clc-cheffish 0.8.clc

Sign up to get free protection for your applications and to get access to all the features.
Files changed (63) hide show
  1. checksums.yaml +7 -0
  2. data/LICENSE +201 -0
  3. data/README.md +4 -0
  4. data/Rakefile +23 -0
  5. data/lib/chef/provider/chef_acl.rb +434 -0
  6. data/lib/chef/provider/chef_client.rb +48 -0
  7. data/lib/chef/provider/chef_container.rb +50 -0
  8. data/lib/chef/provider/chef_data_bag.rb +50 -0
  9. data/lib/chef/provider/chef_data_bag_item.rb +273 -0
  10. data/lib/chef/provider/chef_environment.rb +78 -0
  11. data/lib/chef/provider/chef_group.rb +78 -0
  12. data/lib/chef/provider/chef_mirror.rb +138 -0
  13. data/lib/chef/provider/chef_node.rb +82 -0
  14. data/lib/chef/provider/chef_organization.rb +150 -0
  15. data/lib/chef/provider/chef_resolved_cookbooks.rb +41 -0
  16. data/lib/chef/provider/chef_role.rb +79 -0
  17. data/lib/chef/provider/chef_user.rb +53 -0
  18. data/lib/chef/provider/private_key.rb +219 -0
  19. data/lib/chef/provider/public_key.rb +82 -0
  20. data/lib/chef/resource/chef_acl.rb +65 -0
  21. data/lib/chef/resource/chef_client.rb +44 -0
  22. data/lib/chef/resource/chef_container.rb +18 -0
  23. data/lib/chef/resource/chef_data_bag.rb +18 -0
  24. data/lib/chef/resource/chef_data_bag_item.rb +114 -0
  25. data/lib/chef/resource/chef_environment.rb +71 -0
  26. data/lib/chef/resource/chef_group.rb +49 -0
  27. data/lib/chef/resource/chef_mirror.rb +47 -0
  28. data/lib/chef/resource/chef_node.rb +18 -0
  29. data/lib/chef/resource/chef_organization.rb +64 -0
  30. data/lib/chef/resource/chef_resolved_cookbooks.rb +31 -0
  31. data/lib/chef/resource/chef_role.rb +104 -0
  32. data/lib/chef/resource/chef_user.rb +51 -0
  33. data/lib/chef/resource/private_key.rb +44 -0
  34. data/lib/chef/resource/public_key.rb +21 -0
  35. data/lib/cheffish.rb +222 -0
  36. data/lib/cheffish/actor_provider_base.rb +131 -0
  37. data/lib/cheffish/basic_chef_client.rb +115 -0
  38. data/lib/cheffish/chef_provider_base.rb +231 -0
  39. data/lib/cheffish/chef_run_data.rb +19 -0
  40. data/lib/cheffish/chef_run_listener.rb +28 -0
  41. data/lib/cheffish/key_formatter.rb +109 -0
  42. data/lib/cheffish/merged_config.rb +94 -0
  43. data/lib/cheffish/recipe_dsl.rb +147 -0
  44. data/lib/cheffish/server_api.rb +52 -0
  45. data/lib/cheffish/version.rb +3 -0
  46. data/lib/cheffish/with_pattern.rb +21 -0
  47. data/spec/functional/fingerprint_spec.rb +64 -0
  48. data/spec/functional/merged_config_spec.rb +20 -0
  49. data/spec/integration/chef_acl_spec.rb +914 -0
  50. data/spec/integration/chef_client_spec.rb +110 -0
  51. data/spec/integration/chef_container_spec.rb +34 -0
  52. data/spec/integration/chef_group_spec.rb +324 -0
  53. data/spec/integration/chef_mirror_spec.rb +244 -0
  54. data/spec/integration/chef_node_spec.rb +211 -0
  55. data/spec/integration/chef_organization_spec.rb +244 -0
  56. data/spec/integration/chef_user_spec.rb +90 -0
  57. data/spec/integration/private_key_spec.rb +446 -0
  58. data/spec/integration/recipe_dsl_spec.rb +29 -0
  59. data/spec/support/key_support.rb +29 -0
  60. data/spec/support/repository_support.rb +103 -0
  61. data/spec/support/spec_support.rb +176 -0
  62. data/spec/unit/get_private_key_spec.rb +93 -0
  63. metadata +162 -0
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 579bebaf5cce935439331e89b3ce39236e012bbf
4
+ data.tar.gz: ce355bc6e80774b6a17a44640a832fb4f5b82bb7
5
+ SHA512:
6
+ metadata.gz: 573774848e4ed345c30677ffc381824853053857bc024a02372148aaffc5d9026c1238cb4a43c2edd07846d787717e6f6a43f81c1589ff265b664a1a2929e87c
7
+ data.tar.gz: 00f427b83499d5b73c374e4468a95340be2b8e4fad6d61e4edd2135c4ce86fcfa6f28e77849f280a69bbe60eda417839699ac28edcc3db705fcafe51e887813c
data/LICENSE ADDED
@@ -0,0 +1,201 @@
1
+ Apache License
2
+ Version 2.0, January 2004
3
+ http://www.apache.org/licenses/
4
+
5
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6
+
7
+ 1. Definitions.
