chef-vault 1.2.5 → 2.0.1.pre

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ZDkwMDZmNWZlMDY5MTBlMTAxZWE1ZGJjODg3OGY3OWM3YmQ1NzA5Mw==
+  data.tar.gz: !binary |-
+    NzhlNzg3NzVjNGMzMTEyNDdhOTNkNDU3ODhlOGY3ZTMxZWY0OTc5Nw==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    ZWMxNTI0YmY3NDdmYzRiM2M4Y2UxNWJiYzNmMGIzNWQ0Y2Q4ZTdlNmEwZGFm
+    OTZhOGIxY2MyMmZhYjBiYTE5YmNmMTgxYWU5ZjU2YjkzYmRmZDU3NTRkMGQx
+    ZWFjZGVkODdkZTBiNWQyNjM2YmU3N2JlYzVlMzE3ODVlOWIxN2E=
+  data.tar.gz: !binary |-
+    M2NmMzU3MjZhYjc0ZmRjYzZmZjY0ZDczNDI1MTA4MTkwN2VkZmYxNWEzYmQ2
+    MDg2OGUyOTcxMjA0OWU5NmRlMDczOTdmM2MyZTlhMTMzMDIzMWJhMzNlZWVj
+    NGNhMzBlN2I1ODIxZjdmZGE4YmExZjQ0Njc2Yjc0NmYwNjNiOGI=

data/Changelog.md

@@ -1,5 +1,22 @@
 ## Unreleased
 
+## v2.0.0 / 2013-08-20
+* Removal of knife encrypt certs
+* Removal of knife encrypt passwords
+* Add knife encrypt create
+* Add knife encrypt update
+* Add knife encrypt remove
+* Add knife encrypt delete
+* Add knife encrypt rotate keys
+* Add knife decrypt
+* Update chef-vault binary to take -v, -i, -a
+* Add ChefVault::Item class
+* Add ChefVault::ItemKeys class
+* Modify ChefVault::User to use ChefVault::Item to maintain backwards compatability
+* Modify ChefVault::Certificate to use ChefVault::Item to maintain backwards compatability
+
+## Released 
+
 ## v1.2.5 / 2013-07-22
 * Update compat to be class ChefVault not module ChefVault to remove knife errors
 * Allow nodes/clients to be used as Admins

