chef-vault 4.2.5 → 4.2.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '0974951af472b372835093b27c8749e84742a232ea3ca1b2431619b833955f33'
-  data.tar.gz: 29b8a342842474dca7ff663addf310b8d1a968e954840c2c2a16bd0e812bbf9d
+  metadata.gz: eee715acb039d8781c64fc31bb0c723a97492adb3b1741757caeeb0a34804434
+  data.tar.gz: 9ff5ee7bf0dcce4664ffb2fa1624fac87ed0db8621f99ebb011f056212dece8a
 SHA512:
-  metadata.gz: 71e4d13486154f085c0b9eed253e473849f9630cf236f36ca653a8a4e8993a932d8b87f443a37283c66b66a955958026348ca74e629d947f87075c0ed01b06c7
-  data.tar.gz: e00903b95732ff8c124d731125f465feda8f0c44a0361b8150bf5ce3bc70c8f36138ed55ce149f33a2651a30b16367f1277fc9e78f7efb9d3c7c94e1da44e2fa
+  metadata.gz: a9381dea8edb554d1e5b697c6fcbdeb35865979ece9f32f77869e03832ffcf16ff67a807505801923fc04141dc8791432891f7cc366d74a9ab25fb83d298770c
+  data.tar.gz: ef6fb7279dc54608780e6ff6741bd258aac1eb3b1683008afd6afaa78c2e27e729aff575e190141a9a6234b875d29d842212291ce042c14332412a0b6f89f902

data/Gemfile

@@ -16,11 +16,15 @@ group :development do
   else
     gem "contracts", "~> 0.17"
     gem "chef-zero", "~> 15.0"
-    gem "chef", ">= 18.5.0"
+    if RUBY_PLATFORM.include?("mingw")
+      gem "chef", ">= 18.10"
+    else
+      gem "chef", ">= 18.10", platforms: [:ruby]
+    end
     gem "rspec", "~> 3.0"
     gem "aruba", "~> 2.3"
-    gem "knife", "~> 18.0"
-    gem "chef-utils", ">= 18.5.0" # pin until we drop ruby >=3
+    gem "knife", "~> 18.10"
+    gem "chef-utils", ">= 18.10", platforms: [:ruby] # pin until we drop ruby >=3
   end
 end
 

data/chef-vault.gemspec

@@ -1,6 +1,6 @@
 # Chef-Vault Gemspec file
 # Copyright 2013-2015, Nordstrom, Inc.
-# Copyright 2017-2019, Chef Software, Inc.
+# Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,7 +26,10 @@ Gem::Specification.new do |s|
   s.description      = s.summary
   s.homepage         = "https://github.com/chef/chef-vault"
   s.license          = "Apache-2.0"
-  s.files            = %w{LICENSE Gemfile} + Dir.glob("*.gemspec") + `git ls-files`.split("\n").select { |f| f =~ %r{^(?:bin/|lib/)}i }
+  s.files            = %w{LICENSE Gemfile} +
+    Dir.glob("Gemfile*") +
+    Dir.glob("*.gemspec") +
+    Dir.glob("{lib,spec}/**/*", File::FNM_DOTMATCH).reject { |f| File.directory?(f) }
   s.require_paths    = ["lib"]
   s.bindir           = "bin"
   s.executables      = %w{ chef-vault }

data/lib/chef-vault/actor.rb

@@ -1,5 +1,5 @@
 # Author:: Tyler Cloke <tyler@chef.io>
-# Copyright:: Copyright 2016, Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-vault/chef_api.rb

@@ -1,5 +1,5 @@
 # Author:: Tyler Cloke <tyler@chef.io>
-# Copyright:: Copyright 2016, Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-vault/item.rb

@@ -1,6 +1,6 @@
 # Author:: Kevin Moser <kevin.moser@nordstrom.com>
 # Copyright:: Copyright 2013-15, Nordstrom, Inc.
-# Copyright:: Copyright 2015-16, Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef-vault/version.rb

