chef-vault 4.1.5 → 4.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +17 -6
- data/chef-vault.gemspec +1 -1
- data/lib/chef/knife/vault_create.rb +7 -4
- data/lib/chef/knife/vault_remove.rb +5 -2
- data/lib/chef/knife/vault_update.rb +7 -4
- data/lib/chef-vault/actor.rb +4 -4
- data/lib/chef-vault/item.rb +18 -5
- data/lib/chef-vault/item_keys.rb +4 -4
- data/lib/chef-vault/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 44f75213a45df776972cad854aedf5abb94d7a54fde7a9986caed78930f8790e
|
|
4
|
+
data.tar.gz: aaa272cb7893c232b456ef5148bfc0ff91bc5b53a8ae4e9b573f68edaff78df8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ad149c125f2aa41b9e3fd8d07281c65ecec8317bbc5a6daf2b7deb9e6def089820e57ee59ca68b53852f6fffe54cbf8d711e1c40b6ac04629597bc3ef07107c2
|
|
7
|
+
data.tar.gz: 8e0f928a9b4e8dfb6a2800d0d5c65af323cc2f4678b91b2a535b4c450cd71d96ea320b9861638329821ffe5041e025a81e1cf5dbb1cab5bc90bfcd703876afc1
|
data/Gemfile
CHANGED
|
@@ -4,13 +4,22 @@ gemspec
|
|
|
4
4
|
|
|
5
5
|
group :development do
|
|
6
6
|
gem "chefstyle"
|
|
7
|
-
gem "chef-zero"
|
|
8
7
|
gem "rake"
|
|
9
|
-
gem "rspec", "~> 3.4"
|
|
10
|
-
gem "aruba", "~> 0.6"
|
|
11
|
-
gem "chef", "~> 14.0" # avoids test failures on license acceptance
|
|
12
8
|
gem "contracts", "~> 0.16.1" # pin until we drop ruby < 2.7
|
|
13
|
-
|
|
9
|
+
if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0.0")
|
|
10
|
+
gem "chef-zero"
|
|
11
|
+
gem "rspec", "~> 3.4"
|
|
12
|
+
gem "aruba", "~> 0.6"
|
|
13
|
+
gem "chef", "~> 14.0"
|
|
14
|
+
gem "chef-utils", "17.10.0" # pin until we drop ruby 2.5
|
|
15
|
+
else
|
|
16
|
+
gem "chef-zero", ">= 15.0.4"
|
|
17
|
+
gem "chef", "~> 17.0"
|
|
18
|
+
gem "rspec", "~> 3.10.0"
|
|
19
|
+
gem "aruba", "~> 1.1"
|
|
20
|
+
gem "knife", "~> 17.0"
|
|
21
|
+
gem "chef-utils", "17.10.0" # pin until we drop ruby >=3
|
|
22
|
+
end
|
|
14
23
|
end
|
|
15
24
|
|
|
16
25
|
group :docs do
|
|
@@ -22,6 +31,8 @@ end
|
|
|
22
31
|
group :debug do
|
|
23
32
|
gem "pry"
|
|
24
33
|
gem "pry-byebug"
|
|
25
|
-
gem "pry-stack_explorer", "~> 0.
|
|
34
|
+
gem "pry-stack_explorer", "~> 0.6.1" # pin until we drop ruby < 2.6
|
|
26
35
|
gem "rb-readline"
|
|
27
36
|
end
|
|
37
|
+
|
|
38
|
+
gem "simplecov", require: false
|
data/chef-vault.gemspec
CHANGED
|
@@ -14,15 +14,11 @@
|
|
|
14
14
|
# limitations under the License.
|
|
15
15
|
|
|
16
16
|
require_relative "vault_base"
|
|
17
|
-
require_relative "vault_admins"
|
|
18
|
-
require_relative "vault_clients"
|
|
19
17
|
|
|
20
18
|
class Chef
|
|
21
19
|
class Knife
|
|
22
20
|
class VaultCreate < Knife
|
|
23
21
|
include Chef::Knife::VaultBase
|
|
24
|
-
include Chef::Knife::VaultAdmins
|
|
25
|
-
include Chef::Knife::VaultClients
|
|
26
22
|
|
|
27
23
|
banner "knife vault create VAULT ITEM VALUES (options)"
|
|
28
24
|
|
|
@@ -55,6 +51,13 @@ class Chef
|
|
|
55
51
|
long: "--file FILE",
|
|
56
52
|
description: "File to be added to vault item as file-content"
|
|
57
53
|
|
|
54
|
+
deps do
|
|
55
|
+
require_relative "vault_admins"
|
|
56
|
+
require_relative "vault_clients"
|
|
57
|
+
include Chef::Knife::VaultAdmins
|
|
58
|
+
include Chef::Knife::VaultClients
|
|
59
|
+
end
|
|
60
|
+
|
|
58
61
|
def run
|
|
59
62
|
vault = @name_args[0]
|
|
60
63
|
item = @name_args[1]
