chef_fixie 0.3.0 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a2d39d757f223a6cf8f364906e91d8051ce19a61
-  data.tar.gz: 8cbc7287d4ec7ac58e9a800fd1dd76b23b674d10
+SHA256:
+  metadata.gz: f3de72ac60514bc40b96e932529f1cbcb1bdfd8f799d54b1d20453ff16fb1eaf
+  data.tar.gz: f11fcccb04c1c1222f7c593839155cad4fee1e507ef3d5238e3f10fa07cdc689
 SHA512:
-  metadata.gz: 6970a5ff33b2a6448b57584e5641a99c55837803a67d209b6246bbbe344466f51f445884f1c596f06429e30e27312c8755a93721b471b56043fc99c987b3545d
-  data.tar.gz: f1c93aba31fa3afc3cb3ba952539a052260a6a890b176bc45d0609aaa471182e74f4011b14a3e104b5def87a40c21562bf5a5eb6d777d3e016ef1835e13cdd6d
+  metadata.gz: 30f348f5de0f11aa31534f6160aea0841e333268d41a5fdc10f12d65427acc080a09017b402a7e5491bdf8b9e394eaa1ea9954018aee63b5f31aecd062f8b94f
+  data.tar.gz: 71bd479c159a15d042154de70857cadc6caf905b835429a84546d019514312b4958353c04cccd6478415666a80164fd017da8f05a10438842721f97d8513a318

data/bin/chef_fixie

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
 
-require_relative '../lib/chef_fixie/console'
+require_relative "../lib/chef_fixie/console"
 
 ChefFixie::Console.start

data/doc/BulkFixup.md

@@ -15,7 +15,7 @@ If a key group is deleted (such as users)
 ```ruby
 users_group.ace_add([:create,:read,:update,:delete], org.groups['admins'])
 users_group.ace_add([:create,:read,:update,:delete], USERS['pivotal'])
-``
+```
 
 * Restore users to the appropriate container ACLs
 ```ruby

data/doc/CommonTasks.md

@@ -9,12 +9,23 @@ points
 
 First of all, run the automated org association checker:
 
-fixie:0 > Fixie::CheckOrgAssociations.check_associations("acme")
-Org acme is ok (6 users)
+    fixie:0 > Fixie::CheckOrgAssociations.check_associations("acme")
+    Org acme is ok (6 users)
 
 If it reports a problem with a user, you may be able to fix it
 automatically:
 
-fixie:0 > Fixie::CheckOrgAssociations.fix_association("acme", "mary")
+    fixie:0 > Fixie::CheckOrgAssociations.fix_association("acme", "mary")
 
 This might need to be run multiple times to fix all of the errors.
+
+
+Removing a user completely from an org
+-----------
+
+    [1] fixie(main)> ChefFixie::CheckOrgAssociations.remove_association('the_org', 'the_user')
+
+This removes the user from the org, and removes them from all org
+groups. However, if the user has been individually added to an ACL we
+don't fix that up; it would require enumeration of the whole org, and
+that hasn't been implemented.

data/lib/chef_fixie.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014-2015 Chef Software Inc. 
+# Copyright (c) 2014-2015 Chef Software Inc.
 # License :: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,13 +16,13 @@
 #
 # Author: Mark Anderson <mark@chef.io>
 
-require 'sequel'
-require_relative 'chef_fixie/config'
-require_relative 'chef_fixie/sql'
-require_relative 'chef_fixie/sql_objects'
+require "sequel"
+require_relative "chef_fixie/config"
+require_relative "chef_fixie/sql"
+require_relative "chef_fixie/sql_objects"
 
 # This doesn't work because of initialization order, figure it out.
-require_relative 'chef_fixie/check_org_associations'
-require_relative 'chef_fixie/bulk_edit_permissions'
+require_relative "chef_fixie/check_org_associations"
+require_relative "chef_fixie/bulk_edit_permissions"
 
