chef-vault 2.6.1 → 2.7.1

data/features/step_definitions/chef_databagitem.rb

@@ -1,9 +1,9 @@
 Given(/^I create a data bag item '(.+)\/(.+)' containing the JSON '(.+)'$/) do |databag, _, json|
-  write_file 'item.json', json
+  write_file "item.json", json
   run_simple "knife data bag from file #{databag} item.json -z -c knife.rb", false
 end
 
 Given(/^I create an encrypted data bag item '(.+)\/(.+)' containing the JSON '(.+)' with the secret '(.+)'$/) do |databag, _, json, secret|
-  write_file 'item.json', json
+  write_file "item.json", json
   run_simple "knife data bag from file #{databag} item.json -s #{secret} -z -c knife.rb", false
 end

data/features/support/env.rb

@@ -1,8 +1,8 @@
-if ENV['COVERAGE']
-  require 'simplecov'
+if ENV["COVERAGE"]
+  require "simplecov"
 end
 
-require 'aruba/cucumber'
+require "aruba/cucumber"
 
 # Travis runs tests in a limited environment which takes a long time to invoke
 # the knife command.  Up the timeout when we're in a travis build based on the

data/lib/chef-vault.rb

@@ -16,21 +16,21 @@
 # limitations under the License.
 #
 
-require 'chef/search/query'
-require 'chef/version'
-require 'chef/config'
-require 'chef/api_client'
-require 'chef/data_bag_item'
-require 'chef/encrypted_data_bag_item'
-require 'chef/user'
-require 'chef-vault/version'
-require 'chef-vault/exceptions'
-require 'chef-vault/item'
-require 'chef-vault/item_keys'
-require 'chef-vault/user'
-require 'chef-vault/certificate'
-require 'chef-vault/chef_patch/api_client'
-require 'chef-vault/chef_patch/user'
+require "chef/search/query"
+require "chef/version"
+require "chef/config"
+require "chef/api_client"
+require "chef/data_bag_item"
+require "chef/encrypted_data_bag_item"
+require "chef/user"
+require "chef-vault/version"
+require "chef-vault/exceptions"
+require "chef-vault/item"
+require "chef-vault/item_keys"
+require "chef-vault/user"
+require "chef-vault/certificate"
+require "chef-vault/chef_patch/api_client"
+require "chef-vault/chef_patch/user"
 
 class ChefVault
   attr_accessor :vault

data/lib/chef-vault/chef_patch/api_client.rb

@@ -25,15 +25,15 @@ class ChefVault
           response
         else
           client = Chef::ApiClient.new
-          client.name(response['clientname'])
+          client.name(response["clientname"] || response["name"])
 
-          if response['certificate']
-            der = OpenSSL::X509::Certificate.new response['certificate']
+          if response["certificate"]
+            der = OpenSSL::X509::Certificate.new response["certificate"]
             client.public_key der.public_key.to_s
           end
 
-          if response['public_key']
-            der = OpenSSL::PKey::RSA.new response['public_key']
+          if response["public_key"]
+            der = OpenSSL::PKey::RSA.new response["public_key"]
             client.public_key der.public_key.to_s
           end
 

data/lib/chef-vault/chef_patch/user.rb

@@ -21,11 +21,11 @@ class ChefVault
       # set correctly for Chef 10 server
       def superclass.from_hash(user_hash)
         user = Chef::User.new
-        user.name user_hash['username'] ? user_hash['username'] : user_hash['name']
-        user.private_key user_hash['private_key'] if user_hash.key?('private_key')
-        user.password user_hash['password'] if user_hash.key?('password')
-        user.public_key user_hash['public_key']
-        user.admin user_hash['admin']
+        user.name user_hash["username"] ? user_hash["username"] : user_hash["name"]
+        user.private_key user_hash["private_key"] if user_hash.key?("private_key")
+        user.password user_hash["password"] if user_hash.key?("password")
+        user.public_key user_hash["public_key"]
+        user.admin user_hash["admin"]
         user
       end
     end

