RubyGems - chef-vault - Versions diffs - 2.2.4 → 2.3.0 - Mend

chef-vault 2.2.4 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml +7 -0
data/.travis.yml +5 -1
data/Changelog.md +5 -0
data/KNIFE_EXAMPLES.md +5 -0
data/README.md +11 -2
data/Rakefile +5 -1
data/chef-vault.gemspec +4 -3
data/features/clean.feature +24 -0
data/features/step_definitions/chef-repo.rb +26 -0
data/features/step_definitions/chef-vault.rb +25 -0
data/features/support/env.rb +10 -0
data/lib/chef-vault/version.rb +1 -1
data/lib/chef/knife/vault_download.rb +45 -0
data/lib/chef/knife/vault_update.rb +12 -0
data/spec/chef-vault/certificate_spec.rb +40 -0
data/spec/{item_keys_spec.rb → chef-vault/item_keys_spec.rb} +0 -0
data/spec/{item_spec.rb → chef-vault/item_spec.rb} +0 -0
data/spec/chef-vault/user_spec.rb +40 -0
data/spec/spec_helper.rb +2 -0
metadata +58 -32

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4351149f0cc1799f646d5770543d739833e780ce
+  data.tar.gz: eb943ba515a6cd941ce240c8568f75a806f23d14
+SHA512:
+  metadata.gz: a566185392ade755d34d44810c64ebab7d8e47db20b2081282004fc3495426d140e72026bd27111e1b0df72ae81b4c984e4e06fa19104ade67ed909fa5951136
+  data.tar.gz: aedb76eb1d0447f4fbc0ce5ba88230d19c9e4f47a7d55015acd1681c1e5f230411472d457d5828a75ca6e7cc91c367448384f0d96bdeed913b1d9133bb8b0d11

data/.travis.yml CHANGED

@@ -1,3 +1,7 @@
 language: ruby
 rvm:
-  - "1.9.3"
+  - "1.9.3-p547"
+  - "2.0.0-p576"
+  - "2.1.3"
+install: bundle install --binstubs
+env: TRAVIS_BUILD=true

data/Changelog.md CHANGED

@@ -1,6 +1,11 @@
 ## Planned (Unreleased)
 ## Released
+## v2.3.0 / 2014-10-22
+* add --clean switch to knife update (thanks to Matt Brimstone)
+* added aruba CLI testing framework (just for --clean option for now)
+* add Ruby 2.0.x and 2.1.x to Travis platforms
 ## v2.2.2 / 2014-06-03
 * Add knife vault refresh command
 * Use node_name as a default admin

data/KNIFE_EXAMPLES.md CHANGED

@@ -132,6 +132,11 @@ Decrypt the entire root item in the passwords vault and open it in json format i
     knife vault edit passwords root
+### download
+Decrypt and download an encrypted file to the specified path.
+    knife vault download certs user_pem ~/downloaded_user_pem
 ### rotate keys
 Rotate the shared key for the vault passwords and item root. The shared key is that which is used for the chef encrypted data bag item.

data/README.md CHANGED

@@ -40,12 +40,13 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     knife vault create VAULT ITEM VALUES
     knife vault edit VAULT ITEM
     knife vault refresh VAULT ITEM
-    knife vault update VAULT ITEM VALUES
+    knife vault update VAULT ITEM VALUES [--clean]
     knife vault remove VAULT ITEM VALUES
     knife vault delete VAULT ITEM
     knife vault rotate keys VAULT ITEM
     knife vault rotate all keys
     knife vault show VAULT ITEM [VALUES]
+    knife vault download VAULT ITEM PATH
 <i>Global Options:</i>
 <table>
@@ -113,6 +114,14 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     <td>"summary", "json", "yaml", "pp"</td>
     <td>show</td>
   </tr>
+  <tr>
+    <td>nil</td>
+    <td>--clean</td>
+    <td>Remove all client keys before re-encrypting with saved or specified search</td>
+    <td>nil</td>
+    <td>nil</td>
+    <td>update</td>
+  </tr>
 </table>
 ## USAGE IN RECIPES
@@ -150,7 +159,7 @@ Author:: Kevin Moser - @moserke<br>
 Author:: Eli Klein - @eliklein<br>
 Author:: Joey Geiger - @jgeiger<br>
 Author:: Joshua Timberman - @jtimberman<br>
-Copyright:: Copyright (c) 2013 Nordstrom, Inc.<br>
+Copyright:: Copyright (c) 2013-14 Nordstrom, Inc.<br>
 License:: Apache License, Version 2.0
 Licensed under the Apache License, Version 2.0 (the "License");

