RubyGems - chef-vault - Versions diffs - 2.5.0 → 2.6.0 - Mend

chef-vault 2.5.0 → 2.6.0

Files changed (43) hide show

checksums.yaml +4 -4
data/.rubocop_todo.yml +5 -1
data/.travis.yml +5 -1
data/Changelog.md +36 -3
data/KNIFE_EXAMPLES.md +49 -74
data/README.md +166 -104
data/THEORY.md +4 -2
data/bin/chef-vault +2 -2
data/chef-vault.gemspec +2 -2
data/features/clean_on_refresh.feature +28 -0
data/features/isvault.feature +24 -0
data/features/itemtype.feature +25 -0
data/features/step_definitions/chef-databag.rb +4 -0
data/features/step_definitions/chef-vault.rb +21 -0
data/features/step_definitions/chef_databagitem.rb +9 -0
data/features/vault_show_vaultname.feature +22 -0
data/features/vault_update.feature +1 -1
data/features/verify_id_matches.feature +11 -0
data/lib/chef-vault/certificate.rb +1 -1
data/lib/chef-vault/exceptions.rb +3 -0
data/lib/chef-vault/item.rb +161 -18
data/lib/chef-vault/user.rb +1 -1
data/lib/chef-vault/version.rb +1 -1
data/lib/chef/knife/decrypt.rb +1 -1
data/lib/chef/knife/encrypt_create.rb +1 -1
data/lib/chef/knife/encrypt_delete.rb +1 -1
data/lib/chef/knife/encrypt_remove.rb +1 -1
data/lib/chef/knife/encrypt_rotate_keys.rb +1 -1
data/lib/chef/knife/encrypt_update.rb +1 -1
data/lib/chef/knife/vault_base.rb +22 -0
data/lib/chef/knife/vault_create.rb +0 -1
data/lib/chef/knife/vault_decrypt.rb +1 -1
data/lib/chef/knife/vault_isvault.rb +43 -0
data/lib/chef/knife/vault_itemtype.rb +43 -0
data/lib/chef/knife/vault_list.rb +7 -18
data/lib/chef/knife/vault_refresh.rb +6 -12
data/lib/chef/knife/vault_rotate_all_keys.rb +1 -1
data/lib/chef/knife/vault_show.rb +15 -1
data/lib/chef/knife/vault_update.rb +1 -1
data/spec/chef-vault/certificate_spec.rb +9 -2
data/spec/chef-vault/item_spec.rb +164 -3
data/spec/chef-vault/user_spec.rb +9 -2
metadata +14 -6

@@ -24,7 +24,7 @@ class ChefVault
     end
     def decrypt_password
-      puts "WARNING: This method is deprecated, please switch to item['value'] calls"
+      $stdout.puts "WARNING: This method is deprecated, please switch to item['value'] calls"
       @item["password"]
     end
   end

data/lib/chef-vault/version.rb CHANGED

@@ -14,6 +14,6 @@
 # limitations under the License.
 class ChefVault
-  VERSION = "2.5.0"
+  VERSION = '2.6.0'
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/decrypt.rb CHANGED

@@ -24,7 +24,7 @@ class Chef
       banner "knife decrypt VAULT ITEM [VALUES] (options)"
       def run
-        puts "DEPRECATION WARNING: knife decrypt is deprecated. Please use knife vault decrypt instead."
+        $stdout.puts "DEPRECATION WARNING: knife decrypt is deprecated. Please use knife vault decrypt instead."
         super
       end
     end

data/lib/chef/knife/encrypt_create.rb CHANGED

@@ -43,7 +43,7 @@ class Chef
         :description => 'File to be added to vault item as file-content'
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_delete.rb CHANGED

@@ -24,7 +24,7 @@ class Chef
       banner "knife encrypt delete VAULT ITEM (options)"
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_remove.rb CHANGED

@@ -34,7 +34,7 @@ class Chef
         :description => 'Chef users to be added as admins'
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_rotate_keys.rb CHANGED

@@ -24,7 +24,7 @@ class Chef
       banner "knife encrypt rotate keys VAULT ITEM (options)"
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_update.rb CHANGED

