chef-server-slice 0.7.10

data/app/controllers/exceptions.rb

@@ -0,0 +1,33 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Copyright:: Copyright (c) 2008 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+class ChefServerSlice::Exceptions < ChefServerSlice::Application
+  
+  provides :html, :json
+  
+  def standard_error
+    Merb.logger.warn(request.content_type)
+    if request.accept =~ /application\/json/
+      display({ "error" => request.exceptions }) 
+    else
+      raise request.exceptions.first 
+    end
+  end
+
+end

data/app/controllers/main.rb

@@ -0,0 +1,7 @@
+class ChefServerSlice::Main < ChefServerSlice::Application
+  
+  def index
+    render
+  end
+  
+end

data/app/controllers/nodes.rb

@@ -0,0 +1,144 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Copyright:: Copyright (c) 2008 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef' / 'node'
+
+class ChefServerSlice::Nodes < ChefServerSlice::Application
+  
+  provides :html, :json
+  
+  before :fix_up_node_id
+  before :login_required
+  before :authorized_node, :only => [ :update, :destroy ]
+  
+  def index
+    @node_list = Chef::Node.list 
+    display(@node_list.collect { |n| absolute_slice_url(:node, escape_node_id(n)) })
+  end
+
+  def show
+    begin
+      @node = Chef::Node.load(params[:id])
+    rescue Net::HTTPServerException => e
+      raise NotFound, "Cannot load node #{params[:id]}"
+    end
+    # TODO - might as well expand the run list here, too, rather than take multiple round trips.
+    recipes, defaults, overrides = @node.run_list.expand("couchdb")
+    @node.default = defaults
+    @node.override = overrides
+    display @node
+  end
+
+  def new
+    @node = Chef::Node.new
+    @available_recipes = get_available_recipes 
+    @available_roles = Chef::Role.list.sort
+    @run_list = @node.run_list
+    render
+  end
+
+  def edit
+    begin
+      @node = Chef::Node.load(params[:id])
+    rescue Net::HTTPServerException => e
+      raise NotFound, "Cannot load node #{params[:id]}"
+    end
+    @available_recipes = get_available_recipes 
+    @available_roles = Chef::Role.list.sort
+    @run_list = @node.run_list
+    render
+  end
+
+  def create
+    if params.has_key?("inflated_object")
+      @node = params["inflated_object"]
+      exists = true
+      begin
+        Chef::Node.load(@node.name)
+      rescue Net::HTTPServerException
+        exists = false
+      end
+      raise Forbidden, "Node already exists" if exists
+      self.status = 201
+      @node.save
+      display({ :uri => absolute_slice_url(:node, escape_node_id(@node.name)) })
+    else
+      begin
+        @node = Chef::Node.new
+        @node.name params[:name]
+        @node.attribute = JSON.parse(params[:attributes])
+        @node.run_list params[:for_node]
+        @node.save
+        redirect(slice_url(:nodes), :message => { :notice => "Created Node #{@node.name}" })
+      rescue
+        @node.attribute = JSON.parse(params[:attributes])
+        @available_recipes = get_available_recipes 
+        @available_roles = Chef::Role.list.sort
+        @run_list = params[:for_node] 
+        @_message = { :error => $! }
+        render :new
+      end
+    end
+  end
+
+  def update
+    begin
+      @node = Chef::Node.load(params[:id])
+    rescue Net::HTTPServerException => e
+      raise NotFound, "Cannot load node #{params[:id]}"
+    end
+
+    if params.has_key?("inflated_object")
+      updated = params['inflated_object']
+      @node.run_list.reset(updated.run_list)
+      @node.attribute = updated.attribute
+      @node.save
+      display(@node)
+    else
+      begin
+        @node.run_list.reset(params[:for_node] ? params[:for_node] : [])
+        @node.attribute = JSON.parse(params[:attributes])
+        @node.save
+        @_message = { :notice => "Updated Node" }
+        render :show
+      rescue
+        @available_recipes = get_available_recipes 
+        @available_roles = Chef::Role.list.sort
+        @run_list = Chef::RunList.new
+        @run_list.reset(params[:for_node])
+        render :edit
+      end
+    end
+  end
+
+  def destroy
+    begin
+      @node = Chef::Node.load(params[:id])
+    rescue Net::HTTPServerException => e 
+      raise NotFound, "Cannot load node #{params[:id]}"
+    end
+    @node.destroy
+    if request.accept == 'application/json'
+      display @node
+    else
+      redirect(absolute_slice_url(:nodes), {:message => { :notice => "Node #{params[:id]} deleted successfully" }, :permanent => true})
+    end
+  end
+  
+end

