knife-opc 0.3.2 → 0.4.0

data/lib/chef/knife/opc_org_user_remove.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Marc Paradise (<marc@getchef.com>)
-# Copyright:: Copyright 2014 Chef Software, Inc
+# Copyright:: Copyright 2014-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -22,8 +22,15 @@ module Opc
     banner "knife opc org user remove ORG_NAME USER_NAME"
     attr_accessor :org_name, :username
 
+    option :force_remove_from_admins,
+    :long => "--force",
+    :short => "-f",
+    :description => "Force removal of user from the organization's admins and billing-admins group."
+
     deps do
-      require 'chef/org'
+      require "chef/org"
+      require "chef/org/group_operations"
+      require "chef/json_compat"
     end
 
     def run
@@ -36,16 +43,61 @@ module Opc
       end
 
       org = Chef::Org.new(@org_name)
+
+      if config[:force_remove_from_admins]
+        if org.actor_delete_would_leave_admins_empty?
+          failure_error_message(org_name, username)
+          ui.msg <<-EOF
+You ran with --force which force removes the user from the admins and billing-admins groups.
+However, removing #{username} from the admins group would leave it empty, which breaks the org.
+Please add another user to org #{org_name} admins group and try again.
+EOF
+          exit 1
+        end
+        remove_user_from_admin_group(org, org_name, username, "admins")
+        remove_user_from_admin_group(org, org_name, username, "billing-admins")
+      end
+
       begin
         org.dissociate_user(@username)
       rescue Net::HTTPServerException => e
         if e.response.code == "404"
           ui.msg "User #{username} is not associated with organization #{org_name}"
           exit 1
+        elsif e.response.code == "403"
+          body = Chef::JSONCompat.from_json(e.response.body)
+          if body.has_key?("error") && body["error"] == "Please remove #{username} from this organization's admins group before removing him or her from the organization."
+            failure_error_message(org_name, username)
+            ui.msg <<-EOF
+User #{username} is in the organization's admin group. Removing users from an organization without removing them from the admins group is not allowed.
+Re-run this command with --force to remove this user from the admins prior to removing it from the organization.
+EOF
+            exit 1
+          else
+            raise e
+          end
         else
           raise e
         end
       end
     end
+
+    def failure_error_message(org_name, username)
+      ui.error "Error removing user #{username} from organization #{org_name}."
+    end
+
+    def remove_user_from_admin_group(org, org_name, username, admin_group_string)
+      org.remove_user_from_group(admin_group_string, username)
+    rescue Net::HTTPServerException => e
+      if e.response.code == "404"
+        ui.warn <<-EOF
+User #{username} is not in the #{admin_group_string} group for organization #{org_name}.
+You probably don't need to pass --force.
+EOF
+      else
+        raise e
+      end
+    end
+
   end
 end

data/lib/chef/knife/opc_user_create.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require "chef/mixin/root_rest"
 
 module Opc
   class OpcUserCreate < Chef::Knife
@@ -23,14 +23,19 @@ module Opc
     banner "knife opc user create USERNAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL PASSWORD"
 
     option :filename,
-    :long => '--filename FILENAME',
-    :short => '-f FILENAME',
-    :description => 'Write private key to FILENAME rather than STDOUT'
+    :long => "--filename FILENAME",
+    :short => "-f FILENAME",
+    :description => "Write private key to FILENAME rather than STDOUT"
 
     option :orgname,
-    :long => '--orgname ORGNAME',
-    :short => '-o ORGNAME',
-    :description => 'Associate new user to an organization matching ORGNAME'
+    :long => "--orgname ORGNAME",
+    :short => "-o ORGNAME",
+    :description => "Associate new user to an organization matching ORGNAME"
+
+    option :passwordprompt,
+    :long => "--prompt-for-password",
+    :short => "-p",
+    :description => "Prompt for user password"
 
     include Chef::Mixin::RootRestv0
 
@@ -40,11 +45,18 @@ module Opc
         username, first_name, middle_name, last_name, email, password = @name_args
       when 5
         username, first_name, last_name, email, password = @name_args
+      when 4
+        username, first_name, last_name, email = @name_args
       else
         ui.fatal "Wrong number of arguments"
         show_usage
         exit 1
       end
+      password = prompt_for_password if config[:passwordprompt]
+      unless password
+        ui.fatal "You must either provide a password or use the --prompt-for-password (-p) option"
+        exit 1
+      end
       middle_name ||= ""
 
       user_hash = {
@@ -54,32 +66,36 @@ module Opc
         :last_name =>    last_name,
         :display_name => "#{first_name} #{last_name}",
         :email =>        email,
-        :password =>     password
+        :password =>     password,
       }
 
