chef-vault 3.3.0 → 4.1.11

data/lib/chef/knife/vault_rotate_keys.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,8 +23,8 @@ class Chef
       banner "knife vault rotate keys VAULT ITEM (options)"
 
       option :clean_unknown_clients,
-        :long => "--clean-unknown-clients",
-        :description => "Remove unknown clients during key rotation"
+        long: "--clean-unknown-clients",
+        description: "Remove unknown clients during key rotation"
 
       def run
         vault = @name_args[0]

data/lib/chef/knife/vault_show.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -23,14 +23,14 @@ class Chef
       banner "knife vault show VAULT [ITEM] [VALUES] (options)"
 
       option :mode,
-        :short => "-M MODE",
-        :long => "--mode MODE",
-        :description => "Chef mode to run in default - solo"
+        short: "-M MODE",
+        long: "--mode MODE",
+        description: "Chef mode to run in default - solo"
 
       option :print,
-        :short => "-p TYPE",
-        :long => "--print TYPE",
-        :description => "Print extra vault data, can be search, admins, clients or all"
+        short: "-p TYPE",
+        long: "--print TYPE",
+        description: "Print extra vault data, can be search, admins, clients or all"
 
       def run
         vault = @name_args[0]
@@ -90,9 +90,7 @@ class Chef
       def print_keys(vault)
         if bag_is_vault?(vault)
           bag = Chef::DataBag.load(vault)
-          split_vault_keys(bag)[1].each do |item|
-            output item
-          end
+          output split_vault_keys(bag)[1]
         else
           output "data bag #{vault} is not a chef-vault"
         end

data/lib/chef/knife/vault_update.rb

@@ -13,46 +13,54 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_admins"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
 
 class Chef
   class Knife
     class VaultUpdate < Knife
       include Chef::Knife::VaultBase
-      include Chef::Knife::VaultAdmins
-      include Chef::Knife::VaultClients
 
       banner "knife vault update VAULT ITEM VALUES (options)"
 
       option :search,
-        :short => "-S SEARCH",
-        :long => "--search SEARCH",
-        :description => "Chef SOLR search for clients"
+        short: "-S SEARCH",
+        long: "--search SEARCH",
+        description: "Chef SOLR search for clients"
 
       option :clients,
-        :short => "-C CLIENTS",
-        :long => "--clients CLIENTS",
-        :description => "Chef clients to be added as clients"
+        short: "-C CLIENTS",
+        long: "--clients CLIENTS",
+        description: "Chef clients to be added as clients"
 
       option :admins,
-        :short => "-A ADMINS",
-        :long => "--admins ADMINS",
-        :description => "Chef users to be added as admins"
+        short: "-A ADMINS",
+        long: "--admins ADMINS",
+        description: "Chef users to be added as admins"
 
       option :json,
-        :short => "-J FILE",
-        :long => "--json FILE",
-        :description => "File containing JSON data to encrypt"
+        short: "-J FILE",
+        long: "--json FILE",
+        description: "File containing JSON data to encrypt"
 
       option :file,
-        :long => "--file FILE",
-        :description => "File to be added to vault item as file-content"
+        long: "--file FILE",
+        description: "File to be added to vault item as file-content"
 
       option :clean,
-        :long => "--clean",
-        :description => "Clean clients before performing search"
+        long: "--clean",
+        description: "Clean clients before performing search"
+
+      option :keys_mode,
+        short: "-K KEYS_MODE",
+        long: "--keys-mode KEYS_MODE",
+        description: "Mode in which to save vault keys"
+
+      deps do
+        require_relative "vault_admins"
+        require_relative "vault_clients"
+        include Chef::Knife::VaultAdmins
+        include Chef::Knife::VaultClients
+      end
 
       def run
         vault = @name_args[0]
@@ -62,16 +70,17 @@ class Chef
         json_file = config[:json]
         file = config[:file]
         clean = config[:clean]
+        keys_mode = config[:keys_mode]
 
         set_mode(config[:vault_mode])
 
-        if vault && item && ((values || json_file || file) || (search || clients || admins))
+        if vault && item && ((values || json_file || file) || (search || clients || admins) || (keys_mode))
           begin
             vault_item = ChefVault::Item.load(vault, item)
 
