chef-vault 4.2.5 → 4.2.9

data/spec/chef-vault/item_keys_spec.rb

@@ -0,0 +1,293 @@
+RSpec.describe ChefVault::ItemKeys do
+  describe "#new" do
+    let(:keys) { ChefVault::ItemKeys.new("foo", "bar") }
+    let(:shared_secret) { "super_secret" }
+    let(:public_key_string) do
+      "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n"
+    end
+
+    it "'foo' is assigned to @data_bag" do
+      expect(keys.data_bag).to eq "foo"
+    end
+
+    it "sets the keys id to 'bar'" do
+      expect(keys["id"]).to eq "bar"
+    end
+
+    it "initializes the keys[admin] to an empty array" do
+      expect(keys["admins"]).to eq []
+    end
+
+    it "initializes the keys[clients] to an empty array" do
+      expect(keys["admins"]).to eq []
+    end
+
+    shared_context "key mgmt operations" do
+
+      shared_examples_for "proper key management" do
+        let(:chef_key) { ChefVault::Actor.new(type, name) }
+        before do
+          allow(chef_key).to receive(:key) { public_key_string }
+          keys.add(chef_key, shared_secret)
+        end
+
+        describe "#add" do
+          after do
+            keys.delete(chef_key)
+          end
+
+          context "when key is already there" do
+            context "when skip_reencryption is not specified (default to false)" do
+              it "encodes key in the data bag item under the actor's name and the name in the raw data" do
+                expect(described_class).to receive(:encode_key).with(public_key_string, shared_secret).and_return("encrypted_result")
+                keys.add(chef_key, shared_secret)
+                expect(keys[name]).to eq("encrypted_result")
+                expect(keys[type].include?(name)).to eq(true)
+                expect(keys.include?(name)).to eq(true)
+              end
+            end
+
+            context "when skip_reencryption is true" do
+              it "keeps the encoded key in the data bag item under the actor's name and the name in the raw data" do
+                expect(described_class).not_to receive(:encode_key).with(public_key_string, shared_secret)
+                keys.skip_reencryption = true
+                keys.add(chef_key, shared_secret)
+                expect(keys[name]).not_to be_empty
+                expect(keys[type].include?(name)).to eq(true)
+                expect(keys.include?(name)).to eq(true)
+              end
+            end
+          end
+
+          context "when keys not already there" do
+            before do
+              keys.delete(chef_key)
+            end
+            it "stores the encoded key in the data bag item under the actor's name and the name in the raw data" do
+              expect(described_class).to receive(:encode_key).with(public_key_string, shared_secret).and_return("encrypted_result")
+              keys.add(chef_key, shared_secret)
+              expect(keys[name]).to eq("encrypted_result")
+              expect(keys[type].include?(name)).to eq(true)
+              expect(keys.include?(name)).to eq(true)
+            end
+          end
+        end
+
+        describe "#delete" do
+          before do
+            keys.add(chef_key, shared_secret)
+          end
+
+          it "removes the actor's name from the data bag and from the array for the actor's type" do
+            keys.delete(chef_key)
+            expect(keys.has_key?(chef_key.name)).to eq(false)
+            expect(keys[type].include?(name)).to eq(false)
+            expect(keys.include?(name)).to eq(false)
+          end
+        end
+      end
+
+      context "when a client is added" do
+        let(:name) { "client_name" }
+        let(:type) { "clients" }
+        it_should_behave_like "proper key management"
+      end
+
+      context "when a admin is added" do
+        let(:name) { "admin_name" }
+        let(:type) { "admins" }
+        it_should_behave_like "proper key management"
+      end
+    end
+
+    context "when running with chef-zero" do
+      let(:server) { chef_zero }
+      before { server.start_background }
+      after  { server.stop }
+
+      include_context "key mgmt operations"
+
+      describe "#save" do
+        let(:client_name) { "client_name" }
+        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
+        before { allow(chef_key).to receive(:key) { public_key_string } }
+
+        it "should save the key data" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          expect(Chef::DataBagItem.load("foo", "bar").to_hash).to include("id" => "bar")
