simp-cli 1.0.12

data/lib/simp/cli/commands/doc.rb

@@ -0,0 +1,14 @@
+module Simp::Cli::Commands; end
+
+class Simp::Cli::Commands::Doc < Simp::Cli
+  def self.run(args = Array.new)
+    raise "Package 'simp-doc' is not installed, cannot continue" unless system("rpm -q --quiet simp-doc")
+    pupdoc = %x{rpm -ql simp-doc | grep html/index.html$ | head -1}.strip.chomp
+    raise "Could not find the SIMP documentation. Please ensure that you can access '#{pupdoc}'." unless File.exists?(pupdoc)
+    exec("links #{pupdoc}")
+  end
+
+  def self.help
+    puts "Show SIMP documentation in elinks"
+  end
+end

data/lib/simp/cli/commands/passgen.rb

@@ -0,0 +1,128 @@
+module Simp::Cli::Commands; end
+
+class Simp::Cli::Commands::Passgen < Simp::Cli
+  require 'fileutils'
+
+  @target_dir = '/etc/puppet/modules/site/files/gen_passwd'
+  @show_list = false
+  @show_users = Array.new
+  @set_users = Array.new
+  @remove_users = Array.new
+
+  @opt_parser = OptionParser.new do |opts|
+    opts.banner = "\n === The SIMP Passgen Tool === "
+    opts.separator ""
+    opts.separator "The SIMP Passgen Tool is a simple password control utility. It allows the"
+    opts.separator "viewing, setting, and removal of user passwords."
+    opts.separator ""
+    opts.separator "OPTIONS:\n"
+
+    opts.on("-d", "--dir DIRECTORY", "Where the passgen passwords are stored.") do |dir|
+      @target_dir = dir
+    end
+
+    opts.on("-l", "--list", "List possible usernames upon whic to operate") do
+      @show_list = true
+    end
+
+    opts.on("-u", "--user USER1[,USER2,USER3]", Array, "Show password(s) for USERNAME") do |name|
+      @show_users = name
+    end
+
+    opts.on("-s", "--set USER1[,USER2,USER3]", Array, "Set password for USERNAME") do |name|
+      @set_users = name
+    end
+
+    opts.on("-r", "--remove USER1[,USER2,USER3]", Array, "Remove all passwords for USERNAME") do |name|
+      @remove_users = name
+    end
+
+    opts.on("-h", "--help", "Print this message.") do
+      puts opts
+      exit 0
+    end
+  end
+
+  def self.run(args = Array.new)
+    super
+
+    raise "The SIMP Passgen Tool requires at least one argument to work" if args.empty?
+    raise "Target directory '#{@target_dir}' does not exist" unless File.directory?(@target_dir)
+
+    begin
+      Dir.chdir(@target_dir) do
+        @user_names = Dir.glob("*").map { |x| x = File.basename(x, '.last') }.sort.uniq.select do |name|
+          File.ftype("#{@target_dir}/#{name}").eql?("file")
+        end
+      end
+    rescue => err
+      raise "Error occured while accessing '#{@target_dir}':\n  Causing Error: #{err}"
+    end
+
+    if @show_list
+      puts "Usernames:\n\t#{@user_names.join("\n\t")}"
+      puts
+    end
+
+    @show_users.each do |user|
+      if @user_names.include?(user)
+        Dir.chdir(@target_dir) do
+          puts "Username: #{user}"
+          current_password = File.open("#{@target_dir}/#{user}", 'r').gets
+          puts "  Current:  #{current_password}"
+          last_password = nil
+          last_password_file = "#{@target_dir}/#{user}.last"
+          if File.exists?(last_password_file)
+            last_password = File.open(last_password_file, 'r').gets
+          end
+          puts "  Previous: #{lass_password}" if last_password
+        end
+      else
+        raise "Invalid username '#{user}' selected.\n\n Valid: #{@user_names.join(', ')}"
+      end
+      puts
+    end
+
+    @set_users.each do |user|
+      password_filename = "#{@target_dir}/#{user}"
+
+      puts "Username: #{user}"
+      password = Utils.get_password
+      if File.exists?(password_filename)
+        if Utils.yes_or_no("Would you like to rotate the old password?", false)
+          begin
+            FileUtils.mv(password_filename, password_filename + '.last')
+          rescue => err
+            raise "Error occurred while moving '#{password_filename}' to '#{password_filename + '.last'}'\n  Causing Error: #{err}"
