chef-vault 3.3.0 → 4.1.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: d9cbc0902bf005a8a2639f98324e234fbd6c2735
-  data.tar.gz: '08ea203ef58f72bb91bbb485c6b2e3e7181d6e2b'
+SHA256:
+  metadata.gz: 44f75213a45df776972cad854aedf5abb94d7a54fde7a9986caed78930f8790e
+  data.tar.gz: aaa272cb7893c232b456ef5148bfc0ff91bc5b53a8ae4e9b573f68edaff78df8
 SHA512:
-  metadata.gz: a41dfe72adcf9118133562a0dd25a21ac64e01eb780729f5e4934244c7aa68d21872efd3e5d9e3c4611b4e1c616951d07ae985ea6c8585ae19a605a1bef83241
-  data.tar.gz: 3b88c79af36019eb8b0e7d8cef4492621fcb7cf2e348d3570c7bf2d7ca59edaefdef6b70ab95337d485679a0824de5017a1010be7be92540d298f332c00d5a1a
+  metadata.gz: ad149c125f2aa41b9e3fd8d07281c65ecec8317bbc5a6daf2b7deb9e6def089820e57ee59ca68b53852f6fffe54cbf8d711e1c40b6ac04629597bc3ef07107c2
+  data.tar.gz: 8e0f928a9b4e8dfb6a2800d0d5c65af323cc2f4678b91b2a535b4c450cd71d96ea320b9861638329821ffe5041e025a81e1cf5dbb1cab5bc90bfcd703876afc1

data/Gemfile

@@ -1,12 +1,38 @@
-source "https://rubygems.org/"
+source "https://rubygems.org"
+
+gemspec
 
 group :development do
-  gem "chefstyle", git: "https://github.com/chef/chefstyle.git"
-  gem "chef-zero"
+  gem "chefstyle"
+  gem "rake"
+  gem "contracts", "~> 0.16.1" # pin until we drop ruby < 2.7
+  if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0.0")
+    gem "chef-zero"
+    gem "rspec", "~> 3.4"
+    gem "aruba", "~> 0.6"
+    gem "chef", "~> 14.0"
+    gem "chef-utils", "17.10.0" # pin until we drop ruby 2.5
+  else
+    gem "chef-zero", ">= 15.0.4"
+    gem "chef", "~> 17.0"
+    gem "rspec", "~> 3.10.0"
+    gem "aruba", "~> 1.1"
+    gem "knife", "~> 17.0"
+    gem "chef-utils", "17.10.0" # pin until we drop ruby >=3
+  end
 end
 
-group :changelog do
-  gem "github_changelog_generator", git: "https://github.com/chef/github-changelog-generator"
+group :docs do
+  gem "yard"
+  gem "redcarpet"
+  gem "github-markup"
 end
 
-gemspec
+group :debug do
+  gem "pry"
+  gem "pry-byebug"
+  gem "pry-stack_explorer", "~> 0.6.1" # pin until we drop ruby < 2.6
+  gem "rb-readline"
+end
+
+gem "simplecov", require: false

data/bin/chef-vault

@@ -18,7 +18,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "optparse"
+require "optparse" unless defined?(OptionParser)
 
 options_config = {
   chef: {
@@ -79,20 +79,20 @@ options_config.each do |option, config|
 end
 
 options_config.each do |option, config|
-  options[option] = options[option] ? options[option] : config[:default]
+  options[option] = options[option] || config[:default]
 end
 
-require "rubygems"
+require "rubygems" unless defined?(Gem)
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
 require "chef-vault"
 
 ChefVault::Log.init(STDOUT)
 ChefVault.load_config(options[:chef])
-item = ChefVault::Item.load(options[:vault], options[:item])
+item = ChefVault::Item.load(options[:vault], options[:item], options)
 
