Class: ChefVault::Actor

Inherits:
Object
Defined in:
lib/chef-vault/actor.rb


Constructor Details

#initialize(actor_type, actor_name) ⇒ Actor

Returns a new instance of Actor.



# File 'lib/chef-vault/actor.rb', line 26

# Builds an actor descriptor for a Chef client or a Chef admin (user).
#
# @param actor_type [String] either "clients" or "admins"
# @param actor_name [String] the name of the client or user whose key is wanted
# @raise [RuntimeError] when actor_type is neither of the two accepted values
def initialize(actor_type, actor_name)
  unless %w[clients admins].include?(actor_type)
    raise "You must pass either 'clients' or 'admins' as the first argument to ChefVault::Actor.new."
  end

  @type = actor_type
  @name = actor_name
end

Instance Attribute Details

#key_string ⇒ Object

Returns the value of attribute key_string.



# File 'lib/chef-vault/actor.rb', line 22

# Whatever has been stored in @key_string for this actor.
#
# @return [Object, nil] nil until something has been assigned
def key_string
  @key_string
end

#name ⇒ Object (readonly)

Returns the value of attribute name.



# File 'lib/chef-vault/actor.rb', line 24

# The actor name handed to the constructor; used to build every key lookup path.
#
# @return [Object] the second constructor argument
def name
  @name
end

#type ⇒ Object (readonly)

Returns the value of attribute type.



# File 'lib/chef-vault/actor.rb', line 23

# The actor kind handed to the constructor ("clients" or "admins").
#
# @return [Object] the first constructor argument
def type
  @type
end

Instance Method Details

#api ⇒ Object



# File 'lib/chef-vault/actor.rb', line 93

# Lazily built Chef API wrapper, created on first use and reused afterwards.
#
# @return [ChefVault::ChefApi]
def api
  return @api if @api

  @api = ChefVault::ChefApi.new
end

#chef_api_client ⇒ Object

Use API V0 to load the public_key directly from the user object using the chef-client code.



# File 'lib/chef-vault/actor.rb', line 99

# Chef::ApiClient class, required on first access so the chef gem is only
# loaded when a V0 fallback lookup is actually needed.
#
# @return [Class] Chef::ApiClient
def chef_api_client
  return @chef_api_client if @chef_api_client

  require "chef/api_client"
  @chef_api_client = Chef::ApiClient
end

#chef_user ⇒ Object

Similar thing as above but for client.



# File 'lib/chef-vault/actor.rb', line 107

# Chef::User class, required on first access so the chef gem is only
# loaded when a V0 fallback lookup is actually needed.
#
# @return [Class] Chef::User
def chef_user
  return @chef_user if @chef_user

  require "chef/user"
  @chef_user = Chef::User
end

#get_admin_key ⇒ Object



# File 'lib/chef-vault/actor.rb', line 39

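# Fetches the default public key for an admin, first from the users endpoint
# and, if the user does not exist, from the clients endpoint under the same name.
#
# @return [String] the public key returned by get_key
# @raise [Net::HTTPClientException] on 403 (after logging the forbidden hint) and
#   on any other non-404 client error from either lookup
# @raise [ChefVault::Exceptions::AdminNotFound] when neither users nor clients
#   has a default key for this name
def get_admin_key
  # chef vault currently only supports using the default key
  get_key("users")
rescue Net::HTTPClientException => http_error
  # if we failed to find an admin key, attempt to load a client key by the same name
  case http_error.response.code
  when "403"
    print_forbidden_error
    raise http_error
  when "404"
    begin
      ChefVault::Log.warn "The default key for #{name} not found in users, trying client keys."
      get_key("clients")
    rescue Net::HTTPClientException => client_error
      # Separate name: rescuing into http_error again would overwrite the
      # users-endpoint error while we are still inside its handler.
      print_forbidden_error if client_error.response.code.eql?("403")
      raise client_error unless client_error.response.code.eql?("404")

      raise ChefVault::Exceptions::AdminNotFound,
        "FATAL: Could not find default key for #{name} in users or clients!"
    end
  else
    raise http_error
  end
end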

#get_client_key ⇒ Object



# File 'lib/chef-vault/actor.rb', line 69

# Fetches the default public key for this actor from the clients endpoint.
#
# @return [String] the public key returned by get_key
# @raise [ChefVault::Exceptions::ClientNotFound] when the server answers 404
# @raise [Net::HTTPClientException] for any other client error; a 403 is
#   logged via print_forbidden_error before being re-raised
def get_client_key
  get_key("clients")
rescue Net::HTTPClientException => http_error
  case http_error.response.code
  when "403"
    print_forbidden_error
    raise http_error
  when "404"
    raise ChefVault::Exceptions::ClientNotFound,
      "#{name} is not a valid chef client and/or node"
  else
    raise http_error
  end
end

#get_key(request_actor_type) ⇒ Object



# File 'lib/chef-vault/actor.rb', line 114

# Fetches the default public key for this actor from the V1 keys endpoint.
#
# @param request_actor_type [String] "clients" or "users"; forms the first
#   path segment of the request
# @return [String] the "public_key" value of the response
# @raise [KeyError] when the V1 response has no "public_key" entry
# @raise [Net::HTTPClientException] for any client error other than 404
def get_key(request_actor_type)
  api.org_scoped_rest_v1.get("#{request_actor_type}/#{name}/keys/default").fetch("public_key")
# If the keys endpoint doesn't exist, try getting it directly from the V0 chef object.
rescue Net::HTTPClientException => http_error
  # Only a 404 is treated as "no keys endpoint"; everything else propagates untouched.
  raise http_error unless http_error.response.code.eql?("404")

  loader = request_actor_type.eql?("clients") ? chef_api_client : chef_user
  loader.load(name).public_key
end

#is_admin? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/chef-vault/actor.rb', line 87

# Whether this actor was constructed as an admin (user) rather than a client.
#
# @return [Boolean]
def is_admin?
  type.eql?("admins")
end

#is_client? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/chef-vault/actor.rb', line 83

# Whether this actor was constructed as a client rather than an admin.
#
# @return [Boolean]
def is_client?
  type.eql?("clients")
end

#key ⇒ Object



# File 'lib/chef-vault/actor.rb', line 35

# Public key for this actor, resolved on first call and memoised.
#
# Admins are resolved through get_admin_key, every other type through
# get_client_key.
#
# @return [String] the resolved public key
def key
  return @key if @key

  @key = if is_admin?
           get_admin_key
         else
           get_client_key
         end
end


# File 'lib/chef-vault/actor.rb', line 127

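# Logs guidance for a 403 from the public-keys endpoint.
#
# The listing escaped the interpolations (`\#{type}`, `\#{name}`), so the
# message printed the literal text "#{type}" instead of the actor's type and
# name; the heredoc below interpolates them. Message text is otherwise unchanged.
#
# @return [Object] whatever ChefVault::Log.error returns
def print_forbidden_error
  ChefVault::Log.error <<~MSG
    ERROR: You received a 403 FORBIDDEN while requesting an #{type} key for #{name}.

    If you are on Chef Server < 12.5:
      Clients do not have access to all public keys within their org.
      Either upgrade to Chef Server >= 12.5 or make this request using a user.

    If you are on Chef Server == 12.5.0
      All clients and users have access to the public keys endpoint. Getting
      this error on 12.5.0 is unexpected regardless of what your
      public_key_read_access_group contains.

    If you are on Chef Server > 12.5.1
      Has your public_key_read_access_group been modified? This group controls
      read access on public keys within your org. It defaults to the users
      and client groups, so all org actors should have permission unless
      the defaults have been changed.

  MSG
end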