cheffish 1.6.0 → 2.0.0

data/lib/chef/resource/chef_resolved_cookbooks.rb

@@ -1,18 +1,15 @@
-require 'chef/resource/lwrp_base'
+require 'cheffish/base_resource'
+require 'chef_zero'
 
 class Chef
   class Resource
-    class ChefResolvedCookbooks < Chef::Resource::LWRPBase
-      self.resource_name = 'chef_resolved_cookbooks'
-
-      actions :resolve, :nothing
-      default_action :resolve
+    class ChefResolvedCookbooks < Cheffish::BaseResource
+      resource_name :chef_resolved_cookbooks
 
       def initialize(*args)
         super
         require 'berkshelf'
         berksfile Berkshelf::Berksfile.new('/tmp/Berksfile')
-        chef_server run_context.cheffish.current_chef_server
         @cookbooks_from = []
       end
 
@@ -28,8 +25,42 @@ class Chef
         end
       end
 
-      attribute :berksfile
-      attribute :chef_server
+      property :berksfile
+
+      action :resolve do
+        new_resource.cookbooks_from.each do |path|
+          ::Dir.entries(path).each do |name|
+            if ::File.directory?(::File.join(path, name)) && name != '.' && name != '..'
+              new_resource.berksfile.cookbook name, :path => ::File.join(path, name)
+            end
+          end
+        end
+
+        new_resource.berksfile.install
+
+        # Ridley really really wants a key :/
+        if new_resource.chef_server[:options][:signing_key_filename]
+          new_resource.berksfile.upload(
+            :server_url => new_resource.chef_server[:chef_server_url],
+            :client_name => new_resource.chef_server[:options][:client_name],
+            :client_key => new_resource.chef_server[:options][:signing_key_filename])
+        else
+          file = Tempfile.new('privatekey')
+          begin
+            file.write(ChefZero::PRIVATE_KEY)
+            file.close
+
+            new_resource.berksfile.upload(
+              :server_url => new_resource.chef_server[:chef_server_url],
+              :client_name => new_resource.chef_server[:options][:client_name] || 'me',
+              :client_key => file.path)
+
+          ensure
+            file.close
+            file.unlink
+          end
+        end
+      end
     end
   end
 end

data/lib/chef/resource/chef_role.rb

@@ -1,38 +1,19 @@
 require 'cheffish'
-require 'chef/resource/lwrp_base'
+require 'cheffish/base_resource'
 require 'chef/run_list/run_list_item'
+require 'chef/chef_fs/data_handler/role_data_handler'
 
 class Chef
   class Resource
-    class ChefRole < Chef::Resource::LWRPBase
-      self.resource_name = 'chef_role'
+    class ChefRole < Cheffish::BaseResource
+      resource_name :chef_role
 
-      actions :create, :delete, :nothing
-      default_action :create
-
-      # Grab environment from with_environment
-      def initialize(*args)
-        super
-        chef_server run_context.cheffish.current_chef_server
-      end
-
-      attribute :name, :kind_of => String, :regex => Cheffish::NAME_REGEX, :name_attribute => true
-      attribute :description, :kind_of => String
-      attribute :run_list, :kind_of => Array # We should let them specify it as a series of parameters too
-      attribute :env_run_lists, :kind_of => Hash
-      attribute :default_attributes, :kind_of => Hash
-      attribute :override_attributes, :kind_of => Hash
-
-      # Specifies that this is a complete specification for the environment (i.e. attributes you don't specify will be
-      # reset to their defaults)
-      attribute :complete, :kind_of => [TrueClass, FalseClass]
-
-      attribute :raw_json, :kind_of => Hash
-      attribute :chef_server, :kind_of => Hash
-
-      # `NOT_PASSED` is defined in chef-12.5.0, this guard will ensure we
-      # don't redefine it if it's already there
-      NOT_PASSED=Object.new unless defined?(NOT_PASSED)
+      property :name, Cheffish::NAME_REGEX, name_property: true
+      property :description, String
+      property :run_list, Array # We should let them specify it as a series of parameters too
+      property :env_run_lists, Hash
+      property :default_attributes, Hash
+      property :override_attributes, Hash
 