@@ -43,7 +43,7 @@ class Chef
       banner "knife encrypt update VAULT ITEM VALUES (options)"
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/vault_base.rb CHANGED

@@ -41,6 +41,28 @@ class Chef
         super
         exit 1
       end
+      private
+      def bag_is_vault?(bagname)
+        bag = Chef::DataBag.load(bagname)
+        # vaults have at even number of keys >= 2
+        return false unless bag.keys.size >= 2 && 0 == bag.keys.size % 2
+        # partition into those that end in _keys
+        keylike, notkeylike = split_vault_keys(bag)
+        # there must be an equal number of keyline and not-keylike items
+        return false unless keylike.size == notkeylike.size
+        # strip the _keys suffix and check if the sets match
+        keylike.map! { |k| k.gsub(/_keys$/, '') }
+        return false unless keylike.sort == notkeylike.sort
+        # it's (probably) a vault
+        true
+      end
+      def split_vault_keys(bag)
+        # partition into those that end in _keys
+        bag.keys.partition { |k| k =~ /_keys$/ }
+      end
     end
   end
 end

data/lib/chef/knife/vault_create.rb CHANGED

@@ -63,7 +63,6 @@ class Chef
           rescue ChefVault::Exceptions::KeysNotFound,
                  ChefVault::Exceptions::ItemNotFound
             vault_item = ChefVault::Item.new(vault, item)
             if values || json_file || file
               merge_values(values, json_file).each do |key, value|
                 vault_item[key] = value

data/lib/chef/knife/vault_decrypt.rb CHANGED

@@ -23,7 +23,7 @@ class Chef
       banner "knife vault decrypt VAULT ITEM [VALUES] (options)"
       def run
-        puts "DEPRECATION WARNING: knife vault decrypt is deprecated. Please use knife vault show instead."
+        $stdout.puts "DEPRECATION WARNING: knife vault decrypt is deprecated. Please use knife vault show instead."
         vault = @name_args[0]
         item = @name_args[1]
         values = @name_args[2]

data/lib/chef/knife/vault_isvault.rb ADDED

@@ -0,0 +1,43 @@
+# Description: Chef-Vault VaultIsvault class
+# Copyright 2013, Nordstrom, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require 'chef/knife/vault_base'
+class Chef
+  class Knife
+    class VaultIsvault < Knife
+      include Chef::Knife::VaultBase
+      banner "knife vault isvault VAULT ITEM (options)"
+      option :mode,
+        :short => '-M MODE',
+        :long => '--mode MODE',
+        :description => 'Chef mode to run in default - solo'
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        if vault && item
+          set_mode(config[:vault_mode])
+          exit ChefVault::Item.vault?(vault, item) ? 0 : 1
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_itemtype.rb ADDED

@@ -0,0 +1,43 @@
+# Description: Chef-Vault VaultItemtype class
+# Copyright 2013, Nordstrom, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require 'chef/knife/vault_base'
+class Chef
+  class Knife
+    class VaultItemtype < Knife
+      include Chef::Knife::VaultBase
+      banner "knife vault itemtype VAULT ITEM (options)"
+      option :mode,
+        :short => '-M MODE',
+        :long => '--mode MODE',
+        :description => 'Chef mode to run in default - solo'
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        if vault && item
+          set_mode(config[:vault_mode])
+          output ChefVault::Item.data_bag_item_type(vault, item)
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_list.rb CHANGED

@@ -1,4 +1,4 @@
-# Description: Chef-Vault VaultShow class
+# Description: Chef-Vault VaultList class
 # Copyright 2013, Nordstrom, Inc.
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,7 +22,13 @@ class Chef
       banner "knife vault list (options)"
+      option :mode,
+        :short => '-M MODE',
+        :long => '--mode MODE',
+        :description => 'Chef mode to run in default - solo'
       def run
+        set_mode(config[:vault_mode])
         vaultbags = []
         # iterate over all the data bags
         bags = Chef::DataBag.list
@@ -31,23 +37,6 @@ class Chef
         end
         output vaultbags.join("\n")
       end
-      private
-      def bag_is_vault?(bagname)
-        bag = Chef::DataBag.load(bagname)
-        # vaults have at even number of keys >= 2
-        return false unless bag.keys.size >= 2 && 0 == bag.keys.size % 2
-        # partition into those that end in _keys
-        keylike, notkeylike = bag.keys.partition { |k| k =~ /_keys$/ }
-        # there must be an equal number of keyline and not-keylike items
-        return false unless keylike.size == notkeylike.size
-        # strip the _keys suffix and check if the sets match
-        keylike.map! { |k| k.gsub(/_keys$/, '') }
-        return false unless keylike.sort == notkeylike.sort
-        # it's (probably) a vault
-        true
-      end
     end
   end
 end

