chef 0.10.8 → 0.10.10.beta.1

data/lib/chef/cookbook/metadata.rb

@@ -91,7 +91,7 @@ class Chef
       #
       # === Returns
       # metadata<Chef::Cookbook::Metadata>
-      def initialize(cookbook=nil, maintainer='Your Name', maintainer_email='youremail@example.com', license='Apache v2.0')
+      def initialize(cookbook=nil, maintainer='YOUR_COMPANY_NAME', maintainer_email='YOUR_EMAIL', license='none')
         @cookbook = cookbook
         @name = cookbook ? cookbook.name : ""
         @long_description = ""

data/lib/chef/cookbook/syntax_check.rb

@@ -112,7 +112,7 @@ class Chef
         result = shell_out("erubis -x #{erb_file} | ruby -c")
         result.error!
         true
-      rescue Chef::Exceptions::ShellCommandFailed
+      rescue Mixlib::ShellOut::ShellCommandFailed
         file_relative_path = erb_file[/^#{Regexp.escape(cookbook_path+File::Separator)}(.*)/, 1]
         Chef::Log.fatal("Erb template #{file_relative_path} has a syntax error:")
         result.stderr.each_line { |l| Chef::Log.fatal(l.chomp) }
@@ -124,7 +124,7 @@ class Chef
         result = shell_out("ruby -c #{ruby_file}")
         result.error!
         true
-      rescue Chef::Exceptions::ShellCommandFailed
+      rescue Mixlib::ShellOut::ShellCommandFailed
         file_relative_path = ruby_file[/^#{Regexp.escape(cookbook_path+File::Separator)}(.*)/, 1]
         Chef::Log.fatal("Cookbook file #{file_relative_path} has a ruby syntax error:")
         result.stderr.each_line { |l| Chef::Log.fatal(l.chomp) }

data/lib/chef/cookbook_version.rb

@@ -875,10 +875,15 @@ class Chef
       chef_server_rest.get_rest("cookbooks/#{name}/#{version}")
     end
 
+    # The API returns only a single version of each cookbook in the result from the cookbooks method
     def self.list
       chef_server_rest.get_rest('cookbooks')
     end
 
+    def self.list_all_versions
+      chef_server_rest.get_rest('cookbooks?num_versions=all')
+    end
+
     ##
     # Given a +cookbook_name+, get a list of all versions that exist on the
     # server.

data/lib/chef/daemon.rb

@@ -40,7 +40,7 @@ class Chef
             exit if fork
             Process.setsid
             exit if fork
-            Chef::Log.info("Forked, in #{Process.pid}. Priveleges: #{Process.euid} #{Process.egid}")
+            Chef::Log.info("Forked, in #{Process.pid}. Privileges: #{Process.euid} #{Process.egid}")
             File.umask Chef::Config[:umask]
             $stdin.reopen("/dev/null")
             $stdout.reopen("/dev/null", "a")

data/lib/chef/exceptions.rb

@@ -49,6 +49,7 @@ class Chef
     class ConfigurationError < ArgumentError; end
     class RedirectLimitExceeded < RuntimeError; end
     class AmbiguousRunlistSpecification < ArgumentError; end
+    class CookbookFrozen < ArgumentError; end
     class CookbookNotFound < RuntimeError; end
     # Cookbook loader used to raise an argument error when cookbook not found.
     # for back compat, need to raise an error that inherits from ArgumentError
@@ -56,7 +57,6 @@ class Chef
     class AttributeNotFound < RuntimeError; end
     class InvalidCommandOption < RuntimeError; end
     class CommandTimeout < RuntimeError; end
-    class ShellCommandFailed < RuntimeError; end
     class RequestedUIDUnavailable < RuntimeError; end
     class InvalidHomeDirectory < ArgumentError; end
     class DsclCommandFailed < RuntimeError; end
@@ -74,6 +74,8 @@ class Chef
     class InvalidDataBagItemID < ArgumentError; end
     class InvalidDataBagName < ArgumentError; end
     class EnclosingDirectoryDoesNotExist < ArgumentError; end
+    # Errors originating from calls to the Win32 API
+    class Win32APIError < RuntimeError; end
 
     class ObsoleteDependencySyntax < ArgumentError; end
     class InvalidDataBagPath < ArgumentError; end
@@ -89,6 +91,10 @@ class Chef
     # match OP VERSION. ArgumentError?
     class InvalidVersionConstraint < ArgumentError; end
 
