chef-vault 2.6.1 → 2.7.1

Files changed (56) hide show
  1. checksums.yaml +4 -4
  2. data/.rubocop.yml +6 -1
  3. data/.travis.yml +5 -6
  4. data/CONTRIBUTING.md +2 -2
  5. data/Gemfile +3 -1
  6. data/README.md +3 -3
  7. data/Rakefile +16 -20
  8. data/THEORY.md +1 -1
  9. data/UPGRADE.md +55 -0
  10. data/bin/chef-vault +8 -8
  11. data/chef-vault.gemspec +21 -21
  12. data/features/detect_and_warn_v1_vault.feature +15 -0
  13. data/features/step_definitions/chef-databag.rb +1 -1
  14. data/features/step_definitions/chef-repo.rb +7 -7
  15. data/features/step_definitions/chef-vault.rb +30 -22
  16. data/features/step_definitions/chef_databagitem.rb +2 -2
  17. data/features/support/env.rb +3 -3
  18. data/lib/chef-vault.rb +15 -15
  19. data/lib/chef-vault/chef_patch/api_client.rb +5 -5
  20. data/lib/chef-vault/chef_patch/user.rb +5 -5
  21. data/lib/chef-vault/exceptions.rb +3 -0
  22. data/lib/chef-vault/item.rb +13 -19
  23. data/lib/chef-vault/item_keys.rb +13 -13
  24. data/lib/chef-vault/mixins.rb +36 -0
  25. data/lib/chef-vault/version.rb +3 -2
  26. data/lib/chef/knife/decrypt.rb +2 -2
  27. data/lib/chef/knife/encrypt_create.rb +13 -13
  28. data/lib/chef/knife/encrypt_delete.rb +2 -2
  29. data/lib/chef/knife/encrypt_remove.rb +8 -8
  30. data/lib/chef/knife/encrypt_rotate_keys.rb +2 -2
  31. data/lib/chef/knife/encrypt_update.rb +13 -13
  32. data/lib/chef/knife/mixin/compat.rb +2 -2
  33. data/lib/chef/knife/vault_admins.rb +3 -3
  34. data/lib/chef/knife/vault_base.rb +9 -9
  35. data/lib/chef/knife/vault_create.rb +13 -13
  36. data/lib/chef/knife/vault_decrypt.rb +2 -2
  37. data/lib/chef/knife/vault_delete.rb +1 -1
  38. data/lib/chef/knife/vault_download.rb +2 -2
  39. data/lib/chef/knife/vault_edit.rb +6 -6
  40. data/lib/chef/knife/vault_isvault.rb +4 -4
  41. data/lib/chef/knife/vault_itemtype.rb +4 -4
  42. data/lib/chef/knife/vault_list.rb +4 -4
  43. data/lib/chef/knife/vault_refresh.rb +3 -3
  44. data/lib/chef/knife/vault_remove.rb +9 -9
  45. data/lib/chef/knife/vault_rotate_all_keys.rb +4 -4
  46. data/lib/chef/knife/vault_rotate_keys.rb +3 -3
  47. data/lib/chef/knife/vault_show.rb +12 -12
  48. data/lib/chef/knife/vault_update.rb +15 -15
  49. data/spec/chef-vault/certificate_spec.rb +7 -7
  50. data/spec/chef-vault/item_keys_spec.rb +53 -6
  51. data/spec/chef-vault/item_spec.rb +110 -110
  52. data/spec/chef-vault/user_spec.rb +6 -6
  53. data/spec/chef-vault_spec.rb +10 -10
  54. data/spec/spec_helper.rb +3 -3
  55. metadata +7 -6
  56. data/.rubocop_todo.yml +0 -101
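--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 297b60d8521397a8eeeded373503b9edb33b3195
- data.tar.gz: 41a79787ab86193433047cdd6d9df05653ba1bf8
+ metadata.gz: 40dc465e5a495bff36ec9b6aa4c59fe9ff4dc561
+ data.tar.gz: 6f51167bc5d529e6e04ca00029e88336ebdc1984
  SHA512:
- metadata.gz: 807c5cf031f54b6bff3b505eaa0a832387369d49340fdd96fb0956d35fdc26d96be34695be6ac0a0a1be1d280219f1cf25d3fcfaa680234a37e6a4d6754c50ef
- data.tar.gz: ea0973774c69df1a76e587d02e075209feee0ac01bfd590be9813889def4a147da057b907a8b66ca3dadbbdbc107f8fd83932ce638fd25ade5b45729098e6cfb
+ metadata.gz: 4c5a1f7080efdfe8794d77e1c291c8c46497ae9eb1cba6cfd5e208307b8019fb9a667ca9e83b7b96ec121c93cfa82b2721b864c221fea39e8cce289be3b921a5
+ data.tar.gz: a184ffb4f80758de736779b408a04faac9d4d11f9e4d91ceabeceb30b13f60f62371eb834ef03a089b6c4a53d7f8723737e2329be5b249aec0c2dd404b28c2ec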
@@ -1 +1,6 @@
1
- inherit_from: .rubocop_todo.yml
1
+ AllCops:
2
+ Exclude:
3
+ - "spec/data/**/*"
4
+ - "vendor/**/*"
5
+ - "pkg/**/*"
6
+ - "tmp/**/*"
@@ -1,18 +1,17 @@
1
1
  language: ruby
2
+ branches:
3
+ only:
4
+ - master
2
5
  rvm:
3
- - "1.9.3-p551"
4
- - "2.0.0-p598"
6
+ - "2.0.0-p647"
5
7
  - "2.1.6"
6
8
  - "2.2.2"
7
9
  install: bundle install --binstubs
8
10
  env: TRAVIS_BUILD=true
9
- matrix:
10
- allow_failures:
11
- - rvm: "1.9.3-p551"
12
11
  notifications:
13
12
  webhooks:
14
13
  urls:
15
14
  - https://webhooks.gitter.im/e/60e610197dad8edc59f9
16
- on_success: always
15
+ on_success: false
17
16
  on_failure: always
18
17
  on_start: false
@@ -7,7 +7,7 @@ request to be merged sooner.
7
7
  ### Create an Issue
8
8
 
9
9
  Each pull request should have a corresponding [Chef-Vault GitHub
10
- issue](https://github.com/Nordstrom/chef-vault/issues?state=open). Search the
10
+ issue](https://github.com/chef/chef-vault/issues?state=open). Search the
11
11
  issue list to make sure someone hasn't already submitted a pull request to fix
12
12
  your issue. If not, please create a new issue.
13
13
 
@@ -21,7 +21,7 @@ guide](https://help.github.com/articles/fork-a-repo) for more info.
21
21
  ```bash
22
22
  $ git clone https://github.com/<username>/chef-vault.git
23
23
  $ cd chef-vault
24
- $ git remote add upstream https://github.com/Nordstrom/chef-vault.git
24
+ $ git remote add upstream https://github.com/chef/chef-vault.git
25
25
  ```
26
26
 
27
27
  ### Create a Local Feature Branch
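--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,3 +1,5 @@
- source 'https://rubygems.org/'
+ source "https://rubygems.org/"
+
+ gem "chefstyle", git: "https://github.com/chef/chefstyle.git"
 
  gemspec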
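Review bot: The added `gem "chefstyle", git: "https://github.com/chef/chefstyle.git"` line names no `ref:`, `tag:` or `branch:`, so each fresh install resolves to whatever the repository's default branch holds at that moment. The Rakefile in this release requires chefstyle and puts `:style` in the default task, so that unpinned code runs on every developer and CI invocation of `rake`. Unless a committed Gemfile.lock fixes the revision (none is visible in this diff), builds are not reproducible and a change upstream reaches this project unreviewed. Pin the source to a reviewed commit, e.g. `gem "chefstyle", git: "https://github.com/chef/chefstyle.git", ref: "<reviewed-commit-sha>"`.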
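--- a/data/README.md
+++ b/data/README.md
@@ -2,11 +2,11 @@
 
  [![Gem Version](https://badge.fury.io/rb/chef-vault.png)](http://badge.fury.io/rb/chef-vault)
 
- [![Build Status](https://travis-ci.org/Nordstrom/chef-vault.png?branch=master)](https://travis-ci.org/Nordstrom/chef-vault)
+ [![Build Status](https://travis-ci.org/chef/chef-vault.png?branch=master)](https://travis-ci.org/chef/chef-vault)
 
- [![Inline docs](http://inch-ci.org/github/nordstrom/chef-vault.svg?branch=master)](http://inch-ci.org/github/nordstrom/chef-vault)
+ [![Inline docs](http://inch-ci.org/github/chef/chef-vault.svg?branch=master)](http://inch-ci.org/github/chef/chef-vault)
 
- [![Code Climate](https://codeclimate.com/github/Nordstrom/chef-vault/badges/gpa.svg)](https://codeclimate.com/github/Nordstrom/chef-vault)
+ [![Code Climate](https://codeclimate.com/github/chef/chef-vault/badges/gpa.svg)](https://codeclimate.com/github/chef/chef-vault)
 
  [![Join the chat at https://gitter.im/Nordstrom/chef-vault](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/Nordstrom/chef-vault)
 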
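--- a/data/Rakefile
+++ b/data/Rakefile
@@ -1,53 +1,49 @@
- require 'bundler/gem_tasks'
+ require "bundler/gem_tasks"
 
  # Style Tests
  begin
- require 'rubocop/rake_task'
+ require "chefstyle"
+ require "rubocop/rake_task"
  RuboCop::RakeTask.new do |t|
- t.formatters = ['progress']
- t.options = ['-D']
- t.patterns = %w(
- lib/**/*.rb
- spec/**/*.rb
- ./Rakefile
- )
+ t.formatters = ["progress"]
+ t.options = ["-D"]
  end
 
  # style is an alias for rubocop
  task style: :rubocop
  rescue LoadError
- puts 'Rubocop not available; disabling rubocop tasks'
+ puts "ChefStyle not available; disabling style checking tasks"
  end
 
  # Unit Tests
  begin
- require 'rspec/core/rake_task'
+ require "rspec/core/rake_task"
  RSpec::Core::RakeTask.new
 
  # Coverage
- desc 'Generate unit test coverage report'
+ desc "Generate unit test coverage report"
  task :coverage do
- ENV['COVERAGE'] = 'true'
+ ENV["COVERAGE"] = "true"
  Rake::Task[:spec].invoke
  end
  rescue LoadError
- puts 'RSpec not available; disabling rspec tasks'
+ puts "RSpec not available; disabling rspec tasks"
  # create a no-op spec task for :default
  task :spec
  end
 
  # Feature Tests
  begin
- require 'cucumber'
- require 'cucumber/rake/task'
+ require "cucumber"
+ require "cucumber/rake/task"
  Cucumber::Rake::Task.new(:features)
  rescue LoadError
- puts 'Cucumber/Aruba not available; disabling feature tasks'
+ puts "Cucumber/Aruba not available; disabling feature tasks"
  # create a no-op spec task for :default
  task :features
  end
 
- # test or the default task runs spec and features
- desc 'run all tests'
- task default: [:spec, :features]
+ # test or the default task runs spec, features, style
+ desc "run all tests"
+ task default: [:spec, :features, :style]
  task test: :default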
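Review bot: The `rescue LoadError` branch of the style block only prints "ChefStyle not available" and defines no `:style` task, yet the default task now lists `:style` as a prerequisite. When chefstyle or rubocop cannot be loaded, `task style: :rubocop` inside the `begin` is never reached, so a plain `rake` would stop on an unknown task rather than skip style checking as the message promises. The spec and features blocks already handle this by declaring a no-op task in their rescue branch; do the same here by adding `task :style` after the `puts`, with a comment such as `# create a no-op style task for :default`.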
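--- a/data/THEORY.md
+++ b/data/THEORY.md
@@ -48,7 +48,7 @@ These examples assume that I have two nodes in my Chef
  server/organization, named 'one' and 'two'. I also have
  two administrators named 'alice' and 'bob'.
 
- Given a file named `item.json` containin the following:
+ Given a file named `item.json` containing the following:
 
  ```json
  { "foo": "bar" }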
@@ -0,0 +1,55 @@
1
+ # UPGRADING A v1 VAULT to v2
2
+
3
+ chef-vault v2 added metadata to the vault to keep track of
4
+ which secrets belong to admins and which belong to admins,
5
+ as well as the search query to use during a `knife vault refresh`
6
+ operation.
7
+
8
+ You can use chef-vault v2 to decrypt v1 vaults, but the management
9
+ operations are unable to intuit which of the secrets belong to
10
+ clients and which belong to admins. Fixing this error thus requires
11
+ some manual intervention.
12
+
13
+ If you attempt to use the management operations (refresh, update, etc.)
14
+ on a v1 vault, you will get this error:
15
+
16
+ ChefVault::Exceptions::V1Format: cannot manage a v1 vault. See UPGRADE.md for help
17
+
18
+ To fix this, you need to edit the data bag item by hand. Assuming a
19
+ vault 'foo' with an item 'bar', run:
20
+
21
+ knife data bag edit foo bar_keys
22
+
23
+ This will present you with a JSON representation of the extra data
24
+ bag item managed by chef-vault. It will have an id key as well as a key
25
+ for every user for whom the vault item is encrypted:
26
+
27
+ {
28
+ "id" : "bar_keys",
29
+ "james" : "iWdGgm...\n",
30
+ "one" : "RjJ4rlh....\n",
31
+ "two" : "NHJlqnfd9...\n",
32
+ "three" : "GjXkrxq...\n"
33
+ }
34
+
35
+ Add keys for 'admins', 'clients' and 'search_query':
36
+
37
+ {
38
+ "id" : "bar_keys",
39
+ "james" : "iWdGgm...\n",
40
+ "one" : "RjJ4rlh....\n",
41
+ "two" : "NHJlqnfd9...\n",
42
+ "three" : "GjXkrxq...\n",
43
+ "admins": [],
44
+ "clients": [],
45
+ "search_query": ""
46
+ }
47
+
48
+ Save the edited data bag and run knife vault update with the appropriate values to populate those keys:
49
+
50
+ knife vault update foo bar -S 'name:*' -A james
51
+
52
+ (set your search query to something appropriate for your environment)
53
+
54
+ v2.7.0 of chef-vault may add some automation to this step, but for now this
55
+ provides a way to upgrade without breaking your ability to manage things.
@@ -18,7 +18,7 @@
18
18
  # See the License for the specific language governing permissions and
19
19
  # limitations under the License.
20
20
 
21
- require 'optparse'
21
+ require "optparse"
22
22
 
23
23
  options_config = {
24
24
  chef: {
@@ -26,29 +26,29 @@ options_config = {
26
26
  long: "chef-config-file",
27
27
  description: "Chef config file",
28
28
  default: "/etc/chef/knife.rb",
29
- optional: false
29
+ optional: false,
30
30
  },
31
31
  vault: {
32
32
  short: "v",
33
33
  long: "vault",
34
34
  description: "Vault to look in",
35
35
  default: nil,
36
- optional: false
36
+ optional: false,
37
37
  },
38
38
  item: {
39
39
  short: "i",
40
40
  long: "item",
41
41
  description: "Item to decrypt in vault",
42
42
  default: nil,
43
- optional: false
43
+ optional: false,
44
44
  },
45
45
  values: {
46
46
  short: "a",
47
47
  long: "values",
48
48
  description: "Values of item to decrypt in vault",
49
49
  default: nil,
50
- optional: false
51
- }
50
+ optional: false,
51
+ },
52
52
  }
53
53
 
54
54
  banner = "Usage: chef-vault "
@@ -82,9 +82,9 @@ options_config.each do |option, config|
82
82
  options[option] = options[option] ? options[option] : config[:default]
83
83
  end
84
84
 
85
- require 'rubygems'
85
+ require "rubygems"
86
86
  $:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
87
- require 'chef-vault'
87
+ require "chef-vault"
88
88
 
89
89
  ChefVault.load_config(options[:chef])
90
90
  item = ChefVault::Item.load(options[:vault], options[:item])
@@ -14,39 +14,39 @@
14
14
  # See the License for the specific language governing permissions and
15
15
  # limitations under the License.
16
16
 
17
- $:.push File.expand_path('../lib', __FILE__)
18
- require 'chef-vault/version'
17
+ $:.push File.expand_path("../lib", __FILE__)
18
+ require "chef-vault/version"
19
19
 
20
20
  Gem::Specification.new do |s|
21
- s.name = 'chef-vault'
21
+ s.name = "chef-vault"
22
22
  s.version = ChefVault::VERSION
23
23
  s.has_rdoc = true
24
- s.authors = ['Kevin Moser', 'James FitzGibbon']
25
- s.email = ['techcheftm@nordstrom.com']
26
- s.summary = 'Data encryption support for Chef using data bags'
24
+ s.authors = ["Kevin Moser", "James FitzGibbon"]
25
+ s.email = ["techcheftm@nordstrom.com"]
26
+ s.summary = "Data encryption support for Chef using data bags"
27
27
  s.description = s.summary
28
- s.homepage = 'https://github.com/Nordstrom/chef-vault'
28
+ s.homepage = "https://github.com/chef/chef-vault"
29
29
 
30
- s.license = 'Apache License, v2.0'
30
+ s.license = "Apache License, v2.0"
31
31
 
32
32
  s.files = `git ls-files`.split("\n")
33
- s.require_paths = ['lib']
34
- s.bindir = 'bin'
35
- s.executables = %w( chef-vault )
36
-
37
- s.add_development_dependency 'rake', '~> 10.4'
38
- s.add_development_dependency 'rspec', '~> 3.2'
39
- s.add_development_dependency 'aruba', '~> 0.6'
40
- s.add_development_dependency 'simplecov', '~> 0.9'
41
- s.add_development_dependency 'simplecov-console', '~> 0.2'
42
- s.add_development_dependency 'rubocop', '~> 0.30'
33
+ s.require_paths = ["lib"]
34
+ s.bindir = "bin"
35
+ s.executables = %w{ chef-vault }
36
+
37
+ s.add_development_dependency "rake", "~> 10.4"
38
+ s.add_development_dependency "rspec", "~> 3.2"
39
+ s.add_development_dependency "aruba", "~> 0.6"
40
+ s.add_development_dependency "simplecov", "~> 0.9"
41
+ s.add_development_dependency "simplecov-console", "~> 0.2"
42
+ s.add_development_dependency "rubocop", "~> 0.30"
43
43
  # Chef 12 and higher pull in Ohai 8, which needs Ruby v2
44
44
  # so only in the case of a CI build on ruby v1, we constrain
45
45
  # chef to 11 or lower so that we can maintain CI test coverage
46
46
  # of older versions
47
- if ENV.key?('TRAVIS_BUILD') && RUBY_VERSION =~ /^1/
48
- s.add_development_dependency 'chef', '~> 11.18'
47
+ if ENV.key?("TRAVIS_BUILD") && RUBY_VERSION =~ /^1/
48
+ s.add_development_dependency "chef", "~> 11.18"
49
49
  else
50
- s.add_development_dependency 'chef', '>= 0.10.10'
50
+ s.add_development_dependency "chef", ">= 0.10.10"
51
51
  end
52
52
  end
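Review bot: The `if ENV.key?("TRAVIS_BUILD") && RUBY_VERSION =~ /^1/` branch, which this change only re-quotes, no longer matches any CI job. The `.travis.yml` hunk in this same release removes the 1.9.3 entry and its `allow_failures` block, leaving only 2.x rubies in the matrix. The `"chef", "~> 11.18"` constraint and the four-line comment above it now describe a configuration that is never built, which misleads anyone auditing which Chef versions are actually tested. Collapse the conditional to the single line `s.add_development_dependency "chef", ">= 0.10.10"` and drop the stale comment, or state in the comment that the branch is kept for local Ruby 1 builds if that is the intent.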
@@ -0,0 +1,15 @@
1
+ Feature: Detect and Warn for v1 Vaults
2
+
3
+ chef-vault can read a v1 vault, but the management commands
4
+ tend to break when they try to deference v2 fields like
5
+ clients and admins. They should detect and warn when trying
6
+ to access a v1 vault
7
+
8
+ Scenario: Add search query to v1 vault
9
+ Given a local mode chef repo with nodes 'one,two,three'
10
+ And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
11
+ Then the vault item 'test/item' should be encrypted for 'one,two,three'
12
+ And 'one,two,three' should be a client for the vault item 'test/item'
13
+ And I downgrade the vault item 'test/item' to v1 syntax
14
+ And I try to add 'bob' as an admin for the vault item 'test/item'
15
+ Then the output should match /cannot manage a v1 vault. See UPGRADE.md for help/
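Review bot: The scenario title "Add search query to v1 vault" does not describe the steps, which try to add 'bob' as an admin and expect the v1-format error; a title such as `Scenario: Adding an admin to a v1 vault is refused` would match. The only assertion after the downgrade is the output match, so the scenario would still pass if the command printed the message but exited successfully, or went on to modify the keys item. Adding an exit-status step (aruba ships one along the lines of `And the exit status should not be 0`; confirm against the pinned version) would pin the refusal itself. The `.` characters in the expected-output regex are unescaped and match any character, which is harmless here but looser than intended.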
@@ -1,5 +1,5 @@
1
1
  When /^I create a data bag '(.+)' containing the JSON '(.+)'$/ do |bag, json|
2
- write_file 'item.json', json
2
+ write_file "item.json", json
3
3
  run_simple "knife data bag create #{bag} -z -c knife.rb -d"
4
4
  run_simple "knife data bag from_file #{bag} -z -c knife.rb item.json"
5
5
  end
@@ -1,10 +1,10 @@
1
1
  Given(/^a local mode chef repo with nodes '(.+?)'(?: with admins '(.+?)')?$/) do |nodelist, adminlist|
2
2
  # create the repo directory hierarchy
3
- %w(cookbooks clients nodes data_bags).each do |dir|
4
- create_dir dir
3
+ %w{cookbooks clients nodes data_bags}.each do |dir|
4
+ create_directory dir
5
5
  end
6
6
  # create a basic knife.rb
7
- write_file 'knife.rb', <<EOF
7
+ write_file "knife.rb", <<EOF
8
8
  local_mode true
9
9
  chef_repo_path '.'
10
10
  chef_zero.enabled true
@@ -12,13 +12,13 @@ EOF
12
12
  # create the admin users and capture their private key we
13
13
  # always create an admin called 'admin' because otherwise subsequent
14
14
  # steps become annoying to determine who the admin is
15
- admins = %w(admin)
15
+ admins = %w{admin}
16
16
  admins.push(adminlist.split(/,/)) if adminlist
17
17
  admins.flatten.each do |admin|
18
18
  create_admin(admin)
19
19
  end
20
20
  # add the admin key to the knife configuration
21
- append_to_file 'knife.rb', <<EOF
21
+ append_to_file "knife.rb", <<EOF
22
22
  node_name 'admin'
23
23
  client_key 'admin.pem'
24
24
  EOF
@@ -53,13 +53,13 @@ def create_node(name)
53
53
  end
54
54
 
55
55
  def create_admin(admin)
56
- create_client(admin, '-a')
56
+ create_client(admin, "-a")
57
57
  end
58
58
 
59
59
  def create_client(name, args = nil)
60
60
  command = "knife client create #{name} -z -d -c knife.rb #{args} >#{name}.pem"
61
61
  run_simple command
62
- write_file("#{name}.pem", stdout_from(command))
62
+ write_file("#{name}.pem", last_command_started.stdout)
63
63
  end
64
64
 
65
65
  def delete_client(name)
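Review bot: The step definitions now call `create_directory` and `last_command_started.stdout`, but the gemspec in this release still declares `s.add_development_dependency "aruba", "~> 0.6"`. As far as I know these helpers are not present in the 0.6 series, so the constraint still admits aruba versions on which `create_client` and the repo-setup step would raise NoMethodError. Raising the lower bound to the first aruba release that provides both helpers (to be confirmed against aruba's changelog) keeps the declared and the actually required versions in agreement. The bodies of `create_client` and `delete_client` continue outside the visible hunk.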
@@ -1,30 +1,30 @@
1
- require 'json'
1
+ require "json"
2
2
 
3
3
  Given(/^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, json, nodelist, admins|
4
- write_file 'item.json', json
5
- query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
6
- adminarg = admins.nil? ? '-A admin' : "-A #{admins}"
4
+ write_file "item.json", json
5
+ query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
6
+ adminarg = admins.nil? ? "-A admin" : "-A #{admins}"
7
7
  run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} -S '#{query}' -J item.json", false
8
8
  end
9
9
 
10
10
  Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
11
- query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
11
+ query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
12
12
  run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? '--clean' : ''}"
13
13
  end
14
14
 
15
15
  Given(/^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |nodelist, vault, item, optionlist|
16
- query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
17
- options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
16
+ query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
17
+ options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
18
18
  run_simple "knife vault remove #{vault} #{item} -z -c knife.rb -S '#{query}' #{options}"
19
19
  end
20
20
 
21
21
  Given(/^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
22
- options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
22
+ options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
23
23
  run_simple "knife vault rotate keys #{vault} #{item} -c knife.rb -z #{options}"
24
24
  end
25
25
 
26
26
  Given(/^I rotate all keys with the '(.+)' options?$/) do |optionlist|
27
- options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
27
+ options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
28
28
  run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
29
29
  end
30
30
 
@@ -33,7 +33,7 @@ Given(/^I refresh the vault item '(.+)\/(.+)'$/) do |vault, item|
33
33
  end
34
34
 
35
35
  Given(/^I refresh the vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
36
- options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
36
+ options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
37
37
  run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z #{options}"
38
38
  end
39
39
 
@@ -45,7 +45,7 @@ Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/) do |
45
45
  nodes = nodelist.split(/,/)
46
46
  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
47
47
  run_simple(command)
48
- output = stdout_from(command)
48
+ output = last_command_started.stdout
49
49
  data = JSON.parse(output)
50
50
  nodes.each do |node|
51
51
  if neg
@@ -60,13 +60,13 @@ Given(/^'(.+)' should( not)? be a client for the vault item '(.+)\/(.+)'$/) do |
60
60
  nodes = nodelist.split(/,/)
61
61
  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
62
62
  run_simple(command)
63
- output = stdout_from(command)
63
+ output = last_command_started.stdout
64
64
  data = JSON.parse(output)
65
65
  nodes.each do |node|
66
66
  if neg
67
- expect(data['clients']).not_to include(node)
67
+ expect(data["clients"]).not_to include(node)
68
68
  else
69
- expect(data['clients']).to include(node)
69
+ expect(data["clients"]).to include(node)
70
70
  end
71
71
  end
72
72
  end
@@ -75,32 +75,32 @@ Given(/^'(.+)' should( not)? be an admin for the vault item '(.+)\/(.+)'$/) do |
75
75
  nodes = nodelist.split(/,/)
76
76
  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
77
77
  run_simple(command)
78
- output = stdout_from(command)
78
+ output = last_command_started.stdout
79
79
  data = JSON.parse(output)
80
80
  nodes.each do |node|
81
81
  if neg
82
- expect(data['admins']).not_to include(node)
82
+ expect(data["admins"]).not_to include(node)
83
83
  else
84
- expect(data['admins']).to include(node)
84
+ expect(data["admins"]).to include(node)
85
85
  end
86
86
  end
87
87
  end
88
88
 
89
89
  Given(/^I list the vaults$/) do
90
- run_simple('knife vault list')
90
+ run_simple("knife vault list")
91
91
  end
92
92
 
93
93
  Given(/^I can('t)? decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |neg, vault, item, client|
94
94
  run_simple "knife vault show #{vault} #{item} -c knife.rb -z -u #{client} -k #{client}.pem", false
95
95
  if neg
96
- assert_not_exit_status(0)
96
+ expect(last_command_started).not_to have_exit_status(0)
97
97
  else
98
- assert_exit_status(0)
98
+ expect(last_command_started).to have_exit_status(0)
99
99
  end
100
100
  end
101
101
 
102
- Given(/^I add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |newadmin, vault, item|
103
- run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}"
102
+ Given(/^I (try to )?add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |try, newadmin, vault, item|
103
+ run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}", !try
104
104
  end
105
105
 
106
106
  Given(/^I show the keys of the vault '(.+)'$/) do |vault|
@@ -114,3 +114,11 @@ end
114
114
  Given(/^I check the type of the data bag item '(.+)\/(.+)'$/) do |vault, item|
115
115
  run_simple "knife vault itemtype #{vault} #{item} -c knife.rb -z"
116
116
  end
117
+
118
+ Given(/^I downgrade the vault item '(.+)\/(.+)' to v1 syntax/) do |vault, item|
119
+ # v1 syntax doesn't have the admins, clients and search_query keys
120
+ keysfile = "tmp/aruba/data_bags/#{vault}/#{item}_keys.json"
121
+ data = JSON.parse(IO.read(keysfile))
122
+ %w{admins clients search_query}.each { |k| data.delete(k) }
123
+ IO.write(keysfile, JSON.generate(data))
124
+ end
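Review bot: The new downgrade step builds `keysfile` from the literal prefix `tmp/aruba/` and passes it to `IO.read`/`IO.write`, so it depends on the process working directory and on aruba's default sandbox location, while every other step goes through aruba helpers. If either differs, the step reads or rewrites a file outside the sandbox, and the `(.+)` captures for `vault` and `item` are interpolated into that path unchecked. Resolving the path through aruba, e.g. `keysfile = expand_path("data_bags/#{vault}/#{item}_keys.json")` (if the aruba version in use provides `expand_path`), keeps the write inside the scenario's directory. The step pattern also lacks the trailing `$` that the other definitions in this file use, so it matches any step text that merely starts with the phrase; end it with `to v1 syntax$/`.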