chef-zero 2.2.1 → 3.0.0.rc.1

data/lib/chef_zero/chef_data/data_normalizer.rb

@@ -0,0 +1,207 @@
+require 'chef_zero'
+require 'chef_zero/rest_base'
+require 'chef_zero/chef_data/default_creator'
+
+module ChefZero
+  module ChefData
+    class DataNormalizer
+      def self.normalize_acls(acls)
+        ChefData::DefaultCreator::PERMISSIONS.each do |perm|
+          acls[perm] ||= {}
+          acls[perm]['actors'] ||= []
+          acls[perm]['groups'] ||= []
+        end
+        acls
+      end
+
+      def self.normalize_client(client, name)
+        client['name'] ||= name
+        client['admin'] ||= false
+        client['admin'] = !!client['admin']
+        client['public_key'] ||= PUBLIC_KEY
+        client['validator'] ||= false
+        client['validator'] = !!client['validator']
+        client['json_class'] ||= "Chef::ApiClient"
+        client['chef_type'] ||= "client"
+        client
+      end
+
+      def self.normalize_container(container, name)
+        container.delete('id')
+        container['containername'] = name
+        container['containerpath'] = name
+        container
+      end
+
+      def self.normalize_user(user, name, identity_keys, osc_compat, method=nil)
+        user[identity_keys.first] ||= name
+        user['public_key'] ||= PUBLIC_KEY
+        user['admin'] ||= false
+        user['admin'] = !!user['admin']
+        user['openid'] ||= nil
+        if !osc_compat
+          if method == 'GET'
+            user.delete('admin')
+            user.delete('password')
+            user.delete('openid')
+          end
+          user['email'] ||= nil
+          user['first_name'] ||= nil
+          user['last_name'] ||= nil
+        end
+        user
+      end
+
+      def self.normalize_data_bag_item(data_bag_item, data_bag_name, id, method)
+        if method == 'DELETE'
+          # TODO SERIOUSLY, WHO DOES THIS MANY EXCEPTIONS IN THEIR INTERFACE
+          if !(data_bag_item['json_class'] == 'Chef::DataBagItem' && data_bag_item['raw_data'])
+            data_bag_item['id'] ||= id
+            data_bag_item = { 'raw_data' => data_bag_item }
+            data_bag_item['chef_type'] ||= 'data_bag_item'
+            data_bag_item['json_class'] ||= 'Chef::DataBagItem'
+            data_bag_item['data_bag'] ||= data_bag_name
+            data_bag_item['name'] ||= "data_bag_item_#{data_bag_name}_#{id}"
+          end
+        else
+          # If it's not already wrapped with raw_data, wrap it.
+          if data_bag_item['json_class'] == 'Chef::DataBagItem' && data_bag_item['raw_data']
+            data_bag_item = data_bag_item['raw_data']
+          end
+          # Argh.  We don't do this on GET, but we do on PUT and POST????
+          if %w(PUT POST).include?(method)
+            data_bag_item['chef_type'] ||= 'data_bag_item'
+            data_bag_item['data_bag'] ||= data_bag_name
+          end
+          data_bag_item['id'] ||= id
+        end
+        data_bag_item
+      end
+
+      def self.normalize_cookbook(endpoint, org_prefix, cookbook, name, version, base_uri, method)
+        # TODO I feel dirty
+        if method != 'PUT'
+          cookbook.each_pair do |key, value|
+            if value.is_a?(Array)
+              value.each do |file|
+                if file.is_a?(Hash) && file.has_key?('checksum')
+                  file['url'] ||= endpoint.build_uri(base_uri, org_prefix + ['file_store', 'checksums', file['checksum']])
+                end
+              end
+            end
+          end
+          cookbook['name'] ||= "#{name}-#{version}"
+          # TODO this feels wrong, but the real chef server doesn't expand this default
+    #      cookbook['version'] ||= version
+          cookbook['cookbook_name'] ||= name
+          cookbook['frozen?'] ||= false
+          cookbook['metadata'] ||= {}
+          cookbook['metadata']['version'] ||= version
+          # Sad to not be expanding defaults just because Chef doesn't :(
+  #        cookbook['metadata']['name'] ||= name
+  #        cookbook['metadata']['description'] ||= "A fabulous new cookbook"