@@ -1,6 +1,6 @@
 # Description: ChefVault VERSION file
 # Copyright 2013-15, Nordstrom, Inc.
-# Copyright 2015-2017, Chef Software Inc.
+# Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,6 +15,6 @@
 # limitations under the License.
 
 class ChefVault
-  VERSION = "4.2.5"
+  VERSION = "4.2.9"
   MAJOR, MINOR, TINY = VERSION.split(".")
 end

data/spec/chef/helper_spec.rb

@@ -0,0 +1,37 @@
+require "spec_helper"
+require "chef/knife/mixin/helper"
+
+RSpec.describe ChefVault::Mixin::Helper do
+  include ChefVault::Mixin::Helper
+
+  before do
+    allow(ChefVault::Log).to receive(:warn)
+  end
+
+  let(:json_base) { { "username": "root" } }
+  let(:valid_json) { '{"username": "root", "password": "abcabc"}' }
+  let(:malformed_json) { '{"username": ' }
+  let(:valid_json_with_special_character) { { "Data": "Null->\u0000<-Byte" } }
+
+  describe "#values_from_json" do
+    it "should raise error when invalid JSON provided" do
+      expect { values_from_json(malformed_json) }.to raise_error(JSON::ParserError)
+    end
+
+    it "should not raise error when valid JSON provided" do
+      expect { values_from_json(valid_json) }.to_not raise_error
+    end
+
+    it "should not raise error if JSON contains tab, newline, or space characters" do
+      ["abc\tabc", "abc\nabc", "abc abc"].each do |pass|
+        json_data_with_slash = json_base.merge("password": pass)
+        expect { values_from_json(json_data_with_slash.to_json) }.to_not raise_error
+      end
+    end
+
+    it "should not warn or error when JSON contains special character sequences" do
+      expect(ChefVault::Log).to_not receive(:warn)
+      expect { values_from_json(valid_json_with_special_character.to_json) }.to_not raise_error
+    end
+  end
+end

