chef-zero 4.8.0 → 4.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +8 -4
- data/Rakefile +20 -10
- data/bin/chef-zero +12 -12
- data/chef-zero.gemspec +24 -24
- data/lib/chef_zero.rb +1 -1
- data/lib/chef_zero/chef_data/acl_path.rb +16 -16
- data/lib/chef_zero/chef_data/cookbook_data.rb +24 -24
- data/lib/chef_zero/chef_data/data_normalizer.rb +120 -120
- data/lib/chef_zero/chef_data/default_creator.rb +145 -145
- data/lib/chef_zero/data_store/data_already_exists_error.rb +1 -1
- data/lib/chef_zero/data_store/data_not_found_error.rb +2 -2
- data/lib/chef_zero/data_store/default_facade.rb +5 -5
- data/lib/chef_zero/data_store/interface_v1.rb +1 -1
- data/lib/chef_zero/data_store/interface_v2.rb +1 -1
- data/lib/chef_zero/data_store/memory_store.rb +4 -4
- data/lib/chef_zero/data_store/memory_store_v2.rb +8 -8
- data/lib/chef_zero/data_store/raw_file_store.rb +10 -10
- data/lib/chef_zero/data_store/v1_to_v2_adapter.rb +9 -9
- data/lib/chef_zero/data_store/v2_to_v1_adapter.rb +5 -5
- data/lib/chef_zero/endpoints/acl_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/acls_endpoint.rb +5 -5
- data/lib/chef_zero/endpoints/actor_default_key_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/actor_endpoint.rb +20 -20
- data/lib/chef_zero/endpoints/actor_key_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/actor_keys_endpoint.rb +5 -6
- data/lib/chef_zero/endpoints/actors_endpoint.rb +12 -12
- data/lib/chef_zero/endpoints/authenticate_user_endpoint.rb +10 -10
- data/lib/chef_zero/endpoints/container_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/containers_endpoint.rb +3 -3
- data/lib/chef_zero/endpoints/cookbook_artifact_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/cookbook_artifact_identifier_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/cookbook_artifacts_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/cookbook_endpoint.rb +5 -5
- data/lib/chef_zero/endpoints/cookbook_version_endpoint.rb +20 -16
- data/lib/chef_zero/endpoints/cookbooks_base.rb +13 -13
- data/lib/chef_zero/endpoints/cookbooks_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/data_bag_endpoint.rb +12 -12
- data/lib/chef_zero/endpoints/data_bag_item_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/data_bags_endpoint.rb +5 -5
- data/lib/chef_zero/endpoints/dummy_endpoint.rb +0 -2
- data/lib/chef_zero/endpoints/environment_cookbook_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/environment_cookbook_versions_endpoint.rb +16 -16
- data/lib/chef_zero/endpoints/environment_cookbooks_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/environment_endpoint.rb +3 -3
- data/lib/chef_zero/endpoints/environment_nodes_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/environment_recipes_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/environment_role_endpoint.rb +8 -8
- data/lib/chef_zero/endpoints/file_store_file_endpoint.rb +2 -2
- data/lib/chef_zero/endpoints/group_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/groups_endpoint.rb +3 -3
- data/lib/chef_zero/endpoints/license_endpoint.rb +5 -5
- data/lib/chef_zero/endpoints/node_endpoint.rb +3 -4
- data/lib/chef_zero/endpoints/node_identifiers_endpoint.rb +7 -7
- data/lib/chef_zero/endpoints/nodes_endpoint.rb +3 -4
- data/lib/chef_zero/endpoints/not_found_endpoint.rb +2 -2
- data/lib/chef_zero/endpoints/organization_association_request_endpoint.rb +2 -2
- data/lib/chef_zero/endpoints/organization_association_requests_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/organization_authenticate_user_endpoint.rb +8 -8
- data/lib/chef_zero/endpoints/organization_endpoint.rb +10 -10
- data/lib/chef_zero/endpoints/organization_user_base.rb +2 -2
- data/lib/chef_zero/endpoints/organization_user_default_key_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/organization_user_endpoint.rb +5 -5
