Support loading of creds from data bags

.kitchen.yml

@@ -33,4 +33,28 @@ suites:
   run_list:
     - recipe[sumologic::default]
   attributes:
+    sumologic:
+      email: [email protected]
+      password: password123
+- name: databag
+  run_list:
+    - recipe[sumologic::default]
+  attributes:
+    sumologic:
+      use_encrypted_data_bag: true
+      credentials:
+        bag_name: sumo-creds
+        item_name: api-creds
+  data_bags_path: test/integration/data_bags
+- name: databag_encrypted
+  run_list:
+    - recipe[sumologic::default]
+  attributes:
+    sumologic:
+      use_encrypted_data_bag: true
+      credentials:
+        bag_name: sumo-creds
+        item_name: api-creds-encrypt
+        secret_file: '/tmp/kitchen/encrypted_data_bag_secret'
   data_bags_path: 'test/integration/data_bags'
+  encrypted_data_bag_secret_key_path: 'test/integration/default/encrypted_data_bag_secret'

.rubocop_todo.yml

@@ -1,38 +1,38 @@
 # This configuration was generated by `rubocop --auto-gen-config`
-# on 2014-11-19 14:53:27 -0800 using RuboCop version 0.27.1.
+# on 2015-03-06 23:02:43 -0800 using RuboCop version 0.29.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 3
+# Offense count: 5
 Metrics/AbcSize:
-  Max: 62
+  Max: 66
 
-# Offense count: 1
+# Offense count: 2
 # Configuration parameters: CountComments.
 Metrics/ClassLength:
-  Max: 125
+  Max: 126
 
 # Offense count: 1
 Metrics/CyclomaticComplexity:
-  Max: 9
+  Max: 8
 
-# Offense count: 29
+# Offense count: 37
 # Configuration parameters: AllowURI, URISchemes.
 Metrics/LineLength:
   Max: 148
 
-# Offense count: 5
+# Offense count: 8
 # Configuration parameters: CountComments.
 Metrics/MethodLength:
-  Max: 43
+  Max: 42
 
-# Offense count: 1
+# Offense count: 2
 Metrics/PerceivedComplexity:
-  Max: 12
+  Max: 9
 
-# Offense count: 3
+# Offense count: 4
 # Cop supports --auto-correct.
 # Configuration parameters: EnforcedStyle, SupportedStyles.
 Style/BracesAroundHashParameters:
@@ -50,7 +50,7 @@ Style/Documentation:
 Style/DoubleNegation:
   Enabled: false
 
-# Offense count: 4
+# Offense count: 2
 # Cop supports --auto-correct.
 # Configuration parameters: EnforcedStyle, SupportedStyles.
 Style/SignalException:

Gemfile

@@ -8,7 +8,7 @@ group :development do
   gem 'foodcritic'
   gem 'fuubar'
   gem 'pry'
-  gem 'rubocop', '~> 0.18'
+  gem 'rubocop', '~> 0.29'
   gem 'travis', '~> 1.6.10'
   gem 'webmock'
 end

README.md

@@ -1,5 +1,4 @@
-Description
-===========
+# Description
 
 Installs the Sumo Logic collector the way we do it at PagerDuty.  Allows you to
 configure the sources to send up; works on Linux x86 and x86-64.  Sets up a
@@ -8,8 +7,7 @@ manually activating or pushing any buttons.
 
 [![Build Status](https://travis-ci.org/PagerDuty/chef-sumologic.svg)](https://travis-ci.org/PagerDuty/chef-sumologic)
 
-Requirements
-============
+# Requirements
 
 Depends on the Opscode `java` cookbook which ensures you have a /usr/bin/java.
 Really that's all you need, so feel free to break that dependency if you
@@ -19,16 +17,14 @@ The cookbook grabs a Sumo Logic tarball from an http server.  Sumo Logic
 provides you download links if you want to use those, but they're ephemeral, so
 I suggest hosting it on a local asset server.
 
