chef-vault 2.6.1 → 2.7.1

data/spec/chef-vault/certificate_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe ChefVault::Certificate do
     allow(item).to receive(:[]).with("id"){ "bar" }
     allow(item).to receive(:[]).with("contents"){ "baz" }
     @orig_stdout = $stdout
-    $stdout = File.open(File::NULL, 'w')
+    $stdout = File.open(File::NULL, "w")
   end
 
   after do
@@ -15,7 +15,7 @@ RSpec.describe ChefVault::Certificate do
   end
 
   describe '#new' do
-    it 'loads item' do
+    it "loads item" do
       expect(ChefVault::Item).to receive(:load).with("foo", "bar")
 
       ChefVault::Certificate.new("foo", "bar")
@@ -24,21 +24,21 @@ RSpec.describe ChefVault::Certificate do
 
   describe '#[]' do
     it "given an 'id' parameter, returns its value" do
-      expect(cert['id']).to eq 'bar'
+      expect(cert["id"]).to eq "bar"
     end
   end
 
-  describe 'decrypt_contents' do
-    it 'echoes warning' do
+  describe "decrypt_contents" do
+    it "echoes warning" do
       expect { cert.decrypt_contents }
         .to output("WARNING: This method is deprecated, please switch to item['value'] calls\n")
         .to_stdout
     end
 
-    it 'returns items contents' do
+    it "returns items contents" do
       expect(item).to receive(:[]).with("contents")
 
-      expect(cert.decrypt_contents).to eq 'baz'
+      expect(cert.decrypt_contents).to eq "baz"
     end
   end
 end

data/spec/chef-vault/item_keys_spec.rb

@@ -3,19 +3,66 @@ RSpec.describe ChefVault::ItemKeys do
     let(:keys) { ChefVault::ItemKeys.new("foo", "bar") }
 
     it "'foo' is assigned to @data_bag" do
-      expect(keys.data_bag).to eq 'foo'
+      expect(keys.data_bag).to eq "foo"
     end
 
     it "sets the keys id to 'bar'" do
-      expect(keys["id"]).to eq 'bar'
+      expect(keys["id"]).to eq "bar"
     end
 
-    it 'initializes the keys[admin] to an empty array' do
-      expect(keys['admins']).to eq []
+    it "initializes the keys[admin] to an empty array" do
+      expect(keys["admins"]).to eq []
     end
 
-    it 'initializes the keys[clients] to an empty array' do
-      expect(keys['admins']).to eq []
+    it "initializes the keys[clients] to an empty array" do
+      expect(keys["admins"]).to eq []
+    end
+
+    context "when running with chef-solo" do
+      describe "#find_solo_path" do
+        context "when data_bag_path is an array" do
+          before do
+            allow(File).to receive(:exist?)
+            Chef::Config[:data_bag_path] = ["/tmp/data_bag", "/tmp/site_data_bag"]
+          end
+
+          it "should return an existing item" do
+            expect(File).to receive(:exist?).with("/tmp/site_data_bag/foo/bar.json").and_return(true)
+            dbp, dbi = keys.find_solo_path("bar")
+            expect(dbp).to eql("/tmp/site_data_bag/foo")
+            expect(dbi).to eql("/tmp/site_data_bag/foo/bar.json")
+          end
+
+          it "should return the first item if none exist" do
+            dbp, dbi = keys.find_solo_path("bar")
+            expect(dbp).to eql("/tmp/data_bag/foo")
+            expect(dbi).to eql("/tmp/data_bag/foo/bar.json")
+          end
+        end
+
+        context "when data_bag_path is a string" do
+          it "should return the path to the bag and the item" do
+            Chef::Config[:data_bag_path] = "/tmp/data_bag"
+            dbp, dbi = keys.find_solo_path("bar")
+            expect(dbp).to eql("/tmp/data_bag/foo")
+            expect(dbi).to eql("/tmp/data_bag/foo/bar.json")
+          end
+        end
+      end
+
+      describe "#save" do
+        let(:data_bag_path) { Dir.mktmpdir("vault_item_keys") }
+        before do
+          Chef::Config[:solo] = true
+          Chef::Config[:data_bag_path] = data_bag_path
+        end
+
+        it "should save the key data" do
+          expect(File).to receive(:exist?).with(File.join(data_bag_path, "foo")).and_call_original
+          keys.save("bar")
+          expect(File.read(File.join(data_bag_path, "foo", "bar.json"))).to match(/"id":.*"bar"/)
+        end
+      end
     end
   end
 end

data/spec/chef-vault/item_spec.rb

@@ -1,5 +1,5 @@
-require 'openssl'
-require 'rspec/core/shared_context'
+require "openssl"
+require "rspec/core/shared_context"
 