- data/lib/chef_zero/endpoints/organization_user_key_endpoint.rb +2 -2
- data/lib/chef_zero/endpoints/organization_user_keys_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/organization_users_endpoint.rb +12 -12
- data/lib/chef_zero/endpoints/organization_validator_key_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/organizations_endpoint.rb +12 -13
- data/lib/chef_zero/endpoints/policies_endpoint.rb +2 -2
- data/lib/chef_zero/endpoints/policy_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/policy_group_endpoint.rb +6 -6
- data/lib/chef_zero/endpoints/policy_group_policy_endpoint.rb +3 -4
- data/lib/chef_zero/endpoints/policy_groups_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/policy_revision_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/policy_revisions_endpoint.rb +1 -1
- data/lib/chef_zero/endpoints/principal_endpoint.rb +15 -15
- data/lib/chef_zero/endpoints/rest_list_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/rest_object_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/role_endpoint.rb +3 -3
- data/lib/chef_zero/endpoints/role_environments_endpoint.rb +3 -3
- data/lib/chef_zero/endpoints/sandbox_endpoint.rb +8 -8
- data/lib/chef_zero/endpoints/sandboxes_endpoint.rb +9 -9
- data/lib/chef_zero/endpoints/search_endpoint.rb +51 -49
- data/lib/chef_zero/endpoints/searches_endpoint.rb +2 -2
- data/lib/chef_zero/endpoints/server_api_version_endpoint.rb +2 -2
- data/lib/chef_zero/endpoints/system_recovery_endpoint.rb +8 -8
- data/lib/chef_zero/endpoints/user_association_request_endpoint.rb +12 -12
- data/lib/chef_zero/endpoints/user_association_requests_count_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/user_association_requests_endpoint.rb +4 -4
- data/lib/chef_zero/endpoints/user_organizations_endpoint.rb +5 -5
- data/lib/chef_zero/endpoints/version_endpoint.rb +1 -1
- data/lib/chef_zero/log.rb +1 -1
- data/lib/chef_zero/rest_base.rb +25 -25
- data/lib/chef_zero/rest_request.rb +11 -11
- data/lib/chef_zero/rest_router.rb +30 -30
- data/lib/chef_zero/rspec.rb +33 -33
- data/lib/chef_zero/server.rb +188 -189
- data/lib/chef_zero/socketless_server_map.rb +2 -3
- data/lib/chef_zero/solr/query/binary_operator.rb +8 -8
- data/lib/chef_zero/solr/query/phrase.rb +1 -1
- data/lib/chef_zero/solr/query/range_query.rb +2 -2
- data/lib/chef_zero/solr/query/regexpable_query.rb +1 -0
- data/lib/chef_zero/solr/query/term.rb +5 -5
- data/lib/chef_zero/solr/query/unary_operator.rb +4 -4
- data/lib/chef_zero/solr/solr_doc.rb +4 -4
- data/lib/chef_zero/solr/solr_parser.rb +34 -33
- data/lib/chef_zero/version.rb +1 -1
- data/spec/run_oc_pedant.rb +61 -60
- data/spec/search_spec.rb +11 -11
- data/spec/server_spec.rb +35 -35
- data/spec/socketless_server_map_spec.rb +1 -3
- data/spec/support/oc_pedant.rb +20 -21
- metadata +2 -2
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "chef_zero/chef_data/acl_path"
|
|
2
2
|
|
|
3
3
|
module ChefZero
|
|
4
4
|
module ChefData
|
|
@@ -24,8 +24,8 @@ module ChefZero
|
|
|
24
24
|
attr_reader :creators
|
|
25
25
|
attr_reader :deleted
|
|
26
26
|
|
|
27
|
-
PERMISSIONS = %w
|
|
28
|
-
DEFAULT_SUPERUSERS = %w
|
|
27
|
+
PERMISSIONS = %w{create read update delete grant}
|
|
28
|
+
DEFAULT_SUPERUSERS = %w{pivotal}
|
|
29
29
|
|
|
30
30
|
def clear
|
|
31
31
|
@creators = { [] => @superusers }
|
|
@@ -35,7 +35,7 @@ module ChefZero
|
|
|
35
35
|
def deleted(path)
|
|
36
36
|
# acl deletes mean nothing, they are entirely subservient to their
|
|
37
37
|
# parent object
|
|
38
|
-
if path[0] ==
|
|
38
|
+
if path[0] == "acls" || (path[0] == "organizations" && path[2] == "acls")
|
|
39
39
|
return false
|
|
40
40
|
end
|
|
41
41
|
|
|
@@ -54,7 +54,7 @@ module ChefZero
|
|
|
54
54
|
def created(path, creator, create_parents)