data/app/controllers/openid_consumer.rb

@@ -0,0 +1,133 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Copyright:: Copyright (c) 2008 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'pathname'
+require 'openid'
+require (Chef::Config[:openid_cstore_couchdb] ?   'openid-store-couchdb' : 'openid/store/filesystem')
+
+class ChefServerSlice::OpenidConsumer < ChefServerSlice::Application
+
+  provides :html, :json
+
+  def index
+    if request.xhr?
+      render :layout => false
+    else
+      render :layout => 'login'
+    end
+  end
+
+  def start
+    oid = params[:openid_identifier]
+    begin
+      oidreq = consumer.begin(oid)
+    rescue OpenID::OpenIDError => e
+      raise BadRequest, "Discovery failed for #{oid}: #{e}"
+    end
+
+    return_to = absolute_slice_url(:openid_consumer_complete)
+    realm = absolute_slice_url(:openid_consumer)
+
+    if oidreq.send_redirect?(realm, return_to, params[:immediate])
+      return redirect(oidreq.redirect_url(realm, return_to, params[:immediate]))
+    else
+      @form_text = oidreq.form_markup(realm, return_to, params[:immediate], {'id' => 'openid_form'})
+      render
+    end
+  end
+
+  def login
+    oid = params[:openid_identifier]
+    raise(Unauthorized, "Sorry, #{oid} is not an authorized OpenID.") unless is_authorized_openid_identifier?(oid, Chef::Config[:authorized_openid_identifiers])
+    raise(Unauthorized, "Sorry, #{oid} is not an authorized OpenID Provider.") unless is_authorized_openid_provider?(oid, Chef::Config[:authorized_openid_providers])
+    start
+  end
+
+  def complete
+    # FIXME - url_for some action is not necessarily the current URL.
+    current_url = absolute_slice_url(:openid_consumer_complete)
+    parameters = params.reject{|k,v| k == "controller" || k == "action"}
+    oidresp = consumer.complete(parameters, current_url)
+    case oidresp.status
+      when OpenID::Consumer::FAILURE
+        raise BadRequest, "Verification failed: #{oidresp.message}" + (oidresp.display_identifier ? " for identifier '#{oidresp.display_identifier}'" : "")
+      when OpenID::Consumer::SUCCESS
+        session[:openid] = oidresp.identity_url
+        if oidresp.display_identifier =~ /openid\/server\/node\/(.+)$/
+          reg_name = $1
+          reg = Chef::OpenIDRegistration.load(reg_name)
+          Chef::Log.error("#{reg_name} is an admin #{reg.admin}")
+          session[:level] = reg.admin ? :admin : :node
+          session[:node_name] = $1
+        else
+          session[:level] = :admin
+        end
+        redirect_back_or_default(absolute_slice_url(:nodes))
+        return "Verification of #{oidresp.display_identifier} succeeded."
+      when OpenID::Consumer::SETUP_NEEDED
+        return "Immediate request failed - Setup Needed"
+      when OpenID::Consumer::CANCEL
+        return "OpenID transaction cancelled."
+      else
+    end
+    redirect absolute_slice_url(:openid_consumer)
+  end
+
+  def logout
+    [:openid,:level,:node_name].each { |n| session.delete(n) }
+    redirect slice_url(:top)
+  end
+
+  private
+  def is_authorized_openid_provider?(openid, authorized_providers)
+    Chef::Log.debug("checking for valid openid provider: openid: #{openid}, authorized providers: #{authorized_providers}")
+    if authorized_providers and openid
+      if authorized_providers.length > 0
+        authorized_providers.detect { |p| Chef::Log.debug("openid: #{openid} (#{openid.class}), p: #{p} (#{p.class})"); openid.match(p) }
+      else
+        true
+      end
+    else
+      true
+    end
+  end
+
+  def is_authorized_openid_identifier?(openid, authorized_identifiers)
+    Chef::Log.debug("checking for valid openid identifier: openid: #{openid}, authorized openids: #{authorized_identifiers}")
+    if authorized_identifiers and openid
+      if authorized_identifiers.length > 0
+        authorized_identifiers.detect { |p| Chef::Log.debug("openid: #{openid} (#{openid.class}), p: #{p} (#{p.class})"); openid == p }
+      else
+        true
+      end
+    else
+      true
+    end
+  end
+
+  def consumer
+    @consumer ||= OpenID::Consumer.new(session,
+                                       if Chef::Config[:openid_cstore_couchdb]
+                                         OpenID::Store::CouchDB.new(Chef::Config[:couchdb_url])
+                                       else
+                                         OpenID::Store::Filesystem.new(Chef::Config[:openid_cstore_path])
+                                       end)
+  end
+
+end

