knife-opc 0.3.2 → 0.4.7

data/lib/chef/knife/opc_user_delete.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,31 +15,130 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require_relative "../mixin/root_rest"
 
 module Opc
   class OpcUserDelete < Chef::Knife
-    category "OPSCODE PRIVATE CHEF ORGANIZATION MANAGEMENT"
-    banner "knife opc user delete USERNAME [-d]"
+    category "CHEF ORGANIZATION MANAGEMENT"
+    banner "knife opc user delete USERNAME [-d] [-R]"
 
     option :no_disassociate_user,
-    :long => "--no-disassociate-user",
-    :short => "-d",
-    :description => "Don't disassociate the user first"
+      long: "--no-disassociate-user",
+      short: "-d",
+      description: "Don't disassociate the user first"
 
+    option :remove_from_admin_groups,
+      long:  "--remove-from-admin-groups",
+      short:  "-R",
+      description: "If the user is a member of any org admin groups, attempt to remove from those groups. Ignored if --no-disassociate-user is set."
+
+    attr_reader :username
     include Chef::Mixin::RootRestv0
 
+    deps do
+      require_relative "../org"
+      require_relative "../org/group_operations"
+    end
+
     def run
-      username = @name_args[0]
+      @username = @name_args[0]
+      admin_memberships = []
+      unremovable_memberships = []
+
       ui.confirm "Do you want to delete the user #{username}"
+
       unless config[:no_disassociate_user]
-         orgs =  root_rest.get("users/#{username}/organizations")
-         org_names = orgs.map {|o| o['organization']['name']}
-         org_names.each do |org|
-            ui.output root_rest.delete("organizations/#{org}/users/#{username}")
-         end
+        ui.stderr.puts("Checking organization memberships...")
+        orgs = org_memberships(username)
+        if orgs.length > 0
+          ui.stderr.puts("Checking admin group memberships for #{orgs.length} org(s).")
+          admin_memberships, unremovable_memberships = admin_group_memberships(orgs, username)
+        end
+
+        unless admin_memberships.empty?
+          unless config[:remove_from_admin_groups]
+            error_exit_admin_group_member!(username, admin_memberships)
+          end
+
+          unless unremovable_memberships.empty?
+            error_exit_cant_remove_admin_membership!(username, unremovable_memberships)
+          end
+          remove_from_admin_groups(admin_memberships, username)
+        end
+        disassociate_user(orgs, username)
+      end
+
+      delete_user(username)
+    end
+
+    def disassociate_user(orgs, username)
+      orgs.each  { |org| org.dissociate_user(username) }
+    end
+
+    def org_memberships(username)
+      org_data = root_rest.get("users/#{username}/organizations")
+      org_data.map { |org| Chef::Org.new(org["organization"]["name"]) }
+    end
+
+    def remove_from_admin_groups(admin_of, username)
+      admin_of.each do |org|
+        ui.stderr.puts "Removing #{username} from admins group of '#{org.name}'"
+        org.remove_user_from_group("admins", username)
       end
-      ui.output root_rest.delete("users/#{username}")
+    end
+
+    def admin_group_memberships(orgs, username)
+      admin_of = []
+      unremovable = []
+      orgs.each do |org|
+        if org.user_member_of_group?(username, "admins")
+          admin_of << org
+          if org.actor_delete_would_leave_admins_empty?
+            unremovable << org
+          end
+        end
+      end
+      [admin_of, unremovable]
+    end
+
+    def delete_user(username)
+      ui.stderr.puts "Deleting user #{username}."
+      root_rest.delete("users/#{username}")
+    end
+
+    # Error message that says how to removed from org
+    # admin groups before deleting
+    # Further
+    def error_exit_admin_group_member!(username, admin_of)
+      message = "#{username} is in the 'admins' group of the following organization(s):\n\n"
+      admin_of.each { |org| message << "- #{org.name}\n" }
+      message << <<~EOM
+
+        Run this command again with the --remove-from-admin-groups option to
+        remove the user from these admin group(s) automatically.
+
+      EOM
+      ui.fatal message
+      exit 1
+    end
+
+    def error_exit_cant_remove_admin_membership!(username, only_admin_of)
+      message = <<~EOM
+
+        #{username} is the only member of the 'admins' group of the
+        following organization(s):
+
+      EOM
+      only_admin_of.each { |org| message << "- #{org.name}\n" }
+      message << <<~EOM
+
+        Removing the only administrator of an organization can break it.
+        Assign additional users or groups to the admin group(s) before
+        deleting this user.
+
+      EOM
+      ui.fatal message
+      exit 1
     end
   end
 end