|
|
55
55
|
# If a parent has been deleted, we will need to clear that.
|
|
56
56
|
deleted_index = nil
|
|
57
|
-
0.upto(path.size-1) do |index|
|
|
57
|
+
0.upto(path.size - 1) do |index|
|
|
58
58
|
deleted_index = index if @deleted[path[0..index]]
|
|
59
59
|
end
|
|
60
60
|
|
|
@@ -78,32 +78,32 @@ module ChefZero
|
|
|
78
78
|
return nil if deleted?(path)
|
|
79
79
|
|
|
80
80
|
result = case path[0]
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
81
|
+
when "acls"
|
|
82
|
+
# /acls/*
|
|
83
|
+
object_path = AclPath.get_object_path(path)
|
|
84
|
+
if data_exists?(object_path)
|
|
85
|
+
default_acl(path)
|
|
86
|
+
end
|
|
87
|
+
|
|
88
|
+
when "containers"
|
|
89
|
+
if path.size == 2 && exists?(path)
|
|
90
|
+
{}
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
when "users"
|
|
94
|
+
if path.size == 2 && data.exists?(path)
|
|
95
|
+
# User is empty user
|
|
96
|
+
{}
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
when "organizations"
|
|
100
|
+
if path.size >= 2
|
|
101
|
+
# /organizations/*/**
|
|
102
|
+
if data.exists_dir?(path[0..1])
|
|
103
|
+
get_org_default(path)
|
|
104
|
+
end
|
|
105
|
+
end
|
|
106
|
+
end
|
|
107
107
|
|
|
108
108
|
result
|
|
109
109
|
end
|
|
@@ -112,24 +112,24 @@ module ChefZero
|
|
|
112
112
|
return nil if deleted?(path)
|
|
113
113
|
|
|
114
114
|
if path.size == 0
|
|
115
|
-
return %w
|
|
115
|
+
return %w{containers users organizations acls}
|
|
116
116
|
end
|
|
117
117
|
|
|
118
118
|
case path[0]
|
|
119
|
-
when
|
|
119
|
+
when "acls"
|
|
120
120
|
if path.size == 1
|
|
121
|
-
[
|
|
121
|
+
[ "root" ] + (data.list(path + [ "containers" ]) - [ "organizations" ])
|
|
122
122
|
else
|
|
123
123
|
data.list(AclPath.get_object_path(path))
|
|
124
124
|
end
|
|
125
125
|
|
|
126
|
-
when
|
|
127
|
-
|
|
126
|
+
when "containers"
|
|
127
|
+
%w{containers users organizations}
|
|
128
128
|
|
|
129
|
-
when
|
|
129
|
+
when "users"
|
|
130
130
|
superusers
|
|
131
131
|
|
|
132
|
-
when
|
|
132
|
+
when "organizations"
|
|
133
133
|
if path.size == 1
|
|
134
134
|
single_org ? [ single_org ] : []
|
|
135
135
|
elsif path.size >= 2 && data.exists_dir?(path[0..1])
|
|
@@ -147,32 +147,32 @@ module ChefZero
|
|
|
147
147
|
protected
|
|
148
148
|
|
|
149
149
|
DEFAULT_ORG_SPINE = {
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
150
|
+
"clients" => {},
|
|
151
|
+
"cookbook_artifacts" => {},
|
|
152
|
+
"cookbooks" => {},
|
|
153
|
+
"data" => {},
|
|
154
|
+
"environments" => %w{_default},
|
|
155
|
+
"file_store" => {
|
|
156
|
+
"checksums" => {},
|
|
157
157
|
},
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
158
|
+
"nodes" => {},
