chef-vault 3.4.2 → 4.0.11

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ae942cd10e48bec9d688f5c91e12853ebd257a2664768444d3f9f472e391dcc3
-  data.tar.gz: 04dc8c57516c24949b014cbb7e2e259dea2f9e7458505bccb87b6ab0698db1f4
+  metadata.gz: a31b1dc1d2889fdab403f6f55a662c744529586f116d4d3f87196595fedc245c
+  data.tar.gz: '079f1cabc8c809b0a98b30b0e19181e88ea205317387ec1eef8a396c43476d56'
 SHA512:
-  metadata.gz: 6dad5ce4503b40fe2866c9c89d34ab45e56c8cbbac9bc98a4a2716584b1898277e4d2b177ff133b4959b7fee722d9a6b22fcd318c39d0703eb54bd657fa0f637
-  data.tar.gz: 18706d51d76afd1929e09a79a618b9a174604b37b22e778bed552620061f8826919d239ecf47a63b03ef729495b558fc0002640dac19e37d8d74c2cbd4d3c4b3
+  metadata.gz: 50b6f9f0261bfd2f98aecdb0f84ec2c7b9aa775d31982ab2985a758cf423bf2af128e10f69de353129d3e74ce92d5f0579fafcdb3764abd6344a5de7b1e8ac84
+  data.tar.gz: b6a488022c267e9c9709ec16ac835b45a833a11445c20af6b833f50e2d650bc5f6d9949baabce01f3502168b16c7ad1b676856d683e63914122e3a380a18fe99

data/Gemfile

@@ -1,14 +1,25 @@
-source "https://rubygems.org/"
+source "https://rubygems.org"
 
 gemspec
 
 group :development do
-  gem "chefstyle", git: "https://github.com/chef/chefstyle.git"
+  gem "chefstyle"
   gem "chef-zero"
   gem "rake"
   gem "rspec", "~> 3.4"
   gem "aruba", "~> 0.6"
-  gem "simplecov", "~> 0.9"
-  gem "simplecov-console", "~> 0.2"
-  gem "chef"
+  gem "chef", "~> 14.0" # avoids test failures on license acceptance
+end
+
+group :docs do
+  gem "yard"
+  gem "redcarpet"
+  gem "github-markup"
+end
+
+group :debug do
+  gem "pry"
+  gem "pry-byebug"
+  gem "pry-stack_explorer", "~> 0.4.0" # pin until we drop ruby < 2.6
+  gem "rb-readline"
 end

data/bin/chef-vault

@@ -18,7 +18,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "optparse"
+require "optparse" unless defined?(OptionParser)
 
 options_config = {
   chef: {
@@ -82,7 +82,7 @@ options_config.each do |option, config|
   options[option] = options[option] ? options[option] : config[:default]
 end
 
-require "rubygems"
+require "rubygems" unless defined?(Gem)
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
 require "chef-vault"
 

data/chef-vault.gemspec

@@ -1,6 +1,6 @@
-# -*- encoding: utf-8 -*-
 # Chef-Vault Gemspec file
-# Copyright 2013-15, Nordstrom, Inc.
+# Copyright 2013-2015, Nordstrom, Inc.
+# Copyright 2017-2019, Chef Software, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,24 +17,19 @@
 $:.push File.expand_path("../lib", __FILE__)
 require "chef-vault/version"
 
-def self.prerelease?
-  !ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
-end
-
 Gem::Specification.new do |s|
   s.name             = "chef-vault"
   s.version          = ChefVault::VERSION
-  s.version          = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
   s.authors          = ["Thom May"]
   s.email            = ["thom@chef.io"]
-  s.summary          = "Data encryption support for Chef using data bags"
+  s.summary          = "Data encryption support for Chef Infra using data bags"
   s.description      = s.summary
   s.homepage         = "https://github.com/chef/chef-vault"
   s.license          = "Apache-2.0"
-  s.files            = %w{LICENSE README.md Gemfile} + Dir.glob("*.gemspec") + `git ls-files`.split("\n").select { |f| f =~ %r{^(?:bin/|lib/)}i }
+  s.files            = %w{LICENSE Gemfile} + Dir.glob("*.gemspec") + `git ls-files`.split("\n").select { |f| f =~ %r{^(?:bin/|lib/)}i }
   s.require_paths    = ["lib"]
   s.bindir           = "bin"
   s.executables      = %w{ chef-vault }
 
