knife-annex 0.0.1

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    NjYxZjc4ZjhhNzViZGZhZTA1YTc1MWZlNTFjMWU4ZDg4YjkyNTU2Nw==
+  data.tar.gz: !binary |-
+    MWI2YjEyOTkwMGRjYTUzNWZiMDdjNzQ5OWExMWUzNzg3YmM3ZDk1Ng==
+!binary "U0hBNTEy":
+  metadata.gz: !binary |-
+    ZmE2OTNkZTY3MzY5ZTg0NGQ0NWY2YjE1ZmNiYmJjOGQ0NTllY2U5MzE0OTMx
+    ODJiYTZlZmIxOTlkY2MyZmZkMzQyYWRkMjUzZTY5MjM5NzNhOWEyZDg1MDQ3
+    NzUyN2ZiMDFiMGYxZDIyNzFjOTE4NThjOWFhM2NlNjM1OWNkODc=
+  data.tar.gz: !binary |-
+    M2M2NTQ3YzFiMmI0Njk5MTY0NjRiNTNlM2Q2YzhmZDI1ZGYwMGY4NGQ1MGVi
+    MjM4YzYyNDJhODFhYjk3ZTM3NzNmNDE5ZTcyNGYyNDgzZWNjNDc4NWQ0NTI3
+    MGIxNjA1OWEwNDAxY2NjY2VjZmQ0ZTFiYzI1NzA4NWRiYjhmMjQ=

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+*~
+.*.swp
+.DS_Store
+/.bundle
+/.config
+/.yardoc
+/Gemfile.lock
+/InstalledFiles
+/coverage
+/doc/public
+/lib/bundler/man
+/pkg
+/spec/reports
+/tmp
+/vendor/cache

data/CHANGELOG.md

@@ -0,0 +1,6 @@
+# Changes
+
+## 0.0.1
+
+ * Initial release
+ * Created on Saturday, 2013-09-28

data/CONTRIBUTING.md

@@ -0,0 +1,8 @@
+# Contributing
+
+1. Fork the repository on GitHub
+2. Create your feature branch (`git checkout -b feature/awesomeness`)
+3. Create your changes, document them.
+4. Commit your changes (`git commit -am 'Add more awesomeness'`)
+5. Push to the branch (`git push -u origin feature/awesomeness`)
+6. Create new Pull Request on GitHub

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# Helpers used with development, but not needed in runtime, build
+# time, or for tests.
+group :developer_workstation do
+  gem 'awesome_print'
+  gem 'pry'
+  gem 'pry-debugger'
+  gem 'pry-rescue'
+  gem 'pry-stack_explorer'
+end

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (C) 2013 Maciej Pasternacki <maciej@3ofcoins.net>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,59 @@
+# Knife Annex
+
+Knife plugin that implements git-annex hook backend for chef-vault.
+
+ - [git-annex](http://git-annex.branchable.com/)
+ - [git-annex hook](http://git-annex.branchable.com/special_remotes/hook/)
+ - [chef-vault](https://github.com/Nordstrom/chef-vault/)
+
+
+This plugin uses a data bag named `annex` to store
+items encrypted by chef-vault for admin chef users (except the
+`admin` user created by default) available as git-annex files.
+
+This allows keeping shared secret files (such as access keys - think
+Amazon Web Services - or passwords) out of Git repository, store them
+securely encrypted, and still keep convenient git-based access.
+
+## Installation
+
+Add this line to your chef repo's Gemfile:
+
+    gem 'knife-annex'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install knife-annex
+
+## Usage
+
+Configure the hook type for git-annex:
+
+    $ git config annex.chef-vault-hook 'knife annex'
+
+If you use Bundler with your chef repo, you may need this form:
+
+    $ git config annex.chef-vault-hook 'bundle exec knife annex'
+
+Then, initialise the special remote:
+
+    $ git annex initremote chef-server type=hook hooktype=chef-vault encryption=none
+
+If you're extra paranoid, you can have double encryption by specifying
+`encryption=shared` in the special remote's options.
+
+After that, you can use `chef-server` remote normally with
+git-annex.
+
+When your admin user list changes, you can rekey the data by
+running:
+
+    $ knife annex --rotate-keys
+
+## Contributing
+
+See the [CONTRIBUTING.md](CONTRIBUTING.md) file

