chef-vault 2.9.2 → 3.0.0.rc1
- checksums.yaml +4 -4
- data/.travis.yml +2 -11
- data/Changelog.md +1 -6
- data/Gemfile +4 -5
- data/KNIFE_EXAMPLES.md +66 -14
- data/LICENSE +201 -177
- data/README.md +74 -4
- data/Rakefile +1 -1
- data/bin/chef-vault +3 -2
- data/chef-vault.gemspec +13 -15
- data/features/clean.feature +0 -1
- data/features/clean_on_refresh.feature +0 -1
- data/features/clean_unknown_clients.feature +0 -1
- data/features/detect_and_warn_v1_vault.feature +0 -1
- data/features/isvault.feature +0 -1
- data/features/itemtype.feature +0 -1
- data/features/vault_create.feature +1 -2
- data/features/vault_list.feature +0 -1
- data/features/vault_show.feature +0 -1
- data/features/vault_show_vaultname.feature +0 -1
- data/features/vault_update.feature +0 -1
- data/features/verify_id_matches.feature +0 -1
- data/features/wrong_private_key.feature +0 -1
- data/hooks/pre-commit +43 -0
- data/lib/chef-vault.rb +10 -2
- data/lib/chef-vault/actor.rb +149 -0
- data/lib/chef-vault/certificate.rb +1 -1
- data/lib/chef-vault/chef_api.rb +39 -0
- data/lib/chef-vault/item.rb +57 -71
- data/lib/chef-vault/item_keys.rb +14 -9
- data/lib/chef-vault/user.rb +1 -1
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef/knife/vault_base.rb +5 -2
- data/lib/chef/knife/{encrypt_delete.rb → vault_clients.rb} +6 -12
- data/lib/chef/knife/vault_create.rb +9 -1
- data/lib/chef/knife/vault_remove.rb +9 -1
- data/lib/chef/knife/vault_rotate_all_keys.rb +1 -1
- data/lib/chef/knife/vault_show.rb +4 -4
- data/lib/chef/knife/vault_update.rb +13 -5
- data/spec/chef-vault/actor_spec.rb +247 -0
- data/spec/chef-vault/certificate_spec.rb +2 -9
- data/spec/chef-vault/chef_api_spec.rb +39 -0
- data/spec/chef-vault/item_keys_spec.rb +52 -0
- data/spec/chef-vault/item_spec.rb +139 -85
- data/spec/chef-vault/user_spec.rb +2 -9
- data/spec/spec_helper.rb +1 -0
- metadata +36 -42
- data/CONTRIBUTING.md +0 -118
- data/lib/chef-vault/chef_patch/api_client.rb +0 -45
- data/lib/chef-vault/chef_patch/user.rb +0 -33
- data/lib/chef/knife/decrypt.rb +0 -32
- data/lib/chef/knife/encrypt_create.rb +0 -51
- data/lib/chef/knife/encrypt_remove.rb +0 -42
- data/lib/chef/knife/encrypt_rotate_keys.rb +0 -32
- data/lib/chef/knife/encrypt_update.rb +0 -51
- data/lib/chef/knife/mixin/compat.rb +0 -33
- data/lib/chef/knife/vault_decrypt.rb +0 -58
data/CONTRIBUTING.md
DELETED
@@ -1,118 +0,0 @@
|
|
1
|
-
# Contributing to Chef-Vault
|
2
|
-
|
3
|
-
We welcome contributions. Your patch is part of a vibrant open source
|
4
|
-
community which makes Chef-Vault great. These guidelines will help your pull
|
5
|
-
request to be merged sooner.
|
6
|
-
|
7
|
-
### Create an Issue
|
8
|
-
|
9
|
-
Each pull request should have a corresponding [Chef-Vault GitHub
|
10
|
-
issue](https://github.com/chef/chef-vault/issues?state=open). Search the
|
11
|
-
issue list to make sure someone hasn't already submitted a pull request to fix
|
12
|
-
your issue. If not, please create a new issue.
|
13
|
-
|
14
|
-
Later, you'll create a feature branch with this issue number.
|
15
|
-
|
16
|
-
### Fork the Repo
|
17
|
-
|
18
|
-
Fork the Chef-Vault project and check out your copy. See this [GitHub
|
19
|
-
guide](https://help.github.com/articles/fork-a-repo) for more info.
|
20
|
-
|
21
|
-
```bash
|
22
|
-
$ git clone https://github.com/<username>/chef-vault.git
|
23
|
-
$ cd chef-vault
|
24
|
-
$ git remote add upstream https://github.com/chef/chef-vault.git
|
25
|
-
```
|
26
|
-
|
27
|
-
### Create a Local Feature Branch
|
28
|
-
|
29
|
-
Create a feature branch and start hacking:
|
30
|
-
|
31
|
-
```
|
32
|
-
$ git checkout -b my-feature-branch
|
33
|
-
```
|
34
|
-
|
35
|
-
### Code
|
36
|
-
|
37
|
-
Please follow the [Ruby Style
|
38
|
-
Guide](https://github.com/bbatsov/ruby-style-guide) when writing Ruby code for
|
39
|
-
Chef-Vault.
|
40
|
-
|
41
|
-
### Commit
|
42
|
-
|
43
|
-
Make sure git knows your name and email address:
|
44
|
-
|
45
|
-
```bash
|
46
|
-
$ git config --global user.name "Jane Doe"
|
47
|
-
$ git config --global user.email "jane.doe@example.com"
|
48
|
-
```
|
49
|
-
|
50
|
-
Writing good commit messages is important. A commit message should describe what
|
51
|
-
changed and why. Follow these guidelines when writing one:
|
52
|
-
|
53
|
-
1. The first line should be 50 or fewer characters and contain a short
|
54
|
-
description of the change.
|
55
|
-
If this commit fixes/closes an issue, prefix the commit message
|
56
|
-
like this: "Fixes #7: ". Here's a complete example:
|
57
|
-
`Fixes #9: Use getters instead of instance vars`
|
58
|
-
2. Keep the second line blank.
|
59
|
-
3. Wrap all other lines at 72 columns.
|
60
|
-
|
61
|
-
A good commit log looks like this:
|
62
|
-
|
63
|
-
```
|
64
|
-
Fixes #9: Use getters instead of instance vars
|
65
|
-
|
66
|
-
Body of commit message is a few lines of text, explaining things
|
67
|
-
in more detail, possibly giving some background about the issue
|
68
|
-
being fixed, etc etc.
|
69
|
-
|
70
|
-
The body of the commit message can be several paragraphs, and
|
71
|
-
please do proper word-wrap and keep columns shorter than about
|
72
|
-
72 characters or so. That way `git log` will show things
|
73
|
-
nicely even when it is indented.
|
74
|
-
```
|
75
|
-
|
76
|
-
The header line should be meaningful; it is what other people see when they
|
77
|
-
run `git shortlog` or `git log --oneline`.
|
78
|
-
|
79
|
-
### Rebase
|
80
|
-
|
81
|
-
Use `git rebase` (not `git merge`) to sync your work from time to time if
|
82
|
-
upstream/master has moved ahead of you.
|
83
|
-
|
84
|
-
```bash
|
85
|
-
$ git fetch upstream
|
86
|
-
$ git rebase upstream/master
|
87
|
-
```
|
88
|
-
|
89
|
-
### Test
|
90
|
-
|
91
|
-
Bug fixes and features should come with RSpec tests. Add your tests in the
|
92
|
-
`spec` directory. Look at other tests to see how they should be
|
93
|
-
structured (license boilerplate, common includes, etc.).
|
94
|
-
|
95
|
-
Run `bundle install && bundle exec rake` to run the test suite.
|
96
|
-
|
97
|
-
Make sure all tests pass.
|
98
|
-
|
99
|
-
### Push
|
100
|
-
|
101
|
-
```bash
|
102
|
-
$ git push origin my-feature-branch
|
103
|
-
```
|
104
|
-
|
105
|
-
### Create a Pull Request
|
106
|
-
Go to https://github.com/<username>/chef-vault and select your feature branch. Click
|
107
|
-
the 'Pull Request' button and fill out the form.
|
108
|
-
|
109
|
-
Pull requests are usually reviewed within a few days. If there are comments
|
110
|
-
to address, apply your changes in a separate commit and push that to your
|
111
|
-
feature branch. Post a comment in the pull request afterwards; GitHub does
|
112
|
-
not send out notifications when you add commits.
|
113
|
-
|
114
|
-
### Thank You
|
115
|
-
Thank you for reading this far. We look forward to your contribution.
|
116
|
-
|
117
|
-
Kevin Moser, Doug Ireton
|
118
|
-
Nordstrom
|
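Review bot: Deleting CONTRIBUTING.md removes the only stated requirement that bug fixes and features ship with RSpec tests under `spec`, along with the `bundle install && bundle exec rake` instructions and the commit-message conventions; nothing in the file list adds a replacement contributor document, so please fold the test and pull-request expectations into README.md (already modified in this set, +74 -4) or keep a short CONTRIBUTING.md that points there.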
@@ -1,45 +0,0 @@
|
|
1
|
-
# Author:: Kevin Moser <kevin.moser@nordstrom.com>
|
2
|
-
# Copyright:: Copyright 2013, Nordstrom, Inc.
|
3
|
-
# License:: Apache License, Version 2.0
|
4
|
-
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
class ChefVault
|
18
|
-
module ChefPatch
|
19
|
-
class ApiClient < Chef::ApiClient
|
20
|
-
# Fix an issue where core Chef::ApiClient does not load
|
21
|
-
# the private key for Chef 10
|
22
|
-
def self.load(name)
|
23
|
-
response = http_api.get("clients/#{name}")
|
24
|
-
if response.is_a?(Chef::ApiClient)
|
25
|
-
response
|
26
|
-
else
|
27
|
-
client = Chef::ApiClient.new
|
28
|
-
client.name(response["clientname"] || response["name"])
|
29
|
-
|
30
|
-
if response["certificate"]
|
31
|
-
der = OpenSSL::X509::Certificate.new response["certificate"]
|
32
|
-
client.public_key der.public_key.to_s
|
33
|
-
end
|
34
|
-
|
35
|
-
if response["public_key"]
|
36
|
-
der = OpenSSL::PKey::RSA.new response["public_key"]
|
37
|
-
client.public_key der.public_key.to_s
|
38
|
-
end
|
39
|
-
|
40
|
-
client
|
41
|
-
end
|
42
|
-
end
|
43
|
-
end
|
44
|
-
end
|
45
|
-
end
|
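Review bot: Removing the ChefVault::ChefPatch::ApiClient shim drops the Chef 10 code path that built the client's public key from the `certificate` field (via OpenSSL::X509::Certificate) when the server did not return `public_key`, so Chef 10 servers stop being supported by this release. That is an acceptable breaking change for a 3.0.0 release candidate, but Changelog.md only changes by +1 -6 in this set; please state the dropped Chef 10 support there and confirm that the new actor.rb and chef_api.rb loaders handle clients that return only `public_key`, which the deleted code also covered.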
@@ -1,33 +0,0 @@
|
|
1
|
-
# Author:: Kevin Moser <kevin.moser@nordstrom.com>
|
2
|
-
# Copyright:: Copyright 2013, Nordstrom, Inc.
|
3
|
-
# License:: Apache License, Version 2.0
|
4
|
-
|
5
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
6
|
-
# you may not use this file except in compliance with the License.
|
7
|
-
# You may obtain a copy of the License at
|
8
|
-
|
9
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
10
|
-
|
11
|
-
# Unless required by applicable law or agreed to in writing, software
|
12
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
13
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
14
|
-
# See the License for the specific language governing permissions and
|
15
|
-
# limitations under the License.
|
16
|
-
|
17
|
-
class ChefVault
|
18
|
-
module ChefPatch
|
19
|
-
class User < Chef::User
|
20
|
-
# def from_hash for our implementation because name is not being
|
21
|
-
# set correctly for Chef 10 server
|
22
|
-
def superclass.from_hash(user_hash)
|
23
|
-
user = Chef::User.new
|
24
|
-
user.name user_hash["username"] ? user_hash["username"] : user_hash["name"]
|
25
|
-
user.private_key user_hash["private_key"] if user_hash.key?("private_key")
|
26
|
-
user.password user_hash["password"] if user_hash.key?("password")
|
27
|
-
user.public_key user_hash["public_key"]
|
28
|
-
user.admin user_hash["admin"]
|
29
|
-
user
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
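Review bot: Good to see this go: `def superclass.from_hash` redefined Chef::User.from_hash for every process that loaded chef-vault, not only for ChefVault::ChefPatch::User, so any other knife plugin constructing a Chef::User silently received the patched `username`/`name` fallback and the private_key/password/admin handling. The same caveat as for the ApiClient patch applies: the Chef 10 `username` key is no longer mapped, which should be listed as a breaking change.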
data/lib/chef/knife/decrypt.rb
DELETED
@@ -1,32 +0,0 @@
|
|
1
|
-
# Description: Chef-Vault Decrypt class
|
2
|
-
# Copyright 2013-15, Nordstrom, Inc.
|
3
|
-
|
4
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
-
# you may not use this file except in compliance with the License.
|
6
|
-
# You may obtain a copy of the License at
|
7
|
-
|
8
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
-
|
10
|
-
# Unless required by applicable law or agreed to in writing, software
|
11
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
-
# See the License for the specific language governing permissions and
|
14
|
-
# limitations under the License.
|
15
|
-
|
16
|
-
require "chef/knife/vault_base"
|
17
|
-
require "chef/knife/vault_decrypt"
|
18
|
-
|
19
|
-
class Chef
|
20
|
-
class Knife
|
21
|
-
class Decrypt < VaultDecrypt
|
22
|
-
include Knife::VaultBase
|
23
|
-
|
24
|
-
banner "knife decrypt VAULT ITEM [VALUES] (options)"
|
25
|
-
|
26
|
-
def run
|
27
|
-
$stdout.puts "DEPRECATION WARNING: knife decrypt is deprecated. Please use knife vault decrypt instead."
|
28
|
-
super
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
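Review bot: The deprecation warning in the deleted `run` told users to switch to `knife vault decrypt`, but the file list for this release also deletes data/lib/chef/knife/vault_decrypt.rb (+0 -58), so anyone who followed that advice is broken a second time by 3.0.0; please document the replacement command in Changelog.md and KNIFE_EXAMPLES.md (vault_show.rb is the modified candidate in this set) before cutting the final release.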
@@ -1,51 +0,0 @@
|
|
1
|
-
# Description: Chef-Vault EncryptCreate class
|
2
|
-
# Copyright 2013-15, Nordstrom, Inc.
|
3
|
-
|
4
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
-
# you may not use this file except in compliance with the License.
|
6
|
-
# You may obtain a copy of the License at
|
7
|
-
|
8
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
-
|
10
|
-
# Unless required by applicable law or agreed to in writing, software
|
11
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
-
# See the License for the specific language governing permissions and
|
14
|
-
# limitations under the License.
|
15
|
-
|
16
|
-
require "chef/knife/vault_base"
|
17
|
-
require "chef/knife/vault_create"
|
18
|
-
|
19
|
-
class Chef
|
20
|
-
class Knife
|
21
|
-
class EncryptCreate < VaultCreate
|
22
|
-
include Knife::VaultBase
|
23
|
-
|
24
|
-
banner "knife encrypt create VAULT ITEM VALUES (options)"
|
25
|
-
|
26
|
-
option :search,
|
27
|
-
:short => "-S SEARCH",
|
28
|
-
:long => "--search SEARCH",
|
29
|
-
:description => "Chef SOLR search for clients"
|
30
|
-
|
31
|
-
option :admins,
|
32
|
-
:short => "-A ADMINS",
|
33
|
-
:long => "--admins ADMINS",
|
34
|
-
:description => "Chef users to be added as admins"
|
35
|
-
|
36
|
-
option :json,
|
37
|
-
:short => "-J FILE",
|
38
|
-
:long => "--json FILE",
|
39
|
-
:description => "File containing JSON data to encrypt"
|
40
|
-
|
41
|
-
option :file,
|
42
|
-
:long => "--file FILE",
|
43
|
-
:description => "File to be added to vault item as file-content"
|
44
|
-
|
45
|
-
def run
|
46
|
-
$stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
|
47
|
-
super
|
48
|
-
end
|
49
|
-
end
|
50
|
-
end
|
51
|
-
end
|
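Review bot: Removing the `knife encrypt create` alias after a deprecation period is fine for a major version, but note that the alias re-declared the `--search`, `--admins`, `--json` and `--file` options here instead of inheriting them from VaultCreate, so please verify that VaultCreate itself declares the same options and short flags (`-S`, `-A`, `-J`) so that nothing relied on this subclass for them; the same applies to the EncryptRemove and EncryptUpdate deletions below. KNIFE_EXAMPLES.md (+66 -14) and README.md (+74 -4) should no longer mention `knife encrypt`.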
@@ -1,42 +0,0 @@
|
|
1
|
-
# Description: Chef-Vault EncryptRemove class
|
2
|
-
# Copyright 2013-15, Nordstrom, Inc.
|
3
|
-
|
4
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
-
# you may not use this file except in compliance with the License.
|
6
|
-
# You may obtain a copy of the License at
|
7
|
-
|
8
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
-
|
10
|
-
# Unless required by applicable law or agreed to in writing, software
|
11
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
-
# See the License for the specific language governing permissions and
|
14
|
-
# limitations under the License.
|
15
|
-
|
16
|
-
require "chef/knife/vault_base"
|
17
|
-
require "chef/knife/vault_remove"
|
18
|
-
|
19
|
-
class Chef
|
20
|
-
class Knife
|
21
|
-
class EncryptRemove < VaultRemove
|
22
|
-
include Knife::VaultBase
|
23
|
-
|
24
|
-
banner "knife encrypt remove VAULT ITEM VALUES (options)"
|
25
|
-
|
26
|
-
option :search,
|
27
|
-
:short => "-S SEARCH",
|
28
|
-
:long => "--search SEARCH",
|
29
|
-
:description => "Chef SOLR search for clients"
|
30
|
-
|
31
|
-
option :admins,
|
32
|
-
:short => "-A ADMINS",
|
33
|
-
:long => "--admins ADMINS",
|
34
|
-
:description => "Chef users to be added as admins"
|
35
|
-
|
36
|
-
def run
|
37
|
-
$stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
|
38
|
-
super
|
39
|
-
end
|
40
|
-
end
|
41
|
-
end
|
42
|
-
end
|
@@ -1,32 +0,0 @@
|
|
1
|
-
# Description: Chef-Vault EncryptRotateKeys class
|
2
|
-
# Copyright 2013-15, Nordstrom, Inc.
|
3
|
-
|
4
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
-
# you may not use this file except in compliance with the License.
|
6
|
-
# You may obtain a copy of the License at
|
7
|
-
|
8
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
-
|
10
|
-
# Unless required by applicable law or agreed to in writing, software
|
11
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
-
# See the License for the specific language governing permissions and
|
14
|
-
# limitations under the License.
|
15
|
-
|
16
|
-
require "chef/knife/vault_base"
|
17
|
-
require "chef/knife/vault_rotate_keys"
|
18
|
-
|
19
|
-
class Chef
|
20
|
-
class Knife
|
21
|
-
class EncryptRotateKeys < VaultRotateKeys
|
22
|
-
include Knife::VaultBase
|
23
|
-
|
24
|
-
banner "knife encrypt rotate keys VAULT ITEM (options)"
|
25
|
-
|
26
|
-
def run
|
27
|
-
$stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
|
28
|
-
super
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
@@ -1,51 +0,0 @@
|
|
1
|
-
# Description: Chef-Vault EncryptUpdate class
|
2
|
-
# Copyright 2013-15, Nordstrom, Inc.
|
3
|
-
|
4
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
-
# you may not use this file except in compliance with the License.
|
6
|
-
# You may obtain a copy of the License at
|
7
|
-
|
8
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
-
|
10
|
-
# Unless required by applicable law or agreed to in writing, software
|
11
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
-
# See the License for the specific language governing permissions and
|
14
|
-
# limitations under the License.
|
15
|
-
|
16
|
-
require "chef/knife/vault_base"
|
17
|
-
require "chef/knife/vault_update"
|
18
|
-
|
19
|
-
class Chef
|
20
|
-
class Knife
|
21
|
-
class EncryptUpdate < VaultUpdate
|
22
|
-
include Knife::VaultBase
|
23
|
-
|
24
|
-
option :search,
|
25
|
-
:short => "-S SEARCH",
|
26
|
-
:long => "--search SEARCH",
|
27
|
-
:description => "Chef SOLR search for clients"
|
28
|
-
|
29
|
-
option :admins,
|
30
|
-
:short => "-A ADMINS",
|
31
|
-
:long => "--admins ADMINS",
|
32
|
-
:description => "Chef users to be added as admins"
|
33
|
-
|
34
|
-
option :json,
|
35
|
-
:short => "-J FILE",
|
36
|
-
:long => "--json FILE",
|
37
|
-
:description => "File containing JSON data to encrypt"
|
38
|
-
|
39
|
-
option :file,
|
40
|
-
:long => "--file FILE",
|
41
|
-
:description => "File to be added to vault item as file-content"
|
42
|
-
|
43
|
-
banner "knife encrypt update VAULT ITEM VALUES (options)"
|
44
|
-
|
45
|
-
def run
|
46
|
-
$stdout.puts "DEPRECATION WARNING: knife encrypt is deprecated. Please use knife vault instead."
|
47
|
-
super
|
48
|
-
end
|
49
|
-
end
|
50
|
-
end
|
51
|
-
end
|
@@ -1,33 +0,0 @@
|
|
1
|
-
# Description: ChefVault::Mixin::KnifeCompat module
|
2
|
-
# Copyright 2013, Nordstrom, Inc.
|
3
|
-
|
4
|
-
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
-
# you may not use this file except in compliance with the License.
|
6
|
-
# You may obtain a copy of the License at
|
7
|
-
|
8
|
-
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
-
|
10
|
-
# Unless required by applicable law or agreed to in writing, software
|
11
|
-
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
-
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
-
# See the License for the specific language governing permissions and
|
14
|
-
# limitations under the License.
|
15
|
-
|
16
|
-
# Make a wraper to chef10/11 "shef/shell" changes
|
17
|
-
|
18
|
-
class ChefVault
|
19
|
-
module Mixin
|
20
|
-
module KnifeCompat
|
21
|
-
require "chef/version"
|
22
|
-
def extend_context_object(obj)
|
23
|
-
if Chef::VERSION.to_i >= 11
|
24
|
-
require "chef/shell/ext"
|
25
|
-
Shell::Extensions.extend_context_object(obj)
|
26
|
-
else
|
27
|
-
require "chef/shef/ext"
|
28
|
-
Shef::Extensions.extend_context_object(obj)
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
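Review bot: Deleting ChefVault::Mixin::KnifeCompat removes the only place that chose between `chef/shef/ext` (Chef 10) and `chef/shell/ext` (Chef 11+) before calling `extend_context_object`; whichever knife command included this mixin must now `require "chef/shell/ext"` and call `Shell::Extensions.extend_context_object` directly, otherwise it raises NoMethodError for `extend_context_object` at runtime. vault_base.rb is touched in this set (+5 -2), which looks like the right place, but please confirm no `include ChefVault::Mixin::KnifeCompat` remains under lib/chef/knife.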