veil 0.3.0 → 0.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6101318787572fead55a5c0c06c46227f840114d
-  data.tar.gz: af7f78cc9004e614ba49757eda9cba8996646f8d
+SHA256:
+  metadata.gz: 3af8aaa1c4ac8737e148057359becae4bc29fcd2e4ba93a5e783f3ea840097e0
+  data.tar.gz: e9de20099a2d0a0288bdbd75f831471d83473ea284dd662b2fc9393bce370432
 SHA512:
-  metadata.gz: 5f50e2f7e67dce633ec09ca5918e37949ed0e073499ac0878050ad40ed598f5a455ed01e635d8fb0bb13238e785b5204ec1ae4d9770bb73bd5067baf8c19c68c
-  data.tar.gz: 241a21af2f050f4c193b6389a9f69673b1f913f24755cb54f7750ad83366cf363dc301278057faf9ed181489ffaa4c698a65684e197f8a1bcd9964470361c9a5
+  metadata.gz: 4c9f9d837b56c7c1bd19283a8442761ef66ce108a09427ac9a42162c21a44465f26fddeb50480c2c44c9dd7d15890d77574116af854f99ea001d870615e2b013
+  data.tar.gz: cce7ba9c026d5ccce2cdaff51974919a7d8d85d8e97fa97e8f6f8a28c2ce2097798250728e1f94b71506711ce5aeb54cafdcdaf5ceefbd064d28bdcb3e7fc806

data/bin/veil-env-helper

@@ -1,10 +1,16 @@
 #!/usr/bin/env ruby
 
 require 'veil'
+require 'json'
 require 'optparse'
 
 options = {
-  secrets_file: "/etc/opscode/private-chef-secrets.json"
+  secrets_file: "/etc/opscode/private-chef-secrets.json",
+  pack: false,
+  use_file: false,
+  debug: false,
+  secrets: [],
+  optional_secrets: []
 }
 
 OptionParser.new do |opts|
@@ -14,8 +20,20 @@ OptionParser.new do |opts|
     options[:debug] = d
   end
 
-  opts.on("-s SECRETS_SPEC", "--secrets SECRETS_SPEC", "A comma seperated list of secrets to put in the environment") do |spec|
-    options[:secrets] = spec.split(",")
+  opts.on("--pack", "Pass secrets in a single CHEF_SECRETS_DATA environment variable") do |p|
+    options[:pack] = p
+  end
+
+  opts.on("--use-file", "Pass secrets via a unlinked file available at the FD specified in CHEF_SECRETS_FD") do |fd|
+    options[:use_file] = fd
+  end
+
+  opts.on("-s SECRET_SPEC", "--secret SECRET_SPEC", "Secret to put in the environment") do |spec|
+    options[:secrets] << spec
+  end
+
+  opts.on("-o SECRET_SPEC", "--optional-secret SECRET_SPEC", "Optional secrets to put in the environment (if it exists)") do |spec|
+    options[:optional_secrets] << spec
   end
 
   opts.on("-f SECRETS_FILE", "--secrets-file SECRETS_FILE", "Location of veil-managed secrets file. Default: /etc/opscode/private-chef-secrets.json") do |file|
@@ -23,25 +41,64 @@ OptionParser.new do |opts|
   end
 end.parse!
 
-def env_name_from_secret_spec(secret)
+def from_secret_spec(secret, start = {})
   parts = secret.split("=")
-  case parts.length
-  when 1
-    ["CHEF_SECRET_#{parts[0].upcase}", parts[0]]
-  when 2
-    [parts[0].upcase, parts[1]]
+  env_name, secret_name = case parts.length
+                          when 1
+                              ["CHEF_SECRET_#{parts[0].upcase}", parts[0]]
+                          when 2
+                              [parts[0].upcase, parts[1]]
+                          else
+                              raise "Bad secret spec: #{secret}"
+                          end
+
+  start.merge({ args: secret_name.split("."),
+                env_name: env_name,
+                name: secret_name })
+end
+
+veil = Veil::CredentialCollection::ChefSecretsFile.from_file(options[:secrets_file])
+packed_data = Hash.new()
+
+secrets = options[:secrets].map { |spec| from_secret_spec(spec) }
+secrets += options[:optional_secrets].map { |spec| from_secret_spec(spec, { optional: true }) }
+
+secrets.each do |secret|
+  veil_args = secret[:args]
+
+  begin
+    secret_value = veil.get(*veil_args)
+  rescue
+    raise unless secret[:optional]
+    next
+  end
+
+  if options[:pack] || options[:use_file]
+    STDERR.puts "Packing data using #{veil_args.inspect} and #{secret_value}" if options[:debug]
+    if veil_args.length == 2
+      packed_data[veil_args[0]] ||= {}
+      packed_data[veil_args[0]][veil_args[1]] = secret_value
+    elsif veil_args.length == 1
+      packed_data[veil_args[0]] = secret_value
+    elsif !secret[:optional]
+      raise "Invalid secrets name: #{secret[:name]}"
+    end
   else
-    raise "Bad secret spec: #{secret}"
+    STDERR.puts "Setting #{secret[:env_name]}=#{secret_value}" if options[:debug]
+    ENV[secret[:env_name]] = secret_value
   end
 end
 
