chef 11.10.0.alpha.1 → 11.10.0.rc.0

data/lib/chef/knife/ssh.rb

@@ -64,10 +64,14 @@ class Chef
         :long => "--ssh-user USERNAME",
         :description => "The ssh username"
 
-      option :ssh_password,
-        :short => "-P PASSWORD",
-        :long => "--ssh-password PASSWORD",
-        :description => "The ssh password"
+      option :ssh_password_ng,
+        :short => "-P [PASSWORD]",
+        :long => "--ssh-password [PASSWORD]",
+        :description => "The ssh password - will prompt if flag is specified but no password is given",
+        # default to a value that can not be a password (boolean)
+        # so we can effectively test if this parameter was specified
+        # without a vlaue
+        :default => false
 
       option :ssh_port,
         :short => "-p PORT",
@@ -432,6 +436,31 @@ class Chef
                              Chef::Config[:knife][:ssh_user])
       end
 
+      # This is a bit overly complicated because of the way we want knife ssh to work with -P causing a password prompt for
+      # the user, but we have to be conscious that this code gets included in knife bootstrap and knife * server create as
+      # well.  We want to change the semantics so that the default is false and 'nil' means -P without an argument on the
+      # command line.  But the other utilities expect nil to be the default and we can't prompt in that case. So we effectively
+      # use ssh_password_ng to determine if we're coming from knife ssh or from the other utilities.  The other utilties can
+      # also be patched to use ssh_password_ng easily as long they follow the convention that the default is false.
+      def configure_password
+        if config.has_key?(:ssh_password_ng) && config[:ssh_password_ng].nil?
+          # If the parameter is called on the command line with no value
+          # it will set :ssh_password_ng = nil
+          # This is where we want to trigger a prompt for password
+          config[:ssh_password] = get_password
+        else
+          # if ssh_password_ng is false then it has not been set at all, and we may be in knife ec2 and still
+          # using an old config[:ssh_password].  this is backwards compatibility.  all knife cloud plugins should
+          # be updated to use ssh_password_ng with a default of false and ssh_password should be retired, (but
+          # we'll still need to use the ssh_password out of knife.rb if we find that).
+          ssh_password = config.has_key?(:ssh_password_ng) ? config[:ssh_password_ng] : config[:ssh_password]
+          # Otherwise, the password has either been specified on the command line,
+          # in knife.rb, or key based auth will be attempted
+          config[:ssh_password] = get_stripped_unfrozen_value(ssh_password ||
+                             Chef::Config[:knife][:ssh_password])
+        end
+      end
+
       def configure_identity_file
         config[:identity_file] = get_stripped_unfrozen_value(config[:identity_file] ||
                              Chef::Config[:knife][:ssh_identity_file])
@@ -448,6 +477,7 @@ class Chef
 
         configure_attribute
         configure_user
+        configure_password
         configure_identity_file
         configure_gateway
         configure_session

data/lib/chef/mixin/path_sanity.rb

@@ -22,6 +22,7 @@ class Chef
 
       def enforce_path_sanity(env=ENV)
         if Chef::Config[:enforce_path_sanity]
+          env["PATH"] = "" if env["PATH"].nil?
           path_separator = Chef::Platform.windows? ? ';' : ':'
           existing_paths = env["PATH"].split(path_separator)
           # ensure the Ruby and Gem bindirs are included

data/lib/chef/monologger.rb

@@ -48,9 +48,9 @@ class MonoLogger < Logger
         @dev = log
       else
         @dev = open_logfile(log)
-        @dev.sync = true
         @filename = log
       end
+      @dev.sync = true
     end
 
     def write(message)
@@ -75,7 +75,6 @@ class MonoLogger < Logger
 
     def create_logfile(filename)
       logdev = open(filename, (File::WRONLY | File::APPEND | File::CREAT))
-      logdev.sync = true
       add_log_header(logdev)
       logdev
     end

data/lib/chef/node.rb

@@ -247,6 +247,13 @@ class Chef
       run_list.include?(recipe_name) || Array(self[:recipes]).include?(recipe_name)
     end
 