data/Rakefile CHANGED

@@ -1,6 +1,10 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'cucumber'
+require 'cucumber/rake/task'
 RSpec::Core::RakeTask.new(:spec)
-task default: :spec
+Cucumber::Rake::Task.new(:features)
+task default: [:spec, :features]

data/chef-vault.gemspec CHANGED

@@ -25,7 +25,7 @@ Gem::Specification.new do |s|
   s.email            = ['kevin.moser@nordstrom.com']
   s.summary          = 'Data encryption support for Chef using data bags'
   s.description      = s.summary
-  s.homepage      = 'https://github.com/Nordstrom/chef-vault'
+  s.homepage         = 'https://github.com/Nordstrom/chef-vault'
   s.license          = 'Apache License, v2.0'
@@ -37,6 +37,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'bundler', '~> 1.3'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec', '~> 2.14'
-  # needed for rspec
-  s.add_development_dependency 'chef', '~> 11.12'
+  s.add_development_dependency 'rspec-its', '~> 1.0'
+  s.add_development_dependency 'aruba', '~> 0.6'
+  s.add_development_dependency 'chef', '>= 0.10.10'
 end

data/features/clean.feature ADDED

@@ -0,0 +1,24 @@
+Feature: clean client keys
+  When updating a vault item, chef-vault normally performs the
+  saved or specified query and encrypts the item for all nodes
+  returned.  It does not remove old client keys from the vault
+  item keys data bag, which will grow over time.  Using the
+  --clean switch will cause all client keys to be removed from
+  the data bag before encrypting the item for all clients
+  returned by the query
+  Scenario: Do not clean client keys on update
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
+    Then the vault item 'test/item' should be encrypted for 'one,two'
+    And I update the vault item 'test/item' to be encrypted for 'two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+  Scenario: Clean client keys on update
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
+    Then the vault item 'test/item' should be encrypted for 'one,two'
+    And I update the vault item 'test/item' to be encrypted for 'two,three' with the clean option
+    Then the vault item 'test/item' should be encrypted for 'two,three'
+    And the vault item 'test/item' should not be encrypted for 'one'

data/features/step_definitions/chef-repo.rb ADDED

@@ -0,0 +1,26 @@
+Given /^a local mode chef repo with nodes '(.+)'$/ do |nodelist|
+  # create the repo directory hierarchy
+  %w(cookbooks clients nodes data_bags).each do |dir|
+    create_dir dir
+  end
+  # create a basic knife.rb
+  write_file 'knife.rb', <<EOF
+local_mode true
+chef_repo_path '.'
+chef_zero.enabled true
+EOF
+  # create the admin user and capture its private key
+  in_current_dir do
+      system 'knife client create admin -z -d -a -c knife.rb > admin.pem'
+  end
+  # add the admin key to the knife configuration
+  append_to_file 'knife.rb', <<EOF
+node_name 'admin'
+client_key 'admin.pem'
+EOF
+  # create the requested nodes
+  nodelist.split(/,/).each do |node|
+    run_simple "knife client create #{node} -z -d -c knife.rb"
+    run_simple "knife node create #{node} -z -d -c knife.rb"
+  end
+end