8
+
9
+ "License" shall mean the terms and conditions for use, reproduction,
10
+ and distribution as defined by Sections 1 through 9 of this document.
11
+
12
+ "Licensor" shall mean the copyright owner or entity authorized by
13
+ the copyright owner that is granting the License.
14
+
15
+ "Legal Entity" shall mean the union of the acting entity and all
16
+ other entities that control, are controlled by, or are under common
17
+ control with that entity. For the purposes of this definition,
18
+ "control" means (i) the power, direct or indirect, to cause the
19
+ direction or management of such entity, whether by contract or
20
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
21
+ outstanding shares, or (iii) beneficial ownership of such entity.
22
+
23
+ "You" (or "Your") shall mean an individual or Legal Entity
24
+ exercising permissions granted by this License.
25
+
26
+ "Source" form shall mean the preferred form for making modifications,
27
+ including but not limited to software source code, documentation
28
+ source, and configuration files.
29
+
30
+ "Object" form shall mean any form resulting from mechanical
31
+ transformation or translation of a Source form, including but
32
+ not limited to compiled object code, generated documentation,
33
+ and conversions to other media types.
34
+
35
+ "Work" shall mean the work of authorship, whether in Source or
36
+ Object form, made available under the License, as indicated by a
37
+ copyright notice that is included in or attached to the work
38
+ (an example is provided in the Appendix below).
39
+
40
+ "Derivative Works" shall mean any work, whether in Source or Object
41
+ form, that is based on (or derived from) the Work and for which the
42
+ editorial revisions, annotations, elaborations, or other modifications
43
+ represent, as a whole, an original work of authorship. For the purposes
44
+ of this License, Derivative Works shall not include works that remain
45
+ separable from, or merely link (or bind by name) to the interfaces of,
46
+ the Work and Derivative Works thereof.
47
+
48
+ "Contribution" shall mean any work of authorship, including
49
+ the original version of the Work and any modifications or additions
50
+ to that Work or Derivative Works thereof, that is intentionally
51
+ submitted to Licensor for inclusion in the Work by the copyright owner
52
+ or by an individual or Legal Entity authorized to submit on behalf of
53
+ the copyright owner. For the purposes of this definition, "submitted"
54
+ means any form of electronic, verbal, or written communication sent
55
+ to the Licensor or its representatives, including but not limited to
56
+ communication on electronic mailing lists, source code control systems,
57
+ and issue tracking systems that are managed by, or on behalf of, the
58
+ Licensor for the purpose of discussing and improving the Work, but
59
+ excluding communication that is conspicuously marked or otherwise
60
+ designated in writing by the copyright owner as "Not a Contribution."
61
+
62
+ "Contributor" shall mean Licensor and any individual or Legal Entity
63
+ on behalf of whom a Contribution has been received by Licensor and
64
+ subsequently incorporated within the Work.
65
+
66
+ 2. Grant of Copyright License. Subject to the terms and conditions of
67
+ this License, each Contributor hereby grants to You a perpetual,
68
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69
+ copyright license to reproduce, prepare Derivative Works of,
70
+ publicly display, publicly perform, sublicense, and distribute the
71
+ Work and such Derivative Works in Source or Object form.