+          cookbook['metadata']['long_description'] ||= ""
+  #        cookbook['metadata']['maintainer'] ||= "YOUR_COMPANY_NAME"
+  #        cookbook['metadata']['maintainer_email'] ||= "YOUR_EMAIL"
+  #        cookbook['metadata']['license'] ||= "none"
+          cookbook['metadata']['dependencies'] ||= {}
+          cookbook['metadata']['attributes'] ||= {}
+          cookbook['metadata']['recipes'] ||= {}
+        end
+        cookbook['json_class'] ||= 'Chef::CookbookVersion'
+        cookbook['chef_type'] ||= 'cookbook_version'
+        if method == 'MIN'
+          cookbook['metadata'].delete('attributes')
+          cookbook['metadata'].delete('long_description')
+        end
+        cookbook
+      end
+
+      def self.normalize_environment(environment, name)
+        environment['name'] ||= name
+        environment['description'] ||= ''
+        environment['cookbook_versions'] ||= {}
+        environment['json_class'] ||= "Chef::Environment"
+        environment['chef_type'] ||= "environment"
+        environment['default_attributes'] ||= {}
+        environment['override_attributes'] ||= {}
+        environment
+      end
+
+      def self.normalize_group(group, name, orgname)
+        group.delete('id')
+        if group['actors'].is_a?(Hash)
+          group['users'] ||= group['actors']['users']
+          group['clients'] ||= group['actors']['clients']
+          group['groups'] ||= group['actors']['groups']
+          group['actors'] = nil
+        end
+        group['users'] ||= []
+        group['clients'] ||= []
+        group['actors'] ||= (group['clients'] + group['users'])
+        group['groups'] ||= []
+        group['orgname'] ||= orgname if orgname
+        group['name'] ||= name
+        group['groupname'] ||= name
+
+        group['users'].uniq!
+        group['clients'].uniq!
+        group['actors'].uniq!
+        group['groups'].uniq!
+        group
+      end
+
+      def self.normalize_node(node, name)
+        node['name'] ||= name
+        node['json_class'] ||= 'Chef::Node'
+        node['chef_type'] ||= 'node'
+        node['chef_environment'] ||= '_default'
+        node['override'] ||= {}
+        node['normal'] ||= {}
+        node['default'] ||= {}
+        node['automatic'] ||= {}
+        node['run_list'] ||= []
+        node['run_list'] = normalize_run_list(node['run_list'])
+        node
+      end
+
+      def self.normalize_organization(org, name)
+        org['name'] ||= name
+        org['full_name'] ||= name
+        org['org_type'] ||= 'Business'
+        org['clientname'] ||= "#{name}-validator"
+        org['billing_plan'] ||= 'platform-free'
+        org
+      end
+
+      def self.normalize_role(role, name)
+        role['name'] ||= name
+        role['description'] ||= ''
+        role['json_class'] ||= 'Chef::Role'
+        role['chef_type'] ||= 'role'
+        role['default_attributes'] ||= {}
+        role['override_attributes'] ||= {}
+        role['run_list'] ||= []
+        role['run_list'] = normalize_run_list(role['run_list'])
+        role['env_run_lists'] ||= {}
+        role['env_run_lists'].each_pair do |env, run_list|
+          role['env_run_lists'][env] = normalize_run_list(run_list)
+        end
+        role
+      end
+
+      def self.normalize_run_list(run_list)
+        run_list.map{|item|
+          case item
+          when /^recipe\[.*\]$/
+            item # explicit recipe
+          when /^role\[.*\]$/
+            item # explicit role
+          else
+            "recipe[#{item}]"
+          end
+        }.uniq
+      end
+    end
+  end
+end

data/lib/chef_zero/chef_data/default_creator.rb

@@ -0,0 +1,446 @@
+require 'chef_zero/chef_data/acl_path'
+
+module ChefZero
+  module ChefData
+    #
+    # The DefaultCreator creates default values when you ask for them.
+    # - It relies on created and deleted being called when things get
+    #   created and deleted, so that it knows the owners of said objects
+    #   and knows to eliminate default values on delete.
+    # - get, list and exists? get data.