data/lib/chef/knife/vault_refresh.rb CHANGED

@@ -22,27 +22,21 @@ class Chef
       banner "knife vault refresh VAULT ITEM"
+      option :clean_unknown_clients,
+        :long => '--clean-unknown-clients',
+        :description => 'Remove unknown clients during refresh'
       def run
         vault = @name_args[0]
         item = @name_args[1]
+        clean = config[:clean_unknown_clients]
         set_mode(config[:vault_mode])
         if vault && item
           begin
             vault_item = ChefVault::Item.load(vault, item)
-            search = vault_item.search
-            unless search
-              raise ChefVault::Exceptions::SearchNotFound,
-                    "#{vault}/#{item} does not have a stored search_query, "\
-                    "probably because it was created with an older version "\
-                    "of chef-vault. Use 'knife vault update' to update the "\
-                    "databag with the search query."
-            end
-            vault_item.clients(search)
-            vault_item.save
+            vault_item.refresh(clean)
           rescue ChefVault::Exceptions::KeysNotFound,
                  ChefVault::Exceptions::ItemNotFound

data/lib/chef/knife/vault_rotate_all_keys.rb CHANGED

@@ -52,7 +52,7 @@ class Chef
       end
       def rotate_vault_item_keys(vault, item, clean_unknown_clients)
-        puts "Rotating keys for: #{vault} #{item}"
+        $stdout.puts "Rotating keys for: #{vault} #{item}"
         ChefVault::Item.load(vault, item).rotate_keys!(clean_unknown_clients)
       end
     end

data/lib/chef/knife/vault_show.rb CHANGED

@@ -20,7 +20,7 @@ class Chef
     class VaultShow < Knife
       include Chef::Knife::VaultBase
-      banner "knife vault show VAULT ITEM [VALUES] (options)"
+      banner "knife vault show VAULT [ITEM] [VALUES] (options)"
       option :mode,
         :short => '-M MODE',
@@ -40,6 +40,9 @@ class Chef
         if vault && item
           set_mode(config[:vault_mode])
           print_values(vault, item, values)
+        elsif vault
+          set_mode(config[:vault_mode])
+          print_keys(vault)
         else
           show_usage
         end
@@ -83,6 +86,17 @@ class Chef
         end
         output(output_data)
       end
+      def print_keys(vault)
+        if bag_is_vault?(vault)
+          bag = Chef::DataBag.load(vault)
+          split_vault_keys(bag)[1].each do |item|
+            output item
+          end
+        else
+          output "data bag #{vault} is not a chef-vault"
+        end
+      end
     end
   end
 end

data/lib/chef/knife/vault_update.rb CHANGED

@@ -74,7 +74,7 @@ class Chef
             if clean
               clients = vault_item.clients().clone().sort()
               clients.each do |client|
-                puts "Deleting #{client}"
+                $stdout.puts "Deleting #{client}"
                 vault_item.keys.delete(client, "clients")
               end
             end

data/spec/chef-vault/certificate_spec.rb CHANGED

@@ -6,6 +6,12 @@ RSpec.describe ChefVault::Certificate do
     allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
     allow(item).to receive(:[]).with("id"){ "bar" }
     allow(item).to receive(:[]).with("contents"){ "baz" }
+    @orig_stdout = $stdout
+    $stdout = File.open(File::NULL, 'w')
+  end
+  after do
+    $stdout = @orig_stdout
   end
   describe '#new' do
@@ -22,8 +28,9 @@ RSpec.describe ChefVault::Certificate do
   describe 'decrypt_contents' do
     it 'echoes warning' do
-      expect(STDOUT).to receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
-      cert.decrypt_contents
+      expect { cert.decrypt_contents }
+        .to output("WARNING: This method is deprecated, please switch to item['value'] calls\n")
+        .to_stdout
     end
     it 'returns items contents' do

