chef_fixie 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0ad2fbe46207502fef6aebd84a4f65c5143a691d
-  data.tar.gz: fcf34e96d4579c85ea02442bd7d17358269a8c16
+  metadata.gz: 1cc981bb23297717dac0de3676f42ea4422016ad
+  data.tar.gz: cfdc771777545508b0d3d195adc668e824ffe4f2
 SHA512:
-  metadata.gz: 891bf79ac2dfcac0bc3ab28d3439e54bb1b5431b977a876573ba196c5254e3d5d07a6015f5c859c44427912ebfd732284e51dec9c176cf22a934cb0f3bd5b525
-  data.tar.gz: 02adb68b623cd13142463329b359f0aaf141eb7b0e095aa1c9ecf82f7b6f826c6140982084fdc3d842f583eaeff0ce8f27f8ffa53de38fbb615857ab71e28d6b
+  metadata.gz: 4241554e99a513b1461bd8de38a199cab655f3ac526c276565c7b7ca2a700fc363d183d8b89bd7f5f12308c0c4fe3a82706c781bccc90ba0772c8a94b73a1dd7
+  data.tar.gz: 1384e2f28b152c93c83a398940d2bbf5f6b1d052bca96817e429aff860bc22d2e7df84edbcad6f07d439f14a11639044b285c0f8b03caaffb597b53dce218a9f

data/bin/chef_fixie

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
 
-require 'chef_fixie/console'
+require_relative '../lib/chef_fixie/console'
 
-Fixie::Console.start
+ChefFixie::Console.start

data/doc/AccessingSQL.md

@@ -5,7 +5,22 @@ Basics:
 Underneath everything is the Ruby Sequel library; there are a number
 of ways to access it.
 
-Check out http://ricostacruz.com/cheatsheets/sequel.html and 
+Check out http://ricostacruz.com/cheatsheets/sequel.html or the Sequel
+gem docs for details of the sequel library.
+
+Many objects in fixie have the accessor inner, which exposes the
+Sequel selector. This includes:
+* The constants ORGS, USERS, ASSOCIATIONS, and INVITES
+```ruby
+ORGS.inner.first
+#< @values={:id=>"7ddaee6b42e8f6a0a8e9d5d5efe644f8", :authz_id=>"f46b2e53869968ce115b97d2fd8bfee0", :name=>"ponyville", :full_name=>"ponyville", :assigned_at=>2015-07-21 18:22:34 UTC, :last_updated_by=>"08076ed32f7d5c62721607dd2c309c55", :created_at=>2015-07-21 18:22:34 UTC, :updated_at=>2015-07-21 18:22:34 UTC}>
+```
+* Any of the by_XXXX accessors
+```ruby
+ORGS['
+
+
+```
 
 
 