|
|
159
|
+
"policies" => {},
|
|
160
|
+
"policy_groups" => {},
|
|
161
|
+
"roles" => {},
|
|
162
|
+
"sandboxes" => {},
|
|
163
|
+
"users" => {},
|
|
164
|
+
|
|
165
|
+
"org" => {},
|
|
166
|
+
"containers" => %w{clients containers cookbook_artifacts cookbooks data environments groups nodes policies policy_groups roles sandboxes},
|
|
167
|
+
"groups" => %w{admins billing-admins clients users},
|
|
168
|
+
"association_requests" => {},
|
|
169
169
|
}
|
|
170
170
|
|
|
171
171
|
def list_org_default(path)
|
|
172
|
-
if path.size >= 3 && path[2] ==
|
|
172
|
+
if path.size >= 3 && path[2] == "acls"
|
|
173
173
|
if path.size == 3
|
|
174
174
|
# /organizations/ORG/acls
|
|
175
|
-
return [
|
|
175
|
+
return [ "root" ] + data.list(path[0..1] + [ "containers" ])
|
|
176
176
|
elsif path.size == 4
|
|
177
177
|
# /organizations/ORG/acls/TYPE
|
|
178
178
|
return data.list(path[0..1] + [ path[3] ])
|
|
@@ -182,27 +182,27 @@ module ChefZero
|
|
|
182
182
|
end
|
|
183
183
|
|
|
184
184
|
value = DEFAULT_ORG_SPINE
|
|
185
|
-
2.upto(path.size-1) do |index|
|
|
185
|
+
2.upto(path.size - 1) do |index|
|
|
186
186
|
value = nil if @deleted[path[0..index]]
|
|
187
187
|
break if !value
|
|
188
188
|
value = value[path[index]]
|
|
189
189
|
end
|
|
190
190
|
|
|
191
191
|
result = if value.is_a?(Hash)
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
192
|
+
value.keys
|
|
193
|
+
elsif value
|
|
194
|
+
value
|
|
195
|
+
end
|
|
196
196
|
|
|
197
197
|
if path.size == 3
|
|
198
|
-
if path[2] ==
|
|
198
|
+
if path[2] == "clients"
|
|
199
199
|
result << "#{path[1]}-validator"
|
|
200
200
|
if osc_compat
|
|
201
201
|
result << "#{path[1]}-webui"
|
|
202
202
|
end
|
|
203
|
-
elsif path[2] ==
|
|
203
|
+
elsif path[2] == "users"
|
|
204
204
|
if osc_compat
|
|
205
|
-
result <<
|
|
205
|
+
result << "admin"
|
|
206
206
|
end
|
|
207
207
|
end
|
|
208
208
|
end
|
|
@@ -211,11 +211,11 @@ module ChefZero
|
|
|
211
211
|
end
|
|
212
212
|
|
|
213
213
|
def get_org_default(path)
|
|
214
|
-
if path[2] ==
|
|
214
|
+
if path[2] == "acls"
|
|
215
215
|
get_org_acl_default(path)
|
|
216
216
|
|
|
217
217
|
elsif path.size >= 4
|
|
218
|
-
if path[2] ==
|
|
218
|
+
if path[2] == "containers" && path.size == 4
|
|
219
219
|
if exists?(path)
|
|
220
220
|
return {}
|
|
221
221
|
else
|
|
@@ -226,40 +226,40 @@ module ChefZero
|
|
|
226
226
|
# /organizations/(*)/clients/\1-validator
|
|
227
227
|
# /organizations/*/environments/_default
|
|
228
228
|
# /organizations/*/groups/{admins,billing-admins,clients,users}
|
|
229
|
-
case path[2..-1].join(
|
|
229
|
+
case path[2..-1].join("/")
|
|
230
230
|
when "clients/#{path[1]}-validator"
