ncedit 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 326ad90c579b6ab122bc1aca4e92f2ba9409f556
-  data.tar.gz: 58fb80c7453318166436e8fac0d84a3d57b52c56
+  metadata.gz: af182264e160a6970386cf7c82f89d633562e83b
+  data.tar.gz: de7185420068f8de02cc2eb5eb1aafe57f52d939
 SHA512:
-  metadata.gz: a3053204bc285ae301a4848391e7bf52d46baf3feb4c40c8beac48998710df92888927e4b1fe4072affc4415823b28874bb9cdac81f8631765de60a44567a9ef
-  data.tar.gz: 0d0c2c813e97aad9b2d41a1bf3ae8c9cce8b34ac310c3b8f3ab0b1e98b2ac4a1f8148ac45f8394e21e46e6fdbac4c85d0f17beb24accb7ddd25db3792dd388cb
+  metadata.gz: a8f5623802fd951fc3da86d6613ded5c934af43fdd6fdf01697abe2a5f237d65092ebf4e0520edc7aeb5e6fe12439a16357332c564cea2547205d5db2058b8fb
+  data.tar.gz: 1a7e2ca2245765be503c10572da54a7b59e0d5e1b17857637cbda2df93aee58bc33b40d19cfe88560b5fdac681cba1d84f5a7b7cb66f057c8a29bf26bd719471

data/README.md

@@ -1,19 +1,20 @@
 [![Build Status](https://travis-ci.org/GeoffWilliams/ncedit.svg?branch=master)](https://travis-ci.org/GeoffWilliams/ncedit)
 # ncedit - Puppet Node Classifier CLI editor
 
-ncedit is a small utility program that lets you edit the Puppet Enterprise Node Classifier rules from the commandline.
+ncedit is a small utility program that lets you edit the Puppet Enterprise Node Classifier rules from the command line.
 
-Why would you want to do this given that we have the excellent [node_manager] (https://forge.puppet.com/WhatsARanjit/node_manager) module already on the forge?  Well... lots of reasons.  First off, using puppet code to drive the Node Classifier means that you have to have the `node_manager` module alread installed, which means that you must already have your [classification rules](https://docs.puppet.com/pe/latest/console_classes_groups_getting_started.html) in to reference the module through [Code Manager](https://docs.puppet.com/pe/latest/code_mgr.html).  You could in-theory use Puppet Enterprise's new idempotent installer (just reinstall puppet over the top of itself) to fix this exact issue but then you still have the problem of how to classify your master in order to activate any other new rules (eg node-ttl) you want to use, which are associated with a new [role](https://docs.puppet.com/pe/latest/r_n_p_intro.html) for the Puppet Master.
+Why would you want to do this given that we have the excellent [node_manager](https://forge.puppet.com/WhatsARanjit/node_manager) module already on the forge?  Well... lots of reasons.  First off, using puppet code to drive the Node Classifier means that you have to have the `node_manager` module alread installed, which means that you must already have your [classification rules](https://docs.puppet.com/pe/latest/console_classes_groups_getting_started.html) in to reference the module through [Code Manager](https://docs.puppet.com/pe/latest/code_mgr.html).  You could in-theory use Puppet Enterprise's new idempotent installer (just reinstall puppet over the top of itself) to fix this exact issue but then you still have the problem of how to classify your master in order to activate any other new rules (eg node-ttl) you want to use, which are associated with a new [role](https://docs.puppet.com/pe/latest/r_n_p_intro.html) for the Puppet Master.
 
 That's where this tool comes in since all you need is root shell on the Puppet Master and a YAML or JSON file with the changes you want to make...
 
 ## Features
+You can:
 * Create node groups
 * Add or remove classes
 * Add or remove class parameters
 * Add or remove rules
 
-All from the convenience of the CLI.  This also allows this tool to be called from scripts and other systems in order to setup Puppet Enterprise the way you want and with the minimum of effort.