data/app/controllers/openid_register.rb

@@ -0,0 +1,113 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Copyright:: Copyright (c) 2008 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'openid'
+require 'chef' / 'openid_registration'
+
+class ChefServerSlice::OpenidRegister < ChefServerSlice::Application
+
+  provides :html, :json
+  
+  before :fix_up_node_id
+  before :login_required,  :only => [ :index, :update, :destroy, :validate, :admin ]
+  before :authorized_node, :only => [ :update, :destroy, :validate, :admin ]
+
+  def index
+    @headers['X-XRDS-Location'] = Chef::Config[:openid_url] + "/openid/server/server/xrds"
+    @registered_nodes = Chef::OpenIDRegistration.list(true)
+    Chef::Log.debug(@registered_nodes.inspect)
+    display @registered_nodes
+  end
+  
+  def show
+    begin
+      @registered_node = Chef::OpenIDRegistration.load(params[:id])
+    rescue Net::HTTPServerException => e
+      if e.message =~ /^404/
+        raise NotFound, "Cannot load node registration for #{params[:id]}"
+      else
+        raise e
+      end
+    end
+     Chef::Log.debug(@registered_node.inspect)
+     display @registered_node
+  end
+  
+  def create
+    params.has_key?(:id) or raise BadRequest, "You must provide an id to register"
+    params.has_key?(:password) or raise BadRequest, "You must provide a password to register"
+    if Chef::OpenIDRegistration.has_key?(params[:id])
+      raise BadRequest, "You cannot re-register #{params[:id]}!"
+    end
+    @registered_node = Chef::OpenIDRegistration.new
+    @registered_node.name = params[:id]
+    @registered_node.set_password(params[:password])
+    if Chef::Config[:validation_token]
+      if params[:validation_token] == Chef::Config[:validation_token]
+        @registered_node.validated = true
+      else
+        @registered_node.validated = false
+      end
+    else
+      @registered_node.validated = false
+    end
+    @registered_node.save
+    display @registered_node
+  end
+  
+  def update
+    raise BadRequest, "You cannot update your registration -- delete #{params[:id]} and re-register"
+  end
+  
+  def destroy
+    begin
+      r = Chef::OpenIDRegistration.load(params[:id])
+    rescue Exception => e
+      raise BadRequest, "Cannot find the registration for #{params[:id]}"
+    end
+    r.destroy
+    if content_type == :html
+      redirect slice_url(:registrations)
+    else
+      display({ :message => "Deleted registration for #{params[:id]}"})
+    end
+  end
+  
+  def validate
+    begin
+      r = Chef::OpenIDRegistration.load(params[:id])
+    rescue Exception => e
+      raise BadRequest, "Cannot find the registration for #{params[:id]}"
+    end
+    r.validated = r.validated ? false : true
+    r.save
+    redirect slice_url(:registrations)
+  end
+  
+  def admin
+    begin
+      r = Chef::OpenIDRegistration.load(params[:id])
+    rescue Exception => e
+      raise BadRequest, "Cannot find the registration for #{params[:id]}"
+    end
+    r.admin = r.admin ? false : true
+    r.save
+    redirect slice_url(:registrations)
+  end
+end