data/features/step_definitions/chef-vault.rb ADDED

@@ -0,0 +1,25 @@
+require 'json'
+When /^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'$/ do |vault, item, json, nodelist|
+  write_file 'item.json', json
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
+  run_simple "knife vault create #{vault} #{item} -z -c knife.rb -A admin -S '#{query}' -J item.json"
+end
+When /^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/ do |vault, item, nodelist, cleanopt|
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
+  run_simple "knife vault update #{vault} #{item} -S '#{query}' #{cleanopt ? '--clean' : ''}"
+end
+Then /^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/ do |vault, item, neg, nodelist|
+  nodes = nodelist.split(/,/)
+  run_simple("knife vault show #{vault} #{item} -z -c knife.rb -p clients -F json")
+  output = output_from("knife vault show #{vault} #{item} -z -c knife.rb -p clients -F json")
+  nodes.each do |node|
+    if neg
+      assert_no_partial_output(node, output)
+    else
+      assert_partial_output(node, output)
+    end
+  end
+end

data/features/support/env.rb ADDED

@@ -0,0 +1,10 @@
+require 'aruba/cucumber'
+# Travis runs tests in a limited environment which takes a long time to invoke
+# the knife command.  Up the timeout when we're in a travis build based on the
+# environment variable set in .travis.yml
+if ENV['TRAVIS_BUILD']
+  Before do
+    @aruba_timeout_seconds = 15
+  end
+end

data/lib/chef-vault/version.rb CHANGED

@@ -14,6 +14,6 @@
 # limitations under the License.
 class ChefVault
-  VERSION = "2.2.4"
+  VERSION = "2.3.0"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/vault_download.rb ADDED

@@ -0,0 +1,45 @@
+# Description: Chef-Vault VaultDownload class
+# Copyright 2014, Nordstrom, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require 'chef/knife/vault_base'
+class Chef
+  class Knife
+    class VaultDownload < Knife
+      include Chef::Knife::VaultBase
+      banner "knife vault download VAULT ITEM PATH (options)"
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        path = @name_args[2]
+        set_mode(config[:vault_mode])
+        if vault && item && path
+          vault_item = ChefVault::Item.load(vault, item)
+          File.open(path, "w") do |file|
+            file.write(vault_item['file-content'])
+          end
+          ui.info("Saved #{vault_item['file-name']} as #{path}")
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_update.rb CHANGED

@@ -44,6 +44,10 @@ class Chef
         :long => '--file FILE',
         :description => 'File to be added to vault item as file-content'
+      option :clean,
+        :long => '--clean',
+        :description => 'Clean clients before performing search'
       def run
         vault = @name_args[0]
         item = @name_args[1]
@@ -51,6 +55,7 @@ class Chef
         search = config[:search]
         json_file = config[:json]
         file = config[:file]
+        clean = config[:clean]
         set_mode(config[:vault_mode])
@@ -67,6 +72,13 @@ class Chef
               vault_item["file-content"] = File.open(file) { |f| f.read() }
             end
+            if clean
+                clients = vault_item.clients().clone().sort()
+                clients.each do |client|
+                    print "Deleting #{client}\n"
+                    vault_item.keys.delete(client, "clients")
+                end
+            end
             vault_item.search(search) if search
             vault_item.clients(search) if search
             vault_item.admins(admins) if admins

data/spec/chef-vault/certificate_spec.rb ADDED

@@ -0,0 +1,40 @@
+require 'spec_helper'
+describe ChefVault::Certificate do
+  let(:item) { double(ChefVault::Item) }
+  let(:cert) { ChefVault::Certificate.new("foo", "bar") }
+  before do
+    allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
+    allow(item).to receive(:[]).with("id"){ "bar" }
+    allow(item).to receive(:[]).with("contents"){ "baz" }
+  end
+  describe '#new' do
+    it 'loads item' do
+      expect(ChefVault::Item).to receive(:load).with("foo", "bar")
+      ChefVault::Certificate.new("foo", "bar")
+    end
+  end
+  describe '#[]' do
+    specify { cert["id"].should eq "bar" }
+  end
+  describe 'decrypt_contents' do
+    it 'echoes warning' do
+      STDOUT.should_receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
+      cert.decrypt_contents
+    end
+    it 'returns items contents' do
+      expect(item).to receive(:[]).with("contents")
+      cert.decrypt_contents.should eq "baz"
+    end
+  end
+end

