lib/chef-cli/policyfile_lock.rb



#
# Copyright:: Copyright (c) 2014-2018 Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require "digest/sha2" unless defined?(Digest::SHA2)

require_relative "policyfile/storage_config"
require_relative "policyfile/cookbook_locks"
require_relative "policyfile/solution_dependencies"
require_relative "ui"

module ChefCLI

  class PolicyfileLock

    class InstallReport

      attr_reader :ui
      attr_reader :policyfile_lock

      def initialize(ui: nil, policyfile_lock: nil)
        @ui = ui
        @policyfile_lock = policyfile_lock

        @cookbook_name_width = nil
        @cookbook_version_width = nil
      end

      def installing_fixed_version_cookbook(cookbook_spec)
        verb = cookbook_spec.installed? ? "Using     " : "Installing"
        ui.msg("#{verb} #{format_fixed_version_cookbook(cookbook_spec)}")
      end

      def installing_cookbook(cookbook_lock)
        verb = cookbook_lock.installed? ? "Using     " : "Installing"
        ui.msg("#{verb} #{format_cookbook(cookbook_lock)}")
      end

      private

      def format_cookbook(cookbook_lock)
        "#{cookbook_lock.name.ljust(cookbook_name_width)} #{cookbook_lock.version.to_s.ljust(cookbook_version_width)}"
      end

      def cookbook_name_width
        policyfile_lock.cookbook_locks.map { |name, _| name.size }.max
      end

      def cookbook_version_width
        policyfile_lock.cookbook_locks.map { |_, lock| lock.version.size }.max
      end
    end

    RUN_LIST_ITEM_FORMAT = /\Arecipe\[[^\s]+::[^\s]+\]\Z/.freeze

    def self.build(storage_config)
      lock = new(storage_config)
      yield lock
      lock
    end

    def self.build_from_compiler(compiler, storage_config)
      lock = new(storage_config)
      lock.build_from_compiler(compiler)
      lock
    end

    include Policyfile::StorageConfigDelegation

    attr_accessor :name
    attr_accessor :run_list
    attr_accessor :named_run_lists
    attr_accessor :default_attributes
    attr_accessor :override_attributes

    attr_reader :solution_dependencies

    attr_reader :storage_config

    attr_reader :cookbook_locks

    attr_reader :included_policy_locks

    attr_reader :install_report

    def initialize(storage_config, ui: nil)
      @name = nil
      @run_list = []
      @named_run_lists = {}
      @cookbook_locks = {}
      @relative_paths_root = Dir.pwd
      @storage_config = storage_config
      @ui = ui || UI.null

      @default_attributes = {}
      @override_attributes = {}

      @solution_dependencies = Policyfile::SolutionDependencies.new

      @included_policy_locks = []

      @install_report = InstallReport.new(ui: @ui, policyfile_lock: self)
    end

    def lock_data_for(cookbook_name)
      @cookbook_locks[cookbook_name]
    end

    def cached_cookbook(name)
      cached_cookbook = Policyfile::CachedCookbook.new(name, storage_config)
      yield cached_cookbook if block_given?
      @cookbook_locks[name] = cached_cookbook
    end

    def local_cookbook(name)
      local_cookbook = Policyfile::LocalCookbook.new(name, storage_config)
      yield local_cookbook if block_given?
      @cookbook_locks[name] = local_cookbook
    end

    def dependencies
      yield solution_dependencies
    end

    def to_lock
      {}.tap do |lock|
        lock["revision_id"] = revision_id
        lock["name"] = name
        lock["run_list"] = run_list
        lock["named_run_lists"] = named_run_lists unless named_run_lists.empty?
        lock["included_policy_locks"] = included_policy_locks
        lock["cookbook_locks"] = cookbook_locks_for_lockfile
        lock["default_attributes"] = default_attributes
        lock["override_attributes"] = override_attributes
        lock["solution_dependencies"] = solution_dependencies.to_lock
      end
    end

