chef_fixie_shahid 0.5.2

data/lib/chef_fixie_shahid/bulk_edit_permissions.rb

@@ -0,0 +1,161 @@
+#
+# Copyright (c) 2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+require "sequel"
+
+require_relative "config.rb"
+require_relative "authz_objects.rb"
+require_relative "authz_mapper.rb"
+
+require "pp"
+
+module ChefFixie
+  module BulkEditPermissions
+    def self.orgs
+      @orgs ||= ChefFixie::Sql::Orgs.new
+    end
+
+    def self.users
+      @users ||= ChefFixie::Sql::Users.new
+    end
+
+    def self.assocs
+      @assocs ||= ChefFixie::Sql::Associations.new
+    end
+
+    def self.invites
+      invites ||= ChefFixie::Sql::Invites.new
+    end
+
+    def self.check_permissions(org)
+      org = orgs[org] if org.is_a?(String)
+      admins = org.groups["admins"].authz_id
+      pivotal = users["pivotal"].authz_id
+      errors = Hash.new({})
+      org.each_authz_object do |object|
+        begin
+          acl = object.acl_raw
+        rescue RestClient::ResourceNotFound => e
+          puts "#{object.class} '#{object.name}' id '#{object.id}' missing authz info"
+          # pp :object=>object, :e=>e
+          next
+        end
+        broken_acl = {}
+        # the one special case
+        acl.each do |k, v|
+          list = []
+          list << "pivotal" if !v["actors"].member?(pivotal)
+          # admins doesn't belong to the billing admins group
+          if object.class != ChefFixie::Sql::Group || object.name != "billing-admins"
+            list << "admins" if !v["groups"].member?(admins)
+          end
+          broken_acl[k] = list if !list.empty?
+        end
+        if !broken_acl.empty?
+          classname = object.class
+          errors[classname] = {} if !errors.has_key?(classname)
+          errors[classname][object.name] = broken_acl
+        end
+      end
+      errors
+    end
+
+    def self.ace_add(list, ace_type, entity)
+      list.each do |item|
+        if item.respond_to?(:ace_add)
+          item.ace_add(ace_type, entity)
+        else
+          puts "item.class is not a native authz type"
+          return nil
+        end
+      end
+    end
+
+    def self.ace_delete(list, ace_type, entity)
+      list.each do |item|
+        if item.respond_to?(:ace_delete)
+          item.ace_delete(ace_type, entity)
+        else
+          puts "item.class is not a native authz type"
+          return nil
+        end
+      end
+    end
+
+    def self.do_all_objects(org)
+      org = orgs[org] if org.is_a?(String)
+
+      containers = org.containers.all(:all)
+      # Maybe we should fix up containers first?
+      # fix up objects in containers
+      containers.each do |container|
+        # TODO Write some tests to validate that this stuff
+        # works, since it depends on a lot of name magic...
+        object_type = container.name.to_sym
+#        raise Exception "No such object_type #{object_type}" unless org.respond_to?(object_type)
+        objects = org.send(object_type).all(:all)
+        if block_given?
+          yield objects
+        end
+      end
+    end
+
+    def self.ace_add_all(org, ace_type, entity)
+      org = orgs[org] if org.is_a?(String)
+      org.each_authz_object_by_class do |objects|
+        ace_add(objects, ace_type, entity)
+      end
+    end
+
+    def self.ace_delete_all(org, ace_type, entity)
+      org = orgs[org] if org.is_a?(String)
+      org.each_authz_object_by_class do |objects|
+        ace_delete(objects, ace_type, entity)
+      end
+    end
+
+    def self.add_admin_permissions(org)
+      org = orgs[org] if org.is_a?(String)
+      # rework when ace add takes multiple items...