data/spec/chef-vault/item_spec.rb CHANGED

@@ -51,9 +51,84 @@ module BorkedNodeWithoutPublicKey
 end
 RSpec.describe ChefVault::Item do
+  before do
+    @orig_stdout = $stdout
+    $stdout = File.open(File::NULL, 'w')
+  end
+  after do
+    $stdout = @orig_stdout
+  end
   subject(:item) { ChefVault::Item.new("foo", "bar") }
-  describe '#new' do
+  describe 'vault probe predicates' do
+    before do
+      # a normal data bag item
+      @db = { 'foo' => '...' }
+      @dbi = Chef::DataBagItem.new
+      @dbi.data_bag('normal')
+      @dbi.raw_data = { 'id' => 'foo', 'foo' => 'bar' }
+      allow(@db).to receive(:load).with('foo').and_return(@dbi)
+      allow(Chef::DataBag).to receive(:load).with('normal').and_return(@db)
+      allow(Chef::DataBagItem).to receive(:load).with('normal', 'foo').and_return(@dbi)
+      # an encrypted data bag item (non-vault)
+      @encdb = { 'foo' => '...' }
+      @encdbi = Chef::DataBagItem.new
+      @encdbi.data_bag('encrypted')
+      @encdbi.raw_data = {
+        'id' => 'foo',
+        'foo' => { 'encrypted_data' => '...' }
+      }
+      allow(@encdb).to receive(:load).with('foo').and_return(@encdbi)
+      allow(Chef::DataBag).to receive(:load).with('encrypted').and_return(@encdb)
+      allow(Chef::DataBagItem).to receive(:load).with('encrypted', 'foo').and_return(@encdbi)
+      # two items that make up a vault
+      @vaultdb = { 'foo' => '...', 'foo_keys' => '...' }
+      @vaultdbi = Chef::DataBagItem.new
+      @vaultdbi.data_bag('vault')
+      @vaultdbi.raw_data = {
+        'id' => 'foo',
+        'foo' => { 'encrypted_data' => '...' }
+      }
+      allow(@vaultdb).to receive(:load).with('foo').and_return(@vaultdbi)
+      @vaultdbki = Chef::DataBagItem.new
+      @vaultdbki.data_bag('vault')
+      @vaultdbki.raw_data = { 'id' => 'foo_keys' }
+      allow(@vaultdb).to receive(:load).with('foo_keys').and_return(@vaultdbki)
+      allow(Chef::DataBag).to receive(:load).with('vault').and_return(@vaultdb)
+      allow(Chef::DataBagItem).to receive(:load).with('vault', 'foo').and_return(@vaultdbi)
+    end
+    describe '::vault?' do
+      it 'should detect a vault item' do
+        expect(ChefVault::Item.vault?('vault', 'foo')).to be_truthy
+      end
+      it 'should detect non-vault items' do
+        expect(ChefVault::Item.vault?('normal', 'foo')).not_to be_truthy
+        expect(ChefVault::Item.vault?('encrypted', 'foo')).not_to be_truthy
+      end
+    end
+    describe '::data_bag_item_type' do
+      it 'should detect a vault item' do
+        expect(ChefVault::Item.data_bag_item_type('vault', 'foo')).to eq(:vault)
+      end
+      it 'should detect an encrypted data bag item' do
+        expect(ChefVault::Item.data_bag_item_type('encrypted', 'foo')).to eq(:encrypted)
+      end
+      it 'should detect a normal data bag item' do
+        expect(ChefVault::Item.data_bag_item_type('normal', 'foo')).to eq(:normal)
+      end
+    end
+  end
+  describe '::new' do
     it { should be_an_instance_of ChefVault::Item }
     its(:keys) { should be_an_instance_of ChefVault::ItemKeys }
@@ -65,14 +140,80 @@ RSpec.describe ChefVault::Item do
     specify { expect(item.keys['id']).to eq 'bar_keys' }
     specify { expect(item.keys.data_bag).to eq 'foo' }
+    it 'defaults the node name' do
+      item = ChefVault::Item.new('foo', 'bar')
+      expect(item.node_name).to eq(Chef::Config[:node_name])
+    end
+    it 'defaults the client key path' do
+      item = ChefVault::Item.new('foo', 'bar')
