chef-vault 2.8.0.rc1 → 2.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Changelog.md +4 -0
- data/README.md +1 -2
- data/UPGRADE.md +1 -1
- data/features/step_definitions/chef-vault.rb +7 -7
- data/features/support/env.rb +3 -3
- data/lib/chef-vault.rb +1 -1
- data/lib/chef-vault/item.rb +5 -5
- data/lib/chef-vault/item_keys.rb +2 -2
- data/lib/chef-vault/mixins.rb +1 -1
- data/lib/chef-vault/version.rb +1 -1
- data/lib/chef/knife/mixin/helper.rb +1 -1
- data/lib/chef/knife/vault_decrypt.rb +1 -1
- data/lib/chef/knife/vault_edit.rb +1 -1
- data/lib/chef/knife/vault_rotate_all_keys.rb +1 -1
- data/lib/chef/knife/vault_show.rb +1 -1
- data/spec/chef-vault/certificate_spec.rb +3 -3
- data/spec/chef-vault/user_spec.rb +3 -3
- data/spec/chef-vault_spec.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 750abe3e243a8eed71602426024b73cd60fd4187
|
|
4
|
+
data.tar.gz: d014e5e9965a19cc05a5180b491d1e7938b148cb
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ce1a778347407af231250a5d98a745f14b17ed6ba0ed05dd5bc562bfa243bfd0669519a20a00cd997dbedff7fc3fa6dc774d6b9c567e621966c7987f3209e06b
|
|
7
|
+
data.tar.gz: d14135ed7acbca9c486e771573afde6af1ccd881cf5603fecaf46e47ca0038514c0e6cd95dfc22803a7088f63f94285495c516dbf149ffe9e3e3add098640a78
|
data/Changelog.md
CHANGED
data/README.md
CHANGED
|
@@ -16,8 +16,7 @@ Gem that allows you to encrypt a Chef Data Bag Item using the public keys of
|
|
|
16
16
|
a list of chef nodes. This allows only those chef nodes to decrypt the
|
|
17
17
|
encrypted values.
|
|
18
18
|
|
|
19
|
-
For a more detailed explanation of how chef-vault works, please refer to
|
|
20
|
-
file THEORY.md.
|
|
19
|
+
For a more detailed explanation of how chef-vault works, please refer to this blog post [Chef Vault – what is it and what can it do for you?](https://www.chef.io/blog/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/) by Nell Shamrell-Harrington.
|
|
21
20
|
|
|
22
21
|
## INSTALLATION:
|
|
23
22
|
|
data/UPGRADE.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# UPGRADING A v1 VAULT to v2
|
|
2
2
|
|
|
3
3
|
chef-vault v2 added metadata to the vault to keep track of
|
|
4
|
-
which secrets belong to
|
|
4
|
+
which secrets belong to clients and which belong to admins,
|
|
5
5
|
as well as the search query to use during a `knife vault refresh`
|
|
6
6
|
operation.
|
|
7
7
|
|
|
@@ -2,29 +2,29 @@ require "json"
|
|
|
2
2
|
|
|
3
3
|
Given(/^I create a vault item '(.+)\/(.+)' containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, json, nodelist, admins|
|
|
4
4
|
write_file "item.json", json
|
|
5
|
-
query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
|
|
5
|
+
query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
|
|
6
6
|
adminarg = admins.nil? ? "-A admin" : "-A #{admins}"
|
|
7
7
|
run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} -S '#{query}' -J item.json", false
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
|
|
11
|
-
query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
|
|
11
|
+
query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
|
|
12
12
|
run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? '--clean' : ''}"
|
|
13
13
|
end
|
|
14
14
|
|
|
15
15
|
Given(/^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |nodelist, vault, item, optionlist|
|
|
16
|
-
query = nodelist.split(/,/).map{|e| "name:#{e}"}.join(" OR ")
|
|
17
|
-
options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
|
|
16
|
+
query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
|
|
17
|
+
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
|
18
18
|
run_simple "knife vault remove #{vault} #{item} -z -c knife.rb -S '#{query}' #{options}"
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
