chef-vault 3.0.0.rc2 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a6dd267f10f94be45c16f2a088e476226b4b0cf5
-  data.tar.gz: 27fc5a1ee95c7be2ad1af5f967d4bbda96427b6a
+  metadata.gz: 52a4a35874db5011ab58dc856935a50d9f5bd0b1
+  data.tar.gz: 3515ba7b52b188fe1851cd2a7d2585b8268f8a9a
 SHA512:
-  metadata.gz: 9397b282b2497e73b1fef2cb86f09f84df98bc9333513cd4648767436e15138f9c9cee187c56854ee3e2197a61ee992e6cdd4f502145b89d194eb428c0ccb07c
-  data.tar.gz: 6a978b6a18e4a1a4b4eb8e3ddd3ce48318126e3f152dd5080ee20e19993afece13540df9b33b9a64b6873b483876c9041653ba91739a64ca3d0bc94b632a4dfd
+  metadata.gz: dda2609409ba281e63da7dacf34063c9efc65e5ad50a0652f11a75d4f97a56346b32e5580cc853d64933e01ec3edddbe2e67b8b48690e6fecd08a7af9cafca6c
+  data.tar.gz: ce93841b5ecbd3176a1cc7b5c4ce04735fddcc6a7b7b70cb9739b61e53a40a84c884676dea5a75bb33930d8d50250da2e5d11caa784b80466c649c3b9a639f3d

data/Changelog.md

@@ -1,7 +1,39 @@
 # Change Log
 
-## [2.9.0](https://github.com/chef/chef-vault/tree/2.9.0) (2016-04-06)
-[Full Changelog](https://github.com/chef/chef-vault/compare/v2.8.0...2.9.0)
+## [v3.0.0](https://github.com/chef/chef-vault/tree/v3.0.0) (2017-04-10)
+[Full Changelog](https://github.com/chef/chef-vault/compare/v2.9.1...v3.0.0)
+
+**Implemented enhancements:**
+
+- Vault creation, list, and destruction in sparse mode [\#252](https://github.com/chef/chef-vault/pull/252) ([rveznaver](https://github.com/rveznaver))
+
+## [v3.0.0.rc2](https://github.com/chef/chef-vault/tree/v3.0.0.rc2) (2016-12-05)
+[Full Changelog](https://github.com/chef/chef-vault/compare/v3.0.0.rc1...v3.0.0.rc2)
+
+**Implemented enhancements:**
+
+- Add feature to save each key in different data bag item [\#246](https://github.com/chef/chef-vault/pull/246) ([rveznaver](https://github.com/rveznaver))
+- Enable testing with Chef Zero [\#244](https://github.com/chef/chef-vault/pull/244) ([rveznaver](https://github.com/rveznaver))
+- Minimize the number of searches [\#243](https://github.com/chef/chef-vault/pull/243) ([thommay](https://github.com/thommay))
+- Optimise queries when finding nodes [\#240](https://github.com/chef/chef-vault/pull/240) ([thommay](https://github.com/thommay))
+
+**Fixed bugs:**
+
+- Use solo\_legacy\_mode fully [\#242](https://github.com/chef/chef-vault/pull/242) ([thommay](https://github.com/thommay))
+- Use legacy solo mode [\#241](https://github.com/chef/chef-vault/pull/241) ([thommay](https://github.com/thommay))
+
+## [v3.0.0.rc1](https://github.com/chef/chef-vault/tree/v3.0.0.rc1) (2016-10-21)
+[Full Changelog](https://github.com/chef/chef-vault/compare/v2.9.0...v3.0.0.rc1)
+
+**Implemented enhancements:**
+
+- Removed deprecated knife commands [\#236](https://github.com/chef/chef-vault/pull/236) ([thommay](https://github.com/thommay))
+- rename ChefKey to Actor [\#234](https://github.com/chef/chef-vault/pull/234) ([thommay](https://github.com/thommay))
+- Move to using a logger for all user output [\#232](https://github.com/chef/chef-vault/pull/232) ([thommay](https://github.com/thommay))
+- Add support for clients [\#227](https://github.com/chef/chef-vault/pull/227) ([svanharmelen](https://github.com/svanharmelen))
+
+## [v2.9.0](https://github.com/chef/chef-vault/tree/v2.9.0) (2016-04-08)
+[Full Changelog](https://github.com/chef/chef-vault/compare/v2.8.0...v2.9.0)
 