-Platform
---------
+## Platform
 
 * Tested on Ubuntu 10.04, 12.04, 14.04
 * Tested on CentOS 5.11, 6.6, 7.0
 * Will need extra work to run in Windows, Solaris.
 * Tested under Chef 11.0.0 and 11.16.4 in Ruby 1.9 and 2.1.3.
 
-Attributes
-==========
+# Attributes
 
 See `attributes/default.rb` for default values.
 
@@ -49,11 +45,11 @@ See `attributes/default.rb` for default values.
 * `node[:sumologic][:collector][:checksum]` - The md5sum of the tarball.
 * `node[:sumologic][:collector][:url]` - The full URL you're downloading the
   collector from.
-* `node[:sumologic][:admin][:email]` - The email of an admin user that will
+* `node[:sumologic][:email]` - The email of an admin user that will
   be invoked to perform unattended installs of collectors.  See Sumo's article
   for more info:
     https://service.sumologic.com/ui/help/Unattended_Installation.htm
-* `node[:sumologic][:admin][:pass]` - The password for the admin's email above.
+* `node[:sumologic][:password]` - The password for the admin's email above.
 * `node[:sumologic][:log_sources][:default_category]` - You can specify a category
   for any of your resources through the sumo\_source definition (see below), but
   this allows you to provide a catch-all that's more descriptive than 'log'.
@@ -64,9 +60,25 @@ See `attributes/default.rb` for default values.
 * `node[:sumologic][:log_sources][:force_timezone]` - Set to *true* to force any
   timestamps parsed out of log files to this timezone, regardless of any
   timezone information they may carry.
+* `node[:sumologic][:credentials][:bag_name]` - Name of the data bag
+* `node[:sumologic][:credentials][:item_name]` - Name of the item within the data bag
+* `node[:sumologic][:credentials][:secret_file]` - Path to the local file containing the encryption secret key.  Needed if the data bag is encrypted.  Typically is located at `/etc/chef/encrypted_data_bag_secret`.
 
-Usage
-=====
+NOTE: Having `node[:sumologic][:credentials]` set will take precidence over `node[:sumologic][:email]` and `node[:sumologic][:password]`
+
+# Data bag
+
+If you set `node[:sumologic][:credentials]`, you must have a data bag setup in the following form:
+
+```
+{
+ "id": "api-creds",
+ "accessID": "[email protected]",
+ "accessKey": "password123"
+}
+```
+
+# Usage
 
 Drop this cookbook with the default recipe onto your servers and you've got
 a collector running.  Want some sources?  Use the sumo\_source definition
@@ -84,20 +96,17 @@ configure all of your sources before restarting sumologic.  It will also
 correctly set the '-o' sumocollector parameter for a sumo restart to force the
 web interface to accept changes to your sources.
 
-Helper Functions
-==============
+# Helper Functions
 
-Sumologic.collector_exists?(node_name, email, pass)
----------------------------------------------------
+## Sumologic.collector_exists?(node_name, email, pass)
 
 This checks whether or not a collector with the given name exists.
 
 * `node_name` - name of the collector to be checked
 * `email` - email to use againt the API
 * `pass` - password for the email above
 
-Changes
-=======
+# Changes
 
 ## v0.0.2
 
@@ -119,8 +128,7 @@ Changes
 * Stop forcing a particular URL to work; users can now use whatever URL they
   please to store their Sumo tarballs.
 
-License and Author
-==================
+# License and Author
 
 * Author:: Grant Ridder (<[email protected]>)
 * Author:: Ranjib Dey (<[email protected]>)

libraries/sumo_source_provider.rb

@@ -15,10 +15,21 @@ def whyrun_supported?
 
       def load_current_resource
         return if node['sumologic']['disabled']
+
+        creds = load_creds
+
+        if creds['accessID'] && creds['accessKey']
+          api_username = creds['accessID']
+          api_password = creds['accessKey']
+        elsif creds['email'] && creds['password']
+          api_username = creds['email']
+          api_password = creds['password']
+        end
+
         @@collector ||= Sumologic::Collector.new(
           name: node.name,
-          api_username: node['sumologic']['userID'],
-          api_password: node['sumologic']['password'],
+          api_username: api_username,
+          api_password: api_password,
           api_timeout: node['sumologic']['api_timeout']
         )
 
