knife-acl 0.0.12 → 1.0.0.beta.1

data/lib/chef/knife/acl_base.rb

@@ -1,6 +1,7 @@
 #
 # Author:: Steven Danna (steve@opscode.com)
-# Copyright:: Copyright 2011--2014 Chef Software, Inc.
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,8 +21,8 @@ module OpscodeAcl
   module AclBase
 
     PERM_TYPES = %w(create read update delete grant)
-    ACTOR_TYPES = %w(client group)
-    OBJECT_TYPES = %w(clients groups containers data nodes roles cookbooks sandboxes environments)
+    MEMBER_TYPES = %w(client group user)
+    OBJECT_TYPES = %w(clients containers cookbooks data environments groups nodes roles)
     OBJECT_NAME_SPEC = /^[\-[:alnum:]_\.]+$/
 
     def validate_object_type!(type)
@@ -38,35 +39,41 @@ module OpscodeAcl
       end
     end
 
-    def validate_actor_type!(type)
-      if ! ACTOR_TYPES.include?(type)
-        ui.fatal "Unknown actor type \"#{type}\". The following types are permitted: #{ACTOR_TYPES.join(', ')}"
+    def validate_member_type!(type)
+      if ! MEMBER_TYPES.include?(type)
+        ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(', ')}"
         exit 1
       end
     end
 
-    def validate_actor_name!(name)
-      # Same rules apply to object's and actors
+    def validate_member_name!(name)
+      # Same rules apply to objects and members
       validate_object_name!(name)
     end
 
-    def validate_perm_type!(perm)
-      if ! PERM_TYPES.include?(perm)
-        ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(',')}"
-        exit 1
+    def validate_perm_type!(perms)
+      perms.split(',').each do |perm|
+        if ! PERM_TYPES.include?(perm)
+          ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(',')}"
+          exit 1
+        end
       end
+    end
 
+    def validate_member_exists!(member_type, member_name)
+      begin
+        true if rest.get_rest("#{member_type}s/#{member_name}")
+      rescue NameError
+        # ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client
+        true
+      rescue
+        ui.fatal "#{member_type} '#{member_name}' does not exist"
+        exit 1
+      end
     end
 
-    def validate_all_params!
-      # Helper method to valid parameters for commands that modify permisisons
-      # This assumes including class has the necessary accessors
-      # We the validation to ensure we can give the user more helpful error messages.
-      validate_perm_type!(perm)
-      validate_actor_type!(actor_type)
-      validate_actor_name!(actor_name)
-      validate_object_name!(object_name)
-      validate_object_type!(object_type)
+    def is_usag?(gname)
+      gname.length == 32 && gname =~ /^[0-9a-f]+$/
     end
 
     def get_acl(object_type, object_name)
@@ -77,9 +84,85 @@ module OpscodeAcl
       get_acl(object_type, object_name)[perm]
     end
 
+    def add_to_acl!(member_type, member_name, object_type, object_name, perms)
+      acl = get_acl(object_type, object_name)
+      perms.split(',').each do |perm|
+        ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'"
+        ace = acl[perm]
+
+        case member_type
+        when "client", "user"
+          next if ace['actors'].include?(member_name)
+          ace['actors'] << member_name
+        when "group"
+          next if ace['groups'].include?(member_name)
+          ace['groups'] << member_name
+        end
+
+        update_ace!(object_type, object_name, perm, ace)
+      end
+    end
+
+    def remove_from_acl!(member_type, member_name, object_type, object_name, perms)
+      acl = get_acl(object_type, object_name)
+      perms.split(',').each do |perm|
+        ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'"
+        ace = acl[perm]
+
+        case member_type
+        when "client", "user"
+          next unless ace['actors'].include?(member_name)
+          ace['actors'].delete(member_name)
+        when "group"
+          next unless ace['groups'].include?(member_name)
+          ace['groups'].delete(member_name)
+        end
+
+        update_ace!(object_type, object_name, perm, ace)
+      end
+    end
+
     def update_ace!(object_type, object_name, ace_type, ace)
       rest.put_rest("#{object_type}/#{object_name}/_acl/#{ace_type}", ace_type => ace)
     end
 