-  s.required_ruby_version = ">= 2.2.0"
+  s.required_ruby_version = ">= 2.4"
 end

data/lib/chef-vault.rb

@@ -23,14 +23,14 @@ require "chef/api_client"
 require "chef/data_bag_item"
 require "chef/encrypted_data_bag_item"
 require "chef/user"
-require "chef-vault/version"
-require "chef-vault/exceptions"
-require "chef-vault/item"
-require "chef-vault/item_keys"
-require "chef-vault/user"
-require "chef-vault/certificate"
-require "chef-vault/chef_api"
-require "chef-vault/actor"
+require_relative "chef-vault/version"
+require_relative "chef-vault/exceptions"
+require_relative "chef-vault/item"
+require_relative "chef-vault/item_keys"
+require_relative "chef-vault/user"
+require_relative "chef-vault/certificate"
+require_relative "chef-vault/chef_api"
+require_relative "chef-vault/actor"
 
 require "mixlib/log"
 

data/lib/chef-vault/actor.rb

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "json"
+require "json" unless defined?(JSON)
 
 class ChefVault
   class Actor
@@ -27,6 +27,7 @@ class ChefVault
       if actor_type != "clients" && actor_type != "admins"
         raise "You must pass either 'clients' or 'admins' as the first argument to ChefVault::Actor.new."
       end
+
       @type = actor_type
       @name = actor_name
     end
@@ -52,7 +53,7 @@ class ChefVault
           case http_error.response.code
           when "404"
             raise ChefVault::Exceptions::AdminNotFound,
-                  "FATAL: Could not find default key for #{name} in users or clients!"
+              "FATAL: Could not find default key for #{name} in users or clients!"
           when "403"
             print_forbidden_error
             raise http_error
@@ -73,7 +74,7 @@ class ChefVault
         raise http_error
       elsif http_error.response.code.eql?("404")
         raise ChefVault::Exceptions::ClientNotFound,
-              "#{name} is not a valid chef client and/or node"
+          "#{name} is not a valid chef client and/or node"
       else
         raise http_error
       end
@@ -115,6 +116,7 @@ class ChefVault
     # If the keys endpoint doesn't exist, try getting it directly from the V0 chef object.
     rescue Net::HTTPServerException => http_error
       raise http_error unless http_error.response.code.eql?("404")
+
       if request_actor_type.eql?("clients")
         chef_api_client.load(name).public_key
       else

data/lib/chef-vault/item.rb

@@ -15,8 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "securerandom"
-require "chef-vault/mixins"
+require "securerandom" unless defined?(SecureRandom)
+require_relative "mixins"
 
 class ChefVault
   class Item < Chef::DataBagItem
@@ -131,6 +131,10 @@ class ChefVault
       end
     end
 
+    def mode(mode)
+      keys.mode(mode) if mode
+    end
+
     def admins(admin_string, action = :add)
       admin_string.split(",").each do |admin|
         admin.strip!
@@ -142,7 +146,7 @@ class ChefVault
           keys.delete(admin_key)
         else
           raise ChefVault::Exceptions::KeysActionNotValid,
-                "#{action} is not a valid action"
+            "#{action} is not a valid action"
         end
       end
     end
@@ -157,7 +161,7 @@ class ChefVault
 
     def secret
       if @keys.include?(@node_name) && !@keys[@node_name].nil?
-        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read())
+        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
         begin
           private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
         rescue OpenSSL::PKey::RSAError
@@ -268,7 +272,7 @@ class ChefVault
 
       if Chef::Config[:solo_legacy_mode]
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
         data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
 
