chef 10.28.2 → 10.30.0.rc.0

data/lib/chef/provider/directory.rb

@@ -59,8 +59,8 @@ class Chef
               # find the lowest-level directory in @new_resource.path that already exists
               # make sure we have write permissions to that directory
               is_parent_writable = lambda do |base_dir|
-                base_dir = ::File.dirname(base_dir) 
-                if ::File.exist?(base_dir) 
+                base_dir = ::File.dirname(base_dir)
+                if ::File.exist?(base_dir)
                   ::File.writable?(base_dir)
                 else
                   is_parent_writable.call(base_dir)
@@ -70,27 +70,27 @@ class Chef
             else
               # in why run mode & parent directory does not exist no permissions check is required
               # If not in why run, permissions must be valid and we rely on prior assertion that dir exists
-              if !whyrun_mode? || ::File.exist?(parent_directory) 
+              if !whyrun_mode? || ::File.exist?(parent_directory)
                 ::File.writable?(parent_directory)
               else
                 true
               end
             end
           end
-          a.failure_message(Chef::Exceptions::InsufficientPermissions, 
+          a.failure_message(Chef::Exceptions::InsufficientPermissions,
             "Cannot create #{@new_resource} at #{@new_resource.path} due to insufficient permissions")
         end
 
-        requirements.assert(:delete) do |a| 
-          a.assertion do 
+        requirements.assert(:delete) do |a|
+          a.assertion do
             if ::File.exist?(@new_resource.path)
-              ::File.directory?(@new_resource.path) && ::File.writable?(@new_resource.path) 
+              ::File.directory?(@new_resource.path) && ::File.writable?(@new_resource.path)
             else
               true
             end
           end
           a.failure_message(RuntimeError, "Cannot delete #{@new_resource} at #{@new_resource.path}!")
-          # No why-run handling here: 
+          # No why-run handling here:
           #  * if we don't have permissions, this is unlikely to be changed earlier in the run
           #  * if the target is a file (not a dir), there's no reasonable path by which this would have been changed
         end
@@ -98,14 +98,14 @@ class Chef
 
       def action_create
         unless ::File.exist?(@new_resource.path)
-          converge_by("create new directory #{@new_resource.path}") do 
+          converge_by("create new directory #{@new_resource.path}") do
             if @new_resource.recursive == true
               ::FileUtils.mkdir_p(@new_resource.path)
             else
               ::Dir.mkdir(@new_resource.path)
             end
             Chef::Log.info("#{@new_resource} created directory #{@new_resource.path}")
-          end 
+          end
         end
         set_all_access_controls
       end
@@ -123,6 +123,12 @@ class Chef
           end
         end
       end
+
+      private
+
+      def managing_content?
+        false
+      end
     end
   end
 end

data/lib/chef/provider/file.rb

@@ -48,9 +48,9 @@ class Chef
 
       def diff_current_from_content(new_content)
         result = nil
-        Tempfile.open("chef-diff") do |file| 
+        Tempfile.open("chef-diff") do |file|
           file.write new_content
-          file.close 
+          file.close
           result = diff_current file.path
         end
         result
@@ -96,12 +96,12 @@ class Chef
           # -u: Unified diff format
           result = shell_out("diff -u #{target_path} #{temp_path}" )
         rescue Exception => e
-          # Should *not* receive this, but in some circumstances it seems that 
+          # Should *not* receive this, but in some circumstances it seems that
           # an exception can be thrown even using shell_out instead of shell_out!
           return [ "Could not determine diff. Error: #{e.message}" ]
         end
 
-        # diff will set a non-zero return code even when there's 
+        # diff will set a non-zero return code even when there's
         # valid stdout results, if it encounters something unexpected
         # So as long as we have output, we'll show it.
         if not result.stdout.empty?
@@ -118,7 +118,7 @@ class Chef
         else
           [ "(no diff)" ]
         end
-      end 
+      end
 
       def whyrun_supported?
         true
@@ -132,14 +132,14 @@ class Chef
         @current_resource.path(@new_resource.path)
         if !::File.directory?(@new_resource.path)
           if ::File.exist?(@new_resource.path)
-            if @action != :create_if_missing  
+            if managing_content?
               @current_resource.checksum(checksum(@new_resource.path))
             end
           end
         end
         load_current_resource_attrs
         setup_acl
-        
+
         @current_resource
       end
 
