chef-vault 2.9.2 → 3.0.0.rc1

data/lib/chef/knife/vault_remove.rb

@@ -14,11 +14,13 @@
 # limitations under the License.
 
 require "chef/knife/vault_base"
+require "chef/knife/vault_clients"
 
 class Chef
   class Knife
     class VaultRemove < Knife
       include Chef::Knife::VaultBase
+      include Chef::Knife::VaultClients
 
       banner "knife vault remove VAULT ITEM VALUES (options)"
 
@@ -27,6 +29,11 @@ class Chef
         :long => "--search SEARCH",
         :description => "Chef SOLR search for clients"
 
+      option :clients,
+        :short => "-C CLIENTS",
+        :long => "--clients CLIENTS",
+        :description => "Chef clients to be added as clients"
+
       option :admins,
         :short => "-A ADMINS",
         :long => "--admins ADMINS",
@@ -47,7 +54,7 @@ class Chef
 
         set_mode(config[:vault_mode])
 
-        if vault && item && ((values || json_file) || (search || admins))
+        if vault && item && ((values || json_file) || (search || clients || admins))
           begin
             vault_item = ChefVault::Item.load(vault, item)
             remove_items = []
@@ -69,6 +76,7 @@ class Chef
             end
 
             vault_item.clients(search, :delete) if search
+            vault_item.clients(clients, :delete) if clients
             vault_item.admins(admins, :delete) if admins
 
             vault_item.rotate_keys!(clean_unknown_clients)

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -52,7 +52,7 @@ class Chef
       end
 
       def rotate_vault_item_keys(vault, item, clean_unknown_clients)
-        $stdout.puts "Rotating keys for: #{vault} #{item}"
+        ui.info "Rotating keys for: #{vault} #{item}"
         ChefVault::Item.load(vault, item).rotate_keys!(clean_unknown_clients)
       end
     end

data/lib/chef/knife/vault_show.rb

@@ -58,13 +58,13 @@ class Chef
           when "search"
             extra_data["search_query"] = vault_item.search
           when "admins"
-            extra_data["admins"] = vault_item.admins
+            extra_data["admins"] = vault_item.get_admins
           when "clients"
-            extra_data["clients"] = vault_item.clients
+            extra_data["clients"] = vault_item.get_clients
           when "all"
             extra_data["search_query"] = vault_item.search
-            extra_data["admins"] = vault_item.admins
-            extra_data["clients"] = vault_item.clients
+            extra_data["admins"] = vault_item.get_admins
+            extra_data["clients"] = vault_item.get_clients
           end
         end
 

data/lib/chef/knife/vault_update.rb

@@ -15,12 +15,14 @@
 
 require "chef/knife/vault_base"
 require "chef/knife/vault_admins"
+require "chef/knife/vault_clients"
 
 class Chef
   class Knife
     class VaultUpdate < Knife
       include Chef::Knife::VaultBase
       include Chef::Knife::VaultAdmins
+      include Chef::Knife::VaultClients
 
       banner "knife vault update VAULT ITEM VALUES (options)"
 
@@ -29,6 +31,11 @@ class Chef
         :long => "--search SEARCH",
         :description => "Chef SOLR search for clients"
 
+      option :clients,
+        :short => "-C CLIENTS",
+        :long => "--clients CLIENTS",
+        :description => "Chef clients to be added as clients"
+
       option :admins,
         :short => "-A ADMINS",
         :long => "--admins ADMINS",
@@ -58,21 +65,22 @@ class Chef
 
         set_mode(config[:vault_mode])
 
-        if vault && item && ((values || json_file || file) || (search || admins))
+        if vault && item && ((values || json_file || file) || (search || clients || admins))
           begin
             vault_item = ChefVault::Item.load(vault, item)
 
             # Keys management first
             if clean
-              clients = vault_item.clients().clone().sort()
-              clients.each do |client|
-                $stdout.puts "Deleting #{client}"
-                vault_item.keys.delete(client, "clients")
+              vault_clients = vault_item.get_clients.clone().sort()
+              vault_clients.each do |client|
+                ui.info "Deleting #{client}"
+                vault_item.delete_client(client)
               end
             end
 
             vault_item.search(search) if search
             vault_item.clients(search) if search
+            vault_item.clients(clients) if clients
             vault_item.admins(admins) if admins
 
