module Chef::Knife::DataBagSecretOptions

Public Class Methods

included(base) click to toggle source

The config object is populated by knife#merge_configs with knife.rb `knife` config values, but they do not overwrite the command line properties. It does mean, however, that `knife` and `–secret-file` passed at the same time populate both `config` and `config`. We cannot differentiate the valid case (`knife` in config file and `–secret-file` on CL) and the invalid case (`–secret` and `–secret-file` on the CL) - thats why I'm storing the CL options in a different config key if they are provided.

# File lib/chef/knife/data_bag_secret_options.rb, line 36
def self.included(base)
  base.option :cl_secret,
    long: "--secret SECRET",
    description: "The secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret'."

  base.option :cl_secret_file,
    long: "--secret-file SECRET_FILE",
    description: "A file containing the secret key to use to encrypt data bag item values. Can also be defaulted in your config with the key 'secret_file'."

  base.option :encrypt,
    long: "--encrypt",
    description: "If 'secret' or 'secret_file' is present in your config, then encrypt data bags using it.",
    boolean: true,
    default: false
end

Public Instance Methods

encryption_secret_provided?() click to toggle source
# File lib/chef/knife/data_bag_secret_options.rb, line 52
def encryption_secret_provided?
  base_encryption_secret_provided?
end
encryption_secret_provided_ignore_encrypt_flag?() click to toggle source
# File lib/chef/knife/data_bag_secret_options.rb, line 56
def encryption_secret_provided_ignore_encrypt_flag?
  base_encryption_secret_provided?(false)
end
read_secret() click to toggle source
# File lib/chef/knife/data_bag_secret_options.rb, line 60
def read_secret
  # Moving the non 'compile-time' requires into here to speed up knife command loading
  # IE, if we are not running 'knife data bag *' we don't need to load 'chef/encrypted_data_bag_item'
  require "chef/encrypted_data_bag_item" unless defined?(Chef::EncryptedDataBagItem)

  if config[:cl_secret]
    config[:cl_secret]
  elsif config[:cl_secret_file]
    Chef::EncryptedDataBagItem.load_secret(config[:cl_secret_file])
  elsif secret = config[:secret]
    secret
  else
    secret_file = config[:secret_file]
    Chef::EncryptedDataBagItem.load_secret(secret_file)
  end
end
validate_secrets() click to toggle source
# File lib/chef/knife/data_bag_secret_options.rb, line 77
def validate_secrets
  if config[:cl_secret] && config[:cl_secret_file]
    ui.fatal("Please specify only one of --secret, --secret-file")
    exit(1)
  end

  if config[:secret] && config[:secret_file]
    ui.fatal("Please specify only one of 'secret' or 'secret_file' in your config file")
    exit(1)
  end
end

Private Instance Methods

base_encryption_secret_provided?(need_encrypt_flag = true) click to toggle source

Determine if the user has specified an appropriate secret for encrypting data bag items. @return boolean

# File lib/chef/knife/data_bag_secret_options.rb, line 94
def base_encryption_secret_provided?(need_encrypt_flag = true)
  validate_secrets

  return true if config[:cl_secret] || config[:cl_secret_file]

  if need_encrypt_flag
    if config[:encrypt]
      unless config[:secret] || config[:secret_file]
        ui.fatal("No secret or secret_file specified in config, unable to encrypt item.")
        exit(1)
      end
      return true
    end
    return false
  elsif config[:secret] || config[:secret_file]
    # Certain situations (show and bootstrap) don't need a --encrypt flag to use the config file secret
    return true
  end
  false
end
knife_config() click to toggle source
# File lib/chef/knife/data_bag_secret_options.rb, line 115
def knife_config
  Chef.deprecated(:knife_bootstrap_apis, "The `knife_config` bootstrap helper has been deprecated, use the properly merged `config` helper instead")
  Chef::Config.key?(:knife) ? Chef::Config[:knife] : {}
end