      # Check the file before creating the user so the api is more transactional.
-     if config[:filename]
-       file = config[:filename]
-       unless File.exists?(file) ? File.writable?(file) : File.writable?(File.dirname(file))
-         ui.fatal "File #{config[:filename]} is not writable.  Check permissions."
-         exit 1
-       end
-     end
+      if config[:filename]
+        file = config[:filename]
+        unless File.exists?(file) ? File.writable?(file) : File.writable?(File.dirname(file))
+          ui.fatal "File #{config[:filename]} is not writable.  Check permissions."
+          exit 1
+        end
+      end
 
       result = root_rest.post("users/", user_hash)
       if config[:filename]
         File.open(config[:filename], "w") do |f|
-          f.print(result['private_key'])
+          f.print(result["private_key"])
         end
       else
-        ui.msg result['private_key']
+        ui.msg result["private_key"]
       end
       if config[:orgname]
-        request_body = {:user => username}
+        request_body = { :user => username }
         response = root_rest.post("organizations/#{config[:orgname]}/association_requests", request_body)
         association_id = response["uri"].split("/").last
-        root_rest.put("users/#{username}/association_requests/#{association_id}", {:response => 'accept'})
+        root_rest.put("users/#{username}/association_requests/#{association_id}", { :response => "accept" })
       end
     end
+
+    def prompt_for_password
+      ui.ask("Please enter the user's password: ") { |q| q.echo = false }
+    end
   end
 end

data/lib/chef/knife/opc_user_delete.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,31 +15,130 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require "chef/mixin/root_rest"
 
 module Opc
   class OpcUserDelete < Chef::Knife
     category "OPSCODE PRIVATE CHEF ORGANIZATION MANAGEMENT"
-    banner "knife opc user delete USERNAME [-d]"
+    banner "knife opc user delete USERNAME [-d] [-R]"
 
     option :no_disassociate_user,
-    :long => "--no-disassociate-user",
-    :short => "-d",
-    :description => "Don't disassociate the user first"
+      :long => "--no-disassociate-user",
+      :short => "-d",
+      :description => "Don't disassociate the user first"
 
+    option :remove_from_admin_groups,
+      long:  "--remove-from-admin-groups",
+      short:  "-R",
+      description: "If the user is a member of any org admin groups, attempt to remove from those groups. Ignored if --no-disassociate-user is set."
+
+    attr_reader :username
     include Chef::Mixin::RootRestv0
 
+    deps do
+      require "chef/org"
+      require "chef/org/group_operations"
+    end
+
     def run
-      username = @name_args[0]
+      @username = @name_args[0]
+      admin_memberships = []
+      unremovable_memberships = []
+
       ui.confirm "Do you want to delete the user #{username}"
+
       unless config[:no_disassociate_user]
-         orgs =  root_rest.get("users/#{username}/organizations")
-         org_names = orgs.map {|o| o['organization']['name']}
-         org_names.each do |org|
-            ui.output root_rest.delete("organizations/#{org}/users/#{username}")
-         end
+        ui.stderr.puts("Checking organization memberships...")
+        orgs = org_memberships(username)
+        if orgs.length > 0
+          ui.stderr.puts("Checking admin group memberships for #{orgs.length} org(s).")
+          admin_memberships, unremovable_memberships = admin_group_memberships(orgs, username)
+        end
+
+        unless admin_memberships.empty?
+          unless config[:remove_from_admin_groups]
+            error_exit_admin_group_member!(username, admin_memberships)
+          end
+
+          unless unremovable_memberships.empty?
+            error_exit_cant_remove_admin_membership!(username, unremovable_memberships)
+          end
+          remove_from_admin_groups(admin_memberships, username)
+        end
+        disassociate_user(orgs, username)
+      end
+
+      delete_user(username)
+    end
+
+    def disassociate_user(orgs, username)
+      orgs.each  { |org| org.dissociate_user(username) }
+    end
+
+    def org_memberships(username)
+      org_data = root_rest.get("users/#{username}/organizations")
+      org_data.map { |org| Chef::Org.new(org["organization"]["name"]) }
+    end
+
+    def remove_from_admin_groups(admin_of, username)
+      admin_of.each do |org|
+        ui.stderr.puts "Removing #{username} from admins group of '#{org.name}'"
+        org.remove_user_from_group("admins", username)
       end
-      ui.output root_rest.delete("users/#{username}")
+    end
+
+    def admin_group_memberships(orgs, username)
+      admin_of = []
+      unremovable = []
+      orgs.each do |org|
+        if org.user_member_of_group?(username, "admins")
+          admin_of << org
+          if org.actor_delete_would_leave_admins_empty?
+            unremovable << org
+          end
+        end
+      end
+      [admin_of, unremovable]
+    end
+
+    def delete_user(username)
+      ui.stderr.puts "Deleting user #{username}."
+      root_rest.delete("users/#{username}")
+    end
+
+    # Error message that says how to removed from org
+    # admin groups before deleting
+    # Further
+    def error_exit_admin_group_member!(username, admin_of)
+      message = "#{username} is in the 'admins' group of the following organization(s):\n\n"
+      admin_of.each { |org| message << "- #{org.name}\n" }
+      message << <<EOM
+
+Run this command again with the --remove-from-admin-groups option to
+remove the user from these admin group(s) automatically.
+
+EOM
+      ui.fatal message
+      exit 1
+    end
+
+    def error_exit_cant_remove_admin_membership!(username, only_admin_of)
+      message = <<EOM
+
+#{username} is the only member of the 'admins' group of the
+following organization(s):
+
+EOM
+      only_admin_of.each { |org| message << "- #{org.name}\n" }
+      message << <<EOM
+
+Removing the only administrator of an organization can break it.
+Assign additional users or groups to the admin group(s) before
+deleting this user.
+
+EOM
+      ui.fatal message
+      exit 1
     end
   end
 end

