Drop Ruby 2.2/2.3 support and resolve Chefstyle warnings

Rakefile

@@ -45,5 +45,5 @@ end
 
 # test or the default task runs spec, features, style
 desc "run all tests"
-task default: [:coverage, :features, :style]
+task default: %i{coverage features style}
 task test: :default

chef-vault.gemspec

@@ -1,6 +1,7 @@
 # -*- encoding: utf-8 -*-
 # Chef-Vault Gemspec file
-# Copyright 2013-15, Nordstrom, Inc.
+# Copyright 2013-2015, Nordstrom, Inc.
+# Copyright 2017-2019, Chef Software, Inc.
 
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,17 +18,12 @@
 $:.push File.expand_path("../lib", __FILE__)
 require "chef-vault/version"
 
-def self.prerelease?
-  !ENV["TRAVIS_TAG"] || ENV["TRAVIS_TAG"].empty?
-end
-
 Gem::Specification.new do |s|
   s.name             = "chef-vault"
   s.version          = ChefVault::VERSION
-  s.version          = "#{s.version}-pre#{ENV['TRAVIS_BUILD_NUMBER']}" if ENV["TRAVIS"]
   s.authors          = ["Thom May"]
   s.email            = ["[email protected]"]
-  s.summary          = "Data encryption support for Chef using data bags"
+  s.summary          = "Data encryption support for Chef Infra using data bags"
   s.description      = s.summary
   s.homepage         = "https://github.com/chef/chef-vault"
   s.license          = "Apache-2.0"
@@ -36,5 +32,5 @@ Gem::Specification.new do |s|
   s.bindir           = "bin"
   s.executables      = %w{ chef-vault }
 
-  s.required_ruby_version = ">= 2.2.0"
+  s.required_ruby_version = ">= 2.4"
 end

features/step_definitions/chef-vault.rb

@@ -1,25 +1,25 @@
 require "json"
 
-Given(/^I create a vault item '(.+)\/(.+)'( with keys in sparse mode)? containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$/) do |vault, item, sparse, json, nodelist, admins|
+Given(%r{^I create a vault item '(.+)/(.+)'( with keys in sparse mode)? containing the JSON '(.+)' encrypted for '(.+)'(?: with '(.+)' as admins?)?$}) do |vault, item, sparse, json, nodelist, admins|
   write_file "item.json", json
   query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
   adminarg = admins.nil? ? "-A admin" : "-A #{admins}"
   sparseopt = sparse.nil? ? "" : "-K sparse"
   run_simple "knife vault create #{vault} #{item} -z -c knife.rb #{adminarg} #{sparseopt} -S '#{query}' -J item.json", false
 end
 
-Given(/^I update the vault item '(.+)\/(.+)' to be encrypted for '(.+)'( with the clean option)?$/) do |vault, item, nodelist, cleanopt|
+Given(%r{^I update the vault item '(.+)/(.+)' to be encrypted for '(.+)'( with the clean option)?$}) do |vault, item, nodelist, cleanopt|
   query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
-  run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? '--clean' : ''}"
+  run_simple "knife vault update #{vault} #{item} -z -c knife.rb -S '#{query}' #{cleanopt ? "--clean" : ""}"
 end
 
-Given(/^I remove clients? '(.+)' from vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |nodelist, vault, item, optionlist|
+Given(%r{^I remove clients? '(.+)' from vault item '(.+)/(.+)' with the '(.+)' options?$}) do |nodelist, vault, item, optionlist|
   query = nodelist.split(/,/).map { |e| "name:#{e}" }.join(" OR ")
   options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
   run_simple "knife vault remove #{vault} #{item} -z -c knife.rb -S '#{query}' #{options}"
 end
 
-Given(/^I rotate the keys for vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
+Given(%r{^I rotate the keys for vault item '(.+)/(.+)' with the '(.+)' options?$}) do |vault, item, optionlist|
   options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
   run_simple "knife vault rotate keys #{vault} #{item} -c knife.rb -z #{options}"
 end
@@ -29,20 +29,20 @@
   run_simple "knife vault rotate all keys -z -c knife.rb #{options}"
 end
 
-Given(/^I refresh the vault item '(.+)\/(.+)'$/) do |vault, item|
+Given(%r{^I refresh the vault item '(.+)/(.+)'$}) do |vault, item|
   run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z"
 end
 
-Given(/^I refresh the vault item '(.+)\/(.+)' with the '(.+)' options?$/) do |vault, item, optionlist|
+Given(%r{^I refresh the vault item '(.+)/(.+)' with the '(.+)' options?$}) do |vault, item, optionlist|
   options = optionlist.split(/,/).map { |o| "--#{o}" }.join(" ")
   run_simple "knife vault refresh #{vault} #{item} -c knife.rb -z #{options}"
 end
 
