chef-vault 3.3.0 → 4.1.11

data/spec/chef-vault/actor_spec.rb

@@ -1,247 +0,0 @@
-require "spec_helper"
-
-RSpec.describe ChefVault::Actor do
-  let(:actor_name) { "actor" }
-  let(:public_key_string) do
-    "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n"
-  end
-
-  let(:key_response) do
-    {
-      "name" => "default",
-      "public_key" => "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n",
-      "expiration_date" => "infinity",
-    }
-  end
-
-  let(:http_response_code) do
-    "404"
-  end
-
-  let(:http_error) do
-    http_response = double("http error")
-    allow(http_response).to receive(:code).and_return(http_response_code)
-    Net::HTTPServerException.new("http error message", http_response)
-  end
-
-  let(:api) { double("api") }
-
-  subject(:chef_key) { described_class.new(actor_type, actor_name) }
-
-  describe "#new" do
-    context "when something besides 'clients' or 'users' is passed" do
-      let(:actor_type) { "charmander" }
-      it "throws an error" do
-        expect { described_class.new("charmander", actor_name) }.to raise_error(RuntimeError)
-      end
-    end
-
-    context "when 'clients' is passed" do
-      it "requests a client key" do
-        expect_any_instance_of(described_class).to receive(:get_client_key)
-        described_class.new("clients", actor_name).key
-      end
-    end
-
-    context "when 'admins' is passed" do
-      it "requests a admin key" do
-        expect_any_instance_of(described_class).to receive(:get_admin_key)
-        described_class.new("admins", actor_name).key
-      end
-    end
-  end
-
-  shared_examples_for "get_key_handling" do
-    context "when the default key exists for the requested client" do
-      it "sets up a valid key" do
-        expect(chef_key).to receive(:get_key).with(request_actor_type).and_return(public_key_string)
-        expect(chef_key.send(method)).to eq(public_key_string)
-      end
-    end
-
-    context "when get_key returns an http error" do
-      before do
-        allow(chef_key).to receive(:get_key).with(request_actor_type).and_raise(http_error)
-      end
-
-      context "when the error code is not 404 or 403" do
-        let(:http_response_code) { "500" }
-
-        it "raises the original error" do
-          expect { chef_key.send(method) }.to raise_error(http_error)
-        end
-      end
-
-      context "when the error code is 403" do
-        let(:http_response_code) { "403" }
-
-        it "prints information for the user to resolve the issue and raises the original error" do
-          expect(chef_key).to receive(:print_forbidden_error)
-          expect { chef_key.send(method) }.to raise_error(http_error)
-        end
-      end
-    end
-  end
-
-  describe "#get_client_key" do
-    let(:request_actor_type) { "clients" }
-    let(:actor_type) { "clients" }
-    let(:method) { :get_client_key }
-
-    it_should_behave_like "get_key_handling"
-
-    context "when get_key returns an http error" do
-      before do
-        allow(chef_key).to receive(:get_key).with(actor_type).and_raise(http_error)
-      end
-
-      context "when the error code is 404" do
-        let(:http_response_code) { "404" }
-
-        it "raises ChefVault::Exceptions::ClientNotFound" do
-          expect { chef_key.get_client_key }.to raise_error(ChefVault::Exceptions::ClientNotFound)
-        end
-      end
-    end
-  end # get_client_key
-
-  describe "#get_admin_key" do
-    let(:request_actor_type) { "users" }
-    let(:actor_type) { "admins" }
-    let(:method) { :get_admin_key }
-
-    it_should_behave_like "get_key_handling"
-
-    context "when the first get_key for users returns an http error" do
-      before do
-        allow(chef_key).to receive(:get_key).with(request_actor_type).and_raise(http_error)
-      end
-
-      context "when the error code from the users get is a 404" do
-        let(:http_response_code) { "404" }
-
-        context "when the second get_key for clients returns an http error" do
-
-          let(:http_error_2) do
-            http_response = double("http error")
-            allow(http_response).to receive(:code).and_return(http_response_code_2)
-            Net::HTTPServerException.new("http error message", http_response)
-          end
-
-          before do
-            allow(chef_key).to receive(:get_key).with("clients").and_raise(http_error_2)