 # it turns out that simulating a node that doesn't have a public
 # key is not a simple thing
@@ -8,18 +8,18 @@ module BorkedNodeWithoutPublicKey
 
   before do
     # a node 'foo' with a public key
-    node_foo = double('chef node foo')
-    allow(node_foo).to receive(:name).and_return('foo')
-    client_foo = double('chef apiclient foo')
-    allow(client_foo).to receive(:name).and_return('foo')
+    node_foo = double("chef node foo")
+    allow(node_foo).to receive(:name).and_return("foo")
+    client_foo = double("chef apiclient foo")
+    allow(client_foo).to receive(:name).and_return("foo")
     privkey = OpenSSL::PKey::RSA.new(1024)
     pubkey = privkey.public_key
     allow(client_foo).to receive(:public_key).and_return(pubkey.to_pem)
     # a node 'bar' without a public key
-    node_bar = double('chef node bar')
-    allow(node_bar).to receive(:name).and_return('bar')
+    node_bar = double("chef node bar")
+    allow(node_bar).to receive(:name).and_return("bar")
     # fake out searches to return both of our nodes
-    query_result = double('chef search results')
+    query_result = double("chef search results")
     allow(query_result)
       .to receive(:search)
       .with(Symbol, String)
@@ -28,24 +28,24 @@ module BorkedNodeWithoutPublicKey
       .to receive(:new)
       .and_return(query_result)
     # create a new vault item
-    @vaultitem = ChefVault::Item.new('foo', 'bar')
-    @vaultitem['foo'] = 'bar'
+    @vaultitem = ChefVault::Item.new("foo", "bar")
+    @vaultitem["foo"] = "bar"
     # make the vault item return the apiclient for foo but raise for bar
-    allow(@vaultitem).to receive(:load_client).with('foo')
+    allow(@vaultitem).to receive(:load_client).with("foo")
       .and_return(client_foo)
-    allow(@vaultitem).to receive(:load_client).with('bar')
+    allow(@vaultitem).to receive(:load_client).with("bar")
       .and_raise(ChefVault::Exceptions::ClientNotFound)
     # make the vault item fall back to 'load-admin-as-client' behaviour
-    http_response = double('http not found')
-    allow(http_response).to receive(:code).and_return('404')
-    http_not_found = Net::HTTPServerException.new('not found', http_response)
+    http_response = double("http not found")
+    allow(http_response).to receive(:code).and_return("404")
+    http_not_found = Net::HTTPServerException.new("not found", http_response)
     allow(ChefVault::ChefPatch::User)
       .to receive(:load)
-      .with('foo')
+      .with("foo")
       .and_return(client_foo)
     allow(ChefVault::ChefPatch::User)
       .to receive(:load)
-      .with('bar')
+      .with("bar")
       .and_raise(http_not_found)
   end
 end
@@ -53,7 +53,7 @@ end
 RSpec.describe ChefVault::Item do
   before do
     @orig_stdout = $stdout
-    $stdout = File.open(File::NULL, 'w')
+    $stdout = File.open(File::NULL, "w")
   end
 
   after do
@@ -62,151 +62,151 @@ RSpec.describe ChefVault::Item do
 
   subject(:item) { ChefVault::Item.new("foo", "bar") }
 
-  describe 'vault probe predicates' do
+  describe "vault probe predicates" do
     before do
       # a normal data bag item
-      @db = { 'foo' => '...' }
+      @db = { "foo" => "..." }
       @dbi = Chef::DataBagItem.new
-      @dbi.data_bag('normal')
-      @dbi.raw_data = { 'id' => 'foo', 'foo' => 'bar' }
-      allow(@db).to receive(:load).with('foo').and_return(@dbi)
-      allow(Chef::DataBag).to receive(:load).with('normal').and_return(@db)
-      allow(Chef::DataBagItem).to receive(:load).with('normal', 'foo').and_return(@dbi)
+      @dbi.data_bag("normal")
+      @dbi.raw_data = { "id" => "foo", "foo" => "bar" }
+      allow(@db).to receive(:load).with("foo").and_return(@dbi)
+      allow(Chef::DataBag).to receive(:load).with("normal").and_return(@db)
+      allow(Chef::DataBagItem).to receive(:load).with("normal", "foo").and_return(@dbi)
 