-Given(/^I try to decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |vault, item, node|
+Given(%r{^I try to decrypt the vault item '(.+)/(.+)' as '(.+)'$}) do |vault, item, node|
   run_simple "knife vault show #{vault} #{item} -z -c knife.rb -u #{node} -k #{node}.pem", false
 end
 
-Then(/^the vault item '(.+)\/(.+)' should( not)? be encrypted for '(.+)'( with keys in sparse mode)?$/) do |vault, item, neg, nodelist, sparse|
+Then(%r{^the vault item '(.+)/(.+)' should( not)? be encrypted for '(.+)'( with keys in sparse mode)?$}) do |vault, item, neg, nodelist, sparse|
   nodes = nodelist.split(/,/)
   command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
   run_simple(command)
@@ -67,7 +67,7 @@
   end
 end
 
-Given(/^'(.+)' should( not)? be a client for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
+Given(%r{^'(.+)' should( not)? be a client for the vault item '(.+)/(.+)'$}) do |nodelist, neg, vault, item|
   nodes = nodelist.split(/,/)
   command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
   run_simple(command)
@@ -82,7 +82,7 @@
   end
 end
 
-Given(/^'(.+)' should( not)? be an admin for the vault item '(.+)\/(.+)'$/) do |nodelist, neg, vault, item|
+Given(%r{^'(.+)' should( not)? be an admin for the vault item '(.+)/(.+)'$}) do |nodelist, neg, vault, item|
   nodes = nodelist.split(/,/)
   command = "knife data bag show #{vault} #{item}_keys -z -c knife.rb -F json"
   run_simple(command)
@@ -101,7 +101,7 @@
   run_simple("knife vault list")
 end
 
-Given(/^I can('t)? decrypt the vault item '(.+)\/(.+)' as '(.+)'$/) do |neg, vault, item, client|
+Given(%r{^I can('t)? decrypt the vault item '(.+)/(.+)' as '(.+)'$}) do |neg, vault, item, client|
   run_simple "knife vault show #{vault} #{item} -c knife.rb -z -u #{client} -k #{client}.pem", false
   if neg
     expect(last_command_started).not_to have_exit_status(0)
@@ -110,38 +110,38 @@
   end
 end
 
-Given(/^I (try to )?add '(.+)' as an admin for the vault item '(.+)\/(.+)'$/) do |try, newadmin, vault, item|
+Given(%r{^I (try to )?add '(.+)' as an admin for the vault item '(.+)/(.+)'$}) do |try, newadmin, vault, item|
   run_simple "knife vault update #{vault} #{item} -c knife.rb -z -A #{newadmin}", !try
 end
 
 Given(/^I show the keys of the vault '(.+)'$/) do |vault|
   run_simple "knife vault show #{vault} -c knife.rb -z"
 end
 
-Given(/^I check if the data bag item '(.+)\/(.+)' is a vault$/) do |vault, item|
+Given(%r{^I check if the data bag item '(.+)/(.+)' is a vault$}) do |vault, item|
   run_simple "knife vault isvault #{vault} #{item} -c knife.rb -z", false
 end
 
-Given(/^I check the type of the data bag item '(.+)\/(.+)'$/) do |vault, item|
+Given(%r{^I check the type of the data bag item '(.+)/(.+)'$}) do |vault, item|
   run_simple "knife vault itemtype #{vault} #{item} -c knife.rb -z"
 end
 
-Given(/^I downgrade the vault item '(.+)\/(.+)' to v1 syntax/) do |vault, item|
+Given(%r{^I downgrade the vault item '(.+)/(.+)' to v1 syntax}) do |vault, item|
   # v1 syntax doesn't have the admins, clients and search_query keys
   keysfile = "tmp/aruba/data_bags/#{vault}/#{item}_keys.json"
   data = JSON.parse(IO.read(keysfile))
   %w{admins clients search_query}.each { |k| data.key?("raw_data") ? data["raw_data"].delete(k) : data.delete(k) }
   IO.write(keysfile, JSON.generate(data))
 end
 
-Given(/^I can save the JSON object of the encrypted data bag for the vault item '(.+)\/(.+)'$/) do |vault, item|
+Given(%r{^I can save the JSON object of the encrypted data bag for the vault item '(.+)/(.+)'$}) do |vault, item|
   command = "knife data bag show #{vault} #{item} -z -c knife.rb -F json"
   run_simple(command)
   output = last_command_started.stdout
   @saved_encrypted_vault_item = JSON.parse(output)
 end
 
