chef_fixie 0.1.0

data/lib/chef_fixie/check_org_associations.rb

@@ -0,0 +1,242 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+#
+# Copyright (c) 2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+
+require 'chef_fixie/config'
+require 'chef_fixie/authz_objects'
+require 'chef_fixie/authz_mapper'
+
+require 'chef_fixie/utility_helpers'
+
+module ChefFixie
+  module CheckOrgAssociations
+    def self.orgs
+      @orgs ||= ChefFixie::Sql::Orgs.new
+    end
+    def self.users
+      @users ||= ChefFixie::Sql::Users.new
+    end
+    def self.assocs
+      @assocs ||= ChefFixie::Sql::Associations.new
+    end
+    def self.invites
+      invites ||= ChefFixie::Sql::Invites.new
+    end
+
+    def self.make_user(user)
+      if user.is_a?(String)
+        return users[user]
+      elsif user.is_a?(ChefFixie::Sql::User)
+        return user
+      else
+        raise "Expected a user, got a #{user.class}"
+      end
+    end
+    def self.make_org(org)
+      if org.is_a?(String)
+        return orgs[org]
+      elsif org.is_a?(ChefFixie::Sql::Org)
+        return org
+      else
+        raise "Expected an org, got a #{org.class}"
+      end
+    end
+
+    def self.check_association(org, user, global_admins = nil)
+      # magic to make usage easier
+      org = make_org(org)
+      user = make_user(user)
+      global_admins ||= org.global_admins
+
+      # check that the user is associated
+      if !assocs.by_org_id_user_id(org.id, user.id)
+        return :not_associated
+      end
+
+      usag = org.groups[user.id]
+      # check that user has USAG
+      if usag.nil?
+        return :missing_usag
+      end
+
+      if !usag.member?(user)
+        return :user_not_in_usag
+      end
+
+      if !org.groups['users'].member?(usag)
+        return :usag_not_in_users
+      end
+
+      if !user.ace_member?(:read, global_admins)
+        return :global_admins_lacks_read
+      end
+
+      if invites.by_org_id_user_id(org.id, user.id)
+        return :zombie_invite
+      end
+      return true
+    end
+
+    def self.fix_association(org, user, global_admins = nil)
+      # magic to make usage easier
+      org = orgs[org] if org.is_a?(String)
+      user = users[user] if user.is_a?(String)
+      global_admins ||= org.global_admins
+
+      failure = check_association(org,user,global_admins)
+
+      case failure
+      when true
+        puts "#{org.name} #{user.name} doesn't need repair"
+      when :user_not_in_usag
+        usag = org.groups[user.id]
+        usag.group_add(user)
+      when :usag_not_in_users
+        usag = org.groups[user.id]
+        org.groups['users'].group_add(usag)
+      when :global_admins_lacks_read
+        user.ace_add(:read, global_admins)
+      else
+        puts "#{org.name} #{user.name} can't fix problem #{failure} yet"
+        return false
+      end
+      return true
+    end
+
+    def self.check_associations(org)
+      success = true
+      org = make_org(org)
+      orgname = org.name
+
+      # check that global_admins exists:
+      global_admins = org.global_admins
+      if !global_admins || !global_admins.is_a?(ChefFixie::Sql::Group)
+        puts "#{orgname} Missing global admins group"
+        success = false
+      end
+
+      users_assoc = assocs.by_org_id(org.id).all(:all)
+      users_invite = invites.by_org_id(org.id).all(:all)
+
+      user_ids = users_assoc.map {|a| a.user_id }
+      users_in_org = user_ids.map {|i| users.by_id(i).all.first }
+      usernames = users_in_org.map {|u| u.name }
+
+
+      # check that users aren't both invited and associated