+    # used by include_recipe to add recipes to the expanded run_list to be
+    # saved back to the node and be searchable
+    def loaded_recipe(cookbook, recipe)
+      fully_qualified_recipe = "#{cookbook}::#{recipe}"
+      automatic_attrs[:recipes] << fully_qualified_recipe unless Array(self[:recipes]).include?(fully_qualified_recipe)
+    end
+
     # Returns true if this Node expects a given role, false if not.
     def role?(role_name)
       run_list.include?("role[#{role_name}]")

data/lib/chef/policy_builder.rb

@@ -0,0 +1,49 @@
+#
+# Author:: Daniel DeLeo (<dan@getchef.com>)
+# Copyright:: Copyright 2008-2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/policy_builder/expand_node_object'
+require 'chef/policy_builder/policyfile'
+
+class Chef
+
+  # PolicyBuilder contains classes that handles fetching policy from server or
+  # disk and resolving any indirection (e.g. expanding run_list).
+  #
+  # INPUTS
+  # * event stream object
+  # * node object/run_list
+  # * json_attribs
+  # * override_runlist
+  #
+  # OUTPUTS
+  # * mutated node object (implicit)
+  # * a new RunStatus (probably doesn't need to be here)
+  # * cookbooks sync'd to disk
+  # * cookbook_hash is stored in run_context
+  module PolicyBuilder
+
+    def self.strategy
+      if Chef::Config[:use_policyfile]
+        Policyfile
+      else
+        ExpandNodeObject
+      end
+    end
+
+  end
+end