|
|
231
|
-
{
|
|
231
|
+
{ "validator" => "true" }
|
|
232
232
|
|
|
233
233
|
when "clients/#{path[1]}-webui", "users/admin"
|
|
234
234
|
if osc_compat
|
|
235
|
-
{
|
|
235
|
+
{ "admin" => "true" }
|
|
236
236
|
end
|
|
237
237
|
|
|
238
238
|
when "environments/_default"
|
|
239
239
|
{ "description" => "The default Chef environment" }
|
|
240
240
|
|
|
241
241
|
when "groups/admins"
|
|
242
|
-
admins = data.list(path[0..1] + [
|
|
243
|
-
user = FFI_Yajl::Parser.parse(data.get(path[0..1] + [
|
|
244
|
-
user[
|
|
242
|
+
admins = data.list(path[0..1] + [ "users" ]).select do |name|
|
|
243
|
+
user = FFI_Yajl::Parser.parse(data.get(path[0..1] + [ "users", name ]), :create_additions => false)
|
|
244
|
+
user["admin"]
|
|
245
245
|
end
|
|
246
|
-
admins += data.list(path[0..1] + [
|
|
247
|
-
client = FFI_Yajl::Parser.parse(data.get(path[0..1] + [
|
|
248
|
-
client[
|
|
246
|
+
admins += data.list(path[0..1] + [ "clients" ]).select do |name|
|
|
247
|
+
client = FFI_Yajl::Parser.parse(data.get(path[0..1] + [ "clients", name ]), :create_additions => false)
|
|
248
|
+
client["admin"]
|
|
249
249
|
end
|
|
250
250
|
admins += @creators[path[0..1]] if @creators[path[0..1]]
|
|
251
|
-
{
|
|
251
|
+
{ "actors" => admins.uniq }
|
|
252
252
|
|
|
253
253
|
when "groups/billing-admins"
|
|
254
254
|
{}
|
|
255
255
|
|
|
256
256
|
when "groups/clients"
|
|
257
|
-
{
|
|
257
|
+
{ "clients" => data.list(path[0..1] + [ "clients" ]) }
|
|
258
258
|
|
|
259
259
|
when "groups/users"
|
|
260
|
-
users = data.list(path[0..1] + [
|
|
260
|
+
users = data.list(path[0..1] + [ "users" ])
|
|
261
261
|
users |= @creators[path[0..1]] if @creators[path[0..1]]
|
|
262
|
-
{
|
|
262
|
+
{ "users" => users }
|
|
263
263
|
|
|
264
264
|
when "org"
|
|
265
265
|
{}
|
|
@@ -273,70 +273,70 @@ module ChefZero
|
|
|
273
273
|
# The actual things containers correspond to don't have to exist, as long as the container does
|
|
274
274
|
return nil if !data_exists?(object_path)
|
|
275
275
|
basic_acl =
|
|
276
|
-
case path[3..-1].join(
|
|
277
|
-
when
|
|
276
|
+
case path[3..-1].join("/")
|
|
277
|
+
when "root", "containers/containers", "containers/groups"
|
|
278
278
|
{
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
279
|
+
"create" => { "groups" => %w{admins} },
|
|
280
|
+
"read" => { "groups" => %w{admins users} },
|
|
281
|
+
"update" => { "groups" => %w{admins} },
|
|
282
|
+
"delete" => { "groups" => %w{admins} },
|
|
283
|
+
"grant" => { "groups" => %w{admins} },
|
|
284
284
|
}
|
|
285
|
-
when
|
|
285
|
+
when "containers/environments", "containers/roles", "containers/policy_groups", "containers/policies"