             # Save only the keys if no value is provided, otherwise save the item

data/spec/chef-vault/actor_spec.rb

@@ -0,0 +1,247 @@
+require "spec_helper"
+
+RSpec.describe ChefVault::Actor do
+  let(:actor_name) { "actor" }
+  let(:public_key_string) do
+    "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n"
+  end
+
+  let(:key_response) do
+    {
+      "name" => "default",
+      "public_key" => "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n",
+      "expiration_date" => "infinity",
+    }
+  end
+
+  let(:http_response_code) do
+    "404"
+  end
+
+  let(:http_error) do
+    http_response = double("http error")
+    allow(http_response).to receive(:code).and_return(http_response_code)
+    Net::HTTPServerException.new("http error message", http_response)
+  end
+
+  let(:api) { double("api") }
+
+  subject(:chef_key) { described_class.new(actor_type, actor_name) }
+
+  describe "#new" do
+    context "when something besides 'clients' or 'users' is passed" do
+      let(:actor_type) { "charmander" }
+      it "throws an error" do
+        expect { described_class.new("charmander", actor_name) }.to raise_error(RuntimeError)
+      end
+    end
+
+    context "when 'clients' is passed" do
+      it "requests a client key" do
+        expect_any_instance_of(described_class).to receive(:get_client_key)
+        described_class.new("clients", actor_name).key
+      end
+    end
+
+    context "when 'admins' is passed" do
+      it "requests a admin key" do
+        expect_any_instance_of(described_class).to receive(:get_admin_key)
+        described_class.new("admins", actor_name).key
+      end
+    end
+  end
+
+  shared_examples_for "get_key_handling" do
+    context "when the default key exists for the requested client" do
+      it "sets up a valid key" do
+        expect(chef_key).to receive(:get_key).with(request_actor_type).and_return(public_key_string)
+        expect(chef_key.send(method)).to eq(public_key_string)
+      end
+    end
+
+    context "when get_key returns an http error" do
+      before do
+        allow(chef_key).to receive(:get_key).with(request_actor_type).and_raise(http_error)
+      end
+
+      context "when the error code is not 404 or 403" do
+        let(:http_response_code) { "500" }
+
+        it "raises the original error" do
+          expect { chef_key.send(method) }.to raise_error(http_error)
+        end
+      end
+
+      context "when the error code is 403" do
+        let(:http_response_code) { "403" }
+
+        it "prints information for the user to resolve the issue and raises the original error" do
+          expect(chef_key).to receive(:print_forbidden_error)
+          expect { chef_key.send(method) }.to raise_error(http_error)
+        end
+      end
+    end
+  end
+
+  describe "#get_client_key" do
+    let(:request_actor_type) { "clients" }
+    let(:actor_type) { "clients" }
+    let(:method) { :get_client_key }
+
+    it_should_behave_like "get_key_handling"
+
+    context "when get_key returns an http error" do
+      before do
+        allow(chef_key).to receive(:get_key).with(actor_type).and_raise(http_error)
+      end
+
+      context "when the error code is 404" do
+        let(:http_response_code) { "404" }
+
+        it "raises ChefVault::Exceptions::ClientNotFound" do
+          expect { chef_key.get_client_key }.to raise_error(ChefVault::Exceptions::ClientNotFound)
+        end
+      end
+    end
+  end # get_client_key
+
+  describe "#get_admin_key" do
+    let(:request_actor_type) { "users" }
+    let(:actor_type) { "admins" }
+    let(:method) { :get_admin_key }
+
+    it_should_behave_like "get_key_handling"
+
+    context "when the first get_key for users returns an http error" do
+      before do
+        allow(chef_key).to receive(:get_key).with(request_actor_type).and_raise(http_error)
+      end
+
+      context "when the error code from the users get is a 404" do
+        let(:http_response_code) { "404" }
+
+        context "when the second get_key for clients returns an http error" do
+
+          let(:http_error_2) do
+            http_response = double("http error")
+            allow(http_response).to receive(:code).and_return(http_response_code_2)