data/lib/chef/policy_builder/expand_node_object.rb

@@ -0,0 +1,230 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Tim Hinderliter (<tim@opscode.com>)
+# Author:: Christopher Walters (<cw@opscode.com>)
+# Author:: Daniel DeLeo (<dan@getchef.com>)
+# Copyright:: Copyright 2008-2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/log'
+require 'chef/rest'
+require 'chef/run_context'
+require 'chef/config'
+require 'chef/node'
+
+class Chef
+  module PolicyBuilder
+
+    # ExpandNodeObject is the "classic" policy builder implementation. It
+    # expands the run_list on a node object and then queries the chef-server
+    # to find the correct set of cookbooks, given version constraints of the
+    # node's environment.
+    class ExpandNodeObject
+
+      attr_reader :events
+      attr_reader :node
+      attr_reader :node_name
+      attr_reader :ohai_data
+      attr_reader :json_attribs
+      attr_reader :override_runlist
+      attr_reader :original_runlist
+      attr_reader :run_context
+      attr_reader :run_list_expansion
+
+      def initialize(node_name, ohai_data, json_attribs, override_runlist, events)
+        @node_name = node_name
+        @ohai_data = ohai_data
+        @json_attribs = json_attribs
+        @override_runlist = override_runlist
+        @events = events
+
+        @node = nil
+        @original_runlist = nil
+        @run_list_expansion = nil
+      end
+
+      def setup_run_context(specific_recipes=nil)
+        if Chef::Config[:solo]
+          Chef::Cookbook::FileVendor.on_create { |manifest| Chef::Cookbook::FileSystemFileVendor.new(manifest, Chef::Config[:cookbook_path]) }
+          cl = Chef::CookbookLoader.new(Chef::Config[:cookbook_path])
+          cl.load_cookbooks
+          cookbook_collection = Chef::CookbookCollection.new(cl)
+          run_context = Chef::RunContext.new(node, cookbook_collection, @events)
+        else
+          Chef::Cookbook::FileVendor.on_create { |manifest| Chef::Cookbook::RemoteFileVendor.new(manifest, api_service) }
+          cookbook_hash = sync_cookbooks
+          cookbook_collection = Chef::CookbookCollection.new(cookbook_hash)
+          run_context = Chef::RunContext.new(node, cookbook_collection, @events)
+        end
+
+        # TODO: this is not the place for this. It should be in Runner or
+        # CookbookCompiler or something.
+        run_context.load(@run_list_expansion)
+        if specific_recipes
+          specific_recipes.each do |recipe_file|
+            run_context.load_recipe_file(recipe_file)
+          end
+        end
+        run_context
+      end
+
+
+      # In client-server operation, loads the node state from the server. In
+      # chef-solo operation, builds a new node object.
+      def load_node
+        events.node_load_start(node_name, Chef::Config)
+        Chef::Log.debug("Building node object for #{node_name}")
+
+        if Chef::Config[:solo]
+          @node = Chef::Node.build(node_name)
+        else
+          @node = Chef::Node.find_or_create(node_name)
+        end
+      rescue Exception => e
+        # TODO: wrap this exception so useful error info can be given to the
+        # user.
+        events.node_load_failed(node_name, e, Chef::Config)
+        raise
+      end
+
+
+      # Applies environment, external JSON attributes, and override run list to
+      # the node, Then expands the run_list.
+      #
+      # === Returns
+      # node<Chef::Node>:: The modified node object. node is modified in place.
+      def build_node
+        # Allow user to override the environment of a node by specifying
+        # a config parameter.
+        if Chef::Config[:environment] && !Chef::Config[:environment].chop.empty?
+          node.chef_environment(Chef::Config[:environment])
+        end
+
+        # consume_external_attrs may add items to the run_list. Save the
+        # expanded run_list, which we will pass to the server later to
+        # determine which versions of cookbooks to use.
+        node.reset_defaults_and_overrides