72
+
73
+ 3. Grant of Patent License. Subject to the terms and conditions of
74
+ this License, each Contributor hereby grants to You a perpetual,
75
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76
+ (except as stated in this section) patent license to make, have made,
77
+ use, offer to sell, sell, import, and otherwise transfer the Work,
78
+ where such license applies only to those patent claims licensable
79
+ by such Contributor that are necessarily infringed by their
80
+ Contribution(s) alone or by combination of their Contribution(s)
81
+ with the Work to which such Contribution(s) was submitted. If You
82
+ institute patent litigation against any entity (including a
83
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
84
+ or a Contribution incorporated within the Work constitutes direct
85
+ or contributory patent infringement, then any patent licenses
86
+ granted to You under this License for that Work shall terminate
87
+ as of the date such litigation is filed.
88
+
89
+ 4. Redistribution. You may reproduce and distribute copies of the
90
+ Work or Derivative Works thereof in any medium, with or without
91
+ modifications, and in Source or Object form, provided that You
92
+ meet the following conditions:
93
+
94
+ (a) You must give any other recipients of the Work or
95
+ Derivative Works a copy of this License; and
96
+
97
+ (b) You must cause any modified files to carry prominent notices
98
+ stating that You changed the files; and
99
+
100
+ (c) You must retain, in the Source form of any Derivative Works
101
+ that You distribute, all copyright, patent, trademark, and
102
+ attribution notices from the Source form of the Work,
103
+ excluding those notices that do not pertain to any part of
104
+ the Derivative Works; and
105
+
106
+ (d) If the Work includes a "NOTICE" text file as part of its
107
+ distribution, then any Derivative Works that You distribute must
108
+ include a readable copy of the attribution notices contained
109
+ within such NOTICE file, excluding those notices that do not
110
+ pertain to any part of the Derivative Works, in at least one
111
+ of the following places: within a NOTICE text file distributed
112
+ as part of the Derivative Works; within the Source form or
113
+ documentation, if provided along with the Derivative Works; or,
114
+ within a display generated by the Derivative Works, if and
115
+ wherever such third-party notices normally appear. The contents
116
+ of the NOTICE file are for informational purposes only and
117
+ do not modify the License. You may add Your own attribution
118
+ notices within Derivative Works that You distribute, alongside
119
+ or as an addendum to the NOTICE text from the Work, provided
120
+ that such additional attribution notices cannot be construed
121
+ as modifying the License.
122
+
123
+ You may add Your own copyright statement to Your modifications and
124
+ may provide additional or different license terms and conditions
125
+ for use, reproduction, or distribution of Your modifications, or
126
+ for any such Derivative Works as a whole, provided Your use,
127
+ reproduction, and distribution of the Work otherwise complies with
128
+ the conditions stated in this License.
129
+
130
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
131
+ any Contribution intentionally submitted for inclusion in the Work
132
+ by You to the Licensor shall be under the terms and conditions of
133
+ this License, without any additional terms or conditions.
134
+ Notwithstanding the above, nothing herein shall supersede or modify
135
+ the terms of any separate license agreement you may have executed
136
+ with Licensor regarding such Contributions.
137
+
138
+ 6. Trademarks. This License does not grant permission to use the trade
139
+ names, trademarks, service marks, or product names of the Licensor,
140
+ except as required for reasonable and customary use in describing the
141
+ origin of the Work and reproducing the content of the NOTICE file.
142
+
143
+ 7. Disclaimer of Warranty. Unless required by applicable law or
144
+ agreed to in writing, Licensor provides the Work (and each
145
+ Contributor provides its Contributions) on an "AS IS" BASIS,
146
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147
+ implied, including, without limitation, any warranties or conditions
148
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149
+ PARTICULAR PURPOSE. You are solely responsible for determining the
150
+ appropriateness of using or redistributing the Work and assume any
151
+ risks associated with Your exercise of permissions under this License.
152
+
153
+ 8. Limitation of Liability. In no event and under no legal theory,
154
+ whether in tort (including negligence), contract, or otherwise,
155
+ unless required by applicable law (such as deliberate and grossly
156
+ negligent acts) or agreed to in writing, shall any Contributor be
157
+ liable to You for damages, including any direct, indirect, special,
158
+ incidental, or consequential damages of any character arising as a
159
+ result of this License or out of the use or inability to use the
160
+ Work (including but not limited to damages for loss of goodwill,
161
+ work stoppage, computer failure or malfunction, or any and all
162
+ other commercial damages or losses), even if such Contributor
163
+ has been advised of the possibility of such damages.
