chef-vault 3.4.0.pre.pre419 → 3.4.0.pre.pre420

data/UPGRADE.md

@@ -1,55 +0,0 @@
-# UPGRADING A v1 VAULT to v2
-
-chef-vault v2 added metadata to the vault to keep track of
-which secrets belong to clients and which belong to admins,
-as well as the search query to use during a `knife vault refresh`
-operation.
-
-You can use chef-vault v2 to decrypt v1 vaults, but the management
-operations are unable to intuit which of the secrets belong to
-clients and which belong to admins.  Fixing this error thus requires
-some manual intervention.
-
-If you attempt to use the management operations (refresh, update, etc.)
-on a v1 vault, you will get this error:
-
-    ChefVault::Exceptions::V1Format: cannot manage a v1 vault.  See UPGRADE.md for help
-
-To fix this, you need to edit the data bag item by hand.   Assuming a
-vault 'foo' with an item 'bar', run:
-
-    knife data bag edit foo bar_keys
-
-This will present you with a JSON representation of the extra data
-bag item managed by chef-vault.  It will have an id key as well as a key
-for every user for whom the vault item is encrypted:
-
-    {
-      "id" : "bar_keys",
-      "james" : "iWdGgm...\n",
-      "one" : "RjJ4rlh....\n",
-      "two" : "NHJlqnfd9...\n",
-      "three" : "GjXkrxq...\n"
-    }
-
-Add keys for 'admins', 'clients' and 'search_query':
-
-    {
-      "id" : "bar_keys",
-      "james" : "iWdGgm...\n",
-      "one" : "RjJ4rlh....\n",
-      "two" : "NHJlqnfd9...\n",
-      "three" : "GjXkrxq...\n",
-      "admins": [],
-      "clients": [],
-      "search_query": ""
-    }
-
-Save the edited data bag and run knife vault update with the appropriate values to populate those keys:
-
-    knife vault update foo bar -S 'name:*' -A james
-
-(set your search query to something appropriate for your environment)
-
-v2.7.0 of chef-vault may add some automation to this step, but for now this
-provides a way to upgrade without breaking your ability to manage things.

data/appveyor.yml

@@ -1,32 +0,0 @@
-version: "master-{build}"
-
-os: Windows Server 2012 R2
-platform:
-  - x64
-
-clone_depth: 1
-skip_tags: true
-skip_branch_with_pr: true
-branches:
-  only:
-    - master
-
-# caching vendor/bundle appears to break horribly in the face of gems checked out of git
-# cache:
-#   - vendor/bundle
-
-install:
-  - ps: iex (irm https://omnitruck.chef.io/install.ps1); Install-Project -Project chefdk -channel stable
-  - bundle config --local path vendor/bundle
-  - SET CI=true
-  - SET BUNDLE_WITHOUT=changelog:style
-
-build_script:
-  - ps: c:\opscode\chefdk\bin\chef.bat shell-init powershell | iex
-  - bundle install || bundle install || bundle install
-
-test_script:
-  - SET SPEC_OPTS=--format progress
-  - c:\opscode\chefdk\bin\chef.bat exec bundle exec rake spec
-  # aruba on windows seems pretty terribadly broken: https://github.com/cucumber/aruba/pull/422
-  # - c:\opscode\chefdk\bin\chef.bat exec bundle exec cucumber

