knife-acl-1.0.3/0000755000175000017500000000000013011360372013564 5ustar stefanorstefanorknife-acl-1.0.3/LICENSE0000644000175000017500000002514213011360372014575 0ustar stefanorstefanor Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. knife-acl-1.0.3/README.md0000644000175000017500000003710113011360372015045 0ustar stefanorstefanor# knife-acl ## Description This is a Chef Software, Inc.-supported knife plugin which provides some user/group ACL operations for Chef server. All commands assume a working knife configuration for an admin user of a Chef organization. Reference: 1. [Chef Server Permissions PDF](https://github.com/chef/chef-server/blob/master/doc/ChefServerPermissions_v1.3.pdf) 2. [Chef Server Permissions Docs](https://docs.chef.io/server/server_orgs.html#permissions) 3. [Chef Server Groups Docs](https://docs.chef.io/server/server_orgs.html#groups) ### Installation Install into [Chef DK](https://downloads.chef.io/chef-dk/). chef gem install knife-acl ### _Warning about Users group_ The "Users" group is a special group and should not be managed with knife-acl. As such, knife-acl will give an error if either `knife acl group add user users USER` or `knife acl group remove user users USER` are run. ### Chef Server Roles Based Access Control (RBAC) Summary In the context of the Chef Server's API a container is just the API endpoint used when creating a new object of a particular object type. For example, the container for creating client objects is called `clients` and the container for creating node objects is called `nodes`. Two containers are used when creating (uploading) cookbooks. The `cookbooks` and `sandboxes` containers. Here is a full list of the containers in a Chef Server. - clients - cookbooks - data - environments - groups - nodes - policies - policy_groups - roles - sandboxes The permissions assigned to a container are inherited by the objects that the container creates. When a permission is changed on a container that change will only affect new objects. The change does not propagate to existing objects. For reference and restoral purposes the [Default Permissions for Containers](#default-permissions-for-containers) section of this document contains `knife-acl` commands that will set the default permissions for the admins, clients and users groups on all containers. These can be helpful if you need to restore container permissions back to their default values. #### Permissions Management Best Practice The best practice for managing permissions is to only add clients and groups to an objects' permissions. Adding a user to an objects' permissions is possible by first adding the group to the permissions and then adding the user to the group. This is much easier to maintain when compared to adding individual users to each objects' permissions. To enforce this the `knife acl add` and `knife acl bulk add` commands can only add a client or a group to an objects' permissions. If a group ever needs to be removed from the permissions of all objects the group can simply be deleted. #### Setup Default Read-Only Access for Non-admin Users The "Users" group by default provides regular (non-admin) users a lot of access to modify objects in the Chef Server. Removing the "Users" group from the "create", "update", "delete" and "grant" Access Control Entries (ACEs) of all objects and containers will create a default read-only access for non-admin users. To completely prevent non-admin users from accessing all objects and containers then also remove the "Users" group from the "read" ACE. Admin users will still have default admin access to all objects and containers. **NOTE:** Please note that currently the Chef Manage web UI will appear to allow read-only users to edit some objects. However, the changes are not actually saved and they disappear when the read-only user refreshes the page. ``` knife acl remove group users containers clients create,update,delete,grant knife acl bulk remove group users clients '.*' create,update,delete,grant knife acl remove group users containers sandboxes create,update,delete,grant knife acl remove group users containers cookbooks create,update,delete,grant knife acl bulk remove group users cookbooks '.*' create,update,delete,grant knife acl remove group users containers data create,update,delete,grant knife acl bulk remove group users data '.*' create,update,delete,grant knife acl remove group users containers environments create,update,delete,grant knife acl bulk remove group users environments '.*' create,update,delete,grant knife acl remove group users containers nodes create,update,delete,grant knife acl bulk remove group users nodes '.*' create,update,delete,grant knife acl remove group users containers policies create,update,delete,grant knife acl bulk remove group users policies '.