chef-vault 3.3.0 → 4.1.11

data/spec/chef-vault/item_spec.rb

@@ -1,360 +0,0 @@
-require "openssl"
-
-RSpec.describe ChefVault::Item do
-  subject(:item) { ChefVault::Item.new("foo", "bar") }
-
-  before do
-    item["foo"] = "bar"
-    http_response = double("http_response")
-    allow(http_response).to receive(:code).and_return("404")
-    non_existing = Net::HTTPServerException.new("http error message", http_response)
-
-    allow(Chef::DataBagItem).to receive(:load).with(anything, /_key_/).and_raise(non_existing)
-  end
-
-  describe "vault probe predicates" do
-    before do
-      # a normal data bag item
-      @db = { "foo" => "..." }
-      @dbi = Chef::DataBagItem.new
-      @dbi.data_bag("normal")
-      @dbi.raw_data = { "id" => "foo", "foo" => "bar" }
-      allow(@db).to receive(:load).with("foo").and_return(@dbi)
-      allow(Chef::DataBag).to receive(:load).with("normal").and_return(@db)
-      allow(Chef::DataBagItem).to receive(:load).with("normal", "foo").and_return(@dbi)
-
-      # an encrypted data bag item (non-vault)
-      @encdb = { "foo" => "..." }
-      @encdbi = Chef::DataBagItem.new
-      @encdbi.data_bag("encrypted")
-      @encdbi.raw_data = {
-        "id" => "foo",
-        "foo" => { "encrypted_data" => "..." },
-      }
-      allow(@encdb).to receive(:load).with("foo").and_return(@encdbi)
-      allow(Chef::DataBag).to receive(:load).with("encrypted").and_return(@encdb)
-      allow(Chef::DataBagItem).to receive(:load).with("encrypted", "foo").and_return(@encdbi)
-
-      # two items that make up a vault
-      @vaultdb = { "foo" => "...", "foo_keys" => "..." }
-      @vaultdbi = Chef::DataBagItem.new
-      @vaultdbi.data_bag("vault")
-      @vaultdbi.raw_data = {
-        "id" => "foo",
-        "foo" => { "encrypted_data" => "..." },
-      }
-      allow(@vaultdb).to receive(:load).with("foo").and_return(@vaultdbi)
-      @vaultdbki = Chef::DataBagItem.new
-      @vaultdbki.data_bag("vault")
-      @vaultdbki.raw_data = { "id" => "foo_keys" }
-      allow(@vaultdb).to receive(:load).with("foo_keys").and_return(@vaultdbki)
-      allow(Chef::DataBag).to receive(:load).with("vault").and_return(@vaultdb)
-      allow(Chef::DataBagItem).to receive(:load).with("vault", "foo").and_return(@vaultdbi)
-    end
-
-    describe "::vault?" do
-      it "should detect a vault item" do
-        expect(ChefVault::Item.vault?("vault", "foo")).to be_truthy
-      end
-
-      it "should detect non-vault items" do
-        expect(ChefVault::Item.vault?("normal", "foo")).not_to be_truthy
-        expect(ChefVault::Item.vault?("encrypted", "foo")).not_to be_truthy
-      end
-    end
-
-    describe "::data_bag_item_type" do
-      it "should detect a vault item" do
-        expect(ChefVault::Item.data_bag_item_type("vault", "foo")).to eq(:vault)
-      end
-
-      it "should detect an encrypted data bag item" do
-        expect(ChefVault::Item.data_bag_item_type("encrypted", "foo")).to eq(:encrypted)
-      end
-
-      it "should detect a normal data bag item" do
-        expect(ChefVault::Item.data_bag_item_type("normal", "foo")).to eq(:normal)
-      end
-    end
-  end
-
-  describe "::new" do
-    it "item[keys] is an instance of ChefVault::ItemKeys" do
-      expect(item.keys).to be_an_instance_of(ChefVault::ItemKeys)
-    end
-
-    it "the item's 'vault' parameter is assigned to data_bag" do
-      expect(item.data_bag).to eq "foo"
-    end
-
-    it "the vault item name is assiged to the data bag ['id']" do
-      expect(item["id"]).to eq "bar"
-    end
-
-    it "creates a corresponding 'keys' data bag with an '_keys' id" do
-      expect(item.keys["id"]).to eq "bar_keys"
-    end
-
-    it "sets the item keys data bag to 'foo'" do
-      expect(item.keys.data_bag).to eq "foo"
-    end
-
-    it "defaults the node name" do
-      item = ChefVault::Item.new("foo", "bar")
-      expect(item.node_name).to eq(Chef::Config[:node_name])
-    end
-
-    it "defaults the client key path" do
-      item = ChefVault::Item.new("foo", "bar")
-      expect(item.client_key_path).to eq(Chef::Config[:client_key])
-    end
-
-    it "allows for a node name override" do
-      item = ChefVault::Item.new("foo", "bar", node_name: "baz")
-      expect(item.node_name).to eq("baz")
-    end
-
-    it "allows for a client key path override" do