+            Net::HTTPServerException.new("http error message", http_response)
+          end
+
+          before do
+            allow(chef_key).to receive(:get_key).with("clients").and_raise(http_error_2)
+          end
+
+          context "when it is a 404" do
+            let(:http_response_code_2) { "404" }
+
+            it "rasies ChefVault::Exceptions::AdminNotFound" do
+              expect { chef_key.get_admin_key }.to raise_error(ChefVault::Exceptions::AdminNotFound)
+            end
+          end
+
+          context "when it is a 403" do
+            let(:http_response_code_2) { "403" }
+
+            it "raises the original error" do
+              expect { chef_key.get_admin_key }.to raise_error(http_error_2)
+            end
+          end
+
+          context "when it is not a 404" do
+            let(:http_response_code_2) { "500" }
+
+            it "raises the original error" do
+              expect { chef_key.get_admin_key }.to raise_error(http_error_2)
+            end
+          end
+        end # when the second get_key for clients returns an http error
+
+        context "when the second get_key for clients exists with the same name as the admin requested" do
+          it "strangely returns the client key as an admin key" do
+            expect(chef_key).to receive(:get_key).with(request_actor_type).and_return(public_key_string)
+            expect(chef_key.send(method)).to eq(public_key_string)
+          end
+        end
+      end # when the first get_key for users returns an http erro
+    end
+  end # get_admin_key
+
+  describe "#get_key" do
+
+    shared_examples_for "a properly retrieved and error handled key fetch" do
+      # mock out the API
+      before do
+        allow(chef_key).to receive(:api).and_return(api)
+        [:rest_v0, :rest_v1, :org_scoped_rest_v0, :org_scoped_rest_v1].each do |method|
+          allow(api).to receive(method)
+        end
+      end
+
+      context "when keys/default returns 200 for org scoped endpoint" do
+        before do
+          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_return(key_response)
+        end
+
+        it "returns the public_key" do
+          expect(chef_key.get_key(request_actor_type)).to eql(public_key_string)
+        end
+
+        it "hits the proper endpoint" do
+          expect(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default")
+          chef_key.get_key(request_actor_type)
+        end
+      end
+
+      context "when a 500 is returned" do
+        let(:http_response_code) { "500" }
+        before do
+          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_raise(http_error)
+        end
+
+        it "raises the http error" do
+          expect { chef_key.get_key(request_actor_type) }.to raise_error(http_error)
+        end
+      end
+
+      context "when keys/default returns 404" do
+        let(:http_response_code) { "404" }
+        let(:chef_object) { double("chef object") }
+
+        before do
+          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_raise(http_error)
+          allow(chef_object_type).to receive(:load).with(actor_name).and_return(chef_object)
+          allow(chef_object).to receive(:public_key).and_return(public_key_string)
+        end
+
+        it "tries to load the object via Chef::<object>_v1" do
+          expect(chef_object_type).to receive(:load).with(actor_name)
+          chef_key.get_key(request_actor_type)
+        end
+
+        context "when the Chef::<object>_v1 object loads properly" do
+          it "returns the public key" do
+            expect(chef_key.get_key(request_actor_type)).to eql(public_key_string)
+          end
+        end
+      end
+    end # shared_examples_for
+
+    context "when a client is passed" do
+      let(:request_actor_type) { "clients" }
+      let(:actor_type) { "clients" }
+      let(:chef_object_type) { Chef::ApiClient }
+
+      it_behaves_like "a properly retrieved and error handled key fetch"
+    end
+
+    context "when an admin is passed" do
+      let(:request_actor_type) { "users" }
+      let(:actor_type) { "admins" }
+      let(:chef_object_type) { Chef::User }
+
+      it_behaves_like "a properly retrieved and error handled key fetch"
+    end
+
+  end
+end

