cheffish 0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 0512c4f800b394e72ccee8479c30444f491433c6
+  data.tar.gz: 85a52358428a51a00c4d4f70952cc0d57e76ec82
+SHA512:
+  metadata.gz: ed5ae7503d424bd77886cd56d5e282d113964d7ab79e73def85583aea4071e9cf1ad4556d2c9af0e4d382f873d542f5950d1b7fc0634920589b40ffce76606a4
+  data.tar.gz: ca0aeb3416e9847ca03f9258c5e6f66411bf1bb69ad3e0f83255e601ed13781ceff23cb66e14a6aebe5ee211ccab1cd74186180230c97e8e9dacdf989b04adbd

data/LICENSE

@@ -0,0 +1,201 @@
+                              Apache License
+                        Version 2.0, January 2004
+                     http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+   To apply the Apache License to your work, attach the following
+   boilerplate notice, with the fields enclosed by brackets "[]"
+   replaced with your own identifying information. (Don't include
+   the brackets!)  The text should be enclosed in the appropriate
+   comment syntax for the file format. We also recommend that a
+   file or class name and description of purpose be included on the
+   same "printed page" as the copyright notice for easier
+   identification within third-party archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,4 @@
+Cheffish
+========
+
+This library lets you manipulate Chef in Chef.

data/Rakefile

@@ -0,0 +1,23 @@
+require 'bundler'
+require 'rubygems'
+require 'rubygems/package_task'
+require 'rdoc/task'
+require 'rspec/core/rake_task'
+
+Bundler::GemHelper.install_tasks
+
+task :default => :spec
+
+desc "Run specs"
+RSpec::Core::RakeTask.new(:spec) do |spec|
+  spec.pattern = 'spec/**/*_spec.rb'
+end
+
+gem_spec = eval(File.read("cheffish.gemspec"))
+
+RDoc::Task.new do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "cheffish #{gem_spec.version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/lib/chef/provider/chef_client.rb

@@ -0,0 +1,44 @@
+require 'cheffish/actor_provider_base'
+require 'chef/resource/chef_client'
+require 'chef/chef_fs/data_handler/client_data_handler'
+
+class Chef::Provider::ChefClient < Cheffish::ActorProviderBase
+
+  def whyrun_supported?
+    true
+  end
+
+  def actor_type
+    'client'
+  end
+
+  action :create do
+    create_actor
+  end
+
+  action :delete do
+    delete_actor
+  end
+
+  #
+  # Helpers
+  #
+
+  def resource_class
+    Chef::Resource::ChefClient
+  end
+
+  def data_handler
+    Chef::ChefFS::DataHandler::ClientDataHandler.new
+  end
+
+  def keys
+    {
+      'name' => :name,
+      'admin' => :admin,
+      'validator' => :validator,
+      'public_key' => :source_key
+    }
+  end
+
+end

data/lib/chef/provider/chef_data_bag.rb

@@ -0,0 +1,50 @@
+require 'cheffish/chef_provider_base'
+require 'chef/resource/chef_data_bag'
+
+class Chef::Provider::ChefDataBag < Cheffish::ChefProviderBase
+
+  def whyrun_supported?
+    true
+  end
+
+  action :create do
+    if !current_resource_exists?
+      converge_by "create data bag #{new_resource.name} at #{rest.url}" do
+        rest.post("data", { 'name' => new_resource.name })
+      end
+    end
+  end
+
+  action :delete do
+    if current_resource_exists?
+      converge_by "delete data bag #{new_resource.name} at #{rest.url}" do
+        rest.delete("data/#{new_resource.name}")
+      end
+    end
+  end
+
+  def load_current_resource
+    begin
+      @current_resource = json_to_resource(rest.get("data/#{new_resource.name}"))
+    rescue Net::HTTPServerException => e
+      if e.response.code == "404"
+        @current_resource = not_found_resource
+      else
+        raise
+      end
+    end
+  end
+
+  #
+  # Helpers
+  #
+  # Gives us new_json, current_json, not_found_json, etc.
+
+  def resource_class
+    Chef::Resource::ChefDataBag
+  end
+
+  def json_to_resource(json)
+    Chef::Resource::ChefDataBag.new(json['name'])
+  end
+end