data/lib/chef/knife/opc_user_edit.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,22 +15,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require_relative "../mixin/root_rest"
 
 module Opc
   class OpcUserEdit < Chef::Knife
-    category "OPSCODE PRIVATE CHEF ORGANIZATION MANAGEMENT"
+    category "CHEF ORGANIZATION MANAGEMENT"
     banner "knife opc user edit USERNAME"
 
     option :input,
-    :long => '--input FILENAME',
-    :short => '-i FILENAME',
-    :description => 'Name of file to use for PUT or POST'
+      long: "--input FILENAME",
+      short: "-i FILENAME",
+      description: "Name of file to use for PUT or POST"
 
     option :filename,
-    :long => '--filename FILENAME',
-    :short => '-f FILENAME',
-    :description => 'Write private key to FILENAME rather than STDOUT'
+      long: "--filename FILENAME",
+      short: "-f FILENAME",
+      description: "Write private key to FILENAME rather than STDOUT"
 
     include Chef::Mixin::RootRestv0
 
@@ -43,28 +43,52 @@ module Opc
         exit 1
       end
 
-      original_user =  root_rest.get("users/#{user_name}")
-      if config[:input]
-        edited_user = JSON.parse(IO.read(config[:input]))
-      else
-        edited_user = edit_data(original_user)
-      end
+      original_user = root_rest.get("users/#{user_name}")
+      edited_user = get_updated_user(original_user)
       if original_user != edited_user
         result = root_rest.put("users/#{user_name}", edited_user)
         ui.msg("Saved #{user_name}.")
-        if ! result['private_key'].nil?
+        unless result["private_key"].nil?
           if config[:filename]
             File.open(config[:filename], "w") do |f|
-              f.print(result['private_key'])
+              f.print(result["private_key"])
             end
           else
-            ui.msg result['private_key']
+            ui.msg result["private_key"]
           end
         end
       else
         ui.msg("User unchanged, not saving.")
       end
+    end
+
+    private
 
+    # Check the options for ex: input or filename
+    # Read Or Open file to update user information
+    # return updated user
+    def get_updated_user(original_user)
+      if config[:input]
+        edited_user = JSON.parse(IO.read(config[:input]))
+      elsif config[:filename]
+        file = config[:filename]
+        unless File.exist?(file) ? File.writable?(file) : File.writable?(File.dirname(file))
+          ui.fatal "File #{file} is not writable.  Check permissions."
+          exit 1
+        else
+          output = Chef::JSONCompat.to_json_pretty(original_user)
+          File.open(file, "w") do |f|
+            f.sync = true
+            f.puts output
+            f.close
+            raise "Please set EDITOR environment variable. See https://docs.chef.io/knife_setup/ for details." unless system("#{config[:editor]} #{f.path}")
+
+            edited_user = JSON.parse(IO.read(f.path))
+          end
+        end
+      else
+        edited_user = JSON.parse(edit_data(original_user, false))
+      end
     end
   end
 end

data/lib/chef/knife/opc_user_list.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,23 +15,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require_relative "../mixin/root_rest"
 
 module Opc
   class OpcUserList < Chef::Knife
-    category "OPSCODE PRIVATE CHEF ORGANIZATION MANAGEMENT"
+    category "CHEF ORGANIZATION MANAGEMENT"
     banner "knife opc user list"
 
     option :with_uri,
-    :long => "--with-uri",
-    :short => "-w",
-    :description => "Show corresponding URIs"
+      long: "--with-uri",
+      short: "-w",
+      description: "Show corresponding URIs"
+
+    option :all_info,
+      long: "--all-info",
+      short: "-a",
+      description: "Show corresponding details i.e. username, email, first_name, last_name, display_name"
 
     include Chef::Mixin::RootRestv0
 
     def run
-      results = root_rest.get("users")
-      ui.output(ui.format_list_for_display(results))
+      if config[:all_info]
+        results = root_rest.get("users?verbose=true")
+        ui.output results
+      else
+        results = root_rest.get("users")
+        ui.output(ui.format_list_for_display(results))
+      end
     end
   end
 end

data/lib/chef/knife/opc_user_password.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Tyler Cloke (<tyler@getchef.com>)
-# Copyright:: Copyright 2014 Chef, Inc.
+# Copyright:: Copyright 2014-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,17 +15,17 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require_relative "../mixin/root_rest"
 