+...All from the convenience of the CLI.  This also allows this tool to be called from scripts and other systems in order to setup Puppet Enterprise the way you want and with the minimum of effort.
 
 For the moment, the edits to be carried out need to be placed into either a JSON or YAML file for bulk processing.  If there is interest, the tool will be enhanced to allow the above operations to be specified individually on the command line so to avoid the need to write YAML/JSON.
 
@@ -28,7 +29,7 @@ This will install the gem into the Puppet Master's vendored ruby.  You could ins
 ## Usage
 
 ### Node Classifier API access
-ncedit is intended to be run on the Puppet Master as root.  Doing so avoids having to deal with networks, firewalls, whitelists and the Puppet Enterprise RBAC API.  While it would be cool to expand the tool to deal with these issues, its just a whole lot simpler to just run from the Puppet Master so right now that's all thats supported.
+ncedit is intended to be run on the Puppet Master as root.  Doing so avoids having to deal with networks, firewalls, certificate whitelists and the Puppet Enterprise RBAC API.  While it would be cool to expand the tool to deal with these issues, its just a whole lot simpler to just run from the Puppet Master so right now that's all thats supported.
 
 ### Making batch changes
 To avoid the need to repeatedly invoke this tool using say, a bash script, ncedit natively supports reading a file of batch changes to make that is written in either YAML or JSON.
@@ -109,14 +110,65 @@ ncedit  batch --json-file /path/to/batch.json
 ```
 
 ## Making per-item changes
-* coming? (soon?) -- anyone want this?
+If you don't want to go to the hassle of creating a batch file or you have small, dynamic edits you wish to perform, your able to perform individual edits on the command line:
+
+### Add a class to group
+```shell
+ncedit --group-name FOO --class-name BAR
+```
+* Group will be created if it doesn't exist
+* Class MUST exist AND puppet must be aware of it (defeat caching) for the request to be accepted
+
+### Add a parameter to a class for a group
+```shell
+ncedit --group-name FOO --class-name BAR --param-name BAZ --param-value BAS
+```
+* Group will be created if it doesn't exist
+* Class will be added if it isn't already
+* Class MUST exist AND puppet must be aware of it (defeat caching) AND the parameter must exist on the class for the request to be accepted
+
+### Delete a parameter from a class inside a group
+```shell
+ncedit --group-name FOO --class-name BAR --param-name BAZ --delete-param
+```
+* Group will be created if it doesn't exist
+* Class will be added if it isn't already
+* Ensures the parameter `BAZ` is not set
+
+### Delete a class inside a group
+```shell
+ncedit --group-name FOO --class-name BAR --delete-class
+```
+* Group will be created if it doesn't exist
+* Ensures the class `BAR` is not defined
+
+### Replace all rules for group
+```shell
+ncedit --group-name FOO --rule 'JSON_FRAGMENT' --rule-mode replace
+```
+* Group will be created if it doesn't exist
+* Completely replaces existing rules for this group
+* Example JSON_FRAGMENT: `["and",["=",["fact","ipaddress"],"192.168.1.1"]]`
+
+### Append a rule to group
+```shell
+ncedit --group-name FOO --rule 'JSON_FRAGMENT' --rule-mode append
+```
+* Group will be created if it doesn't exist
+* Appends supplied JSON_FRAGMENT to the group's rules
+* Example JSON_FRAGMENT: `["and",["=",["fact","osfamily"],"RedHat"]]`
+* Notice in our example JSON_FRAGMENT that we have *kept* the outer `and` rule.  If we supply a conjuctive different to the rule's current value we will change it for the whole rule
 
 ## Troubleshooting
+* If you cannot install the `ncedit` gem and you are behind a corporate proxy, ensure that you have correctly set your `http_proxy` and `https_proxy` variables on the shell before running `gem install`.