+          end
+        end
+      end
+      begin
+        File.open(password_filename, 'w') { |file| file.puts password }
+      rescue => err
+        raise "Error occurred while writing '#{password_filename}'\n  Causing Error: #{err}"
+      end
+      puts
+    end
+
+    @remove_users.each do |user|
+      password_filename = "#{@target_dir}/#{user}"
+
+      if File.exists?(password_filename)
+        if Utils.yes_or_no("Are you sure you want to remove all entries for #{user}?", false)
+          show_password(user)
+
+          last_password_filename = password_filename + '.last'
+          if File.exists?(last_password_filename)
+            File.delete(last_password_filename)
+            puts "#{last_password_filename} deleted"
+          end
+
+          File.delete(password_filename)
+          puts "#{password_filename} deleted"
+        end
+      end
+      puts
+    end
+  end
+end

data/lib/simp/cli/commands/puppeteval.rb

@@ -0,0 +1,82 @@
+module Simp::Cli::Commands; end
+
+class Simp::Cli::Commands::Puppeteval < Simp::Cli
+  require 'facter'
+
+  def self.help
+    puts "This tool gathers metric information for a Puppet run that it will run."
+  end
+
+  def self.run(args = Array.new)
+
+    data = {
+      :facter => Facter.to_hash,
+      :puppet_tags => ['--test','--evaltrace','--summarize'],
+      :cpuinfo => [],
+      :meminfo => {},
+      :summarize => {},
+      :evaltrace => []
+    }
+
+    proc_hash = Hash.new
+    File.open('/proc/cpuinfo', 'r').each do |line|
+      if line =~ /(.*)\s*: (.*)/
+        proc_hash[$1.strip] = $2
+      elsif line =~ /\A\s*\z/
+        data[:cpuinfo] << proc_hash
+        proc_hash = Hash.new
+      end
+    end
+    data[:cpuinfo] << proc_hash if !proc_hash.empty?
+
+    File.open('/proc/meminfo', 'r').each do |line|
+      if line =~ /(.*):\s*([0-9]*( kB)?)/
+        data[:meminfo][$1] = $2
+      end
+    end
+
+    # Wait for puppet to not be currently running...
+    puppet_running = true
+    found_puppet = false
+    while puppet_running do
+      ps_output = %x{/bin/ps aux | /bin/grep puppet}.each_line do |l|
+        if l =~ /\/usr\/s?bin\/puppet(d|\s+agent)/
+          sleep(2)
+          found_puppet = true
+          break
+        end
+      end
+      puppet_running = found_puppet
+      found_puppet = false
+    end
+
+    PTY.spawn("/usr/bin/puppet agent --test --evaltrace  --summarize 2> /dev/null") do |read, write, pid|
+      begin
+        at_summary = false
+        read.each do |line|
+          if at_summary
+            if line =~ /\A(\S+.*):/
+              summary_hash = $1
+              data[:summarize][summary_hash] = Hash.new
+            elsif line =~ /\s+(\S+.*): ([0-9\.]*)/
+              data[:summarize][summary_hash][$1] = $2
+            end
+          end
+          if line =~ /info: (.*): Evaluated in (.*) seconds/
+            data[:evaltrace] << { :resource => $1, :time => $2 }
+          elsif line =~ /notice: Finished catalog run in ([0-9\.]*) seconds/
+            data[:evaltrace] << { :resource => "catalog run", :time => $1 }
+            at_summary = true
+          end
+          puts line
+        end
+      rescue Errno::EIO
+      end
+    end
+
+    FileUtils.mkdir_p("/var/tmp/simp_mit/")
+    File.open( "/var/tmp/simp_mit/simp_#{Time.now.to_i}_#{Socket.gethostname}.yml", 'w') do |file|
+      YAML::dump(data, file)
+    end
+  end
+end

data/lib/simp/cli/commands/runpuppet.rb

@@ -0,0 +1,95 @@
+module Simp::Cli::Commands; end
+
+class Simp::Cli::Commands::Runpuppet < Simp::Cli
+  require 'fileutils'
+
+  @conf_dir = File.expand_path('~/.simp')
+  @host_file = "#{@conf_dir}/hosts"
+  @gen_host_list = true
+  @max_parallel = 10
+  @timeout = -1
+
+  @opt_parser = OptionParser.new do |opts|
+    opts.banner = "\n === The SIMP RunPuppet Tool ==="
+    opts.separator ""
+    opts.separator "The SIMP RunPuppet Tool allows you to run the Puppet agent on a list of hosts."