+        node.consume_external_attrs(ohai_data, @json_attribs)
+
+        setup_run_list_override
+
+        expand_run_list
+
+        Chef::Log.info("Run List is [#{node.run_list}]")
+        Chef::Log.info("Run List expands to [#{@expanded_run_list_with_versions.join(', ')}]")
+
+        events.node_load_completed(node, @expanded_run_list_with_versions, Chef::Config)
+
+        node
+      end
+
+      # Expands the node's run list. Stores the run_list_expansion object for later use.
+      def expand_run_list
+        @run_list_expansion = if Chef::Config[:solo]
+          node.expand!('disk')
+        else
+          node.expand!('server')
+        end
+
+        # @run_list_expansion is a RunListExpansion.
+        #
+        # Convert @expanded_run_list, which is an
+        # Array of Hashes of the form
+        #   {:name => NAME, :version_constraint => Chef::VersionConstraint },
+        # into @expanded_run_list_with_versions, an
+        # Array of Strings of the form
+        #   "#{NAME}@#{VERSION}"
+        @expanded_run_list_with_versions = @run_list_expansion.recipes.with_version_constraints_strings
+        @run_list_expansion
+      rescue Exception => e
+        # TODO: wrap/munge exception with useful error output.
+        events.run_list_expand_failed(node, e)
+        raise
+      end
+
+      ########################################
+      # Internal public API
+      ########################################
+
+      # Sync_cookbooks eagerly loads all files except files and
+      # templates.  It returns the cookbook_hash -- the return result
+      # from /environments/#{node.chef_environment}/cookbook_versions,
+      # which we will use for our run_context.
+      #
+      # === Returns
+      # Hash:: The hash of cookbooks with download URLs as given by the server
+      def sync_cookbooks
+        Chef::Log.debug("Synchronizing cookbooks")
+
+        begin
+          events.cookbook_resolution_start(@expanded_run_list_with_versions)
+          cookbook_hash = api_service.post("environments/#{node.chef_environment}/cookbook_versions",
+                                         {:run_list => @expanded_run_list_with_versions})
+        rescue Exception => e
+          # TODO: wrap/munge exception to provide helpful error output
+          events.cookbook_resolution_failed(@expanded_run_list_with_versions, e)
+          raise
+        else
+          events.cookbook_resolution_complete(cookbook_hash)
+        end
+
+        synchronizer = Chef::CookbookSynchronizer.new(cookbook_hash, events)
+        synchronizer.sync_cookbooks
+
+        # register the file cache path in the cookbook path so that CookbookLoader actually picks up the synced cookbooks
+        Chef::Config[:cookbook_path] = File.join(Chef::Config[:file_cache_path], "cookbooks")
+
+        cookbook_hash
+      end
+
+      def setup_run_list_override
+        runlist_override_sanity_check!
+        unless(override_runlist.empty?)
+          @original_runlist = node.run_list.run_list_items.dup
+          node.run_list(*override_runlist)
+          Chef::Log.warn "Run List override has been provided."
+          Chef::Log.warn "Original Run List: [#{original_runlist.join(', ')}]"
+          Chef::Log.warn "Overridden Run List: [#{node.run_list}]"
+        end
+      end
+
+      # Ensures runlist override contains RunListItem instances
+      def runlist_override_sanity_check!
+        # Convert to array and remove whitespace
+        if override_runlist.is_a?(String)
+          @override_runlist = override_runlist.split(',').map { |e| e.strip }
+        end
+        @override_runlist = [override_runlist].flatten.compact
+        override_runlist.map! do |item|
+          if(item.is_a?(Chef::RunList::RunListItem))
+            item
+          else
+            Chef::RunList::RunListItem.new(item)
+          end
+        end
+      end
+
+      def api_service
+        @api_service ||= Chef::REST.new(config[:chef_server_url])
+      end
+
+      def config
+        Chef::Config
+      end
+
+    end
+  end
+end