+          expect(keys[client_name]).not_to be_empty
+          keys.delete(chef_key)
+          keys.save("bar")
+          expect(keys[client_name]).to be_nil
+        end
+
+        it "should save the key data in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.mode("sparse")
+          keys.save("bar")
+          expect(Chef::DataBagItem.load("foo", "bar").to_hash).to include("id" => "bar")
+          expect(Chef::DataBagItem.load("foo", "bar_key_client_name").to_hash).to include("id" => "bar_key_client_name")
+          expect(keys[client_name]).not_to be_empty
+          keys.delete(chef_key)
+          keys.save("bar")
+          expect(keys[client_name]).to be_nil
+          keys.mode("default")
+        end
+
+        it "should remove key data in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          expect(keys[client_name]).not_to be_empty
+          keys.mode("sparse")
+          keys.save("bar")
+          expect(Chef::DataBagItem.load("foo", "bar").to_hash[client_name]).to be_nil
+          expect(Chef::DataBagItem.load("foo", "bar_key_client_name").to_hash).to include("id" => "bar_key_client_name")
+          expect(Chef::DataBagItem.load("foo", "bar_key_client_name").to_hash["client_name"]).not_to be_empty
+          keys.delete(chef_key)
+          keys.save("bar")
+          expect(keys[client_name]).to be_nil
+          keys.mode("default")
+        end
+      end
+
+      describe "#destroy" do
+        let(:client_name) { "client_name" }
+        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
+        before { allow(chef_key).to receive(:key) { public_key_string } }
+
+        it "should destroy the keys" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          keys.destroy
+          expect { Chef::DataBagItem.load("foo", "bar") }.to raise_error(Net::HTTPClientException)
+        end
+
+        it "should destroy the keys in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.mode("sparse")
+          keys.save("bar")
+          keys.destroy
+          expect { Chef::DataBagItem.load("foo", "bar") }.to raise_error(Net::HTTPClientException)
+          expect { Chef::DataBagItem.load("foo", "bar_key_client_name") }.to raise_error(Net::HTTPClientException)
+          keys.mode("default")
+        end
+      end
+    end
+
+    context "when running with chef-solo" do
+      before { Chef::Config[:solo_legacy_mode] = true  }
+      after  { Chef::Config[:solo_legacy_mode] = false }
+
+      include_context "key mgmt operations"
+
+      describe "#find_solo_path" do
+        context "when data_bag_path is an array" do
+          before do
+            allow(File).to receive(:exist?)
+            Chef::Config[:data_bag_path] = ["/tmp/data_bag", "/tmp/site_data_bag"]
+          end
+
+          it "should return an existing item" do
+            allow(File).to receive(:exist?).with("/tmp/site_data_bag/foo/bar.json").and_return(true)
+            dbp, dbi = keys.find_solo_path("bar")
+            expect(dbp).to eql("/tmp/site_data_bag/foo").or eq("C:/tmp/data_bag/foo")
+            expect(dbi).to eql("/tmp/site_data_bag/foo/bar.json").or eq("C:/tmp/data_bag/foo/bar.json")
+          end
+
+          it "should return the first item if none exist" do
+            dbp, dbi = keys.find_solo_path("bar")
+            expect(dbp).to eql("/tmp/data_bag/foo").or eq("C:/tmp/data_bag/foo")
+            expect(dbi).to eql("/tmp/data_bag/foo/bar.json").or eq("C:/tmp/data_bag/foo/bar.json")
+          end
+        end
+
+        context "when data_bag_path is a string" do
+          it "should return the path to the bag and the item" do
+            Chef::Config[:data_bag_path] = "/tmp/data_bag"
+            dbp, dbi = keys.find_solo_path("bar")
+            expect(dbp).to eql("/tmp/data_bag/foo").or eq("C:/tmp/data_bag/foo")
+            expect(dbi).to eql("/tmp/data_bag/foo/bar.json").or eq("C:/tmp/data_bag/foo/bar.json")
+          end
+        end
+      end
+
+      describe "#save" do
+        let(:client_name)   { "client_name" }
+        let(:chef_key)      { ChefVault::Actor.new("clients", client_name) }
+        let(:data_bag_path) { Dir.mktmpdir("vault_item_keys") }
+
+        before do
+          Chef::Config[:data_bag_path] = data_bag_path
+          allow(chef_key).to receive(:key) { public_key_string }
+        end
+
+        it "should save the key data" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          expect(File.read(File.join(data_bag_path, "foo", "bar.json"))).to match(/"id":.*"bar"/)