164
+
165
+ 9. Accepting Warranty or Additional Liability. While redistributing
166
+ the Work or Derivative Works thereof, You may choose to offer,
167
+ and charge a fee for, acceptance of support, warranty, indemnity,
168
+ or other liability obligations and/or rights consistent with this
169
+ License. However, in accepting such obligations, You may act only
170
+ on Your own behalf and on Your sole responsibility, not on behalf
171
+ of any other Contributor, and only if You agree to indemnify,
172
+ defend, and hold each Contributor harmless for any liability
173
+ incurred by, or claims asserted against, such Contributor by reason
174
+ of your accepting any such warranty or additional liability.
175
+
176
+ END OF TERMS AND CONDITIONS
177
+
178
+ APPENDIX: How to apply the Apache License to your work.
179
+
180
+ To apply the Apache License to your work, attach the following
181
+ boilerplate notice, with the fields enclosed by brackets "[]"
182
+ replaced with your own identifying information. (Don't include
183
+ the brackets!) The text should be enclosed in the appropriate
184
+ comment syntax for the file format. We also recommend that a
185
+ file or class name and description of purpose be included on the
186
+ same "printed page" as the copyright notice for easier
187
+ identification within third-party archives.
188
+
189
+ Copyright [yyyy] [name of copyright owner]
190
+
191
+ Licensed under the Apache License, Version 2.0 (the "License");
192
+ you may not use this file except in compliance with the License.
193
+ You may obtain a copy of the License at
194
+
195
+ http://www.apache.org/licenses/LICENSE-2.0
196
+
197
+ Unless required by applicable law or agreed to in writing, software
198
+ distributed under the License is distributed on an "AS IS" BASIS,
199
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200
+ See the License for the specific language governing permissions and
201
+ limitations under the License.
data/README.md ADDED
@@ -0,0 +1,4 @@
1
+ Cheffish
2
+ ========
3
+
4
+ This library lets you manipulate Chef in Chef.
data/Rakefile ADDED
@@ -0,0 +1,23 @@
1
+ require 'bundler'
2
+ require 'rubygems'
3
+ require 'rubygems/package_task'
4
+ require 'rdoc/task'
5
+ require 'rspec/core/rake_task'
6
+
7
+ Bundler::GemHelper.install_tasks
8
+
9
+ task :default => :spec
10
+
11
+ desc "Run specs"
12
+ RSpec::Core::RakeTask.new(:spec) do |spec|
13
+ spec.pattern = 'spec/**/*_spec.rb'
14
+ end
15
+
16
+ gem_spec = eval(File.read("cheffish.gemspec"))
17
+
18
+ RDoc::Task.new do |rdoc|
19
+ rdoc.rdoc_dir = 'rdoc'
20
+ rdoc.title = "cheffish #{gem_spec.version}"
21
+ rdoc.rdoc_files.include('README*')
22
+ rdoc.rdoc_files.include('lib/**/*.rb')
23
+ end
@@ -0,0 +1,434 @@
1
+ require 'cheffish/chef_provider_base'
2
+ require 'chef/resource/chef_acl'
3
+ require 'chef/chef_fs/data_handler/acl_data_handler'
4
+ require 'chef/chef_fs/parallelizer'
5
+ require 'uri'
6
+
7
+ class Chef::Provider::ChefAcl < Cheffish::ChefProviderBase
8
+
9
+ def whyrun_supported?
10
+ true
11
+ end
12
+
13
+ action :create do
14
+ if new_resource.remove_rights && new_resource.complete
15
+ Chef::Log.warn("'remove_rights' is redundant when 'complete' is specified: all rights not specified in a 'rights' declaration will be removed.")
16
+ end
17
+ # Verify that we're not destroying all hope of ACL recovery here
18
+ if new_resource.complete && (!new_resource.rights || !new_resource.rights.any? { |r| r[:permissions].include?(:all) || r[:permissions].include?(:grant) })
19
+ # NOTE: if superusers exist, this should turn into a warning.
20
+ raise "'complete' specified on chef_acl resource, but no GRANT permissions were granted. I'm sorry Dave, I can't let you remove all access to an object with no hope of recovery."