@@ -106,6 +117,38 @@ def convergence_description
         end
         description
       end
+
+      # logic modified from https://github.com/SumoLogic/sumologic-collector-chef-cookbook/blob/master/recipes/sumoconf.rb#L34
+      def load_creds
+        if node['sumologic']['credentials']
+          creds = node['sumologic']['credentials']
+          credentials = {}
+
+          if creds[:secret_file]
+            secret = Chef::EncryptedDataBagItem.load_secret(creds[:secret_file])
+            bag = Chef::EncryptedDataBagItem.load(creds[:bag_name], creds[:item_name], secret)
+          else
+            bag = Chef::DataBagItem.load(creds[:bag_name], creds[:item_name])
+          end
+
+          [:accessID, :accessKey, :email, :password].each do |item|
+            credentials[item] = bag[item]
+          end
+
+        else
+          if node['sumologic']['userID']
+            credentials['email'] = node['sumologic']['userID']
+          elsif node['sumologic']['email']
+            credentials['email'] = node['sumologic']['email']
+          end
+
+          %w(accessID accessKey password).each do |item|
+            credentials[item] = node['sumologic'][item]
+          end
+        end
+
+        credentials
+      end
     end
   end
 end

test/integration/data_bags/sumo-creds/api-creds-encrypt.json

@@ -0,0 +1,15 @@
+{
+  "id": "api-creds-encrypt",
+  "accessID": {
+    "encrypted_data": "6WL6jKw9BDl3RjDEjSfU9k6zHr6VCJuWjJU7Tc7s0qFClIklp1ldXBFro9sA\njmtx\n",
+    "iv": "wgYo/+EgWY+M/34cxwlmQA==\n",
+    "version": 1,
+    "cipher": "aes-256-cbc"
+  },
+  "accessKey": {
+    "encrypted_data": "a7MB3m5rzOLhHuJKpZJ+l8eXJk12dJILbiWnbXs/rEg=\n",
+    "iv": "af+kj8cu7aajQmoKi2l89Q==\n",
+    "version": 1,
+    "cipher": "aes-256-cbc"
+  }
+}

test/integration/default/encrypted_data_bag_secret

@@ -0,0 +1,11 @@
+7uYbrZii2tlh2PqcHtN/SGckJ9G6RVUPOSOMXeDHaXCq8u+y+DLWRYDvml8IBoTo
+CARZ6snNkjGvUptLZBtbqBHSILNFMTpe1wgBOdOuwyTRIEpOnJg+e33J+ilQLdoh
+rtytLg7bgI+AEcjJQh2QR3B5jqBK9RYOW7Dv7PTtYyxEpk4azIjGESkGuuB+ztoj
+XQhudhMvoxioShkCqXDQKu5l7bV/j1QbJdu/BlAhiZCDbe4ytjZiWfDizmejH9ux
+V9u/yHMJS88JyB/eiDYo+NbzSusR86p1Rl6x0RzkTs2lrvnhcEweO7MVDHuOolkV
+W6ZMjRxhGdtLCoZnnzIc6GcfFOxEe1RKXIYqkk08/RqbLAKeQmpNY9T80MuaTobE
+i1BvLzxS2ezWVhZXZBPkqzfAmOYCHhU7Kzk97xQvpc/ZQ5Rs28rxhtv9RlL/aCdf
+wsANLU7IBJ1gMug1srgURc7cRqL7oRTkxUeBkXi+qq0zuQXecgusSGbVdGo2SRTh
+U5wKtj/ERxBuxXmQf28vNN6mVNG3mJtOXZJRU1YPHCYVozrL2Fd+Da3NXKXN0VCM
+rIpqx9TKNdXv7l/qEcPyCCaZnnHQ+bXEM56rbSQjBcChPhthwx5fN1G/ztNEErZh
+zNAbnqrpBUwgveW2hSOkO9eU430QkMyZcSFUBSF2QmE=