|
|
286
286
|
{
|
|
287
|
-
|
|
288
|
-
|
|
289
|
-
|
|
290
|
-
|
|
291
|
-
|
|
287
|
+
"create" => { "groups" => %w{admins users} },
|
|
288
|
+
"read" => { "groups" => %w{admins users clients} },
|
|
289
|
+
"update" => { "groups" => %w{admins users} },
|
|
290
|
+
"delete" => { "groups" => %w{admins users} },
|
|
291
|
+
"grant" => { "groups" => %w{admins} },
|
|
292
292
|
}
|
|
293
|
-
when
|
|
293
|
+
when "containers/cookbooks", "containers/cookbook_artifacts", "containers/data"
|
|
294
294
|
{
|
|
295
|
-
|
|
296
|
-
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
295
|
+
"create" => { "groups" => %w{admins users clients} },
|
|
296
|
+
"read" => { "groups" => %w{admins users clients} },
|
|
297
|
+
"update" => { "groups" => %w{admins users clients} },
|
|
298
|
+
"delete" => { "groups" => %w{admins users clients} },
|
|
299
|
+
"grant" => { "groups" => %w{admins} },
|
|
300
300
|
}
|
|
301
|
-
when
|
|
301
|
+
when "containers/nodes"
|
|
302
302
|
{
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
303
|
+
"create" => { "groups" => %w{admins users clients} },
|
|
304
|
+
"read" => { "groups" => %w{admins users clients} },
|
|
305
|
+
"update" => { "groups" => %w{admins users} },
|
|
306
|
+
"delete" => { "groups" => %w{admins users} },
|
|
307
|
+
"grant" => { "groups" => %w{admins} },
|
|
308
308
|
}
|
|
309
|
-
when
|
|
309
|
+
when "containers/clients"
|
|
310
310
|
{
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
314
|
-
|
|
315
|
-
|
|
311
|
+
"create" => { "groups" => %w{admins} },
|
|
312
|
+
"read" => { "groups" => %w{admins users} },
|
|
313
|
+
"update" => { "groups" => %w{admins} },
|
|
314
|
+
"delete" => { "groups" => %w{admins users} },
|
|
315
|
+
"grant" => { "groups" => %w{admins} },
|
|
316
316
|
}
|
|
317
|
-
when
|
|
317
|
+
when "containers/sandboxes"
|
|
318
318
|
{
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
319
|
+
"create" => { "groups" => %w{admins users} },
|
|
320
|
+
"read" => { "groups" => %w{admins} },
|
|
321
|
+
"update" => { "groups" => %w{admins} },
|
|
322
|
+
"delete" => { "groups" => %w{admins} },
|
|
323
|
+
"grant" => { "groups" => %w{admins} },
|
|
324
324
|
}
|
|
325
|
-
when
|
|
325
|
+
when "groups/admins", "groups/clients", "groups/users"
|
|
326
326
|
{
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
327
|
+
"create" => { "groups" => %w{admins} },
|
|
328
|
+
"read" => { "groups" => %w{admins} },
|
|
329
|
+
"update" => { "groups" => %w{admins} },
|
|
330
|
+
"delete" => { "groups" => %w{admins} },
|
|
331
|
+
"grant" => { "groups" => %w{admins} },
|
|
332
332
|
}
|
|
333
|
-
when
|
|
333
|
+
when "groups/billing-admins"
