chef-vault 3.4.3 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3336f55c18fbd76b1ae137c6fb5abc161cd81a65a0ab4d5a88057be1e157dc41
-  data.tar.gz: 6d82cc44e26f513315e3a6c115ad39ae8d744d2f322321a03cdfb7957b279530
+  metadata.gz: 8c20a420a9d49bc39c1e32679f901e7404ed331ebe1fb5a3781f64316c1733c2
+  data.tar.gz: b328d3d990b89f4378461f319ec208047a518bdfce6231b5b8905c4a9a49c65a
 SHA512:
-  metadata.gz: 4a99251a9323d05cec3a1ec3fd94422caad6aeeadc36185ae8d8bd6e3620a56eea4764d434eb4efb8a8d34297b9f1d4b9929a695d56e1796a1effea4d613dc7c
-  data.tar.gz: 1b925c02741352391a0f94c48a305d4f4dd1bd3e13caedb39df1cc9a890c77cc69afb238205f5864f04c9112d4b53af62b247ae4ceef7830fd72ecc8746dbd79
+  metadata.gz: 8fc0571def8f7eab2a3bbb57e6ec4d0bd39469a6b5f46668918da3d9c11b8a522760a7c08aa673e780c59bfe4272f56b1f46b4e3634c6f9c666eda0ec3dc0812
+  data.tar.gz: ffcce0b7bb89f24b019d6dce1b41ee8d31c573a4f99ee2d92e3a9f005c8c69ebc2b68207261001b0d4fcb27c1262d1d88d94ff8d84091ae0f7a7ecd57c93c62f

data/Gemfile

@@ -1,14 +1,27 @@
-source "https://rubygems.org/"
+source "https://rubygems.org"
 
 gemspec
 
 group :development do
-  gem "chefstyle", git: "https://github.com/chef/chefstyle.git"
+  gem "chefstyle"
   gem "chef-zero"
   gem "rake"
   gem "rspec", "~> 3.4"
   gem "aruba", "~> 0.6"
   gem "simplecov", "~> 0.9"
-  gem "simplecov-console", "~> 0.2"
-  gem "chef"
+  gem "simplecov-console", "~> 0.2.0"
+  gem "chef", "~> 14.0" # avoids test failures on license acceptance
+end
+
+group :docs do
+  gem "yard"
+  gem "redcarpet"
+  gem "github-markup"
+end
+
+group :debug do
+  gem "pry"
+  gem "pry-byebug"
+  gem "pry-stack_explorer"
+  gem "rb-readline"
 end

data/chef-vault.gemspec

@@ -1,6 +1,7 @@
 # -*- encoding: utf-8 -*-
 # Chef-Vault Gemspec file
-# Copyright 2013-15, Nordstrom, Inc.
+# Copyright 2013-2015, Nordstrom, Inc.
+# Copyright 2017-2019, Chef Software, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,17 +18,12 @@
 $:.push File.expand_path("../lib", __FILE__)
 require "chef-vault/version"
 
-def self.prerelease?
-  !ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
-end
-
 Gem::Specification.new do |s|
   s.name             = "chef-vault"
   s.version          = ChefVault::VERSION
-  s.version          = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
   s.authors          = ["Thom May"]
   s.email            = ["thom@chef.io"]
-  s.summary          = "Data encryption support for Chef using data bags"
+  s.summary          = "Data encryption support for Chef Infra using data bags"
   s.description      = s.summary
   s.homepage         = "https://github.com/chef/chef-vault"
   s.license          = "Apache-2.0"
@@ -36,5 +32,5 @@ Gem::Specification.new do |s|
   s.bindir           = "bin"
   s.executables      = %w{ chef-vault }
 
-  s.required_ruby_version = ">= 2.2.0"
+  s.required_ruby_version = ">= 2.4"
 end

data/lib/chef-vault.rb

@@ -23,14 +23,14 @@ require "chef/api_client"
 require "chef/data_bag_item"
 require "chef/encrypted_data_bag_item"
 require "chef/user"
-require "chef-vault/version"
-require "chef-vault/exceptions"
-require "chef-vault/item"
-require "chef-vault/item_keys"
-require "chef-vault/user"
-require "chef-vault/certificate"
-require "chef-vault/chef_api"
-require "chef-vault/actor"
+require_relative "chef-vault/version"
+require_relative "chef-vault/exceptions"
+require_relative "chef-vault/item"
+require_relative "chef-vault/item_keys"
+require_relative "chef-vault/user"
+require_relative "chef-vault/certificate"
+require_relative "chef-vault/chef_api"
+require_relative "chef-vault/actor"
 
 require "mixlib/log"
 