+* Some corporate proxies will attempt to eavesdrop on all SSL connections which will cause downloads to fail.  This can be resolved by installing a CA bundle (be sure you understand the implications of doing so) or domain whitelisting on the proxy itself
 * If the ncedit fails, it will swallow stack traces by default, pass the `--verbosity debug` argument if you need to obtain one.  Note the position of the argument before the command name:
 ```
 bundle exec ncedit --verbosity debug  batch --yaml-file /path/to/batch.yaml
 ```
 * Ensure you are running as `root` to avoid permission errors
+* If your shell can't find `ncedit` after successful installation and you installed into Puppet Enterprise's vendored ruby, make sure that your `PATH` contains `/opt/puppetlabs/puppet/bin` or run ncedit directly: `/opt/puppetlabs/puppet/bin/ncedit`
+* Don't attempt to debug the NC API through the PE console by capturing traffic, it uses a completely different API all of its own (In particular, there is another layer of boolean logic around rules).  Instead, use [NCIO](https://github.com/jeffmccune/ncio) to dump the current state of the NC API or see [Puppet's NC API documentation](https://docs.puppet.com/pe/latest/nc_index.html)
 
 ## Testing
 To run tests:

data/doc/example/batch.json

@@ -3,7 +3,6 @@
     "classes": {
       "puppet_enterprise::profile::master": {
         "code_manager_auto_configure": true,
-
         "r10k_remote": "https://github.com/GeoffWilliams/r10k-control",
         "r10k_private_key": "/etc/puppetlabs/puppetserver/ssh/id-control_repo.rsa"
       }
@@ -12,22 +11,26 @@
       "puppet_enterprise::profile::masterbad"
     ],
     "delete_params": {
-      "puppet_enterprise::profile::redo:": [
-        "badparam"
+      "puppet_enterprise::profile::mcollective::agent": [
+        "stomp_user"
       ]
     }
   },
   "Puppet Masters": {
     "classes": {
-      "r_role::puppet::master_minimal": {
+      "pe_r10k": {
+        "proxy": "proxy.megacorp.com:8080"
       }
     },
     "append_rules": [
       "or",
       [
         "=",
-        "name",
-        "pupper.puppet.com"
+        [
+          "fact",
+          "ipaddress"
+        ],
+        "192.168.0.252"
       ]
     ]
   }

data/doc/example/batch.yaml

@@ -14,14 +14,16 @@
     - "puppet_enterprise::profile::masterbad"
 
   "delete_params":
-    "puppet_enterprise::profile::redo:":
-      - "badparam"
+    "puppet_enterprise::profile::mcollective::agent":
+      - "stomp_user"
 
 "Puppet Masters":
   "classes":
-    "r_role::puppet::master_minimal": {}
+    "pe_r10k":
+      "proxy": "proxy.megacorp.com:8080"
   "append_rules":
     - "or"
     - - "="
-      - "name"
-      - "pupper.puppet.com"
+      - - "fact"
+        - "ipaddress"
+      - "192.168.0.252"

data/exe/ncedit

@@ -11,49 +11,60 @@ Escort::App.create do |app|
   app.summary "ncedit"
   app.description "Edit PE node classification groups"
 
-  # not currently working...
