RubyGems - chef-vault - Versions diffs - 2.2.4 → 2.3.0 - Mend

chef-vault 2.2.4 → 2.3.0

Files changed (20) hide show

checksums.yaml +7 -0
data/.travis.yml +5 -1
data/Changelog.md +5 -0
data/KNIFE_EXAMPLES.md +5 -0
data/README.md +11 -2
data/Rakefile +5 -1
data/chef-vault.gemspec +4 -3
data/features/clean.feature +24 -0
data/features/step_definitions/chef-repo.rb +26 -0
data/features/step_definitions/chef-vault.rb +25 -0
data/features/support/env.rb +10 -0
data/lib/chef-vault/version.rb +1 -1
data/lib/chef/knife/vault_download.rb +45 -0
data/lib/chef/knife/vault_update.rb +12 -0
data/spec/chef-vault/certificate_spec.rb +40 -0
data/spec/{item_keys_spec.rb → chef-vault/item_keys_spec.rb} +0 -0
data/spec/{item_spec.rb → chef-vault/item_spec.rb} +0 -0
data/spec/chef-vault/user_spec.rb +40 -0
data/spec/spec_helper.rb +2 -0
metadata +58 -32

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4351149f0cc1799f646d5770543d739833e780ce
+  data.tar.gz: eb943ba515a6cd941ce240c8568f75a806f23d14
+SHA512:
+  metadata.gz: a566185392ade755d34d44810c64ebab7d8e47db20b2081282004fc3495426d140e72026bd27111e1b0df72ae81b4c984e4e06fa19104ade67ed909fa5951136
+  data.tar.gz: aedb76eb1d0447f4fbc0ce5ba88230d19c9e4f47a7d55015acd1681c1e5f230411472d457d5828a75ca6e7cc91c367448384f0d96bdeed913b1d9133bb8b0d11

data/.travis.yml CHANGED

@@ -1,3 +1,7 @@
 language: ruby
 rvm:
-  - "1.9.3"
+  - "1.9.3-p547"
+  - "2.0.0-p576"
+  - "2.1.3"
+install: bundle install --binstubs
+env: TRAVIS_BUILD=true

data/Changelog.md CHANGED

@@ -1,6 +1,11 @@
 ## Planned (Unreleased)
 ## Released
+## v2.3.0 / 2014-10-22
+* add --clean switch to knife update (thanks to Matt Brimstone)
+* added aruba CLI testing framework (just for --clean option for now)
+* add Ruby 2.0.x and 2.1.x to Travis platforms
 ## v2.2.2 / 2014-06-03
 * Add knife vault refresh command
 * Use node_name as a default admin

data/KNIFE_EXAMPLES.md CHANGED

@@ -132,6 +132,11 @@ Decrypt the entire root item in the passwords vault and open it in json format i
     knife vault edit passwords root
+### download
+Decrypt and download an encrypted file to the specified path.
+    knife vault download certs user_pem ~/downloaded_user_pem
 ### rotate keys
 Rotate the shared key for the vault passwords and item root. The shared key is that which is used for the chef encrypted data bag item.

data/README.md CHANGED

@@ -40,12 +40,13 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     knife vault create VAULT ITEM VALUES
     knife vault edit VAULT ITEM
     knife vault refresh VAULT ITEM
-    knife vault update VAULT ITEM VALUES
+    knife vault update VAULT ITEM VALUES [--clean]
     knife vault remove VAULT ITEM VALUES
     knife vault delete VAULT ITEM
     knife vault rotate keys VAULT ITEM
     knife vault rotate all keys
     knife vault show VAULT ITEM [VALUES]
+    knife vault download VAULT ITEM PATH
 <i>Global Options:</i>
 <table>
@@ -113,6 +114,14 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     <td>"summary", "json", "yaml", "pp"</td>
     <td>show</td>
   </tr>
+  <tr>
+    <td>nil</td>
+    <td>--clean</td>
+    <td>Remove all client keys before re-encrypting with saved or specified search</td>
+    <td>nil</td>
+    <td>nil</td>
+    <td>update</td>
+  </tr>
 </table>
 ## USAGE IN RECIPES
@@ -150,7 +159,7 @@ Author:: Kevin Moser - @moserke<br>
 Author:: Eli Klein - @eliklein<br>
 Author:: Joey Geiger - @jgeiger<br>
 Author:: Joshua Timberman - @jtimberman<br>
-Copyright:: Copyright (c) 2013 Nordstrom, Inc.<br>
+Copyright:: Copyright (c) 2013-14 Nordstrom, Inc.<br>
 License:: Apache License, Version 2.0
 Licensed under the Apache License, Version 2.0 (the "License");

