chef-vault 4.0.1 → 4.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c20a420a9d49bc39c1e32679f901e7404ed331ebe1fb5a3781f64316c1733c2
-  data.tar.gz: b328d3d990b89f4378461f319ec208047a518bdfce6231b5b8905c4a9a49c65a
+  metadata.gz: b28e3385a21760fde5fee6cc54c23ec5831773b38ed3c2f80fbfc2bc0e0225b6
+  data.tar.gz: bd9dced0c27555ccb831720d52af9a40283a36ed2defa2cfd94ecd18c1b32295
 SHA512:
-  metadata.gz: 8fc0571def8f7eab2a3bbb57e6ec4d0bd39469a6b5f46668918da3d9c11b8a522760a7c08aa673e780c59bfe4272f56b1f46b4e3634c6f9c666eda0ec3dc0812
-  data.tar.gz: ffcce0b7bb89f24b019d6dce1b41ee8d31c573a4f99ee2d92e3a9f005c8c69ebc2b68207261001b0d4fcb27c1262d1d88d94ff8d84091ae0f7a7ecd57c93c62f
+  metadata.gz: 0c91e1ba8ac02e5030d14e8431dba69ee9fe543b7cbdfb047944ad1291bd08f6b4f62d899fb4cef4dd46439c16b55590136345c45e519c46b00449e09ca8399b
+  data.tar.gz: b5e0b84008e69692e14bb4a2924ab35c8217640c15d7308642d58458290afb1d1755b86271bc24dd23332fea8fad871986d4909aaa6a6045a8a5aeaf7241f606

data/Gemfile

@@ -8,8 +8,6 @@ group :development do
   gem "rake"
   gem "rspec", "~> 3.4"
   gem "aruba", "~> 0.6"
-  gem "simplecov", "~> 0.9"
-  gem "simplecov-console", "~> 0.2.0"
   gem "chef", "~> 14.0" # avoids test failures on license acceptance
 end
 
@@ -22,6 +20,6 @@ end
 group :debug do
   gem "pry"
   gem "pry-byebug"
-  gem "pry-stack_explorer"
+  gem "pry-stack_explorer", "~> 0.4.0" # pin until we drop ruby < 2.6
   gem "rb-readline"
 end

data/bin/chef-vault

@@ -18,7 +18,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "optparse"
+require "optparse" unless defined?(OptionParser)
 
 options_config = {
   chef: {
@@ -79,10 +79,10 @@ options_config.each do |option, config|
 end
 
 options_config.each do |option, config|
-  options[option] = options[option] ? options[option] : config[:default]
+  options[option] = options[option] || config[:default]
 end
 
-require "rubygems"
+require "rubygems" unless defined?(Gem)
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
 require "chef-vault"
 

data/chef-vault.gemspec

@@ -1,4 +1,3 @@
-# -*- encoding: utf-8 -*-
 # Chef-Vault Gemspec file
 # Copyright 2013-2015, Nordstrom, Inc.
 # Copyright 2017-2019, Chef Software, Inc.
@@ -15,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-$:.push File.expand_path("../lib", __FILE__)
+$:.push File.expand_path("lib", __dir__)
 require "chef-vault/version"
 
 Gem::Specification.new do |s|

data/lib/chef-vault/actor.rb

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "json"
+require "json" unless defined?(JSON)
 
 class ChefVault
   class Actor

data/lib/chef-vault/exceptions.rb

@@ -51,5 +51,8 @@ class ChefVault
 
     class V1Format < Exceptions
     end
+
+    class InvalidValue < Exceptions
+    end
   end
 end

data/lib/chef-vault/item.rb

@@ -15,7 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "securerandom"
+require "securerandom" unless defined?(SecureRandom)
 require_relative "mixins"
 
 class ChefVault
@@ -340,7 +340,16 @@ class ChefVault
     def self.data_bag_item_type(vault, name)
       # adapted from https://github.com/opscode-cookbooks/chef-vault/blob/v1.3.0/libraries/chef_vault_item.rb
       # and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
-      dbi = Chef::DataBagItem.load(vault, name)
+      begin
+        dbi = Chef::DataBagItem.load(vault, name)
+      rescue Net::HTTPServerException => http_error
+        if http_error.response.code == "404"
+          raise ChefVault::Exceptions::ItemNotFound,
+            "#{vault}/#{name} not found"
+        else
+          raise http_error
+        end
+      end
       encrypted = dbi.detect do |_, v|
         v.is_a?(Hash) && v.key?("encrypted_data")
       end

data/lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "4.0.1"
+  VERSION = "4.1.0"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/lib/chef/knife/mixin/helper.rb