|
|
@@ -14,13 +14,11 @@
|
|
|
14
14
|
# limitations under the License.
|
|
15
15
|
|
|
16
16
|
require_relative "vault_base"
|
|
17
|
-
require_relative "vault_clients"
|
|
18
17
|
|
|
19
18
|
class Chef
|
|
20
19
|
class Knife
|
|
21
20
|
class VaultRemove < Knife
|
|
22
21
|
include Chef::Knife::VaultBase
|
|
23
|
-
include Chef::Knife::VaultClients
|
|
24
22
|
|
|
25
23
|
banner "knife vault remove VAULT ITEM VALUES (options)"
|
|
26
24
|
|
|
@@ -43,6 +41,11 @@ class Chef
|
|
|
43
41
|
long: "--clean-unknown-clients",
|
|
44
42
|
description: "Remove unknown clients during key rotation"
|
|
45
43
|
|
|
44
|
+
deps do
|
|
45
|
+
require_relative "vault_clients"
|
|
46
|
+
include Chef::Knife::VaultClients
|
|
47
|
+
end
|
|
48
|
+
|
|
46
49
|
def run
|
|
47
50
|
vault = @name_args[0]
|
|
48
51
|
item = @name_args[1]
|
|
@@ -14,15 +14,11 @@
|
|
|
14
14
|
# limitations under the License.
|
|
15
15
|
|
|
16
16
|
require_relative "vault_base"
|
|
17
|
-
require_relative "vault_admins"
|
|
18
|
-
require_relative "vault_clients"
|
|
19
17
|
|
|
20
18
|
class Chef
|
|
21
19
|
class Knife
|
|
22
20
|
class VaultUpdate < Knife
|
|
23
21
|
include Chef::Knife::VaultBase
|
|
24
|
-
include Chef::Knife::VaultAdmins
|
|
25
|
-
include Chef::Knife::VaultClients
|
|
26
22
|
|
|
27
23
|
banner "knife vault update VAULT ITEM VALUES (options)"
|
|
28
24
|
|
|
@@ -59,6 +55,13 @@ class Chef
|
|
|
59
55
|
long: "--keys-mode KEYS_MODE",
|
|
60
56
|
description: "Mode in which to save vault keys"
|
|
61
57
|
|
|
58
|
+
deps do
|
|
59
|
+
require_relative "vault_admins"
|
|
60
|
+
require_relative "vault_clients"
|
|
61
|
+
include Chef::Knife::VaultAdmins
|
|
62
|
+
include Chef::Knife::VaultClients
|
|
63
|
+
end
|
|
64
|
+
|
|
62
65
|
def run
|
|
63
66
|
vault = @name_args[0]
|
|
64
67
|
item = @name_args[1]
|
data/lib/chef-vault/actor.rb
CHANGED
|
@@ -39,7 +39,7 @@ class ChefVault
|
|
|
39
39
|
def get_admin_key
|
|
40
40
|
# chef vault currently only supports using the default key
|
|
41
41
|
get_key("users")
|
|
42
|
-
rescue Net::
|
|
42
|
+
rescue Net::HTTPClientException => http_error
|
|
43
43
|
# if we failed to find an admin key, attempt to load a client key by the same name
|
|
44
44
|
case http_error.response.code
|
|
45
45
|
when "403"
|
|
@@ -49,7 +49,7 @@ class ChefVault
|
|
|
49
49
|
begin
|
|
50
50
|
ChefVault::Log.warn "The default key for #{name} not found in users, trying client keys."
