diff options
author | danielsdeleo <dan@opscode.com> | 2014-01-17 18:32:26 -0800 |
---|---|---|
committer | danielsdeleo <dan@opscode.com> | 2014-01-22 15:14:13 -0800 |
commit | 8cf6427638d3d4f50a984d5a9c204d85f275c7bd (patch) | |
tree | 54c9c61b6fe0d7422eff47bdc620fa6928808e3f | |
parent | bd82d42a1f5198f6f712529991e070ce9b9d79a2 (diff) | |
download | chef-8cf6427638d3d4f50a984d5a9c204d85f275c7bd.tar.gz |
Add Policyfile-based policy builder for chef-client
NB: This is experimental and a bit of a hack. There is no server-side
support, so interactions with the server are coded in a "compatibility
mode" using data bag items and Chef 11 style cookbook version APIs.
The Policyfile PolicyBuilder uses a single document from the server as
the authoritative cookbook version set and expanded run list. Enabling
it will disable support for environments and roles. In addition,
chef-solo and override run lists are currently unsupported, though they
could be supported in the future.
-rw-r--r-- | lib/chef/policy_builder.rb | 1 | ||||
-rw-r--r-- | lib/chef/policy_builder/policyfile.rb | 317 | ||||
-rw-r--r-- | spec/unit/policy_builder/policyfile_spec.rb | 344 |
3 files changed, 662 insertions, 0 deletions
diff --git a/lib/chef/policy_builder.rb b/lib/chef/policy_builder.rb index d24681a1ad..2ba3cf839e 100644 --- a/lib/chef/policy_builder.rb +++ b/lib/chef/policy_builder.rb @@ -17,6 +17,7 @@ # require 'chef/policy_builder/expand_node_object' +require 'chef/policy_builder/policyfile' class Chef diff --git a/lib/chef/policy_builder/policyfile.rb b/lib/chef/policy_builder/policyfile.rb new file mode 100644 index 0000000000..9460302edc --- /dev/null +++ b/lib/chef/policy_builder/policyfile.rb @@ -0,0 +1,317 @@ +# +# Author:: Adam Jacob (<adam@opscode.com>) +# Author:: Tim Hinderliter (<tim@opscode.com>) +# Author:: Christopher Walters (<cw@opscode.com>) +# Author:: Daniel DeLeo (<dan@getchef.com>) +# Copyright:: Copyright 2008-2014 Chef Software, Inc. +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require 'chef/log' +require 'chef/rest' +require 'chef/run_context' +require 'chef/config' +require 'chef/node' + +class Chef + module PolicyBuilder + + # Policyfile is an experimental policy builder implementation that gets run + # list and cookbook version information from a single document. + # + # == WARNING + # This implementation is experimental. It may be changed in incompatible + # ways in minor or even patch releases, or even abandoned altogether. If + # using this with other tools, you may be forced to upgrade those tools in + # lockstep with chef-client because of incompatible behavior changes. + # + # == Unsupported Options: + # * override_runlist:: This could potentially be integrated into the + # policyfile, or replaced with a similar feature that has different + # semantics. + # * specific_recipes:: put more design thought into this use case. + # * run_list in json_attribs:: would be ignored anyway, so it raises an error. + # * chef-solo:: not currently supported. Need more design thought around + # how this should work. + class Policyfile + + class UnsupportedFeature < StandardError; end + + class PolicyfileError < StandardError; end + + RunListExpansionIsh = Struct.new(:recipes) + + attr_reader :events + attr_reader :node + attr_reader :node_name + attr_reader :ohai_data + attr_reader :json_attribs + attr_reader :run_context + + def initialize(node_name, ohai_data, json_attribs, override_runlist, events) + @node_name = node_name + @ohai_data = ohai_data + @json_attribs = json_attribs + @events = events + + @node = nil + + Chef::Log.warn("Using experimental Policyfile feature") + + if Chef::Config[:solo] + raise UnsupportedFeature, "Policyfile does not support chef-solo at this time." + end + + if override_runlist + raise UnsupportedFeature, "Policyfile does not support override run lists at this time" + end + + if json_attribs && json_attribs.key?