@@ -159,7 +159,7 @@ class Chef
 
           if @new_resource.group.nil?
             @new_resource.group(@current_resource.group)
-          end 
+          end
           if @new_resource.owner.nil?
             @new_resource.owner(@current_resource.owner)
           end
@@ -168,7 +168,7 @@ class Chef
           end
         end
       end
-      
+
       def setup_acl
         @acl_scanner = ScanAccessControl.new(@new_resource, @current_resource)
         @acl_scanner.set_all!
@@ -191,7 +191,7 @@ class Chef
         # Make sure the file is deletable if it exists. Otherwise, fail.
         requirements.assert(:delete) do |a|
           a.assertion do
-            if ::File.exists?(@new_resource.path) 
+            if ::File.exists?(@new_resource.path)
               ::File.writable?(@new_resource.path)
             else
               true
@@ -211,7 +211,7 @@ class Chef
         unless compare_content
           description = []
           description << "update content in file #{@new_resource.path} from #{short_cksum(@current_resource.checksum)} to #{short_cksum(new_resource_content_checksum)}"
-          description << diff_current_from_content(@new_resource.content) 
+          description << diff_current_from_content(@new_resource.content)
           converge_by(description) do
             backup @new_resource.path if ::File.exists?(@new_resource.path)
             ::File.open(@new_resource.path, "w") {|f| f.write @new_resource.content }
@@ -221,10 +221,10 @@ class Chef
       end
 
       # if you are using a tempfile before creating, you must
-      # override the default with the tempfile, since the 
+      # override the default with the tempfile, since the
       # file at @new_resource.path will not be updated on converge
       def update_new_file_state(path=@new_resource.path)
-        if !::File.directory?(path) 
+        if !::File.directory?(path)
           @new_resource.checksum(checksum(path))
         end
 
@@ -247,8 +247,8 @@ class Chef
           desc = "create new file #{@new_resource.path}"
           desc << " with content checksum #{short_cksum(new_resource_content_checksum)}" if new_resource.content
           description << desc
-          description << diff_current_from_content(@new_resource.content) 
-          
+          description << diff_current_from_content(@new_resource.content)
+
           converge_by(description) do
             Chef::Log.info("entered create")
             ::File.open(@new_resource.path, "w+") {|f| f.write @new_resource.content }
@@ -264,7 +264,7 @@ class Chef
 
       def set_all_access_controls
         if access_controls.requires_changes?
-          converge_by(access_controls.describe_changes) do 
+          converge_by(access_controls.describe_changes) do
             access_controls.set_all
             #Update file state with new access values
             update_new_file_state
@@ -282,7 +282,7 @@ class Chef
 
       def action_delete
         if ::File.exists?(@new_resource.path)
-          converge_by("delete file #{@new_resource.path}") do 
+          converge_by("delete file #{@new_resource.path}") do
             backup unless ::File.symlink?(@new_resource.path)
             ::File.delete(@new_resource.path)
             Chef::Log.info("#{@new_resource} deleted file at #{@new_resource.path}")
@@ -342,6 +342,12 @@ class Chef
 
       private
 
+      def managing_content?
+        return true if @new_resource.checksum
+        return true if !@new_resource.content.nil? && @action != :create_if_missing
+        false
+      end
+
       def short_cksum(checksum)
         return "none" if checksum.nil?
         checksum.slice(0,6)

data/lib/chef/provider/group.rb

@@ -6,9 +6,9 @@
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
-# 
+#
 #     http://www.apache.org/licenses/LICENSE-2.0
-# 
+#
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -36,11 +36,11 @@ class Chef
         super
         @group_exists = true
       end
-      
+
       def load_current_resource
         @current_resource = Chef::Resource::Group.new(@new_resource.name)
         @current_resource.group_name(@new_resource.group_name)
-        
+
         group_info = nil
         begin
           group_info = Etc.getgrnam(@new_resource.group_name)
@@ -48,37 +48,47 @@ class Chef
           @group_exists = false
           Chef::Log.debug("#{@new_resource} group does not exist")
         end
-        
+
         if group_info
           @new_resource.gid(group_info.gid) unless @new_resource.gid
           @current_resource.gid(group_info.gid)
           @current_resource.members(group_info.mem)
         end
-        
+
         @current_resource
       end
 
