chef-vault 4.0.1 → 4.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +1 -3
- data/bin/chef-vault +3 -3
- data/chef-vault.gemspec +1 -2
- data/lib/chef-vault/actor.rb +1 -1
- data/lib/chef-vault/exceptions.rb +3 -0
- data/lib/chef-vault/item.rb +11 -2
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef/knife/mixin/helper.rb +28 -0
- data/lib/chef/knife/vault_admins.rb +4 -0
- data/lib/chef/knife/vault_base.rb +15 -8
- data/lib/chef/knife/vault_list.rb +1 -1
- data/lib/chef/knife/vault_rotate_all_keys.rb +2 -1
- data/lib/chef/knife/vault_show.rb +1 -3
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: b28e3385a21760fde5fee6cc54c23ec5831773b38ed3c2f80fbfc2bc0e0225b6
|
|
4
|
+
data.tar.gz: bd9dced0c27555ccb831720d52af9a40283a36ed2defa2cfd94ecd18c1b32295
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 0c91e1ba8ac02e5030d14e8431dba69ee9fe543b7cbdfb047944ad1291bd08f6b4f62d899fb4cef4dd46439c16b55590136345c45e519c46b00449e09ca8399b
|
|
7
|
+
data.tar.gz: b5e0b84008e69692e14bb4a2924ab35c8217640c15d7308642d58458290afb1d1755b86271bc24dd23332fea8fad871986d4909aaa6a6045a8a5aeaf7241f606
|
data/Gemfile
CHANGED
|
@@ -8,8 +8,6 @@ group :development do
|
|
|
8
8
|
gem "rake"
|
|
9
9
|
gem "rspec", "~> 3.4"
|
|
10
10
|
gem "aruba", "~> 0.6"
|
|
11
|
-
gem "simplecov", "~> 0.9"
|
|
12
|
-
gem "simplecov-console", "~> 0.2.0"
|
|
13
11
|
gem "chef", "~> 14.0" # avoids test failures on license acceptance
|
|
14
12
|
end
|
|
15
13
|
|
|
@@ -22,6 +20,6 @@ end
|
|
|
22
20
|
group :debug do
|
|
23
21
|
gem "pry"
|
|
24
22
|
gem "pry-byebug"
|
|
25
|
-
gem "pry-stack_explorer"
|
|
23
|
+
gem "pry-stack_explorer", "~> 0.4.0" # pin until we drop ruby < 2.6
|
|
26
24
|
gem "rb-readline"
|
|
27
25
|
end
|
data/bin/chef-vault
CHANGED
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
# See the License for the specific language governing permissions and
|
|
19
19
|
# limitations under the License.
|
|
20
20
|
|
|
21
|
-
require "optparse"
|
|
21
|
+
require "optparse" unless defined?(OptionParser)
|
|
22
22
|
|
|
23
23
|
options_config = {
|
|
24
24
|
chef: {
|
|
@@ -79,10 +79,10 @@ options_config.each do |option, config|
|
|
|
79
79
|
end
|
|
80
80
|
|
|
81
81
|
options_config.each do |option, config|
|
|
82
|
-
options[option] = options[option]
|
|
82
|
+
options[option] = options[option] || config[:default]
|
|
83
83
|
end
|
|
84
84
|
|
|
85
|
-
require "rubygems"
|
|
85
|
+
require "rubygems" unless defined?(Gem)
|
|
86
86
|
$:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
|
|
87
87
|
require "chef-vault"
|
|
88
88
|
|
data/chef-vault.gemspec
CHANGED
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
# -*- encoding: utf-8 -*-
|
|
2
1
|
# Chef-Vault Gemspec file
|
|
3
2
|
# Copyright 2013-2015, Nordstrom, Inc.
|
|
4
3
|
# Copyright 2017-2019, Chef Software, Inc.
|
|
@@ -15,7 +14,7 @@
|
|
|
15
14
|
# See the License for the specific language governing permissions and
|
|
16
15
|
# limitations under the License.
|
|
17
16
|
|
|
18
|
-
$:.push File.expand_path("
|
|
17
|
+
$:.push File.expand_path("lib", __dir__)
|
|
19
18
|
require "chef-vault/version"
|
|
20
19
|
|
|
21
20
|
Gem::Specification.new do |s|
|
data/lib/chef-vault/actor.rb
CHANGED
data/lib/chef-vault/item.rb
CHANGED
|
@@ -15,7 +15,7 @@
|
|
|
15
15
|
# See the License for the specific language governing permissions and
|
|
16
16
|
# limitations under the License.
|
|
17
17
|
|
|
18
|
-
require "securerandom"
|
|
18
|
+
require "securerandom" unless defined?(SecureRandom)
|
|
19
19
|
require_relative "mixins"
|
|
20
20
|
|
|
21
21
|
class ChefVault
|
|
@@ -340,7 +340,16 @@ class ChefVault
|
|
|
340
340
|
def self.data_bag_item_type(vault, name)
|
|
341
341
|
# adapted from https://github.com/opscode-cookbooks/chef-vault/blob/v1.3.0/libraries/chef_vault_item.rb
|
|
342
342
|
# and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
|
|
343
|
-
|
|
343
|
+
begin
|
|
344
|
+
dbi = Chef::DataBagItem.load(vault, name)
|
|
345
|
+
rescue Net::HTTPServerException => http_error
|
|
346
|
+
if http_error.response.code == "404"
|
|
347
|
+
raise ChefVault::Exceptions::ItemNotFound,
|
|
348
|
+
"#{vault}/#{name} not found"
|
|
349
|
+
else
|
|
350
|
+
raise http_error
|
|
351
|
+
end
|
|
352
|
+
end
|
|
344
353
|
encrypted = dbi.detect do |_, v|
|
|
345
354
|
v.is_a?(Hash) && v.key?("encrypted_data")
|
|
346
355
|
end
|
data/lib/chef-vault/version.rb
CHANGED
|
@@ -39,10 +39,38 @@ class ChefVault
|
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
def values_from_json(json)
|
|
42
|
+
validate_json(json)
|
|
42
43
|
JSON.parse(json)
|
|
43
44
|
rescue JSON::ParserError
|
|
44
45
|
raise JSON::ParserError, "#{json} is not valid JSON!"