       # default_attribute 'ip_address', '127.0.0.1'
       # default_attribute [ 'pushy', 'port' ], '9000'
@@ -105,6 +86,77 @@ class Chef
         @run_list_removers ||= []
         @run_list_removers += roles.map { |recipe| Chef::RunList::RunListItem.new("role[#{role}]") }
       end
+
+      action :create do
+        differences = json_differences(current_json, new_json)
+
+        if current_resource_exists?
+          if differences.size > 0
+            description = [ "update role #{new_resource.name} at #{rest.url}" ] + differences
+            converge_by description do
+              rest.put("roles/#{new_resource.name}", normalize_for_put(new_json))
+            end
+          end
+        else
+          description = [ "create role #{new_resource.name} at #{rest.url}" ] + differences
+          converge_by description do
+            rest.post("roles", normalize_for_post(new_json))
+          end
+        end
+      end
+
+      action :delete do
+        if current_resource_exists?
+          converge_by "delete role #{new_resource.name} at #{rest.url}" do
+            rest.delete("roles/#{new_resource.name}")
+          end
+        end
+      end
+
+      action_class.class_eval do
+        def load_current_resource
+          begin
+            @current_resource = json_to_resource(rest.get("roles/#{new_resource.name}"))
+          rescue Net::HTTPServerException => e
+            if e.response.code == "404"
+              @current_resource = not_found_resource
+            else
+              raise
+            end
+          end
+        end
+
+        def augment_new_json(json)
+          # Apply modifiers
+          json['run_list'] = apply_run_list_modifiers(new_resource.run_list_modifiers, new_resource.run_list_removers, json['run_list'])
+          json['default_attributes'] = apply_modifiers(new_resource.default_attribute_modifiers, json['default_attributes'])
+          json['override_attributes'] = apply_modifiers(new_resource.override_attribute_modifiers, json['override_attributes'])
+          json
+        end
+
+        #
+        # Helpers
+        #
+
+        def resource_class
+          Chef::Resource::ChefRole
+        end
+
+        def data_handler
+          Chef::ChefFS::DataHandler::RoleDataHandler.new
+        end
+
+        def keys
+          {
+            'name' => :name,
+            'description' => :description,
+            'run_list' => :run_list,
+            'env_run_lists' => :env_run_lists,
+            'default_attributes' => :default_attributes,
+            'override_attributes' => :override_attributes
+          }
+        end
+      end
     end
   end
 end

data/lib/chef/resource/chef_user.rb

@@ -1,46 +1,31 @@
 require 'cheffish'
-require 'chef/resource/lwrp_base'
+require 'cheffish/chef_actor_base'
 
 class Chef
   class Resource
-    class ChefUser < Chef::Resource::LWRPBase
-      self.resource_name = 'chef_user'
-
-      actions :create, :delete, :nothing
-      default_action :create
-
-      # Grab environment from with_environment
-      def initialize(*args)
-        super
-        chef_server run_context.cheffish.current_chef_server
-      end
+    class ChefUser < Cheffish::ChefActorBase
+      resource_name :chef_user
 
       # Client attributes
-      attribute :name, :kind_of => String, :regex => Cheffish::NAME_REGEX, :name_attribute => true
-      attribute :display_name, :kind_of => String
-      attribute :admin, :kind_of => [TrueClass, FalseClass]
-      attribute :email, :kind_of => String
-      attribute :external_authentication_uid
-      attribute :recovery_authentication_enabled, :kind_of => [TrueClass, FalseClass]
-      attribute :password, :kind_of => String # Hmm.  There is no way to idempotentize this.
-      #attribute :salt  # TODO server doesn't support sending or receiving these, but it's the only way to backup / restore a user
-      #attribute :hashed_password
-      #attribute :hash_type
+      property :name, Cheffish::NAME_REGEX, name_property: true
+      property :display_name, String
+      property :admin, Boolean
+      property :email, String
+      property :external_authentication_uid
+      property :recovery_authentication_enabled, Boolean
+      property :password, String # Hmm.  There is no way to idempotentize this.
+      #property :salt  # TODO server doesn't support sending or receiving these, but it's the only way to backup / restore a user
+      #property :hashed_password
+      #property :hash_type
 