+    opts.separator ""
+    opts.separator "Some requirements to use the tool:"
+    opts.separator " * the user must have SSH access to all of the list hosts"
+    opts.separator " * the user cannot be root"
+    opts.separator " * each target host must be able to run, with sudo, the following commands:"
+    opts.separator "    - /usr/sbin/puppetd"
+    opts.separator "    - /usr/sbin/puppetca"
+    opts.separator ""
+    opts.separator "OPTIONS:\n"
+
+    opts.on("-H", "--hosts FILE", "FILE containing a list of hosts that Puppet should be run on") do |file|
+      @host_file = file
+      @gen_host_list = false
+    end
+
+    opts.on("-p", "--par NUM", "Maximum number of parallel threads. Defaults to 10.") do |num|
+      @max_parallel = num
+    end
+
+    opts.on("-t", "--timeout SEC", "Set timeout to SEC seconds. Defaults to -1 (no timeout).",
+      "\033[1mWARNING\033[0m: If your Puppet run takes more than SEC seconds, very bad things can happen!",
+      "(i.e. your Puppet run will be killed)") do |sec|
+      @timeout = sec
+    end
+
+    opts.on("-h", "--help", "Print this message") do
+      puts opts
+      exit 0
+    end
+  end
+
+  def self.run(args = Array.new)
+    super
+
+    raise Simp::Runpuppet::Error.new("SIMP RunPuppet cannot be run as 'root'.") if Process.uid == 0
+
+    host_list = Array.new
+    if @gen_host_list
+      host_list = %x{cd /;sudo /usr/sbin/puppetca --list --all}.split("\n").map do |host|
+        host.split(/\(.*\)/).first.split(/\s+/).last.delete('"')
+      end
+    else
+      File.open(@host_file).each_line do |line|
+        host_list << line.chomp
+      end
+    end
+    host_list.compact!
+
+    system("echo '#{ "Please review the lists of hosts to run puppet on:\n - #{host_list.join("\n - ")}" }' | less -F")
+
+    if Utils.yes_or_no("Run Puppet on all of the listed hosts?", false)
+      host_errors = Array.new
+      if @gen_host_list
+        File.open(@host_file, 'w') do
+          host_list.each { |host| file.puts host }
+        end
+      end
+
+      puts "This may take some time..."
+      %x{pssh -f -t #{@timeout} -p #{@max_parallel} -h #{@host_file} -OStrictHostKeyChecking=no "cd /; sudo /usr/sbin/puppetd --test"}.each_line do |line|
+        puts line
+        if line =~ /\[\d+\].*\[FAILURE\]\s([A-Za-z0-9\-\.]+).*/
+          host_errors << $1
+        end
+      end
+
+      if host_errors.empty?
+        puts "Successfully ran Puppet for the #{host_list.size} hosts listed in #{@host_file}."
