cheffish 1.6.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4289cc92396d079a533cb15440e7179a55f18ba4
-  data.tar.gz: 2dc7c782e3906f0f01306e7bb88c2707eaf94d2e
+  metadata.gz: 06975d4c508e765ad2bd0a254a91344cd1e61f00
+  data.tar.gz: f101d6fe5aa74c19468480c786d27d4f3ac6e3ee
 SHA512:
-  metadata.gz: 9500d8446ad6de7ef42f99907894bf66327363f6c816b9a2a392f0681b45c3f6c04c2a56bea8c4d8aecc1603ab0719704a0dac09a9f9d34a628a3628f101f03f
-  data.tar.gz: d90933e816465955d008d384dc59ba6c0ef6215e0cfe658d8d3bbe19ebf0aac8da141e8fc9bec5b43744aedcab63be580dc99293b170400330536e4b9d60a3c1
+  metadata.gz: cfc31b3af5cc86a27a1c8a99db39826a86fff517c0ecb5be97ba872e95a65d533d3b0760b652e725a2fa2e47640d45cc0dab1c0fc0450f20d9f73b366700fcef
+  data.tar.gz: dbf36a51dbef80937d885d7c48b9765aea6c77bd7142137eaa03e991b23032ff660902b5dea0c2d1cb3a055eeea552880984b7526aa106ba987858808cb4fd9d

data/cheffish.gemspec

@@ -13,6 +13,7 @@ Gem::Specification.new do |s|
   s.homepage = 'http://github.com/chef/cheffish'
 
   s.add_dependency 'chef-zero', '~> 4.3'
+  s.add_dependency 'compat_resource'
 
   s.add_development_dependency 'chef', '~> 12.2'
   s.add_development_dependency 'rake'

data/lib/chef/resource/chef_acl.rb

@@ -1,35 +1,23 @@
 require 'cheffish'
-require 'chef/resource/lwrp_base'
+require 'cheffish/base_resource'
+require 'chef/chef_fs/data_handler/acl_data_handler'
+require 'chef/chef_fs/parallelizer'
+require 'uri'
 
 class Chef
   class Resource
-    class ChefAcl < Chef::Resource::LWRPBase
-      self.resource_name = 'chef_acl'
-
-      actions :create, :nothing
-      default_action :create
-
-      def initialize(*args)
-        super
-        chef_server run_context.cheffish.current_chef_server
-      end
+    class ChefAcl < Cheffish::BaseResource
+      resource_name :chef_acl
 
       # Path of the thing being secured, e.g. nodes, nodes/*, nodes/mynode,
       # */*, **, roles/base, data/secrets, cookbooks/apache2, /users/*,
       # /organizations/foo/nodes/x
-      attribute :path, :kind_of => String, :name_attribute => true
+      property :path, String, name_property: true
 
       # Whether to change things recursively.  true means it will descend all children
       # and make the same modifications to them.  :on_change will only descend if
       # the parent has changed.  :on_change is the default.
-      attribute :recursive, :equal_to => [ true, false, :on_change ], :default => :on_change
-
-      # Specifies that this is a complete specification for the acl (i.e. rights
-      # you don't specify will be reset to their defaults)
-      attribute :complete, :kind_of => [TrueClass, FalseClass]
-
-      attribute :raw_json, :kind_of => Hash
-      attribute :chef_server, :kind_of => Hash
+      property :recursive, [ true, false, :on_change ], default: :on_change
 