data/lib/chef-vault/exceptions.rb

@@ -48,5 +48,8 @@ class ChefVault
 
     class IdMismatch < Exceptions
     end
+
+    class V1Format < Exceptions
+    end
   end
 end

data/lib/chef-vault/item.rb

@@ -14,10 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'securerandom'
+require "securerandom"
+require "chef-vault/mixins"
 
 class ChefVault
   class Item < Chef::DataBagItem
+    include ChefVault::Mixins
+
     # @!attribute [rw] keys
     #   @return [ChefVault::ItemKeys] the keys associated with this vault
     attr_accessor :keys
@@ -60,7 +63,7 @@ class ChefVault
       @encrypted = false
       opts = {
         :node_name => Chef::Config[:node_name],
-        :client_key_path => Chef::Config[:client_key]
+        :client_key_path => Chef::Config[:client_key],
       }.merge(opts)
       @node_name = opts[:node_name]
       @client_key_path = opts[:client_key_path]
@@ -192,13 +195,13 @@ class ChefVault
       super
     end
 
-    def save(item_id=@raw_data['id'])
+    def save(item_id=@raw_data["id"])
       # validate the format of the id before attempting to save
       validate_id!(item_id)
 
       # ensure that the ID of the vault hasn't changed since the keys
       # data bag item was created
-      keys_id = keys['id'].match(/^(.+)_keys/)[1]
+      keys_id = keys["id"].match(/^(.+)_keys/)[1]
       if keys_id != item_id
         raise ChefVault::Exceptions::IdMismatch,
           "id mismatch - input JSON has id '#{item_id}' but vault item has id '#{keys_id}'"
@@ -217,16 +220,7 @@ class ChefVault
 
       # Now save the encrypted data
       if Chef::Config[:solo]
-        data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
-        data_bag_item_path = File.join(data_bag_path, item_id)
-
-        FileUtils.mkdir(data_bag_path) unless File.exist?(data_bag_path)
-        File.open("#{data_bag_item_path}.json", 'w') do |file|
-          file.write(JSON.pretty_generate(raw_data))
-        end
-
-        raw_data
+        save_solo(item_id)
       else
         begin
           Chef::DataBag.load(data_bag)
@@ -317,7 +311,7 @@ class ChefVault
       # and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
       dbi = Chef::DataBagItem.load(vault, name)
       encrypted = dbi.detect do |_, v|
-        v.is_a?(Hash) && v.key?('encrypted_data')
+        v.is_a?(Hash) && v.key?("encrypted_data")
       end
 
       # return a symbol describing the type of item we detected
@@ -340,9 +334,9 @@ class ChefVault
       unless search
         raise ChefVault::Exceptions::SearchNotFound,
               "#{vault}/#{item} does not have a stored search_query, "\
-              'probably because it was created with an older version '\
+              "probably because it was created with an older version "\
               "of chef-vault. Use 'knife vault update' to update the "\
-              'databag with the search query.'
+              "databag with the search query."
       end
 
       # a bit of a misnomer; this doesn't remove unknown
@@ -474,14 +468,14 @@ class ChefVault
     # @param client [Chef::ApiClient] the API client to add
     # @return [void]
     def add_client(client)
-      keys.add(client, @secret, 'clients')
+      keys.add(client, @secret, "clients")
     end
 
     # removes a client to the vault item keys
     # @param client_or_node [Chef::ApiClient,Chef::Node] the API client or node to remove
     # @return [void]
     def delete_client_or_node(client_or_node)
-      keys.delete(client_or_node.name, 'clients')
+      keys.delete(client_or_node.name, "clients")
     end
   end
 end

data/lib/chef-vault/item_keys.rb

@@ -14,8 +14,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "chef-vault/mixins"
+
 class ChefVault
   class ItemKeys < Chef::DataBagItem
+
+    include ChefVault::Mixins
+
     def initialize(vault, name)
       super() # parentheses required to strip off parameters
       @data_bag = vault
@@ -30,6 +35,10 @@ class ChefVault
     end
 
     def add(chef_client, data_bag_shared_secret, type)
+      unless @raw_data.key?(type)
+        raise ChefVault::Exceptions::V1Format,
+              "cannot manage a v1 vault.  See UPGRADE.md for help"
+      end
       public_key = OpenSSL::PKey::RSA.new chef_client.public_key
       self[chef_client.name] =
         Base64.encode64(public_key.public_encrypt(data_bag_shared_secret))
@@ -59,18 +68,9 @@ class ChefVault
       @raw_data["admins"]
     end
 
