chef_fixie_shahid 0.5.2

data/fixie.conf.example

@@ -0,0 +1,8 @@
+
+Fixie.configure do |mapper|
+  mapper.authz_uri = "http://localhost:9463"
+  mapper.superuser_id = "33d88ba14277f812a3ef3989869fb393"
+  mapper.sql_database = 'postgres://opscode_chef:6c6e1a140828be4ac406848e0b6a2ae1e9845e45ac4f48c790168c681c1b4217dc27ab99599130449a2437ab0d2a300bed5d@localhost/opscode_chef'
+end
+
+

data/lib/chef_fixie_shahid.rb

@@ -0,0 +1,28 @@
+#
+# Copyright (c) 2014-2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+
+require "sequel"
+require_relative "chef_fixie/config"
+require_relative "chef_fixie/sql"
+require_relative "chef_fixie/sql_objects"
+
+# This doesn't work because of initialization order, figure it out.
+require_relative "chef_fixie/check_org_associations"
+require_relative "chef_fixie/bulk_edit_permissions"
+
+Sequel.extension :inflector

data/lib/chef_fixie_shahid/authz_mapper.rb

@@ -0,0 +1,141 @@
+#
+# Copyright (c) 2014-2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+
+require "pp"
+require_relative "config"
+require_relative "authz_objects"
+
+module ChefFixie
+  module AuthzMapper
+
+    #
+    # It would be really awesome if this was integrated with the
+    # AuthzObjectMixin so that when it was mixed in, we automatically
+    # added code to the reverse mapping
+    #
+    #
+    # Much of this might be better folded up into a sql stored procedure
+    #
+
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    def authz_to_name(authz_id)
+      objects = by_authz_id(authz_id).all(1)
+      scope = :unknown
+      name = :unknown
+      if objects.count == 1
+        object = objects.first
+        name = object.name
+        scope =
+          if object.respond_to?(:org_id)
+            ChefFixie::Sql::Orgs.org_guid_to_name(object.org_id)
+          else
+            :global
+          end
+        [scope, name]
+      else
+        :unknown
+      end
+    end
+
+    class ReverseMapper
+      attr_reader :names, :by_type, :instance
+
+      def initialize
+        # name of object map
+        @names ||= {}
+        @by_type ||= { :actor => {}, :container => {}, :group => {}, :object => {} }
+        # maps class to a pre-created instance for efficiency
+        @instance ||= {}
+      end
+
+      def class_cache(klass)
+        instance[klass] ||= klass.new
+      end
+
+      def register(klass, name, type)
+        names[name] = klass
+        by_type[type][name] = klass
+      end
+
+      def dump
+        pp names
+      end
+
+      def authz_to_name(authz_id, ctype = nil)
+        types = if ctype.nil?
+                  AuthzUtils::TYPES
+                else
+                  [ctype]
+                end
+        types.each do |type|
+          by_type[type].each_pair do |name, klass|
+            result = class_cache(klass).authz_to_name(authz_id)
+            return result if result != :unknown
+          end
+        end
+        :unknown
+      end
+    end
+
+    def self.mapper
+      @mapper ||= ReverseMapper.new
+    end
+
+    def self.register(klass, name, type)
+      mapper.register(klass, name, type)
+    end
+
+    # Translates the json from authz for group membership and acls into a human readable form
+    # This makes some assumptions about the shape of the data structure, but works well enough to
+    # be quite useful
+    def self.struct_to_name(s)
+      mapper = AuthzMapper.mapper
+      if s.kind_of?(Hash)
+        s.keys.inject({}) do |h, k|
+          v = s[k]
+          if v.kind_of?(Array)
+            case k
+            when "actors"
+              h[k] = v.map { |a| mapper.authz_to_name(a, :actor) } #.sort We should sort these, but the way we're returning unknown causes sort
+            when "groups"
+              h[k] = v.map { |a| mapper.authz_to_name(a, :group) } #.sort to fail
+            else
+              h[k] = v
+            end
+          else
+            h[k] = struct_to_name(v)
+          end
+          h
+        end
+      end
+    end
+
+    module ClassMethods
+      # TODO: We should be able to automatically figure out the type somehow.
+      # At minimum should figure out a self check
+      def register_authz(name, type)
+        AuthzMapper.register(self, name, type)
+      end
+    end
+
+  end
+end