       # rights :read, :users => 'jkeiser', :groups => [ 'admins', 'users' ]
       # rights [ :create, :read ], :users => [ 'jkeiser', 'adam' ]
@@ -64,6 +52,438 @@ class Chef
           @remove_rights << args
         end
       end
+
+      action :create do
+        if new_resource.remove_rights && new_resource.complete
+          Chef::Log.warn("'remove_rights' is redundant when 'complete' is specified: all rights not specified in a 'rights' declaration will be removed.")
+        end
+        # Verify that we're not destroying all hope of ACL recovery here
+        if new_resource.complete && (!new_resource.rights || !new_resource.rights.any? { |r| r[:permissions].include?(:all) || r[:permissions].include?(:grant) })
+          # NOTE: if superusers exist, this should turn into a warning.
+          raise "'complete' specified on chef_acl resource, but no GRANT permissions were granted.  I'm sorry Dave, I can't let you remove all access to an object with no hope of recovery."
+        end
+
+        # Find all matching paths so we can update them (resolve * and **)
+        paths = match_paths(new_resource.path)
+        if paths.size == 0 && !new_resource.path.split('/').any? { |p| p == '*' }
+          raise "Path #{new_resource.path} cannot have an ACL set on it!"
+        end
+
+        # Go through the matches and update the ACLs for them
+        paths.each do |path|
+          create_acl(path)
+        end
+      end
+
+      action_class.class_eval do
+        # Update the ACL if necessary.
+        def create_acl(path)
+          changed = false
+          # There may not be an ACL path for some valid paths (/ and /organizations,
+          # for example).  We want to recurse into these, but we don't want to try to
+          # update nonexistent ACLs for them.
+          acl = acl_path(path)
+          if acl
+            # It's possible to make a custom container
+            current_json = current_acl(acl)
+            if current_json
+
+              # Compare the desired and current json for the ACL, and update if different.
+              modify = {}
+              desired_acl(acl).each do |permission, desired_json|
+                differences = json_differences(sort_values(current_json[permission]), sort_values(desired_json))
+
+                if differences.size > 0
+                  # Verify we aren't trying to destroy grant permissions
+                  if permission == 'grant' && desired_json['actors'] == [] && desired_json['groups'] == []
+                    # NOTE: if superusers exist, this should turn into a warning.
+                    raise "chef_acl attempted to remove all actors from GRANT!  I'm sorry Dave, I can't let you remove access to an object with no hope of recovery."
+                  end
+                  modify[differences] ||= {}
+                  modify[differences][permission] = desired_json
+                end
+              end
+
+              if modify.size > 0
+                changed = true
+                description = [ "update acl #{path} at #{rest_url(path)}" ] + modify.map do |diffs, permissions|
+                  diffs.map { |diff| "  #{permissions.keys.join(', ')}:#{diff}" }
+                end.flatten(1)
+                converge_by description do
+                  modify.values.each do |permissions|
+                    permissions.each do |permission, desired_json|
+                      rest.put(rest_url("#{acl}/#{permission}"), { permission => desired_json })
+                    end
+                  end
+                end
+              end
+            end
+          end
+
+          # If we have been asked to recurse, do so.
+          # If recurse is on_change, then we will recurse if there is no ACL, or if
+          # the ACL has changed.
+          if new_resource.recursive == true || (new_resource.recursive == :on_change && (!acl || changed))
+            children, error = list(path, '*')
+            Chef::ChefFS::Parallelizer.parallel_do(children) do |child|
+              next if child.split('/')[-1] == 'containers'
+              create_acl(child)
+            end
+            # containers mess up our descent, so we do them last
+            Chef::ChefFS::Parallelizer.parallel_do(children) do |child|
+              next if child.split('/')[-1] != 'containers'
+              create_acl(child)
+            end
+
+          end
+        end
+
+        # Get the current ACL for the given path
+        def current_acl(acl_path)
+          @current_acls ||= {}
+          if !@current_acls.has_key?(acl_path)
