chef-vault 2.6.1 → 2.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 297b60d8521397a8eeeded373503b9edb33b3195
-  data.tar.gz: 41a79787ab86193433047cdd6d9df05653ba1bf8
+  metadata.gz: 40dc465e5a495bff36ec9b6aa4c59fe9ff4dc561
+  data.tar.gz: 6f51167bc5d529e6e04ca00029e88336ebdc1984
 SHA512:
-  metadata.gz: 807c5cf031f54b6bff3b505eaa0a832387369d49340fdd96fb0956d35fdc26d96be34695be6ac0a0a1be1d280219f1cf25d3fcfaa680234a37e6a4d6754c50ef
-  data.tar.gz: ea0973774c69df1a76e587d02e075209feee0ac01bfd590be9813889def4a147da057b907a8b66ca3dadbbdbc107f8fd83932ce638fd25ade5b45729098e6cfb
+  metadata.gz: 4c5a1f7080efdfe8794d77e1c291c8c46497ae9eb1cba6cfd5e208307b8019fb9a667ca9e83b7b96ec121c93cfa82b2721b864c221fea39e8cce289be3b921a5
+  data.tar.gz: a184ffb4f80758de736779b408a04faac9d4d11f9e4d91ceabeceb30b13f60f62371eb834ef03a089b6c4a53d7f8723737e2329be5b249aec0c2dd404b28c2ec

data/.rubocop.yml

@@ -1 +1,6 @@
-inherit_from: .rubocop_todo.yml
+AllCops:
+  Exclude:
+    - "spec/data/**/*"
+    - "vendor/**/*"
+    - "pkg/**/*"
+    - "tmp/**/*"

data/.travis.yml

@@ -1,18 +1,17 @@
 language: ruby
+branches:
+  only:
+    - master
 rvm:
-  - "1.9.3-p551"
-  - "2.0.0-p598"
+  - "2.0.0-p647"
   - "2.1.6"
   - "2.2.2"
 install: bundle install --binstubs
 env: TRAVIS_BUILD=true
-matrix:
-  allow_failures:
-    - rvm: "1.9.3-p551"
 notifications:
   webhooks:
     urls:
       - https://webhooks.gitter.im/e/60e610197dad8edc59f9
-    on_success: always
+    on_success: false
     on_failure: always
     on_start: false

data/CONTRIBUTING.md

@@ -7,7 +7,7 @@ request to be merged sooner.
 ### Create an Issue
 
 Each pull request should have a corresponding [Chef-Vault GitHub
-issue](https://github.com/Nordstrom/chef-vault/issues?state=open). Search the
+issue](https://github.com/chef/chef-vault/issues?state=open). Search the
 issue list to make sure someone hasn't already submitted a pull request to fix
 your issue. If not, please create a new issue.
 
@@ -21,7 +21,7 @@ guide](https://help.github.com/articles/fork-a-repo) for more info.
 ```bash
 $ git clone https://github.com/<username>/chef-vault.git
 $ cd chef-vault
-$ git remote add upstream https://github.com/Nordstrom/chef-vault.git
+$ git remote add upstream https://github.com/chef/chef-vault.git
 ```
 
 ### Create a Local Feature Branch

data/Gemfile

@@ -1,3 +1,5 @@
-source 'https://rubygems.org/'
+source "https://rubygems.org/"
+
+gem "chefstyle", git: "https://github.com/chef/chefstyle.git"
 
 gemspec

data/README.md

@@ -2,11 +2,11 @@
 
 [![Gem Version](https://badge.fury.io/rb/chef-vault.png)](http://badge.fury.io/rb/chef-vault)
 
-[![Build Status](https://travis-ci.org/Nordstrom/chef-vault.png?branch=master)](https://travis-ci.org/Nordstrom/chef-vault)
+[![Build Status](https://travis-ci.org/chef/chef-vault.png?branch=master)](https://travis-ci.org/chef/chef-vault)
 