data/KNIFE_EXAMPLES.md

@@ -0,0 +1,169 @@
+# knife examples
+
+## encrypt
+knife encrypt [create|update|remove|delete] [VAULT] [ITEM] [VALUES]
+
+These are the commands that are used to take data in json format and encrypt that data into chef-vault style encrypted data bags in chef.
+
+* Vault - This is the name of the vault in which to store the encrypted item.  This is analogous to a chef data bag name
+* Item - The name of the item going in to the vault.  This is analogous to a chef data bag item id
+* Values - This is the json clear text data to be stored in the vault encrypted.  This is analogous to a chef data bag item data
+
+### create
+Creat a vault called passwords and put an item called root in it with the given values for username and password encrypted for clients role:webserver and admins admin1 & admin2
+
+    knife encrypt create passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver" -A "admin1,admin2"
+
+Creat a vault called passwords and put an item called root in it with the given values for username and password encrypted for clients role:webserver
+
+    knife encrypt create passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver"
+
+Creat a vault called passwords and put an item called root in it with the given values for username and password encrypted for admins admin1 & admin2
+
+    knife encrypt create passwords root "{username: 'root', password: 'mypassword'}" -A "admin1,admin2"    
+
+Note: A JSON file can be used in place of specifying the values on the command line, see global options below for details
+
+### update
+Update the values in username and password in the vault passwords and item root.  Will overwrite existing values if values already exist!
+
+    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}"
+
+Update the values in username and password in the vault passwords and item root and add admin1 & admin2 to the encrypted admins.  Will overwrite existing values if values already exist!
+
+    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}" -A "admin1,admin2"
+
+Update the values in username and password in the vault passwords and item root and add role:webserver to the encrypted clients.  Will overwrite existing values if values already exist!
+
+    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver"
+
+Update the values in username and password in the vault passwords and item root and add role:webserver to the encrypted clients and admin1 & admin2 to the encrypted admins.  Will overwrite existing values if values already exist!
+
+    knife encrypt update passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver" -A "admin1,admin2"
+
+Add admin1 & admin2 to encrypted admins for the vault passwords and item root.
+
+    knife encrypt update passwords root -A "admin1,admin2"
+
+Add role:webserver to encrypted clients for the vault passwords and item root.
+
+    knife encrypt update passwords root -S "role:webserver"
+
+Add admin1 & admin2 to encrypted admins and role:webserver to encrypted clients for the vault passwords and item root.
+
+    knife encrypt update passwords root -S "role:webserver" -A "admin1,admin2"
+
+Note: A JSON file can be used in place of specifying the values on the command line, see global options below for details
+
+### remove
+Remove the values in username and password from the vault passwords and item root.
+
+    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}"
+
+Remove the values in username and password from the vault passwords and item root and remove admin1 & admin2 from the encrypted admins.
+
+    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}" -A "admin1,admin2"
+
+Remove the values in username and password from the vault passwords and item root and remove role:webserver from the encrypted clients.
+
+    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver"
+
+Remove the values in username and password from the vault passwords and item root and remove role:webserver from the encrypted clients and admin1 & admin2 from the encrypted admins.
+
+    knife encrypt remove passwords root "{username: 'root', password: 'mypassword'}" -S "role:webserver" -A "admin1,admin2"
+
+Remove admin1 & admin2 from encrypted admins for the vault passwords and item root.
+
+    knife encrypt remove passwords root -A "admin1,admin2"
+
+Remove role:webserver from encrypted clients for the vault passwords and item root.
+
+    knife encrypt remove passwords root -S "role:webserver"
+
+Remove admin1 & admin2 from encrypted admins and role:webserver from encrypted clients for the vault passwords and item root.
+
+    knife encrypt remove passwords root -S "role:webserver" -A "admin1,admin2"
+
+### delete
+Delete the item root from the vault passwords
+
+    knife encrypt delete passwords root
+
+### rotate keys
+Rotate the shared key for the vault passwords and item root.  The shared key is that which is used for the chef encrypted data bag item
+
+    knife encrypt rotate secret passwords root
+
+### global options
+<table>
+  <tr>
+    <th>Short</th>
+    <th>Long</th>
+    <th>Description</th>
+    <th>Default</th>
+    <th>Valid Values</th>
+  </tr>
+  <tr>
+    <td>-S SEARCH</td>
+    <td>--search SEARCH</td>
+    <td>Chef Server SOLR Search Of Nodes</td>
+    <td>nil</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>-A ADMINS</td>
+    <td>--admins ADMINS</td>
+    <td>Chef clients or users to be vault admins, can be comma list</td>
+    <td>nil</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>-M MODE</td>
+    <td>--mode MODE</td>
+    <td>Chef mode to run in</td>
+    <td>solo</td>
+    <td>"solo", "client"</td>
+  </tr>
+  <tr>
+    <td>-J FILE</td>
+    <td>--json FILE</td>
+    <td>json file to be used for values, will be merged with VALUES if VALUES is passed</td>
+    <td>nil</td>
+    <td></td>
+  </tr>
+</table>
+
+## decrypt
+knife decrypt [VAULT] [ITEM] [VALUES]
+
+These are the commands that are used to take a chef-vault encrypted item and decrypt the requested values.
+
+* Vault - This is the name of the vault in which to store the encrypted item.  This is analogous to a chef data bag name
+* Item - The name of the item going in to the vault.  This is analogous to a chef data bag item id
+* Values - This is a comma list of values to decrypt from the vault item.  This is analogous to a list of hash keys.
+
+Decrypt the username and password for the item root in the vault passwords.
+
+    knife decrypt passwords root "username, password"
+
+Decrypt the contents for the item user_pem in the vault certs.
+
+    knife decrypt certs user_pem "contents"
+
+### global options
+<table>
+  <tr>
+    <th>Short</th>
+    <th>Long</th>
+    <th>Description</th>
+    <th>Default</th>
+    <th>Valid Values</th>
+  </tr>
+  <tr>
+    <td>-M MODE</td>
+    <td>--mode MODE</td>
+    <td>Chef mode to run in</td>
+    <td>solo</td>
+    <td>"solo", "client"</td>
+  </tr>
+</table>

data/README.md

@@ -5,14 +5,11 @@
 
 ## DESCRIPTION:
 
-Gem that allows you to encrypt passwords and certificates using the public keys of
-a list of chef nodes. This allows only those chef nodes to decrypt the 
-password or certificate.
+Gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of chef nodes. This allows only those chef nodes to decrypt the encrypted values.
 
 ## INSTALLATION:
 
-Be sure you are running the latest version Chef. Versions earlier than 0.10.0
-don't support plugins:
+Be sure you are running the latest version Chef. Versions earlier than 0.10.0 don't support plugins:
 
     gem install chef
 
@@ -20,130 +17,110 @@ This plugin is distributed as a Ruby Gem. To install it, run:
 
     gem install chef-vault
 
-Depending on your system's configuration, you may need to run this command with 
-root privileges.
-
-## CONFIGURATION:
+Depending on your system's configuration, you may need to run this command with root privileges.
 