data/chef-vault.gemspec

@@ -1,54 +0,0 @@
-# -*- encoding: utf-8 -*-
-# Chef-Vault Gemspec file
-# Copyright 2013-15, Nordstrom, Inc.
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-#     http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-$:.push File.expand_path("../lib", __FILE__)
-require "chef-vault/version"
-
-def self.prerelease?
-  !ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
-end
-
-Gem::Specification.new do |s|
-  s.name             = "chef-vault"
-  s.version          = ChefVault::VERSION
-  s.version          = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
-  s.has_rdoc         = true
-  s.authors          = ["Thom May"]
-  s.email            = ["thom@chef.io"]
-  s.summary          = "Data encryption support for Chef using data bags"
-  s.description      = s.summary
-  s.homepage         = "https://github.com/chef/chef-vault"
-  s.license          = "Apache License, v2.0"
-  s.files            = `git ls-files`.split("\n")
-  s.require_paths    = ["lib"]
-  s.bindir           = "bin"
-  s.executables      = %w{ chef-vault }
-
-  s.required_ruby_version = ">= 2.2.0"
-
-  s.add_development_dependency "rake", "~> 11.0"
-  s.add_development_dependency "rspec", "~> 3.4"
-  s.add_development_dependency "aruba", "~> 0.6"
-  s.add_development_dependency "simplecov", "~> 0.9"
-  s.add_development_dependency "simplecov-console", "~> 0.2"
-  if ENV.key?("TRAVIS_BUILD") && RUBY_VERSION == "2.1.9"
-    # Test version of Chef with Chef Zero before
-    # /orgs/org/users/user/keys endpoint was added.
-    s.add_development_dependency "chef", "12.8.1"
-  else # Test most current version of Chef on 2.2.2
-    s.add_development_dependency :chef
-  end
-end

data/features/clean.feature

@@ -1,23 +0,0 @@
-Feature: clean client keys
-  When updating a vault item, chef-vault normally performs the
-  saved or specified query and encrypts the item for all nodes
-  returned.  It does not remove old client keys from the vault
-  item keys data bag, which will grow over time.  Using the
-  --clean switch will cause all client keys to be removed from
-  the data bag before encrypting the item for all clients
-  returned by the query
-
-  Scenario: Do not clean client keys on update
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
-    Then the vault item 'test/item' should be encrypted for 'one,two'
-    And I update the vault item 'test/item' to be encrypted for 'two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-
-  Scenario: Clean client keys on update
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
-    Then the vault item 'test/item' should be encrypted for 'one,two'
-    And I update the vault item 'test/item' to be encrypted for 'two,three' with the clean option
-    Then the vault item 'test/item' should be encrypted for 'two,three'
-    And the vault item 'test/item' should not be encrypted for 'one'

data/features/clean_on_refresh.feature

@@ -1,27 +0,0 @@
-Feature: clean unknown clients on vault refresh
-  When refreshing a vault, new clients may be added if they match
-  the search query or client list, but old clients that no longer
-  exist will never be removed.  The --clean-unknown-clients switch
-  will cause cause any unknown clients to be removed from the vault
-  item's access list as well
-
-  Scenario: Refresh without clean option
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete node 'one' from the Chef server
-    And I refresh the vault item 'test/item'
-    And the vault item 'test/item' should be encrypted for 'one,two,three'
-    And 'one,two,three' should be a client for the vault item 'test/item'
-
-  Scenario: Refresh with clean option
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete node 'one' from the Chef server
-    And I refresh the vault item 'test/item' with the 'clean-unknown-clients' option
-    Then the output should contain "Removing unknown client 'one'"
-    And the vault item 'test/item' should be encrypted for 'two,three'
-    And the vault item 'test/item' should not be encrypted for 'one'
-    And 'two,three' should be a client for the vault item 'test/item'
-    And 'one' should not be a client for the vault item 'test/item'