 ChefVault::Log.info "#{options[:vault]}/#{options[:item]}"
 
 options[:values].split(",").each do |value|
   value.strip! # remove white space
-  ChefVault::Log.info ("\t#{value}: #{item[value]}")
+  ChefVault::Log.info("\t#{value}: #{item[value]}")
 end

data/chef-vault.gemspec

@@ -1,6 +1,6 @@
-# -*- encoding: utf-8 -*-
 # Chef-Vault Gemspec file
-# Copyright 2013-15, Nordstrom, Inc.
+# Copyright 2013-2015, Nordstrom, Inc.
+# Copyright 2017-2019, Chef Software, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,41 +14,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-$:.push File.expand_path("../lib", __FILE__)
+$:.push File.expand_path("lib", __dir__)
 require "chef-vault/version"
 
-def self.prerelease?
-  !ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
-end
-
 Gem::Specification.new do |s|
   s.name             = "chef-vault"
   s.version          = ChefVault::VERSION
-  s.version          = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
-  s.has_rdoc         = true
   s.authors          = ["Thom May"]
   s.email            = ["thom@chef.io"]
-  s.summary          = "Data encryption support for Chef using data bags"
+  s.summary          = "Data encryption support for Chef Infra using data bags"
   s.description      = s.summary
   s.homepage         = "https://github.com/chef/chef-vault"
-  s.license          = "Apache License, v2.0"
-  s.files            = `git ls-files`.split("\n")
+  s.license          = "Apache-2.0"
+  s.files            = %w{LICENSE Gemfile} + Dir.glob("*.gemspec") + `git ls-files`.split("\n").select { |f| f =~ %r{^(?:bin/|lib/)}i }
   s.require_paths    = ["lib"]
   s.bindir           = "bin"
   s.executables      = %w{ chef-vault }
 
-  s.required_ruby_version = ">= 2.2.0"
-
-  s.add_development_dependency "rake", "~> 11.0"
-  s.add_development_dependency "rspec", "~> 3.4"
-  s.add_development_dependency "aruba", "~> 0.6"
-  s.add_development_dependency "simplecov", "~> 0.9"
-  s.add_development_dependency "simplecov-console", "~> 0.2"
-  if ENV.key?("TRAVIS_BUILD") && RUBY_VERSION == "2.1.9"
-    # Test version of Chef with Chef Zero before
-    # /orgs/org/users/user/keys endpoint was added.
-    s.add_development_dependency "chef", "12.8.1"
-  else # Test most current version of Chef on 2.2.2
-    s.add_development_dependency :chef
-  end
+  s.required_ruby_version = ">= 2.6"
 end

data/lib/chef/knife/mixin/helper.rb

@@ -33,16 +33,44 @@ class ChefVault
       end
 
       def values_from_file(file)
-        json = File.open(file) { |fh| fh.read() }
+        json = File.open(file, &:read)
 
         values_from_json(json)
       end
 
       def values_from_json(json)
+        validate_json(json)
         JSON.parse(json)
       rescue JSON::ParserError
         raise JSON::ParserError, "#{json} is not valid JSON!"
       end
+
+      # I/P: json string
+      # Raises `InvalidValue` if any of the json's values contain non-printable characters.
+      def validate_json(json)
+        begin
+          evaled_json = eval(json) # rubocop: disable Security/Eval
+        rescue SyntaxError
+          raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
+        end
+
+        if evaled_json.is_a?(Hash)
+          evaled_json.each do |key, value|
+            next unless printable?(value.to_s)
+
+            msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."
+            ChefVault::Log.warn(msg)
+          end
+        end
+      end
+
+      # I/P: String
+      # O/P: true/false
+      # returns true if string is free of non-printable characters (escape sequences)
+      # this returns false for whitespace escape sequences as well, e.g. \n\t
+      def printable?(string)
+        /[^[:print:]]|[[:space:]]/.match(string)
+      end
     end
   end
 end

data/lib/chef/knife/vault_admins.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 require "chef/knife"
-require "chef-vault"
+require_relative "../../chef-vault"
 
 class Chef
   class Knife
@@ -26,6 +26,10 @@ class Chef
         vault_admins = Chef::Config[:knife][:vault_admins]
         admin_array = [Chef::Config[:node_name]]
 
