chef-vault 2.9.2 → 3.0.0.rc1

data/lib/chef-vault/certificate.rb

@@ -24,7 +24,7 @@ class ChefVault
     end
 
     def decrypt_contents
-      $stdout.puts "WARNING: This method is deprecated, please switch to item['value'] calls"
+      ChefVault::Log.warn "This method is deprecated, please switch to item['value'] calls"
       @item["contents"]
     end
   end

data/lib/chef-vault/chef_api.rb

@@ -0,0 +1,39 @@
+# Author:: Tyler Cloke <tyler@chef.io>
+# Copyright:: Copyright 2016, Chef Software, Inc.
+# License:: Apache License, Version 2.0
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "chef/server_api"
+
+class ChefVault
+  class ChefApi
+
+    def rest_v0
+      @rest_v0 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], { :api_version => "0" })
+    end
+
+    def rest_v1
+      @rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], { :api_version => "1" })
+    end
+
+    def org_scoped_rest_v0
+      @org_scoped_rest_v0 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { :api_version => "0" })
+    end
+
+    def org_scoped_rest_v1
+      @org_scoped_rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { :api_version => "1" })
+    end
+
+  end
+end

data/lib/chef-vault/item.rb

@@ -69,15 +69,21 @@ class ChefVault
       @client_key_path = opts[:client_key_path]
     end
 
+    # private
     def load_keys(vault, keys)
       @keys = ChefVault::ItemKeys.load(vault, keys)
       @secret = secret
     end
 
-    def clients(search_or_client = nil, action = :add)
+    def clients(search_or_client, action = :add)
       if search_or_client.is_a?(Chef::ApiClient)
         handle_client_action(search_or_client, action)
-      elsif search_or_client
+      elsif search_or_client.is_a?(Array)
+        search_or_client.each do |name|
+          client = load_actor(name, "clients")
+          handle_client_action(client, action)
+        end
+      else
         results_returned = false
         query = Chef::Search::Query.new
         query.search(:node, search_or_client) do |node|
@@ -85,28 +91,30 @@ class ChefVault
           case action
           when :add
             begin
-              client = load_client(node.name)
-              add_client(client)
+              client_key = load_actor(node.name, "clients")
+              add_client(client_key)
             rescue ChefVault::Exceptions::ClientNotFound
-              $stdout.puts "node '#{node.name}' has no private key; skipping"
+              ChefVault::Log.warn "node '#{node.name}' has no private key; skipping"
             end
           when :delete
             delete_client_or_node(node)
           else
             raise ChefVault::Exceptions::KeysActionNotValid,
-              "#{action} is not a valid action"
+                  "#{action} is not a valid action"
           end
         end
 
         unless results_returned
-          $stdout.puts "WARNING: No clients were returned from search, you may not have "\
-            "got what you expected!!"
+          ChefVault::Log.warn "No clients were returned from search, you may not have "\
+                       "got what you expected!!"
         end
-      else
-        keys.clients
       end
     end
 
+    def get_clients
+      keys.clients
+    end
+
     def search(search_query = nil)
       if search_query
         keys.search_query(search_query)
@@ -115,25 +123,26 @@ class ChefVault
       end
     end
 
-    def admins(admins = nil, action = :add)
-      if admins
-        admins.split(",").each do |admin|
-          admin.strip!
-          case action
-          when :add
-            keys.add(load_admin(admin), @secret, "admins")
-          when :delete
-            keys.delete(admin, "admins")
-          else
-            raise ChefVault::Exceptions::KeysActionNotValid,
-              "#{action} is not a valid action"
-          end
+    def admins(admin_string, action = :add)
+      admin_string.split(",").each do |admin|
+        admin.strip!
+        admin_key = load_actor(admin, "admins")
+        case action
+        when :add
+          keys.add(admin_key, @secret)
+        when :delete
+          keys.delete(admin_key)
+        else
+          raise ChefVault::Exceptions::KeysActionNotValid,
+                "#{action} is not a valid action"
         end
-      else
-        keys.admins
       end
     end
 
+    def get_admins
+      keys.admins
+    end
+
     def remove(key)
       @raw_data.delete(key)
     end
@@ -158,19 +167,19 @@ class ChefVault
     def rotate_keys!(clean_unknown_clients = false)
       @secret = generate_secret
 
-      unless clients.empty?
+      unless get_clients.empty?
         # a bit of a misnomer; this doesn't remove unknown
         # admins, just clients which are nodes
         remove_unknown_nodes if clean_unknown_clients
         # re-encrypt the new shared secret for all remaining clients
-        clients.each do |client|
+        get_clients.each do |client|
           clients("name:#{client}")
         end
       end
 