("run_list") + raise UnsupportedFeature, "Policyfile does not support setting the run_list in json data at this time" + end + + if Chef::Config[:environment] && !Chef::Config[:environment].chop.empty? + raise UnsupportedFeature, "Policyfile does not work with Chef Environments" + end + end + + ## API Compat ## + # Methods related to unsupported features + + # Override run_list is not supported. + def original_runlist + nil + end + + # Override run_list is not supported. + def override_runlist + nil + end + + # Policyfile gives you the run_list already expanded, no expansion is + # performed here. + def run_list_expansion + nil + end + + ## PolicyBuilder API ## + + # Loads the node state from the server. + def load_node + events.node_load_start(node_name, Chef::Config) + Chef::Log.debug("Building node object for #{node_name}") + + @node = Chef::Node.find_or_create(node_name) + validate_policyfile + node + rescue Exception => e + events.node_load_failed(node_name, e, Chef::Config) + raise + end + + # Applies environment, external JSON attributes, and override run list to + # the node, Then expands the run_list. + # + # === Returns + # node<Chef::Node>:: The modified node object. node is modified in place. + def build_node + # consume_external_attrs may add items to the run_list. Save the + # expanded run_list, which we will pass to the server later to + # determine which versions of cookbooks to use. + node.reset_defaults_and_overrides + + node.consume_external_attrs(ohai_data, json_attribs) + + apply_policyfile_attributes + + Chef::Log.info("Run List is [#{run_list}]") + Chef::Log.info("Run List expands to [#{run_list_with_versions_for_display.join(', ')}]") + + + events.node_load_completed(node, run_list_with_versions_for_display, Chef::Config) + + node + rescue Exception => e + events.node_load_failed(node_name, e, Chef::Config) + raise + end + + def setup_run_context(specific_recipes=nil) + # TODO: This file vendor stuff is duplicated and initializing it with a + # block traps a reference to this object in a global context which will + # prevent it from getting GC'd. Simplify it. + Chef::Cookbook::FileVendor.on_create { |manifest| Chef::Cookbook::RemoteFileVendor.new(manifest, api_service) } + sync_cookbooks + cookbook_collection = Chef::CookbookCollection.new(cookbooks_to_sync) + run_context = Chef::RunContext.new(node, cookbook_collection, events) + + run_context.load(run_list_expansion_ish) + + run_context + end + + ## Internal Public API ## + + def sync_cookbooks + Chef::Log.debug("Synchronizing cookbooks") + synchronizer = Chef::CookbookSynchronizer.new(cookbooks_to_sync, events) + synchronizer.sync_cookbooks + + # register the file cache path in the cookbook path so that CookbookLoader actually picks up the synced cookbooks + Chef::Config[:cookbook_path] = File.join(Chef::Config[:file_cache_path], "cookbooks") + + cookbooks_to_sync + end + + + def run_list_with_versions_for_display + run_list.map do |recipe_spec| + cookbook, recipe = parse_recipe_spec(recipe_spec) + lock_data = cookbook_lock_for(cookbook) + display = "#{cookbook}::#{recipe}@#{lock_data["version"]} (#{lock_data["identifier"][0...7]})" + display + end + end + + def run_list_expansion_ish + recipes = run_list.map do |recipe_spec| + cookbook, recipe = parse_recipe_spec(recipe_spec) + "#{cookbook}::#{recipe}" + end + RunListExpansionIsh.new(recipes) + end + + def apply_policyfile_attributes + node.run_list(run_list) + node.attributes.role_default = policy["default_attributes"] + node.attributes.role_override = policy["override_attributes"] + end + + def parse_recipe_spec(recipe_spec) + rmatch = recipe_spec.match(/recipe\[([^:]+)::([^:]+)\]/) + if rmatch.nil? + raise PolicyfileError, "invalid recipe specification #{recipe_spec} in Policyfile from #{policyfile_location}" + else + [rmatch[1], rmatch[2]] + end + end + + def cookbook_lock_for(cookbook_name) + cookbook_locks[cookbook_name] + end + + def run_list + policy["run_list"] + end + + def policy + @policy ||= http_api.get(policyfile_location) + end + + def policyfile_location + "data/policyfiles/#{deployment_group}" + end + + # Do some mimimal validation of the policyfile we fetched from the + # server. Compatibility mode relies on using data bags to store policy + # files; therefore no real validation will be performed server-side and + # we need to make additional checks to ensure the data will be formatted + # correctly. + def validate_policyfile + errors = [] + unless run_list + errors << "Policyfile is missing run_list element" + end + unless policy.key?("cookbook_locks") + errors << "Policyfile is missing cookbook_locks element" + end + if run_list.kind_of?