Class: Chef::Provider::ChefDataBagItem
- Inherits:
-
Cheffish::ChefProviderBase
- Object
- Cheffish::ChefProviderBase
- Chef::Provider::ChefDataBagItem
- Defined in:
- lib/chef/provider/chef_data_bag_item.rb
Instance Method Summary collapse
-
#calculate_differences ⇒ Object
Figure out the differences between new and current.
-
#current_decrypted ⇒ Object
Get the current json decrypted, for comparison purposes.
- #data_handler ⇒ Object
- #decrypt(json, secret) ⇒ Object
- #encrypt(json, secret, version) ⇒ Object
- #fake_entry ⇒ Object
- #keys ⇒ Object
- #load_current_resource ⇒ Object
-
#new_decrypted ⇒ Object
Get the desired (new) json pre-encryption, for comparison purposes.
- #new_encrypt ⇒ Object
- #new_json ⇒ Object
- #new_secret ⇒ Object
- #not_found_resource ⇒ Object
-
#resource_class ⇒ Object
Helpers.
- #whyrun_supported? ⇒ Boolean
Instance Method Details
#calculate_differences ⇒ Object
Figure out the differences between new and current
191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 191 def calculate_differences if new_encrypt if current_resource.encrypt # Both are encrypted, check if the encryption type is the same description = '' if new_secret != current_resource.secret description << ' with new secret' end if new_resource.encryption_version != current_resource.encryption_version description << " from v#{current_resource.encryption_version} to v#{new_resource.encryption_version} encryption" end if description != '' # Encryption is different, we're reencrypting differences = [ "re-encrypt#{description}"] else # Encryption is the same, we're just updating differences = [] end else # New stuff should be encrypted, old is not. Encrypting. differences = [ "encrypt with v#{new_resource.encryption_version} encryption" ] end # Get differences in the actual json if current_resource.secret json_differences(current_decrypted, new_decrypted, false, '', differences) elsif current_resource.encrypt # Encryption is different and we can't read the old values. Only allow the change # if we're overwriting the data bag item if !new_resource.complete raise "Cannot encrypt #{new_resource.name} due to failure to decrypt existing resource. Set 'complete true' to overwrite or add the old secret as old_secret / old_secret_path." end differences = [ "overwrite data bag item (cannot decrypt old data bag item)"] differences = (new_resource.raw_data.keys & current_resource.raw_data.keys).map { |key| "overwrite #{key}"} differences += (new_resource.raw_data.keys - current_resource.raw_data.keys).map { |key| "add #{key}"} differences += (current_resource.raw_data.keys - new_resource.raw_data.keys).map { |key| "remove #{key}" } else json_differences(current_decrypted, new_decrypted, false, '', differences) end else if current_resource.encrypt # New stuff should not be encrypted, old is. Decrypting. differences = [ "decrypt data bag item to plaintext" ] else differences = [] end json_differences(current_decrypted, new_decrypted, true, '', differences) end differences end |
#current_decrypted ⇒ Object
Get the current json decrypted, for comparison purposes
178 179 180 181 182 183 184 185 186 187 188 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 178 def current_decrypted @current_decrypted ||= begin if current_resource.secret decrypt(current_resource.raw_data || { 'id' => new_resource.id }, current_resource.secret) elsif current_resource.encrypt raise "Could not decrypt current data bag item #{current_resource.name}" else current_resource.raw_data || { 'id' => new_resource.id } end end end |
#data_handler ⇒ Object
251 252 253 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 251 def data_handler Chef::ChefFS::DataHandler::DataBagItemDataHandler.new end |
#decrypt(json, secret) ⇒ Object
150 151 152 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 150 def decrypt(json, secret) Chef::EncryptedDataBagItem.new(json, secret).to_hash end |
#encrypt(json, secret, version) ⇒ Object
154 155 156 157 158 159 160 161 162 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 154 def encrypt(json, secret, version) old_version = Chef::Config[:data_bag_encrypt_version] Chef::Config[:data_bag_encrypt_version] = version begin Chef::EncryptedDataBagItem.encrypt_data_bag_item(json, secret) ensure Chef::Config[:data_bag_encrypt_version] = old_version end end |
#fake_entry ⇒ Object
269 270 271 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 269 def fake_entry FakeEntry.new("#{new_resource.id}.json", FakeEntry.new(new_resource.data_bag)) end |
#keys ⇒ Object
