knife-ec-backup 3.0.5 → 3.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b15fe8682fd2e275bc2d321c69be3082a145b3f90559dc90d9d26afbbb356d24
-  data.tar.gz: 8cd7ecb92d4de14b4ab740d8cb072f798ceff4b901da50d474b08f334705f3e8
+  metadata.gz: ce4846181eee9032e990d6cf91f487f330c14008839a356ecaac094d1aba7d51
+  data.tar.gz: 92561a6aa7f68c1c05fc05ce9125031ce2baf8f6793bc37507de9fa07ce30026
 SHA512:
-  metadata.gz: e19516b065248e9f1fd7dbefc48b4563a861821ad25ce05afab2c248a2eff8ce950aa5ee59c360fefcca98c0cbca91cba6d8ec1fb5b4e80ba653a2c3c2ae560e
-  data.tar.gz: 64d57fed9dc70dc9f8cc868842d68e64b2d3a7ee5adc06b0254e2c313a3c4e6d632d561785a7b18f3cb488f625b85c8d7d85280f73cd6e0017510477483d8a69
+  metadata.gz: d9c42d8b652b129d1fe87ae7f73346837847f92c9c2c89f8e7e12f3fb6bc0bc5c4ebab5691f799484ae5c0588c5e1da4b426228b495cb8566c59cbcb96cb81a8
+  data.tar.gz: fa6b5c5710fda71c349c844caec6bdb0b52bc9a564f5295accf4b85b86128e01d74cb9116b9e318b1ece8addc63cb5f2eb24e2473d142ee923862337f74588ef

data/README.md

@@ -2,14 +2,6 @@
 [![Build status](https://badge.buildkite.com/4bc85427aab66accafbd7abb2932b9dd7f9208162c5be33488.svg?branch=main)](https://buildkite.com/chef-oss/chef-knife-ec-backup-main-verify)
 [![Gem Version](https://badge.fury.io/rb/knife-ec-backup.svg)](https://badge.fury.io/rb/knife-ec-backup)
 
-**Umbrella Project**: [Knife](https://github.com/chef/chef-oss-practices/blob/main/projects/knife.md)
-
-**Project State**: [Active](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md#active)
-
-**Issues [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md)**: 14 days
-
-**Pull Request [Response Time Maximum](https://github.com/chef/chef-oss-practices/blob/main/repo-management/repo-states.md)**: 14 days
-
 ## Description
 
 knife-ec-backup can backup and restore the data in a Chef Infra
@@ -124,6 +116,9 @@ The following options are supported across all subcommands:
   * `--dry-run`:
     Report what actions would be taken without performing any. (default: false)
 
+  * `--skip-frozen-cookbook-status`:
+    Skip backing up and restoring cookbook frozen status. When this option is used, cookbook frozen status will not be preserved during backup/restore operations. (default: false)
+
 ### knife ec backup DEST_DIR (options)
 
 *Path*: If you have Chef Infra Client installed on this server, you may need to invoke this as `/opt/opscode/bin/knife ec backup BACKUP_DIRECTORY`
@@ -183,6 +178,7 @@ The format of the repository is based on the `knife-essentials` (`knife download
           <name>.json
         cookbooks
           <name>-<version>
+            status.json (contains frozen status information)
         data_bags
           <bag name>
             <item name>
@@ -272,6 +268,37 @@ Restores all data from the specified DEST_DIR to a Chef Infra Server. DEST_DIR s
     Only download/restore objects in the named organization. Global
     objects such as users will still be downloaded/restored.
 