+        unless vault_admins.is_a?(Array)
+          ui.warn("Vault admin must be an array")
+        end
+
         if config_admins
           admin_array += [config_admins]
         elsif vault_admins

data/lib/chef/knife/vault_base.rb

@@ -13,8 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "set" unless defined?(::Set)
 require "chef/knife"
-require "chef-vault"
+require_relative "../../chef-vault"
 
 class Chef
   class Knife
@@ -23,15 +24,15 @@ class Chef
         includer.class_eval do
           deps do
             require "chef/search/query"
-            require File.expand_path("../mixin/helper", __FILE__)
+            require File.expand_path("mixin/helper", __dir__)
             include ChefVault::Mixin::Helper
           end
 
           option :vault_mode,
-            :short => "-M MODE",
-            :long => "--mode MODE",
-            :description => "Chef mode to run in default - solo",
-            :proc => proc { |i| Chef::Config[:knife][:vault_mode] = i }
+            short: "-M MODE",
+            long: "--mode MODE",
+            description: "Chef mode to run in default - solo",
+            proc: proc { |i| Chef::Config[:knife][:vault_mode] = i }
         end
       end
 
@@ -55,25 +56,34 @@ class Chef
         # - item_keys has zero or more keys in sparse mode
         # vaults have a number of keys >= 2
         return false unless bag.keys.size >= 2
+
         # partition into those that end in _keys
         keylike, notkeylike = split_vault_keys(bag)
         # there must be an equal number of keyline and not-keylike items
         return false unless keylike.size == notkeylike.size
+
         # strip the _keys suffix and check if the sets match
         keylike.map! { |k| k.gsub(/_keys$/, "") }
         return false unless keylike.sort == notkeylike.sort
+
         # it's (probably) a vault
         true
       end
 
       def split_vault_keys(bag)
-        # get all item keys
-        keys = bag.keys.select { |k| k =~ /_keys$/ }
-        # get all sparse keys
-        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp('_keys')}_key_.*") })
-        sparse = bag.keys.select { |k| k =~ r }
-        # the rest
-        items = bag.keys - keys - sparse
+        items = []
+        keys = ::Set.new
+        possible_sparses = ::Set.new
+
+        # spread bag keys into 3 categories: items, keys or possible sparse items
+        bag.each_key do |key|
+          next keys << key if key.end_with?("_keys")
+          next possible_sparses << key if key.include?("_key_")
+
+          items << key
+        end
+        # 2nd pass "sparse" items to avoid false positive when items have "_key" in their name
+        possible_sparses.each { |key| items << key if keys.include?("#{key}_keys") }
         # return item keys and items
         [keys, items]
       end

data/lib/chef/knife/vault_create.rb

@@ -13,47 +13,50 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_admins"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
 
 class Chef
   class Knife
     class VaultCreate < Knife
       include Chef::Knife::VaultBase
-      include Chef::Knife::VaultAdmins
-      include Chef::Knife::VaultClients
 
       banner "knife vault create VAULT ITEM VALUES (options)"
 
       option :keys_mode,
-        :short => "-K KEYS_MODE",
-        :long => "--keys-mode KEYS_MODE",
-        :description => "Mode in which to save vault keys"
+        short: "-K KEYS_MODE",
+        long: "--keys-mode KEYS_MODE",
+        description: "Mode in which to save vault keys"
 
       option :search,
-        :short => "-S SEARCH",
-        :long => "--search SEARCH",
-        :description => "Chef SOLR search for clients"
+        short: "-S SEARCH",
+        long: "--search SEARCH",
+        description: "Chef SOLR search for clients"
 
       option :clients,
-        :short => "-C CLIENTS",
-        :long => "--clients CLIENTS",
-        :description => "Chef clients to be added as clients"
+        short: "-C CLIENTS",
+        long: "--clients CLIENTS",
+        description: "Chef clients to be added as clients"
 