-      item = ChefVault::Item.new("foo", "bar", client_key_path: "/foo/client.pem")
-      expect(item.client_key_path).to eq("/foo/client.pem")
-    end
-
-    it "allows for both node name and client key overrides" do
-      item = ChefVault::Item.new(
-        "foo", "bar",
-        node_name: "baz",
-        client_key_path: "/foo/client.pem"
-      )
-      expect(item.node_name).to eq("baz")
-      expect(item.client_key_path).to eq("/foo/client.pem")
-    end
-  end
-
-  describe "::load" do
-    it "allows for both node name and client key overrides" do
-      keys_db = Chef::DataBagItem.new
-      keys_db.raw_data = {
-        "id" => "bar_keys",
-        "baz" => "...",
-      }
-      allow(ChefVault::ItemKeys)
-        .to receive(:load)
-        .and_return(keys_db)
-      fh = double "private key handle"
-      allow(fh).to receive(:read).and_return("...")
-      allow(File).to receive(:open).and_return(fh)
-      privkey = double "private key contents"
-      allow(privkey).to receive(:private_decrypt).and_return("sekrit")
-      allow(OpenSSL::PKey::RSA).to receive(:new).and_return(privkey)
-      allow(Chef::EncryptedDataBagItem).to receive(:load).and_return(
-        "id" => "bar",
-        "password" => "12345"
-      )
-      item = ChefVault::Item.load(
-        "foo", "bar",
-        node_name: "baz",
-        client_key_path: "/foo/client.pem"
-      )
-      expect(item.node_name).to eq("baz")
-      expect(item.client_key_path).to eq("/foo/client.pem")
-    end
-  end
-
-  describe "#save" do
-    context 'when item["id"] is bar.bar' do
-      let(:item) { ChefVault::Item.new("foo", "bar.bar") }
-      it "raises an error on save with an invalid item['id']" do
-        expect { item.save }.to raise_error(RuntimeError)
-      end
-    end
-
-    it "validates that the id of the vault matches the id of the keys data bag" do
-      item = ChefVault::Item.new("foo", "bar")
-      item["id"] = "baz"
-      item.keys["clients"] = %w{admin}
-      expect { item.save }.to raise_error(ChefVault::Exceptions::IdMismatch)
-    end
-  end
-
-  describe "#refresh" do
-    let(:node) { { "name" => "testnode" } }
-
-    it "saves only the keys" do
-      keys = double("keys",
-                    search_query: "*:*",
-                    add: nil,
-                    admins: [],
-                    clients: ["testnode"])
-      allow(keys).to receive(:[]).with("id").and_return("bar_keys")
-      allow(ChefVault::ItemKeys).to receive(:new).and_return(keys)
-
-      item = ChefVault::Item.new("foo", "bar")
-
-      query = double("query")
-      allow(Chef::Search::Query).to receive(:new).and_return(query)
-      allow(query).to receive(:search).and_yield(node)
-
-      client_key = double("client_key",
-                          name: "testnode",
-                          public_key: OpenSSL::PKey::RSA.new(1024).public_key)
-      allow(item).to receive(:load_actor).with("testnode", "clients").and_return(client_key)
-
-      expect(item).not_to receive(:save)
-      expect(keys).to receive(:save)
-      item.refresh
-    end
-  end
-
-  describe "#clients" do
-    context "when search returns a node with a valid client backing it and one without a valid client" do
-      let(:node_with_valid_client) { { "name" => "foo" } }
-      let(:node_without_valid_client) { { "name" => "bar" } }
-      let(:query_result) { double("chef search results") }
-      let(:client_key) { double("chef key") }
-
-      before do
-        # node with valid client proper loads client key
-        allow(item).to receive(:load_actor).with("foo", "clients").and_return(client_key)
-        privkey = OpenSSL::PKey::RSA.new(1024)
-        pubkey = privkey.public_key
-        allow(client_key).to receive(:key).and_return(pubkey.to_pem)
-        allow(client_key).to receive(:name).and_return("foo")
-        allow(client_key).to receive(:type).and_return("clients")
-
-        # node without client throws relevant error on key load
-        allow(item).to receive(:load_actor).with("bar", "clients").and_raise(ChefVault::Exceptions::ClientNotFound)
-
-        allow(query_result)
-          .to receive(:search)
-          .with(Symbol, String, Hash)
-          .and_yield(node_with_valid_client).and_yield(node_without_valid_client)
-        allow(Chef::Search::Query)
-          .to receive(:new)
