TrueCar-chef 0.10.0.beta.3

data/lib/chef/encrypted_data_bag_item.rb

@@ -0,0 +1,126 @@
+#
+# Author:: Seth Falcon (<seth@opscode.com>)
+# Copyright:: Copyright 2010 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'base64'
+require 'openssl'
+require 'chef/data_bag_item'
+require 'yaml'
+
+# An EncryptedDataBagItem represents a read-only data bag item where
+# all values, except for the value associated with the id key, have
+# been encrypted.
+#
+# EncrypedDataBagItem can be used in recipes to decrypt data bag item
+# members.
+#
+# Data bag item values are assumed to have been encrypted using the
+# default symmetric encryption provided by Encryptor.encrypt where
+# values are converted to YAML prior to encryption.
+#
+# If the shared secret is not specified at initialization or load,
+# then the contents of the file referred to in
+# Chef::Config[:encrypted_data_bag_secret] will be used as the
+# secret.  The default path is /etc/chef/encrypted_data_bag_secret
+#
+# EncryptedDataBagItem is intended to provide a means to avoid storing
+# data bag items in the clear on the Chef server.  This provides some
+# protection against a breach of the Chef server or of Chef server
+# backup data.  Because the secret must be stored in the clear on any
+# node needing access to an EncryptedDataBagItem, this approach
+# provides no protection of data bag items from actors with access to
+# such nodes in the infrastructure.
+#
+class Chef::EncryptedDataBagItem
+  DEFAULT_SECRET_FILE = "/etc/chef/encrypted_data_bag_secret"
+  ALGORITHM = 'aes-256-cbc'
+
+  def initialize(enc_hash, secret)
+    @enc_hash = enc_hash
+    @secret = secret
+  end
+
+  def [](key)
+    value = @enc_hash[key]
+    if key == "id"
+      value
+    else
+      self.class.decrypt_value(value, @secret)
+    end
+  end
+
+  def []=(key, value)
+    raise ArgumentError, "assignment not supported for #{self.class}"
+  end
+
+  def to_hash
+    @enc_hash.keys.inject({}) { |hash, key| hash[key] = self[key]; hash }
+  end
+
+  def self.from_plain_hash(plain_hash, secret)
+    self.new(self.encrypt_data_bag_item(plain_hash, secret), secret)
+  end
+
+  def self.encrypt_data_bag_item(plain_hash, secret)
+    plain_hash.inject({}) do |h, (key, val)|
+      h[key] = if key != "id"
+                 self.encrypt_value(val, secret)
+               else
+                 val
+               end
+      h
+    end
+  end
+
+  def self.load(data_bag, name, secret = nil)
+    path = "data/#{data_bag}/#{name}"
+    raw_hash = Chef::DataBagItem.load(data_bag, name)
+    secret = secret || self.load_secret
+    self.new(raw_hash, secret)
+  end
+
+  def self.encrypt_value(value, key)
+    Base64.encode64(self.cipher(:encrypt, value.to_yaml, key))
+  end
+
+  def self.decrypt_value(value, key)
+    YAML.load(self.cipher(:decrypt, Base64.decode64(value), key))
+  end
+
+  def self.load_secret(path=nil)
+    path = path || Chef::Config[:encrypted_data_bag_secret] || DEFAULT_SECRET_FILE
+    if !File.exists?(path)
+      raise Errno::ENOENT, "file not found '#{path}'"
+    end
+    secret = IO.read(path).strip
+    if secret.size < 1
+      raise ArgumentError, "invalid zero length secret in '#{path}'"
+    end
+    secret
+  end
+
+  protected
+
+  def self.cipher(direction, data, key)
+    cipher = OpenSSL::Cipher::Cipher.new(ALGORITHM)
+    cipher.send(direction)
+    cipher.pkcs5_keyivgen(key)
+    ans = cipher.update(data)
+    ans << cipher.final
+    ans
+  end
+end

data/lib/chef/environment.rb

@@ -0,0 +1,386 @@
+#
+# Author:: Stephen Delano (<stephen@opscode.com>)
+# Author:: Seth Falcon (<seth@opscode.com>)
+# Copyright:: Copyright 2010-2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/config'
+require 'chef/mixin/params_validate'
+require 'chef/couchdb'
+require 'chef/index_queue'
+require 'chef/version_constraint'
+
+class Chef
+  class Environment
+
+    DEFAULT = "default"
+
+    include Chef::Mixin::ParamsValidate
+    include Chef::Mixin::FromFile
+    include Chef::IndexQueue::Indexable
+
+    COMBINED_COOKBOOK_CONSTRAINT = /(.+)(?:[\s]+)((?:#{Chef::VersionConstraint::OPS.join('|')})(?:[\s]+).+)$/.freeze
+
+    attr_accessor :couchdb, :couchdb_rev
+    attr_reader :couchdb_id
+
+    DESIGN_DOCUMENT = {