       # Input key
-      attribute :source_key # String or OpenSSL::PKey::*
-      attribute :source_key_path, :kind_of => String
-      attribute :source_key_pass_phrase
+      property :source_key # String or OpenSSL::PKey::*
+      property :source_key_path, String
+      property :source_key_pass_phrase
 
       # Output public key (if so desired)
-      attribute :output_key_path, :kind_of => String
-      attribute :output_key_format, :kind_of => Symbol, :default => :openssh, :equal_to => [ :pem, :der, :openssh ]
-
-      # If this is set, client is not patchy
-      attribute :complete, :kind_of => [TrueClass, FalseClass]
-
-      attribute :raw_json, :kind_of => Hash
-      attribute :chef_server, :kind_of => Hash
+      property :output_key_path, String
+      property :output_key_format, [ :pem, :der, :openssh ], default: :openssh
 
       # Proc that runs just before the resource executes.  Called with (resource)
       def before(&block)
@@ -51,6 +36,52 @@ class Chef
       def after(&block)
         block ? @after = block : @after
       end
+
+
+      action :create do
+        create_actor
+      end
+
+      action :delete do
+        delete_actor
+      end
+
+      action_class.class_eval do
+        #
+        # Helpers
+        #
+        # Gives us new_json, current_json, not_found_json, etc.
+
+        def actor_type
+          'user'
+        end
+
+        def actor_path
+          "#{rest.root_url}/users"
+        end
+
+        def resource_class
+          Chef::Resource::ChefUser
+        end
+
+        def data_handler
+          Chef::ChefFS::DataHandler::UserDataHandler.new
+        end
+
+        def keys
+          {
+            'name' => :name,
+            'username' => :name,
+            'display_name' => :display_name,
+            'admin' => :admin,
+            'email' => :email,
+            'password' => :password,
+            'external_authentication_uid' => :external_authentication_uid,
+            'recovery_authentication_enabled' => :recovery_authentication_enabled,
+            'public_key' => :source_key
+          }
+        end
+      end
     end
   end
 end

data/lib/chef/resource/private_key.rb

@@ -1,38 +1,40 @@
 require 'openssl/cipher'
-require 'chef/resource/lwrp_base'
+require 'cheffish/base_resource'
+require 'openssl'
+require 'cheffish/key_formatter'
 
 class Chef
   class Resource
-    class PrivateKey < Chef::Resource::LWRPBase
-      self.resource_name = 'private_key'
+    class PrivateKey < Cheffish::BaseResource
+      resource_name :private_key
 
-      actions :create, :delete, :regenerate, :nothing
+      allowed_actions :create, :delete, :regenerate, :nothing
       default_action :create
 
       # Path to private key.  Set to :none to create the key in memory and not on disk.
-      attribute :path, :kind_of => [ String, Symbol ], :name_attribute => true
-      attribute :format, :kind_of => Symbol, :default => :pem, :equal_to => [ :pem, :der ]
-      attribute :type, :kind_of => Symbol, :default => :rsa, :equal_to => [ :rsa, :dsa ] # TODO support :ec
+      property :path, [ String, :none ], name_property: true
+      property :format, [ :pem, :der ], default: :pem
+      property :type, [ :rsa, :dsa ], default: :rsa # TODO support :ec
       # These specify an optional public_key you can spit out if you want.
-      attribute :public_key_path, :kind_of => String
-      attribute :public_key_format, :kind_of => Symbol, :default => :openssh, :equal_to => [ :openssh, :pem, :der ]
+      property :public_key_path, String
+      property :public_key_format, [ :openssh, :pem, :der ], default: :openssh
       # Specify this if you want to copy another private key but give it a different format / password
-      attribute :source_key
-      attribute :source_key_path, :kind_of => String
-      attribute :source_key_pass_phrase
+      property :source_key
+      property :source_key_path, String
+      property :source_key_pass_phrase
 