         FileUtils.rm("#{data_bag_item_path}.json")
@@ -336,7 +340,16 @@ class ChefVault
     def self.data_bag_item_type(vault, name)
       # adapted from https://github.com/opscode-cookbooks/chef-vault/blob/v1.3.0/libraries/chef_vault_item.rb
       # and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
-      dbi = Chef::DataBagItem.load(vault, name)
+      begin
+        dbi = Chef::DataBagItem.load(vault, name)
+      rescue Net::HTTPServerException => http_error
+        if http_error.response.code == "404"
+          raise ChefVault::Exceptions::ItemNotFound,
+            "#{vault}/#{name} not found"
+        else
+          raise http_error
+        end
+      end
       encrypted = dbi.detect do |_, v|
         v.is_a?(Hash) && v.key?("encrypted_data")
       end
@@ -358,12 +371,12 @@ class ChefVault
     #   no longer be found
     # @return [void]
     def refresh(clean_unknown_clients = false)
-      unless search
+      if search.empty?
         raise ChefVault::Exceptions::SearchNotFound,
-              "#{vault}/#{item} does not have a stored search_query, "\
-              "probably because it was created with an older version "\
-              "of chef-vault. Use 'knife vault update' to update the "\
-              "databag with the search query."
+          "#{@data_bag}/#{@raw_data["id"]} does not have a stored "\
+          "search_query, probably because it was created with an "\
+          "older version of chef-vault. Use 'knife vault update' "\
+          "to update the databag with the search query."
       end
 
       # a bit of a misnomer; this doesn't remove unknown
@@ -434,11 +447,12 @@ class ChefVault
       true
     rescue Net::HTTPServerException => http_error
       return false if http_error.response.code == "404"
+
       raise http_error
     end
 
     # adds or deletes an API client from the vault item keys
-    # @param client [Chef::ApiClient] the API client to operate on
+    # @param api_client [Chef::ApiClient] the API client to operate on
     # @param action [Symbol] :add or :delete
     # @return [void]
     def handle_client_action(api_client, action)
@@ -460,7 +474,7 @@ class ChefVault
     end
 
     # removes a client to the vault item keys
-    # @param client_or_node [String] the name of the API client or node to remove
+    # @param name [String] the name of the API client or node to remove
     # @return [void]
     def delete_client_or_node(name)
       client = load_actor(name, "clients")

data/lib/chef-vault/item_keys.rb

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef-vault/mixins"
+require_relative "mixins"
 
