chef-vault 2.3.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4351149f0cc1799f646d5770543d739833e780ce
-  data.tar.gz: eb943ba515a6cd941ce240c8568f75a806f23d14
+  metadata.gz: 58db597b870524dd9e554ad60f20722c3b95cf9f
+  data.tar.gz: a49a6a5af9bcb52e84830383957205dd1d4862d2
 SHA512:
-  metadata.gz: a566185392ade755d34d44810c64ebab7d8e47db20b2081282004fc3495426d140e72026bd27111e1b0df72ae81b4c984e4e06fa19104ade67ed909fa5951136
-  data.tar.gz: aedb76eb1d0447f4fbc0ce5ba88230d19c9e4f47a7d55015acd1681c1e5f230411472d457d5828a75ca6e7cc91c367448384f0d96bdeed913b1d9133bb8b0d11
+  metadata.gz: 7a420cc9e5b246ffcf9c44f3c00ebac5d339f8fe3c6e7c2bbe4849a8fd126cecd4386831549ec0666836ac9304da7641ff1d9f18d1395058aaca5339798f38ef
+  data.tar.gz: f29af664121f81f45070bef3548894729fd0c6e88afba0f2669edd449876c4a1341738ec8e9d375c30044424a4b22b907cfa0ba74ccb8128a14d3a6ac6f479e5

data/.rspec

@@ -1,2 +1,2 @@
 --color
---format progress
+--require spec_helper

data/.simplecov

@@ -0,0 +1,6 @@
+require 'simplecov-console'
+SimpleCov.formatters = [
+  SimpleCov::Formatter::HTMLFormatter,
+  SimpleCov::Formatter::Console
+]
+SimpleCov.start

data/.travis.yml

@@ -1,7 +1,7 @@
 language: ruby
 rvm:
-  - "1.9.3-p547"
-  - "2.0.0-p576"
-  - "2.1.3"
+  - "1.9.3-p551"
+  - "2.0.0-p598"
+  - "2.1.5"
 install: bundle install --binstubs
 env: TRAVIS_BUILD=true

data/Changelog.md

@@ -1,6 +1,10 @@
 ## Planned (Unreleased)
 
 ## Released
+## v2.4.0 / 2014-12-03
+* add simplecov test coverage configuration (Doug Ireton)
+* add --clean-unknown-clients switch to knife remove/rotate (Thomas Gschwind and Reto Hermann)
+
 ## v2.3.0 / 2014-10-22
 * add --clean switch to knife update (thanks to Matt Brimstone)
 * added aruba CLI testing framework (just for --clean option for now)
@@ -81,4 +85,3 @@
 * Add encrypt cert
 
 ## v0.1.1 / 2013-03-14
-

data/Gemfile

@@ -1,3 +1,3 @@
-source "https://rubygems.org/"
+source 'https://rubygems.org/'
 
 gemspec

data/KNIFE_EXAMPLES.md

@@ -142,11 +142,19 @@ Rotate the shared key for the vault passwords and item root. The shared key is t
 
     knife vault rotate keys passwords root
 
+To remove clients which have been deleted from Chef but not from the vault, add the --clean-unknown-clients switch:
+
+    knife vault rotate keys passwords root --clean-unknown-clients
+
 ### rotate all keys
 Rotate the shared key for all vaults and items. The shared key is that which is used for the chef encrypted data bag item.
 
     knife vault rotate all keys
 
+To remove clients which have been deleted from Chef but not from the vault, add the --clean-unknown-clients switch:
+
+    knife vault rotate keys passwords root --clean-unknown-clients
+
 ### refresh
 This command reads the search_query in the vault item, performs the search, and reapplies the results.
 

data/README.md

@@ -122,6 +122,14 @@ NOTE: chef-vault 1.0 knife commands are not supported!  Please use chef-vault 2.
     <td>nil</td>
     <td>update</td>
   </tr>
+  <tr>
+    <td>nil</td>
+    <td>--clean-unknown-clients</td>
+    <td>Remove unknown clients during key rotation</td>
+    <td>nil</td>
+    <td>nil</td>
+    <td>remove, rotate</td>
+  </tr>
 </table>
 
