knife-server 0.1.0

data/lib/knife/server/ec2_security_group.rb

@@ -0,0 +1,89 @@
+module Knife
+  module Server
+    class Ec2SecurityGroup
+      def initialize(connection, ui)
+        @aws  = connection
+        @ui   = ui
+      end
+
+      def configure_chef_server_group(group_name, options = {})
+        group = find_or_create(group_name, options)
+
+        ip_permissions.each do |p|
+          if permission_exists?(group, p)
+            @ui.msg "Inbound security group rule " +
+              "#{p[:proto]}(#{p[:from]} -> #{p[:to]}) exists"
+          else
+            @ui.msg "Creating inbound security group rule for " +
+              "#{p[:proto]}(#{p[:from]} -> #{p[:to]})"
+            options = permission_options(group, p)
+            @aws.authorize_security_group_ingress(group.name, options)
+          end
+        end
+      end
+
+      def find_or_create(name, options = {})
+        group = @aws.security_groups.find { |g| g.name == name }
+
+        if group.nil?
+          @ui.msg "Creating EC2 security group '#{name}'"
+          @aws.create_security_group(name, options[:description])
+          group = @aws.security_groups.find { |g| g.name == name }
+        else
+          @ui.msg "EC2 security group '#{name}' exists"
+        end
+
+        group
+      end
+
+      private
+
+      def ip_permissions
+        [ {:proto => 'icmp',  :from => -1,  :to => -1},
+          {:proto => 'tcp',   :from => 0,   :to => 65535},
+          {:proto => 'udp',   :from => 0,   :to => 65535},
+          {:proto => 'tcp',   :from => 22,  :to => 22,  :cidr => '0.0.0.0/0'},
+          {:proto => 'tcp',   :from => 443, :to => 443, :cidr => '0.0.0.0/0'},
+          {:proto => 'tcp',   :from => 444, :to => 444, :cidr => '0.0.0.0/0'},
+        ].freeze
+      end
+
+      def permission_exists?(group, perm)
+        group.ip_permissions.find do |p|
+          p['ipProtocol'] == perm[:proto] &&
+            p['fromPort'] == perm[:from] &&
+            p['toPort']   == perm[:to]
+        end
+      end
+
+      def permission_options(group, opts)
+        options = {
+          'IpPermissions' => [
+            {
+              'IpProtocol'  => opts[:proto],
+              'FromPort'    => opts[:from],
+              'ToPort'      => opts[:to]
+            }
+          ]
+        }
+
+        if opts[:cidr]
+          options['IpPermissions'].first['IpRanges'] = [
+            {
+              'CidrIp'    => opts[:cidr]
+            }
+          ]
+        else
+          options['IpPermissions'].first['Groups'] = [
+            {
+              'GroupName' => group.name,
+              'UserId'    => group.owner_id
+            }
+          ]
+        end
+
+        options
+      end
+    end
+  end
+end

data/lib/knife/server/ssh.rb

@@ -0,0 +1,34 @@
+require 'net/ssh'
+
+module Knife
+  module Server
+    class SSH
+      DEFAULT_OPTIONS = { :user => "root", :port => "22" }.freeze
+
+      def initialize(params)
+        options = DEFAULT_OPTIONS.merge(params)
+
+        @host = options.delete(:host)
+        @user = options.delete(:user)
+        @options = options
+      end
+
+      def exec!(cmd)
+        if @user == "root"
+          full_cmd = cmd
+        else
+          full_cmd = [
+            %[sudo USER=root HOME="$(getent passwd root | cut -d : -f 6)"],
+            %[bash -c '#{cmd}']
+          ].join(" ")
+        end
+
+        result = ""
+        Net::SSH.start(@host, @user, @options) do |ssh|
+          result = ssh.exec!(full_cmd)
+        end
+        result
+      end
+    end
+  end
+end

data/lib/knife/server/version.rb

@@ -0,0 +1,5 @@
+module Knife
+  module Server
+    VERSION = "0.1.0"
+  end
+end

