diff --git a/lib/chef-vault.rb b/lib/chef-vault.rb
index 998d8fc..0aad07b 100644
--- a/lib/chef-vault.rb
+++ b/lib/chef-vault.rb
@@ -30,7 +30,7 @@
 require "chef-vault/user"
 require "chef-vault/certificate"
 require "chef-vault/chef_api"
-require "chef-vault/chef_key"
+require "chef-vault/actor"
 require "mixlib/log"
diff --git a/lib/chef-vault/chef_key.rb b/lib/chef-vault/actor.rb
similarity index 83%
rename from lib/chef-vault/chef_key.rb
rename to lib/chef-vault/actor.rb
index 52d805f..392e041 100644
--- a/lib/chef-vault/chef_key.rb
+++ b/lib/chef-vault/actor.rb
@@ -17,18 +17,18 @@
 require "json"
 class ChefVault
- class ChefKey
+ class Actor
 attr_accessor :key_string
- attr_reader :actor_type
- attr_reader :actor_name
+ attr_reader :type
+ attr_reader :name
 def initialize(actor_type, actor_name)
 if actor_type != "clients" && actor_type != "admins"
- raise "You must pass either 'clients' or 'admins' as the first argument to ChefVault::ChefKey.new."
+ raise "You must pass either 'clients' or 'admins' as the first argument to ChefVault::Actor.new."
 end
- @actor_type = actor_type
- @actor_name = actor_name
+ @type = actor_type
+ @name = actor_name
 end
 def key
@@ -46,13 +46,13 @@ def get_admin_key
 raise http_error
 when "404"
 begin
- ChefVault::Log.warn "The default key for #{actor_name} not found in users, trying client keys."
+ ChefVault::Log.warn "The default key for #{name} not found in users, trying client keys."
 get_key("clients")
 rescue Net::HTTPServerException => http_error
 case http_error.response.code
 when "404"
 raise ChefVault::Exceptions::AdminNotFound,
- "FATAL: Could not find default key for #{actor_name} in users or clients!"
+ "FATAL: Could not find default key for #{name} in users or clients!"
 when "403"
 print_forbidden_error
 raise http_error
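Review bot: The rewritten `raise` line in `Actor#initialize` still raises a bare RuntimeError when the first argument is neither "clients" nor "admins", so a caller cannot rescue a usage mistake separately from the network and server failures the other methods raise; `raise ArgumentError, "You must pass either 'clients' or 'admins' as the first argument to ChefVault::Actor.new."` keeps the message and gives the error a proper class. The same two literals are compared again in `is_client?` and `is_admin?` later in this file, so a frozen constant such as `TYPES = %w[clients admins].freeze` checked with `TYPES.include?(actor_type)` would keep the three checks from drifting. Since `type` and `name` become the public readers that `ItemKeys#add`/`#delete` depend on, and `name` is interpolated into the API request path in `get_key`, a short YARD block on the class documenting `type` (one of "clients"/"admins") and `name` (the actor's Chef name exactly as the server knows it) would help the next maintainer. The class body continues past this hunk.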
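Review bot: The new `Log.warn` line in `get_admin_key` is the only trace that the 404 branch silently retries the same name with `get_key("clients")`, so an `Actor` built with type "admins" can end up holding a client's public key while `is_admin?` still answers true, and that key is presumably what `ItemKeys#add` later encrypts the shared secret to. If this is the intended behaviour (admins that are API clients rather than users), it deserves a comment above the `begin`, e.g. `# Admins may be API clients rather than users: on a 404 from the users keys endpoint, retry the same name under clients.`, and the warning should state which actor type the key was finally resolved from so the log shows which key was used. `get_admin_key` starts before this hunk and its remaining rescue branches end after it.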
@@ -74,7 +74,7 @@ def get_client_key raise http_error elsif http_error.response.code.eql?("404") raise ChefVault::Exceptions::ClientNotFound, - "#{actor_name} is not a valid chef client and/or node" + "#{name} is not a valid chef client and/or node" else raise http_error end @@ -82,11 +82,11 @@ def get_client_key end def is_client? - actor_type == "clients" + type == "clients" end def is_admin? - actor_type == "admins" + type == "admins" end # @private @@ -113,20 +113,20 @@ def chef_user end def get_key(request_actor_type) - api.org_scoped_rest_v1.get("#{request_actor_type}/#{actor_name}/keys/default").fetch("public_key") + api.org_scoped_rest_v1.get("#{request_actor_type}/#{name}/keys/default").fetch("public_key") # If the keys endpoint doesn't exist, try getting it directly from the V0 chef object. rescue Net::HTTPServerException => http_error raise http_error unless http_error.response.code.eql?("404") if request_actor_type.eql?("clients") - chef_api_client.load(actor_name).public_key + chef_api_client.load(name).public_key else - chef_user.load(actor_name).public_key + chef_user.load(name).public_key end end def print_forbidden_error ChefVault::Log.error < http_error - if http_error.response.code == "404" - raise ChefVault::Exceptions::ClientNotFound, - "#{client} is not a valid chef client" - else - raise http_error - end - end - - client - end - - def load_public_key(actor_name, type) - ChefVault::ChefKey.new(type, actor_name) + def load_actor(actor_name, type) + ChefVault::Actor.new(type, actor_name) end # removes unknown nodes by performing a node search @@ -417,7 +402,7 @@ def remove_unknown_nodes # now delete any flagged clients from the keys data bag clients_to_remove.each do |client| ChefVault::Log.warn "Removing unknown client '#{client}'" - keys.delete(load_public_key(client, "clients")) + keys.delete(load_actor(client, "clients")) end end 
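Review bot: `is_client?` and `is_admin?` keep the `is_` prefix that Ruby predicates conventionally drop, and the commit is already renaming this class's public surface (`actor_type` → `type`, `actor_name` → `name`), so adding `client?`/`admin?` now while keeping the old names as aliases would finish the job without breaking callers, e.g. `alias client? is_client?` and `alias admin? is_admin?`. Both methods compare `type` against a bare string literal that `initialize` also checks; a shared frozen constant would make the three comparisons one definition.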
@@ -460,8 +445,8 @@ def client_exists?(clientname) def handle_client_action(api_client, action) case action when :add - client_key = load_public_key(api_client.name, "clients") - add_client(client_key) + client = load_actor(api_client.name, "clients") + add_client(client) when :delete delete_client_or_node(api_client) end @@ -470,16 +455,16 @@ def handle_client_action(api_client, action) # adds a client to the vault item keys # @param client [Chef::ApiClient] the API client to add # @return [void] - def add_client(client_key) - keys.add(client_key, @secret) + def add_client(client) + keys.add(client, @secret) end # removes a client to the vault item keys # @param client_or_node [Chef::ApiClient, Chef::Node] the API client or node to remove # @return [void] def delete_client_or_node(client_or_node) - client_key = load_public_key(client_or_node.name, "clients") - keys.delete(client_key) + client = load_actor(client_or_node.name, "clients") + keys.delete(client) end end end diff --git a/lib/chef-vault/item_keys.rb b/lib/chef-vault/item_keys.rb index d9f711d..2fbba52 100644 --- a/lib/chef-vault/item_keys.rb +++ b/lib/chef-vault/item_keys.rb 
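Review bot: The YARD on `add_client` still reads `# @param client [Chef::ApiClient] the API client to add`, but after this change the argument is the `ChefVault::Actor` returned by `load_actor` (see `handle_client_action` in the hunk above) and `keys.add` reads `type`, `name` and `key` from it, so the documented type is now wrong; change it to `# @param client [ChefVault::Actor] the actor whose public key is added to the vault item keys`. The comment on `delete_client_or_node` says "removes a client to the vault item keys" where "from" is meant, and its `@param` could likewise say that only the name is used to build the actor. `handle_client_action` is split across the two hunks, and the class closes at the end of the second.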
@@ -35,19 +35,19 @@ def include?(key) end def add(chef_key, data_bag_shared_secret) - type = chef_key.actor_type + type = chef_key.type unless @raw_data.key?(type) raise ChefVault::Exceptions::V1Format, "cannot manage a v1 vault. See UPGRADE.md for help" end - self[chef_key.actor_name] = ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret) - @raw_data[type] << chef_key.actor_name unless @raw_data[type].include?(chef_key.actor_name) + self[chef_key.name] = ChefVault::ItemKeys.encode_key(chef_key.key, data_bag_shared_secret) + @raw_data[type] << chef_key.name unless @raw_data[type].include?(chef_key.name) @raw_data[type] end def delete(chef_key) - raw_data.delete(chef_key.actor_name) - raw_data[chef_key.actor_type].delete(chef_key.actor_name) + raw_data.delete(chef_key.name) + raw_data[chef_key.type].delete(chef_key.name) end def search_query(search_query = nil) diff --git a/spec/chef-vault/chef_key_spec.rb b/spec/chef-vault/actor_spec.rb similarity index 99% rename from spec/chef-vault/chef_key_spec.rb rename to spec/chef-vault/actor_spec.rb index 4eeecf5..de19936 100644 --- a/spec/chef-vault/chef_key_spec.rb +++ b/spec/chef-vault/actor_spec.rb @@ -1,6 +1,6 @@ require "spec_helper" -RSpec.describe ChefVault::ChefKey do +RSpec.describe ChefVault::Actor do let(:actor_name) { "actor" } let(:public_key_string) do "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMXT9IOV9pkQsxsnhSx8\n8RX6GW3caxkjcXFfHg6E7zUVBFAsfw4B1D+eHAks3qrDB7UrUxsmCBXwU4dQHaQy\ngAn5Sv0Jc4CejDNL2EeCBLZ4TF05odHmuzyDdPkSZP6utpR7+uF7SgVQedFGySIB\nih86aM+HynhkJqgJYhoxkrdo/JcWjpk7YEmWb6p4esnvPWOpbcjIoFs4OjavWBOF\niTfpkS0SkygpLi/iQu9RQfd4hDMWCc6yh3Th/1nVMUd+xQCdUK5wxluAWSv8U0zu\nhiIlZNazpCGHp+3QdP3f6rebmQA8pRM8qT5SlOvCYPk79j+IMUVSYrR4/DTZ+VM+\naQIDAQAB\n-----END PUBLIC KEY-----\n" diff --git a/spec/chef-vault/item_keys_spec.rb b/spec/chef-vault/item_keys_spec.rb index fddf3ff..ba4f4f7 100644 --- a/spec/chef-vault/item_keys_spec.rb 
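Review bot: `add` writes the actor under `self[chef_key.name]` in the same hash whose top-level entries "clients" and "admins" it has just checked with `@raw_data.key?(type)`, so an actor whose Chef name equals one of those reserved keys (or "id", which every data bag item carries — confirm against the rest of this class) would overwrite the type list with an encoded key and corrupt the item; a guard before the assignment, `raise ArgumentError, "#{chef_key.name} collides with a reserved vault key" if %w[clients admins].include?(chef_key.name)`, closes that hole. `delete` has no counterpart to the V1Format check in `add`, so on a v1 item `raw_data[chef_key.type]` is nil and the new `raw_data[chef_key.type].delete(chef_key.name)` line raises NoMethodError instead of the V1Format error; repeating the same explicit check at the top of `delete` would make the two methods consistent. The parameter is still named `chef_key` although the class is now `Actor`; renaming it to `actor` would match the rest of the commit.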
+++ b/spec/chef-vault/item_keys_spec.rb @@ -25,7 +25,7 @@ end shared_examples_for "proper key management" do - let(:chef_key) { ChefVault::ChefKey.new(type, name) } + let(:chef_key) { ChefVault::Actor.new(type, name) } before do allow(chef_key).to receive(:key) { public_key_string } keys.add(chef_key, shared_secret) @@ -51,7 +51,7 @@ it "removes the actor's name from the data bag and from the array for the actor's type" do keys.delete(chef_key) - expect(keys.has_key?(chef_key.actor_name)).to eq(false) + expect(keys.has_key?(chef_key.name)).to eq(false) expect(keys[type].include?(name)).to eq(false) end end diff --git a/spec/chef-vault/item_spec.rb b/spec/chef-vault/item_spec.rb index 4d3c069..8b9af24 100644 --- a/spec/chef-vault/item_spec.rb +++ b/spec/chef-vault/item_spec.rb @@ -192,7 +192,7 @@ client_key = double("client_key", name: "testnode", public_key: OpenSSL::PKey::RSA.new(1024).public_key) - allow(item).to receive(:load_public_key).with("testnode", "clients").and_return(client_key) + allow(item).to receive(:load_actor).with("testnode", "clients").and_return(client_key) expect(item).not_to receive(:save) expect(keys).to receive(:save) 
@@ -210,24 +210,24 @@ before do # node with valid client proper loads client key allow(node_with_valid_client).to receive(:name).and_return("foo") - allow(item).to receive(:load_public_key).with("foo", "clients").and_return(client_key) + allow(item).to receive(:load_actor).with("foo", "clients").and_return(client_key) privkey = OpenSSL::PKey::RSA.new(1024) pubkey = privkey.public_key allow(client_key).to receive(:key).and_return(pubkey.to_pem) - allow(client_key).to receive(:actor_name).and_return("foo") - allow(client_key).to receive(:actor_type).and_return("clients") + allow(client_key).to receive(:name).and_return("foo") + allow(client_key).to receive(:type).and_return("clients") # node without client throws relevant error on key load allow(node_without_valid_client).to receive(:name).and_return("bar") - allow(item).to receive(:load_public_key).with("bar", "clients").and_raise(ChefVault::Exceptions::ClientNotFound) + allow(item).to receive(:load_actor).with("bar", "clients").and_raise(ChefVault::Exceptions::ClientNotFound) allow(query_result) .to receive(:search) - .with(Symbol, String) - .and_yield(node_with_valid_client).and_yield(node_without_valid_client) + .with(Symbol, String) + .and_yield(node_with_valid_client).and_yield(node_without_valid_client) allow(Chef::Search::Query) .to receive(:new) - .and_return(query_result) + .and_return(query_result) end it "should not blow up when search returns a node without a public key" do 
@@ -252,10 +252,10 @@ client.name client_name privkey = OpenSSL::PKey::RSA.new(1024) pubkey = privkey.public_key - allow(item).to receive(:load_public_key).with(client_name, "clients").and_return(client_key) + allow(item).to receive(:load_actor).with(client_name, "clients").and_return(client_key) allow(client_key).to receive(:key).and_return(pubkey.to_pem) - allow(client_key).to receive(:actor_name).and_return(client_name) - allow(client_key).to receive(:actor_type).and_return("clients") + allow(client_key).to receive(:name).and_return(client_name) + allow(client_key).to receive(:type).and_return("clients") end context "when no action is passed" do @@ -299,11 +299,10 @@ client.name client_name privkey = OpenSSL::PKey::RSA.new(1024) pubkey = privkey.public_key - allow(item).to receive(:load_client).with("foo").and_return(client) - allow(item).to receive(:load_public_key).with(client_name, "clients").and_return(client_key) + allow(item).to receive(:load_actor).with(client_name, "clients").and_return(client_key) allow(client_key).to receive(:key).and_return(pubkey.to_pem) - allow(client_key).to receive(:actor_name).and_return(client_name) - allow(client_key).to receive(:actor_type).and_return("clients") + allow(client_key).to receive(:name).and_return(client_name) + allow(client_key).to receive(:type).and_return("clients") end context "when no action is passed" do @@ -339,7 +338,7 @@ describe "#admins" do before do - allow(item).to receive(:load_public_key).with("foo", "admins").and_raise(ChefVault::Exceptions::AdminNotFound) + allow(item).to receive(:load_actor).with("foo", "admins").and_raise(ChefVault::Exceptions::AdminNotFound) end it "should blow up if you try to use a node without a public key as an admin" do