 ## USAGE IN RECIPES
@@ -153,12 +161,21 @@ Do `chef-vault --help` for all available options
 
     chef-vault -v passwords -i root -a password -k /etc/chef/knife.rb
 
-## License and Author:
+## Authors
 
 Author:: Kevin Moser - @moserke<br>
 Author:: Eli Klein - @eliklein<br>
 Author:: Joey Geiger - @jgeiger<br>
 Author:: Joshua Timberman - @jtimberman<br>
+
+## Contributors
+
+Contributor:: Matt Brimstone (https://github.com/brimstone)
+Contributor:: Thomas Gschwind (https://github.com/thg65)
+Contributor:: Reto Hermann
+
+## License
+
 Copyright:: Copyright (c) 2013-14 Nordstrom, Inc.<br>
 License:: Apache License, Version 2.0
 

data/Rakefile

@@ -8,3 +8,9 @@ RSpec::Core::RakeTask.new(:spec)
 Cucumber::Rake::Task.new(:features)
 
 task default: [:spec, :features]
+
+task :coverage do
+  ENV['COVERAGE'] = '1'
+  Rake::Task[:spec].invoke
+  Rake::Task[:features].invoke
+end

data/chef-vault.gemspec

@@ -34,10 +34,11 @@ Gem::Specification.new do |s|
   s.bindir           = 'bin'
   s.executables      = %w( chef-vault )
 
-  s.add_development_dependency 'bundler', '~> 1.3'
-  s.add_development_dependency 'rake'
-  s.add_development_dependency 'rspec', '~> 2.14'
-  s.add_development_dependency 'rspec-its', '~> 1.0'
+  s.add_development_dependency 'rake', '~> 10.4'
+  s.add_development_dependency 'rspec', '~> 3.1'
+  s.add_development_dependency 'rspec-its', '~> 1.1'
   s.add_development_dependency 'aruba', '~> 0.6'
   s.add_development_dependency 'chef', '>= 0.10.10'
+  s.add_development_dependency 'simplecov', '~> 0.9'
+  s.add_development_dependency 'simplecov-console', '~> 0.2'
 end

data/features/clean_unknown_clients.feature

@@ -0,0 +1,33 @@
+Feature: clean unknown clients on key rotation
+
+  When removing a client from a vault item, chef-vault normally
+  removes the key and then rotates the key.  If a client has been
+  deleted in the meantime from the Chef server but not the vault,
+  the rotation will fail due to that client's public key missing.
+  Using the --clean-unknown-clients switch will cause any clients
+  that have been removed to be removed from the vault item's
+  access list as well
+
+  Scenario: Prune clients when removing a client
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And I delete client 'one' from the Chef server
+    And I remove client 'two' from vault item 'test/item' with the 'clean-unknown-clients' option
+    Then the vault item 'test/item' should be encrypted for 'three'
+
+  Scenario: Prune clients when rotating keys
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And I delete client 'one' from the Chef server
+    And I rotate the keys for vault item 'test/item' with the 'clean-unknown-clients' option
+    Then the vault item 'test/item' should be encrypted for 'two,three'
+
+  Scenario: Prune clients when rotating all keys
+    Given a local mode chef repo with nodes 'one,two,three'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
+    Then the vault item 'test/item' should be encrypted for 'one,two,three'
+    And I delete clients 'one,two' from the Chef server
+    And I rotate all keys with the 'clean-unknown-clients' option
+    Then the vault item 'test/item' should be encrypted for 'three'

data/features/step_definitions/chef-repo.rb

@@ -24,3 +24,10 @@ EOF
     run_simple "knife node create #{node} -z -d -c knife.rb"
   end
 end
+
+When /^I delete clients? '(.+)' from the Chef server$/ do |nodelist|
+  nodelist.split(/,/).each do |node|
+    run_simple "knife client delete #{node} -z -d -y -c knife.rb"
+  end
+end
+

data/features/step_definitions/chef-vault.rb

@@ -11,6 +11,22 @@ When /^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the
   run_simple "knife vault update #{vault} #{item} -S '#{query}' #{cleanopt ? '--clean' : ''}"
 end
 