    # Returns a fingerprint of the PolicyfileLock by computing the SHA1 hash of
    # #canonical_revision_string
    def revision_id
      Digest::SHA256.new.hexdigest(canonical_revision_string)
    end

    # Generates a string representation of the lock data in a specialized
    # format suitable for generating a checksum of the lock itself. Only data
    # that modifies the behavior of a chef-client using the lockfile is
    # included in this format; for example, a modification to the source
    # options in a `Policyfile.rb` that yields identical code (such as
    # switching to a github fork at the same revision) will not cause a change
    # in the PolicyfileLock's canonical_revision_string.
    #
    # This format is intended to be used only for generating an identifier for
    # a particular revision of a PolicyfileLock. It should not be used as a
    # serialization format, and is not guaranteed to be a stable interface.
    def canonical_revision_string
      canonical_rev_text = ""

      canonical_rev_text << "name:#{name}\n"

      run_list.each do |item|
        canonical_rev_text << "run-list-item:#{item}\n"
      end

      named_run_lists.each do |name, run_list|
        run_list.each do |item|
          canonical_rev_text << "named-run-list:#{name};run-list-item:#{item}\n"
        end
      end

      cookbook_locks_for_lockfile.each do |name, lock|
        canonical_rev_text << "cookbook:#{name};id:#{lock["identifier"]}\n"
      end

      canonical_rev_text << "default_attributes:#{canonicalize(default_attributes)}\n"

      canonical_rev_text << "override_attributes:#{canonicalize(override_attributes)}\n"

      canonical_rev_text
    end

    def cookbook_locks_for_lockfile
      cookbook_locks.inject({}) do |locks_map, (name, location_spec)|
        location_spec.validate!
        location_spec.gather_profile_data
        locks_map[name] = location_spec.to_lock
        locks_map
      end.sort.to_h
    end

    def validate_cookbooks!
      cookbook_locks.each do |name, cookbook_lock|
        cookbook_lock.validate!
        cookbook_lock.refresh!
      end

      # Check that versions and dependencies are still valid. First we need to
      # refresh the dependency info for everything that has changed, then we
      # check that the new versions and dependencies are valid for the working
      # set of cookbooks. We can't do this in a single loop because the user
      # may have modified two cookbooks such that the versions and constraints
      # are only valid when both changes are considered together.
      cookbook_locks.each do |name, cookbook_lock|
        if cookbook_lock.updated?
          solution_dependencies.update_cookbook_dep(name, cookbook_lock.version, cookbook_lock.dependencies)
        end
      end
      cookbook_locks.each do |name, cookbook_lock|
        if cookbook_lock.updated?
          solution_dependencies.test_conflict!(cookbook_lock.name, cookbook_lock.version)
        end
      end

      true
    end

    def build_from_compiler(compiler)
      @name = compiler.name

      @run_list = compiler.normalized_run_list

      @named_run_lists = compiler.normalized_named_run_lists

      compiler.all_cookbook_location_specs.each do |cookbook_name, spec|
        if spec.mirrors_canonical_upstream?
          cached_cookbook(cookbook_name) do |cached_cb|
            cached_cb.cache_key = spec.cache_key
            cached_cb.origin = spec.uri
            cached_cb.source_options = spec.source_options_for_lock
          end
        else
          local_cookbook(cookbook_name) do |local_cb|
            local_cb.source = spec.relative_path
            local_cb.source_options = spec.source_options_for_lock
          end
        end
      end

      @default_attributes = compiler.default_attributes
      @override_attributes = compiler.override_attributes