-[![Inline docs](http://inch-ci.org/github/nordstrom/chef-vault.svg?branch=master)](http://inch-ci.org/github/nordstrom/chef-vault)
+[![Inline docs](http://inch-ci.org/github/chef/chef-vault.svg?branch=master)](http://inch-ci.org/github/chef/chef-vault)
 
-[![Code Climate](https://codeclimate.com/github/Nordstrom/chef-vault/badges/gpa.svg)](https://codeclimate.com/github/Nordstrom/chef-vault)
+[![Code Climate](https://codeclimate.com/github/chef/chef-vault/badges/gpa.svg)](https://codeclimate.com/github/chef/chef-vault)
 
 [![Join the chat at https://gitter.im/Nordstrom/chef-vault](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/Nordstrom/chef-vault)
 

data/Rakefile

@@ -1,53 +1,49 @@
-require 'bundler/gem_tasks'
+require "bundler/gem_tasks"
 
 # Style Tests
 begin
-  require 'rubocop/rake_task'
+  require "chefstyle"
+  require "rubocop/rake_task"
   RuboCop::RakeTask.new do |t|
-    t.formatters = ['progress']
-    t.options = ['-D']
-    t.patterns = %w(
-      lib/**/*.rb
-      spec/**/*.rb
-      ./Rakefile
-    )
+    t.formatters = ["progress"]
+    t.options = ["-D"]
   end
 
   # style is an alias for rubocop
   task style: :rubocop
 rescue LoadError
-  puts 'Rubocop not available; disabling rubocop tasks'
+  puts "ChefStyle not available; disabling style checking tasks"
 end
 
 # Unit Tests
 begin
-  require 'rspec/core/rake_task'
+  require "rspec/core/rake_task"
   RSpec::Core::RakeTask.new
 
   # Coverage
-  desc 'Generate unit test coverage report'
+  desc "Generate unit test coverage report"
   task :coverage do
-    ENV['COVERAGE'] = 'true'
+    ENV["COVERAGE"] = "true"
     Rake::Task[:spec].invoke
   end
 rescue LoadError
-  puts 'RSpec not available; disabling rspec tasks'
+  puts "RSpec not available; disabling rspec tasks"
   # create a no-op spec task for :default
   task :spec
 end
 
 # Feature Tests
 begin
-  require 'cucumber'
-  require 'cucumber/rake/task'
+  require "cucumber"
+  require "cucumber/rake/task"
   Cucumber::Rake::Task.new(:features)
 rescue LoadError
-  puts 'Cucumber/Aruba not available; disabling feature tasks'
+  puts "Cucumber/Aruba not available; disabling feature tasks"
   # create a no-op spec task for :default
   task :features
 end
 
-# test or the default task runs spec and features
-desc 'run all tests'
-task default: [:spec, :features]
+# test or the default task runs spec, features, style
+desc "run all tests"
+task default: [:spec, :features, :style]
 task test: :default

data/THEORY.md

@@ -48,7 +48,7 @@ These examples assume that I have two nodes in my Chef
 server/organization, named 'one' and 'two'.  I also have
 two administrators named 'alice' and 'bob'.
 