 Sequel.extension :inflector

data/lib/chef_fixie/authz_mapper.rb

@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014-2015 Chef Software Inc. 
+# Copyright (c) 2014-2015 Chef Software Inc.
 # License :: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -17,9 +17,9 @@
 # Author: Mark Anderson <mark@chef.io>
 #
 
-require 'pp'
-require_relative 'config'
-require_relative 'authz_objects'
+require "pp"
+require_relative "config"
+require_relative "authz_objects"
 
 module ChefFixie
   module AuthzMapper
@@ -32,7 +32,7 @@ module ChefFixie
     #
     # Much of this might be better folded up into a sql stored procedure
     #
-   
+
     def self.included(base)
       base.extend(ClassMethods)
     end
@@ -44,9 +44,9 @@ module ChefFixie
       if objects.count == 1
         object = objects.first
         name = object.name
-        scope = 
-          if object.respond_to?(:org_id) 
-              ChefFixie::Sql::Orgs.org_guid_to_name(object.org_id)
+        scope =
+          if object.respond_to?(:org_id)
+            ChefFixie::Sql::Orgs.org_guid_to_name(object.org_id)
           else
             :global
           end
@@ -57,12 +57,12 @@ module ChefFixie
     end
 
     class ReverseMapper
-      attr_reader :names,:by_type, :instance
-                     
+      attr_reader :names, :by_type, :instance
+
       def initialize
         # name of object map
         @names ||= {}
-        @by_type ||= {:actor=>{}, :container=>{}, :group=>{}, :object=>{}}
+        @by_type ||= { :actor => {}, :container => {}, :group => {}, :object => {} }
         # maps class to a pre-created instance for efficiency
         @instance ||= {}
       end
@@ -75,14 +75,14 @@ module ChefFixie
         names[name] = klass
         by_type[type][name] = klass
       end
-      
+
       def dump
         pp names
       end
 
-      def authz_to_name(authz_id, ctype=nil)
+      def authz_to_name(authz_id, ctype = nil)
         types = if ctype.nil?
-                  AuthzUtils::Types
+                  AuthzUtils::TYPES
                 else
                   [ctype]
                 end
@@ -92,52 +92,50 @@ module ChefFixie
             return result if result != :unknown
           end
         end
-        return :unknown
+        :unknown
       end
     end
 
     def self.mapper
       @mapper ||= ReverseMapper.new
     end
-    
+
     def self.register(klass, name, type)
-      self.mapper.register(klass,name,type)
+      mapper.register(klass, name, type)
     end
 
     # Translates the json from authz for group membership and acls into a human readable form
     # This makes some assumptions about the shape of the data structure, but works well enough to
     # be quite useful
     def self.struct_to_name(s)
-      mapper = AuthzMapper::mapper      
+      mapper = AuthzMapper.mapper
       if s.kind_of?(Hash)
         s.keys.inject({}) do |h, k|
           v = s[k]
           if v.kind_of?(Array)
             case k
-            when 'actors'
-              h[k] = v.map {|a| mapper.authz_to_name(a,:actor) } #.sort We should sort these, but the way we're returning unknown causes sort 
-            when 'groups'
-              h[k] = v.map {|a| mapper.authz_to_name(a,:group) } #.sort to fail
+            when "actors"
+              h[k] = v.map { |a| mapper.authz_to_name(a, :actor) } #.sort We should sort these, but the way we're returning unknown causes sort
+            when "groups"
+              h[k] = v.map { |a| mapper.authz_to_name(a, :group) } #.sort to fail
             else
               h[k] = v
             end
           else
-            h[k] = self.struct_to_name(v)
+            h[k] = struct_to_name(v)
           end
           h
         end
       end
     end
-    
+
     module ClassMethods
       # TODO: We should be able to automatically figure out the type somehow.
       # At minimum should figure out a self check
       def register_authz(name, type)
-        AuthzMapper::register(self,name,type)
+        AuthzMapper.register(self, name, type)
       end
     end
-    
+
   end
 end
-
-  

data/lib/chef_fixie/authz_objects.rb

@@ -17,16 +17,16 @@
 # Author: Mark Anderson <mark@chef.io>
 #
 
-require 'pp'
-require 'ffi_yajl'
-require 'chef/http'
+require "pp"
+require "ffi_yajl"
+require "chef/http"
 