data/spec/chef-vault/certificate_spec.rb

@@ -6,12 +6,6 @@ RSpec.describe ChefVault::Certificate do
     allow(ChefVault::Item).to receive(:load).with("foo", "bar") { item }
     allow(item).to receive(:[]).with("id") { "bar" }
     allow(item).to receive(:[]).with("contents") { "baz" }
-    @orig_stdout = $stdout
-    $stdout = File.open(File::NULL, "w")
-  end
-
-  after do
-    $stdout = @orig_stdout
   end
 
   describe "#new" do
@@ -30,9 +24,8 @@ RSpec.describe ChefVault::Certificate do
 
   describe "decrypt_contents" do
     it "echoes warning" do
-      expect { cert.decrypt_contents }
-        .to output("WARNING: This method is deprecated, please switch to item['value'] calls\n")
-        .to_stdout
+      expect(ChefVault::Log).to receive(:warn).with("This method is deprecated, please switch to item['value'] calls")
+      cert.decrypt_contents
     end
 
     it "returns items contents" do

data/spec/chef-vault/chef_api_spec.rb

@@ -0,0 +1,39 @@
+RSpec.describe ChefVault::ChefApi do
+  let(:root_url) { "https://localhost" }
+  let(:scoped_url) { "https://localhost/organizations/fakeorg" }
+  let(:api_v0_hash) { { :api_version => "0" } }
+  let(:api_v1_hash) { { :api_version => "1" } }
+
+  before do
+    Chef::Config[:chef_server_root] = root_url
+    Chef::Config[:chef_server_url]  = scoped_url
+  end
+
+  describe "#rest_v0" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(root_url, api_v0_hash)
+      subject.rest_v0
+    end
+  end
+
+  describe "#rest_v1" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(root_url, api_v1_hash)
+      subject.rest_v1
+    end
+  end
+
+  describe "#org_scoped_rest_v0" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(scoped_url, api_v0_hash)
+      subject.org_scoped_rest_v0
+    end
+  end
+
+  describe "#org_scoped_rest_v1" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(scoped_url, api_v1_hash)
+      subject.org_scoped_rest_v1
+    end
+  end
+end

data/spec/chef-vault/item_keys_spec.rb

@@ -1,6 +1,7 @@
 RSpec.describe ChefVault::ItemKeys do
   describe "#new" do
     let(:keys) { ChefVault::ItemKeys.new("foo", "bar") }
+    let(:shared_secret) { "super_secret" }
 
     it "'foo' is assigned to @data_bag" do
       expect(keys.data_bag).to eq "foo"
@@ -18,6 +19,57 @@ RSpec.describe ChefVault::ItemKeys do
       expect(keys["admins"]).to eq []
     end
 
+    describe "key mgmt operations" do
+      let(:public_key_string) do
+        "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n"
+      end
+
+      shared_examples_for "proper key management" do
+        let(:chef_key) { ChefVault::Actor.new(type, name) }
+        before do
+          allow(chef_key).to receive(:key) { public_key_string }
+          keys.add(chef_key, shared_secret)
+        end
+
+        describe "#add" do
+          after do
+            keys.delete(chef_key)
+          end
+
+          it "stores the encoded key in the data bag item under the actor's name and the name in the raw data" do
+            expect(described_class).to receive(:encode_key).with(public_key_string, shared_secret).and_return("encrypted_result")
+            keys.add(chef_key, shared_secret)
+            expect(keys[name]).to eq("encrypted_result")
+            expect(keys[type].include?(name)).to eq(true)
+          end
+        end
+
+        describe "#delete" do
+          before do
+            keys.add(chef_key, shared_secret)
+          end
+
+          it "removes the actor's name from the data bag and from the array for the actor's type" do
+            keys.delete(chef_key)
+            expect(keys.has_key?(chef_key.name)).to eq(false)
+            expect(keys[type].include?(name)).to eq(false)
+          end
+        end
+      end
+
+      context "when a client is added" do
+        let(:name) { "client_name" }
+        let(:type) { "clients" }
+        it_should_behave_like "proper key management"
+      end
+
+      context "when a admin is added" do
+        let(:name) { "admin_name" }
+        let(:type) { "admins" }
+        it_should_behave_like "proper key management"
+      end
+    end
+
     context "when running with chef-solo" do
       describe "#find_solo_path" do
         context "when data_bag_path is an array" do