data/lib/chef-vault/actor.rb

@@ -27,6 +27,7 @@ class ChefVault
       if actor_type != "clients" && actor_type != "admins"
         raise "You must pass either 'clients' or 'admins' as the first argument to ChefVault::Actor.new."
       end
+
       @type = actor_type
       @name = actor_name
     end
@@ -52,7 +53,7 @@ class ChefVault
           case http_error.response.code
           when "404"
             raise ChefVault::Exceptions::AdminNotFound,
-                  "FATAL: Could not find default key for #{name} in users or clients!"
+              "FATAL: Could not find default key for #{name} in users or clients!"
           when "403"
             print_forbidden_error
             raise http_error
@@ -73,7 +74,7 @@ class ChefVault
         raise http_error
       elsif http_error.response.code.eql?("404")
         raise ChefVault::Exceptions::ClientNotFound,
-              "#{name} is not a valid chef client and/or node"
+          "#{name} is not a valid chef client and/or node"
       else
         raise http_error
       end
@@ -115,6 +116,7 @@ class ChefVault
     # If the keys endpoint doesn't exist, try getting it directly from the V0 chef object.
     rescue Net::HTTPServerException => http_error
       raise http_error unless http_error.response.code.eql?("404")
+
       if request_actor_type.eql?("clients")
         chef_api_client.load(name).public_key
       else

data/lib/chef-vault/item.rb

@@ -16,7 +16,7 @@
 # limitations under the License.
 
 require "securerandom"
-require "chef-vault/mixins"
+require_relative "mixins"
 
 class ChefVault
   class Item < Chef::DataBagItem
@@ -131,6 +131,10 @@ class ChefVault
       end
     end
 
+    def mode(mode)
+      keys.mode(mode) if mode
+    end
+
     def admins(admin_string, action = :add)
       admin_string.split(",").each do |admin|
         admin.strip!
@@ -142,7 +146,7 @@ class ChefVault
           keys.delete(admin_key)
         else
           raise ChefVault::Exceptions::KeysActionNotValid,
-                "#{action} is not a valid action"
+            "#{action} is not a valid action"
         end
       end
     end
@@ -157,7 +161,7 @@ class ChefVault
 
     def secret
       if @keys.include?(@node_name) && !@keys[@node_name].nil?
-        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read())
+        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
         begin
           private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
         rescue OpenSSL::PKey::RSAError
@@ -268,7 +272,7 @@ class ChefVault
 
       if Chef::Config[:solo_legacy_mode]
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
         data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
 
         FileUtils.rm("#{data_bag_item_path}.json")
@@ -358,12 +362,12 @@ class ChefVault
     #   no longer be found
     # @return [void]
     def refresh(clean_unknown_clients = false)
-      unless search
+      if search.empty?
         raise ChefVault::Exceptions::SearchNotFound,
-              "#{vault}/#{item} does not have a stored search_query, "\
-              "probably because it was created with an older version "\
-              "of chef-vault. Use 'knife vault update' to update the "\
-              "databag with the search query."
+          "#{@data_bag}/#{@raw_data["id"]} does not have a stored "\
+          "search_query, probably because it was created with an "\
+          "older version of chef-vault. Use 'knife vault update' "\
+          "to update the databag with the search query."
       end
 
       # a bit of a misnomer; this doesn't remove unknown
@@ -434,11 +438,12 @@ class ChefVault
       true
     rescue Net::HTTPServerException => http_error
       return false if http_error.response.code == "404"
+
       raise http_error
     end
 
     # adds or deletes an API client from the vault item keys
-    # @param client [Chef::ApiClient] the API client to operate on
+    # @param api_client [Chef::ApiClient] the API client to operate on
     # @param action [Symbol] :add or :delete
     # @return [void]
     def handle_client_action(api_client, action)
@@ -460,7 +465,7 @@ class ChefVault
     end
 
     # removes a client to the vault item keys
-    # @param client_or_node [String] the name of the API client or node to remove
+    # @param name [String] the name of the API client or node to remove
     # @return [void]
     def delete_client_or_node(name)
       client = load_actor(name, "clients")

data/lib/chef-vault/item_keys.rb

@@ -14,7 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef-vault/mixins"
+require_relative "mixins"
 