+    # Backcompat with Chef::ShellOut code:
+    require 'mixlib/shellout/exceptions'
+    class ShellCommandFailed < Mixlib::ShellOut::ShellCommandFailed; end
+
     class CookbookVersionSelection
 
       # Compound exception: In run_list expansion and resolution,

data/lib/chef/file_access_control.rb

@@ -25,13 +25,18 @@ class Chef
   # FileAccessControl objects set the owner, group and mode of +file+ to
   # the values specified by a value object, usually a Chef::Resource.
   class FileAccessControl
-    UINT = (1 << 32)
-    UID_MAX = (1 << 32) - 10
-  
+
+    if RUBY_PLATFORM =~ /mswin|mingw|windows/
+      require 'chef/file_access_control/windows'
+      include FileAccessControl::Windows
+    else
+      require 'chef/file_access_control/unix'
+      include FileAccessControl::Unix
+    end
+
     attr_reader :resource
-  
     attr_reader :file
-  
+
     # FileAccessControl objects set the owner, group and mode of +file+ to
     # the values specified by +resource+. +file+ is completely independent
     # of any file or path attribute on +resource+, so it is possible to set
@@ -46,92 +51,13 @@ class Chef
       @resource, @file = resource, file
       @modified = false
     end
-  
+
     def modified?
       @modified
     end
-  
-    def set_all
-      set_owner
-      set_group
-      set_mode
-    end
-  
-    # Workaround the fact that Ruby's Etc module doesn't believe in negative
-    # uids, so negative uids show up as the diminished radix complement of
-    # a uint. For example, a uid of -2 is reported as 4294967294
-    def diminished_radix_complement(int)
-      if int > UID_MAX
-        int - UINT
-      else
-        int
-      end
-    end
-  
-    def target_uid
-      return nil if resource.owner.nil?
-      if resource.owner.kind_of?(String)
-        diminished_radix_complement( Etc.getpwnam(resource.owner).uid )
-      elsif resource.owner.kind_of?(Integer)
-        resource.owner
-      else
-        Chef::Log.error("The `owner` parameter of the #@resource resource is set to an invalid value (#{resource.owner.inspect})")
-        raise ArgumentError, "cannot resolve #{resource.owner.inspect} to uid, owner must be a string or integer"
-      end
-    rescue ArgumentError
-      raise Chef::Exceptions::UserIDNotFound, "cannot determine user id for '#{resource.owner}', does the user exist on this system?"
-    end
-  
-    def set_owner
-      if (uid = target_uid) && (uid != stat.uid)
-        File.chown(uid, nil, file)
-        Chef::Log.info("#{log_string} owner changed to #{uid}")
-        modified
-      end
-    end
-  
-    def target_gid
-      return nil if resource.group.nil?
-      if resource.group.kind_of?(String)
-        diminished_radix_complement( Etc.getgrnam(resource.group).gid )
-      elsif resource.group.kind_of?(Integer)
-        resource.group
-      else
-        Chef::Log.error("The `group` parameter of the #@resource resource is set to an invalid value (#{resource.owner.inspect})")
-        raise ArgumentError, "cannot resolve #{resource.group.inspect} to gid, group must be a string or integer"
-      end
-    rescue ArgumentError
-      raise Chef::Exceptions::GroupIDNotFound, "cannot determine group id for '#{resource.group}', does the group exist on this system?"
-    end
-  
-    def set_group
-      if (gid = target_gid) && (gid != stat.gid)
-        File.chown(nil, gid, file)
-        Chef::Log.info("#{log_string} group changed to #{gid}")
-        modified
-      end
-    end
 