       # RSA and DSA
-      attribute :size, :kind_of => Integer, :default => 2048
+      property :size, Integer, default: 2048
 
       # RSA-only
-      attribute :exponent, :kind_of => Integer # For RSA
+      property :exponent, Integer # For RSA
 
       # PEM-only
-      attribute :pass_phrase, :kind_of => String
-      attribute :cipher, :kind_of => String, :default => 'DES-EDE3-CBC', :equal_to => OpenSSL::Cipher.ciphers
+      property :pass_phrase, String
+      property :cipher, OpenSSL::Cipher.ciphers, default: 'DES-EDE3-CBC'
 
       # Set this to regenerate the key if it does not have the desired characteristics (like size, type, etc.)
-      attribute :regenerate_if_different, :kind_of => [TrueClass, FalseClass]
+      property :regenerate_if_different, Boolean
 
       # Proc that runs after the resource completes.  Called with (resource, private_key)
       def after(&block)
@@ -43,6 +45,217 @@ class Chef
       def load_prior_resource(*args)
         Chef::Log.debug("Overloading #{resource_name}.load_prior_resource with NOOP")
       end
+
+
+      action :create do
+        create_key(false, :create)
+      end
+
+      action :regenerate do
+        create_key(true, :regenerate)
+      end
+
+      action :delete do
+        if current_resource.path
+          converge_by "delete private key #{new_path}" do
+            ::File.unlink(new_path)
+          end
+        end
+      end
+
+      action_class.class_eval do
+        def create_key(regenerate, action)
+          if @should_create_directory
+            Cheffish.inline_resource(self, action) do
+              directory run_context.config[:private_key_write_path]
+            end
+          end
+
+          final_private_key = nil
+          if new_source_key
+            #
+            # Create private key from source
+            #
+            desired_output = encode_private_key(new_source_key)
+            if current_resource.path == :none || desired_output != IO.read(new_path)
+              converge_by "reformat key at #{new_resource.source_key_path} to #{new_resource.format} private key #{new_path} (#{new_resource.pass_phrase ? ", #{new_resource.cipher} password" : ""})" do
+                IO.write(new_path, desired_output)
+              end
+            end
+
+            final_private_key = new_source_key
+
+          else
+            #
+            # Generate a new key
+            #
+            if current_resource.action == [ :delete ] || regenerate ||
+              (new_resource.regenerate_if_different &&
+                (!current_private_key ||
+                 current_resource.size != new_resource.size ||
+                 current_resource.type != new_resource.type))
+
+             case new_resource.type
+              when :rsa
+                if new_resource.exponent
+                  final_private_key = OpenSSL::PKey::RSA.generate(new_resource.size, new_resource.exponent)
+                else
+                  final_private_key = OpenSSL::PKey::RSA.generate(new_resource.size)
+                end
+              when :dsa
+                final_private_key = OpenSSL::PKey::DSA.generate(new_resource.size)
+              end
+
+              generated_key = true
+            elsif !current_private_key
+              raise "Could not read private key from #{current_resource.path}: missing pass phrase?"
+            else
+              final_private_key = current_private_key
+              generated_key = false
+            end
+
+            if generated_key
+              generated_description = " (#{new_resource.size} bits#{new_resource.pass_phrase ? ", #{new_resource.cipher} password" : ""})"
+
+              if new_path != :none
+                action = current_resource.path == :none ? 'create' : 'overwrite'
+                converge_by "#{action} #{new_resource.type} private key #{new_path}#{generated_description}" do
+                  write_private_key(final_private_key)
+                end
+              else
+                converge_by "generate private key#{generated_description}" do
+                end
+              end
+            else
+              # Warn if existing key has different characteristics than expected
+              if current_resource.size != new_resource.size
+                Chef::Log.warn("Mismatched key size!  #{current_resource.path} is #{current_resource.size} bytes, desired is #{new_resource.size} bytes.  Use action :regenerate to force key regeneration.")
+              elsif current_resource.type != new_resource.type
+                Chef::Log.warn("Mismatched key type!  #{current_resource.path} is #{current_resource.type}, desired is #{new_resource.type} bytes.  Use action :regenerate to force key regeneration.")
+              end
+
