chef-vault 3.3.0 → 4.1.11
- checksums.yaml +5 -5
- data/Gemfile +32 -6
- data/bin/chef-vault +5 -5
- data/chef-vault.gemspec +7 -26
- data/lib/chef/knife/mixin/helper.rb +29 -1
- data/lib/chef/knife/vault_admins.rb +5 -1
- data/lib/chef/knife/vault_base.rb +23 -13
- data/lib/chef/knife/vault_create.rb +26 -23
- data/lib/chef/knife/vault_delete.rb +4 -2
- data/lib/chef/knife/vault_download.rb +2 -2
- data/lib/chef/knife/vault_edit.rb +4 -4
- data/lib/chef/knife/vault_isvault.rb +4 -4
- data/lib/chef/knife/vault_itemtype.rb +4 -4
- data/lib/chef/knife/vault_list.rb +5 -5
- data/lib/chef/knife/vault_refresh.rb +7 -7
- data/lib/chef/knife/vault_remove.rb +19 -16
- data/lib/chef/knife/vault_rotate_all_keys.rb +5 -4
- data/lib/chef/knife/vault_rotate_keys.rb +3 -3
- data/lib/chef/knife/vault_show.rb +8 -10
- data/lib/chef/knife/vault_update.rb +38 -24
- data/lib/chef-vault/actor.rb +9 -7
- data/lib/chef-vault/chef_api.rb +4 -4
- data/lib/chef-vault/exceptions.rb +3 -0
- data/lib/chef-vault/item.rb +57 -21
- data/lib/chef-vault/item_keys.rb +35 -9
- data/lib/chef-vault/mixins.rb +2 -2
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef-vault.rb +8 -8
- metadata +8 -135
- data/.github/CODEOWNERS +0 -2
- data/.gitignore +0 -33
- data/.rspec +0 -2
- data/.rubocop.yml +0 -6
- data/.simplecov +0 -6
- data/.travis.yml +0 -19
- data/Changelog.md +0 -134
- data/DEMO.md +0 -60
- data/KNIFE_EXAMPLES.md +0 -256
- data/README.md +0 -333
- data/Rakefile +0 -50
- data/THEORY.md +0 -363
- data/UPGRADE.md +0 -55
- data/appveyor.yml +0 -32
- data/features/clean.feature +0 -23
- data/features/clean_on_refresh.feature +0 -27
- data/features/clean_unknown_clients.feature +0 -45
- data/features/detect_and_warn_v1_vault.feature +0 -14
- data/features/isvault.feature +0 -29
- data/features/itemtype.feature +0 -24
- data/features/step_definitions/chef-databag.rb +0 -9
- data/features/step_definitions/chef-repo.rb +0 -72
- data/features/step_definitions/chef-vault.rb +0 -151
- data/features/step_definitions/chef_databagitem.rb +0 -9
- data/features/support/env.rb +0 -14
- data/features/vault_create.feature +0 -63
- data/features/vault_list.feature +0 -31
- data/features/vault_show.feature +0 -45
- data/features/vault_show_vaultname.feature +0 -21
- data/features/vault_update.feature +0 -18
- data/features/verify_id_matches.feature +0 -10
- data/features/wrong_private_key.feature +0 -13
- data/hooks/pre-commit +0 -43
- data/spec/chef-vault/actor_spec.rb +0 -247
- data/spec/chef-vault/certificate_spec.rb +0 -37
- data/spec/chef-vault/chef_api_spec.rb +0 -39
- data/spec/chef-vault/item_keys_spec.rb +0 -263
- data/spec/chef-vault/item_spec.rb +0 -360
- data/spec/chef-vault/user_spec.rb +0 -36
- data/spec/chef-vault_spec.rb +0 -65
- data/spec/spec_helper.rb +0 -91
- data/tasks/github_changelog_generator.rb +0 -30
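--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: 44f75213a45df776972cad854aedf5abb94d7a54fde7a9986caed78930f8790e
+data.tar.gz: aaa272cb7893c232b456ef5148bfc0ff91bc5b53a8ae4e9b573f68edaff78df8
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ad149c125f2aa41b9e3fd8d07281c65ecec8317bbc5a6daf2b7deb9e6def089820e57ee59ca68b53852f6fffe54cbf8d711e1c40b6ac04629597bc3ef07107c2
+data.tar.gz: 8e0f928a9b4e8dfb6a2800d0d5c65af323cc2f4678b91b2a535b4c450cd71d96ea320b9861638329821ffe5041e025a81e1cf5dbb1cab5bc90bfcd703876afc1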
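--- a/data/Gemfile
+++ b/data/Gemfile
@@ -1,12 +1,38 @@
-source "https://rubygems.org
+source "https://rubygems.org"
+
+gemspec
 
 group :development do
-gem "chefstyle"
-gem "
+gem "chefstyle"
+gem "rake"
+gem "contracts", "~> 0.16.1" # pin until we drop ruby < 2.7
+if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0.0")
+gem "chef-zero"
+gem "rspec", "~> 3.4"
+gem "aruba", "~> 0.6"
+gem "chef", "~> 14.0"
+gem "chef-utils", "17.10.0" # pin until we drop ruby 2.5
+else
+gem "chef-zero", ">= 15.0.4"
+gem "chef", "~> 17.0"
+gem "rspec", "~> 3.10.0"
+gem "aruba", "~> 1.1"
+gem "knife", "~> 17.0"
+gem "chef-utils", "17.10.0" # pin until we drop ruby >=3
+end
 end
 
-group :
-gem "
+group :docs do
+gem "yard"
+gem "redcarpet"
+gem "github-markup"
 end
 
-
+group :debug do
+gem "pry"
+gem "pry-byebug"
+gem "pry-stack_explorer", "~> 0.6.1" # pin until we drop ruby < 2.6
+gem "rb-readline"
+end
+
+gem "simplecov", require: false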
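Review bot: The pin comment on the else branch, `gem "chef-utils", "17.10.0" # pin until we drop ruby >=3`, contradicts the branch it sits in — that branch is only taken when RUBY_VERSION is 3.0.0 or newer — so a reader cannot tell when the pin may be lifted. The if-branch comment `# pin until we drop ruby 2.5` is likewise stale, because the gemspec in this same diff sets `s.required_ruby_version = ">= 2.6"`. Both branches pin the same exact version, so one accurate comment stating the real reason for the pin (or dropping the pin on the Ruby >= 3 branch if it is no longer needed) would be clearer than two contradictory ones.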
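--- a/data/bin/chef-vault
+++ b/data/bin/chef-vault
@@ -18,7 +18,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "optparse"
+require "optparse" unless defined?(OptionParser)
 
 options_config = {
 chef: {
@@ -79,20 +79,20 @@ options_config.each do |option, config|
 end
 
 options_config.each do |option, config|
-options[option] = options[option]
+options[option] = options[option] || config[:default]
 end
 
-require "rubygems"
+require "rubygems" unless defined?(Gem)
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
 require "chef-vault"
 
 ChefVault::Log.init(STDOUT)
 ChefVault.load_config(options[:chef])
-item = ChefVault::Item.load(options[:vault], options[:item])
+item = ChefVault::Item.load(options[:vault], options[:item], options)
 
 ChefVault::Log.info "#{options[:vault]}/#{options[:item]}"
 
 options[:values].split(",").each do |value|
 value.strip! # remove white space
-ChefVault::Log.info
+ChefVault::Log.info("\t#{value}: #{item[value]}")
 end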
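--- a/data/chef-vault.gemspec
+++ b/data/chef-vault.gemspec
@@ -1,6 +1,6 @@
-# -*- encoding: utf-8 -*-
 # Chef-Vault Gemspec file
-# Copyright 2013-
+# Copyright 2013-2015, Nordstrom, Inc.
+# Copyright 2017-2019, Chef Software, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,41 +14,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-$:.push File.expand_path("
+$:.push File.expand_path("lib", __dir__)
 require "chef-vault/version"
 
-def self.prerelease?
-!ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
-end
-
 Gem::Specification.new do |s|
 s.name = "chef-vault"
 s.version = ChefVault::VERSION
-s.version = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
-s.has_rdoc = true
 s.authors = ["Thom May"]
 s.email = ["thom@chef.io"]
-s.summary = "Data encryption support for Chef using data bags"
+s.summary = "Data encryption support for Chef Infra using data bags"
 s.description = s.summary
 s.homepage = "https://github.com/chef/chef-vault"
-s.license = "Apache
-s.files = `git ls-files`.split("\n")
+s.license = "Apache-2.0"
+s.files = %w{LICENSE Gemfile} + Dir.glob("*.gemspec") + `git ls-files`.split("\n").select { |f| f =~ %r{^(?:bin/|lib/)}i }
 s.require_paths = ["lib"]
 s.bindir = "bin"
 s.executables = %w{ chef-vault }
 
-s.required_ruby_version = ">= 2.
-
-s.add_development_dependency "rake", "~> 11.0"
-s.add_development_dependency "rspec", "~> 3.4"
-s.add_development_dependency "aruba", "~> 0.6"
-s.add_development_dependency "simplecov", "~> 0.9"
-s.add_development_dependency "simplecov-console", "~> 0.2"
-if ENV.key?("TRAVIS_BUILD") && RUBY_VERSION == "2.1.9"
-# Test version of Chef with Chef Zero before
-# /orgs/org/users/user/keys endpoint was added.
-s.add_development_dependency "chef", "12.8.1"
-else # Test most current version of Chef on 2.2.2
-s.add_development_dependency :chef
-end
+s.required_ruby_version = ">= 2.6"
 end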
@@ -33,16 +33,44 @@ class ChefVault
|
|
33
33
|
end
|
34
34
|
|
35
35
|
def values_from_file(file)
|
36
|
-
json = File.open(file
|
36
|
+
json = File.open(file, &:read)
|
37
37
|
|
38
38
|
values_from_json(json)
|
39
39
|
end
|
40
40
|
|
41
41
|
def values_from_json(json)
|
42
|
+
validate_json(json)
|
42
43
|
JSON.parse(json)
|
43
44
|
rescue JSON::ParserError
|
44
45
|
raise JSON::ParserError, "#{json} is not valid JSON!"
|
45
46
|
end
|
47
|
+
|
48
|
+
# I/P: json string
|
49
|
+
# Raises `InvalidValue` if any of the json's values contain non-printable characters.
|
50
|
+
def validate_json(json)
|
51
|
+
begin
|
52
|
+
evaled_json = eval(json) # rubocop: disable Security/Eval
|
53
|
+
rescue SyntaxError
|
54
|
+
raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
|
55
|
+
end
|
56
|
+
|
57
|
+
if evaled_json.is_a?(Hash)
|
58
|
+
evaled_json.each do |key, value|
|
59
|
+
next unless printable?(value.to_s)
|
60
|
+
|
61
|
+
msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."
|
62
|
+
ChefVault::Log.warn(msg)
|
63
|
+
end
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
# I/P: String
|
68
|
+
# O/P: true/false
|
69
|
+
# returns true if string is free of non-printable characters (escape sequences)
|
70
|
+
# this returns false for whitespace escape sequences as well, e.g. \n\t
|
71
|
+
def printable?(string)
|
72
|
+
/[^[:print:]]|[[:space:]]/.match(string)
|
73
|
+
end
|
46
74
|
end
|
47
75
|
end
|
48
76
|
end
|
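Review bot: `validate_json` (line 52 of the new file) runs `eval` on the string that `values_from_file` read from the operator-supplied `--json` file, executing it as Ruby instead of parsing it as JSON, and its `rescue SyntaxError` only covers syntax errors — a document containing `null` is valid JSON but raises NameError under eval, which escapes the rescue and aborts with an unrelated error. The same string is handed to `JSON.parse` on the very next line of `values_from_json`, and the JSON parser decodes the same `\t`/`\n` escapes this check is looking for, so the scan can run over the parsed Hash and the eval goes away. `printable?` is also inverted relative to its own comment: `/[^[:print:]]|[[:space:]]/.match(string)` returns a MatchData when the string does contain a non-printable or whitespace character, i.e. it is truthy exactly when the string is not printable, and `next unless printable?(...)` only works because of that double inversion. The header comment `# Raises \`InvalidValue\` if any of the json's values contain non-printable characters.` is wrong as well — the loop only warns — and should read `# Warns via ChefVault::Log for every value that contains non-printable or whitespace characters.`; the enclosing Helper module and class begin before this hunk.
```ruby
def validate_json(json)
  begin
    parsed = JSON.parse(json) # parse, never eval, the file contents
  rescue JSON::ParserError
    raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
  end

  return unless parsed.is_a?(Hash)

  parsed.each do |key, value|
    next if printable?(value.to_s)

    # … unchanged: msg assignment and ChefVault::Log.warn(msg) …
  end
end

# I/P: String
# O/P: true/false
# returns true if string is free of non-printable characters (escape sequences)
# this returns false for whitespace escape sequences as well, e.g. \n\t
def printable?(string)
  !/[^[:print:]]|[[:space:]]/.match?(string)
end
```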
@@ -14,7 +14,7 @@
|
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
16
|
require "chef/knife"
|
17
|
-
|
17
|
+
require_relative "../../chef-vault"
|
18
18
|
|
19
19
|
class Chef
|
20
20
|
class Knife
|
@@ -26,6 +26,10 @@ class Chef
|
|
26
26
|
vault_admins = Chef::Config[:knife][:vault_admins]
|
27
27
|
admin_array = [Chef::Config[:node_name]]
|
28
28
|
|
29
|
+
unless vault_admins.is_a?(Array)
|
30
|
+
ui.warn("Vault admin must be an array")
|
31
|
+
end
|
32
|
+
|
29
33
|
if config_admins
|
30
34
|
admin_array += [config_admins]
|
31
35
|
elsif vault_admins
|
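Review bot: The new `unless vault_admins.is_a?(Array)` check also fires when `Chef::Config[:knife][:vault_admins]` is simply unset, because `nil.is_a?(Array)` is false, so every run against a knife config without that key now prints "Vault admin must be an array". Guard the absent case: `unless vault_admins.nil? || vault_admins.is_a?(Array)`. The check also only warns and then falls through to the `elsif vault_admins` branch, which continues past this hunk; if that branch appends the value to `admin_array`, a String would presumably still fail there, so raising, or coercing with `Array(vault_admins)`, would be more useful than a warning that changes nothing. The enclosing method starts before this hunk.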
@@ -13,8 +13,9 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
+
require "set" unless defined?(::Set)
|
16
17
|
require "chef/knife"
|
17
|
-
|
18
|
+
require_relative "../../chef-vault"
|
18
19
|
|
19
20
|
class Chef
|
20
21
|
class Knife
|
@@ -23,15 +24,15 @@ class Chef
|
|
23
24
|
includer.class_eval do
|
24
25
|
deps do
|
25
26
|
require "chef/search/query"
|
26
|
-
require File.expand_path("
|
27
|
+
require File.expand_path("mixin/helper", __dir__)
|
27
28
|
include ChefVault::Mixin::Helper
|
28
29
|
end
|
29
30
|
|
30
31
|
option :vault_mode,
|
31
|
-
:
|
32
|
-
:
|
33
|
-
:
|
34
|
-
:
|
32
|
+
short: "-M MODE",
|
33
|
+
long: "--mode MODE",
|
34
|
+
description: "Chef mode to run in default - solo",
|
35
|
+
proc: proc { |i| Chef::Config[:knife][:vault_mode] = i }
|
35
36
|
end
|
36
37
|
end
|
37
38
|
|
@@ -55,25 +56,34 @@ class Chef
|
|
55
56
|
# - item_keys has zero or more keys in sparse mode
|
56
57
|
# vaults have a number of keys >= 2
|
57
58
|
return false unless bag.keys.size >= 2
|
59
|
+
|
58
60
|
# partition into those that end in _keys
|
59
61
|
keylike, notkeylike = split_vault_keys(bag)
|
60
62
|
# there must be an equal number of keyline and not-keylike items
|
61
63
|
return false unless keylike.size == notkeylike.size
|
64
|
+
|
62
65
|
# strip the _keys suffix and check if the sets match
|
63
66
|
keylike.map! { |k| k.gsub(/_keys$/, "") }
|
64
67
|
return false unless keylike.sort == notkeylike.sort
|
68
|
+
|
65
69
|
# it's (probably) a vault
|
66
70
|
true
|
67
71
|
end
|
68
72
|
|
69
73
|
def split_vault_keys(bag)
|
70
|
-
|
71
|
-
keys =
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
76
|
-
|
74
|
+
items = []
|
75
|
+
keys = ::Set.new
|
76
|
+
possible_sparses = ::Set.new
|
77
|
+
|
78
|
+
# spread bag keys into 3 categories: items, keys or possible sparse items
|
79
|
+
bag.each_key do |key|
|
80
|
+
next keys << key if key.end_with?("_keys")
|
81
|
+
next possible_sparses << key if key.include?("_key_")
|
82
|
+
|
83
|
+
items << key
|
84
|
+
end
|
85
|
+
# 2nd pass "sparse" items to avoid false positive when items have "_key" in their name
|
86
|
+
possible_sparses.each { |key| items << key if keys.include?("#{key}_keys") }
|
77
87
|
# return item keys and items
|
78
88
|
[keys, items]
|
79
89
|
end
|
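Review bot: In `split_vault_keys`, `next keys << key if key.end_with?("_keys")` and `next possible_sparses << key if key.include?("_key_")` use `next` to carry a value out of an `each_key` block whose return value is discarded, so the `<<` expression is only there to keep each case on one line; a plain `if` / `elsif` / `else` chain that appends to `keys`, `possible_sparses` or `items` says the same thing without the reader having to work out that the `next` value is thrown away. The method now also returns a `::Set` in the first slot while `items` is an Array, and the earlier hunk's `bag_is_vault?` goes on to call `map!` and `sort` on that Set through unchanged lines; that difference deserves a line on the `# return item keys and items` comment, e.g. `# returns [Set of "<item>_keys" names, Array of item names]`.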
@@ -13,47 +13,50 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
17
|
-
require "chef/knife/vault_admins"
|
18
|
-
require "chef/knife/vault_clients"
|
16
|
+
require_relative "vault_base"
|
19
17
|
|
20
18
|
class Chef
|
21
19
|
class Knife
|
22
20
|
class VaultCreate < Knife
|
23
21
|
include Chef::Knife::VaultBase
|
24
|
-
include Chef::Knife::VaultAdmins
|
25
|
-
include Chef::Knife::VaultClients
|
26
22
|
|
27
23
|
banner "knife vault create VAULT ITEM VALUES (options)"
|
28
24
|
|
29
25
|
option :keys_mode,
|
30
|
-
:
|
31
|
-
:
|
32
|
-
:
|
26
|
+
short: "-K KEYS_MODE",
|
27
|
+
long: "--keys-mode KEYS_MODE",
|
28
|
+
description: "Mode in which to save vault keys"
|
33
29
|
|
34
30
|
option :search,
|
35
|
-
:
|
36
|
-
:
|
37
|
-
:
|
31
|
+
short: "-S SEARCH",
|
32
|
+
long: "--search SEARCH",
|
33
|
+
description: "Chef SOLR search for clients"
|
38
34
|
|
39
35
|
option :clients,
|
40
|
-
:
|
41
|
-
:
|
42
|
-
:
|
36
|
+
short: "-C CLIENTS",
|
37
|
+
long: "--clients CLIENTS",
|
38
|
+
description: "Chef clients to be added as clients"
|
43
39
|
|
44
40
|
option :admins,
|
45
|
-
:
|
46
|
-
:
|
47
|
-
:
|
41
|
+
short: "-A ADMINS",
|
42
|
+
long: "--admins ADMINS",
|
43
|
+
description: "Chef users to be added as admins"
|
48
44
|
|
49
45
|
option :json,
|
50
|
-
:
|
51
|
-
:
|
52
|
-
:
|
46
|
+
short: "-J FILE",
|
47
|
+
long: "--json FILE",
|
48
|
+
description: "File containing JSON data to encrypt"
|
53
49
|
|
54
50
|
option :file,
|
55
|
-
:
|
56
|
-
:
|
51
|
+
long: "--file FILE",
|
52
|
+
description: "File to be added to vault item as file-content"
|
53
|
+
|
54
|
+
deps do
|
55
|
+
require_relative "vault_admins"
|
56
|
+
require_relative "vault_clients"
|
57
|
+
include Chef::Knife::VaultAdmins
|
58
|
+
include Chef::Knife::VaultClients
|
59
|
+
end
|
57
60
|
|
58
61
|
def run
|
59
62
|
vault = @name_args[0]
|
@@ -84,7 +87,7 @@ class Chef
|
|
84
87
|
|
85
88
|
if file
|
86
89
|
vault_item["file-name"] = File.basename(file)
|
87
|
-
vault_item["file-content"] = File.open(file
|
90
|
+
vault_item["file-content"] = File.open(file, &:read)
|
88
91
|
end
|
89
92
|
else
|
90
93
|
vault_json = edit_hash({})
|
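Review bot: `vault_item["file-content"] = File.open(file, &:read)` (line 90 of the new file) reads the `--file` argument in text mode, so the content is tagged with the default external encoding and, on Windows, CRLF is translated; the matching write in vault_download in this same diff uses `File.open(path, "w")`, so a binary payload would presumably not round-trip byte-for-byte. If `--file` is meant for arbitrary files, `File.binread(file)` here and `"wb"` there keep the bytes intact — but confirm how the item serializes an ASCII-8BIT string before changing it, since that is outside what this hunk shows. The `run` method continues past this hunk.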
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -30,13 +30,15 @@ class Chef
|
|
30
30
|
|
31
31
|
if vault && item
|
32
32
|
delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do
|
33
|
+
# rubocop:disable all
|
33
34
|
begin
|
34
35
|
ChefVault::Item.load(vault, item).destroy
|
35
36
|
rescue ChefVault::Exceptions::KeysNotFound,
|
36
|
-
|
37
|
+
ChefVault::Exceptions::ItemNotFound
|
37
38
|
raise ChefVault::Exceptions::ItemNotFound,
|
38
39
|
"#{vault}/#{item} not found."
|
39
40
|
end
|
41
|
+
# rubocop:enable all
|
40
42
|
end
|
41
43
|
else
|
42
44
|
show_usage
|
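Review bot: `# rubocop:disable all` / `# rubocop:enable all` around the begin/rescue inside the `delete_object` block switches off every cop for those lines rather than naming the one that fires. Since Ruby 2.5 a `do … end` block can carry its own `rescue`, so the `begin`/`end` pair can go and the disable comments with it: `delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do` / `ChefVault::Item.load(vault, item).destroy` / `rescue ChefVault::Exceptions::KeysNotFound, ChefVault::Exceptions::ItemNotFound` followed by the existing raise and `end`. If a cop still has to be silenced, name it (`# rubocop:disable Style/RedundantBegin`) so the suppression stays narrow. `run` starts and ends outside this hunk.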
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -34,7 +34,7 @@ class Chef
|
|
34
34
|
File.open(path, "w") do |file|
|
35
35
|
file.write(vault_item["file-content"])
|
36
36
|
end
|
37
|
-
ui.info("Saved #{vault_item[
|
37
|
+
ui.info("Saved #{vault_item["file-name"]} as #{path}")
|
38
38
|
else
|
39
39
|
show_usage
|
40
40
|
end
|
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -23,9 +23,9 @@ class Chef
|
|
23
23
|
banner "knife vault edit VAULT ITEM (options)"
|
24
24
|
|
25
25
|
option :mode,
|
26
|
-
:
|
27
|
-
:
|
28
|
-
:
|
26
|
+
short: "-M MODE",
|
27
|
+
long: "--mode MODE",
|
28
|
+
description: "Chef mode to run in default - solo"
|
29
29
|
|
30
30
|
def run
|
31
31
|
vault = @name_args[0]
|
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -23,9 +23,9 @@ class Chef
|
|
23
23
|
banner "knife vault isvault VAULT ITEM (options)"
|
24
24
|
|
25
25
|
option :mode,
|
26
|
-
:
|
27
|
-
:
|
28
|
-
:
|
26
|
+
short: "-M MODE",
|
27
|
+
long: "--mode MODE",
|
28
|
+
description: "Chef mode to run in default - solo"
|
29
29
|
|
30
30
|
def run
|
31
31
|
vault = @name_args[0]
|
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -23,9 +23,9 @@ class Chef
|
|
23
23
|
banner "knife vault itemtype VAULT ITEM (options)"
|
24
24
|
|
25
25
|
option :mode,
|
26
|
-
:
|
27
|
-
:
|
28
|
-
:
|
26
|
+
short: "-M MODE",
|
27
|
+
long: "--mode MODE",
|
28
|
+
description: "Chef mode to run in default - solo"
|
29
29
|
|
30
30
|
def run
|
31
31
|
vault = @name_args[0]
|
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -23,9 +23,9 @@ class Chef
|
|
23
23
|
banner "knife vault list (options)"
|
24
24
|
|
25
25
|
option :mode,
|
26
|
-
:
|
27
|
-
:
|
28
|
-
:
|
26
|
+
short: "-M MODE",
|
27
|
+
long: "--mode MODE",
|
28
|
+
description: "Chef mode to run in default - solo"
|
29
29
|
|
30
30
|
def run
|
31
31
|
set_mode(config[:vault_mode])
|
@@ -35,7 +35,7 @@ class Chef
|
|
35
35
|
bags.each_key do |bagname|
|
36
36
|
vaultbags.push(bagname) if bag_is_vault?(bagname)
|
37
37
|
end
|
38
|
-
output vaultbags
|
38
|
+
output vaultbags
|
39
39
|
end
|
40
40
|
end
|
41
41
|
end
|
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -23,12 +23,12 @@ class Chef
|
|
23
23
|
banner "knife vault refresh VAULT ITEM"
|
24
24
|
|
25
25
|
option :clean_unknown_clients,
|
26
|
-
:
|
27
|
-
:
|
26
|
+
long: "--clean-unknown-clients",
|
27
|
+
description: "Remove unknown clients during refresh"
|
28
28
|
|
29
29
|
option :skip_reencryption,
|
30
|
-
:
|
31
|
-
:
|
30
|
+
long: "--skip-reencryption",
|
31
|
+
description: "Skip reencrypt symetrical key for existing clients/admins."
|
32
32
|
|
33
33
|
def run
|
34
34
|
vault = @name_args[0]
|
@@ -47,8 +47,8 @@ class Chef
|
|
47
47
|
ChefVault::Exceptions::ItemNotFound
|
48
48
|
|
49
49
|
raise ChefVault::Exceptions::ItemNotFound,
|
50
|
-
|
51
|
-
|
50
|
+
"#{vault}/#{item} does not exist, "\
|
51
|
+
"use 'knife vault create' to create."
|
52
52
|
end
|
53
53
|
else
|
54
54
|
show_usage
|
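Review bot: The user-facing help text `description: "Skip reencrypt symetrical key for existing clients/admins."` (line 31 of the new file) misspells "symmetric" and is ungrammatical; it is shown verbatim by `knife vault refresh --help`. Suggest `description: "Skip re-encrypting the symmetric key for existing clients/admins."`.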
@@ -13,35 +13,38 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
17
|
-
require "chef/knife/vault_clients"
|
16
|
+
require_relative "vault_base"
|
18
17
|
|
19
18
|
class Chef
|
20
19
|
class Knife
|
21
20
|
class VaultRemove < Knife
|
22
21
|
include Chef::Knife::VaultBase
|
23
|
-
include Chef::Knife::VaultClients
|
24
22
|
|
25
23
|
banner "knife vault remove VAULT ITEM VALUES (options)"
|
26
24
|
|
27
25
|
option :search,
|
28
|
-
:
|
29
|
-
:
|
30
|
-
:
|
26
|
+
short: "-S SEARCH",
|
27
|
+
long: "--search SEARCH",
|
28
|
+
description: "Chef SOLR search for clients"
|
31
29
|
|
32
30
|
option :clients,
|
33
|
-
:
|
34
|
-
:
|
35
|
-
:
|
31
|
+
short: "-C CLIENTS",
|
32
|
+
long: "--clients CLIENTS",
|
33
|
+
description: "Chef clients to be added as clients"
|
36
34
|
|
37
35
|
option :admins,
|
38
|
-
:
|
39
|
-
:
|
40
|
-
:
|
36
|
+
short: "-A ADMINS",
|
37
|
+
long: "--admins ADMINS",
|
38
|
+
description: "Chef users to be added as admins"
|
41
39
|
|
42
40
|
option :clean_unknown_clients,
|
43
|
-
:
|
44
|
-
:
|
41
|
+
long: "--clean-unknown-clients",
|
42
|
+
description: "Remove unknown clients during key rotation"
|
43
|
+
|
44
|
+
deps do
|
45
|
+
require_relative "vault_clients"
|
46
|
+
include Chef::Knife::VaultClients
|
47
|
+
end
|
45
48
|
|
46
49
|
def run
|
47
50
|
vault = @name_args[0]
|
@@ -70,8 +73,8 @@ class Chef
|
|
70
73
|
end
|
71
74
|
|
72
75
|
remove_items.each do |key|
|
73
|
-
key.
|
74
|
-
vault_item.remove(key)
|
76
|
+
key = key.dup
|
77
|
+
vault_item.remove(key.strip)
|
75
78
|
end
|
76
79
|
end
|
77
80
|
|
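Review bot: `key = key.dup` followed by `vault_item.remove(key.strip)` copies the string for nothing: `String#strip` returns a new string and leaves its receiver untouched, so the `dup` that presumably replaced an in-place `strip!` on a frozen string is no longer needed. `vault_item.remove(key.strip)` alone does the same work, and avoids reassigning the block parameter. The `run` method continues outside this hunk.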
@@ -13,7 +13,7 @@
|
|
13
13
|
# See the License for the specific language governing permissions and
|
14
14
|
# limitations under the License.
|
15
15
|
|
16
|
-
|
16
|
+
require_relative "vault_base"
|
17
17
|
|
18
18
|
class Chef
|
19
19
|
class Knife
|
@@ -23,8 +23,8 @@ class Chef
|
|
23
23
|
banner "knife vault rotate all keys"
|
24
24
|
|
25
25
|
option :clean_unknown_clients,
|
26
|
-
:
|
27
|
-
:
|
26
|
+
long: "--clean-unknown-clients",
|
27
|
+
description: "Remove unknown clients during key rotation"
|
28
28
|
|
29
29
|
def run
|
30
30
|
clean_unknown_clients = config[:clean_unknown_clients]
|
@@ -45,9 +45,10 @@ class Chef
|
|
45
45
|
end
|
46
46
|
end
|
47
47
|
|
48
|
+
# Permalink for regex of replacing '_keys' with '': https://rubular.com/r/5cA5JNSyLfPSfY
|
48
49
|
def vault_items(vault)
|
49
50
|
Chef::DataBag.load(vault).keys.each_with_object([]) do |key, array|
|
50
|
-
array << key.sub(
|
51
|
+
array << key.sub(/_keys(?=[^_keys]*$)/, "") if key =~ /.+_keys$/
|
51
52
|
end
|
52
53
|
end
|
53
54
|
|
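Review bot: In `vault_items`, the replacement regex `/_keys(?=[^_keys]*$)/` does not mean what the permalink comment implies: `[^_keys]` is a character class (any character other than `_`, `k`, `e`, `y`, `s`), not the sequence `_keys`, so the lookahead succeeds only when the matched `_keys` sits at the end of the string — and given the `key =~ /.+_keys$/` guard that is the only `_keys` it can strip anyway. The plain form says the same thing without the puzzle: `array << key.delete_suffix("_keys") if key.match?(/.+_keys\z/)` (`delete_suffix` exists on the `>= 2.6` Ruby the gemspec in this diff requires), and `\z` avoids `$` matching before an embedded newline. The `# Permalink for regex …` comment would then be dropped with it.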