+      expect(item.client_key_path).to eq(Chef::Config[:client_key])
+    end
+    it 'allows for a node name override' do
+      item = ChefVault::Item.new('foo', 'bar', node_name: 'baz')
+      expect(item.node_name).to eq('baz')
+    end
+    it 'allows for a client key path override' do
+      item = ChefVault::Item.new('foo', 'bar', client_key_path: '/foo/client.pem')
+      expect(item.client_key_path).to eq('/foo/client.pem')
+    end
+    it 'allows for both node name and client key overrides' do
+      item = ChefVault::Item.new(
+        'foo', 'bar',
+        node_name: 'baz',
+        client_key_path: '/foo/client.pem'
+      )
+      expect(item.node_name).to eq('baz')
+      expect(item.client_key_path).to eq('/foo/client.pem')
+    end
+  end
+  describe '::load' do
+    it 'allows for both node name and client key overrides' do
+      keys_db = Chef::DataBagItem.new
+      keys_db.raw_data = {
+        'id' => 'bar_keys',
+        'baz' => '...'
+      }
+      allow(ChefVault::ItemKeys)
+        .to receive(:load)
+        .and_return(keys_db)
+      fh = double 'private key handle'
+      allow(fh).to receive(:read).and_return('...')
+      allow(File).to receive(:open).and_return(fh)
+      privkey = double 'private key contents'
+      allow(privkey).to receive(:private_decrypt).and_return('sekrit')
+      allow(OpenSSL::PKey::RSA).to receive(:new).and_return(privkey)
+      allow(Chef::EncryptedDataBagItem).to receive(:load).and_return(
+        'id' => 'bar',
+        'password' => '12345'
+      )
+      item = ChefVault::Item.load(
+        'foo', 'bar',
+        node_name: 'baz',
+        client_key_path: '/foo/client.pem'
+      )
+      expect(item.node_name).to eq('baz')
+      expect(item.client_key_path).to eq('/foo/client.pem')
+    end
   end
   describe '#save' do
     context 'when item["id"] is bar.bar' do
       let(:item) { ChefVault::Item.new("foo", "bar.bar") }
       specify { expect { item.save }.to raise_error }
     end
+    it 'should validate that the id of the vault matches the id of the keys data bag' do
+      item = ChefVault::Item.new('foo', 'bar')
+      item['id'] = 'baz'
+      item.keys['clients'] = %w(admin)
+      expect { item.save }.to raise_error(ChefVault::Exceptions::IdMismatch)
+    end
   end
   describe '#clients' do
@@ -87,7 +228,19 @@ RSpec.describe ChefVault::Item do
     it 'should emit a warning if search returns a node without a public key' do
       # it should however emit a warning that you have a borked node
       expect { @vaultitem.clients('*:*') }
-        .to output(/node 'bar' has no private key; skipping/).to_stderr
+        .to output(/node 'bar' has no private key; skipping/).to_stdout
+    end
+    it 'should accept a client object and not perform a search' do
+      client = Chef::ApiClient.new
+      client.name 'foo'
+      privkey = OpenSSL::PKey::RSA.new(1024)
+      pubkey = privkey.public_key
+      client.public_key(pubkey.to_pem)
+      expect(Chef::Search::Query).not_to receive(:new)
+      expect(ChefVault::ChefPatch::User).not_to receive(:load)
+      @vaultitem.clients(client)
+      expect(@vaultitem.clients).to include('foo')
     end
   end
@@ -99,4 +252,12 @@ RSpec.describe ChefVault::Item do
         .to raise_error(ChefVault::Exceptions::AdminNotFound)
     end
   end
+  describe '#raw_keys' do
+    it 'should return the keys of the underlying data bag item' do
+      item = ChefVault::Item.new('foo', 'bar')
+      item['foo'] = 'bar'
+      expect(item.raw_keys).to eq(%w(id foo))
+    end
+  end
 end