Given(/^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
|
|
22
|
-
options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
|
|
22
|
+
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
|
23
23
|
run_simple "knife vault rotate keys #{vault} #{item} -c knife.rb -z #{options}"
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
Given(/^I rotate all keys with the '(.+)' options?$/) do |optionlist|
|
|
27
|
-
options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
|
|
27
|
+
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
|
28
28
|
run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
|
|
29
29
|
end
|
|
30
30
|
|
|
@@ -33,7 +33,7 @@ Given(/^I refresh the vault item '(.+)\/(.+)'$/) do |vault, item|
|
|
|
33
33
|
end
|
|
34
34
|
|
|
35
35
|
Given(/^I refresh the vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
|
|
36
|
-
options = optionlist.split(/,/).map{|o| "--#{o}"}.join(" ")
|
|
36
|
+
options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
|
|
37
37
|
run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z #{options}"
|
|
38
38
|
end
|
|
39
39
|
|
data/features/support/env.rb
CHANGED
|
@@ -8,7 +8,7 @@ require "aruba/cucumber"
|
|
|
8
8
|
# the knife command. Up the timeout when we're in a travis build based on the
|
|
9
9
|
# environment variable set in .travis.yml
|
|
10
10
|
#if ENV['TRAVIS_BUILD']
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
11
|
+
Before do
|
|
12
|
+
@aruba_timeout_seconds = 15
|
|
13
|
+
end
|
|
14
14
|
#end
|
data/lib/chef-vault.rb
CHANGED
|
@@ -35,7 +35,7 @@ require "chef-vault/chef_patch/user"
|
|
|
35
35
|
class ChefVault
|
|
36
36
|
attr_accessor :vault
|
|
37
37
|
|
|
38
|
-
def initialize(vault, chef_config_file=nil)
|
|
38
|
+
def initialize(vault, chef_config_file = nil)
|
|
39
39
|
@vault = vault
|
|
40
40
|
ChefVault.load_config(chef_config_file) if chef_config_file
|
|
41
41
|
end
|
data/lib/chef-vault/item.rb
CHANGED
|
@@ -74,7 +74,7 @@ class ChefVault
|
|
|
74
74
|
@secret = secret
|
|
75
75
|
end
|
|
76
76
|
|
|
77
|
-
def clients(search_or_client=nil, action
|
|
77
|
+
def clients(search_or_client = nil, action = :add)
|
|
78
78
|
if search_or_client.is_a?(Chef::ApiClient)
|
|
79
79
|
handle_client_action(search_or_client, action)
|
|
80
80
|
elsif search_or_client
|
|
@@ -107,7 +107,7 @@ class ChefVault
|
|
|
107
107
|
end
|
|
108
108
|
end
|
|
109
109
|
|
|
110
|
-
def search(search_query=nil)
|
|
110
|
+
def search(search_query = nil)
|
|
111
111
|
if search_query
|
|
112
112
|
keys.search_query(search_query)
|
|
113
113
|
else
|
|
@@ -115,7 +115,7 @@ class ChefVault
|
|
|
115
115
|
end
|
|
116
116
|
end
|
|
117
117
|
|
|
118
|
-
def admins(admins=nil, action
|
|
118
|
+
def admins(admins = nil, action = :add)
|
|
119
119
|
if admins
|
|
120
120
|
admins.split(",").each do |admin|
|
|
121
121
|
admin.strip!
|
|
@@ -179,7 +179,7 @@ class ChefVault
|
|
|
179
179
|
reload_raw_data
|
|
180
180
|
end
|
|
181
181
|
|
|
182
|
-
def generate_secret(key_size=32)
|
|
182
|
+
def generate_secret(key_size = 32)
|
|
183
183
|
# Defaults to 32 bytes, as this is the size that a Chef
|
|
184
184
|
# Encrypted Data Bag Item will digest all secrets down to anyway
|
|
185
185
|
SecureRandom.random_bytes(key_size)
|
|
@@ -195,7 +195,7 @@ class ChefVault
|
|
|
195
195
|
super
|
|
196
196
|
end
|
|
197
197
|
|
|
198
|
-
def save(item_id
|
|
198
|
+
def save(item_id = @raw_data["id"])
|
|
199
199
|
# validate the format of the id before attempting to save
|
|
200
200
|
validate_id!(item_id)
|
|
201
201
|
|
data/lib/chef-vault/item_keys.rb
CHANGED
|
@@ -52,7 +52,7 @@ class ChefVault
|
|
|
52
52
|
raw_data[type].delete(chef_client)
|
|
53
53
|
end
|
|
54
54
|
|
|
55
|
-