data/lib/chef/provider/chef_data_bag_item.rb

@@ -0,0 +1,273 @@
+require 'cheffish/chef_provider_base'
+require 'chef/resource/chef_data_bag_item'
+require 'chef/chef_fs/data_handler/data_bag_item_data_handler'
+require 'chef/encrypted_data_bag_item'
+
+class Chef::Provider::ChefDataBagItem < Cheffish::ChefProviderBase
+
+  def whyrun_supported?
+    true
+  end
+
+  action :create do
+    differences = calculate_differences
+
+    if current_resource_exists?
+      if differences.size > 0
+        description = [ "update data bag item #{new_resource.id} at #{rest.url}" ] + differences
+        converge_by description do
+          rest.put("data/#{new_resource.data_bag}/#{new_resource.id}", normalize_for_put(new_json))
+        end
+      end
+    else
+      description = [ "create data bag item #{new_resource.id} at #{rest.url}" ] + differences
+      converge_by description do
+        rest.post("data/#{new_resource.data_bag}", normalize_for_post(new_json))
+      end
+    end
+  end
+
+  action :delete do
+    if current_resource_exists?
+      converge_by "delete data bag item #{new_resource.id} at #{rest.url}" do
+        rest.delete("data/#{new_resource.data_bag}/#{new_resource.id}")
+      end
+    end
+  end
+
+  def load_current_resource
+    begin
+      json = rest.get("data/#{new_resource.data_bag}/#{new_resource.id}")
+      resource = Chef::Resource::ChefDataBagItem.new(new_resource.name)
+      resource.raw_data json
+      @current_resource = resource
+    rescue Net::HTTPServerException => e
+      if e.response.code == "404"
+        @current_resource = not_found_resource
+      else
+        raise
+      end
+    end
+
+    # Determine if data bag is encrypted and if so, what its version is
+    first_real_key, first_real_value = (current_resource.raw_data || {}).select { |key, value| key != 'id' && !value.nil? }.first
+    if first_real_value
+      if first_real_value.is_a?(Hash) &&
+         first_real_value['version'].is_a?(Integer) &&
+         first_real_value['version'] > 0 &&
+         first_real_value.has_key?('encrypted_data')
+
+        current_resource.encrypt true
+        current_resource.encryption_version first_real_value['version']
+
+        decrypt_error = nil
+
+        # Check if the desired secret is the one (which it generally should be)
+
+        if new_resource.secret || new_resource.secret_path
+          begin
+            Chef::EncryptedDataBagItem::Decryptor.for(first_real_value, new_secret).for_decrypted_item
+            current_resource.secret new_secret
+          rescue Chef::EncryptedDataBagItem::DecryptionFailure
+            decrypt_error = $!
+          end
+        end
+
+        # If the current secret doesn't work, look through the specified old secrets
+
+        if !current_resource.secret
+          old_secrets = []
+          if new_resource.old_secret
+            old_secrets += Array(new_resource.old_secret)
+          end
+          if new_resource.old_secret_path
+            old_secrets += Array(new_resource.old_secret_path).map do |secret_path|
+              Chef::EncryptedDataBagItem.load_secret(new_resource.old_secret_file)
+            end
+          end
+          old_secrets.each do |secret|
+            begin
+              Chef::EncryptedDataBagItem::Decryptor.for(first_real_value, secret).for_decrypted_item
+              current_resource.secret secret
+            rescue Chef::EncryptedDataBagItem::DecryptionFailure
+              decrypt_error = $!
+            end
+          end
+
+          # If we couldn't figure out the secret, emit a warning (this isn't a fatal flaw unless we
+          # need to reuse one of the values from the data bag)
+          if !current_resource.secret
+            if decrypt_error
+              Chef::Log.warn "Existing data bag is encrypted, but could not decrypt: #{decrypt_error.message}."
+            else
+              Chef::Log.warn "Existing data bag is encrypted, but no secret was specified."
+            end
+          end
+        end
+      end
+    else
+
+      # There are no encryptable values, so pretend encryption is the same as desired
+
+      current_resource.encrypt new_resource.encrypt
+      current_resource.encryption_version new_resource.encryption_version
+      if new_resource.secret || new_resource.secret_path
+        current_resource.secret new_secret
+      end
+    end
+  end
+
+  def new_json
+    @new_json ||= begin
+      if new_encrypt
+        # Encrypt new stuff
+        result = encrypt(new_decrypted, new_secret, new_resource.encryption_version)
+      else
+        result = new_decrypted
+      end
+      result
+    end
+  end
+
+  def new_encrypt
+    new_resource.encrypt.nil? ? current_resource.encrypt : new_resource.encrypt