+            @current_acls[acl_path] = begin
+              rest.get(rest_url(acl_path))
+            rescue Net::HTTPServerException => e
+              unless e.response.code == '404' && new_resource.path.split('/').any? { |p| p == '*' }
+                raise
+              end
+            end
+          end
+          @current_acls[acl_path]
+        end
+
+        # Get the desired acl for the given acl path
+        def desired_acl(acl_path)
+          result = new_resource.raw_json ? new_resource.raw_json.dup : {}
+
+          # Calculate the JSON based on rights
+          add_rights(acl_path, result)
+
+          if new_resource.complete
+            result = Chef::ChefFS::DataHandler::AclDataHandler.new.normalize(result, nil)
+          else
+            # If resource is incomplete, use current json to fill any holes
+            current_acl(acl_path).each do |permission, perm_hash|
+              if !result[permission]
+                result[permission] = perm_hash.dup
+              else
+                result[permission] = result[permission].dup
+                perm_hash.each do |type, actors|
+                  if !result[permission][type]
+                    result[permission][type] = actors
+                  else
+                    result[permission][type] = result[permission][type].dup
+                    result[permission][type] |= actors
+                  end
+                end
+              end
+            end
+
+            remove_rights(result)
+          end
+          result
+        end
+
+        def sort_values(json)
+          json.each do |key, value|
+            json[key] = value.sort if value.is_a?(Array)
+          end
+          json
+        end
+
+        def add_rights(acl_path, json)
+          if new_resource.rights
+            new_resource.rights.each do |rights|
+              if rights[:permissions].delete(:all)
+                rights[:permissions] |= current_acl(acl_path).keys
+              end
+
+              Array(rights[:permissions]).each do |permission|
+                ace = json[permission.to_s] ||= {}
+                # WTF, no distinction between users and clients?  The Chef API doesn't
+                # let us distinguish, so we have no choice :/  This means that:
+                # 1. If you specify :users => 'foo', and client 'foo' exists, it will
+                #    pick that (whether user 'foo' exists or not)
+                # 2. If you specify :clients => 'foo', and user 'foo' exists but
+                #    client 'foo' does not, it will pick user 'foo' and put it in the
+                #    ACL
+                # 3. If an existing item has user 'foo' on it and you specify :clients
+                #    => 'foo' instead, idempotence will not notice that anything needs
+                #    to be updated and nothing will happen.
+                if rights[:users]
+                  ace['actors'] ||= []
+                  ace['actors'] |= Array(rights[:users])
+                end
+                if rights[:clients]
+                  ace['actors'] ||= []
+                  ace['actors'] |= Array(rights[:clients])
+                end
+                if rights[:groups]
+                  ace['groups'] ||= []
+                  ace['groups'] |= Array(rights[:groups])
+                end
+              end
+            end
+          end
+        end
+
+        def remove_rights(json)
+          if new_resource.remove_rights
+            new_resource.remove_rights.each do |rights|
+              rights[:permissions].each do |permission|
+                if permission == :all
+                  json.each_key do |key|
+                    ace = json[key] = json[key.dup]
+                    ace['actors'] = ace['actors'] - Array(rights[:users])   if rights[:users]   && ace['actors']
+                    ace['actors'] = ace['actors'] - Array(rights[:clients]) if rights[:clients] && ace['actors']
+                    ace['groups'] = ace['groups'] - Array(rights[:groups])  if rights[:groups]  && ace['groups']
+                  end
+                else
+                  ace = json[permission.to_s] = json[permission.to_s].dup
+                  if ace
+                    ace['actors'] = ace['actors'] - Array(rights[:users])   if rights[:users]   && ace['actors']
+                    ace['actors'] = ace['actors'] - Array(rights[:clients]) if rights[:clients] && ace['actors']
+                    ace['groups'] = ace['groups'] - Array(rights[:groups])  if rights[:groups]  && ace['groups']
+                  end
+                end