 **Implemented enhancements:**
 

data/Gemfile

@@ -6,7 +6,7 @@ group :development do
 end
 
 group :changelog do
-  gem "github_changelog_generator", "1.11.3"
+  gem "github_changelog_generator", git: "https://github.com/chef/github-changelog-generator"
 end
 
 gemspec

data/features/isvault.feature

@@ -8,6 +8,12 @@ Feature: determine if a data bag item is a vault
     And I check if the data bag item 'test/item' is a vault
     Then the exit status should be 0
 
+  Scenario: detect vault item with keys in sparse mode
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' with keys in sparse mode containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    And I check if the data bag item 'test/item' is a vault
+    Then the exit status should be 0
+
   Scenario: detect non-vault item (encrypted data bag)
     Given a local mode chef repo with nodes 'one,two,three'
     And I create an empty data bag 'test'

data/features/step_definitions/chef-vault.rb

@@ -1,10 +1,11 @@
 require "json"
 
-Given(/^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, json, nodelist, admins|
+Given(/^I create a vault item '(.+)\/(.+)'( with keys in sparse mode)? containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, sparse, json, nodelist, admins|
   write_file "item.json", json
   query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
   adminarg = admins.nil? ? "-A admin" : "-A #{admins}"
-  run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} -S '#{query}' -J item.json", false
+  sparseopt = sparse.nil? ? "" : "-K sparse"
+  run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} #{sparseopt} -S '#{query}' -J item.json", false
 end
 
 Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
@@ -41,18 +42,28 @@ Given(/^I try to decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |vault, ite
   run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem", false
 end
 
-Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/) do |vault, item, neg, nodelist|
+Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'( with keys in sparse mode)?$/) do |vault, item, neg, nodelist, sparse|
   nodes = nodelist.split(/,/)
   command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
   run_simple(command)
   output = last_command_started.stdout
   data = JSON.parse(output)
-  nodes.each do |node|
-    if neg
-      expect(data).not_to include(node)
-    else
-      expect(data).to include(node)
+  if sparse
+    expect(data).to include("mode" => "sparse")
+    nodes.each do |node|
+      command = "knife data bag show #{vault} #{item}_key_#{node} -z -c knife.rb -F json"
+      run_simple(command, fail_on_error: false)
+      if neg
+        error = last_command_started.stderr
+        expect(error).to include("ERROR: The object you are looking for could not be found")
+      else
+        data = JSON.parse(last_command_started.stdout)
+        expect(data).to include("id" => "#{item}_key_#{node}")
+      end
     end
+  else
+    expect(data).to include("mode" => "default")
+    nodes.each { |node| neg ? (expect(data).not_to include(node)) : (expect(data).to include(node)) }
   end
 end
 

data/features/vault_create.feature

@@ -46,6 +46,16 @@ Feature: knife vault create
     And 'alice' should be an admin for the vault item 'test/item'
     And 'bob' should not be an admin for the vault item 'test/item'
 
+  Scenario: create vault with several admins in sparse mode
+    Given a local mode chef repo with nodes 'one,two' with admins 'alice,bob'
+    And I create a vault item 'test/item' with keys in sparse mode containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
+    Then the vault item 'test/item' should be encrypted for 'one,two' with keys in sparse mode
+    And the vault item 'test/item' should not be encrypted for 'three' with keys in sparse mode
+    And 'one,two' should be a client for the vault item 'test/item'
+    And 'three' should not be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And 'bob' should not be an admin for the vault item 'test/item'
+
   Scenario: create vault with an unknown admin
     Given a local mode chef repo with nodes 'one,two'
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin

data/features/vault_list.feature

@@ -10,6 +10,12 @@ Feature: list data bags that are vaults
     And I list the vaults
     Then the output should match /(?m:^test$)/
 
