Class: Chef::ScanAccessControl

Inherits:

Object

• Object
• Chef::ScanAccessControl

Defined in:

lib/chef/scan_access_control.rb

Overview

ScanAccessControl

Reads Access Control Settings on a file and writes them out to a resource (should be the current_resource), attempting to match the style used by the new resource, that is, if users are specified with usernames in new_resource, then the uids from stat will be looked up and usernames will be added to current_resource.

Why?

FileAccessControl objects may operate on a temporary file, in which case we won’t know if the access control settings changed (ex: rendering a template with both a change in content and ownership). For auditing purposes, we need to record the current state of a file system entity. – Not yet sure if this is the optimal way to solve the problem. But it’s progress towards the end goal.

TODO: figure out if all this works with macOS’ negative uids TODO: windows

Instance Attribute Summary

• #current_resource ⇒ Object readonly

  Returns the value of attribute current_resource.

• #new_resource ⇒ Object readonly

  Returns the value of attribute new_resource.

Instance Method Summary

• #current_group ⇒ Object
• #current_mode ⇒ Object
• #current_owner ⇒ Object
• #initialize(new_resource, current_resource) ⇒ ScanAccessControl constructor

  A new instance of ScanAccessControl.

• #lookup_gid ⇒ Object
• #lookup_uid ⇒ Object
• #set_all! ⇒ Object

  Modifies @current_resource, setting the current access control state.

• #set_group ⇒ Object

  Set the group attribute of current_resource to whatever the current state is.

• #set_mode ⇒ Object
• #set_owner ⇒ Object

  Set the owner attribute of current_resource to whatever the current state is.

• #stat ⇒ Object

Constructor Details

#initialize(new_resource, current_resource) ⇒ ScanAccessControl

Returns a new instance of ScanAccessControl.

# File 'lib/chef/scan_access_control.rb', line 43

def initialize(new_resource, current_resource)
  @new_resource, @current_resource = new_resource, current_resource
end

Instance Attribute Details

#current_resource ⇒ Object (readonly)

Returns the value of attribute current_resource.

# File 'lib/chef/scan_access_control.rb', line 41

def current_resource
  @current_resource
end

#new_resource ⇒ Object (readonly)

Returns the value of attribute new_resource.

# File 'lib/chef/scan_access_control.rb', line 40

def new_resource
  @new_resource
end

Instance Method Details

#current_group ⇒ Object

# File 'lib/chef/scan_access_control.rb', line 93

def current_group
  case new_resource.group
  when String, nil
    lookup_gid
  when Integer
    stat.gid
  else
    Chef::Log.error("The `group` parameter of the #{@new_resource} resource is set to an invalid value (#{new_resource.owner.inspect})")
    raise ArgumentError, "cannot resolve #{new_resource.group.inspect} to gid, group must be a string or integer"
  end
end

#current_mode ⇒ Object

# File 'lib/chef/scan_access_control.rb', line 119

def current_mode
  case new_resource.mode
  when String, Integer, nil
    "0#{(stat.mode & 07777).to_s(8)}"
  else
    Chef::Log.error("The `mode` parameter of the #{@new_resource} resource is set to an invalid value (#{new_resource.mode.inspect})")
    raise ArgumentError, "Invalid value #{new_resource.mode.inspect} for `mode` on resource #{@new_resource}"
  end
end

#current_owner ⇒ Object

# File 'lib/chef/scan_access_control.rb', line 66

def current_owner
  case new_resource.owner
  when String, nil
    lookup_uid
  when Integer
    stat.uid
  else
    Chef::Log.error("The `owner` parameter of the #{@new_resource} resource is set to an invalid value (#{new_resource.owner.inspect})")
    raise ArgumentError, "cannot resolve #{new_resource.owner.inspect} to uid, owner must be a string or integer"
  end
end

#lookup_gid ⇒ Object

# File 'lib/chef/scan_access_control.rb', line 105

def lookup_gid
  unless (pwent = TargetIO::Etc.getgrgid(stat.gid)).nil?
    pwent.name
  else
    stat.gid
  end
rescue ArgumentError
  stat.gid
end

#lookup_uid ⇒ Object

# File 'lib/chef/scan_access_control.rb', line 78

def lookup_uid
  unless (pwent = TargetIO::Etc.getpwuid(stat.uid)).nil?
    pwent.name
  else
    stat.uid
  end
rescue ArgumentError
  stat.uid
end

#set_all! ⇒ Object

Modifies @current_resource, setting the current access control state.

# File 'lib/chef/scan_access_control.rb', line 48

def set_all!
  if ::TargetIO::File.exist?(new_resource.path)
    set_owner
    set_group
    set_mode
  else
    # leave the values as nil.
  end
end

#set_group ⇒ Object

Set the group attribute of current_resource to whatever the current state is.

# File 'lib/chef/scan_access_control.rb', line 89

def set_group
  @current_resource.group(current_group)
end

#set_mode ⇒ Object

# File 'lib/chef/scan_access_control.rb', line 115

def set_mode
  @current_resource.mode(current_mode)
end

#set_owner ⇒ Object

Set the owner attribute of current_resource to whatever the current state is. Attempts to match the format given in new_resource: if the new_resource specifies the owner as a string, the username for the uid will be looked up and owner will be set to the username, and vice versa.

# File 'lib/chef/scan_access_control.rb', line 62

def set_owner
  @current_resource.owner(current_owner)
end

#stat ⇒ Object

# File 'lib/chef/scan_access_control.rb', line 129

def stat
  @stat ||= if @new_resource.instance_of?(Chef::Resource::Link)
              ::TargetIO::File.lstat(@new_resource.path)
            else
              realpath = ::TargetIO::File.realpath(@new_resource.path)
              ::TargetIO::File.stat(realpath)
            end
end