data/app/controllers/openid_server.rb

@@ -0,0 +1,252 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Christopher Brown (<cb@opscode.com>)
+# Copyright:: Copyright (c) 2008 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'pathname'
+
+# load the openid library, first trying rubygems
+#begin
+#  require "rubygems"
+#  require_gem "ruby-openid", ">= 1.0"
+#rescue LoadError
+require "openid"
+require "openid/consumer/discovery"
+require 'json'
+require 'chef' / 'openid_registration'
+#end
+
+class ChefServerSlice::OpenidServer < ChefServerSlice::Application
+
+  provides :html, :json
+
+  include Merb::ChefServerSlice::OpenidServerHelper
+  include OpenID::Server
+  
+  layout nil
+  
+  before :fix_up_node_id
+  after :dump_cookies_and_session
+
+  def index
+        
+    oidreq = server.decode_request(params.reject{|k,v| k == "controller" || k == "action"})
+    
+    # no openid.mode was given
+    unless oidreq
+      return "This is the Chef OpenID server endpoint."
+    end
+
+    oidresp = nil
+
+    if oidreq.kind_of?(CheckIDRequest)
+      identity = oidreq.identity
+
+      if oidresp
+        nil
+      elsif self.is_authorized(identity, oidreq.trust_root)
+        oidresp = oidreq.answer(true, nil, identity)
+      elsif oidreq.immediate
+        server_url = slice_url :openid_server
+        oidresp = oidreq.answer(false, server_url)
+      else
+        if content_type == :json
+          session[:last_oidreq] = oidreq
+          response = { :action => slice_url(:openid_server_decision) }
+          return response.to_json
+        else
+          return show_decision_page(oidreq)
+        end
+      end
+    else
+      oidresp = server.handle_request(oidreq)
+    end
+
+    self.render_response(oidresp)
+  end
+
+  def show_decision_page(oidreq, message="Do you trust this site with your identity?")
+    session[:last_oidreq] = oidreq
+    @oidreq = oidreq
+
+    if message
+      session[:notice] = message
+    end
+
+    render :template => 'openid_server/decide'
+  end
+
+  def node_page
+    unless Chef::OpenIDRegistration.has_key?(params[:id])
+      raise NotFound, "Cannot find registration for #{params[:id]}"
+    end
+    
+    # Yadis content-negotiation: we want to return the xrds if asked for.
+    accept = request.env['HTTP_ACCEPT']
+
+    # This is not technically correct, and should eventually be updated
+    # to do real Accept header parsing and logic.  Though I expect it will work
+    # 99% of the time.
+    if accept and accept.include?('application/xrds+xml')
+      return node_xrds
+    end
+
+    # content negotiation failed, so just render the user page
+    xrds_url = absolute_slice_url(:openid_node_xrds, :id => params[:id])
+    identity_page = <<EOS
+<html><head>
+<meta http-equiv="X-XRDS-Location" content="#{xrds_url}" />
+<link rel="openid.server" href="#{absolute_slice_url(:openid_node, :id => params[:id])}" />
+</head><body><p>OpenID identity page for registration #{params[:id]}</p>
+</body></html>
+EOS
+
+    # Also add the Yadis location header, so that they don't have
+    # to parse the html unless absolutely necessary.
+    @headers['X-XRDS-Location'] = xrds_url
+    render identity_page
+  end
+
+  def node_xrds
+    types = [
+             OpenID::OPENID_2_0_TYPE,
+             OpenID::OPENID_1_0_TYPE
+            ]
+
