Merge pull request #272 from criteo-forks/non_strict_client_check

Assume all nodes matching the search query are valid nodes
chef · May 15, 2017 · f4e5d09 · f4e5d09
2 parents de4a1f9 + 342e9c5
commit f4e5d09
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 22 deletions.
diff --git a/features/clean_on_refresh.feature b/features/clean_on_refresh.feature
@@ -18,7 +18,7 @@ Feature: clean unknown clients on vault refresh
     Given a local mode chef repo with nodes 'one,two,three'
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
     Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete client 'one' from the Chef server
+    And I delete node 'one' from the Chef server
     And I refresh the vault item 'test/item' with the 'clean-unknown-clients' option
     Then the output should contain "Removing unknown client 'one'"
     And the vault item 'test/item' should be encrypted for 'two,three'

diff --git a/features/clean_unknown_clients.feature b/features/clean_unknown_clients.feature
@@ -1,29 +1,17 @@
 Feature: clean unknown clients on key rotation
   When removing a client from a vault item, chef-vault normally
-  removes the key and then rotates the key.  If a client has been
+  removes the key and then rotates the key.  If a node has been
   deleted in the meantime from the Chef server but not the vault,
   the rotation will fail due to that client's public key missing.
   Using the --clean-unknown-clients switch will cause any clients
   that have been removed to be removed from the vault item's
   access list as well
 
-  Scenario: Prune clients when removing a client
-    Given a local mode chef repo with nodes 'one,two,three'
-    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
-    Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete client 'one' from the Chef server
-    And I remove client 'two' from vault item 'test/item' with the 'clean-unknown-clients' option
-    Then the output should contain "Removing unknown client 'one'"
-    And the vault item 'test/item' should be encrypted for 'three'
-    And the vault item 'test/item' should not be encrypted for 'one,two'
-    And 'three' should be a client for the vault item 'test/item'
-    And 'one,two' should not be a client for the vault item 'test/item'
-
   Scenario: Prune clients when rotating keys
     Given a local mode chef repo with nodes 'one,two,three'
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
     Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete client 'one' from the Chef server
+    And I delete node 'one' from the Chef server
     And I rotate the keys for vault item 'test/item' with the 'clean-unknown-clients' option
     Then the output should contain "Removing unknown client 'one'"
     And the vault item 'test/item' should be encrypted for 'two,three'
@@ -35,7 +23,7 @@ Feature: clean unknown clients on key rotation
     Given a local mode chef repo with nodes 'one,two,three'
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three'
     Then the vault item 'test/item' should be encrypted for 'one,two,three'
-    And I delete clients 'one,two' from the Chef server
+    And I delete nodes 'one,two' from the Chef server
     And I rotate all keys with the 'clean-unknown-clients' option
     Then the output should contain "Removing unknown client 'one'"
     And the output should contain "Removing unknown client 'two'"

diff --git a/lib/chef-vault/item.rb b/lib/chef-vault/item.rb
@@ -411,15 +411,11 @@ def remove_unknown_nodes
 
     # checks if a node exists on the Chef server by performing
     # a search against the node index.  If the search returns no
-    # results, the node does not exist.  If it does return results,
-    # check if there is a matching client
+    # results, the node does not exist.
     # @param nodename [String] the name of the node
     # @return [Boolean] whether the node exists or not
     def node_exists?(nodename)
-      # if we don't have a client it really doesn't matter if we have a node.
-      if client_exists?(nodename)
-        search_results.include?(nodename)
-      end
+      search_results.include?(nodename)
     end
 
     # checks if a client exists on the Chef server.  If we get back