 class ChefVault
   class ItemKeys < Chef::DataBagItem
@@ -39,9 +39,11 @@ class ChefVault
     def [](key)
       # return options immediately
       return @raw_data[key] if %w{id admins clients search_query mode}.include?(key)
+
       # check if the key is in the write-back cache
       ckey = @cache[key]
       return ckey unless ckey.nil?
+
       # check if the key is saved in sparse mode
       skey = sparse_key(sparse_id(key)) if sparse?
       if skey
@@ -58,6 +60,7 @@ class ChefVault
       return (ckey ? true : false) unless ckey.nil?
       # check if the key is saved in sparse mode
       return true if sparse? && sparse_key(sparse_id(key))
+
       # fallback to non-sparse mode if sparse key is not found
       @raw_data.keys.include?(key)
     end
@@ -66,10 +69,14 @@ class ChefVault
       type = chef_key.type
       unless @raw_data.key?(type)
         raise ChefVault::Exceptions::V1Format,
-              "cannot manage a v1 vault.  See UPGRADE.md for help"
+          "cannot manage a v1 vault.  See UPGRADE.md for help"
       end
       @cache[chef_key.name] = skip_reencryption ? self[chef_key.name] : nil
-      @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      begin
+        @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      rescue OpenSSL::PKey::RSAError
+        raise OpenSSL::PKey::RSAError, "While adding #{chef_key.type} an invalid or old (pre chef-server 12) format public key was found for #{chef_key.name}"
+      end
       @raw_data[type] << chef_key.name unless @raw_data[type].include?(chef_key.name)
       @raw_data[type]
     end
@@ -135,7 +142,7 @@ class ChefVault
             begin
               Chef::DataBagItem.from_hash("data_bag" => data_bag,
                                           "id" => sparse_id(key))
-                               .destroy(data_bag, sparse_id(key))
+                .destroy(data_bag, sparse_id(key))
             rescue Net::HTTPServerException => http_error
               raise http_error unless http_error.response.code == "404"
             end
@@ -161,6 +168,25 @@ class ChefVault
           end
         end
       end
+
+      if @raw_data["mode"] == "sparse"
+        @raw_data.each do |key, val|
+          next if %w{ id clients admins search_query mode }.include?(key)
+
+          skey = Chef::DataBagItem.from_hash(
+            "data_bag" => data_bag,
+            "id" => sparse_id(key),
+            key => val
+          )
+          @raw_data.delete(key)
+          if Chef::Config[:solo_legacy_mode]
+            save_solo(skey.id, skey.raw_data)
+          else
+            skey.save
+          end
+        end
+      end
+
       # save raw data
       if Chef::Config[:solo_legacy_mode]
         save_solo(item_id)
@@ -187,7 +213,7 @@ class ChefVault
         items = Chef::DataBag.load(data_bag).keys.select { |item| item =~ rgx }
         items.each do |id|
           Chef::DataBagItem.from_hash("data_bag" => data_bag, "id" => id)
-                           .destroy(data_bag, id)
+            .destroy(data_bag, id)
         end
         # destroy this metadata
         super(data_bag, id)

data/lib/chef-vault/mixins.rb

@@ -6,7 +6,7 @@ class ChefVault
     #     paths and use that by preference
     #  1. Otherwise, just use the first location in the array
     def find_solo_path(item_id)
-      if Chef::Config[:data_bag_path].kind_of?(Array)
+      if Chef::Config[:data_bag_path].is_a?(Array)
         path = Chef::Config[:data_bag_path].find do |dir|
           File.exist?(File.join(dir, data_bag, "#{item_id}.json"))
         end
@@ -15,7 +15,7 @@ class ChefVault
         data_bag_path = File.join(path, data_bag)
       else
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
       end
       data_bag_item_path = File.join(data_bag_path, item_id) + ".json"
 

data/lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "3.4.2"
+  VERSION = "4.0.11"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/lib/chef/knife/mixin/helper.rb

@@ -33,7 +33,7 @@ class ChefVault
       end
 
       def values_from_file(file)
-        json = File.open(file) { |fh| fh.read() }
+        json = File.open(file, &:read)
 
         values_from_json(json)
       end

data/lib/chef/knife/vault_admins.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 require "chef/knife"
-require "chef-vault"
+require_relative "../../chef-vault"
 
 class Chef
   class Knife
@@ -26,6 +26,10 @@ class Chef
         vault_admins = Chef::Config[:knife][:vault_admins]
         admin_array = [Chef::Config[:node_name]]
 
+        if !vault_admins.kind_of?(Array)
+          ui.warn("Vault admin must be an array")
+        end
+
         if config_admins
           admin_array += [config_admins]
         elsif vault_admins

data/lib/chef/knife/vault_base.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 require "chef/knife"
-require "chef-vault"
+require_relative "../../chef-vault"
 