-Given(/^the data bag of the vault item '(.+)\/(.+)' has not been re-encrypted$/) do |vault, item|
+Given(%r{^the data bag of the vault item '(.+)/(.+)' has not been re-encrypted$}) do |vault, item|
   command = "knife data bag show #{vault} #{item} -z -c knife.rb -F json"
   run_simple(command)
   output = last_command_started.stdout

features/step_definitions/chef_databagitem.rb

@@ -1,9 +1,9 @@
-Given(/^I create a data bag item '(.+)\/(.+)' containing the JSON '(.+)'$/) do |databag, _, json|
+Given(%r{^I create a data bag item '(.+)/(.+)' containing the JSON '(.+)'$}) do |databag, _, json|
   write_file "item.json", json
   run_simple "knife data bag from file #{databag} item.json -z -c knife.rb", false
 end
 
-Given(/^I create an encrypted data bag item '(.+)\/(.+)' containing the JSON '(.+)' with the secret '(.+)'$/) do |databag, _, json, secret|
+Given(%r{^I create an encrypted data bag item '(.+)/(.+)' containing the JSON '(.+)' with the secret '(.+)'$}) do |databag, _, json, secret|
   write_file "item.json", json
   run_simple "knife data bag from file #{databag} item.json -s #{secret} -z -c knife.rb", false
 end

hooks/pre-commit

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 output = `bundle exec chefstyle -a`
-if !$?.success?
+unless $?.success?
   puts "pre-commit hook: Tried to run `bundle exec chefstyle -a` to autocleanup errors, but it failed with output:"
   puts output
 end
@@ -12,7 +12,7 @@ corrected = /(\d+) offenses corrected/.match(output)
 exit 0 if detected.nil?
 
 # chefstyle found errors
-if !detected.nil?
+unless detected.nil?
   # get the first result from the capture group that isn't the whole capture
   num_detected = detected.to_a[1].to_i
   num_corrected = if corrected.nil?

lib/chef-vault/actor.rb

@@ -27,6 +27,7 @@ def initialize(actor_type, actor_name)
       if actor_type != "clients" && actor_type != "admins"
         raise "You must pass either 'clients' or 'admins' as the first argument to ChefVault::Actor.new."
       end
+
       @type = actor_type
       @name = actor_name
     end
@@ -52,7 +53,7 @@ def get_admin_key
           case http_error.response.code
           when "404"
             raise ChefVault::Exceptions::AdminNotFound,
-                  "FATAL: Could not find default key for #{name} in users or clients!"
+              "FATAL: Could not find default key for #{name} in users or clients!"
           when "403"
             print_forbidden_error
             raise http_error
@@ -73,7 +74,7 @@ def get_client_key
         raise http_error
       elsif http_error.response.code.eql?("404")
         raise ChefVault::Exceptions::ClientNotFound,
-              "#{name} is not a valid chef client and/or node"
+          "#{name} is not a valid chef client and/or node"
       else
         raise http_error
       end
@@ -115,6 +116,7 @@ def get_key(request_actor_type)
     # If the keys endpoint doesn't exist, try getting it directly from the V0 chef object.
     rescue Net::HTTPServerException => http_error
       raise http_error unless http_error.response.code.eql?("404")
+
       if request_actor_type.eql?("clients")
         chef_api_client.load(name).public_key
       else

lib/chef-vault/item.rb

@@ -146,7 +146,7 @@ def admins(admin_string, action = :add)
           keys.delete(admin_key)
         else
           raise ChefVault::Exceptions::KeysActionNotValid,
-                "#{action} is not a valid action"
+            "#{action} is not a valid action"
         end
       end
     end
@@ -161,7 +161,7 @@ def remove(key)
 
     def secret
       if @keys.include?(@node_name) && !@keys[@node_name].nil?
-        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read())
+        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
         begin
           private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
         rescue OpenSSL::PKey::RSAError
@@ -272,7 +272,7 @@ def destroy
 
       if Chef::Config[:solo_legacy_mode]
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
         data_bag_item_path = File.join(data_bag_path, @raw_data["id"])
 
         FileUtils.rm("#{data_bag_item_path}.json")
@@ -364,10 +364,10 @@ def self.data_bag_item_type(vault, name)
     def refresh(clean_unknown_clients = false)
       if search.empty?
         raise ChefVault::Exceptions::SearchNotFound,
-              "#{@data_bag}/#{@raw_data["id"]} does not have a stored "\
-              "search_query, probably because it was created with an "\
-              "older version of chef-vault. Use 'knife vault update' "\
-              "to update the databag with the search query."
+          "#{@data_bag}/#{@raw_data["id"]} does not have a stored "\
+          "search_query, probably because it was created with an "\
+          "older version of chef-vault. Use 'knife vault update' "\
+          "to update the databag with the search query."
       end
 