 class ChefVault
   class ItemKeys < Chef::DataBagItem
@@ -39,9 +39,11 @@ class ChefVault
     def [](key)
       # return options immediately
       return @raw_data[key] if %w{id admins clients search_query mode}.include?(key)
+
       # check if the key is in the write-back cache
       ckey = @cache[key]
       return ckey unless ckey.nil?
+
       # check if the key is saved in sparse mode
       skey = sparse_key(sparse_id(key)) if sparse?
       if skey
@@ -58,6 +60,7 @@ class ChefVault
       return (ckey ? true : false) unless ckey.nil?
       # check if the key is saved in sparse mode
       return true if sparse? && sparse_key(sparse_id(key))
+
       # fallback to non-sparse mode if sparse key is not found
       @raw_data.keys.include?(key)
     end
@@ -66,10 +69,14 @@ class ChefVault
       type = chef_key.type
       unless @raw_data.key?(type)
         raise ChefVault::Exceptions::V1Format,
-              "cannot manage a v1 vault.  See UPGRADE.md for help"
+          "cannot manage a v1 vault.  See UPGRADE.md for help"
       end
       @cache[chef_key.name] = skip_reencryption ? self[chef_key.name] : nil
-      @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      begin
+        @cache[chef_key.name] ||= ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret)
+      rescue OpenSSL::PKey::RSAError
+        raise OpenSSL::PKey::RSAError, "While adding #{chef_key.type} an invalid or old (pre chef-server 12) format public key was found for #{chef_key.name}"
+      end
       @raw_data[type] << chef_key.name unless @raw_data[type].include?(chef_key.name)
       @raw_data[type]
     end
@@ -135,7 +142,7 @@ class ChefVault
             begin
               Chef::DataBagItem.from_hash("data_bag" => data_bag,
                                           "id" => sparse_id(key))
-                               .destroy(data_bag, sparse_id(key))
+                .destroy(data_bag, sparse_id(key))
             rescue Net::HTTPServerException => http_error
               raise http_error unless http_error.response.code == "404"
             end
@@ -161,6 +168,25 @@ class ChefVault
           end
         end
       end
+
+      if @raw_data["mode"] == "sparse"
+        @raw_data.each do |key, val|
+          next if %w{ id clients admins search_query mode }.include?(key)
+
+          skey = Chef::DataBagItem.from_hash(
+            "data_bag" => data_bag,
+            "id" => sparse_id(key),
+            key => val
+          )
+          @raw_data.delete(key)
+          if Chef::Config[:solo_legacy_mode]
+            save_solo(skey.id, skey.raw_data)
+          else
+            skey.save
+          end
+        end
+      end
+
       # save raw data
       if Chef::Config[:solo_legacy_mode]
         save_solo(item_id)
@@ -187,7 +213,7 @@ class ChefVault
         items = Chef::DataBag.load(data_bag).keys.select { |item| item =~ rgx }
         items.each do |id|
           Chef::DataBagItem.from_hash("data_bag" => data_bag, "id" => id)
-                           .destroy(data_bag, id)
+            .destroy(data_bag, id)
         end
         # destroy this metadata
         super(data_bag, id)

data/lib/chef-vault/mixins.rb

@@ -6,7 +6,7 @@ class ChefVault
     #     paths and use that by preference
     #  1. Otherwise, just use the first location in the array
     def find_solo_path(item_id)
-      if Chef::Config[:data_bag_path].kind_of?(Array)
+      if Chef::Config[:data_bag_path].is_a?(Array)
         path = Chef::Config[:data_bag_path].find do |dir|
           File.exist?(File.join(dir, data_bag, "#{item_id}.json"))
         end
@@ -15,7 +15,7 @@ class ChefVault
         data_bag_path = File.join(path, data_bag)
       else
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
       end
       data_bag_item_path = File.join(data_bag_path, item_id) + ".json"
 

data/lib/chef-vault/version.rb

@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "3.4.3"
+  VERSION = "4.0.1"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/lib/chef/knife/mixin/helper.rb

@@ -33,7 +33,7 @@ class ChefVault
       end
 
       def values_from_file(file)
-        json = File.open(file) { |fh| fh.read() }
+        json = File.open(file, &:read)
 
         values_from_json(json)
       end

data/lib/chef/knife/vault_admins.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 require "chef/knife"
-require "chef-vault"
+require_relative "../../chef-vault"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_base.rb