-  # app.command :classes do |command|
-  #   command.summary "Install all known nodes"
-  #   command.description "Install Puppet Enterprise master and agents on all known nodes"
-  #   command.options do |opts|
-  #     opts.opt(:group_name,
-  #       'NC group name',
-  #       :long => '--group-name',
-  #       :type => :string,
-  #     )
-  #     opts.opt(:class_name,
-  #       'NC class name',
-  #       :long => '--class-name',
-  #       :type => :string,
-  #     )
-  #     opts.opt(:param_name,
-  #       'NC parameter name',
-  #       :long => '--param-name',
-  #       :type => :string,
-  #     )
-  #     opts.opt(:param_value,
-  #       'NC parameter value',
-  #       :long => '--param-value',
-  #       :type => :string,
-  #     )
-  #     opts.opt(:delete_class,
-  #       'delete this rule',
-  #       :long    => '--delete-class',
-  #       :type    => :boolean,
-  #       :default => false,
-  #     )
-  #     opts.opt(:delete_param,
-  #       'delete this rule',
-  #       :long    => '--delete-param',
-  #       :type    => :boolean,
-  #       :default => false,
-  #     )
-  #     opts.dependency :param_value, :on => :param_name
-  #   end
-  #   command.action do |options, arguments|
-  #     NCEdit::Cmd::classes(options, arguments)
-  #   end
-  # end
+  app.command :classes do |command|
+    command.summary "Edit classes"
+    command.description "Create/edit/delete class in rule"
+    command.options do |opts|
+      opts.opt(:group_name,
+        'NC group name',
+        :long => '--group-name',
+        :type => :string,
+      )
+      opts.opt(:class_name,
+        'NC class name',
+        :long => '--class-name',
+        :type => :string,
+      )
+      opts.opt(:param_name,
+        'NC parameter name',
+        :long => '--param-name',
+        :type => :string,
+      )
+      opts.opt(:param_value,
+        'NC parameter value',
+        :long => '--param-value',
+        :type => :string,
+      )
+      opts.opt(:delete_class,
+        'Delete this class',
+        :long    => '--delete-class',
+        :type    => :boolean,
+        :default => false,
+      )
+      opts.opt(:delete_param,
+        'Delete this param',
+        :long    => '--delete-param',
+        :type    => :boolean,
+        :default => false,
+      )
+      opts.opt(:rule,
+        'Update the NC group with this rule (JSON fragment)',
+        :long    => '--rule',
+        :type    => :string,
+      )
+      opts.dependency :param_value, :on => :param_name
+
+      opts.opt(:rule_mode,
+        "Processing instruction for rule supplied with --rule (allowed: 'replace', 'append')",
+        :long    => '--rule-mode',
+        :type    => :string,
+      )
+
+    end
+    command.action do |options, arguments|
+      NCEdit::Cmd::classes(options[:global][:commands][:classes][:options])
+    end
+  end
 
   app.command :batch do |command|
     command.summary "Batch processing from YAML/JSON"

data/lib/ncedit/cmd.rb

@@ -99,6 +99,33 @@ module NCEdit
       group
     end
 
+    # to see if our changes were saved or not we need to remove all nillified
+    # keys from both levels (class, parameter) of the class_delta array, since
+    # when we re-read from the NC our nillified data will be completely gone.  A
+    # naive comparison would then report a failure even though the operation
+    # succeeded.  On a practical level we must convert:
+    # {"puppet_enterprise"=>{"proxy"=>nil, "keep"=>"keep"}, "b"=>nil}
+    # ...to...
+    # {"puppet_enterprise"=>{"keep"=>"keep"}}
+    #
+    # @param nc_class The class hash as re-read from the NC API
+    # @param class_delta The class delta we originally requested (with nils for deletes)
+    def self.delta_saved?(nc_class, class_delta)
+      class_delta_reformatted = class_delta.map { |class_name, params|
+        if params == nil
+          # skip classes that are requested to be deleted for the moment since
+          # we will catch them on the outer pass
+      	  params_fixed = params
+        else
+          # remove all individual nullified parameters
+      	  params_fixed = params.reject{|param_name, param_value| param_value == nil}
+        end
+        [class_name,params_fixed]
+      }.to_h.reject { |class_name,params| params == nil}
+
+      nc_class == class_delta_reformatted
+    end
+
     def self.update_group(group_name, classes: nil, rule: nil)
       # group_delta will actually replace all classes/rules with whatever is
       # specified, so we need to merge this with any existing definition if