data/features/clean_unknown_clients.feature

@@ -1,45 +0,0 @@
-Feature: clean unknown clients on key rotation
-  When removing a client from a vault item, chef-vault normally
-  removes the key and then rotates the key.  If a node has been
-  deleted in the meantime from the Chef server but not the vault,
-  the rotation will fail due to that client's public key missing.
-  Using the --clean-unknown-clients switch will cause any clients
-  that have been removed to be removed from the vault item's
-  access list as well
-
-  Scenario: Prune clients when rotating keys
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete node 'one' from the Chef server
-    And I rotate the keys for vault item 'test/item' with the 'clean-unknown-clients' option
-    Then the output should contain "Removing unknown client 'one'"
-    And the vault item 'test/item' should be encrypted for 'two,three'
-    And the vault item 'test/item' should not be encrypted for 'one'
-    And 'two,three' should be a client for the vault item 'test/item'
-    And 'one' should not be a client for the vault item 'test/item'
-
-  Scenario: Prune clients when rotating all keys
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete nodes 'one,two' from the Chef server
-    And I rotate all keys with the 'clean-unknown-clients' option
-    Then the output should contain "Removing unknown client 'one'"
-    And the output should contain "Removing unknown client 'two'"
-    And the vault item 'test/item' should be encrypted for 'three'
-    And the vault item 'test/item' should not be encrypted for 'one,two'
-    And 'three' should be a client for the vault item 'test/item'
-    And 'one,two' should not be a client for the vault item 'test/item'
-
-  Scenario: Prune clients when node gone but client exists
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete node 'one' from the Chef server
-    And I rotate the keys for vault item 'test/item' with the 'clean-unknown-clients' option
-    Then the output should contain "Removing unknown client 'one'"
-    And the vault item 'test/item' should be encrypted for 'two,three'
-    And the vault item 'test/item' should not be encrypted for 'one'
-    And 'two,three' should be a client for the vault item 'test/item'
-    And 'one' should not be a client for the vault item 'test/item'

data/features/detect_and_warn_v1_vault.feature

@@ -1,14 +0,0 @@
-Feature: Detect and Warn for v1 Vaults
-  chef-vault can read a v1 vault, but the management commands
-  tend to break when they try to reference v2 fields like
-  clients and admins.  They should detect and warn when trying
-  to access a v1 vault
-
-  Scenario: Add search query to v1 vault
-    Given a local mode chef repo with nodes 'one,two,three' with admins 'bob'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And 'one,two,three' should be a client for the vault item 'test/item'
-    And I downgrade the vault item 'test/item' to v1 syntax
-    And I try to add 'bob' as an admin for the vault item 'test/item'
-    Then the output should match /cannot manage a v1 vault.  See UPGRADE.md for help/

data/features/isvault.feature

@@ -1,29 +0,0 @@
-Feature: determine if a data bag item is a vault
-  If a data bag item is a vault, 'knife vault isvault VAULTNAME ITEMNAME'
-  should exit 0.  Otherwise it should exit 1.
-
-  Scenario: detect vault item
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    And I check if the data bag item 'test/item' is a vault
-    Then the exit status should be 0
-
-  Scenario: detect vault item with keys in sparse mode
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' with keys in sparse mode containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    And I check if the data bag item 'test/item' is a vault
-    Then the exit status should be 0
-
-  Scenario: detect non-vault item (encrypted data bag)
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create an empty data bag 'test'
-    And I create an encrypted data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}' with the secret 'sekrit'
-    And I check if the data bag item 'test/item' is a vault
-    Then the exit status should not be 0
-
-  Scenario: detect non-vault item (normal data bag)
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create an empty data bag 'test'
-    And I create a data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}'
-    And I check if the data bag item 'test/item' is a vault
-    Then the exit status should not be 0

data/features/itemtype.feature

@@ -1,24 +0,0 @@
-Feature: determine the type of a data bag item
-  'knife vault itemtype VAULTNAME ITEMNAME' should output one of
-  'normal', 'encrypted', or 'vault' depending on what type of item
-  it detects
-
-  Scenario: detect vault item
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    And I check the type of the data bag item 'test/item'
-    Then the output should match /^vault$/
-
-  Scenario: detect non-vault item (encrypted data bag)
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create an empty data bag 'test'
-    And I create an encrypted data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}' with the secret 'sekrit'
-    And I check the type of the data bag item 'test/item'
-    Then the output should match /^encrypted$/
-
-  Scenario: detect non-vault item (normal data bag)
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create an empty data bag 'test'
-    And I create a data bag item 'test/item' containing the JSON '{"id": "item", "foo": "bar"}'
-    And I check the type of the data bag item 'test/item'
-    Then the output should match /^normal$/

data/features/step_definitions/chef-databag.rb

@@ -1,9 +0,0 @@
-When(/^I create a data bag '(.+)' containing the JSON '(.+)'$/) do |bag, json|
-  write_file "item.json", json
-  run_simple "knife data bag create #{bag} -z -c knife.rb -d"
-  run_simple "knife data bag from_file #{bag} -z -c knife.rb item.json"
-end
-
-Given(/^I create an empty data bag '(.+)'$/) do |databag|
-  run_simple "knife data bag create #{databag} -z -c knife.rb", false
-end