+    def add_to_group!(member_type, member_name, group_name)
+      validate_member_exists!(member_type, member_name)
+      existing_group = rest.get_rest("groups/#{group_name}")
+      ui.msg "Adding '#{member_name}' to '#{group_name}' group"
+      if !existing_group["#{member_type}s"].include?(member_name)
+        existing_group["#{member_type}s"] << member_name
+        new_group = {
+          "groupname" => existing_group["groupname"],
+          "orgname" => existing_group["orgname"],
+          "actors" => {
+            "users" => existing_group["users"],
+            "clients" => existing_group["clients"],
+            "groups" => existing_group["groups"]
+          }
+        }
+        rest.put_rest("groups/#{group_name}", new_group)
+      end
+    end
+
+    def remove_from_group!(member_type, member_name, group_name)
+      validate_member_exists!(member_type, member_name)
+      existing_group = rest.get_rest("groups/#{group_name}")
+      ui.msg "Removing '#{member_name}' from '#{group_name}' group"
+      if existing_group["#{member_type}s"].include?(member_name)
+        existing_group["#{member_type}s"].delete(member_name)
+        new_group = {
+          "groupname" => existing_group["groupname"],
+          "orgname" => existing_group["orgname"],
+          "actors" => {
+            "users" => existing_group["users"],
+            "clients" => existing_group["clients"],
+            "groups" => existing_group["groups"]
+          }
+        }
+        rest.put_rest("groups/#{group_name}", new_group)
+      end
+    end
+
   end
 end

data/lib/chef/knife/acl_bulk_add.rb

@@ -0,0 +1,73 @@
+#
+# Author:: Jeremiah Snapp (jeremiah@chef.io)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module OpscodeAcl
+  class AclBulkAdd < Chef::Knife
+    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
+    banner "knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"
+
+    deps do
+      include OpscodeAcl::AclBase
+    end
+
+    def run
+      member_type, member_name, object_type, regex, perms = name_args
+      object_name_matcher = /#{regex}/
+
+      if name_args.length != 5
+        show_usage
+        ui.fatal "You must specify the member type [group], member name, object type, object name REGEX and perms"
+        exit 1
+      end
+
+      unless member_type == 'group'
+        ui.fatal "ERROR: To enforce best practice, knife-acl can only add a group to an ACL."
+        ui.fatal "       See the knife-acl README for more information."
+        exit 1
+      end
+      validate_perm_type!(perms)
+      validate_member_name!(member_name)
+      validate_object_type!(object_type)
+      validate_member_exists!(member_type, member_name)
+
+      if %w(containers groups).include?(object_type)
+        ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
+        exit 1
+      end
+
+      objects_to_modify = []
+      all_objects = rest.get_rest(object_type)
+      objects_to_modify = all_objects.keys.select { |object_name| object_name =~ object_name_matcher }
+
+      if objects_to_modify.empty?
+        ui.info "No #{object_type} match the expression /#{regex}/"
+        exit 0
+      end
+
+      ui.msg("The ACL of the following #{object_type} will be modified:")
+      ui.msg("")
+      ui.msg(ui.list(objects_to_modify.sort, :columns_down))
+      ui.msg("")
+      ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?")
+
+      objects_to_modify.each do |object_name|
+        add_to_acl!(member_type, member_name, object_type, object_name, perms)
+      end
+    end
+  end
+end

data/lib/chef/knife/acl_bulk_remove.rb

@@ -0,0 +1,78 @@
+#
+# Author:: Jeremiah Snapp (jeremiah@chef.io)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module OpscodeAcl
+  class AclBulkRemove < Chef::Knife
+    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
+    banner "knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS"
+
+    deps do
+      include OpscodeAcl::AclBase
+    end
+
+    def run
+      member_type, member_name, object_type, regex, perms = name_args
+      object_name_matcher = /#{regex}/
+
+      if name_args.length != 5
+        show_usage
+        ui.fatal "You must specify the member type [client|group|user], member name, object type, object name REGEX and perms"
+        exit 1
+      end
+
+      if member_name == 'pivotal' && %w(client user).include?(member_type)
+        ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
+        exit 1
+      end
+      if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant')
+        ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
+        ui.fatal "       Removal could prevent future attempts to modify permissions."
+        exit 1
+      end
+      validate_perm_type!(perms)
+      validate_member_type!(member_type)
+      validate_member_name!(member_name)
+      validate_object_type!(object_type)
+      validate_member_exists!(member_type, member_name)
+
+      if %w(containers groups).include?(object_type)
+        ui.fatal "bulk modifying the ACL of #{object_type} is not permitted"
+        exit 1
+      end
+
+      objects_to_modify = []
+      all_objects = rest.get_rest(object_type)
+      objects_to_modify = all_objects.keys.select { |object_name| object_name =~ object_name_matcher }
+
+      if objects_to_modify.empty?
+        ui.info "No #{object_type} match the expression /#{regex}/"
+        exit 0
+      end
+
+      ui.msg("The ACL of the following #{object_type} will be modified:")
+      ui.msg("")
+      ui.msg(ui.list(objects_to_modify.sort, :columns_down))
+      ui.msg("")
+      ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?")
+
+      objects_to_modify.each do |object_name|
+        remove_from_acl!(member_type, member_name, object_type, object_name, perms)
+      end
+    end
+  end
+end