+  Scenario: List bags that are vaults with keys in sparse mode
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' with keys in sparse mode containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    And I list the vaults
+    Then the output should match /(?m:^test$)/
+
   Scenario: Skip data bags that are not vaults
     Given a local mode chef repo with nodes 'one,two,three'
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'

data/lib/chef-vault/actor.rb

@@ -66,18 +66,16 @@ class ChefVault
     end
 
     def get_client_key
-      begin
-        get_key("clients")
-      rescue Net::HTTPServerException => http_error
-        if http_error.response.code.eql?("403")
-          print_forbidden_error
-          raise http_error
-        elsif http_error.response.code.eql?("404")
-          raise ChefVault::Exceptions::ClientNotFound,
-                "#{name} is not a valid chef client and/or node"
-        else
-          raise http_error
-        end
+      get_key("clients")
+    rescue Net::HTTPServerException => http_error
+      if http_error.response.code.eql?("403")
+        print_forbidden_error
+        raise http_error
+      elsif http_error.response.code.eql?("404")
+        raise ChefVault::Exceptions::ClientNotFound,
+              "#{name} is not a valid chef client and/or node"
+      else
+        raise http_error
       end
     end
 

data/lib/chef-vault/item_keys.rb

@@ -161,14 +161,23 @@ class ChefVault
 
     def destroy
       if Chef::Config[:solo_legacy_mode]
-        data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+        data_bag_path = File.join(Chef::Config[:data_bag_path], data_bag)
         data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
-
+        data_bag_sparse_keys_path = File.join(data_bag_path, sparse_id("*"))
+        # destroy all sparse keys
+        FileUtils.rm(Dir.glob("#{data_bag_sparse_keys_path}.json"))
+        # destroy this metadata
         FileUtils.rm("#{data_bag_item_path}.json")
-
         nil
       else
+        # destroy all sparse keys
+        rgx = Regexp.new("^#{sparse_id(".*")}")
+        items = Chef::DataBag.load(data_bag).keys.select { |item| item =~ rgx }
+        items.each do |id|
+          Chef::DataBagItem.from_hash("data_bag" => data_bag, "id" => id)
+                           .destroy(data_bag, id)
+        end
+        # destroy this metadata
         super(data_bag, id)
       end
     end
@@ -205,7 +214,7 @@ class ChefVault
     # @private
 
     def sparse_id(key, item_id = @raw_data["id"])
-      "#{item_id}_key_#{key}"
+      "#{item_id.chomp("_keys")}_key_#{key}"
     end
 
     def sparse_key(sid)

data/lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "3.0.0.rc2"
+  VERSION = "3.0.0"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/lib/chef/knife/vault_base.rb

@@ -49,8 +49,12 @@ class Chef
 
       def bag_is_vault?(bagname)
         bag = Chef::DataBag.load(bagname)
-        # vaults have at even number of keys >= 2
-        return false unless bag.keys.size >= 2 && 0 == bag.keys.size % 2
+        # a data bag is a vault if and only if:
+        # - it has at least one item with item_keys
+        # - every item has a matching item_keys
+        # - item_keys has zero or more keys in sparse mode
+        # vaults have a number of keys >= 2
+        return false unless bag.keys.size >= 2
         # partition into those that end in _keys
         keylike, notkeylike = split_vault_keys(bag)
         # there must be an equal number of keyline and not-keylike items
@@ -63,8 +67,15 @@ class Chef
       end
 
       def split_vault_keys(bag)
-        # partition into those that end in _keys
-        bag.keys.partition { |k| k =~ /_keys$/ }
+        # get all item keys
+        keys = bag.keys.select { |k| k =~ /_keys$/ }
+        # get all sparse keys
+        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp('_keys')}_key_.*") })
+        sparse = bag.keys.select { |k| k =~ r }
+        # the rest
+        items = bag.keys - keys - sparse
+        # return item keys and items
+        [keys, items]
       end
     end
   end

data/lib/chef/knife/vault_create.rb

@@ -26,6 +26,11 @@ class Chef
 
       banner "knife vault create VAULT ITEM VALUES (options)"
 
