chef_fixie 0.1.0 → 0.5.0

data/lib/chef_fixie/bulk_edit_permissions.rb

@@ -0,0 +1,161 @@
+#
+# Copyright (c) 2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+require "sequel"
+
+require_relative "config.rb"
+require_relative "authz_objects.rb"
+require_relative "authz_mapper.rb"
+
+require "pp"
+
+module ChefFixie
+  module BulkEditPermissions
+    def self.orgs
+      @orgs ||= ChefFixie::Sql::Orgs.new
+    end
+
+    def self.users
+      @users ||= ChefFixie::Sql::Users.new
+    end
+
+    def self.assocs
+      @assocs ||= ChefFixie::Sql::Associations.new
+    end
+
+    def self.invites
+      invites ||= ChefFixie::Sql::Invites.new
+    end
+
+    def self.check_permissions(org)
+      org = orgs[org] if org.is_a?(String)
+      admins = org.groups["admins"].authz_id
+      pivotal = users["pivotal"].authz_id
+      errors = Hash.new({})
+      org.each_authz_object do |object|
+        begin
+          acl = object.acl_raw
+        rescue RestClient::ResourceNotFound => e
+          puts "#{object.class} '#{object.name}' id '#{object.id}' missing authz info"
+          # pp :object=>object, :e=>e
+          next
+        end
+        broken_acl = {}
+        # the one special case
+        acl.each do |k, v|
+          list = []
+          list << "pivotal" if !v["actors"].member?(pivotal)
+          # admins doesn't belong to the billing admins group
+          if object.class != ChefFixie::Sql::Group || object.name != "billing-admins"
+            list << "admins" if !v["groups"].member?(admins)
+          end
+          broken_acl[k] = list if !list.empty?
+        end
+        if !broken_acl.empty?
+          classname = object.class
+          errors[classname] = {} if !errors.has_key?(classname)
+          errors[classname][object.name] = broken_acl
+        end
+      end
+      errors
+    end
+
+    def self.ace_add(list, ace_type, entity)
+      list.each do |item|
+        if item.respond_to?(:ace_add)
+          item.ace_add(ace_type, entity)
+        else
+          puts "item.class is not a native authz type"
+          return nil
+        end
+      end
+    end
+
+    def self.ace_delete(list, ace_type, entity)
+      list.each do |item|
+        if item.respond_to?(:ace_delete)
+          item.ace_delete(ace_type, entity)
+        else
+          puts "item.class is not a native authz type"
+          return nil
+        end
+      end
+    end
+
+    def self.do_all_objects(org)
+      org = orgs[org] if org.is_a?(String)
+
+      containers = org.containers.all(:all)
+      # Maybe we should fix up containers first?
+      # fix up objects in containers
+      containers.each do |container|
+        # TODO Write some tests to validate that this stuff
+        # works, since it depends on a lot of name magic...
+        object_type = container.name.to_sym
+#        raise Exception "No such object_type #{object_type}" unless org.respond_to?(object_type)
+        objects = org.send(object_type).all(:all)
+        if block_given?
+          yield objects
+        end
+      end
+    end
+
+    def self.ace_add_all(org, ace_type, entity)
+      org = orgs[org] if org.is_a?(String)
+      org.each_authz_object_by_class do |objects|
+        ace_add(objects, ace_type, entity)
+      end
+    end
+
+    def self.ace_delete_all(org, ace_type, entity)
+      org = orgs[org] if org.is_a?(String)
+      org.each_authz_object_by_class do |objects|
+        ace_delete(objects, ace_type, entity)
+      end
+    end
+
+    def self.add_admin_permissions(org)
+      org = orgs[org] if org.is_a?(String)
+      # rework when ace add takes multiple items...
+      admins = org.groups["admins"]
+      pivotal = users["pivotal"]
+      org.each_authz_object do |object|
+        object.ace_add(:all, pivotal)
+        if object.class != ChefFixie::Sql::Group || object.name != "billing-admins"
+          object.ace_add(:all, admins)
+        end
+      end
+    end
+
+    def self.copy_from_containers(org)
+      org = orgs[org] if org.is_a?(String)
+
+      containers = org.containers.all(:all)
+      containers.each do |c|
+        # don't mess with containers and groups, they are special
+        next if c.name == "containers" || c.name == "groups"
+        org.objects_by_container_type(c.name).each do |obj|
+          obj.acl_add_from_object(c)
+          puts "#{obj.name} from #{c.name}"
+        end
+      end
+      nil
+    end
+
+  end
+end

