chef-vault 2.6.1 → 2.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.rubocop.yml +6 -1
- data/.travis.yml +5 -6
- data/CONTRIBUTING.md +2 -2
- data/Gemfile +3 -1
- data/README.md +3 -3
- data/Rakefile +16 -20
- data/THEORY.md +1 -1
- data/UPGRADE.md +55 -0
- data/bin/chef-vault +8 -8
- data/chef-vault.gemspec +21 -21
- data/features/detect_and_warn_v1_vault.feature +15 -0
- data/features/step_definitions/chef-databag.rb +1 -1
- data/features/step_definitions/chef-repo.rb +7 -7
- data/features/step_definitions/chef-vault.rb +30 -22
- data/features/step_definitions/chef_databagitem.rb +2 -2
- data/features/support/env.rb +3 -3
- data/lib/chef-vault.rb +15 -15
- data/lib/chef-vault/chef_patch/api_client.rb +5 -5
- data/lib/chef-vault/chef_patch/user.rb +5 -5
- data/lib/chef-vault/exceptions.rb +3 -0
- data/lib/chef-vault/item.rb +13 -19
- data/lib/chef-vault/item_keys.rb +13 -13
- data/lib/chef-vault/mixins.rb +36 -0
- data/lib/chef-vault/version.rb +3 -2
- data/lib/chef/knife/decrypt.rb +2 -2
- data/lib/chef/knife/encrypt_create.rb +13 -13
- data/lib/chef/knife/encrypt_delete.rb +2 -2
- data/lib/chef/knife/encrypt_remove.rb +8 -8
- data/lib/chef/knife/encrypt_rotate_keys.rb +2 -2
- data/lib/chef/knife/encrypt_update.rb +13 -13
- data/lib/chef/knife/mixin/compat.rb +2 -2
- data/lib/chef/knife/vault_admins.rb +3 -3
- data/lib/chef/knife/vault_base.rb +9 -9
- data/lib/chef/knife/vault_create.rb +13 -13
- data/lib/chef/knife/vault_decrypt.rb +2 -2
- data/lib/chef/knife/vault_delete.rb +1 -1
- data/lib/chef/knife/vault_download.rb +2 -2
- data/lib/chef/knife/vault_edit.rb +6 -6
- data/lib/chef/knife/vault_isvault.rb +4 -4
- data/lib/chef/knife/vault_itemtype.rb +4 -4
- data/lib/chef/knife/vault_list.rb +4 -4
- data/lib/chef/knife/vault_refresh.rb +3 -3
- data/lib/chef/knife/vault_remove.rb +9 -9
- data/lib/chef/knife/vault_rotate_all_keys.rb +4 -4
- data/lib/chef/knife/vault_rotate_keys.rb +3 -3
- data/lib/chef/knife/vault_show.rb +12 -12
- data/lib/chef/knife/vault_update.rb +15 -15
- data/spec/chef-vault/certificate_spec.rb +7 -7
- data/spec/chef-vault/item_keys_spec.rb +53 -6
- data/spec/chef-vault/item_spec.rb +110 -110
- data/spec/chef-vault/user_spec.rb +6 -6
- data/spec/chef-vault_spec.rb +10 -10
- data/spec/spec_helper.rb +3 -3
- metadata +7 -6
- data/.rubocop_todo.yml +0 -101
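--- a/data/lib/chef/knife/mixin/compat.rb
+++ b/data/lib/chef/knife/mixin/compat.rb
@@ -18,13 +18,13 @@
 class ChefVault
 module Mixin
 module KnifeCompat
-require
+require "chef/version"
 def extend_context_object(obj)
 if Chef::VERSION.to_i >= 11
 require "chef/shell/ext"
 Shell::Extensions.extend_context_object(obj)
 else
-require
+require "chef/shef/ext"
 Shef::Extensions.extend_context_object(obj)
 end
 end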
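--- a/data/lib/chef/knife/vault_admins.rb
+++ b/data/lib/chef/knife/vault_admins.rb
@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
-require
+require "chef/knife"
+require "chef-vault"
 
 class Chef
 class Knife
@@ -32,7 +32,7 @@ class Chef
 admin_array += vault_admins
 end
 
-admin_array.join(
+admin_array.join(",")
 end
 end
 end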
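--- a/data/lib/chef/knife/vault_base.rb
+++ b/data/lib/chef/knife/vault_base.rb
@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
-require
+require "chef/knife"
+require "chef-vault"
 
 class Chef
 class Knife
@@ -22,17 +22,17 @@ class Chef
 def self.included(includer)
 includer.class_eval do
 deps do
-require
-require File.expand_path(
-require File.expand_path(
+require "chef/search/query"
+require File.expand_path("../mixin/compat", __FILE__)
+require File.expand_path("../mixin/helper", __FILE__)
 include ChefVault::Mixin::KnifeCompat
 include ChefVault::Mixin::Helper
 end
 
 option :vault_mode,
-:short =>
-:long =>
-:description =>
+:short => "-M MODE",
+:long => "--mode MODE",
+:description => "Chef mode to run in default - solo",
 :proc => proc { |i| Chef::Config[:knife][:vault_mode] = i }
 end
 end
@@ -53,7 +53,7 @@ class Chef
 # there must be an equal number of keyline and not-keylike items
 return false unless keylike.size == notkeylike.size
 # strip the _keys suffix and check if the sets match
-keylike.map! { |k| k.gsub(/_keys$/,
+keylike.map! { |k| k.gsub(/_keys$/, "") }
 return false unless keylike.sort == notkeylike.sort
 # it's (probably) a vault
 true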
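Review bot: The suffix strip in the third hunk, `keylike.map! { |k| k.gsub(/_keys$/, "") }`, anchors with `$`, which matches before any newline rather than only at the end of the string, so a key that merely contains a line ending in `_keys` would pass the vault-shape check. Data bag item ids probably never contain newlines, but `\z` says what is meant and costs nothing: `keylike.map! { |k| k.gsub(/_keys\z/, "") }`. The same `$` anchoring appears in the `/.+_keys$/` guard of `vault_items` in data/lib/chef/knife/vault_rotate_all_keys.rb. The enclosing method begins before this hunk, and its `keylike`/`notkeylike` split is not visible here.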
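--- a/data/lib/chef/knife/vault_create.rb
+++ b/data/lib/chef/knife/vault_create.rb
@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
-require
+require "chef/knife/vault_base"
+require "chef/knife/vault_admins"
 
 class Chef
 class Knife
@@ -25,23 +25,23 @@ class Chef
 banner "knife vault create VAULT ITEM VALUES (options)"
 
 option :search,
-:short =>
-:long =>
-:description =>
+:short => "-S SEARCH",
+:long => "--search SEARCH",
+:description => "Chef SOLR search for clients"
 
 option :admins,
-:short =>
-:long =>
-:description =>
+:short => "-A ADMINS",
+:long => "--admins ADMINS",
+:description => "Chef users to be added as admins"
 
 option :json,
-:short =>
-:long =>
-:description =>
+:short => "-J FILE",
+:long => "--json FILE",
+:description => "File containing JSON data to encrypt"
 
 option :file,
-:long =>
-:description =>
+:long => "--file FILE",
+:description => "File to be added to vault item as file-content"
 
 def run
 vault = @name_args[0]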
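--- a/data/lib/chef/knife/vault_decrypt.rb
+++ b/data/lib/chef/knife/vault_decrypt.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -41,7 +41,7 @@ class Chef
 vault_item = ChefVault::Item.load(vault, item).raw_data
 
 if values
-included_values = %w
+included_values = %w{id}
 
 values.split(",").each do |value|
 value.strip! # remove white space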
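--- a/data/lib/chef/knife/vault_download.rb
+++ b/data/lib/chef/knife/vault_download.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -32,7 +32,7 @@ class Chef
 if vault && item && path
 vault_item = ChefVault::Item.load(vault, item)
 File.open(path, "w") do |file|
-file.write(vault_item[
+file.write(vault_item["file-content"])
 end
 ui.info("Saved #{vault_item['file-name']} as #{path}")
 else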
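Review bot: `file.write(vault_item["file-content"])` in the second hunk writes the decrypted vault payload to `path`, but the surrounding `File.open(path, "w")` creates the file with whatever the process umask allows, so on a typical 022 umask the plaintext lands world-readable. Since this command exists to materialize secret material, the file should be created owner-only: `File.open(path, "w", 0600) do |file|`. This does not help when `path` already exists with loose permissions, which is worth a sentence in the command's documentation. The enclosing `run` starts before the hunk and its `else` branch continues after it.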
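--- a/data/lib/chef/knife/vault_edit.rb
+++ b/data/lib/chef/knife/vault_edit.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,9 +23,9 @@ class Chef
 banner "knife vault edit VAULT ITEM (options)"
 
 option :mode,
-:short =>
-:long =>
-:description =>
+:short => "-M MODE",
+:long => "--mode MODE",
+:description => "Chef mode to run in default - solo"
 
 def run
 vault = @name_args[0]
@@ -37,13 +37,13 @@ class Chef
 begin
 vault_item = ChefVault::Item.load(vault, item)
 
-filtered_vault_data = vault_item.raw_data.select{|x| x !=
+filtered_vault_data = vault_item.raw_data.select{|x| x != "id"}
 
 updated_vault_json = edit_data(filtered_vault_data)
 
 # Clean out contents of existing local vault_item
 vault_item.raw_data.each do |key, _|
-vault_item.remove(key) unless key ==
+vault_item.remove(key) unless key == "id"
 end
 
 # write new vault_item key/value pairs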
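Review bot: The filter in the third hunk, `vault_item.raw_data.select{|x| x != "id"}`, only works because Hash#select passes key and value as separate arguments and a one-parameter block keeps just the key; a reader has to know that to see that `x` is the key. Writing it as `filtered_vault_data = vault_item.raw_data.reject { |key, _| key == "id" }` states the intent directly and matches the `|key, _|` form used by the removal loop a few lines below. The `begin` that opens this hunk is closed outside it.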
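--- a/data/lib/chef/knife/vault_isvault.rb
+++ b/data/lib/chef/knife/vault_isvault.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,9 +23,9 @@ class Chef
 banner "knife vault isvault VAULT ITEM (options)"
 
 option :mode,
-:short =>
-:long =>
-:description =>
+:short => "-M MODE",
+:long => "--mode MODE",
+:description => "Chef mode to run in default - solo"
 
 def run
 vault = @name_args[0]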
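--- a/data/lib/chef/knife/vault_itemtype.rb
+++ b/data/lib/chef/knife/vault_itemtype.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,9 +23,9 @@ class Chef
 banner "knife vault itemtype VAULT ITEM (options)"
 
 option :mode,
-:short =>
-:long =>
-:description =>
+:short => "-M MODE",
+:long => "--mode MODE",
+:description => "Chef mode to run in default - solo"
 
 def run
 vault = @name_args[0]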
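--- a/data/lib/chef/knife/vault_list.rb
+++ b/data/lib/chef/knife/vault_list.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,9 +23,9 @@ class Chef
 banner "knife vault list (options)"
 
 option :mode,
-:short =>
-:long =>
-:description =>
+:short => "-M MODE",
+:long => "--mode MODE",
+:description => "Chef mode to run in default - solo"
 
 def run
 set_mode(config[:vault_mode])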
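--- a/data/lib/chef/knife/vault_refresh.rb
+++ b/data/lib/chef/knife/vault_refresh.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,8 +23,8 @@ class Chef
 banner "knife vault refresh VAULT ITEM"
 
 option :clean_unknown_clients,
-:long =>
-:description =>
+:long => "--clean-unknown-clients",
+:description => "Remove unknown clients during refresh"
 
 def run
 vault = @name_args[0]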
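--- a/data/lib/chef/knife/vault_remove.rb
+++ b/data/lib/chef/knife/vault_remove.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,18 +23,18 @@ class Chef
 banner "knife vault remove VAULT ITEM VALUES (options)"
 
 option :search,
-:short =>
-:long =>
-:description =>
+:short => "-S SEARCH",
+:long => "--search SEARCH",
+:description => "Chef SOLR search for clients"
 
 option :admins,
-:short =>
-:long =>
-:description =>
+:short => "-A ADMINS",
+:long => "--admins ADMINS",
+:description => "Chef users to be added as admins"
 
 option :clean_unknown_clients,
-:long =>
-:description =>
+:long => "--clean-unknown-clients",
+:description => "Remove unknown clients during key rotation"
 
 def run
 vault = @name_args[0]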
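--- a/data/lib/chef/knife/vault_rotate_all_keys.rb
+++ b/data/lib/chef/knife/vault_rotate_all_keys.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,8 +23,8 @@ class Chef
 banner "knife vault rotate all keys"
 
 option :clean_unknown_clients,
-:long =>
-:description =>
+:long => "--clean-unknown-clients",
+:description => "Remove unknown clients during key rotation"
 
 def run
 clean_unknown_clients = config[:clean_unknown_clients]
@@ -47,7 +47,7 @@ class Chef
 
 def vault_items(vault)
 Chef::DataBag.load(vault).keys.each_with_object([]) do |key, array|
-array << key.sub(
+array << key.sub("_keys", "") if key.match(/.+_keys$/)
 end
 end
 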
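Review bot: In the third hunk, `array << key.sub("_keys", "") if key.match(/.+_keys$/)` guards on a `_keys` suffix but then removes the first `_keys` found anywhere in the id, so an item whose name contains `_keys` in the middle (a constructed example: `app_keys_db_keys` becomes `app_db_keys`, not `app_keys_db`) would be rotated under the wrong item name. Stripping with the same anchored pattern as the guard keeps the two in step: `array << key.sub(/_keys\z/, "") if key.match(/.+_keys\z/)`. Whether such ids can occur depends on data bag id validation that is not visible here, but the anchored form is no more expensive and removes the doubt.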
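--- a/data/lib/chef/knife/vault_rotate_keys.rb
+++ b/data/lib/chef/knife/vault_rotate_keys.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,8 +23,8 @@ class Chef
 banner "knife vault rotate keys VAULT ITEM (options)"
 
 option :clean_unknown_clients,
-:long =>
-:description =>
+:long => "--clean-unknown-clients",
+:description => "Remove unknown clients during key rotation"
 
 def run
 vault = @name_args[0]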
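--- a/data/lib/chef/knife/vault_show.rb
+++ b/data/lib/chef/knife/vault_show.rb
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
+require "chef/knife/vault_base"
 
 class Chef
 class Knife
@@ -23,14 +23,14 @@ class Chef
 banner "knife vault show VAULT [ITEM] [VALUES] (options)"
 
 option :mode,
-:short =>
-:long =>
-:description =>
+:short => "-M MODE",
+:long => "--mode MODE",
+:description => "Chef mode to run in default - solo"
 
 option :print,
-:short =>
-:long =>
-:description =>
+:short => "-p TYPE",
+:long => "--print TYPE",
+:description => "Print extra vault data, can be search, admins, clients or all"
 
 def run
 vault = @name_args[0]
@@ -55,13 +55,13 @@ class Chef
 
 if config[:print]
 case config[:print]
-when
+when "search"
 extra_data["search_query"] = vault_item.search
-when
+when "admins"
 extra_data["admins"] = vault_item.admins
-when
+when "clients"
 extra_data["clients"] = vault_item.clients
-when
+when "all"
 extra_data["search_query"] = vault_item.search
 extra_data["admins"] = vault_item.admins
 extra_data["clients"] = vault_item.clients
@@ -69,7 +69,7 @@ class Chef
 end
 
 if values
-included_values = %w
+included_values = %w{id}
 
 values.split(",").each do |value|
 value.strip! # remove white space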
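Review bot: The `case config[:print]` in the third hunk handles `"search"`, `"admins"`, `"clients"` and `"all"` and has no `else`, so a mistyped `--print TYPE` value is silently accepted and the command prints the item with no extra data, even though the option description enumerates exactly these four values. An `else` branch that reports the unrecognized value, `else` / `ui.warn("Unknown print type #{config[:print]}; expected search, admins, clients or all")`, would make the mistake visible to the operator. The `case` is closed outside this hunk, so the branch would go just before that `end`.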
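--- a/data/lib/chef/knife/vault_update.rb
+++ b/data/lib/chef/knife/vault_update.rb
@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require
-require
+require "chef/knife/vault_base"
+require "chef/knife/vault_admins"
 
 class Chef
 class Knife
@@ -25,27 +25,27 @@ class Chef
 banner "knife vault update VAULT ITEM VALUES (options)"
 
 option :search,
-:short =>
-:long =>
-:description =>
+:short => "-S SEARCH",
+:long => "--search SEARCH",
+:description => "Chef SOLR search for clients"
 
 option :admins,
-:short =>
-:long =>
-:description =>
+:short => "-A ADMINS",
+:long => "--admins ADMINS",
+:description => "Chef users to be added as admins"
 
 option :json,
-:short =>
-:long =>
-:description =>
+:short => "-J FILE",
+:long => "--json FILE",
+:description => "File containing JSON data to encrypt"
 
 option :file,
-:long =>
-:description =>
+:long => "--file FILE",
+:description => "File to be added to vault item as file-content"
 
 option :clean,
-:long =>
-:description =>
+:long => "--clean",
+:description => "Clean clients before performing search"
 
 def run
 vault = @name_args[0]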