-Given a file named `item.json` containin the following:
+Given a file named `item.json` containing the following:
 
 ```json
 { "foo": "bar" }

data/UPGRADE.md

@@ -0,0 +1,55 @@
+# UPGRADING A v1 VAULT to v2
+
+chef-vault v2 added metadata to the vault to keep track of
+which secrets belong to admins and which belong to admins,
+as well as the search query to use during a `knife vault refresh`
+operation.
+
+You can use chef-vault v2 to decrypt v1 vaults, but the management
+operations are unable to intuit which of the secrets belong to
+clients and which belong to admins.  Fixing this error thus requires
+some manual intervention.
+
+If you attempt to use the management operations (refresh, update, etc.)
+on a v1 vault, you will get this error:
+
+    ChefVault::Exceptions::V1Format: cannot manage a v1 vault.  See UPGRADE.md for help
+
+To fix this, you need to edit the data bag item by hand.   Assuming a
+vault 'foo' with an item 'bar', run:
+
+    knife data bag edit foo bar_keys
+
+This will present you with a JSON representation of the extra data
+bag item managed by chef-vault.  It will have an id key as well as a key
+for every user for whom the vault item is encrypted:
+
+    {
+      "id" : "bar_keys",
+      "james" : "iWdGgm...\n",
+      "one" : "RjJ4rlh....\n",
+      "two" : "NHJlqnfd9...\n",
+      "three" : "GjXkrxq...\n"
+    }
+
+Add keys for 'admins', 'clients' and 'search_query':
+
+    {
+      "id" : "bar_keys",
+      "james" : "iWdGgm...\n",
+      "one" : "RjJ4rlh....\n",
+      "two" : "NHJlqnfd9...\n",
+      "three" : "GjXkrxq...\n",
+      "admins": [],
+      "clients": [],
+      "search_query": ""
+    }
+
+Save the edited data bag and run knife vault update with the appropriate values to populate those keys:
+
+    knife vault update foo bar -S 'name:*' -A james
+
+(set your search query to something appropriate for your environment)
+
+v2.7.0 of chef-vault may add some automation to this step, but for now this
+provides a way to upgrade without breaking your ability to manage things.

data/bin/chef-vault

@@ -18,7 +18,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'optparse'
+require "optparse"
 
 options_config = {
   chef: {
@@ -26,29 +26,29 @@ options_config = {
     long: "chef-config-file",
     description: "Chef config file",
     default: "/etc/chef/knife.rb",
-    optional: false
+    optional: false,
   },
   vault: {
     short: "v",
     long: "vault",
     description: "Vault to look in",
     default: nil,
-    optional: false
+    optional: false,
   },
   item: {
     short: "i",
     long: "item",
     description: "Item to decrypt in vault",
     default: nil,
-    optional: false
+    optional: false,
   },
   values: {
     short: "a",
     long: "values",
     description: "Values of item to decrypt in vault",
     default: nil,
-    optional: false
-  }
+    optional: false,
+  },
 }
 
 banner = "Usage: chef-vault "
@@ -82,9 +82,9 @@ options_config.each do |option, config|
   options[option] = options[option] ? options[option] : config[:default]
 end
 
-require 'rubygems'
+require "rubygems"
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
-require 'chef-vault'
+require "chef-vault"
 
 ChefVault.load_config(options[:chef])
 item = ChefVault::Item.load(options[:vault], options[:item])

data/chef-vault.gemspec

@@ -14,39 +14,39 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-$:.push File.expand_path('../lib', __FILE__)
-require 'chef-vault/version'
+$:.push File.expand_path("../lib", __FILE__)
+require "chef-vault/version"
 
 Gem::Specification.new do |s|
-  s.name             = 'chef-vault'
+  s.name             = "chef-vault"
   s.version          = ChefVault::VERSION
   s.has_rdoc         = true
-  s.authors          = ['Kevin Moser', 'James FitzGibbon']
-  s.email            = ['techcheftm@nordstrom.com']
-  s.summary          = 'Data encryption support for Chef using data bags'
+  s.authors          = ["Kevin Moser", "James FitzGibbon"]
+  s.email            = ["techcheftm@nordstrom.com"]
+  s.summary          = "Data encryption support for Chef using data bags"
   s.description      = s.summary
-  s.homepage         = 'https://github.com/Nordstrom/chef-vault'
+  s.homepage         = "https://github.com/chef/chef-vault"
 
-  s.license          = 'Apache License, v2.0'
+  s.license          = "Apache License, v2.0"
 