data/spec/chef-vault/actor_spec.rb

@@ -0,0 +1,247 @@
+require "spec_helper"
+
+RSpec.describe ChefVault::Actor do
+  let(:actor_name) { "actor" }
+  let(:public_key_string) do
+    "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n"
+  end
+
+  let(:key_response) do
+    {
+      "name" => "default",
+      "public_key" => "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n",
+      "expiration_date" => "infinity",
+    }
+  end
+
+  let(:http_response_code) do
+    "404"
+  end
+
+  let(:http_error) do
+    http_response = double("http error")
+    allow(http_response).to receive(:code).and_return(http_response_code)
+    Net::HTTPClientException.new("http error message", http_response)
+  end
+
+  let(:api) { double("api") }
+
+  subject(:chef_key) { described_class.new(actor_type, actor_name) }
+
+  describe "#new" do
+    context "when something besides 'clients' or 'users' is passed" do
+      let(:actor_type) { "charmander" }
+      it "throws an error" do
+        expect { described_class.new("charmander", actor_name) }.to raise_error(RuntimeError)
+      end
+    end
+
+    context "when 'clients' is passed" do
+      it "requests a client key" do
+        expect_any_instance_of(described_class).to receive(:get_client_key)
+        described_class.new("clients", actor_name).key
+      end
+    end
+
+    context "when 'admins' is passed" do
+      it "requests a admin key" do
+        expect_any_instance_of(described_class).to receive(:get_admin_key)
+        described_class.new("admins", actor_name).key
+      end
+    end
+  end
+
+  shared_examples_for "get_key_handling" do
+    context "when the default key exists for the requested client" do
+      it "sets up a valid key" do
+        expect(chef_key).to receive(:get_key).with(request_actor_type).and_return(public_key_string)
+        expect(chef_key.send(method)).to eq(public_key_string)
+      end
+    end
+
+    context "when get_key returns an http error" do
+      before do
+        allow(chef_key).to receive(:get_key).with(request_actor_type).and_raise(http_error)
+      end
+
+      context "when the error code is not 404 or 403" do
+        let(:http_response_code) { "500" }
+
+        it "raises the original error" do
+          expect { chef_key.send(method) }.to raise_error(http_error)
+        end
+      end
+
+      context "when the error code is 403" do
+        let(:http_response_code) { "403" }
+
+        it "prints information for the user to resolve the issue and raises the original error" do
+          expect(chef_key).to receive(:print_forbidden_error)
+          expect { chef_key.send(method) }.to raise_error(http_error)
+        end
+      end
+    end
+  end
+
+  describe "#get_client_key" do
+    let(:request_actor_type) { "clients" }
+    let(:actor_type) { "clients" }
+    let(:method) { :get_client_key }
+
+    it_should_behave_like "get_key_handling"
+
+    context "when get_key returns an http error" do
+      before do
+        allow(chef_key).to receive(:get_key).with(actor_type).and_raise(http_error)
+      end
+
+      context "when the error code is 404" do
+        let(:http_response_code) { "404" }
+
+        it "raises ChefVault::Exceptions::ClientNotFound" do
+          expect { chef_key.get_client_key }.to raise_error(ChefVault::Exceptions::ClientNotFound)
+        end
+      end
+    end
+  end # get_client_key
+
+  describe "#get_admin_key" do
+    let(:request_actor_type) { "users" }
+    let(:actor_type) { "admins" }
+    let(:method) { :get_admin_key }
+
+    it_should_behave_like "get_key_handling"
+
+    context "when the first get_key for users returns an http error" do
+      before do
+        allow(chef_key).to receive(:get_key).with(request_actor_type).and_raise(http_error)
+      end
+
+      context "when the error code from the users get is a 404" do
+        let(:http_response_code) { "404" }
+
+        context "when the second get_key for clients returns an http error" do
+
+          let(:http_error_2) do
+            http_response = double("http error")
+            allow(http_response).to receive(:code).and_return(http_response_code_2)
+            Net::HTTPClientException.new("http error message", http_response)
+          end
+
+          before do
+            allow(chef_key).to receive(:get_key).with("clients").and_raise(http_error_2)
+          end
+
+          context "when it is a 404" do
+            let(:http_response_code_2) { "404" }
+
+            it "rasies ChefVault::Exceptions::AdminNotFound" do
+              expect { chef_key.get_admin_key }.to raise_error(ChefVault::Exceptions::AdminNotFound)
+            end
+          end
+
+          context "when it is a 403" do
+            let(:http_response_code_2) { "403" }
+
+            it "raises the original error" do
+              expect { chef_key.get_admin_key }.to raise_error(http_error_2)
+            end
+          end
+
+          context "when it is not a 404" do
+            let(:http_response_code_2) { "500" }
+
+            it "raises the original error" do
+              expect { chef_key.get_admin_key }.to raise_error(http_error_2)
+            end
+          end
+        end # when the second get_key for clients returns an http error
+
+        context "when the second get_key for clients exists with the same name as the admin requested" do
+          it "strangely returns the client key as an admin key" do
+            expect(chef_key).to receive(:get_key).with(request_actor_type).and_return(public_key_string)
+            expect(chef_key.send(method)).to eq(public_key_string)
+          end
+        end
+      end # when the first get_key for users returns an http erro
+    end
+  end # get_admin_key
+
+  describe "#get_key" do
+
+    shared_examples_for "a properly retrieved and error handled key fetch" do
+      # mock out the API
+      before do
+        allow(chef_key).to receive(:api).and_return(api)
+        %i{rest_v0 rest_v1 org_scoped_rest_v0 org_scoped_rest_v1}.each do |method|
+          allow(api).to receive(method)
+        end
+      end
+
+      context "when keys/default returns 200 for org scoped endpoint" do
+        before do
+          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_return(key_response)
+        end
+
+        it "returns the public_key" do
+          expect(chef_key.get_key(request_actor_type)).to eql(public_key_string)
+        end
+
+        it "hits the proper endpoint" do
+          expect(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default")
+          chef_key.get_key(request_actor_type)
+        end
+      end
+
+      context "when a 500 is returned" do
+        let(:http_response_code) { "500" }
+        before do
+          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_raise(http_error)
+        end
+
+        it "raises the http error" do
+          expect { chef_key.get_key(request_actor_type) }.to raise_error(http_error)
+        end
+      end
+
+      context "when keys/default returns 404" do
+        let(:http_response_code) { "404" }
+        let(:chef_object) { double("chef object") }
+
+        before do
+          allow(api.org_scoped_rest_v1).to receive(:get).with("#{request_actor_type}/#{actor_name}/keys/default").and_raise(http_error)
+          allow(chef_object_type).to receive(:load).with(actor_name).and_return(chef_object)
+          allow(chef_object).to receive(:public_key).and_return(public_key_string)
+        end
+
+        it "tries to load the object via Chef::<object>_v1" do
+          expect(chef_object_type).to receive(:load).with(actor_name)
+          chef_key.get_key(request_actor_type)
+        end
+
+        context "when the Chef::<object>_v1 object loads properly" do
+          it "returns the public key" do
+            expect(chef_key.get_key(request_actor_type)).to eql(public_key_string)
+          end
+        end
+      end
+    end # shared_examples_for
+
+    context "when a client is passed" do
+      let(:request_actor_type) { "clients" }
+      let(:actor_type) { "clients" }
+      let(:chef_object_type) { Chef::ApiClient }
+
+      it_behaves_like "a properly retrieved and error handled key fetch"
+    end
+
+    context "when an admin is passed" do
+      let(:request_actor_type) { "users" }
+      let(:actor_type) { "admins" }
+      let(:chef_object_type) { Chef::User }
+
+      it_behaves_like "a properly retrieved and error handled key fetch"
+    end
+
+  end
+end