data/lib/chef/knife/acl_remove.rb

@@ -1,6 +1,7 @@
 #
 # Author:: Steven Danna (steve@opscode.com)
-# Copyright:: Copyright 2011--2014 Chef Software, Inc.
+# Author:: Jeremiah Snapp (jeremiah@chef.io)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,45 +20,38 @@
 module OpscodeAcl
   class AclRemove < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
-    banner "knife acl remove OBJECT_TYPE OBJECT_NAME PERM ACTOR_TYPE ACTOR_NAME"
-
-    attr_reader :object_type, :object_name, :perm, :actor_type, :actor_name
+    banner "knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS"
 
     deps do
       include OpscodeAcl::AclBase
     end
 
     def run
-      @object_type, @object_name, @perm, @actor_type, @actor_name = name_args
+      member_type, member_name, object_type, object_name, perms = name_args
 
-      if name_args.length < 5
+      if name_args.length != 5
         show_usage
-        ui.fatal "You must specify the object_type, object_name,  perm, actor type (client or group), and actor name"
+        ui.fatal "You must specify the member type [client|group|user], member name, object type, object name and perms"
         exit 1
       end
 
-      validate_all_params!
-      ace = get_ace(object_type, object_name, perm)
-
-      case actor_type
-      when "client"
-        remove_actor_from_ace!(actor_name, ace)
-      when "group"
-        remove_group_from_ace!(actor_name, ace)
-      when "users"
-        # Not Implemented yet, we shouldn't get here.
+      if member_name == 'pivotal' && %w(client user).include?(member_type)
+        ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL."
+        exit 1
       end
-
-      update_ace!(object_type, object_name, perm, ace)
-    end
-
-    def remove_group_from_ace!(name, ace)
-      ace['groups'].delete(name)
-    end
-
-    def remove_actor_from_ace!(name, ace)
-      ace['actors'].delete(name)
+      if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant')
+        ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE."
+        ui.fatal "       Removal could prevent future attempts to modify permissions."
+        exit 1
+      end
+      validate_perm_type!(perms)
+      validate_member_type!(member_type)
+      validate_member_name!(member_name)
+      validate_object_name!(object_name)
+      validate_object_type!(object_type)
+      validate_member_exists!(member_type, member_name)
+
+      remove_from_acl!(member_type, member_name, object_type, object_name, perms)
     end
-
   end
 end

data/lib/chef/knife/acl_show.rb

@@ -28,7 +28,7 @@ module OpscodeAcl
     def run
       object_type, object_name = name_args
 
-      if ! object_name || ! object_type
+      if name_args.length != 2
         show_usage
         ui.fatal "You must specify an object type and object name"
         exit 1

data/lib/chef/knife/group_add.rb

@@ -0,0 +1,51 @@
+#
+# Author:: Seth Falcon (<seth@chef.io>)
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module OpscodeAcl
+  class GroupAdd < Chef::Knife
+    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
+    banner "knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME"
+
+    deps do
+      include OpscodeAcl::AclBase
+    end
+
+    def run
+      member_type, member_name, group_name = name_args
+
+      if name_args.length != 3
+        show_usage
+        ui.fatal "You must specify member type [client|group|user], member name and group name"
+        exit 1
+      end
+
+      validate_member_name!(group_name)
+      validate_member_type!(member_type)
+      validate_member_name!(member_name)
+
+      if group_name.downcase == "users"
+        ui.fatal "knife-acl can not manage members of the Users group"
+        ui.fatal "please read knife-acl's README.md for more information"
+        exit 1
+      end
+
+      add_to_group!(member_type, member_name, group_name)
+    end
+  end
+end