data/lib/chef/knife/opc_user_edit.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require "chef/mixin/root_rest"
 
 module Opc
   class OpcUserEdit < Chef::Knife
@@ -23,14 +23,14 @@ module Opc
     banner "knife opc user edit USERNAME"
 
     option :input,
-    :long => '--input FILENAME',
-    :short => '-i FILENAME',
-    :description => 'Name of file to use for PUT or POST'
+    :long => "--input FILENAME",
+    :short => "-i FILENAME",
+    :description => "Name of file to use for PUT or POST"
 
     option :filename,
-    :long => '--filename FILENAME',
-    :short => '-f FILENAME',
-    :description => 'Write private key to FILENAME rather than STDOUT'
+    :long => "--filename FILENAME",
+    :short => "-f FILENAME",
+    :description => "Write private key to FILENAME rather than STDOUT"
 
     include Chef::Mixin::RootRestv0
 
@@ -43,7 +43,7 @@ module Opc
         exit 1
       end
 
-      original_user =  root_rest.get("users/#{user_name}")
+      original_user = root_rest.get("users/#{user_name}")
       if config[:input]
         edited_user = JSON.parse(IO.read(config[:input]))
       else
@@ -52,19 +52,18 @@ module Opc
       if original_user != edited_user
         result = root_rest.put("users/#{user_name}", edited_user)
         ui.msg("Saved #{user_name}.")
-        if ! result['private_key'].nil?
+        if ! result["private_key"].nil?
           if config[:filename]
             File.open(config[:filename], "w") do |f|
-              f.print(result['private_key'])
+              f.print(result["private_key"])
             end
           else
-            ui.msg result['private_key']
+            ui.msg result["private_key"]
           end
         end
       else
         ui.msg("User unchanged, not saving.")
       end
-
     end
   end
 end

data/lib/chef/knife/opc_user_list.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require "chef/mixin/root_rest"
 
 module Opc
   class OpcUserList < Chef::Knife

data/lib/chef/knife/opc_user_password.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Tyler Cloke (<tyler@getchef.com>)
-# Copyright:: Copyright 2014 Chef, Inc.
+# Copyright:: Copyright 2014-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require "chef/mixin/root_rest"
 
 module Opc
   class OpcUserPassword < Chef::Knife
@@ -50,7 +50,7 @@ module Opc
       # true or false, there is no way of knowing if the user is using ldap or not,
       # so we will update the user every time, instead of checking if we are actually
       # changing anything before we PUT.
-      user =  root_rest.get("users/#{user_name}")
+      user = root_rest.get("users/#{user_name}")
 
       user["password"] = password if not password.nil?
 
@@ -64,9 +64,8 @@ module Opc
         root_rest.put("users/#{user_name}", user)
       rescue => e
         raise e
-        exit 1
       end
-      ui.msg user
+
       ui.msg("Authentication info updated for #{user_name}.")
     end
   end