data/spec/chef-vault/certificate_spec.rb

@@ -0,0 +1,37 @@
+RSpec.describe ChefVault::Certificate do
+  let(:item) { double(ChefVault::Item) }
+  let(:cert) { ChefVault::Certificate.new("foo", "bar") }
+
+  before do
+    allow(ChefVault::Item).to receive(:load).with("foo", "bar") { item }
+    allow(item).to receive(:[]).with("id") { "bar" }
+    allow(item).to receive(:[]).with("contents") { "baz" }
+  end
+
+  describe "#new" do
+    it "loads item" do
+      expect(ChefVault::Item).to receive(:load).with("foo", "bar")
+
+      ChefVault::Certificate.new("foo", "bar")
+    end
+  end
+
+  describe "#[]" do
+    it "given an 'id' parameter, returns its value" do
+      expect(cert["id"]).to eq "bar"
+    end
+  end
+
+  describe "decrypt_contents" do
+    it "echoes warning" do
+      expect(ChefVault::Log).to receive(:warn).with("This method is deprecated, please switch to item['value'] calls")
+      cert.decrypt_contents
+    end
+
+    it "returns items contents" do
+      expect(item).to receive(:[]).with("contents")
+
+      expect(cert.decrypt_contents).to eq "baz"
+    end
+  end
+end

data/spec/chef-vault/chef_api_spec.rb

@@ -0,0 +1,39 @@
+RSpec.describe ChefVault::ChefApi do
+  let(:root_url) { "https://localhost" }
+  let(:scoped_url) { "https://localhost/organizations/fakeorg" }
+  let(:api_v0_hash) { { api_version: "0" } }
+  let(:api_v1_hash) { { api_version: "1" } }
+
+  before do
+    Chef::Config[:chef_server_root] = root_url
+    Chef::Config[:chef_server_url]  = scoped_url
+  end
+
+  describe "#rest_v0" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(root_url, api_v0_hash)
+      subject.rest_v0
+    end
+  end
+
+  describe "#rest_v1" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(root_url, api_v1_hash)
+      subject.rest_v1
+    end
+  end
+
+  describe "#org_scoped_rest_v0" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(scoped_url, api_v0_hash)
+      subject.org_scoped_rest_v0
+    end
+  end
+
+  describe "#org_scoped_rest_v1" do
+    it "returns an instance of Chef::ServerAPI set to use API version 0 scoped to root" do
+      expect(Chef::ServerAPI).to receive(:new).with(scoped_url, api_v1_hash)
+      subject.org_scoped_rest_v1
+    end
+  end
+end