data/lib/chef_fixie/check_org_associations.rb

@@ -18,46 +18,55 @@
 # Author: Mark Anderson <mark@chef.io>
 #
 
-require 'chef_fixie/config'
-require 'chef_fixie/authz_objects'
-require 'chef_fixie/authz_mapper'
-
-require 'chef_fixie/utility_helpers'
+require_relative "config"
+require_relative "authz_objects"
+require_relative "authz_mapper"
+require_relative "utility_helpers"
 
 module ChefFixie
   module CheckOrgAssociations
     def self.orgs
       @orgs ||= ChefFixie::Sql::Orgs.new
     end
+
     def self.users
       @users ||= ChefFixie::Sql::Users.new
     end
+
     def self.assocs
       @assocs ||= ChefFixie::Sql::Associations.new
     end
+
     def self.invites
       invites ||= ChefFixie::Sql::Invites.new
     end
 
     def self.make_user(user)
       if user.is_a?(String)
-        return users[user]
+        users[user]
       elsif user.is_a?(ChefFixie::Sql::User)
-        return user
+        user
       else
         raise "Expected a user, got a #{user.class}"
       end
     end
+
     def self.make_org(org)
       if org.is_a?(String)
-        return orgs[org]
+        orgs[org]
       elsif org.is_a?(ChefFixie::Sql::Org)
-        return org
+        org
       else
         raise "Expected an org, got a #{org.class}"
       end
     end
 
+    def usag_for_user(org, user)
+      user = make_user(user)
+      org = make_org(org)
+      org.groups[user.id]
+    end
+
     def self.check_association(org, user, global_admins = nil)
       # magic to make usage easier
       org = make_org(org)
@@ -79,7 +88,7 @@ module ChefFixie
         return :user_not_in_usag
       end
 
-      if !org.groups['users'].member?(usag)
+      if !org.groups["users"].member?(usag)
         return :usag_not_in_users
       end
 
@@ -90,7 +99,7 @@ module ChefFixie
       if invites.by_org_id_user_id(org.id, user.id)
         return :zombie_invite
       end
-      return true
+      true
     end
 
     def self.fix_association(org, user, global_admins = nil)
@@ -99,7 +108,7 @@ module ChefFixie
       user = users[user] if user.is_a?(String)
       global_admins ||= org.global_admins
 
-      failure = check_association(org,user,global_admins)
+      failure = check_association(org, user, global_admins)
 
       case failure
       when true
@@ -109,14 +118,14 @@ module ChefFixie
         usag.group_add(user)
       when :usag_not_in_users
         usag = org.groups[user.id]
-        org.groups['users'].group_add(usag)
+        org.groups["users"].group_add(usag)
       when :global_admins_lacks_read
         user.ace_add(:read, global_admins)
       else
         puts "#{org.name} #{user.name} can't fix problem #{failure} yet"
         return false
       end
-      return true
+      true
     end
 
     def self.check_associations(org)
@@ -134,56 +143,54 @@ module ChefFixie
       users_assoc = assocs.by_org_id(org.id).all(:all)
       users_invite = invites.by_org_id(org.id).all(:all)
 
-      user_ids = users_assoc.map {|a| a.user_id }
-      users_in_org = user_ids.map {|i| users.by_id(i).all.first }
-      usernames = users_in_org.map {|u| u.name }
-
+      user_ids = users_assoc.map { |a| a.user_id }
+      users_in_org = user_ids.map { |i| users.by_id(i).all.first }
+      usernames = users_in_org.map { |u| u.name }
 
       # check that users aren't both invited and associated
-      invited_ids = users_invite.map {|a| a.user_id }
+      invited_ids = users_invite.map { |a| a.user_id }
       overlap_ids = user_ids & invited_ids
 
       if !overlap_ids.empty?
-        overlap_names = overlap_ids.map {|i| users.by_id(i).all.first.name rescue "#{i}" }
-        puts "#{orgname} users both associated and invited: #{overlap_names.join(', ') }"
+        overlap_names = overlap_ids.map { |i| users.by_id(i).all.first.name rescue "#{i}" }
+        puts "#{orgname} users both associated and invited: #{overlap_names.join(', ')}"
         success = false
       end
 
