path: root/lib/chef/knife/bootstrap/chef_vault_handler.rb
blob: c421d2cb158c183c1aa4dda23afeb3279852d9c1 (plain)
#
# Author:: Lamont Granquist (<lamont@chef.io>)
# Copyright:: Copyright (c) 2015 Opscode, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

class Chef
  class Knife
    class Bootstrap < Knife
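      class ChefVaultHandler

        # @return [Hash] knife merged config, typically @config
        attr_accessor :knife_config

        # @return [Chef::Knife::UI] ui object for output
        attr_accessor :ui

        # @return [String] name of the node (technically name of the client)
        attr_reader :node_name

        # @param knife_config [Hash] knife merged config, typically @config
        # @param ui [Chef::Knife::UI] ui object for output
        def initialize(knife_config: {}, ui: nil)
          @knife_config = knife_config
          @ui           = ui
        end

        # Updates the chef vault items for the newly created node.
        #
        # Does nothing unless one of --vault-item, --vault-list or --vault-file was
        # given.  When vault options are present the node name is required: it is
        # interpolated into the "name:<node_name>" search used both to wait for the
        # client and to grant it access to each vault item, so an empty name would
        # turn that into an open-ended "name:" query instead of targeting the
        # bootstrapped client.
        #
        # @param node_name [String] name of the node (technically name of the client)
        # @raise [ArgumentError] if vault options are present and node_name is nil or empty
        # @todo: make node_name a required keyword once ruby 2.0 compat is dropped
        def run(node_name: nil)
          return unless doing_chef_vault?

          # The keyword stays optional for ruby 2.0 compat; enforce it here instead.
          if node_name.to_s.empty?
            raise ArgumentError, "node_name is required to update chef vault items"
          end

          sanity_check

          @node_name = node_name

          # Modifier-while: wait_for_client runs (and sleeps) before the first message.
          ui.info("Updating Chef Vault, waiting for client to be searchable..") while wait_for_client

          update_vault_list!
        end

        # Iterate through all the vault items to update.  Items may be either a String
        # or an Array of Strings:
        #
        # {
        #   "vault1":  "item",
        #   "vault2":  [ "item1", "item2", "item2" ]
        # }
        #
        def update_vault_list!
          vault_json.each do |vault, items|
            # [items].flatten (rather than Array()) accepts both a String and an
            # Array of Strings, and also flattens accidentally nested arrays.
            [ items ].flatten.each do |item|
              update_vault(vault, item)
            end
          end
        end

        # @return [Boolean] if we've got chef vault options to act on or not
        def doing_chef_vault?
          !!(vault_list || vault_file || vault_item)
        end

        private

        # warn if the user has given mutually conflicting options
        #
        # Precedence is --vault-item, then --vault-list, then --vault-file (see #vault_json).
        def sanity_check
          if vault_item && (vault_list || vault_file)
            ui.warn "--vault-item given with --vault-list or --vault-file, ignoring the latter"
          end

          if vault_list && vault_file
            ui.warn "--vault-list given with --vault-file, ignoring the latter"
          end
        end

        # @return [String] string with serialized JSON representing the chef vault items
        def vault_list
          knife_config[:vault_list]
        end

        # @return [String] JSON text in a file representing the chef vault items
        def vault_file
          knife_config[:vault_file]
        end

        # @return [Hash] Ruby object representing the chef vault items to create
        def vault_item
          knife_config[:vault_item]
        end

        # Helper to return a ruby object representing all the data bags and items
        # to update via chef-vault.  Resolved once and memoized.
        #
        # @return [Hash] deserialized ruby hash with all the vault items
        def vault_json
          @vault_json ||=
            begin
              if vault_item
                vault_item
              else
                # --vault-list wins over --vault-file (sanity_check has already warned).
                json = vault_list || File.read(vault_file)
                Chef::JSONCompat.from_json(json)
              end
            end
        end

        # Update an individual vault item and save it
        #
        # @param vault [String] name of the chef-vault encrypted data bag
        # @param item [String] name of the chef-vault encrypted item
        def update_vault(vault, item)
          require_chef_vault!
          # Named vault_entry so the private #vault_item reader is not shadowed here.
          vault_entry = load_chef_vault_item(vault, item)
          # Grants the client(s) matching this search access to the item; with a
          # unique node name that is the bootstrapped client.  node_name is
          # interpolated unescaped, so it must be a plain client name.
          vault_entry.clients("name:#{node_name}")
          vault_entry.save
        end

        # Hook to stub out ChefVault
        #
        # @param vault [String] name of the chef-vault encrypted data bag
        # @param item [String] name of the chef-vault encrypted item
        # @return [ChefVault::Item] ChefVault::Item object
        def load_chef_vault_item(vault, item)
          ChefVault::Item.load(vault, item)
        end

        public :load_chef_vault_item  # for stubbing

        # Helper used to spin waiting for the client to appear in search.
        #
        # Treats both a nil first element and an empty rows array as "not yet
        # searchable"; the original only handled nil, and Chef::Search::Query#search
        # without a block is believed to return [rows, start, total] where rows is
        # an Array, so an empty result would otherwise have ended the wait at once.
        # NOTE(review): confirm the return shape against Chef::Search::Query#search.
        # There is no upper bound on the wait; the caller keeps polling until the
        # client is found.
        #
        # @return [Boolean] true if the client is NOT yet searchable (keep waiting)
        def wait_for_client
          sleep 1
          rows = Chef::Search::Query.new.search(:client, "name:#{node_name}")[0]
          Array(rows).empty?
        end

        # Helper to very lazily require the chef-vault gem
        #
        # @raise [RuntimeError] if the chef-vault gem cannot be loaded
        def require_chef_vault!
          @require_chef_vault ||=
            begin
              require 'chef-vault'
              true
            rescue LoadError
              raise "Knife bootstrap cannot configure chef vault items when the chef-vault gem is not installed"
            end
        end

      end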
    end
  end
end