+When /^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/ do |nodelist, vault, item, optionlist|
+  query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(' OR ')
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  run_simple "knife vault remove #{vault} #{item} -S '#{query}' #{options}"
+end
+
+When /^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/ do |vault, item, optionlist|
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  run_simple "knife vault rotate keys #{vault} #{item} #{options}"
+end
+
+When /^I rotate all keys with the '(.+)' options?$/ do |optionlist|
+  options = optionlist.split(/,/).map{|o| "--#{o}"}.join(' ')
+  run_simple "knife vault rotate all keys #{options}"
+end
+
 Then /^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'$/ do |vault, item, neg, nodelist|
   nodes = nodelist.split(/,/)
   run_simple("knife vault show #{vault} #{item} -z -c knife.rb -p clients -F json")

data/features/support/env.rb

@@ -1,3 +1,7 @@
+if ENV['COVERAGE']
+  require 'simplecov'
+end
+
 require 'aruba/cucumber'
 
 # Travis runs tests in a limited environment which takes a long time to invoke

data/lib/chef-vault/item.rb

@@ -104,12 +104,27 @@ class ChefVault::Item < Chef::DataBagItem
     end
   end
 
-  def rotate_keys!
+  def rotate_keys!(clean_unknown_clients=false)
     @secret = generate_secret
 
     unless clients.empty?
-      clients.each do |client|
-        clients("name:#{client}")
+      if clean_unknown_clients
+        clients_to_remove=[]
+        clients.each do |client|
+          begin
+            clients("name:#{client}")
+          rescue ChefVault::Exceptions::ClientNotFound
+            clients_to_remove.push(client)
+          end
+        end
+        clients_to_remove.each do |client|
+          puts "Removing unknown client '#{client}'"
+          clients("name:#{client}", :delete)
+        end
+      else
+        clients.each do |client|
+          clients("name:#{client}")
+        end
       end
     end
 

data/lib/chef-vault/version.rb

@@ -14,6 +14,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "2.3.0"
+  VERSION = "2.4.0"
   MAJOR, MINOR, TINY = VERSION.split('.')
 end

data/lib/chef/knife/vault_remove.rb

@@ -33,12 +33,17 @@ class Chef
         :long => '--admins ADMINS',
         :description => 'Chef users to be added as admins'
 
+      option :clean_unknown_clients,
+        :long => '--clean-unknown-clients',
+        :description => 'Remove unknown clients during key rotation'
+
       def run
         vault = @name_args[0]
         item = @name_args[1]
         values = @name_args[2]
         search = config[:search]
         admins = config[:admins]
+        clean_unknown_clients = config[:clean_unknown_clients]
         json_file = config[:json]
 
         set_mode(config[:vault_mode])
@@ -69,7 +74,7 @@ class Chef
             vault_item.clients(search, :delete) if search
             vault_item.admins(admins, :delete) if admins
 
-            vault_item.rotate_keys!
+            vault_item.rotate_keys!(clean_unknown_clients)
           rescue ChefVault::Exceptions::KeysNotFound,
             ChefVault::Exceptions::ItemNotFound
 

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -23,21 +23,26 @@ class Chef
 
       banner "knife vault rotate all keys"
 
+      option :clean_unknown_clients,
+        :long => '--clean-unknown-clients',
+        :description => 'Remove unknown clients during key rotation'
+
       def run
+        clean_unknown_clients = config[:clean_unknown_clients]
         set_mode(config[:vault_mode])
-        rotate_all_keys
+        rotate_all_keys(clean_unknown_clients)
       end
 
       private
 
-      def rotate_all_keys
+      def rotate_all_keys(clean_unknown_clients=false)
         vaults = Chef::DataBag.list.keys
-        vaults.each { |vault| rotate_vault_keys(vault) }
+        vaults.each { |vault| rotate_vault_keys(vault, clean_unknown_clients) }
       end
 