      @solution_dependencies = compiler.solution_dependencies

      @included_policy_locks = compiler.included_policies.map do |policy|
        {
          "name" => policy.name,
          "revision_id" => policy.revision_id,
          "source_options" => policy.source_options_for_lock,
        }
      end

      self
    end

    def build_from_lock_data(lock_data)
      set_name_from_lock_data(lock_data)
      set_run_list_from_lock_data(lock_data)
      set_named_run_lists_from_lock_data(lock_data)
      set_cookbook_locks_from_lock_data(lock_data)
      set_attributes_from_lock_data(lock_data)
      set_solution_dependencies_from_lock_data(lock_data)
      set_included_policy_locks_from_lock_data(lock_data)
      self
    end

    def build_from_archive(lock_data)
      set_name_from_lock_data(lock_data)
      set_run_list_from_lock_data(lock_data)
      set_named_run_lists_from_lock_data(lock_data)
      set_cookbook_locks_as_archives_from_lock_data(lock_data)
      set_attributes_from_lock_data(lock_data)
      set_solution_dependencies_from_lock_data(lock_data)
      set_included_policy_locks_from_lock_data(lock_data)
      self
    end

    def install_cookbooks
      # note: duplicates PolicyfileCompiler#ensure_cache_dir_exists
      ensure_cache_dir_exists

      cookbook_locks.each do |cookbook_name, cookbook_lock|
        install_report.installing_cookbook(cookbook_lock)
        cookbook_lock.install_locked
      end
    end

    def ensure_cache_dir_exists
      # note: duplicates PolicyfileCompiler#ensure_cache_dir_exists
      unless File.exist?(cache_path)
        FileUtils.mkdir_p(cache_path)
      end
    end

    private

    # Generates a canonical JSON representation of the attributes. Based on
    # http://wiki.laptop.org/go/Canonical_JSON but not quite as strict, yet.
    #
    # In particular:
    # - String encoding stuff isn't normalized
    # - We allow floats that fit within the range/precision requirements of
    #   IEEE 754-2008 binary64 (double precision) numbers.
    # - +/- Infinity and NaN are banned, but float/numeric size aren't checked.
    #   numerics should be in range [-(2**53)+1, (2**53)-1] to comply with
    #   IEEE 754-2008
    #
    # Recursive, so absurd nesting levels could cause a SystemError. Invalid
    # input will cause an InvalidPolicyfileAttribute exception.
    def canonicalize(attributes)
      unless attributes.is_a?(Hash)
        raise "Top level attributes must be a Hash (you gave: #{attributes})"
      end

      canonicalize_elements(attributes)
    end

    def canonicalize_elements(item)
      case item
      when Hash
        # Hash keys will sort differently based on the encoding, but after a
        # JSON round trip everything will be UTF-8, so we have to normalize the
        # keys to UTF-8 first so that the sort order uses the UTF-8 strings.
        item_with_normalized_keys = item.inject({}) do |normalized_item, (key, value)|
          validate_attr_key(key)
          normalized_item[key.encode("utf-8")] = value
          normalized_item
        end
        elements = item_with_normalized_keys.keys.sort.map do |key|
          k = '"' << key << '":'
          v = canonicalize_elements(item_with_normalized_keys[key])
          k << v
        end
        "{" << elements.join(",") << "}"
      when String
        '"' << item.encode("utf-8") << '"'
      when Array
        elements = item.map { |i| canonicalize_elements(i) }
        "[" << elements.join(",") << "]"
      when Integer
        item.to_s
      when Float
        unless item.finite?
          raise InvalidPolicyfileAttribute, "Floating point numbers cannot be infinite or NaN. You gave #{item.inspect}"
        end

        # Support for floats assumes that any implementation of our JSON
        # canonicalization routine will use IEEE-754 doubles. In decimal terms,
        # doubles give 15-17 digits of precision, so we err on the safe side
        # and only use 15 digits in the string conversion. We use the `g`
        # format, which is a documented-enough "do what I mean" where floats
        # >= 0.1 and < precision are represented as floating point literals, and
        # other numbers use the exponent notation with a lowercase 'e'. Note
        # that both Ruby and Erlang document what their `g` does but have some
        # differences both subtle and non-subtle:
        #
        # ```ruby
        # format("%.15g", 0.1) #=> "0.1"
        # format("%.15g", 1_000_000_000.0) #=> "1000000000"
        # ```
        #
        # Whereas:
        #
        # ```erlang
        # lists:flatten(io_lib:format("~.15g", [0.1])). %=> "0.100000000000000"
        # lists:flatten(io_lib:format("~.15e", [1000000000.0])). %=> "1.00000000000000e+9"
        # ```
        #
        # Other implementations should normalize to ruby's %.15g behavior.
        Kernel.format("%.15g", item)
      when NilClass
        "null"
      when TrueClass
        "true"
      when FalseClass
        "false"
      else
        raise InvalidPolicyfileAttribute,
          "Invalid type in attributes. Only Hash, Array, String, Integer, Float, true, false, and nil are accepted. You gave #{item.inspect} (#{item.class})"
      end
    end