@@ -126,11 +153,11 @@ module NCEdit
       # now present.  If there was an error, then the user should have
       # previously seen some output since puppetclassify prints some useful
       # debug output
-      saved_group = nc_group(group_name)
-      if saved_group["classes"] == classes and saved_group["rule"] == rule
+      re_read_group = nc_group(group_name)
+      if delta_saved?(re_read_group["classes"], classes) and re_read_group["rule"] == rule
         Escort::Logger.output.puts "changes saved"
       else
-        Escort::Logger.error.error "re-read #{group_name} results in #{saved_group} should have delta of #{group_delta}"
+        Escort::Logger.error.error "re-read #{group_name} results in #{re_read_group} should have delta of #{group_delta}"
         raise "Error saving #{group_name}"
       end
     end
@@ -190,55 +217,73 @@ module NCEdit
       data.each { |group_name, data|
 
         Escort::Logger.output.puts "Processing #{group_name}"
+        group = nc_group(group_name)
 
+        #
+        # delete classes
+        #
         if data.has_key?("delete_classes")
-          if delete_classes(group_name, data["delete_classes"])
-            update_group(group_name, classes: data["delete_classes"])
+          changes = false
+
+          data["delete_classes"].each { |class_name|
+            changes |= ensure_class(group, class_name, delete:true)
+          }
+          if changes
+            update_group(group_name, classes: group["classes"])
           end
         end
 
+        #
+        # delete params
+        #
         if data.has_key?("delete_params")
-          if delete_params(group_name, data["delete_params"])
-            update_group(group_name, classes: data["delete_params"])
+          changes = false
+          data["delete_params"].each { |class_name, delete_params|
+            delete_params.each { | param_name|
+              changes |= ensure_class(group, class_name)
+              changes |= ensure_param(group, class_name, param_name, nil, delete:true)
+            }
+          }
+          if changes
+            update_group(group_name, classes: group["classes"])
           end
         end
 
+        #
+        # classes (and optionally params)
+        #
         if data.has_key?("classes")
-          if ensure_classes_and_params(group_name, data["classes"])
-            update_group(group_name, classes: data["classes"])
+          if ensure_classes_and_params(group, data["classes"])
+            update_group(group_name, classes: group["classes"])
           end
         end
 
+        #
+        # append rules
+        #
         if data.has_key?("append_rules")
-          if ensure_rules(group_name, data["append_rules"])
-            update_group(group_name, rule: data["append_rules"])
+          if ensure_rules(group, data["append_rules"])
+            update_group(group_name, rule: group["rule"])
           end
         end
       }
     end
 
-    def self.delete_class(group, class_name)
-      if group["classes"].delete(class_name)
-        changes = true
-      else
-        changes = false
-      end
 
-      changes
-    end
-
-    def self.delete_param(group, class_name, param_name)
-      if  group["classes"].has_key?(class_name) and
-          group["classes"][class_name].delete(param_name)
+    # Classes are only removed when they have their parameters nilled so we must
+    # formulate special json to allow delete
+    # @see https://docs.puppet.com/pe/latest/nc_groups.html#post-v1groupsid
+    #
+    # Updates `group` to ensure that it now contains `class_name` (or marks it
+    # for deletion).  To commit changes, need to pass the updated
+    # `group['class']` hash to `update_group`
+    def self.ensure_class(group, class_name, delete:false)
+      if group["classes"].has_key?(class_name) and delete
+        # delete class by nilling its parameters
+        group["classes"][class_name] = nil
         changes = true
-      else
-        changes = false
-      end
-      changes
-    end
-
-    def self.ensure_class(group, class_name)
-      if ! group["classes"].has_key?(class_name)
+      elsif ! group["classes"].has_key?(class_name) and ! delete
+        # create class because we are not deleting it and it doesn't exist yet
         group["classes"][class_name] = {}
         changes = true
       else
@@ -248,12 +293,21 @@ module NCEdit
       changes
     end
 
-    def self.ensure_param(group, class_name, param_name, param_value)
+    # Updates `group` to ensure that it now contains `param_name` set to