-require_relative 'config'
+require_relative "config"
 
 module ChefFixie
 
   class AuthzApi
-    def initialize(user=nil)
+    def initialize(user = nil)
       @requestor_authz = user ? user : ChefFixie.configure { |x| x.superuser_id }
       @auth_uri ||= ChefFixie.configure { |x| x.authz_uri }
       @rest = Chef::HTTP.new(@auth_uri)
@@ -42,38 +42,41 @@ module ChefFixie
 
     def get(resource)
       result = @rest.get(resource,
-                         'Content-Type'=>'application/json',
-                         'Accept'=>'application/json',
-                         'X-Ops-Requesting-Actor-Id'=>@requestor_authz)
+                         "Content-Type" => "application/json",
+                         "Accept" => "application/json",
+                         "X-Ops-Requesting-Actor-Id" => @requestor_authz)
       FFI_Yajl::Parser.parse(result)
     end
+
     def put(resource, data)
-      result = @rest.put(resource, self.json_helper(data),
-                         'Content-Type'=>'application/json',
-                         'Accept'=>'application/json',
-                         'X-Ops-Requesting-Actor-Id'=>@requestor_authz)
+      result = @rest.put(resource, json_helper(data),
+                         "Content-Type" => "application/json",
+                         "Accept" => "application/json",
+                         "X-Ops-Requesting-Actor-Id" => @requestor_authz)
       FFI_Yajl::Parser.parse(result)
     end
+
     def post(resource, data)
-      result = @rest.post(resource, self.json_helper(data),
-                          'Content-Type'=>'application/json',
-                          'Accept'=>'application/json',
-                          'X-Ops-Requesting-Actor-Id'=>@requestor_authz)
+      result = @rest.post(resource, json_helper(data),
+                          "Content-Type" => "application/json",
+                          "Accept" => "application/json",
+                          "X-Ops-Requesting-Actor-Id" => @requestor_authz)
       FFI_Yajl::Parser.parse(result)
     end
+
     def delete(resource)
       result = @rest.delete(resource,
-                            'Content-Type'=>'application/json',
-                            'Accept'=>'application/json',
-                            'X-Ops-Requesting-Actor-Id'=>@requestor_authz)
+                            "Content-Type" => "application/json",
+                            "Accept" => "application/json",
+                            "X-Ops-Requesting-Actor-Id" => @requestor_authz)
       FFI_Yajl::Parser.parse(result)
     end
 
   end
 
   module AuthzUtils
-    Types = [:object,:actor,:group,:container] # order is an attempt to optimize by most probable.
-    Actions = [:create, :read, :update, :delete, :grant]
+    TYPES = [:object, :actor, :group, :container] # order is an attempt to optimize by most probable.
+    ACTIONS = [:create, :read, :update, :delete, :grant]
 
     def to_resource(t)
       # This is a rails thing... t.to_s.pluralize
@@ -81,20 +84,20 @@ module ChefFixie
     end
 
     def get_type(id)
-      Types.each do |t|
+      TYPES.each do |t|
         begin
-          r = AuthzApi.get("#{self.to_resource(t)}/#{id}")
+          r = AuthzApi.get("#{to_resource(t)}/#{id}")
           return t
-        rescue RestClient::ResourceNotFound=>e
+        rescue RestClient::ResourceNotFound => e
           # expected if not found
         end
       end
-      return :none
+      :none
     end
 