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 require "chef/knife"
-require "chef-vault"
+require_relative "../../chef-vault"
 
 class Chef
   class Knife
@@ -55,13 +55,16 @@ class Chef
         # - item_keys has zero or more keys in sparse mode
         # vaults have a number of keys >= 2
         return false unless bag.keys.size >= 2
+
         # partition into those that end in _keys
         keylike, notkeylike = split_vault_keys(bag)
         # there must be an equal number of keyline and not-keylike items
         return false unless keylike.size == notkeylike.size
+
         # strip the _keys suffix and check if the sets match
         keylike.map! { |k| k.gsub(/_keys$/, "") }
         return false unless keylike.sort == notkeylike.sort
+
         # it's (probably) a vault
         true
       end
@@ -70,7 +73,7 @@ class Chef
         # get all item keys
         keys = bag.keys.select { |k| k =~ /_keys$/ }
         # get all sparse keys
-        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp('_keys')}_key_.*") })
+        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp("_keys")}_key_.*") })
         sparse = bag.keys.select { |k| k =~ r }
         # the rest
         items = bag.keys - keys - sparse

data/lib/chef/knife/vault_create.rb

@@ -13,9 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_admins"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
+require_relative "vault_admins"
+require_relative "vault_clients"
 
 class Chef
   class Knife
@@ -84,7 +84,7 @@ class Chef
 
               if file
                 vault_item["file-name"] = File.basename(file)
-                vault_item["file-content"] = File.open(file) { |f| f.read() }
+                vault_item["file-content"] = File.open(file, &:read)
               end
             else
               vault_json = edit_hash({})

data/lib/chef/knife/vault_delete.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_download.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -34,7 +34,7 @@ class Chef
           File.open(path, "w") do |file|
             file.write(vault_item["file-content"])
           end
-          ui.info("Saved #{vault_item['file-name']} as #{path}")
+          ui.info("Saved #{vault_item["file-name"]} as #{path}")
         else
           show_usage
         end

data/lib/chef/knife/vault_edit.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_isvault.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_itemtype.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_list.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_refresh.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife
@@ -47,8 +47,8 @@ class Chef
                  ChefVault::Exceptions::ItemNotFound
 
             raise ChefVault::Exceptions::ItemNotFound,
-                  "#{vault}/#{item} does not exist, "\
-                  "use 'knife vault create' to create."
+              "#{vault}/#{item} does not exist, "\
+              "use 'knife vault create' to create."
           end
         else
           show_usage

data/lib/chef/knife/vault_remove.rb

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
+require_relative "vault_clients"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_rotate_all_keys.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_rotate_keys.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_show.rb

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
+require_relative "vault_base"
 
 class Chef
   class Knife

data/lib/chef/knife/vault_update.rb

@@ -13,9 +13,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require "chef/knife/vault_base"
-require "chef/knife/vault_admins"
-require "chef/knife/vault_clients"
+require_relative "vault_base"
+require_relative "vault_admins"
+require_relative "vault_clients"
 
 class Chef
   class Knife
@@ -54,6 +54,11 @@ class Chef
         long: "--clean",
         description: "Clean clients before performing search"
 
+      option :keys_mode,
+        short: "-K KEYS_MODE",
+        long: "--keys-mode KEYS_MODE",
+        description: "Mode in which to save vault keys"
+
       def run
         vault = @name_args[0]
         item = @name_args[1]
@@ -62,16 +67,17 @@ class Chef
         json_file = config[:json]
         file = config[:file]
         clean = config[:clean]
+        keys_mode = config[:keys_mode]
 
         set_mode(config[:vault_mode])
 
-        if vault && item && ((values || json_file || file) || (search || clients || admins))
+        if vault && item && ((values || json_file || file) || (search || clients || admins) || (keys_mode))
           begin
             vault_item = ChefVault::Item.load(vault, item)
 
             # Keys management first
             if clean
-              vault_clients = vault_item.get_clients.clone().sort()
+              vault_clients = vault_item.get_clients.clone.sort
               vault_clients.each do |client|
                 ui.info "Deleting #{client}"
                 vault_item.delete_client(client)
@@ -91,7 +97,7 @@ class Chef
 
               if file
                 vault_item["file-name"] = File.basename(file)
-                vault_item["file-content"] = File.open(file) { |f| f.read() }
+                vault_item["file-content"] = File.open(file, &:read)
               end
 
               vault_item.save
@@ -105,6 +111,11 @@ class Chef
               "#{vault}/#{item} does not exist, "\
               "use 'knife vault create' to create."
           end
+
+          if keys_mode
+            vault_item.mode(keys_mode)
+            vault_item.save_keys
+          end
         else
           show_usage
         end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: chef-vault
 version: !ruby/object:Gem::Version
-  version: 3.4.3
+  version: 4.0.1
 platform: ruby
 authors:
 - Thom May
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-24 00:00:00.000000000 Z
+date: 2019-12-30 00:00:00.000000000 Z
 dependencies: []
-description: Data encryption support for Chef using data bags
+description: Data encryption support for Chef Infra using data bags
 email:
 - thom@chef.io
 executables:
@@ -61,16 +61,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.2.0
+      version: '2.4'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: Data encryption support for Chef using data bags
+summary: Data encryption support for Chef Infra using data bags
 test_files: []