RubyGems - chef-vault - Versions diffs - 3.3.0.pre.pre414 → 3.3.0.pre.pre415 - Mend

chef-vault 3.3.0.pre.pre414 → 3.3.0.pre.pre415

Files changed (7) hide show

checksums.yaml +4 -4
data/features/clean_on_refresh.feature +1 -1
data/lib/chef-vault/item.rb +4 -0
data/lib/chef-vault/item_keys.rb +6 -1
data/lib/chef/knife/vault_refresh.rb +6 -0
data/spec/chef-vault/item_keys_spec.rb +19 -6
metadata +1 -1

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b72c5128b62e91852eda944997569ef0513c9546
-  data.tar.gz: 1de6e545dd2a554e510085d0863fe5fadbb5670a
+  metadata.gz: 79869d8868fbe6c3aa6e77654ac338947e788b3a
+  data.tar.gz: e4ab238fd0e427f63a139e414db343949f3e36a7
 SHA512:
-  metadata.gz: 85e471b328e2cca6dbdbbce092950e42f6743c7a95ca1581a00b301adac789b634c0ba41d180eaf7c44db7442180321668dc0e3d373e4e3c6faf43126c225116
-  data.tar.gz: b2fae4d1a5eabc84d7759910360009703c51b98f59f162b244348c225a67bd9b3a38c47434515b60ae428b7f69c501f86cde1be739de2dd272ecee02d04dc644
+  metadata.gz: 555934103a5531e7e985c28d3e499d041c3672c29cccce2ff5d2ba65f0c2bb6832dbefd619a60dd6041974bd3447abd607dba9f52530d7f69aa88617fd1f988d
+  data.tar.gz: 91d2b02f436d9addd25b629b838d43464026c570a6c577781b4b92bdcdbd318b733883c0e32ce5aafbed384d70bd5226d19b20fd3d3bae1404f53cee042242a4

data/features/clean_on_refresh.feature CHANGED

@@ -9,7 +9,7 @@ Feature: clean unknown clients on vault refresh
     Given a local mode chef repo with nodes 'one,two,three'
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
     Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete client 'one' from the Chef server
+    And I delete node 'one' from the Chef server
     And I refresh the vault item 'test/item'
     And the vault item 'test/item' should be encrypted for 'one,two,three'
     And 'one,two,three' should be a client for the vault item 'test/item'

data/lib/chef-vault/item.rb CHANGED

@@ -47,6 +47,9 @@ class ChefVault
     # revisit this as part of the 3.x rewrite
     def_delegator :@raw_data, :keys, :raw_keys
+    # allow to control whether keys are reencrypted or cached
+    def_delegator :keys, :skip_reencryption=
     # constructs a new ChefVault::Item
     # @param vault [String] the name of the data bag that contains the vault
     # @param name [String] the name of the item in the vault
@@ -441,6 +444,7 @@ class ChefVault
     def handle_client_action(api_client, action)
       case action
       when :add
+        # TODO: next line seems to create a client from the api_client (which seems to be identical)
         client = load_actor(api_client.name, "clients")
         add_client(client)
       when :delete

data/lib/chef-vault/item_keys.rb CHANGED

@@ -21,6 +21,10 @@ class ChefVault
     include ChefVault::Mixins
+    # @!attribute [rw] skip_reencryption
+    #   @return [TrueClass,FalseClass] whether symetrical key is reencrypted all the time or re-used from previous computations
+    attr_accessor :skip_reencryption
     def initialize(vault, name)
       super() # parentheses required to strip off parameters
       @data_bag = vault
@@ -64,7 +68,8 @@ class ChefVault
         raise ChefVault::Exceptions::V1Format,
               "cannot manage a v1 vault.  See UPGRADE.md for help"
       end
-      @cache[chef_key.name] = self[chef_key.name] || ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      @cache[chef_key.name] = skip_reencryption ? self[chef_key.name] : nil
+      @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
       @raw_data[type] << chef_key.name unless @raw_data[type].include?(chef_key.name)
       @raw_data[type]
     end

data/lib/chef/knife/vault_refresh.rb CHANGED

@@ -26,16 +26,22 @@ class Chef
         :long => "--clean-unknown-clients",
         :description => "Remove unknown clients during refresh"
+      option :skip_reencryption,
+        :long => "--skip-reencryption",
+        :description => "Skip reencrypt symetrical key for existing clients/admins."
       def run
         vault = @name_args[0]
         item = @name_args[1]
         clean = config[:clean_unknown_clients]
+        skip_reencryption = config[:skip_reencryption]
         set_mode(config[:vault_mode])
         if vault && item
           begin
             vault_item = ChefVault::Item.load(vault, item)
+            vault_item.skip_reencryption = skip_reencryption
             vault_item.refresh(clean)
           rescue ChefVault::Exceptions::KeysNotFound,
                  ChefVault::Exceptions::ItemNotFound

data/spec/chef-vault/item_keys_spec.rb CHANGED

@@ -37,12 +37,25 @@ RSpec.describe ChefVault::ItemKeys do
           end
           context "when key is already there" do
-            it "keeps the encoded key in the data bag item under the actor's name and the name in the raw data" do
-              expect(described_class).not_to receive(:encode_key).with(public_key_string, shared_secret)
-              keys.add(chef_key, shared_secret)
-              expect(keys[name]).not_to be_empty
-              expect(keys[type].include?(name)).to eq(true)
-              expect(keys.include?(name)).to eq(true)
+            context "when skip_reencryption is not specified (default to false)" do
+              it "encodes key in the data bag item under the actor's name and the name in the raw data" do
+                expect(described_class).to receive(:encode_key).with(public_key_string, shared_secret).and_return("encrypted_result")
+                keys.add(chef_key, shared_secret)
+                expect(keys[name]).to eq("encrypted_result")
+                expect(keys[type].include?(name)).to eq(true)
+                expect(keys.include?(name)).to eq(true)
+              end
+            end
+            context "when skip_reencryption is true" do
+              it "keeps the encoded key in the data bag item under the actor's name and the name in the raw data" do
+                expect(described_class).not_to receive(:encode_key).with(public_key_string, shared_secret)
+                keys.skip_reencryption = true
+                keys.add(chef_key, shared_secret)
+                expect(keys[name]).not_to be_empty
+                expect(keys[type].include?(name)).to eq(true)
+                expect(keys.include?(name)).to eq(true)
+              end
             end
           end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 3.3.0.pre.pre414
+  version: 3.3.0.pre.pre415
 platform: ruby
 authors:
 - Thom May