 class Chef
   class Knife
@@ -55,13 +55,16 @@ class Chef
         # - item_keys has zero or more keys in sparse mode
         # vaults have a number of keys >= 2
         return false unless bag.keys.size >= 2
+
         # partition into those that end in _keys
         keylike, notkeylike = split_vault_keys(bag)
         # there must be an equal number of keyline and not-keylike items
         return false unless keylike.size == notkeylike.size
+
         # strip the _keys suffix and check if the sets match
         keylike.map! { |k| k.gsub(/_keys$/, "") }
         return false unless keylike.sort == notkeylike.sort
+
         # it's (probably) a vault
         true
       end
@@ -70,7 +73,7 @@ class Chef
         # get all item keys
         keys = bag.keys.select { |k| k =~ /_keys$/ }
         # get all sparse keys
-        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp('_keys')}_key_.*") })
+        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp("_keys")}_key_.*") })
         sparse = bag.keys.select { |k| k =~ r }
         # the rest
         items = bag.keys - keys - sparse

data/lib/chef/knife/vault_create.rb

@@ -13,9 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_admins"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
+require_relative "vault_admins"
+require_relative "vault_clients"
 
 class Chef
   class Knife
@@ -84,7 +84,7 @@ class Chef
 
               if file
                 vault_item["file-name"] = File.basename(file)
-                vault_item["file-content"] = File.open(file) { |f| f.read() }
+                vault_item["file-content"] = File.open(file, &:read)
               end
             else
               vault_json = edit_hash({})

data/lib/chef/knife/vault_delete.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_download.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -34,7 +34,7 @@ class Chef
           File.open(path, "w") do |file|
             file.write(vault_item["file-content"])
           end
-          ui.info("Saved #{vault_item['file-name']} as #{path}")
+          ui.info("Saved #{vault_item["file-name"]} as #{path}")
         else
           show_usage
         end

data/lib/chef/knife/vault_edit.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_isvault.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_itemtype.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_list.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_refresh.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -47,8 +47,8 @@ class Chef
                  ChefVault::Exceptions::ItemNotFound
 
             raise ChefVault::Exceptions::ItemNotFound,
-                  "#{vault}/#{item} does not exist, "\
-                  "use 'knife vault create' to create."
+              "#{vault}/#{item} does not exist, "\
+              "use 'knife vault create' to create."
           end
         else
           show_usage

data/lib/chef/knife/vault_remove.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
+require_relative "vault_clients"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -45,9 +45,10 @@ class Chef
         end
       end
 
+      # Permalink for regex of replacing '_keys' with '': https://rubular.com/r/5cA5JNSyLfPSfY
       def vault_items(vault)
         Chef::DataBag.load(vault).keys.each_with_object([]) do |key, array|
-          array << key.sub("_keys", "") if key =~ /.+_keys$/
+          array << key.sub(/_keys(?=[^_keys]*$)/, "") if key =~ /.+_keys$/
         end
       end
 

data/lib/chef/knife/vault_rotate_keys.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_show.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_update.rb

@@ -13,9 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_admins"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
+require_relative "vault_admins"
+require_relative "vault_clients"
 
 class Chef
   class Knife
@@ -54,6 +54,11 @@ class Chef
         long: "--clean",
         description: "Clean clients before performing search"
 
+      option :keys_mode,
+        short: "-K KEYS_MODE",
+        long: "--keys-mode KEYS_MODE",
+        description: "Mode in which to save vault keys"
+
       def run
         vault = @name_args[0]
         item = @name_args[1]
@@ -62,16 +67,17 @@ class Chef
         json_file = config[:json]
         file = config[:file]
         clean = config[:clean]
+        keys_mode = config[:keys_mode]
 
         set_mode(config[:vault_mode])
 
-        if vault && item && ((values || json_file || file) || (search || clients || admins))
+        if vault && item && ((values || json_file || file) || (search || clients || admins) || (keys_mode))
           begin
             vault_item = ChefVault::Item.load(vault, item)
 