data/lib/chef_fixie_shahid/authz_objects.rb

@@ -0,0 +1,295 @@
+#
+# Copyright (c) 2014-2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+
+require "pp"
+require "ffi_yajl"
+require "chef/http"
+
+require_relative "config"
+
+module ChefFixie
+
+  class AuthzApi
+    def initialize(user = nil)
+      @requestor_authz = user ? user : ChefFixie.configure { |x| x.superuser_id }
+      @auth_uri ||= ChefFixie.configure { |x| x.authz_uri }
+      @rest = Chef::HTTP.new(@auth_uri)
+    end
+
+    def json_helper(s)
+      if s.kind_of?(Hash)
+        FFI_Yajl::Encoder.encode(s)
+      else
+        s
+      end
+    end
+
+    def get(resource)
+      result = @rest.get(resource,
+                         "Content-Type" => "application/json",
+                         "Accept" => "application/json",
+                         "X-Ops-Requesting-Actor-Id" => @requestor_authz)
+      FFI_Yajl::Parser.parse(result)
+    end
+
+    def put(resource, data)
+      result = @rest.put(resource, json_helper(data),
+                         "Content-Type" => "application/json",
+                         "Accept" => "application/json",
+                         "X-Ops-Requesting-Actor-Id" => @requestor_authz)
+      FFI_Yajl::Parser.parse(result)
+    end
+
+    def post(resource, data)
+      result = @rest.post(resource, json_helper(data),
+                          "Content-Type" => "application/json",
+                          "Accept" => "application/json",
+                          "X-Ops-Requesting-Actor-Id" => @requestor_authz)
+      FFI_Yajl::Parser.parse(result)
+    end
+
+    def delete(resource)
+      result = @rest.delete(resource,
+                            "Content-Type" => "application/json",
+                            "Accept" => "application/json",
+                            "X-Ops-Requesting-Actor-Id" => @requestor_authz)
+      FFI_Yajl::Parser.parse(result)
+    end
+
+  end
+
+  module AuthzUtils
+    TYPES = [:object, :actor, :group, :container] # order is an attempt to optimize by most probable.
+    ACTIONS = [:create, :read, :update, :delete, :grant]
+
+    def to_resource(t)
+      # This is a rails thing... t.to_s.pluralize
+      t.to_s + "s" # hack
+    end
+
+    def get_type(id)
+      TYPES.each do |t|
+        begin
+          r = AuthzApi.get("#{to_resource(t)}/#{id}")
+          return t
+        rescue RestClient::ResourceNotFound => e
+          # expected if not found
+        end
+      end
+      :none
+    end
+
+    def check_action(action)
+      # TODO Improve; stack trace isn't the best way to communicate with the user
+      raise "#{action} not one of #{ACTIONS.join(', ')} " if !ACTIONS.member?(action)
+    end
+
+    def check_actor_or_group(a_or_g)
+      raise "#{a_or_g} not one of :actor or :group" if a_or_g != :actor && a_or_g != :group
+    end
+
+    def resourcify_actor_or_group(a_or_g)
+      return a_or_g if %w{actors groups}.member?(a_or_g)
+      check_actor_or_group(a_or_g)
+      to_resource(a_or_g)
+    end
+
+    def get_authz_id(x)
+      return x.authz_id if x.respond_to?(:authz_id)
+      # if it quacks like an authz id
+      return x if x.is_a?(String) && x =~ /^[[:xdigit:]]{32}$/
+      raise "#{x} doesn't look like an authz_id"
+    end
+  end
+
+  #
+  module AuthzObjectMixin
+    include AuthzUtils # reconsider this mixin; maybe better to refer to those routines explictly
+
+    def self.included(base)
+#      pp :note=>"Include", :base=>base, :super=>(base.superclass rescue :nil)
+#      block = lambda { :object }
+#      base.send(:define_method, :type_me, block )
+#      pp :methods=>(base.methods.sort - Object.methods)
+    end
+
+    def type
+      :object
+    end
+
+    def authz_api
+      @@authz_api_as_superuser ||= AuthzApi.new
+    end
+
+    # we expect to be mixed in with a class that has the authz_id method
+    def prefix
+      "#{to_resource(type)}/#{authz_id}"