+      invited_ids = users_invite.map {|a| a.user_id }
+      overlap_ids = user_ids & invited_ids
+
+      if !overlap_ids.empty?
+        overlap_names = overlap_ids.map {|i| users.by_id(i).all.first.name rescue "#{i}" }
+        puts "#{orgname} users both associated and invited: #{overlap_names.join(', ') }"
+        success = false
+      end
+
+      # Check that we don't have zombie USAGs left around (not 100% reliable)
+      # because someone could create a group that looks like a USAG
+      possible_usags = org.groups.list(:all) - user_ids
+      usags = possible_usags.select {|n| n =~ /^\h+{20}$/ }
+      if !usags.empty?
+        puts "#{orgname} Suspicious USAGS without associated user #{usags.join(', ') }"
+      end
+
+      # Check group membership for sanity
+      success &= check_group(org, 'billing-admins', usernames)
+      success &= check_group(org, 'admins', usernames)
+
+      # TODO check for non-usags in users!
+      users_members = org.groups['users'].group
+      users_actors = users_members['actors'] - [[:global, "pivotal"]]
+      if !users_actors.empty?
+        puts "#{orgname} has actors in it's users group #{users_actors}"
+      end
+      non_usags = users_members['groups'].map {|g| g[1] } - user_ids
+      if !non_usags.empty?
+        puts "#{orgname} warning: has non usags in it's users group #{non_usags.join(', ')}"
+      end
+
+
+      # Check individual associations
+      users_in_org.each do |user|
+        result = self.check_association(org,user,global_admins)
+        if (result != true)
+          puts "Org #{orgname} Association check failed for #{user.name} #{result}"
+          success = false
+        end
+      end
+
+      puts "Org #{orgname} is #{success ? 'ok' : 'bad'} (#{users_in_org.count} users)"
+      return success
+    end
+
+    # expect at least one current user to be in admins and billing admins
+    def self.check_group(org, groupname, users)
+      g = org.groups[groupname]
+      if g.nil?
+        puts "#{orgname} Missing group #{groupname}"
+        return :no_such_group
+      end
+      actors = g.group['actors'].map {|x| x[1] }
+      live = actors & users
+
+      if live.count == 0
+        puts "Org #{org.name} has no active users in #{groupname}"
+        return false
+      end
+      return true
+    end
+
+
+    ## TODO: Port this
+    def self.remove_association(org, user)
+      # magic to make usage easier
+      org = orgs[org] if org.is_a?(String)
+      user = users[user] if user.is_a?(String)
+
+      # remove USAG
+      delete_usag_for_user(orgname,username)
+
+      # remove read ACE
+      u_aid =  user.authz_id
+      ga = OrgMapper::CouchSupport.doc_from_view("#{orgname}_global_admins", "#{Group}/by_groupname")
+      ga_aid = user_to_authz(ga["_id"])
+
+      read_ace = OrgMapper::RawAuth.get("actors/#{u_aid}/acl/read")
+      read_ace["groups"] -= [ga_aid]
+      OrgMapper::RawAuth.put("actors/#{u_aid}/acl/read", read_ace)
+
+      # remove association record
+
+      org_assoc = OrgMapper::CouchSupport.associations_for_org(orgname)
+      doc = org_assoc.select {|x| x[:uid] == user.id}.first
+
+      OrgMapper::CouchSupport.delete_account_doc(doc[:id])
+
+      # clean up excess invites
+      invites = OrgMapper::CouchSupport.invites_for_org(orgname)
+      invite_map = invites.inject({}) {|a,e| a[e[:name]] = e; a}
+
+      if invite_map.has_key?(username)
+        invite = invite_map[username]
+        OrgMapper::CouchSupport.delete_account_doc(invite[:id])
+      end
+    end
+  end
+end