|
|
45
46
|
end
|
|
47
|
+
|
|
48
|
+
# I/P: json string
|
|
49
|
+
# Raises `InvalidValue` if any of the json's values contain non-printable characters.
|
|
50
|
+
def validate_json(json)
|
|
51
|
+
begin
|
|
52
|
+
evaled_json = eval(json) # rubocop: disable Security/Eval
|
|
53
|
+
rescue SyntaxError
|
|
54
|
+
raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
if evaled_json.is_a?(Hash)
|
|
58
|
+
evaled_json.each do |key, value|
|
|
59
|
+
next unless printable?(value.to_s)
|
|
60
|
+
|
|
61
|
+
msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."
|
|
62
|
+
raise ChefVault::Exceptions::InvalidValue, msg
|
|
63
|
+
end
|
|
64
|
+
end
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
# I/P: String
|
|
68
|
+
# O/P: true/false
|
|
69
|
+
# returns true if string is free of non-printable characters (escape sequences)
|
|
70
|
+
# this returns false for whitespace escape sequences as well, e.g. \n\t
|
|
71
|
+
def printable?(string)
|
|
72
|
+
/[^[:print:]]/.match(string)
|
|
73
|
+
end
|
|
46
74
|
end
|
|
47
75
|
end
|
|
48
76
|
end
|
|
@@ -26,6 +26,10 @@ class Chef
|
|
|
26
26
|
vault_admins = Chef::Config[:knife][:vault_admins]
|
|
27
27
|
admin_array = [Chef::Config[:node_name]]
|
|
28
28
|
|
|
29
|
+
unless vault_admins.is_a?(Array)
|
|
30
|
+
ui.warn("Vault admin must be an array")
|
|
31
|
+
end
|
|
32
|
+
|
|
29
33
|
if config_admins
|
|
30
34
|
admin_array += [config_admins]
|
|
31
35
|
elsif vault_admins
|
|
@@ -13,6 +13,7 @@
|
|
|
13
13
|
# See the License for the specific language governing permissions and
|
|
14
14
|
# limitations under the License.
|
|
15
15
|
|
|
16
|
+
require "set" unless defined?(::Set)
|
|
16
17
|
require "chef/knife"
|
|
17
18
|
require_relative "../../chef-vault"
|
|
18
19
|
|
|
@@ -23,7 +24,7 @@ class Chef
|
|
|
23
24
|
includer.class_eval do
|
|
24
25
|
deps do
|
|
25
26
|
require "chef/search/query"
|
|
26
|
-
require File.expand_path("
|
|
27
|
+
require File.expand_path("mixin/helper", __dir__)
|
|
27
28
|
include ChefVault::Mixin::Helper
|
|
28
29
|
end
|
|
29
30
|
|
|
@@ -70,13 +71,19 @@ class Chef
|
|
|
70
71
|
end
|
|
71
72
|
|
|
72
73
|
def split_vault_keys(bag)
|
|
73
|
-
|
|
74
|
-
keys =
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
74
|
+
items = []
|
|
75
|
+
keys = ::Set.new
|
|
76
|
+
possible_sparses = ::Set.new
|
|
77
|
+
|
|
78
|
+
# spread bag keys into 3 categories: items, keys or possible sparse items
|
|
79
|
+
bag.each_key do |key|
|
|
80
|
+
next keys << key if key.end_with?("_keys")
|
|
81
|
+
next possible_sparses << key if key.include?("_key_")
|
|
82
|
+
|
|
83
|
+
items << key
|
|
84
|
+
end
|
|
85
|
+
# 2nd pass "sparse" items to avoid false positive when items have "_key" in their name
|
|
86
|
+
possible_sparses.each { |key| items << key if keys.include?("#{key}_keys") }
|
|
80
87
|
# return item keys and items
|
|
81
88
|
[keys, items]
|
|
82
89
|
end
|
|
@@ -45,9 +45,10 @@ class Chef
|
|
|
45
45
|
end
|
|
46
46
|
end
|
|
47
47
|
|
|
48
|
+
# Permalink for regex of replacing '_keys' with '': https://rubular.com/r/5cA5JNSyLfPSfY
|
|
48
49
|
def vault_items(vault)
|
|
49
50
|
Chef::DataBag.load(vault).keys.each_with_object([]) do |key, array|
|
|
50
|
-
array << key.sub(
|
|
51
|
+
array << key.sub(/_keys(?=[^_keys]*$)/, "") if key =~ /.+_keys$/
|
|
51
52
|
end
|
|
52
53
|
end
|
|
53
54
|
|
|
@@ -90,9 +90,7 @@ class Chef
|
|
|
90
90
|
def print_keys(vault)
|
|
91
91
|
if bag_is_vault?(vault)
|
|
92
92
|
bag = Chef::DataBag.load(vault)
|
|
93
|
-
split_vault_keys(bag)[1]
|
|
94
|
-
output item
|
|
95
|
-
end
|
|
93
|
+
output split_vault_keys(bag)[1]
|
|
96
94
|
else
|
|
97
95
|
output "data bag #{vault} is not a chef-vault"
|
|
98
96
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: chef-vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.0
|
|
4
|
+
version: 4.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Thom May
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2020-11-13 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: Data encryption support for Chef Infra using data bags
|
|
14
14
|
email:
|