chef-vault 3.4.1 → 3.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2fbbdd92f6d89bb8f1ca3ed46ab6bca6cdf5c32e7531094759b5f75d649f47aa
-  data.tar.gz: 442a0b134188207c7f3fcadcc419690d1aa1f65ac8b36bbe8bc1d4ed0305cad5
+  metadata.gz: ae942cd10e48bec9d688f5c91e12853ebd257a2664768444d3f9f472e391dcc3
+  data.tar.gz: 04dc8c57516c24949b014cbb7e2e259dea2f9e7458505bccb87b6ab0698db1f4
 SHA512:
-  metadata.gz: e5f7ca73b0048a9b4db5e61cf41f672ecacda7a451159ead664c290f7427cce752af8067aaa14d7fb2cb6a7fc720dd4b6178217b550b0831af689d7c91d1a7e9
-  data.tar.gz: f21a64adcbf5927fa67b028e2519fa5410bd08f1728deeef660400321858be7071481216f715766228a0410c237cada68cfbf2a89b3d02ccb3e822ac2b9bac29
+  metadata.gz: 6dad5ce4503b40fe2866c9c89d34ab45e56c8cbbac9bc98a4a2716584b1898277e4d2b177ff133b4959b7fee722d9a6b22fcd318c39d0703eb54bd657fa0f637
+  data.tar.gz: 18706d51d76afd1929e09a79a618b9a174604b37b22e778bed552620061f8826919d239ecf47a63b03ef729495b558fc0002640dac19e37d8d74c2cbd4d3c4b3

