author | John Keiser <jkeiser@opscode.com> | 2014-07-24 20:00:28 -0600 |
---|---|---|
committer | John Keiser <jkeiser@opscode.com> | 2014-08-22 09:20:48 -0700 |
commit | c5a81a1d9c2d04c0c3997b1ff75ba231a1ab01d1 (patch) | |
tree | eb7e63a2274f664b9c9d9510e24975cec3dbdd27 | |
parent | e3502878f663c927b847a83cd7391db6695ad3e8 (diff) | |
download | chef-zero-c5a81a1d9c2d04c0c3997b1ff75ba231a1ab01d1.tar.gz |
clients created w/org do not own themselves;
containers created w/org do not follow org rules
-rw-r--r-- | lib/chef_zero/data_store/default_facade.rb | 16 | ||||
-rw-r--r-- | lib/chef_zero/endpoints/acl_base.rb | 19 | ||||
-rw-r--r-- | lib/chef_zero/endpoints/acls_endpoint.rb | 1 | ||||
-rw-r--r-- | spec/run_oc_pedant.rb | 2 |
4 files changed, 20 insertions, 18 deletions
diff --git a/lib/chef_zero/data_store/default_facade.rb b/lib/chef_zero/data_store/default_facade.rb
index 7c8406a..6f69a82 100644
--- a/lib/chef_zero/data_store/default_facade.rb
+++ b/lib/chef_zero/data_store/default_facade.rb
@@ -243,11 +243,17 @@ module ChefZero
 end
 
 def self.owners_of(data, path)
-# if is_created_with_org?(path, false)
-# return owners_of(data, [])
-# else
- list_metadata(data, path, 'owners', :recurse_up)
-# end
+ # The objects that were created with the org itself, and containers for
+ # some reason, have the peculiar property of missing pivotal from their acls.
+ if is_created_with_org?(path, false) || path[0] == 'organizations' && path[2] == 'containers'
+ list_metadata(data, path[0..1], 'owners')
+ else
+ result = list_metadata(data, path, 'owners', :recurse_up)
+ if path.size == 4 && path[0] == 'organizations' && path[2] == 'clients'
+ result |= [ path[3] ]
+ end
+ result
+ end
 end
 
 def self.org_defaults(name, creator, superusers, osc_compat)
diff --git a/lib/chef_zero/endpoints/acl_base.rb b/lib/chef_zero/endpoints/acl_base.rb
index 4253353..ea2ad81 100644
--- a/lib/chef_zero/endpoints/acl_base.rb
+++ b/lib/chef_zero/endpoints/acl_base.rb
@@ -8,8 +8,10 @@ module ChefZero
 # Extended by AclEndpoint and AclsEndpoint
 class AclBase < RestBase
 def acl_path(path)
- if path[0] == 'organizations' && path.size > 1
+ if path[0] == 'organizations' && path.size > 2
 acl_path = path[0..1] + [ 'acls' ] + path[2..-1]
+ elsif path[0] == 'organizations' && path.size == 2
+ acl_path = path + %w(acls organizations)
 else
 acl_path = [ 'acls' ] + path
 end
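Review bot: The new `if` in `owners_of` mixes `||` and `&&` without parentheses, so it only means `is_created_with_org?(path, false) || (path[0] == 'organizations' && path[2] == 'containers')` because `&&` binds tighter; write the parentheses explicitly, and note that `path[2] == 'containers'` also matches the containers collection itself (`organizations/ORG/containers`, size 3), not just individual containers — add `path.size == 4` if that is unintended. The comment's "for some reason" should become the actual rationale; I would write `# Objects that exist from org creation, and all containers, get only the org's own owners (no :recurse_up), so the server superusers such as pivotal are deliberately absent from their ACLs — presumably mirroring the real server's behaviour that pedant checks.` The else branch makes a client an owner of its own client object, i.e. all five ACEs including grant, a rule that moved here from acl_base.rb; a one-line comment such as `# A client is an owner of its own client object.` keeps that visible now that it no longer sits next to the ACL merge.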
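Review bot: `acl_path` now special-cases an org path of exactly two components but leaves the resulting layout undocumented; a comment above the `if` would save the next reader from deriving it: `# The org's own ACL is stored at organizations/ORG/acls/organizations; ACLs of objects under an org live at organizations/ORG/acls/<type>/<name>; everything else is under a top-level acls/.` Also note that a bare `['organizations']` path (size 1) now falls through to the last branch and resolves to `acls/organizations`, which may or may not be what callers expect — worth a test, or an explicit raise if it is unreachable. The remainder of `acl_path`, including what is done with the local it assigns, lies outside this hunk.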
@@ -21,23 +23,16 @@ module ChefZero
 container_acls = get_container_acls(request, path)
 if container_acls
 acls = DataNormalizer.merge_container_acls(acls, container_acls)
- # If we're grabbing our actors from the container, we still want to
- # include superusers, but we don't want to include org owner (who
- # should already be in the container anyway)
- owners = DataStore::DefaultFacade.owners_of(data_store, [])
- else
- # We merge owners into every acl, because we're awesome like that.
- owners = DataStore::DefaultFacade.owners_of(data_store, path)
 end
+
+ # We merge owners into every acl, because we're awesome like that.
+ owners = DataStore::DefaultFacade.owners_of(data_store, path)
+
 %w(create read update delete grant).each do |perm|
 acls[perm] ||= {}
 acls[perm]['actors'] ||= []
 # The owners of the org and of the server (the superusers) have rights too
 acls[perm]['actors'] = owners | acls[perm]['actors']
- # Clients have access to themselves
- if path.size == 4 && path[0] == 'organizations' && path[2] == 'clients'
- acls[perm]['actors'] |= [ path[3] ]
- end
 end
 acls
 end
diff --git a/lib/chef_zero/endpoints/acls_endpoint.rb b/lib/chef_zero/endpoints/acls_endpoint.rb
index ec0fd34..872ecce 100644
--- a/lib/chef_zero/endpoints/acls_endpoint.rb
+++ b/lib/chef_zero/endpoints/acls_endpoint.rb
@@ -13,6 +13,7 @@ module ChefZero
 class AclsEndpoint < AclBase
 def get(request)
 path = request.rest_path[0..-2] # Strip off _acl
+ path = path[0..1] if path.size == 3 && path[0] == 'organizations' && path[2] == 'organizations'
 acls = DataNormalizer.normalize_acls(get_acls(request, path))
 json_response(200, acls)
 end
diff --git a/spec/run_oc_pedant.rb b/spec/run_oc_pedant.rb
index 43366f2..71a1f4f 100644
--- a/spec/run_oc_pedant.rb
+++ b/spec/run_oc_pedant.rb
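Review bot: The surviving `# We merge owners into every acl, because we're awesome like that.` comment says nothing about what is actually granted, and now that this hunk drops the client-self-ownership block it is the only comment documenting the merge; replace it with `# Every actor that DefaultFacade.owners_of resolves for this path (org owners, plus via :recurse_up the server superusers and a client on itself) is added to all five ACEs, including grant.` — the superuser and self-ownership details come from owners_of in default_facade.rb in this same commit. Removing the `else` also means the container-derived branch now merges the full owner chain for `path` instead of `owners_of(data_store, [])`, so org owners are added to container-sourced ACLs even when the container does not list them; if that is intended it deserves a sentence in the commit message, since the removed comment said the opposite was the design. `get_acls` begins before this hunk.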
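Review bot: The added one-liner in `AclsEndpoint#get` silently rewrites `organizations/ORG/organizations/_acl` to the org path without saying why; a comment tying it to `acl_path` would help: `# /organizations/ORG/organizations/_acl is the ACL of the org itself; reduce to the org path so acl_path maps it to organizations/ORG/acls/organizations.` The hundred-plus-character modifier `if` is also hard to scan — a plain `if ... end` with the comment inside, or a small predicate such as `org_self_acl?(path)` shared with `acl_path`, reads better.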
@@ -18,7 +18,7 @@ begin
 server.start_background
 else
- server = ChefZero::Server.new(:port => 8889, :single_org => false, :log_level => :debug)
+ server = ChefZero::Server.new(:port => 8889, :single_org => false)#, :log_level => :debug)
 server.start_background
 end |
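Review bot: The change leaves `#, :log_level => :debug)` as commented-out code glued to the end of the `ChefZero::Server.new` call, which is easy to misread and tends to rot; either drop it or make it switchable, e.g. `:log_level => ENV['CHEF_ZERO_LOG_LEVEL']` (check that `Server.new` tolerates a nil level) so debugging can be re-enabled without editing the runner. The enclosing `begin` block starts before this hunk.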