data/lib/chef/policy_builder/policyfile.rb

@@ -0,0 +1,338 @@
+#
+# Author:: Adam Jacob (<adam@opscode.com>)
+# Author:: Tim Hinderliter (<tim@opscode.com>)
+# Author:: Christopher Walters (<cw@opscode.com>)
+# Author:: Daniel DeLeo (<dan@getchef.com>)
+# Copyright:: Copyright 2008-2014 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/log'
+require 'chef/rest'
+require 'chef/run_context'
+require 'chef/config'
+require 'chef/node'
+
+class Chef
+  module PolicyBuilder
+
+    # Policyfile is an experimental policy builder implementation that gets run
+    # list and cookbook version information from a single document.
+    #
+    # == WARNING
+    # This implementation is experimental. It may be changed in incompatible
+    # ways in minor or even patch releases, or even abandoned altogether. If
+    # using this with other tools, you may be forced to upgrade those tools in
+    # lockstep with chef-client because of incompatible behavior changes.
+    #
+    # == Unsupported Options:
+    # * override_runlist:: This could potentially be integrated into the
+    # policyfile, or replaced with a similar feature that has different
+    # semantics.
+    # * specific_recipes:: put more design thought into this use case.
+    # * run_list in json_attribs:: would be ignored anyway, so it raises an error.
+    # * chef-solo:: not currently supported. Need more design thought around
+    # how this should work.
+    class Policyfile
+
+      class UnsupportedFeature < StandardError; end
+
+      class PolicyfileError < StandardError; end
+
+      RunListExpansionIsh = Struct.new(:recipes, :roles)
+
+      attr_reader :events
+      attr_reader :node
+      attr_reader :node_name
+      attr_reader :ohai_data
+      attr_reader :json_attribs
+      attr_reader :run_context
+
+      def initialize(node_name, ohai_data, json_attribs, override_runlist, events)
+        @node_name = node_name
+        @ohai_data = ohai_data
+        @json_attribs = json_attribs
+        @events = events
+
+        @node = nil
+
+        Chef::Log.warn("Using experimental Policyfile feature")
+
+        if Chef::Config[:solo]
+          raise UnsupportedFeature, "Policyfile does not support chef-solo at this time."
+        end
+
+        if override_runlist
+          raise UnsupportedFeature, "Policyfile does not support override run lists at this time"
+        end
+
+        if json_attribs && json_attribs.key?("run_list")
+          raise UnsupportedFeature, "Policyfile does not support setting the run_list in json data at this time"
+        end
+
+        if Chef::Config[:environment] && !Chef::Config[:environment].chop.empty?
+          raise UnsupportedFeature, "Policyfile does not work with Chef Environments"
+        end
+      end
+
+      ## API Compat ##
+      # Methods related to unsupported features
+
+      # Override run_list is not supported.
+      def original_runlist
+        nil
+      end
+
+      # Override run_list is not supported.
+      def override_runlist
+        nil
+      end
+
+      # Policyfile gives you the run_list already expanded, but users of this
+      # class may expect to get a run_list expansion compatible object by
+      # calling this method.
+      #
+      # === Returns
+      # RunListExpansionIsh:: A RunListExpansion duck type
+      def run_list_expansion
+        run_list_expansion_ish
+      end
+
+      ## PolicyBuilder API ##
+
+      # Loads the node state from the server.
+      def load_node
+        events.node_load_start(node_name, Chef::Config)
+        Chef::Log.debug("Building node object for #{node_name}")
+
+        @node = Chef::Node.find_or_create(node_name)
+        validate_policyfile
+        node
+      rescue Exception => e
+        events.node_load_failed(node_name, e, Chef::Config)
+        raise
+      end
+
+      # Applies environment, external JSON attributes, and override run list to
+      # the node, Then expands the run_list.
+      #
+      # === Returns
+      # node<Chef::Node>:: The modified node object. node is modified in place.
+      def build_node
+        # consume_external_attrs may add items to the run_list. Save the
+        # expanded run_list, which we will pass to the server later to
+        # determine which versions of cookbooks to use.
+        node.reset_defaults_and_overrides
+
+        node.consume_external_attrs(ohai_data, json_attribs)
+
+        expand_run_list
+        apply_policyfile_attributes
+
+        Chef::Log.info("Run List is [#{run_list}]")
+        Chef::Log.info("Run List expands to [#{run_list_with_versions_for_display.join(', ')}]")
+
+
+        events.node_load_completed(node, run_list_with_versions_for_display, Chef::Config)
+
+        node
+      rescue Exception => e
+        events.node_load_failed(node_name, e, Chef::Config)
+        raise
+      end
+
+      def setup_run_context(specific_recipes=nil)
+        # TODO: This file vendor stuff is duplicated and initializing it with a
+        # block traps a reference to this object in a global context which will
+        # prevent it from getting GC'd. Simplify it.
+        Chef::Cookbook::FileVendor.on_create { |manifest| Chef::Cookbook::RemoteFileVendor.new(manifest, api_service) }
+        sync_cookbooks
+        cookbook_collection = Chef::CookbookCollection.new(cookbooks_to_sync)
+        run_context = Chef::RunContext.new(node, cookbook_collection, events)
+
+        run_context.load(run_list_expansion_ish)
+
+        run_context
+      end
+
+      def expand_run_list
+        node.run_list(run_list)
+        node.automatic_attrs[:roles] = []
+        node.automatic_attrs[:recipes] = run_list_expansion_ish.recipes
+        run_list_expansion_ish
+      end
+
+      ## Internal Public API ##