data/Rakefile CHANGED

@@ -1,6 +1,10 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
+require 'cucumber'
+require 'cucumber/rake/task'
 RSpec::Core::RakeTask.new(:spec)
-task default: :spec
+Cucumber::Rake::Task.new(:features)
+task default: [:spec, :features]

data/chef-vault.gemspec CHANGED

@@ -25,7 +25,7 @@ Gem::Specification.new do |s|
   s.email            = ['kevin.moser@nordstrom.com']
   s.summary          = 'Data encryption support for Chef using data bags'
   s.description      = s.summary
-  s.homepage      = 'https://github.com/Nordstrom/chef-vault'
+  s.homepage         = 'https://github.com/Nordstrom/chef-vault'
   s.license          = 'Apache License, v2.0'
@@ -37,6 +37,7 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'bundler', '~> 1.3'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec', '~> 2.14'
-  # needed for rspec
-  s.add_development_dependency 'chef', '~> 11.12'
+  s.add_development_dependency 'rspec-its', '~> 1.0'
+  s.add_development_dependency 'aruba', '~> 0.6'
+  s.add_development_dependency 'chef', '>= 0.10.10'
 end

data/features/clean.feature ADDED

@@ -0,0 +1,24 @@
+Feature: clean client keys
+  When updating a vault item, chef-vault normally performs the
+  saved or specified query and encrypts the item for all nodes
+  returned.  It does not remove old client keys from the vault
+  item keys data bag, which will grow over time.  Using the
+  --clean switch will cause all client keys to be removed from
+  the data bag before encrypting the item for all clients
+  returned by the query
+  Scenario: Do not clean client keys on update
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
+    Then the vault item 'test/item' should be encrypted for 'one,two'
+    And I update the vault item 'test/item' to be encrypted for 'two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+  Scenario: Clean client keys on update
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two'
+    Then the vault item 'test/item' should be encrypted for 'one,two'
+    And I update the vault item 'test/item' to be encrypted for 'two,three' with the clean option
+    Then the vault item 'test/item' should be encrypted for 'two,three'
+    And the vault item 'test/item' should not be encrypted for 'one'

data/features/step_definitions/chef-repo.rb ADDED

@@ -0,0 +1,26 @@
+Given /^a local mode chef repo with nodes '(.+)'$/ do |nodelist|
+  # create the repo directory hierarchy
+  %w(cookbooks clients nodes data_bags).each do |dir|
+    create_dir dir
+  end
+  # create a basic knife.rb
+  write_file 'knife.rb', <<EOF
+local_mode true
+chef_repo_path '.'
+chef_zero.enabled true
+EOF
+  # create the admin user and capture its private key
+  in_current_dir do
+      system 'knife client create admin -z -d -a -c knife.rb > admin.pem'
+  end
+  # add the admin key to the knife configuration
+  append_to_file 'knife.rb', <<EOF
+node_name 'admin'
+client_key 'admin.pem'
+EOF
+  # create the requested nodes
+  nodelist.split(/,/).each do |node|
+    run_simple "knife client create #{node} -z -d -c knife.rb"
+    run_simple "knife node create #{node} -z -d -c knife.rb"
+  end
+end