   s.files            = `git ls-files`.split("\n")
-  s.require_paths    = ['lib']
-  s.bindir           = 'bin'
-  s.executables      = %w( chef-vault )
-
-  s.add_development_dependency 'rake', '~> 10.4'
-  s.add_development_dependency 'rspec', '~> 3.2'
-  s.add_development_dependency 'aruba', '~> 0.6'
-  s.add_development_dependency 'simplecov', '~> 0.9'
-  s.add_development_dependency 'simplecov-console', '~> 0.2'
-  s.add_development_dependency 'rubocop', '~> 0.30'
+  s.require_paths    = ["lib"]
+  s.bindir           = "bin"
+  s.executables      = %w{ chef-vault }
+
+  s.add_development_dependency "rake", "~> 10.4"
+  s.add_development_dependency "rspec", "~> 3.2"
+  s.add_development_dependency "aruba", "~> 0.6"
+  s.add_development_dependency "simplecov", "~> 0.9"
+  s.add_development_dependency "simplecov-console", "~> 0.2"
+  s.add_development_dependency "rubocop", "~> 0.30"
   # Chef 12 and higher pull in Ohai 8, which needs Ruby v2
   # so only in the case of a CI build on ruby v1, we constrain
   # chef to 11 or lower so that we can maintain CI test coverage
   # of older versions
-  if ENV.key?('TRAVIS_BUILD') && RUBY_VERSION =~ /^1/
-    s.add_development_dependency 'chef', '~> 11.18'
+  if ENV.key?("TRAVIS_BUILD") && RUBY_VERSION =~ /^1/
+    s.add_development_dependency "chef", "~> 11.18"
   else
-    s.add_development_dependency 'chef', '>= 0.10.10'
+    s.add_development_dependency "chef", ">= 0.10.10"
   end
 end

data/features/detect_and_warn_v1_vault.feature

@@ -0,0 +1,15 @@
+Feature: Detect and Warn for v1 Vaults
+
+  chef-vault can read a v1 vault, but the management commands
+  tend to break when they try to deference v2 fields like
+  clients and admins.  They should detect and warn when trying
+  to access a v1 vault
+
+  Scenario: Add search query to v1 vault
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+    And I downgrade the vault item 'test/item' to v1 syntax
+    And I try to add 'bob' as an admin for the vault item 'test/item'
+    Then the output should match /cannot manage a v1 vault.  See UPGRADE.md for help/

data/features/step_definitions/chef-databag.rb

@@ -1,5 +1,5 @@
 When /^I create a data bag '(.+)' containing the JSON '(.+)'$/ do |bag, json|
-  write_file 'item.json', json
+  write_file "item.json", json
   run_simple "knife data bag create #{bag} -z -c knife.rb -d"
   run_simple "knife data bag from_file #{bag} -z -c knife.rb item.json"
 end

data/features/step_definitions/chef-repo.rb

@@ -1,10 +1,10 @@
 Given(/^a local mode chef repo with nodes '(.+?)'(?: with admins '(.+?)')?$/) do |nodelist, adminlist|
   # create the repo directory hierarchy
-  %w(cookbooks clients nodes data_bags).each do |dir|
-    create_dir dir
+  %w{cookbooks clients nodes data_bags}.each do |dir|
+    create_directory dir
   end
   # create a basic knife.rb
-  write_file 'knife.rb', <<EOF
+  write_file "knife.rb", <<EOF
 local_mode true
 chef_repo_path '.'
 chef_zero.enabled true
@@ -12,13 +12,13 @@ EOF
   # create the admin users and capture their private key we
   # always create an admin called 'admin' because otherwise subsequent
   # steps become annoying to determine who the admin is
-  admins = %w(admin)
+  admins = %w{admin}
   admins.push(adminlist.split(/,/)) if adminlist
   admins.flatten.each do |admin|
     create_admin(admin)
   end
   # add the admin key to the knife configuration
-  append_to_file 'knife.rb', <<EOF
+  append_to_file "knife.rb", <<EOF
 node_name 'admin'
 client_key 'admin.pem'
 EOF
@@ -53,13 +53,13 @@ def create_node(name)
 end
 
 def create_admin(admin)
-  create_client(admin, '-a')
+  create_client(admin, "-a")
 end
 
 def create_client(name, args = nil)
   command = "knife client create #{name} -z -d -c knife.rb #{args} >#{name}.pem"
   run_simple command
-  write_file("#{name}.pem", stdout_from(command))
+  write_file("#{name}.pem", last_command_started.stdout)
 end
 
 def delete_client(name)

data/features/step_definitions/chef-vault.rb

@@ -1,30 +1,30 @@
-require 'json'
+require "json"
 
 Given(/^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, json, nodelist, admins|
-  write_file 'item.json', json
-  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
-  adminarg = admins.nil? ? '-A admin' : "-A #{admins}"
+  write_file "item.json", json
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