+  * `--skip-frozen-cookbook-status`:
+    Skip restoring cookbook frozen status. When this option is used, any `status.json` files in the backup will be ignored and cookbook frozen status will not be applied during restore. (default: false)
+
+### knife ec import DIRECTORY (options)
+
+Imports Chef objects (cookbooks, roles, nodes, etc.) into **existing** organizations from the specified DIRECTORY. This command is designed for environments where identity (users and organizations) is managed externally (e.g., by IAM in Chef 360 DSM).
+
+Unlike `restore`, this command:
+- Does **NOT** create users
+- Does **NOT** create organizations (validates they exist)
+- Does **NOT** import user passwords or keys
+- Does **NOT** support direct database access (`--with-user-sql` / `--with-key-sql`)
+
+*Options*
+
+  * `--concurrency THREAD_COUNT`:
+    The maximum number of concurrent requests to make to the Chef
+    Server. (default: 10)
+
+  * `--webui-key`:
+    Used to set the path to the WebUI Key (default: /etc/opscode/webui_priv.pem)
+
+  * `--skip-useracl`:
+    Skip restoring User ACLs.
+
+  * `--only-org ORG`:
+    Only import objects in the named organization.
+
+  * `--skip-frozen-cookbook-status`:
+    Skip restoring cookbook frozen status.
+
 ### knife ec key export [FILENAME]
 
 Create a json representation of the users table from the Chef Infra Server
@@ -290,6 +317,21 @@ assumed to be `key_dump.json`.
 Please note, most users should use `knife ec restore` with the
 `--with-user-sql` option rather than this command.
 
+## Cookbook Frozen Status
+
+This plugin supports backing up and restoring cookbook frozen status. When a cookbook is frozen on the Chef Infra Server, this status is preserved during backup operations by creating a `status.json` file within each cookbook directory that contains the frozen state information.
+
+During restore operations, the plugin will automatically restore the frozen status of cookbooks by reading the `status.json` files and applying the frozen state to the Chef Infra Server using the appropriate API calls.
+
+### Skipping Frozen Status
+
+If you want to skip backing up or restoring cookbook frozen status, you can use the `--skip-frozen-cookbook-status` option with both `knife ec backup` and `knife ec restore` commands. When this option is used:
+
+- During backup: `status.json` files will not be created for cookbooks
+- During restore: Any existing `status.json` files will be ignored and cookbook frozen status will not be applied
+
+This can be useful when migrating between Chef Infra Server versions that may handle frozen cookbooks differently, or when you specifically want to unfreeze all cookbooks during the restore process.
+
 ## Known Bugs
 
 - `knife ec restore` can fail to restore cookbooks, failing with an
@@ -297,3 +339,6 @@ Please note, most users should use `knife ec restore` with the
   concurrency bug in Chef Infra Server. Setting `--concurrency 1` can often
   work around the issue.
 
+# Copyright
+
+See [COPYRIGHT.md](./COPYRIGHT.md).

data/lib/chef/knife/ec_base.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Steven Danna (<steve@getchef.com>)
-# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -118,6 +118,12 @@ class Chef
             :boolean => true | false,
             :default => false,
             :description => 'Report what actions would be taken without performing any.'
+
+          option :skip_frozen_cookbook_status,
+            :long => '--skip-frozen-cookbook-status',
+            :boolean => true | false,
+            :default => false,
+            :description => "This will skip creating a status.json file for each cookbook, which includes the frozen status. This is useful when you dont want to persist cookbook's frozen status."
         end
 
         attr_accessor :dest_dir

data/lib/chef/knife/ec_error_handler.rb

@@ -1,5 +1,5 @@
 # Author:: Jeremy Miller (<jmiller@chef.io>)
-# Copyright:: Copyright (c) 2017 Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef/knife/ec_import.rb

@@ -0,0 +1,422 @@
+require_relative '../tsorter'
+require_relative '../server'
+require 'securerandom' unless defined?(SecureRandom)
+require 'chef/knife'
+require_relative 'ec_base'
+require 'chef/json_compat'
+require 'chef/chef_fs/config'
+require 'chef/chef_fs/file_system'
+require 'chef/chef_fs/file_pattern'
+require 'chef/chef_fs/command_line'
+require 'chef/chef_fs/data_handler/acl_data_handler'
+
+begin
+  require 'chef/chef_fs/parallelizer'
+rescue LoadError
+  require 'chef-utils/parallel_map' unless defined?(ChefUtils::ParallelMap)
+end
+
+class Chef
+  class Knife
+    class EcImport < Chef::Knife
+
+      include Knife::EcBase
+
+      banner 'knife ec import DIRECTORY'
+
+      # Constants for duplicated strings
+      PUBLIC_KEY_READ_ACCESS_JSON = 'public_key_read_access.json'
+      FROZEN_STATUS_KEY = 'frozen?'
+      ADMIN_GROUPS = ['admins', 'billing-admins'].freeze
+      ADMIN_GROUP_FILES = ['billing-admins.json', 'public_key_read_access.json'].freeze
+      NOT_FOUND_STATUS = '404'
+
+      option :tenant_id_header,
+        :long => '--tenant-id TENANT_ID',
+        :description => 'Tenant identifier added as X-Tenant-Id header for import requests'
+
+      deps do
+      end
+
+      # Helper method to read JSON file from backup directory
+      def read_json_file(path)
+        JSONCompat.from_json(File.read(path))
+      end
+
+      # Helper method to construct organization file path
+      def org_file_path(orgname, *path_parts)
+        File.join(dest_dir, 'organizations', orgname, *path_parts)
+      end
+
+      # Helper method to construct organization URL
+      def org_url(orgname, *path_parts)
+        path = path_parts.join('/')
+        path.empty? ? "organizations/#{orgname}" : "organizations/#{orgname}/#{path}"
+      end
+
+      # Helper method to construct cookbook URL
+      def cookbook_url(org_name, cookbook_name, version, params = nil)
+        url = org_url(org_name, 'cookbooks', cookbook_name, version)
+        params ? "#{url}?#{params}" : url
+      end
+
+      # Helper method to check if public key read access group exists
+      def public_key_read_access_exists?(chef_fs_config, type = 'groups')
+        ::File.exist?(::File.join(chef_fs_config.local_fs.child_paths[type], 'groups', PUBLIC_KEY_READ_ACCESS_JSON))
+      end
+
+      # Helper method to list ChefFS entries with pattern and filter
+      def list_chef_fs_entries(chef_fs_config, pattern, exclude_files = [])
+        Chef::ChefFS::FileSystem.list(chef_fs_config.local_fs, Chef::ChefFS::FilePattern.new(pattern))
+          .select { |entry| !exclude_files.include?(entry.name) }
+      end
+
+      # Helper method to get admin groups based on what exists
+      def get_admin_groups(chef_fs_config)
+        groups = ADMIN_GROUPS.dup
+        groups.push('public_key_read_access') if public_key_read_access_exists?(chef_fs_config, 'groups')
+        groups
+      end
+
+      # Helper method to get admin group ACL paths
+      def get_admin_group_acl_paths(chef_fs_config)
+        acl_paths = ['/acls/groups/billing-admins.json']
+        acl_paths.push('/acls/groups/public_key_read_access.json') if public_key_read_access_exists?(chef_fs_config, 'acls')
+        acl_paths
+      end
+
+      # Override set_client_config! to add Tenant-Id header when provided
+      def set_client_config!
+        super
+        if config[:tenant_id_header]
+          Chef::Config.custom_http_headers = (Chef::Config.custom_http_headers || {}).merge({'Tenant-Id' => config[:tenant_id_header]})
+        end
+      end
+
+      # Override set_skip_user_acl! to avoid calling server.version
+      def set_skip_user_acl!
+        # Skip user ACLs only if explicitly requested via --skip-useracl flag
+        # Default behavior: assume user ACLs are supported
+        config[:skip_useracl] ||= false
+      end
+
+      # Override user_acl_rest to avoid calling server.version
+      def user_acl_rest
+        @user_acl_rest ||= rest
+      end
+
+      def run
+        set_dest_dir_from_args!
+        set_client_config!
+        ensure_webui_key_exists!
+        set_skip_user_acl!
+
+        warn_on_incorrect_clients_group(dest_dir, 'import')
+
+        # Unlike restore, we do NOT restore users or user SQL data
+        # We assume users already exist (managed by IAM)