 module Opc
   class OpcUserPassword < Chef::Knife
-    category "OPSCODE PRIVATE CHEF ORGANIZATION MANAGEMENT"
+    category "CHEF ORGANIZATION MANAGEMENT"
     banner "knife opc user password USERNAME [PASSWORD | --enable-external-auth]"
 
     option :enable_external_auth,
-    :long => "--enable-external-auth",
-    :short => "-e",
-    :description => "Enable external authentication for this user (such as LDAP)"
+      long: "--enable-external-auth",
+      short: "-e",
+      description: "Enable external authentication for this user (such as LDAP)"
 
     include Chef::Mixin::RootRestv0
 
@@ -34,7 +34,7 @@ module Opc
       # USERNAME PASSWORD or USERNAME --enable-external-auth
       #
       # note that you can't pass USERNAME PASSWORD --enable-external-auth
-      if !((@name_args.length == 2 && !config[:enable_external_auth]) || (@name_args.length == 1 && config[:enable_external_auth]))
+      unless (@name_args.length == 2 && !config[:enable_external_auth]) || (@name_args.length == 1 && config[:enable_external_auth])
         show_usage
         ui.fatal("You must pass two arguments")
         ui.fatal("Note that --enable-external-auth cannot be passed with a password")
@@ -50,9 +50,9 @@ module Opc
       # true or false, there is no way of knowing if the user is using ldap or not,
       # so we will update the user every time, instead of checking if we are actually
       # changing anything before we PUT.
-      user =  root_rest.get("users/#{user_name}")
+      user = root_rest.get("users/#{user_name}")
 
-      user["password"] = password if not password.nil?
+      user["password"] = password unless password.nil?
 
       # if --enable-external-auth was passed, enable it, else disable it.
       # there is never a situation where we would want to enable ldap
@@ -64,9 +64,8 @@ module Opc
         root_rest.put("users/#{user_name}", user)
       rescue => e
         raise e
-        exit 1
       end
-      ui.msg user
+
       ui.msg("Authentication info updated for #{user_name}.")
     end
   end

data/lib/chef/knife/opc_user_show.rb

@@ -1,6 +1,6 @@
 #
-# Author:: Steven Danna (<steve@opscode.com>)
-# Copyright:: Copyright 2011 Opscode, Inc.
+# Author:: Steven Danna (<steve@chef.io>)
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,25 +15,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/mixin/root_rest'
+require_relative "../mixin/root_rest"
 
 module Opc
   class OpcUserShow < Chef::Knife
-    category "OPSCODE PRIVATE CHEF ORGANIZATION MANAGEMENT"
+    category "CHEF ORGANIZATION MANAGEMENT"
     banner "knife opc user show USERNAME"
 
     option :with_orgs,
-    :long => "--with-orgs",
-    :short => "-l"
+      long: "--with-orgs",
+      short: "-l"
 
     include Chef::Mixin::RootRestv0
 
     def run
       user_name = @name_args[0]
-      results =  root_rest.get("users/#{user_name}")
+      results = root_rest.get("users/#{user_name}")
       if config[:with_orgs]
-        orgs =  root_rest.get("users/#{user_name}/organizations")
-        results["organizations"] = orgs.map {|o| o['organization']['name']}
+        orgs = root_rest.get("users/#{user_name}/organizations")
+        results["organizations"] = orgs.map { |o| o["organization"]["name"] }
       end
       ui.output results
     end

data/lib/chef/mixin/root_rest.rb

@@ -1,6 +1,6 @@
 #
 # Author:: Steven Danna (<steve@chef.io>)
-# Copyright:: Copyright 2011 Chef Software, Inc
+# Copyright:: Copyright 2011-2016 Chef Software, Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -15,7 +15,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-require 'chef/server_api'
+require "chef/server_api"
 class Chef
   module Mixin
     module RootRestv0
@@ -24,7 +24,7 @@ class Chef
         # Rather than upgrade all of this code to move to v1, the goal is to remove the
         # need for this plugin.  See
         # https://github.com/chef/chef/issues/3517
-        @root_rest ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], {:api_version => "0"})
+        @root_rest ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root], { api_version: "0" })
       end
     end
   end

data/lib/chef/org.rb

@@ -1,7 +1,7 @@
-require 'chef/json_compat'
-require 'chef/mixin/params_validate'
-require 'chef/rest'
-require 'chef/org/group_operations'
+require "chef/json_compat"
+require "chef/mixin/params_validate"
+require "chef/server_api"
+require_relative "org/group_operations"
 
 class Chef
   class Org
@@ -9,9 +9,9 @@ class Chef
     include Chef::Mixin::ParamsValidate
     include Chef::Org::GroupOperations
 
