chef-attribute-validator 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    OGU5Y2Y2ZGFjYWIwNjBjMGVhODFiMTMxYWY0NzY1NzcyMWJlMjk0ZQ==
+  data.tar.gz: !binary |-
+    M2RmYmFjNTFlYTRjZGIyMTY4YTUwNjZmNmIwYTlhNTZkNzI3YTJlOQ==
+SHA512:
+  metadata.gz: !binary |-
+    NzM4NjBlNmY1MzdhNTBhNDAyNTc1YmVhMTdlMjExMTdkN2ZlZGNmMGIzZWJm
+    YmE0NmJkZjhhYzliOTY2ZTI3YzE1OTgyMWQ1NzA3N2NjYzYyNTdiNmRmYTZk
+    NDYwZmMzOGM5OWViNWVmYzJkNTZlMDM5MjZmZTE2MzQxYWExMTg=
+  data.tar.gz: !binary |-
+    ZWQ4NjdiM2Y3Nzk5NGU1NGZlMDdlODBhMTg5ZDAwOWJiMGE2ZTBhMjQ4MGUy
+    YzA1MGJjNzZiMDlhYzdiZTQ5MTljODRkMjNmMGFmZWE3ZDZlYWJhZjQ0NWQ5
+    YTc3ZTcyZTY0YTVkYzQ2Zjk4OWIzZjQwYmRmYjk3NWU2NjU5MDk=

data/.gitignore

@@ -0,0 +1,20 @@
+*~
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+Gemfile.lock
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/CHANGES

@@ -0,0 +1,4 @@
+2013-11-10 Clinton Wolfe 0.1.0
+   Initial release
+     Type, Regex, Min/Max Children, Required, and LooksLike checks
+     No wildcards in paths yet, planned for 0.2.0

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2013, Clinton Wolfe
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this
+  list of conditions and the following disclaimer in the documentation and/or
+  other materials provided with the distribution.
+
+* Neither the name of 'chef-attribute-validator' nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,109 @@
+# Chef::Attribute::Validator
+
+Define, enforce, and handle violations of validation rules for Chef node
+attributes.  The rule definitions are themselves node attributes.  This 
+gem provides the validation engine, and can be used outside of a 
+convergence run; a cookbook (attribute-validator) is planned to perform
+validation during a chef run, at compile or converge time.
+
+## Usage
+
+### Define Rules
+
+Define rules by creating attributes that specify checks to make on node 
+attributes that match a given path.  By default the library looks for rules
+under node['attribute-validator']['rules'], but you can override that.
+
+See Defining Validation Rules.
+
+### From Within a Chef Recipe
+
+To scan for violations of all rules, do:
+
+     require 'chef-attribute-validator'
+     violations = Chef::Attribute::Validator.new(node).validate_all
+
+You can also apply one rule, or rules that match a regex:
+
+     violations = Chef::Attribute::Validator.new(node).validate_rule('rulename')
+     violations = Chef::Attribute::Validator.new(node).validate_matching(/matchme/)
+
+The return value from each is an array, possibly empty.  Each array element is a simple object, with accessors:
+
+     rule_name (string)
+     path (in slash format, see REFERENCING ATTRIBUTES)
+     message
+
+A single rule may have many violations.
+
+## Defining Validation Rules
+
+To define validation rules, create attributes under 
+
+     default['attribute-validator']['rules'][<rulename>]...
+
+Each rule gets a unique name.  Each entry is hash structure with the following keys:
+
+     path - Required.  Slash formatted path of the attributes to check.  
+     enabled - Optional boolean, default true.  Set to false to knock out rule.
+
+The remaining entries describe criteria to enforce on the value of the attribute(s) 
+referenced by 'path'.  You may list zero or more.
+
+     type - Checks type of value.  One of 'string', 'number', 'boolean', 'hash', 'array'.
+     min_children - Integer.  Fails for all but Hash and Array.  For Hash and Array, minimum number of elements to be considered valid.
+     max_children - Integer.  Fails for all but Hash and Array.  For Hash and Array, maximum number of elements to be considered valid.
+     regex - Regexp.  Applies given regex to the value.  Ignored for Hash and Array.  See looks_like for a selection of canned regexen.
+     required - Boolean.  If true, fails if the path matches zero attributes, or the value is nil, or the value is the empty string, or if the value is an empty array or empty hash.  No-op if false (use present => false to enforce absence).
+     looks_like - String, one of 'url', 'ip'. Applies canned regexes (or more sophisticated matchers).
+
+## Referencing Attributes
+
+Attribute locations are described using a syntax similar to shell globs.
+
+Given:
+
+     /foo       - Matches node['foo']
+     /foo/bar   - Matches node['foo']['bar']
+
+## Bugs, Limitations and Roadmap
+
+#### Wildcard syntax not yet supported
+
+I'd like to have at least this:
+
+     /foo/* - Matches node['foo']['bar'], but not node['foo'] or node['foo']['bar']['baz']
+     /foo/c* - Matches node['foo']['car'], but not node['foo']['bar']
+     /foo/?ar - Matches node['foo']['bar'] and node['foo']['bar'] but not node['foo']['bleh']
+
+Possibly eventually support for **, [<charclass>], or {<alternatives>}.
+
+#### Companion cookbook
+
+Simple cookbook named 'attribute-validator' that loads the gem and provides recipes for compile-time and convergence-time violation checking.
+
+### Lame Exceptions
+
+No real exception class, just raising a bare string exception, which could certainly be improved upon.
+
+### Planned checks:
+
+   looks_like/hostname
+   looks_like/email
+   name_regex - Regexp.  Applies given regex to the last element in the attribute path ('basename', if you will)   
+   present - Boolean.  If true, fails if the path matches zero attributes.  If false, fails if the path matches nonzero attributes.  Does not consider nilness, only existence of attribute key(s).  See also required.
+
+#### Probably Slow
+
+
+## Author
+
+Clinton Wolfe
+
+## Contributing
+
+1. Fork it (https://github.com/clintoncwolfe/chef-attribute-validator)
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request at (https://github.com/clintoncwolfe/chef-attribute-validator)

data/Rakefile

@@ -0,0 +1,27 @@
+# -*-ruby-*-
+
+require 'rake'
+#require 'rspec/core/rake_task'
+require "bundler/gem_tasks"
+
+desc "Runs all development tests"
+task :test
+
+
+task :test => [:syntax]
+desc "Checks ruby files for syntax errors"
+task :syntax do |t|
+  Dir.glob('**/*.rb').each do |f|
+    system("/bin/echo -n '#{f}:  '; ruby -c #{f}")
+  end
+end
+
+task :test => [:unit]
+desc "Runs unit tests"
+#RSpec::Core::RakeTask.new(:unit) do |t|
+#  t.pattern = 'test/unit/**/*_spec.rb'
+#  t.rspec_opts = "-fd"
+#end
+
+
+

data/chef-attribute-validator.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8    # -*-ruby-*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'chef-attribute-validator/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "chef-attribute-validator"
+  spec.version       = Chef::Attribute::Validator::VERSION
+  spec.authors       = ["Clinton Wolfe"]
+  spec.email         = ["clinton@omniti.com"]
+  spec.description   = %q{Define, enforce, and handle violations of validation rules for Chef node attributes.  This gem provides the validation engine, and can be used outside of a convergence run; a cookbook (attribute-validator) is availabel to perform validation during a chef run, at compile or converge time.}
+  spec.summary       = %q{A Rubygem implementing a rule engine for validating Chef node attributes.}
+  spec.homepage      = "https://github.com/clintoncwolfe/chef-attribute-validator"
+  spec.license       = "BSD (3-clause)"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+
+  spec.add_runtime_dependency "chef", "~> 11.6.0"  # TODO: test with older chefs
+end

data/lib/chef-attribute-validator.rb

@@ -0,0 +1,52 @@
+require "chef-attribute-validator/version"
+require "chef-attribute-validator/violation"
+require "chef-attribute-validator/rule"
+require "chef-attribute-validator/attribute_set"
+
+class Chef
+  class Attribute
+    class Validator
+      
+      attr_accessor :node
+      attr_accessor :rules
+
+      def initialize(a_node)
+        @node = a_node
+        populate_rules
+      end
+
+      def validate_all
+        violations = []
+        rules.each do |rulename, rule|
+          violations += rule.apply(node)
+        end
+        violations
+      end
+
+      def validate_rule(rulename)
+        unless rules.has_key?(rulename)
+          raise "No such attribute validation rule named '#{rulename}' - have rules: #{rules.keys.sort.join(',')}"
+        end
+        rules[rulename].apply(node)
+      end
+      
+      def validate_matching(rule_regex)
+        violations = []
+        rules.select { |rn,r| rule_regex.match(rn) }.each do |rulename, rule|
+          violations += rule.apply(node)
+        end
+        violations    
+      end
+
+      private
+
+      def populate_rules
+        @rules = {}
+        node['attribute-validator']['rules'].each do |rulename, ruledef|
+          rules[rulename] = Chef::Attribute::Validator::Rule.new(rulename, ruledef)
+        end
+      end
+
+    end
+  end
+end

data/lib/chef-attribute-validator/attribute_set.rb

@@ -0,0 +1,90 @@
+
+require 'forwardable'
+
+class Chef
+  class Attribute
+    class Validator
+
+      class AttributeSet
+        attr_accessor :guts
+        attr_accessor :path
+        attr_accessor :node
+
+        extend Forwardable
+
+        def_delegators :@guts, :size, :each, :empty?, :has_key?, :[], :keys, :select, :reject
+
+        def initialize(a_node, a_path)
+          @guts = {}
+          @path = a_path
+          @node = a_node
+
+          embowel
+        end
+
+        private
+
+        def embowel
+          # Split on /
+          steps = path.split('/')
+
+          # Since we begin with /, the first element is ""
+          if steps[0] == "" then steps.shift end
+
+          # Promote integer strings to integers
+          steps.map! { |s| s.match(/^\d+$/) ? s.to_i : s }
+          
+          # TODO: some ckine of wildcard expansion
+          all_steps = [ steps ]
+
+          all_steps.each do |these_steps|
+            if path_exists_by_steps?(these_steps) then
+              guts['/' + these_steps.join('/')] = fetch_val_by_steps(these_steps)
+            end
+          end
+        end
+
+        def path_exists_by_steps? (the_steps)
+          nv = node
+          steps = the_steps.dup
+          while steps.size > 0 
+            step = steps.shift
+
+            # binding.pry
+            if nv.kind_of?(Chef::Node::ImmutableArray) then
+              # TODO: what if the step isn't an int?
+
+              if nv.size > step then
+                nv = nv[step]
+              else
+                # Array not long enough
+                return false
+              end
+
+            elsif nv.respond_to?(:has_key?) then
+              if nv.has_key?(step) then
+                nv = nv[step]
+              else
+                # No such key
+                return false
+              end
+            else
+              # Must be a scalar?
+              return false
+            end
+          end
+          return true      
+        end
+
+        def fetch_val_by_steps(the_steps)
+          nv = node
+          steps = the_steps.dup
+          while steps.size > 0 
+            nv = nv[steps.shift]
+          end
+          nv
+        end
+      end
+    end
+  end
+end

data/lib/chef-attribute-validator/check.rb

@@ -0,0 +1,56 @@
+class Chef
+  class Attribute
+    class Validator
+      class Check
+        attr_accessor :path_spec
+        attr_accessor :check_arg
+        attr_accessor :rule_name
+
+        def initialize(a_rule, a_check_arg)
+          @path_spec = a_rule.path
+          @rule_name = a_rule.name
+          @check_arg = a_check_arg
+        end
+
+        def self.make(check_name, a_rule, a_check_arg)
+          unless @@check_classes.has_key?(check_name)
+            raise "Unrecognized option or check type '#{check_name}' for attribute validation rule '#{a_rule.name}'"
+          end
+          checker = @@check_classes[check_name].new(a_rule, a_check_arg)
+          checker.validate_check_arg
+          checker
+        end
+
+        def self.list_check_types
+          @@check_classes.keys
+        end
+
+        protected
+
+        def self.register_check (check_name, klass)
+          @@check_classes ||= {}
+          @@check_classes[check_name] = klass
+        end
+
+        def val_scalar?(val)
+          [
+           Float,
+           Integer,
+           NilClass,
+           TrueClass,
+           FalseClass,
+           String,
+          ].any? { |k| val.kind_of?(k) }
+        end
+        
+
+
+
+      end
+    end
+  end
+end
+
+Dir.glob(File.join(File.dirname(__FILE__), 'checks', '*.rb')).each do |check_implementation|
+  require check_implementation
+end

data/lib/chef-attribute-validator/checks/looks_like.rb

@@ -0,0 +1,52 @@
+
+require 'ipaddr'
+require 'uri'
+
+class Chef
+  class Attribute
+    class Validator
+      class Check
+        class LooksLike < Check
+
+          register_check('looks_like', LooksLike)
+
+          def validate_check_arg
+            expected = [
+                        'ip',
+                        'url',
+                       ]
+       
+            unless expected.include?(check_arg)
+              raise "Bad 'looks_like' check argument '#{check_arg}' for rule '#{rule_name}' - expected one of #{expected.join(',')}"
+            end
+          end
+          
+          def check(attrset)
+            violations = []
+            attrset.each do |path, value|
+              if val_scalar?(value) then
+                next if value.nil?
+                case check_arg
+                when 'ip'
+                  begin
+                    IPAddr.new(value)
+                  rescue
+                    violations.push Chef::Attribute::Validator::Violation.new(rule_name, path, "Value '#{value}' does not look like an IP address")
+                  end
+                when 'url'
+                  begin
+                    URI(value)
+                  rescue
+                    violations.push Chef::Attribute::Validator::Violation.new(rule_name, path, "Value '#{value}' does not look like a URL")
+                  end
+                end
+              end
+            end
+            violations
+          end
+
+        end
+      end
+    end
+  end
+end