+              if current_resource.format != new_resource.format
+                converge_by "change format of #{new_resource.type} private key #{new_path} from #{current_resource.format} to #{new_resource.format}" do
+                  write_private_key(current_private_key)
+                end
+              elsif (@current_file_mode & 0077) != 0
+                new_mode = @current_file_mode & 07700
+                converge_by "change mode of private key #{new_path} to #{new_mode.to_s(8)}" do
+                  ::File.chmod(new_mode, new_path)
+                end
+              end
+            end
+          end
+
+          if new_resource.public_key_path
+            public_key_path = new_resource.public_key_path
+            public_key_format = new_resource.public_key_format
+            Cheffish.inline_resource(self, action) do
+              public_key public_key_path do
+                source_key final_private_key
+                format public_key_format
+              end
+            end
+          end
+
+          if new_resource.after
+            new_resource.after.call(new_resource, final_private_key)
+          end
+        end
+
+        def encode_private_key(key)
+          key_format = {}
+          key_format[:format] = new_resource.format if new_resource.format
+          key_format[:pass_phrase] = new_resource.pass_phrase if new_resource.pass_phrase
+          key_format[:cipher] = new_resource.cipher if new_resource.cipher
+          Cheffish::KeyFormatter.encode(key, key_format)
+        end
+
+        def write_private_key(key)
+          ::File.open(new_path, 'w') do |file|
+            file.chmod(0600)
+            file.write(encode_private_key(key))
+          end
+        end
+
+        def new_source_key
+          @new_source_key ||= begin
+            if new_resource.source_key.is_a?(String)
+              source_key, source_key_format = Cheffish::KeyFormatter.decode(new_resource.source_key, new_resource.source_key_pass_phrase)
+              source_key
+            elsif new_resource.source_key
+              new_resource.source_key
+            elsif new_resource.source_key_path
+              source_key, source_key_format = Cheffish::KeyFormatter.decode(IO.read(new_resource.source_key_path), new_resource.source_key_pass_phrase, new_resource.source_key_path)
+              source_key
+            else
+              nil
+            end
+          end
+        end
+
+        attr_reader :current_private_key
+
+        def new_path
+          new_key_with_path[1]
+        end
+
+        def new_key_with_path
+          path = new_resource.path
+          if path.is_a?(Symbol)
+            return [ nil, path ]
+          elsif Pathname.new(path).relative?
+            private_key, private_key_path = Cheffish.get_private_key_with_path(path, run_context.config)
+            if private_key
+              return [ private_key, (private_key_path || :none) ]
+            elsif run_context.config[:private_key_write_path]
+              @should_create_directory = true
+              path = ::File.join(run_context.config[:private_key_write_path], path)
+              return [ nil, path ]
+            else
+              raise "Could not find key #{path} and Chef::Config.private_key_write_path is not set."
+            end
+          elsif ::File.exist?(path)
+            return [ IO.read(path), path ]
+          else
+            return [ nil, path ]
+          end
+        end
+
+        def load_current_resource
+          resource = Chef::Resource::PrivateKey.new(new_resource.name, run_context)
+
+          new_key, new_path = new_key_with_path
+          if new_path != :none && ::File.exist?(new_path)
+            resource.path new_path
+            @current_file_mode = ::File.stat(new_path).mode
+          else
+            resource.path :none
+          end
+
+          if new_key
+            begin
+              key, key_format = Cheffish::KeyFormatter.decode(new_key, new_resource.pass_phrase, new_path)
+              if key
+                @current_private_key = key
+                resource.format key_format[:format]
+                resource.type key_format[:type]
+                resource.size key_format[:size]
+                resource.exponent key_format[:exponent]
+                resource.pass_phrase key_format[:pass_phrase]
+                resource.cipher key_format[:cipher]
+              end
+            rescue
+              # If there's an error reading, we assume format and type are wrong and don't futz with them
+              Chef::Log.warn("Error reading #{new_path}: #{$!}")
+            end
+          else
+            resource.action :delete
+          end
+
+          @current_resource = resource
+        end
+      end
     end
   end
 end