data/lib/chef_fixie/config.rb

@@ -0,0 +1,139 @@
+#
+# Copyright (c) 2014-2015 Chef Software Inc. 
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+# Much of this code was orginally derived from the orgmapper tool, which had many varied authors.
+
+require 'singleton'
+require 'ffi_yajl'
+require 'pathname'
+
+module ChefFixie
+  def self.configure
+    yield Config.instance
+  end
+
+  def self.load_config(config_file = nil)
+    if config_file
+      puts "loading config: #{config_file}..."
+      Kernel.load(config_file)
+    else
+      path = "/etc/opscode"
+      puts "loading config from #{path}"
+      ChefFixie::Config.instance.load_from_pc(path)
+    end
+  end
+
+  def self.setup
+    # TODO: do we have to polute global object with this to make it available to the irb instance?
+    Object.const_set(:ORGS, ChefFixie::Sql::Orgs.new)
+    Object.const_set(:USERS, ChefFixie::Sql::Users.new)
+    Object.const_set(:ASSOCS, ChefFixie::Sql::Associations.new)
+    Object.const_set(:INVITES, ChefFixie::Sql::Invites.new)
+
+    # scope this by the global org id?
+    Object.const_set(:GLOBAL_GROUPS, ChefFixie::Sql::Groups.new.by_org_id(ChefFixie::Sql::Orgs::GlobalOrg))
+    Object.const_set(:GLOBAL_CONTAINERS, ChefFixie::Sql::Containers.new.by_org_id(ChefFixie::Sql::Orgs::GlobalOrg))
+  end
+
+  ##
+  # = ChefFixie::Config
+  # configuration for the fixie command.
+  #
+  # ==Example Config File:
+  #
+  #   Fixie.configure do |mapper|
+  #     mapper.authz_uri = 'http://authz.example.com:5959'
+  #   end
+  #
+  class Config
+    include Singleton
+    KEYS = [:authz_uri, :sql_database, :superuser_id, :pivotal_key]
+    KEYS.each { |k| attr_accessor k }
+
+    def merge_opts(opts={})
+      opts.each do |key, value|
+        send("#{key}=".to_sym, value)
+      end
+    end
+
+    # this is waaay tightly coupled to ::Backend's initialize method
+    def to_ary
+      [couchdb_uri, database, auth_uri, authz_couch, sql_database, superuser_id].compact
+    end
+
+    def to_text
+      txt = ["### ChefFixie::Config"]
+      max_key_len = KEYS.inject(0) do |max, k|
+        key_len = k.to_s.length
+        key_len > max ? key_len : max
+      end
+      KEYS.each do |key|
+        value = send(key) || 'default'
+        txt << "# %#{max_key_len}s: %s" % [key.to_s, value]
+      end
+      txt.join("\n")
+    end
+
+    def example_config
+      txt = ["Fixie.configure do |mapper|"]
+      KEYS.each do |key|
+        txt << "  mapper.%s = %s" % [key.to_s, '"something"']
+      end
+      txt << "end"
+      txt.join("\n")
+    end
+
+    def load_from_pc(dir = "/etc/opscode")
+      configdir = Pathname.new(dir)
+
+      config_files = %w(chef-server-running.json)
+      config = load_json_from_path([configdir], config_files)
+
+      authz_config = config['private_chef']['oc_bifrost']
+      authz_vip = authz_config['vip']
+      authz_port = authz_config['port']
+      @authz_uri = "http://#{authz_vip}:#{authz_port}"
+      
+      @superuser_id = authz_config['superuser_id']
+
+      sql_config = config['private_chef']['postgresql']
+      
+      sql_user = sql_config['sql_user']
+      sql_pw = sql_config['sql_password']
+      sql_vip = sql_config['vip']
+      sql_port = sql_config['port']
+      
+      @sql_database = "postgres://#{sql_user}:#{sql_pw}@#{sql_vip}/opscode_chef"
+      
+      @pivotal_key = configdir + "pivotal.pem"
+    end
+
+    def load_json_from_path(pathlist, filelist)
+      parser = FFI_Yajl::Parser.new
+      pathlist.each do |path|
+        filelist.each do |file|
+          configfile = path + file
+          if configfile.file?
+            data = File.read(configfile)
+            return parser.parse(data)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/chef_fixie/console.rb

@@ -0,0 +1,91 @@
+#
+# Copyright (c) 2015 Chef Software Inc. 
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+# Much of this code was orginally derived from the orgmapper tool, which had many varied authors.
+
+require 'optparse'
+require 'pp'
+require 'pry'
+
+require 'chef_fixie'
+require 'chef_fixie/context'
+
+module ChefFixie
+  module Console
+    extend self
+
+    def start
+      configure
+      Fixie.setup
+      configure_pry
+      Pry.start
+    end
+
+    def configure
+      config_file = nil
+      if ARGV.first && ARGV[0].chars.first != "-" && config_file = ARGV.shift
+        config_file = File.expand_path(config_file)
+      end
+      Fixie.load_config(config_file)
+
+      options = {}
+      OptionParser.new do |opt|
+        opt.banner = "Usage: fixie [config] [options]"
+        opt.on('--authz_uri AUTH_URI', "The URI of the opscode authz service") { |v| options[:authz_uri] =v }
+        opt.on("--sql_database DATABASE", 'The URI of the opscode_chef database') { |v| options[:sql_database] = v }
+        opt.on_tail('-h', '--help', 'Show this message') do
+          puts opt
+          puts "\nExample configuration file:\n\n"
+          puts ChefFixie::Config.instance.example_config
+          puts "\n"
+          exit(1)
+        end
+        opt.parse!(ARGV)
+      end
+      pp :cli_opts => options if ENV["DEBUG"]
+
+      ChefFixie::Config.instance.merge_opts(options)
+      puts ChefFixie::Config.instance.to_text
+    end
+
+    def configure_pry
+      Pry.config.history.file = "~/.fixie_history"
+      Pry.config.prompt_name = "fixie"
+      Pry::Commands.block_command("fixie-help", "Show fixie's help") do
+      output.puts(<<-HALP)
+** ORGS **
+* access with ORGS or ORGS
+* access a specific org: ORGS['orgname']
+
+** USERS **
+* users.find('clownco-org-admin')
+* users.grep :clownco
+* users.usernames
+
+** RAW SQL ACCESS**
+* sql[:users].select(:column, :column).where(:column => "condition").all
+
+** irb Help **
+irb_help
+
+HALP
+      end
+    end
+
+  end
+end