data/README.md

@@ -0,0 +1,307 @@
+# Chef-Vault
+
+[![Gem Version](https://badge.fury.io/rb/chef-vault.svg)](http://badge.fury.io/rb/chef-vault)
+
+[![Build Status](https://travis-ci.org/chef/chef-vault.svg?branch=master)](https://travis-ci.org/chef/chef-vault)
+
+[![Inline docs](http://inch-ci.org/github/chef/chef-vault.svg?branch=master)](http://inch-ci.org/github/chef/chef-vault)
+
+[![Code Climate](https://codeclimate.com/github/chef/chef-vault/badges/gpa.svg)](https://codeclimate.com/github/chef/chef-vault)
+
+## DESCRIPTION:
+
+Gem that allows you to encrypt a Chef Data Bag Item using the public keys of
+a list of chef nodes. This allows only those chef nodes to decrypt the
+encrypted values.
+
+For a more detailed explanation of how chef-vault works, please refer to this blog post [Chef Vault – what is it and what can it do for you?](https://www.chef.io/blog/2016/01/21/chef-vault-what-is-it-and-what-can-it-do-for-you/) by Nell Shamrell-Harrington.
+
+## INSTALLATION:
+
+Be sure you are running the latest version Chef. Versions earlier than
+0.10.0 don't support plugins:
+
+    gem install chef
+
+This plugin is distributed as a Ruby Gem. To install it, run:
+
+    gem install chef-vault
+
+Depending on your system's configuration, you may need to run this command
+with root privileges.
+
+## DEVELOPMENT:
+
+### Git Hooks
+
+There is a git pre-commit hook to help you keep your chefstyle up to date.
+If you wish to use it, simply:
+
+```
+mv hooks/pre-commit .git/hooks/
+chmod +x .git/hooks/pre-commit
+```
+
+### Running Your Changes
+
+To run your changes locally:
+
+```
+bundle install
+bundle exec knife vault
+```
+
+### Testing
+
+#### Rspec Tests
+
+There are some unit tests that can be run with:
+
+```
+bundle exec rspec spec/
+```
+
+#### Cucumber Testing
+
+There are cucumber tests. Run the whole suite with:
+
+```
+bundle exec rake features
+```
+
+If you get any failures, you can run the specific feature that failed with:
+
+```
+bundle exec cucumber features/<failed>.feature
+```
+
+If you want to test things out directly, after a failure you can go into the test
+directory and try out the commands that failed:
+
+```
+cd tmp/aruba
+bundle exec knife <your command that failed from test with -c knife.rb>
+```
+
+Optionally add `-VV` to the above to get a full stacktrace.
+
+### Rubocop Errors
+
+If you are seeing rubocop errors in travis for your pull request, run:
+
+`bundle exec chefstyle -a`
+
+This will fix up your rubocop errors automatically, and warn you about any it can't.
+
+## KNIFE COMMANDS:
+
+See KNIFE_EXAMPLES.md for examples of commands
+
+### knife.rb
+
+To set 'client' as the default mode, add the following line to the knife.rb file.
+
+    knife[:vault_mode] = 'client'
+
+To set the default list of admins for creating and updating vaults, add the
+following line to the knife.rb file.
+
+    knife[:vault_admins] = [ 'example-alice', 'example-bob', 'example-carol' ]
+
+(These values can be overridden on the command line by using -A)
+
+NOTE: chef-vault 1.0 knife commands are not supported! Please use chef-vault
+2.0 commands.
+
+### Vault
+
+    knife vault create VAULT ITEM VALUES
+    knife vault edit VAULT ITEM
+    knife vault refresh VAULT ITEM
+    knife vault update VAULT ITEM VALUES [--clean]
+    knife vault remove VAULT ITEM VALUES
+    knife vault delete VAULT ITEM
+    knife vault rotate keys VAULT ITEM
+    knife vault rotate all keys
+    knife vault show VAULT [ITEM] [VALUES]
+    knife vault download VAULT ITEM PATH
+    knife vault isvault VAULT ITEM
+    knife vault itemtype VAULT ITEM
+
+#### Global Options
+
+Short | Long | Description | Default | Valid Values | Sub-Commands
+------|------|-------------|---------|--------------|-------------
+-M MODE | --mode MODE | Chef mode to run in. Can be set in knife.rb | solo | solo, client | all
+-S SEARCH | --search SEARCH | Chef Server SOLR Search Of Nodes | | | create, remove , update
+-C CLIENTS | --clients CLIENTS | Chef clients to be added as clients, can be comma list | | | create, remove , update
+-A ADMINS | --admins ADMINS | Chef clients or users to be vault admins, can be comma list | | | create, remove, update
+-J FILE | --json FILE | JSON file to be used for values, will be merged with VALUES if VALUES is passed | | | create, update
+| --file FILE | File that chef-vault should encrypt.  It adds "file-content" & "file-name" keys to the vault item | | | create, update
+-p DATA | --print DATA | Print extra vault data | | search, clients, admins, all | show
+-F FORMAT | --format FORMAT | Format for decrypted output | summary | summary, json, yaml, pp | show
+| --clean-unknown-clients | Remove unknown clients during key rotation | | | refresh, remove, rotate
+| --clean | Clean clients list before performing search | | | refresh, update
+
+## USAGE IN RECIPES
+
+To use this gem in a recipe to decrypt data you must first install the gem
+via a chef_gem resource. Once the gem is installed require the gem and then
+you can create a new instance of ChefVault.
+
+NOTE: chef-vault 1.0 style decryption is supported, however it has been
+deprecated and chef-vault 2.0 decryption should be used instead
+
+### Example Code
+
+    chef_gem 'chef-vault' do
+      compile_time true if respond_to?(:compile_time)
+    end
+
+    require 'chef-vault'
+
+    item = ChefVault::Item.load("passwords", "root")
+    item["password"]
+
+Note that in this case, the gem needs to be installed at compile time
+because the require statement is at the top-level of the recipe.  If
+you move the require of chef-vault and the call to `::load` to
+library or provider code, you can install the gem in the converge phase
+instead.
+
+### Specifying an alternate node name or client key path
+
+Normally, the value of `Chef::Config[:node_name]` is used to find the
+per-node encrypted secret in the keys data bag item, and the value of
+`Chef::Config[:client_key]` is used to locate the private key to decrypt
+this secret.
+
+These can be overridden by passing a hash with the keys `:node_name` or
+`:client_key_path` to `ChefVault::Item.load`:
+
+    item = ChefVault::Item.load(
+      'passwords', 'root',
+      node_name: 'service_foo',
+      client_key_path: '/secure/place/service_foo.pem'
+    )
+    item['password']
+
+The above example assumes that you have transferred
+`/secure/place/service_foo.pem` to your system via a secure channel.
+
+This usage allows you to decrypt a vault using a key shared among several
+nodes, which can be helpful when working in cloud environments or other
+configurations where nodes are created dynamically.
+
+### chef_vault_item helper
+
+The [chef-vault cookbook](https://supermarket.chef.io/cookbooks/chef-vault)
+contains a recipe to install the chef-vault gem and a helper method
+`chef_vault_helper` which makes it easier to test cookbooks that use
+chef-vault using Test Kitchen.
+
+## DETERMINING IF AN ITEM IS A VAULT
+
+ChefVault provides a helper method to determine if a data bag item is a vault,
+which can be helpful if you produce a recipe for community consumption and want
+to support both normal data bags and vaults:
+
+    if ChefVault::Item.vault?('passwords', 'root')
+      item = ChefVault::Item.load('passwords', 'root')
+    else
+      item = Chef::DataBagItem.load('passwords', 'root')
+    end
+
+This functionality is also available from the command line as `knife vault isvault VAULT ITEM`.
+
+## DETERMINING THE TYPE OF A DATA BAG ITEM
+
+ChefVault provides a helper method to determine the type of a data bag item.
+It returns one of the symbols :normal, :encrypted or :vault
+
+    case ChefVault::Item.data_bag_item_type('passwords', 'root')
+    when :normal
+      ...
+    when :encrypted
+      ...
+    when :vault
+      ...
+    end
+
+This functionality is also available from the command line as `knife vault itemtype VAULT ITEM`.
+
+## USAGE STAND ALONE
+
+`chef-vault` can be used as a stand alone binary to decrypt values stored in
+Chef. It requires that Chef is installed on the system and that you have a
+valid knife.rb. This is useful if you want to mix `chef-vault` into non-Chef
+recipe code, for example some other script where you want to protect a
+password.
+
+It does still require that the data bag has been encrypted for the user's or
+client's pem and pushed to the Chef server. It mixes Chef into the gem and
+uses it to go grab the data bag.
+
+Use `chef-vault --help` to see all all available options
+
+### Example usage (password)
+
+    chef-vault -v passwords -i root -a password -k /etc/chef/knife.rb
+
+## TESTING
+
+To use Chef Vault in Test Kitchen, ensure that the `chef-vault` recipe
+is in your `run_list`, and then add the following to your
+suite in `.kitchen.yml`:
+
+```yaml
+data_bags_path: 'path/to/data_bags'
+attributes:
+  chef_vault:
+    databags_fallback: true
+```
+
+You can then use the `chef_vault_item` helper in the aforementioned chef-vault cookbook.
+
+To stub vault items in ChefSpec, use the
+[chef-vault-testfixtures](https://rubygems.org/gems/chef-vault-testfixtures)
+gem.
+
+## Contributing
+
+For information on contributing to this project see <https://github.com/chef/chef/blob/master/CONTRIBUTING.md>
+
+## Authors
+
+Author:: Kevin Moser - @moserke<br>
+Author:: Eli Klein - @eliklein<br>
+Author:: Joey Geiger - @jgeiger<br>
+Author:: Joshua Timberman - @jtimberman<br>
+Author:: James FitzGibbon - @jf647<br>
+Author:: Thom May - @thommay<br>
+
+## Contributors
+
+Contributor:: Matt Brimstone - @brimstone<br>
+Contributor:: Thomas Gschwind - @thg65<br>
+Contributor:: Reto Hermann<br>
+
+## License
+
+Copyright:: Copyright (c) 2013-15 Nordstrom, Inc.<br>
+Copyright:: Copyright (c) 2016 Chef Software, Inc.<br>
+License:: Apache License, Version 2.0
+
+```text
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+```

