chef-vault 1.2.0 → 1.2.1

@@ -0,0 +1,161 @@
1
+ # Chef-Vault
2
+
3
+ ## DESCRIPTION:
4
+
5
+ Gem that allows you to encrypt passwords and certificates using the public keys of
6
+ a list of chef nodes. This allows only those chef nodes to decrypt the
7
+ password or certificate.
8
+
9
+ ## INSTALLATION:
10
+
11
+ Be sure you are running the latest version Chef. Versions earlier than 0.10.0
12
+ don't support plugins:
13
+
14
+ gem install chef
15
+
16
+ This plugin is distributed as a Ruby Gem. To install it, run:
17
+
18
+ gem install chef-vault
19
+
20
+ Depending on your system's configuration, you may need to run this command with
21
+ root privileges.
22
+
23
+ ## CONFIGURATION:
24
+
25
+ ## KNIFE COMMANDS:
26
+
27
+ This plugin provides the following Knife subcommands.
28
+ Specific command options can be found by invoking the subcommand with a
29
+ <tt>--help</tt> flag
30
+
31
+ ### knife encrypt password
32
+
33
+ Use this knife command to encrypt the username and password that you want to
34
+ protect. Only Chef nodes returned by the `--search` at the time of encryption
35
+ will be able to decrypt the password.
36
+
37
+ ```bash
38
+ $ knife encrypt password --search SEARCH --username USERNAME --password PASSWORD
39
+ --admins ADMINS
40
+ ```
41
+
42
+ In the example below, the `mysql_user`'s password will be encrypted using the
43
+ public keys of the nodes in the `web_server` role. In addition to the servers in
44
+ the `web_server` role, Chef users `alice`, `bob`, and `carol` will also be able
45
+ to decrypt the password, an encrypted data bag item.
46
+
47
+ ```bash
48
+ $ knife encrypt password --search "role:web_server" --username mysql_user
49
+ --password "P@ssw0rd" --admins "alice,bob,carol"
50
+ ```
51
+
52
+ ### knife decrypt password
53
+
54
+ Use this knife command to decrypt the password that is protected. This is
55
+ currently hard-coded to look for an encrypted data bag named "passwords" on the
56
+ Chef server.
57
+
58
+ knife decrypt password --username USERNAME
59
+
60
+ ### knife encrypt cert
61
+
62
+ Use this knife command to encrypt the contents of a certificate that you want to
63
+ protect. Only Chef nodes returned by the `--search` at the time of encryption
64
+ will be able to decrypt the certificate.
65
+
66
+ Typically you will decrypt the contents as part of a recipe and write them out
67
+ to a certificate on your Chef node.
68
+
69
+ ```bash
70
+ $ knife encrypt cert --search SEARCH --cert CERT --password PASSWORD
71
+ --name NAME --admins ADMINS
72
+ ```
73
+
74
+ In the example below, the `~/ssl/web_server_cert.pem` certificate will be
75
+ encrypted using the public keys of the nodes in the `web_server` role. You can
76
+ reference the name of the certificate (`web_public_key`) in a recipe when you
77
+ need to decrypt it. In addition to the servers in the `web_server` role, Chef
78
+ users `alice`, `bob`, and `carol` will also be able to decrypt the contents of
79
+ the certificate, an encrypted data bag item.
80
+
81
+ ```bash
82
+ $ knife encrypt cert --search "role:web_server" --cert
83
+ ~/ssl/web_server_cert.pem --name web_public_key --admins 'alice,bob,carol'
84
+ ```
85
+
86
+ ### knife decrypt cert
87
+
88
+ Use this knife command to decrypt the certificate that is protected. This is
89
+ currently hard-coded to look for an encrypted data bag named `certs` on the Chef
90
+ server.
91
+
92
+ knife decrypt cert --name NAME
93
+
94
+ ## USAGE IN RECIPES
95
+
96
+ To use this gem in a recipe to decrypt data you must first install the gem
97
+ via a chef_gem resource. Once the gem is installed require the gem and then
98
+ you can create a new instance of ChefVault.
99
+
100
+ ### Example Code (password)
101
+
102
+ ```ruby
103
+ chef_gem "chef-vault"
104
+
105
+ require 'chef-vault'
106
+
107
+ vault = ChefVault.new("passwords")
108
+ user = vault.user("mysql_user")
109
+ password = user.decrypt_password
110
+ ```
111
+
112
+ ### Example Code (certificate)
113
+
114
+ ```ruby
115
+ chef_gem "chef-vault"
116
+
117
+ require 'chef-vault'
118
+
119
+ vault = ChefVault.new("certs")
120
+ cert = vault.certificate("web_public_key")
121
+ contents = cert.decrypt_contents
122
+ ```
123
+
124
+ ## USAGE STAND ALONE
125
+
126
+ `chef-vault` can be used a stand alone binary to decrypt values stored in Chef.
127
+ It requires that Chef is installed on the system and that you have a valid
128
+ knife.rb. This is useful if you want to mix `chef-vault` into non-Chef recipe
129
+ code, for example some other script where you want to protect a password.
130
+
131
+ It does still require that the data bag has been encrypted for the user's or
132
+ client's pem and pushed to the Chef server. It mixes Chef into the gem and
133
+ uses it to go grab the data bag.
134
+
135
+ Do `chef-vault --help` for all available options
136
+
137
+ ### Example usage (password)
138
+
139
+ chef-vault -u Administrator -k /etc/chef/knife.rb
140
+
141
+ ### Example usage (certificate)
142
+
143
+ chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
144
+
145
+ ## License and Author:
146
+
147
+ Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
148
+ Copyright:: Copyright (c) 2013 Nordstrom, Inc.
149
+ License:: Apache License, Version 2.0
150
+
151
+ Licensed under the Apache License, Version 2.0 (the "License");
152
+ you may not use this file except in compliance with the License.
153
+ You may obtain a copy of the License at
154
+
155
+ http://www.apache.org/licenses/LICENSE-2.0
156
+
157
+ Unless required by applicable law or agreed to in writing, software
158
+ distributed under the License is distributed on an "AS IS" BASIS,
159
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
160
+ See the License for the specific language governing permissions and
161
+ limitations under the License.
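Review bot: the commands inside the ```bash fences (`knife encrypt password ... --admins ADMINS`, `knife encrypt cert ... --admins ADMINS` and both worked examples) are wrapped onto a second line without a trailing `\`, so they fail if copied as shown; add a line continuation or keep each command on one line. The `knife encrypt cert` synopsis also lists `--password PASSWORD`, but the worked example omits it and the text never says what that password is for. The examples pass the secret on the command line (`--password "P@ssw0rd"`), which leaves it in shell history and visible in the process list while the command runs; a sentence recommending a prompt or an environment variable would be worth adding. Minor: "the latest version Chef" is missing "of", `<tt>--help</tt>` is RDoc markup left over in a Markdown file (use backticks), and the stand-alone examples still use `Administrator` / `wildcard_domain_com` while the recipe examples were renamed to `mysql_user` / `web_public_key`.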
@@ -1,4 +1,4 @@
1
1
  class ChefVault
2
- VERSION = "1.2.0"
2
+ VERSION = "1.2.1"
3
3
  MAJOR, MINOR, TINY = VERSION.split('.')
4
4
  end
@@ -89,7 +89,7 @@ class EncryptCert < Chef::Knife
89
89
  end
90
90
 
91
91
  # Get the public keys for the admin users, skipping users already in the data bag
92
- public_keys << admins.split(",").map do |user|
92
+ public_keys << admins.split(/[\s,]+/).map do |user|
93
93
  begin
94
94
  if current_dbi_keys[user]
95
95
  puts("INFO: Skipping #{user} as it is already in the data bag")
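Review bot: `admins.split(/[\s,]+/)` still yields a leading empty string when the value begins with a separator (`" alice,bob".split(/[\s,]+/)` returns `["", "alice", "bob"]`; Ruby drops trailing empties but not leading ones), and that empty name then goes through the user lookup in the `begin` block; consider `admins.split(/[\s,]+/).reject(&:empty?)` or calling `strip` first. The README added in this same release still documents `--admins` as comma-separated only; mention that whitespace-separated lists are accepted too.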
@@ -87,7 +87,7 @@ class EncryptPassword < Chef::Knife
87
87
  end
88
88
 
89
89
  # Get the public keys for the admin users, skipping users already in the data bag
90
- public_keys << admins.split(",").map do |user|
90
+ public_keys << admins.split(/[\s,]+/).map do |user|
91
91
  begin
92
92
  if current_dbi_keys[user]
93
93
  puts("INFO: Skipping #{user} as it is already in the data bag")
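Review bot: this is the same parsing change as in `EncryptCert`, with the same leading-empty-string edge case. Since the admin-list parsing (and the surrounding skip-if-already-present loop) is now duplicated across two knife plugins, moving it into one shared helper on `ChefVault` would keep the two from drifting apart the next time the separator rules change.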
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: chef-vault
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.2.0
4
+ version: 1.2.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2013-04-17 00:00:00.000000000 Z
12
+ date: 2013-04-23 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: chef
@@ -36,7 +36,7 @@ extensions: []
36
36
  extra_rdoc_files: []
37
37
  files:
38
38
  - .gitignore
39
- - README.rdoc
39
+ - README.md
40
40
  - bin/chef-vault
41
41
  - chef-vault.gemspec
42
42
  - lib/chef-vault.rb
@@ -1,123 +0,0 @@
1
-
2
- = Chef-Vault
3
-
4
- = DESCRIPTION:
5
-
6
- Gem that allows you to encrypt passwords & certificates using the public key of
7
- a list of chef nodes. This allows only those chef nodes to decrypt the
8
- password or certificate.
9
-
10
- This is supported on both Chef 10 and Chef 11 API.
11
-
12
- = INSTALLATION:
13
-
14
- Be sure you are running the latest version Chef. Versions earlier than 0.10.0
15
- don't support plugins:
16
-
17
- gem install chef
18
-
19
- This plugin is distributed as a Ruby Gem. To install it, run:
20
-
21
- gem install chef-vault
22
-
23
- Depending on your system's configuration, you may need to run this command with
24
- root privileges.
25
-
26
- = CONFIGURATION:
27
-
28
- = KNIFE COMMANDS:
29
-
30
- This plugin provides the following Knife subcommands.
31
- Specific command options can be found by invoking the subcommand with a
32
- <tt>--help</tt> flag
33
-
34
- == knife encrypt password
35
-
36
- Use this knife command to encrypt the username and password that you want to
37
- protect.
38
-
39
- knife encrypt password --search SEARCH --username USERNAME --password PASSWORD --admins ADMINS
40
-
41
- == knife decrypt password
42
-
43
- Use this knife command to dencrypt the password that is protected
44
-
45
- knife decrypt password --username USERNAME
46
-
47
- == knife encrypt cert
48
-
49
- Use this knife command to encrypt the contents of a certificate that you want
50
- to protect.
51
-
52
- knife encrypt cert --search SEARCH --cert CERT --password PASSWORD --name NAME --admins ADMINS
53
-
54
- == knife decrypt cert
55
-
56
- Use this knife command to dencrypt the certificate that is protected
57
-
58
- knife decrypt cert --name NAME
59
-
60
- = USAGE IN RECIPES
61
-
62
- To use this gem in a recipe to decrypt data you must first install the gem
63
- via a chef_gem resource. Once the gem is installed require the gem and then
64
- you can create a new instance of ChefVault.
65
-
66
- == Example Code (password)
67
-
68
- chef_gem "chef-vault"
69
-
70
- require 'chef-vault'
71
-
72
- vault = ChefVault.new("passwords")
73
- user = vault.user("Administrator")
74
- password = user.decrypt_password
75
-
76
- == Example Code (certificate)
77
-
78
- chef_gem "chef-vault"
79
-
80
- require 'chef-vault'
81
-
82
- vault = ChefVault.new("certs")
83
- cert = vault.certificate("domain.com")
84
- contents = cert.decrypt_contents
85
-
86
- = USAGE STAND ALONE
87
-
88
- chef-vault can be used a stand alone binary to decrypt values stored in chef.
89
- It requires that chef is installed on the system and that you have a valid
90
- knife.rb. This is useful if you want to mix chef-vault into non-chef recipe
91
- code, for example some other script where you want to protect a password.
92
-
93
- It does still require that the data bag has been encrypted for the user's or
94
- client's pem and pushed to the chef server. It mixes chef into the gem and
95
- uses it to go grab the data bag.
96
-
97
- Do chef-vault --help for all available options
98
-
99
- == Example usage (password)
100
-
101
- chef-vault -u Administrator -k /etc/chef/knife.rb
102
-
103
- == Example usage (certificate)
104
-
105
- chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
106
-
107
- = LICENSE:
108
-
109
- Author:: Kevin Moser (<kevin.moser@nordstrom.com>)
110
- Copyright:: Copyright (c) 2013 Nordstrom, Inc.
111
- License:: Apache License, Version 2.0
112
-
113
- Licensed under the Apache License, Version 2.0 (the "License");
114
- you may not use this file except in compliance with the License.
115
- You may obtain a copy of the License at
116
-
117
- http://www.apache.org/licenses/LICENSE-2.0
118
-
119
- Unless required by applicable law or agreed to in writing, software
120
- distributed under the License is distributed on an "AS IS" BASIS,
121
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
122
- See the License for the specific language governing permissions and
123
- limitations under the License.
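Review bot: the deleted README.rdoc stated "This is supported on both Chef 10 and Chef 11 API", and the replacement README.md in this diff carries no equivalent compatibility statement; either restore it in the Markdown version or say in the changelog that the claim was intentionally dropped. Apart from that, the content matches the old file, with the example identifiers renamed (`Administrator` → `mysql_user`, `domain.com` → `web_public_key`) and the "dencrypt" typo fixed.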