chef-vault 3.3.0.pre.pre414 → 3.3.0.pre.pre415

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: b72c5128b62e91852eda944997569ef0513c9546
4
- data.tar.gz: 1de6e545dd2a554e510085d0863fe5fadbb5670a
3
+ metadata.gz: 79869d8868fbe6c3aa6e77654ac338947e788b3a
4
+ data.tar.gz: e4ab238fd0e427f63a139e414db343949f3e36a7
5
5
  SHA512:
6
- metadata.gz: 85e471b328e2cca6dbdbbce092950e42f6743c7a95ca1581a00b301adac789b634c0ba41d180eaf7c44db7442180321668dc0e3d373e4e3c6faf43126c225116
7
- data.tar.gz: b2fae4d1a5eabc84d7759910360009703c51b98f59f162b244348c225a67bd9b3a38c47434515b60ae428b7f69c501f86cde1be739de2dd272ecee02d04dc644
6
+ metadata.gz: 555934103a5531e7e985c28d3e499d041c3672c29cccce2ff5d2ba65f0c2bb6832dbefd619a60dd6041974bd3447abd607dba9f52530d7f69aa88617fd1f988d
7
+ data.tar.gz: 91d2b02f436d9addd25b629b838d43464026c570a6c577781b4b92bdcdbd318b733883c0e32ce5aafbed384d70bd5226d19b20fd3d3bae1404f53cee042242a4
@@ -9,7 +9,7 @@ Feature: clean unknown clients on vault refresh
9
9
  Given a local mode chef repo with nodes 'one,two,three'
10
10
  And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
11
11
  Then the vault item 'test/item' should be encrypted for 'one,two,three'
12
- And I delete client 'one' from the Chef server
12
+ And I delete node 'one' from the Chef server
13
13
  And I refresh the vault item 'test/item'
14
14
  And the vault item 'test/item' should be encrypted for 'one,two,three'
15
15
  And 'one,two,three' should be a client for the vault item 'test/item'
@@ -47,6 +47,9 @@ class ChefVault
47
47
  # revisit this as part of the 3.x rewrite
48
48
  def_delegator :@raw_data, :keys, :raw_keys
49
49
 
50
+ # allow to control whether keys are reencrypted or cached
51
+ def_delegator :keys, :skip_reencryption=
52
+
50
53
  # constructs a new ChefVault::Item
51
54
  # @param vault [String] the name of the data bag that contains the vault
52
55
  # @param name [String] the name of the item in the vault
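Review bot: Only the writer is delegated at line 51 (`def_delegator :keys, :skip_reencryption=`), so a caller holding a ChefVault::Item can set the flag but cannot read it back, and the comment above it does not say what is being traded off. A symmetric pair keeps the item's surface in step with ItemKeys: `def_delegators :keys, :skip_reencryption, :skip_reencryption=`. The comment should state the consequence rather than the mechanism, e.g. `# when true, an actor that already has an entry keeps it as-is instead of receiving the shared secret re-wrapped with its current public key`, since that is what decides whether the flag is safe after a key rotation; the re-wrapping itself is done by ItemKeys#add, which is in a later hunk. The enclosing class continues outside this hunk.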
@@ -441,6 +444,7 @@ class ChefVault
441
444
  def handle_client_action(api_client, action)
442
445
  case action
443
446
  when :add
447
+ # TODO: next line seems to create a client from the api_client (which seems to be identical)
444
448
  client = load_actor(api_client.name, "clients")
445
449
  add_client(client)
446
450
  when :delete
@@ -21,6 +21,10 @@ class ChefVault
21
21
 
22
22
  include ChefVault::Mixins
23
23
 
24
+ # @!attribute [rw] skip_reencryption
25
+ # @return [TrueClass,FalseClass] whether symetrical key is reencrypted all the time or re-used from previous computations
26
+ attr_accessor :skip_reencryption
27
+
24
28
  def initialize(vault, name)
25
29
  super() # parentheses required to strip off parameters
26
30
  @data_bag = vault
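Review bot: The YARD comment at lines 24-25 misspells symmetric and describes what the accessor toggles without saying what an operator gives up, which is the one thing a reader of this attribute needs: when true, an actor's existing entry is reused rather than re-wrapped with the public key passed in now, so a client or admin whose key was rotated is left with an entry it cannot decrypt. Suggest `# @return [TrueClass,FalseClass] when true, actors that already have an entry keep it unchanged instead of having the shared secret re-wrapped with their current public key; leave false after any client/admin key rotation`. That behaviour follows from the `add` change in the next hunk of this file; the class body continues outside this hunk.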
@@ -64,7 +68,8 @@ class ChefVault
64
68
  raise ChefVault::Exceptions::V1Format,
65
69
  "cannot manage a v1 vault. See UPGRADE.md for help"
66
70
  end
67
- @cache[chef_key.name] = self[chef_key.name] || ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
71
+ @cache[chef_key.name] = skip_reencryption ? self[chef_key.name] : nil
72
+ @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
68
73
  @raw_data[type] << chef_key.name unless @raw_data[type].include?(chef_key.name)
69
74
  @raw_data[type]
70
75
  end
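Review bot: Line 71 reuses whatever is stored under `chef_key.name` whenever `skip_reencryption` is set, with no check that the stored blob was wrapped with the `chef_key.key` being passed in now, so after a client or admin key rotation the stale entry is silently kept and that actor can no longer recover the shared secret while the operation reports success. Nothing here can cheaply tell which public key wrapped the blob, so the reuse should at least be explicit and documented: add `# reuse assumes no actor key has changed since the entry was written; a rotated key leaves an entry the actor cannot decrypt` above line 71, and the two assignments can collapse to `@cache[chef_key.name] = (self[chef_key.name] if skip_reencryption) || ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)`. Making re-encryption the default, as lines 71-72 do, is the safer direction and reverses the unconditional reuse at the removed line 67. The enclosing `add` method starts and ends outside this hunk.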
@@ -26,16 +26,22 @@ class Chef
26
26
  :long => "--clean-unknown-clients",
27
27
  :description => "Remove unknown clients during refresh"
28
28
 
29
+ option :skip_reencryption,
30
+ :long => "--skip-reencryption",
31
+ :description => "Skip reencrypt symetrical key for existing clients/admins."
32
+
29
33
  def run
30
34
  vault = @name_args[0]
31
35
  item = @name_args[1]
32
36
  clean = config[:clean_unknown_clients]
37
+ skip_reencryption = config[:skip_reencryption]
33
38
 
34
39
  set_mode(config[:vault_mode])
35
40
 
36
41
  if vault && item
37
42
  begin
38
43
  vault_item = ChefVault::Item.load(vault, item)
44
+ vault_item.skip_reencryption = skip_reencryption
39
45
  vault_item.refresh(clean)
40
46
  rescue ChefVault::Exceptions::KeysNotFound,
41
47
  ChefVault::Exceptions::ItemNotFound
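Review bot: The description at line 31 misspells symmetric and says what is skipped but not when skipping is safe; since the value is handed straight to the item at line 44 ahead of `refresh(clean)`, this string is the only warning an operator gets before opting out of re-wrapping. Suggest `:description => "Do not re-wrap the shared secret for actors that already have an entry (faster, but leaves stale entries if any client or admin key changed since the last refresh)."`, which matches the reuse behaviour the ItemKeys#add change in this commit introduces. The definition of the existing `--clean-unknown-clients` option starts above the hunk, so whether a `:boolean => true` is expected on flag options here should follow that precedent. The `run` method continues past the hunk.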
@@ -37,12 +37,25 @@ RSpec.describe ChefVault::ItemKeys do
37
37
  end
38
38
 
39
39
  context "when key is already there" do
40
- it "keeps the encoded key in the data bag item under the actor's name and the name in the raw data" do
41
- expect(described_class).not_to receive(:encode_key).with(public_key_string, shared_secret)
42
- keys.add(chef_key, shared_secret)
43
- expect(keys[name]).not_to be_empty
44
- expect(keys[type].include?(name)).to eq(true)
45
- expect(keys.include?(name)).to eq(true)
40
+ context "when skip_reencryption is not specified (default to false)" do
41
+ it "encodes key in the data bag item under the actor's name and the name in the raw data" do
42
+ expect(described_class).to receive(:encode_key).with(public_key_string, shared_secret).and_return("encrypted_result")
43
+ keys.add(chef_key, shared_secret)
44
+ expect(keys[name]).to eq("encrypted_result")
45
+ expect(keys[type].include?(name)).to eq(true)
46
+ expect(keys.include?(name)).to eq(true)
47
+ end
48
+ end
49
+
50
+ context "when skip_reencryption is true" do
51
+ it "keeps the encoded key in the data bag item under the actor's name and the name in the raw data" do
52
+ expect(described_class).not_to receive(:encode_key).with(public_key_string, shared_secret)
53
+ keys.skip_reencryption = true
54
+ keys.add(chef_key, shared_secret)
55
+ expect(keys[name]).not_to be_empty
56
+ expect(keys[type].include?(name)).to eq(true)
57
+ expect(keys.include?(name)).to eq(true)
58
+ end
46
59
  end
47
60
  end
48
61
 
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: chef-vault
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.3.0.pre.pre414
4
+ version: 3.3.0.pre.pre415
5
5
  platform: ruby
6
6
  authors:
7
7
  - Thom May