             # Keys management first
             if clean
-              vault_clients = vault_item.get_clients.clone().sort()
+              vault_clients = vault_item.get_clients.clone.sort
               vault_clients.each do |client|
                 ui.info "Deleting #{client}"
                 vault_item.delete_client(client)
@@ -91,7 +97,7 @@ class Chef
 
               if file
                 vault_item["file-name"] = File.basename(file)
-                vault_item["file-content"] = File.open(file) { |f| f.read() }
+                vault_item["file-content"] = File.open(file, &:read)
               end
 
               vault_item.save
@@ -105,6 +111,11 @@ class Chef
               "#{vault}/#{item} does not exist, "\
               "use 'knife vault create' to create."
           end
+
+          if keys_mode
+            vault_item.mode(keys_mode)
+            vault_item.save_keys
+          end
         else
           show_usage
         end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 3.4.2
+  version: 4.0.11
 platform: ruby
 authors:
 - Thom May
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-22 00:00:00.000000000 Z
+date: 2020-08-21 00:00:00.000000000 Z
 dependencies: []
-description: Data encryption support for Chef using data bags
+description: Data encryption support for Chef Infra using data bags
 email:
 - thom@chef.io
 executables:
@@ -20,7 +20,6 @@ extra_rdoc_files: []
 files:
 - Gemfile
 - LICENSE
-- README.md
 - bin/chef-vault
 - chef-vault.gemspec
 - lib/chef-vault.rb
@@ -62,16 +61,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.2.0
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: Data encryption support for Chef using data bags
+summary: Data encryption support for Chef Infra using data bags
 test_files: []