data/spec/chef/knife/server_bootstrap_ec2_spec.rb

@@ -0,0 +1,259 @@
+require 'chef/knife/server_bootstrap_ec2'
+require 'chef/knife/ec2_server_create'
+require 'fog'
+require 'net/ssh'
+require 'fakefs/spec_helpers'
+
+describe Chef::Knife::ServerBootstrapEc2 do
+  include FakeFS::SpecHelpers
+
+  before do
+    Chef::Log.logger = Logger.new(StringIO.new)
+    @knife = Chef::Knife::ServerBootstrapEc2.new
+    @stdout = StringIO.new
+    @knife.ui.stub!(:stdout).and_return(@stdout)
+    @stderr = StringIO.new
+    @knife.ui.stub!(:stderr).and_return(@stderr)
+    @knife.config[:chef_node_name] = "yakky"
+  end
+
+  let(:connection) { mock(Fog::Compute::AWS) }
+
+  describe "#ec2_bootstrap" do
+    before do
+      @knife.config[:chef_node_name] = "shave.yak"
+      @knife.config[:ssh_user] = "jdoe"
+      @knife.config[:ssh_port] = "2222"
+      @knife.config[:identity_file] = "~/.ssh/mykey_dsa"
+      @knife.config[:security_groups] = %w{x y z}
+      @knife.config[:tags] = %w{tag1=val1 tag2=val2}
+      @knife.config[:distro] = "distro-praha"
+      @knife.config[:ebs_size] = "42"
+      @knife.config[:webui_password] = "daweb"
+      @knife.config[:amqp_password] = "queueitup"
+
+      ENV['_SPEC_WEBUI_PASSWORD'] = ENV['WEBUI_PASSWORD']
+      ENV['_SPEC_AMQP_PASSWORD'] = ENV['AMQP_PASSWORD']
+    end
+
+    after do
+      ENV['WEBUI_PASSWORD'] = ENV.delete('_SPEC_WEBUI_PASSWORD')
+      ENV['AMQP_PASSWORD'] = ENV.delete('_SPEC_AMQP_PASSWORD')
+    end
+
+    let(:bootstrap) { @knife.ec2_bootstrap }
+
+    it "returns an Ec2ServerCreate instance" do
+      bootstrap.should be_a(Chef::Knife::Ec2ServerCreate)
+    end
+
+    it "configs the bootstrap's chef_node_name" do
+      bootstrap.config[:chef_node_name].should eq("shave.yak")
+    end
+
+    it "configs the bootstrap's ssh_user" do
+      bootstrap.config[:ssh_user].should eq("jdoe")
+    end
+
+    it "configs the bootstrap's ssh_port" do
+      bootstrap.config[:ssh_port].should eq("2222")
+    end
+
+    it "configs the bootstrap's identity_file" do
+      bootstrap.config[:identity_file].should eq("~/.ssh/mykey_dsa")
+    end
+
+    it "configs the bootstrap's security_groups" do
+      bootstrap.config[:security_groups].should eq(["x", "y", "z"])
+    end
+
+    it "configs the bootstrap's ebs_size" do
+      bootstrap.config[:ebs_size].should eq("42")
+    end
+
+    it "configs the bootstrap's tags" do
+      bootstrap.config[:tags].should include("tag1=val1")
+      bootstrap.config[:tags].should include("tag2=val2")
+    end
+
+    it "adds Role=chef_server to the bootstrap's tags" do
+      bootstrap.config[:tags].should include("Role=chef_server")
+    end
+
+    it "configs the bootstrap's distro" do
+      bootstrap.config[:distro].should eq("distro-praha")
+    end
+
+    it "configs the bootstrap's distro to chef-server-debian by default" do
+      @knife.config.delete(:distro)
+
+      bootstrap.config[:distro].should eq("chef-server-debian")
+    end
+
+    it "configs the bootstrap's distro value driven off platform value" do
+      @knife.config.delete(:distro)
+      @knife.config[:platform] = "freebsd"
+
+      bootstrap.config[:distro].should eq("chef-server-freebsd")
+    end
+
+    it "configs the bootstrap's ENV with the webui password" do
+      bootstrap
+      ENV['WEBUI_PASSWORD'].should eq("daweb")
+    end
+
+    it "configs the bootstrap's ENV with the amqp password" do
+      bootstrap
+      ENV['AMQP_PASSWORD'].should eq("queueitup")
+    end
+  end
+
+  describe "#ec2_connection" do
+    before do
+      @before_config = Hash.new
+      @before_config[:knife] = Hash.new
+      [:aws_access_key_id, :aws_secret_access_key, :region].each do |attr|
+        @before_config[:knife][attr] = Chef::Config[:knife][attr]
+      end
+
+      Chef::Config[:knife][:aws_access_key_id] = "key"
+      Chef::Config[:knife][:aws_secret_access_key] = "secret"
+      Chef::Config[:knife][:region] = "hell-south-666"
+    end
+
+    after do
+      [:aws_access_key_id, :aws_secret_access_key, :region].each do |attr|
