClient] the API client to operate on
+    # @param action [Symbol] :add or :delete
+    # @return [void]
+    def handle_client_action(client, action)
+      case action
+      when :add
+        add_client(client)
+      when :delete
+        delete_client_or_node(client)
+      end
+    end
+
+    # adds a client to the vault item keys
+    # @param client [Chef::ApiClient] the API client to add
+    # @return [void]
+    def add_client(client)
+      keys.add(client, @secret, 'clients')
+    end
+
+    # removes a client to the vault item keys
+    # @param client_or_node [Chef::ApiClient,Chef::Node] the API client or node to remove
+    # @return [void]
+    def delete_client_or_node(client_or_node)
+      keys.delete(client_or_node.name, 'clients')
+    end
   end
 end