*' create,update,delete,grant knife acl remove group users containers policy_groups create,update,delete,grant knife acl bulk remove group users policy_groups '.*' create,update,delete,grant knife acl remove group users containers roles create,update,delete,grant knife acl bulk remove group users roles '.*' create,update,delete,grant ``` #### Selectively Allow Access You can also create a new group and manage its members with knife-acl or the Manage web interface. Then add this group to the ACEs of all appropriate containers and/or objects according to your requirements. #### Create read-only group with read only access The following set of commands creates a group named `read-only` and gives it `read` access on all objects. ``` knife group create read-only knife acl add group read-only containers clients read knife acl bulk add group read-only clients '.*' read knife acl add group read-only containers sandboxes read knife acl add group read-only containers cookbooks read knife acl bulk add group read-only cookbooks '.*' read knife acl add group read-only containers data read knife acl bulk add group read-only data '.*' read knife acl add group read-only containers environments read knife acl bulk add group read-only environments '.*' read knife acl add group read-only containers nodes read knife acl bulk add group read-only nodes '.*' read knife acl add group read-only containers policies read knife acl bulk add group read-only policies '.*' read knife acl add group read-only containers policy_groups read knife acl bulk add group read-only policy_groups '.*' read knife acl add group read-only containers roles read knife acl bulk add group read-only roles '.*' read ``` # Subcommands ## knife user list Show a list of users associated with your organization ## knife group list List groups in the organization. ## knife group create GROUP_NAME Create a new group `GROUP_NAME` to the organization. ## knife group show GROUP_NAME Show the membership details for `GROUP_NAME`. ## knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME Add MEMBER_NAME to `GROUP_NAME`. Valid `MEMBER_TYPE` values are - client - group - user ## knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME Remove `MEMBER_NAME` from `GROUP_NAME`. See the `knife group add` documentation above for valid `MEMBER_TYPE` values. ## knife group destroy GROUP_NAME Removes group `GROUP_NAME` from the organization. All members of the group (clients, groups and users) remain in the system, only `GROUP_NAME` is removed. The `admins`, `billing-admins`, `clients` and `users` groups are special groups so knife-acl will not allow them to be destroyed. ## knife acl show OBJECT_TYPE OBJECT_NAME Shows the ACL for the specified object. Objects are identified by the combination of their type and name. Valid `OBJECT_TYPE` values are - clients - containers - cookbooks - data - environments - groups - nodes - policies - policy_groups - roles For example, use the following command to obtain the ACL for a node named "web.example.com": knife acl show nodes web.example.com ## knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS The best practice is to only add clients and groups to ACLs. To enforce this best practice the `knife acl add` command is only able to add a client or a group to ACLs. Valid `MEMBER_TYPE` values are - client - group Add `MEMBER_NAME` to the `PERMS` access control entry of `OBJECT_NAME`. Objects are specified by the combination of their type and name. Valid `OBJECT_TYPE` values are - clients - containers - cookbooks - data - environments - groups - nodes - policies - policy_groups - roles Valid `PERMS` are: - create - read - update - delete - grant Multiple `PERMS` can be given in a single command by separating them with a comma with no extra spaces. For example, use the following command to give the superusers group the ability to delete and update the node called "web.example.com": knife acl add group superusers nodes web.example.com delete,update ## knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS The best practice is to only add clients and groups to ACLs. To enforce this best practice the `knife acl bulk add` command is only able to add a client or a group to ACLs. Valid `MEMBER_TYPE` values are - client - group Add `MEMBER_NAME` to the `PERMS` access control entry for each object in a set of objects of `OBJECT_TYPE`. The set of objects are specified by matching the objects' names with the given REGEX regular expression surrounded by quotes. See the `knife acl add` documentation above for valid `OBJECT_TYPE` and `PERMS` values. Appending `-y` or `--yes` to the `knife acl bulk add` command will run the command without any prompts for confirmation. For example, use the following command to give the superusers group the ability to delete and update all nodes matching the regular expression 'WIN-.*': knife acl bulk add group superusers nodes 'WIN-.*' delete,update --yes ## knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS Remove `MEMBER_NAME` from the `PERMS` access control entry of `OBJECT_NAME`. Objects are specified by the combination of their type and name. Valid `MEMBER_TYPE` values are - client - group - user Valid `OBJECT_TYPE` values are - clients - containers - cookbooks - data - environments - groups - nodes - policies - policy_groups - roles Valid `PERMS` are: - create - read - update - delete - grant Multiple `PERMS` can be given in a single command by separating them with a comma with no extra spaces. For example, use the following command to remove the superusers group from the delete and update access control entries for the node called "web.example.com": knife acl remove group superusers nodes web.example.com delete,update ## knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS Remove `MEMBER_NAME` from the `PERMS` access control entry for each object in a set of objects of `OBJECT_TYPE`. The set of objects are specified by matching the objects' names with the given REGEX regular expression surrounded by quotes. See the `knife acl remove` documentation above for valid `MEMBER_TYPE`, `OBJECT_TYPE` and `PERMS` values. Appending `-y` or `--yes` to the `knife acl bulk add` command will run the command without any prompts for confirmation. For example, use the following command to remove the superusers group from the delete and update access control entries for all nodes matching the regular expression 'WIN-.*': knife acl bulk remove group superusers nodes 'WIN-.*' delete,update --yes ## Default Permissions for Containers The following commands will set the default permissions for the admins, clients and users groups on all containers. These can be helpful if you need to restore container permissions back to their default values. ``` knife acl add group admins containers clients create,read,update,delete,grant knife acl remove group clients containers clients create,read,update,delete,grant knife acl add group users containers clients read,delete knife acl remove group users containers clients create,update,grant knife acl add group admins containers cookbook_artifacts create,read,update,delete,grant knife acl add group clients containers cookbook_artifacts read knife acl remove group clients containers cookbook_artifacts create,update,delete,grant knife acl add group users containers cookbook_artifacts create,read,update,delete knife acl remove group users containers cookbook_artifacts grant knife acl add group admins containers cookbooks create,read,update,delete,grant knife acl add group clients containers cookbooks read knife acl remove group clients containers cookbooks create,update,delete,grant knife acl add group users containers cookbooks create,read,update,delete knife acl remove group users containers cookbooks grant knife acl add group admins containers data create,read,update,delete,grant knife acl add group clients containers data read knife acl remove group clients containers data create,update,delete,grant knife acl add group users containers data create,read,update,delete knife acl remove group users containers data grant knife acl add group admins containers environments create,read,update,delete,grant knife acl add group clients containers environments read knife acl remove group clients containers environments create,update,delete,grant knife acl add group users containers environments create,read,update,delete knife acl remove group users containers environments grant knife acl add group admins containers groups create,read,update,delete,grant knife acl remove group clients containers groups create,read,update,delete,grant knife acl add group users containers groups read knife acl remove group users containers groups create,update,delete,grant knife acl add group admins containers nodes create,read,update,delete,grant knife acl add group clients containers nodes create,read knife acl remove group clients containers nodes update,delete,grant knife acl add group users containers nodes create,read,update,delete knife acl remove group users containers nodes grant knife acl add group admins containers policies create,read,update,delete,grant knife acl add group clients containers policies read knife acl remove group clients containers policies create,update,delete,grant knife acl add group users containers policies create,read,update,delete knife acl remove group users containers policies grant knife acl add group admins containers policy_groups create,read,update,delete,grant knife acl add group clients containers policy_groups read knife acl remove group clients containers policy_groups create,update,delete,grant knife acl add group users containers policy_groups create,read,update,delete knife acl remove group users containers policy_groups grant knife acl add group admins containers roles create,read,update,delete,grant knife acl add group clients containers roles read knife acl remove group clients containers roles create,update,delete,grant knife acl add group users containers roles create,read,update,delete knife acl remove group users containers roles grant knife acl add group admins containers sandboxes create,read,update,delete,grant knife acl remove group clients containers sandboxes create,read,update,delete,grant knife acl add group users containers sandboxes create knife acl remove group users containers sandboxes read,update,delete,grant ``` ## LICENSE Unless otherwise specified all works in this repository are Copyright 2013-2016 Chef Software, Inc. ||| | ------------- |-------------:| | Author |Seth Falcon (seth@chef.io)| | Author |Jeremiah Snapp (jeremiah@chef.io)| | Copyright |Copyright (c) 2013-2015 Chef Software, Inc.| | License |Apache License, Version 2.0| Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at [Apache 2.0](http://www.apache.org/licenses/LICENSE-2.0) Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. knife-acl-1.0.3/lib/0000755000175000017500000000000013011360372014332 5ustar stefanorstefanorknife-acl-1.0.3/lib/chef/0000755000175000017500000000000013011360372015237 5ustar stefanorstefanorknife-acl-1.0.3/lib/chef/knife/0000755000175000017500000000000013011360372016333 5ustar stefanorstefanorknife-acl-1.0.3/lib/chef/knife/acl_add.rb0000644000175000017500000000346513011360372020237 0ustar stefanorstefanor# # Author:: Steven Danna (steve@chef.io) # Author:: Jeremiah Snapp (jeremiah@chef.io) # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class AclAdd < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife acl add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run member_type, member_name, object_type, object_name, perms = name_args if name_args.length != 5 show_usage ui.fatal "You must specify the member type [client|group], member name, object type, object name and perms" exit 1 end unless %w(client group).include?(member_type) ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL." ui.fatal " See the knife-acl README for more information." exit 1 end validate_perm_type!(perms) validate_member_name!(member_name) validate_object_name!(object_name) validate_object_type!(object_type) validate_member_exists!(member_type, member_name) add_to_acl!(member_type, member_name, object_type, object_name, perms) end end end knife-acl-1.0.3/lib/chef/knife/acl_base.rb0000644000175000017500000001437713011360372020425 0ustar stefanorstefanor# # Author:: Steven Danna (steve@chef.io) # Author:: Jeremiah Snapp () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl module AclBase PERM_TYPES = %w(create read update delete grant) unless defined? PERM_TYPES MEMBER_TYPES = %w(client group user) unless defined? MEMBER_TYPES OBJECT_TYPES = %w(clients containers cookbooks data environments groups nodes roles policies policy_groups) unless defined? OBJECT_TYPES OBJECT_NAME_SPEC = /^[\-[:alnum:]_\.]+$/ unless defined? OBJECT_NAME_SPEC def validate_object_type!(type) if ! OBJECT_TYPES.include?(type) ui.fatal "Unknown object type \"#{type}\". The following types are permitted: #{OBJECT_TYPES.join(', ')}" exit 1 end end def validate_object_name!(name) if ! OBJECT_NAME_SPEC.match(name) ui.fatal "Invalid name: #{name}" exit 1 end end def validate_member_type!(type) if ! MEMBER_TYPES.include?(type) ui.fatal "Unknown member type \"#{type}\". The following types are permitted: #{MEMBER_TYPES.join(', ')}" exit 1 end end def validate_member_name!(name) # Same rules apply to objects and members validate_object_name!(name) end def validate_perm_type!(perms) perms.split(',').each do |perm| if ! PERM_TYPES.include?(perm) ui.fatal "Invalid permission \"#{perm}\". The following permissions are permitted: #{PERM_TYPES.join(',')}" exit 1 end end end def validate_member_exists!(member_type, member_name) begin true if rest.get_rest("#{member_type}s/#{member_name}") rescue NameError # ignore "NameError: uninitialized constant Chef::ApiClient" when finding a client true rescue ui.fatal "#{member_type} '#{member_name}' does not exist" exit 1 end end def is_usag?(gname) gname.length == 32 && gname =~ /^[0-9a-f]+$/ end def get_acl(object_type, object_name) rest.get_rest("#{object_type}/#{object_name}/_acl?detail=granular") end def get_ace(object_type, object_name, perm) get_acl(object_type, object_name)[perm] end def add_to_acl!(member_type, member_name, object_type, object_name, perms) acl = get_acl(object_type, object_name) perms.split(',').each do |perm| ui.msg "Adding '#{member_name}' to '#{perm}' ACE of '#{object_name}'" ace = acl[perm] case member_type when "client", "user" # Our PUT body depends on the type of reply we get from _acl?detail=granular # When the server replies with json attributes 'users' and 'clients', # we'll want to modify entries under the same keys they arrived.- their presence # in the body tells us that CS will accept them in a PUT. # Older version of chef-server will continue to use 'actors' for a combined list # and expect the same in the body. key = "#{member_type}s" key = 'actors' unless ace.has_key? key next if ace[key].include?(member_name) ace[key] << member_name when "group" next if ace['groups'].include?(member_name) ace['groups'] << member_name end update_ace!(object_type, object_name, perm, ace) end end def remove_from_acl!(member_type, member_name, object_type, object_name, perms) acl = get_acl(object_type, object_name) perms.split(',').each do |perm| ui.msg "Removing '#{member_name}' from '#{perm}' ACE of '#{object_name}'" ace = acl[perm] case member_type when "client", "user" key = "#{member_type}s" key = 'actors' unless ace.has_key? key next unless ace[key].include?(member_name) ace[key].delete(member_name) when "group" next unless ace['groups'].include?(member_name) ace['groups'].delete(member_name) end update_ace!(object_type, object_name, perm, ace) end end def update_ace!(object_type, object_name, ace_type, ace) rest.put_rest("#{object_type}/#{object_name}/_acl/#{ace_type}", ace_type => ace) end def add_to_group!(member_type, member_name, group_name) validate_member_exists!(member_type, member_name) existing_group = rest.get_rest("groups/#{group_name}") ui.msg "Adding '#{member_name}' to '#{group_name}' group" if !existing_group["#{member_type}s"].include?(member_name) existing_group["#{member_type}s"] << member_name new_group = { "groupname" => existing_group["groupname"], "orgname" => existing_group["orgname"], "actors" => { "users" => existing_group["users"], "clients" => existing_group["clients"], "groups" => existing_group["groups"] } } rest.put_rest("groups/#{group_name}", new_group) end end def remove_from_group!(member_type, member_name, group_name) validate_member_exists!(member_type, member_name) existing_group = rest.get_rest("groups/#{group_name}") ui.msg "Removing '#{member_name}' from '#{group_name}' group" if existing_group["#{member_type}s"].include?(member_name) existing_group["#{member_type}s"].delete(member_name) new_group = { "groupname" => existing_group["groupname"], "orgname" => existing_group["orgname"], "actors" => { "users" => existing_group["users"], "clients" => existing_group["clients"], "groups" => existing_group["groups"] } } rest.put_rest("groups/#{group_name}", new_group) end end end end knife-acl-1.0.3/lib/chef/knife/acl_bulk_add.rb0000644000175000017500000000502713011360372021250 0ustar stefanorstefanor# # Author:: Jeremiah Snapp (jeremiah@chef.io) # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class AclBulkAdd < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife acl bulk add MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run member_type, member_name, object_type, regex, perms = name_args object_name_matcher = /#{regex}/ if name_args.length != 5 show_usage ui.fatal "You must specify the member type [client|group], member name, object type, object name REGEX and perms" exit 1 end unless %w(client group).include?(member_type) ui.fatal "ERROR: To enforce best practice, knife-acl can only add a client or a group to an ACL." ui.fatal " See the knife-acl README for more information." exit 1 end validate_perm_type!(perms) validate_member_name!(member_name) validate_object_type!(object_type) validate_member_exists!(member_type, member_name) if %w(containers groups).include?(object_type) ui.fatal "bulk modifying the ACL of #{object_type} is not permitted" exit 1 end objects_to_modify = [] all_objects = rest.get_rest(object_type) objects_to_modify = all_objects.keys.select { |object_name| object_name =~ object_name_matcher } if objects_to_modify.empty? ui.info "No #{object_type} match the expression /#{regex}/" exit 0 end ui.msg("The ACL of the following #{object_type} will be modified:") ui.msg("") ui.msg(ui.list(objects_to_modify.sort, :columns_down)) ui.msg("") ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?") objects_to_modify.each do |object_name| add_to_acl!(member_type, member_name, object_type, object_name, perms) end end end end knife-acl-1.0.3/lib/chef/knife/acl_bulk_remove.rb0000644000175000017500000000551113011360372022013 0ustar stefanorstefanor# # Author:: Jeremiah Snapp (jeremiah@chef.io) # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class AclBulkRemove < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife acl bulk remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE REGEX PERMS" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run member_type, member_name, object_type, regex, perms = name_args object_name_matcher = /#{regex}/ if name_args.length != 5 show_usage ui.fatal "You must specify the member type [client|group|user], member name, object type, object name REGEX and perms" exit 1 end if member_name == 'pivotal' && %w(client user).include?(member_type) ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL." exit 1 end if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant') ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE." ui.fatal " Removal could prevent future attempts to modify permissions." exit 1 end validate_perm_type!(perms) validate_member_type!(member_type) validate_member_name!(member_name) validate_object_type!(object_type) validate_member_exists!(member_type, member_name) if %w(containers groups).include?(object_type) ui.fatal "bulk modifying the ACL of #{object_type} is not permitted" exit 1 end objects_to_modify = [] all_objects = rest.get_rest(object_type) objects_to_modify = all_objects.keys.select { |object_name| object_name =~ object_name_matcher } if objects_to_modify.empty? ui.info "No #{object_type} match the expression /#{regex}/" exit 0 end ui.msg("The ACL of the following #{object_type} will be modified:") ui.msg("") ui.msg(ui.list(objects_to_modify.sort, :columns_down)) ui.msg("") ui.confirm("Are you sure you want to modify the ACL of these #{object_type}?") objects_to_modify.each do |object_name| remove_from_acl!(member_type, member_name, object_type, object_name, perms) end end end end knife-acl-1.0.3/lib/chef/knife/acl_remove.rb0000644000175000017500000000414713011360372021002 0ustar stefanorstefanor# # Author:: Steven Danna (steve@chef.io) # Author:: Jeremiah Snapp (jeremiah@chef.io) # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class AclRemove < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife acl remove MEMBER_TYPE MEMBER_NAME OBJECT_TYPE OBJECT_NAME PERMS" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run member_type, member_name, object_type, object_name, perms = name_args if name_args.length != 5 show_usage ui.fatal "You must specify the member type [client|group|user], member name, object type, object name and perms" exit 1 end if member_name == 'pivotal' && %w(client user).include?(member_type) ui.fatal "ERROR: 'pivotal' is a system user so knife-acl will not remove it from an ACL." exit 1 end if member_name == 'admins' && member_type == 'group' && perms.to_s.split(',').include?('grant') ui.fatal "ERROR: knife-acl will not remove the 'admins' group from the 'grant' ACE." ui.fatal " Removal could prevent future attempts to modify permissions." exit 1 end validate_perm_type!(perms) validate_member_type!(member_type) validate_member_name!(member_name) validate_object_name!(object_name) validate_object_type!(object_type) validate_member_exists!(member_type, member_name) remove_from_acl!(member_type, member_name, object_type, object_name, perms) end end end knife-acl-1.0.3/lib/chef/knife/acl_show.rb0000644000175000017500000000313513011360372020461 0ustar stefanorstefanor# # Author:: Steven Danna (steve@chef.io) # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class AclShow < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife acl show OBJECT_TYPE OBJECT_NAME" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run object_type, object_name = name_args if name_args.length != 2 show_usage ui.fatal "You must specify an object type and object name" exit 1 end validate_object_type!(object_type) validate_object_name!(object_name) acl = get_acl(object_type, object_name) PERM_TYPES.each do |perm| # Filter out the actors field if we have # users and clients. Note that if one is present, # both will be - but we're checking both for completeness. if acl[perm].has_key?('users') && acl[perm].has_key?('clients') acl[perm].delete 'actors' end end ui.output acl end end end knife-acl-1.0.3/lib/chef/knife/group_add.rb0000644000175000017500000000314513011360372020627 0ustar stefanorstefanor# # Author:: Seth Falcon () # Author:: Jeremiah Snapp () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class GroupAdd < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife group add MEMBER_TYPE MEMBER_NAME GROUP_NAME" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run member_type, member_name, group_name = name_args if name_args.length != 3 show_usage ui.fatal "You must specify member type [client|group|user], member name and group name" exit 1 end validate_member_name!(group_name) validate_member_type!(member_type) validate_member_name!(member_name) if group_name.downcase == "users" ui.fatal "knife-acl can not manage members of the Users group" ui.fatal "please read knife-acl's README.md for more information" exit 1 end add_to_group!(member_type, member_name, group_name) end end end knife-acl-1.0.3/lib/chef/knife/group_create.rb0000644000175000017500000000242513011360372021342 0ustar stefanorstefanor# # Author:: Seth Falcon () # Author:: Jeremiah Snapp () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class GroupCreate < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife group create GROUP_NAME" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run group_name = name_args[0] if name_args.length != 1 show_usage ui.fatal "You must specify group name" exit 1 end validate_member_name!(group_name) ui.msg "Creating '#{group_name}' group" rest.post_rest("groups", {:groupname => group_name}) end end end knife-acl-1.0.3/lib/chef/knife/group_destroy.rb0000644000175000017500000000272613011360372021574 0ustar stefanorstefanor# # Author:: Christopher Maier () # Author:: Jeremiah Snapp () # Copyright:: Copyright 2015-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class GroupDestroy < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife group destroy GROUP_NAME" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run group_name = name_args[0] if name_args.length != 1 show_usage ui.fatal "You must specify group name" exit 1 end validate_member_name!(group_name) if %w(admins billing-admins clients users).include?(group_name.downcase) ui.fatal "the '#{group_name}' group is a special group that should not be destroyed" exit 1 end ui.msg "Destroying '#{group_name}' group" rest.delete_rest("groups/#{group_name}") end end end knife-acl-1.0.3/lib/chef/knife/group_list.rb0000644000175000017500000000220613011360372021047 0ustar stefanorstefanor# # Author:: Seth Falcon () # Author:: Jeremiah Snapp () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class GroupList < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife group list" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run groups = rest.get_rest("groups").keys.sort ui.output(remove_usags(groups)) end def remove_usags(groups) groups.select { |gname| !is_usag?(gname) } end end end knife-acl-1.0.3/lib/chef/knife/group_remove.rb0000644000175000017500000000316013011360372021371 0ustar stefanorstefanor# # Author:: Seth Falcon () # Author:: Jeremiah Snapp () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class GroupRemove < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife group remove MEMBER_TYPE MEMBER_NAME GROUP_NAME" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run member_type, member_name, group_name = name_args if name_args.length != 3 show_usage ui.fatal "You must specify member type [client|group|user], member name and group name" exit 1 end validate_member_name!(group_name) validate_member_type!(member_type) validate_member_name!(member_name) if group_name.downcase == "users" ui.fatal "knife-acl can not manage members of the Users group" ui.fatal "please read knife-acl's README.md for more information" exit 1 end remove_from_group!(member_type, member_name, group_name) end end end knife-acl-1.0.3/lib/chef/knife/group_show.rb0000644000175000017500000000236213011360372021057 0ustar stefanorstefanor# # Author:: Seth Falcon () # Author:: Jeremiah Snapp () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class GroupShow < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife group show GROUP_NAME" deps do require 'chef/knife/acl_base' include OpscodeAcl::AclBase end def run group_name = name_args[0] if name_args.length != 1 show_usage ui.fatal "You must specify group name" exit 1 end validate_member_name!(group_name) group = rest.get_rest("groups/#{group_name}") ui.output group end end end knife-acl-1.0.3/lib/chef/knife/user_dissociate.rb0000644000175000017500000000230513011360372022045 0ustar stefanorstefanor# # Author:: Steven Danna () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class UserDissociate < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner 'knife user dissociate USERNAMES' def run if name_args.length < 1 show_usage ui.fatal("You must specify a username.") exit 1 end users = name_args ui.confirm("Are you sure you want to dissociate the following users: #{users.join(', ')}") users.each do |u| api_endpoint = "users/#{u}" rest.delete_rest(api_endpoint) end end end end knife-acl-1.0.3/lib/chef/knife/user_invite_add.rb0000644000175000017500000000221613011360372022025 0ustar stefanorstefanor# # Author:: Steven Danna () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class UserInviteAdd < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner 'knife user invite add USERNAMES' def run if name_args.length < 1 show_usage ui.fatal("You must specify a username.") exit 1 end users = name_args api_endpoint = "association_requests/" users.each do |u| body = {:user => u} rest.post_rest(api_endpoint, body) end end end end knife-acl-1.0.3/lib/chef/knife/user_invite_list.rb0000644000175000017500000000176313011360372022256 0ustar stefanorstefanor# # Author:: Steven Danna () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class UserInviteList < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner 'knife user invite list' def run api_endpoint = "association_requests/" invited_users = rest.get_rest(api_endpoint).map { |i| i['username'] } ui.output(invited_users) end end end knife-acl-1.0.3/lib/chef/knife/user_invite_recind.rb0000644000175000017500000000373513011360372022550 0ustar stefanorstefanor# # Author:: Steven Danna () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class UserInviteRecind < Chef::Knife banner 'knife user invite recind [USERNAMES] (options)' category "OPSCODE HOSTED CHEF ACCESS CONTROL" option :all, :short => "-a", :long => "--all", :description => "Recind all invites!" def run if name_args.length < 1 and ! config.has_key?(:all) show_usage ui.fatal("You must specify a username.") exit 1 end # To recind we need to send a DELETE to association_requests/INVITE_ID # For user friendliness we look up the invite ID based on username. @invites = Hash.new usernames = name_args rest.get_rest("association_requests").each { |i| @invites[i['username']] = i['id'] } if config[:all] ui.confirm("Are you sure you want to recind all association requests") @invites.each do |u,i| rest.delete_rest("association_requests/#{i}") end else ui.confirm("Are you sure you want to recind the association requests for: #{usernames.join(', ')}") usernames.each do |u| if @invites.has_key?(u) rest.delete_rest("association_requests/#{@invites[u]}") else ui.fatal("No association request for #{u}.") exit 1 end end end end end end knife-acl-1.0.3/lib/chef/knife/user_list.rb0000644000175000017500000000177713011360372020705 0ustar stefanorstefanor# # Author:: Seth Falcon () # Author:: Jeremiah Snapp () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class UserList < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner "knife user list" deps do require 'pp' end def run users = rest.get_rest("users").map { |u| u["user"]["username"] } pp users.sort end end end knife-acl-1.0.3/lib/chef/knife/user_show.rb0000644000175000017500000000274013011360372020701 0ustar stefanorstefanor# # Author:: Steven Danna () # Copyright:: Copyright 2011-2016 Chef Software, Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # module OpscodeAcl class UserShow < Chef::Knife category "OPSCODE HOSTED CHEF ACCESS CONTROL" banner 'knife user show [USERNAME]' # ui.format_for_display has logic to handle displaying # any attributes set in the config[:attribute] Array. attrs_to_show = [] option :attribute, :short => "-a [ATTR]", :long => "--attribute [ATTR]", :proc => lambda {|val| attrs_to_show << val}, :description => "Show attribute ATTR. Use multiple times to show multiple attributes." def run if name_args.length < 1 show_usage ui.fatal "You must specify a username." exit 1 end username = name_args[0] api_endpoint = "users/#{username}" user = rest.get_rest(api_endpoint) ui.output(ui.format_for_display(user)) end end end knife-acl-1.0.3/lib/knife-acl/0000755000175000017500000000000013011360372016163 5ustar stefanorstefanorknife-acl-1.0.3/lib/knife-acl/version.rb0000644000175000017500000000005013011360372020170 0ustar stefanorstefanormodule KnifeACL VERSION = "1.0.3" end knife-acl-1.0.3/knife-acl.gemspec0000644000175000017500000000274113011360372016766 0ustar stefanorstefanor######################################################### # This file has been automatically generated by gem2tgz # ######################################################### # -*- encoding: utf-8 -*- # stub: knife-acl 1.0.3 ruby lib Gem::Specification.new do |s| s.name = "knife-acl" s.version = "1.0.3" s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version= s.require_paths = ["lib"] s.authors = ["Seth Falcon", "Jeremiah Snapp"] s.date = "2016-09-01" s.description = "Knife plugin to manupulate Chef server access control lists" s.email = "support@chef.io" s.extra_rdoc_files = ["LICENSE", "README.md"] s.files = ["LICENSE", "README.md", "lib/chef/knife/acl_add.rb", "lib/chef/knife/acl_base.rb", "lib/chef/knife/acl_bulk_add.rb", "lib/chef/knife/acl_bulk_remove.rb", "lib/chef/knife/acl_remove.rb", "lib/chef/knife/acl_show.rb", "lib/chef/knife/group_add.rb", "lib/chef/knife/group_create.rb", "lib/chef/knife/group_destroy.rb", "lib/chef/knife/group_list.rb", "lib/chef/knife/group_remove.rb", "lib/chef/knife/group_show.rb", "lib/chef/knife/user_dissociate.rb", "lib/chef/knife/user_invite_add.rb", "lib/chef/knife/user_invite_list.rb", "lib/chef/knife/user_invite_recind.rb", "lib/chef/knife/user_list.rb", "lib/chef/knife/user_show.rb", "lib/knife-acl/version.rb"] s.homepage = "https://github.com/chef/knife-acl" s.rubygems_version = "2.5.1" s.summary = "Knife plugin to manupulate Chef server access control lists" end