       option :admins,
-        :short => "-A ADMINS",
-        :long => "--admins ADMINS",
-        :description => "Chef users to be added as admins"
+        short: "-A ADMINS",
+        long: "--admins ADMINS",
+        description: "Chef users to be added as admins"
 
       option :json,
-        :short => "-J FILE",
-        :long => "--json FILE",
-        :description => "File containing JSON data to encrypt"
+        short: "-J FILE",
+        long: "--json FILE",
+        description: "File containing JSON data to encrypt"
 
       option :file,
-        :long => "--file FILE",
-        :description => "File to be added to vault item as file-content"
+        long: "--file FILE",
+        description: "File to be added to vault item as file-content"
+
+      deps do
+        require_relative "vault_admins"
+        require_relative "vault_clients"
+        include Chef::Knife::VaultAdmins
+        include Chef::Knife::VaultClients
+      end
 
       def run
         vault = @name_args[0]
@@ -84,7 +87,7 @@ class Chef
 
               if file
                 vault_item["file-name"] = File.basename(file)
-                vault_item["file-content"] = File.open(file) { |f| f.read() }
+                vault_item["file-content"] = File.open(file, &:read)
               end
             else
               vault_json = edit_hash({})

data/lib/chef/knife/vault_delete.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -30,13 +30,15 @@ class Chef
 
         if vault && item
           delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do
+            # rubocop:disable all
             begin
               ChefVault::Item.load(vault, item).destroy
             rescue ChefVault::Exceptions::KeysNotFound,
-                   ChefVault::Exceptions::ItemNotFound
+              ChefVault::Exceptions::ItemNotFound
               raise ChefVault::Exceptions::ItemNotFound,
                 "#{vault}/#{item} not found."
             end
+            # rubocop:enable all
           end
         else
           show_usage

data/lib/chef/knife/vault_download.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -34,7 +34,7 @@ class Chef
           File.open(path, "w") do |file|
             file.write(vault_item["file-content"])
           end
-          ui.info("Saved #{vault_item['file-name']} as #{path}")
+          ui.info("Saved #{vault_item["file-name"]} as #{path}")
         else
           show_usage
         end

data/lib/chef/knife/vault_edit.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,9 +23,9 @@ class Chef
       banner "knife vault edit VAULT ITEM (options)"
 
       option :mode,
-        :short => "-M MODE",
-        :long => "--mode MODE",
-        :description => "Chef mode to run in default - solo"
+        short: "-M MODE",
+        long: "--mode MODE",
+        description: "Chef mode to run in default - solo"
 
       def run
         vault = @name_args[0]

data/lib/chef/knife/vault_isvault.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,9 +23,9 @@ class Chef
       banner "knife vault isvault VAULT ITEM (options)"
 
       option :mode,
-        :short => "-M MODE",
-        :long => "--mode MODE",
-        :description => "Chef mode to run in default - solo"
+        short: "-M MODE",
+        long: "--mode MODE",
+        description: "Chef mode to run in default - solo"
 
       def run
         vault = @name_args[0]

data/lib/chef/knife/vault_itemtype.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,9 +23,9 @@ class Chef
       banner "knife vault itemtype VAULT ITEM (options)"
 
       option :mode,
-        :short => "-M MODE",
-        :long => "--mode MODE",
-        :description => "Chef mode to run in default - solo"
+        short: "-M MODE",
+        long: "--mode MODE",
+        description: "Chef mode to run in default - solo"
 
       def run
         vault = @name_args[0]

data/lib/chef/knife/vault_list.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,9 +23,9 @@ class Chef
       banner "knife vault list (options)"
 
       option :mode,
-        :short => "-M MODE",
-        :long => "--mode MODE",
-        :description => "Chef mode to run in default - solo"
+        short: "-M MODE",
+        long: "--mode MODE",
+        description: "Chef mode to run in default - solo"
 