255 256 257 258 259 260 261 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 255 def keys { 'id' => :id, 'data_bag' => :data_bag, 'raw_data' => :raw_data } end |
#load_current_resource ⇒ Object
38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 38 def load_current_resource begin json = rest.get("data/#{new_resource.data_bag}/#{new_resource.id}") resource = Chef::Resource::ChefDataBagItem.new(new_resource.name) resource.raw_data json @current_resource = resource rescue Net::HTTPServerException => e if e.response.code == "404" @current_resource = not_found_resource else raise end end # Determine if data bag is encrypted and if so, what its version is first_real_key, first_real_value = (current_resource.raw_data || {}).select { |key, value| key != 'id' && !value.nil? }.first if first_real_value if first_real_value.is_a?(Hash) && first_real_value['version'].is_a?(Integer) && first_real_value['version'] > 0 && first_real_value.has_key?('encrypted_data') current_resource.encrypt true current_resource.encryption_version first_real_value['version'] decrypt_error = nil # Check if the desired secret is the one (which it generally should be) if new_resource.secret || new_resource.secret_path begin Chef::EncryptedDataBagItem::Decryptor.for(first_real_value, new_secret).for_decrypted_item current_resource.secret new_secret rescue Chef::EncryptedDataBagItem::DecryptionFailure decrypt_error = $! end end # If the current secret doesn't work, look through the specified old secrets if !current_resource.secret old_secrets = [] if new_resource.old_secret old_secrets += Array(new_resource.old_secret) end if new_resource.old_secret_path old_secrets += Array(new_resource.old_secret_path).map do |secret_path| Chef::EncryptedDataBagItem.load_secret(new_resource.old_secret_file) end end old_secrets.each do |secret| begin Chef::EncryptedDataBagItem::Decryptor.for(first_real_value, secret).for_decrypted_item current_resource.secret secret rescue Chef::EncryptedDataBagItem::DecryptionFailure decrypt_error = $! end end # If we couldn't figure out the secret, emit a warning (this isn't a fatal flaw unless we # need to reuse one of the values from the data bag) if !current_resource.secret if decrypt_error Chef::Log.warn "Existing data bag is encrypted, but could not decrypt: #{decrypt_error.}." else Chef::Log.warn "Existing data bag is encrypted, but no secret was specified." end end end end else # There are no encryptable values, so pretend encryption is the same as desired current_resource.encrypt new_resource.encrypt current_resource.encryption_version new_resource.encryption_version if new_resource.secret || new_resource.secret_path current_resource.secret new_secret end end end |
#new_decrypted ⇒ Object
Get the desired (new) json pre-encryption, for comparison purposes
165 166 167 168 169 170 171 172 173 174 175 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 165 def new_decrypted @new_decrypted ||= begin if new_resource.complete result = new_resource.raw_data || {} else result = current_decrypted.merge(new_resource.raw_data || {}) end result['id'] = new_resource.id apply_modifiers(new_resource.raw_data_modifiers, result) end end |
#new_encrypt ⇒ Object
132 133 134 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 132 def new_encrypt new_resource.encrypt.nil? ? current_resource.encrypt : new_resource.encrypt end |
#new_json ⇒ Object
120 121 122 123 124 125 126 127 128 129 130 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 120 def new_json @new_json ||= begin if new_encrypt # Encrypt new stuff result = encrypt(new_decrypted, new_secret, new_resource.encryption_version) else result = new_decrypted end result end end |
#new_secret ⇒ Object
136 137 138 139 140 141 142 143 144 145 146 147 148 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 136 def new_secret @new_secret ||= begin if new_resource.secret new_resource.secret elsif new_resource.secret_path Chef::EncryptedDataBagItem.load_secret(new_resource.secret_path) elsif new_resource.encrypt.nil? current_resource.secret else raise "Data bag item #{new_resource.name} has encryption on but no secret or secret_path is specified" end end end |
#not_found_resource ⇒ Object
263 264 265 266 267 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 263 def not_found_resource resource = super resource.data_bag new_resource.data_bag resource end |
#resource_class ⇒ Object
Helpers
247 248 249 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 247 def resource_class Chef::Resource::ChefDataBagItem end |
#whyrun_supported? ⇒ Boolean
8 9 10 |
# File 'lib/chef/provider/chef_data_bag_item.rb', line 8 def whyrun_supported? true end |