data/features/step_definitions/chef-vault.rb ADDED

@@ -0,0 +1,25 @@
+require 'json'
+When /^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'$/ do |vault, item, json, nodelist|
+  write_file 'item.json', json
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
+  run_simple "knife vault create #{vault} #{item} -z -c knife.rb -A admin -S '#{query}' -J item.json"
+end
+When /^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/ do |vault, item, nodelist, cleanopt|
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
+  run_simple "knife vault update #{vault} #{item} -S '#{query}' #{cleanopt ? '--clean' : ''}"
+end
+Then /^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/ do |vault, item, neg, nodelist|
+  nodes = nodelist.split(/,/)
+  run_simple("knife vault show #{vault} #{item} -z -c knife.rb -p clients -F json")
+  output = output_from("knife vault show #{vault} #{item} -z -c knife.rb -p clients -F json")
+  nodes.each do |node|
+    if neg
+      assert_no_partial_output(node, output)
+    else
+      assert_partial_output(node, output)
+    end
+  end
+end

data/features/support/env.rb ADDED

@@ -0,0 +1,10 @@
+require 'aruba/cucumber'
+# Travis runs tests in a limited environment which takes a long time to invoke
+# the knife command.  Up the timeout when we're in a travis build based on the
+# environment variable set in .travis.yml
+if ENV['TRAVIS_BUILD']
+  Before do
+    @aruba_timeout_seconds = 15
+  end
+end

data/lib/chef-vault/version.rb CHANGED

@@ -14,6 +14,6 @@
 # limitations under the License.
 class ChefVault
-  VERSION = "2.2.4"
+  VERSION = "2.3.0"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/vault_download.rb ADDED

@@ -0,0 +1,45 @@
+# Description: Chef-Vault VaultDownload class
+# Copyright 2014, Nordstrom, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#     http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+require 'chef/knife/vault_base'
+class Chef
+  class Knife
+    class VaultDownload < Knife
+      include Chef::Knife::VaultBase
+      banner "knife vault download VAULT ITEM PATH (options)"
+      def run
+        vault = @name_args[0]
+        item = @name_args[1]
+        path = @name_args[2]
+        set_mode(config[:vault_mode])
+        if vault && item && path
+          vault_item = ChefVault::Item.load(vault, item)
+          File.open(path, "w") do |file|
+            file.write(vault_item['file-content'])
+          end
+          ui.info("Saved #{vault_item['file-name']} as #{path}")
+        else
+          show_usage
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/vault_update.rb CHANGED

@@ -44,6 +44,10 @@ class Chef
         :long => '--file FILE',
         :description => 'File to be added to vault item as file-content'
+      option :clean,
+        :long => '--clean',
+        :description => 'Clean clients before performing search'
       def run
         vault = @name_args[0]
         item = @name_args[1]
@@ -51,6 +55,7 @@ class Chef
         search = config[:search]
         json_file = config[:json]
         file = config[:file]
+        clean = config[:clean]
         set_mode(config[:vault_mode])
@@ -67,6 +72,13 @@ class Chef
               vault_item["file-content"] = File.open(file) { |f| f.read() }
             end
+            if clean
+                clients = vault_item.clients().clone().sort()
+                clients.each do |client|
+                    print "Deleting #{client}\n"
+                    vault_item.keys.delete(client, "clients")
+                end
+            end
             vault_item.search(search) if search
             vault_item.clients(search) if search
             vault_item.admins(admins) if admins

data/spec/chef-vault/certificate_spec.rb ADDED

@@ -0,0 +1,40 @@
+require 'spec_helper'
+describe ChefVault::Certificate do
+  let(:item) { double(ChefVault::Item) }
+  let(:cert) { ChefVault::Certificate.new("foo", "bar") }
+  before do
+    allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
+    allow(item).to receive(:[]).with("id"){ "bar" }
+    allow(item).to receive(:[]).with("contents"){ "baz" }
+  end
+  describe '#new' do
+    it 'loads item' do
+      expect(ChefVault::Item).to receive(:load).with("foo", "bar")
+      ChefVault::Certificate.new("foo", "bar")
+    end
+  end
+  describe '#[]' do
+    specify { cert["id"].should eq "bar" }
+  end
+  describe 'decrypt_contents' do
+    it 'echoes warning' do
+      STDOUT.should_receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
+      cert.decrypt_contents
+    end
+    it 'returns items contents' do
+      expect(item).to receive(:[]).with("contents")
+      cert.decrypt_contents.should eq "baz"
+    end
+  end
+end