@@ -34,3 +49,20 @@ now = Sequel.function(:NOW)
 ASSOCS.inner.insert(:org_id=>o.id, :user_id=>u.id, :last_updated_by=>pivotal.authz_id,
 	:created_at=>now, :updated_at=>now )
 ```
+
+
+* Fixing a group that lost its authz object.
+We've seen the users group in hosted loose it's authz entry
+
+```ruby
+a = Fixie::AuthzApi.new
+# create a new authz group
+g = a.post("groups",{})
+# check that only one group is returned
+ORGS['acme'].groups.by_name('users').inner.all
+# alter the group and insert the new authz id
+ORGS['acme'].groups.by_name('users').inner.update(:authz_id=>g.id)
+```
+
+This does not add the users back to the usergs group, or re-add users
+all the acls that used to have the users group in them.

data/doc/BulkFixup.md

@@ -0,0 +1,33 @@
+Restoring acl permissions globally
+============
+
+If a key group is deleted (such as users)
+
+* Verify that the org has issues
+
+* Create/restore the group
+(TBW)
+
+* Add the users/groups back to the group
+(TBW)
+
+* Set the group ACL appropriately
+```ruby
+users_group.ace_add([:create,:read,:update,:delete], org.groups['admins'])
+users_group.ace_add([:create,:read,:update,:delete], USERS['pivotal'])
+``
+
+* Restore users to the appropriate container ACLs
+```ruby
+org = ORGS[THE_ORG]
+cl = %w(cookbooks data nodes roles environments policies policy_groups cookbook_artifacts)
+cl.each {|c| o.containers[c].ace_add([:create,:read,:update,:delete], org.groups['users']) }
+%w(clients).each { |c| org.containers[c].ace_add([:read,:delete], org.groups['users']) }
+%w(groups containers).each { |c| org.containers[c].ace_add([:read], org.groups['users']) }
+%w(sandboxes).each { |c| org.containers[c].ace_add([:create], org.groups['users']) }
+```
+
+* Then update the objects from the containers:
+```ruby
+Fixie::BulkEditPermissions::copy_from_containers(org)
+```

data/lib/chef_fixie.rb

@@ -17,11 +17,12 @@
 # Author: Mark Anderson <mark@chef.io>
 
 require 'sequel'
-require 'chef_fixie/config'
-require 'chef_fixie/sql'
-require 'chef_fixie/sql_objects'
+require_relative 'chef_fixie/config'
+require_relative 'chef_fixie/sql'
+require_relative 'chef_fixie/sql_objects'
 
 # This doesn't work because of initialization order, figure it out.
-require 'chef_fixie/check_org_associations'
+require_relative 'chef_fixie/check_org_associations'
+require_relative 'chef_fixie/bulk_edit_permissions'
 
 Sequel.extension :inflector

data/lib/chef_fixie/authz_mapper.rb

@@ -18,8 +18,8 @@
 #
 
 require 'pp'
-require 'chef_fixie/config'
-require 'chef_fixie/authz_objects'
+require_relative 'config'
+require_relative 'authz_objects'
 
 module ChefFixie
   module AuthzMapper

data/lib/chef_fixie/authz_objects.rb

@@ -21,7 +21,7 @@ require 'pp'
 require 'ffi_yajl'
 require 'chef/http'
 
-require 'chef_fixie/config'
+require_relative 'config'
 
 module ChefFixie
 

data/lib/chef_fixie/bulk_edit_permissions.rb

@@ -0,0 +1,157 @@
+#
+# Copyright (c) 2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+require 'sequel'
+
+require_relative 'config.rb'
+require_relative 'authz_objects.rb'
+require_relative 'authz_mapper.rb'
+
+require 'pp'
+
+module ChefFixie
+  module BulkEditPermissions
+    def self.orgs
+      @orgs ||= ChefFixie::Sql::Orgs.new
+    end
+    def self.users
+      @users ||= ChefFixie::Sql::Users.new
+    end
+    def self.assocs
+      @assocs ||= ChefFixie::Sql::Associations.new
+    end
+    def self.invites
+      invites ||= ChefFixie::Sql::Invites.new
+    end
+
+    def self.check_permissions(org)
+      org = orgs[org] if org.is_a?(String)
+      admins = org.groups['admins'].authz_id
+      pivotal = users['pivotal'].authz_id
+      errors = Hash.new({})
+      org.each_authz_object do |object|
+        begin 
+          acl = object.acl_raw
+        rescue RestClient::ResourceNotFound=>e
+          puts "#{object.class} '#{object.name}' id '#{object.id}' missing authz info"
+          # pp :object=>object, :e=>e
+          next
+        end
+        broken_acl = {}
+        # the one special case
+        acl.each do |k,v|
+          list = []
+          list << "pivotal" if !v['actors'].member?(pivotal)
+          # admins doesn't belong to the billing admins group
+          if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
+            list << "admins" if !v['groups'].member?(admins)
+          end
+          broken_acl[k] = list if !list.empty?
+        end
+        if !broken_acl.empty?
+          classname = object.class
+          errors[classname] = {} if !errors.has_key?(classname)
+          errors[classname][object.name] = broken_acl
+        end
+      end
+      return errors
+    end
+
+    def self.ace_add(list, ace_type, entity)
+      list.each do |item|
+        if item.respond_to?(:ace_add)
+          item.ace_add(ace_type, entity)
+        else
+          puts "item.class is not a native authz type"
+          return
+        end
+      end
+    end
+    def self.ace_delete(list, ace_type, entity)
+      list.each do |item|
+        if item.respond_to?(:ace_delete)
+          item.ace_delete(ace_type, entity)
+        else
+          puts "item.class is not a native authz type"
+          return
+        end
+      end
+    end
+
+    def self.do_all_objects(org)
+      org = orgs[org] if org.is_a?(String)
+
+      containers = org.containers.all(:all)
+      # Maybe we should fix up containers first?
+      # fix up objects in containers
+      containers.each do |container|
+        # TODO Write some tests to validate that this stuff
+        # works, since it depends on a lot of name magic...
+        object_type = container.name.to_sym
+#        raise Exception "No such object_type #{object_type}" unless org.respond_to?(object_type)
+        objects = org.send(object_type).all(:all)
+        if block_given?
+          yield objects
+        end
+      end
+    end
+
+    def self.ace_add_all(org, ace_type, entity)
+      org = orgs[org] if org.is_a?(String)
+      org.each_authz_object_by_class do |objects|
+        ace_add(objects, ace_type, entity)
+      end
+    end
+
+    def self.ace_delete_all(org, ace_type, entity)
+      org = orgs[org] if org.is_a?(String)
+      org.each_authz_object_by_class do |objects|
+        ace_delete(objects, ace_type, entity)
+      end
+    end
+
+    def self.add_admin_permissions(org)
+      org = orgs[org] if org.is_a?(String)
+      # rework when ace add takes multiple items...
+      admins = org.groups['admins']
+      pivotal = users['pivotal']
+      org.each_authz_object do |object|
+        object.ace_add(:all, pivotal)
+        if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
+          object.ace_add(:all, admins)
+        end
+      end
+    end
+
+    def self.copy_from_containers(org)
+      org = orgs[org] if org.is_a?(String)
+
+      containers = org.containers.all(:all)
+      containers.each do |c|
+        # don't mess with containers and groups, they are special
+        next if c.name == "containers" || c.name == "groups"
+        org.objects_by_container_type(c.name).each do |obj|
+          obj.acl_add_from_object(c)
+          puts "#{obj.name} from #{c.name}"
+        end
+      end
+      return
+    end
+
+  end
+end

data/lib/chef_fixie/check_org_associations.rb

@@ -18,11 +18,10 @@
 # Author: Mark Anderson <mark@chef.io>
 #
 
-require 'chef_fixie/config'
-require 'chef_fixie/authz_objects'
-require 'chef_fixie/authz_mapper'
-
-require 'chef_fixie/utility_helpers'
+require_relative 'config'
+require_relative 'authz_objects'
+require_relative 'authz_mapper'
+require_relative 'utility_helpers'
 
 module ChefFixie
   module CheckOrgAssociations

data/lib/chef_fixie/console.rb

@@ -22,8 +22,8 @@ require 'optparse'
 require 'pp'
 require 'pry'
 
-require 'chef_fixie'
-require 'chef_fixie/context'
+require_relative '../chef_fixie'
+require_relative 'context'
 
 module ChefFixie
   module Console
@@ -31,7 +31,7 @@ module ChefFixie
 
     def start
       configure
-      Fixie.setup
+      ChefFixie.setup
       configure_pry
       Pry.start
     end
@@ -41,7 +41,7 @@ module ChefFixie
       if ARGV.first && ARGV[0].chars.first != "-" && config_file = ARGV.shift
         config_file = File.expand_path(config_file)
       end
-      Fixie.load_config(config_file)
+      ChefFixie.load_config(config_file)
 
       options = {}
       OptionParser.new do |opt|

data/lib/chef_fixie/sql.rb

@@ -20,7 +20,7 @@ require 'ffi_yajl'
 require 'uuidtools'
 require 'sequel'
 
-require 'chef_fixie/config'
+require_relative 'config'
 
 Sequel.default_timezone = :utc
 

data/lib/chef_fixie/sql_objects.rb

@@ -20,9 +20,9 @@
 require 'pp'
 require 'sequel'
 
-require 'chef_fixie/config'
-require 'chef_fixie/authz_objects'
-require 'chef_fixie/authz_mapper'
+require_relative 'config'
+require_relative 'authz_objects'
+require_relative 'authz_mapper'
 
 Sequel.extension :inflector
 
@@ -119,6 +119,42 @@ module ChefFixie
         ChefFixie::Sql::Groups.new["#{name}_global_admins"]
       end
 
+      # Iterators for objects in authz; using containers to enumerate things
+      # It might be better to metaprogram this up instead,
+      #
+      # TODO Write some tests to validate that this stuff
+      # works, since it depends on a lot of name magic...
+
+      NAME_FIXUP = {"data" => "data_bags", "sandboxes" => nil}
+      def objects_by_container_type(container)
+        name = NAME_FIXUP.has_key?(container) ? NAME_FIXUP[container] : container
+        return [] if name.nil?
+
+        object_type = name.to_sym
+        #        raise Exception "No such object_type #{object_type}" unless respond_to?(object_type)
+        send(object_type).all(:all)
+      end
+
+      def each_authz_object_by_class
+        containers = self.containers.all(:all)
+        containers.each do |container|
+          objects = objects_by_container_type(container.name)
+          if block_given?
+            yield objects
+          end
+        end
+        return
+      end
+
+      def each_authz_object
+        each_authz_object_by_class do |objectlist|
+          objectlist.each do |object|
+            yield object
+          end
+        end
+        return
+      end
+
       scoped_type :container, :group, :client,
                   :cookbook_artifact, :cookbook, :data_bag, :environment, :node, :policy, :policy_group , :role
 

data/lib/chef_fixie/utility_helpers.rb

@@ -18,9 +18,9 @@
 # Author: Mark Anderson <mark@chef.io>
 #
 
-require 'chef_fixie/config'
-require 'chef_fixie/authz_objects'
-require 'chef_fixie/authz_mapper'
+require_relative 'config'
+require_relative 'authz_objects'
+require_relative 'authz_mapper'
 
 module ChefFixie
   module UtilityHelpers

data/lib/chef_fixie/version.rb

@@ -1,3 +1,3 @@
 module ChefFixie
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: chef_fixie
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Mark Anderson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-27 00:00:00.000000000 Z
+date: 2015-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: chef
@@ -188,6 +188,7 @@ files:
 - bin/serverspec-init
 - doc/AccessingSQL.md
 - doc/AccessingSQL.md~
+- doc/BulkFixup.md
 - doc/BulkFixup.md~
 - doc/CommonTasks.md
 - doc/CommonTasks.md~
@@ -197,6 +198,7 @@ files:
 - lib/chef_fixie.rb
 - lib/chef_fixie/authz_mapper.rb
 - lib/chef_fixie/authz_objects.rb
+- lib/chef_fixie/bulk_edit_permissions.rb
 - lib/chef_fixie/check_org_associations.rb
 - lib/chef_fixie/config.rb
 - lib/chef_fixie/console.rb