+        Chef::Config[:knife][attr] = @before_config[:knife][attr]
+      end
+    end
+
+    it "constructs a connection" do
+      Fog::Compute.should_receive(:new).with({
+        :provider => 'AWS',
+        :aws_access_key_id => 'key',
+        :aws_secret_access_key => 'secret',
+        :region => 'hell-south-666'
+      })
+
+      @knife.ec2_connection
+    end
+  end
+
+  describe "#server_dns_name" do
+    before do
+      @knife.config[:chef_node_name] = 'shavemy.yak'
+      @knife.stub(:ec2_connection) { connection }
+    end
+
+    context "when server is found" do
+      before do
+        connection.stub(:servers) { [server] }
+      end
+
+      let(:server) do
+        stub(:dns_name => 'blahblah.aws.compute.com', :state => "running",
+          :tags => {'Name' => 'shavemy.yak', 'Role' => 'chef_server'})
+      end
+
+      it "returns the provisioned dns name" do
+        @knife.server_dns_name.should eq('blahblah.aws.compute.com')
+      end
+
+      it "ignores terminated instances" do
+        server.stub(:state) { "terminated" }
+        @knife.server_dns_name.should be_nil
+      end
+    end
+
+    context "when server is not found" do
+      before do
+        connection.stub(:servers) { [] }
+      end
+
+      it "returns nil" do
+        @knife.server_dns_name.should be_nil
+      end
+    end
+  end
+
+  describe "#run" do
+    before do
+      @before_config = Hash.new
+      [:node_name, :client_key].each do |attr|
+        @before_config[attr] = Chef::Config[attr]
+      end
+      Chef::Config[:node_name] = "smithers"
+      Chef::Config[:client_key] = "/var/tmp/myclientkey.pem"
+
+      @knife.config[:security_groups] = ["mygroup"]
+      @knife.config[:validation_key] = "/var/tmp/validation.pem"
+      @knife.config[:ssh_port] = "2345"
+      @knife.config[:identity_file] = "~/.ssh/mykey_dsa"
+      @knife.stub(:ec2_connection)  { connection }
+      @knife.stub(:server_dns_name)  { "grapes.wrath" }
+      Chef::Knife::Ec2ServerCreate.stub(:new) { bootstrap }
+      Knife::Server::Ec2SecurityGroup.stub(:new) { security_group }
+      Knife::Server::SSH.stub(:new) { ssh }
+      Knife::Server::Credentials.stub(:new) { credentials }
+      security_group.stub(:configure_chef_server_group)
+      credentials.stub(:install_validation_key)
+      credentials.stub(:create_root_client)
+    end
+
+    after do
+      [:node_name, :client_key].each do |attr|
+        Chef::Config[attr] = @before_config[attr]
+      end
+    end
+
+    let(:bootstrap)       { stub(:run => true, :config => Hash.new) }
+    let(:security_group)  { stub }
+    let(:ssh)             { stub }
+    let(:credentials)     { stub.as_null_object }
+
+    it "exits if node_name option is missing" do
+      def @knife.exit(code) ; end
+      @knife.config.delete(:chef_node_name)
+
+      @knife.should_receive(:exit)
+      @knife.run
+    end
+
+    it "configures the ec2 security group" do
+      Knife::Server::Ec2SecurityGroup.should_receive(:new).
+        with(connection, @knife.ui)
+      security_group.should_receive(:configure_chef_server_group).
+        with('mygroup', :description => 'mygroup group')
+
+      @knife.run
+    end
+
+    it "bootstraps an ec2 server" do
+      bootstrap.should_receive(:run)
+      @knife.run
+    end
+
+    it "installs a new validation.pem key from the server" do
+      Knife::Server::SSH.should_receive(:new).
+        with({ :host => "grapes.wrath", :user => "root", :port => "2345" })
+      Knife::Server::Credentials.should_receive(:new).
+        with(ssh, "/etc/chef/validation.pem")
+      credentials.should_receive(:install_validation_key)
+
+      @knife.run
+    end
+
+    it "create a root client key" do
+      credentials.should_receive(:create_root_client)
+
+      @knife.run
+    end
+
+    it "installs a client key" do
+      credentials.should_receive(:install_client_key).
+        with("smithers", "/var/tmp/myclientkey.pem")
+
+      @knife.run
+    end
+  end
+end