       # an encrypted data bag item (non-vault)
-      @encdb = { 'foo' => '...' }
+      @encdb = { "foo" => "..." }
       @encdbi = Chef::DataBagItem.new
-      @encdbi.data_bag('encrypted')
+      @encdbi.data_bag("encrypted")
       @encdbi.raw_data = {
-        'id' => 'foo',
-        'foo' => { 'encrypted_data' => '...' }
+        "id" => "foo",
+        "foo" => { "encrypted_data" => "..." },
       }
-      allow(@encdb).to receive(:load).with('foo').and_return(@encdbi)
-      allow(Chef::DataBag).to receive(:load).with('encrypted').and_return(@encdb)
-      allow(Chef::DataBagItem).to receive(:load).with('encrypted', 'foo').and_return(@encdbi)
+      allow(@encdb).to receive(:load).with("foo").and_return(@encdbi)
+      allow(Chef::DataBag).to receive(:load).with("encrypted").and_return(@encdb)
+      allow(Chef::DataBagItem).to receive(:load).with("encrypted", "foo").and_return(@encdbi)
 
       # two items that make up a vault
-      @vaultdb = { 'foo' => '...', 'foo_keys' => '...' }
+      @vaultdb = { "foo" => "...", "foo_keys" => "..." }
       @vaultdbi = Chef::DataBagItem.new
-      @vaultdbi.data_bag('vault')
+      @vaultdbi.data_bag("vault")
       @vaultdbi.raw_data = {
-        'id' => 'foo',
-        'foo' => { 'encrypted_data' => '...' }
+        "id" => "foo",
+        "foo" => { "encrypted_data" => "..." },
       }
-      allow(@vaultdb).to receive(:load).with('foo').and_return(@vaultdbi)
+      allow(@vaultdb).to receive(:load).with("foo").and_return(@vaultdbi)
       @vaultdbki = Chef::DataBagItem.new
-      @vaultdbki.data_bag('vault')
-      @vaultdbki.raw_data = { 'id' => 'foo_keys' }
-      allow(@vaultdb).to receive(:load).with('foo_keys').and_return(@vaultdbki)
-      allow(Chef::DataBag).to receive(:load).with('vault').and_return(@vaultdb)
-      allow(Chef::DataBagItem).to receive(:load).with('vault', 'foo').and_return(@vaultdbi)
+      @vaultdbki.data_bag("vault")
+      @vaultdbki.raw_data = { "id" => "foo_keys" }
+      allow(@vaultdb).to receive(:load).with("foo_keys").and_return(@vaultdbki)
+      allow(Chef::DataBag).to receive(:load).with("vault").and_return(@vaultdb)
+      allow(Chef::DataBagItem).to receive(:load).with("vault", "foo").and_return(@vaultdbi)
     end
 
-    describe '::vault?' do
-      it 'should detect a vault item' do
-        expect(ChefVault::Item.vault?('vault', 'foo')).to be_truthy
+    describe "::vault?" do
+      it "should detect a vault item" do
+        expect(ChefVault::Item.vault?("vault", "foo")).to be_truthy
       end
 
-      it 'should detect non-vault items' do
-        expect(ChefVault::Item.vault?('normal', 'foo')).not_to be_truthy
-        expect(ChefVault::Item.vault?('encrypted', 'foo')).not_to be_truthy
+      it "should detect non-vault items" do
+        expect(ChefVault::Item.vault?("normal", "foo")).not_to be_truthy
+        expect(ChefVault::Item.vault?("encrypted", "foo")).not_to be_truthy
       end
     end
 
-    describe '::data_bag_item_type' do
-      it 'should detect a vault item' do
-        expect(ChefVault::Item.data_bag_item_type('vault', 'foo')).to eq(:vault)
+    describe "::data_bag_item_type" do
+      it "should detect a vault item" do
+        expect(ChefVault::Item.data_bag_item_type("vault", "foo")).to eq(:vault)
       end
 