             # Keys management first
             if clean
-              vault_clients = vault_item.get_clients.clone().sort()
+              vault_clients = vault_item.get_clients.clone.sort
               vault_clients.each do |client|
                 ui.info "Deleting #{client}"
                 vault_item.delete_client(client)
@@ -91,7 +100,7 @@ class Chef
 
               if file
                 vault_item["file-name"] = File.basename(file)
-                vault_item["file-content"] = File.open(file) { |f| f.read() }
+                vault_item["file-content"] = File.open(file, &:read)
               end
 
               vault_item.save
@@ -105,6 +114,11 @@ class Chef
               "#{vault}/#{item} does not exist, "\
               "use 'knife vault create' to create."
           end
+
+          if keys_mode
+            vault_item.mode(keys_mode)
+            vault_item.save_keys
+          end
         else
           show_usage
         end

data/lib/chef-vault/actor.rb

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "json"
+require "json" unless defined?(JSON)
 
 class ChefVault
   class Actor
@@ -27,6 +27,7 @@ class ChefVault
       if actor_type != "clients" && actor_type != "admins"
         raise "You must pass either 'clients' or 'admins' as the first argument to ChefVault::Actor.new."
       end
+
       @type = actor_type
       @name = actor_name
     end
@@ -38,7 +39,7 @@ class ChefVault
     def get_admin_key
       # chef vault currently only supports using the default key
       get_key("users")
-    rescue Net::HTTPServerException => http_error
+    rescue Net::HTTPClientException => http_error
       # if we failed to find an admin key, attempt to load a client key by the same name
       case http_error.response.code
       when "403"
@@ -48,11 +49,11 @@ class ChefVault
         begin
           ChefVault::Log.warn "The default key for #{name} not found in users, trying client keys."
           get_key("clients")
-        rescue Net::HTTPServerException => http_error
+        rescue Net::HTTPClientException => http_error
           case http_error.response.code
           when "404"
             raise ChefVault::Exceptions::AdminNotFound,
-                  "FATAL: Could not find default key for #{name} in users or clients!"
+              "FATAL: Could not find default key for #{name} in users or clients!"
           when "403"
             print_forbidden_error
             raise http_error
@@ -67,13 +68,13 @@ class ChefVault
 
     def get_client_key
       get_key("clients")
-    rescue Net::HTTPServerException => http_error
+    rescue Net::HTTPClientException => http_error
       if http_error.response.code.eql?("403")
         print_forbidden_error
         raise http_error
       elsif http_error.response.code.eql?("404")
         raise ChefVault::Exceptions::ClientNotFound,
-              "#{name} is not a valid chef client and/or node"
+          "#{name} is not a valid chef client and/or node"
       else
         raise http_error
       end
@@ -113,8 +114,9 @@ class ChefVault
     def get_key(request_actor_type)
       api.org_scoped_rest_v1.get("#{request_actor_type}/#{name}/keys/default").fetch("public_key")
     # If the keys endpoint doesn't exist, try getting it directly from the V0 chef object.
-    rescue Net::HTTPServerException => http_error
+    rescue Net::HTTPClientException => http_error
       raise http_error unless http_error.response.code.eql?("404")
+
       if request_actor_type.eql?("clients")
         chef_api_client.load(name).public_key
       else

data/lib/chef-vault/chef_api.rb

@@ -20,19 +20,19 @@ class ChefVault
   class ChefApi
 
     def rest_v0
-      @rest_v0 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], { :api_version => "0" })
+      @rest_v0 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], { api_version: "0" })
     end
 
     def rest_v1
-      @rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], { :api_version => "1" })
+      @rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], { api_version: "1" })
     end
 
     def org_scoped_rest_v0
-      @org_scoped_rest_v0 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { :api_version => "0" })
+      @org_scoped_rest_v0 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "0" })
     end
 
     def org_scoped_rest_v1
-      @org_scoped_rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { :api_version => "1" })
+      @org_scoped_rest_v1 ||= Chef::ServerAPI.new(Chef::Config[:chef_server_url], { api_version: "1" })
     end
 
   end

data/lib/chef-vault/exceptions.rb

@@ -51,5 +51,8 @@ class ChefVault
 
     class V1Format < Exceptions
     end
+
+    class InvalidValue < Exceptions
+    end
   end
 end

data/lib/chef-vault/item.rb

@@ -15,8 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "securerandom"
-require "chef-vault/mixins"
+require "securerandom" unless defined?(SecureRandom)
+require_relative "mixins"
 
 class ChefVault
   class Item < Chef::DataBagItem
@@ -40,6 +40,11 @@ class ChefVault
     #     decrypt secrets.  Defaults to the value of Chef::Config[:client_key]
     attr_accessor :client_key_path
 