     def check_action(action)
       # TODO Improve; stack trace isn't the best way to communicate with the user
-      raise "#{action} not one of #{Actions.join(', ')} " if !Actions.member?(action)
+      raise "#{action} not one of #{ACTIONS.join(', ')} " if !ACTIONS.member?(action)
     end
 
     def check_actor_or_group(a_or_g)
@@ -102,7 +105,7 @@ module ChefFixie
     end
 
     def resourcify_actor_or_group(a_or_g)
-      return a_or_g if ["actors", "groups"].member?(a_or_g)
+      return a_or_g if %w{actors groups}.member?(a_or_g)
       check_actor_or_group(a_or_g)
       to_resource(a_or_g)
     end
@@ -131,10 +134,9 @@ module ChefFixie
     end
 
     def authz_api
-       @@authz_apiAsSuperUser ||= AuthzApi.new
+      @@authz_api_as_superuser ||= AuthzApi.new
     end
 
-
     # we expect to be mixed in with a class that has the authz_id method
     def prefix
       "#{to_resource(type)}/#{authz_id}"
@@ -152,6 +154,7 @@ module ChefFixie
     def acl_raw
       authz_api.get("#{prefix}/acl")
     end
+
     # Todo: filter this by scope and type
     def acl
       ChefFixie::AuthzMapper.struct_to_name(acl_raw)
@@ -165,11 +168,11 @@ module ChefFixie
       [resource, ace]
     end
 
-
     def ace_raw(action)
-      resource,ace = ace_get_util(action)
+      resource, ace = ace_get_util(action)
       ace
     end
+
     # Todo: filter this by scope and type
     def ace(action)
       ChefFixie::AuthzMapper.struct_to_name(ace_raw(action))
@@ -177,14 +180,11 @@ module ChefFixie
 
     def expand_actions(action)
       if action == :all
-        action = AuthzUtils::Actions
+        action = AuthzUtils::ACTIONS
       end
       action.is_a?(Array) ? action : [action]
-    end
-
+    end # add actor or group to acl
 
-
-    # add actor or group to acl
     def ace_add_raw(action, actor_or_group, entity)
       # groups or actors
       a_or_g_resource = resourcify_actor_or_group(actor_or_group)
@@ -194,9 +194,10 @@ module ChefFixie
       ace[a_or_g_resource].uniq!
       authz_api.put("#{resource}", ace)
     end
+
     def ace_add(action, entity)
       actions = expand_actions(action)
-      actions.each {|a| ace_add_raw(a, entity.type, entity) }
+      actions.each { |a| ace_add_raw(a, entity.type, entity) }
     end
 
     def ace_delete_raw(action, actor_or_group, entity)
@@ -211,7 +212,7 @@ module ChefFixie
 
     def ace_delete(action, entity)
       actions = expand_actions(action)
-      actions.each {|a| ace_delete_raw(a, entity.type, entity) }
+      actions.each { |a| ace_delete_raw(a, entity.type, entity) }
     end
 
     def ace_member?(action, entity)
@@ -220,7 +221,6 @@ module ChefFixie
       ace[a_or_g_resource].member?(entity.authz_id)
     end
 
-
     def acl_add_from_object(object)
       src = object.acl_raw
 
@@ -258,18 +258,21 @@ module ChefFixie
     def group_raw
       authz_api.get("#{prefix}")
     end
+
     # Todo: filter this by scope and type
     def group
       ChefFixie::AuthzMapper.struct_to_name(group_raw)
     end
+
     def list
       group
     end
 
     def group_add_raw(actor_or_group, entity)
       entity_resource = to_resource(actor_or_group)
-      authz_api.put("#{prefix}/#{entity_resource}/#{entity.authz_id}",{})
+      authz_api.put("#{prefix}/#{entity_resource}/#{entity.authz_id}", {})
     end
+
     def group_add(entity)
       group_add_raw(entity.type, entity)
     end
@@ -285,7 +288,7 @@ module ChefFixie
 
     def member?(entity)
       members = group_raw
-      return members[resourcify_actor_or_group(entity.type)].member?(entity.authz_id)
+      members[resourcify_actor_or_group(entity.type)].member?(entity.authz_id)
     end
   end
 

data/lib/chef_fixie/bulk_edit_permissions.rb

@@ -16,50 +16,53 @@
 #
 # Author: Mark Anderson <mark@chef.io>
 #
-require 'sequel'
+require "sequel"
 
