Module: Chef::Knife::DataBagSecretOptions

Includes:
EncryptedDataBagItem::CheckEncrypted, Mixlib::CLI
Included in:
Bootstrap, DataBagCreate, DataBagEdit, DataBagFromFile, DataBagShow
Defined in:
lib/chef/knife/data_bag_secret_options.rb

Methods included from EncryptedDataBagItem::CheckEncrypted

#encrypted?

Class Method Details

.included(base) ⇒ Object

The config object is populated by knife#merge_configs with knife.rb knife[:*] config values, but they do not overwrite the command line properties. It does mean, however, that knife[:secret] and --secret-file passed at the same time populate both config[:secret] and config[:secret_file]. We cannot differentiate the valid case (knife[:secret] in config file and --secret-file on CL) and the invalid case (--secret and --secret-file on the CL) - that's why I'm storing the CL options in a different config key if they are provided.


# File 'lib/chef/knife/data_bag_secret_options.rb', line 36

def self.included(base)
  base.option :secret,
         :short => "-s SECRET",
         :long  => "--secret ",
         :description => "The secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret'",
         # Need to store value from command line in separate variable - knife#merge_configs populates same keys
         # on config object from
         :proc => Proc.new { |s| set_cl_secret(s) }

  base.option :secret_file,
         :long => "--secret-file SECRET_FILE",
         :description => "A file containing the secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret_file'",
         :proc => Proc.new { |sf| set_cl_secret_file(sf) }

  base.option :encrypt,
         :long => "--encrypt",
         :description => "If 'secret' or 'secret_file' is present in your config, then encrypt data bags using it",
         :boolean => true,
         :default => false
end

Instance Method Details

#encryption_secret_provided? ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/chef/knife/data_bag_secret_options.rb', line 57

def encryption_secret_provided?
  base_encryption_secret_provided?
end

#encryption_secret_provided_ignore_encrypt_flag? ⇒ Boolean

Returns:

  • (Boolean)

# File 'lib/chef/knife/data_bag_secret_options.rb', line 61

def encryption_secret_provided_ignore_encrypt_flag?
  base_encryption_secret_provided?(false)
end

#read_secret ⇒ Object


# File 'lib/chef/knife/data_bag_secret_options.rb', line 65

def read_secret
  # Moving the non 'compile-time' requires into here to speed up knife command loading
  # IE, if we are not running 'knife data bag *' we don't need to load 'chef/encrypted_data_bag_item'
  require "chef/encrypted_data_bag_item"

  if has_cl_secret?
    config[:secret]
  elsif has_cl_secret_file?
    Chef::EncryptedDataBagItem.load_secret(config[:secret_file])
  elsif secret = knife_config[:secret]
    secret
  else
    secret_file = knife_config[:secret_file]
    Chef::EncryptedDataBagItem.load_secret(secret_file)
  end
end

#validate_secrets ⇒ Object


# File 'lib/chef/knife/data_bag_secret_options.rb', line 82

def validate_secrets
  if has_cl_secret? && has_cl_secret_file?
    ui.fatal("Please specify only one of --secret, --secret-file")
    exit(1)
  end

  if knife_config[:secret] && knife_config[:secret_file]
    ui.fatal("Please specify only one of 'secret' or 'secret_file' in your config file")
    exit(1)
  end
end
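
The following is an added example, not code from Chef. It models why the merged config cannot tell the valid case from the invalid one, and which secret source wins under the precedence shown in read_secret. The helper names (merge_configs, cl_flags, validate, secret_source), the simplified merge and the sample values are assumptions made for illustration.

```ruby
# Added illustration, not Chef code. merge_configs is a simplified stand-in
# for knife's merging: knife.rb values fill keys, command-line values win.
def merge_configs(knife_rb, cli)
  knife_rb.merge(cli)
end

# Which secret options were typed on the command line; plays the role of the
# separate keys written by the set_cl_secret / set_cl_secret_file procs.
def cl_flags(cli)
  { secret: cli.key?(:secret), secret_file: cli.key?(:secret_file) }
end

# Same two checks as validate_secrets, returning the message instead of exiting.
def validate(knife_rb, cli)
  flags = cl_flags(cli)
  if flags[:secret] && flags[:secret_file]
    "Please specify only one of --secret, --secret-file"
  elsif knife_rb[:secret] && knife_rb[:secret_file]
    "Please specify only one of 'secret' or 'secret_file' in your config file"
  end
end

# Same precedence as read_secret, but returns [source, value] and does not
# read any file, so the winning source is visible.
def secret_source(knife_rb, cli)
  flags = cl_flags(cli)
  if flags[:secret]
    [:cl_secret, cli[:secret]]
  elsif flags[:secret_file]
    [:cl_secret_file, cli[:secret_file]]
  elsif knife_rb[:secret]
    [:config_secret, knife_rb[:secret]]
  else
    [:config_secret_file, knife_rb[:secret_file]]
  end
end

# Constructed sample inputs (values and paths are made up).
VALID_RB    = { secret: "from-knife-rb" }.freeze     # knife[:secret] in knife.rb
VALID_CLI   = { secret_file: "/tmp/cli.key" }.freeze # --secret-file on the CL
INVALID_RB  = {}.freeze
INVALID_CLI = { secret: "cli-secret", secret_file: "/tmp/cli.key" }.freeze # both flags

if __FILE__ == $PROGRAM_NAME
  [[VALID_RB, VALID_CLI], [INVALID_RB, INVALID_CLI]].each do |rb, cli|
    puts "merged keys=#{merge_configs(rb, cli).keys.sort} error=#{validate(rb, cli).inspect} source=#{secret_source(rb, cli).first}"
  end
end
```

Both sample cases merge to the same pair of keys, yet only the second is rejected; in the first, the command-line secret file is used even though a secret from knife.rb is also present in the merged config.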