+    # `param_value` (or marks the parameter it for deletion).  To commit changes
+    # , need to pass the updated `group['class']` hash to `update_group`
+    def self.ensure_param(group, class_name, param_name, param_value, delete:false)
       # ensure parameter set if specified
-      if ! group["classes"][class_name].has_key?(param_name) or
-          group["classes"][class_name][param_name] != param_value
+      if ! delete and (
+            ! group["classes"][class_name].has_key?(param_name) or
+            group["classes"][class_name][param_name] != param_value
+          )
+        # update or add a new parameter
         group["classes"][class_name][param_name] = param_value
         changes = true
+      elsif delete and group["classes"][class_name].has_key?(param_name)
+        group["classes"][class_name][param_name] = nil
+        changes = true
       else
         changes = false
       end
@@ -261,40 +315,19 @@ module NCEdit
       changes
     end
 
-    def self.delete_classes(group_name, data)
-      updated = false
-      if data
-        data.each{ |class_name|
-          Escort::Logger.output.puts "Deleting class: #{group_name}->#{class_name}"
-          updated |= delete_class(nc_group(group_name), class_name)
-        }
-      end
-      updated
-    end
-
-    def self.delete_params(group_name, data)
-      updated = false
-      if data
-        data.each{ |class_name, param_names|
-          param_names.each { |param_name|
-            Escort::Logger.output.puts "Deleting param: #{group_name}->#{class_name}=>#{param_name}"
-            updated |= delete_param(nc_group(group_name), class_name, param_name)
-          }
-        }
-      end
-      updated
-    end
-
-    def self.ensure_classes_and_params(group_name, data)
+    # Updates `group` to ensure that it now contains classes and parameters as
+    # specified in the `data` paramater.  To commit changes, need to pass the
+    # updated `group['class']` hash to `update_group`
+    def self.ensure_classes_and_params(group, data)
       updated = false
       if data
         data.each{ |class_name, params|
-          Escort::Logger.output.puts "ensuring class: #{group_name}->#{class_name}"
-          updated |= ensure_class(nc_group(group_name), class_name)
+          Escort::Logger.output.puts "ensuring class: #{group['name']}->#{class_name}"
+          updated |= ensure_class(group, class_name)
           if params
             params.each { |param_name, param_value|
-              Escort::Logger.output.puts "ensuring param: #{group_name}->#{class_name}->#{param_name}=#{param_value}"
-              updated |= ensure_param(nc_group(group_name), class_name, param_name, param_value)
+              Escort::Logger.output.puts "ensuring param: #{group['name']}->#{class_name}->#{param_name}=#{param_value}"
+              updated |= ensure_param(group, class_name, param_name, param_value)
             }
           end
         }
@@ -313,6 +346,8 @@ module NCEdit
     #
     # Only the rule to be added in should be passed as the rule parameter, eg:
     # ["=", "name", "bob"]
+    #
+    # To commit changes, need to pass the updated `group['rule']` hash to `update_group`
     def self.ensure_rule(group, rule)
       updated = false
 
@@ -321,7 +356,7 @@ module NCEdit
 
       # rules are nested like this, the "or" applies to the whole rule chain:
       # "rule"=>["or", ["=", "name", "bob"], ["=", "name", "hello"]]
-      group["rule"][1].each {|system_rule|
+      group["rule"].drop(1).each {|system_rule|
         if  system_rule[0] == rule[0] and
             system_rule[1] == rule[1] and
             system_rule[2] == rule[2]
@@ -331,33 +366,43 @@ module NCEdit
       }
       if ! found
         Escort::Logger.output.puts "Appending rule: #{rule}"
-        group["rule"][1] << rule
+        group["rule"].push(rule)
         updated = true
       end
 
       updated
     end
 
+    # Modify `group` to ensure the passed in `rules` exist. To commit changes,
+    # need to pass the updated `group['rule']` hash to `update_group`
+    #
     # rules need to arrive like this:
     # ["or", ["=", "name", "pupper.megacorp.com"], ["=", "name", "pupper.megacorp.com"]]
     # since the rule conjunction "or" can only be specified once per rule chain
     # we will replace whatever already exists in the rule with what the user
     # specified
-    def self.ensure_rules(group_name, rules)
+    def self.ensure_rules(group, rules)
       updated = false
-      group = nc_group(group_name)
+
       if ! group["rule"] or group["rule"].empty?