-require_relative 'config.rb'
-require_relative 'authz_objects.rb'
-require_relative 'authz_mapper.rb'
+require_relative "config.rb"
+require_relative "authz_objects.rb"
+require_relative "authz_mapper.rb"
 
-require 'pp'
+require "pp"
 
 module ChefFixie
   module BulkEditPermissions
     def self.orgs
       @orgs ||= ChefFixie::Sql::Orgs.new
     end
+
     def self.users
       @users ||= ChefFixie::Sql::Users.new
     end
+
     def self.assocs
       @assocs ||= ChefFixie::Sql::Associations.new
     end
+
     def self.invites
       invites ||= ChefFixie::Sql::Invites.new
     end
 
     def self.check_permissions(org)
       org = orgs[org] if org.is_a?(String)
-      admins = org.groups['admins'].authz_id
-      pivotal = users['pivotal'].authz_id
+      admins = org.groups["admins"].authz_id
+      pivotal = users["pivotal"].authz_id
       errors = Hash.new({})
       org.each_authz_object do |object|
-        begin 
+        begin
           acl = object.acl_raw
-        rescue RestClient::ResourceNotFound=>e
+        rescue RestClient::ResourceNotFound => e
           puts "#{object.class} '#{object.name}' id '#{object.id}' missing authz info"
           # pp :object=>object, :e=>e
           next
         end
         broken_acl = {}
         # the one special case
-        acl.each do |k,v|
+        acl.each do |k, v|
           list = []
-          list << "pivotal" if !v['actors'].member?(pivotal)
+          list << "pivotal" if !v["actors"].member?(pivotal)
           # admins doesn't belong to the billing admins group
-          if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
-            list << "admins" if !v['groups'].member?(admins)
+          if object.class != ChefFixie::Sql::Group || object.name != "billing-admins"
+            list << "admins" if !v["groups"].member?(admins)
           end
           broken_acl[k] = list if !list.empty?
         end
@@ -69,7 +72,7 @@ module ChefFixie
           errors[classname][object.name] = broken_acl
         end
       end
-      return errors
+      errors
     end
 
     def self.ace_add(list, ace_type, entity)
@@ -78,17 +81,18 @@ module ChefFixie
           item.ace_add(ace_type, entity)
         else
           puts "item.class is not a native authz type"
-          return
+          return nil
         end
       end
     end
+
     def self.ace_delete(list, ace_type, entity)
       list.each do |item|
         if item.respond_to?(:ace_delete)
           item.ace_delete(ace_type, entity)
         else
           puts "item.class is not a native authz type"
-          return
+          return nil
         end
       end
     end
@@ -128,11 +132,11 @@ module ChefFixie
     def self.add_admin_permissions(org)
       org = orgs[org] if org.is_a?(String)
       # rework when ace add takes multiple items...
-      admins = org.groups['admins']
-      pivotal = users['pivotal']
+      admins = org.groups["admins"]
+      pivotal = users["pivotal"]
       org.each_authz_object do |object|
         object.ace_add(:all, pivotal)
-        if object.class != ChefFixie::Sql::Group || object.name != 'billing-admins'
+        if object.class != ChefFixie::Sql::Group || object.name != "billing-admins"
           object.ace_add(:all, admins)
         end
       end
@@ -150,7 +154,7 @@ module ChefFixie
           puts "#{obj.name} from #{c.name}"
         end
       end
-      return
+      nil
     end
 
   end