add support for client_key_contents

README.md

@@ -175,7 +175,8 @@ instead.
 Normally, the value of `Chef::Config[:node_name]` is used to find the
 per-node encrypted secret in the keys data bag item, and the value of
 `Chef::Config[:client_key]` is used to locate the private key to decrypt
-this secret.
+this secret. If `Chef::Config[:client_key_contents]` is defined, it takes
+precedence over the file path specified in `Chef::Config[:client_key]`.
 
 These can be overridden by passing a hash with the keys `:node_name` or
 `:client_key_path` to `ChefVault::Item.load`:

features/step_definitions/chef-repo.rb

@@ -34,6 +34,10 @@
   create_admin(admin)
 end
 
+Given(/^I create( mismatched)? client config for client named '(.+)'$/) do |mismatched, client|
+  create_client_config(client, mismatched)
+end
+
 Given(/^I delete clients? '(.+)' from the Chef server$/) do |nodelist|
   nodelist.split(/,/).each do |node|
     delete_client(node)
@@ -70,3 +74,18 @@ def delete_client(name)
 def delete_node(name)
   run_command_and_stop "knife node delete #{name} -y -z -c config.rb"
 end
+
+def create_client_config(name, mismatched = false)
+  content = <<EOF
+local_mode true
+chef_repo_path '.'
+chef_zero.enabled true
+knife[:vault_mode] = 'client'
+node_name '#{name}'
+client_key_contents IO.read('#{name}.pem')
+EOF
+  write_file("config_#{name}.rb", content)
+  if mismatched
+    append_to_file "config_#{name}.rb", "client_key 'admin.pem'"
+  end
+end

features/step_definitions/chef-vault.rb

@@ -101,8 +101,12 @@
   run_command_and_stop("knife vault list")
 end
 
-Given(%r{^I can('t)? decrypt the vault item '(.+)/(.+)' as '(.+)'$}) do |neg, vault, item, client|
-  run_command_and_stop "knife vault show #{vault} #{item} -c config.rb -z -u #{client} -k #{client}.pem", { fail_on_error: false }
+Given(%r{^I can('t)? decrypt the vault item '(.+)/(.+)' as '(.+)'( using client config)?$}) do |neg, vault, item, client, client_config|
+  if client_config
+    run_command_and_stop "knife vault show #{vault} #{item} -c config_#{client}.rb -z -u #{client}", { fail_on_error: false }
+  else
+    run_command_and_stop "knife vault show #{vault} #{item} -c config.rb -z -u #{client} -k #{client}.pem", { fail_on_error: false }
+  end
   if neg
     expect(last_command_started).not_to have_exit_status(0)
   else

features/vault_show.feature

@@ -14,6 +14,19 @@ Feature: knife vault show
     And I can decrypt the vault item 'test/item' as 'alice'
     And the output should match /^foo: bar$/
 
+  Scenario: successful decrypt as admin using client_key_contents
+    Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
+    Given I create client config for client named 'alice'
+    Given I create mismatched client config for client named 'bob'
+    And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice,bob' as admins
+    Then the vault item 'test/item' should be encrypted for 'alice,bob'
+    And 'one,two,three' should be a client for the vault item 'test/item'
+    And 'alice' should be an admin for the vault item 'test/item'
+    And 'bob' should be an admin for the vault item 'test/item'
+    And I can decrypt the vault item 'test/item' as 'alice' using client config
+    And I can decrypt the vault item 'test/item' as 'bob' using client config
+    And the output should match /^foo: bar$/
+
   Scenario: successful decrypt as node
     Given a local mode chef repo with nodes 'one,two,three' with admins 'alice,bob'
     And I create a vault item 'test/item' containing the JSON '{"foo": "bar"}' encrypted for 'one,two,three' with 'alice' as admin

lib/chef-vault/item.rb

@@ -40,6 +40,11 @@ class Item < Chef::DataBagItem
     #     decrypt secrets.  Defaults to the value of Chef::Config[:client_key]
     attr_accessor :client_key_path
 
+    # @!attribute [rw] client_key_contents
+    #   @return [String] the contents of the private key that is used to
+    #     decrypt secrets.  Defaults to the value of Chef::Config[:client_key_contents]
+    attr_accessor :client_key_contents
+
     # returns the raw keys of the underlying Chef::DataBagItem.  chef-vault v2
     # defined #keys as a public accessor that returns the ChefVault::ItemKeys
     # object for the vault.  Ideally, #keys would provide Hash-like behaviour
@@ -58,6 +63,8 @@ class Item < Chef::DataBagItem
     #   as. Defaults to the :node_name value of Chef::Config
     # @option opts [String] :client_key_path the name of the node to decrypt
     #   secrets as.  Defaults to the :client_key value of Chef::Config
+    # @option opts [String] :client_key_contents the private key to decrypt
+    #   secrets as.  Defaults to the :client_key_contents value of Chef::Config
     def initialize(vault, name, opts = {})
       super() # Don't pass parameters
       @data_bag = vault
@@ -68,9 +75,11 @@ def initialize(vault, name, opts = {})
       opts = {
         node_name: Chef::Config[:node_name],
         client_key_path: Chef::Config[:client_key],
+        client_key_contents: Chef::Config[:client_key_contents],
       }.merge(opts)
       @node_name = opts[:node_name]
       @client_key_path = opts[:client_key_path]
+      @client_key_contents = opts[:client_key_contents]
       @current_query = search
     end
 
@@ -163,7 +172,11 @@ def remove(key)
 
     def secret
       if @keys.include?(@node_name) && !@keys[@node_name].nil?
-        private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
+        unless @client_key_contents.nil?
+          private_key = OpenSSL::PKey::RSA.new(@client_key_contents)
+        else
+          private_key = OpenSSL::PKey::RSA.new(File.open(@client_key_path).read)
+        end
         begin
           private_key.private_decrypt(Base64.decode64(@keys[@node_name]))
         rescue OpenSSL::PKey::RSAError

spec/chef-vault/item_spec.rb

@@ -121,6 +121,11 @@
       expect(item.client_key_path).to eq(Chef::Config[:client_key])
     end
 
+    it "defaults the client key contents" do
+      item = ChefVault::Item.new("foo", "bar")
+      expect(item.client_key_contents).to eq(Chef::Config[:client_key_contents])
+    end
+
     it "allows for a node name override" do
       item = ChefVault::Item.new("foo", "bar", node_name: "baz")
       expect(item.node_name).to eq("baz")
@@ -131,6 +136,11 @@
       expect(item.client_key_path).to eq("/foo/client.pem")
     end
 
+    it "allows for a client key contents override" do
+      item = ChefVault::Item.new("foo", "bar", client_key_contents: "baz")
+      expect(item.client_key_contents).to eq("baz")
+    end
+
     it "allows for both node name and client key overrides" do
       item = ChefVault::Item.new(
         "foo", "bar",
@@ -140,6 +150,18 @@
       expect(item.node_name).to eq("baz")
       expect(item.client_key_path).to eq("/foo/client.pem")
     end
+
+    it "allows for node name, client key and client key contents overrides" do
+      item = ChefVault::Item.new(
+        "foo", "bar",
+        node_name: "baz",
+        client_key_path: "/foo/client.pem",
+        client_key_contents: "qux"
+      )
+      expect(item.node_name).to eq("baz")
+      expect(item.client_key_path).to eq("/foo/client.pem")
+      expect(item.client_key_contents).to eq("qux")
+    end
   end
 
   describe "::load" do