+    #
+    class DefaultCreator
+      def initialize(data, single_org, osc_compat, superusers = nil)
+        @data = data
+        @single_org = single_org
+        @osc_compat = osc_compat
+        @superusers = superusers || DEFAULT_SUPERUSERS
+        clear
+      end
+
+      attr_reader :data
+      attr_reader :single_org
+      attr_reader :osc_compat
+      attr_reader :creators
+      attr_reader :deleted
+
+      PERMISSIONS = %w(create read update delete grant)
+      DEFAULT_SUPERUSERS = %w(pivotal)
+
+      def clear
+        @creators = { [] => @superusers }
+        @deleted = {}
+      end
+
+      def deleted(path)
+        # acl deletes mean nothing, they are entirely subservient to their
+        # parent object
+        if path[0] == 'acls' || (path[0] == 'organizations' && path[2] == 'acls')
+          return false
+        end
+
+        result = exists?(path)
+        @deleted[path] = true
+        result
+      end
+
+      def deleted?(path)
+        1.upto(path.size) do |index|
+          return true if @deleted[path[0..-index]]
+        end
+        false
+      end
+
+      def created(path, creator, create_parents)
+        # If a parent has been deleted, we will need to clear that.
+        deleted_index = nil
+        0.upto(path.size-1) do |index|
+          deleted_index = index if @deleted[path[0..index]]
+        end
+
+        # Walk up the tree, setting the creator on anything that doesn't exist
+        # (anything that is either deleted or was never created)
+        while (deleted_index && path.size > deleted_index) || !@creators[path]
+          @creators[path] = creator ? [ creator ] : []
+          @deleted.delete(path)
+          # Only do this once if create_parents is false
+          break if !create_parents || path.size == 0
+
+          path = path[0..-2]
+        end
+      end
+
+      def superusers
+        @creators[[]]
+      end
+
+      def get(path)
+        return nil if deleted?(path)
+
+        result = case path[0]
+        when 'acls'
+          # /acls/*
+          object_path = AclPath.get_object_path(path)
+          if data_exists?(object_path)
+            default_acl(path)
+          end
+
+        when 'containers'
+          if path.size == 2 && exists?(path)
+            {}
+          end
+
+        when 'users'
+          if path.size == 2 && data.exists?(path)
+            # User is empty user
+            {}
+          end
+
+        when 'organizations'
+          if path.size >= 2
+            # /organizations/*/**
+            if data.exists_dir?(path[0..1])
+              get_org_default(path)
+            end
+          end
+        end
+
+        result
+      end
+
+      def list(path)
+        return nil if deleted?(path)
+
+        if path.size == 0
+          return %w(containers users organizations acls)
+        end
+
+        case path[0]
+        when 'acls'
+          if path.size == 1
+            [ 'root' ] + (data.list(path + [ 'containers' ]) - [ 'organizations' ])
+          else
+            data.list(AclPath.get_object_path(path))
+          end
+
+        when 'containers'
+          [ 'containers', 'users', 'organizations' ]
+
+        when 'users'
+          superusers
+
+        when 'organizations'
+          if path.size == 1
+            single_org ? [ single_org ] : []
+          elsif path.size >= 2 && data.exists_dir?(path[0..1])
+            list_org_default(path)
+          end
+        end
+      end
+
+      def exists?(path)
+        return true if path.size == 0
+        parent_list = list(path[0..-2])
+        parent_list && parent_list.include?(path[-1])
+      end
+
+      protected
+
+      DEFAULT_ORG_SPINE = {
+        'clients' => {},
+        'cookbooks' => {},
+        'data' => {},
+        'environments' => %w(_default),
+        'file_store' => {
+          'checksums' => {}
+        },
+        'nodes' => {},
+        'roles' => {},
+        'sandboxes' => {},
+        'users' => {},
+
+        'org' => {},
+        'containers' => %w(clients containers cookbooks data environments groups nodes roles sandboxes),
+        'groups' => %w(admins billing-admins clients users),
+        'association_requests' => {}
+      }
+
+      def list_org_default(path)
+        if path.size >= 3 && path[2] == 'acls'
+          if path.size == 3
+            # /organizations/ORG/acls
+            return [ 'root' ] + data.list(path[0..1] + [ 'containers' ])
+          elsif path.size == 4
+            # /organizations/ORG/acls/TYPE
+            return data.list(path[0..1] + [ path[3] ])
+          else
+            return nil