-      unless admins.empty?
+      unless get_admins.empty?
         # re-encrypt the new shared secret for all admins
-        admins.each do |admin|
+        get_admins.each do |admin|
           admins(admin)
         end
       end
@@ -179,6 +188,7 @@ class ChefVault
       reload_raw_data
     end
 
+    # private
     def generate_secret(key_size = 32)
       # Defaults to 32 bytes, as this is the size that a Chef
       # Encrypted Data Bag Item will digest all secrets down to anyway
@@ -285,6 +295,11 @@ class ChefVault
       item
     end
 
+    def delete_client(client_name)
+      client_key = load_actor(client_name, "clients")
+      keys.delete(client_key)
+    end
+
     # determines if a data bag item looks like a vault
     # @param vault [String] the name of the data bag
     # @param name [String] the name of the item in the data bag
@@ -368,39 +383,8 @@ class ChefVault
       @raw_data
     end
 
-    def load_admin(admin)
-      begin
-        admin = ChefVault::ChefPatch::User.load(admin)
-      rescue Net::HTTPServerException => http_error
-        if http_error.response.code == "404"
-          begin
-            $stdout.puts "WARNING: #{admin} not found in users, trying clients."
-            admin = load_client(admin)
-          rescue ChefVault::Exceptions::ClientNotFound
-            raise ChefVault::Exceptions::AdminNotFound,
-              "FATAL: Could not find #{admin} in users or clients!"
-          end
-        else
-          raise http_error
-        end
-      end
-
-      admin
-    end
-
-    def load_client(client)
-      begin
-        client = ChefVault::ChefPatch::ApiClient.load(client)
-      rescue Net::HTTPServerException => http_error
-        if http_error.response.code == "404"
-          raise ChefVault::Exceptions::ClientNotFound,
-            "#{client} is not a valid chef client and/or node"
-        else
-          raise http_error
-        end
-      end
-
-      client
+    def load_actor(actor_name, type)
+      ChefVault::Actor.new(type, actor_name)
     end
 
     # removes unknown nodes by performing a node search
@@ -412,13 +396,13 @@ class ChefVault
       # build a list of clients to remove so we don't
       # mutate the clients while iterating over search results
       clients_to_remove = []
-      clients.each do |nodename|
+      get_clients.each do |nodename|
         clients_to_remove.push(nodename) unless node_exists?(nodename)
       end
       # now delete any flagged clients from the keys data bag
       clients_to_remove.each do |client|
-        $stdout.puts "Removing unknown client '#{client}'"
-        keys.delete(client, "clients")
+        ChefVault::Log.warn "Removing unknown client '#{client}'"
+        keys.delete(load_actor(client, "clients"))
       end
     end
 
@@ -446,7 +430,7 @@ class ChefVault
     # @return [Boolean] whether the client exists or not
     def client_exists?(clientname)
       begin
-        ChefVault::ChefPatch::ApiClient.load(clientname)
+        Chef::ApiClient.load(clientname)
       rescue Net::HTTPServerException => http_error
         return false if http_error.response.code == "404"
         raise http_error
@@ -458,12 +442,13 @@ class ChefVault
     # @param client [Chef::ApiClient] the API client to operate on
     # @param action [Symbol] :add or :delete
     # @return [void]
-    def handle_client_action(client, action)
+    def handle_client_action(api_client, action)
       case action
       when :add
+        client = load_actor(api_client.name, "clients")
         add_client(client)
       when :delete
-        delete_client_or_node(client)
+        delete_client_or_node(api_client)
       end
     end
 
@@ -471,14 +456,15 @@ class ChefVault
     # @param client [Chef::ApiClient] the API client to add
     # @return [void]
     def add_client(client)
-      keys.add(client, @secret, "clients")
+      keys.add(client, @secret)
     end
 
     # removes a client to the vault item keys
-    # @param client_or_node [Chef::ApiClient,Chef::Node] the API client or node to remove
+    # @param client_or_node [Chef::ApiClient, Chef::Node] the API client or node to remove
     # @return [void]
     def delete_client_or_node(client_or_node)
-      keys.delete(client_or_node.name, "clients")
+      client = load_actor(client_or_node.name, "clients")
+      keys.delete(client)
     end
   end
 end

data/lib/chef-vault/item_keys.rb

@@ -34,22 +34,20 @@ class ChefVault
       @raw_data.keys.include?(key)
     end
 
-    def add(chef_client, data_bag_shared_secret, type)
+    def add(chef_key, data_bag_shared_secret)
+      type = chef_key.type
       unless @raw_data.key?(type)
         raise ChefVault::Exceptions::V1Format,
               "cannot manage a v1 vault.  See UPGRADE.md for help"
       end
-      public_key = OpenSSL::PKey::RSA.new chef_client.public_key
-      self[chef_client.name] =
-        Base64.encode64(public_key.public_encrypt(data_bag_shared_secret))
-
-      @raw_data[type] << chef_client.name unless @raw_data[type].include?(chef_client.name)
+      self[chef_key.name] = ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      @raw_data[type] << chef_key.name unless @raw_data[type].include?(chef_key.name)
       @raw_data[type]
     end
 
