chef_fixie 0.1.0 → 0.2.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 0ad2fbe46207502fef6aebd84a4f65c5143a691d
4
- data.tar.gz: fcf34e96d4579c85ea02442bd7d17358269a8c16
3
+ metadata.gz: 1cc981bb23297717dac0de3676f42ea4422016ad
4
+ data.tar.gz: cfdc771777545508b0d3d195adc668e824ffe4f2
5
5
  SHA512:
6
- metadata.gz: 891bf79ac2dfcac0bc3ab28d3439e54bb1b5431b977a876573ba196c5254e3d5d07a6015f5c859c44427912ebfd732284e51dec9c176cf22a934cb0f3bd5b525
7
- data.tar.gz: 02adb68b623cd13142463329b359f0aaf141eb7b0e095aa1c9ecf82f7b6f826c6140982084fdc3d842f583eaeff0ce8f27f8ffa53de38fbb615857ab71e28d6b
6
+ metadata.gz: 4241554e99a513b1461bd8de38a199cab655f3ac526c276565c7b7ca2a700fc363d183d8b89bd7f5f12308c0c4fe3a82706c781bccc90ba0772c8a94b73a1dd7
7
+ data.tar.gz: 1384e2f28b152c93c83a398940d2bbf5f6b1d052bca96817e429aff860bc22d2e7df84edbcad6f07d439f14a11639044b285c0f8b03caaffb597b53dce218a9f
@@ -1,5 +1,5 @@
1
1
  #!/usr/bin/env ruby
2
2
 
3
- require 'chef_fixie/console'
3
+ require_relative '../lib/chef_fixie/console'
4
4
 
5
- Fixie::Console.start
5
+ ChefFixie::Console.start
@@ -5,7 +5,22 @@ Basics:
5
5
  Underneath everything is the Ruby Sequel library; there are a number
6
6
  of ways to access it.
7
7
 
8
- Check out http://ricostacruz.com/cheatsheets/sequel.html and
8
+ Check out http://ricostacruz.com/cheatsheets/sequel.html or the Sequel
9
+ gem docs for details of the sequel library.
10
+
11
+ Many objects in fixie have the accessor inner, which exposes the
12
+ Sequel selector. This includes:
13
+ * The constants ORGS, USERS, ASSOCIATIONS, and INVITES
14
+ ```ruby
15
+ ORGS.inner.first
16
+ #< @values={:id=>"7ddaee6b42e8f6a0a8e9d5d5efe644f8", :authz_id=>"f46b2e53869968ce115b97d2fd8bfee0", :name=>"ponyville", :full_name=>"ponyville", :assigned_at=>2015-07-21 18:22:34 UTC, :last_updated_by=>"08076ed32f7d5c62721607dd2c309c55", :created_at=>2015-07-21 18:22:34 UTC, :updated_at=>2015-07-21 18:22:34 UTC}>
17
+ ```
18
+ * Any of the by_XXXX accessors
19
+ ```ruby
20
+ ORGS['
21
+
22
+
23
+ ```
9
24
 
10
25
 
11
26
 
@@ -34,3 +49,20 @@ now = Sequel.function(:NOW)
34
49
  ASSOCS.inner.insert(:org_id=>o.id, :user_id=>u.id, :last_updated_by=>pivotal.authz_id,
35
50
  :created_at=>now, :updated_at=>now )
36
51
  ```
52
+
53
+
54
+ * Fixing a group that lost its authz object.
55
+ We've seen the users group in hosted loose it's authz entry
56
+
57
+ ```ruby
58
+ a = Fixie::AuthzApi.new
59
+ # create a new authz group
60
+ g = a.post("groups",{})
61
+ # check that only one group is returned
62
+ ORGS['acme'].groups.by_name('users').inner.all
63
+ # alter the group and insert the new authz id
64
+ ORGS['acme'].groups.by_name('users').inner.update(:authz_id=>g.id)
65
+ ```
66
+
67
+ This does not add the users back to the usergs group, or re-add users
68
+ all the acls that used to have the users group in them.
@@ -0,0 +1,33 @@
1
+ Restoring acl permissions globally
2
+ ============
3
+
4
+ If a key group is deleted (such as users)
5
+
6
+ * Verify that the org has issues
7
+
8
+ * Create/restore the group
9
+ (TBW)
10
+
11
+ * Add the users/groups back to the group
12
+ (TBW)
13
+
14
+ * Set the group ACL appropriately
15
+ ```ruby
16
+ users_group.ace_add([:create,:read,:update,:delete], org.groups['admins'])
17
+ users_group.ace_add([:create,:read,:update,:delete], USERS['pivotal'])
18
+ ``
19
+
20
+ * Restore users to the appropriate container ACLs
21
+ ```ruby
22
+ org = ORGS[THE_ORG]
23
+ cl = %w(cookbooks data nodes roles environments policies policy_groups cookbook_artifacts)
24
+ cl.each {|c| o.containers[c].ace_add([:create,:read,:update,:delete], org.groups['users']) }
25
+ %w(clients).each { |c| org.containers[c].ace_add([:read,:delete], org.groups['users']) }
26
+ %w(groups containers).each { |c| org.containers[c].ace_add([:read], org.groups['users']) }
27
+ %w(sandboxes).each { |c| org.containers[c].ace_add([:create], org.groups['users']) }
28
+ ```
29
+
30
+ * Then update the objects from the containers:
31
+ ```ruby
32
+ Fixie::BulkEditPermissions::copy_from_containers(org)
33
+ ```
@@ -17,11 +17,12 @@
17
17
  # Author: Mark Anderson <mark@chef.io>
18
18
 
19
19
  require 'sequel'
20
- require 'chef_fixie/config'
21
- require 'chef_fixie/sql'
22
- require 'chef_fixie/sql_objects'
20
+ require_relative 'chef_fixie/config'
21
+ require_relative 'chef_fixie/sql'
22
+ require_relative 'chef_fixie/sql_objects'
23
23
 
24
24
  # This doesn't work because of initialization order, figure it out.
25
- require 'chef_fixie/check_org_associations'
25
+ require_relative 'chef_fixie/check_org_associations'
26
+ require_relative 'chef_fixie/bulk_edit_permissions'
26
27
 
27
28
  Sequel.extension :inflector
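Review bot: The new `require_relative 'chef_fixie/bulk_edit_permissions'` is placed directly under the comment `# This doesn't work because of initialization order, figure it out.`, which appears to have been written for the `check_org_associations` require, so the comment now reads as describing both lines; move it or reword it, e.g. `# check_org_associations depends on initialization order; bulk_edit_permissions must load after sql_objects`. That ordering is not incidental: `bulk_edit_permissions.rb` references `ChefFixie::Sql::Orgs`, `Users`, `Associations` and `Invites` but requires only `config.rb`, `authz_objects.rb` and `authz_mapper.rb`, so it only resolves because this file has already loaded `sql_objects`. Adding `require_relative 'sql_objects'` to `bulk_edit_permissions.rb` itself would make that dependency explicit.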
@@ -18,8 +18,8 @@
18
18
  #
19
19
 
20
20
  require 'pp'
21
- require 'chef_fixie/config'
22
- require 'chef_fixie/authz_objects'
21
+ require_relative 'config'
22
+ require_relative 'authz_objects'
23
23
 
24
24
  module ChefFixie
25
25
  module AuthzMapper
@@ -21,7 +21,7 @@ require 'pp'
21
21
  require 'ffi_yajl'
22
22
  require 'chef/http'
23
23
 
24
- require 'chef_fixie/config'
24
+ require_relative 'config'
25
25
 
26
26
  module ChefFixie
27
27
 
@@ -0,0 +1,157 @@
1
+ #
2
+ # Copyright (c) 2015 Chef Software Inc.
3
+ # License :: Apache License, Version 2.0
4
+ #
5
+ # Licensed under the Apache License, Version 2.0 (the "License");
6
+ # you may not use this file except in compliance with the License.
7
+ # You may obtain a copy of the License at
8
+ #
9
+ # http://www.apache.org/licenses/LICENSE-2.0
10
+ #
11
+ # Unless required by applicable law or agreed to in writing, software
12
+ # distributed under the License is distributed on an "AS IS" BASIS,
13
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14
+ # See the License for the specific language governing permissions and
15
+ # limitations under the License.
16
+ #
17
+ # Author: Mark Anderson <mark@chef.io>
18
+ #
19
+ require 'sequel'
20
+
21
+ require_relative 'config.rb'
22
+ require_relative 'authz_objects.rb'
23
+ require_relative 'authz_mapper.rb'
24
+
25
+ require 'pp'
26
+
27
+ module ChefFixie
28
+ module BulkEditPermissions
29
+ def self.orgs
30
+ @orgs ||= ChefFixie::Sql::Orgs.new
31
+ end
32
+ def self.users
33
+ @users ||= ChefFixie::Sql::Users.new
34
+ end
35
+ def self.assocs
36
+ @assocs ||= ChefFixie::Sql::Associations.new
37
+ end
38
+ def self.invites
39
+ invites ||= ChefFixie::Sql::Invites.new
40
+ end
41
+
42
+ def self.check_permissions(org)
43
+ org = orgs[org] if org.is_a?(String)
44
+ admins = org.groups['admins'].authz_id
45
+ pivotal = users['pivotal'].authz_id
46
+ errors = Hash.new({})
47
+ org.each_authz_object do |object|
48
+ begin
49
+ acl = object.acl_raw
50
+ rescue RestClient::ResourceNotFound=>e
51
+ puts "#{object.class} '#{object.name}' id '#{object.id}' missing authz info"
52
+ # pp :object=>object, :e=>e
53
+ next
54
+ end
55
+ broken_acl = {}
56
+ # the one special case
57
+ acl.each do |k,v|
58
+ list = []
59
+ list << "pivotal" if !v['actors'].member?(pivotal)
60
+ # admins doesn't belong to the billing admins group
61
+ if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
62
+ list << "admins" if !v['groups'].member?(admins)
63
+ end
64
+ broken_acl[k] = list if !list.empty?
65
+ end
66
+ if !broken_acl.empty?
67
+ classname = object.class
68
+ errors[classname] = {} if !errors.has_key?(classname)
69
+ errors[classname][object.name] = broken_acl
70
+ end
71
+ end
72
+ return errors
73
+ end
74
+
75
+ def self.ace_add(list, ace_type, entity)
76
+ list.each do |item|
77
+ if item.respond_to?(:ace_add)
78
+ item.ace_add(ace_type, entity)
79
+ else
80
+ puts "item.class is not a native authz type"
81
+ return
82
+ end
83
+ end
84
+ end
85
+ def self.ace_delete(list, ace_type, entity)
86
+ list.each do |item|
87
+ if item.respond_to?(:ace_delete)
88
+ item.ace_delete(ace_type, entity)
89
+ else
90
+ puts "item.class is not a native authz type"
91
+ return
92
+ end
93
+ end
94
+ end
95
+
96
+ def self.do_all_objects(org)
97
+ org = orgs[org] if org.is_a?(String)
98
+
99
+ containers = org.containers.all(:all)
100
+ # Maybe we should fix up containers first?
101
+ # fix up objects in containers
102
+ containers.each do |container|
103
+ # TODO Write some tests to validate that this stuff
104
+ # works, since it depends on a lot of name magic...
105
+ object_type = container.name.to_sym
106
+ # raise Exception "No such object_type #{object_type}" unless org.respond_to?(object_type)
107
+ objects = org.send(object_type).all(:all)
108
+ if block_given?
109
+ yield objects
110
+ end
111
+ end
112
+ end
113
+
114
+ def self.ace_add_all(org, ace_type, entity)
115
+ org = orgs[org] if org.is_a?(String)
116
+ org.each_authz_object_by_class do |objects|
117
+ ace_add(objects, ace_type, entity)
118
+ end
119
+ end
120
+
121
+ def self.ace_delete_all(org, ace_type, entity)
122
+ org = orgs[org] if org.is_a?(String)
123
+ org.each_authz_object_by_class do |objects|
124
+ ace_delete(objects, ace_type, entity)
125
+ end
126
+ end
127
+
128
+ def self.add_admin_permissions(org)
129
+ org = orgs[org] if org.is_a?(String)
130
+ # rework when ace add takes multiple items...
131
+ admins = org.groups['admins']
132
+ pivotal = users['pivotal']
133
+ org.each_authz_object do |object|
134
+ object.ace_add(:all, pivotal)
135
+ if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
136
+ object.ace_add(:all, admins)
137
+ end
138
+ end
139
+ end
140
+
141
+ def self.copy_from_containers(org)
142
+ org = orgs[org] if org.is_a?(String)
143
+
144
+ containers = org.containers.all(:all)
145
+ containers.each do |c|
146
+ # don't mess with containers and groups, they are special
147
+ next if c.name == "containers" || c.name == "groups"
148
+ org.objects_by_container_type(c.name).each do |obj|
149
+ obj.acl_add_from_object(c)
150
+ puts "#{obj.name} from #{c.name}"
151
+ end
152
+ end
153
+ return
154
+ end
155
+
156
+ end
157
+ end
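Review bot: `self.invites` assigns a local (`invites ||= ChefFixie::Sql::Invites.new`) where the three sibling accessors use an instance variable, so nothing is memoized and every call constructs a fresh `ChefFixie::Sql::Invites`; it should read `@invites ||= ChefFixie::Sql::Invites.new`. In `self.ace_add` and `self.ace_delete` the message is a plain string, so it prints the literal text `item.class` — `puts "#{item.class} is not a native authz type"` — and the bare `return` then drops the remainder of the list without signalling anything to `ace_add_all` / `ace_delete_all`. `self.do_all_objects` calls `org.send(container.name.to_sym)` on a name read from a container row, with the `respond_to?` guard left commented out and without the `NAME_FIXUP` mapping that `objects_by_container_type` applies, so it duplicates `each_authz_object_by_class` less safely; consider removing it, or dispatching with `org.public_send(object_type)` behind `next unless org.respond_to?(object_type)`. `rescue RestClient::ResourceNotFound` in `check_permissions` names a constant this file does not itself require while the sibling files use `chef/http`; if the HTTP layer raises a different class that branch never matches and the original exception propagates, which is worth confirming.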
@@ -18,11 +18,10 @@
18
18
  # Author: Mark Anderson <mark@chef.io>
19
19
  #
20
20
 
21
- require 'chef_fixie/config'
22
- require 'chef_fixie/authz_objects'
23
- require 'chef_fixie/authz_mapper'
24
-
25
- require 'chef_fixie/utility_helpers'
21
+ require_relative 'config'
22
+ require_relative 'authz_objects'
23
+ require_relative 'authz_mapper'
24
+ require_relative 'utility_helpers'
26
25
 
27
26
  module ChefFixie
28
27
  module CheckOrgAssociations
@@ -22,8 +22,8 @@ require 'optparse'
22
22
  require 'pp'
23
23
  require 'pry'
24
24
 
25
- require 'chef_fixie'
26
- require 'chef_fixie/context'
25
+ require_relative '../chef_fixie'
26
+ require_relative 'context'
27
27
 
28
28
  module ChefFixie
29
29
  module Console
@@ -31,7 +31,7 @@ module ChefFixie
31
31
 
32
32
  def start
33
33
  configure
34
- Fixie.setup
34
+ ChefFixie.setup
35
35
  configure_pry
36
36
  Pry.start
37
37
  end
@@ -41,7 +41,7 @@ module ChefFixie
41
41
  if ARGV.first && ARGV[0].chars.first != "-" && config_file = ARGV.shift
42
42
  config_file = File.expand_path(config_file)
43
43
  end
44
- Fixie.load_config(config_file)
44
+ ChefFixie.load_config(config_file)
45
45
 
46
46
  options = {}
47
47
  OptionParser.new do |opt|
@@ -20,7 +20,7 @@ require 'ffi_yajl'
20
20
  require 'uuidtools'
21
21
  require 'sequel'
22
22
 
23
- require 'chef_fixie/config'
23
+ require_relative 'config'
24
24
 
25
25
  Sequel.default_timezone = :utc
26
26
 
@@ -20,9 +20,9 @@
20
20
  require 'pp'
21
21
  require 'sequel'
22
22
 
23
- require 'chef_fixie/config'
24
- require 'chef_fixie/authz_objects'
25
- require 'chef_fixie/authz_mapper'
23
+ require_relative 'config'
24
+ require_relative 'authz_objects'
25
+ require_relative 'authz_mapper'
26
26
 
27
27
  Sequel.extension :inflector
28
28
 
@@ -119,6 +119,42 @@ module ChefFixie
119
119
  ChefFixie::Sql::Groups.new["#{name}_global_admins"]
120
120
  end
121
121
 
122
+ # Iterators for objects in authz; using containers to enumerate things
123
+ # It might be better to metaprogram this up instead,
124
+ #
125
+ # TODO Write some tests to validate that this stuff
126
+ # works, since it depends on a lot of name magic...
127
+
128
+ NAME_FIXUP = {"data" => "data_bags", "sandboxes" => nil}
129
+ def objects_by_container_type(container)
130
+ name = NAME_FIXUP.has_key?(container) ? NAME_FIXUP[container] : container
131
+ return [] if name.nil?
132
+
133
+ object_type = name.to_sym
134
+ # raise Exception "No such object_type #{object_type}" unless respond_to?(object_type)
135
+ send(object_type).all(:all)
136
+ end
137
+
138
+ def each_authz_object_by_class
139
+ containers = self.containers.all(:all)
140
+ containers.each do |container|
141
+ objects = objects_by_container_type(container.name)
142
+ if block_given?
143
+ yield objects
144
+ end
145
+ end
146
+ return
147
+ end
148
+
149
+ def each_authz_object
150
+ each_authz_object_by_class do |objectlist|
151
+ objectlist.each do |object|
152
+ yield object
153
+ end
154
+ end
155
+ return
156
+ end
157
+
122
158
  scoped_type :container, :group, :client,
123
159
  :cookbook_artifact, :cookbook, :data_bag, :environment, :node, :policy, :policy_group , :role
124
160
 
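Review bot: `objects_by_container_type` dispatches with `send(object_type)` on a name derived from a container row, with the `respond_to?` guard left as the commented-out line above it, so an unexpected container name raises NoMethodError from deep inside `each_authz_object`, and `send` will also reach private methods; replace the comment with `return [] unless respond_to?(object_type)` and call `public_send(object_type).all(:all)`. `NAME_FIXUP` is a mutable constant and should be `.freeze`d (and `has_key?` is conventionally `key?`). `each_authz_object_by_class` checks `block_given?` but still runs every container query and returns nil when called without a block, while `each_authz_object` yields unguarded; `return enum_for(__method__) unless block_given?` at the top of each is the usual shape. The enclosing class starts and ends outside the hunk.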
@@ -18,9 +18,9 @@
18
18
  # Author: Mark Anderson <mark@chef.io>
19
19
  #
20
20
 
21
- require 'chef_fixie/config'
22
- require 'chef_fixie/authz_objects'
23
- require 'chef_fixie/authz_mapper'
21
+ require_relative 'config'
22
+ require_relative 'authz_objects'
23
+ require_relative 'authz_mapper'
24
24
 
25
25
  module ChefFixie
26
26
  module UtilityHelpers
@@ -1,3 +1,3 @@
1
1
  module ChefFixie
2
- VERSION = "0.1.0"
2
+ VERSION = "0.2.0"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: chef_fixie
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mark Anderson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2015-08-27 00:00:00.000000000 Z
11
+ date: 2015-09-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: chef
@@ -188,6 +188,7 @@ files:
188
188
  - bin/serverspec-init
189
189
  - doc/AccessingSQL.md
190
190
  - doc/AccessingSQL.md~
191
+ - doc/BulkFixup.md
191
192
  - doc/BulkFixup.md~
192
193
  - doc/CommonTasks.md
193
194
  - doc/CommonTasks.md~
@@ -197,6 +198,7 @@ files:
197
198
  - lib/chef_fixie.rb
198
199
  - lib/chef_fixie/authz_mapper.rb
199
200
  - lib/chef_fixie/authz_objects.rb
201
+ - lib/chef_fixie/bulk_edit_permissions.rb
200
202
  - lib/chef_fixie/check_org_associations.rb
201
203
  - lib/chef_fixie/config.rb
202
204
  - lib/chef_fixie/console.rb