data/features/step_definitions/chef-repo.rb

@@ -1,72 +0,0 @@
-Given(/^a local mode chef repo with nodes '(.+?)'(?: with admins '(.+?)')?$/) do |nodelist, adminlist|
-  # create the repo directory hierarchy
-  %w{cookbooks clients nodes data_bags}.each do |dir|
-    create_directory dir
-  end
-  # create a basic knife.rb
-  write_file "knife.rb", <<EOF
-local_mode true
-chef_repo_path '.'
-chef_zero.enabled true
-knife[:vault_mode] = 'client'
-EOF
-  # create the admin users and capture their private key we
-  # always create an admin called 'admin' because otherwise subsequent
-  # steps become annoying to determine who the admin is
-  admins = %w{admin}
-  admins.push(adminlist.split(/,/)) if adminlist
-  admins.flatten.each do |admin|
-    create_admin(admin)
-  end
-  # add the admin key to the knife configuration
-  append_to_file "knife.rb", <<EOF
-node_name 'admin'
-client_key 'admin.pem'
-EOF
-  # create the requested nodes
-  nodelist.split(/,/).each do |node|
-    create_client(node)
-    create_node(node)
-  end
-end
-
-Given(/^I create an admin named '(.+)'$/) do |admin|
-  create_admin(admin)
-end
-
-Given(/^I delete clients? '(.+)' from the Chef server$/) do |nodelist|
-  nodelist.split(/,/).each do |node|
-    delete_client(node)
-  end
-end
-
-Given(/^I regenerate the client key for the node '(.+)'$/) do |node|
-  delete_client(node)
-  create_client(node)
-end
-
-Given(/^I delete nodes? '(.+)' from the Chef server$/) do |nodelist|
-  nodelist.split(/,/).each { |node| delete_node(node) }
-end
-
-def create_node(name)
-  run_simple "knife node create #{name} -z -d -c knife.rb"
-end
-
-def create_admin(admin)
-  create_client(admin, "-a")
-end
-
-def create_client(name, args = nil)
-  command = "knife client create #{name} -z -d -c knife.rb #{args} >#{name}.pem"
-  run_simple command
-  write_file("#{name}.pem", last_command_started.stdout)
-end
-
-def delete_client(name)
-  run_simple "knife client delete #{name} -y -z -c knife.rb"
-end
-
-def delete_node(name)
-  run_simple "knife node delete #{name} -y -z -c knife.rb"
-end