-veil = Veil::CredentialCollection::ChefSecretsFile.from_file(options[:secrets_file])
-Array(options[:secrets]).each do |secret|
-  env_name, secret_name = env_name_from_secret_spec(secret)
-  veil_args = secret_name.split(".")
-  secret_value = veil.get(*veil_args)
-  STDERR.puts "Setting #{env_name}=#{secret_value}" if options[:debug]
-  ENV[env_name] = secret_value
+if options[:pack] && !options[:use_file]
+  ENV['CHEF_SECRETS_DATA'] = packed_data.to_json
+end
+
+if options[:use_file]
+  rd, wd = IO.pipe
+  wd.puts packed_data.to_json
+  wd.close
+  rd.close_on_exec = false
+  ENV['CHEF_SECRETS_FD'] = rd.to_i.to_s
 end
 
-exec(*ARGV)
+exec(*ARGV, close_others: false)

data/lib/veil/credential_collection.rb

@@ -1,5 +1,7 @@
 require "veil/credential_collection/base"
+require "veil/credential_collection/chef_secrets_fd"
 require "veil/credential_collection/chef_secrets_file"
+require "veil/credential_collection/chef_secrets_env"
 
 module Veil
   class CredentialCollection
@@ -8,6 +10,10 @@ module Veil
       klass = case opts[:provider]
               when 'chef-secrets-file'
                 ChefSecretsFile
+              when 'chef-secrets-env'
+                ChefSecretsEnv
+              when 'chef-secrets-fd'
+                ChefSecretsFd
               else
                 raise UnknownProvider, "Unknown provider: #{opts[:provider]}"
               end

data/lib/veil/credential_collection/base.rb

@@ -176,6 +176,39 @@ module Veil
         end
       end
 
+      def credentials_as_hash
+        hash = Hash.new
+
+        credentials.each do |cred_or_group_name, cred_or_group_attrs|
+          if cred_or_group_attrs.is_a?(Hash)
+            cred_or_group_attrs.each do |name, cred|
+              hash[cred_or_group_name] ||= Hash.new
+              hash[cred_or_group_name][name] = cred.to_hash
+            end
+          else
+            hash[cred_or_group_name] = cred_or_group_attrs.to_hash
+          end
+        end
+
+        hash
+      end
+
+      def credentials_for_export
+        hash = Hash.new
+
+        credentials.each do |namespace, cred_or_creds|
+          if cred_or_creds.is_a?(Veil::Credential)
+            hash[namespace] = cred_or_creds.value
+          else
+            hash[namespace] = {}
+            cred_or_creds.each { |name, cred| hash[namespace][name] = cred.value }
+          end
+        end
+
+        hash
+      end
+      alias_method :legacy_credentials_hash, :credentials_for_export
+
       private
 
       def add_from_params(params)
@@ -222,21 +255,17 @@ module Veil
         expanded
       end
 
-      def credentials_as_hash
-        hash = Hash.new
-
-        credentials.each do |cred_or_group_name, cred_or_group_attrs|
-          if cred_or_group_attrs.is_a?(Hash)
-            cred_or_group_attrs.each do |name, cred|
-              hash[cred_or_group_name] ||= Hash.new
-              hash[cred_or_group_name][name] = cred.to_hash
-            end
-          else
-            hash[cred_or_group_name] = cred_or_group_attrs.to_hash
+      def import_credentials_hash(hash)
+        hash.each do |namespace, creds_hash|
+          credentials[namespace.to_s] ||= Hash.new
+          creds_hash.each do |cred, value|
+            credentials[namespace.to_s][cred.to_s] = Veil::Credential.new(
+              name: cred.to_s,
+              value: value,
+              length: value.length
+            )
           end
         end
-
-        hash
       end
     end
   end