       def define_resource_requirements
-        requirements.assert(:modify) do |a| 
-          a.assertion { @group_exists } 
+        requirements.assert(:modify) do |a|
+          a.assertion { @group_exists }
           a.failure_message(Chef::Exceptions::Group, "Cannot modify #{@new_resource} - group does not exist!")
           a.whyrun("Group #{@new_resource} does not exist. Unless it would have been created earlier in this run, this attempt to modify it would fail.")
         end
+
+        requirements.assert(:all_actions) do |a|
+          # Make sure that the resource doesn't contain any common
+          # user names in the members and exclude_members properties.
+          if !@new_resource.members.nil? && !@new_resource.excluded_members.nil?
+            common_members = @new_resource.members & @new_resource.excluded_members
+            a.assertion { common_members.empty? }
+            a.failure_message(Chef::Exceptions::ConflictingMembersInGroup, "Attempting to both add and remove users from a group: '#{common_members.join(', ')}'")
+            # No why-run alternative
+          end
+        end
       end
-      
-      # Check to see if a group needs any changes. Populate 
-      # @change_desc with a description of why a change must occur 
+
+      # Check to see if a group needs any changes. Populate
+      # @change_desc with a description of why a change must occur
       #
       # ==== Returns
       # <true>:: If a change is required
       # <false>:: If a change is not required
       def compare_group
-        @change_desc = nil
+        @change_desc = [ ]
         if @new_resource.gid != @current_resource.gid
-          @change_desc = "change gid #{@current_resource.gid} to #{@new_resource.gid}"
-          return true
+          @change_desc << "change gid #{@current_resource.gid} to #{@new_resource.gid}"
         end
-        
+
         if(@new_resource.append)
           missing_members = []
           @new_resource.members.each do |member|
@@ -86,35 +96,44 @@ class Chef
             missing_members << member
           end
           if missing_members.length > 0
-            @change_desc = "add missing member(s): #{missing_members.join(", ")}"
-            return true
+            @change_desc << "add missing member(s): #{missing_members.join(", ")}"
+          end
+
+          members_to_be_removed = []
+          @new_resource.excluded_members.each do |member|
+            if @current_resource.members.include?(member)
+              members_to_be_removed << member
+            end
+          end
+          if members_to_be_removed.length > 0
+            @change_desc << "remove existing member(s): #{members_to_be_removed.join(", ")}"
           end
         else
           if @new_resource.members != @current_resource.members
-            @change_desc = "replace group members with new list of members"
-            return true
+            @change_desc << "replace group members with new list of members"
           end
         end
-        return false
+
+        !@change_desc.empty?
       end
-      
+
       def action_create
         case @group_exists
         when false
-          converge_by("create #{@new_resource}") do 
+          converge_by("create #{@new_resource}") do
             create_group
             Chef::Log.info("#{@new_resource} created")
           end
-        else 
+        else
           if compare_group
-            converge_by(["alter group #{@new_resource}", @change_desc ]) do 
+            converge_by(["alter group #{@new_resource}"] + change_desc) do
               manage_group
               Chef::Log.info("#{@new_resource} altered")
             end
           end
         end
       end
-      
+
       def action_remove
         if @group_exists
           converge_by("remove group #{@new_resource}") do
@@ -123,25 +142,25 @@ class Chef
           end
         end
       end
-      
+
       def action_manage
         if @group_exists && compare_group
-          converge_by(["manage group #{@new_resource}", @change_desc]) do
-            manage_group 
+          converge_by(["manage group #{@new_resource}"] + change_desc) do
+            manage_group
             Chef::Log.info("#{@new_resource} managed")
           end
         end
       end
-      
+
       def action_modify
         if compare_group
-          converge_by(["modify group #{@new_resource}", @change_desc]) do
+          converge_by(["modify group #{@new_resource}"] + change_desc) do
             manage_group
             Chef::Log.info("#{@new_resource} modified")
           end
         end
       end
-      
+
       def create_group
         raise NotImplementedError, "subclasses of Chef::Provider::Group should define #create_group"
       end