data/Thorfile

@@ -0,0 +1,32 @@
+$:.push File.expand_path('../lib', __FILE__)
+require 'rubygems'
+
+require 'bundler/setup'
+
+require 'rake/testtask'
+require 'thor/rake_compat'
+
+class Default < Thor
+  class Gem < Thor
+    namespace :gem
+
+    include Thor::RakeCompat
+    Bundler::GemHelper.install_tasks
+
+    desc "build", "Build knife-annex-#{KnifeAnnex::VERSION}.gem into the pkg directory"
+    def build
+      Rake::Task["build"].execute
+    end
+
+    desc "release", "Create tag v#{KnifeAnnex::VERSION} and build and push knife-annex-#{KnifeAnnex::VERSION}.gem to Rubygems"
+    def release
+      Rake::Task["release"].execute
+    end
+
+    desc "install", "Build and install knife-annex-#{KnifeAnnex::VERSION}.gem into system gems"
+    def install
+      Rake::Task["install"].execute
+    end
+  end
+end
+

data/knife-annex.gemspec

@@ -0,0 +1,24 @@
+# -*- mode: ruby; coding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'knife-annex/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "knife-annex"
+  spec.version       = KnifeAnnex::VERSION
+  spec.authors       = ["Maciej Pasternacki"]
+  spec.email         = ["maciej@3ofcoins.net"]
+  spec.description   = 'Knife plugin implementing a git-annex backend in chef-vault'
+  spec.summary       = 'Knife plugin implementing a git-annex backend in chef-vault'
+  spec.homepage      = "https://github.com/3ofcoins/knife-annex/"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'chef-vault', '>= 2.0.0'
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "thor", "~> 0.18.1"
+end

data/lib/chef/knife/annex.rb

@@ -0,0 +1,80 @@
+require 'chef/knife'
+
+class Chef
+  class Knife
+    class Annex < Knife
+      DATA_BAG = 'annex'
+      IGNORE_USERS = ['admin']
+
+      deps do
+        require 'chef/user'
+        require 'chef-vault'
+      end
+
+      banner "knife annex (options)"
+
+      option :rotate_keys,
+             :long => '--rotate-keys',
+             :description => 'Update admin keys on items'
+
+      def admins
+        @admins ||= Chef::User.list.
+          keys.
+          select { |u| !IGNORE_USERS.include?(u) && Chef::User.load(u).admin }
+      end
+
+      def annex_key
+        ENV['ANNEX_KEY'].gsub(/[^[:alnum:]_\-]+/, '_')
+      end
+
+      def annex_file
+        ENV['ANNEX_FILE']
+      end
+
+      def run
+        case ENV['ANNEX_ACTION']
+        when 'store'
+          begin
+            item = ChefVault::Item.load(DATA_BAG, annex_key)
+          rescue ChefVault::Exceptions::KeysNotFound,
+                 ChefVault::Exceptions::ItemNotFound
+            item = ChefVault::Item.new(DATA_BAG, annex_key)
+          end
+          item['data'] = File.read(annex_file)
+          item.admins(admins.join(','))
+          item.save
+        when 'retrieve'
+          item = ChefVault::Item.load(DATA_BAG, annex_key)
+          if annex_file
+            File.write(annex_file, item['data'])
+          else
+            puts item['data']
+          end
+        when 'remove'
+          delete_object(ChefVault::Item, "#{vault}/#{item}", "chef_vault_item") do
+            ChefVault::Item.load(DATA_BAG, annex_key).destroy
+          end
+        when 'checkpresent'
+          begin
+            ChefVault::Item.load(DATA_BAG, annex_key)
+          rescue ChefVault::Exceptions::KeysNotFound,
+                 ChefVault::Exceptions::ItemNotFound
+            # not found, we do nothing
+          else
+            # found
+            puts annex_key
+          end
+        else
+          items = ( @name_args.empty? ?
+            Chef::DataBag.load(DATA_BAG).keys.reject { |k| k =~ /_keys$/ } :
+            @name_args )
+          if config[:rotate_keys]
+            p rotate: items
+          else
+            puts "Use this command as git-annex hook"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/knife-annex.rb

@@ -0,0 +1,2 @@
+require "knife-annex/version"
+

data/lib/knife-annex/version.rb

@@ -0,0 +1,3 @@
+module KnifeAnnex
+  VERSION = "0.0.1"
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: knife-annex
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Maciej Pasternacki
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-09-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: chef-vault
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.18.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.18.1
+description: Knife plugin implementing a git-annex backend in chef-vault
+email:
+- maciej@3ofcoins.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- CHANGELOG.md
+- CONTRIBUTING.md
+- Gemfile
+- LICENSE
+- README.md
+- Thorfile
+- knife-annex.gemspec
+- lib/chef/knife/annex.rb
+- lib/knife-annex.rb
+- lib/knife-annex/version.rb
+homepage: https://github.com/3ofcoins/knife-annex/
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.5
+signing_key: 
+specification_version: 4
+summary: Knife plugin implementing a git-annex backend in chef-vault
+test_files: []