(Array) + run_list_errors = run_list.select do |maybe_recipe_spec| + validate_recipe_spec(maybe_recipe_spec) + end + errors += run_list_errors + else + errors << "Policyfile run_list is malformed, must be an array of `recipe[cb_name::recipe_name]` items: #{policy["run_list"]}" + end + + unless errors.empty? + raise PolicyfileError, "Policyfile fetched from #{policyfile_location} was invalid:\n#{errors.join("\n")}" + end + end + + def validate_recipe_spec(recipe_spec) + parse_recipe_spec(recipe_spec) + nil + rescue PolicyfileError => e + e.message + end + + class ConfigurationError < StandardError; end + + def deployment_group + Chef::Config[:deployment_group] or + raise ConfigurationError, "Setting `deployment_group` is not configured." + end + + # Builds a 'cookbook_hash' map of the form + # "COOKBOOK_NAME" => "IDENTIFIER" + # + # This can be passed to a Chef::CookbookSynchronizer object to + # synchronize the cookbooks. + # + # TODO: Currently this makes N API calls to the server to get the + # cookbook objects. With server support (bulk API or the like), this + # should be reduced to a single call. + def cookbooks_to_sync + @cookbook_to_sync ||= begin + events.cookbook_resolution_start(run_list_with_versions_for_display) + + cookbook_versions_by_name = cookbook_locks.inject({}) do |cb_map, (name, lock_data)| + cb_map[name] = manifest_for(name, lock_data) + cb_map + end + events.cookbook_resolution_complete(cookbook_versions_by_name) + + cookbook_versions_by_name + end + rescue Exception => e + # TODO: wrap/munge exception to provide helpful error output + events.cookbook_resolution_failed(run_list_with_versions_for_display, e) + raise + end + + # Fetches the CookbookVersion object for the given name and identifer + # specified in the lock_data. + # TODO: This only implements Chef 11 compatibility mode, which means that + # cookbooks are fetched by the "dotted_decimal_identifier": a + # representation of a SHA1 in the traditional x.y.z version format. + def manifest_for(cookbook_name, lock_data) + xyz_version = lock_data["dotted_decimal_identifier"] + http_api.get("cookbooks/#{cookbook_name}/#{xyz_version}") + end + + def cookbook_locks + policy["cookbook_locks"] + end + + def http_api + @api_service ||= Chef::REST.new(config[:chef_server_url]) + end + + + end + end +end + diff --git a/spec/unit/policy_builder/policyfile_spec.rb b/spec/unit/policy_builder/policyfile_spec.rb new file mode 100644 index 0000000000..7f11cb2e65 --- /dev/null +++ b/spec/unit/policy_builder/policyfile_spec.rb @@ -0,0 +1,344 @@ +# +# Author:: Daniel DeLeo (<dan@getchef.com>) +# Copyright:: Copyright 2014 Chef Software, Inc. +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require 'spec_helper' +require 'chef/policy_builder' + +describe Chef::PolicyBuilder::Policyfile do + + let(:node_name) { "joe_node" } + let(:ohai_data) { {"platform" => "ubuntu", "platform_version" => "13.04", "fqdn" => "joenode.example.com"} } + let(:json_attribs) { {"custom_attr" => "custom_attr_value"} } + let(:override_runlist) { nil } + let(:events) { Chef::EventDispatch::Dispatcher.new } + let(:policy_builder) { Chef::PolicyBuilder::Policyfile.new(node_name, ohai_data, json_attribs, override_runlist, events) } + + # Convert a SHA1 (160 bit) hex string into an x.y.z version number where the + # maximum value is smaller than a postgres BIGINT (signed 64bit, so 63 usable + # bits). This requires enterprise Chef or open source server 11.1.0+ (currently not released) + # + # The SHA1 is devided as follows: + # * "major": first 14 chars (56 bits) + # * "minor": next 14 chars (56 bits) + # * "patch": last 12 chars (48 bits) + def id_to_dotted(sha1_id) + major = sha1_id[0...14] + minor = sha1_id[14...28] + patch = sha1_id[28..40] + decimal_integers =[major, minor, patch].map {|hex| hex.to_i(16) } + decimal_integers.join(".") + end + + + let(:example1_lock_data) do + # based on https://github.com/danielsdeleo/chef-workflow2-prototype/blob/master/skeletons/basic_policy/Policyfile.lock.json + { + "identifier" => "168d2102fb11c9617cd8a981166c8adc30a6e915", + "version" => "2.3.5", + # NOTE: for compatibility mode we include the dotted id in the policyfile to enhance discoverability. + "dotted_decimal_identifier" => id_to_dotted("168d2102fb11c9617cd8a981166c8adc30a6e915"), + "source" => { "path" => "./cookbooks/demo" }, + "scm_identifier"=> { + "vcs"=> "git", + "rev_id"=> "9d5b09026470c322c3cb5ca8a4157c4d2f16cef3", + "remote"=> nil + } + } + end + + let(:example2_lock_data) do + { + "identifier" => "feab40e1fca77c7360ccca1481bb8ba5f919ce3a", + "version" => "4.2.0", + # NOTE: for compatibility