-          end
-
-          context "when it is a 404" do
-            let(:http_response_code_2) { "404" }
-
-            it "rasies ChefVault::Exceptions::AdminNotFound" do
-              expect { chef_key.get_admin_key }.to raise_error(ChefVault::Exceptions::AdminNotFound)
-            end
-          end
-
-          context "when it is a 403" do
-            let(:http_response_code_2) { "403" }
-
-            it "raises the original error" do
-              expect { chef_key.get_admin_key }.to raise_error(http_error_2)
-            end
-          end
-
-          context "when it is not a 404" do
-            let(:http_response_code_2) { "500" }
-
-            it "raises the original error" do
-              expect { chef_key.get_admin_key }.to raise_error(http_error_2)
-            end
-          end
-        end # when the second get_key for clients returns an http error
-
-        context "when the second get_key for clients exists with the same name as the admin requested" do
-          it "strangely returns the client key as an admin key" do
-            expect(chef_key).to receive(:get_key).with(request_actor_type).and_return(public_key_string)
-            expect(chef_key.send(method)).to eq(public_key_string)
-          end
-        end
-      end # when the first get_key for users returns an http erro
-    end
-  end # get_admin_key
-
-  describe "#get_key" do
-
-    shared_examples_for "a properly retrieved and error handled key fetch" do
-      # mock out the API
-      before do
-        allow(chef_key).to receive(:api).and_return(api)
-        [:rest_v0, :rest_v1, :org_scoped_rest_v0, :org_scoped_rest_v1].each do |method|
-          allow(api).to receive(method)
-        end
-      end
-
-      context "when keys/default returns 200 for org scoped endpoint" do
-        before do
-          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_return(key_response)
-        end
-
-        it "returns the public_key" do
-          expect(chef_key.get_key(request_actor_type)).to eql(public_key_string)
-        end
-
-        it "hits the proper endpoint" do
-          expect(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default")
-          chef_key.get_key(request_actor_type)
-        end
-      end
-
-      context "when a 500 is returned" do
-        let(:http_response_code) { "500" }
-        before do
-          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_raise(http_error)
-        end
-
-        it "raises the http error" do
-          expect { chef_key.get_key(request_actor_type) }.to raise_error(http_error)
-        end
-      end
-
-      context "when keys/default returns 404" do
-        let(:http_response_code) { "404" }
-        let(:chef_object) { double("chef object") }
-
-        before do
-          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_raise(http_error)
-          allow(chef_object_type).to receive(:load).with(actor_name).and_return(chef_object)
-          allow(chef_object).to receive(:public_key).and_return(public_key_string)
-        end
-
-        it "tries to load the object via Chef::<object>_v1" do
-          expect(chef_object_type).to receive(:load).with(actor_name)
-          chef_key.get_key(request_actor_type)
-        end
-
-        context "when the Chef::<object>_v1 object loads properly" do
-          it "returns the public key" do
-            expect(chef_key.get_key(request_actor_type)).to eql(public_key_string)
-          end
-        end
-      end
-    end # shared_examples_for
-
-    context "when a client is passed" do
-      let(:request_actor_type) { "clients" }
-      let(:actor_type) { "clients" }
-      let(:chef_object_type) { Chef::ApiClient }
-
-      it_behaves_like "a properly retrieved and error handled key fetch"
-    end
-
-    context "when an admin is passed" do
-      let(:request_actor_type) { "users" }
-      let(:actor_type) { "admins" }
-      let(:chef_object_type) { Chef::User }
-
-      it_behaves_like "a properly retrieved and error handled key fetch"
-    end
-
-  end
-end

data/spec/chef-vault/certificate_spec.rb

@@ -1,37 +0,0 @@
-RSpec.describe ChefVault::Certificate do
-  let(:item) { double(ChefVault::Item) }
-  let(:cert) { ChefVault::Certificate.new("foo", "bar") }
-
-  before do
-    allow(ChefVault::Item).to receive(:load).with("foo", "bar") { item }