+    # @!attribute [rw] client_key_contents
+    #   @return [String] the contents of the private key that is used to
+    #     decrypt secrets.  Defaults to the value of Chef::Config[:client_key_contents]
+    attr_accessor :client_key_contents
+
     # returns the raw keys of the underlying Chef::DataBagItem.  chef-vault v2
     # defined #keys as a public accessor that returns the ChefVault::ItemKeys
     # object for the vault.  Ideally, #keys would provide Hash-like behaviour
@@ -58,6 +63,8 @@ class ChefVault
     #   as. Defaults to the :node_name value of Chef::Config
     # @option opts [String] :client_key_path the name of the node to decrypt
     #   secrets as.  Defaults to the :client_key value of Chef::Config
+    # @option opts [String] :client_key_contents the private key to decrypt
+    #   secrets as.  Defaults to the :client_key_contents value of Chef::Config
     def initialize(vault, name, opts = {})
       super() # Don't pass parameters
       @data_bag = vault
@@ -66,11 +73,13 @@ class ChefVault
       @secret = generate_secret
       @encrypted = false
       opts = {
-        :node_name => Chef::Config[:node_name],
-        :client_key_path => Chef::Config[:client_key],
+        node_name: Chef::Config[:node_name],
+        client_key_path: Chef::Config[:client_key],
+        client_key_contents: Chef::Config[:client_key_contents],
       }.merge(opts)
       @node_name = opts[:node_name]
       @client_key_path = opts[:client_key_path]
+      @client_key_contents = opts[:client_key_contents]
       @current_query = search
     end
 
@@ -89,12 +98,14 @@ class ChefVault
         handle_client_action(search_or_client, action)
       else
         search_or_client.each do |name|
+          # rubocop:disable all
           begin
             client = load_actor(name, "clients")
             handle_client_action(client, action)
           rescue ChefVault::Exceptions::ClientNotFound
-            ChefVault::Log.warn "node '#{name}' has no private key; skipping"
+            ChefVault::Log.warn "node '#{name}' has no 'default' public key; skipping"
           end
+          # rubocop:enable all
         end
       end
     end
@@ -131,6 +142,10 @@ class ChefVault
       end
     end
 
+    def mode(mode)
+      keys.mode(mode) if mode
+    end
+
     def admins(admin_string, action = :add)
       admin_string.split(",").each do |admin|
         admin.strip!
@@ -142,7 +157,7 @@ class ChefVault
           keys.delete(admin_key)
         else
           raise ChefVault::Exceptions::KeysActionNotValid,
-                "#{action} is not a valid action"
+            "#{action} is not a valid action"
         end
       end
     end
@@ -156,8 +171,12 @@ class ChefVault
     end
 
     def secret
-      if @keys.include?(@node_name)
-        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read())
+      if @keys.include?(@node_name) && !@keys[@node_name].nil?
+        unless @client_key_contents.nil?
+          private_key = OpenSSL::PKey::RSA.new(@client_key_contents)
+        else
+          private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
+        end
         begin
           private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
         rescue OpenSSL::PKey::RSAError
@@ -225,7 +244,7 @@ class ChefVault
       else
         begin
           Chef::DataBag.load(data_bag)
-        rescue Net::HTTPServerException => http_error
+        rescue Net::HTTPClientException => http_error
           if http_error.response.code == "404"
             chef_data_bag = Chef::DataBag.new
             chef_data_bag.name data_bag
@@ -268,7 +287,7 @@ class ChefVault
 
       if Chef::Config[:solo_legacy_mode]
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
         data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
 
         FileUtils.rm("#{data_bag_item_path}.json")
@@ -289,7 +308,7 @@ class ChefVault
       begin
         item.raw_data =
           Chef::EncryptedDataBagItem.load(vault, name, item.secret).to_hash
-      rescue Net::HTTPServerException => http_error
+      rescue Net::HTTPClientException => http_error
         if http_error.response.code == "404"
           raise ChefVault::Exceptions::ItemNotFound,
             "#{vault}/#{name} could not be found"
@@ -300,10 +319,17 @@ class ChefVault
         raise ChefVault::Exceptions::ItemNotFound,
           "#{vault}/#{name} could not be found"
       end
-
+      format_output(opts[:values], item) if opts[:values]
       item
     end
 