         # no rules yet - just add our new one
-        group["rule"] = [DEFAULT_RULE,[]]
+        group["rule"] = [DEFAULT_RULE]
       end
       updated |= ensure_rule_conjunction(group, rules[0])
-      rules[1].each { |rule|
+      rules.drop(1).each { |rule|
         updated |= ensure_rule(group, rule)
       }
 
       updated
     end
 
+    # Ensure the correct boolean conjunction ('and'/'or' - 'not' is not allowed)
+    # is being used for a given rule chain.  If user tried to append a rule with
+    # a different conjuction to the one currently in use we will change the
+    # conjuction used on the entire chain to match.
+    #
+    # Updates `group` in-place, To commit changes, need to pass the updated
+    # `group['rule']` hash to `update_group`
     def self.ensure_rule_conjunction(group, op)
       updated = false
       if ["and", "or"].include?(op)
@@ -371,5 +416,75 @@ module NCEdit
 
       updated
     end
+
+
+    def self.classes(options)
+      group_name    = options[:group_name]
+      class_name    = options[:class_name]
+      param_name    = options[:param_name]
+      param_value   = options[:param_value]
+      delete_class  = options[:delete_class]
+      delete_param  = options[:delete_param]
+      rule          = options[:rule]
+      rule_mode     = options[:rule_mode]
+
+      rule_change   = false
+      class_change  = false
+
+      if group_name
+        group = nc_group(group_name)
+      else
+        raise "All operations require a valid group_name"
+      end
+
+      rule_modes = ['replace', 'append']
+      if rule and (! rule_modes.include?(rule_mode))
+        raise "Invalid rule mode '#{rule_mode}'.  Allowed: #{rule_modes}"
+      end
+
+      if class_name and delete_class
+        # delete a class from a group
+        Escort::Logger.output.puts "Deleting class #{class_name} from #{group_name}"
+        class_change = ensure_class(group, class_name, delete:true)
+      elsif class_name and param_name and delete_param
+        # delete a parameter from a class
+        Escort::Logger.output.puts "Deleting parameter #{param_name} on #{class_name} from #{group_name}"
+        class_change = ensure_class(group, class_name)
+        class_change |= ensure_param(group, class_name, param_name, nil, delete:true)
+      elsif class_name and param_name and param_value
+        # set a value inside a class
+        Escort::Logger.output.puts "Setting parameter #{param_name} to #{param_value} on #{class_name} in #{group_name}"
+        class_change = ensure_class(group, class_name)
+        class_change |= ensure_param(group, class_name, param_name, param_value)
+      elsif class_name
+        Escort::Logger.output.puts "Adding #{class_name} to #{group_name}"
+        class_change = ensure_class(group, class_name)
+      end
+
+      # process any rule changes separately since they are valid for all actions
+      if rule
+        begin
+          rule_json = JSON.parse(rule)
+        rescue JSON::ParserError
+          raise "Syntax error in data supplied to --rule (must be valid JSON)"
+        end
+
+        if rule_mode == 'replace'
+          if group['rule'] != rule_json
+            group['rule'] = rule_json
+            rule_change = true
+          end
+        else
+          rule_change = ensure_rules(group, rule_json)
+        end
+      end
+
+      # save changes
+      if class_change or rule_change
+        update_group(group_name, classes: group["classes"], rule: group["rule"])
+      else
+        Escort::Logger.output.puts "Already up-to-date"
+      end
+    end
   end
 end

data/lib/ncedit/version.rb

@@ -1,3 +1,3 @@
 module NCEdit
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ncedit
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Geoff Williams
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-03-15 00:00:00.000000000 Z
+date: 2017-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler