Class: Chef::ScanAccessControl

Inherits:
Object
Defined in:
lib/chef/scan_access_control.rb

Overview

ScanAccessControl

Reads the access control settings of a file and writes them to a resource (which should be the current_resource), matching the style used by the new resource. That is, if users are specified by username in new_resource, the uids from stat are looked up and usernames are set on current_resource.

Why?

FileAccessControl objects may operate on a temporary file, in which case we won’t know if the access control settings changed (ex: rendering a template with both a change in content and ownership). For auditing purposes, we need to record the current state of a file system entity. – Not yet sure if this is the optimal way to solve the problem. But it’s progress towards the end goal.

TODO: figure out if all this works with macOS’ negative uids

TODO: windows


Constructor Details

#initialize(new_resource, current_resource) ⇒ ScanAccessControl

Returns a new instance of ScanAccessControl.



# File 'lib/chef/scan_access_control.rb', line 43

def initialize(new_resource, current_resource)
  @new_resource, @current_resource = new_resource, current_resource
end

Instance Attribute Details

#current_resource ⇒ Object (readonly)

Returns the value of attribute current_resource.



# File 'lib/chef/scan_access_control.rb', line 41

def current_resource
  @current_resource
end

#new_resource ⇒ Object (readonly)

Returns the value of attribute new_resource.



# File 'lib/chef/scan_access_control.rb', line 40

def new_resource
  @new_resource
end

Instance Method Details

#current_group ⇒ Object



# File 'lib/chef/scan_access_control.rb', line 93

def current_group
  case new_resource.group
  when String, nil
    lookup_gid
  when Integer
    stat.gid
  else
    Chef::Log.error("The `group` parameter of the #{@new_resource} resource is set to an invalid value (#{new_resource.group.inspect})")
    raise ArgumentError, "cannot resolve #{new_resource.group.inspect} to gid, group must be a string or integer"
  end
end

#current_mode ⇒ Object



# File 'lib/chef/scan_access_control.rb', line 119

def current_mode
  case new_resource.mode
  when String, Integer, nil
    # Keep the permission bits plus setuid/setgid/sticky; drop the file-type bits.
    "0#{(stat.mode & 07777).to_s(8)}"
  else
    Chef::Log.error("The `mode` parameter of the #{@new_resource} resource is set to an invalid value (#{new_resource.mode.inspect})")
    raise ArgumentError, "Invalid value #{new_resource.mode.inspect} for `mode` on resource #{@new_resource}"
  end
end

#current_owner ⇒ Object



# File 'lib/chef/scan_access_control.rb', line 66

def current_owner
  case new_resource.owner
  when String, nil
    lookup_uid
  when Integer
    stat.uid
  else
    Chef::Log.error("The `owner` parameter of the #{@new_resource} resource is set to an invalid value (#{new_resource.owner.inspect})")
    raise ArgumentError, "cannot resolve #{new_resource.owner.inspect} to uid, owner must be a string or integer"
  end
end

#lookup_gid ⇒ Object



# File 'lib/chef/scan_access_control.rb', line 105

def lookup_gid
  unless (pwent = TargetIO::Etc.getgrgid(stat.gid)).nil?
    pwent.name
  else
    stat.gid
  end
rescue ArgumentError
  stat.gid
end

#lookup_uid ⇒ Object



# File 'lib/chef/scan_access_control.rb', line 78

def lookup_uid
  unless (pwent = TargetIO::Etc.getpwuid(stat.uid)).nil?
    pwent.name
  else
    stat.uid
  end
rescue ArgumentError
  stat.uid
end

#set_all! ⇒ Object

Modifies @current_resource, setting the current access control state.



# File 'lib/chef/scan_access_control.rb', line 48

def set_all!
  if ::TargetIO::File.exist?(new_resource.path)
    set_owner
    set_group
    set_mode
  else
    # leave the values as nil.
  end
end

#set_group ⇒ Object

Set the group attribute of current_resource to whatever the current state is.



# File 'lib/chef/scan_access_control.rb', line 89

def set_group
  @current_resource.group(current_group)
end

#set_mode ⇒ Object



# File 'lib/chef/scan_access_control.rb', line 115

def set_mode
  @current_resource.mode(current_mode)
end

#set_owner ⇒ Object

Set the owner attribute of current_resource to whatever the current state is. Attempts to match the format given in new_resource: if the new_resource specifies the owner as a string, the username for the uid will be looked up and owner will be set to the username, and vice versa.



# File 'lib/chef/scan_access_control.rb', line 62

def set_owner
  @current_resource.owner(current_owner)
end

#stat ⇒ Object



# File 'lib/chef/scan_access_control.rb', line 129

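def stat
  # Link resources are inspected themselves (lstat); for any other resource the
  # path is resolved with realpath first, so the stat describes the final target.
  @stat ||= if @new_resource.instance_of?(Chef::Resource::Link)
              ::TargetIO::File.lstat(@new_resource.path)
            else
              realpath = ::TargetIO::File.realpath(@new_resource.path)
              ::TargetIO::File.stat(realpath)
            end
end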
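
The scan behaviour documented above (style matching for owner and group, the `07777` mode mask, and `lstat` versus `realpath` + `stat`), as an added stand-alone example that is not Chef's own code. It uses plain `File` and `Etc` instead of `TargetIO`; `scan_access`, `id_or_name`, `demo` and their arguments are hypothetical names, and the files are constructed samples.

```ruby
require "etc"
require "tmpdir"

# Stand-alone sketch of the scan logic with plain File/Etc in place of
# Chef's TargetIO wrappers. All method and argument names are hypothetical.
def scan_access(path, owner_style: nil, group_style: nil, link: false)
  # Links are inspected themselves (lstat); anything else is resolved first.
  st = link ? File.lstat(path) : File.stat(File.realpath(path))
  {
    owner: id_or_name(owner_style, st.uid) { |id| Etc.getpwuid(id) },
    group: id_or_name(group_style, st.gid) { |id| Etc.getgrgid(id) },
    # Keep permission bits plus setuid/setgid/sticky, drop file-type bits.
    mode: "0#{(st.mode & 07777).to_s(8)}",
  }
end

# String or nil style: try a name lookup and fall back to the numeric id when
# the id has no passwd/group entry. Integer style: report the raw id.
def id_or_name(style, id)
  case style
  when String, nil
    begin
      entry = yield(id)
      entry ? entry.name : id
    rescue ArgumentError
      id
    end
  when Integer
    id
  else
    raise ArgumentError, "cannot resolve #{style.inspect}, must be a string or integer"
  end
end

# Constructed sample: a setuid file and a symlink pointing at it.
def demo
  Dir.mktmpdir do |dir|
    target = File.join(dir, "report.txt")
    File.write(target, "data")
    File.chmod(04750, target)
    link = File.join(dir, "report.lnk")
    File.symlink(target, link)
    { followed: scan_access(link, owner_style: 0),
      as_link: scan_access(link, owner_style: 0, link: true),
      named: scan_access(target, owner_style: "root") }
  end
end
```

The `followed` result reports the target's `04750`, setuid bit included, while `as_link` reports the symlink's own mode, which is why an audit record has to say which of the two was scanned.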