       # Check that we don't have zombie USAGs left around (not 100% reliable)
       # because someone could create a group that looks like a USAG
       possible_usags = org.groups.list(:all) - user_ids
-      usags = possible_usags.select {|n| n =~ /^\h+{20}$/ }
+      usags = possible_usags.select { |n| n =~ /^\h+{20}$/ }
       if !usags.empty?
-        puts "#{orgname} Suspicious USAGS without associated user #{usags.join(', ') }"
+        puts "#{orgname} Suspicious USAGS without associated user #{usags.join(', ')}"
       end
 
       # Check group membership for sanity
-      success &= check_group(org, 'billing-admins', usernames)
-      success &= check_group(org, 'admins', usernames)
+      success &= check_group(org, "billing-admins", usernames)
+      success &= check_group(org, "admins", usernames)
 
       # TODO check for non-usags in users!
-      users_members = org.groups['users'].group
-      users_actors = users_members['actors'] - [[:global, "pivotal"]]
+      users_members = org.groups["users"].group
+      users_actors = users_members["actors"] - [[:global, "pivotal"]]
       if !users_actors.empty?
         puts "#{orgname} has actors in it's users group #{users_actors}"
       end
-      non_usags = users_members['groups'].map {|g| g[1] } - user_ids
+      non_usags = users_members["groups"].map { |g| g[1] } - user_ids
       if !non_usags.empty?
         puts "#{orgname} warning: has non usags in it's users group #{non_usags.join(', ')}"
       end
 
-
       # Check individual associations
       users_in_org.each do |user|
-        result = self.check_association(org,user,global_admins)
-        if (result != true)
+        result = check_association(org, user, global_admins)
+        if result != true
           puts "Org #{orgname} Association check failed for #{user.name} #{result}"
           success = false
         end
       end
 
       puts "Org #{orgname} is #{success ? 'ok' : 'bad'} (#{users_in_org.count} users)"
-      return success
+      success
     end
 
     # expect at least one current user to be in admins and billing admins
@@ -193,50 +200,40 @@ module ChefFixie
         puts "#{orgname} Missing group #{groupname}"
         return :no_such_group
       end
-      actors = g.group['actors'].map {|x| x[1] }
+      actors = g.group["actors"].map { |x| x[1] }
       live = actors & users
 
       if live.count == 0
         puts "Org #{org.name} has no active users in #{groupname}"
         return false
       end
-      return true
+      true
     end
 
-
-    ## TODO: Port this
     def self.remove_association(org, user)
       # magic to make usage easier
-      org = orgs[org] if org.is_a?(String)
-      user = users[user] if user.is_a?(String)
+      org = make_org(org)
+      user = make_user(user)
 
       # remove USAG
-      delete_usag_for_user(orgname,username)
+      usag = org.groups[user.id]
+      usag.delete if usag
 
-      # remove read ACE
-      u_aid =  user.authz_id
-      ga = OrgMapper::CouchSupport.doc_from_view("#{orgname}_global_admins", "#{Group}/by_groupname")
-      ga_aid = user_to_authz(ga["_id"])
+      # remove from any groups they are in
+      org.groups.all(:all).each do |g|
+        g.group_delete(user) if g.member?(user)
+      end
 
-      read_ace = OrgMapper::RawAuth.get("actors/#{u_aid}/acl/read")
-      read_ace["groups"] -= [ga_aid]
-      OrgMapper::RawAuth.put("actors/#{u_aid}/acl/read", read_ace)
+      # remove read ACE
+      user.ace_delete(:read, org.global_admins)
 
       # remove association record
+      assoc = assocs.by_org_id_user_id(org.id, user.id)
+      assoc.delete if assoc
 
-      org_assoc = OrgMapper::CouchSupport.associations_for_org(orgname)
-      doc = org_assoc.select {|x| x[:uid] == user.id}.first
-
-      OrgMapper::CouchSupport.delete_account_doc(doc[:id])
-
-      # clean up excess invites
-      invites = OrgMapper::CouchSupport.invites_for_org(orgname)
-      invite_map = invites.inject({}) {|a,e| a[e[:name]] = e; a}
-
-      if invite_map.has_key?(username)
-        invite = invite_map[username]
-        OrgMapper::CouchSupport.delete_account_doc(invite[:id])
-      end
+      # remove any invites
+      invite = invites.by_org_id_user_id(org.id, user.id)
+      invite.delete if invite
     end
   end
 end

data/lib/chef_fixie/config.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014-2015 Chef Software Inc. 
+# Copyright (c) 2014-2015 Chef Software Inc.
 # License :: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,9 +18,10 @@
 #
 # Much of this code was orginally derived from the orgmapper tool, which had many varied authors.
 