+      "version" => 1,
+      "language" => "javascript",
+      "views" => {
+        "all" => {
+          "map" => <<-EOJS
+          function(doc) {
+            if (doc.chef_type == "environment") {
+              emit(doc.name, doc);
+            }
+          }
+          EOJS
+        },
+        "all_id" => {
+          "map" => <<-EOJS
+          function(doc) {
+            if (doc.chef_type == "environment") {
+              emit(doc.name, doc.name);
+            }
+          }
+          EOJS
+        }
+      }
+    }
+
+    def initialize(couchdb=nil)
+      @name = ''
+      @description = ''
+      @attributes = Mash.new
+      @cookbook_versions = Hash.new
+      @couchdb_rev = nil
+      @couchdb_id = nil
+      @couchdb = couchdb || Chef::CouchDB.new
+    end
+
+    def couchdb_id=(value)
+      @couchdb_id = value
+      self.index_id = value
+    end
+
+    def chef_server_rest
+      Chef::REST.new(Chef::Config[:chef_server_url])
+    end
+
+    def self.chef_server_rest
+      Chef::REST.new(Chef::Config[:chef_server_url])
+    end
+
+    def name(arg=nil)
+      set_or_return(
+        :name,
+        arg,
+        { :regex => /^[\-[:alnum:]_]+$/, :kind_of => String }
+      )
+    end
+
+    def description(arg=nil)
+      set_or_return(
+        :description,
+        arg,
+        :kind_of => String
+      )
+    end
+
+    def attributes(arg=nil)
+      set_or_return(
+        :attributes,
+        arg,
+        :kind_of => Hash
+      )
+    end
+
+    def cookbook_versions(arg=nil)
+      set_or_return(
+        :cookbook_versions,
+        arg,
+        {
+          :kind_of => Hash,
+          :callbacks => {
+            "should be a valid set of cookbook version requirements" => lambda { |cv| Chef::Environment.validate_cookbook_versions(cv) }
+          }
+        }
+      )
+    end
+
+    def cookbook(cookbook, version)
+      validate({
+        :version => version
+      },{
+        :version => {
+          :callbacks => { "should be a valid version requirement" => lambda { |v| Chef::Environment.validate_cookbook_version(v) } }
+        }
+      })
+      @cookbook_versions[cookbook] = version
+    end
+
+    def to_hash
+      result = {
+        "name" => @name,
+        "description" => @description,
+        "cookbook_versions" =>  @cookbook_versions,
+        "json_class" => self.class.name,
+        "chef_type" => "environment",
+        "attributes" => @attributes
+      }
+      result["_rev"] = couchdb_rev if couchdb_rev
+      result
+    end
+
+    def to_json(*a)
+      to_hash.to_json(*a)
+    end
+
+    def update_from!(o)
+      description(o.description)
+      cookbook_versions(o.cookbook_versions)
+      attributes(o.attributes)
+      self
+    end
+
+    def update_from_params(params)
+      # reset because everything we need will be in the params, this is necessary because certain constraints
+      # may have been removed in the params and need to be removed from cookbook_versions as well.
+      bkup_cb_versions = cookbook_versions
+      cookbook_versions(Hash.new)
+      valid = true
+
+      begin
+        name(params[:name])
+      rescue Chef::Exceptions::ValidationFailed => e
+        invalid_fields[:name] = e.message
+        valid = false
+      end
+      description(params[:description])
+
+      unless params[:cookbook_version].nil?
+        params[:cookbook_version].each do |index, cookbook_constraint_spec|
+          unless (cookbook_constraint_spec.nil? || cookbook_constraint_spec.size == 0)
+            valid = valid && update_cookbook_constraint_from_param(index, cookbook_constraint_spec)
+          end
+        end
+      end
+
+      unless params[:attributes].nil? || params[:attributes].size == 0
+        attributes(Chef::JSONCompat.from_json(params[:attributes]))
+      end
+
+      valid = validate_required_attrs_present && valid
+      cookbook_versions(bkup_cb_versions) unless valid # restore the old cookbook_versions if valid is false
+      valid
+    end
+
+    def update_cookbook_constraint_from_param(index, cookbook_constraint_spec)
+      valid = true
+      md = cookbook_constraint_spec.match(COMBINED_COOKBOOK_CONSTRAINT)
+      if md.nil? || md[2].nil?