+      admins = org.groups["admins"]
+      pivotal = users["pivotal"]
+      org.each_authz_object do |object|
+        object.ace_add(:all, pivotal)
+        if object.class != ChefFixie::Sql::Group || object.name != "billing-admins"
+          object.ace_add(:all, admins)
+        end
+      end
+    end
+
+    def self.copy_from_containers(org)
+      org = orgs[org] if org.is_a?(String)
+
+      containers = org.containers.all(:all)
+      containers.each do |c|
+        # don't mess with containers and groups, they are special
+        next if c.name == "containers" || c.name == "groups"
+        org.objects_by_container_type(c.name).each do |obj|
+          obj.acl_add_from_object(c)
+          puts "#{obj.name} from #{c.name}"
+        end
+      end
+      nil
+    end
+
+  end
+end

data/lib/chef_fixie_shahid/check_org_associations.rb

@@ -0,0 +1,239 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+#
+# Copyright (c) 2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+
+require_relative "config"
+require_relative "authz_objects"
+require_relative "authz_mapper"
+require_relative "utility_helpers"
+
+module ChefFixie
+  module CheckOrgAssociations
+    def self.orgs
+      @orgs ||= ChefFixie::Sql::Orgs.new
+    end
+
+    def self.users
+      @users ||= ChefFixie::Sql::Users.new
+    end
+
+    def self.assocs
+      @assocs ||= ChefFixie::Sql::Associations.new
+    end
+
+    def self.invites
+      invites ||= ChefFixie::Sql::Invites.new
+    end
+
+    def self.make_user(user)
+      if user.is_a?(String)
+        users[user]
+      elsif user.is_a?(ChefFixie::Sql::User)
+        user
+      else
+        raise "Expected a user, got a #{user.class}"
+      end
+    end
+
+    def self.make_org(org)
+      if org.is_a?(String)
+        orgs[org]
+      elsif org.is_a?(ChefFixie::Sql::Org)
+        org
+      else
+        raise "Expected an org, got a #{org.class}"
+      end
+    end
+
+    def usag_for_user(org, user)
+      user = make_user(user)
+      org = make_org(org)
+      org.groups[user.id]
+    end
+
+    def self.check_association(org, user, global_admins = nil)
+      # magic to make usage easier
+      org = make_org(org)
+      user = make_user(user)
+      global_admins ||= org.global_admins
+
+      # check that the user is associated
+      if !assocs.by_org_id_user_id(org.id, user.id)
+        return :not_associated
+      end
+
+      usag = org.groups[user.id]
+      # check that user has USAG
+      if usag.nil?
+        return :missing_usag
+      end
+
+      if !usag.member?(user)
+        return :user_not_in_usag
+      end
+
+      if !org.groups["users"].member?(usag)
+        return :usag_not_in_users
+      end
+
+      if !user.ace_member?(:read, global_admins)
+        return :global_admins_lacks_read
+      end
+
+      if invites.by_org_id_user_id(org.id, user.id)
+        return :zombie_invite
+      end
+      true
+    end
+
+    def self.fix_association(org, user, global_admins = nil)
+      # magic to make usage easier
+      org = orgs[org] if org.is_a?(String)
+      user = users[user] if user.is_a?(String)
+      global_admins ||= org.global_admins
+
+      failure = check_association(org, user, global_admins)
+
+      case failure
+      when true
+        puts "#{org.name} #{user.name} doesn't need repair"
+      when :user_not_in_usag
+        usag = org.groups[user.id]
+        usag.group_add(user)
+      when :usag_not_in_users
+        usag = org.groups[user.id]
+        org.groups["users"].group_add(usag)
+      when :global_admins_lacks_read
+        user.ace_add(:read, global_admins)
+      else
+        puts "#{org.name} #{user.name} can't fix problem #{failure} yet"
+        return false
+      end
+      true
+    end
+
+    def self.check_associations(org)
+      success = true
+      org = make_org(org)
+      orgname = org.name
+
+      # check that global_admins exists:
+      global_admins = org.global_admins
+      if !global_admins || !global_admins.is_a?(ChefFixie::Sql::Group)
+        puts "#{orgname} Missing global admins group"
+        success = false
+      end
+
+      users_assoc = assocs.by_org_id(org.id).all(:all)
+      users_invite = invites.by_org_id(org.id).all(:all)
+
+      user_ids = users_assoc.map { |a| a.user_id }
+      users_in_org = user_ids.map { |i| users.by_id(i).all.first }
+      usernames = users_in_org.map { |u| u.name }
+
+      # check that users aren't both invited and associated
+      invited_ids = users_invite.map { |a| a.user_id }
+      overlap_ids = user_ids & invited_ids
+
+      if !overlap_ids.empty?
