- Add new secrets management library (#1)

ADD: Libraries/dsl.rb to manage secrets
ADD: Test cookbook in tests/fixtures/
ADD: Maintainers.md
UPDATE: README.md
UPDATE: Berksfile to include test cookbook
UPDATE: Gemfile to install 'vault-ruby' gem locally
UPDATE: Metadata to include dependency on chef-vault and gem 'vault'
UPDATE: README.md
ADD: CHANGELOG.md, CONTRIBUTORS.md and MIT LICENSE file
BUMP: Version 1.0.0

.kitchen.yml

@@ -4,10 +4,26 @@ driver:
 
 provisioner:
   name: chef_zero
+  nodes_path: test/fixtures/nodes
+  clients_path: test/fixtures/clients
+  environments_path: test/fixtures/environments
+  data_bags_path: test/fixtures/data_bags
+
+  # You many wish to test your CHEF::Log.<level> messages while using test-kitchen.  Change the below
+  # value to the level of choice.  For cleaner output, comment this option out.
+  log_level: info
+
   # You may wish to disable always updating cookbooks in CI or other testing environments.
   # For example:
   #   always_update_cookbooks: <%= !ENV['CI'] %>
   always_update_cookbooks: true
+  retry_on_exit_code: # https://discourse.chef.io/t/test-kitchen-1-10-0-released/8721
+    - 35 # 35 is the exit code signaling that the node is rebooting
+  max_retries: 2
+  client_rb:
+    environment: test
+    exit_status: :enabled # Opt-in to the standardized exit codes
+    client_fork: false  # Forked instances don't return the real exit code
 
 verifier:
   name: inspec
@@ -19,8 +35,11 @@ platforms:
 suites:
   - name: default
     run_list:
-      - recipe[secrets_management::default]
+      - recipe[secrets_management_test::default]
     verifier:
       inspec_tests:
-        - test/smoke/default
+        - test/smoke/secrets_management_tests
     attributes:
+      hashicorp:
+        token: <%= ENV['VAULT_TOKEN'] %>
+        address: <%= ENV['VAULT_ADDR'] %>

Berksfile

@@ -9,3 +9,7 @@
 source 'https://supermarket.chef.io'
 
 metadata
+
+group :test do
+  cookbook 'secrets_management_test', path: 'test/fixtures/cookbooks/test'
+end

CHANGELOG.md

@@ -0,0 +1,7 @@
+# secrets_management Cookbook CHANGELOG
+
+This file is used to list changes made in each version of the secrets_management cookbook.
+
+## v1.0.0
+
+- Initial release with support for reading Hashicorp Vault, Chef-Vault, and Chef Data bag items

CONTRIBUTING.md

@@ -0,0 +1 @@
+Please refer to https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD

Gemfile

@@ -6,7 +6,10 @@
 
 source 'https://rubygems.org'
 
+gem 'vault', '~> 0.1'
+
 group :test do
   gem 'fauxhai'
   gem 'tomlrb'
+  gem 'webmock'
 end

LICENSE

@@ -0,0 +1,7 @@
+Copyright 2017 Exosphere Data, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -1,87 +1,122 @@
 # secrets_management
-### _Installs/Configures secrets_management_
+### _A Chef library for global secrets management_
 
-TODO: Enter the cookbook description here.
+This cookbook provides a Ruby library helper to support management of Hashicorp Vault, Chef Vault, and Chef DataBag items.  This cookbook does not include resources or recipes.  The purpose of this project is to simplify the handling of secrets and data management by integrating a single method whereby Hashicorp Vault, Chef Vault, and Chef DataBag items can be managed.
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 **Table of Contents**  *generated with [DocToc](https://github.com/thlorenz/doctoc)*
 
-- [secrets_management](#secrets_management)
-  - [Requirements](#requirements)
-    - [Platforms](#platforms)
-    - [Chef](#chef)
-    - [Cookbooks](#cookbooks)
-    - [Data bag](#data-bag)
-  - [Attributes](#attributes)
-  - [Usage](#usage)
-    - [default](#default)
-  - [Upload to Chef Server](#upload-to-chef-server)
-  - [Matchers/Helpers](#matchershelpers)
-    - [Matchers](#matchers)
-    - [Helpers](#helpers)
-  - [Cookbook Testing](#cookbook-testing)
-    - [Before you begin](#before-you-begin)
-    - [Data_bags for Test-Kitchen](#data_bags-for-test-kitchen)
-    - [Rakefile and Tasks](#rakefile-and-tasks)
-    - [Chefspec and Test-Kitchen](#chefspec-and-test-kitchen)
-    - [Compliance Profile](#compliance-profile)
-  - [Copyright:: 2017, Exosphere Data LLC, All Rights Reserved.](#copyright-2017-exosphere-data-llc-all-rights-reserved)
-
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+- [Requirements](#requirements)
+  - [Platforms](#platforms)
+  - [Chef](#chef)
+  - [Cookbooks](#cookbooks)
+- [Usage](#usage)
+  - [default](#default)
+- [Libraries](#libraries)
+  - [SecretsManagement::DSL](#secretsmanagementdsl)
+- [Upload to Chef Server](#upload-to-chef-server)
+- [Upload to Private Chef Supermarket](#upload-to-private-chef-supermarket)
+- [Cookbook Testing](#cookbook-testing)
+  - [Before you begin](#before-you-begin)
+  - [Data_bags for Test-Kitchen](#data_bags-for-test-kitchen)
+  - [Rakefile and Tasks](#rakefile-and-tasks)
+  - [Chefspec and Test-Kitchen](#chefspec-and-test-kitchen)
+  - [Test Cookbook (secrets_management_test)](#test-cookbook-secrets_management_test)
+  - [Compliance Profile](#compliance-profile)
+- [Contribute](#contribute)
+- [License & Authors](#license-&-authors)
 
