Module: Chef::Knife::AclBase
- Defined in:
- lib/chef/knife/acl_base.rb
Constant Summary collapse
- PERM_TYPES =
%w{create read update delete grant}.freeze
- MEMBER_TYPES =
%w{client group user}.freeze
- OBJECT_TYPES =
%w{clients containers cookbook_artifacts cookbooks data environments groups nodes roles policies policy_groups}.freeze
- OBJECT_NAME_SPEC =
/^[\-[:alnum:]_\.]+$/.freeze
Instance Method Summary collapse
- #add_to_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
- #add_to_group!(member_type, member_name, group_name) ⇒ Object
- #get_ace(object_type, object_name, perm) ⇒ Object
- #get_acl(object_type, object_name) ⇒ Object
- #is_usag?(gname) ⇒ Boolean
- #remove_from_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
- #remove_from_group!(member_type, member_name, group_name) ⇒ Object
- #update_ace!(object_type, object_name, ace_type, ace) ⇒ Object
- #validate_member_exists!(member_type, member_name) ⇒ Object
- #validate_member_name!(name) ⇒ Object
- #validate_member_type!(type) ⇒ Object
- #validate_object_name!(name) ⇒ Object
- #validate_object_type!(type) ⇒ Object
- #validate_perm_type!(perms) ⇒ Object
Instance Method Details
#add_to_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 |
# File 'lib/chef/knife/acl_base.rb', line 88 def add_to_acl!(member_type, member_name, object_type, object_name, perms) acl = get_acl(object_type, object_name) perms.split(",").each do |perm| ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'" ace = acl[perm] case member_type when "client", "user" # Our PUT body depends on the type of reply we get from _acl?detail=granular # When the server replies with json attributes 'users' and 'clients', # we'll want to modify entries under the same keys they arrived.- their presence # in the body tells us that CS will accept them in a PUT. # Older version of chef-server will continue to use 'actors' for a combined list # and expect the same in the body. key = "#{member_type}s" key = "actors" unless ace.key? key next if ace[key].include?(member_name) ace[key] << member_name when "group" next if ace["groups"].include?(member_name) ace["groups"] << member_name end update_ace!(object_type, object_name, perm, ace) end end |
#add_to_group!(member_type, member_name, group_name) ⇒ Object
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 |
# File 'lib/chef/knife/acl_base.rb', line 144 def add_to_group!(member_type, member_name, group_name) validate_member_exists!(member_type, member_name) existing_group = rest.get_rest("groups/#{group_name}") ui.msg "Adding '#{member_name}' to '#{group_name}' group" unless existing_group["#{member_type}s"].include?(member_name) existing_group["#{member_type}s"] << member_name new_group = { "groupname" => existing_group["groupname"], "orgname" => existing_group["orgname"], "actors" => { "users" => existing_group["users"], "clients" => existing_group["clients"], "groups" => existing_group["groups"], }, } rest.put_rest("groups/#{group_name}", new_group) end end |
#get_ace(object_type, object_name, perm) ⇒ Object
84 85 86 |
# File 'lib/chef/knife/acl_base.rb', line 84 def get_ace(object_type, object_name, perm) get_acl(object_type, object_name)[perm] end |
#get_acl(object_type, object_name) ⇒ Object
80 81 82 |
# File 'lib/chef/knife/acl_base.rb', line 80 def get_acl(object_type, object_name) rest.get_rest("#{object_type}/#{object_name}/_acl?detail=granular") end |
#is_usag?(gname) ⇒ Boolean
76 77 78 |
# File 'lib/chef/knife/acl_base.rb', line 76 def is_usag?(gname) gname.length == 32 && gname =~ /^[0-9a-f]+$/ end |
#remove_from_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 |
# File 'lib/chef/knife/acl_base.rb', line 117 def remove_from_acl!(member_type, member_name, object_type, object_name, perms) acl = get_acl(object_type, object_name) perms.split(",").each do |perm| ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'" ace = acl[perm] case member_type when "client", "user" key = "#{member_type}s" key = "actors" unless ace.key? key next unless ace[key].include?(member_name) ace[key].delete(member_name) when "group" next unless ace["groups"].include?(member_name) ace["groups"].delete(member_name) end update_ace!(object_type, object_name, perm, ace) end end |
#remove_from_group!(member_type, member_name, group_name) ⇒ Object
163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 |
# File 'lib/chef/knife/acl_base.rb', line 163 def remove_from_group!(member_type, member_name, group_name) validate_member_exists!(member_type, member_name) existing_group = rest.get_rest("groups/#{group_name}") ui.msg "Removing '#{member_name}' from '#{group_name}' group" if existing_group["#{member_type}s"].include?(member_name) existing_group["#{member_type}s"].delete(member_name) new_group = { "groupname" => existing_group["groupname"], "orgname" => existing_group["orgname"], "actors" => { "users" => existing_group["users"], "clients" => existing_group["clients"], "groups" => existing_group["groups"], }, } rest.put_rest("groups/#{group_name}", new_group) end end |
#update_ace!(object_type, object_name, ace_type, ace) ⇒ Object
140 141 142 |
# File 'lib/chef/knife/acl_base.rb', line 140 def update_ace!(object_type, object_name, ace_type, ace) rest.put_rest("#{object_type}/#{object_name}/_acl/#{ace_type}", ace_type => ace) end |
#validate_member_exists!(member_type, member_name) ⇒ Object
66 67 68 69 70 71 72 73 74 |
# File 'lib/chef/knife/acl_base.rb', line 66 def validate_member_exists!(member_type, member_name) true if rest.get_rest("#{member_type}s/#{member_name}") rescue NameError # ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client true rescue ui.fatal "#{member_type} '#{member_name}' does not exist" exit 1 end |
#validate_member_name!(name) ⇒ Object
52 53 54 55 |
# File 'lib/chef/knife/acl_base.rb', line 52 def validate_member_name!(name) # Same rules apply to objects and members validate_object_name!(name) end |
#validate_member_type!(type) ⇒ Object
45 46 47 48 49 50 |
# File 'lib/chef/knife/acl_base.rb', line 45 def validate_member_type!(type) unless MEMBER_TYPES.include?(type) ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(", ")}" exit 1 end end |
#validate_object_name!(name) ⇒ Object
38 39 40 41 42 43 |
# File 'lib/chef/knife/acl_base.rb', line 38 def validate_object_name!(name) unless OBJECT_NAME_SPEC.match(name) ui.fatal "Invalid name: #{name}" exit 1 end end |
#validate_object_type!(type) ⇒ Object
31 32 33 34 35 36 |
# File 'lib/chef/knife/acl_base.rb', line 31 def validate_object_type!(type) unless OBJECT_TYPES.include?(type) ui.fatal "Unknown object type \"#{type}\". The following types are permitted: #{OBJECT_TYPES.join(", ")}" exit 1 end end |
#validate_perm_type!(perms) ⇒ Object
57 58 59 60 61 62 63 64 |
# File 'lib/chef/knife/acl_base.rb', line 57 def validate_perm_type!(perms) perms.split(",").each do |perm| unless PERM_TYPES.include?(perm) ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(",")}" exit 1 end end end |