Get enterprise chef-zero passing oc-chef-pedant #84

Merged
merged 65 commits into from
Aug 22, 2014
65 commits
f72e479  Make oc-chef-pedant run  (Jul 24, 2014)
dd2f819  User key is "username" (not "name") on EC  (Jul 24, 2014)
914c827  Make the requestor the one who "created" the object.  (Jul 24, 2014)
902d113  Fix defaults for clients group  (Jul 24, 2014)
c267b63  ORG/organization/_acl -> ORG/organizations/_acl  (Jul 24, 2014)
3f401a6  Automatically associate creator with org  (Jul 24, 2014)
4aa1fcc  Support alternate syntax for groups.actors  (Jul 24, 2014)
183ce17  Skip USAG tests, we're seriously not gonna make them  (Jul 24, 2014)
81f8848  Make org creator automatically an admin  (Jul 24, 2014)
dbb7dbd  Fix default acls to match oc-chef-pedant  (Jul 24, 2014)
9a44398  Both organization/_acl and organizations/_acl exist  (Jul 24, 2014)
f14e184  Make _acl wrong method raise 404 instead of 405  (Jul 24, 2014)
c5d4054  /organizations/ORG/organization/_acl/create should 404  (Jul 24, 2014)
5c6c2a6  Include both org owner and superuser in org acls  (Jul 25, 2014)
317d723  Clients have access to themselves  (Jul 25, 2014)
8261c7a  Fix data acl defaults (was not taking container into account)  (Jul 25, 2014)
e350287  Allow groups and containers to be indexed by either of 2 keys  (Jul 25, 2014)
c5a81a1  clients created w/org do not own themselves;  (Jul 25, 2014)
512267c  Move owners_of to AclBase  (Jul 25, 2014)
2215d4c  Build full acls for groups; don't give new container objects  (Jul 25, 2014)
d77274c  Get rid of owner storage, move to explicit container acl model  (Jul 25, 2014)
ed21f72  Delete acls when object is deleted  (Jul 25, 2014)
cb18806  Don't merge acls if the user has set acls  (Jul 25, 2014)
d03a792  Don't merge container/container ACLs for new containers  (Jul 25, 2014)
050901c  Fix data bags for multi-identity-key change  (Jul 25, 2014)
d55406b  Fix pedant_users to contain all oc-chef-pedant users  (Jul 25, 2014)
91768b0  Get association requests passing oc-chef-pedant  (Jul 25, 2014)
0bccfd7  Move all defaults to DefaultCreator, calculate on fly,  (Aug 20, 2014)
cdf5a01  Get container endpoints passing oc pedant  (Aug 20, 2014)
d3c5d4a  Get groups endpoint passing oc chef pedant  (Aug 20, 2014)
b0556a3  Fix list of /organizations/ORG/acls/containers  (Aug 20, 2014)
e7f99fb  Let non-validator clients own themselves  (Aug 20, 2014)
21d8787  Get authenticate_user working  (Aug 20, 2014)
1d24016  Get organization endpoint passing oc-chef-pedant  (Aug 20, 2014)
fb4f17f  Report authz id and whether principal is a member of the org  (Aug 20, 2014)
f16071f  Get principals endpoint passing oc_chef_pedant  (Aug 20, 2014)
9da161d  Get users endpoint (mostly) up to oc-chef-pedant standards  (Aug 20, 2014)
3372e86  Get users endpoint passing oc-chef-pedant  (Aug 21, 2014)
c29e097  Validator clients don't own clients  (Aug 21, 2014)
bed28bb  Get adapters working with default facade for ChefFS  (Aug 21, 2014)
57203ee  Give V1ToV2Adapter the ability to deal with / and /orgs  (Aug 21, 2014)
a4efe10  Make acls endpoints return 405 for disallowed methods  (Aug 21, 2014)
c02c905  Make /containers/organizations real  (Aug 21, 2014)
c5db8bb  Fix cookbook ACLs (set can create directories)  (Aug 21, 2014)
965edb4  Don't set type / membership unless json retrieved  (Aug 21, 2014)
ebba48b  Verify that the user exists before getting association requests  (Aug 21, 2014)
f903287  Make association request endpoint match oc-chef-pedant  (Aug 22, 2014)
25c8afd  Add users to the users group in an org if not already there  (Aug 22, 2014)
ca68846  Remove /verify_password  (Aug 22, 2014)
862a5b9  Fix 404 in assoc. request count to be correct  (Aug 22, 2014)
558451e  Make "already in org" do 409, not 403  (Aug 22, 2014)
4e1774e  Register created owners even on deleted defaults  (Aug 22, 2014)
0be3f9a  Update pedant refs to latest  (Aug 22, 2014)
12e86dc  Move CookbookData and DataNormalizer under ChefData  (Aug 22, 2014)
43c0e44  Update to latest chef  (Aug 22, 2014)
4c355c7  Simplify  (Aug 22, 2014)
e21113a  Add POST /organizations/ORG/users/NAME to add user direct  (Aug 22, 2014)
e26df58  Add license endpoint  (Aug 22, 2014)
5a6c93b  Update to latest pedant  (Aug 22, 2014)
1d31835  Alias ChefData::CookbookData to CookbookData for backcompat  (Aug 22, 2014)
8e71318  Get rspec data working again for creatorless data  (Aug 22, 2014)
82e0cca  Fix issue where default objects didn't report their deletion  (Aug 22, 2014)
cf36294  Update to chef that points at chef-zero 3.0  (Aug 22, 2014)
a334d4b  Add APIs for enterprisey things  (Aug 22, 2014)
8df5413  Bump revision to 3.0.0.rc.1  (Aug 22, 2014)
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,11 @@
Chef Zero CHANGELOG
===================

# 3.0.0.rc.1 (7/22/2014)

- Enterprise Chef support (organizations, ACLs, groups, much more)
- SSL support (@sawanoboly)

# 2.2 (6/18/2014)

- allow port ranges to be passed in as enumerables, which will be tried in sequence until one works: `ChefZero::Server.new(:port => 80.upto(100))`
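Review bot: the new `# 3.0.0.rc.1 (7/22/2014)` heading carries a date two days before the earliest commit in this PR (Jul 24, 2014) and a month before the `Bump revision to 3.0.0.rc.1` commit (Aug 22, 2014), so it looks stale; set it to the actual release date. The entry also understates what changed for API consumers: this PR removes `/verify_password`, adds `POST /organizations/ORG/users/NAME` and a license endpoint, and changes the status codes returned by the `_acl` and association endpoints (404 vs 405, 409 vs 403), all of which someone upgrading from 2.2 would want listed under the rc.1 heading rather than folded into "much more".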
4 changes: 2 additions & 2 deletions Gemfile
@@ -2,5 +2,5 @@ source 'https://rubygems.org'
gemspec

gem 'rest-client', :github => 'opscode/rest-client'
gem 'chef-pedant', :github => 'opscode/chef-pedant', :ref => '989dc539e6518381043039a9e61b759b30d5ae92'
gem 'chef', :github => 'opscode/chef', :ref => '678b568eb29d8eae51a942e60a7b5e6786d69bdc'
gem 'chef-pedant', :github => 'opscode/chef-pedant', :ref => '3975eaa64b6dfd5eb7f2dcaaf886cda3646a0f8e'
gem 'chef', :github => 'opscode/chef', :ref => 'b2c987e51f96236a5fba188072da5b98c78812f9'
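Review bot: the bumped `:ref` pins for chef-pedant and chef are full 40-character commit SHAs, which is the right choice: git checks that the fetched objects hash to the requested commit, so a SHA pin cannot be silently replaced upstream the way a branch or tag can. Two things would help the next maintainer: a short comment stating why these particular commits are required (otherwise the next `Update pedant refs to latest` has nothing to check against), and deduplicating the pins with `gemfiles/oc-chef-pedant.gemfile`, which repeats the same refs and will drift from this file. Note also that Bundler's `:github =>` shorthand of this era expands to a `git://` URL, which is unencrypted and unauthenticated; the SHA pin is what makes that acceptable here, so keep the pins at full SHAs rather than branch names.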
6 changes: 5 additions & 1 deletion Rakefile
@@ -10,7 +10,11 @@ task :spec do
end

task :pedant do
require File.expand_path('spec/run')
require File.expand_path('spec/run_pedant')
end

task :oc_pedant do
require File.expand_path('spec/run_oc_pedant')
end

task :chef_spec do
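Review bot: both `require File.expand_path('spec/run_pedant')` and the new `require File.expand_path('spec/run_oc_pedant')` resolve the relative path against the process's current working directory rather than the Rakefile's location, so they break when rake is invoked with `-f` from another directory; anchor them with `File.expand_path('spec/run_oc_pedant', File.dirname(__FILE__))`. Loading a runner via `require` also means it can only be loaded once per process (a second `require` of the same file is a no-op), which is worth a comment if `rake pedant oc_pedant` in a single invocation is expected to work.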
2 changes: 1 addition & 1 deletion bin/chef-zero
@@ -74,7 +74,7 @@ OptionParser.new do |opts|
end.parse!

if options[:data_store]
options[:data_store] = ChefZero::DataStore::DefaultFacade.new(options[:data_store], options[:single_org])
options[:data_store] = ChefZero::DataStore::DefaultFacade.new(options[:data_store], options[:single_org], false)
end

server = ChefZero::Server.new(options)
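Review bot: the new third argument to `ChefZero::DataStore::DefaultFacade.new` is a bare positional `false`, and nothing in this hunk says what it controls; a reader of the CLI cannot tell whether it disables default-object creation, selects a compatibility mode or something else. Either name it (a keyword argument, or a local variable named after the option it corresponds to) or add a one-line comment, and consider whether it should be driven by a command-line flag alongside `single_org` rather than hard-coded in the launcher.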
7 changes: 7 additions & 0 deletions gemfiles/oc-chef-pedant.gemfile
@@ -0,0 +1,7 @@
source 'https://rubygems.org'
gemspec :path => '../'

gem 'rest-client', :github => 'opscode/rest-client', :branch => 'lcg/1.6.7-version-lying'
gem 'chef-pedant', :github => 'opscode/chef-pedant', :ref => '3975eaa64b6dfd5eb7f2dcaaf886cda3646a0f8e'
gem 'oc-chef-pedant', :git => 'git@github.com:opscode/oc-chef-pedant', :ref => '3e4f1c14840cd786d67ccf14b56e353fa8fc58ec'
gem 'chef', :github => 'opscode/chef', :ref => 'b2c987e51f96236a5fba188072da5b98c78812f9'
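Review bot: the `oc-chef-pedant` source is `git@github.com:opscode/oc-chef-pedant`, an SSH URL, so `bundle install` against this Gemfile only works for someone holding an SSH key with access to that repository, and CI that runs without one fails at dependency resolution rather than in the tests; if the repository is private that constraint should be documented next to the line, otherwise use an https URL like the other entries. The `rest-client` line pins `:branch => 'lcg/1.6.7-version-lying'`, which is mutable: unlike the SHA-pinned chef-pedant and chef entries, a branch can be force-pushed or deleted upstream and Bundler will silently resolve to whatever it currently points at, so pin it to a commit as well.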
139 changes: 139 additions & 0 deletions lib/chef_zero/chef_data/acl_path.rb
@@ -0,0 +1,139 @@
module ChefZero
module ChefData
# Manages translations between REST and ACL data paths
# and parent paths.
#
# Suggestions
# - make /organizations/ORG/_acl and deprecate organization/_acl and organizations/_acl
# - add endpoints for /containers/(users|organizations|containers)(/_acl)
# - add PUT for */_acl
# - add endpoints for /organizations/ORG/data/containers and /organizations/ORG/cookbooks/containers
# - sane, fully documented ACL model
# - sane inheritance / override model: if actors or groups are explicitly
# specified on X, they are not inherited from X's parent
# - stop adding pivotal to acls (he already has access to what he needs)
module AclPath
ORG_DATA_TYPES = %w(clients cookbooks containers data environments groups nodes roles sandboxes)
TOP_DATA_TYPES = %w(containers organizations users)

# ACL data paths for a partition are:
# / -> /acls/root
# /TYPE -> /acls/containers/TYPE
# /TYPE/NAME -> /acls/TYPE/NAME
#
# The root partition "/" has its own acls, so it looks like this:
#
# / -> /acls/root
# /users -> /acls/containers/users
# /organizations -> /acls/containers/organizations
# /users/schlansky -> /acls/users/schlansky
#
# Each organization is its own partition, so it looks like this:
#
# /organizations/blah -> /organizations/blah/acls/root
# /organizations/blah/roles -> /organizations/blah/acls/containers/roles
# /organizations/blah/roles/web -> /organizations/blah/acls/roles/web
# /organizations/ORG is its own partition. ACLs for anything under it follow

# This method takes a Chef REST path and returns the chef-zero path
# used to look up the ACL. If an object does not have an ACL directly,
# it will return nil. Paths like /organizations/ORG/data/bag/item will
# return nil, because it is the parent path (data/bag) that has an ACL.
def self.get_acl_data_path(path)
# Things under organizations have their own acls hierarchy
if path[0] == 'organizations' && path.size >= 2
under_org = partition_acl_data_path(path[2..-1], ORG_DATA_TYPES)
if under_org
path[0..1] + under_org
end
else
partition_acl_data_path(path, TOP_DATA_TYPES)
end
end

#
# Reverse transform from acl_data_path to path.
# /acls/root -> /
# /acls/** -> /**
# /organizations/ORG/acls/root -> /organizations/ORG
# /organizations/ORG/acls/** -> /organizations/ORG/**
#
# This means that /acls/containers/nodes maps to
# /containers/nodes, not /nodes.
#
def self.get_object_path(acl_data_path)
if acl_data_path[0] == 'acls'
if acl_data_path[1] == 'root'
[]
else
acl_data_path[1..-1]
end
elsif acl_data_path[0] == 'organizations' && acl_data_path[2] == 'acls'
if acl_data_path[3] == 'root'
acl_data_path[0..1]
else
acl_data_path[0..1] + acl_data_path[3..-1]
end
end
end

# Method *assumes* acl_data_path is valid.
# /organizations/BLAH's parent is /organizations
#
# An example traversal up the whole tree:
# /organizations/foo/acls/nodes/mario ->
# /organizations/foo/acls/containers/nodes ->
# /organizations/foo/acls/containers/containers ->
# /organizations/foo/acls/root ->
# /acls/containers/organizations ->
# /acls/containers/containers ->
# /acls/root ->
# nil
def self.parent_acl_data_path(acl_data_path)
if acl_data_path[0] == 'organizations'
under_org = partition_parent_acl_data_path(acl_data_path[2..-1])
if under_org
acl_data_path[0..1] + under_org
else
# ACL data path is /organizations/X/acls/root; therefore parent is "/organizations"
[ 'acls', 'containers', 'organizations' ]
end
else
partition_parent_acl_data_path(acl_data_path)
end
end

private

# /acls/root -> nil
# /acls/containers/containers -> /acls/root
# /acls/TYPE/X -> /acls/containers/TYPE
#
# Method *assumes* acl_data_path is valid.
# Returns nil if the path is /acls/root
def self.partition_parent_acl_data_path(acl_data_path)
if acl_data_path.size == 3
if acl_data_path == %w(acls containers containers)
[ 'acls', 'root' ]
else
[ 'acls', 'containers', acl_data_path[1]]
end
else
nil
end
end

def self.partition_acl_data_path(path, data_types)
if path.size == 0
[ 'acls', 'root']
elsif data_types.include?(path[0])
if path.size == 0
[ 'acls', 'containers', path[0] ]
elsif path.size == 2
[ 'acls', path[0], path[1] ]
end
end
end
end
end
end
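Review bot: `partition_acl_data_path` never produces the `/TYPE -> /acls/containers/TYPE` mapping the module comment promises, because the inner `if path.size == 0` is unreachable (a zero-length path already returned `['acls', 'root']` in the first branch); it should read `path.size == 1`. As written, `get_acl_data_path(%w(organizations foo nodes))` and `get_acl_data_path(%w(organizations))` both return nil instead of the container ACL path, and since container ACLs are what govern create and list on a type, callers relying on the documented mapping will get nil where they expect the container's ACL. Two smaller points: `private` has no effect on `def self.` methods, so `partition_parent_acl_data_path` and `partition_acl_data_path` remain public (use `private_class_method :partition_parent_acl_data_path, :partition_acl_data_path` if they are meant to be internal); and the comment line "/organizations/ORG is its own partition. ACLs for anything under it follow" trails off and is separated from the block it belongs to. The traversal example above `parent_acl_data_path` does match the code; a spec that walks `%w(organizations foo acls nodes mario)` up to nil, plus one for the `/TYPE` case above, would lock both behaviours in.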