21
+ end
22
+
23
+ # Find all matching paths so we can update them (resolve * and **)
24
+ paths = match_paths(new_resource.path)
25
+ if paths.size == 0 && !new_resource.path.split('/').any? { |p| p == '*' }
26
+ raise "Path #{new_resource.path} cannot have an ACL set on it!"
27
+ end
28
+
29
+ # Go through the matches and update the ACLs for them
30
+ paths.each do |path|
31
+ create_acl(path)
32
+ end
33
+ end
34
+
35
+ # Update the ACL if necessary.
36
+ def create_acl(path)
37
+ changed = false
38
+ # There may not be an ACL path for some valid paths (/ and /organizations,
39
+ # for example). We want to recurse into these, but we don't want to try to
40
+ # update nonexistent ACLs for them.
41
+ acl = acl_path(path)
42
+ if acl
43
+ # It's possible to make a custom container
44
+ current_json = current_acl(acl)
45
+ if current_json
46
+
47
+ # Compare the desired and current json for the ACL, and update if different.
48
+ modify = {}
49
+ desired_acl(acl).each do |permission, desired_json|
50
+ differences = json_differences(current_json[permission], desired_json)
51
+
52
+ if differences.size > 0
53
+ # Verify we aren't trying to destroy grant permissions
54
+ if permission == 'grant' && desired_json['actors'] == [] && desired_json['groups'] == []
55
+ # NOTE: if superusers exist, this should turn into a warning.
56
+ raise "chef_acl attempted to remove all actors from GRANT! I'm sorry Dave, I can't let you remove access to an object with no hope of recovery."
57
+ end
58
+ modify[differences] ||= {}
59
+ modify[differences][permission] = desired_json
60
+ end
61
+ end
62
+
63
+ if modify.size > 0
64
+ changed = true
65
+ description = [ "update acl #{path} at #{rest_url(path)}" ] + modify.map do |diffs, permissions|
66
+ diffs.map { |diff| " #{permissions.keys.join(', ')}:#{diff}" }
67
+ end.flatten(1)
68
+ converge_by description do
69
+ modify.values.each do |permissions|
70
+ permissions.each do |permission, desired_json|
71
+ rest.put(rest_url("#{acl}/#{permission}"), { permission => desired_json })
72
+ end
73
+ end
74
+ end
75
+ end
76
+ end
77
+ end
78
+
79
+ # If we have been asked to recurse, do so.
80
+ # If recurse is on_change, then we will recurse if there is no ACL, or if
81
+ # the ACL has changed.
82
+ if new_resource.recursive == true || (new_resource.recursive == :on_change && (!acl || changed))
83
+ children, error = list(path, '*')
84
+ Chef::ChefFS::Parallelizer.parallel_do(children) do |child|
85
+ next if child.split('/')[-1] == 'containers'
86
+ create_acl(child)
87
+ end
88
+ # containers mess up our descent, so we do them last
89
+ Chef::ChefFS::Parallelizer.parallel_do(children) do |child|
90
+ next if child.split('/')[-1] != 'containers'
91
+ create_acl(child)
92
+ end
93
+
94
+ end
95
+ end
96
+
97
+ # Get the current ACL for the given path
98
+ def current_acl(acl_path)
99
+ @current_acls ||= {}
100
+ if !@current_acls.has_key?(acl_path)
101
+ @current_acls[acl_path] = begin
102
+ rest.get(rest_url(acl_path))
103
+ rescue Net::HTTPServerException => e
104
+ unless e.response.code == '404' && new_resource.path.split('/').any? { |p| p == '*' }
105
+ raise
106
+ end
107
+ end
108
+ end
109
+ @current_acls[acl_path]
110
+ end
111
+
112
+ # Get the desired acl for the given acl path
113
+ def desired_acl(acl_path)
114
+ result = new_resource.raw_json ? new_resource.raw_json.dup : {}
115
+
116
+ # Calculate the JSON based on rights
117
+ add_rights(acl_path, result)
118
+
119
+ if new_resource.complete
120
+ result = Chef::ChefFS::DataHandler::AclDataHandler.new.normalize(result, nil)
121
+ else
122
+ # If resource is incomplete, use current json to fill any holes
123
+ current_acl(acl_path).each do |permission, perm_hash|