+  end
+
+  def new_secret
+    @new_secret ||= begin
+      if new_resource.secret
+        new_resource.secret
+      elsif new_resource.secret_path
+        Chef::EncryptedDataBagItem.load_secret(new_resource.secret_path)
+      elsif new_resource.encrypt.nil?
+        current_resource.secret
+      else
+        raise "Data bag item #{new_resource.name} has encryption on but no secret or secret_path is specified"
+      end
+    end
+  end
+
+  def decrypt(json, secret)
+    Chef::EncryptedDataBagItem.new(json, secret).to_hash
+  end
+
+  def encrypt(json, secret, version)
+    old_version = Chef::Config[:data_bag_encrypt_version]
+    Chef::Config[:data_bag_encrypt_version] = version
+    begin
+      Chef::EncryptedDataBagItem.encrypt_data_bag_item(json, secret)
+    ensure
+      Chef::Config[:data_bag_encrypt_version] = old_version
+    end
+  end
+
+  # Get the desired (new) json pre-encryption, for comparison purposes
+  def new_decrypted
+    @new_decrypted ||= begin
+      if new_resource.complete
+        result = new_resource.raw_data || {}
+      else
+        result = current_decrypted.merge(new_resource.raw_data || {})
+      end
+      result['id'] = new_resource.id
+      apply_modifiers(new_resource.raw_data_modifiers, result)
+    end
+  end
+
+  # Get the current json decrypted, for comparison purposes
+  def current_decrypted
+    @current_decrypted ||= begin
+      if current_resource.secret
+        decrypt(current_resource.raw_data || { 'id' => new_resource.id }, current_resource.secret)
+      elsif current_resource.encrypt
+        raise "Could not decrypt current data bag item #{current_resource.name}"
+      else
+        current_resource.raw_data || { 'id' => new_resource.id }
+      end
+    end
+  end
+
+  # Figure out the differences between new and current
+  def calculate_differences
+    if new_encrypt
+      if current_resource.encrypt
+        # Both are encrypted, check if the encryption type is the same
+        description = ''
+        if new_secret != current_resource.secret
+          description << ' with new secret'
+        end
+        if new_resource.encryption_version != current_resource.encryption_version
+          description << " from v#{current_resource.encryption_version} to v#{new_resource.encryption_version} encryption"
+        end
+
+        if description != ''
+          # Encryption is different, we're reencrypting
+          differences = [ "re-encrypt#{description}"]
+        else
+          # Encryption is the same, we're just updating
+          differences = []
+        end
+      else
+        # New stuff should be encrypted, old is not.  Encrypting.
+        differences = [ "encrypt with v#{new_resource.encryption_version} encryption" ]
+      end
+
+      # Get differences in the actual json
+      if current_resource.secret
+        json_differences(current_decrypted, new_decrypted, false, '', differences)
+      elsif current_resource.encrypt
+        # Encryption is different and we can't read the old values.  Only allow the change
+        # if we're overwriting the data bag item
+        if !new_resource.complete
+          raise "Cannot encrypt #{new_resource.name} due to failure to decrypt existing resource.  Set 'complete true' to overwrite or add the old secret as old_secret / old_secret_path."
+        end
+        differences = [ "overwrite data bag item (cannot decrypt old data bag item)"]
+        differences = (new_resource.raw_data.keys & current_resource.raw_data.keys).map { |key| "overwrite #{key}"}
+        differences += (new_resource.raw_data.keys - current_resource.raw_data.keys).map { |key| "add #{key}"}
+        differences += (current_resource.raw_data.keys - new_resource.raw_data.keys).map { |key| "remove #{key}" }
+      else
+        json_differences(current_decrypted, new_decrypted, false, '', differences)
+      end
+    else
+      if current_resource.encrypt
+        # New stuff should not be encrypted, old is.  Decrypting.
+        differences = [ "decrypt data bag item to plaintext" ]
+      else
+        differences = []
+      end
+      json_differences(current_decrypted, new_decrypted, true, '', differences)
+    end
+    differences
+  end
+
+  #
+  # Helpers
+  #
+
+  def resource_class
+    Chef::Resource::ChefDataBagItem
+  end
+
+  def data_handler
+    Chef::ChefFS::DataHandler::DataBagItemDataHandler.new
+  end
+
+  def keys
+    {
+      'id' => :id,
+      'data_bag' => :data_bag,
+      'raw_data' => :raw_data
+    }
+  end
+
+  def not_found_resource
+    resource = super
+    resource.data_bag new_resource.data_bag
+    resource
+  end
+
+  def fake_entry
+    FakeEntry.new("#{new_resource.id}.json", FakeEntry.new(new_resource.data_bag))
+  end
+
+end