chef-vault 3.3.0 → 4.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/Gemfile +32 -6
- data/bin/chef-vault +5 -5
- data/chef-vault.gemspec +7 -26
- data/lib/chef/knife/mixin/helper.rb +29 -1
- data/lib/chef/knife/vault_admins.rb +5 -1
- data/lib/chef/knife/vault_base.rb +23 -13
- data/lib/chef/knife/vault_create.rb +26 -23
- data/lib/chef/knife/vault_delete.rb +4 -2
- data/lib/chef/knife/vault_download.rb +2 -2
- data/lib/chef/knife/vault_edit.rb +4 -4
- data/lib/chef/knife/vault_isvault.rb +4 -4
- data/lib/chef/knife/vault_itemtype.rb +4 -4
- data/lib/chef/knife/vault_list.rb +5 -5
- data/lib/chef/knife/vault_refresh.rb +7 -7
- data/lib/chef/knife/vault_remove.rb +19 -16
- data/lib/chef/knife/vault_rotate_all_keys.rb +5 -4
- data/lib/chef/knife/vault_rotate_keys.rb +3 -3
- data/lib/chef/knife/vault_show.rb +8 -10
- data/lib/chef/knife/vault_update.rb +38 -24
- data/lib/chef-vault/actor.rb +9 -7
- data/lib/chef-vault/chef_api.rb +4 -4
- data/lib/chef-vault/exceptions.rb +3 -0
- data/lib/chef-vault/item.rb +57 -21
- data/lib/chef-vault/item_keys.rb +35 -9
- data/lib/chef-vault/mixins.rb +2 -2
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef-vault.rb +8 -8
- metadata +8 -135
- data/.github/CODEOWNERS +0 -2
- data/.gitignore +0 -33
- data/.rspec +0 -2
- data/.rubocop.yml +0 -6
- data/.simplecov +0 -6
- data/.travis.yml +0 -19
- data/Changelog.md +0 -134
- data/DEMO.md +0 -60
- data/KNIFE_EXAMPLES.md +0 -256
- data/README.md +0 -333
- data/Rakefile +0 -50
- data/THEORY.md +0 -363
- data/UPGRADE.md +0 -55
- data/appveyor.yml +0 -32
- data/features/clean.feature +0 -23
- data/features/clean_on_refresh.feature +0 -27
- data/features/clean_unknown_clients.feature +0 -45
- data/features/detect_and_warn_v1_vault.feature +0 -14
- data/features/isvault.feature +0 -29
- data/features/itemtype.feature +0 -24
- data/features/step_definitions/chef-databag.rb +0 -9
- data/features/step_definitions/chef-repo.rb +0 -72
- data/features/step_definitions/chef-vault.rb +0 -151
- data/features/step_definitions/chef_databagitem.rb +0 -9
- data/features/support/env.rb +0 -14
- data/features/vault_create.feature +0 -63
- data/features/vault_list.feature +0 -31
- data/features/vault_show.feature +0 -45
- data/features/vault_show_vaultname.feature +0 -21
- data/features/vault_update.feature +0 -18
- data/features/verify_id_matches.feature +0 -10
- data/features/wrong_private_key.feature +0 -13
- data/hooks/pre-commit +0 -43
- data/spec/chef-vault/actor_spec.rb +0 -247
- data/spec/chef-vault/certificate_spec.rb +0 -37
- data/spec/chef-vault/chef_api_spec.rb +0 -39
- data/spec/chef-vault/item_keys_spec.rb +0 -263
- data/spec/chef-vault/item_spec.rb +0 -360
- data/spec/chef-vault/user_spec.rb +0 -36
- data/spec/chef-vault_spec.rb +0 -65
- data/spec/spec_helper.rb +0 -91
- data/tasks/github_changelog_generator.rb +0 -30
@@ -1,72 +0,0 @@
|
|
1
|
-
Given(/^a local mode chef repo with nodes '(.+?)'(?: with admins '(.+?)')?$/) do |nodelist, adminlist|
|
2
|
-
# create the repo directory hierarchy
|
3
|
-
%w{cookbooks clients nodes data_bags}.each do |dir|
|
4
|
-
create_directory dir
|
5
|
-
end
|
6
|
-
# create a basic knife.rb
|
7
|
-
write_file "knife.rb", <<EOF
|
8
|
-
local_mode true
|
9
|
-
chef_repo_path '.'
|
10
|
-
chef_zero.enabled true
|
11
|
-
knife[:vault_mode] = 'client'
|
12
|
-
EOF
|
13
|
-
# create the admin users and capture their private key we
|
14
|
-
# always create an admin called 'admin' because otherwise subsequent
|
15
|
-
# steps become annoying to determine who the admin is
|
16
|
-
admins = %w{admin}
|
17
|
-
admins.push(adminlist.split(/,/)) if adminlist
|
18
|
-
admins.flatten.each do |admin|
|
19
|
-
create_admin(admin)
|
20
|
-
end
|
21
|
-
# add the admin key to the knife configuration
|
22
|
-
append_to_file "knife.rb", <<EOF
|
23
|
-
node_name 'admin'
|
24
|
-
client_key 'admin.pem'
|
25
|
-
EOF
|
26
|
-
# create the requested nodes
|
27
|
-
nodelist.split(/,/).each do |node|
|
28
|
-
create_client(node)
|
29
|
-
create_node(node)
|
30
|
-
end
|
31
|
-
end
|
32
|
-
|
33
|
-
Given(/^I create an admin named '(.+)'$/) do |admin|
|
34
|
-
create_admin(admin)
|
35
|
-
end
|
36
|
-
|
37
|
-
Given(/^I delete clients? '(.+)' from the Chef server$/) do |nodelist|
|
38
|
-
nodelist.split(/,/).each do |node|
|
39
|
-
delete_client(node)
|
40
|
-
end
|
41
|
-
end
|
42
|
-
|
43
|
-
Given(/^I regenerate the client key for the node '(.+)'$/) do |node|
|
44
|
-
delete_client(node)
|
45
|
-
create_client(node)
|
46
|
-
end
|
47
|
-
|
48
|
-
Given(/^I delete nodes? '(.+)' from the Chef server$/) do |nodelist|
|
49
|
-
nodelist.split(/,/).each { |node| delete_node(node) }
|
50
|
-
end
|
51
|
-
|
52
|
-
def create_node(name)
|
53
|
-
run_simple "knife node create #{name} -z -d -c knife.rb"
|
54
|
-
end
|
55
|
-
|
56
|
-
def create_admin(admin)
|
57
|
-
create_client(admin, "-a")
|
58
|
-
end
|
59
|
-
|
60
|
-
def create_client(name, args = nil)
|
61
|
-
command = "knife client create #{name} -z -d -c knife.rb #{args} >#{name}.pem"
|
62
|
-
run_simple command
|
63
|
-
write_file("#{name}.pem", last_command_started.stdout)
|
64
|
-
end
|
65
|
-
|
66
|
-
def delete_client(name)
|
67
|
-
run_simple "knife client delete #{name} -y -z -c knife.rb"
|
68
|
-
end
|
69
|
-
|
70
|
-
def delete_node(name)
|
71
|
-
run_simple "knife node delete #{name} -y -z -c knife.rb"
|
72
|
-
end
|
@@ -1,151 +0,0 @@
|
|
1
|
-
require "json"
|
2
|
-
|
3
|
-
Given(/^I create a vault item '(.+)\/(.+)'( with keys in sparse mode)? containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, sparse, json, nodelist, admins|
|
4
|
-
write_file "item.json", json
|
5
|
-
query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
|
6
|
-
adminarg = admins.nil? ? "-A admin" : "-A #{admins}"
|
7
|
-
sparseopt = sparse.nil? ? "" : "-K sparse"
|
8
|
-
run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} #{sparseopt} -S '#{query}' -J item.json", false
|
9
|
-
end
|
10
|
-
|
11
|
-
Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
|
12
|
-
query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
|
13
|
-
run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? '--clean' : ''}"
|
14
|
-
end
|
15
|
-
|
16
|
-
Given(/^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |nodelist, vault, item, optionlist|
|
17
|
-
query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
|
18
|
-
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
19
|
-
run_simple "knife vault remove #{vault} #{item} -z -c knife.rb -S '#{query}' #{options}"
|
20
|
-
end
|
21
|
-
|
22
|
-
Given(/^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
|
23
|
-
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
24
|
-
run_simple "knife vault rotate keys #{vault} #{item} -c knife.rb -z #{options}"
|
25
|
-
end
|
26
|
-
|
27
|
-
Given(/^I rotate all keys with the '(.+)' options?$/) do |optionlist|
|
28
|
-
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
29
|
-
run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
|
30
|
-
end
|
31
|
-
|
32
|
-
Given(/^I refresh the vault item '(.+)\/(.+)'$/) do |vault, item|
|
33
|
-
run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z"
|
34
|
-
end
|
35
|
-
|
36
|
-
Given(/^I refresh the vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
|
37
|
-
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
38
|
-
run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z #{options}"
|
39
|
-
end
|
40
|
-
|
41
|
-
Given(/^I try to decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |vault, item, node|
|
42
|
-
run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem", false
|
43
|
-
end
|
44
|
-
|
45
|
-
Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'( with keys in sparse mode)?$/) do |vault, item, neg, nodelist, sparse|
|
46
|
-
nodes = nodelist.split(/,/)
|
47
|
-
command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
|
48
|
-
run_simple(command)
|
49
|
-
output = last_command_started.stdout
|
50
|
-
data = JSON.parse(output)
|
51
|
-
if sparse
|
52
|
-
expect(data).to include("mode" => "sparse")
|
53
|
-
nodes.each do |node|
|
54
|
-
command = "knife data bag show #{vault} #{item}_key_#{node} -z -c knife.rb -F json"
|
55
|
-
run_simple(command, fail_on_error: false)
|
56
|
-
if neg
|
57
|
-
error = last_command_started.stderr
|
58
|
-
expect(error).to include("ERROR: The object you are looking for could not be found")
|
59
|
-
else
|
60
|
-
data = JSON.parse(last_command_started.stdout)
|
61
|
-
expect(data).to include("id" => "#{item}_key_#{node}")
|
62
|
-
end
|
63
|
-
end
|
64
|
-
else
|
65
|
-
expect(data).to include("mode" => "default")
|
66
|
-
nodes.each { |node| neg ? (expect(data).not_to include(node)) : (expect(data).to include(node)) }
|
67
|
-
end
|
68
|
-
end
|
69
|
-
|
70
|
-
Given(/^'(.+)' should( not)? be a client for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
|
71
|
-
nodes = nodelist.split(/,/)
|
72
|
-
command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
|
73
|
-
run_simple(command)
|
74
|
-
output = last_command_started.stdout
|
75
|
-
data = JSON.parse(output)
|
76
|
-
nodes.each do |node|
|
77
|
-
if neg
|
78
|
-
expect(data["clients"]).not_to include(node)
|
79
|
-
else
|
80
|
-
expect(data["clients"]).to include(node)
|
81
|
-
end
|
82
|
-
end
|
83
|
-
end
|
84
|
-
|
85
|
-
Given(/^'(.+)' should( not)? be an admin for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
|
86
|
-
nodes = nodelist.split(/,/)
|
87
|
-
command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
|
88
|
-
run_simple(command)
|
89
|
-
output = last_command_started.stdout
|
90
|
-
data = JSON.parse(output)
|
91
|
-
nodes.each do |node|
|
92
|
-
if neg
|
93
|
-
expect(data["admins"]).not_to include(node)
|
94
|
-
else
|
95
|
-
expect(data["admins"]).to include(node)
|
96
|
-
end
|
97
|
-
end
|
98
|
-
end
|
99
|
-
|
100
|
-
Given(/^I list the vaults$/) do
|
101
|
-
run_simple("knife vault list")
|
102
|
-
end
|
103
|
-
|
104
|
-
Given(/^I can('t)? decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |neg, vault, item, client|
|
105
|
-
run_simple "knife vault show #{vault} #{item} -c knife.rb -z -u #{client} -k #{client}.pem", false
|
106
|
-
if neg
|
107
|
-
expect(last_command_started).not_to have_exit_status(0)
|
108
|
-
else
|
109
|
-
expect(last_command_started).to have_exit_status(0)
|
110
|
-
end
|
111
|
-
end
|
112
|
-
|
113
|
-
Given(/^I (try to )?add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |try, newadmin, vault, item|
|
114
|
-
run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}", !try
|
115
|
-
end
|
116
|
-
|
117
|
-
Given(/^I show the keys of the vault '(.+)'$/) do |vault|
|
118
|
-
run_simple "knife vault show #{vault} -c knife.rb -z"
|
119
|
-
end
|
120
|
-
|
121
|
-
Given(/^I check if the data bag item '(.+)\/(.+)' is a vault$/) do |vault, item|
|
122
|
-
run_simple "knife vault isvault #{vault} #{item} -c knife.rb -z", false
|
123
|
-
end
|
124
|
-
|
125
|
-
Given(/^I check the type of the data bag item '(.+)\/(.+)'$/) do |vault, item|
|
126
|
-
run_simple "knife vault itemtype #{vault} #{item} -c knife.rb -z"
|
127
|
-
end
|
128
|
-
|
129
|
-
Given(/^I downgrade the vault item '(.+)\/(.+)' to v1 syntax/) do |vault, item|
|
130
|
-
# v1 syntax doesn't have the admins, clients and search_query keys
|
131
|
-
keysfile = "tmp/aruba/data_bags/#{vault}/#{item}_keys.json"
|
132
|
-
data = JSON.parse(IO.read(keysfile))
|
133
|
-
%w{admins clients search_query}.each { |k| data.key?("raw_data") ? data["raw_data"].delete(k) : data.delete(k) }
|
134
|
-
IO.write(keysfile, JSON.generate(data))
|
135
|
-
end
|
136
|
-
|
137
|
-
Given(/^I can save the JSON object of the encrypted data bag for the vault item '(.+)\/(.+)'$/) do |vault, item|
|
138
|
-
command = "knife data bag show #{vault} #{item} -z -c knife.rb -F json"
|
139
|
-
run_simple(command)
|
140
|
-
output = last_command_started.stdout
|
141
|
-
@saved_encrypted_vault_item = JSON.parse(output)
|
142
|
-
end
|
143
|
-
|
144
|
-
Given(/^the data bag of the vault item '(.+)\/(.+)' has not been re-encrypted$/) do |vault, item|
|
145
|
-
command = "knife data bag show #{vault} #{item} -z -c knife.rb -F json"
|
146
|
-
run_simple(command)
|
147
|
-
output = last_command_started.stdout
|
148
|
-
encrypted_vault_item = JSON.parse(output)
|
149
|
-
|
150
|
-
expect(encrypted_vault_item).to eq(@saved_encrypted_vault_item)
|
151
|
-
end
|
@@ -1,9 +0,0 @@
|
|
1
|
-
Given(/^I create a data bag item '(.+)\/(.+)' containing the JSON '(.+)'$/) do |databag, _, json|
|
2
|
-
write_file "item.json", json
|
3
|
-
run_simple "knife data bag from file #{databag} item.json -z -c knife.rb", false
|
4
|
-
end
|
5
|
-
|
6
|
-
Given(/^I create an encrypted data bag item '(.+)\/(.+)' containing the JSON '(.+)' with the secret '(.+)'$/) do |databag, _, json, secret|
|
7
|
-
write_file "item.json", json
|
8
|
-
run_simple "knife data bag from file #{databag} item.json -s #{secret} -z -c knife.rb", false
|
9
|
-
end
|
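--- a/data/features/support/env.rb
+++ /dev/null
@@ -1,14 +0,0 @@
-if ENV["COVERAGE"]
-require "simplecov"
-end
-
-require "aruba/cucumber"
-
-# Travis runs tests in a limited environment which takes a long time to invoke
-# the knife command. Up the timeout when we're in a travis build based on the
-# environment variable set in .travis.yml
-#if ENV['TRAVIS_BUILD']
-Before do
-@aruba_timeout_seconds = 15
-end
-#end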
@@ -1,63 +0,0 @@
|
|
1
|
-
Feature: knife vault create
|
2
|
-
'knife vault create' creates two Chef data bag items: an
|
3
|
-
encrypted data bag item encrypted with a randomized shared
|
4
|
-
secret, and a side-along data bag item suffixed with _keys
|
5
|
-
that contains an set of asymmetrically encrypted copies of
|
6
|
-
the shared secret using the public keys of a set of admins
|
7
|
-
and/or clients
|
8
|
-
|
9
|
-
Scenario: create vault with all known clients
|
10
|
-
Given a local mode chef repo with nodes 'one,two,three'
|
11
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
|
12
|
-
Then the vault item 'test/item' should be encrypted for 'one,two,three'
|
13
|
-
And 'one,two,three' should be a client for the vault item 'test/item'
|
14
|
-
|
15
|
-
Scenario: create vault with all unknown clients
|
16
|
-
Given a local mode chef repo with nodes 'two,three'
|
17
|
-
And I delete clients 'two,three' from the Chef server
|
18
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'two,three'
|
19
|
-
Then the vault item 'test/item' should not be encrypted for 'one,two,three'
|
20
|
-
And the output should contain "node 'two' has no private key; skipping"
|
21
|
-
And the output should contain "node 'three' has no private key; skipping"
|
22
|
-
And 'two,three' should not be a client for the vault item 'test/item'
|
23
|
-
|
24
|
-
Scenario: create vault with mix of known and unknown clients
|
25
|
-
Given a local mode chef repo with nodes 'one,two,three'
|
26
|
-
And I delete client 'three' from the Chef server
|
27
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
|
28
|
-
Then the vault item 'test/item' should be encrypted for 'one,two'
|
29
|
-
And the output should contain "node 'three' has no private key; skipping"
|
30
|
-
And 'one,two' should be a client for the vault item 'test/item'
|
31
|
-
And 'three' should not be a client for the vault item 'test/item'
|
32
|
-
|
33
|
-
Scenario: create vault with mix of known and unknown nodes
|
34
|
-
Given a local mode chef repo with nodes 'one,two'
|
35
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
|
36
|
-
Then the vault item 'test/item' should be encrypted for 'one,two'
|
37
|
-
And 'one,two' should be a client for the vault item 'test/item'
|
38
|
-
And 'three' should not be a client for the vault item 'test/item'
|
39
|
-
|
40
|
-
Scenario: create vault with several admins
|
41
|
-
Given a local mode chef repo with nodes 'one,two' with admins 'alice,bob'
|
42
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
|
43
|
-
Then the vault item 'test/item' should be encrypted for 'one,two'
|
44
|
-
And 'one,two' should be a client for the vault item 'test/item'
|
45
|
-
And 'three' should not be a client for the vault item 'test/item'
|
46
|
-
And 'alice' should be an admin for the vault item 'test/item'
|
47
|
-
And 'bob' should not be an admin for the vault item 'test/item'
|
48
|
-
|
49
|
-
Scenario: create vault with several admins in sparse mode
|
50
|
-
Given a local mode chef repo with nodes 'one,two' with admins 'alice,bob'
|
51
|
-
And I create a vault item 'test/item' with keys in sparse mode containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
|
52
|
-
Then the vault item 'test/item' should be encrypted for 'one,two' with keys in sparse mode
|
53
|
-
And the vault item 'test/item' should not be encrypted for 'three' with keys in sparse mode
|
54
|
-
And 'one,two' should be a client for the vault item 'test/item'
|
55
|
-
And 'three' should not be a client for the vault item 'test/item'
|
56
|
-
And 'alice' should be an admin for the vault item 'test/item'
|
57
|
-
And 'bob' should not be an admin for the vault item 'test/item'
|
58
|
-
|
59
|
-
Scenario: create vault with an unknown admin
|
60
|
-
Given a local mode chef repo with nodes 'one,two'
|
61
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
|
62
|
-
Then the exit status should not be 0
|
63
|
-
And the output should contain "FATAL: Could not find default key for alice in users or clients!"
|
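--- a/data/features/vault_list.feature
+++ /dev/null
@@ -1,31 +0,0 @@
-Feature: list data bags that are vaults
-knife vault list should list all data bags that appear to
-be vaults. This is not an exact science; we assume that
-any data bag containing an even number of items and for
-which all items are pairs of thing/thing_keys is a vault
-
-Scenario: List bags that are vaults
-Given a local mode chef repo with nodes 'one,two,three'
-And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-And I list the vaults
-Then the output should match /(?m:^test$)/
-
-Scenario: List bags that are vaults with keys in sparse mode
-Given a local mode chef repo with nodes 'one,two,three'
-And I create a vault item 'test/item' with keys in sparse mode containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-And I list the vaults
-Then the output should match /(?m:^test$)/
-
-Scenario: Skip data bags that are not vaults
-Given a local mode chef repo with nodes 'one,two,three'
-And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-And I create a data bag 'lessthantwokeys' containing the JSON '{"id": "item", "foo": "bar"}'
-And I create a data bag 'oddnumberofkeys' containing the JSON '{"id": "item", "one": 1, "two": 2, "three":3}'
-And I create a data bag 'unbalanced' containing the JSON '{"id": "item", "one": 1, "one_keys": 1, "two_keys": 1, "three_keys": 1}'
-And I create a data bag 'mismatched' containing the JSON '{"id": "item", "one": 1, "one_keys": 1, "two_keys": 1, "three": 1}'
-And I list the vaults
-Then the output should match /(?m:^test$)/
-And the output should not match /(?m:^lessthantwokeys$)/
-And the output should not match /(?m:^oddnumberofkeys$)/
-And the output should not match /(?m:^unbalanced$)/
-And the output should not match /(?m:^mismatched$)/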
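--- a/data/features/vault_show.feature
+++ /dev/null
@@ -1,45 +0,0 @@
-Feature: knife vault show
-'knife vault show' displays the contents of a Chef encrypted
-data bag by fetching the asymmetrically encrypted shared
-secret and decrypting it using the private key of the user
-or node
-
-Scenario: successful decrypt as admin
-Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
-And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
-Then the vault item 'test/item' should be encrypted for 'one,two,three,alice'
-And 'one,two,three' should be a client for the vault item 'test/item'
-And 'alice' should be an admin for the vault item 'test/item'
-And 'bob' should not be an admin for the vault item 'test/item'
-And I can decrypt the vault item 'test/item' as 'alice'
-And the output should match /^foo: bar$/
-
-Scenario: successful decrypt as node
-Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
-And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
-Then the vault item 'test/item' should be encrypted for 'one,two,three,alice'
-And 'one,two,three' should be a client for the vault item 'test/item'
-And 'alice' should be an admin for the vault item 'test/item'
-And 'bob' should not be an admin for the vault item 'test/item'
-And I can decrypt the vault item 'test/item' as 'two'
-And the output should match /^foo: bar$/
-
-Scenario: failed decrypt as admin
-Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
-And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
-Then the vault item 'test/item' should be encrypted for 'one,two,three,alice'
-And 'one,two,three' should be a client for the vault item 'test/item'
-And 'alice' should be an admin for the vault item 'test/item'
-And 'bob' should not be an admin for the vault item 'test/item'
-And I can't decrypt the vault item 'test/item' as 'bob'
-And the output should contain "test/item is not encrypted with your public key"
-
-Scenario: failed decrypt as node
-Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
-And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two' with 'alice' as admin
-Then the vault item 'test/item' should be encrypted for 'one,two,alice'
-And 'one,two' should be a client for the vault item 'test/item'
-And 'alice' should be an admin for the vault item 'test/item'
-And 'bob' should not be an admin for the vault item 'test/item'
-And I can't decrypt the vault item 'test/item' as 'three'
-And the output should contain "test/item is not encrypted with your public key"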
@@ -1,21 +0,0 @@
|
|
1
|
-
Feature: knife vault show [VAULTNAME]
|
2
|
-
'knife vault show [VAULTNAME]' displays the keys of a vault
|
3
|
-
(i.e. the items that are not suffixed with _keys)
|
4
|
-
|
5
|
-
Scenario: show keys of a vault
|
6
|
-
Given a local mode chef repo with nodes 'one,two,three'
|
7
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
|
8
|
-
And I create a vault item 'test/item2' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
|
9
|
-
Then the vault item 'test/item' should be encrypted for 'one,two,three'
|
10
|
-
And 'one,two,three' should be a client for the vault item 'test/item'
|
11
|
-
And I show the keys of the vault 'test'
|
12
|
-
Then the output should match /(?m:^item$)/
|
13
|
-
And the output should match /(?m:^item2$)/
|
14
|
-
And the output should not match /(?m:^item_keys$)/
|
15
|
-
And the output should not match /(?m:^item2_keys$)/
|
16
|
-
|
17
|
-
Scenario: show keys of a data bag that is not a vault
|
18
|
-
Given a local mode chef repo with nodes 'one,two,three'
|
19
|
-
And I create a data bag 'notavault' containing the JSON '{"id": "item", "foo": "bar"}'
|
20
|
-
And I show the keys of the vault 'notavault'
|
21
|
-
Then the output should match /data bag notavault is not a chef-vault/
|
@@ -1,18 +0,0 @@
|
|
1
|
-
Feature: knife vault update
|
2
|
-
'knife vault update' is used to add clients, or administrators
|
3
|
-
and to re-run the search query and update the vault's item values.
|
4
|
-
|
5
|
-
Scenario: add admin to a vault
|
6
|
-
Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
|
7
|
-
When I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin
|
8
|
-
Then the vault item 'test/item' should be encrypted for 'one,two,three'
|
9
|
-
And 'one,two,three' should be a client for the vault item 'test/item'
|
10
|
-
And 'alice' should be an admin for the vault item 'test/item'
|
11
|
-
And I can decrypt the vault item 'test/item' as 'alice'
|
12
|
-
But I can't decrypt the vault item 'test/item' as 'bob'
|
13
|
-
And I can save the JSON object of the encrypted data bag for the vault item 'test/item'
|
14
|
-
When I add 'bob' as an admin for the vault item 'test/item'
|
15
|
-
Then 'alice,bob' should be an admin for the vault item 'test/item'
|
16
|
-
And I can decrypt the vault item 'test/item' as 'alice'
|
17
|
-
And I can decrypt the vault item 'test/item' as 'bob'
|
18
|
-
And the data bag of the vault item 'test/item' has not been re-encrypted
|
@@ -1,10 +0,0 @@
|
|
1
|
-
Feature: knife vault create with mismatched ID
|
2
|
-
'knife vault create' creates a vault. A JSON file can be passed
|
3
|
-
on the command line. If the vault ID specified on the command line
|
4
|
-
does not match the value of the 'id' key in the JSON file, knife
|
5
|
-
should throw an error
|
6
|
-
|
7
|
-
Scenario: create vault from JSON file with mismatched ID
|
8
|
-
Given a local mode chef repo with nodes 'one,two,three'
|
9
|
-
And I create a vault item 'test/item' containing the JSON '{"id": "eyetem"}' encrypted for 'one,two,three'
|
10
|
-
Then the output should match /id mismatch - input JSON has id 'eyetem' but vault item has id 'item'/
|
@@ -1,13 +0,0 @@
|
|
1
|
-
Feature: Wrong private key during decrypt
|
2
|
-
https://github.com/Nordstrom/chef-vault/issues/43
|
3
|
-
If a vault is encrypted for a node and then the node's private
|
4
|
-
key is regenerated, the error that comes back from chef-vault
|
5
|
-
should be informative, not a lower-level error from OpenSSL
|
6
|
-
like 'OpenSSL::PKey::RSAError: padding check failed'
|
7
|
-
|
8
|
-
Scenario: Regenerate node key and attempt decrypt
|
9
|
-
Given a local mode chef repo with nodes 'one,two'
|
10
|
-
And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
|
11
|
-
And I regenerate the client key for the node 'one'
|
12
|
-
And I try to decrypt the vault item 'test/item' as 'one'
|
13
|
-
Then the output should match /is encrypted for you, but your private key failed to decrypt the contents/
|
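--- a/data/hooks/pre-commit
+++ /dev/null
@@ -1,43 +0,0 @@
-#!/usr/bin/env ruby
-output = `bundle exec chefstyle -a`
-if !$?.success?
-puts "pre-commit hook: Tried to run `bundle exec chefstyle -a` to autocleanup errors, but it failed with output:"
-puts output
-end
-
-detected = /(\d+) offenses detected/.match(output)
-corrected = /(\d+) offenses corrected/.match(output)
-
-# no errors detected by chefstyle
-exit 0 if detected.nil?
-
-# chefstyle found errors
-if !detected.nil?
-# get the first result from the capture group that isn't the whole capture
-num_detected = detected.to_a[1].to_i
-num_corrected = if corrected.nil?
-0
-else
-corrected.to_a[1].to_i
-end
-if num_detected == num_corrected
-puts <<EOF
-pre-commit hook: Ran `bundle exec chefstyle -a` to autocleanup errors if any existed and
-#{num_detected} were detected, but all were cleaned up. `git add` all files that were
-autoupdated and try commiting again. New git status:
-
-EOF
-puts `git status`
-else
-puts <<EOF
-pre-commit hook: Ran `bundle exec chefstyle -a` to autocleanup errors if any existed and
-#{num_detected} were detected, but #{num_detected - num_corrected} could not be cleaned up
-automatically. Run:
-
-bundle exec chefstyle -a
-
-to see remaining errors to clean up by hand, add all updated files, and try commiting again.
-EOF
-end
-exit 1
-end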