|
|
51
51
|
get_key("clients")
|
|
52
|
-
rescue Net::
|
|
52
|
+
rescue Net::HTTPClientException => http_error
|
|
53
53
|
case http_error.response.code
|
|
54
54
|
when "404"
|
|
55
55
|
raise ChefVault::Exceptions::AdminNotFound,
|
|
@@ -68,7 +68,7 @@ class ChefVault
|
|
|
68
68
|
|
|
69
69
|
def get_client_key
|
|
70
70
|
get_key("clients")
|
|
71
|
-
rescue Net::
|
|
71
|
+
rescue Net::HTTPClientException => http_error
|
|
72
72
|
if http_error.response.code.eql?("403")
|
|
73
73
|
print_forbidden_error
|
|
74
74
|
raise http_error
|
|
@@ -114,7 +114,7 @@ class ChefVault
|
|
|
114
114
|
def get_key(request_actor_type)
|
|
115
115
|
api.org_scoped_rest_v1.get("#{request_actor_type}/#{name}/keys/default").fetch("public_key")
|
|
116
116
|
# If the keys endpoint doesn't exist, try getting it directly from the V0 chef object.
|
|
117
|
-
rescue Net::
|
|
117
|
+
rescue Net::HTTPClientException => http_error
|
|
118
118
|
raise http_error unless http_error.response.code.eql?("404")
|
|
119
119
|
|
|
120
120
|
if request_actor_type.eql?("clients")
|
data/lib/chef-vault/item.rb
CHANGED
|
@@ -40,6 +40,11 @@ class ChefVault
|
|
|
40
40
|
# decrypt secrets. Defaults to the value of Chef::Config[:client_key]
|
|
41
41
|
attr_accessor :client_key_path
|
|
42
42
|
|
|
43
|
+
# @!attribute [rw] client_key_contents
|
|
44
|
+
# @return [String] the contents of the private key that is used to
|
|
45
|
+
# decrypt secrets. Defaults to the value of Chef::Config[:client_key_contents]
|
|
46
|
+
attr_accessor :client_key_contents
|
|
47
|
+
|
|
43
48
|
# returns the raw keys of the underlying Chef::DataBagItem. chef-vault v2
|
|
44
49
|
# defined #keys as a public accessor that returns the ChefVault::ItemKeys
|
|
45
50
|
# object for the vault. Ideally, #keys would provide Hash-like behaviour
|
|
@@ -58,6 +63,8 @@ class ChefVault
|
|
|
58
63
|
# as. Defaults to the :node_name value of Chef::Config
|
|
59
64
|
# @option opts [String] :client_key_path the name of the node to decrypt
|
|
60
65
|
# secrets as. Defaults to the :client_key value of Chef::Config
|
|
66
|
+
# @option opts [String] :client_key_contents the private key to decrypt
|
|
67
|
+
# secrets as. Defaults to the :client_key_contents value of Chef::Config
|
|
61
68
|
def initialize(vault, name, opts = {})
|
|
62
69
|
super() # Don't pass parameters
|
|
63
70
|
@data_bag = vault
|
|
@@ -68,9 +75,11 @@ class ChefVault
|
|
|
68
75
|
opts = {
|
|
69
76
|
node_name: Chef::Config[:node_name],
|
|
70
77
|
client_key_path: Chef::Config[:client_key],
|
|
78
|
+
client_key_contents: Chef::Config[:client_key_contents],
|
|
71
79
|
}.merge(opts)
|
|
72
80
|
@node_name = opts[:node_name]
|
|
73
81
|
@client_key_path = opts[:client_key_path]
|
|
82
|
+
@client_key_contents = opts[:client_key_contents]
|
|
74
83
|
@current_query = search
|
|
75
84
|
end
|
|
76
85
|
|
|
@@ -163,7 +172,11 @@ class ChefVault
|
|
|
163
172
|
|
|
164
173
|
def secret
|
|
165
174
|
if @keys.include?(@node_name) && !@keys[@node_name].nil?
|
|
166
|
-
|
|
175
|
+
unless @client_key_contents.nil?
