Module: Chef::Knife::DataBagSecretOptions

Includes:
EncryptedDataBagItem::CheckEncrypted, Mixlib::CLI
Included in:
Bootstrap, DataBagCreate, DataBagEdit, DataBagFromFile, DataBagShow
Defined in:
lib/chef/knife/data_bag_secret_options.rb

Class Method Summary

Instance Method Summary

Class Method Details

.included(base) ⇒ Object

The config object is populated by knife#merge_configs with knife.rb `knife` config values, but they do not overwrite the command line properties. It does mean, however, that `knife[:secret]` and `--secret-file` passed at the same time populate both `config[:secret]` and `config[:secret_file]`. We cannot differentiate the valid case (`knife[:secret]` in config file and `--secret-file` on CL) and the invalid case (`--secret` and `--secret-file` on the CL) - that's why I'm storing the CL options in a different config key if they are provided.



# File 'lib/chef/knife/data_bag_secret_options.rb', line 36

def self.included(base)
  base.option :cl_secret,
    long: "--secret SECRET",
    description: "The secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret'."

  base.option :cl_secret_file,
    long: "--secret-file SECRET_FILE",
    description: "A file containing the secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret_file'."

  base.option :encrypt,
    long: "--encrypt",
    description: "If 'secret' or 'secret_file' is present in your config, then encrypt data bags using it.",
    boolean: true,
    default: false
end

Instance Method Details

#encryption_secret_provided? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/chef/knife/data_bag_secret_options.rb', line 52

def encryption_secret_provided?
  base_encryption_secret_provided?
end

#encryption_secret_provided_ignore_encrypt_flag? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/chef/knife/data_bag_secret_options.rb', line 56

def encryption_secret_provided_ignore_encrypt_flag?
  base_encryption_secret_provided?(false)
end

#read_secret ⇒ Object



# File 'lib/chef/knife/data_bag_secret_options.rb', line 60

def read_secret
  # Moving the non 'compile-time' requires into here to speed up knife command loading
  # IE, if we are not running 'knife data bag *' we don't need to load 'chef/encrypted_data_bag_item'
  require "chef/encrypted_data_bag_item" unless defined?(Chef::EncryptedDataBagItem)

  if config[:cl_secret]
    config[:cl_secret]
  elsif config[:cl_secret_file]
    Chef::EncryptedDataBagItem.load_secret(config[:cl_secret_file])
  elsif secret = config[:secret]
    secret
  else
    secret_file = config[:secret_file]
    Chef::EncryptedDataBagItem.load_secret(secret_file)
  end
end

#validate_secrets ⇒ Object



# File 'lib/chef/knife/data_bag_secret_options.rb', line 77

def validate_secrets
  if config[:cl_secret] && config[:cl_secret_file]
    ui.fatal("Please specify only one of --secret, --secret-file")
    exit(1)
  end

  if config[:secret] && config[:secret_file]
    ui.fatal("Please specify only one of 'secret' or 'secret_file' in your config file")
    exit(1)
  end
end
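
The reasoning in the note under .included, together with the precedence in read_secret and the checks in validate_secrets, as an added Ruby sketch that is not part of Chef's source. Plain hashes stand in for knife's merged config; `merge_configs`, `resolve_secret`, `SecretConflict`, `LOADER` and the sample paths and values are constructed for illustration.

```ruby
# Added illustration, not Chef's code: plain hashes stand in for knife's config.
class SecretConflict < StandardError; end

# Stand-in for the merge the note describes: knife.rb values fill gaps,
# command-line values are never overwritten.
def merge_configs(knife_rb, cli)
  knife_rb.merge(cli)
end

# Same two checks as validate_secrets, raising instead of ui.fatal + exit(1).
def validate_secrets(config)
  if config[:cl_secret] && config[:cl_secret_file]
    raise SecretConflict, "Please specify only one of --secret, --secret-file"
  end
  if config[:secret] && config[:secret_file]
    raise SecretConflict, "Please specify only one of 'secret' or 'secret_file' in your config file"
  end
end

# Same precedence as read_secret; `loader` is a hypothetical stand-in for
# Chef::EncryptedDataBagItem.load_secret so the example runs offline.
def resolve_secret(config, loader)
  validate_secrets(config)
  if config[:cl_secret]         then config[:cl_secret]
  elsif config[:cl_secret_file] then loader.call(config[:cl_secret_file])
  elsif config[:secret]         then config[:secret]
  else loader.call(config[:secret_file])
  end
end

# Constructed sample data: file contents keyed by path.
FILES  = { "/tmp/cli.key" => "key-from-cli-file" }.freeze
LOADER = ->(path) { FILES.fetch(path) }

# Shared keys: the valid mix and the invalid CLI pair merge to the same hash.
SHARED_VALID   = merge_configs({ secret: "abc" }, { secret_file: "/tmp/cli.key" })
SHARED_INVALID = merge_configs({}, { secret: "abc", secret_file: "/tmp/cli.key" })

# Separate cl_* keys: the two cases stay distinguishable after the merge.
SPLIT_VALID   = merge_configs({ secret: "abc" }, { cl_secret_file: "/tmp/cli.key" })
SPLIT_INVALID = merge_configs({}, { cl_secret: "abc", cl_secret_file: "/tmp/cli.key" })

puts SHARED_VALID == SHARED_INVALID       # true: the origin of each value is lost
puts resolve_secret(SPLIT_VALID, LOADER)  # key-from-cli-file: command line wins
begin
  resolve_secret(SPLIT_INVALID, LOADER)
rescue SecretConflict => e
  puts e.message
end
```

With shared keys, the valid mix of a knife.rb secret and a command-line secret file would be rejected by the config-file check; the separate `cl_*` keys avoid that false positive.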