+      else
+        timestamp = Time.new.strftime("%Y%m%d%H%M")
+        filepath = File.expand_path("#{@conf_dir}/pssh_error#{timestamp}")
+        FileUtils.mkpath(File.dirname(filepath))
+        File.open(filepath, 'w') do file
+          host_errors.each { |err| file.puts err }
+        end
+        raise "Errors while running Puppet, outputting list of hosts with errors to #{@conf_dir}/pssh_error#{timestamp}"
+      end
+    end
+  end
+end

data/lib/simp/cli/config/item.rb

@@ -0,0 +1,456 @@
+require 'highline/import'
+require 'puppet'
+require 'yaml'
+require File.expand_path( 'utils', File.dirname(__FILE__) )
+require 'highline'
+
+module Simp; end
+class Simp::Cli; end
+module Simp::Cli::Config
+  class Item
+    attr_accessor :key, :value, :description, :fact
+    attr_accessor :skip_query, :skip_apply, :skip_yaml, :silent
+    attr_accessor :die_on_apply_fail, :allow_user_apply
+    attr_accessor :config_items
+    attr_accessor :next_items_tree
+    attr_accessor :fail_on_missing_answer
+
+    def initialize(key = nil, description = nil)
+      @key               = key         # answers file key for the config Item
+      @description       = description # A text description of the Item
+      @value             = nil         # value (decided by user)
+      @fact              = nil         # Facter fact to query OS value
+
+      @skip_query        = false       # skip the query and use the default_value
+      @skip_apply        = false       # skip the apply
+      @skip_yaml         = false       # skip yaml output
+      @silent            = false       # no output to stdout/Highline
+      @die_on_apply_fail = false       # halt simp config if apply fails
+      @allow_user_apply  = false       # allow non-superuser to apply
+      @fail_on_missing_answer = false  # error out if @value is not pre-populated
+
+      @config_items      = {}          # a hash of all previous Config::Items
+      # a Hash of additional Items that this Item may need to add to the Queue
+      # the keys of the Has are used to look up the queue
+      # format:
+      #   'answer1' => [ Item1, Item2, .. ]
+      #   'answer2' => [ Item3, Item4, .. ]
+      @next_items_tree   = {}
+    end
+
+    # methods used to infer Item#value
+    # --------------------------------------------------------------------------
+
+    # value of item as read from OS (via Facter)
+    def os_value
+      Facter.value( @fact ) unless @fact.nil?
+    end
+
+
+    # value of Item as read from puppet (via Hiera) #TODO: not used yet
+    def puppet_value; nil; end
+
+
+    # value of Item as recommended by Very Clever Logic (tm)
+    def recommended_value; nil; end
+    # --------------------------------------------------------------------------
+
+
+    # String in yaml answer file format, with comments (if any)
+    def to_yaml_s
+      fail '@key is empty' if "#{@key}".empty?
+
+      x =  "=== #{@key} ===\n"
+      x += "#{(description || 'FIXME: NO DESCRIPTION GIVEN')}\n"
+
+      # comment every line that describes the item:
+      x =  x.each_line.map{ |y| "# #{y}" }.join
+
+      # add yaml (but stripped of frontmatter and first indent)
+      # TODO: should we be using SafeYAML?  http://danieltao.com/safe_yaml/
+      x += { @key => @value }.to_yaml.gsub(/^---\s*\n/m, '').gsub(/^  /, '' )
+      x += "\n"
+
+      if @skip_yaml
+        x.gsub( /^/, '### ' )
+      else
+        x
+      end
+    end
+
+
+    # --------------------------------------------------------------------------
+    #  Pretty stdout/stdin methods
+    # --------------------------------------------------------------------------
+    # print a pretty banner to describe an item
+    def print_banner
+      return if @silent
+      say_blue "=== #{@key} ===", ['BOLD']
+      say_blue description
+      say_blue "    - os value:          #{os_value}"          if os_value
+      say_blue "    - os value:          #{puppet_value}"      if puppet_value
+      say_blue "    - recommended value: #{recommended_value}" if recommended_value
+      say_blue "    - chosen value:      #{@value}"            if @value
+    end
+
+
+    # print a pretty summary of the Item's key+value, printed to stdout
+    def print_summary
+      return if @silent
+      fail '@key is empty' if "#{@key}".empty?