+
+        for_each_organization do |orgname|
+          ui.msg "Verifying organization[#{orgname}]"
+          
+          # Unlike restore, we do NOT create the organization
+          # We validate it exists instead
+          unless organization_exists?(orgname)
+            ui.error("Organization #{orgname} does not exist. Skipping.")
+            next
+          end
+          
+          # Note: We skip importing invitations and adding users to org
+          # User org membership is now managed by the platform
+          # and invites cannot be acted upon by users
+          upload_org_data(orgname)
+        end
+
+        # Unlike restore, we do NOT restore key SQL data
+
+        if config[:skip_useracl]
+          ui.warn('Skipping user ACL update. To update user ACLs, remove --skip-useracl.')
+        else
+          restore_user_acls
+        end
+
+        completion_banner
+      end
+
+      def organization_exists?(orgname)
+        rest.get(org_url(orgname))
+        true
+      rescue Net::HTTPClientException => ex
+        if ex.response.code == NOT_FOUND_STATUS
+          false
+        else
+          knife_ec_error_handler.add(ex)
+          false
+        end
+      end
+
+      def restore_user_acls
+        ui.msg 'Restoring user ACLs'
+        for_each_user do |name|
+          begin
+            user_acl = read_json_file(File.join(dest_dir, 'user_acls', "#{name}.json"))
+            put_acl(user_acl_rest, "users/#{name}/_acl", user_acl)
+          rescue Chef::Exceptions::JSON::ParseError, JSON::ParserError => ex
+            ui.warn "Failed to parse user ACL for #{name}: #{ex.message}. Skipping."
+            knife_ec_error_handler.add(ex)
+          end
+        end
+      end
+
+      def for_each_user
+        Dir.foreach("#{dest_dir}/users") do |filename|
+          next if filename !~ /(.+)\.json/
+          name = $1
+          # We don't have overwrite_pivotal option, but we should probably still skip pivotal if it's in the backup
+          # to avoid messing with the system user, although we are only doing ACLs here.
+          if name == 'pivotal'
+             # In restore, we skip pivotal unless overwrite_pivotal is true.
+             # Here we don't have that flag, so we should probably always skip pivotal for safety
+             # as we are not managing users.
+             next
+          end
+          yield name
+        end
+      end
+
+      def for_each_organization
+        Dir.foreach("#{dest_dir}/organizations") do |name|
+          next if name == '..' || name == '.' || !File.directory?("#{dest_dir}/organizations/#{name}")
+          next unless (config[:org].nil? || config[:org] == name)
+          yield name
+        end
+      end
+
+      PATHS = %w(chef_repo_path cookbook_path environment_path data_bag_path role_path node_path client_path acl_path group_path container_path)
+      def upload_org_data(name)
+        old_config = Chef::Config.save
+
+        begin
+          # Clear out paths
+          PATHS.each do |path|
+            Chef::Config.delete(path.to_sym)
+          end
+
+          Chef::Config.chef_repo_path = "#{dest_dir}/organizations/#{name}"
+          Chef::Config.versioned_cookbooks = true
+          Chef::Config.chef_server_url = "#{server.root_url}/organizations/#{name}"
+
+          # Upload the admins, public_key_read_access and billing-admins groups and acls
+          ui.msg 'Restoring org admin data'
+          chef_fs_config = Chef::ChefFS::Config.new
+
+          # Handle Admins, Billing Admins and Public Key Read Access separately
+          groups = get_admin_groups(chef_fs_config)
+
+          groups.each do |group|
+            restore_group(chef_fs_config, group, :clients => false)
+          end
+
+          acls_groups_paths = get_admin_group_acl_paths(chef_fs_config)
+
+          acls_groups_paths.each do |acl|
+            chef_fs_copy_pattern(acl, chef_fs_config)
+          end
+
+          # For import command, we default to using 'pivotal' as node_name
+          # since we assume modern Chef Server (version check is skipped)
+          Chef::Config.node_name = config[:skip_version] ? org_admin : 'pivotal'
+
+          # Restore the entire org skipping the admin data and restoring groups and acls last