|
|
334
334
|
{
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
335
|
+
"create" => { "groups" => %w{} },
|
|
336
|
+
"read" => { "groups" => %w{billing-admins} },
|
|
337
|
+
"update" => { "groups" => %w{billing-admins} },
|
|
338
|
+
"delete" => { "groups" => %w{} },
|
|
339
|
+
"grant" => { "groups" => %w{} },
|
|
340
340
|
}
|
|
341
341
|
else
|
|
342
342
|
{}
|
|
@@ -352,10 +352,10 @@ module ChefZero
|
|
|
352
352
|
if path
|
|
353
353
|
|
|
354
354
|
# Non-validator clients own themselves.
|
|
355
|
-
if path.size == 4 && path[0] ==
|
|
355
|
+
if path.size == 4 && path[0] == "organizations" && path[2] == "clients"
|
|
356
356
|
begin
|
|
357
357
|
client = FFI_Yajl::Parser.parse(data.get(path), :create_additions => false)
|
|
358
|
-
if !client[
|
|
358
|
+
if !client["validator"]
|
|
359
359
|
owners |= [ path[3] ]
|
|
360
360
|
end
|
|
361
361
|
rescue
|
|
@@ -367,7 +367,7 @@ module ChefZero
|
|
|
367
367
|
@creators[path].each do |creator|
|
|
368
368
|
begin
|
|
369
369
|
client = FFI_Yajl::Parser.parse(data.get(path[0..2] + [ creator ]), :create_additions => false)
|
|
370
|
-
next if client[
|
|
370
|
+
next if client["validator"]
|
|
371
371
|
rescue
|
|
372
372
|
end
|
|
373
373
|
owners |= [ creator ]
|
|
@@ -380,7 +380,7 @@ module ChefZero
|
|
|
380
380
|
#ANGRY
|
|
381
381
|
# Non-default containers do not get superusers added to them,
|
|
382
382
|
# because reasons.
|
|
383
|
-
unless path.size == 4 && path[0] ==
|
|
383
|
+
unless path.size == 4 && path[0] == "organizations" && path[2] == "containers" && !exists?(path)
|
|
384
384
|
owners += superusers
|
|
385
385
|
end
|
|
386
386
|
end
|
|
@@ -389,21 +389,21 @@ module ChefZero
|
|
|
389
389
|
owners
|
|
390
390
|
end
|
|
391
391
|
|
|
392
|
-
def default_acl(acl_path, acl={})
|
|
392
|
+
def default_acl(acl_path, acl = {})
|
|
393
393
|
owners = nil
|
|
394
394
|
container_acl = nil
|
|
395
395
|
PERMISSIONS.each do |perm|
|
|
396
396
|
acl[perm] ||= {}
|
|
397
|
-
acl[perm][
|
|
397
|
+
acl[perm]["actors"] ||= begin
|
|
398
398
|
owners ||= get_owners(acl_path)
|
|
399
399
|
end
|
|
400
|
-
acl[perm][
|
|
400
|
+
acl[perm]["groups"] ||= begin
|
|
401
401
|
# When we create containers, we don't merge groups (not sure why).
|
|
402
|
-
if acl_path[0] ==
|
|
402
|
+
if acl_path[0] == "organizations" && acl_path[3] == "containers"
|
|
403
403
|
[]
|
|
404
404
|
else
|
|
405
405
|
container_acl ||= get_container_acl(acl_path) || {}
|
|
406
|
-
(container_acl[perm] ? container_acl[perm][
|
|
406
|
+
(container_acl[perm] ? container_acl[perm]["groups"] : []) || []
|
|
407
407
|
end
|
|
408
408
|
end
|
|
409
409
|
end
|
|
@@ -432,15 +432,15 @@ module ChefZero
|
|
|
432
432
|
when 0, 1
|
|
433
433
|
return true
|
|
434
434
|
when 2
|
|
435
|
-
return path[0] ==
|
|
435
|
+
return path[0] == "organizations" || (path[0] == "acls" && path[1] != "root")
|
|
436
436
|
when 3
|
|
437
437
|
# If it has a container, it is a directory.
|
|
438
|
-
return path[0] ==
|
|
439
|
-
|
|
438
|
+
return path[0] == "organizations" &&
|
|
439
|
+
(path[2] == "acls" || data.exists?(path[0..1] + [ "containers", path[2] ]))
|
|
440
440
|
when 4
|
|
441
|
-
return path[0] ==
|
|
442
|
-
(path[2] ==
|
|
443
|
-
%w
|
|
441
|
+
return path[0] == "organizations" && (
|
|
442
|
+
(path[2] == "acls" && path[1] != "root") ||
|
|
443
|
+
%w{cookbooks cookbook_artifacts data policies policy_groups}.include?(path[2]))
|
|
444
444
|
else
|
|
445
445
|
return false
|
|
446
446
|
end
|