Class: ChefVault::Item

Inherits:

Chef::DataBagItem

• Object
• Chef::DataBagItem
• ChefVault::Item

Defined in:

lib/chef-vault/item.rb

Instance Attribute Summary

• #client_key_path ⇒ String

  The path to the private key that is used to decrypt secrets.

• #encrypted_data_bag_item ⇒ nil

  This attribute is not currently used.

• #keys ⇒ ChefVault::ItemKeys

  The keys associated with this vault.

• #node_name ⇒ String

  The node name that is used to decrypt secrets.

Class Method Summary

• .data_bag_item_type(vault, name) ⇒ Symbol

  determines whether a data bag item is a vault, an encrypted data bag item, or a normal data bag item.

• .load(vault, name, opts = {}) ⇒ Object

  loads an existing vault item.

• .vault?(vault, name) ⇒ Boolean

  determines if a data bag item looks like a vault.

Instance Method Summary

• #[](key) ⇒ Object
• #[]=(key, value) ⇒ Object
• #admins(admins = nil, action = :add) ⇒ Object
• #clients(search_or_client = nil, action = :add) ⇒ Object
• #destroy ⇒ Object
• #generate_secret(key_size = 32) ⇒ Object
• #initialize(vault, name, opts = {}) ⇒ Item constructor

  constructs a new ChefVault::Item.

• #load_keys(vault, keys) ⇒ Object
• #refresh(clean_unknown_clients = false) ⇒ void

  refreshes a vault by re-processing the search query and adding a secret for any nodes found (including new ones).

• #remove(key) ⇒ Object
• #rotate_keys!(clean_unknown_clients = false) ⇒ Object
• #save(item_id = ) ⇒ Object
• #search(search_query = nil) ⇒ Object
• #secret ⇒ Object
• #to_json(*a) ⇒ Object

Constructor Details

#initialize(vault, name, opts = {}) ⇒ Item

constructs a new ChefVault::Item

Parameters:

• vault (String) —

  the name of the data bag that contains the vault

• name (String) —

  the name of the item in the vault

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :node_name (String) —

  the name of the node to decrypt secrets as. Defaults to the :node_name value of Chef::Config

• :client_key_path (String) —

  the name of the node to decrypt secrets as. Defaults to the :client_key value of Chef::Config

# File 'lib/chef-vault/item.rb', line 54

def initialize(vault, name, opts = {})
  super() # Don't pass parameters
  @data_bag = vault
  @raw_data["id"] = name
  @keys = ChefVault::ItemKeys.new(vault, "#{name}_keys")
  @secret = generate_secret
  @encrypted = false
  opts = {
    :node_name => Chef::Config[:node_name],
    :client_key_path => Chef::Config[:client_key]
  }.merge(opts)
  @node_name = opts[:node_name]
  @client_key_path = opts[:client_key_path]
end

Instance Attribute Details

#client_key_path ⇒ String

Returns the path to the private key that is used to decrypt secrets. Defaults to the value of Chef::Config.

Returns:

• (String) —

  the path to the private key that is used to decrypt secrets. Defaults to the value of Chef::Config

# File 'lib/chef-vault/item.rb', line 37

def client_key_path
  @client_key_path
end

#encrypted_data_bag_item ⇒ nil

Returns this attribute is not currently used.

Returns:

• (nil) —

  this attribute is not currently used

# File 'lib/chef-vault/item.rb', line 27

def encrypted_data_bag_item
  @encrypted_data_bag_item
end

#keys ⇒ ChefVault::ItemKeys

Returns the keys associated with this vault.

Returns:

• (ChefVault::ItemKeys) —

  the keys associated with this vault

# File 'lib/chef-vault/item.rb', line 23

def keys
  @keys
end

#node_name ⇒ String

Returns the node name that is used to decrypt secrets. Defaults to the value of Chef::Config.

Returns:

• (String) —

  the node name that is used to decrypt secrets. Defaults to the value of Chef::Config

# File 'lib/chef-vault/item.rb', line 32

def node_name
  @node_name
end

Class Method Details

.data_bag_item_type(vault, name) ⇒ Symbol

determines whether a data bag item is a vault, an encrypted data bag item, or a normal data bag item. An item is a vault if:

a) the data bag item contains at least one key whose value is

an hash with the key 'encrypted data'

b) the data bag that contains the item contains a second item

suffixed with _keys

if a) is false, the item is a normal data bag if a) and b) are true, the item is a vault if a) is true but b) is false, the item is an encrypted data

bag item

Parameters:

• vault (String) —

  the name of the data bag

• name (String) —

  the name of the item in the data bag

Returns:

• (Symbol) —

  one of :vault, :encrypted or :normal

# File 'lib/chef-vault/item.rb', line 315

def self.data_bag_item_type(vault, name)
  # adapted from https://github.com/opscode-cookbooks/chef-vault/blob/v1.3.0/libraries/chef_vault_item.rb
  # and https://github.com/sensu/sensu-chef/blob/2.9.0/libraries/sensu_helpers.rb
  dbi = Chef::DataBagItem.load(vault, name)
  encrypted = dbi.detect do |_, v|
    v.is_a?(Hash) && v.key?('encrypted_data')
  end

  # return a symbol describing the type of item we detected
  case
  when encrypted && Chef::DataBag.load(vault).key?("#{name}_keys")
    :vault
  when encrypted
    :encrypted
  else
    :normal
  end
end

.load(vault, name, opts = {}) ⇒ Object

loads an existing vault item

Parameters:

• vault (String) —

  the name of the data bag that contains the vault

• name (String) —

  the name of the item in the vault

• opts (Hash) (defaults to: {})

Options Hash (opts):

• :node_name (String) —

  the name of the node to decrypt secrets as. Defaults to the :node_name value of Chef::Config

• :client_key_path (String) —

  the name of the node to decrypt secrets as. Defaults to the :client_key value of Chef::Config

# File 'lib/chef-vault/item.rb', line 269

def self.load(vault, name, opts = {})
  item = new(vault, name, opts)
  item.load_keys(vault, "#{name}_keys")

  begin
    item.raw_data =
      Chef::EncryptedDataBagItem.load(vault, name, item.secret).to_hash
  rescue Net::HTTPServerException => http_error
    if http_error.response.code == "404"
      raise ChefVault::Exceptions::ItemNotFound,
        "#{vault}/#{name} could not be found"
    else
      raise http_error
    end
  rescue Chef::Exceptions::ValidationFailed
    raise ChefVault::Exceptions::ItemNotFound,
      "#{vault}/#{name} could not be found"
  end

  item
end

.vault?(vault, name) ⇒ Boolean

determines if a data bag item looks like a vault

Parameters:

• vault (String) —

  the name of the data bag

• name (String) —

  the name of the item in the data bag

Returns:

• (Boolean) —

  true if the data bag item looks like a vault

# File 'lib/chef-vault/item.rb', line 295

def self.vault?(vault, name)
  :vault == data_bag_item_type(vault, name)
end

Instance Method Details

#[](key) ⇒ Object

# File 'lib/chef-vault/item.rb', line 190

def [](key)
  reload_raw_data if @encrypted
  super
end

#[]=(key, value) ⇒ Object

# File 'lib/chef-vault/item.rb', line 185

def []=(key, value)
  reload_raw_data if @encrypted
  super
end

#admins(admins = nil, action = :add) ⇒ Object

# File 'lib/chef-vault/item.rb', line 115

def admins(admins=nil, action=:add)
  if admins
    admins.split(",").each do |admin|
      admin.strip!
      case action
      when :add
        keys.add(load_admin(admin), @secret, "admins")
      when :delete
        keys.delete(admin, "admins")
      else
        raise ChefVault::Exceptions::KeysActionNotValid,
          "#{action} is not a valid action"
      end
    end
  else
    keys.admins
  end
end

#clients(search_or_client = nil, action = :add) ⇒ Object

# File 'lib/chef-vault/item.rb', line 74

def clients(search_or_client=nil, action=:add)
  if search_or_client.is_a?(Chef::ApiClient)
    handle_client_action(search_or_client, action)
  elsif search_or_client
    results_returned = false
    query = Chef::Search::Query.new
    query.search(:node, search_or_client)[0].each do |node|
      results_returned = true
      case action
      when :add
        begin
          client = load_client(node.name)
          add_client(client)
        rescue ChefVault::Exceptions::ClientNotFound
          $stdout.puts "node '#{node.name}' has no private key; skipping"
        end
      when :delete
        delete_client_or_node(node)
      else
        raise ChefVault::Exceptions::KeysActionNotValid,
          "#{action} is not a valid action"
      end
    end

    unless results_returned
      $stdout.puts "WARNING: No clients were returned from search, you may not have "\
        "got what you expected!!"
    end
  else
    keys.clients
  end
end

#destroy ⇒ Object

# File 'lib/chef-vault/item.rb', line 250

def destroy
  keys.destroy

  if Chef::Config[:solo]
    data_bag_path = File.join(Chef::Config[:data_bag_path],
                              data_bag)
    data_bag_item_path = File.join(data_bag_path, @raw_data["id"])

    FileUtils.rm("#{data_bag_item_path}.json")

    nil
  else
    super(data_bag, id)
  end
end

#generate_secret(key_size = 32) ⇒ Object

# File 'lib/chef-vault/item.rb', line 179

def generate_secret(key_size=32)
  # Defaults to 32 bytes, as this is the size that a Chef
  # Encrypted Data Bag Item will digest all secrets down to anyway
  SecureRandom.random_bytes(key_size)
end

