RubyGems - chef-vault - Versions diffs - 2.5.0 → 2.6.0 - Mend

chef-vault 2.5.0 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

checksums.yaml +4 -4
data/.rubocop_todo.yml +5 -1
data/.travis.yml +5 -1
data/Changelog.md +36 -3
data/KNIFE_EXAMPLES.md +49 -74
data/README.md +166 -104
data/THEORY.md +4 -2
data/bin/chef-vault +2 -2
data/chef-vault.gemspec +2 -2
data/features/clean_on_refresh.feature +28 -0
data/features/isvault.feature +24 -0
data/features/itemtype.feature +25 -0
data/features/step_definitions/chef-databag.rb +4 -0
data/features/step_definitions/chef-vault.rb +21 -0
data/features/step_definitions/chef_databagitem.rb +9 -0
data/features/vault_show_vaultname.feature +22 -0
data/features/vault_update.feature +1 -1
data/features/verify_id_matches.feature +11 -0
data/lib/chef-vault/certificate.rb +1 -1
data/lib/chef-vault/exceptions.rb +3 -0
data/lib/chef-vault/item.rb +161 -18
data/lib/chef-vault/user.rb +1 -1
data/lib/chef-vault/version.rb +1 -1
data/lib/chef/knife/decrypt.rb +1 -1
data/lib/chef/knife/encrypt_create.rb +1 -1
data/lib/chef/knife/encrypt_delete.rb +1 -1
data/lib/chef/knife/encrypt_remove.rb +1 -1
data/lib/chef/knife/encrypt_rotate_keys.rb +1 -1
data/lib/chef/knife/encrypt_update.rb +1 -1
data/lib/chef/knife/vault_base.rb +22 -0
data/lib/chef/knife/vault_create.rb +0 -1
data/lib/chef/knife/vault_decrypt.rb +1 -1
data/lib/chef/knife/vault_isvault.rb +43 -0
data/lib/chef/knife/vault_itemtype.rb +43 -0
data/lib/chef/knife/vault_list.rb +7 -18
data/lib/chef/knife/vault_refresh.rb +6 -12
data/lib/chef/knife/vault_rotate_all_keys.rb +1 -1
data/lib/chef/knife/vault_show.rb +15 -1
data/lib/chef/knife/vault_update.rb +1 -1
data/spec/chef-vault/certificate_spec.rb +9 -2
data/spec/chef-vault/item_spec.rb +164 -3
data/spec/chef-vault/user_spec.rb +9 -2
metadata +14 -6

data/lib/chef-vault/user.rb CHANGED

@@ -24,7 +24,7 @@ class ChefVault
     end
     def decrypt_password
-      puts "WARNING: This method is deprecated, please switch to item['value'] calls"
+      $stdout.puts "WARNING: This method is deprecated, please switch to item['value'] calls"
       @item["password"]
     end
   end

data/lib/chef-vault/version.rb CHANGED

@@ -14,6 +14,6 @@
 # limitations under the License.
 class ChefVault
-  VERSION = "2.5.0"
+  VERSION = '2.6.0'
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/decrypt.rb CHANGED

@@ -24,7 +24,7 @@ class Chef
       banner "knife decrypt VAULT ITEM [VALUES] (options)"
       def run
-        puts "DEPRECATION WARNING: knife decrypt is deprecated. Please use knife vault decrypt instead."
+        $stdout.puts "DEPRECATION WARNING: knife decrypt is deprecated. Please use knife vault decrypt instead."
         super
       end
     end

data/lib/chef/knife/encrypt_create.rb CHANGED

@@ -43,7 +43,7 @@ class Chef
         :description => 'File to be added to vault item as file-content'
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_delete.rb CHANGED

@@ -24,7 +24,7 @@ class Chef
       banner "knife encrypt delete VAULT ITEM (options)"
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_remove.rb CHANGED

@@ -34,7 +34,7 @@ class Chef
         :description => 'Chef users to be added as admins'
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_rotate_keys.rb CHANGED

@@ -24,7 +24,7 @@ class Chef
       banner "knife encrypt rotate keys VAULT ITEM (options)"
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/encrypt_update.rb CHANGED