+
+      def sync_cookbooks
+        Chef::Log.debug("Synchronizing cookbooks")
+        synchronizer = Chef::CookbookSynchronizer.new(cookbooks_to_sync, events)
+        synchronizer.sync_cookbooks
+
+        # register the file cache path in the cookbook path so that CookbookLoader actually picks up the synced cookbooks
+        Chef::Config[:cookbook_path] = File.join(Chef::Config[:file_cache_path], "cookbooks")
+
+        cookbooks_to_sync
+      end
+
+
+      def run_list_with_versions_for_display
+        run_list.map do |recipe_spec|
+          cookbook, recipe = parse_recipe_spec(recipe_spec)
+          lock_data = cookbook_lock_for(cookbook)
+          display = "#{cookbook}::#{recipe}@#{lock_data["version"]} (#{lock_data["identifier"][0...7]})"
+          display
+        end
+      end
+
+      def run_list_expansion_ish
+        recipes = run_list.map do |recipe_spec|
+          cookbook, recipe = parse_recipe_spec(recipe_spec)
+          "#{cookbook}::#{recipe}"
+        end
+        RunListExpansionIsh.new(recipes, [])
+      end
+
+      def apply_policyfile_attributes
+        node.attributes.role_default = policy["default_attributes"]
+        node.attributes.role_override = policy["override_attributes"]
+      end
+
+      def parse_recipe_spec(recipe_spec)
+        rmatch = recipe_spec.match(/recipe\[([^:]+)::([^:]+)\]/)
+        if rmatch.nil?
+          raise PolicyfileError, "invalid recipe specification #{recipe_spec} in Policyfile from #{policyfile_location}"
+        else
+          [rmatch[1], rmatch[2]]
+        end
+      end
+
+      def cookbook_lock_for(cookbook_name)
+        cookbook_locks[cookbook_name]
+      end
+
+      def run_list
+        policy["run_list"]
+      end
+
+      def policy
+        @policy ||= http_api.get(policyfile_location)
+      rescue Net::HTTPServerException => e
+        raise ConfigurationError, "Error loading policyfile from `#{policyfile_location}': #{e.class} - #{e.message}"
+      end
+
+      def policyfile_location
+        "data/policyfiles/#{deployment_group}"
+      end
+
+      # Do some mimimal validation of the policyfile we fetched from the
+      # server. Compatibility mode relies on using data bags to store policy
+      # files; therefore no real validation will be performed server-side and
+      # we need to make additional checks to ensure the data will be formatted
+      # correctly.
+      def validate_policyfile
+        errors = []
+        unless run_list
+          errors << "Policyfile is missing run_list element"
+        end
+        unless policy.key?("cookbook_locks")
+          errors << "Policyfile is missing cookbook_locks element"
+        end
+        if run_list.kind_of?(Array)
+          run_list_errors = run_list.select do |maybe_recipe_spec|
+            validate_recipe_spec(maybe_recipe_spec)
+          end
+          errors += run_list_errors
+        else
+          errors << "Policyfile run_list is malformed, must be an array of `recipe[cb_name::recipe_name]` items: #{policy["run_list"]}"
+        end
+
+        unless errors.empty?
+          raise PolicyfileError, "Policyfile fetched from #{policyfile_location} was invalid:\n#{errors.join("\n")}"
+        end
+      end
+
+      def validate_recipe_spec(recipe_spec)
+        parse_recipe_spec(recipe_spec)
+        nil
+      rescue PolicyfileError => e
+        e.message
+      end
+
+      class ConfigurationError < StandardError; end
+
+      def deployment_group
+        Chef::Config[:deployment_group] or
+          raise ConfigurationError, "Setting `deployment_group` is not configured."
+      end
+
+      # Builds a 'cookbook_hash' map of the form
+      #   "COOKBOOK_NAME" => "IDENTIFIER"
+      #
+      # This can be passed to a Chef::CookbookSynchronizer object to
+      # synchronize the cookbooks.
+      #
+      # TODO: Currently this makes N API calls to the server to get the
+      # cookbook objects. With server support (bulk API or the like), this
+      # should be reduced to a single call.
+      def cookbooks_to_sync
+        @cookbook_to_sync ||= begin
+          events.cookbook_resolution_start(run_list_with_versions_for_display)
+
+          cookbook_versions_by_name = cookbook_locks.inject({}) do |cb_map, (name, lock_data)|
+            cb_map[name] = manifest_for(name, lock_data)
+            cb_map
+          end
+          events.cookbook_resolution_complete(cookbook_versions_by_name)
+
+          cookbook_versions_by_name
+        end
+      rescue Exception => e
+        # TODO: wrap/munge exception to provide helpful error output
+        events.cookbook_resolution_failed(run_list_with_versions_for_display, e)
+        raise
+      end
+
+      # Fetches the CookbookVersion object for the given name and identifer
+      # specified in the lock_data.
+      # TODO: This only implements Chef 11 compatibility mode, which means that
+      # cookbooks are fetched by the "dotted_decimal_identifier": a
+      # representation of a SHA1 in the traditional x.y.z version format.
+      def manifest_for(cookbook_name, lock_data)
+        xyz_version = lock_data["dotted_decimal_identifier"]
+        http_api.get("cookbooks/#{cookbook_name}/#{xyz_version}")
+      rescue Exception => e
+        message = "Error loading cookbook #{cookbook_name} at version #{xyz_version}: #{e.class} - #{e.message}"
+        err = Chef::Exceptions::CookbookNotFound.new(message)
+        err.set_backtrace(e.backtrace)
+        raise err
+      end
+
+      def cookbook_locks
+        policy["cookbook_locks"]
+      end
+
+      def http_api
+        @api_service ||= Chef::REST.new(config[:chef_server_url])
+      end
+
+      def config
+        Chef::Config
+      end
+
+    end
+  end
+end
+