data/lib/chef/provider/group/dscl.rb

@@ -73,14 +73,36 @@ class Chef
         end
 
         def set_members
+          # First reset the memberships if the append is not set
           unless @new_resource.append
             Chef::Log.debug("#{@new_resource} removing group members #{@current_resource.members.join(' ')}") unless @current_resource.members.empty?
             safe_dscl("create /Groups/#{@new_resource.group_name} GroupMembers ''") # clear guid list
             safe_dscl("create /Groups/#{@new_resource.group_name} GroupMembership ''") # clear user list
+            @current_resource.members([ ])
           end
-          unless @new_resource.members.empty?
-            Chef::Log.debug("#{@new_resource} setting group members #{@new_resource.members.join(', ')}")
-            safe_dscl("append /Groups/#{@new_resource.group_name} GroupMembership #{@new_resource.members.join(' ')}")
+
+          # Add any members that need to be added
+          if @new_resource.members && !@new_resource.members.empty?
+            members_to_be_added = [ ]
+            @new_resource.members.each do |member|
+              members_to_be_added << member if !@current_resource.members.include?(member)
+            end
+            unless members_to_be_added.empty?
+              Chef::Log.debug("#{@new_resource} setting group members #{members_to_be_added.join(', ')}")
+              safe_dscl("append /Groups/#{@new_resource.group_name} GroupMembership #{members_to_be_added.join(' ')}")
+            end
+          end
+
+          # Remove any members that need to be removed
+          if @new_resource.excluded_members && !@new_resource.excluded_members.empty?
+            members_to_be_removed = [ ]
+            @new_resource.excluded_members.each do |member|
+              members_to_be_removed << member if @current_resource.members.include?(member)
+            end
+            unless members_to_be_removed.empty?
+              Chef::Log.debug("#{@new_resource} removing group members #{members_to_be_removed.join(', ')}")
+              safe_dscl("delete /Groups/#{@new_resource.group_name} GroupMembership #{members_to_be_removed.join(' ')}")
+            end
           end
         end
 
@@ -110,7 +132,7 @@ class Chef
           if @new_resource.gid && (@current_resource.gid != @new_resource.gid)
             set_gid
           end
-          if @new_resource.members && (@current_resource.members != @new_resource.members)
+          if @new_resource.members || @new_resource.excluded_members
             set_members
           end
         end

data/lib/chef/provider/group/gpasswd.rb

@@ -39,25 +39,20 @@ class Chef
           end
         end
 
-        def modify_group_members
-            if(@new_resource.append)
-              unless @new_resource.members.empty?
-                @new_resource.members.each do |member|
-                  Chef::Log.debug("#{@new_resource} appending member #{member} to group #{@new_resource.group_name}")
-                  shell_out!("gpasswd -a #{member} #{@new_resource.group_name}")
-                end
-              else
-                Chef::Log.debug("#{@new_resource} not changing group members, the group has no members to add")
-              end
-            else
-              unless @new_resource.members.empty?
-                Chef::Log.debug("#{@new_resource} setting group members to #{@new_resource.members.join(', ')}")
-                shell_out!("gpasswd -M #{@new_resource.members.join(',')} #{@new_resource.group_name}")
-              else
-                Chef::Log.debug("#{@new_resource} setting group members to: none")
-                shell_out!("gpasswd -M \"\" #{@new_resource.group_name}")
-              end
-            end
+        def set_members(members)
+          unless members.empty?
+            shell_out!("gpasswd -M #{members.join(',')} #{@new_resource.group_name}")
+          else
+            shell_out!("gpasswd -M \"\" #{@new_resource.group_name}")
+          end
+        end
+
+        def add_member(member)
+          shell_out!("gpasswd -a #{member} #{@new_resource.group_name}")
+        end
+
+        def remove_member(member)
+          shell_out!("gpasswd -d #{member} #{@new_resource.group_name}")
         end
       end
     end