+    def self.format_output(values, item)
+      values.split(",").each do |value|
+        value.strip!
+        $stdout.puts("#{value}: #{item[value]}")
+      end
+    end
+
     def delete_client(client_name)
       client_key = load_actor(client_name, "clients")
       keys.delete(client_key)
@@ -336,7 +362,16 @@ class ChefVault
     def self.data_bag_item_type(vault, name)
       # adapted from https://github.com/opscode-cookbooks/chef-vault/blob/v1.3.0/libraries/chef_vault_item.rb
       # and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
-      dbi = Chef::DataBagItem.load(vault, name)
+      begin
+        dbi = Chef::DataBagItem.load(vault, name)
+      rescue Net::HTTPClientException => http_error
+        if http_error.response.code == "404"
+          raise ChefVault::Exceptions::ItemNotFound,
+            "#{vault}/#{name} not found"
+        else
+          raise http_error
+        end
+      end
       encrypted = dbi.detect do |_, v|
         v.is_a?(Hash) && v.key?("encrypted_data")
       end
@@ -358,12 +393,12 @@ class ChefVault
     #   no longer be found
     # @return [void]
     def refresh(clean_unknown_clients = false)
-      unless search
+      if search.empty?
         raise ChefVault::Exceptions::SearchNotFound,
-              "#{vault}/#{item} does not have a stored search_query, "\
-              "probably because it was created with an older version "\
-              "of chef-vault. Use 'knife vault update' to update the "\
-              "databag with the search query."
+          "#{@data_bag}/#{@raw_data["id"]} does not have a stored "\
+          "search_query, probably because it was created with an "\
+          "older version of chef-vault. Use 'knife vault update' "\
+          "to update the databag with the search query."
       end
 
       # a bit of a misnomer; this doesn't remove unknown
@@ -432,13 +467,14 @@ class ChefVault
     def client_exists?(clientname)
       Chef::ApiClient.load(clientname)
       true
-    rescue Net::HTTPServerException => http_error
+    rescue Net::HTTPClientException => http_error
       return false if http_error.response.code == "404"
+
       raise http_error
     end
 
     # adds or deletes an API client from the vault item keys
-    # @param client [Chef::ApiClient] the API client to operate on
+    # @param api_client [Chef::ApiClient] the API client to operate on
     # @param action [Symbol] :add or :delete
     # @return [void]
     def handle_client_action(api_client, action)
@@ -460,7 +496,7 @@ class ChefVault
     end
 
     # removes a client to the vault item keys
-    # @param client_or_node [String] the name of the API client or node to remove
+    # @param name [String] the name of the API client or node to remove
     # @return [void]
     def delete_client_or_node(name)
       client = load_actor(name, "clients")

data/lib/chef-vault/item_keys.rb

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef-vault/mixins"
+require_relative "mixins"
 