-          .and_return(query_result)
-      end
-
-      it "should not blow up when search returns a node without a public key" do
-        # try to set clients when we know a node is missing a public key
-        # this should not die as of v2.4.1
-        expect { item.clients("*:*") }.not_to raise_error
-      end
-
-      it "should emit a warning if search returns a node without a public key" do
-        # it should however emit a warning that you have a borked node
-        expect(ChefVault::Log).to receive(:warn).with(/node 'bar' has no private key; skipping/)
-        item.clients("*:*")
-      end
-    end
-
-    context "when a Chef::ApiClient is passed" do
-      let(:client) { Chef::ApiClient.new }
-      let(:client_name) { "foo" }
-      let(:client_key) { double("chef key") }
-
-      before do
-        client.name client_name
-        privkey = OpenSSL::PKey::RSA.new(1024)
-        pubkey = privkey.public_key
-        allow(item).to receive(:load_actor).with(client_name, "clients").and_return(client_key)
-        allow(client_key).to receive(:key).and_return(pubkey.to_pem)
-        allow(client_key).to receive(:name).and_return(client_name)
-        allow(client_key).to receive(:type).and_return("clients")
-      end
-
-      context "when no action is passed" do
-        it "default to add and properly add the client" do
-          item.clients(client)
-          expect(item.get_clients).to include(client_name)
-        end
-
-        it "does not perform a query" do
-          expect(Chef::Search::Query).not_to receive(:new)
-          item.clients(client)
-        end
-      end
-
-      context "when the delete action is passed on an existing client" do
-        before do
-          # add the client
-          item.clients(client)
-        end
-
-        it "properly deletes the client" do
-          item.clients(client, :delete)
-          expect(item.get_clients).to_not include(client_name)
-        end
-
-        it "does not perform a query" do
-          expect(Chef::Search::Query).not_to receive(:new)
-          item.clients(client, :delete)
-        end
-      end
-    end
-
-    context "when an Array with named clients is passed" do
-      let(:client) { Chef::ApiClient.new }
-      let(:clients) { Array.new }
-      let(:client_name) { "foo" }
-      let(:client_key) { double("chef key") }
-
-      before do
-        clients << client_name
-        client.name client_name
-        privkey = OpenSSL::PKey::RSA.new(1024)
-        pubkey = privkey.public_key
-        allow(item).to receive(:load_actor).with(client_name, "clients").and_return(client_key)
-        allow(client_key).to receive(:key).and_return(pubkey.to_pem)
-        allow(client_key).to receive(:name).and_return(client_name)
-        allow(client_key).to receive(:type).and_return("clients")
-      end
-
-      context "when no action is passed" do
-        it "defaults to add and properly adds the client" do
-          item.clients(clients)
-          expect(item.get_clients).to include(client_name)
-        end
-
-        it "does not perform a query" do
-          expect(Chef::Search::Query).not_to receive(:new)
-          item.clients(clients)
-        end
-      end
-
-      context "when the delete action is passed on an existing client" do
-        before do
-          # add the client
-          item.clients(clients)
-        end
-
-        it "properly deletes the client" do
-          item.clients(clients, :delete)
-          expect(item.get_clients).to_not include(client_name)
-        end
-
-        it "does not perform a query" do
-          expect(Chef::Search::Query).not_to receive(:new)
-          item.clients(clients, :delete)
-        end
-      end
-    end
-  end
-
-  describe "#admins" do
-    before do
-      allow(item).to receive(:load_actor).with("foo", "admins").and_raise(ChefVault::Exceptions::AdminNotFound)
-    end
-
-    it "should blow up if you try to use a node without a public key as an admin" do
-      expect { item.admins("foo,bar") }
-        .to raise_error(ChefVault::Exceptions::AdminNotFound)
-    end
-  end
-
-  describe "#raw_keys" do
-    it "should return the keys of the underlying data bag item" do
-      item = ChefVault::Item.new("foo", "bar")
-      item["foo"] = "bar"
-      expect(item.raw_keys).to eq(%w{id foo})
-    end
-  end
-end