+          # Also skip:
+          #   - org.json: organization metadata is not managed by import (org must pre-exist)
+          #   - members.json, invitations.json: user-org membership is managed by the platform
+          #   - acls, groups: handled separately below in the correct order
+          ui.msg 'Restoring the rest of the org'
+          chef_fs_config = Chef::ChefFS::Config.new
+          skip_entries = %w(acls groups org.json members.json invitations.json)
+          top_level_paths = chef_fs_config.local_fs.children.select { |entry| !skip_entries.include?(entry.name) }.map { |entry| entry.path }
+
+          # Topologically sort groups for upload
+          unsorted_groups = list_chef_fs_entries(chef_fs_config, '/groups/*', ADMIN_GROUP_FILES)
+                              .filter_map do |entry|
+                                begin
+                                  JSON.parse(entry.read)
+                                rescue JSON::ParserError, Chef::Exceptions::JSON::ParseError => e
+                                  ui.warn "Failed to parse group file #{entry.name}: #{e.message}. Skipping."
+                                  knife_ec_error_handler.add(e)
+                                  nil
+                                end
+                              end
+          group_paths = sort_groups_for_upload(unsorted_groups).map { |group_name| "/groups/#{group_name}.json" }
+
+          group_acl_paths = list_chef_fs_entries(chef_fs_config, '/acls/groups/*', ADMIN_GROUP_FILES)
+                              .map { |entry| entry.path }
+          acl_paths = Chef::ChefFS::FileSystem.list(chef_fs_config.local_fs, Chef::ChefFS::FilePattern.new('/acls/*'))
+                        .select { |entry| entry.name != 'groups' }
+                        .map { |entry| entry.path }
+
+          # Store organization data in a particular order:
+          # - clients must be uploaded before groups (in top_level_paths)
+          # - groups must be uploaded before any acl's
+          # - groups must be uploaded twice to account for Chef Infra Server versions that don't
+          #   accept group members on POST
+          (top_level_paths + group_paths*2 + group_acl_paths + acl_paths).each do |path|
+            chef_fs_copy_pattern(path, chef_fs_config)
+          end
+
+          # Apply frozen status to cookbooks after they are uploaded
+          restore_cookbook_frozen_status(name, chef_fs_config)
+
+          # restore clients to groups, using the pivotal user again
+          Chef::Config[:node_name] = 'pivotal'
+          groups.each do |group|
+            restore_group(Chef::ChefFS::Config.new, group)
+          end
+         ensure
+          Chef::Config.restore(old_config)
+        end
+      end
+
+      def chef_fs_copy_pattern(pattern_str, chef_fs_config)
+        ui.msg "Copying #{pattern_str}"
+        pattern = Chef::ChefFS::FilePattern.new(pattern_str)
+        Chef::ChefFS::FileSystem.copy_to(pattern, chef_fs_config.local_fs,
+                                         chef_fs_config.chef_fs, nil,
+                                         config, ui,
+                                         proc { |entry| chef_fs_config.format_path(entry) })
+      rescue Net::HTTPClientException,
+             Chef::ChefFS::FileSystem::NotFoundError,
+             Chef::ChefFS::FileSystem::OperationFailedError,
+             Chef::Exceptions::JSON::ParseError,
+             JSON::ParserError => ex
+        ui.error "#{pattern_str} failed to copy: #{ex.message}"
+        knife_ec_error_handler.add(ex)
+      end
+
+      def sort_groups_for_upload(groups)
+        Chef::Tsorter.new(group_array_to_sortable_hash(groups)).tsort
+      end
+
+      def group_array_to_sortable_hash(groups)
+        ret = {}
+        groups.each do |group|
+          name = group['name']
+          ret[name] = if group.key?('groups')
+                        group['groups']
+                      else
+                        []
+                      end
+        end
+        ret
+      end
+
+      def restore_group(chef_fs_config, group_name, includes = {:users => true, :clients => true})
+        includes[:users] = true unless includes.key? :users
+        includes[:clients] = true unless includes.key? :clients
+