data/lib/veil/credential_collection/chef_secrets_env.rb

@@ -0,0 +1,43 @@
+require "veil/credential_collection/base"
+require "json"
+
+module Veil
+  class CredentialCollection
+    class ChefSecretsEnv < Base
+
+      # Create a new ChefSecretsEnv
+      #
+      # @param [Hash] opts
+      #   a hash of options to pass to the constructor
+      def initialize(opts = {})
+        var_name = opts[:var_name] || 'CHEF_SECRETS_DATA'
+
+        @credentials = {}
+        import_credentials_hash(inflate_secrets_from_environment(var_name))
+      end
+
+      # Unsupported methods
+      def rotate
+        raise NotImplementedError
+      end
+      alias_method :rotate_credentials, :rotate
+      alias_method :save, :rotate
+
+      def inflate_secrets_from_environment(var_name)
+        value = ENV[var_name]
+        unless value
+          msg = "Env var #{var_name} has not been set. This should by done by "\
+            "launching this application via veil-env-wrapper."
+          raise InvalidCredentialCollectionEnv.new(msg)
+        end
+
+        begin
+          JSON.parse(value)
+        rescue JSON::ParserError => e
+          msg = "Env var #{var_name} could not be parsed: #{e.message}"
+          raise InvalidCredentialCollectionEnv.new(msg)
+        end
+      end
+    end
+  end
+end

data/lib/veil/credential_collection/chef_secrets_fd.rb

@@ -0,0 +1,57 @@
+require "veil/exceptions"
+require "veil/credential_collection/base"
+require "json"
+
+module Veil
+  class CredentialCollection
+    class ChefSecretsFd < Base
+
+      # Create a new ChefSecretsFd
+      #
+      # @param [Hash] opts
+      #   ignored
+      def initialize(opts = {})
+        @credentials = {}
+        import_credentials_hash(inflate_secrets_from_fd)
+      end
+
+      # Unsupported methods
+      def rotate
+        raise NotImplementedError
+      end
+      alias_method :rotate_credentials, :rotate
+      alias_method :save, :rotate
+
+      def inflate_secrets_from_fd
+        if ENV['CHEF_SECRETS_FD'].nil?
+          raise InvalidCredentialCollectionFd.new("CHEF_SECRETS_FD not found in environment")
+        end
+
+        fd = ENV['CHEF_SECRETS_FD'].to_i
+        value = nil
+
+        begin
+          file = IO.new(fd, "r")
+          value = file.gets
+        rescue StandardError => e
+          msg = "A problem occured trying to read passed file descriptor: #{e}"
+          raise InvalidCredentialCollectionFd.new(msg)
+        ensure
+          file.close if file
+        end
+
+        if !value
+          msg = "File at CHEF_SECRETS_FD (#{fd}) did not contain any data!"
+          raise InvalidCredentialCollectionFd.new(msg)
+        end
+
+        begin
+          JSON.parse(value)
+        rescue JSON::ParserError => e
+          msg = "Chef secrets data could not be parsed: #{e.message}"
+          raise InvalidCredentialCollectionFd.new(msg)
+        end
+      end
+    end
+  end
+end

data/lib/veil/credential_collection/chef_secrets_file.rb

@@ -48,7 +48,7 @@ module Veil
         opts[:version] = CURRENT_VERSION
         super(opts)
 
-        import_legacy_credentials(hash) if import_existing && legacy
+        import_credentials_hash(hash) if import_existing && legacy
       end
 
       # Set the secrets file path
@@ -64,6 +64,12 @@ module Veil
         FileUtils.mkdir_p(File.dirname(path))
 
         f = Tempfile.new("veil") # defaults to mode 0600
+
+        if existing
+          @user  ||= existing.uid
+          @group ||= existing.gid
+        end
+
         FileUtils.chown(user, group, f.path) if user
         f.puts(JSON.pretty_generate(secrets_hash))
         f.flush
@@ -78,33 +84,10 @@ module Veil
         { "veil" => to_h }
       end
 