-    def initialize(name='')
+    def initialize(name = "")
       @name = name
-      @full_name = ''
+      @full_name = ""
       # The Chef API returns the private key of the validator
       # client on create
       @private_key = nil
@@ -19,33 +19,33 @@ class Chef
     end
 
     def chef_rest
-      @chef_rest ||= Chef::REST.new(Chef::Config[:chef_server_root])
+      @chef_rest ||= Chef::ServerAPI.new(Chef::Config[:chef_server_root])
     end
 
-    def name(arg=nil)
+    def name(arg = nil)
       set_or_return(:name, arg,
-                    :regex => /^[a-z0-9\-_]+$/)
+        regex: /^[a-z0-9\-_]+$/)
     end
 
-    def full_name(arg=nil)
+    def full_name(arg = nil)
       set_or_return(:full_name,
-                    arg, :kind_of => String)
+        arg, kind_of: String)
     end
 
-    def private_key(arg=nil)
+    def private_key(arg = nil)
       set_or_return(:private_key,
-                    arg, :kind_of => String)
+        arg, kind_of: String)
     end
 
-    def guid(arg=nil)
+    def guid(arg = nil)
       set_or_return(:guid,
-                    arg, :kind_of => String)
+        arg, kind_of: String)
     end
 
     def to_hash
       result = {
         "name" => @name,
-        "full_name" => @full_name
+        "full_name" => @full_name,
       }
       result["private_key"] = @private_key if @private_key
       result["guid"] = @guid if @guid
@@ -57,15 +57,15 @@ class Chef
     end
 
     def create
-      payload = {:name => self.name, :full_name => self.full_name}
+      payload = { name: name, full_name: full_name }
       new_org = chef_rest.post_rest("organizations", payload)
-      Chef::Org.from_hash(self.to_hash.merge(new_org))
+      Chef::Org.from_hash(to_hash.merge(new_org))
     end
 
     def update
-      payload = {:name => self.name, :full_name => self.full_name}
+      payload = { name: name, full_name: full_name }
       new_org = chef_rest.put_rest("organizations/#{name}", payload)
-      Chef::Org.from_hash(self.to_hash.merge(new_org))
+      Chef::Org.from_hash(to_hash.merge(new_org))
     end
 
     def destroy
@@ -73,22 +73,20 @@ class Chef
     end
 
     def save
-      begin
-        create
-      rescue Net::HTTPServerException => e
-        if e.response.code == "409"
-          update
-        else
-          raise e
-        end
+      create
+    rescue Net::HTTPServerException => e
+      if e.response.code == "409"
+        update
+      else
+        raise e
       end
     end
 
     def associate_user(username)
-      request_body = {:user => username}
+      request_body = { user: username }
       response = chef_rest.post_rest "organizations/#{@name}/association_requests", request_body
       association_id = response["uri"].split("/").last
-      chef_rest.put_rest "users/#{username}/association_requests/#{association_id}", { :response => 'accept' }
+      chef_rest.put_rest "users/#{username}/association_requests/#{association_id}", { response: "accept" }
     end
 
     def dissociate_user(username)
@@ -98,10 +96,10 @@ class Chef
     # Class methods
     def self.from_hash(org_hash)
       org = Chef::Org.new
-      org.name org_hash['name']
-      org.full_name org_hash['full_name']
-      org.private_key org_hash['private_key'] if org_hash.key?('private_key')
-      org.guid org_hash['guid'] if org_hash.key?('guid')
+      org.name org_hash["name"]
+      org.full_name org_hash["full_name"]
+      org.private_key org_hash["private_key"] if org_hash.key?("private_key")
+      org.guid org_hash["guid"] if org_hash.key?("guid")
       org
     end
 
@@ -114,12 +112,12 @@ class Chef
     end
 
     def self.load(org_name)
-      response =  Chef::REST.new(Chef::Config[:chef_server_root]).get_rest("organizations/#{org_name}")
+      response = Chef::ServerAPI.new(Chef::Config[:chef_server_root]).get_rest("organizations/#{org_name}")
       Chef::Org.from_hash(response)
     end
 
-    def self.list(inflate=false)
-      orgs = Chef::REST.new(Chef::Config[:chef_server_root]).get_rest('organizations')
+    def self.list(inflate = false)
+      orgs = Chef::ServerAPI.new(Chef::Config[:chef_server_root]).get_rest("organizations")
       if inflate
         orgs.inject({}) do |org_map, (name, _url)|
           org_map[name] = Chef::Org.load(name)