+      say( "#{@key} = '<%= color( %q{#{value}}, BOLD )%>'\n" )
+    end
+
+
+    # choose @value of Item
+    def query
+      extra = query_status
+
+      if @value.nil? && @fail_on_missing_answer
+        say( "<%= color(%q(FATAL: no answer for '), RED) %>" +
+             "<%= color(%q{#{extra}#{@key}}, BOLD,  RED)%>" +
+             "<%= color(%q('; exiting!), RED)%>\n" )
+        exit 1
+      end
+
+      if !@skip_query && @value.nil?
+        print_banner
+        @value = query_ask
+      end
+
+      # summarize the item's status after the query is complete
+      say( "#{extra}#{@key} = '<%= color( %q{#{@value}}, BOLD )%>'\n" ) unless @silent
+    end
+
+
+    def query_status
+      extra = ''
+      if !@value.nil?
+        extra = "<%= color( %q{(answered)}, CYAN, BOLD)%> "
+      elsif @skip_query
+        extra = "<%= color( %q{(noninteractive)}, CYAN, BOLD)%> "
+        @value = default_value
+      end
+      extra
+    end
+
+
+    # ask an interactive question (via stdout/stdin)
+    def query_ask
+      # NOTE: This trailing space at the end of the String obliquely instructs
+      # Highline to keep the prompt on the same line as the question.  If the
+      # String did not end with a space or tab, Highline would move the input
+      # prompt to the next line (which, for our purposes, looks confusing)
+      value = ask( "<%= color('#{@key}', WHITE, BOLD) %>: ",
+                  highline_question_type ) do |q|
+        q.default = default_value unless default_value.to_s.empty?
+
+        # validate input via the validate() method
+        q.validate = lambda{ |x| validate( x )}
+
+        # if the answer is not valid, construct a reply:
+        q.responses[:not_valid] =  "<%= color( %q{Invalid answer!}, RED ) %>\n"
+        q.responses[:not_valid] += "<%= color( %q{#{ (not_valid_message || description) }}, YELLOW) %>\n"
+        q.responses[:not_valid] += "#{q.question}  |#{q.default}|"
+
+        query_extras q
+      end
+      value
+    end
+
+
+    # returns the default answer to Item#query
+    def default_value
+      @value || recommended_value
+    end
+
+
+    def query_extras( q ); q; end
+
+
+    # returns true if x is a valid value
+    def validate( _x )
+      msg =  'ERROR: Item.validate() not implemented!'
+      msg += "\nTODO: cover common type-based validations?"
+      msg += "\nTODO: Offer validation objects?"
+      fail msg
+    end
+
+
+    def next_items
+      @next_items_tree.fetch( @value, [] )
+    end
+
+
+    # optional message to show users when invalid input is entered
+    def not_valid_message; nil; end
+
+
+    # A helper method that highline can use to cast String answers to the ask
+    # in query().  nil means don't cast, Date casts into a date, etc.
+    # A lambda can be used for sanitization.
+    #
+    # Descendants of Item are very likely to override this method.
+    def highline_question_type; nil; end
+
+    # convenience_method to print formatted information
+    def say_blue( msg, options=[] )
+      options = options.unshift( '' ) unless options.empty?
+      say "<%= color(%q{#{msg}}, CYAN #{options.join(', ')}) %>\n" unless @silent
+    end
+    def say_yellow( msg, options=[] )
+      options = options.unshift( '' ) unless options.empty?
+      say "<%= color(%q{#{msg}}, YELLOW #{options.join(', ')}) %>\n" unless @silent
+    end
+    def say_red( msg, options=[] )
+      options = options.unshift( '' ) unless options.empty?