-      def credentials_for_export
-        hash = Hash.new
-
-        credentials.each do |namespace, cred_or_creds|
-          if cred_or_creds.is_a?(Veil::Credential)
-            hash[namespace] = cred_or_creds.value
-          else
-            hash[namespace] = {}
-            cred_or_creds.each { |name, cred| hash[namespace][name] = cred.value }
-          end
-        end
-
-        hash
-      end
-      alias_method :legacy_credentials_hash, :credentials_for_export
-
-      def import_legacy_credentials(hash)
-        hash.each do |namespace, creds_hash|
-          credentials[namespace.to_s] ||= Hash.new
-          creds_hash.each do |cred, value|
-            credentials[namespace.to_s][cred.to_s] = Veil::Credential.new(
-              name: cred.to_s,
-              value: value,
-              length: value.length
-            )
-          end
-        end
+      def existing
+        @existing ||= File.stat(path)
+      rescue Errno::ENOENT
+        nil
       end
     end
   end

data/lib/veil/exceptions.rb

@@ -3,7 +3,10 @@ module Veil
   class InvalidSecret < StandardError; end
   class InvalidParameter < StandardError; end
   class InvalidHasher < StandardError; end
-  class InvalidCredentialCollectionFile < StandardError; end
+  class InvalidCredentialCollection < StandardError; end
+  class InvalidCredentialCollectionFile < InvalidCredentialCollection; end
+  class InvalidCredentialCollectionEnv <  InvalidCredentialCollection; end
+  class InvalidCredentialCollectionFd <  InvalidCredentialCollection; end
   class MissingParameter < StandardError; end
   class NotImplmented < StandardError; end
   class InvalidCredentialHash < StandardError; end

data/lib/veil/version.rb

@@ -1,3 +1,3 @@
 module Veil
-  VERSION = "0.3.0"
+  VERSION = "0.3.2"
 end

data/spec/cipher/v2_spec.rb

@@ -2,17 +2,17 @@ require "spec_helper"
 require "openssl"
 
 describe Veil::Cipher::V2 do
-  let(:iv64) { Base64.strict_encode64("mondaytuesdaywednesday") }
-  let(:key64) { Base64.strict_encode64("thursdayfridaysaturdaysundaymonday") }
-  let(:ciphertext64) { "yhHR8ZVUfzRv+4dvcUFlitdmCS3ybi2dGLofzEF1Ibw=" }
+  let(:iv64) { Base64.strict_encode64("mondaytue16bytes") }
+  let(:key64) { Base64.strict_encode64("thursdayfridaysaturdaysun32bytes") }
+  let(:ciphertext64) { "qS6SRmgOgSta2jSdD60sJmu83cRgy4DUJ2nKZwStrqs=" }
   let(:plainhash) { { "chef-server": "test-value" } }
 
   describe "#new" do
     it "accepts passed key and iv base64-encoded data" do
       cipher = described_class.new(iv: iv64, key: key64)
 
-      expect(cipher.iv).to eq("mondaytuesdaywednesday")
-      expect(cipher.key).to eq("thursdayfridaysaturdaysundaymonday")
+      expect(cipher.iv).to eq("mondaytue16bytes")
+      expect(cipher.key).to eq("thursdayfridaysaturdaysun32bytes")
     end
 
     it "generates key and iv data if none was passed" do
@@ -36,8 +36,8 @@ describe Veil::Cipher::V2 do
   describe "#to_hash" do
     it "base64-encodes iv and key" do
       expected = {
-        iv: "bW9uZGF5dHVlc2RheXdlZG5lc2RheQ==",
-        key: "dGh1cnNkYXlmcmlkYXlzYXR1cmRheXN1bmRheW1vbmRheQ==",
+        iv: "bW9uZGF5dHVlMTZieXRlcw==",
+        key: "dGh1cnNkYXlmcmlkYXlzYXR1cmRheXN1bjMyYnl0ZXM=",
         type: "Veil::Cipher::V2"
       }
       expect(described_class.new(iv: iv64, key: key64).to_hash).to eq(expected)