-      def rotate_vault_keys(vault)
+      def rotate_vault_keys(vault, clean_unknown_clients)
         vault_items(vault).each do |item|
-          rotate_vault_item_keys(vault, item)
+          rotate_vault_item_keys(vault, item, clean_unknown_clients)
         end
       end
 
@@ -48,9 +53,9 @@ class Chef
         end
       end
 
-      def rotate_vault_item_keys(vault, item)
+      def rotate_vault_item_keys(vault, item, clean_unknown_clients)
         puts "Rotating keys for: #{vault} #{item}"
-        ChefVault::Item.load(vault, item).rotate_keys!
+        ChefVault::Item.load(vault, item).rotate_keys!(clean_unknown_clients)
       end
     end
   end

data/lib/chef/knife/vault_rotate_keys.rb

@@ -23,16 +23,21 @@ class Chef
 
       banner "knife vault rotate keys VAULT ITEM (options)"
 
+      option :clean_unknown_clients,
+        :long => '--clean-unknown-clients',
+        :description => 'Remove unknown clients during key rotation'
+
       def run
         vault = @name_args[0]
         item = @name_args[1]
+        clean_unknown_clients = config[:clean_unknown_clients]
 
         if vault && item
           set_mode(config[:vault_mode])
 
           begin
             item = ChefVault::Item.load(vault, item)
-            item.rotate_keys!
+            item.rotate_keys!(clean_unknown_clients)
           rescue ChefVault::Exceptions::KeysNotFound,
             ChefVault::Exceptions::ItemNotFound
 

data/spec/chef-vault/certificate_spec.rb

@@ -1,6 +1,4 @@
-require 'spec_helper'
-
-describe ChefVault::Certificate do
+RSpec.describe ChefVault::Certificate do
   let(:item) { double(ChefVault::Item) }
   let(:cert) { ChefVault::Certificate.new("foo", "bar") }
 
@@ -19,21 +17,20 @@ describe ChefVault::Certificate do
   end
 
   describe '#[]' do
-    specify { cert["id"].should eq "bar" }
+    specify { expect(cert['id']).to eq 'bar' }
   end
 
   describe 'decrypt_contents' do
 
     it 'echoes warning' do
-      STDOUT.should_receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
-
+      expect(STDOUT).to receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
       cert.decrypt_contents
     end
 
     it 'returns items contents' do
       expect(item).to receive(:[]).with("contents")
 
-      cert.decrypt_contents.should eq "baz"
+      expect(cert.decrypt_contents).to eq 'baz'
     end
   end
 

data/spec/chef-vault/item_keys_spec.rb

@@ -1,6 +1,4 @@
-require 'spec_helper'
-
-describe ChefVault::ItemKeys do
+RSpec.describe ChefVault::ItemKeys do
   describe '#new' do
     subject(:keys) { ChefVault::ItemKeys.new("foo", "bar") }
 
@@ -8,10 +6,10 @@ describe ChefVault::ItemKeys do
 
     its(:data_bag) { should eq "foo" }
 
-    specify { keys["id"].should eq "bar" }
+    specify { expect(keys["id"]).to eq 'bar' }
 
-    specify { keys["admins"].should eq [] }
+    specify { expect(keys["admins"]).to eq [] }
 
-    specify { keys["clients"].should eq [] }
+    specify { expect(keys["clients"]).to eq [] }
   end
 end

data/spec/chef-vault/item_spec.rb

@@ -1,6 +1,4 @@
-require 'spec_helper'
-
-describe ChefVault::Item do
+RSpec.describe ChefVault::Item do
   subject(:item) { ChefVault::Item.new("foo", "bar") }
 
   describe '#new' do
@@ -11,11 +9,11 @@ describe ChefVault::Item do
 
     its(:data_bag) { should eq "foo" }
 
-    specify { item["id"].should eq "bar" }
+    specify { expect(item['id']).to eq 'bar' }
 