@@ -39,10 +39,38 @@ class ChefVault
       end
 
       def values_from_json(json)
+        validate_json(json)
         JSON.parse(json)
       rescue JSON::ParserError
         raise JSON::ParserError, "#{json} is not valid JSON!"
       end
+
+      # I/P: json string
+      # Raises `InvalidValue` if any of the json's values contain non-printable characters.
+      def validate_json(json)
+        begin
+          evaled_json = eval(json) # rubocop: disable Security/Eval
+        rescue SyntaxError
+          raise ChefVault::Exceptions::InvalidValue, "#{json} is not valid JSON!"
+        end
+
+        if evaled_json.is_a?(Hash)
+          evaled_json.each do |key, value|
+            next unless printable?(value.to_s)
+
+            msg = "Value '#{value}' of key '#{key}' contains non-printable characters. Check that backslashes are escaped with another backslash (e.g. C:\\\\Windows) in double-quoted strings."
+            raise ChefVault::Exceptions::InvalidValue, msg
+          end
+        end
+      end
+
+      # I/P: String
+      # O/P: true/false
+      # returns true if string is free of non-printable characters (escape sequences)
+      # this returns false for whitespace escape sequences as well, e.g. \n\t
+      def printable?(string)
+        /[^[:print:]]/.match(string)
+      end
     end
   end
 end

data/lib/chef/knife/vault_admins.rb

@@ -26,6 +26,10 @@ class Chef
         vault_admins = Chef::Config[:knife][:vault_admins]
         admin_array = [Chef::Config[:node_name]]
 
+        unless vault_admins.is_a?(Array)
+          ui.warn("Vault admin must be an array")
+        end
+
         if config_admins
           admin_array += [config_admins]
         elsif vault_admins

data/lib/chef/knife/vault_base.rb

@@ -13,6 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+require "set" unless defined?(::Set)
 require "chef/knife"
 require_relative "../../chef-vault"
 
@@ -23,7 +24,7 @@ class Chef
         includer.class_eval do
           deps do
             require "chef/search/query"
-            require File.expand_path("../mixin/helper", __FILE__)
+            require File.expand_path("mixin/helper", __dir__)
             include ChefVault::Mixin::Helper
           end
 
@@ -70,13 +71,19 @@ class Chef
       end
 
       def split_vault_keys(bag)
-        # get all item keys
-        keys = bag.keys.select { |k| k =~ /_keys$/ }
-        # get all sparse keys
-        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp("_keys")}_key_.*") })
-        sparse = bag.keys.select { |k| k =~ r }
-        # the rest
-        items = bag.keys - keys - sparse
+        items = []
+        keys = ::Set.new
+        possible_sparses = ::Set.new
+
+        # spread bag keys into 3 categories: items, keys or possible sparse items
+        bag.each_key do |key|
+          next keys << key if key.end_with?("_keys")
+          next possible_sparses << key if key.include?("_key_")
+
+          items << key
+        end
+        # 2nd pass "sparse" items to avoid false positive when items have "_key" in their name
+        possible_sparses.each { |key| items << key if keys.include?("#{key}_keys") }
         # return item keys and items
         [keys, items]
       end

data/lib/chef/knife/vault_list.rb

@@ -35,7 +35,7 @@ class Chef
         bags.each_key do |bagname|
           vaultbags.push(bagname) if bag_is_vault?(bagname)
         end
-        output vaultbags.join("\n")
+        output vaultbags
       end
     end
   end

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -45,9 +45,10 @@ class Chef
         end
       end
 
+      # Permalink for regex of replacing '_keys' with '': https://rubular.com/r/5cA5JNSyLfPSfY
       def vault_items(vault)
         Chef::DataBag.load(vault).keys.each_with_object([]) do |key, array|
-          array << key.sub("_keys", "") if key =~ /.+_keys$/
+          array << key.sub(/_keys(?=[^_keys]*$)/, "") if key =~ /.+_keys$/
         end
       end
 

data/lib/chef/knife/vault_show.rb

@@ -90,9 +90,7 @@ class Chef
       def print_keys(vault)
         if bag_is_vault?(vault)
           bag = Chef::DataBag.load(vault)
-          split_vault_keys(bag)[1].each do |item|
-            output item
-          end
+          output split_vault_keys(bag)[1]
         else
           output "data bag #{vault} is not a chef-vault"
         end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 4.0.1
+  version: 4.1.0
 platform: ruby
 authors:
 - Thom May
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-12-30 00:00:00.000000000 Z
+date: 2020-11-13 00:00:00.000000000 Z
 dependencies: []
 description: Data encryption support for Chef Infra using data bags
 email: