chef-rundeck2 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +8 -0
- data/.gitlab-ci.yml +38 -0
- data/.rubocop.yml +12 -0
- data/Gemfile +15 -0
- data/Gemfile.lock +76 -0
- data/LICENSE.txt +21 -0
- data/README.md +98 -0
- data/Rakefile +6 -0
- data/bin/console +17 -0
- data/bin/setup +8 -0
- data/chef-rundeck2.gemspec +44 -0
- data/config/auth.json +13 -0
- data/config/config.json +13 -0
- data/config/projects.json +17 -0
- data/config/state.json +22 -0
- data/exe/chef-rundeck2 +14 -0
- data/lib/chef-rundeck/api.rb +215 -0
- data/lib/chef-rundeck/auth.rb +78 -0
- data/lib/chef-rundeck/chef.rb +193 -0
- data/lib/chef-rundeck/cli.rb +132 -0
- data/lib/chef-rundeck/config.rb +100 -0
- data/lib/chef-rundeck/helpers/configuration.rb +57 -0
- data/lib/chef-rundeck/state.rb +86 -0
- data/lib/chef-rundeck/util.rb +64 -0
- data/lib/chef-rundeck/version.rb +3 -0
- data/lib/chef-rundeck.rb +17 -0
- metadata +198 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 3c1fecc0b9fa95eab60678b1b443f7f68e691e92
|
4
|
+
data.tar.gz: e65a72f264c89b841d3fdc6bd6187e7cdd24a2a4
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: d6c81435eee9815fbdf0714a1bb4366e973fbca1a11590d1531e8422daefa41eef2dcf6be1dd72bb2c55d9f213bcde4f2abed4387f182411e8dfecbdd9a0e25d
|
7
|
+
data.tar.gz: 4c277cb0fb6b603d026d137d12780eafe033d001a51659d4946394efb3870ce2d84f647801f77c1fcb2bdc678577b52745e70a3c1b450b6fcfe15f8af9c5a237
|
data/.gitignore
ADDED
data/.gitlab-ci.yml
ADDED
@@ -0,0 +1,38 @@
|
|
1
|
+
before_script:
|
2
|
+
- ruby -v
|
3
|
+
- which ruby
|
4
|
+
- gem install bundler --no-ri --no-rdoc
|
5
|
+
- bundle install --jobs $(nproc) --path vendor/bundle
|
6
|
+
|
7
|
+
test:Ruby 2.2:
|
8
|
+
image: ruby:2.2
|
9
|
+
cache:
|
10
|
+
group: ruby_2.2
|
11
|
+
paths:
|
12
|
+
- .bundle
|
13
|
+
- vendor/bundle
|
14
|
+
script:
|
15
|
+
- bundle exec rubocop
|
16
|
+
tags:
|
17
|
+
- ruby
|
18
|
+
except:
|
19
|
+
- tags
|
20
|
+
|
21
|
+
release:Ruby 2.2:
|
22
|
+
image: ruby:2.2
|
23
|
+
cache:
|
24
|
+
group: ruby_2.2
|
25
|
+
paths:
|
26
|
+
- .bundle
|
27
|
+
- vendor/bundle
|
28
|
+
script:
|
29
|
+
- bundle exec rubocop
|
30
|
+
- bundle exec rake build
|
31
|
+
artifacts:
|
32
|
+
name: "chef-rundeck2-$CI_BUILD_REF_NAME"
|
33
|
+
paths:
|
34
|
+
- pkg/*.gem
|
35
|
+
tags:
|
36
|
+
- ruby
|
37
|
+
only:
|
38
|
+
- tags
|
data/.rubocop.yml
ADDED
data/Gemfile
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
source 'https://rubygems.org'
|
2
|
+
|
3
|
+
gem 'chef-api' # => Chef API Interaction
|
4
|
+
# => gem 'hashie' # => Data Structure
|
5
|
+
# => gem 'logify' # => Logging
|
6
|
+
gem 'mixlib-cli' # => Option Parsing
|
7
|
+
gem 'rack-cache' # => Cache Responses
|
8
|
+
gem 'sinatra' # => Web Server
|
9
|
+
gem 'sinatra-contrib' # => For namespaces
|
10
|
+
|
11
|
+
group :development do
|
12
|
+
gem 'rake'
|
13
|
+
gem 'rspec'
|
14
|
+
gem 'rubocop'
|
15
|
+
end
|
data/Gemfile.lock
ADDED
@@ -0,0 +1,76 @@
|
|
1
|
+
GEM
|
2
|
+
remote: https://rubygems.org/
|
3
|
+
specs:
|
4
|
+
ast (2.3.0)
|
5
|
+
backports (3.6.8)
|
6
|
+
chef-api (0.6.0)
|
7
|
+
logify (~> 0.1)
|
8
|
+
mime-types
|
9
|
+
diff-lcs (1.2.5)
|
10
|
+
logify (0.2.0)
|
11
|
+
mime-types (3.1)
|
12
|
+
mime-types-data (~> 3.2015)
|
13
|
+
mime-types-data (3.2016.0521)
|
14
|
+
mixlib-cli (1.6.0)
|
15
|
+
multi_json (1.12.1)
|
16
|
+
parser (2.3.1.2)
|
17
|
+
ast (~> 2.2)
|
18
|
+
powerpack (0.1.1)
|
19
|
+
rack (1.6.4)
|
20
|
+
rack-cache (1.6.1)
|
21
|
+
rack (>= 0.4)
|
22
|
+
rack-protection (1.5.3)
|
23
|
+
rack
|
24
|
+
rack-test (0.6.3)
|
25
|
+
rack (>= 1.0)
|
26
|
+
rainbow (2.1.0)
|
27
|
+
rake (11.1.2)
|
28
|
+
rspec (3.4.0)
|
29
|
+
rspec-core (~> 3.4.0)
|
30
|
+
rspec-expectations (~> 3.4.0)
|
31
|
+
rspec-mocks (~> 3.4.0)
|
32
|
+
rspec-core (3.4.4)
|
33
|
+
rspec-support (~> 3.4.0)
|
34
|
+
rspec-expectations (3.4.0)
|
35
|
+
diff-lcs (>= 1.2.0, < 2.0)
|
36
|
+
rspec-support (~> 3.4.0)
|
37
|
+
rspec-mocks (3.4.1)
|
38
|
+
diff-lcs (>= 1.2.0, < 2.0)
|
39
|
+
rspec-support (~> 3.4.0)
|
40
|
+
rspec-support (3.4.1)
|
41
|
+
rubocop (0.40.0)
|
42
|
+
parser (>= 2.3.1.0, < 3.0)
|
43
|
+
powerpack (~> 0.1)
|
44
|
+
rainbow (>= 1.99.1, < 3.0)
|
45
|
+
ruby-progressbar (~> 1.7)
|
46
|
+
unicode-display_width (~> 1.0, >= 1.0.1)
|
47
|
+
ruby-progressbar (1.8.1)
|
48
|
+
sinatra (1.4.7)
|
49
|
+
rack (~> 1.5)
|
50
|
+
rack-protection (~> 1.4)
|
51
|
+
tilt (>= 1.3, < 3)
|
52
|
+
sinatra-contrib (1.4.7)
|
53
|
+
backports (>= 2.0)
|
54
|
+
multi_json
|
55
|
+
rack-protection
|
56
|
+
rack-test
|
57
|
+
sinatra (~> 1.4.0)
|
58
|
+
tilt (>= 1.3, < 3)
|
59
|
+
tilt (2.0.4)
|
60
|
+
unicode-display_width (1.0.5)
|
61
|
+
|
62
|
+
PLATFORMS
|
63
|
+
ruby
|
64
|
+
|
65
|
+
DEPENDENCIES
|
66
|
+
chef-api
|
67
|
+
mixlib-cli
|
68
|
+
rack-cache
|
69
|
+
rake
|
70
|
+
rspec
|
71
|
+
rubocop
|
72
|
+
sinatra
|
73
|
+
sinatra-contrib
|
74
|
+
|
75
|
+
BUNDLED WITH
|
76
|
+
1.12.5
|
data/LICENSE.txt
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
|
3
|
+
Copyright (c) 2016 Brian Dwyer - Intelligent Digital Services
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,98 @@
|
|
1
|
+
# Chef-RunDeck
|
2
|
+
|
3
|
+
Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/chef-rundeck`. To experiment with that code, run `bin/console` for an interactive prompt.
|
4
|
+
|
5
|
+
TODO: Delete this and the text above, and describe your gem
|
6
|
+
|
7
|
+
## Background
|
8
|
+
This project started out to act as a proxy for administrative Chef Server interactions, namely client/node deletion.
|
9
|
+
|
10
|
+
If you are familiar with Chef & Terraform, you are likely aware that Terraform currently does not remove the client/node pair from the Chef server upon destruction. Additionally, you are likely aware that deletion of client/node objects requires elevated privileges on the Chef server; privileges that the validation client does not provide.
|
11
|
+
To work around this, one might use `knife` configured with administrative client. When combined with RunDeck, the security outlook does not look good as one might easily run a `cat` on the PEM file from the Command interface, allowing them to view the credential. Unless otherwise orchestrated, any/all local commands will run under the context of the RunDeck user, likely the same user with ownership of said PEM file, so using `knife` under the RunDeck context is inherently insecure if the RunDeck is used for other things and/or the Command interface is exposed.
|
12
|
+
|
13
|
+
The idea here is to run this Gem under a different user's context, proxying administrative commands via simple GET/POST requests. The administrative PEM is then owned by a seperate user, preventing one from easily accessing it. Additionally, a simple `state` endpoint can be used to maintain an audit trail of who created what node, and allow said user to then delete the node. Deletion is limited to only member nodes of the `state`, and only by the original creator, unless the user is an administrator. The security here is rather primitive, as the user is passed in as a query parameter, but better than nothing. I had the idea of combining this with a sort of API key unique to the user, but have yet to implement it. The limitation of only deleting nodes belonging to the current `state` is the current stop gap. Also, this means if you have existing nodes, you'll likely want to populate your `state` file with them. A sample state object is available at `config/state.json`.
|
14
|
+
|
15
|
+
**NOTE:** This API should **NOT** be exposed to the world unless you plan to secure it with a reverse-proxy or something. It is intended to only be bound to `localhost` on the same server as RunDeck.
|
16
|
+
|
17
|
+
## RunDeck Options Provider
|
18
|
+
This gem also serves as a RunDeck options provider, delivering node search results in the RunDeck `RESOURCE-JSON` format.
|
19
|
+
* This project **ONLY** uses partial search. You can add additional values to the search filter with the `extras` param (comma-separated) or inside project-specific config (Array).
|
20
|
+
* The search/return is customizable, either by passing query parameters, or by creating project-specific configuration and hitting the project endpoint.
|
21
|
+
* Query parameters will overrule project-specific configuration.
|
22
|
+
* You don't have to pass in a user, granting the ability to set that sort of configuration in the RunDeck project configuration.
|
23
|
+
|
24
|
+
## State Functions
|
25
|
+
* Display the State - GET - http://localhost:9125/chef/v1/state
|
26
|
+
* List the Node's for a User - GET - http://localhost:9125/chef/v1/list/${USERNAME}
|
27
|
+
* Add a node to the State - POST - http://localhost:9125/chef/v1/add/${NODENAME}/${USERNAME} - type=${TYPE} can be specified as query_param in URL or POST Body
|
28
|
+
** Subsequent calls to this endpoint for an existing node will add to the audit trail of the node in it's `Last_Modified:` field. Type cannot be edited after inception.
|
29
|
+
* Delete a node from the State and Chef Server - POST - http://localhost:9125/chef/v1/delete/${NODENAME} - auth_user=${USERNAME} as query_param in URL or POST Body
|
30
|
+
|
31
|
+
|
32
|
+
## Other API Functions
|
33
|
+
### Node Search - Return the Node Object in JSON Format
|
34
|
+
* Exact Case Match - `http://localhost:9125/chef/v1/node/BD-MBPro.local`
|
35
|
+
* Case-Insensitive Match - `http://localhost:9125/chef/v1/node/Bd-MbPrO.lOcAl?regex=1`
|
36
|
+
|
37
|
+
## Node List - JSON Array of all Node Object Name's on the Chef Server (No Search Parameters)
|
38
|
+
* `http://localhost:9125/chef/v1/list`
|
39
|
+
|
40
|
+
## Configuration
|
41
|
+
This project can use a JSON configuration file to seed configuration parameters. Most configuration can also be passed in via the CLI, except Project definitions.
|
42
|
+
* You can (and should) opt to use regular credentials for Unprivileged Chef API calls. This does not have to be a validation client; a regular client can suffice. This is passed in via `chef-api-client-name` & `chef-api-client-key`
|
43
|
+
* Priviledged Chef Server credentials can be passed in via `chef-api-admin-name` and `chef-api-admin-key`. Be sure to keep the permissions tight on the PEM file.
|
44
|
+
|
45
|
+
|
46
|
+
## Running as a Service
|
47
|
+
You'll likely want to run this as a service, `SystemD` or `Upstart` will likely be your friend in this regard.
|
48
|
+
|
49
|
+
## Security
|
50
|
+
You should lock down permissions on all configuration files in this project to only the user which this runs as...
|
51
|
+
|
52
|
+
To run this project securely, **DON'T** run it as the RunDeck user.
|
53
|
+
|
54
|
+
## Caching
|
55
|
+
This leans on `rack-cache` to serve as a caching mechanism. The objective here was to make sure we don't pummel the Chef API with redundant queries.
|
56
|
+
* Timeout can be configured via the `cache_timeout` setting. **Default:** *30 seconds*
|
57
|
+
|
58
|
+
## Credits
|
59
|
+
This Gem leans heavily on Seth Vargo's `ChefAPI` gem. I also took many ideas from his Gem to build this one, as I've never written anything like this before. Thank you, Seth, for both the `ChefAPI` gem and for your consistent high quality contributions to the DevOps community.
|
60
|
+
|
61
|
+
Also, thank you to Adam Jacob for initially developing the `chef-rundeck` gem which served as a baseline for building the Options Provider portion of this one. Thanks for Chef, you've greatly reduce the amount of chaos in my work life!
|
62
|
+
|
63
|
+
|
64
|
+
## Installation
|
65
|
+
|
66
|
+
Add this line to your application's Gemfile:
|
67
|
+
|
68
|
+
```ruby
|
69
|
+
gem 'chef-rundeck2'
|
70
|
+
```
|
71
|
+
|
72
|
+
And then execute:
|
73
|
+
|
74
|
+
$ bundle
|
75
|
+
|
76
|
+
Or install it yourself as:
|
77
|
+
|
78
|
+
$ gem install chef-rundeck2
|
79
|
+
|
80
|
+
## Usage
|
81
|
+
|
82
|
+
TODO: Write usage instructions here
|
83
|
+
|
84
|
+
## Development
|
85
|
+
|
86
|
+
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
87
|
+
|
88
|
+
To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
89
|
+
|
90
|
+
## Contributing
|
91
|
+
|
92
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/bdwyertech/chef-rundeck. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
93
|
+
|
94
|
+
|
95
|
+
## License
|
96
|
+
|
97
|
+
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
|
98
|
+
|
data/Rakefile
ADDED
data/bin/console
ADDED
@@ -0,0 +1,17 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
lib = File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib'))
|
4
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
5
|
+
|
6
|
+
require 'bundler/setup'
|
7
|
+
require 'chef-rundeck'
|
8
|
+
|
9
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
10
|
+
# with your gem easier. You can also use a different console, if you like.
|
11
|
+
|
12
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
13
|
+
# require "pry"
|
14
|
+
# Pry.start
|
15
|
+
|
16
|
+
require 'irb'
|
17
|
+
IRB.start
|
data/bin/setup
ADDED
@@ -0,0 +1,44 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
# rubocop: disable LineLength
|
3
|
+
|
4
|
+
lib = File.expand_path('../lib', __FILE__)
|
5
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
6
|
+
require 'chef-rundeck/version'
|
7
|
+
|
8
|
+
Gem::Specification.new do |spec|
|
9
|
+
spec.name = 'chef-rundeck2'
|
10
|
+
spec.version = ChefRunDeck::VERSION
|
11
|
+
spec.authors = ['Brian Dwyer']
|
12
|
+
spec.email = ['bdwyer@IEEE.org']
|
13
|
+
|
14
|
+
spec.summary = %q(Chef Options Provider for RunDeck with Extras)
|
15
|
+
# => spec.description = %q(TODO: Write a longer description or delete this line.)
|
16
|
+
spec.homepage = 'https://github.com/bdwyertech/chef-rundeck2'
|
17
|
+
spec.license = 'MIT'
|
18
|
+
|
19
|
+
# Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
|
20
|
+
# to allow pushing to a single host or delete this section to allow pushing to any host.
|
21
|
+
if spec.respond_to?(:metadata)
|
22
|
+
spec.metadata['allowed_push_host'] = 'https://rubygems.org'
|
23
|
+
else
|
24
|
+
raise 'RubyGems 2.0 or newer is required to protect against public gem pushes.'
|
25
|
+
end
|
26
|
+
|
27
|
+
spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
|
28
|
+
spec.bindir = 'exe'
|
29
|
+
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
|
30
|
+
spec.require_paths = ['lib']
|
31
|
+
|
32
|
+
# => Dependencies
|
33
|
+
spec.add_runtime_dependency 'chef-api', '~> 0.6'
|
34
|
+
spec.add_runtime_dependency 'mixlib-cli', '~> 1.6'
|
35
|
+
spec.add_runtime_dependency 'rack-cache', '~> 1.6'
|
36
|
+
spec.add_runtime_dependency 'sinatra', '~> 1.4'
|
37
|
+
spec.add_runtime_dependency 'sinatra-contrib', '~> 1.4'
|
38
|
+
|
39
|
+
# => Development Dependencies
|
40
|
+
spec.add_development_dependency 'bundler', '~> 1.12'
|
41
|
+
spec.add_development_dependency 'rake', '~> 10.0'
|
42
|
+
spec.add_development_dependency 'rspec', '~> 3.0'
|
43
|
+
spec.add_development_dependency 'rubocop'
|
44
|
+
end
|
data/config/auth.json
ADDED
data/config/config.json
ADDED
@@ -0,0 +1,13 @@
|
|
1
|
+
{
|
2
|
+
"cache_timeout": 30,
|
3
|
+
"auth_file": "/tmp/auth.json",
|
4
|
+
"state_file": "/tmp/state.json",
|
5
|
+
"host": "localhost",
|
6
|
+
"port": 9125,
|
7
|
+
"environment": "production",
|
8
|
+
"chef_api_endpoint": "https://chef.contoso.com/organizations/contoso",
|
9
|
+
"chef_api_client": "rundeck-chef-client",
|
10
|
+
"chef_api_client_key": "~/.chef/CHEF_CONTOSO/rundeck-chef-client.pem",
|
11
|
+
"chef_api_admin": "bdwyertech",
|
12
|
+
"chef_api_admin_key": "~/.chef/CHEF_CONTOSO/bdwyer.pem"
|
13
|
+
}
|
data/config/state.json
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
[
|
2
|
+
{
|
3
|
+
"name": "Alpha-Bravo",
|
4
|
+
"created": "2016-05-28T12:04:54-04:00",
|
5
|
+
"creator": "bdweezy"
|
6
|
+
},
|
7
|
+
{
|
8
|
+
"name": "alpha-vagrant",
|
9
|
+
"created": "2016-05-28T12:05:45-04:00",
|
10
|
+
"creator": "vagrant"
|
11
|
+
},
|
12
|
+
{
|
13
|
+
"name": "BD-MBPro.local",
|
14
|
+
"created": "2016-05-28T12:04:16-04:00",
|
15
|
+
"creator": "bdweezy"
|
16
|
+
},
|
17
|
+
{
|
18
|
+
"name": "cloud-controller",
|
19
|
+
"created": "2016-05-28T12:05:24-04:00",
|
20
|
+
"creator": "vagrant"
|
21
|
+
}
|
22
|
+
]
|
data/exe/chef-rundeck2
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
# encoding: UTF-8
|
3
|
+
# RunDeck Provider - Chef
|
4
|
+
# Brian Dwyer - Intelligent Digital Services - 5/24/16
|
5
|
+
|
6
|
+
lib = File.expand_path(File.join(File.dirname(__FILE__), '..', 'lib'))
|
7
|
+
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
8
|
+
|
9
|
+
# => Catch Ctrl+C's to avoid stack traces
|
10
|
+
Signal.trap('INT') { abort }
|
11
|
+
|
12
|
+
require 'chef-rundeck'
|
13
|
+
|
14
|
+
ChefRunDeck::CLI.run(ARGV)
|
@@ -0,0 +1,215 @@
|
|
1
|
+
# Encoding: UTF-8
|
2
|
+
# rubocop: disable LineLength
|
3
|
+
#
|
4
|
+
# Gem Name:: chef-rundeck
|
5
|
+
# Module:: API
|
6
|
+
#
|
7
|
+
# Copyright (C) 2016 Brian Dwyer - Intelligent Digital Services
|
8
|
+
#
|
9
|
+
# All rights reserved - Do Not Redistribute
|
10
|
+
#
|
11
|
+
|
12
|
+
# => NOTE: Anything other than a STATUS 200 will trigger an error in the RunDeck plugin due to a hardcode in org.boon.HTTP
|
13
|
+
|
14
|
+
require 'sinatra/base'
|
15
|
+
require 'sinatra/namespace'
|
16
|
+
require 'json'
|
17
|
+
require 'rack/cache'
|
18
|
+
require 'chef-rundeck/auth'
|
19
|
+
require 'chef-rundeck/chef'
|
20
|
+
require 'chef-rundeck/config'
|
21
|
+
require 'chef-rundeck/state'
|
22
|
+
|
23
|
+
# => Chef Options Provider for RunDeck
|
24
|
+
module ChefRunDeck
|
25
|
+
# => HTTP API
|
26
|
+
class API < Sinatra::Base # rubocop: disable ClassLength
|
27
|
+
#######################
|
28
|
+
# => Sinatra <= #
|
29
|
+
#######################
|
30
|
+
|
31
|
+
# => Configure Sinatra
|
32
|
+
enable :logging, :static, :raise_errors # => disable :dump_errors, :show_exceptions
|
33
|
+
set :port, Config.port || 8080
|
34
|
+
set :bind, Config.bind || 'localhost'
|
35
|
+
set :environment, Config.environment || :production
|
36
|
+
|
37
|
+
# => Enable NameSpace Support
|
38
|
+
register Sinatra::Namespace
|
39
|
+
|
40
|
+
if development?
|
41
|
+
require 'sinatra/reloader'
|
42
|
+
register Sinatra::Reloader
|
43
|
+
end
|
44
|
+
|
45
|
+
use Rack::Cache do
|
46
|
+
set :verbose, true
|
47
|
+
set :metastore, 'file:' + File.join(Dir.tmpdir, 'rack', 'meta')
|
48
|
+
set :entitystore, 'file:' + File.join(Dir.tmpdir, 'rack', 'body')
|
49
|
+
end
|
50
|
+
|
51
|
+
########################
|
52
|
+
# => JSON API <= #
|
53
|
+
########################
|
54
|
+
|
55
|
+
# => Current Configuration & Healthcheck Endpoint
|
56
|
+
get '/config' do
|
57
|
+
content_type 'application/json'
|
58
|
+
JSON.pretty_generate(
|
59
|
+
[
|
60
|
+
ChefRunDeck.inspect + ' is up and running!',
|
61
|
+
'Author: ' + Config.author,
|
62
|
+
'Environment: ' + Config.environment.to_s,
|
63
|
+
'Root: ' + Config.root.to_s,
|
64
|
+
'Config File: ' + (Config.config_file if File.exist?(Config.config_file)).to_s,
|
65
|
+
'Auth File: ' + (Config.auth_file if File.exist?(Config.auth_file)).to_s,
|
66
|
+
'State File: ' + (Config.state_file if File.exist?(Config.state_file)).to_s,
|
67
|
+
{ State: State.state.map { |n| n[:name] } },
|
68
|
+
'Params: ' + params.inspect,
|
69
|
+
'Cache Timeout: ' + Config.cache_timeout.to_s,
|
70
|
+
'BRIAN IS COOooooooL',
|
71
|
+
{ AppConfig: Config.options },
|
72
|
+
{ 'Sinatra Info' => env }
|
73
|
+
].compact
|
74
|
+
)
|
75
|
+
end
|
76
|
+
|
77
|
+
get '/state' do
|
78
|
+
content_type 'application/json'
|
79
|
+
State.state.to_json
|
80
|
+
end
|
81
|
+
|
82
|
+
########################
|
83
|
+
# => JSON API <= #
|
84
|
+
########################
|
85
|
+
|
86
|
+
namespace '/chef/v1' do
|
87
|
+
# => Define our common namespace parameters
|
88
|
+
before do
|
89
|
+
# => This is a JSON API
|
90
|
+
content_type 'application/json'
|
91
|
+
# => Grab the Authentication Key if Exists
|
92
|
+
params['auth_key'] ||= env['HTTP_AUTHORIZATION']
|
93
|
+
# => Make the Params Globally Accessible
|
94
|
+
Config.define_setting :query_params, params
|
95
|
+
# => Instantiate the Default Client
|
96
|
+
Chef.api_client
|
97
|
+
# => User Authorization
|
98
|
+
Auth.parse(params['auth_user'])
|
99
|
+
end
|
100
|
+
|
101
|
+
# => Clean Up
|
102
|
+
after do
|
103
|
+
# => Reset the API Client to Default Values
|
104
|
+
Chef.reset!
|
105
|
+
# => Reset Authorization
|
106
|
+
Auth.reset!
|
107
|
+
end
|
108
|
+
|
109
|
+
get '/state' do
|
110
|
+
# => Internal Redirect to Root /state
|
111
|
+
call env.merge('PATH_INFO' => '/state')
|
112
|
+
end
|
113
|
+
|
114
|
+
# => Retrieve a List of Nodes
|
115
|
+
get '/list' do
|
116
|
+
cache_control :public, max_age: Config.cache_timeout
|
117
|
+
Chef.list.to_json
|
118
|
+
end
|
119
|
+
|
120
|
+
# => Deliver Nodes the User is Authorized to Delete
|
121
|
+
get '/list/:user' do |user|
|
122
|
+
# => User is part of this Route, not a Query-Param
|
123
|
+
Auth.parse(user)
|
124
|
+
# => Admins can see all Nodes
|
125
|
+
return State.state.map { |n| n[:name] }.to_json if Auth.admin?
|
126
|
+
# => Determine Role Admin Nodes
|
127
|
+
admin = State.state.select { |n| n[:type] && Auth.auth['roles'].any? { |r| r.to_s.casecmp(n[:type].to_s) == 0 } }.map { |n| n[:name] }
|
128
|
+
# => Find User-Created Nodes
|
129
|
+
created = State.state.select { |n| n[:creator].casecmp(user) == 0 }.map { |n| n[:name] }
|
130
|
+
# => Return the Nodes
|
131
|
+
(admin + created).uniq.to_json
|
132
|
+
end
|
133
|
+
|
134
|
+
# => Check if a Node Exists (Pass regex param for case insensitivity)
|
135
|
+
get '/node/:node' do |node|
|
136
|
+
cache_control :public, max_age: Config.cache_timeout
|
137
|
+
regex = true if params['regex'] == '1'
|
138
|
+
Chef.get_node(node, regex).to_json
|
139
|
+
end
|
140
|
+
|
141
|
+
# => View User Authorization
|
142
|
+
get '/auth' do
|
143
|
+
# => Return User Authorization
|
144
|
+
{
|
145
|
+
User: params['auth_user'],
|
146
|
+
Admin: Auth.admin?,
|
147
|
+
Authorization: Auth.auth,
|
148
|
+
Auth_Key_Match?: Auth.key?
|
149
|
+
}.to_json
|
150
|
+
end
|
151
|
+
|
152
|
+
# => View User Authorization
|
153
|
+
post '/auth' do
|
154
|
+
# => Return User Authorization
|
155
|
+
{
|
156
|
+
User: params['auth_user'],
|
157
|
+
Admin: Auth.admin?,
|
158
|
+
Authorization: Auth.auth,
|
159
|
+
Auth_Key_Match?: Auth.key?
|
160
|
+
}.to_json
|
161
|
+
# => {
|
162
|
+
# => 'Sinatra Info' => env,
|
163
|
+
# => Headers: headers
|
164
|
+
# => }.to_json
|
165
|
+
end
|
166
|
+
|
167
|
+
# => Search for Matching Nodes
|
168
|
+
get '/search' do
|
169
|
+
cache_control :public, max_age: Config.cache_timeout
|
170
|
+
Chef.search.to_json
|
171
|
+
end
|
172
|
+
|
173
|
+
# => View Project-Specific Configuration
|
174
|
+
get '/:project/config' do |project|
|
175
|
+
Chef.project_settings(project).to_json
|
176
|
+
end
|
177
|
+
|
178
|
+
# => Search for Matching Nodes (Project-Specific)
|
179
|
+
get '/:project/search' do |project|
|
180
|
+
cache_control :public, max_age: Config.cache_timeout
|
181
|
+
# => Pass the Project into the Query Parameters
|
182
|
+
Config.query_params['project'] = project
|
183
|
+
# => Search & Return
|
184
|
+
Chef.search.to_json
|
185
|
+
end
|
186
|
+
|
187
|
+
# => Add Node to the State
|
188
|
+
post '/add/:node/:user' do |node, user|
|
189
|
+
status 200
|
190
|
+
State.add_state(node, user, params).to_json
|
191
|
+
end
|
192
|
+
|
193
|
+
# => Delete Node from the Chef Server
|
194
|
+
post '/delete/:node' do |node|
|
195
|
+
unless State.state.any? { |n| n[:name] == node }
|
196
|
+
status 404
|
197
|
+
return "#{node} not found in State".to_json
|
198
|
+
end
|
199
|
+
|
200
|
+
# => Check Authorization
|
201
|
+
if Auth.admin? || Auth.creator?(node) || Auth.role_admin?(Chef.run_list(node)) # => Auth.project_admin?(node)
|
202
|
+
status 200
|
203
|
+
# => Delete the Node
|
204
|
+
Chef.delete(node)
|
205
|
+
# => Remove it from the State
|
206
|
+
State.delete_state(node)
|
207
|
+
"#{node} Successfully Deleted".to_json
|
208
|
+
else
|
209
|
+
status 401
|
210
|
+
return 'Unauthorized'.to_json
|
211
|
+
end
|
212
|
+
end
|
213
|
+
end
|
214
|
+
end
|
215
|
+
end
|