+        ui.msg "Copying /groups/#{group_name}.json"
+        group = Chef::ChefFS::FileSystem.resolve_path(
+          chef_fs_config.chef_fs,
+          "/groups/#{group_name}.json"
+        )
+
+        # Will throw NotFoundError if JSON file does not exist on disk. See below.
+        members_json = Chef::ChefFS::FileSystem.resolve_path(
+          chef_fs_config.local_fs,
+          "/groups/#{group_name}.json"
+        ).read
+
+        members = JSON.parse(members_json).select do |member|
+          if includes[:users] && includes[:clients]
+            member
+          elsif includes[:users]
+            member == 'users'
+          elsif includes[:clients]
+            member == 'clients'
+          end
+        end
+
+        group.write(members.to_json)
+      rescue Chef::ChefFS::FileSystem::NotFoundError
+        Chef::Log.warn "Could not find #{group.display_path} on disk. Will not restore."
+      rescue JSON::ParserError, Chef::Exceptions::JSON::ParseError => ex
+        ui.warn "Failed to parse group file #{group_name}.json: #{ex.message}. Skipping group restore."
+        knife_ec_error_handler.add(ex)
+      end
+
+      def restore_cookbook_frozen_status(org_name, chef_fs_config)
+        return if config[:skip_frozen_cookbook_status]
+
+        ui.msg 'Restoring cookbook frozen status'
+        cookbooks_path = org_file_path(org_name, 'cookbooks')
+
+        return unless File.directory?(cookbooks_path)
+
+        Dir.foreach(cookbooks_path) do |cookbook_entry|
+          next if cookbook_entry == '.' || cookbook_entry == '..'
+          
+          process_cookbook_frozen_status(cookbooks_path, cookbook_entry, org_name)
+        end
+      end
+
+      def process_cookbook_frozen_status(cookbooks_path, cookbook_entry, org_name)
+        cookbook_path = File.join(cookbooks_path, cookbook_entry)
+        return unless File.directory?(cookbook_path)
+
+        # cookbook_entry is in format "cookbook_name-version"
+        # Extract cookbook name and version
+        # Use character class negation to prevent backtracking (ReDoS)
+        # Match: name-X.Y.Z or name-X.Y.Z.suffix (e.g., mycb-1.0.0 or mycb-1.0.0.beta1)
+        return unless cookbook_entry =~ /^([^-]+(?:-[^-]+)*?)-(\d+\.\d+\.\d+(?:\.[^.]+)*)$/
+        
+        cookbook_name = $1
+        version = $2
+
+        status_file = File.join(cookbook_path, 'status.json')
+        return unless File.exist?(status_file)
+
+        begin
+          status_data = JSON.parse(File.read(status_file))
+          freeze_cookbook(cookbook_name, version, org_name) if status_data['frozen'] == true
+        rescue JSON::ParserError => e
+          ui.warn "Failed to parse status.json for #{cookbook_name} #{version}: #{e.message}"
+        rescue => e
+          ui.warn "Failed to restore frozen status for #{cookbook_name} #{version}: #{e.message}"
+        end
+      end
+
+      def freeze_cookbook(cookbook_name, version, org_name)
+        ui.msg "Freezing cookbook #{cookbook_name} version #{version}"
+
+        # Get the current cookbook manifest
+        manifest = rest.get(cookbook_url(org_name, cookbook_name, version))
+
+        if manifest[FROZEN_STATUS_KEY] # Ignore if already frozen
+          ui.warn "Freezing cookbook #{cookbook_name} version #{version} skipped since it is already frozen!"
+          return
+        end
+
+        rest.put(cookbook_url(org_name, cookbook_name, version, 'freeze=true'), 
+                 manifest.tap { |h| h[FROZEN_STATUS_KEY] = true })
+      rescue Net::HTTPClientException => ex
+        ui.warn "Failed to freeze cookbook #{cookbook_name} #{version}: #{ex.message}"
+        knife_ec_error_handler.add(ex)
+      end
+
+      PERMISSIONS = %w{create read update delete grant}.freeze
+      def put_acl(rest, url, acls)
+        old_acls = rest.get(url)
+        old_acls = Chef::ChefFS::DataHandler::AclDataHandler.new.normalize(old_acls, nil)
+        acls = Chef::ChefFS::DataHandler::AclDataHandler.new.normalize(acls, nil)
+        if acls != old_acls
+          PERMISSIONS.each do |permission|
+            rest.put("#{url}/#{permission}", { permission => acls[permission] })
+          end
+        end
+      rescue Net::HTTPClientException => ex
+        knife_ec_error_handler.add(ex)
+      end
+    end
+  end
+end