-    allow(item).to receive(:[]).with("id") { "bar" }
-    allow(item).to receive(:[]).with("contents") { "baz" }
-  end
-
-  describe "#new" do
-    it "loads item" do
-      expect(ChefVault::Item).to receive(:load).with("foo", "bar")
-
-      ChefVault::Certificate.new("foo", "bar")
-    end
-  end
-
-  describe "#[]" do
-    it "given an 'id' parameter, returns its value" do
-      expect(cert["id"]).to eq "bar"
-    end
-  end
-
-  describe "decrypt_contents" do
-    it "echoes warning" do
-      expect(ChefVault::Log).to receive(:warn).with("This method is deprecated, please switch to item['value'] calls")
-      cert.decrypt_contents
-    end
-
-    it "returns items contents" do
-      expect(item).to receive(:[]).with("contents")
-
-      expect(cert.decrypt_contents).to eq "baz"
-    end
-  end
-end

data/spec/chef-vault/chef_api_spec.rb

@@ -1,39 +0,0 @@
-RSpec.describe ChefVault::ChefApi do
-  let(:root_url) { "https://localhost" }
-  let(:scoped_url) { "https://localhost/organizations/fakeorg" }
-  let(:api_v0_hash) { { :api_version => "0" } }
-  let(:api_v1_hash) { { :api_version => "1" } }
-
-  before do
-    Chef::Config[:chef_server_root] = root_url
-    Chef::Config[:chef_server_url]  = scoped_url
-  end
-
-  describe "#rest_v0" do
-    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
-      expect(Chef::ServerAPI).to receive(:new).with(root_url, api_v0_hash)
-      subject.rest_v0
-    end
-  end
-
-  describe "#rest_v1" do
-    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
-      expect(Chef::ServerAPI).to receive(:new).with(root_url, api_v1_hash)
-      subject.rest_v1
-    end
-  end
-
-  describe "#org_scoped_rest_v0" do
-    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
-      expect(Chef::ServerAPI).to receive(:new).with(scoped_url, api_v0_hash)
-      subject.org_scoped_rest_v0
-    end
-  end
-
-  describe "#org_scoped_rest_v1" do
-    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
-      expect(Chef::ServerAPI).to receive(:new).with(scoped_url, api_v1_hash)
-      subject.org_scoped_rest_v1
-    end
-  end
-end

data/spec/chef-vault/item_keys_spec.rb

@@ -1,263 +0,0 @@
-RSpec.describe ChefVault::ItemKeys do
-  describe "#new" do
-    let(:keys) { ChefVault::ItemKeys.new("foo", "bar") }
-    let(:shared_secret) { "super_secret" }
-    let(:public_key_string) do
-      "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n"
-    end
-
-    it "'foo' is assigned to @data_bag" do
-      expect(keys.data_bag).to eq "foo"
-    end
-
-    it "sets the keys id to 'bar'" do
-      expect(keys["id"]).to eq "bar"
-    end
-
-    it "initializes the keys[admin] to an empty array" do
-      expect(keys["admins"]).to eq []
-    end
-
-    it "initializes the keys[clients] to an empty array" do
-      expect(keys["admins"]).to eq []
-    end
-
-    shared_context "key mgmt operations" do
-
-      shared_examples_for "proper key management" do
-        let(:chef_key) { ChefVault::Actor.new(type, name) }
-        before do
-          allow(chef_key).to receive(:key) { public_key_string }
-          keys.add(chef_key, shared_secret)
-        end
-
-        describe "#add" do
-          after do
-            keys.delete(chef_key)
-          end
-
-          context "when key is already there" do
-            context "when skip_reencryption is not specified (default to false)" do
-              it "encodes key in the data bag item under the actor's name and the name in the raw data" do
-                expect(described_class).to receive(:encode_key).with(public_key_string, shared_secret).and_return("encrypted_result")
-                keys.add(chef_key, shared_secret)
-                expect(keys[name]).to eq("encrypted_result")
-                expect(keys[type].include?(name)).to eq(true)
-                expect(keys.include?(name)).to eq(true)
-              end
-            end
-
-            context "when skip_reencryption is true" do
-              it "keeps the encoded key in the data bag item under the actor's name and the name in the raw data" do
-                expect(described_class).not_to receive(:encode_key).with(public_key_string, shared_secret)
-                keys.skip_reencryption = true
-                keys.add(chef_key, shared_secret)
-                expect(keys[name]).not_to be_empty