 ## KNIFE COMMANDS:
-
-This plugin provides the following Knife subcommands.  
-Specific command options can be found by invoking the subcommand with a 
-<tt>--help</tt> flag
-
-### knife encrypt password
-
-Use this knife command to encrypt the username and password that you want to
-protect. Only Chef nodes returned by the `--search` at the time of encryption
-will be able to decrypt the password.
-
-```bash
-$ knife encrypt password --search SEARCH --username USERNAME --password PASSWORD
---admins ADMINS
-```
-
-In the example below, the `mysql_user`'s password will be encrypted using the
-public keys of the nodes in the `web_server` role. In addition to the servers in
-the `web_server` role, Chef users `alice`, `bob`, and `carol` will also be able
-to decrypt the password, an encrypted data bag item.
-
-```bash
-$ knife encrypt password --search "role:web_server" --username mysql_user
---password "P@ssw0rd" --admins "alice,bob,carol"
-```
-
-### knife decrypt password
-
-Use this knife command to decrypt the password that is protected. This is
-currently hard-coded to look for an encrypted data bag named "passwords" on the
-Chef server.
-
-    knife decrypt password --username USERNAME
-
-### knife encrypt cert
-
-Use this knife command to encrypt the contents of a certificate that you want to
-protect. Only Chef nodes returned by the `--search` at the time of encryption
-will be able to decrypt the certificate.
-
-Typically you will decrypt the contents as part of a recipe and write them out
-to a certificate on your Chef node.
-
-```bash
-$ knife encrypt cert --search SEARCH --cert CERT --password PASSWORD
---name NAME --admins ADMINS
-```
- 
-In the example below, the `~/ssl/web_server_cert.pem` certificate will be
-encrypted using the public keys of the nodes in the `web_server` role. You can
-reference the name of the certificate (`web_public_key`) in a recipe when you
-need to decrypt it. In addition to the servers in the `web_server` role, Chef
-users `alice`, `bob`, and `carol` will also be able to decrypt the contents of
-the certificate, an encrypted data bag item.
-
-```bash
-$ knife encrypt cert --search "role:web_server" --cert
-~/ssl/web_server_cert.pem --name web_public_key --admins 'alice,bob,carol'
-```
-
-### knife decrypt cert
-
-Use this knife command to decrypt the certificate that is protected. This is
-currently hard-coded to look for an encrypted data bag named `certs` on the Chef
-server.
-
-    knife decrypt cert --name NAME
+See KNIFE_EXAMPLES.md for examples of commands
+
+NOTE: chef-vault 1.0 knife commands are not support!  Please use chef-vault 2.0 commands.
+
+### Encrypt
+
+    knife encrypt create [VAULT] [ITEM] [VALUES]
+    knife encrypt update [VAULT] [ITEM] [VALUES]
+    knife encrypt remove [VAULT] [ITEM] [VAULES]
+    knife encrypt delete [VAULT] [ITEM]
+    knife encrypt rotate keys [VAULT] [ITEM]
+
+<i>Global Options:</i>
+<table>
+  <tr>
+    <th>Short</th>
+    <th>Long</th>
+    <th>Description</th>
+    <th>Default</th>
+    <th>Valid Values</th>
+  </tr>
+  <tr>
+    <td>-S SEARCH</td>
+    <td>--search SEARCH</td>
+    <td>Chef Server SOLR Search Of Nodes</td>
+    <td>nil</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>-A ADMINS</td>
+    <td>--admins ADMINS</td>
+    <td>Chef clients or users to be vault admins, can be comma list</td>
+    <td>nil</td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>-M MODE</td>
+    <td>--mode MODE</td>
+    <td>Chef mode to run in</td>
+    <td>solo</td>
+    <td>"solo", "client"</td>
+  </tr>
+  <tr>
+    <td>-J FILE</td>
+    <td>--json FILE</td>
+    <td>json file to be used for values, will be merged with VALUES if VALUES is passed</td>
+    <td>nil</td>
+    <td></td>
+  </tr>
+</table>
+
+### Decrypt
+
+    knife decrypt [VAULT] [ITEM] [VALUES]
+
+<i>Global Options:</i>
+<table>
+  <tr>
+    <th>Short</th>
+    <th>Long</th>
+    <th>Description</th>
+    <th>Default</th>
+    <th>Valid Values</th>
+  </tr>
+  <tr>
+    <td>-M MODE</td>
+    <td>--mode MODE</td>
+    <td>Chef mode to run in</td>
+    <td>solo</td>
+    <td>"solo", "client"</td>
+  </tr>
+</table>
 
 ## USAGE IN RECIPES
 
-To use this gem in a recipe to decrypt data you must first install the gem
-via a chef_gem resource.  Once the gem is installed require the gem and then
-you can create a new instance of ChefVault.
+To use this gem in a recipe to decrypt data you must first install the gem via a chef_gem resource.  Once the gem is installed require the gem and then you can create a new instance of ChefVault.
 
