-rw-r--r-- | lib/chef/knife/bootstrap.rb | 2 | ||||
-rw-r--r-- | lib/chef/knife/data_bag_secret_options.rb | 50 | ||||
-rw-r--r-- | lib/chef/knife/data_bag_show.rb | 2 | ||||
-rw-r--r-- | spec/unit/knife/bootstrap_spec.rb | 6 | ||||
-rw-r--r-- | spec/unit/knife/data_bag_secret_options_spec.rb | 6 | ||||
-rw-r--r-- | spec/unit/knife/data_bag_show_spec.rb | 4 |
6 files changed, 39 insertions, 31 deletions
diff --git a/lib/chef/knife/bootstrap.rb b/lib/chef/knife/bootstrap.rb
index 6d628f0224..a992cf5779 100644
--- a/lib/chef/knife/bootstrap.rb
+++ b/lib/chef/knife/bootstrap.rb
@@ -239,7 +239,7 @@ class Chef
       def render_template
         template_file = find_template
         template = IO.read(template_file).chomp
-        secret = encryption_secret_provided?(false) ? read_secret : nil
+        secret = encryption_secret_provided_ignore_encrypt_flag? ? read_secret : nil
         context = Knife::Core::BootstrapContext.new(config, config[:run_list], Chef::Config, secret)
         Erubis::Eruby.new(template).evaluate(context)
       end
diff --git a/lib/chef/knife/data_bag_secret_options.rb b/lib/chef/knife/data_bag_secret_options.rb
index 238d09667c..766006089e 100644
--- a/lib/chef/knife/data_bag_secret_options.rb
+++ b/lib/chef/knife/data_bag_secret_options.rb
@@ -54,28 +54,12 @@ class Chef
           :default => false
       end
 
-      ##
-      # Determine if the user has specified an appropriate secret for encrypting data bag items.
-      # @returns boolean
-      def encryption_secret_provided?(need_encrypt_flag = true)
-        validate_secrets
-
-        return true if has_cl_secret? || has_cl_secret_file?
+      def encryption_secret_provided?
+        base_encryption_secret_provided?
+      end
 
-        if need_encrypt_flag
-          if config[:encrypt]
-            unless knife_config[:secret] || knife_config[:secret_file]
-              ui.fatal("No secret or secret_file specified in config, unable to encrypt item.")
-              exit(1)
-            end
-            return true
-          end
-          return false
-        elsif knife_config[:secret] || knife_config[:secret_file]
-          # Certain situations (show and bootstrap) don't need a --encrypt flag to use the config file secret
-          return true
-        end
-        return false
+      def encryption_secret_provided_ignore_encrypt_flag?
+        base_encryption_secret_provided?(false)
       end
 
       def read_secret
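Review bot: The two new public predicates in data_bag_secret_options.rb, `encryption_secret_provided?` and `encryption_secret_provided_ignore_encrypt_flag?`, land without any comment now that the `##` block has moved to the private helper, so nothing on the public surface tells a caller that the first one may call `ui.fatal` and `exit(1)` when `--encrypt` is given without a configured secret, or that the second one accepts a secret from knife config without `--encrypt`. I would put a short comment above each: `# True when a secret is available for encryption; with --encrypt but no secret/secret_file in knife config this prints a fatal error and exits.` and `# Like encryption_secret_provided?, but a secret or secret_file in knife config counts even without --encrypt (used by show and bootstrap).`. The exit behaviour is inherited from the moved code rather than introduced here, but the rename is the moment to document it where callers look.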
@@ -109,6 +93,30 @@ class Chef
 
       private
 
+      ##
+      # Determine if the user has specified an appropriate secret for encrypting data bag items.
+      # @returns boolean
+      def base_encryption_secret_provided?(need_encrypt_flag = true)
+        validate_secrets
+
+        return true if has_cl_secret? || has_cl_secret_file?
+
+        if need_encrypt_flag
+          if config[:encrypt]
+            unless knife_config[:secret] || knife_config[:secret_file]
+              ui.fatal("No secret or secret_file specified in config, unable to encrypt item.")
+              exit(1)
+            end
+            return true
+          end
+          return false
+        elsif knife_config[:secret] || knife_config[:secret_file]
+          # Certain situations (show and bootstrap) don't need a --encrypt flag to use the config file secret
+          return true
+        end
+        return false
+      end
+
       def has_cl_secret?
         Chef::Config[:knife].has_key?(:cl_secret)
       end
diff --git a/lib/chef/knife/data_bag_show.rb b/lib/chef/knife/data_bag_show.rb
index 2f97d36ca3..36715286e8 100644
--- a/lib/chef/knife/data_bag_show.rb
+++ b/lib/chef/knife/data_bag_show.rb
@@ -36,7 +36,7 @@ class Chef
       def run
         display = case @name_args.length
                   when 2 # Bag and Item names provided
-                    secret = encryption_secret_provided?(false) ? read_secret : nil
+                    secret = encryption_secret_provided_ignore_encrypt_flag? ? read_secret : nil
                     raw_data = Chef::DataBagItem.load(@name_args[0], @name_args[1]).raw_data
                     encrypted = encrypted?(raw_data)
 
diff --git a/spec/unit/knife/bootstrap_spec.rb b/spec/unit/knife/bootstrap_spec.rb
index 1b1bf3a699..d5c668753e 100644
--- a/spec/unit/knife/bootstrap_spec.rb
+++ b/spec/unit/knife/bootstrap_spec.rb
@@ -30,7 +30,7 @@ describe Chef::Knife::Bootstrap do
 
     k.merge_configs
     k.ui.stub(:stderr).and_return(stderr)
-    allow(k).to receive(:encryption_secret_provided?).with(false).and_return(false)
+    allow(k).to receive(:encryption_secret_provided_ignore_encrypt_flag?).and_return(false)
     k
   end
 
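Review bot: `base_encryption_secret_provided?(need_encrypt_flag = true)` keeps a bare boolean positional, so the two wrappers read as `base_encryption_secret_provided?` and `base_encryption_secret_provided?(false)` with nothing at the call site saying what `false` switches off; since the helper is now private with exactly these two callers, a keyword costs nothing: `def base_encryption_secret_provided?(need_encrypt_flag: true)` called as `base_encryption_secret_provided?(need_encrypt_flag: false)`. The moved doc comment also uses `# @returns boolean`, which is not a YARD tag; `# @return [Boolean]` is, and the comment could add that the method exits the process on the `--encrypt`-without-secret path, which a `?` method is not expected to do. Both wrapper call sites are in the previous hunk of this file.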
@@ -296,13 +296,13 @@ describe Chef::Knife::Bootstrap do
     end
 
     it "creates a secret file" do
-      expect(knife).to receive(:encryption_secret_provided?).with(false).and_return(true)
+      expect(knife).to receive(:encryption_secret_provided_ignore_encrypt_flag?).and_return(true)
       expect(knife).to receive(:read_secret).and_return(secret)
       rendered_template.should match(%r{#{secret}})
     end
 
     it "renders the client.rb with an encrypted_data_bag_secret entry" do
-      expect(knife).to receive(:encryption_secret_provided?).with(false).and_return(true)
+      expect(knife).to receive(:encryption_secret_provided_ignore_encrypt_flag?).and_return(true)
       expect(knife).to receive(:read_secret).and_return(secret)
       rendered_template.should match(%r{encrypted_data_bag_secret\s*"/etc/chef/encrypted_data_bag_secret"})
     end
diff --git a/spec/unit/knife/data_bag_secret_options_spec.rb b/spec/unit/knife/data_bag_secret_options_spec.rb
index b45a95b73a..0a2d8ca4bf 100644
--- a/spec/unit/knife/data_bag_secret_options_spec.rb
+++ b/spec/unit/knife/data_bag_secret_options_spec.rb
@@ -148,16 +148,16 @@ describe Chef::Knife::DataBagSecretOptions do
 
     it "returns true if --encrypt is not provided, :secret is in the config and need_encrypt_flag is false" do
       Chef::Config[:knife][:secret] = secret
-      expect(example_db.encryption_secret_provided?(false)).to eq(true)
+      expect(example_db.encryption_secret_provided_ignore_encrypt_flag?).to eq(true)
     end
 
     it "returns true if --encrypt is not provided, :secret_file is in the config and need_encrypt_flag is false" do
       Chef::Config[:knife][:secret_file] = secret_file.path
-      expect(example_db.encryption_secret_provided?(false)).to eq(true)
+      expect(example_db.encryption_secret_provided_ignore_encrypt_flag?).to eq(true)
     end
 
     it "returns false if --encrypt is not provided and need_encrypt_flag is false" do
-      expect(example_db.encryption_secret_provided?(false)).to eq(false)
+      expect(example_db.encryption_secret_provided_ignore_encrypt_flag?).to eq(false)
     end
   end
 
diff --git a/spec/unit/knife/data_bag_show_spec.rb b/spec/unit/knife/data_bag_show_spec.rb
index 47778bdf15..1125d99c2a 100644
--- a/spec/unit/knife/data_bag_show_spec.rb
+++ b/spec/unit/knife/data_bag_show_spec.rb
@@ -64,7 +64,7 @@ describe Chef::Knife::DataBagShow do
   end
 
   it "decrypts and displays the encrypted data bag when the secret is provided" do
-    expect(knife).to receive(:encryption_secret_provided?).with(false).and_return(true)
+    expect(knife).to receive(:encryption_secret_provided_ignore_encrypt_flag?).and_return(true)
     expect(knife).to receive(:read_secret).and_return(secret)
     expect(Chef::DataBagItem).to receive(:load).with(bag_name, item_name).and_return(data_bag_with_encoded_hash)
     expect(knife.ui).to receive(:info).with("Encrypted data bag detected, decrypting with provided secret.")
@@ -78,7 +78,7 @@ qux: http://localhost:4000/data/bag_o_data/qux|
   end
 
   it "displays the encrypted data bag when the secret is not provided" do
-    expect(knife).to receive(:encryption_secret_provided?).with(false).and_return(false)
+    expect(knife).to receive(:encryption_secret_provided_ignore_encrypt_flag?).and_return(false)
     expect(Chef::DataBagItem).to receive(:load).with(bag_name, item_name).and_return(data_bag_with_encoded_hash)
     expect(knife.ui).to receive(:warn).with("Encrypted data bag detected, but no secret provided for decoding. Displaying encrypted data.")
 