lib/chef/knife/bootstrap/chef_vault_handler.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

#
# Author:: Lamont Granquist (<lamont@chef.io>)
# Copyright:: Copyright 2015-2016, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require "chef/knife/bootstrap"

class Chef
  class Knife
    class Bootstrap < Knife
      class ChefVaultHandler
        # @return [Hash] knife merged config, typically @config
        attr_accessor :knife_config

        # @return [Chef::Knife::UI] ui object for output
        attr_accessor :ui

        # @return [Chef::ApiClient] vault client
        attr_reader :client

        # @param knife_config [Hash] knife merged config, typically @config
        # @param ui [Chef::Knife::UI] ui object for output
        def initialize(knife_config: {}, ui: nil)
          @knife_config = knife_config
          @ui           = ui
        end

        # Updates the chef vault items for the newly created client.
        #
        # @param client [Chef::ApiClient] vault client
        def run(client)
          return unless doing_chef_vault?

          sanity_check

          @client = client

          update_bootstrap_vault_json!
        end

        # Iterate through all the vault items to update.  Items may be either a String
        # or an Array of Strings:
        #
        # {
        #   "vault1":  "item",
        #   "vault2":  [ "item1", "item2", "item2" ]
        # }
        #
        def update_bootstrap_vault_json!
          vault_json.each do |vault, items|
            [ items ].flatten.each do |item|
              update_vault(vault, item)
            end
          end
        end

        # @return [Boolean] if we've got chef vault options to act on or not
        def doing_chef_vault?
          !!(bootstrap_vault_json || bootstrap_vault_file || bootstrap_vault_item)
        end

        private

        # warn if the user has given mutual conflicting options
        def sanity_check
          if bootstrap_vault_item && (bootstrap_vault_json || bootstrap_vault_file)
            ui.warn "--vault-item given with --vault-list or --vault-file, ignoring the latter"
          end

          if bootstrap_vault_json && bootstrap_vault_file
            ui.warn "--vault-list given with --vault-file, ignoring the latter"
          end
        end

        # @return [String] string with serialized JSON representing the chef vault items
        def bootstrap_vault_json
          knife_config[:bootstrap_vault_json]
        end

        # @return [String] JSON text in a file representing the chef vault items
        def bootstrap_vault_file
          knife_config[:bootstrap_vault_file]
        end

        # @return [Hash] Ruby object representing the chef vault items to create
        def bootstrap_vault_item
          knife_config[:bootstrap_vault_item]
        end

        # Helper to return a ruby object represeting all the data bags and items
        # to update via chef-vault.
        #
        # @return [Hash] deserialized ruby hash with all the vault items
        def vault_json
          @vault_json ||=
            begin
              if bootstrap_vault_item
                bootstrap_vault_item
              else
                json = bootstrap_vault_json ? bootstrap_vault_json : File.read(bootstrap_vault_file)
                Chef::JSONCompat.from_json(json)
              end
            end
        end

        # Update an individual vault item and save it
        #
        # @param vault [String] name of the chef-vault encrypted data bag
        # @param item [String] name of the chef-vault encrypted item
        def update_vault(vault, item)
          require_chef_vault!
          bootstrap_vault_item = load_chef_bootstrap_vault_item(vault, item)
          bootstrap_vault_item.clients(client)
          bootstrap_vault_item.save
        end

        # Hook to stub out ChefVault
        #
        # @param vault [String] name of the chef-vault encrypted data bag
        # @param item [String] name of the chef-vault encrypted item
        # @returns [ChefVault::Item] ChefVault::Item object
        def load_chef_bootstrap_vault_item(vault, item)
          ChefVault::Item.load(vault, item)
        end

        public :load_chef_bootstrap_vault_item # for stubbing

        # Helper to very lazily require the chef-vault gem
        def require_chef_vault!
          @require_chef_vault ||=
            begin
              error_message = "Knife bootstrap needs version 2.6.0 or higher of the chef-vault gem to configure chef vault items"
              require "chef-vault"
              if Gem::Version.new(ChefVault::VERSION) < Gem::Version.new("2.6.0")
                raise error_message
              end
              true
            rescue LoadError
              raise error_message
            end
        end
      end
    end
  end
end