data/README.md

@@ -1,307 +0,0 @@
-# Chef-Vault
-
-[![Gem Version](https://badge.fury.io/rb/chef-vault.svg)](http://badge.fury.io/rb/chef-vault)
-
-[![Build Status](https://travis-ci.org/chef/chef-vault.svg?branch=master)](https://travis-ci.org/chef/chef-vault)
-
-[![Inline docs](http://inch-ci.org/github/chef/chef-vault.svg?branch=master)](http://inch-ci.org/github/chef/chef-vault)
-
-[![Code Climate](https://codeclimate.com/github/chef/chef-vault/badges/gpa.svg)](https://codeclimate.com/github/chef/chef-vault)
-
-## DESCRIPTION:
-
-Gem that allows you to encrypt a Chef Data Bag Item using the public keys of
-a list of chef nodes. This allows only those chef nodes to decrypt the
-encrypted values.
-
-For a more detailed explanation of how chef-vault works, please refer to this blog post [Chef Vault – what is it and what can it do for you?](https://www.chef.io/blog/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/) by Nell Shamrell-Harrington.
-
-## INSTALLATION:
-
-Be sure you are running the latest version Chef. Versions earlier than
-0.10.0 don't support plugins:
-
-    gem install chef
-
-This plugin is distributed as a Ruby Gem. To install it, run:
-
-    gem install chef-vault
-
-Depending on your system's configuration, you may need to run this command
-with root privileges.
-
-## DEVELOPMENT:
-
-### Git Hooks
-
-There is a git pre-commit hook to help you keep your chefstyle up to date.
-If you wish to use it, simply:
-
-```
-mv hooks/pre-commit .git/hooks/
-chmod +x .git/hooks/pre-commit
-```
-
-### Running Your Changes
-
-To run your changes locally:
-
-```
-bundle install
-bundle exec knife vault
-```
-
-### Testing
-
-#### Rspec Tests
-
-There are some unit tests that can be run with:
-
-```
-bundle exec rspec spec/
-```
-
-#### Cucumber Testing
-
-There are cucumber tests. Run the whole suite with:
-
-```
-bundle exec rake features
-```
-
-If you get any failures, you can run the specific feature that failed with:
-
-```
-bundle exec cucumber features/<failed>.feature
-```
-
-If you want to test things out directly, after a failure you can go into the test
-directory and try out the commands that failed:
-
-```
-cd tmp/aruba
-bundle exec knife <your command that failed from test with -c knife.rb>
-```
-
-Optionally add `-VV` to the above to get a full stacktrace.
-
-### Rubocop Errors
-
-If you are seeing rubocop errors in travis for your pull request, run:
-
-`bundle exec chefstyle -a`
-
-This will fix up your rubocop errors automatically, and warn you about any it can't.
-
-## KNIFE COMMANDS:
-
-See KNIFE_EXAMPLES.md for examples of commands
-
-### knife.rb
-
-To set 'client' as the default mode, add the following line to the knife.rb file.
-
-    knife[:vault_mode] = 'client'
-
-To set the default list of admins for creating and updating vaults, add the
-following line to the knife.rb file.
-
-    knife[:vault_admins] = [ 'example-alice', 'example-bob', 'example-carol' ]
-
-(These values can be overridden on the command line by using -A)
-
-NOTE: chef-vault 1.0 knife commands are not supported! Please use chef-vault
-2.0 commands.
-
-### Vault
-
-    knife vault create VAULT ITEM VALUES
-    knife vault edit VAULT ITEM
-    knife vault refresh VAULT ITEM
-    knife vault update VAULT ITEM VALUES [--clean]
-    knife vault remove VAULT ITEM VALUES
-    knife vault delete VAULT ITEM
-    knife vault rotate keys VAULT ITEM
-    knife vault rotate all keys
-    knife vault show VAULT [ITEM] [VALUES]
-    knife vault download VAULT ITEM PATH
-    knife vault isvault VAULT ITEM
-    knife vault itemtype VAULT ITEM
-
-#### Global Options
-
-Short | Long | Description | Default | Valid Values | Sub-Commands
-------|------|-------------|---------|--------------|-------------
--M MODE | --mode MODE | Chef mode to run in. Can be set in knife.rb | solo | solo, client | all
--S SEARCH | --search SEARCH | Chef Server SOLR Search Of Nodes | | | create, remove , update
--C CLIENTS | --clients CLIENTS | Chef clients to be added as clients, can be comma list | | | create, remove , update
--A ADMINS | --admins ADMINS | Chef clients or users to be vault admins, can be comma list | | | create, remove, update
--J FILE | --json FILE | JSON file to be used for values, will be merged with VALUES if VALUES is passed | | | create, update
-| --file FILE | File that chef-vault should encrypt.  It adds "file-content" & "file-name" keys to the vault item | | | create, update
--p DATA | --print DATA | Print extra vault data | | search, clients, admins, all | show
--F FORMAT | --format FORMAT | Format for decrypted output | summary | summary, json, yaml, pp | show
-| --clean-unknown-clients | Remove unknown clients during key rotation | | | refresh, remove, rotate
-| --clean | Clean clients list before performing search | | | refresh, update
-
-## USAGE IN RECIPES
-
-To use this gem in a recipe to decrypt data you must first install the gem