124
+ if !result[permission]
125
+ result[permission] = perm_hash.dup
126
+ else
127
+ result[permission] = result[permission].dup
128
+ perm_hash.each do |type, actors|
129
+ if !result[permission][type]
130
+ result[permission][type] = actors
131
+ else
132
+ result[permission][type] = result[permission][type].dup
133
+ result[permission][type] |= actors
134
+ end
135
+ end
136
+ end
137
+ end
138
+
139
+ remove_rights(result)
140
+ end
141
+ result
142
+ end
143
+
144
+ def add_rights(acl_path, json)
145
+ if new_resource.rights
146
+ new_resource.rights.each do |rights|
147
+ if rights[:permissions].delete(:all)
148
+ rights[:permissions] |= current_acl(acl_path).keys
149
+ end
150
+
151
+ Array(rights[:permissions]).each do |permission|
152
+ ace = json[permission.to_s] ||= {}
153
+ # WTF, no distinction between users and clients? The Chef API doesn't
154
+ # let us distinguish, so we have no choice :/ This means that:
155
+ # 1. If you specify :users => 'foo', and client 'foo' exists, it will
156
+ # pick that (whether user 'foo' exists or not)
157
+ # 2. If you specify :clients => 'foo', and user 'foo' exists but
158
+ # client 'foo' does not, it will pick user 'foo' and put it in the
159
+ # ACL
160
+ # 3. If an existing item has user 'foo' on it and you specify :clients
161
+ # => 'foo' instead, idempotence will not notice that anything needs
162
+ # to be updated and nothing will happen.
163
+ if rights[:users]
164
+ ace['actors'] ||= []
165
+ ace['actors'] |= Array(rights[:users])
166
+ end
167
+ if rights[:clients]
168
+ ace['actors'] ||= []
169
+ ace['actors'] |= Array(rights[:clients])
170
+ end
171
+ if rights[:groups]
172
+ ace['groups'] ||= []
173
+ ace['groups'] |= Array(rights[:groups])
174
+ end
175
+ end
176
+ end
177
+ end
178
+ end
179
+
180
+ def remove_rights(json)
181
+ if new_resource.remove_rights
182
+ new_resource.remove_rights.each do |rights|
183
+ rights[:permissions].each do |permission|
184
+ if permission == :all
185
+ json.each_key do |key|
186
+ ace = json[key] = json[key.dup]
187
+ ace['actors'] = ace['actors'] - Array(rights[:users]) if rights[:users] && ace['actors']
188
+ ace['actors'] = ace['actors'] - Array(rights[:clients]) if rights[:clients] && ace['actors']
189
+ ace['groups'] = ace['groups'] - Array(rights[:groups]) if rights[:groups] && ace['groups']
190
+ end
191
+ else
192
+ ace = json[permission.to_s] = json[permission.to_s].dup
193
+ if ace
194
+ ace['actors'] = ace['actors'] - Array(rights[:users]) if rights[:users] && ace['actors']
195
+ ace['actors'] = ace['actors'] - Array(rights[:clients]) if rights[:clients] && ace['actors']
196
+ ace['groups'] = ace['groups'] - Array(rights[:groups]) if rights[:groups] && ace['groups']
197
+ end
198
+ end
199
+ end
200
+ end
201
+ end
202
+ end
203
+
204
+ def load_current_resource
205
+ end
206
+
207
+ #
208
+ # Matches chef_acl paths like nodes, nodes/*.
209
+ #
210
+ # == Examples
211
+ # match_paths('nodes'): [ 'nodes' ]
212
+ # match_paths('nodes/*'): [ 'nodes/x', 'nodes/y', 'nodes/z' ]
213
+ # match_paths('*'): [ 'clients', 'environments', 'nodes', 'roles', ... ]
214
+ # match_paths('/'): [ '/' ]
215
+ # match_paths(''): [ '' ]
216
+ # match_paths('/*'): [ '/organizations', '/users' ]
217
+ # match_paths('/organizations/*/*'): [ '/organizations/foo/clients', '/organizations/foo/environments', ..., '/organizations/bar/clients', '/organizations/bar/environments', ... ]
218
+ #
219
+ def match_paths(path)
220
+ # Turn multiple slashes into one
221
+ # nodes//x -> nodes/x
222
+ path = path.gsub(/[\/]+/, '/')
223
+ # If it's absolute, start the matching with /. If it's relative, start with '' (relative root).