-                expect(keys[type].include?(name)).to eq(true)
-                expect(keys.include?(name)).to eq(true)
-              end
-            end
-          end
-
-          context "when keys not already there" do
-            before do
-              keys.delete(chef_key)
-            end
-            it "stores the encoded key in the data bag item under the actor's name and the name in the raw data" do
-              expect(described_class).to receive(:encode_key).with(public_key_string, shared_secret).and_return("encrypted_result")
-              keys.add(chef_key, shared_secret)
-              expect(keys[name]).to eq("encrypted_result")
-              expect(keys[type].include?(name)).to eq(true)
-              expect(keys.include?(name)).to eq(true)
-            end
-          end
-        end
-
-        describe "#delete" do
-          before do
-            keys.add(chef_key, shared_secret)
-          end
-
-          it "removes the actor's name from the data bag and from the array for the actor's type" do
-            keys.delete(chef_key)
-            expect(keys.has_key?(chef_key.name)).to eq(false)
-            expect(keys[type].include?(name)).to eq(false)
-            expect(keys.include?(name)).to eq(false)
-          end
-        end
-      end
-
-      context "when a client is added" do
-        let(:name) { "client_name" }
-        let(:type) { "clients" }
-        it_should_behave_like "proper key management"
-      end
-
-      context "when a admin is added" do
-        let(:name) { "admin_name" }
-        let(:type) { "admins" }
-        it_should_behave_like "proper key management"
-      end
-    end
-
-    context "when running with chef-zero" do
-      let(:server) { chef_zero }
-      before { server.start_background }
-      after  { server.stop }
-
-      include_context "key mgmt operations"
-
-      describe "#save" do
-        let(:client_name) { "client_name" }
-        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
-        before { allow(chef_key).to receive(:key) { public_key_string } }
-
-        it "should save the key data" do
-          keys.add(chef_key, shared_secret)
-          keys.save("bar")
-          expect(Chef::DataBagItem.load("foo", "bar").to_hash).to include("id" => "bar")
-          expect(keys[client_name]).not_to be_empty
-          keys.delete(chef_key)
-          keys.save("bar")
-          expect(keys[client_name]).to be_nil
-        end
-
-        it "should save the key data in sparse mode" do
-          keys.add(chef_key, shared_secret)
-          keys.mode("sparse")
-          keys.save("bar")
-          expect(Chef::DataBagItem.load("foo", "bar").to_hash).to include("id" => "bar")
-          expect(Chef::DataBagItem.load("foo", "bar_key_client_name").to_hash).to include("id" => "bar_key_client_name")
-          expect(keys[client_name]).not_to be_empty
-          keys.delete(chef_key)
-          keys.save("bar")
-          expect(keys[client_name]).to be_nil
-          keys.mode("default")
-        end
-      end
-
-      describe "#destroy" do
-        let(:client_name) { "client_name" }
-        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
-        before { allow(chef_key).to receive(:key) { public_key_string } }
-
-        it "should destroy the keys" do
-          keys.add(chef_key, shared_secret)
-          keys.save("bar")
-          keys.destroy
-          expect { Chef::DataBagItem.load("foo", "bar") }.to raise_error(Net::HTTPServerException)
-        end
-
-        it "should destroy the keys in sparse mode" do
-          keys.add(chef_key, shared_secret)
-          keys.mode("sparse")
-          keys.save("bar")
-          keys.destroy
-          expect { Chef::DataBagItem.load("foo", "bar") }.to raise_error(Net::HTTPServerException)
-          expect { Chef::DataBagItem.load("foo", "bar_key_client_name") }.to raise_error(Net::HTTPServerException)
-          keys.mode("default")
-        end
-      end
-    end
-
-    context "when running with chef-solo" do
-      before { Chef::Config[:solo_legacy_mode] = true  }
-      after  { Chef::Config[:solo_legacy_mode] = false }
-
-      include_context "key mgmt operations"
-
-      describe "#find_solo_path" do
-        context "when data_bag_path is an array" do
-          before do
-            allow(File).to receive(:exist?)