@@ -43,7 +43,7 @@ class Chef
       banner "knife encrypt update VAULT ITEM VALUES (options)"
       def run
-        puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
+        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
         super
       end
     end

data/lib/chef/knife/vault_base.rb CHANGED

@@ -41,6 +41,28 @@ class Chef
         super
         exit 1
       end
+      private
+      def bag_is_vault?(bagname)
+        bag = Chef::DataBag.load(bagname)
+        # vaults have at even number of keys >= 2
+        return false unless bag.keys.size >= 2 && 0 == bag.keys.size % 2
+        # partition into those that end in _keys
+        keylike, notkeylike = split_vault_keys(bag)
+        # there must be an equal number of keyline and not-keylike items
+        return false unless keylike.size == notkeylike.size
+        # strip the _keys suffix and check if the sets match
+        keylike.map! { |k| k.gsub(/_keys$/, '') }
+        return false unless keylike.sort == notkeylike.sort
+        # it's (probably) a vault
+        true
+      end
+      def split_vault_keys(bag)
+        # partition into those that end in _keys
+        bag.keys.partition { |k| k =~ /_keys$/ }
+      end
     end
   end
 end

data/lib/chef/knife/vault_create.rb CHANGED

@@ -63,7 +63,6 @@ class Chef
           rescue ChefVault::Exceptions::KeysNotFound,
                  ChefVault::Exceptions::ItemNotFound
             vault_item = ChefVault::Item.new(vault, item)
             if values || json_file || file
               merge_values(values, json_file).each do |key, value|
                 vault_item[key] = value

data/lib/chef/knife/vault_decrypt.rb CHANGED

@@ -23,7 +23,7 @@ class Chef
       banner "knife vault decrypt VAULT ITEM [VALUES] (options)"
       def run
-        puts "DEPRECATION WARNING: knife vault decrypt is deprecated. Please use knife vault show instead."
+        $stdout.puts "DEPRECATION WARNING: knife vault decrypt is deprecated. Please use knife vault show instead."
         vault = @name_args[0]
         item = @name_args[1]
         values = @name_args[2]

data/lib/chef/knife/vault_isvault.rb ADDED

@@ -0,0 +1,43 @@
+# Description: Chef-Vault VaultIsvault class
+# Copyright 2013, Nordstrom, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require 'chef/knife/vault_base'
+class Chef
+  class Knife
+    class VaultIsvault < Knife
+      include Chef::Knife::VaultBase
+      banner "knife vault isvault VAULT ITEM (options)"
+      option :mode,
+        :short => '-M MODE',
+        :long => '--mode MODE',
+        :description => 'Chef mode to run in default - solo'
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        if vault && item
+          set_mode(config[:vault_mode])
+          exit ChefVault::Item.vault?(vault, item) ? 0 : 1
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_itemtype.rb ADDED

@@ -0,0 +1,43 @@
+# Description: Chef-Vault VaultItemtype class
+# Copyright 2013, Nordstrom, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require 'chef/knife/vault_base'
+class Chef
+  class Knife
+    class VaultItemtype < Knife
+      include Chef::Knife::VaultBase
+      banner "knife vault itemtype VAULT ITEM (options)"
+      option :mode,
+        :short => '-M MODE',
+        :long => '--mode MODE',
+        :description => 'Chef mode to run in default - solo'
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        if vault && item
+          set_mode(config[:vault_mode])
+          output ChefVault::Item.data_bag_item_type(vault, item)
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_list.rb CHANGED

@@ -1,4 +1,4 @@
-# Description: Chef-Vault VaultShow class
+# Description: Chef-Vault VaultList class
 # Copyright 2013, Nordstrom, Inc.
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,7 +22,13 @@ class Chef
       banner "knife vault list (options)"
+      option :mode,
+        :short => '-M MODE',
+        :long => '--mode MODE',
+        :description => 'Chef mode to run in default - solo'
       def run
+        set_mode(config[:vault_mode])
         vaultbags = []
         # iterate over all the data bags
         bags = Chef::DataBag.list
@@ -31,23 +37,6 @@ class Chef
         end
         output vaultbags.join("\n")
       end
-      private
-      def bag_is_vault?(bagname)
-        bag = Chef::DataBag.load(bagname)
-        # vaults have at even number of keys >= 2
-        return false unless bag.keys.size >= 2 && 0 == bag.keys.size % 2
-        # partition into those that end in _keys
-        keylike, notkeylike = bag.keys.partition { |k| k =~ /_keys$/ }
-        # there must be an equal number of keyline and not-keylike items
-        return false unless keylike.size == notkeylike.size
-        # strip the _keys suffix and check if the sets match
-        keylike.map! { |k| k.gsub(/_keys$/, '') }
-        return false unless keylike.sort == notkeylike.sort
-        # it's (probably) a vault
-        true
-      end
     end
   end
 end