 class ChefVault
   class ItemKeys < Chef::DataBagItem
@@ -39,9 +39,11 @@ class ChefVault
     def [](key)
       # return options immediately
       return @raw_data[key] if %w{id admins clients search_query mode}.include?(key)
+
       # check if the key is in the write-back cache
       ckey = @cache[key]
       return ckey unless ckey.nil?
+
       # check if the key is saved in sparse mode
       skey = sparse_key(sparse_id(key)) if sparse?
       if skey
@@ -58,6 +60,7 @@ class ChefVault
       return (ckey ? true : false) unless ckey.nil?
       # check if the key is saved in sparse mode
       return true if sparse? && sparse_key(sparse_id(key))
+
       # fallback to non-sparse mode if sparse key is not found
       @raw_data.keys.include?(key)
     end
@@ -66,10 +69,14 @@ class ChefVault
       type = chef_key.type
       unless @raw_data.key?(type)
         raise ChefVault::Exceptions::V1Format,
-              "cannot manage a v1 vault.  See UPGRADE.md for help"
+          "cannot manage a v1 vault.  See UPGRADE.md for help"
       end
       @cache[chef_key.name] = skip_reencryption ? self[chef_key.name] : nil
-      @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      begin
+        @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      rescue OpenSSL::PKey::RSAError
+        raise OpenSSL::PKey::RSAError, "While adding #{chef_key.type} an invalid or old (pre chef-server 12) format public key was found for #{chef_key.name}"
+      end
       @raw_data[type] << chef_key.name unless @raw_data[type].include?(chef_key.name)
       @raw_data[type]
     end
@@ -115,7 +122,7 @@ class ChefVault
       unless Chef::Config[:solo_legacy_mode]
         begin
           Chef::DataBag.load(data_bag)
-        rescue Net::HTTPServerException => http_error
+        rescue Net::HTTPClientException => http_error
           if http_error.response.code == "404"
             chef_data_bag = Chef::DataBag.new
             chef_data_bag.name data_bag
@@ -135,8 +142,8 @@ class ChefVault
             begin
               Chef::DataBagItem.from_hash("data_bag" => data_bag,
                                           "id" => sparse_id(key))
-                               .destroy(data_bag, sparse_id(key))
-            rescue Net::HTTPServerException => http_error
+                .destroy(data_bag, sparse_id(key))
+            rescue Net::HTTPClientException => http_error
               raise http_error unless http_error.response.code == "404"
             end
           end
@@ -161,6 +168,25 @@ class ChefVault
           end
         end
       end
+
+      if @raw_data["mode"] == "sparse"
+        @raw_data.each do |key, val|
+          next if %w{ id clients admins search_query mode }.include?(key)
+
+          skey = Chef::DataBagItem.from_hash(
+            "data_bag" => data_bag,
+            "id" => sparse_id(key),
+            key => val
+          )
+          @raw_data.delete(key)
+          if Chef::Config[:solo_legacy_mode]
+            save_solo(skey.id, skey.raw_data)
+          else
+            skey.save
+          end
+        end
+      end
+
       # save raw data
       if Chef::Config[:solo_legacy_mode]
         save_solo(item_id)
@@ -187,7 +213,7 @@ class ChefVault
         items = Chef::DataBag.load(data_bag).keys.select { |item| item =~ rgx }
         items.each do |id|
           Chef::DataBagItem.from_hash("data_bag" => data_bag, "id" => id)
-                           .destroy(data_bag, id)
+            .destroy(data_bag, id)
         end
         # destroy this metadata
         super(data_bag, id)
@@ -208,7 +234,7 @@ class ChefVault
     def self.load(vault, name)
       begin
         data_bag_item = Chef::DataBagItem.load(vault, name)
-      rescue Net::HTTPServerException => http_error
+      rescue Net::HTTPClientException => http_error
         if http_error.response.code == "404"
           raise ChefVault::Exceptions::KeysNotFound,
             "#{vault}/#{name} could not be found"
@@ -239,7 +265,7 @@ class ChefVault
       else
         begin
           Chef::DataBagItem.load(@data_bag, sid)
-        rescue Net::HTTPServerException => http_error
+        rescue Net::HTTPClientException => http_error
           nil if http_error.response.code == "404"
         end
       end

data/lib/chef-vault/mixins.rb

@@ -6,7 +6,7 @@ class ChefVault
     #     paths and use that by preference
     #  1. Otherwise, just use the first location in the array
     def find_solo_path(item_id)
-      if Chef::Config[:data_bag_path].kind_of?(Array)
+      if Chef::Config[:data_bag_path].is_a?(Array)
         path = Chef::Config[:data_bag_path].find do |dir|
           File.exist?(File.join(dir, data_bag, "#{item_id}.json"))
         end
@@ -15,7 +15,7 @@ class ChefVault
         data_bag_path = File.join(path, data_bag)
       else
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
       end
       data_bag_item_path = File.join(data_bag_path, item_id) + ".json"
 

data/lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "3.3.0"
+  VERSION = "4.1.11"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/lib/chef-vault.rb

@@ -23,14 +23,14 @@ require "chef/api_client"
 require "chef/data_bag_item"
 require "chef/encrypted_data_bag_item"
 require "chef/user"
-require "chef-vault/version"
-require "chef-vault/exceptions"
-require "chef-vault/item"
-require "chef-vault/item_keys"
-require "chef-vault/user"
-require "chef-vault/certificate"
-require "chef-vault/chef_api"
-require "chef-vault/actor"
+require_relative "chef-vault/version"
+require_relative "chef-vault/exceptions"
+require_relative "chef-vault/item"
+require_relative "chef-vault/item_keys"
+require_relative "chef-vault/user"
+require_relative "chef-vault/certificate"
+require_relative "chef-vault/chef_api"
+require_relative "chef-vault/actor"
 
 require "mixlib/log"