mode we include the dotted id in the policyfile to enhance discoverability. + "dotted_decimal_identifier" => id_to_dotted("feab40e1fca77c7360ccca1481bb8ba5f919ce3a"), + "source" => { "api" => "https://community.getchef.com/api/v1/cookbooks/example2" } + } + end + + let(:policyfile_default_attributes) { {"policyfile_default_attr" => "policyfile_default_value"} } + let(:policyfile_override_attributes) { {"policyfile_override_attr" => "policyfile_override_value"} } + + let(:policyfile_run_list) { ["recipe[example1::default]", "recipe[example2::server]"] } + + let(:parsed_policyfile_json) do + { + "run_list" => policyfile_run_list, + + "cookbook_locks" => { + "example1" => example1_lock_data, + "example2" => example2_lock_data + }, + + "default_attributes" => policyfile_default_attributes, + "override_attributes" => policyfile_override_attributes + } + end + + let(:http_api) { double("Chef::REST") } + + let(:err_namespace) { Chef::PolicyBuilder::Policyfile } + + describe "reporting unsupported features" do + + def initialize_pb + Chef::PolicyBuilder::Policyfile.new(node_name, ohai_data, json_attribs, override_runlist, events) + end + + context "chef-solo" do + before { Chef::Config[:solo] = true } + + it "errors on create" do + expect { initialize_pb }.to raise_error(err_namespace::UnsupportedFeature) + end + end + + context "when given an override run_list" do + let(:override_runlist) { "recipe[foo],recipe[bar]" } + + it "errors on create" do + expect { initialize_pb }.to raise_error(err_namespace::UnsupportedFeature) + end + end + + context "when json_attribs contains a run_list" do + let(:json_attribs) { {"run_list" => []} } + + it "errors on create" do + expect { initialize_pb }.to raise_error(err_namespace::UnsupportedFeature) + end + end + + context "when an environment is configured" do + before { Chef::Config[:environment] = "blurch" } + + it "errors when an environment is configured" do + expect { initialize_pb }.to raise_error(err_namespace::UnsupportedFeature) + end + end + + end + + describe "when using compatibility mode" do + + let(:configured_environment) { nil } + + let(:override_runlist) { nil } + let(:primary_runlist) { nil } + + let(:original_default_attrs) { {"default_key" => "default_value"} } + let(:original_override_attrs) { {"override_key" => "override_value"} } + + let(:node) do + node = Chef::Node.new + node.name(node_name) + node.default_attrs = original_default_attrs + node.override_attrs = original_override_attrs + node.run_list(primary_runlist) if primary_runlist + node + end + + before do + # TODO: agree on this name and logic. + Chef::Config[:deployment_group] = "example-policy-stage" + policy_builder.stub(:http_api).and_return(http_api) + end + + context "when the deployment group cannot be loaded" do + let(:error404) { Net::HTTPServerException.new("404 message", :body) } + + before do + Chef::Node.should_receive(:find_or_create).with(node_name).and_return(node) + http_api.should_receive(:get). + with("data/policyfiles/example-policy-stage"). + and_raise(error404) + end + + it "raises an error" do + expect { policy_builder.load_node }.to raise_error(Net::HTTPServerException) + end + + it "sends error message to the event system" do + events.should_receive(:node_load_failed).with(node_name, error404, Chef::Config) + expect { policy_builder.load_node }.to raise_error(Net::HTTPServerException) + end + + end + + describe "when the deployment_group is not configured" do + before do + Chef::Config[:deployment_group] = nil + Chef::Node.should_receive(:find_or_create).with(node_name).and_return(node) + end + + it "errors while loading the node" do + expect { policy_builder.load_node }.to raise_error(err_namespace::ConfigurationError) + end + + + it "passes error information to the event system" do + # TODO: also make sure something acceptable happens with the error formatters + err_class = err_namespace::ConfigurationError + events.should_receive(:node_load_failed).with(node_name, an_instance_of(err_class), Chef::Config) + expect { policy_builder.load_node }.to raise_error(err_class) + end + end + + context "and a deployment_group is configured" do + before do + http_api.should_receive(:get).with("data/policyfiles/example-policy-stage").and_return(parsed_policyfile_json) + end + + it "fetches the policy file from a data bag item" do + expect(policy_builder.policy).to eq(parsed_policyfile_json) + end + + it "extracts the run_list from the policyfile" do + expect(policy_builder.run_list).to eq(policyfile_run_list) + end + + it "extracts the cookbooks and versions for display from the policyfile" do + expected = [ + "example1::default@2.3.5 (168d210)", + "example2::server@4.2.0 (feab40e)" + ] + + expect(policy_builder.run_list_with_versions_for_display).to eq(expected) + end + + it "generates a RunListExpansion-alike object for feeding to the CookbookCompiler" do + expect(policy_builder.run_list_expansion_ish).to respond_to(:recipes) + expect(policy_builder.run_list_expansion_ish.recipes).to eq(["example1::default", "example2::server"]) + end + + + describe "validating the Policyfile.lock" do + + it "errors if the policyfile json contains any non-recipe items" do + parsed_policyfile_json["run_list"] = ["role[foo]"] + expect { policy_builder.validate_policyfile }.to raise_error(err_namespace::PolicyfileError) + end + + it "errors if the policyfile json contains non-fully qualified recipe items" do + parsed_policyfile_json["run_list"] = ["recipe[foo]"] + expect { policy_builder.validate_policyfile }.to raise_error(err_namespace::PolicyfileError) + end + + it "errors if the policyfile doesn't have a run_list key" do + parsed_policyfile_json.delete("run_list") + expect { policy_builder.validate_policyfile }.to raise_error(err_namespace::PolicyfileError) + end + + it "error if the policyfile doesn't have a cookbook_locks key" do + parsed_policyfile_json.delete("cookbook_locks") + expect { policy_builder.validate_policyfile }.to raise_error(err_namespace::PolicyfileError) + end + + it "accepts a valid policyfile" do + policy_builder.validate_policyfile + end + + end + + describe "building the node object" do + + before do + Chef::Node.should_receive(:find_or_create).with(node_name).and_return(node) + + policy_builder.load_node + policy_builder.build_node + end + + it "resets default and override data" do + expect(node["default_key"]).to be_nil + expect(node["override_key"]).to be_nil + end + + it "applies ohai data" do + expect(node.automatic_attrs).to eq(ohai_data) + end + + it "applies attributes from json file" do + expect(node["custom_attr"]).to eq("custom_attr_value") + end + + it "applies attributes from the policyfile" do + expect(node["policyfile_default_attr"]).to eq("policyfile_default_value") + expect(node["policyfile_override_attr"]).to eq("policyfile_override_value") + end + + it "sets the policyfile's run_list on the node object" do + expect(node.run_list).to eq(policyfile_run_list) + end + + end + + + describe "fetching the desired cookbook set" do + + let(:example1_cookbook_object) { double("Chef::CookbookVersion for example1 cookbook") } + let(:example2_cookbook_object) { double("Chef::CookbookVersion for example2 cookbook") } + + let(:expected_cookbook_hash) do + { "example1" => example1_cookbook_object, "example2" => example2_cookbook_object } + end + + let(:example1_xyz_version) { example1_lock_data["dotted_decimal_identifier"] } + let(:example2_xyz_version) { example2_lock_data["dotted_decimal_identifier"] } + + let(:cookbook_synchronizer) { double("Chef::CookbookSynchronizer") } + + before do + Chef::Node.should_receive(:find_or_create).with(node_name).and_return(node) + + policy_builder.load_node + policy_builder.build_node + + http_api.should_receive(:get).with("cookbooks/example1/#{example1_xyz_version}"). + and_return(example1_cookbook_object) + http_api.should_receive(:get).with("cookbooks/example2/#{example2_xyz_version}"). + and_return(example2_cookbook_object) + + Chef::CookbookSynchronizer.stub(:new). + with(expected_cookbook_hash, events). + and_return(cookbook_synchronizer) + end + + it "builds a Hash of the form 'cookbook_name' => Chef::CookbookVersion" do + expect(policy_builder.cookbooks_to_sync).to eq(expected_cookbook_hash) + end + + it "syncs the desired cookbooks via CookbookSynchronizer" do + cookbook_synchronizer.should_receive(:sync_cookbooks) + policy_builder.sync_cookbooks + end + + it "builds a run context" do + cookbook_synchronizer.should_receive(:sync_cookbooks) + Chef::RunContext.any_instance.should_receive(:load).with(policy_builder.run_list_expansion_ish) + run_context = policy_builder.setup_run_context + expect(run_context.node).to eq(node) + expect(run_context.cookbook_collection.keys).to match_array(["example1", "example2"]) + end + + end + end + + end + +end |