data/spec/{item_keys_spec.rb → chef-vault/item_keys_spec.rb} RENAMED

File without changes

data/spec/{item_spec.rb → chef-vault/item_spec.rb} RENAMED

File without changes

data/spec/chef-vault/user_spec.rb ADDED

@@ -0,0 +1,40 @@
+require 'spec_helper'
+describe ChefVault::User do
+  let(:item) { double(ChefVault::Item) }
+  let(:user) { ChefVault::User.new("foo", "bar") }
+  before do
+    allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
+    allow(item).to receive(:[]).with("id"){ "bar" }
+    allow(item).to receive(:[]).with("password"){ "baz" }
+  end
+  describe '#new' do
+    it 'loads item' do
+      expect(ChefVault::Item).to receive(:load).with("foo", "bar")
+      ChefVault::User.new("foo", "bar")
+    end
+  end
+  describe '#[]' do
+    specify { user["id"].should eq "bar" }
+  end
+  describe 'decrypt_password' do
+    it 'echoes warning' do
+      STDOUT.should_receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
+      user.decrypt_password
+    end
+    it 'returns items password' do
+      expect(item).to receive(:[]).with("password")
+      user.decrypt_password.should eq "baz"
+    end
+  end
+end

data/spec/spec_helper.rb CHANGED

@@ -1,5 +1,7 @@
 require_relative '../lib/chef-vault'
+require 'rspec/its'
 # This file was generated by the `rspec --init` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
 # Require this file using `require "spec_helper"` to ensure that it is only

metadata CHANGED

@@ -1,80 +1,99 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 2.2.4
-  prerelease:
+  version: 2.3.0
 platform: ruby
 authors:
 - Kevin Moser
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-07-17 00:00:00.000000000 Z
+date: 2014-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '2.14'
+- !ruby/object:Gem::Dependency
+  name: rspec-its
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: aruba
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
 - !ruby/object:Gem::Dependency
   name: chef
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '11.12'
+        version: 0.10.10
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '11.12'
+        version: 0.10.10
 description: Data encryption support for Chef using data bags
 email:
 - kevin.moser@nordstrom.com
@@ -83,9 +102,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - CONTRIBUTING.md
 - Changelog.md
 - DEMO.md
@@ -96,6 +115,10 @@ files:
 - Rakefile
 - bin/chef-vault
 - chef-vault.gemspec
+- features/clean.feature
+- features/step_definitions/chef-repo.rb
+- features/step_definitions/chef-vault.rb
+- features/support/env.rb
 - lib/chef-vault.rb
 - lib/chef-vault/certificate.rb
 - lib/chef-vault/chef_patch/api_client.rb
@@ -118,6 +141,7 @@ files:
 - lib/chef/knife/vault_create.rb
 - lib/chef/knife/vault_decrypt.rb
 - lib/chef/knife/vault_delete.rb
+- lib/chef/knife/vault_download.rb
 - lib/chef/knife/vault_edit.rb
 - lib/chef/knife/vault_refresh.rb
 - lib/chef/knife/vault_remove.rb
@@ -125,33 +149,35 @@ files:
 - lib/chef/knife/vault_rotate_keys.rb
 - lib/chef/knife/vault_show.rb
 - lib/chef/knife/vault_update.rb
+- spec/chef-vault/certificate_spec.rb
+- spec/chef-vault/item_keys_spec.rb
+- spec/chef-vault/item_spec.rb
+- spec/chef-vault/user_spec.rb
 - spec/chef-vault_spec.rb
-- spec/item_keys_spec.rb
-- spec/item_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/Nordstrom/chef-vault
 licenses:
 - Apache License, v2.0
+metadata: {}
 post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 1.8.23.2
+rubygems_version: 2.4.1
 signing_key:
-specification_version: 3
+specification_version: 4
 summary: Data encryption support for Chef using data bags
 test_files: []
+has_rdoc: true