-    def delete(chef_client, type)
-      raw_data.delete(chef_client)
-      raw_data[type].delete(chef_client)
+    def delete(chef_key)
+      raw_data.delete(chef_key.name)
+      raw_data[chef_key.type].delete(chef_key.name)
     end
 
     def search_query(search_query = nil)
@@ -128,5 +126,12 @@ class ChefVault
 
       from_data_bag_item(data_bag_item)
     end
+
+    # @private
+
+    def self.encode_key(key_string, data_bag_shared_secret)
+      public_key = OpenSSL::PKey::RSA.new(key_string)
+      Base64.encode64(public_key.public_encrypt(data_bag_shared_secret))
+    end
   end
 end

data/lib/chef-vault/user.rb

@@ -24,7 +24,7 @@ class ChefVault
     end
 
     def decrypt_password
-      $stdout.puts "WARNING: This method is deprecated, please switch to item['value'] calls"
+      ChefVault::Log.warn "This method is deprecated, please switch to item['value'] calls"
       @item["password"]
     end
   end

data/lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "2.9.2"
+  VERSION = "3.0.0.rc1"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/lib/chef/knife/vault_base.rb

@@ -23,9 +23,7 @@ class Chef
         includer.class_eval do
           deps do
             require "chef/search/query"
-            require File.expand_path("../mixin/compat", __FILE__)
             require File.expand_path("../mixin/helper", __FILE__)
-            include ChefVault::Mixin::KnifeCompat
             include ChefVault::Mixin::Helper
           end
 
@@ -42,6 +40,11 @@ class Chef
         exit 1
       end
 
+      def configure_chef
+        super
+        ChefVault::Log.logger = Chef::Log.logger
+      end
+
       private
 
       def bag_is_vault?(bagname)

data/lib/chef/knife/{encrypt_delete.rb → vault_clients.rb}

@@ -1,5 +1,5 @@
-# Description: Chef-Vault EncryptDelete class
-# Copyright 2013-15, Nordstrom, Inc.
+# Description: Chef-Vault VaultClients module
+# Copyright 2014-15, Nordstrom, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,19 +13,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_delete"
-
 class Chef
   class Knife
-    class EncryptDelete < VaultDelete
-      include Knife::VaultBase
-
-      banner "knife encrypt delete VAULT ITEM (options)"
+    module VaultClients
+      private
 
-      def run
-        $stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
-        super
+      def clients
+        config[:clients].split(",") if config[:clients]
       end
     end
   end

data/lib/chef/knife/vault_create.rb

@@ -15,12 +15,14 @@
 
 require "chef/knife/vault_base"
 require "chef/knife/vault_admins"
+require "chef/knife/vault_clients"
 
 class Chef
   class Knife
     class VaultCreate < Knife
       include Chef::Knife::VaultBase
       include Chef::Knife::VaultAdmins
+      include Chef::Knife::VaultClients
 
       banner "knife vault create VAULT ITEM VALUES (options)"
 
@@ -29,6 +31,11 @@ class Chef
         :long => "--search SEARCH",
         :description => "Chef SOLR search for clients"
 
+      option :clients,
+        :short => "-C CLIENTS",
+        :long => "--clients CLIENTS",
+        :description => "Chef clients to be added as clients"
+
       option :admins,
         :short => "-A ADMINS",
         :long => "--admins ADMINS",
@@ -53,7 +60,7 @@ class Chef
 
         set_mode(config[:vault_mode])
 
-        if vault && item && (search || admins)
+        if vault && item && (search || clients || admins)
           begin
             vault_item = ChefVault::Item.load(vault, item)
             raise ChefVault::Exceptions::ItemAlreadyExists,
@@ -82,6 +89,7 @@ class Chef
 
             vault_item.search(search) if search
             vault_item.clients(search) if search
+            vault_item.clients(clients) if clients
             vault_item.admins(admins) if admins
 
             vault_item.save