fc217f6ce4
Cleaned up all the minor rubocop issues, the ones left relate to complex logic and what I think is a bug in rubocop for nested vs compact modules/class definitions. Change-Id: Ic0c0677de44642e0994c0b95a3c270cbd4749b40
103 lines
3.4 KiB
Ruby
103 lines
3.4 KiB
Ruby
# encoding: UTF-8
|
|
|
|
#
|
|
# Cookbook Name:: openstack-common
|
|
# library:: passwords
|
|
#
|
|
# Copyright 2012-2013, AT&T Services, Inc.
|
|
# Copyright 2014, SUSE Linux, GmbH.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
# Password methods
|
|
module ::Openstack
|
|
# Library routine that returns an encrypted data bag value
|
|
# for a supplied string. The key used in decrypting the
|
|
# encrypted value should be located at
|
|
# node['openstack']['secret']['key_path'].
|
|
#
|
|
def secret(bag_name, index)
|
|
case node['openstack']['databag_type']
|
|
when 'encrypted'
|
|
encrypted_secret(bag_name, index)
|
|
when 'standard'
|
|
standard_secret(bag_name, index)
|
|
when 'vault' # chef-vault, by convention use "vault_<bag_name>" as bag_name
|
|
vault_secret('vault_' + bag_name, index)
|
|
else
|
|
::Chef::Log.error("Unsupported value for node['openstack']['databag_type']")
|
|
end
|
|
end
|
|
|
|
def encrypted_secret(bag_name, index)
|
|
key_path = node['openstack']['secret']['key_path']
|
|
::Chef::Log.info "Loading encrypted databag #{bag_name}.#{index} using key at #{key_path}"
|
|
secret = ::Chef::EncryptedDataBagItem.load_secret key_path
|
|
::Chef::EncryptedDataBagItem.load(bag_name, index, secret)[index]
|
|
end
|
|
|
|
def standard_secret(bag_name, index)
|
|
::Chef::Log.info "Loading databag #{bag_name}.#{index}"
|
|
::Chef::DataBagItem.load(bag_name, index)[index]
|
|
end
|
|
|
|
def vault_secret(bag_name, index)
|
|
begin
|
|
require 'chef-vault'
|
|
rescue LoadError
|
|
Chef::Log.warn("Missing gem 'chef-vault'")
|
|
end
|
|
::Chef::Log.info "Loading vault secret #{index} from #{bag_name}"
|
|
::ChefVault::Item.load(bag_name, index)[index]
|
|
end
|
|
|
|
# Ease-of-use/standarization routine that returns a secret from the
|
|
# attribute-specified openstack secrets databag.
|
|
def get_secret(key)
|
|
::Chef::Log.warn(
|
|
'The get_secret method is DEPRECATED. '\
|
|
"Use get_password(key, 'token') instead")
|
|
|
|
if node['openstack']['use_databags']
|
|
secret node['openstack']['secret']['secrets_data_bag'], key
|
|
else
|
|
node['openstack']['secret'][key]['token']
|
|
end
|
|
end
|
|
|
|
# Return a password using either data bags or attributes for
|
|
# storage. The storage mechanism used is determined by the
|
|
# node['openstack']['use_databags'] attribute.
|
|
# @param [String] type of password, one of 'user', 'service', 'db' or 'token'
|
|
# @param [String] the identifier of the password (usually the
|
|
# component name, but can also be a token name
|
|
# e.g. openstack_identity_bootstrap_token
|
|
def get_password(type, key)
|
|
unless %w(db user service token).include?(type)
|
|
::Chef::Log.error("Unsupported type for get_password: #{type}")
|
|
return
|
|
end
|
|
|
|
if node['openstack']['use_databags']
|
|
if type == 'token'
|
|
secret node['openstack']['secret']['secrets_data_bag'], key
|
|
else
|
|
secret node['openstack']['secret']["#{type}_passwords_data_bag"], key
|
|
end
|
|
else
|
|
node['openstack']['secret'][key][type]
|
|
end
|
|
end
|
|
end
|