authorTim Smith <tsmith@chef.io>2020-07-23 19:49:39 -0700
committerGitHub <noreply@github.com>2020-07-23 19:49:39 -0700
commit80a6c91ce3cb5e17a933b07f0d42535e145b33f4 (patch)
tree5facdbf0dc9a29fe8933a0fed30138161e6881eb
parent1eb5fbe161422103a4d6bfb79acdcd14bbc7c5bb (diff)
parent5da180a5c02aef854a7e7466b9a6bfba063e3705 (diff)
downloadchef-80a6c91ce3cb5e17a933b07f0d42535e145b33f4.tar.gz
Merge pull request #10199 from chef/blocklist
Rename Attribute Whitelist/Blacklist to Allowed/Blocked
-rw-r--r--chef-config/lib/chef-config/config.rb33
-rw-r--r--cspell.json61
-rw-r--r--lib/chef/attribute_allowlist.rb (renamed from lib/chef/whitelist.rb)22
-rw-r--r--lib/chef/attribute_blocklist.rb (renamed from lib/chef/blacklist.rb)18
-rw-r--r--lib/chef/deprecated.rb4
-rw-r--r--lib/chef/node.rb48
-rw-r--r--lib/chef/node_map.rb32
-rw-r--r--spec/unit/node_spec.rb109
8 files changed, 202 insertions, 125 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index 6675bac142..65a24d0ccc 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -962,23 +962,32 @@ module ChefConfig
#
default :no_lazy_load, true
- # A whitelisted array of attributes you want sent over the wire when node
- # data is saved. The default setting is nil, which collects all data. Setting
- # to [] will not collect any data for save.
- #
- default :automatic_attribute_whitelist, nil
- default :default_attribute_whitelist, nil
- default :normal_attribute_whitelist, nil
- default :override_attribute_whitelist, nil
-
- # A blacklisted array of attributes you do not want to send over the
+ # A array of attributes you want sent over the wire when node
+ # data is saved. The default setting is nil, which collects all data.
+ # NOTE: Setting to [] will not collect ANY data to save.
+ default :allowed_automatic_attributes, nil
+ default :allowed_default_attributes, nil
+ default :allowed_normal_attributes, nil
+ default :allowed_override_attributes, nil
+
+ # An array of attributes you do not want to send over the
# wire when node data is saved
- # The default setting is nil, which collects all data. Setting to [] will
- # still collect all data for save
+ # The default setting is nil, which collects all data.
+ # NOTE: Setting to [] will still collect all data to save
+ default :blocked_automatic_attributes, nil
+ default :blocked_default_attributes, nil
+ default :blocked_normal_attributes, nil
+ default :blocked_override_attributes, nil
+
+ # deprecated config options that will be removed in Chef Infra Client 17
default :automatic_attribute_blacklist, nil
default :default_attribute_blacklist, nil
default :normal_attribute_blacklist, nil
default :override_attribute_blacklist, nil
+ default :automatic_attribute_whitelist, nil
+ default :default_attribute_whitelist, nil
+ default :normal_attribute_whitelist, nil
+ default :override_attribute_whitelist, nil
# Pull down all the rubygems versions from rubygems and cache them the first time we do a gem_package or
# chef_gem install. This is memory-expensive and will grow without bounds, but will reduce network
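Review bot: The comment added above the legacy keys, `# deprecated config options that will be removed in Chef Infra Client 17`, does not say which new option replaces each one or which value is used when both are set. Since these options decide which node attributes are sent to the server on save, I would spell that out, for example `# deprecated: use allowed_LEVEL_attributes / blocked_LEVEL_attributes above; a legacy value that is set is used in place of the new one` (the precedence is as implemented in lib/chef/node.rb in this commit). The first new comment line also reads "A array" and should be `# An array of attributes you want sent over the wire when node`. The enclosing `module ChefConfig` block starts and ends outside the hunk.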
diff --git a/cspell.json b/cspell.json
index 30f26af8b0..71d2d6328f 100644
--- a/cspell.json
+++ b/cspell.json
@@ -14,21 +14,16 @@
"dictionaries": ["chef"],
// words - list of words to be always considered correct
"words": [
- "aarch",
"abcz",
"Abdulin",
"ABORTIFHUNG",
"ACCOUNTDISABLE",
- "ACLs",
- "ACPI",
"activationkey",
"ADAP",
"addlock",
"addrs",
- "Adhoc",
"ADMINI",
"adminonly",
- "ADODB",
"advapi",
"Afonov",
"agrs",
@@ -42,6 +37,10 @@
"Albertson",
"Algorta",
"Alloc",
+ "allowlist",
+ "allowlisted",
+ "allowlisting",
+ "allowlists",
"allowselfservice",
"allprofiles",
"alnum",
@@ -65,7 +64,6 @@
"arry",
"Arțăriși",
"artem",
- "asdf",
"Ásgeirsson",
"Ashwini",
"ASSIGNPRIMARYTOKEN",
@@ -73,8 +71,6 @@
"astring",
"attribs",
"attrname",
- "auditd",
- "auditpol",
"AUTHN",
"AUTHROOT",
"AUTHZ",
@@ -134,19 +130,18 @@
"bitmask",
"bkup",
"blockdev",
+ "blocklist",
+ "blocklisted",
+ "blocklists",
"bmhatfield",
"bobberson",
"bobchaos",
"bobo",
"bobotclown",
- "boostrap",
- "bootp",
"bootproto",
"bootstrapper",
"bootstrappers",
"borat",
- "Botman",
- "Brightcove",
"Brimager",
"brodock",
"bsearch",
@@ -163,9 +158,7 @@
"busybox",
"bypassproxy",
"bytesize",
- "bzip",
"cabfile",
- "cacert",
"cacerts",
"Calastone",
"CALLGATE",
@@ -190,7 +183,6 @@
"cfprefsd",
"cgroup",
"chadmccune",
- "Chamberland",
"Chaput",
"chardev",
"chatops",
@@ -208,14 +200,11 @@
"chefdk",
"cheffish",
"cheffs",
- "chefignore",
"Chefignore",
"chefignored",
"chefignores",
"chefscriptresult",
"CHEFSERVERURL",
- "chefspec",
- "chefstyle",
"cheftest",
"CHEFUTILS",
"chefzero",
@@ -224,18 +213,9 @@
"chgrpmem",
"chilcote",
"CHINESEBIG",
- "Chisamore",
"chkconfig",
"CHKCONFIG",
- "chmod",
- "choco",
"Chouhan",
- "chown",
- "chpasswd",
- "chroot",
- "chuser",
- "cidr",
- "cinc",
"ckbk",
"cksum",
"cleanpath",
@@ -248,10 +228,6 @@
"clientname",
"CLOEXEC",
"Cloke",
- "cloudera",
- "Cloudera",
- "cmdlet",
- "Cmdlet",
"cmdlets",
"cmds",
"CMDS",
@@ -303,7 +279,6 @@
"cpjones",
"CPPFLAGS",
"Crae",
- "Cragun",
"CREAT",
"createhomedir",
"Createobject",
@@ -326,13 +301,8 @@
"Cxxx",
"dacl",
"Daemonization",
- "daemonize",
- "daemonized",
"daemonizing",
"Daemonizing",
- "damacus",
- "danielfloyd",
- "Danna",
"databag",
"databags",
"Datacenter",
@@ -389,12 +359,8 @@
"DFSR",
"dgrade",
"dgreeninger",
- "Dhanesh",
- "DHCP",
- "Dheeraj",
"dhparam",
"Dialup",
- "Dibowitz",
"DIDNT",
"diffable",
"Diffie",
@@ -409,13 +375,11 @@
"distro",
"distros",
"DMGs",
- "dmidecode",
"docgen",
"dockerd",
"dockerenv",
"dockerignore",
"dockerinit",
- "Doherty",
"dokken",
"Dokken",
"domainandname",
@@ -433,8 +397,6 @@
"downcases",
"downto",
"DPAPI",
- "Dpkg",
- "dracut",
"dragonflybsd",
"dragonsmith",
"Dreamcat",
@@ -516,7 +478,6 @@
"executables",
"executionpolicy",
"execvp",
- "exherbo",
"exitcode",
"exitstatus",
"EXTGLOB",
@@ -533,7 +494,6 @@
"falsey",
"FAPI",
"fastestmirror",
- "fastmsi",
"fastrestart",
"faststart",
"faststop",
@@ -580,15 +540,8 @@
"forwardable",
"Forwardable",
"forwardslashes",
- "fqdn",
- "FQDN",
"fqdns",
- "freakinhippie",
- "freebsd",
- "fsck",
"FSCTL",
- "fstab",
- "fstype",
"fsync",
"FUGLY",
"fullpath",
diff --git a/lib/chef/whitelist.rb b/lib/chef/attribute_allowlist.rb
index 8309580e81..18665ce835 100644
--- a/lib/chef/whitelist.rb
+++ b/lib/chef/attribute_allowlist.rb
@@ -2,14 +2,14 @@
require_relative "exceptions"
class Chef
- class Whitelist
+ class AttributeAllowlist
- # filter takes two arguments - the data you want to filter, and a whitelisted array
- # of keys you want included. You can capture a subtree of the data to filter by
+ # filter takes two arguments - the data you want to filter, and an array of
+ # keys you want included. You can capture a subtree of the data to filter by
# providing a "/"-delimited string of keys. If some key includes "/"-characters,
# you must provide an array of keys instead.
#
- # Whitelist.filter(
+ # AttributeAllowlist.filter(
# { "filesystem" => {
# "/dev/disk" => {
# "size" => "10mb"
@@ -27,18 +27,18 @@ class Chef
# },
# ["network/interfaces/eth0", ["filesystem", "/dev/disk"]])
# will capture the eth0 and /dev/disk subtrees.
- def self.filter(data, whitelist = nil)
- return data if whitelist.nil?
+ def self.filter(data, allowlist = nil)
+ return data if allowlist.nil?
new_data = {}
- whitelist.each do |item|
+ allowlist.each do |item|
add_data(data, new_data, item)
end
new_data
end
- # Walk the data has according to the keys provided by the whitelisted item
- # and add the data to the whitelisting result.
+ # Walk the data has according to the keys provided by the allowlisted item
+ # and add the data to the allowlisting result.
def self.add_data(data, new_data, item)
parts = to_array(item)
@@ -46,7 +46,7 @@ class Chef
filtered_data = new_data
parts[0..-2].each do |part|
unless all_data.key?(part)
- Chef::Log.warn("Could not find whitelist attribute #{item}.")
+ Chef::Log.warn("Could not find allowlist attribute #{item}.")
return nil
end
@@ -58,7 +58,7 @@ class Chef
# Note: You can't do all_data[parts[-1]] here because the value
# may be false-y
unless all_data.key?(parts[-1])
- Chef::Log.warn("Could not find whitelist attribute #{item}.")
+ Chef::Log.warn("Could not find allowlist attribute #{item}.")
return nil
end
diff --git a/lib/chef/blacklist.rb b/lib/chef/attribute_blocklist.rb
index b6c441e460..929d3dfa36 100644
--- a/lib/chef/blacklist.rb
+++ b/lib/chef/attribute_blocklist.rb
@@ -2,14 +2,14 @@
require_relative "exceptions"
class Chef
- class Blacklist
+ class AttributeBlocklist
- # filter takes two arguments - the data you want to filter, and a blacklisted array
+ # filter takes two arguments - the data you want to filter, and an array
# of keys you want discarded. You can capture a subtree of the data to filter by
# providing a "/"-delimited string of keys. If some key includes "/"-characters,
# you must provide an array of keys instead.
#
- # Blacklist.filter(
+ # AttributeBlocklist.filter(
# { "filesystem" => {
# "/dev/disk" => {
# "size" => "10mb"
@@ -27,17 +27,17 @@ class Chef
# },
# ["network/interfaces/eth0", ["filesystem", "/dev/disk"]])
# will exclude the eth0 and /dev/disk subtrees.
- def self.filter(data, blacklist = nil)
- return data if blacklist.nil?
+ def self.filter(data, blocklist = nil)
+ return data if blocklist.nil?
- blacklist.each do |item|
+ blocklist.each do |item|
Chef::Log.warn("Removing item #{item}")
remove_data(data, item)
end
data
end
- # Walk the data according to the keys provided by the blacklisted item
+ # Walk the data according to the keys provided by the blocklisted item
# to get a reference to the item that will be removed.
def self.remove_data(data, item)
parts = to_array(item)
@@ -45,7 +45,7 @@ class Chef
item_ref = data
parts[0..-2].each do |part|
unless item_ref[part]
- Chef::Log.warn("Could not find blacklist attribute #{item}.")
+ Chef::Log.warn("Could not find blocklist attribute #{item}.")
return nil
end
@@ -53,7 +53,7 @@ class Chef
end
unless item_ref.key?(parts[-1])
- Chef::Log.warn("Could not find blacklist attribute #{item}.")
+ Chef::Log.warn("Could not find blocklist attribute #{item}.")
return nil
end
diff --git a/lib/chef/deprecated.rb b/lib/chef/deprecated.rb
index 4a2ac69b04..1d167d7aca 100644
--- a/lib/chef/deprecated.rb
+++ b/lib/chef/deprecated.rb
@@ -245,6 +245,10 @@ class Chef
target 31
end
+ class AttributeBlacklistConfiguration < Base
+ target 32
+ end
+
class Generic < Base
def url
"https://docs.chef.io/chef_deprecations_client/"
diff --git a/lib/chef/node.rb b/lib/chef/node.rb
index e757e93d77..d569eeda38 100644
--- a/lib/chef/node.rb
+++ b/lib/chef/node.rb
@@ -34,8 +34,8 @@ require_relative "node/attribute"
require_relative "mash"
require_relative "json_compat"
require_relative "search/query"
-require_relative "whitelist"
-require_relative "blacklist"
+require_relative "attribute_allowlist"
+require_relative "attribute_blocklist"
class Chef
class Node
@@ -706,21 +706,45 @@ class Chef
end
end
+ # a method to handle the renamed configuration from whitelist -> allowed
+ # and to throw a deprecation warning when the old configuration is set
+ #
+ # @param [String] level the attribute level
+ def allowlist_or_whitelist_config(level)
+ if Chef::Config["#{level}_attribute_whitelist".to_sym]
+ Chef.deprecated(:attribute_blacklist_configuration, "Attribute whitelist configurations have been deprecated. Use the allowed_LEVEL_attribute configs instead")
+ Chef::Config["#{level}_attribute_whitelist".to_sym]
+ else
+ Chef::Config["allowed_#{level}_attributes".to_sym]
+ end
+ end
+
+ # a method to handle the renamed configuration from blacklist -> blocked
+ # and to throw a deprecation warning when the old configuration is set
+ #
+ # @param [String] level the attribute level
+ def blocklist_or_blacklist_config(level)
+ if Chef::Config["#{level}_attribute_blacklist".to_sym]
+ Chef.deprecated(:attribute_blacklist_configuration, "Attribute blacklist configurations have been deprecated. Use the blocked_LEVEL_attribute configs instead")
+ Chef::Config["#{level}_attribute_blacklist".to_sym]
+ else
+ Chef::Config["blocked_#{level}_attributes".to_sym]
+ end
+ end
+
def data_for_save
data = for_json
%w{automatic default normal override}.each do |level|
- whitelist_config_option = "#{level}_attribute_whitelist".to_sym
- whitelist = Chef::Config[whitelist_config_option]
- unless whitelist.nil? # nil => save everything
- logger.info("Whitelisting #{level} node attributes for save.")
- data[level] = Chef::Whitelist.filter(data[level], whitelist)
+ allowlist = allowlist_or_whitelist_config(level)
+ unless allowlist.nil? # nil => save everything
+ logger.info("Allowing #{level} node attributes for save.")
+ data[level] = Chef::AttributeAllowlist.filter(data[level], allowlist)
end
- blacklist_config_option = "#{level}_attribute_blacklist".to_sym
- blacklist = Chef::Config[blacklist_config_option]
- unless blacklist.nil? # nil => remove nothing
- logger.info("Blacklisting #{level} node attributes for save")
- data[level] = Chef::Blacklist.filter(data[level], blacklist)
+ blocklist = blocklist_or_blacklist_config(level)
+ unless blocklist.nil? # nil => remove nothing
+ logger.info("Blocking #{level} node attributes for save")
+ data[level] = Chef::AttributeBlocklist.filter(data[level], blocklist)
end
end
data
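Review bot: The deprecation text in both new helpers names settings that the code does not read: it says `allowed_LEVEL_attribute` and `blocked_LEVEL_attribute`, while the keys looked up two lines below are `allowed_#{level}_attributes` and `blocked_#{level}_attributes`. An operator who copies the name from the message would presumably set a key that is never consulted, so the filter they meant to apply on save would not take effect; the messages should end `Use the allowed_LEVEL_attributes configs instead` and `Use the blocked_LEVEL_attributes configs instead`. When a legacy value and its replacement are both set, the helpers return only the legacy one, so entries listed only under `blocked_*_attributes` would still be sent to the server; a warning for that case, or at least a comment such as `# a set legacy value takes precedence over the new option`, would make it visible. `allowlist_or_whitelist_config` also raises `:attribute_blacklist_configuration`, which is worth a one-line comment saying the shared key is intentional. `data_for_save` ends outside the hunk.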
diff --git a/lib/chef/node_map.rb b/lib/chef/node_map.rb
index dcf6e8969c..30a0ed6c4e 100644
--- a/lib/chef/node_map.rb
+++ b/lib/chef/node_map.rb
@@ -212,7 +212,7 @@ class Chef
# - no negative matches (!value)
# - at least one positive match (value or :all), or no positive filters
#
- def matches_black_white_list?(node, filters, attribute)
+ def matches_block_allow_list?(node, filters, attribute)
# It's super common for the filter to be nil. Catch that so we don't
# spend any time here.
return true unless filters[attribute]
@@ -220,21 +220,21 @@ class Chef
filter_values = Array(filters[attribute])
value = node[attribute]
- # Split the blacklist and whitelist
- blacklist, whitelist = filter_values.partition { |v| v.is_a?(String) && v.start_with?("!") }
+ # Split the blocklist and allowlist
+ blocklist, allowlist = filter_values.partition { |v| v.is_a?(String) && v.start_with?("!") }
if attribute == :platform_family
- # If any blacklist value matches, we don't match
- return false if blacklist.any? { |v| v[1..-1] == value || platform_family_query_helper?(node, v[1..-1]) }
+ # If any blocklist value matches, we don't match
+ return false if blocklist.any? { |v| v[1..-1] == value || platform_family_query_helper?(node, v[1..-1]) }
- # If the whitelist is empty, or anything matches, we match.
- whitelist.empty? || whitelist.any? { |v| v == :all || v == value || platform_family_query_helper?(node, v) }
+ # If the allowlist is empty, or anything matches, we match.
+ allowlist.empty? || allowlist.any? { |v| v == :all || v == value || platform_family_query_helper?(node, v) }
else
- # If any blacklist value matches, we don't match
- return false if blacklist.any? { |v| v[1..-1] == value }
+ # If any blocklist value matches, we don't match
+ return false if blocklist.any? { |v| v[1..-1] == value }
- # If the whitelist is empty, or anything matches, we match.
- whitelist.empty? || whitelist.any? { |v| v == :all || v == value }
+ # If the allowlist is empty, or anything matches, we match.
+ allowlist.empty? || allowlist.any? { |v| v == :all || v == value }
end
end
@@ -263,9 +263,9 @@ class Chef
end
def filters_match?(node, filters)
- matches_black_white_list?(node, filters, :os) &&
- matches_black_white_list?(node, filters, :platform_family) &&
- matches_black_white_list?(node, filters, :platform) &&
+ matches_block_allow_list?(node, filters, :os) &&
+ matches_block_allow_list?(node, filters, :platform_family) &&
+ matches_block_allow_list?(node, filters, :platform) &&
matches_version_list?(node, filters, :platform_version) &&
matches_target_mode?(filters)
end
@@ -314,8 +314,8 @@ class Chef
return -1 if !b && a
return 0 if !a && !b
- # Check for blacklists ('!windows'). Those always come *after* positive
- # whitelists.
+ # Check for blocklists ('!windows'). Those always come *after* positive
+ # allowlists.
a_negated = Array(a).any? { |f| f.is_a?(String) && f.start_with?("!") }
b_negated = Array(b).any? { |f| f.is_a?(String) && f.start_with?("!") }
return 1 if a_negated && !b_negated
diff --git a/spec/unit/node_spec.rb b/spec/unit/node_spec.rb
index f2a5528b52..55a858ce04 100644
--- a/spec/unit/node_spec.rb
+++ b/spec/unit/node_spec.rb
@@ -1483,9 +1483,9 @@ describe Chef::Node do
end
end
- context "with whitelisted attributes configured" do
- it "should only save whitelisted attributes (and subattributes)" do
- Chef::Config[:default_attribute_whitelist] = [
+ context "with allowed attributes configured" do
+ it "should only save allowed attributes (and subattributes)" do
+ Chef::Config[:allowed_default_attributes] = [
["filesystem", "/dev/disk0s2"],
"network/interfaces/eth0",
]
@@ -1525,8 +1525,8 @@ describe Chef::Node do
node.save
end
- it "should save false-y whitelisted attributes" do
- Chef::Config[:default_attribute_whitelist] = [
+ it "should save false-y allowed attributes" do
+ Chef::Config[:allowed_default_attributes] = [
"foo/bar/baz",
]
@@ -1560,8 +1560,8 @@ describe Chef::Node do
node.save
end
- it "should not save any attributes if the whitelist is empty" do
- Chef::Config[:default_attribute_whitelist] = []
+ it "should not save any attributes if the allowed is empty" do
+ Chef::Config[:allowed_default_attributes] = []
node.default = {
"filesystem" => {
@@ -1583,8 +1583,52 @@ describe Chef::Node do
end
end
- context "with blacklisted attributes configured" do
- it "should only save non-blacklisted attributes (and subattributes)" do
+ context "with deprecated whitelist attributes configured" do
+ it "should only save allowed attributes (and subattributes)" do
+ Chef::Config[:default_attribute_whitelist] = [
+ ["filesystem", "/dev/disk0s2"],
+ "network/interfaces/eth0",
+ ]
+
+ node.default = {
+ "filesystem" => {
+ "/dev/disk0s2" => { "size" => "10mb" },
+ "map - autohome" => { "size" => "10mb" },
+ },
+ "network" => {
+ "interfaces" => {
+ "eth0" => {},
+ "eth1" => {},
+ },
+ },
+ }
+ node.automatic = {}
+ node.normal = {}
+ node.override = {}
+
+ selected_data = {
+ "default" => {
+ "filesystem" => {
+ "/dev/disk0s2" => { "size" => "10mb" },
+ },
+ "network" => {
+ "interfaces" => {
+ "eth0" => {},
+ },
+ },
+ },
+ "automatic" => {}, "normal" => {}, "override" => {}
+ }
+
+ node.name("picky-monkey")
+ Chef::Config[:treat_deprecation_warnings_as_errors] = false
+ expect(@rest).to receive(:put).with("nodes/picky-monkey", hash_including(selected_data)).and_return("foo")
+ node.save
+ end
+ end
+
+ context "with deprecated blacklist attributes configured" do
+ it "should only save non-blocklisted attributes (and subattributes)" do
Chef::Config[:default_attribute_blacklist] = [
["filesystem", "/dev/disk0s2"],
"network/interfaces/eth0",
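Review bot: The new "with deprecated whitelist attributes configured" example turns off `treat_deprecation_warnings_as_errors` but never asserts that a deprecation is raised, so it would still pass if `allowlist_or_whitelist_config` stopped warning. An expectation such as `expect(Chef).to receive(:deprecated).with(:attribute_blacklist_configuration, /whitelist/)` before `node.save` would pin that behaviour; the deprecated blacklist context that begins at the end of this hunk and continues in the next has the same gap. There is also no example with a legacy key and its replacement both set, which is the case where the helpers' precedence decides what is sent to the server.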
@@ -1620,12 +1664,55 @@ describe Chef::Node do
"automatic" => {}, "normal" => {}, "override" => {}
}
node.name("picky-monkey")
+ Chef::Config[:treat_deprecation_warnings_as_errors] = false
+ expect(@rest).to receive(:put).with("nodes/picky-monkey", hash_including(selected_data)).and_return("foo")
+ node.save
+ end
+ end
+
+ context "with blocklisted attributes configured" do
+ it "should only save non-blocklisted attributes (and subattributes)" do
+ Chef::Config[:blocked_default_attributes] = [
+ ["filesystem", "/dev/disk0s2"],
+ "network/interfaces/eth0",
+ ]
+
+ node.default = {
+ "filesystem" => {
+ "/dev/disk0s2" => { "size" => "10mb" },
+ "map - autohome" => { "size" => "10mb" },
+ },
+ "network" => {
+ "interfaces" => {
+ "eth0" => {},
+ "eth1" => {},
+ },
+ },
+ }
+ node.automatic = {}
+ node.normal = {}
+ node.override = {}
+
+ selected_data = {
+ "default" => {
+ "filesystem" => {
+ "map - autohome" => { "size" => "10mb" },
+ },
+ "network" => {
+ "interfaces" => {
+ "eth1" => {},
+ },
+ },
+ },
+ "automatic" => {}, "normal" => {}, "override" => {}
+ }
+ node.name("picky-monkey")
expect(@rest).to receive(:put).with("nodes/picky-monkey", hash_including(selected_data)).and_return("foo")
node.save
end
- it "should save all attributes if the blacklist is empty" do
- Chef::Config[:default_attribute_blacklist] = []
+ it "should save all attributes if the blocklist is empty" do
+ Chef::Config[:blocked_default_attributes] = []
node.default = {
"filesystem" => {