-    def save(item_id=@raw_data['id'])
+    def save(item_id=@raw_data["id"])
       if Chef::Config[:solo]
-        data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
-        data_bag_item_path = File.join(data_bag_path, item_id)
-
-        FileUtils.mkdir(data_bag_path) unless File.exist?(data_bag_path)
-        File.open("#{data_bag_item_path}.json", 'w') do |file|
-          file.write(JSON.pretty_generate(raw_data))
-        end
-
-        raw_data
+        save_solo(item_id)
       else
         begin
           Chef::DataBag.load(data_bag)
@@ -117,13 +117,13 @@ class ChefVault
       rescue Net::HTTPServerException => http_error
         if http_error.response.code == "404"
           raise ChefVault::Exceptions::KeysNotFound,
-                "#{vault}/#{name} could not be found"
+            "#{vault}/#{name} could not be found"
         else
           raise http_error
         end
       rescue Chef::Exceptions::ValidationFailed
         raise ChefVault::Exceptions::KeysNotFound,
-              "#{vault}/#{name} could not be found"
+          "#{vault}/#{name} could not be found"
       end
 
       from_data_bag_item(data_bag_item)

data/lib/chef-vault/mixins.rb

@@ -0,0 +1,36 @@
+class ChefVault
+  module Mixins
+    # In Chef 12, Chef Solo can have an array of data_bag paths, rather
+    # than just a string. To cope with that, we'll:
+    #  1. Look for an existing data bag item in any of the configured
+    #     paths and use that by preference
+    #  1. Otherwise, just use the first location in the array
+    def find_solo_path(item_id)
+      if Chef::Config[:data_bag_path].kind_of?(Array)
+        path = Chef::Config[:data_bag_path].find { |dir|
+          File.exist?(File.join(dir, data_bag, "#{item_id}.json"))
+        }
+
+        path ||= Chef::Config[:data_bag_path].first
+        data_bag_path = File.join(path, data_bag)
+      else
+        data_bag_path = File.join(Chef::Config[:data_bag_path],
+                                  data_bag)
+      end
+      data_bag_item_path = File.join(data_bag_path, item_id) + ".json"
+
+      [data_bag_path, data_bag_item_path]
+    end
+
+    def save_solo(item_id=@raw_data["id"])
+      data_bag_path, data_bag_item_path = find_solo_path(item_id)
+
+      FileUtils.mkdir(data_bag_path) unless File.exist?(data_bag_path)
+      File.open(data_bag_item_path, "w") do |file|
+        file.write(JSON.pretty_generate(raw_data))
+      end
+
+      raw_data
+    end
+  end
+end

data/lib/chef-vault/version.rb

@@ -1,5 +1,6 @@
 # Description: ChefVault VERSION file
 # Copyright 2013-15, Nordstrom, Inc.
+# Copyright 2015-2016, Chef Software, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = '2.6.1'
-  MAJOR, MINOR, TINY = VERSION.split('.')
+  VERSION = "2.7.1"
+  MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/lib/chef/knife/decrypt.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife/vault_base'
-require 'chef/knife/vault_decrypt'
+require "chef/knife/vault_base"
+require "chef/knife/vault_decrypt"
 
 class Chef
   class Knife

data/lib/chef/knife/encrypt_create.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife/vault_base'
-require 'chef/knife/vault_create'
+require "chef/knife/vault_base"
+require "chef/knife/vault_create"
 