data/spec/chef-vault/user_spec.rb

@@ -1,36 +0,0 @@
-RSpec.describe ChefVault::User do
-  let(:item) { double(ChefVault::Item) }
-  let(:user) { ChefVault::User.new("foo", "bar") }
-
-  before do
-    allow(ChefVault::Item).to receive(:load).with("foo", "bar") { item }
-    allow(item).to receive(:[]).with("id") { "bar" }
-    allow(item).to receive(:[]).with("password") { "baz" }
-  end
-
-  describe "#new" do
-    it "loads item" do
-      expect(ChefVault::Item).to receive(:load).with("foo", "bar")
-
-      ChefVault::User.new("foo", "bar")
-    end
-  end
-
-  describe "#[]" do
-    it "returns the value of the 'id' parameter" do
-      expect(user["id"]).to eq "bar"
-    end
-  end
-
-  describe "decrypt_password" do
-    it "echoes warning" do
-      expect(ChefVault::Log).to receive(:warn).with("This method is deprecated, please switch to item['value'] calls")
-      user.decrypt_password
-    end
-
-    it "returns items password" do
-      expect(item).to receive(:[]).with("password")
-      expect(user.decrypt_password).to eq "baz"
-    end
-  end
-end

data/spec/chef-vault_spec.rb

@@ -1,65 +0,0 @@
-#
-# Helper for configuring the Chef Zero server
-# (inspired by ChefSpec)
-#
-def chef_zero
-  require "socket"
-  require "tmpdir"
-  require "fileutils"
-  require "chef_zero/server"
-  # Find a free TCP port
-  server = TCPServer.new("127.0.0.1", 0)
-  port = server.addr[1].to_i
-  server.close
-  # Define a Chef Zero Server
-  server = ChefZero::Server.new(port: port)
-  # Write the private key
-  tmp = Dir.mktmpdir
-  key = File.join(tmp, "client.pem")
-  File.write(key, ChefZero::PRIVATE_KEY)
-  # Configure the server
-  Chef::Config[:client_key]      = key
-  Chef::Config[:client_name]     = "chefvault"
-  Chef::Config[:node_name]       = "chefvault"
-  Chef::Config[:chef_server_url] = server.url
-  # Exit handlers
-  at_exit { FileUtils.rm_rf(tmp) }
-  at_exit { server.stop if server.running? }
-  server
-end
-
-RSpec.describe ChefVault do
-  let(:vault) { ChefVault.new("foo") }
-
-  describe "#new" do
-    context "with only a vault parameter specified" do
-
-      it "assigns 'foo' to the vault accessor" do
-        expect(vault.vault).to eq "foo"
-      end
-    end
-  end
-
-  context "with a vault and config file parameter specified" do
-    before do
-      allow(IO).to receive(:read).with("knife.rb").and_return("node_name 'myserver'")
-    end
-
-    let(:vault) { ChefVault.new("foo", "knife.rb") }
-
-    it "assigns 'foo' to the vault accessor" do
-      expect(vault.vault).to eq "foo"
-    end
-
-    it "loads the Chef config values" do
-      expect(ChefVault).to receive(:load_config).with("knife.rb")
-      vault
-    end
-  end
-
-  describe "#version" do
-    it "the version method equals VERSION" do
-      expect(vault.version).to eq(ChefVault::VERSION)
-    end
-  end
-end

