#
# Copyright:: Copyright (c) 2014-2019 Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require "pathname" unless defined?(Pathname)
require "fileutils" unless defined?(FileUtils)
require "tmpdir" unless defined?(Dir.mktmpdir)
require "zlib"
require "archive/tar/minitar"
require "chef/cookbook/chefignore"
require_relative "../service_exceptions"
require_relative "../policyfile_lock"
require_relative "../policyfile/storage_config"
module ChefCLI
module PolicyfileServices
class ExportRepo
# Policy groups provide namespaces for policies so that a Chef Infra Server can
# have multiple active iterations of a policy at once, but we don't need
# this when serving a single exported policy via Chef Zero, so hardcode
# it to a "well known" value:
POLICY_GROUP = "local".freeze
include Policyfile::StorageConfigDelegation
attr_reader :storage_config
attr_reader :root_dir
attr_reader :export_dir
def initialize(policyfile: nil, export_dir: nil, root_dir: nil, archive: false, force: false)
@root_dir = root_dir
@export_dir = File.expand_path(export_dir)
@archive = archive
@force_export = force
@policy_data = nil
@policyfile_lock = nil
policyfile_rel_path = policyfile || "Policyfile.rb"
policyfile_full_path = File.expand_path(policyfile_rel_path, root_dir)
@storage_config = Policyfile::StorageConfig.new.use_policyfile(policyfile_full_path)
@staging_dir = nil
end
def archive?
@archive
end
def policy_name
policyfile_lock.name
end
def run
assert_lockfile_exists!
assert_export_dir_clean!
validate_lockfile
write_updated_lockfile
export
end
def policy_data
@policy_data ||= FFI_Yajl::Parser.parse(IO.read(policyfile_lock_expanded_path))
rescue => error
raise PolicyfileExportRepoError.new("Error reading lockfile #{policyfile_lock_expanded_path}", error)
end
def policyfile_lock
@policyfile_lock || validate_lockfile
end
def archive_file_location
return nil unless archive?
filename = "#{policyfile_lock.name}-#{policyfile_lock.revision_id}.tgz"
File.join(export_dir, filename)
end
def export
with_staging_dir do
create_repo_structure
copy_cookbooks
create_policyfile_repo_item
create_policy_group_repo_item
copy_policyfile_lock
create_client_rb
create_readme_md
if archive?
create_archive
else
mv_staged_repo
end
end
rescue => error
msg = "Failed to export policy (in #{policyfile_filename}) to #{export_dir}"
raise PolicyfileExportRepoError.new(msg, error)
end
private
def with_staging_dir
p = Process.pid
t = Time.new.utc.strftime("%Y%m%d%H%M%S")
Dir.mktmpdir("chefcli-export-#{p}-#{t}") do |d|
begin
@staging_dir = d
yield
ensure
@staging_dir = nil
end
end
end
def create_archive
Dir.chdir(staging_dir) do
targets = Find.find(".").collect { |e| e }
Mixlib::Archive.new(archive_file_location).create(targets, gzip: true)
end
end
def staging_dir
@staging_dir
end
def create_repo_structure
FileUtils.mkdir_p(export_dir)
FileUtils.mkdir_p(dot_chef_staging_dir)
FileUtils.mkdir_p(cookbook_artifacts_staging_dir)
FileUtils.mkdir_p(policies_staging_dir)
FileUtils.mkdir_p(policy_groups_staging_dir)
end
def copy_cookbooks
policyfile_lock.cookbook_locks.each do |name, lock|
copy_cookbook(lock)
end
end
def copy_cookbook(lock)
dirname = "#{lock.name}-#{lock.identifier}"
export_path = File.join(staging_dir, "cookbook_artifacts", dirname)
metadata_rb_path = File.join(export_path, "metadata.rb")
FileUtils.mkdir(export_path) unless File.directory?(export_path)
copy_unignored_cookbook_files(lock, export_path)
FileUtils.rm_f(metadata_rb_path)
metadata = lock.cookbook_version.metadata
metadata_json_path = File.join(export_path, "metadata.json")
File.open(metadata_json_path, "wb+") do |f|
f.print(FFI_Yajl::Encoder.encode(metadata.to_hash, pretty: true ))
end
end
def copy_unignored_cookbook_files(lock, export_path)
cookbook_files_to_copy(lock.cookbook_path).each do |rel_path|
full_source_path = File.join(lock.cookbook_path, rel_path)
full_dest_path = File.join(export_path, rel_path)
dest_dirname = File.dirname(full_dest_path)
FileUtils.mkdir_p(dest_dirname) unless File.directory?(dest_dirname)
FileUtils.cp(full_source_path, full_dest_path)
end
end
def cookbook_files_to_copy(cookbook_path)
cookbook = cookbook_loader_for(cookbook_path).cookbook_version
root = Pathname.new(cookbook.root_dir)
cookbook.all_files.map do |full_path|
Pathname.new(full_path).relative_path_from(root).to_s
end
end
def cookbook_loader_for(cookbook_path)
loader = Chef::Cookbook::CookbookVersionLoader.new(cookbook_path, chefignore_for(cookbook_path))
loader.load!