+    render_xrds(types)
+  end
+
+  def idp_xrds
+    types = [
+             OpenID::OPENID_IDP_2_0_TYPE,
+            ]
+
+    render_xrds(types)
+  end
+
+  def decision
+    oidreq = session[:last_oidreq]
+    session[:last_oidreq] = nil
+
+    if params.has_key?(:cancel)
+      Chef::Log.info("Cancelling OpenID Authentication")
+      return(redirect(oidreq.cancel_url))
+    else      
+      identity = oidreq.identity
+      identity =~ /node\/(.+)$/
+      openid_node = Chef::OpenIDRegistration.load($1)
+      unless openid_node.validated
+        raise Unauthorized, "This nodes registration has not been validated"
+      end
+      if openid_node.password == encrypt_password(openid_node.salt, params[:password])     
+        if session[:approvals] and !session[:approvals].include?(oidreq.trust_root)
+          session[:approvals] << oidreq.trust_root 
+        else
+          session[:approvals] = [oidreq.trust_root]
+        end
+        oidresp = oidreq.answer(true, nil, identity)
+        return self.render_response(oidresp)
+      else
+        raise Unauthorized, "Invalid credentials"
+      end
+    end
+  end
+
+  protected
+
+  def encrypt_password(salt, password)
+    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+  end
+
+  def server
+    if @server.nil?
+      server_url = absolute_slice_url(:openid_server)
+      if Chef::Config[:openid_store_couchdb]
+        require 'openid-store-couchdb'
+        store = OpenID::Store::CouchDB.new(Chef::Config[:couchdb_url])
+      else
+        require 'openid/store/filesystem'
+        dir = Chef::Config[:openid_store_path]
+        store = OpenID::Store::Filesystem.new(dir)
+      end
+      @server = Server.new(store, server_url)
+    end
+    return @server
+  end
+
+  def approved(trust_root)
+    return false if session[:approvals].nil?
+    return session[:approvals].member?(trust_root)
+  end
+
+  def is_authorized(identity_url, trust_root)
+    return (session[:username] and (identity_url == url_for_user) and self.approved(trust_root))
+  end
+
+  def render_xrds(types)
+    type_str = ""
+
+    types.each { |uri|
+      type_str += "<Type>#{uri}</Type>\n      "
+    }
+
+    yadis = <<EOS
+<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS
+    xmlns:xrds="xri://$xrds"
+    xmlns="xri://$xrd*($v*2.0)">
+  <XRD>
+    <Service priority="0">
+      #{type_str}
+      <URI>#{absolute_slice_url(:openid_server)}</URI>
+    </Service>
+  </XRD>
+</xrds:XRDS>
+EOS
+
+    @headers['content-type'] = 'application/xrds+xml'
+    render yadis
+  end
+
+  def render_response(oidresp)
+    if oidresp.needs_signing
+      signed_response = server.signatory.sign(oidresp)
+    end
+    web_response = server.encode_response(oidresp)
+
+    case web_response.code
+    when HTTP_OK
+      @status = 200
+      render web_response.body
+    when HTTP_REDIRECT
+      redirect web_response.headers['location']
+    else
+      @status = 400
+      render web_response.body
+    end
+  end
+
+  def dump_cookies_and_session
+    unless session.empty? or request.cookies.empty?
+      cookie_size = request.cookies.inject(0) {|sum,c| sum + c[1].length }
+      c, s = request.cookies.inspect, session.inspect
+      Chef::Log.debug("cookie dump (size: #{cookie_size}): #{c}")
+      Chef::Log.debug("session dump #{s}")
+    end
+  end
+
+end