Module: OpscodeAcl::AclBase
- Defined in:
- lib/chef/knife/helpers/acl_base.rb
Constant Summary
- PERM_TYPES =
%w{create read update delete grant}.freeze
- MEMBER_TYPES =
%w{client group user}.freeze
- OBJECT_TYPES =
%w{clients containers cookbooks data environments groups nodes roles policies policy_groups}.freeze
- OBJECT_NAME_SPEC =
/^[\-[:alnum:]_\.]+$/.freeze
Instance Method Summary
- #add_to_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
- #add_to_group!(member_type, member_name, group_name) ⇒ Object
- #get_ace(object_type, object_name, perm) ⇒ Object
- #get_acl(object_type, object_name) ⇒ Object
- #is_usag?(gname) ⇒ Boolean
- #remove_from_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
- #remove_from_group!(member_type, member_name, group_name) ⇒ Object
- #update_ace!(object_type, object_name, ace_type, ace) ⇒ Object
- #validate_member_exists!(member_type, member_name) ⇒ Object
- #validate_member_name!(name) ⇒ Object
- #validate_member_type!(type) ⇒ Object
- #validate_object_name!(name) ⇒ Object
- #validate_object_type!(type) ⇒ Object
- #validate_perm_type!(perms) ⇒ Object
Instance Method Details
#add_to_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 85
# Grants each of the comma-separated +perms+ on one object to a member.
#
# The object's granular ACL is fetched once; for every listed permission the
# member is appended to that ACE and the ACE is PUT back. An ACE that already
# lists the member is skipped without a PUT.
#
# @param member_type [String] "client", "user" or "group"; any other value
#   changes nothing but the ACE is still PUT back unchanged
# @param member_name [String] name of the actor or group to add
# @param object_type [String] object type segment of the URL, e.g. "nodes"
# @param object_name [String] name of the object whose ACL is modified
# @param perms [String] comma-separated permissions, e.g. "read,update"
#
# NOTE(review): nothing in this method validates its inputs. `acl[perm]` is nil
# for a permission the server does not know, and object_type/object_name are
# interpolated into the request path verbatim, so callers are expected to run
# the validate_*! helpers first.
def add_to_acl!(member_type, member_name, object_type, object_name, perms)
  acl = get_acl(object_type, object_name)
  perms.split(",").each do |perm|
    ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'"
    ace = acl[perm]
    bucket =
      case member_type
      when "client", "user"
        # The granular _acl reply carries either per-type "users"/"clients"
        # lists or a single combined "actors" list. Whichever key arrived is
        # the one the server accepts in a PUT, so write back under that key.
        typed_key = "#{member_type}s"
        ace.key?(typed_key) ? typed_key : "actors"
      when "group"
        "groups"
      end
    # An unrecognised member_type leaves bucket nil: the ACE is not modified
    # but is still written back, as before.
    if bucket
      members = ace[bucket]
      next if members.include?(member_name)

      members << member_name
    end
    update_ace!(object_type, object_name, perm, ace)
  end
end
#add_to_group!(member_type, member_name, group_name) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 141
# Adds a member to a group and writes the updated group back to the server.
#
# The member must exist (validate_member_exists! exits the process otherwise).
# If the member is already listed under the group's "#{member_type}s" key
# nothing is written and nil is returned.
#
# @param member_type [String] "client", "user" or "group"
# @param member_name [String] name of the member to add
# @param group_name [String] group to modify; used verbatim in the request path
# @return the result of the PUT, or nil when the member was already present
def add_to_group!(member_type, member_name, group_name)
  validate_member_exists!(member_type, member_name)
  existing_group = rest.get_rest("groups/#{group_name}")
  ui.msg "Adding '#{member_name}' to '#{group_name}' group"
  members = existing_group["#{member_type}s"]
  return if members.include?(member_name)

  # The arrays below are the same objects stored in existing_group, so this
  # append is visible in the payload assembled next.
  members << member_name
  payload = {
    "groupname" => existing_group["groupname"],
    "orgname" => existing_group["orgname"],
    "actors" => {
      "users" => existing_group["users"],
      "clients" => existing_group["clients"],
      "groups" => existing_group["groups"],
    },
  }
  rest.put_rest("groups/#{group_name}", payload)
end
#get_ace(object_type, object_name, perm) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 81
# Fetches one ACE of an object's ACL.
#
# @param object_type [String] object type segment of the URL
# @param object_name [String] name of the object
# @param perm [String] ACE name, e.g. "read"; nil is returned for a key the
#   server's reply does not contain
# @return [Hash, nil] the ACE as returned by the server
def get_ace(object_type, object_name, perm)
  acl = get_acl(object_type, object_name)
  acl[perm]
end
#get_acl(object_type, object_name) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 77
# Fetches the granular ACL of an object from the server.
#
# Both arguments are interpolated straight into the request path, so they
# are expected to have passed validate_object_type!/validate_object_name!.
#
# @param object_type [String] object type segment of the URL, e.g. "nodes"
# @param object_name [String] name of the object
# @return [Hash] the parsed _acl?detail=granular reply
def get_acl(object_type, object_name)
  path = "#{object_type}/#{object_name}/_acl?detail=granular"
  rest.get_rest(path)
end
#is_usag?(gname) ⇒ Boolean
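# File 'lib/chef/knife/helpers/acl_base.rb', line 73
# Reports whether +gname+ has the shape of a USAG name: exactly 32 lowercase
# hexadecimal characters.
#
# The check is anchored with \A and \z so it covers the whole string. The
# earlier ^/$ anchors match at line boundaries in Ruby, so a 32-character
# value with an embedded newline whose first line was hex was accepted.
#
# @param gname [String] group name to test
# @return [Boolean]
def is_usag?(gname)
  gname.length == 32 && gname.match?(/\A[0-9a-f]{32}\z/)
end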
#remove_from_acl!(member_type, member_name, object_type, object_name, perms) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 114
# Revokes each of the comma-separated +perms+ on one object from a member.
#
# Mirror image of add_to_acl!: the ACL is fetched once, the member is removed
# from each listed ACE, and every ACE the member was actually in is PUT back.
# ACEs that do not list the member are skipped without a PUT.
#
# @param member_type [String] "client", "user" or "group"; any other value
#   changes nothing but the ACE is still PUT back unchanged
# @param member_name [String] name of the actor or group to remove
# @param object_type [String] object type segment of the URL, e.g. "nodes"
# @param object_name [String] name of the object whose ACL is modified
# @param perms [String] comma-separated permissions, e.g. "read,update"
#
# NOTE(review): inputs are not validated here; callers are expected to run the
# validate_*! helpers before calling this.
def remove_from_acl!(member_type, member_name, object_type, object_name, perms)
  acl = get_acl(object_type, object_name)
  perms.split(",").each do |perm|
    ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'"
    ace = acl[perm]
    bucket =
      case member_type
      when "client", "user"
        # Per-type "users"/"clients" keys when the server sent them, else the
        # combined "actors" list of older servers; the PUT uses the same key.
        typed_key = "#{member_type}s"
        ace.key?(typed_key) ? typed_key : "actors"
      when "group"
        "groups"
      end
    # An unrecognised member_type leaves bucket nil: the ACE is not modified
    # but is still written back, as before.
    if bucket
      members = ace[bucket]
      next unless members.include?(member_name)

      members.delete(member_name)
    end
    update_ace!(object_type, object_name, perm, ace)
  end
end
#remove_from_group!(member_type, member_name, group_name) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 160
# Removes a member from a group and writes the updated group back.
#
# The member must exist (validate_member_exists! exits the process otherwise).
# If the member is not listed under the group's "#{member_type}s" key nothing
# is written and nil is returned.
#
# @param member_type [String] "client", "user" or "group"
# @param member_name [String] name of the member to remove
# @param group_name [String] group to modify; used verbatim in the request path
# @return the result of the PUT, or nil when the member was not present
def remove_from_group!(member_type, member_name, group_name)
  validate_member_exists!(member_type, member_name)
  existing_group = rest.get_rest("groups/#{group_name}")
  ui.msg "Removing '#{member_name}' from '#{group_name}' group"
  members = existing_group["#{member_type}s"]
  return unless members.include?(member_name)

  # The arrays below are the same objects stored in existing_group, so this
  # deletion is visible in the payload assembled next.
  members.delete(member_name)
  payload = {
    "groupname" => existing_group["groupname"],
    "orgname" => existing_group["orgname"],
    "actors" => {
      "users" => existing_group["users"],
      "clients" => existing_group["clients"],
      "groups" => existing_group["groups"],
    },
  }
  rest.put_rest("groups/#{group_name}", payload)
end
#update_ace!(object_type, object_name, ace_type, ace) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 137
# Writes one ACE of an object's ACL back to the server.
#
# The body is keyed by the ACE name, e.g. { "read" => {...} }. All three path
# arguments are interpolated verbatim and are expected to be pre-validated.
#
# @param object_type [String] object type segment of the URL
# @param object_name [String] name of the object
# @param ace_type [String] ACE name ("create", "read", ...)
# @param ace [Hash] the ACE contents to store
# @return the result of the PUT
def update_ace!(object_type, object_name, ace_type, ace)
  path = "#{object_type}/#{object_name}/_acl/#{ace_type}"
  body = { ace_type => ace }
  rest.put_rest(path, body)
end
#validate_member_exists!(member_type, member_name) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 63
# Checks that a member exists on the server, exiting the process if not.
#
# A GET against "#{member_type}s/#{member_name}" is used as the probe. Any
# StandardError from that call is reported as "does not exist" — this includes
# failures that are not 404s (connection, auth), which are therefore
# misreported; only the exception class is inspected, not the HTTP status.
#
# @param member_type [String] "client", "user" or "group"
# @param member_name [String] name of the member
# @return [true, nil] true when the GET returned a truthy body (or raised
#   NameError), nil for a falsy body; exits with status 1 otherwise
def validate_member_exists!(member_type, member_name)
  found = rest.get_rest("#{member_type}s/#{member_name}")
  true if found
rescue NameError
  # "NameError: uninitialized constant Chef::ApiClient" can be raised while
  # looking up a client; treat that as "exists" rather than a failure.
  true
rescue StandardError
  ui.fatal "#{member_type} '#{member_name}' does not exist"
  exit 1
end
#validate_member_name!(name) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 49
# Validates a member name; member and object names share the same rules,
# so this simply delegates to validate_object_name!.
#
# @param name [String] member name to check; the process exits on failure
def validate_member_name!(name) = validate_object_name!(name)
#validate_member_type!(type) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 42
# Ensures +type+ is one of MEMBER_TYPES, printing a fatal message and exiting
# with status 1 otherwise.
#
# @param type [String] member type supplied by the user
# @return [nil] when the type is permitted
def validate_member_type!(type)
  return if MEMBER_TYPES.include?(type)

  ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(", ")}"
  exit 1
end
#validate_object_name!(name) ⇒ Object
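# File 'lib/chef/knife/helpers/acl_base.rb', line 35
# Ensures +name+ consists only of the characters allowed by OBJECT_NAME_SPEC,
# printing a fatal message and exiting with status 1 otherwise.
#
# OBJECT_NAME_SPEC is anchored with ^/$, which in Ruby match at line
# boundaries rather than string boundaries. A name containing a newline could
# therefore pass on its first line alone and still be interpolated into a
# request path by the callers. Embedded newlines are rejected explicitly so
# the pattern effectively covers the whole string.
#
# @param name [String] object (or member) name to check
# @return [nil] when the name is valid
def validate_object_name!(name)
  valid = OBJECT_NAME_SPEC.match(name) && !name.include?("\n")
  return if valid

  ui.fatal "Invalid name: #{name}"
  exit 1
end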
#validate_object_type!(type) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 28
# Ensures +type+ is one of OBJECT_TYPES, printing a fatal message and exiting
# with status 1 otherwise. This is the only guard on the object_type segment
# of the request paths built by get_acl/update_ace!.
#
# @param type [String] object type supplied by the user
# @return [nil] when the type is permitted
def validate_object_type!(type)
  return if OBJECT_TYPES.include?(type)

  ui.fatal "Unknown object type \"#{type}\". The following types are permitted: #{OBJECT_TYPES.join(", ")}"
  exit 1
end
#validate_perm_type!(perms) ⇒ Object
# File 'lib/chef/knife/helpers/acl_base.rb', line 54
# Ensures every entry of the comma-separated +perms+ is one of PERM_TYPES,
# printing a fatal message and exiting with status 1 at the first bad entry.
#
# Entries are not stripped, so "read, update" fails on " update" — which
# matches how add_to_acl!/remove_from_acl! split the same string.
#
# @param perms [String] comma-separated permission names
# @return [Array<String>] the split permissions when all are valid
def validate_perm_type!(perms)
  perms.split(",").each do |perm|
    next if PERM_TYPES.include?(perm)

    ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(",")}"
    exit 1
  end
end