chef 15.17.4-universal-mingw32 → 16.0.257-universal-mingw32

data/lib/chef/formatters/doc.rb

@@ -273,7 +273,7 @@ class Chef
       # Called when a resource has no converge actions, e.g., it was already correct.
       def resource_up_to_date(resource, action)
         @up_to_date_resources += 1
-        puts " (up to date)", stream: resource
+        puts " (up to date)", stream: resource unless resource.suppress_up_to_date_messages?
         unindent
       end
 

data/lib/chef/formatters/error_inspectors/node_load_error_inspector.rb

@@ -46,7 +46,7 @@ class Chef
           when Chef::Exceptions::PrivateKeyMissing
             error_description.section("Private Key Not Found:", <<~E)
               Your private key could not be loaded. If the key file exists, ensure that it is
-              readable by #{Chef::Dist::PRODUCT}.
+              readable by #{Chef::Dist::CLIENT}.
             E
             error_description.section("Relevant Config Settings:", <<~E)
               client_key        "#{api_key}"
@@ -99,7 +99,7 @@ class Chef
         # redirect.
         def describe_404_error(error_description)
           error_description.section("Resource Not Found:", <<~E)
-            The #{Chef::Dist::SERVER_PRODUCT} returned a HTTP 404. This usually indicates that your chef_server_url is incorrect.
+            The server returned a HTTP 404. This usually indicates that your chef_server_url is incorrect.
           E
           error_description.section("Relevant Config Settings:", <<~E)
             chef_server_url "#{server_url}"

data/lib/chef/formatters/error_inspectors/registration_error_inspector.rb

@@ -28,7 +28,7 @@ class Chef
             humanize_http_exception(error_description)
           when Errno::ECONNREFUSED, Timeout::Error, Errno::ETIMEDOUT, SocketError
             error_description.section("Network Error:", <<~E)
-              There was a network error connecting to the #{Chef::Dist::SERVER_PRODUCT}:
+              There was a network error connecting to the Chef Server:
               #{exception.message}
             E
             error_description.section("Relevant Config Settings:", <<~E)
@@ -39,14 +39,14 @@ class Chef
           when Chef::Exceptions::PrivateKeyMissing
             error_description.section("Private Key Not Found:", <<~E)
               Your private key could not be loaded. If the key file exists, ensure that it is
-              readable by #{Chef::Dist::PRODUCT}.
+              readable by #{Chef::Dist::CLIENT}.
             E
             error_description.section("Relevant Config Settings:", <<~E)
               validation_key "#{api_key}"
             E
           when Chef::Exceptions::InvalidRedirect
             error_description.section("Invalid Redirect:", <<~E)
-              Change your #{Chef::Dist::SERVER_PRODUCT} location in client.rb to the #{Chef::Dist::SERVER_PRODUCT}'s FQDN to avoid unwanted redirections.
+              Change your server location in client.rb to the server's FQDN to avoid unwanted redirections.
             E
           when EOFError
             describe_eof_error(error_description)
@@ -61,13 +61,13 @@ class Chef
           when Net::HTTPUnauthorized
             if clock_skew?
               error_description.section("Authentication Error:", <<~E)
-                Failed to authenticate to the #{Chef::Dist::SERVER_PRODUCT} (http 401).
+                Failed to authenticate to the chef server (http 401).
                 The request failed because your clock has drifted by more than 15 minutes.
                 Syncing your clock to an NTP Time source should resolve the issue.
               E
             else
               error_description.section("Authentication Error:", <<~E)
-                Failed to authenticate to the #{Chef::Dist::SERVER_PRODUCT} (http 401).
+                Failed to authenticate to the chef server (http 401).
               E
 
               error_description.section("Server Response:", format_rest_error)
@@ -81,7 +81,7 @@ class Chef
             end
           when Net::HTTPForbidden
             error_description.section("Authorization Error:", <<~E)
-              Your validation client is not authorized to create the client for this node on the #{Chef::Dist::SERVER_PRODUCT} (HTTP 403).
+              Your validation client is not authorized to create the client for this node (HTTP 403).
             E
             error_description.section("Possible Causes:", <<~E)
               * There may already be a client named "#{config[:node_name]}"
@@ -94,7 +94,7 @@ class Chef
             error_description.section("Server Response:", format_rest_error)
           when Net::HTTPNotFound
             error_description.section("Resource Not Found:", <<~E)
-              The #{Chef::Dist::SERVER_PRODUCT} returned a HTTP 404. This usually indicates that your chef_server_url configuration is incorrect.
+              The server returned a HTTP 404. This usually indicates that your chef_server_url is incorrect.
             E
             error_description.section("Relevant Config Settings:", <<~E)
               chef_server_url "#{server_url}"