#load_keys(vault, keys) ⇒ Object

# File 'lib/chef-vault/item.rb', line 69

def load_keys(vault, keys)
  @keys = ChefVault::ItemKeys.load(vault, keys)
  @secret = secret
end

#refresh(clean_unknown_clients = false) ⇒ void

This method returns an undefined value.

refreshes a vault by re-processing the search query and adding a secret for any nodes found (including new ones)

Parameters:

• clean_unknown_clients (Boolean) (defaults to: false) —

  remove clients that can no longer be found

# File 'lib/chef-vault/item.rb', line 339

def refresh(clean_unknown_clients = false)
  unless search
    raise ChefVault::Exceptions::SearchNotFound,
          "#{vault}/#{item} does not have a stored search_query, "\
          'probably because it was created with an older version '\
          "of chef-vault. Use 'knife vault update' to update the "\
          'databag with the search query.'
  end

  # a bit of a misnomer; this doesn't remove unknown
  # admins, just clients which are nodes
  remove_unknown_nodes if clean_unknown_clients

  # re-process the search query to add new clients
  clients(search)

  # save the updated vault
  save
end

#remove(key) ⇒ Object

# File 'lib/chef-vault/item.rb', line 134

def remove(key)
  @raw_data.delete(key)
end

#rotate_keys!(clean_unknown_clients = false) ⇒ Object

# File 'lib/chef-vault/item.rb', line 155

def rotate_keys!(clean_unknown_clients = false)
  @secret = generate_secret

  unless clients.empty?
    # a bit of a misnomer; this doesn't remove unknown
    # admins, just clients which are nodes
    remove_unknown_nodes if clean_unknown_clients
    # re-encrypt the new shared secret for all remaining clients
    clients.each do |client|
      clients("name:#{client}")
    end
  end

  unless admins.empty?
    # re-encrypt the new shared secret for all admins
    admins.each do |admin|
      admins(admin)
    end
  end

  save
  reload_raw_data
end

#save(item_id = ) ⇒ Object

# File 'lib/chef-vault/item.rb', line 195

def save(item_id=@raw_data['id'])
  # validate the format of the id before attempting to save
  validate_id!(item_id)

  # ensure that the ID of the vault hasn't changed since the keys
  # data bag item was created
  keys_id = keys['id'].match(/^(.+)_keys/)[1]
  if keys_id != item_id
    raise ChefVault::Exceptions::IdMismatch,
      "id mismatch - input JSON has id '#{item_id}' but vault item has id '#{keys_id}'"
  end

  # save the keys first, raising an error if no keys were defined
  if keys.admins.empty? && keys.clients.empty?
    raise ChefVault::Exceptions::NoKeysDefined,
      "No keys defined for #{item_id}"
  end

  keys.save

  # Make sure the item is encrypted before saving
  encrypt! unless @encrypted

  # Now save the encrypted data
  if Chef::Config[:solo]
    data_bag_path = File.join(Chef::Config[:data_bag_path],
                              data_bag)
    data_bag_item_path = File.join(data_bag_path, item_id)

    FileUtils.mkdir(data_bag_path) unless File.exist?(data_bag_path)
    File.open("#{data_bag_item_path}.json", 'w') do |file|
      file.write(JSON.pretty_generate(raw_data))
    end

    raw_data
  else
    begin
      Chef::DataBag.load(data_bag)
    rescue Net::HTTPServerException => http_error
      if http_error.response.code == "404"
        chef_data_bag = Chef::DataBag.new
        chef_data_bag.name data_bag
        chef_data_bag.create
      end
    end

    super
  end
end

#search(search_query = nil) ⇒ Object

# File 'lib/chef-vault/item.rb', line 107

def search(search_query=nil)
  if search_query
    keys.search_query(search_query)
  else
    keys.search_query
  end
end

#secret ⇒ Object

# File 'lib/chef-vault/item.rb', line 138

def secret
  if @keys.include?(@node_name)
    private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read())
    begin
      private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
    rescue OpenSSL::PKey::RSAError
      raise ChefVault::Exceptions::SecretDecryption,
        "#{data_bag}/#{id} is encrypted for you, but your private key failed to decrypt the contents.  "\
        "(if you regenerated your client key, have an administrator of the vault run 'knife vault refresh')"
    end
  else
    raise ChefVault::Exceptions::SecretDecryption,
      "#{data_bag}/#{id} is not encrypted with your public key.  "\
      "Contact an administrator of the vault item to encrypt for you!"
  end
end

#to_json(*a) ⇒ Object

# File 'lib/chef-vault/item.rb', line 245

def to_json(*a)
  json = super
  json.gsub(self.class.name, self.class.superclass.name)
end