224
+ if path[0] == '/'
225
+ matches = [ '/' ]
226
+ else
227
+ matches = [ '' ]
228
+ end
229
+
230
+ # Split the path, and get rid of the empty path at the beginning and end
231
+ # (/a/b/c/ -> [ 'a', 'b', 'c' ])
232
+ parts = path.split('/').select { |x| x != '' }.to_a
233
+
234
+ # Descend until we find the matches:
235
+ # path = 'a/b/c'
236
+ # parts = [ 'a', 'b', 'c' ]
237
+ # Starting matches = [ '' ]
238
+ parts.each_with_index do |part, index|
239
+ # For each match, list <match>/<part> and set matches to that.
240
+ #
241
+ # Example: /*/foo
242
+ # 1. To start,
243
+ # matches = [ '/' ], part = '*'.
244
+ # list('/', '*') = [ '/organizations, '/users' ]
245
+ # 2. matches = [ '/organizations', '/users' ], part = 'foo'
246
+ # list('/organizations', 'foo') = [ '/organizations/foo' ]
247
+ # list('/users', 'foo') = [ '/users/foo' ]
248
+ #
249
+ # Result: /*/foo = [ '/organizations/foo', '/users/foo' ]
250
+ #
251
+ matches = Chef::ChefFS::Parallelizer.parallelize(matches) do |path|
252
+ found, error = list(path, part)
253
+ if error
254
+ if parts[0..index-1].all? { |p| p != '*' }
255
+ raise error
256
+ end
257
+ []
258
+ else
259
+ found
260
+ end
261
+ end.flatten(1).to_a
262
+ end
263
+
264
+ matches
265
+ end
266
+
267
+ #
268
+ # Takes a normal path and finds the Chef path to get / set its ACL.
269
+ #
270
+ # nodes/x -> nodes/x/_acl
271
+ # nodes -> containers/nodes/_acl
272
+ # '' -> organizations/_acl (the org acl)
273
+ # /organizations/foo -> /organizations/foo/organizations/_acl
274
+ # /users/foo -> /users/foo/_acl
275
+ # /organizations/foo/nodes/x -> /organizations/foo/nodes/x/_acl
276
+ #
277
+ def acl_path(path)
278
+ parts = path.split('/').select { |x| x != '' }.to_a
279
+ prefix = (path[0] == '/') ? '/' : ''
280
+
281
+ case parts.size
282
+ when 0
283
+ # /, empty (relative root)
284
+ # The root of the server has no publicly visible ACLs. Only nodes/*, etc.
285
+ if prefix == ''
286
+ ::File.join('organizations', '_acl')
287
+ end
288
+
289
+ when 1
290
+ # nodes, roles, etc.
291
+ # The top level organizations and users containers have no publicly
292
+ # visible ACLs. Only nodes/*, etc.
293
+ if prefix == ''
294
+ ::File.join('containers', path, '_acl')
295
+ end
296
+
297
+ when 2
298
+ # /organizations/NAME, /users/NAME, nodes/NAME, roles/NAME, etc.
299
+ if prefix == '/' && parts[0] == 'organizations'
300
+ ::File.join(path, 'organizations', '_acl')
301
+ else
302
+ ::File.join(path, '_acl')
303
+ end
304
+
305
+ when 3
306
+ # /organizations/NAME/nodes, cookbooks/NAME/VERSION, etc.
307
+ if prefix == '/'
308
+ ::File.join('/', parts[0], parts[1], 'containers', parts[2], '_acl')
309
+ else
310
+ ::File.join(parts[0], parts[1], '_acl')
311
+ end
312
+
313
+ when 4
314
+ # /organizations/NAME/nodes/NAME, cookbooks/NAME/VERSION/BLAH
315
+ # /organizations/NAME/nodes/NAME, cookbooks/NAME/VERSION, etc.
316
+ if prefix == '/'
317
+ ::File.join(path, '_acl')
318
+ else
319
+ ::File.join(parts[0], parts[1], '_acl')
320
+ end
321
+
322
+ else
323
+ # /organizations/NAME/cookbooks/NAME/VERSION/..., cookbooks/NAME/VERSION/A/B/...
324
+ if prefix == '/'
325
+ ::File.join('/', parts[0], parts[1], parts[2], parts[3], '_acl')
326
+ else
327
+ ::File.join(parts[0], parts[1], '_acl')
328
+ end
329
+ end
330
+ end
331
+
332
+ #
333
+ # Lists the securable children under a path (the ones that either have ACLs
334
+ # or have children with ACLs).