data/lib/chef/knife/vault_refresh.rb CHANGED

@@ -22,27 +22,21 @@ class Chef
       banner "knife vault refresh VAULT ITEM"
+      option :clean_unknown_clients,
+        :long => '--clean-unknown-clients',
+        :description => 'Remove unknown clients during refresh'
       def run
         vault = @name_args[0]
         item = @name_args[1]
+        clean = config[:clean_unknown_clients]
         set_mode(config[:vault_mode])
         if vault && item
           begin
             vault_item = ChefVault::Item.load(vault, item)
-            search = vault_item.search
-            unless search
-              raise ChefVault::Exceptions::SearchNotFound,
-                    "#{vault}/#{item} does not have a stored search_query, "\
-                    "probably because it was created with an older version "\
-                    "of chef-vault. Use 'knife vault update' to update the "\
-                    "databag with the search query."
-            end
-            vault_item.clients(search)
-            vault_item.save
+            vault_item.refresh(clean)
           rescue ChefVault::Exceptions::KeysNotFound,
                  ChefVault::Exceptions::ItemNotFound

data/lib/chef/knife/vault_rotate_all_keys.rb CHANGED

@@ -52,7 +52,7 @@ class Chef
       end
       def rotate_vault_item_keys(vault, item, clean_unknown_clients)
-        puts "Rotating keys for: #{vault} #{item}"
+        $stdout.puts "Rotating keys for: #{vault} #{item}"
         ChefVault::Item.load(vault, item).rotate_keys!(clean_unknown_clients)
       end
     end

data/lib/chef/knife/vault_show.rb CHANGED

@@ -20,7 +20,7 @@ class Chef
     class VaultShow < Knife
       include Chef::Knife::VaultBase
-      banner "knife vault show VAULT ITEM [VALUES] (options)"
+      banner "knife vault show VAULT [ITEM] [VALUES] (options)"
       option :mode,
         :short => '-M MODE',
@@ -40,6 +40,9 @@ class Chef
         if vault && item
           set_mode(config[:vault_mode])
           print_values(vault, item, values)
+        elsif vault
+          set_mode(config[:vault_mode])
+          print_keys(vault)
         else
           show_usage
         end
@@ -83,6 +86,17 @@ class Chef
         end
         output(output_data)
       end
+      def print_keys(vault)
+        if bag_is_vault?(vault)
+          bag = Chef::DataBag.load(vault)
+          split_vault_keys(bag)[1].each do |item|
+            output item
+          end
+        else
+          output "data bag #{vault} is not a chef-vault"
+        end
+      end
     end
   end
 end

data/lib/chef/knife/vault_update.rb CHANGED

@@ -74,7 +74,7 @@ class Chef
             if clean
               clients = vault_item.clients().clone().sort()
               clients.each do |client|
-                puts "Deleting #{client}"
+                $stdout.puts "Deleting #{client}"
                 vault_item.keys.delete(client, "clients")
               end
             end

data/spec/chef-vault/certificate_spec.rb CHANGED

@@ -6,6 +6,12 @@ RSpec.describe ChefVault::Certificate do
     allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
     allow(item).to receive(:[]).with("id"){ "bar" }
     allow(item).to receive(:[]).with("contents"){ "baz" }
+    @orig_stdout = $stdout
+    $stdout = File.open(File::NULL, 'w')
+  end
+  after do
+    $stdout = @orig_stdout
   end
   describe '#new' do
@@ -22,8 +28,9 @@ RSpec.describe ChefVault::Certificate do
   describe 'decrypt_contents' do
     it 'echoes warning' do
-      expect(STDOUT).to receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
-      cert.decrypt_contents
+      expect { cert.decrypt_contents }
+        .to output("WARNING: This method is deprecated, please switch to item['value'] calls\n")
+        .to_stdout
     end
     it 'returns items contents' do