+      say "<%= color(%q{#{msg}}, RED #{options.join(', ')}) %>\n" unless @silent
+    end
+    def say_green( msg, options=[] )
+      options = options.unshift( '' ) unless options.empty?
+      say "<%= color(%q{#{msg}}, GREEN #{options.join(', ')}) %>\n" unless @silent
+    end
+
+
+    def safe_apply; nil; end
+    def apply; nil; end
+  end
+
+
+
+  # A Item that asks for lists instead of Strings
+  #
+  #  note that @value is a Strin
+  class YesNoItem < Item
+    def not_valid_message
+      "enter 'yes' or 'no'"
+    end
+
+    def validate( v )
+      return true if (v.class == TrueClass || v.class == FalseClass)
+      ( v =~ /^(y(es)?|true|false|no?)$/i ) ? true : false
+    end
+
+    # NOTE: Highline should transform the input to a boolean but doesn't.  Why?
+    # REJECTED: Override #query_ask using Highline's #agree? *** no, can't bool
+    def highline_question_type
+      lambda do |str|
+        return true  if ( str =~ /^(y(es)?|true)$/i ? true : false || str.class == TrueClass  )
+        return false if ( str =~ /^(n(o)?|false)$/i ? true : false || str.class == FalseClass )
+        nil
+      end
+    end
+
+    # NOTE: when used from query_ask, the highline_question_type lamba doesn't
+    # always cast internal type of @value to a boolean.  As a workaround, we
+    # cast it here before it is committed to the super's YAML output.
+    def to_yaml_s
+      _value = @value
+      @value = highline_question_type.call @value
+      x = super
+      @value = _value
+      x
+    end
+
+    def next_items
+      @next_items_tree.fetch( highline_question_type.call( @value ), [] )
+    end
+  end
+
+
+
+
+  # An Item that asks for Passwords, with:
+  #   - special validation
+  #   - invisible input
+  #   - optional password generation
+  class PasswordItem < Item
+    attr_accessor :can_generate, :generate_by_default
+    def initialize
+      super
+      @can_generate        = true
+      @generate_by_default = true
+    end
+
+
+    def query_extras( q )
+      q.echo = '*'     # don't print password characters to stdout
+    end
+
+
+    def encrypt( password, salt=nil )
+      say_yellow 'WARNING: password not encrypted; override in child class'
+      password
+    end
+
+
+    def query_generate_password
+      password = false
+      default  = @generate_by_default ? 'yes' : 'no'
+      if agree( "auto-generate a password? " ){ |q| q.default = default }
+        password = Simp::Cli::Config::Utils.generate_password
+        say "<%= color( %q{#{''.ljust(80,'-')}}, GREEN)%>\n"
+        say '<%= color( %q{NOTE: }, GREEN, BOLD)%>' +
+            "<%= color( %q{ the generated password is: }) %>\n"
+        say "\n"
+        say "<%= color( %q{   #{password}}, YELLOW, BOLD )%>  "
+        say "\n"
+        say "\n"
+        say 'Please remember it!'
+        say "<%= color( %q{#{''.ljust(80,'-')}}, GREEN)%>\n"
+        say_blue '*** Press enter to continue ***' , ['BOLD', 'BLINK']
+        ask ''
+      end
+      password
+    end
+
+
+    # ask for the password twice (and verify that both match)
+    def query_ask
+      password = false
+      password = query_generate_password if @can_generate
+
+      while !password
+        answers = []
+        [0,1].each{ |x|
+          say "please enter a password:"     if x == 0
+          say "please confirm the password:" if x == 1
+          answers[x] = super
+        }
+        if answers.first == answers.last
+          password = answers.first
+        else
+          say_yellow( 'WARNING: passwords did not match!  Please try again.' )
+        end
+      end
+
+      encrypt password
+    end
+
+
+    def validate x
+      result = true
+      begin
+        Simp::Cli::Config::Utils.validate_password x
+      rescue Simp::Cli::Config::PasswordError => e
+        say_yellow "WARNING: Invalid Password: #{e.message}"
+        result = false
+      end
+      result
+    end
+  end
+
+
+  # A Item that asks for lists instead of Strings
+  #
+  #  note that @value  is now an Array
+  class ListItem < Item
+    attr_accessor :allow_empty_list
+
+    def initialize
+      super
+      @allow_empty_list = false
+    end
+
+    def not_valid_message
+      extra = 'hit enter to skip'
+      extra = "hit enter to accept default value" if default_value
+      "enter a comma or space-delimited list (#{extra})"
+    end
+
+    def query_extras( q )
+      # NOTE: this is a hack to massage Array input to/from a highline query.