335
+ #
336
+ # list('nodes', 'x') -> [ 'nodes/x' ]
337
+ # list('nodes', '*') -> [ 'nodes/x', 'nodes/y', 'nodes/z' ]
338
+ # list('', '*') -> [ 'clients', 'environments', 'nodes', 'roles', ... ]
339
+ # list('/', '*') -> [ '/organizations']
340
+ # list('cookbooks', 'x') -> [ 'cookbooks/x' ]
341
+ # list('cookbooks/x', '*') -> [ ] # Individual cookbook versions do not have their own ACLs
342
+ # list('/organizations/foo/nodes', '*') -> [ '/organizations/foo/nodes/x', '/organizations/foo/nodes/y' ]
343
+ #
344
+ # The list of children of an organization is == the list of containers. If new
345
+ # containers are added, the list of children will grow. This allows the system
346
+ # to extend to new types of objects and allow cheffish to work with them.
347
+ #
348
+ def list(path, child)
349
+ # TODO make ChefFS understand top level organizations and stop doing this altogether.
350
+ parts = path.split('/').select { |x| x != '' }.to_a
351
+ absolute = (path[0] == '/')
352
+ if absolute && parts[0] == 'organizations'
353
+ return [ [], "ACLs cannot be set on children of #{path}" ] if parts.size > 3
354
+ else
355
+ return [ [], "ACLs cannot be set on children of #{path}" ] if parts.size > 1
356
+ end
357
+
358
+ error = nil
359
+
360
+ if child == '*'
361
+ case parts.size
362
+ when 0
363
+ # /*, *
364
+ if absolute
365
+ results = [ "/organizations", "/users" ]
366
+ else
367
+ results, error = rest_list("containers")
368
+ end
369
+
370
+ when 1
371
+ # /organizations/*, /users/*, roles/*, nodes/*, etc.
372
+ results, error = rest_list(path)
373
+ if !error
374
+ results = results.map { |result| ::File.join(path, result) }
375
+ end
376
+
377
+ when 2
378
+ # /organizations/NAME/*
379
+ results, error = rest_list(::File.join(path, 'containers'))
380
+ if !error
381
+ results = results.map { |result| ::File.join(path, result) }
382
+ end
383
+
384
+ when 3
385
+ # /organizations/NAME/TYPE/*
386
+ results, error = rest_list(path)
387
+ if !error
388
+ results = results.map { |result| ::File.join(path, result) }
389
+ end
390
+ end
391
+
392
+ else
393
+ if child == 'data_bags' &&
394
+ (parts.size == 0 || (parts.size == 2 && parts[0] == 'organizations'))
395
+ child = 'data'
396
+ end
397
+
398
+ if absolute
399
+ # /<child>, /users/<child>, /organizations/<child>, /organizations/foo/<child>, /organizations/foo/nodes/<child> ...
400
+ results = [ ::File.join('/', parts[0..2], child) ]
401
+ elsif parts.size == 0
402
+ # <child> (nodes, roles, etc.)
403
+ results = [ child ]
404
+ else
405
+ # nodes/<child>, roles/<child>, etc.
406
+ results = [ ::File.join(parts[0], child) ]
407
+ end
408
+ end
409
+
410
+ [ results, error ]
411
+ end
412
+
413
+ def rest_url(path)
414
+ path[0] == '/' ? URI.join(rest.url, path) : path
415
+ end
416
+
417
+ def rest_list(path)
418
+ begin
419
+ # All our rest lists are hashes where the keys are the names
420
+ [ rest.get(rest_url(path)).keys, nil ]
421
+ rescue Net::HTTPServerException => e
422
+ if e.response.code == '405' || e.response.code == '404'
423
+ parts = path.split('/').select { |p| p != '' }.to_a
424
+
425
+ # We KNOW we expect these to exist. Other containers may or may not.
426
+ unless (parts.size == 1 || (parts.size == 3 && parts[0] == 'organizations')) &&
427
+ %w(clients containers cookbooks data environments groups nodes roles).include?(parts[-1])
428
+ return [ [], "Cannot get list of #{path}: HTTP response code #{e.response.code}" ]
429
+ end
430
+ end
431
+ raise
432
+ end
433
+ end
434
+ end