 class Chef
   class Knife
@@ -24,23 +24,23 @@ class Chef
       banner "knife encrypt create VAULT ITEM VALUES (options)"
 
       option :search,
-        :short => '-S SEARCH',
-        :long => '--search SEARCH',
-        :description => 'Chef SOLR search for clients'
+        :short => "-S SEARCH",
+        :long => "--search SEARCH",
+        :description => "Chef SOLR search for clients"
 
       option :admins,
-        :short => '-A ADMINS',
-        :long => '--admins ADMINS',
-        :description => 'Chef users to be added as admins'
+        :short => "-A ADMINS",
+        :long => "--admins ADMINS",
+        :description => "Chef users to be added as admins"
 
       option :json,
-        :short => '-J FILE',
-        :long => '--json FILE',
-        :description => 'File containing JSON data to encrypt'
+        :short => "-J FILE",
+        :long => "--json FILE",
+        :description => "File containing JSON data to encrypt"
 
       option :file,
-        :long => '--file FILE',
-        :description => 'File to be added to vault item as file-content'
+        :long => "--file FILE",
+        :description => "File to be added to vault item as file-content"
 
       def run
         $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."

data/lib/chef/knife/encrypt_delete.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife/vault_base'
-require 'chef/knife/vault_delete'
+require "chef/knife/vault_base"
+require "chef/knife/vault_delete"
 
 class Chef
   class Knife

data/lib/chef/knife/encrypt_remove.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife/vault_base'
-require 'chef/knife/vault_remove'
+require "chef/knife/vault_base"
+require "chef/knife/vault_remove"
 
 class Chef
   class Knife
@@ -24,14 +24,14 @@ class Chef
       banner "knife encrypt remove VAULT ITEM VALUES (options)"
 
       option :search,
-        :short => '-S SEARCH',
-        :long => '--search SEARCH',
-        :description => 'Chef SOLR search for clients'
+        :short => "-S SEARCH",
+        :long => "--search SEARCH",
+        :description => "Chef SOLR search for clients"
 
       option :admins,
-        :short => '-A ADMINS',
-        :long => '--admins ADMINS',
-        :description => 'Chef users to be added as admins'
+        :short => "-A ADMINS",
+        :long => "--admins ADMINS",
+        :description => "Chef users to be added as admins"
 
       def run
         $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."

data/lib/chef/knife/encrypt_rotate_keys.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife/vault_base'
-require 'chef/knife/vault_rotate_keys'
+require "chef/knife/vault_base"
+require "chef/knife/vault_rotate_keys"
 
 class Chef
   class Knife

data/lib/chef/knife/encrypt_update.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require 'chef/knife/vault_base'
-require 'chef/knife/vault_update'
+require "chef/knife/vault_base"
+require "chef/knife/vault_update"
 
 class Chef
   class Knife
@@ -22,23 +22,23 @@ class Chef
       include Knife::VaultBase
 
       option :search,
-        :short => '-S SEARCH',
-        :long => '--search SEARCH',
-        :description => 'Chef SOLR search for clients'
+        :short => "-S SEARCH",
+        :long => "--search SEARCH",
+        :description => "Chef SOLR search for clients"
 
       option :admins,
-        :short => '-A ADMINS',
-        :long => '--admins ADMINS',
-        :description => 'Chef users to be added as admins'
+        :short => "-A ADMINS",
+        :long => "--admins ADMINS",
+        :description => "Chef users to be added as admins"
 
       option :json,
-        :short => '-J FILE',
-        :long => '--json FILE',
-        :description => 'File containing JSON data to encrypt'
+        :short => "-J FILE",
+        :long => "--json FILE",
+        :description => "File containing JSON data to encrypt"
 
       option :file,
-        :long => '--file FILE',
-        :description => 'File to be added to vault item as file-content'
+        :long => "--file FILE",
+        :description => "File to be added to vault item as file-content"
 
       banner "knife encrypt update VAULT ITEM VALUES (options)"