data/spec/credential_collection/chef_secrets_env_spec.rb

@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe Veil::CredentialCollection::ChefSecretsEnv do
+  describe "#new" do
+    context "env variable is set" do
+      let(:var_name) { "CHEF_SECRETS_DATA" }
+
+      before(:each) do
+        ENV[var_name] = '{ "secret_service": { "secret_name": "secret_value" } }'
+      end
+
+      it 'reads the secret from the env var CHEF_SECRETS_DATA' do
+        expect(subject.get("secret_service", "secret_name")).to eq("secret_value")
+      end
+
+      context "env variable name is passed" do
+        let(:var_name) { "CHEF_SECRETS_DATA_2" }
+        let(:subject) { described_class.new(var_name: var_name) }
+
+        it 'reads the secret from the passed env var name' do
+          expect(subject.get("secret_service", "secret_name")).to eq("secret_value")
+        end
+      end
+
+      context "env var content cannot be parsed" do
+        before(:each) do
+          ENV[var_name] = '{ "secre '
+        end
+
+        it "re-raises the JSON parse error" do
+          expect{ subject.get("secret_service", "secret_name") }.to raise_error(Veil::InvalidCredentialCollectionEnv)
+        end
+      end
+    end
+
+    context "env variable is not set" do
+      let(:var_name) { "CHEF_SECRETS_DATA" }
+
+      before(:each) do
+        ENV.delete(var_name)
+      end
+
+      it 'raises an exception' do
+        expect{ described_class.new }.to raise_error(Veil::InvalidCredentialCollectionEnv)
+      end
+    end
+
+    context "unsupported methods" do
+      let(:var_name) { "CHEF_SECRETS_DATA" }
+
+      before(:each) do
+        ENV[var_name] = '{}'
+      end
+
+      it 'does not support #rotate' do
+        expect{ subject.rotate }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #save' do
+        expect{ subject.save }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #rotate_hasher' do
+        expect{ subject.rotate_hasher }.to raise_error(NotImplementedError)
+      end
+    end
+  end
+end

data/spec/credential_collection/chef_secrets_fd_spec.rb

@@ -0,0 +1,64 @@
+require 'spec_helper'
+
+describe Veil::CredentialCollection::ChefSecretsFd do
+  describe "#new" do
+    let(:content) { '{ "secret_service": { "secret_name": "secret_value" } }' }
+    let(:content_file) {
+      rd, wr = IO.pipe
+      wr.puts content
+      wr.close
+      rd
+    }
+
+    context "env variable is set" do
+      before(:each) do
+        ENV['CHEF_SECRETS_FD'] = content_file.to_i.to_s
+      end
+
+      it 'reads the secret from the passed file descriptor' do
+        expect(subject.get("secret_service", "secret_name")).to eq("secret_value")
+      end
+
+      # TODO(ssd) 2017-03-22: We wanted a test for closing the FD, but
+      # didn't want to fight with ruby today.
+
+      context "env var content cannot be parsed" do
+        let(:content) { '{ "secre ' }
+
+        it "re-raises the JSON parse error" do
+          expect{ subject.get("secret_service", "secret_name") }.to raise_error(Veil::InvalidCredentialCollectionFd)
+        end
+      end
+    end
+
+    context "CHEF_SECRETS_FD is not set" do
+      before(:each) do
+        ENV.delete('CHEF_SECRETS_FD')
+      end
+
+      it 'raises an exception' do
+        expect{ described_class.new }.to raise_error(Veil::InvalidCredentialCollectionFd)
+      end
+    end
+
+    context "unsupported methods" do
+      let(:content) { '{}' }
+
+      before(:each) do
+        ENV['CHEF_SECRETS_FD'] = content_file.to_i.to_s
+      end
+
+      it 'does not support #rotate' do
+        expect{ subject.rotate }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #save' do
+        expect{ subject.save }.to raise_error(NotImplementedError)
+      end
+
+      it 'does not support #rotate_hasher' do
+        expect{ subject.rotate_hasher }.to raise_error(NotImplementedError)
+      end
+    end
+  end
+end

data/spec/credential_collection/chef_secrets_file_spec.rb

@@ -97,43 +97,97 @@ describe Veil::CredentialCollection::ChefSecretsFile do
         s
       end
 
-      context "when the user is set" do
-        it "gives the file proper permissions" do
-          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
-          expect(FileUtils).to receive(:chown).with(user, user, "/tmp/unguessable")
-          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
-
-          creds = described_class.new(path: file.path,
-                                      user: user)
-          creds.add("redis_lb", "password")
-          creds.save
+      context "when the target file does not exist" do
+
+        let(:secrets_file) { double(File) }
+        before(:each) do
+          allow(File).to receive(:stat).with(file.path).and_raise(Errno::ENOENT)
+        end
+
+        context "when the user is not set" do
+          it "does not change any permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).not_to receive(:chown)
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
+        end
+
+        context "when the user is set" do
+          it "gives the file proper permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, user, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path,
+                                        user: user)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
         end
       end
 