+  adminarg = admins.nil? ? "-A admin" : "-A #{admins}"
   run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} -S '#{query}' -J item.json", false
 end
 
 Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
-  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
   run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? '--clean' : ''}"
 end
 
 Given(/^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |nodelist, vault, item, optionlist|
-  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
-  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
   run_simple "knife vault remove #{vault} #{item} -z -c knife.rb -S '#{query}' #{options}"
 end
 
 Given(/^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
-  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
   run_simple "knife vault rotate keys #{vault} #{item} -c knife.rb -z #{options}"
 end
 
 Given(/^I rotate all keys with the '(.+)' options?$/) do |optionlist|
-  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
   run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
 end
 
@@ -33,7 +33,7 @@ Given(/^I refresh the vault item '(.+)\/(.+)'$/) do |vault, item|
 end
 
 Given(/^I refresh the vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
-  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
   run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z #{options}"
 end
 
@@ -45,7 +45,7 @@ Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/) do |
   nodes = nodelist.split(/,/)
   command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
   run_simple(command)
-  output = stdout_from(command)
+  output = last_command_started.stdout
   data = JSON.parse(output)
   nodes.each do |node|
     if neg
@@ -60,13 +60,13 @@ Given(/^'(.+)' should( not)? be a client for the vault item '(.+)\/(.+)'$/) do |
   nodes = nodelist.split(/,/)
   command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
   run_simple(command)
-  output = stdout_from(command)
+  output = last_command_started.stdout
   data = JSON.parse(output)
   nodes.each do |node|
     if neg
-      expect(data['clients']).not_to include(node)
+      expect(data["clients"]).not_to include(node)
     else
-      expect(data['clients']).to include(node)
+      expect(data["clients"]).to include(node)
     end
   end
 end
@@ -75,32 +75,32 @@ Given(/^'(.+)' should( not)? be an admin for the vault item '(.+)\/(.+)'$/) do |
   nodes = nodelist.split(/,/)
   command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
   run_simple(command)
-  output = stdout_from(command)
+  output = last_command_started.stdout
   data = JSON.parse(output)
   nodes.each do |node|
     if neg
-      expect(data['admins']).not_to include(node)
+      expect(data["admins"]).not_to include(node)
     else
-      expect(data['admins']).to include(node)
+      expect(data["admins"]).to include(node)
     end
   end
 end
 
 Given(/^I list the vaults$/) do
-  run_simple('knife vault list')
+  run_simple("knife vault list")
 end
 
 Given(/^I can('t)? decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |neg, vault, item, client|
   run_simple "knife vault show #{vault} #{item} -c knife.rb -z -u #{client} -k #{client}.pem", false
   if neg
-    assert_not_exit_status(0)
+    expect(last_command_started).not_to have_exit_status(0)
   else
-    assert_exit_status(0)
+    expect(last_command_started).to have_exit_status(0)
   end
 end
 
-Given(/^I add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |newadmin, vault, item|
-  run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}"
+Given(/^I (try to )?add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |try, newadmin, vault, item|
+  run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}", !try
 end
 
 Given(/^I show the keys of the vault '(.+)'$/) do |vault|
@@ -114,3 +114,11 @@ end
 Given(/^I check the type of the data bag item '(.+)\/(.+)'$/) do |vault, item|
   run_simple "knife vault itemtype #{vault} #{item} -c knife.rb -z"
 end
+
+Given(/^I downgrade the vault item '(.+)\/(.+)' to v1 syntax/) do |vault, item|
+  # v1 syntax doesn't have the admins, clients and search_query keys
+  keysfile = "tmp/aruba/data_bags/#{vault}/#{item}_keys.json"
+  data = JSON.parse(IO.read(keysfile))
+  %w{admins clients search_query}.each { |k| data.delete(k) }
+  IO.write(keysfile, JSON.generate(data))
+end