module Chef::Knife::DataBagSecretOptions

Public Class Methods

included(base)

The config object is populated by knife#merge_configs with the knife.rb `knife[:secret]` / `knife[:secret_file]` config values, but they do not overwrite the command line properties. It does mean, however, that `knife[:secret]` in the config file and `--secret-file` on the command line populate both `config[:secret]` and `config[:secret_file]`. We cannot differentiate the valid case (`knife[:secret]` in the config file and `--secret-file` on the command line) from the invalid case (`--secret` and `--secret-file` both on the command line) - that is why the command-line options are additionally stored under separate config keys (`cl_secret`, `cl_secret_file`) when they are provided.

# File lib/chef/knife/data_bag_secret_options.rb, line 36
# Wires the data bag secret options onto the including knife command.
#
# `--secret`/`-s` and `--secret-file` go through a proc that additionally
# records the value under a dedicated Chef::Config[:knife] key
# (cl_secret / cl_secret_file). That lets later code tell a value typed on
# the command line apart from one that knife#merge_configs copied in from
# knife.rb, which would otherwise land under the very same config keys.
# The proc hands the value back unchanged, so config[:secret] /
# config[:secret_file] are still populated as usual (read_secret reads them).
#
# NOTE(security): a secret passed via `--secret` is visible in the process
# listing and ends up in the shell history; `--secret-file` is the form to
# recommend to users.
def self.included(base)
  secret_opts = {
    short: "-s SECRET",
    long: "--secret ",
    description: "The secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret'.",
    # Keep a copy of the command-line value under its own key: knife#merge_configs
    # populates the same config[:secret] key from the config file.
    proc: proc { |s| set_cl_secret(s) },
  }
  base.option(:secret, **secret_opts)

  secret_file_opts = {
    long: "--secret-file SECRET_FILE",
    description: "A file containing the secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret_file'.",
    proc: proc { |sf| set_cl_secret_file(sf) },
  }
  base.option(:secret_file, **secret_file_opts)

  encrypt_opts = {
    long: "--encrypt",
    description: "If 'secret' or 'secret_file' is present in your config, then encrypt data bags using it.",
    boolean: true,
    default: false,
  }
  base.option(:encrypt, **encrypt_opts)
end

Private Class Methods

set_cl_secret(s)
# File lib/chef/knife/data_bag_secret_options.rb, line 124
# Records a secret given on the command line (`--secret`) under its own
# Chef::Config[:knife] key so has_cl_secret? can tell it apart from a
# `secret` setting that knife#merge_configs copied in from knife.rb.
# Returns the secret unchanged (the option proc's return value).
#
# NOTE(security): the raw secret now sits in the process-wide Chef::Config;
# take care not to dump that object into logs or error output.
def self.set_cl_secret(s)
  knife_section = Chef::Config[:knife]
  knife_section[:cl_secret] = s
end
set_cl_secret_file(sf)
# File lib/chef/knife/data_bag_secret_options.rb, line 132
# Records a secret file path given on the command line (`--secret-file`)
# under its own Chef::Config[:knife] key so has_cl_secret_file? can tell it
# apart from a `secret_file` setting that came from knife.rb.
# Returns the path unchanged (the option proc's return value).
def self.set_cl_secret_file(sf)
  knife_section = Chef::Config[:knife]
  knife_section[:cl_secret_file] = sf
end

Public Instance Methods

encryption_secret_provided?()
# File lib/chef/knife/data_bag_secret_options.rb, line 57
# True when this command has a usable encryption secret.
# Uses base_encryption_secret_provided? with need_encrypt_flag = true, so a
# secret coming from the config file only counts when `--encrypt` was given
# as well; a command-line secret counts regardless.
def encryption_secret_provided?
  base_encryption_secret_provided?(true)
end
encryption_secret_provided_ignore_encrypt_flag?()
# File lib/chef/knife/data_bag_secret_options.rb, line 61
# Like encryption_secret_provided? but does not require `--encrypt`:
# a secret from the config file is accepted on its own. Used by commands
# that decrypt rather than encrypt (see the note in
# base_encryption_secret_provided?).
def encryption_secret_provided_ignore_encrypt_flag?
  need_encrypt_flag = false
  base_encryption_secret_provided?(need_encrypt_flag)
end
read_secret()
# File lib/chef/knife/data_bag_secret_options.rb, line 65
# Returns the secret used to encrypt/decrypt data bag items, taking the
# first of these that is present:
#   1. `--secret` on the command line (config[:secret]);
#   2. `--secret-file` on the command line, read through
#      Chef::EncryptedDataBagItem.load_secret;
#   3. `secret` from the knife section of the config file;
#   4. otherwise `secret_file` from the config file, handed to load_secret
#      (nil when unset - load_secret is left to deal with that).
#
# The require lives here rather than at the top of the file so that knife
# commands that never touch encrypted data bags do not pay for loading
# chef/encrypted_data_bag_item.
#
# NOTE(security): nothing here checks the secret file's ownership or mode;
# whether load_secret does is not visible from this file - confirm before
# relying on it, and keep secret files at 0600 regardless.
def read_secret
  require_relative "../encrypted_data_bag_item"