+      # It would probably be better (but more complex) to provide native Array
+      # support for highline.
+      # TODO: Override #query_ask using Highline's #gather?
+      q.default  = q.default.join( " " ) if q.default.is_a? Array
+      reminder = ::HighLine.color( not_valid_message,
+                            ::HighLine.const_get('YELLOW') )
+      q.question = "#{reminder}\n#{q.question}"
+      q
+    end
+
+    def highline_question_type
+      # Convert the String (delimited by comma and/or whitespace) answer into an array
+      lambda { |str|
+        str = str.split(/,\s*|,?\s+/) if str.is_a? String
+        str
+      }
+    end
+
+    # validate the list and each item in the list
+    def validate( list )
+      # reuse the highline lambda to santize input
+      return true  if (@allow_empty_list && list.nil?)
+      list = highline_question_type.call( list ) if !list.is_a? Array
+      return false if !list.is_a?(Array)
+      return false if (!@allow_empty_list && list.empty? )
+      list.each{ |item|
+        return false if !validate_item( item )
+      }
+      true
+    end
+
+    # validate a single list item
+    def validate_item( x )
+      fail 'not implemented!'
+    end
+  end
+
+
+  # mixin that provides common logic for safe_apply()
+  module SafeApplying
+    def safe_apply
+      extra        = ''
+      not_root_msg = ''
+      if !@allow_user_apply
+        not_root_msg = ENV.fetch('USER') == 'root' ? '' : ' [**user is not root**] '
+      end
+
+      if @skip_apply || (not_root_msg.size != 0)
+        extra = "<%= color( %q{(skipping apply#{not_root_msg})}, MAGENTA, BOLD)%> "
+        say( "#{extra}#{@key}" ) unless @silent
+        if !(@value.nil? || @value.class == TrueClass || @value.class == FalseClass || @value.empty?)
+          say( "= '<%= color( %q{#{@value}}, BOLD )%>'\n" ) unless @silent
+        end
+      else
+        extra = "<%= color( %q{(applying changes)}, GREEN, BOLD)%> "
+        say( "#{extra}for #{@key}\n" ) unless @silent
+        begin
+          result = apply
+          if result
+            extra = "<%= color( %q{(change applied)}, GREEN, BOLD)%> "
+          else
+            extra = "<%= color( %q{(change failed)}, RED, BOLD)%> "
+          end
+          say( "#{extra}for #{@key}\n" ) unless @silent
+        rescue Exception => e
+          extra = "<%= color( %q{(change failed)}, RED, BOLD) %> "
+          say( "#{extra}for #{@key}:\n#{e.message}" )
+          say "<%= color( %q{#{e.message.to_s.gsub( /^/, '    ' )}}, RED) %> \n"
+
+          # Some failures should be punished by death
+          fail e if @die_on_apply_fail
+        end
+      end
+    end
+  end
+
+
+  # A special Item that is never interactive, but applies some configuration
+  class ActionItem < Item
+    include Simp::Cli::Config::SafeApplying
+
+    def initialize
+      super
+    end
+
+    # internal method to change the system (returns the result of the apply)
+    def apply; nil; end
+
+    # don't be interactive!
+    def validate( x ); true; end
+    def query;         nil;  end
+    def to_yaml_s;     nil;  end
+  end
+end