-require 'singleton'
-require 'ffi_yajl'
-require 'pathname'
+require "singleton"
+require "ffi_yajl"
+require "pathname"
+require "veil"
 
 module ChefFixie
   def self.configure
@@ -29,11 +30,11 @@ module ChefFixie
 
   def self.load_config(config_file = nil)
     if config_file
-      puts "loading config: #{config_file}..."
+      puts "loading config: #{config_file}..." if ChefFixie::Console.started_from_command_line?
       Kernel.load(config_file)
     else
       path = "/etc/opscode"
-      puts "loading config from #{path}"
+      puts "loading config from #{path}" if ChefFixie::Console.started_from_command_line?
       ChefFixie::Config.instance.load_from_pc(path)
     end
   end
@@ -65,7 +66,7 @@ module ChefFixie
     KEYS = [:authz_uri, :sql_database, :superuser_id, :pivotal_key]
     KEYS.each { |k| attr_accessor k }
 
-    def merge_opts(opts={})
+    def merge_opts(opts = {})
       opts.each do |key, value|
         send("#{key}=".to_sym, value)
       end
@@ -83,7 +84,7 @@ module ChefFixie
         key_len > max ? key_len : max
       end
       KEYS.each do |key|
-        value = send(key) || 'default'
+        value = send(key) || "default"
         txt << "# %#{max_key_len}s: %s" % [key.to_s, value]
       end
       txt.join("\n")
@@ -101,25 +102,28 @@ module ChefFixie
     def load_from_pc(dir = "/etc/opscode")
       configdir = Pathname.new(dir)
 
-      config_files = %w(chef-server-running.json)
+      config_files = %w{chef-server-running.json}
       config = load_json_from_path([configdir], config_files)
 
-      authz_config = config['private_chef']['oc_bifrost']
-      authz_vip = authz_config['vip']
-      authz_port = authz_config['port']
+      secrets = load_secrets_from_path([configdir], %w{private-chef-secrets.json} )
+
+      authz_config = config["private_chef"]["oc_bifrost"]
+      authz_vip = authz_config["vip"]
+      authz_port = authz_config["port"]
       @authz_uri = "http://#{authz_vip}:#{authz_port}"
-      
-      @superuser_id = authz_config['superuser_id']
-
-      sql_config = config['private_chef']['postgresql']
-      
-      sql_user = sql_config['sql_user']
-      sql_pw = sql_config['sql_password']
-      sql_vip = sql_config['vip']
-      sql_port = sql_config['port']
-      
+
+      @superuser_id = dig(secrets, %w{oc_bifrost superuser_id}) || authz_config["superuser_id"]
+
+      sql_config = config["private_chef"]["postgresql"]
+      erchef_config = config["private_chef"]["opscode-erchef"]
+
+      sql_user = sql_config["sql_user"] || erchef_config["sql_user"]
+      sql_pw = dig(secrets, %w{opscode_erchef sql_password}) || sql_config["sql_password"] || erchef_config["sql_password"]
+      sql_vip = sql_config["vip"]
+      sql_port = sql_config["port"]
+
       @sql_database = "postgres://#{sql_user}:#{sql_pw}@#{sql_vip}/opscode_chef"
-      
+
       @pivotal_key = configdir + "pivotal.pem"
     end
 
@@ -135,5 +139,36 @@ module ChefFixie
         end
       end
     end
+
+    def load_secrets_from_path(pathlist, filelist)
+      pathlist.each do |path|
+        filelist.each do |file|
+          configfile = path + file
+          if configfile.file?
+            data = Veil::CredentialCollection::ChefSecretsFile.from_file(configfile)
+            return data
+          end
+        end
+      end
+      nil
+    end
+
+    def dig(hash, list)
+      if hash.respond_to?(:get)
+        hash.get(*list)
+      elsif hash.nil?
+        nil
+      elsif list.empty?
+        hash
+      else
+        element = list.shift
+        if hash.has_key?(element)
+          dig(hash[element], list)
+        else
+          nil
+        end
+      end
+    end
+
   end
 end