From 7c76ad709a1d35a3f27a8e191fba0177a7be1e8a Mon Sep 17 00:00:00 2001
From: halida
Date: Thu, 2 Apr 2015 21:50:28 +0800
Subject: [PATCH 1/2] add remove_data_bags
---
 README.md | 8 ++++++++
 littlechef/chef.py | 7 +++++++
 littlechef/runner.py | 5 +++++
 3 files changed, 20 insertions(+)
diff --git a/README.md b/README.md
index e6aa0fa..fa450f1 100644
--- a/README.md
+++ b/README.md
@@ -203,6 +203,14 @@ This will put the encrypted_data_bag_secret in `/etc/chef/encrypted_data_bag_sec
 Chef-solo will automatically use it wherever you use `Chef::EncryptedDataBagItem.load` in your recipes.
 It will also remove the `/etc/chef/encrypted_data_bag_secret` file from the node at the end of the run.
+If you are not comfortable about leaving data bags in the remote node, which will leak sensitive information, you can tell littlechef to delete them all at the end of the run:
+
+```ini
+[userinfo]
+remove_data_bags=true
+```
+
+
 ```ini
 [kitchen]
 autodeploy_chef=true
diff --git a/littlechef/chef.py b/littlechef/chef.py
index 2c32638..cea9b81 100644
--- a/littlechef/chef.py
+++ b/littlechef/chef.py
@@ -394,11 +394,18 @@ def _remove_remote_node_data_bag():
 if exists(node_data_bag_path):
 sudo("rm -rf {0}".format(node_data_bag_path))
+def _remove_remote_data_bags():
+ """Remove remote data bags, so it won't leak any sensitive information"""
+ data_bags_path = os.path.join(env.node_work_path, 'data_bags')
+ if exists(data_bags_path):
+ sudo("rm -rf {0}".format(data_bags_path))
 def _node_cleanup():
 if env.loglevel is not "debug":
 with hide('running', 'stdout'):
 _remove_remote_node_data_bag()
+ if env.remove_data_bags:
+ _remove_remote_data_bags()
 with settings(warn_only=True):
 sudo("rm '/etc/chef/node.json'")
 if env.encrypted_data_bag_secret:
diff --git a/littlechef/runner.py b/littlechef/runner.py
index 7985c64..2538143 100644
--- a/littlechef/runner.py
+++ b/littlechef/runner.py
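Review bot: The new `if env.remove_data_bags:` block in `_node_cleanup` appears to sit inside the existing `if env.loglevel is not "debug":` branch (indentation is collapsed in this patch, so this is inferred from line order), which means a run with the debug loglevel leaves the data bags on the node even when the option is set — the opposite of what the README text in this commit promises. Since the whole point of the option is to not leave secrets behind, move the two added lines to the top of `_node_cleanup`, ahead of the loglevel check: `if env.remove_data_bags:` / `    _remove_remote_data_bags()`. Separately, `_remove_remote_data_bags` interpolates `data_bags_path` unquoted into `rm -rf`, mirroring `_remove_remote_node_data_bag`; quoting it as `sudo("rm -rf '{0}'".format(data_bags_path))` keeps a `node_work_path` containing spaces from turning into a different argument list. `_node_cleanup` continues past the end of the hunk.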
@@ -444,6 +444,11 @@ def _readconfig():
 except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
 env.https_proxy = None
+ try:
+ env.remove_data_bags = config.get('userinfo', 'remove_data_bags')
+ except ConfigParser.NoOptionError:
+ env.remove_data_bags = None
+
 # Check for an encrypted_data_bag_secret file and set the env option
 try:
 env.encrypted_data_bag_secret = config.get('userinfo',
From b7f4dcdb7b2a0fae41b94571a37974be34c97b56 Mon Sep 17 00:00:00 2001
From: Halida
Date: Thu, 9 Apr 2015 20:17:13 +0800
Subject: [PATCH 2/2] change default remove_data_bags value
---
 littlechef/runner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/littlechef/runner.py b/littlechef/runner.py
index 2538143..bb76194 100644
--- a/littlechef/runner.py
+++ b/littlechef/runner.py
@@ -447,7 +447,7 @@ def _readconfig():
 try:
 env.remove_data_bags = config.get('userinfo', 'remove_data_bags')
 except ConfigParser.NoOptionError:
- env.remove_data_bags = None
+ env.remove_data_bags = False
 # Check for an encrypted_data_bag_secret file and set the env option
 try:
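Review bot: `config.get('userinfo', 'remove_data_bags')` returns the raw string, so a user who writes `remove_data_bags=false` (or `no`, `0`) gets a non-empty, truthy value and `_node_cleanup` in chef.py deletes the data bags anyway; use `config.getboolean('userinfo', 'remove_data_bags')`, which parses the usual true/false spellings and raises `ValueError` on anything else rather than silently guessing. The except clause also catches only `ConfigParser.NoOptionError`, while the `https_proxy` read a few lines above catches `(ConfigParser.NoOptionError, ConfigParser.NoSectionError)`, so a config file without a `[userinfo]` section will now abort `_readconfig` with `NoSectionError`. The two lines to change are `env.remove_data_bags = config.getboolean('userinfo', 'remove_data_bags')` and `except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):`. The second patch's hunk at this same spot only changes the fallback from `None` to `False` and inherits both issues. `_readconfig` begins and ends outside the hunk.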