data/spec/spec_helper.rb

@@ -1,91 +0,0 @@
-require "simplecov" if ENV["COVERAGE"]
-require_relative "../lib/chef-vault"
-
-# This file was generated by the `rspec --init` command. Conventionally, all
-# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
-# The generated `.rspec` file contains `--require spec_helper` which will cause this
-# file to always be loaded, without a need to explicitly require it in any files.
-#
-# Given that it is always loaded, you are encouraged to keep this file as
-# light-weight as possible. Requiring heavyweight dependencies from this file
-# will add to the boot time of your test suite on EVERY test run, even for an
-# individual file that may not need all of that loaded. Instead, consider making
-# a separate helper file that requires the additional dependencies and performs
-# the additional setup, and require it from the spec files that actually need it.
-#
-# The `.rspec` file also contains a few flags that are not defaults but that
-# users commonly want.
-#
-# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
-RSpec.configure do |config|
-  # rspec-expectations config goes here. You can use an alternate
-  # assertion/expectation library such as wrong or the stdlib/minitest
-  # assertions if you prefer.
-  config.expect_with :rspec do |expectations|
-    # This option will default to `true` in RSpec 4. It makes the `description`
-    # and `failure_message` of custom matchers include text for helper methods
-    # defined using `chain`, e.g.:
-    # be_bigger_than(2).and_smaller_than(4).description
-    #   # => "be bigger than 2 and smaller than 4"
-    # ...rather than:
-    #   # => "be bigger than 2"
-    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
-  end
-
-  # rspec-mocks config goes here. You can use an alternate test double
-  # library (such as bogus or mocha) by changing the `mock_with` option here.
-  config.mock_with :rspec do |mocks|
-    # Prevents you from mocking or stubbing a method that does not exist on
-    # a real object. This is generally recommended, and will default to
-    # `true` in RSpec 4.
-    mocks.verify_partial_doubles = true
-    mocks.allow_message_expectations_on_nil = true
-  end
-
-  # The settings below are suggested to provide a good initial experience
-  # with RSpec, but feel free to customize to your heart's content.
-  # These two settings work together to allow you to limit a spec run
-  # to individual examples or groups you care about by tagging them with
-  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
-  # get run.
-  config.filter_run :focus
-  config.run_all_when_everything_filtered = true
-
-  # Limits the available syntax to the non-monkey patched syntax that is recommended.
-  # For more details, see:
-  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
-  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
-  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
-  config.disable_monkey_patching!
-
-  # This setting enables warnings. It's recommended, but in some cases may
-  # be too noisy due to issues in dependencies.
-  # config.warnings = true
-
-  # Many RSpec users commonly either run the entire suite or an individual
-  # file, and it's useful to allow more verbose output when running an
-  # individual spec file.
-  if config.files_to_run.one?
-    # Use the documentation formatter for detailed output,
-    # unless a formatter has already been configured
-    # (e.g. via a command-line flag).
-    config.default_formatter = "doc"
-  end
-
-  # Print the 10 slowest examples and example groups at the
-  # end of the spec run, to help surface which specs are running
-  # particularly slow.
-  config.profile_examples = 10
-
-  # Run specs in random order to surface order dependencies. If you find an
-  # order dependency and want to debug it, you can fix the order by providing
-  # the seed, which is printed after each run.
-  #     --seed 1234
-  config.order = :random
-
-  # Seed global randomization in this process using the `--seed` CLI option.
-  # Setting this allows you to use `--seed` to deterministically reproduce
-  # test failures related to randomization by passing the same `--seed` value
-  # as the one that triggered the failure.
-  Kernel.srand config.seed
-end

data/tasks/github_changelog_generator.rb

@@ -1,30 +0,0 @@
-#
-# Copyright:: Copyright (c) 2016 Chef Software Inc.
-# License:: Apache License, Version 2.0
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-require "chef-vault/version"
-
-begin
-  require "github_changelog_generator/task"
-
-  GitHubChangelogGenerator::RakeTask.new :changelog do |config|
-    config.future_release = "v#{ChefVault::VERSION}"
-    config.max_issues = 0
-    config.add_issues_wo_labels = false
-  end
-rescue LoadError
-  puts "github_changelog_generator is not available. gem install github_changelog_generator to generate changelogs"
-end