+          expect(keys[client_name]).not_to be_empty
+          keys.delete(chef_key)
+          keys.save("bar")
+          expect(keys[client_name]).to be_nil
+        end
+
+        it "should save the key data in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.mode("sparse")
+          keys.save("bar")
+          expect(File.read(File.join(data_bag_path, "foo", "bar.json"))).to match(/"id":.*"bar"/)
+          expect(File.read(File.join(data_bag_path, "foo", "bar_key_client_name.json"))).to match(/"id":.*"bar_key_client_name"/)
+          expect(keys[client_name]).not_to be_empty
+          keys.delete(chef_key)
+          keys.save("bar")
+          expect(keys[client_name]).to be_nil
+          keys.mode("default")
+        end
+
+        it "should remove key data in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          expect(keys[client_name]).not_to be_empty
+          keys.mode("sparse")
+          keys.save("bar")
+          expect(File.read(File.join(data_bag_path, "foo", "bar.json"))).to match(/"id":.*"bar"/)
+          expect(File.read(File.join(data_bag_path, "foo", "bar_key_client_name.json"))).to match(/"id":.*"bar_key_client_name"/)
+          expect(File.read(File.join(data_bag_path, "foo", "bar_key_client_name.json"))).to match(/"client_name": ".*"/)
+          keys.delete(chef_key)
+          keys.save("bar")
+          expect(keys[client_name]).to be_nil
+          keys.mode("default")
+        end
+      end
+
+      describe "#destroy" do
+        let(:client_name) { "client_name" }
+        let(:chef_key) { ChefVault::Actor.new("clients", client_name) }
+        let(:data_bag_path) { Dir.mktmpdir("vault_item_keys") }
+
+        before do
+          Chef::Config[:data_bag_path] = data_bag_path
+          allow(chef_key).to receive(:key) { public_key_string }
+        end
+
+        it "should destroy the keys" do
+          keys.add(chef_key, shared_secret)
+          keys.save("bar")
+          keys.destroy
+          expect(File.exist?(File.join(data_bag_path, "foo", "bar.json"))).to be(false)
+        end
+
+        it "should destroy the keys in sparse mode" do
+          keys.add(chef_key, shared_secret)
+          keys.mode("sparse")
+          keys.save("bar")
+          keys.destroy
+          expect(File.exist?(File.join(data_bag_path, "foo", "bar.json"))).to be(false)
+          expect(File.exist?(File.join(data_bag_path, "foo", "bar_key_client_name.json"))).to be(false)
+          keys.mode("default")
+        end
+      end
+    end
+  end
+end

data/spec/chef-vault/item_spec.rb

@@ -0,0 +1,394 @@
+require "openssl"
+
+RSpec.describe ChefVault::Item do
+  subject(:item) { ChefVault::Item.new("foo", "bar") }
+  let(:options) { { chef: "bar", values: "foo" } }
+
+  before do
+    item["foo"] = "bar"
+    http_response = double("http_response")
+    allow(http_response).to receive(:code).and_return("404")
+    non_existing = Net::HTTPClientException.new("http error message", http_response)
+
+    allow(Chef::DataBagItem).to receive(:load).with(anything, /_key_/).and_raise(non_existing)
+  end
+
+  describe "vault probe predicates" do
+    before do
+      # a normal data bag item
+      @db = { "foo" => "..." }
+      @dbi = Chef::DataBagItem.new
+      @dbi.data_bag("normal")
+      @dbi.raw_data = { "id" => "foo", "foo" => "bar" }
+      allow(@db).to receive(:load).with("foo").and_return(@dbi)
+      allow(Chef::DataBag).to receive(:load).with("normal").and_return(@db)
+      allow(Chef::DataBagItem).to receive(:load).with("normal", "foo").and_return(@dbi)
+
+      # an encrypted data bag item (non-vault)
+      @encdb = { "foo" => "..." }
+      @encdbi = Chef::DataBagItem.new
+      @encdbi.data_bag("encrypted")
+      @encdbi.raw_data = {
+        "id" => "foo",
+        "foo" => { "encrypted_data" => "..." },
+      }
+      allow(@encdb).to receive(:load).with("foo").and_return(@encdbi)
+      allow(Chef::DataBag).to receive(:load).with("encrypted").and_return(@encdb)
+      allow(Chef::DataBagItem).to receive(:load).with("encrypted", "foo").and_return(@encdbi)
+
+      # two items that make up a vault
+      @vaultdb = { "foo" => "...", "foo_keys" => "..." }
+      @vaultdbi = Chef::DataBagItem.new
+      @vaultdbi.data_bag("vault")
+      @vaultdbi.raw_data = {
+        "id" => "foo",
+        "foo" => { "encrypted_data" => "..." },
+      }
+      allow(@vaultdb).to receive(:load).with("foo").and_return(@vaultdbi)
