cheffish 0.1

data/lib/chef/resource/chef_user.rb

@@ -0,0 +1,51 @@
+require 'cheffish'
+require 'chef/resource/lwrp_base'
+
+class Chef::Resource::ChefUser < Chef::Resource::LWRPBase
+  self.resource_name = 'chef_user'
+
+  actions :create, :delete, :nothing
+  default_action :create
+
+  # Grab environment from with_environment
+  def initialize(*args)
+    super
+    chef_server Cheffish.enclosing_chef_server
+  end
+
+  # Client attributes
+  attribute :name, :kind_of => String, :regex => Cheffish::NAME_REGEX, :name_attribute => true
+  attribute :admin, :kind_of => [TrueClass, FalseClass]
+  attribute :email, :kind_of => String
+  attribute :external_authentication_uid
+  attribute :recovery_authentication_enabled, :kind_of => [TrueClass, FalseClass]
+  attribute :password, :kind_of => String # Hmm.  There is no way to idempotentize this.
+  #attribute :salt  # TODO server doesn't support sending or receiving these, but it's the only way to backup / restore a user
+  #attribute :hashed_password
+  #attribute :hash_type
+
+  # Input key
+  attribute :source_key # String or OpenSSL::PKey::*
+  attribute :source_key_path, :kind_of => String
+  attribute :source_key_pass_phrase
+
+  # Output public key (if so desired)
+  attribute :output_key_path, :kind_of => String
+  attribute :output_key_format, :kind_of => Symbol, :default => :openssh, :equal_to => [ :pem, :der, :openssh ]
+
+  # If this is set, client is not patchy
+  attribute :complete, :kind_of => [TrueClass, FalseClass]
+
+  attribute :raw_json, :kind_of => Hash
+  attribute :chef_server, :kind_of => Hash
+
+  # Proc that runs just before the resource executes.  Called with (resource)
+  def before(&block)
+    block ? @before = block : @before
+  end
+
+  # Proc that runs after the resource completes.  Called with (resource, json, private_key, public_key)
+  def after(&block)
+    block ? @after = block : @after
+  end
+end

data/lib/chef/resource/in_parallel.rb

@@ -0,0 +1,6 @@
+
+
+class Chef::Resource::InParallel < Chef::Resource
+  def initialize(&block)
+  end
+end

data/lib/chef/resource/private_key.rb

@@ -0,0 +1,39 @@
+require 'openssl/cipher'
+require 'chef/resource/lwrp_base'
+
+class Chef::Resource::PrivateKey < Chef::Resource::LWRPBase
+  self.resource_name = 'private_key'
+
+  actions :create, :delete, :regenerate, :nothing
+  default_action :create
+
+  # Path to private key.  Set to :none to create the key in memory and not on disk.
+  attribute :path, :kind_of => [ String, Symbol ], :name_attribute => true
+  attribute :format, :kind_of => Symbol, :default => :pem, :equal_to => [ :pem, :der ]
+  attribute :type, :kind_of => Symbol, :default => :rsa, :equal_to => [ :rsa, :dsa ] # TODO support :ec
+  # These specify an optional public_key you can spit out if you want.
+  attribute :public_key_path, :kind_of => String
+  attribute :public_key_format, :kind_of => Symbol, :default => :openssh, :equal_to => [ :openssh, :pem, :der ]
+  # Specify this if you want to copy another private key but give it a different format / password
+  attribute :source_key
+  attribute :source_key_path, :kind_of => String
+  attribute :source_key_pass_phrase
+
+  # RSA and DSA
+  attribute :size, :kind_of => Integer, :default => 2048
+
+  # RSA-only
+  attribute :exponent, :kind_of => Integer # For RSA
+
+  # PEM-only
+  attribute :pass_phrase, :kind_of => String
+  attribute :cipher, :kind_of => String, :default => 'DES-EDE3-CBC', :equal_to => OpenSSL::Cipher.ciphers
+
+  # Set this to regenerate the key if it does not have the desired characteristics (like size, type, etc.)
+  attribute :regenerate_if_different, :kind_of => [TrueClass, FalseClass]
+
+  # Proc that runs after the resource completes.  Called with (resource, private_key)
+  def after(&block)
+    block ? @after = block : @after
+  end
+end

data/lib/chef/resource/public_key.rb

@@ -0,0 +1,16 @@
+require 'openssl/cipher'
+require 'chef/resource/lwrp_base'
+
+class Chef::Resource::PublicKey < Chef::Resource::LWRPBase
+  self.resource_name = 'public_key'
+
+  actions :create, :delete, :nothing
+  default_action :create
+
+  attribute :path, :kind_of => String, :name_attribute => true
+  attribute :format, :kind_of => Symbol, :default => :openssh, :equal_to => [ :pem, :der, :openssh ]
+
+  attribute :source_key
+  attribute :source_key_path, :kind_of => String
+  attribute :source_key_pass_phrase
+end

data/lib/cheffish.rb

@@ -0,0 +1,245 @@
+require 'chef/run_list/run_list_item'
+require 'cheffish/inline_resource'
+
+module Cheffish
+  NAME_REGEX = /^[.\-[:alnum:]_]+$/
+
+  @@enclosing_data_bag = nil
+  def self.enclosing_data_bag
+    @@enclosing_data_bag
+  end
+  def self.enclosing_data_bag=(name)
+    @@enclosing_data_bag = name
+  end
+
+  @@enclosing_environment = nil
+  def self.enclosing_environment
+    @@enclosing_environment
+  end
+  def self.enclosing_environment=(name)
+    @@enclosing_environment = name
+  end
+
+  @@enclosing_data_bag_item_encryption = nil
+  def self.enclosing_data_bag_item_encryption
+    @@enclosing_data_bag_item_encryption
+  end
+  def self.enclosing_data_bag_item_encryption=(options)
+    @@enclosing_data_bag_item_encryption = options
+  end
+
+  def self.inline_resource(provider, &block)
+    InlineResource.new(provider).instance_eval(&block)
+  end
+
+  @@enclosing_chef_server = nil
+  def self.enclosing_chef_server
+    @@enclosing_chef_server || {
+      :chef_server_url => Chef::Config[:chef_server_url],
+      :options => {
+        :client_name => Chef::Config[:node_name],
+        :signing_key_filename => Chef::Config[:client_key]
+      }
+    }
+  end
+  def self.enclosing_chef_server=(chef_server)
+    @@enclosing_chef_server = chef_server
+  end
+
+  def self.reset
+    @@enclosing_data_bag = nil
+    @@enclosing_environment = nil
+    @@enclosing_data_bag_item_encryption = nil
+    @@enclosing_chef_server = nil
+  end
+
+  NOT_PASSED=Object.new
+
+  def self.node_attributes(klass)
+    klass.class_eval do
+      attribute :name, :kind_of => String, :regex => Cheffish::NAME_REGEX, :name_attribute => true
+      attribute :chef_environment, :kind_of => String, :regex => Cheffish::NAME_REGEX
+      attribute :run_list, :kind_of => Array # We should let them specify it as a series of parameters too
+      attribute :default_attributes, :kind_of => Hash
+      attribute :normal_attributes, :kind_of => Hash
+      attribute :override_attributes, :kind_of => Hash
+      attribute :automatic_attributes, :kind_of => Hash
+
+      # Specifies that this is a complete specification for the environment (i.e. attributes you don't specify will be
+      # reset to their defaults)
+      attribute :complete, :kind_of => [TrueClass, FalseClass]
+
+      attribute :raw_json, :kind_of => Hash
+      attribute :chef_server, :kind_of => Hash
+
+      # default 'ip_address', '127.0.0.1'
+      # default [ 'pushy', 'port' ], '9000'
+      # default 'ip_addresses' do |existing_value|
+      #   (existing_value || []) + [ '127.0.0.1' ]
+      # end
+      # default 'ip_address', :delete
+      attr_accessor :default_modifiers
+      def default(attribute_path, value=Cheffish.NOT_PASSED, &block)
+        @default_modifiers ||= []
+        if value != Cheffish.NOT_PASSED
+          @default_modifiers << [ attribute_path, value ]
+        elsif block
+          @default_modifiers << [ attribute_path, block ]
+        else
+          raise "default requires either a value or a block"
+        end
+      end
+
+      # normal 'ip_address', '127.0.0.1'
+      # normal [ 'pushy', 'port' ], '9000'
+      # normal 'ip_addresses' do |existing_value|
+      #   (existing_value || []) + [ '127.0.0.1' ]
+      # end
+      # normal 'ip_address', :delete
+      attr_accessor :normal_modifiers
+      def normal(attribute_path, value=NOT_PASSED, &block)
+        @normal_modifiers ||= []
+        if value != NOT_PASSED
+          @normal_modifiers << [ attribute_path, value ]
+        elsif block
+          @normal_modifiers << [ attribute_path, block ]
+        else
+          raise "normal requires either a value or a block"
+        end
+      end
+
+      # override 'ip_address', '127.0.0.1'
+      # override [ 'pushy', 'port' ], '9000'
+      # override 'ip_addresses' do |existing_value|
+      #   (existing_value || []) + [ '127.0.0.1' ]
+      # end
+      # override 'ip_address', :delete
+      attr_accessor :override_modifiers
+      def override(attribute_path, value=NOT_PASSED, &block)
+        @override_modifiers ||= []
+        if value != NOT_PASSED
+          @override_modifiers << [ attribute_path, value ]
+        elsif block
+          @override_modifiers << [ attribute_path, block ]
+        else
+          raise "override requires either a value or a block"
+        end
+      end
+
+      # automatic 'ip_address', '127.0.0.1'
+      # automatic [ 'pushy', 'port' ], '9000'
+      # automatic 'ip_addresses' do |existing_value|
+      #   (existing_value || []) + [ '127.0.0.1' ]
+      # end
+      # automatic 'ip_address', :delete
+      attr_accessor :automatic_modifiers
+      def automatic(attribute_path, value=NOT_PASSED, &block)
+        @automatic_modifiers ||= []
+        if value != NOT_PASSED
+          @automatic_modifiers << [ attribute_path, value ]
+        elsif block
+          @automatic_modifiers << [ attribute_path, block ]
+        else
+          raise "automatic requires either a value or a block"
+        end
+      end
+
+      # Patchy tags
+      # tag 'webserver', 'apache', 'myenvironment'
+      def tag(*tags)
+        normal 'tags' do |existing_tags|
+          existing_tags ||= []
+          tags.each do |tag|
+            if !existing_tags.include?(tag.to_s)
+              existing_tags << tag.to_s
+            end
+          end
+          existing_tags
+        end
+      end
+      def remove_tag(*tags)
+        normal 'tags' do |existing_tags|
+          if existing_tags
+            tags.each do |tag|
+              existing_tags.delete(tag.to_s)
+            end
+          end
+          existing_tags
+        end
+      end
+
+      # NON-patchy tags
+      # tags :a, :b, :c # removes all other tags
+      def tags(*tags)
+        if tags.size == 0
+          normal('tags')
+        else
+          tags = tags[0] if tags.size == 1 && tags[0].kind_of?(Array)
+          normal 'tags', tags.map { |tag| tag.to_s }
+        end
+      end
+
+
+      alias :attributes :normal_attributes
+      alias :attribute :normal
+
+      # Order matters--if two things here are in the wrong order, they will be flipped in the run list
+      # recipe 'apache', 'mysql'
+      # recipe 'recipe@version'
+      # recipe 'recipe'
+      # role ''
+      attr_accessor :run_list_modifiers
+      attr_accessor :run_list_removers
+      def recipe(*recipes)
+        if recipes.size == 0
+          raise ArgumentError, "At least one recipe must be specified"
+        end
+        @run_list_modifiers ||= []
+        @run_list_modifiers += recipes.map { |recipe| Chef::RunList::RunListItem.new("recipe[#{recipe}]") }
+      end
+      def role(*roles)
+        if roles.size == 0
+          raise ArgumentError, "At least one role must be specified"
+        end
+        @run_list_modifiers ||= []
+        @run_list_modifiers += roles.map { |role| Chef::RunList::RunListItem.new("role[#{role}]") }
+      end
+      def remove_recipe(*recipes)
+        if recipes.size == 0
+          raise ArgumentError, "At least one recipe must be specified"
+        end
+        @run_list_removers ||= []
+        @run_list_removers += recipes.map { |recipe| Chef::RunList::RunListItem.new("recipe[#{recipe}]") }
+      end
+      def remove_role(*roles)
+        if roles.size == 0
+          raise ArgumentError, "At least one role must be specified"
+        end
+        @run_list_removers ||= []
+        @run_list_removers += roles.map { |recipe| Chef::RunList::RunListItem.new("role[#{role}]") }
+      end
+    end
+  end
+end
+
+# Include all recipe objects so require 'cheffish' brings in the whole recipe DSL
+
+require 'cheffish/recipe_dsl'
+require 'chef/resource/chef_client'
+require 'chef/resource/chef_data_bag'
+require 'chef/resource/chef_data_bag_item'
+require 'chef/resource/chef_environment'
+require 'chef/resource/chef_node'
+require 'chef/resource/chef_role'
+require 'chef/resource/chef_user'
+require 'chef/resource/private_key'
+require 'chef/resource/public_key'
+require 'chef/provider/chef_client'
+require 'chef/provider/chef_data_bag'
+require 'chef/provider/chef_data_bag_item'
+require 'chef/provider/chef_environment'
+require 'chef/provider/chef_node'
+require 'chef/provider/chef_role'
+require 'chef/provider/chef_user'
+require 'chef/provider/private_key'
+require 'chef/provider/public_key'