-    specify { item.keys["id"].should eq "bar_keys" }
+    specify { expect(item.keys['id']).to eq 'bar_keys' }
 
-    specify { item.keys.data_bag.should eq "foo" }
+    specify { expect(item.keys.data_bag).to eq 'foo' }
   end
 
   describe '#save' do

data/spec/chef-vault/user_spec.rb

@@ -1,6 +1,4 @@
-require 'spec_helper'
-
-describe ChefVault::User do
+RSpec.describe ChefVault::User do
   let(:item) { double(ChefVault::Item) }
   let(:user) { ChefVault::User.new("foo", "bar") }
 
@@ -19,21 +17,19 @@ describe ChefVault::User do
   end
 
   describe '#[]' do
-    specify { user["id"].should eq "bar" }
+    specify { expect(user['id']).to eq 'bar' }
   end
 
   describe 'decrypt_password' do
 
     it 'echoes warning' do
-      STDOUT.should_receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
-
+      expect(STDOUT).to receive(:puts).with("WARNING: This method is deprecated, please switch to item['value'] calls")
       user.decrypt_password
     end
 
     it 'returns items password' do
       expect(item).to receive(:[]).with("password")
-
-      user.decrypt_password.should eq "baz"
+      expect(user.decrypt_password).to eq "baz"
     end
   end
 

data/spec/chef-vault_spec.rb

@@ -1,6 +1,4 @@
-require 'spec_helper'
-
-describe ChefVault do
+RSpec.describe ChefVault do
   subject(:vault) { ChefVault.new('foo') }
 
   describe '#new' do
@@ -12,7 +10,7 @@ describe ChefVault do
 
     context 'with a vault and config file parameter specified' do
       before do
-        IO.stub(:read).with('knife.rb').and_return("node_name 'bar'")
+        allow(IO).to receive(:read).with('knife.rb').and_return("node_name 'bar'")
       end
 
       let(:vault) { ChefVault.new('foo', 'knife.rb') }

data/spec/spec_helper.rb

@@ -1,21 +1,94 @@
+if ENV['COVERAGE']
+  require 'simplecov'
+end
+
 require_relative '../lib/chef-vault'
 
 require 'rspec/its'
-
 # This file was generated by the `rspec --init` command. Conventionally, all
 # specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
-# Require this file using `require "spec_helper"` to ensure that it is only
-# loaded once.
+# The generated `.rspec` file contains `--require spec_helper` which will cause this
+# file to always be loaded, without a need to explicitly require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
 #
 # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 RSpec.configure do |config|
-  config.treat_symbols_as_metadata_keys_with_true_values = true
-  config.run_all_when_everything_filtered = true
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    # be_bigger_than(2).and_smaller_than(4).description
+    #   # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #   # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # The settings below are suggested to provide a good initial experience
+  # with RSpec, but feel free to customize to your heart's content.
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
   config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is recommended.
+  # For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  # config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
 
   # Run specs in random order to surface order dependencies. If you find an
   # order dependency and want to debug it, you can fix the order by providing
   # the seed, which is printed after each run.
   #     --seed 1234
-  config.order = 'random'
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
 end

metadata

@@ -1,71 +1,57 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.4.0
 platform: ruby
 authors:
 - Kevin Moser
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-10-22 00:00:00.000000000 Z
+date: 2014-12-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '10.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
-- !ruby/object:Gem::Dependency
-  name: rake
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
+        version: '10.4'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '3.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.14'
+        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: rspec-its
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: aruba
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +80,34 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.10.10
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: simplecov-console
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.2'
 description: Data encryption support for Chef using data bags
 email:
 - kevin.moser@nordstrom.com
@@ -104,6 +118,7 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- ".simplecov"
 - ".travis.yml"
 - CONTRIBUTING.md
 - Changelog.md
@@ -116,6 +131,7 @@ files:
 - bin/chef-vault
 - chef-vault.gemspec
 - features/clean.feature
+- features/clean_unknown_clients.feature
 - features/step_definitions/chef-repo.rb
 - features/step_definitions/chef-vault.rb
 - features/support/env.rb