data/spec/{item_keys_spec.rb → chef-vault/item_keys_spec.rb} RENAMED

File without changes

data/spec/{item_spec.rb → chef-vault/item_spec.rb} RENAMED

File without changes

data/spec/chef-vault/user_spec.rb ADDED

@@ -0,0 +1,40 @@
+require 'spec_helper'
+describe ChefVault::User do
+  let(:item) { double(ChefVault::Item) }
+  let(:user) { ChefVault::User.new("foo", "bar") }
+  before do
+    allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
+    allow(item).to receive(:[]).with("id"){ "bar" }
+    allow(item).to receive(:[]).with("password"){ "baz" }
+  end
+  describe '#new' do
+    it 'loads item' do
+      expect(ChefVault::Item).to receive(:load).with("foo", "bar")
+      ChefVault::User.new("foo", "bar")
+    end
+  end
+  describe '#[]' do
+    specify { user["id"].should eq "bar" }
+  end
+  describe 'decrypt_password' do
+    it 'echoes warning' do
+      STDOUT.should_receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
+      user.decrypt_password
+    end
+    it 'returns items password' do
+      expect(item).to receive(:[]).with("password")
+      user.decrypt_password.should eq "baz"
+    end
+  end
+end

data/spec/spec_helper.rb CHANGED

@@ -1,5 +1,7 @@
 require_relative '../lib/chef-vault'
+require 'rspec/its'
 # This file was generated by the `rspec --init` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
 # Require this file using `require "spec_helper"` to ensure that it is only

metadata CHANGED

@@ -1,80 +1,99 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 2.2.4
-  prerelease:
+  version: 2.3.0
 platform: ruby
 authors:
 - Kevin Moser
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-07-17 00:00:00.000000000 Z
+date: 2014-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.14'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: chef
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '11.12'
+        version: 0.10.10
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '11.12'
+        version: 0.10.10
 description: Data encryption support for Chef using data bags
 email:
 - kevin.moser@nordstrom.com
@@ -83,9 +102,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - CONTRIBUTING.md
 - Changelog.md
 - DEMO.md
@@ -96,6 +115,10 @@ files:
 - Rakefile
 - bin/chef-vault
 - chef-vault.gemspec
+- features/clean.feature
+- features/step_definitions/chef-repo.rb
+- features/step_definitions/chef-vault.rb
+- features/support/env.rb
 - lib/chef-vault.rb
 - lib/chef-vault/certificate.rb
 - lib/chef-vault/chef_patch/api_client.rb
@@ -118,6 +141,7 @@ files:
 - lib/chef/knife/vault_create.rb
 - lib/chef/knife/vault_decrypt.rb
 - lib/chef/knife/vault_delete.rb
+- lib/chef/knife/vault_download.rb
 - lib/chef/knife/vault_edit.rb
 - lib/chef/knife/vault_refresh.rb
 - lib/chef/knife/vault_remove.rb
@@ -125,33 +149,35 @@ files:
 - lib/chef/knife/vault_rotate_keys.rb
 - lib/chef/knife/vault_show.rb
 - lib/chef/knife/vault_update.rb
+- spec/chef-vault/certificate_spec.rb
+- spec/chef-vault/item_keys_spec.rb
+- spec/chef-vault/item_spec.rb
+- spec/chef-vault/user_spec.rb
 - spec/chef-vault_spec.rb
-- spec/item_keys_spec.rb
-- spec/item_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/Nordstrom/chef-vault
 licenses:
 - Apache License, v2.0
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.23.2
+rubygems_version: 2.4.1
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: Data encryption support for Chef using data bags
 test_files: []
+has_rdoc: true