+        valid = false
+        add_cookbook_constraint_error(index, cookbook_constraint_spec)
+      elsif self.class.validate_cookbook_version(md[2])
+        cookbook_versions[md[1]] = md[2]
+      else
+        valid = false
+        add_cookbook_constraint_error(index, cookbook_constraint_spec)
+      end
+      valid
+    end
+
+    def add_cookbook_constraint_error(index, cookbook_constraint_spec)
+      invalid_fields[:cookbook_version] ||= {}
+      invalid_fields[:cookbook_version][index] = "#{cookbook_constraint_spec} is not a valid cookbook constraint"
+    end
+
+    def invalid_fields
+      @invalid_fields ||= {}
+    end
+
+    def validate_required_attrs_present
+      if name.nil? || name.size == 0
+        invalid_fields[:name] ||= "name cannot be empty"
+        false
+      else
+        true
+      end
+    end
+
+
+    def self.json_create(o)
+      environment = new
+      environment.name(o["name"])
+      environment.description(o["description"])
+      environment.cookbook_versions(o["cookbook_versions"])
+      environment.attributes(o["attributes"])
+      environment.couchdb_rev = o["_rev"] if o.has_key?("_rev")
+      environment.couchdb_id = o["_id"] if o.has_key?("_id")
+      environment
+    end
+
+    def self.cdb_list(inflate=false, couchdb=nil)
+      es = (couchdb || Chef::CouchDB.new).list("environments", inflate)
+      lookup = (inflate ? "value" : "key")
+      es["rows"].collect { |e| e[lookup] }
+    end
+
+    def self.list(inflate=false)
+      if inflate
+        # TODO: index the environments and use search to inflate - don't inflate for now :(
+        chef_server_rest.get_rest("environments")
+      else
+        chef_server_rest.get_rest("environments")
+      end
+    end
+
+    def self.cdb_load(name, couchdb=nil)
+      (couchdb || Chef::CouchDB.new).load("environment", name)
+    end
+
+    def self.load(name)
+      chef_server_rest.get_rest("environments/#{name}")
+    end
+
+    def self.exists?(name, couchdb)
+      begin
+        self.cdb_load(name, couchdb)
+      rescue Chef::Exceptions::CouchDBNotFound
+        nil
+      end
+    end
+
+    def cdb_destroy
+      couchdb.delete("environment", @name, couchdb_rev)
+    end
+
+    def destroy
+      chef_server_rest.delete_rest("environments/#{@name}")
+    end
+
+    def cdb_save
+      self.couchdb_rev = couchdb.store("environment", @name, self)["rev"]
+    end
+
+    def save
+      begin
+        chef_server_rest.put_rest("environments/#{@name}", self)
+      rescue Net::HTTPServerException => e
+        raise e unless e.response.code == "404"
+        chef_server_rest.post_rest("environments", self)
+      end
+      self
+    end
+
+    def create
+      chef_server_rest.post_rest("environments", self)
+      self
+    end
+
+    # Set up our CouchDB design document
+    def self.create_design_document(couchdb=nil)
+      (couchdb || Chef::CouchDB.new).create_design_document("environments", DESIGN_DOCUMENT)
+    end
+
+    # Loads the set of Chef::CookbookVersion objects available to a given environment
+    # === Returns
+    # Hash
+    # i.e.
+    # {
+    #   "cookbook_name" => [ Chef::CookbookVersion ... ] ## the array of CookbookVersions is sorted highest to lowest
+    # }
+    #
+    # There will be a key for every cookbook.  If no CookbookVersions
+    # are available for the specified environment the value will be an
+    # empty list.
+    #
+    def self.cdb_load_filtered_cookbook_versions(name, couchdb=nil)
+      version_constraints = cdb_load(name, couchdb).cookbook_versions.inject({}) {|res, (k,v)| res[k] = Chef::VersionConstraint.new(v); res}
+
+      # inject all cookbooks into the hash while filtering out restricted versions, then sort the individual arrays
+      cookbook_list = Chef::CookbookVersion.cdb_list(true, couchdb)
+
+      filtered_list = cookbook_list.inject({}) do |res, cookbook|
+        # FIXME: should cookbook.version return a Chef::Version?
+        version               = Chef::Version.new(cookbook.version)
+        requirement_satisfied = version_constraints.has_key?(cookbook.name) ? version_constraints[cookbook.name].include?(version) : true
+        # we want a key for every cookbook, even if no versions are available
+        res[cookbook.name] ||= []
+        res[cookbook.name] << cookbook if requirement_satisfied
+        res
+      end
+
+      sorted_list = filtered_list.inject({}) do |res, (cookbook_name, versions)|
+        res[cookbook_name] = versions.sort.reverse
+        res
+      end
+
+      sorted_list
+    end
+
+    def self.cdb_load_filtered_recipe_list(name, couchdb=nil)
+      cdb_load_filtered_cookbook_versions(name, couchdb).map do |cb_name, cb|
+        cb.first.recipe_filenames_by_name.keys.map do |recipe|
+          case recipe
+          when DEFAULT
+            cb_name
+          else
+            "#{cb_name}::#{recipe}"
+          end
+        end
+      end.flatten
+    end
+
+    def self.load_filtered_recipe_list(environment)
+      chef_server_rest.get_rest("environments/#{environment}/recipes")
+    end
+
+    def to_s
+      @name
+    end
+
+    def self.validate_cookbook_versions(cv)
+      return false unless cv.kind_of?(Hash)
+      cv.each do |cookbook, version|
+        return false unless Chef::Environment.validate_cookbook_version(version)
+      end
+      true
+    end
+
+    def self.validate_cookbook_version(version)
+      begin
+        Chef::VersionConstraint.new version
+        true
+      rescue ArgumentError
+        false
+      end
+    end
+
+    def self.create_default_environment(couchdb=nil)
+      couchdb = couchdb || Chef::CouchDB.new
+      begin
+        Chef::Environment.cdb_load('_default', couchdb)
+      rescue Chef::Exceptions::CouchDBNotFound
+        env = Chef::Environment.new(couchdb)
+        env.name '_default'
+        env.description 'The default Chef environment'
+        env.cdb_save
+      end
+    end
+  end
+end