+      @vaultdbki = Chef::DataBagItem.new
+      @vaultdbki.data_bag("vault")
+      @vaultdbki.raw_data = { "id" => "foo_keys" }
+
+      allow(@vaultdb).to receive(:load).with("foo_keys").and_return(@vaultdbki)
+      allow(Chef::DataBag).to receive(:load).with("vault").and_return(@vaultdb)
+      allow(Chef::DataBagItem).to receive(:load).with("vault", "foo").and_return(@vaultdbi)
+      @orig_stdout = $stdout
+      $stdout = File.open(File::NULL, "w")
+    end
+
+    after do
+      $stdout = @orig_stdout
+    end
+
+    describe "::vault?" do
+      it "should detect a vault item" do
+        expect(ChefVault::Item.vault?("vault", "foo")).to be_truthy
+      end
+
+      it "should detect non-vault items" do
+        expect(ChefVault::Item.vault?("normal", "foo")).not_to be_truthy
+        expect(ChefVault::Item.vault?("encrypted", "foo")).not_to be_truthy
+      end
+    end
+
+    describe "::data_bag_item_type" do
+      it "should detect a vault item" do
+        expect(ChefVault::Item.data_bag_item_type("vault", "foo")).to eq(:vault)
+      end
+
+      it "should detect an encrypted data bag item" do
+        expect(ChefVault::Item.data_bag_item_type("encrypted", "foo")).to eq(:encrypted)
+      end
+
+      it "should detect a normal data bag item" do
+        expect(ChefVault::Item.data_bag_item_type("normal", "foo")).to eq(:normal)
+      end
+
+      it "outputs the loaded item credentials on the stdout" do
+        expect { ChefVault::Item.format_output(options[:values], @dbi) }.to output("foo: bar\n").to_stdout
+      end
+    end
+  end
+
+  describe "::new" do
+    it "item[keys] is an instance of ChefVault::ItemKeys" do
+      expect(item.keys).to be_an_instance_of(ChefVault::ItemKeys)
+    end
+
+    it "the item's 'vault' parameter is assigned to data_bag" do
+      expect(item.data_bag).to eq "foo"
+    end
+
+    it "the vault item name is assiged to the data bag ['id']" do
+      expect(item["id"]).to eq "bar"
+    end
+
+    it "creates a corresponding 'keys' data bag with an '_keys' id" do
+      expect(item.keys["id"]).to eq "bar_keys"
+    end
+
+    it "sets the item keys data bag to 'foo'" do
+      expect(item.keys.data_bag).to eq "foo"
+    end
+
+    it "defaults the node name" do
+      item = ChefVault::Item.new("foo", "bar")
+      expect(item.node_name).to eq(Chef::Config[:node_name])
+    end
+
+    it "defaults the client key path" do
+      item = ChefVault::Item.new("foo", "bar")
+      expect(item.client_key_path).to eq(Chef::Config[:client_key])
+    end
+
+    it "defaults the client key contents" do
+      item = ChefVault::Item.new("foo", "bar")
+      expect(item.client_key_contents).to eq(Chef::Config[:client_key_contents])
+    end
+
+    it "allows for a node name override" do
+      item = ChefVault::Item.new("foo", "bar", node_name: "baz")
+      expect(item.node_name).to eq("baz")
+    end
+
+    it "allows for a client key path override" do
+      item = ChefVault::Item.new("foo", "bar", client_key_path: "/foo/client.pem")
+      expect(item.client_key_path).to eq("/foo/client.pem")
+    end
+
+    it "allows for a client key contents override" do
+      item = ChefVault::Item.new("foo", "bar", client_key_contents: "baz")
+      expect(item.client_key_contents).to eq("baz")
+    end
+
+    it "allows for both node name and client key overrides" do
+      item = ChefVault::Item.new(
+        "foo", "bar",
+        node_name: "baz",
+        client_key_path: "/foo/client.pem"
+      )
+      expect(item.node_name).to eq("baz")
+      expect(item.client_key_path).to eq("/foo/client.pem")
+    end
+
+    it "allows for node name, client key and client key contents overrides" do
+      item = ChefVault::Item.new(
+        "foo", "bar",
+        node_name: "baz",
+        client_key_path: "/foo/client.pem",
+        client_key_contents: "qux"
+      )
+      expect(item.node_name).to eq("baz")
+      expect(item.client_key_path).to eq("/foo/client.pem")
+      expect(item.client_key_contents).to eq("qux")
+    end
+  end
+
+  describe "::load" do
+    it "allows for both node name and client key overrides" do
+      keys_db = Chef::DataBagItem.new
+      keys_db.raw_data = {
+        "id" => "bar_keys",
+        "baz" => "...",
+      }
+      allow(ChefVault::ItemKeys)
+        .to receive(:load)
+        .and_return(keys_db)
+      fh = double "private key handle"
+      allow(fh).to receive(:read).and_return("...")