data/lib/chef/formatters/indentable_output_stream.rb

@@ -17,23 +17,14 @@ class Chef
         @semaphore = Mutex.new
       end
 
-      def highline
-        @highline ||= begin
-          require "highline"
-          HighLine.new
+      # pastel.decorate is a lightweight replacement for highline.color
+      def pastel
+        @pastel ||= begin
+          require "pastel"
+          Pastel.new
         end
       end
 
-      # Print text. This will start a new line and indent if necessary
-      # but will not terminate the line (future print and puts statements
-      # will start off where this print left off).
-      #
-      # @param string [String]
-      # @param args [Array<Hash,Symbol>]
-      def color(string, *args)
-        print(string, from_args(args))
-      end
-
       # Print the start of a new line.  This will terminate any existing lines and
       # cause indentation but will not move to the next line yet (future 'print'
       # and 'puts' statements will stay on this line).
@@ -83,7 +74,7 @@ class Chef
       #
       # == Alternative
       #
-      # You may also call print('string', :red) (a list of colors a la Highline.color)
+      # You may also call print('string', :red) (https://github.com/piotrmurach/pastel#3-supported-colors)
       def print(string, *args)
         options = from_args(args)
 
@@ -140,7 +131,7 @@ class Chef
         end
 
         if Chef::Config[:color] && options[:colors]
-          @out.print highline.color(line, *options[:colors])
+          @out.print pastel.decorate(line, *options[:colors])
         else
           @out.print line
         end

data/lib/chef/http.rb

@@ -22,8 +22,7 @@
 #
 
 require "tempfile" unless defined?(Tempfile)
-require "openssl" unless defined?(OpenSSL)
-require "net/http" unless defined?(Net::HTTP)
+require "net/https"
 require "uri" unless defined?(URI)
 require_relative "http/basic_client"
 require_relative "monkey_patches/net_http"

data/lib/chef/http/http_request.rb

@@ -21,6 +21,7 @@
 # limitations under the License.
 #
 require "uri" unless defined?(URI)
+require "cgi" unless defined?(CGI)
 require "net/http" unless defined?(Net::HTTP)
 require_relative "../dist"
 
@@ -176,8 +177,8 @@ class Chef
         @http_request.body = request_body if request_body && @http_request.request_body_permitted?
         # Optionally handle HTTP Basic Authentication
         if url.user
-          user = URI.unescape(url.user)
-          password = URI.unescape(url.password) if url.password
+          user = CGI.unescape(url.user)
+          password = CGI.unescape(url.password) if url.password
           @http_request.basic_auth(user, password)
         end
 

data/lib/chef/knife.rb

@@ -279,12 +279,10 @@ class Chef
 
         if CHEF_ORGANIZATION_MANAGEMENT.include?(args[0])
           list_commands("CHEF ORGANIZATION MANAGEMENT")
-        elsif OPSCODE_HOSTED_CHEF_ACCESS_CONTROL.include?(args[0])
-          list_commands("OPSCODE HOSTED CHEF ACCESS CONTROL")
         elsif category_commands = guess_category(args)
           list_commands(category_commands)
         elsif OFFICIAL_PLUGINS.include?(args[0]) # command was an uninstalled official chef knife plugin
-          ui.info("Use `#{Chef::Dist::EXEC} gem install knife-#{args[0]}` to install the plugin into ChefDK / Chef Workstation")
+          ui.info("Use `#{Chef::Dist::EXEC} gem install knife-#{args[0]}` to install the plugin into Chef Workstation")
         else
           list_commands
         end