       def run
         set_mode(config[:vault_mode])
@@ -35,7 +35,7 @@ class Chef
         bags.each_key do |bagname|
           vaultbags.push(bagname) if bag_is_vault?(bagname)
         end
-        output vaultbags.join("\n")
+        output vaultbags
       end
     end
   end

data/lib/chef/knife/vault_refresh.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,12 +23,12 @@ class Chef
       banner "knife vault refresh VAULT ITEM"
 
       option :clean_unknown_clients,
-        :long => "--clean-unknown-clients",
-        :description => "Remove unknown clients during refresh"
+        long: "--clean-unknown-clients",
+        description: "Remove unknown clients during refresh"
 
       option :skip_reencryption,
-        :long => "--skip-reencryption",
-        :description => "Skip reencrypt symetrical key for existing clients/admins."
+        long: "--skip-reencryption",
+        description: "Skip reencrypt symetrical key for existing clients/admins."
 
       def run
         vault = @name_args[0]
@@ -47,8 +47,8 @@ class Chef
                  ChefVault::Exceptions::ItemNotFound
 
             raise ChefVault::Exceptions::ItemNotFound,
-                  "#{vault}/#{item} does not exist, "\
-                  "use 'knife vault create' to create."
+              "#{vault}/#{item} does not exist, "\
+              "use 'knife vault create' to create."
           end
         else
           show_usage

data/lib/chef/knife/vault_remove.rb

@@ -13,35 +13,38 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
 
 class Chef
   class Knife
     class VaultRemove < Knife
       include Chef::Knife::VaultBase
-      include Chef::Knife::VaultClients
 
       banner "knife vault remove VAULT ITEM VALUES (options)"
 
       option :search,
-        :short => "-S SEARCH",
-        :long => "--search SEARCH",
-        :description => "Chef SOLR search for clients"
+        short: "-S SEARCH",
+        long: "--search SEARCH",
+        description: "Chef SOLR search for clients"
 
       option :clients,
-        :short => "-C CLIENTS",
-        :long => "--clients CLIENTS",
-        :description => "Chef clients to be added as clients"
+        short: "-C CLIENTS",
+        long: "--clients CLIENTS",
+        description: "Chef clients to be added as clients"
 
       option :admins,
-        :short => "-A ADMINS",
-        :long => "--admins ADMINS",
-        :description => "Chef users to be added as admins"
+        short: "-A ADMINS",
+        long: "--admins ADMINS",
+        description: "Chef users to be added as admins"
 
       option :clean_unknown_clients,
-        :long => "--clean-unknown-clients",
-        :description => "Remove unknown clients during key rotation"
+        long: "--clean-unknown-clients",
+        description: "Remove unknown clients during key rotation"
+
+      deps do
+        require_relative "vault_clients"
+        include Chef::Knife::VaultClients
+      end
 
       def run
         vault = @name_args[0]
@@ -70,8 +73,8 @@ class Chef
               end
 
               remove_items.each do |key|
-                key.strip!
-                vault_item.remove(key)
+                key = key.dup
+                vault_item.remove(key.strip)
               end
             end
 

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,8 +23,8 @@ class Chef
       banner "knife vault rotate all keys"
 
       option :clean_unknown_clients,
-        :long => "--clean-unknown-clients",
-        :description => "Remove unknown clients during key rotation"
+        long: "--clean-unknown-clients",
+        description: "Remove unknown clients during key rotation"
 
       def run
         clean_unknown_clients = config[:clean_unknown_clients]
@@ -45,9 +45,10 @@ class Chef
         end
       end
 
+      # Permalink for regex of replacing '_keys' with '': https://rubular.com/r/5cA5JNSyLfPSfY
       def vault_items(vault)
         Chef::DataBag.load(vault).keys.each_with_object([]) do |key, array|
-          array << key.sub("_keys", "") if key =~ /.+_keys$/
+          array << key.sub(/_keys(?=[^_keys]*$)/, "") if key =~ /.+_keys$/
         end
       end