-      it 'should detect an encrypted data bag item' do
-        expect(ChefVault::Item.data_bag_item_type('encrypted', 'foo')).to eq(:encrypted)
+      it "should detect an encrypted data bag item" do
+        expect(ChefVault::Item.data_bag_item_type("encrypted", "foo")).to eq(:encrypted)
       end
 
-      it 'should detect a normal data bag item' do
-        expect(ChefVault::Item.data_bag_item_type('normal', 'foo')).to eq(:normal)
+      it "should detect a normal data bag item" do
+        expect(ChefVault::Item.data_bag_item_type("normal", "foo")).to eq(:normal)
       end
     end
   end
 
-  describe '::new' do
-    it 'item[keys] is an instance of ChefVault::ItemKeys' do
+  describe "::new" do
+    it "item[keys] is an instance of ChefVault::ItemKeys" do
       expect(item.keys).to be_an_instance_of(ChefVault::ItemKeys)
     end
 
     it "the item's 'vault' parameter is assigned to data_bag" do
-      expect(item.data_bag).to eq 'foo'
+      expect(item.data_bag).to eq "foo"
     end
 
     it "the vault item name is assiged to the data bag ['id']" do
-      expect(item['id']).to eq 'bar'
+      expect(item["id"]).to eq "bar"
     end
 
     it "creates a corresponding 'keys' data bag with an '_keys' id" do
-      expect(item.keys['id']).to eq 'bar_keys'
+      expect(item.keys["id"]).to eq "bar_keys"
     end
 
     it "sets the item keys data bag to 'foo'" do
-      expect(item.keys.data_bag).to eq 'foo'
+      expect(item.keys.data_bag).to eq "foo"
     end
 
-    it 'defaults the node name' do
-      item = ChefVault::Item.new('foo', 'bar')
+    it "defaults the node name" do
+      item = ChefVault::Item.new("foo", "bar")
       expect(item.node_name).to eq(Chef::Config[:node_name])
     end
 
-    it 'defaults the client key path' do
-      item = ChefVault::Item.new('foo', 'bar')
+    it "defaults the client key path" do
+      item = ChefVault::Item.new("foo", "bar")
       expect(item.client_key_path).to eq(Chef::Config[:client_key])
     end
 
-    it 'allows for a node name override' do
-      item = ChefVault::Item.new('foo', 'bar', node_name: 'baz')
-      expect(item.node_name).to eq('baz')
+    it "allows for a node name override" do
+      item = ChefVault::Item.new("foo", "bar", node_name: "baz")
+      expect(item.node_name).to eq("baz")
     end
 
-    it 'allows for a client key path override' do
-      item = ChefVault::Item.new('foo', 'bar', client_key_path: '/foo/client.pem')
-      expect(item.client_key_path).to eq('/foo/client.pem')
+    it "allows for a client key path override" do
+      item = ChefVault::Item.new("foo", "bar", client_key_path: "/foo/client.pem")
+      expect(item.client_key_path).to eq("/foo/client.pem")
     end
 
-    it 'allows for both node name and client key overrides' do
+    it "allows for both node name and client key overrides" do
       item = ChefVault::Item.new(
-        'foo', 'bar',
-        node_name: 'baz',
-        client_key_path: '/foo/client.pem'
+        "foo", "bar",
+        node_name: "baz",
+        client_key_path: "/foo/client.pem"
       )
-      expect(item.node_name).to eq('baz')
-      expect(item.client_key_path).to eq('/foo/client.pem')
+      expect(item.node_name).to eq("baz")
+      expect(item.client_key_path).to eq("/foo/client.pem")
     end
   end
 