+              end
+            end
+          end
+        end
+
+        def load_current_resource
+        end
+
+        #
+        # Matches chef_acl paths like nodes, nodes/*.
+        #
+        # == Examples
+        # match_paths('nodes'): [ 'nodes' ]
+        # match_paths('nodes/*'): [ 'nodes/x', 'nodes/y', 'nodes/z' ]
+        # match_paths('*'): [ 'clients', 'environments', 'nodes', 'roles', ... ]
+        # match_paths('/'): [ '/' ]
+        # match_paths(''): [ '' ]
+        # match_paths('/*'): [ '/organizations', '/users' ]
+        # match_paths('/organizations/*/*'): [ '/organizations/foo/clients', '/organizations/foo/environments', ..., '/organizations/bar/clients', '/organizations/bar/environments', ... ]
+        #
+        def match_paths(path)
+          # Turn multiple slashes into one
+          # nodes//x -> nodes/x
+          path = path.gsub(/[\/]+/, '/')
+          # If it's absolute, start the matching with /.  If it's relative, start with '' (relative root).
+          if path[0] == '/'
+            matches = [ '/' ]
+          else
+            matches = [ '' ]
+          end
+
+          # Split the path, and get rid of the empty path at the beginning and end
+          # (/a/b/c/ -> [ 'a', 'b', 'c' ])
+          parts = path.split('/').select { |x| x != '' }.to_a
+
+          # Descend until we find the matches:
+          # path = 'a/b/c'
+          # parts = [ 'a', 'b', 'c' ]
+          # Starting matches = [ '' ]
+          parts.each_with_index do |part, index|
+            # For each match, list <match>/<part> and set matches to that.
+            #
+            # Example: /*/foo
+            # 1. To start,
+            #    matches = [ '/' ], part = '*'.
+            #    list('/', '*')                = [ '/organizations, '/users' ]
+            # 2. matches = [ '/organizations', '/users' ], part = 'foo'
+            #    list('/organizations', 'foo') = [ '/organizations/foo' ]
+            #    list('/users', 'foo')         = [ '/users/foo' ]
+            #
+            # Result: /*/foo = [ '/organizations/foo', '/users/foo' ]
+            #
+            matches = Chef::ChefFS::Parallelizer.parallelize(matches) do |path|
+              found, error = list(path, part)
+              if error
+                if parts[0..index-1].all? { |p| p != '*' }
+                  raise error
+                end
+                []
+              else
+                found
+              end
+            end.flatten(1).to_a
+          end
+
+          matches
+        end
+
+        #
+        # Takes a normal path and finds the Chef path to get / set its ACL.
+        #
+        # nodes/x -> nodes/x/_acl
+        # nodes -> containers/nodes/_acl
+        # '' -> organizations/_acl (the org acl)
+        # /organizations/foo -> /organizations/foo/organizations/_acl
+        # /users/foo -> /users/foo/_acl
+        # /organizations/foo/nodes/x -> /organizations/foo/nodes/x/_acl
+        #
+        def acl_path(path)
+          parts = path.split('/').select { |x| x != '' }.to_a
+          prefix = (path[0] == '/') ? '/' : ''
+
+          case parts.size
+          when 0
+            # /, empty (relative root)
+            # The root of the server has no publicly visible ACLs.  Only nodes/*, etc.
+            if prefix == ''
+              ::File.join('organizations', '_acl')
+            end
+
+          when 1
+            # nodes, roles, etc.
+            # The top level organizations and users containers have no publicly
+            # visible ACLs.  Only nodes/*, etc.
+            if prefix == ''
+              ::File.join('containers', path, '_acl')
+            end
+
+          when 2
+            # /organizations/NAME, /users/NAME, nodes/NAME, roles/NAME, etc.
+            if prefix == '/' && parts[0] == 'organizations'
+              ::File.join(path, 'organizations', '_acl')
+            else
+              ::File.join(path, '_acl')
+            end
+
+          when 3
+            # /organizations/NAME/nodes, cookbooks/NAME/VERSION, etc.
+            if prefix == '/'
+              ::File.join('/', parts[0], parts[1], 'containers', parts[2], '_acl')
+            else
+              ::File.join(parts[0], parts[1], '_acl')
+            end
+
+          when 4
+            # /organizations/NAME/nodes/NAME, cookbooks/NAME/VERSION/BLAH
+            # /organizations/NAME/nodes/NAME, cookbooks/NAME/VERSION, etc.
+            if prefix == '/'
+              ::File.join(path, '_acl')
+            else
+              ::File.join(parts[0], parts[1], '_acl')