loader
end
def chefignore_for(cookbook_path)
Chef::Cookbook::Chefignore.new(File.join(cookbook_path, "chefignore"))
end
def create_policyfile_repo_item
File.open(policyfile_repo_item_path, "wb+") do |f|
f.print(FFI_Yajl::Encoder.encode(policyfile_lock.to_lock, pretty: true ))
end
end
def create_policy_group_repo_item
data = {
"policies" => {
policyfile_lock.name => {
"revision_id" => policyfile_lock.revision_id,
},
},
}
File.open(policy_group_repo_item_path, "wb+") do |f|
f.print(FFI_Yajl::Encoder.encode(data, pretty: true ))
end
end
def copy_policyfile_lock
File.open(lockfile_staging_path, "wb+") do |f|
f.print(FFI_Yajl::Encoder.encode(policyfile_lock.to_lock, pretty: true ))
end
end
def create_client_rb
File.open(client_rb_staging_path, "wb+") do |f|
f.print( <<~CONFIG )
### Chef Infra Client Configuration ###
# The settings in this file will configure chef to apply the exported policy in
# this directory. To use it, run:
#
# chef-client -z
#
policy_name '#{policy_name}'
policy_group 'local'
use_policyfile true
policy_document_native_api true
# In order to use this repo, you need a version of Chef Infra Client and Chef Zero
# that supports policyfile "native mode" APIs:
current_version = Gem::Version.new(Chef::VERSION)
unless Gem::Requirement.new(">= 12.7").satisfied_by?(current_version)
puts("!" * 80)
puts(<<-MESSAGE)
This Chef Repo requires features introduced in Chef Infra Client 12.7, but you are using
Chef \#{Chef::VERSION}. Please upgrade to Chef Infra Client 12.7 or later.
MESSAGE
puts("!" * 80)
exit!(1)
end
CONFIG
end
end
def create_readme_md
File.open(readme_staging_path, "wb+") do |f|
f.print( <<~README )
# Exported Chef Infra Repository for Policy '#{policy_name}'
Policy revision: #{policyfile_lock.revision_id}
This directory contains all the cookbooks and configuration necessary for Chef
to converge a system using this exported policy. To converge a system with the
exported policy, use a privileged account to run `chef-client -z` from the
directory containing the exported policy.
## Contents:
### Policyfile.lock.json
A copy of the exported policy, used by the `chef push-archive` command.
### .chef/config.rb
A configuration file for Chef Infra Client. This file configures Chef Infra Client to
use the correct `policy_name` and `policy_group` for this exported repository. Chef
Infra Client will use this configuration automatically if you've set your working
directory properly.
### cookbook_artifacts/
All of the cookbooks required by the policy will be stored in this directory.
### policies/
A different copy of the exported policy, used by the `chef-client` command.
### policy_groups/
Policy groups are used by Chef Infra Server to manage multiple revisions of the same
policy. However, exported policies contain only a single policy revision, so
this policy group name is hardcoded to "local" and should not be changed.
README
end
end
def mv_staged_repo
# If we got here, either these dirs are empty/don't exist or force is
# set to true.
FileUtils.rm_rf(cookbook_artifacts_dir)
FileUtils.rm_rf(policies_dir)
FileUtils.rm_rf(policy_groups_dir)
FileUtils.rm_rf(dot_chef_dir)
FileUtils.mv(cookbook_artifacts_staging_dir, export_dir)
FileUtils.mv(policies_staging_dir, export_dir)
FileUtils.mv(policy_groups_staging_dir, export_dir)
FileUtils.mv(lockfile_staging_path, export_dir)
FileUtils.mv(dot_chef_staging_dir, export_dir)
FileUtils.mv(readme_staging_path, export_dir)
end
def validate_lockfile
return @policyfile_lock if @policyfile_lock
@policyfile_lock = ChefCLI::PolicyfileLock.new(storage_config).build_from_lock_data(policy_data)
# TODO: enumerate any cookbook that have been updated
@policyfile_lock.validate_cookbooks!
@policyfile_lock
rescue PolicyfileExportRepoError
raise
rescue => error
raise PolicyfileExportRepoError.new("Invalid lockfile data", error)
end
def write_updated_lockfile
File.open(policyfile_lock_expanded_path, "wb+") do |f|
f.print(FFI_Yajl::Encoder.encode(policyfile_lock.to_lock, pretty: true ))
end
end
def assert_lockfile_exists!
unless File.exist?(policyfile_lock_expanded_path)
raise LockfileNotFound, "No lockfile at #{policyfile_lock_expanded_path} - you need to run `install` before `push`"
end
end
def assert_export_dir_clean!
if !force_export? && !conflicting_fs_entries.empty? && !archive?
msg = "Export dir (#{export_dir}) not clean. Refusing to export. (Conflicting files: #{conflicting_fs_entries.join(", ")})"
raise ExportDirNotEmpty, msg
end
end
def force_export?
@force_export
end
def conflicting_fs_entries
Dir.glob(File.join(cookbook_artifacts_dir, "*")) +
Dir.glob(File.join(policies_dir, "*")) +
Dir.glob(File.join(policy_groups_dir, "*")) +
Dir.glob(File.join(export_dir, "Policyfile.lock.json"))
end
def cookbook_artifacts_dir
File.join(export_dir, "cookbook_artifacts")
end
def policies_dir
File.join(export_dir, "policies")
end
def policy_groups_dir
File.join(export_dir, "policy_groups")
end
def dot_chef_dir
File.join(export_dir, ".chef")
end
def policyfile_repo_item_path
basename = "#{policyfile_lock.name}-#{policyfile_lock.revision_id}"
File.join(staging_dir, "policies", "#{basename}.json")
end
def policy_group_repo_item_path
File.join(staging_dir, "policy_groups", "local.json")
end
def dot_chef_staging_dir
File.join(staging_dir, ".chef")
end
def cookbook_artifacts_staging_dir
File.join(staging_dir, "cookbook_artifacts")
end
def policies_staging_dir
File.join(staging_dir, "policies")
end
def policy_groups_staging_dir
File.join(staging_dir, "policy_groups")
end
def lockfile_staging_path
File.join(staging_dir, "Policyfile.lock.json")
end
def client_rb_staging_path
File.join(dot_chef_staging_dir, "config.rb")
end
def readme_staging_path
File.join(staging_dir, "README.md")
end
end
end
end