berkshelf 3.0.0.beta7 → 3.0.0.beta8

data/lib/berkshelf/locations/base.rb

@@ -0,0 +1,75 @@
+module Berkshelf
+  class BaseLocation
+    attr_reader :dependency
+    attr_reader :options
+
+    def initialize(dependency, options = {})
+      @dependency = dependency
+      @options    = options
+    end
+
+    # Determine if this revision is installed.
+    #
+    # @return [Boolean]
+    def installed?
+      raise AbstractFunction,
+        "#installed? must be implemented on #{self.class.name}!"
+    end
+
+    # Install the given cookbook. Subclasses that implement this method should
+    # perform all the installation and validation steps required.
+    #
+    # @return [void]
+    def install
+      raise AbstractFunction,
+        "#install must be implemented on #{self.class.name}!"
+    end
+
+    # The cached cookbook for this location.
+    #
+    # @return [CachedCookbook]
+    def cached_cookbook
+      raise AbstractFunction,
+        "#cached_cookbook must be implemented on #{self.class.name}!"
+    end
+
+    # The lockfile representation of this location.
+    #
+    # @return [string]
+    def to_lock
+      raise AbstractFunction,
+        "#to_lock must be implemented on #{self.class.name}!"
+    end
+
+    # Ensure the given {CachedCookbook} is valid
+    #
+    # @param [String] path
+    #   the path to the possible cookbook
+    #
+    # @raise [NotACookbook]
+    #   if the cookbook at the path does not have a metadata
+    # @raise [CookbookValidationFailure]
+    #   if given CachedCookbook does not satisfy the constraint of the location
+    # @raise [MismatcheCookboookName]
+    #   if the cookbook does not have a name or if the name is different
+    #
+    # @return [true]
+    def validate_cached!(path)
+      unless File.cookbook?(path)
+        raise NotACookbook.new(path)
+      end
+
+      cookbook = CachedCookbook.from_path(path)
+
+      unless @dependency.version_constraint.satisfies?(cookbook.version)
+        raise CookbookValidationFailure.new(dependency, cookbook)
+      end
+
+      unless @dependency.name == cookbook.cookbook_name
+        raise MismatchedCookbookName.new(dependency, cookbook)
+      end
+
+      true
+    end
+  end
+end

data/lib/berkshelf/locations/git.rb

@@ -0,0 +1,196 @@
+require 'buff/shell_out'
+
+module Berkshelf
+  class GitLocation < BaseLocation
+    class GitError < BerkshelfError; status_code(400); end
+
+    class GitNotInstalled < GitError
+      def initialize
+        super 'You need to install Git before you can download ' \
+          'cookbooks from git repositories. For more information, please ' \
+          'see the Git docs: http://git-scm.org.'
+      end
+    end
+
+    class GitCommandError < GitError
+      def initialize(command, path, stderr = nil)
+        out =  "Git error: command `git #{command}` failed. If this error "
+        out << "persists, try removing the cache directory at '#{path}'."
+
+        if stderr
+          out << "Output from the command:\n\n"
+          out << stderr
+        end
+
+        super(out)
+      end
+    end
+
+    attr_reader :uri
+    attr_reader :branch
+    attr_reader :tag
+    attr_reader :ref
+    attr_reader :revision
+    attr_reader :rel
+
+    def initialize(dependency, options = {})
+      super
+
+      @uri      = options[:git]
+      @branch   = options[:branch]
+      @tag      = options[:tag]
+      @ref      = options[:ref]
+      @revision = options[:revision]
+      @rel      = options[:rel]
+
+      # The revision to parse
+      @rev_parse = options[:ref] || options[:branch] || options[:tag] || 'master'
+    end
+
+    # @see BaseLoation#installed?
+    def installed?
+      revision && install_path.exist?
+    end
+
+    # Install this git cookbook into the cookbook store. This method leverages
+    # a cached git copy and a scratch directory to prevent bad cookbooks from
+    # making their way into the cookbook store.
+    #
+    # @see BaseLOcation#install
+    def install
+      scratch_path = Pathname.new(Dir.mktmpdir)
+
+      if cached?
+        Dir.chdir(cache_path) do
+          git %|fetch --force --tags #{uri} "refs/heads/*:refs/heads/*"|
+        end
+      else
+        git %|clone #{uri} "#{cache_path}" --bare --no-hardlinks|
+      end
+
+      Dir.chdir(cache_path) do
+        @revision ||= git %|rev-parse #{@rev_parse}|
+      end
+
+      # Clone into a scratch directory for validations
+      git %|clone --no-checkout "#{cache_path}" "#{scratch_path}"|
+
+      # Make sure the scratch directory is up-to-date and account for rel paths
+      Dir.chdir(scratch_path) do
+        git %|fetch --force --tags "#{cache_path}"|
+        git %|reset --hard #{@revision}|
+
+        if rel
+          git %|filter-branch --subdirectory-filter "#{rel}" --force|
+        end
+      end
+
+      # Validate the scratched path is a valid cookbook
+      validate_cached!(scratch_path)
+
+      # If we got this far, we should copy
+      FileUtils.rm_rf(install_path) if install_path.exist?
+      FileUtils.cp_r(scratch_path, install_path)
+      install_path.chmod(0777 & ~File.umask)
+    ensure
+      # Ensure the scratch directory is cleaned up
+      FileUtils.rm_rf(scratch_path)
+    end
+
+    # @see BaseLocation#cached_cookbook
+    def cached_cookbook
+      if installed?
+        @cached_cookbook ||= CachedCookbook.from_path(install_path)
+      else
+        nil
+      end
+    end
+
+    def ==(other)
+      other.is_a?(GitLocation) &&
+      other.uri == uri &&
+      other.branch == branch &&
+      other.tag == tag &&
+      other.shortref == shortref &&
+      other.rel == rel
+    end
+
+    def to_s
+      info = tag || branch || shortref || @rev_parse
+
+      if rel
+        "#{uri} (at #{info}/#{rel})"
+      else
+        "#{uri} (at #{info})"
+      end
+    end
+
+    def to_lock
+      out =  "    git: #{uri}\n"
+      out << "    revision: #{revision}\n"
+      out << "    ref: #{shortref}\n"  if shortref
+      out << "    branch: #{branch}\n" if branch
+      out << "    tag: #{tag}\n"       if tag
+      out << "    rel: #{rel}\n"       if rel
+      out
+    end
+
+    protected
+
+    # The short ref (if one was given).
+    #
+    # @return [String, nil]
+    def shortref
+      ref && ref[0...7]
+    end
+
+    private
+
+    # Perform a git command.
+    #
+    # @param [String] command
+    #   the command to run
+    # @param [Boolean] error
+    #   whether to raise error if the command fails
+    #
+    # @raise [String]
+    #   the +$stdout+ from the command
+    def git(command, error = true)
+      unless Berkshelf.which('git') || Berkshelf.which('git.exe')
+        raise GitNotInstalled.new
+      end
+
+      response = Buff::ShellOut.shell_out(%|git #{command}|)
+
+      if error && !response.success?
+        raise GitCommandError.new(command, cache_path, stderr = response.stderr)
+      end
+
+      response.stdout.strip
+    end
+
+    # Determine if this git repo has already been downloaded.
+    #
+    # @return [Boolean]
+    def cached?
+      cache_path.exist?
+    end
+
+    # The path where this cookbook would live in the store, if it were
+    # installed.
+    #
+    # @return [Pathname, nil]
+    def install_path
+      Berkshelf.cookbook_store.storage_path
+        .join("#{dependency.name}-#{revision}")
+    end
+
+    # The path where this git repository is cached.
+    #
+    # @return [Pathname]
+    def cache_path
+      Pathname.new(Berkshelf.berkshelf_path)
+        .join('.cache', 'git', Digest::SHA1.hexdigest(uri))
+    end
+  end
+end

data/lib/berkshelf/locations/github.rb

@@ -0,0 +1,8 @@
+module Berkshelf
+  class GithubLocation < GitLocation
+    def initialize(dependency, options = {})
+      options[:git] = "git://github.com/#{options.delete(:github)}.git"
+      super
+    end
+  end
+end

data/lib/berkshelf/locations/path.rb

@@ -0,0 +1,78 @@
+module Berkshelf
+  class PathLocation < BaseLocation
+    # Technically path locations are always installed, but this method
+    # intentionally returns +false+ to force validation of the cookbook at the
+    # path.
+    #
+    # @see BaseLocation#installed?
+    def installed?
+      false
+    end
+
+    # The installation for a path location is actually just a noop
+    #
+    # @see BaseLocation#install
+    def install
+      validate_cached!(expanded_path)
+    end
+
+    # @see BaseLocation#cached_cookbook
+    def cached_cookbook
+      @cached_cookbook ||= CachedCookbook.from_path(expanded_path)
+    end
+
+    # Returns true if the location is a metadata location. By default, no
+    # locations are the metadata location.
+    #
+    # @return [Boolean]
+    def metadata?
+      !!options[:metadata]
+    end
+
+    # Return this PathLocation's path relative to the associated Berksfile. It
+    # is actually the path reative to the associated Berksfile's parent
+    # directory.
+    #
+    # @return [String]
+    #   the relative path relative to the target
+    def relative_path
+      my_path     = Pathname.new(options[:path]).expand_path
+      target_path = Pathname.new(dependency.berksfile.filepath).expand_path
+      target_path = target_path.dirname if target_path.file?
+
+      new_path = my_path.relative_path_from(target_path).to_s
+
+      return new_path if new_path.index('.') == 0
+      "./#{new_path}"
+    end
+
+    # The fully expanded path of this cookbook on disk, relative to the
+    # Berksfile.
+    #
+    # @return [String]
+    def expanded_path
+      parent = File.expand_path(File.dirname(dependency.berksfile.filepath))
+      File.expand_path(relative_path, parent)
+    end
+
+    def ==(other)
+      other.is_a?(PathLocation) &&
+      other.metadata? == metadata? &&
+      other.relative_path == relative_path
+    end
+
+    def to_lock
+      out =  "    path: #{relative_path}\n"
+      out << "    metadata: true\n" if metadata?
+      out
+    end
+
+    def to_s
+      "source at #{relative_path}"
+    end
+
+    def inspect
+      "#<Berkshelf::PathLocation metadata: #{metadata?}, path: #{relative_path}>"
+    end
+  end
+end

data/lib/berkshelf/lockfile.rb

@@ -21,10 +21,10 @@ module Berkshelf
       end
     end
 
-    DEFAULT_FILENAME = 'Berksfile.lock'
+    DEFAULT_FILENAME = 'Berksfile.lock'.freeze
 
-    DEPENDENCIES = 'DEPENDENCIES'
-    GRAPH        = 'GRAPH'
+    DEPENDENCIES = 'DEPENDENCIES'.freeze
+    GRAPH        = 'GRAPH'.freeze
 
     include Berkshelf::Mixin::Logging
 
@@ -79,7 +79,9 @@ module Berkshelf
     #
     #   1. All dependencies defined in the Berksfile are present in this
     #      lockfile
-    #   2. Each dependency's constraint in the Berksfile is still satisifed by
+    #   2. Each dependency's transitive dependencies are contained and locked
+    #      in the lockfile
+    #   3. Each dependency's constraint in the Berksfile is still satisifed by
     #      the currently locked version
     #
     # This method does _not_ account for leaky dependencies (i.e. dependencies
@@ -89,14 +91,78 @@ module Berkshelf
     # @return [Boolean]
     #   true if this lockfile is trusted, false otherwise
     def trusted?
-      berksfile.dependencies.all? do |dependency|
-        locked     = find(dependency)
-        graphed    = graph.find(dependency)
-        constraint = dependency.version_constraint
-
-        locked && graphed &&
-        dependency.location == locked.location &&
-        constraint.satisfies?(graphed.version)
+      Berkshelf.log.info 'Checking if lockfile is trusted'
+
+      checked = {}
+
+      berksfile.dependencies.each do |dependency|
+        Berkshelf.log.debug "Checking #{dependency}"
+
+        checked[dependency.name] = true
+
+        locked = find(dependency)
+        if locked.nil?
+          Berkshelf.log.debug "  Not in lockfile - cannot be trusted!"
+          return false
+        end
+
+        graphed = graph.find(dependency)
+        if graphed.nil?
+          Berkshelf.log.debug "  Not in graph - cannot be trusted!"
+          return false
+        end
+
+        if cookbook = dependency.cached_cookbook
+          Berkshelf.log.debug "  Detected there is a cached cookbook"
+
+          unless (cookbook.dependencies.keys - graphed.dependencies.keys).empty?
+            Berkshelf.log.debug "  Cached cookbook has different dependencies - cannot be trusted!"
+            return false
+          end
+        end
+
+        unless dependency.location == locked.location
+          Berkshelf.log.debug "  Different location - cannot be trusted!"
+          Berkshelf.log.debug "    Dependency location: #{dependency.location.inspect}"
+          Berkshelf.log.debug "    Locked location:     #{locked.location.inspect}"
+          return false
+        end
+
+        unless dependency.version_constraint.satisfies?(graphed.version)
+          Berkshelf.log.debug "  Version constraint is not satisified - cannot be trusted!"
+          return false
+        end
+
+        unless satisfies_transitive?(graphed, checked)
+          Berkshelf.log.debug "  Transitive dependencies not satisfies - cannot be trusted!"
+          return false
+        end
+      end
+
+      true
+    end
+
+    # Recursive helper method for checking if transitive dependencies (i.e.
+    # those dependencies defined in the metadata) are satisfied. This method is
+    # used in calculating the trustworthiness of a lockfile.
+    #
+    # @param [GraphItem] graph_item
+    #   the graph item to check transitive dependencies for
+    # @param [Hash] checked
+    #   the list of already checked dependencies
+    #
+    # @return [Boolean]
+    def satisfies_transitive?(graph_item, checked)
+      graph_item.dependencies.all? do |name, constraint|
+        return true if checked[name]
+
+        checked[name] = true
+
+        graphed = graph.find(name)
+        return false if graphed.nil?
+
+        Solve::Constraint.new(constraint).satisfies?(graphed.version) &&
+        satisfies_transitive?(graphed, checked)
       end
     end
 
@@ -179,7 +245,7 @@ module Berkshelf
     # @raise [DependencyNotFound]
     #   if this lockfile does not have the given dependency
     # @raise [CookbookNotFound]
-    #   if this lockfile has the dependency, but the cookbook is not downloaded
+    #   if this lockfile has the dependency, but the cookbook is not installed
     #
     # @param [String, Dependency] dependency
     #   the dependency or name of the dependency to find
@@ -193,9 +259,10 @@ module Berkshelf
         raise DependencyNotFound.new(Dependency.name(dependency))
       end
 
-      unless locked.downloaded?
-        raise CookbookNotFound, "Could not find cookbook '#{locked.to_s}'. " \
-          "Run `berks install` to download and install the missing cookbook."
+      unless locked.installed?
+        name    = locked.name
+        version = locked.locked_version || locked.version_constraint
+        raise CookbookNotFound.new(name, version, 'in the cookbook store')
       end
 
       locked.cached_cookbook
@@ -221,20 +288,90 @@ module Berkshelf
     # dependencies. Then it uses a recursive algorithm to safely remove any
     # other dependencies from the graph that are no longer needed.
     #
-    # @raise [Berkshelf::CookbookNotFound]
+    # @raise [CookbookNotFound]
     #   if the provided dependency does not exist
     #
     # @param [String] dependency
     #   the name of the cookbook to remove
     def unlock(dependency)
-      unless dependency?(dependency)
-        raise Berkshelf::CookbookNotFound, "'#{dependency}' does not exist in this lockfile!"
-      end
-
       @dependencies.delete(Dependency.name(dependency))
       graph.remove(dependency)
     end
 
+    # Iterate over each top-level dependency defined in the lockfile and
+    # check if that dependency is still defined in the Berksfile.
+    #
+    # If the dependency is no longer present in the Berksfile, it is "safely"
+    # removed using {Lockfile#unlock} and {Lockfile#remove}. This prevents
+    # the lockfile from "leaking" dependencies when they have been removed
+    # from the Berksfile, but still remained locked in the lockfile.
+    #
+    # If the dependency exists, a constraint comparison is conducted to verify
+    # that the locked dependency still satisifes the original constraint. This
+    # handles the edge case where a user has updated or removed a constraint
+    # on a dependency that already existed in the lockfile.
+    #
+    # @raise [OutdatedDependency]
+    #   if the constraint exists, but is no longer satisifed by the existing
+    #   locked version
+    #
+    # @return [Array<Dependency>]
+    def reduce!
+      # Store a list of cookbooks to ungraph
+      to_ungraph = {}
+      to_ignore  = {}
+
+      # Unlock any locked dependencies that are no longer in the Berksfile
+      dependencies.each do |dependency|
+        unless berksfile.has_dependency?(dependency.name)
+          unlock(dependency)
+
+          # Keep a record. We know longer trust these dependencies, but simply
+          # unlocking them does not guarantee their removal from the graph.
+          # Instead, we keep a record of the dependency to unlock it later (in
+          # case it is actually removable because it's parent requirer is also
+          # being removed in this reduction). It's a form of science. Don't
+          # question it too much.
+          to_ungraph[dependency.name] = true
+          to_ignore[dependency.name]  = true
+        end
+      end
+
+      # Remove any transitive dependencies
+      berksfile.dependencies.each do |dependency|
+        graphed = graph.find(dependency)
+        next if graphed.nil?
+
+        unless dependency.version_constraint.satisfies?(graphed.version)
+          raise OutdatedDependency.new(graphed, dependency)
+        end
+
+        if cookbook = dependency.cached_cookbook
+          graphed.dependencies.each do |name, constraint|
+            # Unless the cookbook still depends on this key, we want to queue it
+            # for unlocking. This is the magic that prevents transitive
+            # dependency leaking.
+            unless cookbook.dependencies.has_key?(name)
+              to_ungraph[name] = true
+
+              # We also want to ignore the top-level dependency. We can no
+              # longer trust the graph that we have been given for that
+              # dependency and therefore need to reduce it.
+              to_ignore[dependency.name] = true
+            end
+          end
+        end
+      end
+
+      # Now remove all the unlockable items
+      ignore = to_ungraph.merge(to_ignore).keys
+
+      to_ungraph.each do |name, _|
+        graph.remove(name, ignore: ignore)
+      end
+    end
+
+
     # Write the contents of the current statue of the lockfile to disk. This
     # method uses an atomic file write. A temporary file is created, written,
     # and then copied over the existing one. This ensures any partial updates
@@ -248,14 +385,7 @@ module Berkshelf
 
       tempfile = Tempfile.new(['Berksfile',  '.lock'])
 
-      tempfile.write(DEPENDENCIES)
-      tempfile.write("\n")
-      dependencies.sort.each do |dependency|
-        tempfile.write(dependency.to_lock)
-      end
-
-      tempfile.write("\n")
-      tempfile.write(graph.to_lock)
+      tempfile.write(to_lock)
 
       tempfile.rewind
       tempfile.close
@@ -268,6 +398,17 @@ module Berkshelf
       tempfile.unlink if tempfile
     end
 
+    # @private
+    def to_lock
+      out = "#{DEPENDENCIES}\n"
+      dependencies.sort.each do |dependency|
+        out << dependency.to_lock
+      end
+      out << "\n"
+      out << graph.to_lock
+      out
+    end
+
     # @private
     def to_s
       "#<Berkshelf::Lockfile #{Pathname.new(filepath).basename}>"
@@ -280,313 +421,334 @@ module Berkshelf
 
     private
 
-    # The class responsible for parsing the lockfile and turning it into a
-    # useful data structure.
-    class LockfileParser
-      NAME_VERSION         = '(?! )(.*?)(?: \(([^-]*)(?:-(.*))?\))?'
-      DEPENDENCY_PATTERN   = /^ {2}#{NAME_VERSION}$/
-      DEPENDENCIES_PATTERN = /^ {4}#{NAME_VERSION}$/
-      OPTION_PATTERN       = /^ {4}(.+)\: (.+)/
+      # The class responsible for parsing the lockfile and turning it into a
+      # useful data structure.
+      class LockfileParser
+        NAME_VERSION         = '(?! )(.*?)(?: \(([^-]*)(?:-(.*))?\))?'.freeze
+        DEPENDENCY_PATTERN   = /^ {2}#{NAME_VERSION}$/.freeze
+        DEPENDENCIES_PATTERN = /^ {4}#{NAME_VERSION}$/.freeze
+        OPTION_PATTERN       = /^ {4}(.+)\: (.+)/.freeze
 
-      # Create a new lockfile parser.
-      #
-      # @param [Lockfile]
-      def initialize(lockfile)
-        @lockfile  = lockfile
-        @berksfile = lockfile.berksfile
-      end
-
-      # Parse the lockfile contents, adding the correct things to the lockfile.
-      #
-      # @return [true]
-      def run
-        @parsed_dependencies = {}
+        # Create a new lockfile parser.
+        #
+        # @param [Lockfile]
+        def initialize(lockfile)
+          @lockfile  = lockfile
+          @berksfile = lockfile.berksfile
+        end
 
-        contents = File.read(@lockfile.filepath)
+        # Parse the lockfile contents, adding the correct things to the lockfile.
+        #
+        # @return [true]
+        def run
+          @parsed_dependencies = {}
 
-        if contents.strip.empty?
-          Berkshelf.formatter.warn "Your lockfile at '#{@lockfile.filepath}' " \
-            "is empty. I am going to parse it anyway, but there is a chance " \
-            "that a larger problem is at play. If you manually edited your " \
-            "lockfile, you may have corrupted it."
-        end
+          contents = File.read(@lockfile.filepath)
 
-        if contents.strip[0] == '{'
-          Berkshelf.formatter.warn "It looks like you are using an older " \
-            "version of the lockfile. Attempting to convert..."
-
-          dependencies = "#{Lockfile::DEPENDENCIES}\n"
-          graph        = "#{Lockfile::GRAPH}\n"
-
-          begin
-            hash = JSON.parse(contents)
-          rescue JSON::ParserError
-            Berkshelf.formatter.warn "Could not convert lockfile! This is a " \
-            "problem. You see, previous versions of the lockfile were " \
-            "actually a lie. It lied to you about your version locks, and we " \
-            "are really sorry about that.\n\n" \
-            "Here's the good news - we fixed it!\n\n" \
-            "Here's the bad news - you probably should not trust your old " \
-            "lockfile. You should manually delete your old lockfile and " \
-            "re-run the installer."
+          if contents.strip.empty?
+            Berkshelf.formatter.warn "Your lockfile at '#{@lockfile.filepath}' " \
+              "is empty. I am going to parse it anyway, but there is a chance " \
+              "that a larger problem is at play. If you manually edited your " \
+              "lockfile, you may have corrupted it."
           end
 
-          hash['dependencies'] && hash['dependencies'].sort .each do |name, info|
-            dependencies << "  #{name} (>= 0.0.0)\n"
-            info.each do |key, value|
-              unless key == 'locked_version'
-                dependencies << "    #{key}: #{value}\n"
+          if contents.strip[0] == '{'
+            Berkshelf.formatter.warn "It looks like you are using an older " \
+              "version of the lockfile. Attempting to convert..."
+
+            dependencies = "#{Lockfile::DEPENDENCIES}\n"
+            graph        = "#{Lockfile::GRAPH}\n"
+
+            begin
+              hash = JSON.parse(contents)
+            rescue JSON::ParserError
+              Berkshelf.formatter.warn "Could not convert lockfile! This is a " \
+              "problem. You see, previous versions of the lockfile were " \
+              "actually a lie. It lied to you about your version locks, and we " \
+              "are really sorry about that.\n\n" \
+              "Here's the good news - we fixed it!\n\n" \
+              "Here's the bad news - you probably should not trust your old " \
+              "lockfile. You should manually delete your old lockfile and " \
+              "re-run the installer."
+            end
+
+            hash['dependencies'] && hash['dependencies'].sort .each do |name, info|
+              dependencies << "  #{name} (>= 0.0.0)\n"
+              info.each do |key, value|
+                unless key == 'locked_version'
+                  dependencies << "    #{key}: #{value}\n"
+                end
               end
+
+              graph << "  #{name} (#{info['locked_version']})\n"
             end
 
-            graph << "  #{name} (#{info['locked_version']})\n"
+            contents = "#{dependencies}\n#{graph}"
           end
 
-          contents = "#{dependencies}\n#{graph}"
-        end
+          contents.split(/(?:\r?\n)+/).each do |line|
+            if line == Lockfile::DEPENDENCIES
+              @state = :dependency
+            elsif line == Lockfile::GRAPH
+              @state = :graph
+            else
+              send("parse_#{@state}", line)
+            end
+          end
 
-        contents.split(/(?:\r?\n)+/).each do |line|
-          if line == Lockfile::DEPENDENCIES
-            @state = :dependency
-          elsif line == Lockfile::GRAPH
-            @state = :graph
-          else
-            send("parse_#{@state}", line)
+          @parsed_dependencies.each do |name, options|
+            dependency = Dependency.new(@berksfile, name, options)
+            @lockfile.add(dependency)
           end
-        end
 
-        @parsed_dependencies.each do |name, options|
-          dependency = Dependency.new(@berksfile, name, options)
-          @lockfile.add(dependency)
+          true
         end
 
-        true
-      end
+        private
+
+          # Parse a dependency line.
+          #
+          # @param [String] line
+          def parse_dependency(line)
+            if line =~ DEPENDENCY_PATTERN
+              name, version = $1, $2
+
+              @parsed_dependencies[name] ||= {}
+              @parsed_dependencies[name][:constraint] = version if version
+              @current_dependency = @parsed_dependencies[name]
+            elsif line =~ OPTION_PATTERN
+              key, value = $1, $2
+              @current_dependency[key.to_sym] = value
+            end
+          end
 
-      private
+          # Parse a graph line.
+          #
+          # @param [String] line
+          def parse_graph(line)
+            if line =~ DEPENDENCY_PATTERN
+              name, version = $1, $2
+
+              @lockfile.graph.find(name) || @lockfile.graph.add(name, version)
+              @current_lock = name
+            elsif line =~ DEPENDENCIES_PATTERN
+              name, constraint = $1, $2
+              @lockfile.graph.find(@current_lock).add_dependency(name, constraint)
+            end
+          end
+      end
 
-      # Parse a dependency line.
-      #
-      # @param [String] line
-      def parse_dependency(line)
-        if line =~ DEPENDENCY_PATTERN
-          name, version = $1, $2
-
-          @parsed_dependencies[name] ||= {}
-          @parsed_dependencies[name][:constraint] = version if version
-          @current_dependency = @parsed_dependencies[name]
-        elsif line =~ OPTION_PATTERN
-          key, value = $1, $2
-          @current_dependency[key.to_sym] = value
+      # The class representing an internal graph.
+      class Graph
+        # Create a new Lockfile graph.
+        #
+        # Some clarifying terminology:
+        #
+        #     yum-epel (0.2.0) <- lock
+        #       yum (~> 3.0)   <- dependency
+        #
+        # @return [Graph]
+        def initialize(lockfile)
+          @lockfile  = lockfile
+          @berksfile = lockfile.berksfile
+          @graph     = {}
         end
-      end
 
-      # Parse a graph line.
-      #
-      # @param [String] line
-      def parse_graph(line)
-        if line =~ DEPENDENCY_PATTERN
-          name, version = $1, $2
-
-          @lockfile.graph.find(name) || @lockfile.graph.add(name, version)
-          @current_lock = name
-        elsif line =~ DEPENDENCIES_PATTERN
-          name, constraint = $1, $2
-          @lockfile.graph.find(@current_lock).add_dependency(name, constraint)
+        # The list of locks for this graph. Dependencies are retrieved from the
+        # lockfile, then the Berksfile, and finally a new dependency object is
+        # created if none of those exist.
+        #
+        # @return [Hash<String, Dependency>]
+        #   a key-value hash where the key is the name of the cookbook and the
+        #   value is the locked dependency
+        def locks
+          @graph.sort.inject({}) do |hash, (name, item)|
+            dependency = @lockfile.find(name)  ||
+                         @berksfile && @berksfile.find(name) ||
+                         Dependency.new(@berksfile, name)
+            dependency.locked_version = item.version
+
+            hash[item.name] = dependency
+            hash
+          end
         end
-      end
-    end
 
-    # The class representing an internal graph.
-    class Graph
-      # Create a new Lockfile graph.
-      #
-      # Some clarifying terminology:
-      #
-      #     yum-epel (0.2.0) <- lock
-      #       yum (~> 3.0)   <- dependency
-      #
-      # @return [Graph]
-      def initialize(lockfile)
-        @lockfile  = lockfile
-        @berksfile = lockfile.berksfile
-        @graph     = {}
-      end
+        # Find a given dependency in the graph.
+        #
+        # @param [Dependency, String]
+        #   the name/dependency to find
+        #
+        # @return [GraphItem, nil]
+        #   the item for the name
+        def find(dependency)
+          @graph[Dependency.name(dependency)]
+        end
 