+            end
+
+          else
+            # /organizations/NAME/cookbooks/NAME/VERSION/..., cookbooks/NAME/VERSION/A/B/...
+            if prefix == '/'
+              ::File.join('/', parts[0], parts[1], parts[2], parts[3], '_acl')
+            else
+              ::File.join(parts[0], parts[1], '_acl')
+            end
+          end
+        end
+
+        #
+        # Lists the securable children under a path (the ones that either have ACLs
+        # or have children with ACLs).
+        #
+        # list('nodes', 'x') -> [ 'nodes/x' ]
+        # list('nodes', '*') -> [ 'nodes/x', 'nodes/y', 'nodes/z' ]
+        # list('', '*') -> [ 'clients', 'environments', 'nodes', 'roles', ... ]
+        # list('/', '*') -> [ '/organizations']
+        # list('cookbooks', 'x') -> [ 'cookbooks/x' ]
+        # list('cookbooks/x', '*') -> [ ] # Individual cookbook versions do not have their own ACLs
+        # list('/organizations/foo/nodes', '*') -> [ '/organizations/foo/nodes/x', '/organizations/foo/nodes/y' ]
+        #
+        # The list of children of an organization is == the list of containers.  If new
+        # containers are added, the list of children will grow.  This allows the system
+        # to extend to new types of objects and allow cheffish to work with them.
+        #
+        def list(path, child)
+          # TODO make ChefFS understand top level organizations and stop doing this altogether.
+          parts = path.split('/').select { |x| x != '' }.to_a
+          absolute = (path[0] == '/')
+          if absolute && parts[0] == 'organizations'
+            return [ [], "ACLs cannot be set on children of #{path}" ] if parts.size > 3
+          else
+            return [ [], "ACLs cannot be set on children of #{path}" ] if parts.size > 1
+          end
+
+          error = nil
+
+          if child == '*'
+            case parts.size
+            when 0
+              # /*, *
+              if absolute
+                results = [ "/organizations", "/users" ]
+              else
+                results, error = rest_list("containers")
+              end
+
+            when 1
+              # /organizations/*, /users/*, roles/*, nodes/*, etc.
+              results, error = rest_list(path)
+              if !error
+                results = results.map { |result| ::File.join(path, result) }
+              end
+
+            when 2
+              # /organizations/NAME/*
+              results, error = rest_list(::File.join(path, 'containers'))
+              if !error
+                results = results.map { |result| ::File.join(path, result) }
+              end
+
+            when 3
+              # /organizations/NAME/TYPE/*
+              results, error = rest_list(path)
+              if !error
+                results = results.map { |result| ::File.join(path, result) }
+              end
+            end
+
+          else
+            if child == 'data_bags' &&
+              (parts.size == 0 || (parts.size == 2 && parts[0] == 'organizations'))
+              child = 'data'
+            end
+
+            if absolute
+              # /<child>, /users/<child>, /organizations/<child>, /organizations/foo/<child>, /organizations/foo/nodes/<child> ...
+              results = [ ::File.join('/', parts[0..2], child) ]
+            elsif parts.size == 0
+              # <child> (nodes, roles, etc.)
+              results = [ child ]
+            else
+              # nodes/<child>, roles/<child>, etc.
+              results = [ ::File.join(parts[0], child) ]
+            end
+          end
+
+          [ results, error ]
+        end
+
+        def rest_url(path)
+          path[0] == '/' ? URI.join(rest.url, path) : path
+        end
+
+        def rest_list(path)
+          begin
+            # All our rest lists are hashes where the keys are the names
+            [ rest.get(rest_url(path)).keys, nil ]
+          rescue Net::HTTPServerException => e
+            if e.response.code == '405' || e.response.code == '404'
+              parts = path.split('/').select { |p| p != '' }.to_a
+
+              # We KNOW we expect these to exist.  Other containers may or may not.
+              unless (parts.size == 1 || (parts.size == 3 && parts[0] == 'organizations')) &&
+                %w(clients containers cookbooks data environments groups nodes roles).include?(parts[-1])
+                return [ [], "Cannot get list of #{path}: HTTP response code #{e.response.code}" ]
+              end
+            end
+            raise
+          end
+        end
+      end
+
     end
   end
 end