data/lib/chef/knife/acl_add.rb

@@ -0,0 +1,57 @@
+#
+# Author:: Steven Danna (steve@chef.io)
+# Author:: Jeremiah Snapp (jeremiah@chef.io)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../knife"
+
+class Chef
+  class Knife
+    class AclAdd < Chef::Knife
+      category "acl"
+      banner "knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS"
+
+      deps do
+        require_relative "acl_base"
+        include Chef::Knife::AclBase
+      end
+
+      def run
+        member_type, member_name, object_type, object_name, perms = name_args
+
+        if name_args.length != 5
+          show_usage
+          ui.fatal "You must specify the member type [client|group], member name, object type, object name and perms"
+          exit 1
+        end
+
+        unless %w{client group}.include?(member_type)
+          ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL."
+          ui.fatal "       See the knife-acl README for more information."
+          exit 1
+        end
+        validate_perm_type!(perms)
+        validate_member_name!(member_name)
+        validate_object_name!(object_name)
+        validate_object_type!(object_type)
+        validate_member_exists!(member_type, member_name)
+
+        add_to_acl!(member_type, member_name, object_type, object_name, perms)
+      end
+    end
+  end
+end

data/lib/chef/knife/acl_base.rb

@@ -0,0 +1,183 @@
+#
+# Author:: Steven Danna (steve@chef.io)
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../knife"
+
+class Chef
+  class Knife
+    module AclBase
+
+      PERM_TYPES = %w{create read update delete grant}.freeze unless defined? PERM_TYPES
+      MEMBER_TYPES = %w{client group user}.freeze unless defined? MEMBER_TYPES
+      OBJECT_TYPES = %w{clients containers cookbooks data environments groups nodes roles policies policy_groups}.freeze unless defined? OBJECT_TYPES
+      OBJECT_NAME_SPEC = /^[\-[:alnum:]_\.]+$/.freeze unless defined? OBJECT_NAME_SPEC
+
+      def validate_object_type!(type)
+        unless OBJECT_TYPES.include?(type)
+          ui.fatal "Unknown object type \"#{type}\".  The following types are permitted: #{OBJECT_TYPES.join(", ")}"
+          exit 1
+        end
+      end
+
+      def validate_object_name!(name)
+        unless OBJECT_NAME_SPEC.match(name)
+          ui.fatal "Invalid name: #{name}"
+          exit 1
+        end
+      end
+
+      def validate_member_type!(type)
+        unless MEMBER_TYPES.include?(type)
+          ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(", ")}"
+          exit 1
+        end
+      end
+
+      def validate_member_name!(name)
+        # Same rules apply to objects and members
+        validate_object_name!(name)
+      end
+
+      def validate_perm_type!(perms)
+        perms.split(",").each do |perm|
+          unless PERM_TYPES.include?(perm)
+            ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(",")}"
+            exit 1
+          end
+        end
+      end
+
+      def validate_member_exists!(member_type, member_name)
+        true if rest.get_rest("#{member_type}s/#{member_name}")
+      rescue NameError
+        # ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client
+        true
+      rescue
+        ui.fatal "#{member_type} '#{member_name}' does not exist"
+        exit 1
+      end
+
+      def is_usag?(gname)
+        gname.length == 32 && gname =~ /^[0-9a-f]+$/
+      end
+
+      def get_acl(object_type, object_name)
+        rest.get_rest("#{object_type}/#{object_name}/_acl?detail=granular")
+      end
+
+      def get_ace(object_type, object_name, perm)
+        get_acl(object_type, object_name)[perm]
+      end
+
+      def add_to_acl!(member_type, member_name, object_type, object_name, perms)
+        acl = get_acl(object_type, object_name)
+        perms.split(",").each do |perm|
+          ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'"
+          ace = acl[perm]
+
+          case member_type
+          when "client", "user"
+            # Our PUT body depends on the type of reply we get from _acl?detail=granular
+            # When the server replies with json attributes  'users' and 'clients',
+            # we'll want to modify entries under the same keys they arrived.- their presence
+            # in the body tells us that CS will accept them in a PUT.
+            # Older version of chef-server will continue to use 'actors' for a combined list
+            # and expect the same in the body.
+            key = "#{member_type}s"
+            key = "actors" unless ace.key? key
+            next if ace[key].include?(member_name)
+
+            ace[key] << member_name
+          when "group"
+            next if ace["groups"].include?(member_name)
+
+            ace["groups"] << member_name
+          end
+
+          update_ace!(object_type, object_name, perm, ace)
+        end
+      end
+
+      def remove_from_acl!(member_type, member_name, object_type, object_name, perms)
+        acl = get_acl(object_type, object_name)
+        perms.split(",").each do |perm|
+          ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'"
+          ace = acl[perm]
+
+          case member_type
+          when "client", "user"
+            key = "#{member_type}s"
+            key = "actors" unless ace.key? key
+            next unless ace[key].include?(member_name)
+
+            ace[key].delete(member_name)
+          when "group"
+            next unless ace["groups"].include?(member_name)
+
+            ace["groups"].delete(member_name)
+          end
+
+          update_ace!(object_type, object_name, perm, ace)
+        end
+      end
+
+      def update_ace!(object_type, object_name, ace_type, ace)
+        rest.put_rest("#{object_type}/#{object_name}/_acl/#{ace_type}", ace_type => ace)
+      end
+
+      def add_to_group!(member_type, member_name, group_name)
+        validate_member_exists!(member_type, member_name)
+        existing_group = rest.get_rest("groups/#{group_name}")
+        ui.msg "Adding '#{member_name}' to '#{group_name}' group"
+        unless existing_group["#{member_type}s"].include?(member_name)
+          existing_group["#{member_type}s"] << member_name
+          new_group = {
+            "groupname" => existing_group["groupname"],
+            "orgname" => existing_group["orgname"],
+            "actors" => {
+              "users" => existing_group["users"],
+              "clients" => existing_group["clients"],
+              "groups" => existing_group["groups"],
+            },
+          }
+          rest.put_rest("groups/#{group_name}", new_group)
+        end
+      end
+
+      def remove_from_group!(member_type, member_name, group_name)
+        validate_member_exists!(member_type, member_name)
+        existing_group = rest.get_rest("groups/#{group_name}")
+        ui.msg "Removing '#{member_name}' from '#{group_name}' group"
+        if existing_group["#{member_type}s"].include?(member_name)
+          existing_group["#{member_type}s"].delete(member_name)
+          new_group = {
+            "groupname" => existing_group["groupname"],
+            "orgname" => existing_group["orgname"],
+            "actors" => {
+              "users" => existing_group["users"],
+              "clients" => existing_group["clients"],
+              "groups" => existing_group["groups"],
+            },
+          }
+          rest.put_rest("groups/#{group_name}", new_group)
+        end
+      end
+    end
+  end
+end