    def validate_attr_key(key)
      unless key.is_a?(String)
        raise InvalidPolicyfileAttribute,
          "Attribute keys must be Strings (other types are not allowed in JSON). You gave: #{key.inspect} (#{key.class})"
      end
    end

    def set_name_from_lock_data(lock_data)
      name_attribute = lock_data["name"]

      raise InvalidLockfile, "lockfile does not have a `name' attribute" if name_attribute.nil?

      unless name_attribute.is_a?(String)
        raise InvalidLockfile, "lockfile's name attribute must be a String (got: #{name_attribute.inspect})"
      end

      if name_attribute.empty?
        raise InvalidLockfile, "lockfile's name attribute cannot be an empty string"
      end

      @name = name_attribute
    end

    def set_run_list_from_lock_data(lock_data)
      run_list_attribute = lock_data["run_list"]

      raise InvalidLockfile, "lockfile does not have a run_list attribute" if run_list_attribute.nil?

      unless run_list_attribute.is_a?(Array)
        raise InvalidLockfile, "lockfile's run_list must be an array of run list items (got: #{run_list_attribute.inspect})"
      end

      bad_run_list_items = run_list_attribute.select { |e| e !~ RUN_LIST_ITEM_FORMAT }

      unless bad_run_list_items.empty?
        msg = "lockfile's run_list items must be formatted like `recipe[$COOKBOOK_NAME::$RECIPE_NAME]'. Invalid items: `#{bad_run_list_items.join("' `")}'"
        raise InvalidLockfile, msg
      end

      @run_list = run_list_attribute
    end

    def set_named_run_lists_from_lock_data(lock_data)
      return unless lock_data.key?("named_run_lists")

      lock_data_named_run_lists = lock_data["named_run_lists"]

      unless lock_data_named_run_lists.is_a?(Hash)
        msg = "lockfile's named_run_lists must be a Hash (JSON object). (got: #{lock_data_named_run_lists.inspect})"
        raise InvalidLockfile, msg
      end

      lock_data_named_run_lists.each do |name, run_list|
        unless name.is_a?(String)
          msg = "Keys in lockfile's named_run_lists must be Strings. (got: #{name.inspect})"
          raise InvalidLockfile, msg
        end
        unless run_list.is_a?(Array)
          msg = "Values in lockfile's named_run_lists must be Arrays. (got: #{run_list.inspect})"
          raise InvalidLockfile, msg
        end
        bad_run_list_items = run_list.select { |e| e !~ RUN_LIST_ITEM_FORMAT }
        unless bad_run_list_items.empty?
          msg = "lockfile's run_list items must be formatted like `recipe[$COOKBOOK_NAME::$RECIPE_NAME]'. Invalid items: `#{bad_run_list_items.join("' `")}'"
          raise InvalidLockfile, msg
        end
      end
      @named_run_lists = lock_data_named_run_lists
    end

    def set_cookbook_locks_from_lock_data(lock_data)
      cookbook_lock_data = lock_data["cookbook_locks"]

      if cookbook_lock_data.nil?
        raise InvalidLockfile, "lockfile does not have a cookbook_locks attribute"
      end

      unless cookbook_lock_data.is_a?(Hash)
        raise InvalidLockfile, "lockfile's cookbook_locks attribute must be a Hash (JSON object). (got: #{cookbook_lock_data.inspect})"
      end