       # a bit of a misnomer; this doesn't remove unknown
@@ -438,6 +438,7 @@ def client_exists?(clientname)
       true
     rescue Net::HTTPServerException => http_error
       return false if http_error.response.code == "404"
+
       raise http_error
     end
 

lib/chef-vault/item_keys.rb

@@ -39,9 +39,11 @@ def initialize(vault, name)
     def [](key)
       # return options immediately
       return @raw_data[key] if %w{id admins clients search_query mode}.include?(key)
+
       # check if the key is in the write-back cache
       ckey = @cache[key]
       return ckey unless ckey.nil?
+
       # check if the key is saved in sparse mode
       skey = sparse_key(sparse_id(key)) if sparse?
       if skey
@@ -58,6 +60,7 @@ def include?(key)
       return (ckey ? true : false) unless ckey.nil?
       # check if the key is saved in sparse mode
       return true if sparse? && sparse_key(sparse_id(key))
+
       # fallback to non-sparse mode if sparse key is not found
       @raw_data.keys.include?(key)
     end
@@ -66,7 +69,7 @@ def add(chef_key, data_bag_shared_secret)
       type = chef_key.type
       unless @raw_data.key?(type)
         raise ChefVault::Exceptions::V1Format,
-              "cannot manage a v1 vault.  See UPGRADE.md for help"
+          "cannot manage a v1 vault.  See UPGRADE.md for help"
       end
       @cache[chef_key.name] = skip_reencryption ? self[chef_key.name] : nil
       begin
@@ -139,7 +142,7 @@ def save(item_id = @raw_data["id"])
             begin
               Chef::DataBagItem.from_hash("data_bag" => data_bag,
                                           "id" => sparse_id(key))
-                               .destroy(data_bag, sparse_id(key))
+                .destroy(data_bag, sparse_id(key))
             rescue Net::HTTPServerException => http_error
               raise http_error unless http_error.response.code == "404"
             end
@@ -169,10 +172,11 @@ def save(item_id = @raw_data["id"])
       if @raw_data["mode"] == "sparse"
         @raw_data.each do |key, val|
           next if %w{ id clients admins search_query mode }.include?(key)
+
           skey = Chef::DataBagItem.from_hash(
-              "data_bag" => data_bag,
-              "id" => sparse_id(key),
-              key => val
+            "data_bag" => data_bag,
+            "id" => sparse_id(key),
+            key => val
           )
           @raw_data.delete(key)
           if Chef::Config[:solo_legacy_mode]
@@ -209,7 +213,7 @@ def destroy
         items = Chef::DataBag.load(data_bag).keys.select { |item| item =~ rgx }
         items.each do |id|
           Chef::DataBagItem.from_hash("data_bag" => data_bag, "id" => id)
-                           .destroy(data_bag, id)
+            .destroy(data_bag, id)
         end
         # destroy this metadata
         super(data_bag, id)

lib/chef-vault/mixins.rb

@@ -6,7 +6,7 @@ module Mixins
     #     paths and use that by preference
     #  1. Otherwise, just use the first location in the array
     def find_solo_path(item_id)
-      if Chef::Config[:data_bag_path].kind_of?(Array)
+      if Chef::Config[:data_bag_path].is_a?(Array)
         path = Chef::Config[:data_bag_path].find do |dir|
           File.exist?(File.join(dir, data_bag, "#{item_id}.json"))
         end
@@ -15,7 +15,7 @@ def find_solo_path(item_id)
         data_bag_path = File.join(path, data_bag)
       else
         data_bag_path = File.join(Chef::Config[:data_bag_path],
-                                  data_bag)
+          data_bag)
       end
       data_bag_item_path = File.join(data_bag_path, item_id) + ".json"
 

lib/chef/knife/mixin/helper.rb

@@ -33,7 +33,7 @@ def merge_values(json, file)
       end
 
       def values_from_file(file)
-        json = File.open(file) { |fh| fh.read() }
+        json = File.open(file, &:read)
 
         values_from_json(json)
       end

lib/chef/knife/vault_base.rb

@@ -55,13 +55,16 @@ def bag_is_vault?(bagname)
         # - item_keys has zero or more keys in sparse mode
         # vaults have a number of keys >= 2
         return false unless bag.keys.size >= 2
+
         # partition into those that end in _keys
         keylike, notkeylike = split_vault_keys(bag)
         # there must be an equal number of keyline and not-keylike items
         return false unless keylike.size == notkeylike.size
+
         # strip the _keys suffix and check if the sets match
         keylike.map! { |k| k.gsub(/_keys$/, "") }
         return false unless keylike.sort == notkeylike.sort
+
         # it's (probably) a vault
         true
       end
@@ -70,7 +73,7 @@ def split_vault_keys(bag)
         # get all item keys
         keys = bag.keys.select { |k| k =~ /_keys$/ }
         # get all sparse keys
-        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp('_keys')}_key_.*") })
+        r = Regexp.union(keys.map { |k| Regexp.new("^#{k.chomp("_keys")}_key_.*") })
         sparse = bag.keys.select { |k| k =~ r }
         # the rest
         items = bag.keys - keys - sparse