+      allow(File).to receive(:open).and_return(fh)
+      privkey = double "private key contents"
+      allow(privkey).to receive(:private_decrypt).and_return("sekrit")
+      allow(OpenSSL::PKey::RSA).to receive(:new).and_return(privkey)
+      allow(Chef::EncryptedDataBagItem).to receive(:load).and_return(
+        "id" => "bar",
+        "password" => "12345"
+      )
+      item = ChefVault::Item.load(
+        "foo", "bar",
+        node_name: "baz",
+        client_key_path: "/foo/client.pem"
+      )
+      expect(item.node_name).to eq("baz")
+      expect(item.client_key_path).to eq("/foo/client.pem")
+    end
+  end
+
+  describe "#save" do
+    context 'when item["id"] is bar.bar' do
+      let(:item) { ChefVault::Item.new("foo", "bar.bar") }
+      it "raises an error on save with an invalid item['id']" do
+        expect { item.save }.to raise_error(RuntimeError)
+      end
+    end
+
+    it "validates that the id of the vault matches the id of the keys data bag" do
+      item = ChefVault::Item.new("foo", "bar")
+      item["id"] = "baz"
+      item.keys["clients"] = %w{admin}
+      expect { item.save }.to raise_error(ChefVault::Exceptions::IdMismatch)
+    end
+  end
+
+  describe "#refresh" do
+    let(:node) { { "name" => "testnode" } }
+
+    it "saves only the keys" do
+      keys = double("keys",
+        search_query: "*:*",
+        add: nil,
+        admins: [],
+        clients: ["testnode"])
+      allow(keys).to receive(:[]).with("id").and_return("bar_keys")
+      allow(ChefVault::ItemKeys).to receive(:new).and_return(keys)
+
+      item = ChefVault::Item.new("foo", "bar")
+
+      query = double("query")
+      allow(Chef::Search::Query).to receive(:new).and_return(query)
+      allow(query).to receive(:search).and_yield(node)
+
+      client_key = double("client_key",
+        name: "testnode",
+        public_key: OpenSSL::PKey::RSA.new(1024).public_key)
+      allow(item).to receive(:load_actor).with("testnode", "clients").and_return(client_key)
+
+      expect(item).not_to receive(:save)
+      expect(keys).to receive(:save)
+      item.refresh
+    end
+  end
+
+  describe "#clients" do
+    context "when search returns a node with a valid client backing it and one without a valid client" do
+      let(:node_with_valid_client) { { "name" => "foo" } }
+      let(:node_without_valid_client) { { "name" => "bar" } }
+      let(:query_result) { double("chef search results") }
+      let(:client_key) { double("chef key") }
+
+      before do
+        # node with valid client proper loads client key
+        allow(item).to receive(:load_actor).with("foo", "clients").and_return(client_key)
+        privkey = OpenSSL::PKey::RSA.new(1024)
+        pubkey = privkey.public_key
+        allow(client_key).to receive(:key).and_return(pubkey.to_pem)
+        allow(client_key).to receive(:name).and_return("foo")
+        allow(client_key).to receive(:type).and_return("clients")
+
+        # node without client throws relevant error on key load
+        allow(item).to receive(:load_actor).with("bar", "clients").and_raise(ChefVault::Exceptions::ClientNotFound)
+
+        allow(query_result)
+          .to receive(:search)
+          .with(Symbol, String, Hash)
+          .and_yield(node_with_valid_client).and_yield(node_without_valid_client)
+        allow(Chef::Search::Query)
+          .to receive(:new)
+          .and_return(query_result)
+      end
+
+      it "should not blow up when search returns a node without a public key" do
+        # try to set clients when we know a node is missing a public key
+        # this should not die as of v2.4.1
+        expect { item.clients("*:*") }.not_to raise_error
+      end
+
+      it "should emit a warning if search returns a node without a public key" do
+        # it should however emit a warning that you have a borked node