+          end
+        end
+
+        value = DEFAULT_ORG_SPINE
+        2.upto(path.size-1) do |index|
+          value = nil if @deleted[path[0..index]]
+          break if !value
+          value = value[path[index]]
+        end
+
+        result = if value.is_a?(Hash)
+          value.keys
+        elsif value
+          value
+        end
+
+        if path.size == 3
+          if path[2] == 'clients'
+            result << "#{path[1]}-validator"
+            if osc_compat
+              result << "#{path[1]}-webui"
+            end
+          elsif path[2] == 'users'
+            if osc_compat
+              result << 'admin'
+            end
+          end
+        end
+
+        result
+      end
+
+      def get_org_default(path)
+        if path[2] == 'acls'
+          get_org_acl_default(path)
+
+        elsif path.size >= 4
+          if path[2] == 'containers' && path.size == 4
+            if exists?(path)
+              return {}
+            else
+              return nil
+            end
+          end
+
+          # /organizations/(*)/clients/\1-validator
+          # /organizations/*/environments/_default
+          # /organizations/*/groups/{admins,billing-admins,clients,users}
+          case path[2..-1].join('/')
+          when "clients/#{path[1]}-validator"
+            { 'validator' => 'true' }
+
+          when "clients/#{path[1]}-webui", "users/admin"
+            if osc_compat
+              { 'admin' => 'true' }
+            end
+
+          when "environments/_default"
+            { "description" => "The default Chef environment" }
+
+          when "groups/admins"
+            admins = data.list(path[0..1] + [ 'users' ]).select do |name|
+              user = JSON.parse(data.get(path[0..1] + [ 'users', name ]), :create_additions => false)
+              user['admin']
+            end
+            admins += data.list(path[0..1] + [ 'clients' ]).select do |name|
+              client = JSON.parse(data.get(path[0..1] + [ 'clients', name ]), :create_additions => false)
+              client['admin']
+            end
+            admins += @creators[path[0..1]] if @creators[path[0..1]]
+            { 'actors' => admins.uniq }
+
+          when "groups/billing-admins"
+            {}
+
+          when "groups/clients"
+            { 'clients' => data.list(path[0..1] + [ 'clients' ]) }
+
+          when "groups/users"
+            users = data.list(path[0..1] + [ 'users' ])
+            users |= @creators[path[0..1]] if @creators[path[0..1]]
+            { 'users' => users }
+
+          when "org"
+            {}
+
+          end
+        end
+      end
+
+      def get_org_acl_default(path)
+        object_path = AclPath.get_object_path(path)
+        # The actual things containers correspond to don't have to exist, as long as the container does
+        return nil if object_path[2] != 'containers' && !data_exists?(object_path)
+        basic_acl =
+          case path[3..-1].join('/')
+          when 'root', 'containers/containers', 'containers/groups'
+            {
+              'create' => { 'groups' => %w(admins) },
+              'read'   => { 'groups' => %w(admins users) },
+              'update' => { 'groups' => %w(admins) },
+              'delete' => { 'groups' => %w(admins) },
+              'grant'  => { 'groups' => %w(admins) },
+            }
+          when 'containers/cookbooks', 'containers/environments', 'containers/roles'
+            {
+              'create' => { 'groups' => %w(admins users) },
+              'read'   => { 'groups' => %w(admins users clients) },
+              'update' => { 'groups' => %w(admins users) },
+              'delete' => { 'groups' => %w(admins users) },
+              'grant'  => { 'groups' => %w(admins) },
+            }
+          when 'containers/cookbooks', 'containers/data'
+            {
+              'create' => { 'groups' => %w(admins users clients) },
+              'read'   => { 'groups' => %w(admins users clients) },
+              'update' => { 'groups' => %w(admins users clients) },
+              'delete' => { 'groups' => %w(admins users clients) },
+              'grant'  => { 'groups' => %w(admins) },
+            }
+          when 'containers/nodes'
+            {
+              'create' => { 'groups' => %w(admins users clients) },
+              'read'   => { 'groups' => %w(admins users clients) },
+              'update' => { 'groups' => %w(admins users) },
+              'delete' => { 'groups' => %w(admins users) },
+              'grant'  => { 'groups' => %w(admins) },
+            }
+          when 'containers/clients'
+            {