-via a chef_gem resource. Once the gem is installed require the gem and then
-you can create a new instance of ChefVault.
-
-NOTE: chef-vault 1.0 style decryption is supported, however it has been
-deprecated and chef-vault 2.0 decryption should be used instead
-
-### Example Code
-
-    chef_gem 'chef-vault' do
-      compile_time true if respond_to?(:compile_time)
-    end
-
-    require 'chef-vault'
-
-    item = ChefVault::Item.load("passwords", "root")
-    item["password"]
-
-Note that in this case, the gem needs to be installed at compile time
-because the require statement is at the top-level of the recipe.  If
-you move the require of chef-vault and the call to `::load` to
-library or provider code, you can install the gem in the converge phase
-instead.
-
-### Specifying an alternate node name or client key path
-
-Normally, the value of `Chef::Config[:node_name]` is used to find the
-per-node encrypted secret in the keys data bag item, and the value of
-`Chef::Config[:client_key]` is used to locate the private key to decrypt
-this secret.
-
-These can be overridden by passing a hash with the keys `:node_name` or
-`:client_key_path` to `ChefVault::Item.load`:
-
-    item = ChefVault::Item.load(
-      'passwords', 'root',
-      node_name: 'service_foo',
-      client_key_path: '/secure/place/service_foo.pem'
-    )
-    item['password']
-
-The above example assumes that you have transferred
-`/secure/place/service_foo.pem` to your system via a secure channel.
-
-This usage allows you to decrypt a vault using a key shared among several
-nodes, which can be helpful when working in cloud environments or other
-configurations where nodes are created dynamically.
-
-### chef_vault_item helper
-
-The [chef-vault cookbook](https://supermarket.chef.io/cookbooks/chef-vault)
-contains a recipe to install the chef-vault gem and a helper method
-`chef_vault_helper` which makes it easier to test cookbooks that use
-chef-vault using Test Kitchen.
-
-## DETERMINING IF AN ITEM IS A VAULT
-
-ChefVault provides a helper method to determine if a data bag item is a vault,
-which can be helpful if you produce a recipe for community consumption and want
-to support both normal data bags and vaults:
-
-    if ChefVault::Item.vault?('passwords', 'root')
-      item = ChefVault::Item.load('passwords', 'root')
-    else
-      item = Chef::DataBagItem.load('passwords', 'root')
-    end
-
-This functionality is also available from the command line as `knife vault isvault VAULT ITEM`.
-
-## DETERMINING THE TYPE OF A DATA BAG ITEM
-
-ChefVault provides a helper method to determine the type of a data bag item.
-It returns one of the symbols :normal, :encrypted or :vault
-
-    case ChefVault::Item.data_bag_item_type('passwords', 'root')
-    when :normal
-      ...
-    when :encrypted
-      ...
-    when :vault
-      ...
-    end
-
-This functionality is also available from the command line as `knife vault itemtype VAULT ITEM`.
-
-## USAGE STAND ALONE
-
-`chef-vault` can be used as a stand alone binary to decrypt values stored in
-Chef. It requires that Chef is installed on the system and that you have a
-valid knife.rb. This is useful if you want to mix `chef-vault` into non-Chef
-recipe code, for example some other script where you want to protect a
-password.
-
-It does still require that the data bag has been encrypted for the user's or
-client's pem and pushed to the Chef server. It mixes Chef into the gem and
-uses it to go grab the data bag.
-
-Use `chef-vault --help` to see all all available options
-
-### Example usage (password)
-
-    chef-vault -v passwords -i root -a password -k /etc/chef/knife.rb
-
-## TESTING
-
-To use Chef Vault in Test Kitchen, ensure that the `chef-vault` recipe
-is in your `run_list`, and then add the following to your
-suite in `.kitchen.yml`:
-
-```yaml
-data_bags_path: 'path/to/data_bags'
-attributes:
-  chef_vault:
-    databags_fallback: true
-```
-
-You can then use the `chef_vault_item` helper in the aforementioned chef-vault cookbook.
-
-To stub vault items in ChefSpec, use the
-[chef-vault-testfixtures](https://rubygems.org/gems/chef-vault-testfixtures)
-gem.
-
-## Contributing
-
-For information on contributing to this project see <https://github.com/chef/chef/blob/master/CONTRIBUTING.md>
-
-## Authors
-
-Author:: Kevin Moser - @moserke<br>
-Author:: Eli Klein - @eliklein<br>
-Author:: Joey Geiger - @jgeiger<br>
-Author:: Joshua Timberman - @jtimberman<br>
-Author:: James FitzGibbon - @jf647<br>
-Author:: Thom May - @thommay<br>
-
-## Contributors
-
-Contributor:: Matt Brimstone - @brimstone<br>
-Contributor:: Thomas Gschwind - @thg65<br>
-Contributor:: Reto Hermann<br>
-
-## License
-
-Copyright:: Copyright (c) 2013-15 Nordstrom, Inc.<br>
-Copyright:: Copyright (c) 2016 Chef Software, Inc.<br>
-License:: Apache License, Version 2.0
-
-```text
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-```