chef-vault 1.0.1 → 1.1.0

data/README.rdoc

@@ -81,6 +81,27 @@ you can create a new instance of ChefVault.
   cert = vault.certificate("domain.com")
   contents = cert.decrypt_contents
 
+= USAGE STAND ALONE
+
+chef-vault can be used a stand alone binary to decrypt values stored in chef.
+It requires that chef is installed on the system and that you have a valid
+knife.rb.  This is useful if you want to mix chef-vault into non-chef recipe
+code, for example some other script where you want to protect a password.
+
+It does still require that the data bag has been encrypted for the user's or
+client's pem and pushed to the chef server.  It mixes chef into the gem and 
+uses it to go grab the data bag.
+
+Do chef-vault --help for all available options
+
+== Example usage (password)
+
+  chef-vault -u Administrator -k /etc/chef/knife.rb
+
+== Example usage (certificate)
+
+  chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
+
 = LICENSE:
 
 Author:: Kevin Moser (<kevin.moser@nordstrom.com>)

data/bin/chef-vault

@@ -0,0 +1,91 @@
+#!/usr/bin/env ruby
+#
+# ./chef-vault - Run chef-vault and decrypt based on parameters
+#
+# Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
+# Copyright:: Copyright (c) 2013 Nordstrom, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'optparse'
+
+options_config = {
+  chef: {
+    short: "k",
+    long: "chef-config-file",
+    description: "Chef config file",
+    default: "/etc/chef/knife.rb",
+    optional: false
+  },
+  user: {
+    short: "u",
+    long: "username",
+    description: "Username to decrypt password for",
+    default: nil,
+    optional: true
+  },  
+  cert: {
+    short: "c",
+    long: "certificate",
+    description: "Certificate to decrypt contents of",
+    default: nil,
+    optional: true
+  }
+}
+
+banner = "Usage: chef-vault "
+options_config.each do |option, config|
+  if config[:optional]
+    banner << "[--#{config[:long]} #{config[:long].upcase}] "
+  else
+    banner << "--#{config[:long]} #{config[:long].upcase} "
+  end    
+end
+
+options = {}
+OptionParser.new do |opts|
+  opts.banner = banner
+
+  options_config.each do |option, config|
+    description = "#{config[:description]}"
+    description << " (#{config[:default]})" if config[:default]
+    description << " MANDATORY" unless config[:default]
+    opts.on("-#{config[:short]}", "--#{config[:long]} #{config[:long].upcase}", description) do |opt|
+      options[option] = opt
+    end
+  end
+end.parse!
+
+options_config.each do |option, config|
+  raise OptionParser::MissingArgument if (options[option].nil? && !config[:optional])
+end
+
+options_config.each do |option, config|
+  options[option] = options[option] ? options[option] : config[:default]
+end
+
+require 'rubygems'
+$:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
+require 'chef-vault'
+
+if options[:user]
+  vault = ChefVault.new("passwords", options[:chef])
+
+  user = vault.user(options[:user])
+  puts user.decrypt_password
+else
+  vault = ChefVault.new("certs", options[:chef])
+  cert = vault.certificate(options[:cert])
+  puts cert.decrypt_contents
+end

data/chef-vault.gemspec

@@ -13,5 +13,8 @@ Gem::Specification.new do |s|
   
   s.files            = `git ls-files`.split("\n")
   s.add_dependency "chef", ">= 0.10.10"
-  s.require_paths = ["lib"]
+  s.require_paths    = ["lib"]
+  
+  s.bindir           = "bin"
+  s.executables      = %w( chef-vault )
 end

data/lib/chef-vault.rb

@@ -20,13 +20,16 @@ require 'chef'
 require 'chef-vault/user'
 require 'chef-vault/certificate'
 require 'chef-vault/version'
+require 'chef-vault/chef/offline'
 