-### Example Code (password)
+NOTE: chef-vault 1.0 style decryption is supported, however it has been deprecated and chef-vault 2.0 decryption should be used instead
 
-```ruby
-chef_gem "chef-vault"
-
-require 'chef-vault'
-
-vault    = ChefVault.new("passwords")
-user     = vault.user("mysql_user")
-password = user.decrypt_password
-```
-
-### Example Code (certificate)
+### Example Code
 
 ```ruby
 chef_gem "chef-vault"
 
 require 'chef-vault'
 
-vault    = ChefVault.new("certs")
-cert     = vault.certificate("web_public_key")
-contents = cert.decrypt_contents
+item = ChefVault::Item.load("passwords", "root")
+item["password"]
 ```
 
 ## USAGE STAND ALONE
 
-`chef-vault` can be used a stand alone binary to decrypt values stored in Chef.
-It requires that Chef is installed on the system and that you have a valid
-knife.rb.  This is useful if you want to mix `chef-vault` into non-Chef recipe
-code, for example some other script where you want to protect a password.
+`chef-vault` can be used as a stand alone binary to decrypt values stored in Chef.  It requires that Chef is installed on the system and that you have a valid knife.rb.  This is useful if you want to mix `chef-vault` into non-Chef recipe code, for example some other script where you want to protect a password.
 
-It does still require that the data bag has been encrypted for the user's or
-client's pem and pushed to the Chef server. It mixes Chef into the gem and 
-uses it to go grab the data bag.
+It does still require that the data bag has been encrypted for the user's or client's pem and pushed to the Chef server. It mixes Chef into the gem and uses it to go grab the data bag.
 
 Do `chef-vault --help` for all available options
 
 ### Example usage (password)
 
-  chef-vault -u Administrator -k /etc/chef/knife.rb
-
-### Example usage (certificate)
-
-  chef-vault -c wildcard_domain_com -k /etc/chef/knife.rb
+    chef-vault -v passwords -i root -a password -k /etc/chef/knife.rb
 
 ## License and Author:
 

data/bin/chef-vault

@@ -28,19 +28,26 @@ options_config = {
     default: "/etc/chef/knife.rb",
     optional: false
   },
-  user: {
-    short: "u",
-    long: "username",
-    description: "Username to decrypt password for",
+  vault: {
+    short: "v",
+    long: "vault",
+    description: "Vault to look in",
     default: nil,
-    optional: true
+    optional: false
   },  
-  cert: {
-    short: "c",
-    long: "certificate",
-    description: "Certificate to decrypt contents of",
+  item: {
+    short: "i",
+    long: "item",
+    description: "Item to decrypt in vault",
+    default: nil,
+    optional: false
+  },
+  values: {
+    short: "a",
+    long: "vaules",
+    description: "Values of item to decrypt in vault",
     default: nil,
-    optional: true
+    optional: false
   }
 }
 
@@ -68,7 +75,7 @@ OptionParser.new do |opts|
 end.parse!
 
 options_config.each do |option, config|
-  raise OptionParser::MissingArgument if (options[option].nil? && !config[:optional])
+  raise OptionParser::MissingArgument, option if (options[option].nil? && !config[:optional])
 end
 
 options_config.each do |option, config|
@@ -79,13 +86,12 @@ require 'rubygems'
 $:.unshift(File.join(File.dirname(__FILE__), "..", "lib"))
 require 'chef-vault'
 
-if options[:user]
-  vault = ChefVault.new("passwords", options[:chef])
+ChefVault.load_config(options[:chef])
+item = ChefVault::Item.load(options[:vault], options[:item])
+
+puts "#{options[:vault]}/#{options[:item]}"
 
-  user = vault.user(options[:user])
-  puts user.decrypt_password
-else
-  vault = ChefVault.new("certs", options[:chef])
-  cert = vault.certificate(options[:cert])
-  puts cert.decrypt_contents
+options[:values].split(",").each do |value|
+  value.strip! # remove white space
+  puts("\t#{value}: #{item[value]}")
 end