Module: Chef::Knife::DataBagSecretOptions

Includes:
EncryptedDataBagItem::CheckEncrypted, Mixlib::CLI
Included in:
Bootstrap, DataBagCreate, DataBagEdit, DataBagFromFile, DataBagShow
Defined in:
lib/chef/knife/data_bag_secret_options.rb

Class Method Summary

Instance Method Summary

Methods included from EncryptedDataBagItem::CheckEncrypted

#encrypted?

Class Method Details

.included(base) ⇒ Object

The config object is populated by knife#merge_configs with the knife.rb `knife` config values, but they do not overwrite the command line properties. It does mean, however, that `knife[:secret]` and `--secret-file` passed at the same time populate both `config[:secret]` and `config[:secret_file]`. We cannot differentiate the valid case (`knife[:secret]` in the config file and `--secret-file` on the CL) from the invalid case (`--secret` and `--secret-file` on the CL). That's why I'm storing the CL options in a different config key if they are provided.



# File 'lib/chef/knife/data_bag_secret_options.rb', line 36

def self.included(base)
  base.option :secret,
    short: "-s SECRET",
    long: "--secret SECRET",
    description: "The secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret'.",
    # Need to store value from command line in separate variable - knife#merge_configs populates same keys
    # on config object from
    proc: Proc.new { |s| set_cl_secret(s) }

  base.option :secret_file,
    long: "--secret-file SECRET_FILE",
    description: "A file containing the secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret_file'.",
    proc: Proc.new { |sf| set_cl_secret_file(sf) }

  base.option :encrypt,
    long: "--encrypt",
    description: "If 'secret' or 'secret_file' is present in your config, then encrypt data bags using it.",
    boolean: true,
    default: false
end

Instance Method Details

#encryption_secret_provided? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/chef/knife/data_bag_secret_options.rb', line 57

def encryption_secret_provided?
  base_encryption_secret_provided?
end

#encryption_secret_provided_ignore_encrypt_flag? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/chef/knife/data_bag_secret_options.rb', line 61

def encryption_secret_provided_ignore_encrypt_flag?
  base_encryption_secret_provided?(false)
end

#read_secret ⇒ Object



# File 'lib/chef/knife/data_bag_secret_options.rb', line 65

def read_secret
  # Moving the non 'compile-time' requires into here to speed up knife command loading
  # IE, if we are not running 'knife data bag *' we don't need to load 'chef/encrypted_data_bag_item'
  require_relative "../encrypted_data_bag_item"

  if has_cl_secret?
    config[:secret]
  elsif has_cl_secret_file?
    Chef::EncryptedDataBagItem.load_secret(config[:secret_file])
  elsif secret = knife_config[:secret]
    secret
  else
    secret_file = knife_config[:secret_file]
    Chef::EncryptedDataBagItem.load_secret(secret_file)
  end
end

#validate_secrets ⇒ Object



# File 'lib/chef/knife/data_bag_secret_options.rb', line 82

def validate_secrets
  if has_cl_secret?
    if opt_parser.default_argv.include?("-s")
      ui.warn("Secret short option -s is deprecated and will remove in the future. Please use --secret instead.\n")
    end

    if has_cl_secret_file?
      ui.fatal("Please specify only one of --secret, --secret-file")
      exit(1)
    end
  end

  if knife_config[:secret] && knife_config[:secret_file]
    ui.fatal("Please specify only one of 'secret' or 'secret_file' in your config file")
    exit(1)
  end
end
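
An added example, not Chef's code: a stand-alone Ruby model of the source tracking described in the `.included` note and applied by `read_secret` and `validate_secrets` above. `SecretResolver` and its source labels are hypothetical, the inputs are constructed, and a secret file path is returned rather than read.

```ruby
# Added illustration, not Chef's code. SecretResolver and the source labels
# (:cl_secret, :config_secret, ...) are hypothetical names.
class SecretResolver
  ConflictError = Class.new(StandardError)
  attr_reader :merged

  # cli: options given on the command line; knife_rb: values from knife.rb
  def initialize(cli:, knife_rb:)
    @cli = cli
    @knife_rb = knife_rb
    # Model of the merge: knife.rb values fill keys the CLI left unset, so the
    # merged hash no longer records where each key came from.
    @merged = knife_rb.merge(cli)
  end

  # Same checks as validate_secrets, made per source instead of on the merge.
  def validate!
    if @cli[:secret] && @cli[:secret_file]
      raise ConflictError, "Please specify only one of --secret, --secret-file"
    end
    if @knife_rb[:secret] && @knife_rb[:secret_file]
      raise ConflictError, "Please specify only one of 'secret' or 'secret_file' in your config file"
    end
    true
  end

  # Same precedence as read_secret. Returns [source, value] so the caller can
  # log which input supplied the key; a file path is returned, not read.
  def resolve
    validate!
    return [:cl_secret, @cli[:secret]] if @cli[:secret]
    return [:cl_secret_file, @cli[:secret_file]] if @cli[:secret_file]
    return [:config_secret, @knife_rb[:secret]] if @knife_rb[:secret]
    return [:config_secret_file, @knife_rb[:secret_file]] if @knife_rb[:secret_file]
    nil # no secret configured anywhere
  end
end

# Constructed inputs. Valid: knife.rb sets 'secret', the CLI passes --secret-file.
valid = SecretResolver.new(cli: { secret_file: "/tmp/example.key" },
                           knife_rb: { secret: "from-config" })
# Invalid: both options on the CLI. The merged keys match the valid case.
invalid = SecretResolver.new(cli: { secret: "s3", secret_file: "/tmp/example.key" },
                             knife_rb: {})

p valid.merged.keys.sort == invalid.merged.keys.sort
p valid.resolve
```

The two merged hashes carry the same keys, so only the per-source view can reject the second case while accepting the first.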