+              'create' => { 'groups' => %w(admins) },
+              'read'   => { 'groups' => %w(admins users) },
+              'update' => { 'groups' => %w(admins) },
+              'delete' => { 'groups' => %w(admins users) },
+              'grant'  => { 'groups' => %w(admins) },
+            }
+          when 'containers/sandboxes'
+            {
+              'create' => { 'groups' => %w(admins users) },
+              'read'   => { 'groups' => %w(admins) },
+              'update' => { 'groups' => %w(admins) },
+              'delete' => { 'groups' => %w(admins) },
+              'grant'  => { 'groups' => %w(admins) },
+            }
+          when 'groups/admins', 'groups/clients', 'groups/users'
+            {
+              'create' => { 'groups' => %w(admins) },
+              'read'   => { 'groups' => %w(admins) },
+              'update' => { 'groups' => %w(admins) },
+              'delete' => { 'groups' => %w(admins) },
+              'grant'  => { 'groups' => %w(admins) },
+            }
+          when 'groups/billing-admins'
+            {
+              'create' => { 'groups' => %w() },
+              'read'   => { 'groups' => %w(billing-admins) },
+              'update' => { 'groups' => %w(billing-admins) },
+              'delete' => { 'groups' => %w() },
+              'grant'  => { 'groups' => %w() },
+            }
+          else
+            {}
+          end
+
+        default_acl(path, basic_acl)
+      end
+
+      def get_owners(acl_path)
+        owners = []
+
+        path = AclPath.get_object_path(acl_path)
+        if path
+
+          # Non-validator clients own themselves.
+          if path.size == 4 && path[0] == 'organizations' && path[2] == 'clients'
+            begin
+              client = JSON.parse(data.get(path), :create_additions => false)
+              if !client['validator']
+                owners |= [ path[3] ]
+              end
+            rescue
+              owners |= [ path[3] ]
+            end
+
+            # Add creators as owners (except any validator clients).
+            if @creators[path]
+              @creators[path].each do |creator|
+                begin
+                  client = JSON.parse(data.get(path[0..2] + [ creator ]), :create_additions => false)
+                  next if client['validator']
+                rescue
+                end
+                owners |= [ creator ]
+              end
+            end
+          else
+            owners |= @creators[path] if @creators[path]
+          end
+
+          #ANGRY
+          # Non-default containers do not get superusers added to them,
+          # because reasons.
+          unless path.size == 4 && path[0] == 'organizations' && path[2] == 'containers' && !exists?(path)
+            owners |= superusers
+          end
+        end
+
+        owners.uniq
+      end
+
+      def default_acl(acl_path, acl={})
+        owners = nil
+        container_acl = nil
+        PERMISSIONS.each do |perm|
+          acl[perm] ||= {}
+          acl[perm]['actors'] ||= begin
+            owners ||= get_owners(acl_path)
+          end
+          acl[perm]['groups'] ||= begin
+            # When we create containers, we don't merge groups (not sure why).
+            if acl_path[0] == 'organizations' && acl_path[3] == 'containers'
+              []
+            else
+              container_acl ||= get_container_acl(acl_path) || {}
+              (container_acl[perm] ? container_acl[perm]['groups'] : []) || []
+            end
+          end
+        end
+        acl
+      end
+
+      def get_container_acl(acl_path)
+        parent_path = AclPath.parent_acl_data_path(acl_path)
+        if parent_path
+          JSON.parse(data.get(parent_path), :create_additions => false)
+        else
+          nil
+        end
+      end
+
+      def data_exists?(path)
+        if is_dir?(path)
+          data.exists_dir?(path)
+        else
+          data.exists?(path)
+        end
+      end
+
+      def is_dir?(path)
+        case path.size
+        when 0, 1
+          return true
+        when 2
+          return path[0] == 'organizations' || (path[0] == 'acls' && path[1] != 'root')
+        when 3
+          # If it has a container, it is a directory.
+          return path[0] == 'organizations' &&
+            (path[2] == 'acls' || data.exists?(path[0..1] + [ 'containers', path[2] ]))
+        when 4
+          return path[0] == 'organizations' && (
+            (path[2] == 'acls' && path[1] != 'root') ||
+            %w(cookbooks data).include?(path[2]))
+        else
+          return false
+        end
+      end
+    end
+  end
+end