 ## Requirements
 
 ### Platforms
 
-TODO: List all supported Platforms and versions. 
+This resource should work on any Chef supported platform with a Chef Client meeting the minimum requirements.
 
 ### Chef
 
 - 12.5+
 
-TODO: Minimum supported version of CHEF client supported by this cookbook
-
 ### Cookbooks
 
-TODO: Identify any cookbook dependencies
+- chef-vault, '~> 3.0'
 
-### Data bag
+## Usage
+To use the libraries, declare a dependency on this cookbook, and then use the libary as described in the section [SecretsManagement::DSL](#secretsmanagementdsl).
 
-TODO: List all supported data_bag names, model, and items.
+### default
 
-## Attributes
+This is an empty recipe and should _not_ be modified.
 
-TODO: Enter all available node attributes including description, field type, and default value.
+## Libraries
 
+### SecretsManagement::DSL
 
-## Usage
-### default
+#### open_secret_item
+The `open_secret_item` method supports accessing existing Hashicorp Vault, Chef Vault, and Chef DataBag items.  The method supports two possible models for getting the data - `determine_bag_type` or `find_<type>_item`.  By default, the method will attempt to perform the lookup unless the attribute `:type` is sent.
 
-This is an empty recipe and should _not_ be used
+Properties:
 
-TODO: Write descriptions about any included recipes
+| Name          | Description | Type  | Mandatory |
+| ---           | ---         | ---   | ---       |
+| **container** | Path to Hashicorp Vault or the Name of the Chef Vault or DataBag | String | X |
+| **item**      | Item name in Vault or Bag | String | X |
+| type          | Supported values: `vault` (Hashicorp), `chef_vault`, or `data_bag` | String |           |
+| vault         | Hash of supported keys for accessing Hashicorp environment.  Minimum required keys are `address` and `token`. | Hash   |           |
 
-## Upload to Chef Server
-This cookbook should be included in each organization of your CHEF environment.  When importing, leverage Berkshelf:
+_Note: When returning details from Hashicorp Vault, this library will normalize the key names as strings.  By default, the keys will be returned as a symbol.  To keep this output consistent across the ChefVault and DataBag models, the library converts the keys from symbols to strings._
 
-`berks upload`
+#### Examples
 
-_NOTE:_ use the --no-ssl-verify switch if the CHEF server in question has a self-signed SSL certificate.
+```ruby
+# Open a secret item based on testing the options - vault, chef_vault, then data_bag
+bag = open_secret_item('secret', 'item')
+
+# Include a vault object to support looking into Hashicorp as part of the lookup
+bag = open_secret_item('secret', 'item', vault: { 'token' => '1234', 'address' => 'http://192.168.0.1:8200' })
+```
+
+```ruby
+# Look up a data_bag item
+bag = open_secret_item('simple', 'item', type: 'data_bag')
+```
+
+```ruby
+# Lookup a chef_vault item
+bag = open_secret_item('secrets', 'bacon', type: 'chef_vault')
+```
+
+```ruby
+# Lookup a chef_vault item and use the output to access a Hashicorp Vault item
+vault_hash = open_secret_item('vault', 'secret', type: 'chef_vault')
+bag = open_secret_item('secret/chef/os', 'windows', type: 'vault', vault: vault_hash)
+```
 
-`berks upload --no-ssl-verify`
+## Upload to Chef Server
+This cookbook should be included in each organization of your CHEF environment.  When importing, leverage Berkshelf:
 
-## Matchers/Helpers
+`berks upload --except test`
 
-### Matchers
-_Note: Matchers should always be created in `libraries/matchers.rb` and used for validating calls to LWRP_
+_NOTE:_ use the --no-ssl-verify switch if the CHEF server in question has a self-signed SSL certificate.
 