+        overlap_names = overlap_ids.map { |i| users.by_id(i).all.first.name rescue "#{i}" }
+        puts "#{orgname} users both associated and invited: #{overlap_names.join(', ')}"
+        success = false
+      end
+
+      # Check that we don't have zombie USAGs left around (not 100% reliable)
+      # because someone could create a group that looks like a USAG
+      possible_usags = org.groups.list(:all) - user_ids
+      usags = possible_usags.select { |n| n =~ /^\h+{20}$/ }
+      if !usags.empty?
+        puts "#{orgname} Suspicious USAGS without associated user #{usags.join(', ')}"
+      end
+
+      # Check group membership for sanity
+      success &= check_group(org, "billing-admins", usernames)
+      success &= check_group(org, "admins", usernames)
+
+      # TODO check for non-usags in users!
+      users_members = org.groups["users"].group
+      users_actors = users_members["actors"] - [[:global, "pivotal"]]
+      if !users_actors.empty?
+        puts "#{orgname} has actors in it's users group #{users_actors}"
+      end
+      non_usags = users_members["groups"].map { |g| g[1] } - user_ids
+      if !non_usags.empty?
+        puts "#{orgname} warning: has non usags in it's users group #{non_usags.join(', ')}"
+      end
+
+      # Check individual associations
+      users_in_org.each do |user|
+        result = check_association(org, user, global_admins)
+        if result != true
+          puts "Org #{orgname} Association check failed for #{user.name} #{result}"
+          success = false
+        end
+      end
+
+      puts "Org #{orgname} is #{success ? 'ok' : 'bad'} (#{users_in_org.count} users)"
+      success
+    end
+
+    # expect at least one current user to be in admins and billing admins
+    def self.check_group(org, groupname, users)
+      g = org.groups[groupname]
+      if g.nil?
+        puts "#{orgname} Missing group #{groupname}"
+        return :no_such_group
+      end
+      actors = g.group["actors"].map { |x| x[1] }
+      live = actors & users
+
+      if live.count == 0
+        puts "Org #{org.name} has no active users in #{groupname}"
+        return false
+      end
+      true
+    end
+
+    def self.remove_association(org, user)
+      # magic to make usage easier
+      org = make_org(org)
+      user = make_user(user)
+
+      # remove USAG
+      usag = org.groups[user.id]
+      usag.delete if usag
+
+      # remove from any groups they are in
+      org.groups.all(:all).each do |g|
+        g.group_delete(user) if g.member?(user)
+      end
+
+      # remove read ACE
+      user.ace_delete(:read, org.global_admins)
+
+      # remove association record
+      assoc = assocs.by_org_id_user_id(org.id, user.id)
+      assoc.delete if assoc
+
+      # remove any invites
+      invite = invites.by_org_id_user_id(org.id, user.id)
+      invite.delete if invite
+    end
+  end
+end

data/lib/chef_fixie_shahid/config.rb

@@ -0,0 +1,174 @@
+#
+# Copyright (c) 2014-2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+# Much of this code was orginally derived from the orgmapper tool, which had many varied authors.
+
+require "singleton"
+require "ffi_yajl"
+require "pathname"
+require "veil"
+
+module ChefFixie
+  def self.configure
+    yield Config.instance
+  end
+
+  def self.load_config(config_file = nil)
+    if config_file
+      puts "loading config: #{config_file}..." if ChefFixie::Console.started_from_command_line?
+      Kernel.load(config_file)
+    else
+      path = "/etc/opscode"
+      puts "loading config from #{path}" if ChefFixie::Console.started_from_command_line?
+      ChefFixie::Config.instance.load_from_pc(path)
+    end
+  end
+
+  def self.setup
+    # TODO: do we have to polute global object with this to make it available to the irb instance?
+    Object.const_set(:ORGS, ChefFixie::Sql::Orgs.new)
+    Object.const_set(:USERS, ChefFixie::Sql::Users.new)
+    Object.const_set(:ASSOCS, ChefFixie::Sql::Associations.new)
+    Object.const_set(:INVITES, ChefFixie::Sql::Invites.new)
+
+    # scope this by the global org id?
