1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
#
# Author:: Tyler Ball (<tball@chef.io>)
# Copyright:: Copyright (c) Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require "mixlib/cli" unless defined?(Mixlib::CLI)
require_relative "../config"
require_relative "../encrypted_data_bag_item/check_encrypted"
class Chef
class Knife
module DataBagSecretOptions
include Mixlib::CLI
include Chef::EncryptedDataBagItem::CheckEncrypted
# The config object is populated by knife#merge_configs with knife.rb `knife[:*]` config values, but they do
# not overwrite the command line properties. It does mean, however, that `knife[:secret]` and `--secret-file`
# passed at the same time populate both `config[:secret]` and `config[:secret_file]`. We cannot differentiate
# the valid case (`knife[:secret]` in config file and `--secret-file` on CL) and the invalid case (`--secret`
# and `--secret-file` on the CL) - thats why I'm storing the CL options in a different config key if they
# are provided.
def self.included(base)
base.option :cl_secret,
long: "--secret SECRET",
description: "The secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret'."
base.option :cl_secret_file,
long: "--secret-file SECRET_FILE",
description: "A file containing the secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret_file'."
base.option :encrypt,
long: "--encrypt",
description: "If 'secret' or 'secret_file' is present in your config, then encrypt data bags using it.",
boolean: true,
default: false
end
def encryption_secret_provided?
base_encryption_secret_provided?
end
def encryption_secret_provided_ignore_encrypt_flag?
base_encryption_secret_provided?(false)
end
def read_secret
# Moving the non 'compile-time' requires into here to speed up knife command loading
# IE, if we are not running 'knife data bag *' we don't need to load 'chef/encrypted_data_bag_item'
require_relative "../encrypted_data_bag_item"
if config[:cl_secret]
config[:cl_secret]
elsif config[:cl_secret_file]
Chef::EncryptedDataBagItem.load_secret(config[:cl_secret_file])
elsif secret = config[:secret]
secret
else
secret_file = config[:secret_file]
Chef::EncryptedDataBagItem.load_secret(secret_file)
end
end
def validate_secrets
if config[:cl_secret] && config[:cl_secret_file]
ui.fatal("Please specify only one of --secret, --secret-file")
exit(1)
end
if config[:secret] && config[:secret_file]
ui.fatal("Please specify only one of 'secret' or 'secret_file' in your config file")
exit(1)
end
end
private
##
# Determine if the user has specified an appropriate secret for encrypting data bag items.
# @return boolean
def base_encryption_secret_provided?(need_encrypt_flag = true)
validate_secrets
return true if config[:cl_secret] || config[:cl_secret_file]
if need_encrypt_flag
if config[:encrypt]
unless config[:secret] || config[:secret_file]
ui.fatal("No secret or secret_file specified in config, unable to encrypt item.")
exit(1)
end
return true
end
return false
elsif config[:secret] || config[:secret_file]
# Certain situations (show and bootstrap) don't need a --encrypt flag to use the config file secret
return true
end
false
end
def knife_config
Chef.deprecated(:knife_bootstrap_apis, "The `knife_config` bootstrap helper has been deprecated, use the properly merged `config` helper instead")
Chef::Config.key?(:knife) ? Chef::Config[:knife] : {}
end
end
end
end
|