|
|
176
|
+
private_key = OpenSSL::PKey::RSA.new(@client_key_contents)
|
|
177
|
+
else
|
|
178
|
+
private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
|
|
179
|
+
end
|
|
167
180
|
begin
|
|
168
181
|
private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
|
|
169
182
|
rescue OpenSSL::PKey::RSAError
|
|
@@ -231,7 +244,7 @@ class ChefVault
|
|
|
231
244
|
else
|
|
232
245
|
begin
|
|
233
246
|
Chef::DataBag.load(data_bag)
|
|
234
|
-
rescue Net::
|
|
247
|
+
rescue Net::HTTPClientException => http_error
|
|
235
248
|
if http_error.response.code == "404"
|
|
236
249
|
chef_data_bag = Chef::DataBag.new
|
|
237
250
|
chef_data_bag.name data_bag
|
|
@@ -295,7 +308,7 @@ class ChefVault
|
|
|
295
308
|
begin
|
|
296
309
|
item.raw_data =
|
|
297
310
|
Chef::EncryptedDataBagItem.load(vault, name, item.secret).to_hash
|
|
298
|
-
rescue Net::
|
|
311
|
+
rescue Net::HTTPClientException => http_error
|
|
299
312
|
if http_error.response.code == "404"
|
|
300
313
|
raise ChefVault::Exceptions::ItemNotFound,
|
|
301
314
|
"#{vault}/#{name} could not be found"
|
|
@@ -351,7 +364,7 @@ class ChefVault
|
|
|
351
364
|
# and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
|
|
352
365
|
begin
|
|
353
366
|
dbi = Chef::DataBagItem.load(vault, name)
|
|
354
|
-
rescue Net::
|
|
367
|
+
rescue Net::HTTPClientException => http_error
|
|
355
368
|
if http_error.response.code == "404"
|
|
356
369
|
raise ChefVault::Exceptions::ItemNotFound,
|
|
357
370
|
"#{vault}/#{name} not found"
|
|
@@ -454,7 +467,7 @@ class ChefVault
|
|
|
454
467
|
def client_exists?(clientname)
|
|
455
468
|
Chef::ApiClient.load(clientname)
|
|
456
469
|
true
|
|
457
|
-
rescue Net::
|
|
470
|
+
rescue Net::HTTPClientException => http_error
|
|
458
471
|
return false if http_error.response.code == "404"
|
|
459
472
|
|
|
460
473
|
raise http_error
|
data/lib/chef-vault/item_keys.rb
CHANGED
|
@@ -122,7 +122,7 @@ class ChefVault
|
|
|
122
122
|
unless Chef::Config[:solo_legacy_mode]
|
|
123
123
|
begin
|
|
124
124
|
Chef::DataBag.load(data_bag)
|
|
125
|
-
rescue Net::
|
|
125
|
+
rescue Net::HTTPClientException => http_error
|
|
126
126
|
if http_error.response.code == "404"
|
|
127
127
|
chef_data_bag = Chef::DataBag.new
|
|
128
128
|
chef_data_bag.name data_bag
|
|
@@ -143,7 +143,7 @@ class ChefVault
|
|
|
143
143
|
Chef::DataBagItem.from_hash("data_bag" => data_bag,
|
|
144
144
|
"id" => sparse_id(key))
|
|
145
145
|
.destroy(data_bag, sparse_id(key))
|
|
146
|
-
rescue Net::
|
|
146
|
+
rescue Net::HTTPClientException => http_error
|
|
147
147
|
raise http_error unless http_error.response.code == "404"
|
|
148
148
|
end
|
|
149
149
|
end
|
|
@@ -234,7 +234,7 @@ class ChefVault
|
|
|
234
234
|
def self.load(vault, name)
|
|
235
235
|
begin
|
|
236
236
|
data_bag_item = Chef::DataBagItem.load(vault, name)
|
|
237
|
-
rescue Net::
|
|
237
|
+
rescue Net::HTTPClientException => http_error
|
|
238
238
|
if http_error.response.code == "404"
|
|
239
239
|
raise ChefVault::Exceptions::KeysNotFound,
|
|
240
240
|
"#{vault}/#{name} could not be found"
|
|
@@ -265,7 +265,7 @@ class ChefVault
|
|
|
265
265
|
else
|
|
266
266
|
begin
|
|
267
267
|
Chef::DataBagItem.load(@data_bag, sid)
|
|
268
|
-
rescue Net::
|
|
268
|
+
rescue Net::HTTPClientException => http_error
|
|
269
269
|
nil if http_error.response.code == "404"
|
|
270
270
|
end
|
|
271
271
|
end
|
data/lib/chef-vault/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: chef-vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.1.
|
|
4
|
+
version: 4.1.11
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Thom May
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2023-02-14 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description: Data encryption support for Chef Infra using data bags
|
|
14
14
|
email:
|
|
@@ -61,7 +61,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
61
61
|
requirements:
|
|
62
62
|
- - ">="
|
|
63
63
|
- !ruby/object:Gem::Version
|
|
64
|
-
version: '2.
|
|
64
|
+
version: '2.6'
|
|
65
65
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
66
66
|
requirements:
|
|
67
67
|
- - ">="
|