-      # The list of locks for this graph. Dependencies are retrieved from the
-      # lockfile, then the Berksfile, and finally a new dependency object is
-      # created if none of those exist.
-      #
-      # @return [Hash<String, Dependency>]
-      #   a key-value hash where the key is the name of the cookbook and the
-      #   value is the locked dependency
-      def locks
-        @graph.sort.inject({}) do |hash, (name, item)|
-          dependency = @lockfile.find(name)  ||
-                       @berksfile && @berksfile.find(name) ||
-                       Dependency.new(@berksfile, name)
-          dependency.locked_version = item.version
-
-          hash[item.name] = dependency
-          hash
+        # Find if the given lock exists?
+        #
+        # @param [Dependency, String]
+        #   the name/dependency to find
+        #
+        # @return [true, false]
+        def lock?(dependency)
+          !find(dependency).nil?
         end
-      end
+        alias_method :has_lock?, :lock?
 
-      # Find a given dependency in the graph.
-      #
-      # @param [Dependency, String]
-      #   the name/dependency to find
-      #
-      # @return [GraphItem, nil]
-      #   the item for the name
-      def find(dependency)
-        @graph[Dependency.name(dependency)]
-      end
+        # Determine if this graph contains the given dependency. This method is
+        # used by the lockfile when adding or removing dependencies to see if a
+        # dependency can be safely removed.
+        #
+        # @param [Dependency, String] dependency
+        #   the name/dependency to find
+        #
+        # @option options [String, Array<String>] :ignore
+        #   the list of dependencies to ignore
+        def dependency?(dependency, options = {})
+          name   = Dependency.name(dependency)
+          ignore = Hash[*Array(options[:ignore]).map { |i| [i, true] }.flatten]
 
-      # Find if the given lock exists?
-      #
-      # @param [Dependency, String]
-      #   the name/dependency to find
-      #
-      # @return [true, false]
-      def lock?(dependency)
-        !find(dependency).nil?
-      end
-      alias_method :has_lock?, :lock?
+          @graph.values.each do |item|
+            next if ignore[item.name]
 
-      # Determine if this graph contains the given dependency. This method is
-      # used by the lockfile when adding or removing dependencies to see if a
-      # dependency can be safely removed.
-      #
-      # @param [Dependency, String] dependency
-      #   the name/dependency to find
-      def dependency?(dependency)
-        @graph.values.any? do |item|
-          item.dependencies.key?(Dependency.name(dependency))
+            if item.dependencies.key?(name)
+              return true
+            end
+          end
+
+          false
         end
-      end
-      alias_method :has_dependency?, :dependency?
+        alias_method :has_dependency?, :dependency?
 
-      # Add each a new {GraphItem} to the graph.
-      #
-      # @param [#to_s] name
-      #   the name of the cookbook
-      # @param [#to_s] version
-      #   the version of the lock
-      #
-      # @return [GraphItem]
-      def add(name, version)
-        @graph[name.to_s] = GraphItem.new(name, version)
-      end
+        # Add each a new {GraphItem} to the graph.
+        #
+        # @param [#to_s] name
+        #   the name of the cookbook
+        # @param [#to_s] version
+        #   the version of the lock
+        #
+        # @return [GraphItem]
+        def add(name, version)
+          @graph[name.to_s] = GraphItem.new(name, version)
+        end
 
-      # Recursively remove any dependencies from the graph unless they exist as
-      # top-level dependencies or nested dependencies.
-      #
-      # @param [Dependency, String] dependency
-      #   the name/dependency to remove
-      def remove(dependency)
-        name = Dependency.name(dependency)
+        # Recursively remove any dependencies from the graph unless they exist as
+        # top-level dependencies or nested dependencies.
+        #
+        # @param [Dependency, String] dependency
+        #   the name/dependency to remove
+        #
+        # @option options [String, Array<String>] :ignore
+        #   the list of dependencies to ignore
+        def remove(dependency, options = {})
+          name = Dependency.name(dependency)
 
-        return if @lockfile.dependency?(name) || dependency?(name)
+          if @lockfile.dependency?(name)
+            return
+          end
 
-        # Grab the nested dependencies for this particular entry so we can
-        # recurse and try to remove them from the graph.
-        locked = @graph[name]
-        nested_dependencies = locked && locked.dependencies.keys || []
+          if dependency?(name, options)
+            return
+          end
 
-        # Now delete the entry
-        @graph.delete(name)
+          # Grab the nested dependencies for this particular entry so we can
+          # recurse and try to remove them from the graph.
+          locked = @graph[name]
+          nested_dependencies = locked && locked.dependencies.keys || []
 