data/spec/knife/server/credientials_spec.rb

@@ -0,0 +1,104 @@
+require 'knife/server/credentials'
+require 'fakefs/spec_helpers'
+
+describe Knife::Server::Credentials do
+  include FakeFS::SpecHelpers
+
+  let(:ssh)                 { stub("SSH Client") }
+  let(:validation_key_path) { "/tmp/validation.pem" }
+  let(:client_key_path)     { "/tmp/client.pem" }
+
+  subject do
+    Knife::Server::Credentials.new(ssh, validation_key_path)
+  end
+
+  before do
+    FileUtils.mkdir_p(File.dirname(validation_key_path))
+    FileUtils.mkdir_p(File.dirname(client_key_path))
+    File.new(validation_key_path, "wb")  { |f| f.write("thekey") }
+    File.new(client_key_path, "wb")  { |f| f.write("clientkey") }
+  end
+
+  describe "#install_validation_key" do
+    before do
+      ssh.stub(:exec!).with("cat /etc/chef/validation.pem")  { "newkey" }
+    end
+
+    it "creates a backup of the existing validation key file" do
+      original = File.open("/tmp/validation.pem", "rb") { |f| f.read }
+      subject.install_validation_key("old")
+      backup = File.open("/tmp/validation.old.pem", "rb") { |f| f.read }
+
+      original.should eq(backup)
+    end
+
+    it "skips backup file creation if validation key file does not exist" do
+      FileUtils.rm_f(validation_key_path)
+      subject.install_validation_key("old")
+
+      File.exists?("/tmp/validation.old.pem").should_not be_true
+    end
+
+    it "copies the key back from the server into validation key file" do
+      subject.install_validation_key("old")
+      key_str = File.open("/tmp/validation.pem", "rb") { |f| f.read }
+
+      key_str.should eq("newkey")
+    end
+  end
+
+  describe "#create_root_client" do
+    it "creates an initial client key on the server" do
+      ssh.should_receive(:exec!).with([
+        'knife configure --initial --server-url http://127.0.0.1:4000',
+        '--user root --repository "" --defaults --yes'
+      ].join(" "))
+
+      subject.create_root_client
+    end
+  end
+
+  describe "#install_client_key" do
+    before do
+      ssh.stub(:exec!)
+      ssh.stub(:exec!).with("cat /tmp/chef-client-bob.pem") { "bobkey" }
+    end
+
+    it "creates a user client key on the server" do
+      ssh.should_receive(:exec!).with([
+        "knife client create bob --admin",
+        "--file /tmp/chef-client-bob.pem --disable-editing",
+      ].join(" "))
+
+      subject.install_client_key("bob", client_key_path)
+    end
+
+    it "creates a backup of the existing client key file" do
+      original = File.open("/tmp/client.pem", "rb") { |f| f.read }
+      subject.install_client_key("bob", client_key_path, "old")
+      backup = File.open("/tmp/client.old.pem", "rb") { |f| f.read }
+
+      original.should eq(backup)
+    end
+
+    it "skips backup file creation if client key file does not exist" do
+      FileUtils.rm_f(client_key_path)
+      subject.install_client_key("bob", client_key_path, "old")
+
+      File.exists?("/tmp/client.old.pem").should_not be_true
+    end
+
+    it "copies the key back from the server into client key file" do
+      subject.install_client_key("bob", client_key_path, "old")
+      key_str = File.open("/tmp/client.pem", "rb") { |f| f.read }
+
+      key_str.should eq("bobkey")
+    end
+
+    it "removes the user client key from the server" do
+      ssh.should_receive(:exec!).with("rm -f /tmp/chef-client-bob.pem")
+
+      subject.install_client_key("bob", client_key_path)
+    end
+  end
+end