data/chef-vault.gemspec

@@ -0,0 +1,40 @@
+# -*- encoding: utf-8 -*-
+# Chef-Vault Gemspec file
+# Copyright 2013-15, Nordstrom, Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+$:.push File.expand_path("../lib", __FILE__)
+require "chef-vault/version"
+
+def self.prerelease?
+  !ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
+end
+
+Gem::Specification.new do |s|
+  s.name             = "chef-vault"
+  s.version          = ChefVault::VERSION
+  s.version          = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
+  s.authors          = ["Thom May"]
+  s.email            = ["thom@chef.io"]
+  s.summary          = "Data encryption support for Chef using data bags"
+  s.description      = s.summary
+  s.homepage         = "https://github.com/chef/chef-vault"
+  s.license          = "Apache-2.0"
+  s.files            = %w{LICENSE README.md Gemfile} + Dir.glob("*.gemspec") + `git ls-files`.split("\n").select { |f| f =~ %r{^(?:bin/|lib/)}i }
+  s.require_paths    = ["lib"]
+  s.bindir           = "bin"
+  s.executables      = %w{ chef-vault }
+
+  s.required_ruby_version = ">= 2.2.0"
+end

data/lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "3.4.1"
+  VERSION = "3.4.2"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 3.4.1
+  version: 3.4.2
 platform: ruby
 authors:
 - Thom May
@@ -20,7 +20,9 @@ extra_rdoc_files: []
 files:
 - Gemfile
 - LICENSE
+- README.md
 - bin/chef-vault
+- chef-vault.gemspec
 - lib/chef-vault.rb
 - lib/chef-vault/actor.rb
 - lib/chef-vault/certificate.rb
@@ -50,7 +52,7 @@ files:
 - lib/chef/knife/vault_update.rb
 homepage: https://github.com/chef/chef-vault
 licenses:
-- Apache License, v2.0
+- Apache-2.0
 metadata: {}
 post_install_message: 
 rdoc_options: []