data/features/step_definitions/chef-vault.rb

@@ -1,151 +0,0 @@
-require "json"
-
-Given(/^I create a vault item '(.+)\/(.+)'( with keys in sparse mode)? containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, sparse, json, nodelist, admins|
-  write_file "item.json", json
-  query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
-  adminarg = admins.nil? ? "-A admin" : "-A #{admins}"
-  sparseopt = sparse.nil? ? "" : "-K sparse"
-  run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} #{sparseopt} -S '#{query}' -J item.json", false
-end
-
-Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
-  query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
-  run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? '--clean' : ''}"
-end
-
-Given(/^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |nodelist, vault, item, optionlist|
-  query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
-  options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
-  run_simple "knife vault remove #{vault} #{item} -z -c knife.rb -S '#{query}' #{options}"
-end
-
-Given(/^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
-  options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
-  run_simple "knife vault rotate keys #{vault} #{item} -c knife.rb -z #{options}"
-end
-
-Given(/^I rotate all keys with the '(.+)' options?$/) do |optionlist|
-  options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
-  run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
-end
-
-Given(/^I refresh the vault item '(.+)\/(.+)'$/) do |vault, item|
-  run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z"
-end
-
-Given(/^I refresh the vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
-  options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
-  run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z #{options}"
-end
-
-Given(/^I try to decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |vault, item, node|
-  run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem", false
-end
-
-Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'( with keys in sparse mode)?$/) do |vault, item, neg, nodelist, sparse|
-  nodes = nodelist.split(/,/)
-  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
-  run_simple(command)
-  output = last_command_started.stdout
-  data = JSON.parse(output)
-  if sparse
-    expect(data).to include("mode" => "sparse")
-    nodes.each do |node|
-      command = "knife data bag show #{vault} #{item}_key_#{node} -z -c knife.rb -F json"
-      run_simple(command, fail_on_error: false)
-      if neg
-        error = last_command_started.stderr
-        expect(error).to include("ERROR: The object you are looking for could not be found")
-      else
-        data = JSON.parse(last_command_started.stdout)
-        expect(data).to include("id" => "#{item}_key_#{node}")
-      end
-    end
-  else
-    expect(data).to include("mode" => "default")
-    nodes.each { |node| neg ? (expect(data).not_to include(node)) : (expect(data).to include(node)) }
-  end
-end
-
-Given(/^'(.+)' should( not)? be a client for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
-  nodes = nodelist.split(/,/)
-  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
-  run_simple(command)
-  output = last_command_started.stdout
-  data = JSON.parse(output)
-  nodes.each do |node|
-    if neg
-      expect(data["clients"]).not_to include(node)
-    else
-      expect(data["clients"]).to include(node)
-    end
-  end
-end
-
-Given(/^'(.+)' should( not)? be an admin for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
-  nodes = nodelist.split(/,/)
-  command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
-  run_simple(command)
-  output = last_command_started.stdout
-  data = JSON.parse(output)
-  nodes.each do |node|
-    if neg
-      expect(data["admins"]).not_to include(node)
-    else
-      expect(data["admins"]).to include(node)
-    end
-  end
-end
-
-Given(/^I list the vaults$/) do
-  run_simple("knife vault list")
-end
-
-Given(/^I can('t)? decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |neg, vault, item, client|
-  run_simple "knife vault show #{vault} #{item} -c knife.rb -z -u #{client} -k #{client}.pem", false
-  if neg
-    expect(last_command_started).not_to have_exit_status(0)
-  else
-    expect(last_command_started).to have_exit_status(0)
-  end
-end
-
-Given(/^I (try to )?add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |try, newadmin, vault, item|
-  run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}", !try
-end
-
-Given(/^I show the keys of the vault '(.+)'$/) do |vault|
-  run_simple "knife vault show #{vault} -c knife.rb -z"
-end
-
-Given(/^I check if the data bag item '(.+)\/(.+)' is a vault$/) do |vault, item|
-  run_simple "knife vault isvault #{vault} #{item} -c knife.rb -z", false
-end
-
-Given(/^I check the type of the data bag item '(.+)\/(.+)'$/) do |vault, item|
-  run_simple "knife vault itemtype #{vault} #{item} -c knife.rb -z"
-end
-
-Given(/^I downgrade the vault item '(.+)\/(.+)' to v1 syntax/) do |vault, item|
-  # v1 syntax doesn't have the admins, clients and search_query keys
-  keysfile = "tmp/aruba/data_bags/#{vault}/#{item}_keys.json"
-  data = JSON.parse(IO.read(keysfile))
-  %w{admins clients search_query}.each { |k| data.key?("raw_data") ? data["raw_data"].delete(k) : data.delete(k) }
-  IO.write(keysfile, JSON.generate(data))
-end
-
-Given(/^I can save the JSON object of the encrypted data bag for the vault item '(.+)\/(.+)'$/) do |vault, item|
-  command = "knife data bag show #{vault} #{item} -z -c knife.rb -F json"
-  run_simple(command)
-  output = last_command_started.stdout
-  @saved_encrypted_vault_item = JSON.parse(output)
-end
-
-Given(/^the data bag of the vault item '(.+)\/(.+)' has not been re-encrypted$/) do |vault, item|
-  command = "knife data bag show #{vault} #{item} -z -c knife.rb -F json"
-  run_simple(command)
-  output = last_command_started.stdout
-  encrypted_vault_item = JSON.parse(output)
-
-  expect(encrypted_vault_item).to eq(@saved_encrypted_vault_item)
-end