+        expect(ChefVault::Log).to receive(:warn).with(/node 'bar' has no 'default' public key; skipping/)
+        item.clients("*:*")
+      end
+    end
+
+    context "when a Chef::ApiClient is passed" do
+      let(:client) { Chef::ApiClient.new }
+      let(:client_name) { "foo" }
+      let(:client_key) { double("chef key") }
+
+      before do
+        client.name client_name
+        privkey = OpenSSL::PKey::RSA.new(1024)
+        pubkey = privkey.public_key
+        allow(item).to receive(:load_actor).with(client_name, "clients").and_return(client_key)
+        allow(client_key).to receive(:key).and_return(pubkey.to_pem)
+        allow(client_key).to receive(:name).and_return(client_name)
+        allow(client_key).to receive(:type).and_return("clients")
+      end
+
+      context "when no action is passed" do
+        it "default to add and properly add the client" do
+          item.clients(client)
+          expect(item.get_clients).to include(client_name)
+        end
+
+        it "does not perform a query" do
+          expect(Chef::Search::Query).not_to receive(:new)
+          item.clients(client)
+        end
+      end
+
+      context "when the delete action is passed on an existing client" do
+        before do
+          # add the client
+          item.clients(client)
+        end
+
+        it "properly deletes the client" do
+          item.clients(client, :delete)
+          expect(item.get_clients).to_not include(client_name)
+        end
+
+        it "does not perform a query" do
+          expect(Chef::Search::Query).not_to receive(:new)
+          item.clients(client, :delete)
+        end
+      end
+    end
+
+    context "when an Array with named clients is passed" do
+      let(:client) { Chef::ApiClient.new }
+      let(:clients) { [] }
+      let(:client_name) { "foo" }
+      let(:client_key) { double("chef key") }
+
+      before do
+        clients << client_name
+        client.name client_name
+        privkey = OpenSSL::PKey::RSA.new(1024)
+        pubkey = privkey.public_key
+        allow(item).to receive(:load_actor).with(client_name, "clients").and_return(client_key)
+        allow(client_key).to receive(:key).and_return(pubkey.to_pem)
+        allow(client_key).to receive(:name).and_return(client_name)
+        allow(client_key).to receive(:type).and_return("clients")
+      end
+
+      context "when no action is passed" do
+        it "defaults to add and properly adds the client" do
+          item.clients(clients)
+          expect(item.get_clients).to include(client_name)
+        end
+
+        it "does not perform a query" do
+          expect(Chef::Search::Query).not_to receive(:new)
+          item.clients(clients)
+        end
+      end
+
+      context "when the delete action is passed on an existing client" do
+        before do
+          # add the client
+          item.clients(clients)
+        end
+
+        it "properly deletes the client" do
+          item.clients(clients, :delete)
+          expect(item.get_clients).to_not include(client_name)
+        end
+
+        it "does not perform a query" do
+          expect(Chef::Search::Query).not_to receive(:new)
+          item.clients(clients, :delete)
+        end
+      end
+    end
+  end
+
+  describe "#admins" do
+    before do
+      allow(item).to receive(:load_actor).with("foo", "admins").and_raise(ChefVault::Exceptions::AdminNotFound)
+    end
+
+    it "should blow up if you try to use a node without a public key as an admin" do
+      expect { item.admins("foo,bar") }
+        .to raise_error(ChefVault::Exceptions::AdminNotFound)
+    end
+  end
+
+  describe "#raw_keys" do
+    it "should return the keys of the underlying data bag item" do
+      item = ChefVault::Item.new("foo", "bar")
+      item["foo"] = "bar"
+      expect(item.raw_keys).to eq(%w{id foo})
+    end
+  end
+end