class Chef::TidyOrgAcls
Attributes
clients[RW]
groups[RW]
members[RW]
users[RW]
Public Class Methods
new(tidy, org)
click to toggle source
# File lib/chef/tidy_acls.rb, line 9 def initialize(tidy, org) @tidy = tidy @backup_path = @tidy.backup_path @org = org @clients = [] @members = [] @groups = [] @users = [] load_actors end
Public Instance Methods
acl_actors_groups(acl)
click to toggle source
# File lib/chef/tidy_acls.rb, line 58 def acl_actors_groups(acl) actors_seen = [] groups_seen = [] acl_ops.each do |op| acl[op]["actors"].each do |actor| actors_seen.push(actor) unless actors_seen.include?(actor) end acl[op]["groups"].each do |group| groups_seen.push(group) unless groups_seen.include?(group) end end { actors: actors_seen, groups: groups_seen } end
acl_ops()
click to toggle source
# File lib/chef/tidy_acls.rb, line 54 def acl_ops %w{ create read update delete grant } end
add_actor_to_members(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 117 def add_actor_to_members(actor) @tidy.ui.stdout.puts "REPAIRING: Invalid actor: #{actor} adding to #{@tidy.members_path(@org)}" user = { user: { username: actor } } @members.push(user) @tidy.write_new_file(@members, @tidy.members_path(@org)) end
add_client_to_org(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 112 def add_client_to_org(actor) # TODO @tidy.ui.stdout.puts "ACTION NEEDED: Client referenced in acl non-existent: #{actor}" end
ambiguous_actor?(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 90 def ambiguous_actor?(actor) valid_org_member?(actor) && valid_org_client?(actor) end
default_client_acl(client_name)
click to toggle source
# File lib/chef/tidy_acls.rb, line 194 def default_client_acl(client_name) { create: { actors: ["pivotal", "#{@org}-validator", client_name], groups: ["admins"] }, read: { actors: ["pivotal", "#{@org}-validator", client_name], groups: %w{admins users} }, update: { actors: ["pivotal", client_name], groups: ["admins"] }, delete: { actors: ["pivotal", client_name], groups: %w{admins users} }, grant: { actors: ["pivotal", client_name], groups: ["admins"] } } end
default_user_acl(client)
click to toggle source
# File lib/chef/tidy_acls.rb, line 186 def default_user_acl(client) { create: { actors: ["pivotal", client], groups: ["::server-admins"] }, read: { actors: ["pivotal", client], groups: ["::server-admins", "::#{@org}_read_access_group"] }, update: { actors: ["pivotal", client], groups: ["::server-admins"] }, delete: { actors: ["pivotal", client], groups: ["::server-admins"] }, grant: { actors: ["pivotal", client], groups: ["::server-admins"] } } end
ensure_client_read_acls(acl_file)
click to toggle source
# File lib/chef/tidy_acls.rb, line 154 def ensure_client_read_acls(acl_file) acl = @tidy.json_file_to_hash(acl_file, symbolize_names: false) %w{users admins}.each do |group| unless acl["read"]["groups"].include? group @tidy.ui.stdout.puts "REPAIRING: Adding read acl for #{group} in #{acl_file}" acl["read"]["groups"].push(group) end end @tidy.write_new_file(acl, acl_file) end
ensure_global_group_acls(acl_file)
click to toggle source
Appends the proper acls for ::server-admins and the org's read access group if they are missing.
# File lib/chef/tidy_acls.rb, line 139 def ensure_global_group_acls(acl_file) acl = @tidy.json_file_to_hash(acl_file, symbolize_names: false) acl_ops.each do |op| unless acl[op]["groups"].include? "::server-admins" @tidy.ui.stdout.puts "REPAIRING: Adding #{op} acl for ::server-admins in #{acl_file}" acl[op]["groups"].push("::server-admins") end if op == "read" && !acl[op]["groups"].include?("::#{@org}_read_access_group") @tidy.ui.stdout.puts "REPAIRING: Adding #{op} acl for ::#{@org}_read_access_group in #{acl_file}" acl[op]["groups"].push("::#{@org}_read_access_group") end end @tidy.write_new_file(acl, acl_file) end
fix_ambiguous_actor(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 107 def fix_ambiguous_actor(actor) @tidy.ui.stdout.puts "REPAIRING: Ambiguous actor! #{actor} removing from #{@tidy.members_path(@org)}" remove_user_from_org(actor) end
invalid_group?(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 84 def invalid_group?(actor) @groups.select { |group| group[:name] == actor }.empty? && actor != "::server-admins" && actor != "::#{@org}_read_access_group" end
load_actors()
click to toggle source
# File lib/chef/tidy_acls.rb, line 46 def load_actors load_users load_members load_clients load_groups @tidy.ui.stdout.puts "INFO: #{@org} Actors loaded!" end
load_clients()
click to toggle source
# File lib/chef/tidy_acls.rb, line 32 def load_clients @tidy.ui.stdout.puts "INFO: Loading clients for #{@org}" Dir[::File.join(@tidy.clients_path(@org), "*.json")].each do |client| @clients.push(@tidy.json_file_to_hash(client, symbolize_names: true)) end end
load_groups()
click to toggle source
# File lib/chef/tidy_acls.rb, line 39 def load_groups @tidy.ui.stdout.puts "INFO: Loading groups for #{@org}" Dir[::File.join(@tidy.groups_path(@org), "*.json")].each do |group| @groups.push(@tidy.json_file_to_hash(group, symbolize_names: true)) end end
load_members()
click to toggle source
# File lib/chef/tidy_acls.rb, line 27 def load_members @tidy.ui.stdout.puts "INFO: Loading members for #{@org}" @members = @tidy.json_file_to_hash(@tidy.members_path(@org), symbolize_names: true) end
load_users()
click to toggle source
# File lib/chef/tidy_acls.rb, line 20 def load_users @tidy.ui.stdout.puts "INFO: Loading users" Dir[::File.join(@tidy.users_path, "*.json")].each do |user| @users.push(@tidy.json_file_to_hash(user, symbolize_names: true)) end end
missing_from_members?(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 94 def missing_from_members?(actor) valid_global_user?(actor) && !valid_org_member?(actor) && !valid_org_client?(actor) end
missing_org_client?(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 98 def missing_org_client?(actor) !valid_global_user?(actor) && !valid_org_member?(actor) && !valid_org_client?(actor) end
org_acls()
click to toggle source
# File lib/chef/tidy_acls.rb, line 102 def org_acls @org_acls ||= Dir[::File.join(@tidy.org_acls_path(@org), "**.json")] + Dir[::File.join(@tidy.org_acls_path(@org), "**", "*.json")] end
remove_group_from_acl(group, acl_file)
click to toggle source
# File lib/chef/tidy_acls.rb, line 129 def remove_group_from_acl(group, acl_file) @tidy.ui.stdout.puts "REPAIRING: Removing invalid group: #{group} from #{acl_file}" acl = @tidy.json_file_to_hash(acl_file, symbolize_names: false) acl_ops.each do |op| acl[op]["groups"].reject! { |the_group| the_group == group } end @tidy.write_new_file(acl, acl_file) end
remove_user_from_org(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 124 def remove_user_from_org(actor) @members.reject! { |user| user[:user][:username] == actor } @tidy.write_new_file(@members, @tidy.members_path(@org)) end
valid_global_user?(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 80 def valid_global_user?(actor) !@users.select { |user| user[:username] == actor }.empty? end
valid_org_client?(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 76 def valid_org_client?(actor) !@clients.select { |client| client[:name] == actor }.empty? end
valid_org_member?(actor)
click to toggle source
# File lib/chef/tidy_acls.rb, line 72 def valid_org_member?(actor) !@members.select { |user| user[:user][:username] == actor }.empty? end
validate_acls()
click to toggle source
# File lib/chef/tidy_acls.rb, line 165 def validate_acls org_acls.each do |acl_file| acl = @tidy.json_file_to_hash(acl_file, symbolize_names: false) actors_groups = acl_actors_groups(acl) actors_groups[:actors].each do |actor| next if actor == "pivotal" if ambiguous_actor?(actor) fix_ambiguous_actor(actor) elsif missing_from_members?(actor) add_actor_to_members(actor) elsif missing_org_client?(actor) add_client_to_org(actor) end end actors_groups[:groups].each do |group| remove_group_from_acl(group, acl_file) if invalid_group?(group) end end end
validate_client_acls()
click to toggle source
# File lib/chef/tidy_acls.rb, line 220 def validate_client_acls @clients.each do |client| client_acl_path = ::File.join(@tidy.org_acls_path(@org), "clients", "#{client[:name]}.json") begin client_acl = @tidy.json_file_to_hash(client_acl_path, symbolize_names: false) rescue Errno::ENOENT @tidy.ui.stdout.puts "REPAIRING: Replacing missing client acl for #{client[:name]} in #{client_acl_path}." @tidy.write_new_file(default_client_acl(client[:name]), client_acl_path, backup = false) client_acl = @tidy.json_file_to_hash(client_acl_path, symbolize_names: false) end ensure_client_read_acls(client_acl_path) end end
validate_user_acls()
click to toggle source
# File lib/chef/tidy_acls.rb, line 202 def validate_user_acls @members.each do |member| user_acl_path = ::File.join(@tidy.user_acls_path, "#{member[:user][:username]}.json") begin user_acl = @tidy.json_file_to_hash(user_acl_path, symbolize_names: false) rescue Errno::ENOENT @tidy.ui.stdout.puts "REPAIRING: Replacing missing user acl for #{member[:user][:username]}." @tidy.write_new_file(default_user_acl(member), user_acl_path, backup = false) user_acl = @tidy.json_file_to_hash(user_acl_path, symbolize_names: false) end ensure_global_group_acls(user_acl_path) actors_groups = acl_actors_groups(user_acl) actors_groups[:groups].each do |group| remove_group_from_acl(group, user_acl_path) if invalid_group?(group) end end end