+    Object.const_set(:GLOBAL_GROUPS, ChefFixie::Sql::Groups.new.by_org_id(ChefFixie::Sql::Orgs::GlobalOrg))
+    Object.const_set(:GLOBAL_CONTAINERS, ChefFixie::Sql::Containers.new.by_org_id(ChefFixie::Sql::Orgs::GlobalOrg))
+  end
+
+  ##
+  # = ChefFixie::Config
+  # configuration for the fixie command.
+  #
+  # ==Example Config File:
+  #
+  #   Fixie.configure do |mapper|
+  #     mapper.authz_uri = 'http://authz.example.com:5959'
+  #   end
+  #
+  class Config
+    include Singleton
+    KEYS = [:authz_uri, :sql_database, :superuser_id, :pivotal_key]
+    KEYS.each { |k| attr_accessor k }
+
+    def merge_opts(opts = {})
+      opts.each do |key, value|
+        send("#{key}=".to_sym, value)
+      end
+    end
+
+    # this is waaay tightly coupled to ::Backend's initialize method
+    def to_ary
+      [couchdb_uri, database, auth_uri, authz_couch, sql_database, superuser_id].compact
+    end
+
+    def to_text
+      txt = ["### ChefFixie::Config"]
+      max_key_len = KEYS.inject(0) do |max, k|
+        key_len = k.to_s.length
+        key_len > max ? key_len : max
+      end
+      KEYS.each do |key|
+        value = send(key) || "default"
+        txt << "# %#{max_key_len}s: %s" % [key.to_s, value]
+      end
+      txt.join("\n")
+    end
+
+    def example_config
+      txt = ["Fixie.configure do |mapper|"]
+      KEYS.each do |key|
+        txt << "  mapper.%s = %s" % [key.to_s, '"something"']
+      end
+      txt << "end"
+      txt.join("\n")
+    end
+
+    def load_from_pc(dir = "/etc/opscode")
+      configdir = Pathname.new(dir)
+
+      config_files = %w{chef-server-running.json}
+      config = load_json_from_path([configdir], config_files)
+
+      secrets = load_secrets_from_path([configdir], %w{private-chef-secrets.json} )
+
+      authz_config = config["private_chef"]["oc_bifrost"]
+      authz_vip = authz_config["vip"]
+      authz_port = authz_config["port"]
+      @authz_uri = "http://#{authz_vip}:#{authz_port}"
+
+      @superuser_id = dig(secrets, %w{oc_bifrost superuser_id}) || authz_config["superuser_id"]
+
+      sql_config = config["private_chef"]["postgresql"]
+      erchef_config = config["private_chef"]["opscode-erchef"]
+
+      sql_user = sql_config["sql_user"] || erchef_config["sql_user"]
+      sql_pw = dig(secrets, %w{opscode_erchef sql_password}) || sql_config["sql_password"] || erchef_config["sql_password"]
+      sql_vip = sql_config["vip"]
+      sql_port = sql_config["port"]
+
+      @sql_database = "postgres://#{sql_user}:#{sql_pw}@#{sql_vip}/opscode_chef"
+
+      @pivotal_key = configdir + "pivotal.pem"
+    end
+
+    def load_json_from_path(pathlist, filelist)
+      parser = FFI_Yajl::Parser.new
+      pathlist.each do |path|
+        filelist.each do |file|
+          configfile = path + file
+          if configfile.file?
+            data = File.read(configfile)
+            return parser.parse(data)
+          end
+        end
+      end
+    end
+
+    def load_secrets_from_path(pathlist, filelist)
+      pathlist.each do |path|
+        filelist.each do |file|
+          configfile = path + file
+          if configfile.file?
+            data = Veil::CredentialCollection::ChefSecretsFile.from_file(configfile)
+            return data
+          end
+        end
+      end
+      nil
+    end
+
+    def dig(hash, list)
+      if hash.respond_to?(:get)
+        hash.get(*list)
+      elsif hash.nil?
+        nil
+      elsif list.empty?
+        hash
+      else
+        element = list.shift
+        if hash.has_key?(element)
+          dig(hash[element], list)
+        else
+          nil
+        end
+      end
+    end
+
+  end
+end