data/lib/cheffish/actor_provider_base.rb

@@ -0,0 +1,120 @@
+require 'cheffish/key_formatter'
+require 'cheffish/chef_provider_base'
+
+class Cheffish::ActorProviderBase < Cheffish::ChefProviderBase
+
+  def create_actor
+    if new_resource.before
+      new_resource.before.call(new_resource)
+    end
+
+    # Create or update the client/user
+    current_public_key = new_json['public_key']
+    differences = json_differences(current_json, new_json)
+    if current_resource_exists?
+      # Update the actor if it's different
+      if differences.size > 0
+        description = [ "update #{actor_type} #{new_resource.name} at #{rest.url}" ] + differences
+        converge_by description do
+          result = rest.put("#{actor_type}s/#{new_resource.name}", normalize_for_put(new_json))
+          current_public_key, current_public_key_format = Cheffish::KeyFormatter.decode(result['public_key']) if result['public_key']
+        end
+      end
+    else
+      # Create the actor if it's missing
+      if !new_public_key
+        raise "You must specify a public key to create a #{actor_type}!  Use the private_key resource to create a key, and pass it in with source_key_path."
+      end
+      description = [ "create #{actor_type} #{new_resource.name} at #{rest.url}" ] + differences
+      converge_by description do
+        result = rest.post("#{actor_type}s", normalize_for_post(new_json))
+        current_public_key, current_public_key_format = Cheffish::KeyFormatter.decode(result['public_key']) if result['public_key']
+      end
+    end
+
+    # Write out the public key
+    if new_resource.output_key_path
+      # TODO use inline_resource
+      key_content = Cheffish::KeyFormatter.encode(current_public_key, { :format => new_resource.output_key_format })
+      if !current_resource.output_key_path
+        action = 'create'
+      elsif key_content != IO.read(current_resource.output_key_path)
+        action = 'overwrite'
+      else
+        action = nil
+      end
+      if action
+        converge_by "#{action} public key #{new_resource.output_key_path}" do
+          IO.write(new_resource.output_key_path, key_content)
+        end
+      end
+      # TODO permissions?
+    end
+
+    if new_resource.after
+      new_resource.after.call(self, new_json, server_private_key, server_public_key)
+    end
+  end
+
+  def delete_actor
+    if current_resource_exists?
+      converge_by "delete #{actor_type} #{new_resource.name} at #{rest.url}" do
+        rest.delete("#{actor_type}s/#{new_resource.name}")
+        Chef::Log.info("#{new_resource} deleted #{actor_type} #{new_resource.name} at #{rest.url}")
+      end
+    end
+    if current_resource.output_key_path
+      converge_by "delete public key #{current_resource.output_key_path}" do
+        ::File.unlink(current_resource.output_key_path)
+      end
+    end
+  end
+
+  def new_public_key
+    @new_public_key ||= begin
+      if new_resource.source_key
+        if new_resource.source_key.is_a?(String)
+          Cheffish::KeyFormatter.decode(new_resource.source_key)
+        elsif new_resource.source_key.private?
+          new_resource.source_key.public_key
+        else
+          new_resource.source_key
+        end
+      elsif new_resource.source_key_path
+        source_key, source_key_format = Cheffish::KeyFormatter.decode(IO.read(new_resource.source_key_path), new_resource.source_key_pass_phrase, new_resource.source_key_path)
+        if source_key.private?
+          source_key.public_key
+        else
+          source_key
+        end
+      else
+        nil
+      end
+    end
+  end
+
+  def augment_new_json(json)
+    if new_public_key
+      json['public_key'] = new_public_key.to_pem
+    end
+    json
+  end
+
+  def load_current_resource
+    begin
+      json = rest.get("#{actor_type}s/#{new_resource.name}")
+      @current_resource = json_to_resource(json)
+    rescue Net::HTTPServerException => e
+      if e.response.code == "404"
+        @current_resource = not_found_resource
+      else
+        raise
+      end
+    end
+
+    if new_resource.output_key_path && ::File.exist?(new_resource.output_key_path)
+      current_resource.output_key_path = new_resource.output_key_path
+    end
+  end
+
+end