data/spec/chef-vault/item_spec.rb CHANGED

@@ -51,9 +51,84 @@ module BorkedNodeWithoutPublicKey
 end
 RSpec.describe ChefVault::Item do
+  before do
+    @orig_stdout = $stdout
+    $stdout = File.open(File::NULL, 'w')
+  end
+  after do
+    $stdout = @orig_stdout
+  end
   subject(:item) { ChefVault::Item.new("foo", "bar") }
-  describe '#new' do
+  describe 'vault probe predicates' do
+    before do
+      # a normal data bag item
+      @db = { 'foo' => '...' }
+      @dbi = Chef::DataBagItem.new
+      @dbi.data_bag('normal')
+      @dbi.raw_data = { 'id' => 'foo', 'foo' => 'bar' }
+      allow(@db).to receive(:load).with('foo').and_return(@dbi)
+      allow(Chef::DataBag).to receive(:load).with('normal').and_return(@db)
+      allow(Chef::DataBagItem).to receive(:load).with('normal', 'foo').and_return(@dbi)
+      # an encrypted data bag item (non-vault)
+      @encdb = { 'foo' => '...' }
+      @encdbi = Chef::DataBagItem.new
+      @encdbi.data_bag('encrypted')
+      @encdbi.raw_data = {
+        'id' => 'foo',
+        'foo' => { 'encrypted_data' => '...' }
+      }
+      allow(@encdb).to receive(:load).with('foo').and_return(@encdbi)
+      allow(Chef::DataBag).to receive(:load).with('encrypted').and_return(@encdb)
+      allow(Chef::DataBagItem).to receive(:load).with('encrypted', 'foo').and_return(@encdbi)
+      # two items that make up a vault
+      @vaultdb = { 'foo' => '...', 'foo_keys' => '...' }
+      @vaultdbi = Chef::DataBagItem.new
+      @vaultdbi.data_bag('vault')
+      @vaultdbi.raw_data = {
+        'id' => 'foo',
+        'foo' => { 'encrypted_data' => '...' }
+      }
+      allow(@vaultdb).to receive(:load).with('foo').and_return(@vaultdbi)
+      @vaultdbki = Chef::DataBagItem.new
+      @vaultdbki.data_bag('vault')
+      @vaultdbki.raw_data = { 'id' => 'foo_keys' }
+      allow(@vaultdb).to receive(:load).with('foo_keys').and_return(@vaultdbki)
+      allow(Chef::DataBag).to receive(:load).with('vault').and_return(@vaultdb)
+      allow(Chef::DataBagItem).to receive(:load).with('vault', 'foo').and_return(@vaultdbi)
+    end
+    describe '::vault?' do
+      it 'should detect a vault item' do
+        expect(ChefVault::Item.vault?('vault', 'foo')).to be_truthy
+      end
+      it 'should detect non-vault items' do
+        expect(ChefVault::Item.vault?('normal', 'foo')).not_to be_truthy
+        expect(ChefVault::Item.vault?('encrypted', 'foo')).not_to be_truthy
+      end
+    end
+    describe '::data_bag_item_type' do
+      it 'should detect a vault item' do
+        expect(ChefVault::Item.data_bag_item_type('vault', 'foo')).to eq(:vault)
+      end
+      it 'should detect an encrypted data bag item' do
+        expect(ChefVault::Item.data_bag_item_type('encrypted', 'foo')).to eq(:encrypted)
+      end
+      it 'should detect a normal data bag item' do
+        expect(ChefVault::Item.data_bag_item_type('normal', 'foo')).to eq(:normal)
+      end
+    end
+  end
+  describe '::new' do
     it { should be_an_instance_of ChefVault::Item }
     its(:keys) { should be_an_instance_of ChefVault::ItemKeys }
@@ -65,14 +140,80 @@ RSpec.describe ChefVault::Item do
     specify { expect(item.keys['id']).to eq 'bar_keys' }
     specify { expect(item.keys.data_bag).to eq 'foo' }
+    it 'defaults the node name' do
+      item = ChefVault::Item.new('foo', 'bar')
+      expect(item.node_name).to eq(Chef::Config[:node_name])
+    end
+    it 'defaults the client key path' do
+      item = ChefVault::Item.new('foo', 'bar')