data/lib/chef/knife/group_create.rb

@@ -1,6 +1,7 @@
 #
 # Author:: Seth Falcon (<seth@opscode.com>)
-# Copyright:: Copyright 2011--2014 Chef Software, Inc.
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,21 +20,25 @@
 module OpscodeAcl
   class GroupCreate < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
-    banner "knife group create GROUP"
-    
+    banner "knife group create GROUP_NAME"
+
     deps do
-      require 'yaml'
+      include OpscodeAcl::AclBase
     end
 
     def run
       group_name = name_args[0]
-      if !group_name || group_name.empty?
-        ui.error "must specify a group name"
+
+      if name_args.length != 1
+        show_usage
+        ui.fatal "You must specify group name"
         exit 1
       end
-      group = rest.post_rest("groups", {:groupname => group_name})
-      ui.output group
+
+      validate_member_name!(group_name)
+
+      ui.msg "Creating '#{group_name}' group"
+      rest.post_rest("groups", {:groupname => group_name})
     end
   end
 end
-

data/lib/chef/knife/group_destroy.rb

@@ -1,6 +1,7 @@
 #
 # Author:: Christopher Maier (<cm@opscode.com>)
-# Copyright:: Copyright 2014 Opscode, Inc.
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright 2015 Opscode, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,20 +20,29 @@
 module OpscodeAcl
   class GroupDestroy < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
-    banner "knife group destroy GROUP"
+    banner "knife group destroy GROUP_NAME"
 
     deps do
-      require 'yaml'
+      include OpscodeAcl::AclBase
     end
 
     def run
       group_name = name_args[0]
-      if !group_name || group_name.empty?
-        ui.error "must specify a group name"
+
+      if name_args.length != 1
+        show_usage
+        ui.fatal "You must specify group name"
+        exit 1
+      end
+
+      validate_member_name!(group_name)
+
+      if %w(admins billing-admins clients users).include?(group_name.downcase)
+        ui.fatal "the '#{group_name}' group is a special group that should not be destroyed"
         exit 1
       end
-      result = rest.delete_rest("groups/#{group_name}")
-      ui.output result
+      ui.msg "Destroying '#{group_name}' group"
+      rest.delete_rest("groups/#{group_name}")
     end
   end
 end

data/lib/chef/knife/group_list.rb

@@ -1,6 +1,7 @@
 #
 # Author:: Seth Falcon (<seth@opscode.com>)
-# Copyright:: Copyright 2011--2014 Chef Software, Inc.
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,21 +21,18 @@ module OpscodeAcl
   class GroupList < Chef::Knife
     category "OPSCODE HOSTED CHEF ACCESS CONTROL"
     banner "knife group list"
-    
+
+    deps do
+      include OpscodeAcl::AclBase
+    end
+
     def run
-      chef_rest = Chef::REST.new(Chef::Config[:chef_server_url])
-      groups = chef_rest.get_rest("groups").keys.sort
-      
+      groups = rest.get_rest("groups").keys.sort
       ui.output(remove_usags(groups))
     end
 
     def remove_usags(groups)
       groups.select { |gname| !is_usag?(gname) }
     end
- 
-    def is_usag?(gname)
-      gname.length == 32 && gname =~ /^[0-9a-f]+$/
-    end
   end
 end
-

data/lib/chef/knife/group_remove.rb

@@ -0,0 +1,51 @@
+#
+# Author:: Seth Falcon (<seth@chef.io>)
+# Author:: Jeremiah Snapp (<jeremiah@chef.io>)
+# Copyright:: Copyright 2011--2015 Chef Software, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module OpscodeAcl
+  class GroupRemove < Chef::Knife
+    category "OPSCODE HOSTED CHEF ACCESS CONTROL"
+    banner "knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME"
+
+    deps do
+      include OpscodeAcl::AclBase
+    end
+
+    def run
+      member_type, member_name, group_name = name_args
+
+      if name_args.length != 3
+        show_usage
+        ui.fatal "You must specify member type [client|group|user], member name and group name"
+        exit 1
+      end
+
+      validate_member_name!(group_name)
+      validate_member_type!(member_type)
+      validate_member_name!(member_name)
+
+      if group_name.downcase == "users"
+        ui.fatal "knife-acl can not manage members of the Users group"
+        ui.fatal "please read knife-acl's README.md for more information"
+        exit 1
+      end
+
+      remove_from_group!(member_type, member_name, group_name)
+    end
+  end
+end