 class ChefVault
 
   attr_accessor :data_bag
+  attr_accessor :chef_config_file
 
-  def initialize(data_bag)
+  def initialize(data_bag, chef_config_file=nil)
     @data_bag = data_bag
+    @chef_config_file = chef_config_file
   end
 
   def version
@@ -34,10 +37,10 @@ class ChefVault
   end
 
   def user(username)
-    ChefVault::User.new(@data_bag, username)
+    ChefVault::User.new(@data_bag, username, @chef_config_file)
   end
 
   def certificate(name)
-    ChefVault::Certificate.new(@data_bag, name)
+    ChefVault::Certificate.new(@data_bag, name, @chef_config_file)
   end
 end

data/lib/chef-vault/certificate.rb

@@ -2,16 +2,26 @@ class ChefVault
   class Certificate
     attr_accessor :name
 
-    def initialize(data_bag, name)
+    def initialize(data_bag, name, chef_config_file)
       @name = name
       @data_bag = data_bag
+
+      if chef_config_file
+        chef = ChefVault::ChefOffline.new(chef_config_file)
+        chef.connect
+      end
     end
 
     def decrypt_contents
       # use the private client_key file to create a decryptor
       private_key = open(Chef::Config[:client_key]).read
       private_key = OpenSSL::PKey::RSA.new(private_key)
-      keys = Chef::DataBagItem.load(@data_bag, "#{name}_keys")
+      
+      begin
+        keys = Chef::DataBagItem.load(@data_bag, "#{name}_keys")
+      rescue
+        throw "Could not find data bag item #{name}_keys in data bag #{@data_bag}"
+      end
 
       unless keys[Chef::Config[:node_name]]
         throw "#{name} is not encrypted for you!  Rebuild the certificate data bag"

data/lib/chef-vault/chef/offline.rb

@@ -0,0 +1,14 @@
+class ChefVault
+  class ChefOffline
+    attr_accessor :config_file
+
+    def initialize(config_file)
+      @config_file = config_file
+    end
+
+    def connect
+      require 'chef'
+      ::Chef::Config.from_file(@config_file)
+    end
+  end
+end

data/lib/chef-vault/user.rb

@@ -2,16 +2,26 @@ class ChefVault
   class User
     attr_accessor :username
 
-    def initialize(data_bag, username)
+    def initialize(data_bag, username, chef_config_file)
       @username = username
       @data_bag = data_bag
+
+      if chef_config_file
+        chef = ChefVault::ChefOffline.new(chef_config_file)
+        chef.connect
+      end
     end
 
     def decrypt_password
       # use the private client_key file to create a decryptor
       private_key = open(Chef::Config[:client_key]).read
       private_key = OpenSSL::PKey::RSA.new(private_key)
-      keys = Chef::DataBagItem.load(@data_bag, "#{username}_keys")
+      
+      begin
+        keys = Chef::DataBagItem.load(@data_bag, "#{username}_keys")
+      rescue
+        throw "Could not find data bag item #{username}_keys in data bag #{@data_bag}"
+      end
 
       unless keys[Chef::Config[:node_name]]
         throw "Password for #{username} is not encrypted for you!  Rebuild the password data bag"

data/lib/chef-vault/version.rb

@@ -1,4 +1,4 @@
 class ChefVault
-  VERSION = "1.0.1"
+  VERSION = "1.1.0"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.0
   prerelease: 
 platform: ruby
 authors:
@@ -30,15 +30,18 @@ dependencies:
 description: Data encryption support for chef using data bags
 email:
 - kevin.moser@nordstrom.com
-executables: []
+executables:
+- chef-vault
 extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
 - README.rdoc
+- bin/chef-vault
 - chef-vault.gemspec
 - lib/chef-vault.rb
 - lib/chef-vault/certificate.rb
+- lib/chef-vault/chef/offline.rb
 - lib/chef-vault/user.rb
 - lib/chef-vault/version.rb
 - lib/chef/knife/DecryptCert.rb