+      expect(item.client_key_path).to eq(Chef::Config[:client_key])
+    end
+    it 'allows for a node name override' do
+      item = ChefVault::Item.new('foo', 'bar', node_name: 'baz')
+      expect(item.node_name).to eq('baz')
+    end
+    it 'allows for a client key path override' do
+      item = ChefVault::Item.new('foo', 'bar', client_key_path: '/foo/client.pem')
+      expect(item.client_key_path).to eq('/foo/client.pem')
+    end
+    it 'allows for both node name and client key overrides' do
+      item = ChefVault::Item.new(
+        'foo', 'bar',
+        node_name: 'baz',
+        client_key_path: '/foo/client.pem'
+      )
+      expect(item.node_name).to eq('baz')
+      expect(item.client_key_path).to eq('/foo/client.pem')
+    end
+  end
+  describe '::load' do
+    it 'allows for both node name and client key overrides' do
+      keys_db = Chef::DataBagItem.new
+      keys_db.raw_data = {
+        'id' => 'bar_keys',
+        'baz' => '...'
+      }
+      allow(ChefVault::ItemKeys)
+        .to receive(:load)
+        .and_return(keys_db)
+      fh = double 'private key handle'
+      allow(fh).to receive(:read).and_return('...')
+      allow(File).to receive(:open).and_return(fh)
+      privkey = double 'private key contents'
+      allow(privkey).to receive(:private_decrypt).and_return('sekrit')
+      allow(OpenSSL::PKey::RSA).to receive(:new).and_return(privkey)
+      allow(Chef::EncryptedDataBagItem).to receive(:load).and_return(
+        'id' => 'bar',
+        'password' => '12345'
+      )
+      item = ChefVault::Item.load(
+        'foo', 'bar',
+        node_name: 'baz',
+        client_key_path: '/foo/client.pem'
+      )
+      expect(item.node_name).to eq('baz')
+      expect(item.client_key_path).to eq('/foo/client.pem')
+    end
   end
   describe '#save' do
     context 'when item["id"] is bar.bar' do
       let(:item) { ChefVault::Item.new("foo", "bar.bar") }
       specify { expect { item.save }.to raise_error }
     end
+    it 'should validate that the id of the vault matches the id of the keys data bag' do
+      item = ChefVault::Item.new('foo', 'bar')
+      item['id'] = 'baz'
+      item.keys['clients'] = %w(admin)
+      expect { item.save }.to raise_error(ChefVault::Exceptions::IdMismatch)
+    end
   end
   describe '#clients' do
@@ -87,7 +228,19 @@ RSpec.describe ChefVault::Item do
     it 'should emit a warning if search returns a node without a public key' do
       # it should however emit a warning that you have a borked node
       expect { @vaultitem.clients('*:*') }
-        .to output(/node 'bar' has no private key; skipping/).to_stderr
+        .to output(/node 'bar' has no private key; skipping/).to_stdout
+    end
+    it 'should accept a client object and not perform a search' do
+      client = Chef::ApiClient.new
+      client.name 'foo'
+      privkey = OpenSSL::PKey::RSA.new(1024)
+      pubkey = privkey.public_key
+      client.public_key(pubkey.to_pem)
+      expect(Chef::Search::Query).not_to receive(:new)
+      expect(ChefVault::ChefPatch::User).not_to receive(:load)
+      @vaultitem.clients(client)
+      expect(@vaultitem.clients).to include('foo')
     end
   end
@@ -99,4 +252,12 @@ RSpec.describe ChefVault::Item do
         .to raise_error(ChefVault::Exceptions::AdminNotFound)
     end
   end
+  describe '#raw_keys' do
+    it 'should return the keys of the underlying data bag item' do
+      item = ChefVault::Item.new('foo', 'bar')
+      item['foo'] = 'bar'
+      expect(item.raw_keys).to eq(%w(id foo))
+    end
+  end
 end