data/lib/chef/resource/chef_client.rb

@@ -1,38 +1,24 @@
 require 'cheffish'
-require 'chef/resource/lwrp_base'
+require 'cheffish/chef_actor_base'
 
 class Chef
   class Resource
-    class ChefClient < Chef::Resource::LWRPBase
-      self.resource_name = 'chef_client'
-
-      actions :create, :delete, :regenerate_keys, :nothing
-      default_action :create
-
-      def initialize(*args)
-        super
-        chef_server run_context.cheffish.current_chef_server
-      end
+    class ChefClient < Cheffish::ChefActorBase
+      resource_name :chef_client
 
       # Client attributes
-      attribute :name, :kind_of => String, :regex => Cheffish::NAME_REGEX, :name_attribute => true
-      attribute :admin, :kind_of => [TrueClass, FalseClass]
-      attribute :validator, :kind_of => [TrueClass, FalseClass]
+      property :name, Cheffish::NAME_REGEX, name_property: true
+      property :admin, Boolean
+      property :validator, Boolean
 
       # Input key
-      attribute :source_key # String or OpenSSL::PKey::*
-      attribute :source_key_path, :kind_of => String
-      attribute :source_key_pass_phrase
+      property :source_key # String or OpenSSL::PKey::*
+      property :source_key_path, String
+      property :source_key_pass_phrase
 
       # Output public key (if so desired)
-      attribute :output_key_path, :kind_of => String
-      attribute :output_key_format, :kind_of => Symbol, :default => :openssh, :equal_to => [ :pem, :der, :openssh ]
-
-      # If this is set, client is not patchy
-      attribute :complete, :kind_of => [TrueClass, FalseClass]
-
-      attribute :raw_json, :kind_of => Hash
-      attribute :chef_server, :kind_of => Hash
+      property :output_key_path, String
+      property :output_key_format, Symbol, default: :openssh, equal_to: [ :pem, :der, :openssh ]
 
       # Proc that runs just before the resource executes.  Called with (resource)
       def before(&block)
@@ -43,6 +29,45 @@ class Chef
       def after(&block)
         block ? @after = block : @after
       end
+
+      action :create do
+        create_actor
+      end
+
+      action :delete do
+        delete_actor
+      end
+
+      action_class.class_eval do
+        def actor_type
+          'client'
+        end
+
+        def actor_path
+          'clients'
+        end
+
+        #
+        # Helpers
+        #
+
+        def resource_class
+          Chef::Resource::ChefClient
+        end
+
+        def data_handler
+          Chef::ChefFS::DataHandler::ClientDataHandler.new
+        end
+
+        def keys
+          {
+            'name' => :name,
+            'admin' => :admin,
+            'validator' => :validator,
+            'public_key' => :source_key
+          }
+        end
+      end
     end
   end
 end

data/lib/chef/resource/chef_container.rb

@@ -1,22 +1,55 @@
 require 'cheffish'
-require 'chef/resource/lwrp_base'
+require 'cheffish/base_resource'
+require 'chef/chef_fs/data_handler/container_data_handler'
 
 class Chef
   class Resource
-    class ChefContainer < Chef::Resource::LWRPBase
-      self.resource_name = 'chef_container'
+    class ChefContainer < Cheffish::BaseResource
+      resource_name :chef_container
 
-      actions :create, :delete, :nothing
-      default_action :create
+      property :name, Cheffish::NAME_REGEX, name_property: true
 
-      # Grab environment from with_environment
-      def initialize(*args)
-        super
-        chef_server run_context.cheffish.current_chef_server
+      action :create do
+        if !@current_exists
+          converge_by "create container #{new_resource.name} at #{rest.url}" do
+            rest.post("containers", normalize_for_post(new_json))
+          end
+        end
       end
 
-      attribute :name, :kind_of => String, :regex => Cheffish::NAME_REGEX, :name_attribute => true
-      attribute :chef_server, :kind_of => Hash
+      action :delete do
+        if @current_exists
+          converge_by "delete container #{new_resource.name} at #{rest.url}" do
+            rest.delete("containers/#{new_resource.name}")
+          end
+        end
+      end
+
+      action_class.class_eval do
+        def load_current_resource
+          begin
+            @current_exists = rest.get("containers/#{new_resource.name}")
+          rescue Net::HTTPServerException => e
+            if e.response.code == "404"
+              @current_exists = false
+            else
+              raise
+            end
+          end
+        end
+
+        def new_json
+          {}
+        end
+
+        def data_handler
+          Chef::ChefFS::DataHandler::ContainerDataHandler.new
+        end
+
+        def keys
+          { 'containername' => :name, 'containerpath' => :name }
+        end
+      end
     end
   end
 end