data/lib/chef/knife/ec_key_base.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Steven Danna (<steve@getchef.com>)
-# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef/knife/ec_key_export.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Steven Danna (<steve@getchef.com>)
-# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef/knife/ec_key_import.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Steven Danna (<steve@getchef.com>)
-# Copyright:: Copyright (c) 2014 Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/chef/knife/ec_restore.rb

@@ -298,6 +298,9 @@ class Chef
             chef_fs_copy_pattern(path, chef_fs_config)
           end
 
+          # Apply frozen status to cookbooks after they are uploaded
+          restore_cookbook_frozen_status(name, chef_fs_config)
+
           # restore clients to groups, using the pivotal user again
           Chef::Config[:node_name] = 'pivotal'
           groups.each do |group|
@@ -377,6 +380,61 @@ class Chef
         Chef::Log.warn "Could not find #{group.display_path} on disk. Will not restore."
       end
 
+      # Restore cookbook frozen status from status.json files
+      def restore_cookbook_frozen_status(org_name, chef_fs_config)
+        return if config[:skip_frozen_cookbook_status]
+
+        ui.msg "Restoring cookbook frozen status"
+        cookbooks_path = "#{dest_dir}/organizations/#{org_name}/cookbooks"
+
+        return unless File.directory?(cookbooks_path)
+
+        Dir.foreach(cookbooks_path) do |cookbook_entry|
+          next if cookbook_entry == '.' || cookbook_entry == '..'
+          cookbook_path = File.join(cookbooks_path, cookbook_entry)
+          next unless File.directory?(cookbook_path)
+
+          # cookbook_entry is in format "cookbook_name-version"
+          # Extract cookbook name and version
+          if cookbook_entry =~ /^(.+)-(\d+\.\d+\.\d+.*)$/
+            cookbook_name = $1
+            version = $2
+
+            status_file = File.join(cookbook_path, 'status.json')
+            next unless File.exist?(status_file)
+
+            begin
+              status_data = JSON.parse(File.read(status_file))
+              if status_data['frozen'] == true
+                freeze_cookbook(cookbook_name, version, org_name)
+              end
+            rescue JSON::ParserError => e
+              ui.warn "Failed to parse status.json for #{cookbook_name} #{version}: #{e.message}"
+            rescue => e
+              ui.warn "Failed to restore frozen status for #{cookbook_name} #{version}: #{e.message}"
+            end
+          end
+        end
+      end
+
+      # Freeze a cookbook on the Chef Server
+      def freeze_cookbook(cookbook_name, version, org_name)
+        ui.msg "Freezing cookbook #{cookbook_name} version #{version}"
+
+        # Get the current cookbook manifest
+        manifest = rest.get("organizations/#{org_name}/cookbooks/#{cookbook_name}/#{version}")
+
+        if manifest['frozen?'] # Ignore if already frozen
+          ui.warn "Freezing cookbook #{cookbook_name} version #{version} skipped since it is already frozen!"
+          return
+        end
+
+        rest.put("organizations/#{org_name}/cookbooks/#{cookbook_name}/#{version}?freeze=true", manifest.tap { |h| h["frozen?"] = true })
+      rescue Net::HTTPClientException => ex
+        ui.warn "Failed to freeze cookbook #{cookbook_name} #{version}: #{ex.message}"
+        knife_ec_error_handler.add(ex)
+      end
+
       PERMISSIONS = %w{create read update delete grant}.freeze
       def put_acl(rest, url, acls)
         old_acls = rest.get(url)

data/lib/chef/org_id_cache.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Steven Danna (<steve@chef.io>)
-# Copyright:: Copyright (c) 2015 Chef Software, Inc.
+# Copyright:: Copyright (c) 2013-2025 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");

data/lib/knife_ec_backup/version.rb

@@ -1,4 +1,4 @@
 # when you change this to double quotes, also update .expeditor/update_version.sh
 module KnifeECBackup
-  VERSION = '3.0.5'
+  VERSION = '3.0.8'
 end