-        # Recursively try to delete the remaining dependencies for this item
-        nested_dependencies.each(&method(:remove))
-      end
+          # Now delete the entry
+          @graph.delete(name)
 
-      # Update the graph with the given cookbooks. This method destroys the
-      # existing dependency graph with this new result!
-      #
-      # @param [Array<CachedCookbook>]
-      #   the list of cookbooks to populate the graph with
-      def update(cookbooks)
-        @graph = {}
-
-        cookbooks.each do |cookbook|
-          @graph[cookbook.cookbook_name.to_s] = GraphItem.new(
-            cookbook.name,
-            cookbook.version,
-            cookbook.dependencies,
-          )
+          # Recursively try to delete the remaining dependencies for this item
+          nested_dependencies.each(&method(:remove))
         end
-      end
 
-      # Write the contents of the graph to the lockfile format.
-      #
-      # The resulting format looks like:
-      #
-      #     GRAPH
-      #       apache2 (1.8.14)
-      #       yum-epel (0.2.0)
-      #         yum (~> 3.0)
-      #
-      # @example lockfile.graph.to_lock #=> "GRAPH\n  apache2 (1.18.14)\n..."
-      #
-      # @return [String]
-      #
-      def to_lock
-        out = "#{Lockfile::GRAPH}\n"
-        @graph.sort.each do |name, item|
-          out << "  #{name} (#{item.version})\n"
-
-          unless item.dependencies.empty?
-            item.dependencies.sort.each do |name, constraint|
-              out << "    #{name} (#{constraint})\n"
-            end
+        # Update the graph with the given cookbooks. This method destroys the
+        # existing dependency graph with this new result!
+        #
+        # @param [Array<CachedCookbook>]
+        #   the list of cookbooks to populate the graph with
+        def update(cookbooks)
+          @graph = {}
+
+          cookbooks.each do |cookbook|
+            @graph[cookbook.cookbook_name.to_s] = GraphItem.new(
+              cookbook.name,
+              cookbook.version,
+              cookbook.dependencies,
+            )
           end
         end
 
-        out
-      end
-
-      private
-
-      # A single item inside the graph.
-      class GraphItem
-        # The name of the cookbook that corresponds to this graph item.
+        # Write the contents of the graph to the lockfile format.
         #
-        # @return [String]
-        #   the name of the cookbook
-        attr_reader :name
-
-        # The locked version for this graph item.
+        # The resulting format looks like:
+        #
+        #     GRAPH
+        #       apache2 (1.8.14)
+        #       yum-epel (0.2.0)
+        #         yum (~> 3.0)
+        #
+        # @example lockfile.graph.to_lock #=> "GRAPH\n  apache2 (1.18.14)\n..."
         #
         # @return [String]
-        #   the locked version of the graph item (as a string)
-        attr_reader :version
-
-        # The list of dependencies and their constraints.
         #
-        # @return [Hash<String, String>]
-        #   the list of dependencies for this graph item, where the key
-        #   corresponds to the name of the dependency and the value is the
-        #   version constraint.
-        attr_reader :dependencies
-
-        # Create a new graph item.
-        def initialize(name, version, dependencies = {})
-          @name         = name.to_s
-          @version      = version.to_s
-          @dependencies = dependencies
-        end
+        def to_lock
+          out = "#{Lockfile::GRAPH}\n"
+          @graph.sort.each do |name, item|
+            out << "  #{name} (#{item.version})\n"
+
+            unless item.dependencies.empty?
+              item.dependencies.sort.each do |name, constraint|
+                out << "    #{name} (#{constraint})\n"
+              end
+            end
+          end
 
-        # Add a new dependency to the list.
-        #
-        # @param [#to_s] name
-        #   the name to use
-        # @param [#to_s] constraint
-        #   the version constraint to use
-        def add_dependency(name, constraint)
-          @dependencies[name.to_s] = constraint.to_s
+          out
         end
+
+        private
+
+          # A single item inside the graph.
+          class GraphItem
+            # The name of the cookbook that corresponds to this graph item.
+            #
+            # @return [String]
+            #   the name of the cookbook
+            attr_reader :name
+
+            # The locked version for this graph item.
+            #
+            # @return [String]
+            #   the locked version of the graph item (as a string)
+            attr_reader :version
+
+            # The list of dependencies and their constraints.
+            #
+            # @return [Hash<String, String>]
+            #   the list of dependencies for this graph item, where the key
+            #   corresponds to the name of the dependency and the value is the
+            #   version constraint.
+            attr_reader :dependencies
+
+            # Create a new graph item.
+            def initialize(name, version, dependencies = {})
+              @name         = name.to_s
+              @version      = version.to_s
+              @dependencies = dependencies
+            end
+
+            # Add a new dependency to the list.
+            #
+            # @param [#to_s] name
+            #   the name to use
+            # @param [#to_s] constraint
+            #   the version constraint to use
+            def add_dependency(name, constraint)
+              @dependencies[name.to_s] = constraint.to_s
+            end
+          end
       end
-    end
   end
 end