author | Claire McQuin <claire@getchef.com> | 2014-08-15 09:40:26 -0700 |
---|---|---|
committer | Claire McQuin <claire@getchef.com> | 2014-08-15 09:40:26 -0700 |
commit | e271f566512c131bfe5d164428c6f8f378943632 (patch) | |
tree | ecb66cf014ece93442fefbc669aeda9233155bee | |
parent | 5d8c48de6cf44c6360865d125f31ef0897c02259 (diff) | |
download | chef-e271f566512c131bfe5d164428c6f8f378943632.tar.gz |
Add simple DSL method to interact with encrypted data bags.
-rw-r--r-- | lib/chef/dsl/data_query.rb | 10 | ||||
-rw-r--r-- | lib/chef/encrypted_data_bag_item.rb | 3 | ||||
-rw-r--r-- | spec/unit/dsl/data_query_spec.rb | 54 |
3 files changed, 58 insertions, 9 deletions
diff --git a/lib/chef/dsl/data_query.rb b/lib/chef/dsl/data_query.rb
index 65e7b185a7..c4ef3cb680 100644
--- a/lib/chef/dsl/data_query.rb
+++ b/lib/chef/dsl/data_query.rb
@@ -61,6 +61,15 @@ class Chef
 Log.error("Failed to load data bag item: #{bag.inspect} #{item.inspect}")
 raise
 end
+
+ def encrypted_data_bag_item(bag, item, secret = nil)
+ DataBag.validate_name!(bag.to_s)
+ DataBagItem.validate_id!(item)
+ EncryptedDataBagItem.load(bag, item, secret)
+ rescue Exception
+ Log.error("Failed to load encrypted data bag item: #{bag.inspect} #{item.inspect}")
+ raise
+ end
 end
 end
 end
@@ -68,4 +77,3 @@ end
 # **DEPRECATED**
 # This used to be part of chef/mixin/language. Load the file to activate the deprecation code.
 require 'chef/mixin/language'
-
diff --git a/lib/chef/encrypted_data_bag_item.rb b/lib/chef/encrypted_data_bag_item.rb
index f722b5dc38..d3149c3171 100644
--- a/lib/chef/encrypted_data_bag_item.rb
+++ b/lib/chef/encrypted_data_bag_item.rb
@@ -128,7 +128,8 @@ class Chef::EncryptedDataBagItem
 def self.load_secret(path=nil)
 path ||= Chef::Config[:encrypted_data_bag_secret]
 if !path
- raise ArgumentError, "No secret specified to load_secret and no secret found at #{Chef::Config.platform_specific_path('/etc/chef/encrypted_data_bag_secret')}"
+ raise ArgumentError, "No secret specified to load_secret and no secret found at" \
+ " #{Chef::Config[:encrypted_data_bag_secret] || Chef::Config.platform_specific_path('/etc/chef/encrypted_data_bag_secret')}"
 end
 secret = case path
 when /^\w+:\/\//
diff --git a/spec/unit/dsl/data_query_spec.rb b/spec/unit/dsl/data_query_spec.rb
index e31c0725d6..9002c0a7af 100644
--- a/spec/unit/dsl/data_query_spec.rb
+++ b/spec/unit/dsl/data_query_spec.rb
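Review bot: The new `encrypted_data_bag_item(bag, item, secret = nil)` in lib/chef/dsl/data_query.rb carries no comment saying what `secret` is, and the spec in this commit passes the key string itself (`"abc123SECRET"`) while `load_secret` in lib/chef/encrypted_data_bag_item.rb takes a path, so a recipe author can easily hand the wrong one to this DSL method. I would add above the `def`: `# secret is the shared secret itself, not a path to it; nil is passed through to EncryptedDataBagItem.load unchanged`, and name the configured fallback there if `load` has one (its body is not visible in this hunk). The same comment is the place to say that the secret should not be written as a literal in a recipe, since recipes end up in version control. Separately, `rescue Exception` also logs "Failed to load encrypted data bag item" for SignalException and SystemExit before re-raising; `rescue StandardError` would keep that error line for real load failures only, though the neighbouring method whose tail appears as context may use the same pattern and should then change with it.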
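Review bot: The `Chef::Config[:encrypted_data_bag_secret] ||` added to the message in `load_secret` looks unreachable: the `raise` sits under `if !path`, directly after `path ||= Chef::Config[:encrypted_data_bag_secret]`, so that config value is already nil or false when the string is built (unless the lookup can change between the two reads) and the text always falls through to the platform default path. The wording "no secret found at" also names a file location although no file lookup is visible in this hunk, which can send an operator to check the wrong place. I would report what was actually tested, e.g. `raise ArgumentError, "No secret specified to load_secret and Chef::Config[:encrypted_data_bag_secret] is not set"`. The body of `load_secret` continues past the end of the hunk.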
@@ -30,6 +30,20 @@ describe Chef::DSL::DataQuery do @language.stub(:node).and_return(@node) end + shared_examples_for "a data bag item" do + it "validates the name of the data bag you're trying to load an item from" do + lambda { invalid_data_bag_name }.should raise_error(Chef::Exceptions::InvalidDataBagName) + end + + it "validates the id of the data bag item you're trying to load" do + lambda { invalid_data_bag_item_id }.should raise_error(Chef::Exceptions::InvalidDataBagItemID) + end + + it "validates that the id of the data bag item is not nil" do + lambda { nil_data_bag_item_id }.should raise_error(Chef::Exceptions::InvalidDataBagItemID) + end + end + describe "when loading data bags and items" do it "lists the items in a data bag" do Chef::DataBag.should_receive(:load).with("bag_name").and_return("item_1" => "http://url_for/item_1", "item_2" => "http://url_for/item_2") 
@@ -48,19 +62,45 @@ describe Chef::DSL::DataQuery do @language.data_bag_item("bag_name", "item_name").should == @item end - it "validates the name of the data bag you're trying to load an item from" do - lambda {@language.data_bag_item(" %%^& ", "item_name")}.should raise_error(Chef::Exceptions::InvalidDataBagName) + include_examples "a data bag item" do + let(:invalid_data_bag_name) { @language.data_bag_item(" %%^& ", "item_name") } + let(:invalid_data_bag_item_id) { @language.data_bag_item("bag_name", " 987 (*&()") } + let(:nil_data_bag_item_id) { @language.data_bag_item("bag_name", nil) } end - it "validates the id of the data bag item you're trying to load" do - lambda {@language.data_bag_item("bag_name", " 987 (*&()")}.should raise_error(Chef::Exceptions::InvalidDataBagItemID) + end + + describe "when loading an encrypted data bag item" do + + let(:encrypted_data_bag_item) { Chef::EncryptedDataBagItem.new(encoded_data, secret) } + + let(:plaintext_data) {{ + "id" => "item_name", + "greeting" => "hello", + "nested" => { "a1" => [1, 2, 3], "a2" => { "b1" => true }} + }} + + let(:secret) { "abc123SECRET" } + + let(:encoded_data) { Chef::EncryptedDataBagItem.encrypt_data_bag_item(plaintext_data, secret) } + + include_examples "a data bag item" do + let(:invalid_data_bag_name) { @language.encrypted_data_bag_item(" %%^& ", "item_name", secret) } + let(:invalid_data_bag_item_id) { @language.encrypted_data_bag_item("bag_name", " 987 (*&()", secret) } + let(:nil_data_bag_item_id) { @language.encrypted_data_bag_item("bag_name", nil, secret) } end - it "validates that the id of the data bag item is not nil" do - lambda {@language.data_bag_item("bag_name", nil)}.should raise_error(Chef::Exceptions::InvalidDataBagItemID) + it "fetches an encrypted data bag item" do + Chef::EncryptedDataBagItem.should_receive(:load).with("bag_name", "item_name", secret).and_return(encrypted_data_bag_item) + @language.encrypted_data_bag_item("bag_name", "item_name", secret).should == 
encrypted_data_bag_item end + context "without a secret" do + it "fetches an encrypted data bag item" do + Chef::EncryptedDataBagItem.should_receive(:load).with("bag_name", "item_name", nil).and_return(encrypted_data_bag_item) + @language.encrypted_data_bag_item("bag_name", "item_name").should == encrypted_data_bag_item + end + end end end - |
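Review bot: None of the examples added under "when loading an encrypted data bag item" asserts what the rescue branch of `encrypted_data_bag_item` writes to the log; the validation examples only check the exception class, and the two fetch examples stub `Chef::EncryptedDataBagItem.load` to succeed. Since this path handles a secret, I would add an example where `load` raises and the message is checked, e.g. `Chef::EncryptedDataBagItem.stub(:load).and_raise(RuntimeError)` together with `Chef::Log.should_receive(:error) { |msg| msg.should_not include(secret) }`, and then expect the error to propagate. That pins the current behaviour of logging only the bag and item names, so a later change to the log line cannot start including the key unnoticed.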