-  describe '::load' do
-    it 'allows for both node name and client key overrides' do
+  describe "::load" do
+    it "allows for both node name and client key overrides" do
       keys_db = Chef::DataBagItem.new
       keys_db.raw_data = {
-        'id' => 'bar_keys',
-        'baz' => '...'
+        "id" => "bar_keys",
+        "baz" => "...",
       }
       allow(ChefVault::ItemKeys)
         .to receive(:load)
         .and_return(keys_db)
-      fh = double 'private key handle'
-      allow(fh).to receive(:read).and_return('...')
+      fh = double "private key handle"
+      allow(fh).to receive(:read).and_return("...")
       allow(File).to receive(:open).and_return(fh)
-      privkey = double 'private key contents'
-      allow(privkey).to receive(:private_decrypt).and_return('sekrit')
+      privkey = double "private key contents"
+      allow(privkey).to receive(:private_decrypt).and_return("sekrit")
       allow(OpenSSL::PKey::RSA).to receive(:new).and_return(privkey)
       allow(Chef::EncryptedDataBagItem).to receive(:load).and_return(
-        'id' => 'bar',
-        'password' => '12345'
+        "id" => "bar",
+        "password" => "12345",
       )
       item = ChefVault::Item.load(
-        'foo', 'bar',
-        node_name: 'baz',
-        client_key_path: '/foo/client.pem'
+        "foo", "bar",
+        node_name: "baz",
+        client_key_path: "/foo/client.pem"
       )
-      expect(item.node_name).to eq('baz')
-      expect(item.client_key_path).to eq('/foo/client.pem')
+      expect(item.node_name).to eq("baz")
+      expect(item.client_key_path).to eq("/foo/client.pem")
     end
   end
 
@@ -219,10 +219,10 @@ RSpec.describe ChefVault::Item do
       end
     end
 
-    it 'validates that the id of the vault matches the id of the keys data bag' do
-      item = ChefVault::Item.new('foo', 'bar')
-      item['id'] = 'baz'
-      item.keys['clients'] = %w(admin)
+    it "validates that the id of the vault matches the id of the keys data bag" do
+      item = ChefVault::Item.new("foo", "bar")
+      item["id"] = "baz"
+      item.keys["clients"] = %w{admin}
       expect { item.save }.to raise_error(ChefVault::Exceptions::IdMismatch)
     end
   end
@@ -230,45 +230,45 @@ RSpec.describe ChefVault::Item do
   describe '#clients' do
     include BorkedNodeWithoutPublicKey
 
-    it 'should not blow up when search returns a node without a public key' do
+    it "should not blow up when search returns a node without a public key" do
       # try to set clients when we know a node is missing a public key
       # this should not die as of v2.4.1
-      expect { @vaultitem.clients('*:*') }.not_to raise_error
+      expect { @vaultitem.clients("*:*") }.not_to raise_error
     end
 
-    it 'should emit a warning if search returns a node without a public key' do
+    it "should emit a warning if search returns a node without a public key" do
       # it should however emit a warning that you have a borked node
-      expect { @vaultitem.clients('*:*') }
+      expect { @vaultitem.clients("*:*") }
         .to output(/node 'bar' has no private key; skipping/).to_stdout
     end
 
-    it 'should accept a client object and not perform a search' do
+    it "should accept a client object and not perform a search" do
       client = Chef::ApiClient.new
-      client.name 'foo'
+      client.name "foo"
       privkey = OpenSSL::PKey::RSA.new(1024)
       pubkey = privkey.public_key
       client.public_key(pubkey.to_pem)
       expect(Chef::Search::Query).not_to receive(:new)
       expect(ChefVault::ChefPatch::User).not_to receive(:load)
       @vaultitem.clients(client)
-      expect(@vaultitem.clients).to include('foo')
+      expect(@vaultitem.clients).to include("foo")
     end
   end
 
   describe '#admins' do
     include BorkedNodeWithoutPublicKey
 
-    it 'should blow up if you try to use a node without a public key as an admin' do
-      expect { @vaultitem.admins('foo,bar') }
+    it "should blow up if you try to use a node without a public key as an admin" do
+      expect { @vaultitem.admins("foo,bar") }
         .to raise_error(ChefVault::Exceptions::AdminNotFound)
     end
   end
 
   describe '#raw_keys' do
-    it 'should return the keys of the underlying data bag item' do
-      item = ChefVault::Item.new('foo', 'bar')
-      item['foo'] = 'bar'
-      expect(item.raw_keys).to eq(%w(id foo))
+    it "should return the keys of the underlying data bag item" do
+      item = ChefVault::Item.new("foo", "bar")
+      item["foo"] = "bar"
+      expect(item.raw_keys).to eq(%w{id foo})
     end
   end
 end