-            Chef::Config[:data_bag_path] = ["/tmp/data_bag", "/tmp/site_data_bag"]
-          end
-
-          it "should return an existing item" do
-            expect(File).to receive(:exist?).with("/tmp/site_data_bag/foo/bar.json").and_return(true)
-            dbp, dbi = keys.find_solo_path("bar")
-            expect(dbp).to eql("/tmp/site_data_bag/foo")
-            expect(dbi).to eql("/tmp/site_data_bag/foo/bar.json")
-          end
-
-          it "should return the first item if none exist" do
-            dbp, dbi = keys.find_solo_path("bar")
-            expect(dbp).to eql("/tmp/data_bag/foo")
-            expect(dbi).to eql("/tmp/data_bag/foo/bar.json")
-          end
-        end
-
-        context "when data_bag_path is a string" do
-          it "should return the path to the bag and the item" do
-            Chef::Config[:data_bag_path] = "/tmp/data_bag"
-            dbp, dbi = keys.find_solo_path("bar")
-            expect(dbp).to eql("/tmp/data_bag/foo")
-            expect(dbi).to eql("/tmp/data_bag/foo/bar.json")
-          end
-        end
-      end
-
-      describe "#save" do
-        let(:client_name)   { "client_name" }
-        let(:chef_key)      { ChefVault::Actor.new("clients", client_name) }
-        let(:data_bag_path) { Dir.mktmpdir("vault_item_keys") }
-
-        before do
-          Chef::Config[:data_bag_path] = data_bag_path
-          allow(chef_key).to receive(:key) { public_key_string }
-        end
-
-        it "should save the key data" do
-          keys.add(chef_key, shared_secret)
-          keys.save("bar")
-          expect(File.read(File.join(data_bag_path, "foo", "bar.json"))).to match(/"id":.*"bar"/)
-          expect(keys[client_name]).not_to be_empty
-          keys.delete(chef_key)
-          keys.save("bar")
-          expect(keys[client_name]).to be_nil
-        end
-
-        it "should save the key data in sparse mode" do
-          keys.add(chef_key, shared_secret)
-          keys.mode("sparse")
-          keys.save("bar")
-          expect(File.read(File.join(data_bag_path, "foo", "bar.json"))).to match(/"id":.*"bar"/)
-          expect(File.read(File.join(data_bag_path, "foo", "bar_key_client_name.json"))).to match(/"id":.*"bar_key_client_name"/)
-          expect(keys[client_name]).not_to be_empty
-          keys.delete(chef_key)
-          keys.save("bar")
-          expect(keys[client_name]).to be_nil
-          keys.mode("default")
-        end
-      end
-
-      describe "#destroy" do
-        let(:client_name) { "client_name" }
-        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
-        let(:data_bag_path) { Dir.mktmpdir("vault_item_keys") }
-
-        before do
-          Chef::Config[:data_bag_path] = data_bag_path
-          allow(chef_key).to receive(:key) { public_key_string }
-        end
-
-        it "should destroy the keys" do
-          keys.add(chef_key, shared_secret)
-          keys.save("bar")
-          keys.destroy
-          expect(File.exist?(File.join(data_bag_path, "foo", "bar.json"))).to be(false)
-        end
-
-        it "should destroy the keys in sparse mode" do
-          keys.add(chef_key, shared_secret)
-          keys.mode("sparse")
-          keys.save("bar")
-          keys.destroy
-          expect(File.exist?(File.join(data_bag_path, "foo", "bar.json"))).to be(false)
-          expect(File.exist?(File.join(data_bag_path, "foo", "bar_key_client_name.json"))).to be(false)
-          keys.mode("default")
-        end
-      end
-    end
-  end
-end