-TODO: Add details about any matcher files included in this cookbook
+`berks upload --no-ssl-verify --except test`
 
+## Upload to Private Chef Supermarket
+_NOTE:_ You must set the following key `knife[:supermarket_site] = 'https://<your-supermarket-server>'`.
 
-### Helpers
+This cookbook should be uploaded to the CHEF Supermarket server.  When importing, leverage Berkshelf vendor command:
 
-TODO: Add details about any helper files included in this cookbook
+```bash
+# From a Linux/Mac host via Bash
+berks vendor .bundle
+for i in `ls .bundle`; do knife cookbook site share $i "Other" -o .bundle; done
+```
+or
+```powershell
+# From a Windows host via PowerShell
+berks vendor .bundle
+foreach ($i in (Get-ChildItem -Path .bundle) ){
+  knife cookbook site share $i "Other" -o .bundle
+}
+```
 
 ## Cookbook Testing
 
@@ -103,16 +138,18 @@ This cookbook requires the use of a data_bag for setting certain values.  Local
 │   ├── cookbooks
 │   │   ├── secrets_management
 │   │   │   ├── .kitchen.yml
-│   ├── data_bags
-│   │   ├── data_bag_name
-│   │   │   ├── data_bag_item.json
+│   │   │   ├── test
+│   │   │   │   ├── fixtures
+│   │   │   │   │   ├── data_bags
+│   │   │   │   │   │   ├── data_bag_name
+│   │   │   │   │   │   │   ├── data_bag_item.json
 
 ```
 
-**Note**: Storing local testing versions of the data_bags at the root of your repo is considered best practice.  This ensures that you only need to maintain a single copy while protecting the cookbook from being accientally committed with the data_bag.  However, if you must change this location, then update the following key in the .kitchen.yml file.  
+**Note**: Storing local testing versions of the data_bags at the root of your repo is considered best practice.  This ensures that you only need to maintain a single copy while protecting the cookbook from being accientally committed with the data_bag.  However, since this cookbook contains no recipes, we have included the test data_bags for Kitchen purposes.  If you must change this location, then update the following key in the .kitchen.yml file.
 
 ```
-data_bags_path: "../../data_bags/"
+data_bags_path: "test/fixtures/data_bags/"
 ```
 
 ### Rakefile and Tasks
@@ -136,10 +173,46 @@ This repo includes a **Rakefile** for common tasks
 2. `berks install`: Installs all cookbook dependencies based on the [Berksfile](Berksfile) and the [metadata.rb](metadata.rb)
 
 3. `rake`: This will run all of the local tests - syntax, lint, unit, and maintainers file.
-4. `rake integration`: This will run all of the kitchen tests 
+4. `rake integration`: This will run all of the kitchen tests
+
+### Test Cookbook (secrets_management_test)
+_a test cookbook for the available LWRPs_
+
+The cookbook secrets_management does not include any executable recipes as it is designed to be an utility cookbook and support other initiatives.  For the purposes of testing and validating this code, we have included a test cookbook with pre-configured recipes.
+
+| **Name** | **Description** |
+| ------------- |-------------|
+| _Default_ | Roll-up recipe to test all of the functionality of the LWRP-specific recipes |
+| _hashivault_ | Test gathering secrets from Hashicorp Vault environments. |
+| _chef_vault_ | Test gathering secrets from ChefVault bags |
+| _data_bag_ | Test gathering secrets from Chef DataBags |
+
 
 ### Compliance Profile
-Included in this cookbook is a set of Inspec profile tests used for supported platforms in Test-Kitchen.  These profiles can also be loaded into Chef Compliance to ensure on-going validation.  The Control files are located at `test/smoke/suite_name`
+Not included as this is a Resource only cookbook with no included recipes.
+
+## Contribute
+ - Fork it
+ - Create your feature branch (git checkout -b my-new-feature)
+ - Commit your changes (git commit -am 'Add some feature')
+ - Push to the branch (git push origin my-new-feature)
+ - Create new Pull Request
+
+## License & Authors
 
+**Author:** Jeremy Goodrum ([[email protected]](mailto:[email protected]))
 
-## Copyright:: 2017, Exosphere Data, LLC, All Rights Reserved.
+**Copyright:** 2017 Exosphere Data, LLC
+
+```text
+Copyright 2017 Exosphere Data, LLC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this
+software and associated documentation files (the "Software"), to deal in the Software
+without restriction, including without limitation the rights to use, copy, modify,
+merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+```

attributes/default.rb

@@ -0,0 +1,10 @@
+#
+# Cookbook:: secrets_management
+# Attribute:: default
+#
+# maintainer:: Exosphere Data, LLC
+# maintainer_email:: [email protected]
+#
+# Copyright:: 2017, Exosphere Data, LLC, All Rights Reserved.
+
+default['hashicorp']['refresh_token'] = nil