+      option :keys_mode,
+        :short => "-K KEYS_MODE",
+        :long => "--keys-mode KEYS_MODE",
+        :description => "Mode in which to save vault keys"
+
       option :search,
         :short => "-S SEARCH",
         :long => "--search SEARCH",
@@ -57,6 +62,7 @@ class Chef
         search = config[:search]
         json_file = config[:json]
         file = config[:file]
+        keys_mode = config[:keys_mode]
 
         set_mode(config[:vault_mode])
 
@@ -91,6 +97,7 @@ class Chef
             vault_item.clients if search
             vault_item.clients(clients) if clients
             vault_item.admins(admins) if admins
+            vault_item.keys.mode(keys_mode) if keys_mode
 
             vault_item.save
           end

data/spec/chef-vault/item_keys_spec.rb

@@ -81,11 +81,8 @@ RSpec.describe ChefVault::ItemKeys do
 
       describe "#save" do
         let(:client_name) { "client_name" }
-        let(:chef_key)    { ChefVault::Actor.new("clients", client_name) }
-
-        before do
-          allow(chef_key).to receive(:key) { public_key_string }
-        end
+        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
+        before { allow(chef_key).to receive(:key) { public_key_string } }
 
         it "should save the key data" do
           keys.add(chef_key, shared_secret)
@@ -110,6 +107,29 @@ RSpec.describe ChefVault::ItemKeys do
           keys.mode("default")
         end
       end
+
+      describe "#destroy" do
+        let(:client_name) { "client_name" }
+        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
+        before { allow(chef_key).to receive(:key) { public_key_string } }
+
+        it "should destroy the keys" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          keys.destroy
+          expect { Chef::DataBagItem.load("foo", "bar") }.to raise_error(Net::HTTPServerException)
+        end
+
+        it "should destroy the keys in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.mode("sparse")
+          keys.save("bar")
+          keys.destroy
+          expect { Chef::DataBagItem.load("foo", "bar") }.to raise_error(Net::HTTPServerException)
+          expect { Chef::DataBagItem.load("foo", "bar_key_client_name") }.to raise_error(Net::HTTPServerException)
+          keys.mode("default")
+        end
+      end
     end
 
     context "when running with chef-solo" do
@@ -182,6 +202,34 @@ RSpec.describe ChefVault::ItemKeys do
           keys.mode("default")
         end
       end
+
+      describe "#destroy" do
+        let(:client_name) { "client_name" }
+        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
+        let(:data_bag_path) { Dir.mktmpdir("vault_item_keys") }
+
+        before do
+          Chef::Config[:data_bag_path] = data_bag_path
+          allow(chef_key).to receive(:key) { public_key_string }
+        end
+
+        it "should destroy the keys" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          keys.destroy
+          expect(File.exist?(File.join(data_bag_path, "foo", "bar.json"))).to be(false)
+        end
+
+        it "should destroy the keys in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.mode("sparse")
+          keys.save("bar")
+          keys.destroy
+          expect(File.exist?(File.join(data_bag_path, "foo", "bar.json"))).to be(false)
+          expect(File.exist?(File.join(data_bag_path, "foo", "bar_key_client_name.json"))).to be(false)
+          keys.mode("default")
+        end
+      end
     end
   end
 end

data/tasks/github_changelog_generator.rb

@@ -21,10 +21,9 @@ begin
   require "github_changelog_generator/task"
 
   GitHubChangelogGenerator::RakeTask.new :changelog do |config|
-    config.future_release = ChefVault::VERSION
-    config.enhancement_labels = "enhancement,Enhancement,New Feature,Feature".split(",")
-    config.bug_labels = "bug,Bug,Improvement,Upstream Bug".split(",")
-    config.exclude_labels = "duplicate,question,invalid,wontfix,no_changelog,Exclude From Changelog,Question,Discussion".split(",")
+    config.future_release = "v#{ChefVault::VERSION}"
+    config.max_issues = 0
+    config.add_issues_wo_labels = false
   end
 rescue LoadError
   puts "github_changelog_generator is not available. gem install github_changelog_generator to generate changelogs"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 3.0.0.rc2
+  version: 3.0.0
 platform: ruby
 authors:
 - Thom May
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-12-05 00:00:00.000000000 Z
+date: 2017-04-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -202,12 +202,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Data encryption support for Chef using data bags