data/lib/chef/knife/acl_bulk_add.rb

@@ -0,0 +1,78 @@
+#
+# Author:: Jeremiah Snapp (jeremiah@chef.io)
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require_relative "../knife"
+
+class Chef
+  class Knife
+    class AclBulkAdd < Chef::Knife
+      category "acl"
+      banner "knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"
+
+      deps do
+        require_relative "acl_base"
+        include Chef::Knife::AclBase
+      end
+
+      def run
+        member_type, member_name, object_type, regex, perms = name_args
+        object_name_matcher = /#{regex}/
+
+        if name_args.length != 5
+          show_usage
+          ui.fatal "You must specify the member type [client|group], member name, object type, object name REGEX and perms"
+          exit 1
+        end
+
+        unless %w{client group}.include?(member_type)
+          ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL."
+          ui.fatal "       See the knife-acl README for more information."
+          exit 1
+        end
+        validate_perm_type!(perms)
+        validate_member_name!(member_name)
+        validate_object_type!(object_type)
+        validate_member_exists!(member_type, member_name)
+
+        if %w{containers groups}.include?(object_type)
+          ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
+          exit 1
+        end
+
+        objects_to_modify = []
+        all_objects = rest.get_rest(object_type)
+        objects_to_modify = all_objects.keys.select { |object_name| object_name =~ object_name_matcher }
+
+        if objects_to_modify.empty?
+          ui.info "No #{object_type} match the expression /#{regex}/"
+          exit 0
+        end
+
+        ui.msg("The ACL of the following #{object_type} will be modified:")
+        ui.msg("")
+        ui.msg(ui.list(objects_to_modify.sort, :columns_down))
+        ui.msg("")
+        ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?")
+
+        objects_to_modify.each do |object_name|
+          add_to_acl!(member_type, member_name, object_type, object_name, perms)
+        end
+      end
+    end
+  end
+end