-    def target_mode
-      return nil if resource.mode.nil?
-      (resource.mode.respond_to?(:oct) ? resource.mode.oct : resource.mode.to_i) & 007777
-    end
-
-    def set_mode
-      if (mode = target_mode) && (mode != (stat.mode & 007777))
-        File.chmod(target_mode, file)
-        Chef::Log.info("#{log_string} mode changed to #{mode.to_s(8)}")
-        modified
-      end
-    end
-  
-
-    def stat
-      @stat ||= ::File.stat(file)
-    end
-  
     private
-  
+
     def modified
       @modified = true
     end
@@ -139,6 +65,6 @@ class Chef
     def log_string
       @resource || @file
     end
-  
+
   end
 end

data/lib/chef/file_access_control/unix.rb

@@ -0,0 +1,119 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Daniel DeLeo (<dan@opscode.com>)
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Copyright:: Copyright (c) 2008-2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/log'
+
+class Chef
+  class FileAccessControl
+    module Unix
+      UINT = (1 << 32)
+      UID_MAX = (1 << 32) - 10
+
+      def set_all
+        set_owner
+        set_group
+        set_mode unless resource.instance_of?(Chef::Resource::Link)
+      end
+
+      # Workaround the fact that Ruby's Etc module doesn't believe in negative
+      # uids, so negative uids show up as the diminished radix complement of
+      # a uint. For example, a uid of -2 is reported as 4294967294
+      def diminished_radix_complement(int)
+        if int > UID_MAX
+          int - UINT
+        else
+          int
+        end
+      end
+
+      def target_uid
+        return nil if resource.owner.nil?
+        if resource.owner.kind_of?(String)
+          diminished_radix_complement( Etc.getpwnam(resource.owner).uid )
+        elsif resource.owner.kind_of?(Integer)
+          resource.owner
+        else
+          Chef::Log.error("The `owner` parameter of the #@resource resource is set to an invalid value (#{resource.owner.inspect})")
+          raise ArgumentError, "cannot resolve #{resource.owner.inspect} to uid, owner must be a string or integer"
+        end
+      rescue ArgumentError
+        raise Chef::Exceptions::UserIDNotFound, "cannot determine user id for '#{resource.owner}', does the user exist on this system?"
+      end
+
+      def set_owner
+        if (uid = target_uid) && (uid != stat.uid)
+          chown(uid, nil, file)
+          Chef::Log.info("#{log_string} owner changed to #{uid}")
+          modified
+        end
+      end
+
+      def target_gid
+        return nil if resource.group.nil?
+        if resource.group.kind_of?(String)
+          diminished_radix_complement( Etc.getgrnam(resource.group).gid )
+        elsif resource.group.kind_of?(Integer)
+          resource.group
+        else
+          Chef::Log.error("The `group` parameter of the #@resource resource is set to an invalid value (#{resource.owner.inspect})")
+          raise ArgumentError, "cannot resolve #{resource.group.inspect} to gid, group must be a string or integer"
+        end
+      rescue ArgumentError
+        raise Chef::Exceptions::GroupIDNotFound, "cannot determine group id for '#{resource.group}', does the group exist on this system?"
+      end
+
+      def set_group
+        if (gid = target_gid) && (gid != stat.gid)
+          chown(nil, gid, file)
+          Chef::Log.info("#{log_string} group changed to #{gid}")
+          modified
+        end
+      end
+
+      # TODO rename this to a more generic target_permissions
+      def target_mode
+        return nil if resource.mode.nil?
+        (resource.mode.respond_to?(:oct) ? resource.mode.oct : resource.mode.to_i) & 007777
+      end
+
+      # TODO rename this to a more generic set_permissions
+      def set_mode
+        if (mode = target_mode) && (mode != (stat.mode & 007777))
+          File.chmod(target_mode, file)
+          Chef::Log.info("#{log_string} mode changed to #{mode.to_s(8)}")
+          modified
+        end
+      end
+
+      def stat
+        @stat ||= ::File.stat(file)
+      end
+
+      private
+      def chown(uid, gid, file)
+        if resource.instance_of?(Chef::Resource::Link)
+          File.lchown(uid, gid, file)
+        else
+          File.chown(uid, gid, file)
+        end
+      end
+    end
+  end
+end

data/lib/chef/file_access_control/windows.rb

@@ -0,0 +1,257 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Author:: Seth Chisamore (<schisamo@opscode.com>)
+# Copyright:: Copyright 2011 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/win32/security'
+
+class Chef
+  class FileAccessControl
+    module Windows
+      include Chef::Win32::API::Security
+
+      Security = Chef::Win32::Security
+      ACL = Security::ACL
+      ACE = Security::ACE
+      SID = Security::SID
+
+      def set_all
+        set_owner
+        set_group
+        set_dacl
+      end
+
+      private
+
+      # Compare the actual ACL on a resource with the ACL we want.  This
+      # ignores explicit ACLs on the target, and does mask prediction (if you
+      # set GENERIC_WRITE, Windows will flip on a whole bunch of other rights
+      # on the file when you save the ACL)
+      def acls_equal(target_acl, actual_acl)
+        if actual_acl.nil?
+          return target_acl.nil?
+        end
+
+        actual_acl = actual_acl.select { |ace| !ace.inherited? }
+        # When ACLs apply to children, Windows splits them on the file system into two ACLs:
+        # one specific applying to this container, and one generic applying to children.
+        new_target_acl = []
+        target_acl.each do |target_ace|
+          if target_ace.flags & INHERIT_ONLY_ACE == 0
+            self_ace = target_ace.dup
+            self_ace.flags = 0
+            self_ace.mask = securable_object.predict_rights_mask(target_ace.mask)
+            new_target_acl << self_ace
+          end
+          if target_ace.flags & (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE) != 0
+            children_ace = target_ace.dup
+            children_ace.flags |= INHERIT_ONLY_ACE
+            new_target_acl << children_ace
+          end
+        end
+        return actual_acl == new_target_acl
+      end
+
+      def existing_descriptor
+        securable_object.security_descriptor
+      end
+
+      def get_sid(value)
+        if value.kind_of?(String)
+          SID.from_account(value)
+        elsif value.kind_of?(SID)
+          value
+        else
+          raise "Must specify username, group or SID: #{value}"
+        end
+      end
+
+      def securable_object
+        @securable_object ||= begin
+          if file.kind_of?(String)
+            so = Chef::Win32::Security::SecurableObject.new(file.dup)
+          end
+          raise ArgumentError, "'file' must be a valid path or object of type 'Chef::Win32::Security::SecurableObject'" unless so.kind_of? Chef::Win32::Security::SecurableObject
+          so
+        end
+      end
+
+      def set_dacl
+        dacl = target_dacl
+        existing_dacl = existing_descriptor.dacl
+        inherits = target_inherits
+        if ! inherits.nil? && inherits != existing_descriptor.dacl_inherits?
+          # We have to set DACL along with inherits.  If rights were not
+          # specified, we need to change only inherited ACLs and leave
+          # explicit ACLs alone.
+          if dacl.nil? && !existing_dacl.nil?
+            dacl = ACL.create(existing_dacl.select { |ace| !ace.inherited? })
+          end
+          securable_object.set_dacl(dacl, inherits)
+          Chef::Log.info("#{log_string} permissions changed to #{dacl} with inherits of #{inherits}")
+          modified
+        elsif dacl && !acls_equal(dacl, existing_dacl)
+          securable_object.dacl = dacl
+          Chef::Log.info("#{log_string} permissions changed to #{dacl}")
+          modified
+        end
+      end
+
+      def set_group
+        if (group = target_group) && (group != existing_descriptor.group)
+          Chef::Log.info("#{log_string} group changed to #{group}")
+          securable_object.group = group
+          modified
+        end
+      end
+
+      def set_owner
+        if (owner = target_owner) && (owner != existing_descriptor.owner)
+          Chef::Log.info("#{log_string} owner changed to #{owner}")
+          securable_object.owner = owner
+          modified
+        end
+      end
+
+      def mode_ace(sid, mode)
+        mask = 0
+        mask |= GENERIC_READ if mode & 4 != 0
+        mask |= (GENERIC_WRITE | DELETE) if mode & 2 != 0
+        mask |= GENERIC_EXECUTE if mode & 1 != 0
+        return [] if mask == 0
+        [ ACE.access_allowed(sid, mask) ]
+      end
+
+      def calculate_mask(permissions)
+        mask = 0
+        [ permissions ].flatten.each do |permission|
+          case permission
+          when :full_control
+            mask |= GENERIC_ALL
+          when :modify
+            mask |= GENERIC_WRITE | GENERIC_READ | GENERIC_EXECUTE | DELETE
+          when :read
+            mask |= GENERIC_READ
+          when :read_execute
+            mask |= GENERIC_READ | GENERIC_EXECUTE
+          when :write
+            mask |= GENERIC_WRITE
+          else
+            # Otherwise, assume it's an integer specifying the actual flags
+            mask |= permission
+          end
+        end
+        mask
+      end
+
+      def calculate_flags(rights)
+        # Handle inheritance flags
+        flags = 0
+        case rights[:applies_to_children]
+        when :containers_only
+          flags |= CONTAINER_INHERIT_ACE
+        when :objects_only
+          flags |= OBJECT_INHERIT_ACE
+        when true
+          flags |= CONTAINER_INHERIT_ACE
+          flags |= OBJECT_INHERIT_ACE
+        when nil
+          flags |= CONTAINER_INHERIT_ACE
+          flags |= OBJECT_INHERIT_ACE
+        end
+
+        if rights[:applies_to_self] == false
+          flags |= INHERIT_ONLY_ACE
+        end
+
+        if rights[:one_level_deep]
+          flags |= NO_PROPAGATE_INHERIT_ACE
+        end
+        flags
+      end
+
+      def target_dacl
+        return nil if resource.rights.nil? && resource.deny_rights.nil? && resource.mode.nil?
+        acls = nil
+
+        if !resource.deny_rights.nil?
+          acls = [] if acls.nil?
+
+          resource.deny_rights.each do |rights|
+            mask = calculate_mask(rights[:permissions])
+            [ rights[:principals] ].flatten.each do |principal|
+              sid = get_sid(principal)
+              flags = calculate_flags(rights)
+              acls.push ACE.access_denied(sid, mask, flags)
+            end
+          end
+        end
+
+        if !resource.rights.nil?
+          acls = [] if acls.nil?
+
+          resource.rights.each do |rights|
+            mask = calculate_mask(rights[:permissions])
+            [ rights[:principals] ].flatten.each do |principal|
+              sid = get_sid(principal)
+              flags = calculate_flags(rights)
+              acls.push ACE.access_allowed(sid, mask, flags)
+            end
+          end
+        end
+
+        if !resource.mode.nil?
+          acls = [] if acls.nil?
+
+          mode = (resource.mode.respond_to?(:oct) ? resource.mode.oct : resource.mode.to_i) & 0777
+
+          owner = target_owner
+          if owner
+            acls += mode_ace(owner, (mode & 0700) >> 6)
+          elsif mode & 0700 != 0
+            raise "Mode #{mode.to_s(8)} includes bits for the owner, but owner is not specified"
+          end
+
+          group = target_group
+          if group
+            acls += mode_ace(group, (mode & 070) >> 3)
+          elsif mode & 070 != 0
+            raise "Mode #{mode.to_s(8)} includes bits for the group, but group is not specified"
+          end
+
+          acls += mode_ace(SID.Everyone, (mode & 07))
+        end
+
+        acls.nil? ? nil : Chef::Win32::Security::ACL.create(acls)
+      end
+
+      def target_group
+        return nil if resource.group.nil?
+        sid = get_sid(resource.group)
+      end
+
+      def target_inherits
+        resource.inherits
+      end
+
+      def target_owner
+        return nil if resource.owner.nil?
+        sid = get_sid(resource.owner)
+      end
+    end
+  end
+end