      lock_data["cookbook_locks"].each do |name, lock_info|
        build_cookbook_lock_from_lock_data(name, lock_info)
      end
    end

    def set_cookbook_locks_as_archives_from_lock_data(lock_data)
      cookbook_lock_data = lock_data["cookbook_locks"]

      if cookbook_lock_data.nil?
        raise InvalidLockfile, "lockfile does not have a cookbook_locks attribute"
      end

      unless cookbook_lock_data.is_a?(Hash)
        raise InvalidLockfile, "lockfile's cookbook_locks attribute must be a Hash (JSON object). (got: #{cookbook_lock_data.inspect})"
      end

      lock_data["cookbook_locks"].each do |name, lock_info|
        build_cookbook_lock_as_archive_from_lock_data(name, lock_info)
      end
    end

    def set_attributes_from_lock_data(lock_data)
      default_attr_data = lock_data["default_attributes"]

      if default_attr_data.nil?
        raise InvalidLockfile, "lockfile does not have a `default_attributes` attribute"
      end

      unless default_attr_data.is_a?(Hash)
        raise InvalidLockfile, "lockfile's `default_attributes` attribute must be a Hash (JSON object). (got: #{default_attr_data.inspect})"
      end

      override_attr_data = lock_data["override_attributes"]

      if override_attr_data.nil?
        raise InvalidLockfile, "lockfile does not have a `override_attributes` attribute"
      end

      unless override_attr_data.is_a?(Hash)
        raise InvalidLockfile, "lockfile's `override_attributes` attribute must be a Hash (JSON object). (got: #{override_attr_data.inspect})"
      end

      @default_attributes   = default_attr_data
      @override_attributes  = override_attr_data
    end

    def set_solution_dependencies_from_lock_data(lock_data)
      soln_deps = lock_data["solution_dependencies"]

      if soln_deps.nil?
        raise InvalidLockfile, "lockfile does not have a solution_dependencies attribute"
      end

      unless soln_deps.is_a?(Hash)
        raise InvalidLockfile, "lockfile's solution_dependencies attribute must be a Hash (JSON object). (got: #{soln_deps.inspect})"
      end

      s = Policyfile::SolutionDependencies.from_lock(lock_data["solution_dependencies"])
      @solution_dependencies = s
    end

    def set_included_policy_locks_from_lock_data(lock_data)
      locks = lock_data["included_policy_locks"]
      if locks.nil?
        @included_policy_locks = []
      else
        locks.each do |lock_info|
          unless %w{revision_id name source_options}.all? { |key| !lock_info[key].nil? }
            raise InvalidLockfile, "lockfile included policy missing one of the required keys"
          end
        end
        @included_policy_locks = locks
      end
    end

    def build_cookbook_lock_from_lock_data(name, lock_info)
      unless lock_info.is_a?(Hash)
        raise InvalidLockfile, "lockfile cookbook_locks entries must be a Hash (JSON object). (got: #{lock_info.inspect})"
      end

      if lock_info["cache_key"].nil?
        local_cookbook(name).build_from_lock_data(lock_info)
      else
        cached_cookbook(name).build_from_lock_data(lock_info)
      end
    end

    def build_cookbook_lock_as_archive_from_lock_data(name, lock_info)
      unless lock_info.is_a?(Hash)
        raise InvalidLockfile, "lockfile cookbook_locks entries must be a Hash (JSON object). (got: #{lock_info.inspect})"
      end

      if lock_info["cache_key"].nil?
        local_cookbook = Policyfile::LocalCookbook.new(name, storage_config)
        local_cookbook.build_from_lock_data(lock_info)
        archived = Policyfile::ArchivedCookbook.new(local_cookbook, storage_config)
        @cookbook_locks[name] = archived
      else
        cached_cookbook = Policyfile::CachedCookbook.new(name, storage_config)
        cached_cookbook.build_from_lock_data(lock_info)
        archived = Policyfile::ArchivedCookbook.new(cached_cookbook, storage_config)
        @cookbook_locks[name] = archived
      end
    end

  end
end