chef_fixie 0.1.0 → 0.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 0ad2fbe46207502fef6aebd84a4f65c5143a691d
4
- data.tar.gz: fcf34e96d4579c85ea02442bd7d17358269a8c16
3
+ metadata.gz: 1cc981bb23297717dac0de3676f42ea4422016ad
4
+ data.tar.gz: cfdc771777545508b0d3d195adc668e824ffe4f2
5
5
  SHA512:
6
- metadata.gz: 891bf79ac2dfcac0bc3ab28d3439e54bb1b5431b977a876573ba196c5254e3d5d07a6015f5c859c44427912ebfd732284e51dec9c176cf22a934cb0f3bd5b525
7
- data.tar.gz: 02adb68b623cd13142463329b359f0aaf141eb7b0e095aa1c9ecf82f7b6f826c6140982084fdc3d842f583eaeff0ce8f27f8ffa53de38fbb615857ab71e28d6b
6
+ metadata.gz: 4241554e99a513b1461bd8de38a199cab655f3ac526c276565c7b7ca2a700fc363d183d8b89bd7f5f12308c0c4fe3a82706c781bccc90ba0772c8a94b73a1dd7
7
+ data.tar.gz: 1384e2f28b152c93c83a398940d2bbf5f6b1d052bca96817e429aff860bc22d2e7df84edbcad6f07d439f14a11639044b285c0f8b03caaffb597b53dce218a9f
@@ -1,5 +1,5 @@
1
1
  #!/usr/bin/env ruby
2
2
 
3
- require 'chef_fixie/console'
3
+ require_relative '../lib/chef_fixie/console'
4
4
 
5
- Fixie::Console.start
5
+ ChefFixie::Console.start
@@ -5,7 +5,22 @@ Basics:
5
5
  Underneath everything is the Ruby Sequel library; there are a number
6
6
  of ways to access it.
7
7
 
8
- Check out http://ricostacruz.com/cheatsheets/sequel.html and
8
+ Check out http://ricostacruz.com/cheatsheets/sequel.html or the Sequel
9
+ gem docs for details of the sequel library.
10
+
11
+ Many objects in fixie have the accessor inner, which exposes the
12
+ Sequel selector. This includes:
13
+ * The constants ORGS, USERS, ASSOCIATIONS, and INVITES
14
+ ```ruby
15
+ ORGS.inner.first
16
+ #< @values={:id=>"7ddaee6b42e8f6a0a8e9d5d5efe644f8", :authz_id=>"f46b2e53869968ce115b97d2fd8bfee0", :name=>"ponyville", :full_name=>"ponyville", :assigned_at=>2015-07-21 18:22:34 UTC, :last_updated_by=>"08076ed32f7d5c62721607dd2c309c55", :created_at=>2015-07-21 18:22:34 UTC, :updated_at=>2015-07-21 18:22:34 UTC}>
17
+ ```
18
+ * Any of the by_XXXX accessors
19
+ ```ruby
20
+ ORGS['
21
+
22
+
23
+ ```
9
24
 
10
25
 
11
26
 
@@ -34,3 +49,20 @@ now = Sequel.function(:NOW)
34
49
  ASSOCS.inner.insert(:org_id=>o.id, :user_id=>u.id, :last_updated_by=>pivotal.authz_id,
35
50
  :created_at=>now, :updated_at=>now )
36
51
  ```
52
+
53
+
54
+ * Fixing a group that lost its authz object.
55
+ We've seen the users group in hosted loose it's authz entry
56
+
57
+ ```ruby
58
+ a = Fixie::AuthzApi.new
59
+ # create a new authz group
60
+ g = a.post("groups",{})
61
+ # check that only one group is returned
62
+ ORGS['acme'].groups.by_name('users').inner.all
63
+ # alter the group and insert the new authz id
64
+ ORGS['acme'].groups.by_name('users').inner.update(:authz_id=>g.id)
65
+ ```
66
+
67
+ This does not add the users back to the usergs group, or re-add users
68
+ all the acls that used to have the users group in them.
@@ -0,0 +1,33 @@
1
+ Restoring acl permissions globally
2
+ ============
3
+
4
+ If a key group is deleted (such as users)
5
+
6
+ * Verify that the org has issues
7
+
8
+ * Create/restore the group
9
+ (TBW)
10
+
11
+ * Add the users/groups back to the group
12
+ (TBW)
13
+
14
+ * Set the group ACL appropriately
15
+ ```ruby
16
+ users_group.ace_add([:create,:read,:update,:delete], org.groups['admins'])
17
+ users_group.ace_add([:create,:read,:update,:delete], USERS['pivotal'])
18
+ ``
19
+
20
+ * Restore users to the appropriate container ACLs
21
+ ```ruby
22
+ org = ORGS[THE_ORG]
23
+ cl = %w(cookbooks data nodes roles environments policies policy_groups cookbook_artifacts)
24
+ cl.each {|c| o.containers[c].ace_add([:create,:read,:update,:delete], org.groups['users']) }
25
+ %w(clients).each { |c| org.containers[c].ace_add([:read,:delete], org.groups['users']) }
26
+ %w(groups containers).each { |c| org.containers[c].ace_add([:read], org.groups['users']) }
27
+ %w(sandboxes).each { |c| org.containers[c].ace_add([:create], org.groups['users']) }
28
+ ```
29
+
30
+ * Then update the objects from the containers:
31
+ ```ruby
32
+ Fixie::BulkEditPermissions::copy_from_containers(org)
33
+ ```
@@ -17,11 +17,12 @@
17
17
  # Author: Mark Anderson <mark@chef.io>
18
18
 
19
19
  require 'sequel'
20
- require 'chef_fixie/config'
21
- require 'chef_fixie/sql'
22
- require 'chef_fixie/sql_objects'
20
+ require_relative 'chef_fixie/config'
21
+ require_relative 'chef_fixie/sql'
22
+ require_relative 'chef_fixie/sql_objects'
23
23
 
24
24
  # This doesn't work because of initialization order, figure it out.
25
- require 'chef_fixie/check_org_associations'
25
+ require_relative 'chef_fixie/check_org_associations'
26
+ require_relative 'chef_fixie/bulk_edit_permissions'
26
27
 
27
28
  Sequel.extension :inflector
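Review bot: The new `require_relative 'chef_fixie/bulk_edit_permissions'` sits directly under the pre-existing comment `# This doesn't work because of initialization order, figure it out.`, so a reader cannot tell whether the caveat applies only to `check_org_associations` or to both requires; either move the new line above the comment or make the comment explicit, e.g. `# check_org_associations: initialization-order problem, see TODO` on the line it belongs to. Separately, `bulk_edit_permissions.rb` in this same release requires `'config.rb'`, `'authz_objects.rb'` and `'authz_mapper.rb'` with an explicit `.rb` suffix while every other file converted here uses the bare name; Ruby accepts both, but the inconsistency is worth normalising.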
@@ -18,8 +18,8 @@
18
18
  #
19
19
 
20
20
  require 'pp'
21
- require 'chef_fixie/config'
22
- require 'chef_fixie/authz_objects'
21
+ require_relative 'config'
22
+ require_relative 'authz_objects'
23
23
 
24
24
  module ChefFixie
25
25
  module AuthzMapper
@@ -21,7 +21,7 @@ require 'pp'
21
21
  require 'ffi_yajl'
22
22
  require 'chef/http'
23
23
 
24
- require 'chef_fixie/config'
24
+ require_relative 'config'
25
25
 
26
26
  module ChefFixie
27
27
 
@@ -0,0 +1,157 @@
1
+ #
2
+ # Copyright (c) 2015 Chef Software Inc.
3
+ # License :: Apache License, Version 2.0
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # http://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+ #
17
+ # Author: Mark Anderson <mark@chef.io>
18
+ #
19
+ require 'sequel'
20
+
21
+ require_relative 'config.rb'
22
+ require_relative 'authz_objects.rb'
23
+ require_relative 'authz_mapper.rb'
24
+
25
+ require 'pp'
26
+
27
+ module ChefFixie
28
+ module BulkEditPermissions
29
+ def self.orgs
30
+ @orgs ||= ChefFixie::Sql::Orgs.new
31
+ end
32
+ def self.users
33
+ @users ||= ChefFixie::Sql::Users.new
34
+ end
35
+ def self.assocs
36
+ @assocs ||= ChefFixie::Sql::Associations.new
37
+ end
38
+ def self.invites
39
+ invites ||= ChefFixie::Sql::Invites.new
40
+ end
41
+
42
+ def self.check_permissions(org)
43
+ org = orgs[org] if org.is_a?(String)
44
+ admins = org.groups['admins'].authz_id
45
+ pivotal = users['pivotal'].authz_id
46
+ errors = Hash.new({})
47
+ org.each_authz_object do |object|
48
+ begin
49
+ acl = object.acl_raw
50
+ rescue RestClient::ResourceNotFound=>e
51
+ puts "#{object.class} '#{object.name}' id '#{object.id}' missing authz info"
52
+ # pp :object=>object, :e=>e
53
+ next
54
+ end
55
+ broken_acl = {}
56
+ # the one special case
57
+ acl.each do |k,v|
58
+ list = []
59
+ list << "pivotal" if !v['actors'].member?(pivotal)
60
+ # admins doesn't belong to the billing admins group
61
+ if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
62
+ list << "admins" if !v['groups'].member?(admins)
63
+ end
64
+ broken_acl[k] = list if !list.empty?
65
+ end
66
+ if !broken_acl.empty?
67
+ classname = object.class
68
+ errors[classname] = {} if !errors.has_key?(classname)
69
+ errors[classname][object.name] = broken_acl
70
+ end
71
+ end
72
+ return errors
73
+ end
74
+
75
+ def self.ace_add(list, ace_type, entity)
76
+ list.each do |item|
77
+ if item.respond_to?(:ace_add)
78
+ item.ace_add(ace_type, entity)
79
+ else
80
+ puts "item.class is not a native authz type"
81
+ return
82
+ end
83
+ end
84
+ end
85
+ def self.ace_delete(list, ace_type, entity)
86
+ list.each do |item|
87
+ if item.respond_to?(:ace_delete)
88
+ item.ace_delete(ace_type, entity)
89
+ else
90
+ puts "item.class is not a native authz type"
91
+ return
92
+ end
93
+ end
94
+ end
95
+
96
+ def self.do_all_objects(org)
97
+ org = orgs[org] if org.is_a?(String)
98
+
99
+ containers = org.containers.all(:all)
100
+ # Maybe we should fix up containers first?
101
+ # fix up objects in containers
102
+ containers.each do |container|
103
+ # TODO Write some tests to validate that this stuff
104
+ # works, since it depends on a lot of name magic...
105
+ object_type = container.name.to_sym
106
+ # raise Exception "No such object_type #{object_type}" unless org.respond_to?(object_type)
107
+ objects = org.send(object_type).all(:all)
108
+ if block_given?
109
+ yield objects
110
+ end
111
+ end
112
+ end
113
+
114
+ def self.ace_add_all(org, ace_type, entity)
115
+ org = orgs[org] if org.is_a?(String)
116
+ org.each_authz_object_by_class do |objects|
117
+ ace_add(objects, ace_type, entity)
118
+ end
119
+ end
120
+
121
+ def self.ace_delete_all(org, ace_type, entity)
122
+ org = orgs[org] if org.is_a?(String)
123
+ org.each_authz_object_by_class do |objects|
124
+ ace_delete(objects, ace_type, entity)
125
+ end
126
+ end
127
+
128
+ def self.add_admin_permissions(org)
129
+ org = orgs[org] if org.is_a?(String)
130
+ # rework when ace add takes multiple items...
131
+ admins = org.groups['admins']
132
+ pivotal = users['pivotal']
133
+ org.each_authz_object do |object|
134
+ object.ace_add(:all, pivotal)
135
+ if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
136
+ object.ace_add(:all, admins)
137
+ end
138
+ end
139
+ end
140
+
141
+ def self.copy_from_containers(org)
142
+ org = orgs[org] if org.is_a?(String)
143
+
144
+ containers = org.containers.all(:all)
145
+ containers.each do |c|
146
+ # don't mess with containers and groups, they are special
147
+ next if c.name == "containers" || c.name == "groups"
148
+ org.objects_by_container_type(c.name).each do |obj|
149
+ obj.acl_add_from_object(c)
150
+ puts "#{obj.name} from #{c.name}"
151
+ end
152
+ end
153
+ return
154
+ end
155
+
156
+ end
157
+ end
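Review bot: `self.invites` assigns to a local variable rather than `@invites`, so unlike `orgs`, `users` and `assocs` it constructs a fresh `ChefFixie::Sql::Invites` on every call and never memoizes; it should read `@invites ||= ChefFixie::Sql::Invites.new`. The fallback message in `ace_add` and `ace_delete` is the literal string `"item.class is not a native authz type"` — presumably `"#{item.class} is not a native authz type"` was intended — and the bare `return` inside the `each` silently abandons the remainder of the list on the first non-conforming item instead of skipping it with `next`. `do_all_objects` derives a method name from `container.name` and invokes it with `send`, which can reach private methods and lacks the `NAME_FIXUP` translation that `objects_by_container_type` applies elsewhere in this release; an explicit `respond_to?` guard (the commented-out raise) with `public_send`, or simply delegating to `org.each_authz_object_by_class`, would make an unexpected container name fail loudly. `check_permissions` rescues `RestClient::ResourceNotFound`, but nothing in this file requires rest-client, so that constant only resolves if one of the required files loads it — worth confirming, since an unresolved constant in a rescue clause surfaces as `NameError` only when an exception is actually raised.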
@@ -18,11 +18,10 @@
18
18
  # Author: Mark Anderson <mark@chef.io>
19
19
  #
20
20
 
21
- require 'chef_fixie/config'
22
- require 'chef_fixie/authz_objects'
23
- require 'chef_fixie/authz_mapper'
24
-
25
- require 'chef_fixie/utility_helpers'
21
+ require_relative 'config'
22
+ require_relative 'authz_objects'
23
+ require_relative 'authz_mapper'
24
+ require_relative 'utility_helpers'
26
25
 
27
26
  module ChefFixie
28
27
  module CheckOrgAssociations
@@ -22,8 +22,8 @@ require 'optparse'
22
22
  require 'pp'
23
23
  require 'pry'
24
24
 
25
- require 'chef_fixie'
26
- require 'chef_fixie/context'
25
+ require_relative '../chef_fixie'
26
+ require_relative 'context'
27
27
 
28
28
  module ChefFixie
29
29
  module Console
@@ -31,7 +31,7 @@ module ChefFixie
31
31
 
32
32
  def start
33
33
  configure
34
- Fixie.setup
34
+ ChefFixie.setup
35
35
  configure_pry
36
36
  Pry.start
37
37
  end
@@ -41,7 +41,7 @@ module ChefFixie
41
41
  if ARGV.first && ARGV[0].chars.first != "-" && config_file = ARGV.shift
42
42
  config_file = File.expand_path(config_file)
43
43
  end
44
- Fixie.load_config(config_file)
44
+ ChefFixie.load_config(config_file)
45
45
 
46
46
  options = {}
47
47
  OptionParser.new do |opt|
@@ -20,7 +20,7 @@ require 'ffi_yajl'
20
20
  require 'uuidtools'
21
21
  require 'sequel'
22
22
 
23
- require 'chef_fixie/config'
23
+ require_relative 'config'
24
24
 
25
25
  Sequel.default_timezone = :utc
26
26
 
@@ -20,9 +20,9 @@
20
20
  require 'pp'
21
21
  require 'sequel'
22
22
 
23
- require 'chef_fixie/config'
24
- require 'chef_fixie/authz_objects'
25
- require 'chef_fixie/authz_mapper'
23
+ require_relative 'config'
24
+ require_relative 'authz_objects'
25
+ require_relative 'authz_mapper'
26
26
 
27
27
  Sequel.extension :inflector
28
28
 
@@ -119,6 +119,42 @@ module ChefFixie
119
119
  ChefFixie::Sql::Groups.new["#{name}_global_admins"]
120
120
  end
121
121
 
122
+ # Iterators for objects in authz; using containers to enumerate things
123
+ # It might be better to metaprogram this up instead,
124
+ #
125
+ # TODO Write some tests to validate that this stuff
126
+ # works, since it depends on a lot of name magic...
127
+
128
+ NAME_FIXUP = {"data" => "data_bags", "sandboxes" => nil}
129
+ def objects_by_container_type(container)
130
+ name = NAME_FIXUP.has_key?(container) ? NAME_FIXUP[container] : container
131
+ return [] if name.nil?
132
+
133
+ object_type = name.to_sym
134
+ # raise Exception "No such object_type #{object_type}" unless respond_to?(object_type)
135
+ send(object_type).all(:all)
136
+ end
137
+
138
+ def each_authz_object_by_class
139
+ containers = self.containers.all(:all)
140
+ containers.each do |container|
141
+ objects = objects_by_container_type(container.name)
142
+ if block_given?
143
+ yield objects
144
+ end
145
+ end
146
+ return
147
+ end
148
+
149
+ def each_authz_object
150
+ each_authz_object_by_class do |objectlist|
151
+ objectlist.each do |object|
152
+ yield object
153
+ end
154
+ end
155
+ return
156
+ end
157
+
122
158
  scoped_type :container, :group, :client,
123
159
  :cookbook_artifact, :cookbook, :data_bag, :environment, :node, :policy, :policy_group , :role
124
160
 
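Review bot: `each_authz_object` yields unconditionally, so calling it without a block raises `LocalJumpError`, whereas its sibling `each_authz_object_by_class` guards with `block_given?`; add the same guard or `return enum_for(:each_authz_object) unless block_given?` so the iterator composes with Enumerable. `objects_by_container_type` turns a container name read from the database into a method name and invokes it with `send`, which also reaches private methods; `public_send` combined with an explicit `respond_to?` check (the commented-out raise on the following line) would make an unrecognised container name fail loudly rather than call something unintended. `NAME_FIXUP` is a mutable constant and should end in `.freeze`, and the bare `return` statements closing both iterators only return `nil` and can be dropped. The enclosing class begins before this hunk.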
@@ -18,9 +18,9 @@
18
18
  # Author: Mark Anderson <mark@chef.io>
19
19
  #
20
20
 
21
- require 'chef_fixie/config'
22
- require 'chef_fixie/authz_objects'
23
- require 'chef_fixie/authz_mapper'
21
+ require_relative 'config'
22
+ require_relative 'authz_objects'
23
+ require_relative 'authz_mapper'
24
24
 
25
25
  module ChefFixie
26
26
  module UtilityHelpers
@@ -1,3 +1,3 @@
1
1
  module ChefFixie
2
- VERSION = "0.1.0"
2
+ VERSION = "0.2.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: chef_fixie
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mark Anderson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-08-27 00:00:00.000000000 Z
11
+ date: 2015-09-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: chef
@@ -188,6 +188,7 @@ files:
188
188
  - bin/serverspec-init
189
189
  - doc/AccessingSQL.md
190
190
  - doc/AccessingSQL.md~
191
+ - doc/BulkFixup.md
191
192
  - doc/BulkFixup.md~
192
193
  - doc/CommonTasks.md
193
194
  - doc/CommonTasks.md~
@@ -197,6 +198,7 @@ files:
197
198
  - lib/chef_fixie.rb
198
199
  - lib/chef_fixie/authz_mapper.rb
199
200
  - lib/chef_fixie/authz_objects.rb
201
+ - lib/chef_fixie/bulk_edit_permissions.rb
200
202
  - lib/chef_fixie/check_org_associations.rb
201
203
  - lib/chef_fixie/config.rb
202
204
  - lib/chef_fixie/console.rb