-      context "when user and group are set" do
-        it "gives the file proper permissions" do
-          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
-          expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
-          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
-
-          creds = described_class.new(path: file.path,
-                                      user: user,
-                                      group: group)
-          creds.add("redis_lb", "password")
-          creds.save
+      context "when the target file exists" do
+
+        let(:secrets_file) { double(File) }
+        let(:secrets_file_stat) { double(File, uid: 100, gid: 1000) }
+        before(:each) do
+          allow(File).to receive(:stat).with(file.path).and_return(secrets_file_stat)
         end
 
-        it "gives the file proper permission even when called from_file" do
-          file.puts("{}"); file.rewind
-          expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
-          expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
-          expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
-
-          creds = described_class.from_file(file.path,
-                                            user: user,
-                                            group: group)
-          creds.add("redis_lb", "password")
-          creds.save
+        context "when the user is not set" do
+          it "keeps the existing file permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(100, 1000, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
+        end
+
+        context "when the user is set" do
+          it "gives the file proper permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, user, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path,
+                                        user: user)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
+        end
+
+        context "when user and group are set" do
+          it "gives the file proper permissions" do
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.new(path: file.path,
+                                        user: user,
+                                        group: group)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
+
+          it "gives the file proper permission even when called from_file" do
+            file.puts("{}"); file.rewind
+            expect(Tempfile).to receive(:new).with("veil").and_return(tmpfile)
+            expect(FileUtils).to receive(:chown).with(user, group, "/tmp/unguessable")
+            expect(FileUtils).to receive(:mv).with("/tmp/unguessable", file.path)
+
+            creds = described_class.from_file(file.path,
+                                              user: user,
+                                              group: group)
+            creds.add("redis_lb", "password")
+            creds.save
+          end
         end
       end
     end

data/spec/credential_collection_spec.rb

@@ -11,6 +11,15 @@ describe Veil::CredentialCollection do
       end
     end
 
+    context 'passing provider "chef-secrets-env"' do
+      let(:opts) { { provider: 'chef-secrets-env' } }
+
+      it 'instantiates ChefSecretsFile with all options' do
+        expect(Veil::CredentialCollection::ChefSecretsEnv).to receive(:new).with(opts)
+        described_class.from_config(opts)
+      end
+    end
+
     context 'passing anything else as provider' do
       let(:opts) { { provider: 'vault' } }
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: veil
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.2
 platform: ruby
 authors:
 - Chef Software, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-03-15 00:00:00.000000000 Z
+date: 2020-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -84,8 +84,6 @@ description: Veil is a Ruby Gem for generating secure secrets from a shared secr
 email:
 - partnereng@chef.io
 executables:
-- console
-- setup
 - veil-dump-secrets
 - veil-env-helper
 - veil-ingest-secret
@@ -105,6 +103,8 @@ files:
 - lib/veil/credential.rb
 - lib/veil/credential_collection.rb
 - lib/veil/credential_collection/base.rb
+- lib/veil/credential_collection/chef_secrets_env.rb
+- lib/veil/credential_collection/chef_secrets_fd.rb
 - lib/veil/credential_collection/chef_secrets_file.rb
 - lib/veil/exceptions.rb
 - lib/veil/hasher.rb
@@ -117,6 +117,8 @@ files:
 - spec/cipher/v2_spec.rb
 - spec/cipher_spec.rb
 - spec/credential_collection/base_spec.rb
+- spec/credential_collection/chef_secrets_env_spec.rb
+- spec/credential_collection/chef_secrets_fd_spec.rb
 - spec/credential_collection/chef_secrets_file_spec.rb
 - spec/credential_collection_spec.rb
 - spec/credential_spec.rb
@@ -127,7 +129,7 @@ files:
 - spec/spec_helper.rb
 - spec/utils_spec.rb
 - spec/veil_spec.rb
-homepage: https://github.com/chef/chef-server/
+homepage: https://github.com/chef/chef_secrets/
 licenses:
 - Apache-2.0
 metadata: {}
@@ -146,8 +148,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.2
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Veil is a Ruby Gem for generating secure secrets from a shared secret
@@ -156,6 +157,8 @@ test_files:
 - spec/cipher/v2_spec.rb
 - spec/cipher_spec.rb
 - spec/credential_collection/base_spec.rb
+- spec/credential_collection/chef_secrets_env_spec.rb
+- spec/credential_collection/chef_secrets_fd_spec.rb
 - spec/credential_collection/chef_secrets_file_spec.rb
 - spec/credential_collection_spec.rb
 - spec/credential_spec.rb