  return config[:secret] if has_cl_secret?
  return Chef::EncryptedDataBagItem.load_secret(config[:secret_file]) if has_cl_secret_file?

  inline_secret = knife_config[:secret]
  return inline_secret if inline_secret

  Chef::EncryptedDataBagItem.load_secret(knife_config[:secret_file])
end
validate_secrets()
# File lib/chef/knife/data_bag_secret_options.rb, line 82
# Aborts the command (exit status 1, after a fatal message on ui) when the
# secret was given ambiguously: both `--secret` and `--secret-file` on the
# command line, or both `secret` and `secret_file` in the knife config.
# One command-line form combined with one config-file form is allowed;
# read_secret then prefers the command-line value. Returns nil otherwise.
def validate_secrets
  cli_conflict = has_cl_secret? && has_cl_secret_file?
  if cli_conflict
    ui.fatal("Please specify only one of --secret, --secret-file")
    exit(1)
  end

  config_conflict = knife_config[:secret] && knife_config[:secret_file]
  return unless config_conflict

  ui.fatal("Please specify only one of 'secret' or 'secret_file' in your config file")
  exit(1)
end

Private Instance Methods

base_encryption_secret_provided?(need_encrypt_flag = true)

Determine if the user has specified an appropriate secret for encrypting data bag items. @return boolean

# File lib/chef/knife/data_bag_secret_options.rb, line 99
# Decides whether the user supplied an appropriate secret for encrypting
# data bag items, aborting (via validate_secrets or ui.fatal + exit) on
# conflicting or missing configuration.
#
# @param need_encrypt_flag [Boolean] when true, a config-file secret only
#   counts if `--encrypt` was also passed; when false it counts on its own.
# @return [Boolean]
def base_encryption_secret_provided?(need_encrypt_flag = true)
  validate_secrets

  # A secret given on the command line is accepted whether or not --encrypt was passed.
  return true if has_cl_secret? || has_cl_secret_file?

  config_file_secret = knife_config[:secret] || knife_config[:secret_file]

  # Certain situations (show and bootstrap) don't need a --encrypt flag to use the config file secret.
  return !!config_file_secret unless need_encrypt_flag

  # --encrypt not given: no command-line secret means nothing to encrypt with.
  return false unless config[:encrypt]

  # --encrypt given but nothing configured to encrypt with - refuse rather than write plaintext.
  unless config_file_secret
    ui.fatal("No secret or secret_file specified in config, unable to encrypt item.")
    exit(1)
  end
  true
end
has_cl_secret?()
# File lib/chef/knife/data_bag_secret_options.rb, line 120
# True when `--secret` was given on the command line, i.e. set_cl_secret
# stored a value under Chef::Config[:knife][:cl_secret]. Presence of the key
# is what counts, not the value.
def has_cl_secret?
  knife_section = Chef::Config[:knife]
  knife_section.key?(:cl_secret)
end
has_cl_secret_file?()
# File lib/chef/knife/data_bag_secret_options.rb, line 128
# True when `--secret-file` was given on the command line, i.e.
# set_cl_secret_file stored a path under Chef::Config[:knife][:cl_secret_file].
# Presence of the key is what counts, not the value.
def has_cl_secret_file?
  knife_section = Chef::Config[:knife]
  knife_section.key?(:cl_secret_file)
end
knife_config()
# File lib/chef/knife/data_bag_secret_options.rb, line 136
# The knife section of Chef::Config, or an empty hash when no such section
# exists, so callers can index it without a nil check.
def knife_config
  return {} unless Chef::Config.key?(:knife)

  Chef::Config[:knife]
end