Disable audit-mode by default.

* Modify command line option --audit-mode to accept parameters enabled, disabled, or audit-only.
* Emit a warning if audit-mode is enabled or audit-only.

2 files changed, 45 insertions, 12 deletions

diff --git a/lib/chef/application/client.rb b/lib/chef/application/client.rb
index b10f818cf4..72b4848669 100644
--- a/lib/chef/application/client.rb
+++ b/lib/chef/application/client.rb
@@ -239,17 +239,10 @@ class Chef::Application::Client < Chef::Application
   end
 
   option :audit_mode,
-    :long           => "--[no-]audit-mode",
-    :description    => "If not specified, run converge and audit phase.  If true, run only audit phase.  If false, run only converge phase.",
-    :boolean        => true,
-    :proc           => lambda { |set|
-      # Convert boolean to config options of :audit_only or :disabled
-      if set
-        :audit_only
-      else
-        :disabled
-      end
-    }
+    :long           => "--audit-mode SETTING",
+    :description    => "Enable audit-mode with `enabled`. Disabled audit-mode with `disabled`. Skip converge and only audit with `audit-only`",
+    :proc           => lambda { |mode| mode.gsub("-", "_").to_sym },
+    :default        => :disabled
 
   IMMEDIATE_RUN_SIGNAL = "1".freeze
 
@@ -288,6 +281,19 @@ class Chef::Application::Client < Chef::Application
       config_fetcher = Chef::ConfigFetcher.new(Chef::Config[:json_attribs])
       @chef_client_json = config_fetcher.fetch_json
     end
+
+    if mode = Chef::Config[:audit_mode]
+      expected_modes = [:enabled, :disabled, :audit_only]
+      unless expected_modes.include?(mode)
+        Chef::Application.fatal!(unrecognized_audit_mode(mode))
+      end
+
+      unless mode == :disabled
+        # This should be removed when audit-mode is enabled by default/no longer
+        # an experimental feature.
+        Chef::Log.warn(audit_mode_experimental_message)
+      end
+    end
   end
 
   def load_config_file
@@ -408,4 +414,26 @@ class Chef::Application::Client < Chef::Application
     "#{"\n  interval  = #{Chef::Config[:interval]} seconds" if Chef::Config[:interval]}" +
     "\nEnable chef-client interval runs by setting `:client_fork = true` in your config file or adding `--fork` to your command line options."
   end
+
+  def audit_mode_settings_explaination
+    "\n* To enable audit mode after converge, use command line option `--audit-mode enabled` or set `:audit_mode = :enabled` in your config file." +
+    "\n* To disable audit mode, use command line option `--audit-mode disabled` or set `:audit_mode = :disabled` in your config file." +
+    "\n* To only run audit mode, use command line option `--audit-mode audit-only` or set `:audit_mode = :audit_only` in your config file." +
+    "\nAudit mode is disabled by default."
+  end
+
+  def unrecognized_audit_mode(mode)
+    "Unrecognized setting #{mode} for audit mode." + audit_mode_settings_explaination
+  end
+
+  def audit_mode_experimental_message
+    msg = if Chef::Config[:audit_mode] == :audit_only
+      "Chef-client has been configured to skip converge and run only audits."
+    else
+      "Chef-client has been configure to run audits after it converges."
+    end
+    msg += " Audit mode is an experimental feature currently under development. API changes may occur. Use at your own risk."
+    msg += audit_mode_settings_explaination
+    return msg
+  end
 end
diff --git a/lib/chef/config.rb b/lib/chef/config.rb
index 19fa272100..9bf9e9d48e 100644
--- a/lib/chef/config.rb
+++ b/lib/chef/config.rb
@@ -321,7 +321,12 @@ class Chef
     default :enable_reporting_url_fatals, false
     # Possible values for :audit_mode
     # :enabled, :disabled, :audit_only,
-    default :audit_mode, :enabled
+    #
+    # TODO: 11 Dec 2014: Currently audit-mode is an experimental feature
+    # and is disabled by default. When users choose to enable audit-mode,
+    # a warning is issued in application/client#reconfigure.
+    # This can be removed when audit-mode is enabled by default.
+    default :audit_mode, :disabled
 
     # Policyfile is an experimental feature where a node gets its run list and
     # cookbook version set from a single document on the server instead of