def search_query(search_query=nil)
|
|
55
|
+
def search_query(search_query = nil)
|
|
56
56
|
if search_query
|
|
57
57
|
@raw_data["search_query"] = search_query
|
|
58
58
|
else
|
|
@@ -68,7 +68,7 @@ class ChefVault
|
|
|
68
68
|
@raw_data["admins"]
|
|
69
69
|
end
|
|
70
70
|
|
|
71
|
-
def save(item_id
|
|
71
|
+
def save(item_id = @raw_data["id"])
|
|
72
72
|
if Chef::Config[:solo]
|
|
73
73
|
save_solo(item_id)
|
|
74
74
|
else
|
data/lib/chef-vault/mixins.rb
CHANGED
|
@@ -22,7 +22,7 @@ class ChefVault
|
|
|
22
22
|
[data_bag_path, data_bag_item_path]
|
|
23
23
|
end
|
|
24
24
|
|
|
25
|
-
def save_solo(item_id
|
|
25
|
+
def save_solo(item_id = @raw_data["id"])
|
|
26
26
|
data_bag_path, data_bag_item_path = find_solo_path(item_id)
|
|
27
27
|
|
|
28
28
|
FileUtils.mkdir(data_bag_path) unless File.exist?(data_bag_path)
|
data/lib/chef-vault/version.rb
CHANGED
|
@@ -37,7 +37,7 @@ class Chef
|
|
|
37
37
|
begin
|
|
38
38
|
vault_item = ChefVault::Item.load(vault, item)
|
|
39
39
|
|
|
40
|
-
filtered_vault_data = vault_item.raw_data.select{|x| x != "id"}
|
|
40
|
+
filtered_vault_data = vault_item.raw_data.select { |x| x != "id" }
|
|
41
41
|
|
|
42
42
|
updated_vault_json = edit_data(filtered_vault_data)
|
|
43
43
|
|
|
@@ -76,7 +76,7 @@ class Chef
|
|
|
76
76
|
included_values << value
|
|
77
77
|
end
|
|
78
78
|
|
|
79
|
-
filtered_data = Hash[vault_item.raw_data.find_all{|k, _| included_values.include?(k)}]
|
|
79
|
+
filtered_data = Hash[vault_item.raw_data.find_all { |k, _| included_values.include?(k) }]
|
|
80
80
|
|
|
81
81
|
output_data = filtered_data.merge(extra_data)
|
|
82
82
|
else
|
|
@@ -3,9 +3,9 @@ RSpec.describe ChefVault::Certificate do
|
|
|
3
3
|
let(:cert) { ChefVault::Certificate.new("foo", "bar") }
|
|
4
4
|
|
|
5
5
|
before do
|
|
6
|
-
allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
|
|
7
|
-
allow(item).to receive(:[]).with("id"){ "bar" }
|
|
8
|
-
allow(item).to receive(:[]).with("contents"){ "baz" }
|
|
6
|
+
allow(ChefVault::Item).to receive(:load).with("foo", "bar") { item }
|
|
7
|
+
allow(item).to receive(:[]).with("id") { "bar" }
|
|
8
|
+
allow(item).to receive(:[]).with("contents") { "baz" }
|
|
9
9
|
@orig_stdout = $stdout
|
|
10
10
|
$stdout = File.open(File::NULL, "w")
|
|
11
11
|
end
|
|
@@ -3,9 +3,9 @@ RSpec.describe ChefVault::User do
|
|
|
3
3
|
let(:user) { ChefVault::User.new("foo", "bar") }
|
|
4
4
|
|
|
5
5
|
before do
|
|
6
|
-
allow(ChefVault::Item).to receive(:load).with("foo", "bar"){ item }
|
|
7
|
-
allow(item).to receive(:[]).with("id"){ "bar" }
|
|
8
|
-
allow(item).to receive(:[]).with("password"){ "baz" }
|
|
6
|
+
allow(ChefVault::Item).to receive(:load).with("foo", "bar") { item }
|
|
7
|
+
allow(item).to receive(:[]).with("id") { "bar" }
|
|
8
|
+
allow(item).to receive(:[]).with("password") { "baz" }
|
|
9
9
|
@orig_stdout = $stdout
|
|
10
10
|
$stdout = File.open(File::NULL, "w")
|
|
11
11
|
end
|
data/spec/chef-vault_spec.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: chef-vault
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.8.0
|
|
4
|
+
version: 2.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kevin Moser
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2016-
|
|
12
|
+
date: 2016-02-09 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rake
|
|
@@ -207,9 +207,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
207
207
|
version: '0'
|
|
208
208
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
209
209
|
requirements:
|
|
210
|
-
- - "
|
|
210
|
+
- - ">="
|
|
211
211
|
- !ruby/object:Gem::Version
|
|
212
|
-
version:
|
|
212
|
+
version: '0'
|
|
213
213
|
requirements: []
|
|
214
214
|
rubyforge_project:
|
|
215
215
|
rubygems_version: 2.4.5.1
|