+    end
+
+    def is_authorized(action, actor)
+      result = authz_api.get("#{prefix}/acl/#{action}/ace/#{actor.authz_id}")
+      [:unparsed, result] # todo figure this out in more detail
+    end
+
+    def authz_delete
+      authz_api.delete(prefix)
+    end
+
+    def acl_raw
+      authz_api.get("#{prefix}/acl")
+    end
+
+    # Todo: filter this by scope and type
+    def acl
+      ChefFixie::AuthzMapper.struct_to_name(acl_raw)
+    end
+
+    def ace_get_util(action)
+      check_action(action)
+
+      resource = "#{prefix}/acl/#{action}"
+      ace = authz_api.get(resource)
+      [resource, ace]
+    end
+
+    def ace_raw(action)
+      resource, ace = ace_get_util(action)
+      ace
+    end
+
+    # Todo: filter this by scope and type
+    def ace(action)
+      ChefFixie::AuthzMapper.struct_to_name(ace_raw(action))
+    end
+
+    def expand_actions(action)
+      if action == :all
+        action = AuthzUtils::ACTIONS
+      end
+      action.is_a?(Array) ? action : [action]
+    end # add actor or group to acl
+
+    def ace_add_raw(action, actor_or_group, entity)
+      # groups or actors
+      a_or_g_resource = resourcify_actor_or_group(actor_or_group)
+      resource, ace = ace_get_util(action)
+
+      ace[a_or_g_resource] << get_authz_id(entity)
+      ace[a_or_g_resource].uniq!
+      authz_api.put("#{resource}", ace)
+    end
+
+    def ace_add(action, entity)
+      actions = expand_actions(action)
+      actions.each { |a| ace_add_raw(a, entity.type, entity) }
+    end
+
+    def ace_delete_raw(action, actor_or_group, entity)
+      # groups or actors
+      a_or_g_resource = resourcify_actor_or_group(actor_or_group)
+      resource, ace = ace_get_util(action)
+
+      ace[a_or_g_resource] -= [get_authz_id(entity)]
+      ace[a_or_g_resource].uniq!
+      authz_api.put("#{resource}", ace)
+    end
+
+    def ace_delete(action, entity)
+      actions = expand_actions(action)
+      actions.each { |a| ace_delete_raw(a, entity.type, entity) }
+    end
+
+    def ace_member?(action, entity)
+      a_or_g_resource = resourcify_actor_or_group(entity.type)
+      resource, ace = ace_get_util(action)
+      ace[a_or_g_resource].member?(entity.authz_id)
+    end
+
+    def acl_add_from_object(object)
+      src = object.acl_raw
+
+      # this could be made more efficient by refactoring ace_add_raw to split fetch and update, but this works
+      src.each do |action, ace|
+        ace.each do |type, list|
+          list.each do |item|
+            ace_add_raw(action.to_sym, type, item)
+          end
+        end
+      end
+    end
+
+  end
+
+  module AuthzActorMixin
+    include AuthzObjectMixin
+    def type
+      :actor
+    end
+  end
+  module AuthzContainerMixin
+    include AuthzObjectMixin
+    def type
+      :container
+    end
+  end
+  module AuthzGroupMixin
+    include AuthzObjectMixin
+    def type
+      :group
+    end
+
+    # Groups need a little more code to manage members.
+    def group_raw
+      authz_api.get("#{prefix}")
+    end
+
+    # Todo: filter this by scope and type
+    def group
+      ChefFixie::AuthzMapper.struct_to_name(group_raw)
+    end
+
+    def list
+      group
+    end
+
+    def group_add_raw(actor_or_group, entity)
+      entity_resource = to_resource(actor_or_group)
+      authz_api.put("#{prefix}/#{entity_resource}/#{entity.authz_id}", {})
+    end
+
+    def group_add(entity)
+      group_add_raw(entity.type, entity)
+    end
+
+    def group_delete_raw(actor_or_group, entity)
+      entity_resource = to_resource(actor_or_group)
+      authz_api.delete("#{prefix}/#{entity_resource}/#{entity.authz_id}")
+    end
+
+    def group_delete(entity)
+      group_delete_raw(entity.type, entity)
+    end
+
+    def member?(entity)
+      members = group_raw
+      members[resourcify_actor_or_group(entity.type)].member?(entity.authz_id)
+    end
+  end
+
+end