author | Tim Smith <tsmith84@gmail.com> | 2020-06-11 11:28:04 -0700 |
---|---|---|
committer | Tim Smith <tsmith84@gmail.com> | 2020-07-23 14:38:50 -0700 |
commit | 859e4bdee9d636b51b38537889ad9c2c484e87b9 (patch) | |
tree | e4c9d2dceabb7b297227a82ca1d089963a370bcb | |
parent | 2c3895bb2bb44988a41350d09b351ab02f259a2b (diff) | |
Rename Attribute Whitelist/Blacklist to Allowlist/Blocklist
This is an overdue change. These are not terms we should be using as a company or community. To quote our Code of Conduct (https://community.chef.io/code-of-conduct/): "Be careful in the words that you choose. Be kind to others. Practice empathy." This change aims to do exactly that, while maintaining a level of backwards compatibility so we can transition existing users off the legacy configs.
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- | chef-config/lib/chef-config/config.rb | 35 | ||||
-rw-r--r-- | lib/chef/attribute_allowlist.rb (renamed from lib/chef/whitelist.rb) | 22 | ||||
-rw-r--r-- | lib/chef/attribute_blocklist.rb (renamed from lib/chef/blacklist.rb) | 18 | ||||
-rw-r--r-- | lib/chef/deprecated.rb | 4 | ||||
-rw-r--r-- | lib/chef/node.rb | 48 | ||||
-rw-r--r-- | lib/chef/node_map.rb | 32 | ||||
-rw-r--r-- | spec/unit/node_spec.rb | 24 |
7 files changed, 110 insertions, 73 deletions
diff --git a/chef-config/lib/chef-config/config.rb b/chef-config/lib/chef-config/config.rb
index bbf686af18..36953fc328 100644
--- a/chef-config/lib/chef-config/config.rb
+++ b/chef-config/lib/chef-config/config.rb
@@ -959,23 +959,32 @@ module ChefConfig # default :no_lazy_load, true - # A whitelisted array of attributes you want sent over the wire when node - # data is saved. The default setting is nil, which collects all data. Setting - # to [] will not collect any data for save. - # - default :automatic_attribute_whitelist, nil - default :default_attribute_whitelist, nil - default :normal_attribute_whitelist, nil - default :override_attribute_whitelist, nil - - # A blacklisted array of attributes you do not want to send over the - # wire when node data is saved - # The default setting is nil, which collects all data. Setting to [] will - # still collect all data for save + # A array of attributes you want sent over the wire when node + # data is saved. The default setting is nil, which collects all data. + # NOTE: Setting to [] will not collect ANY data to save. + default :allowed_automatic_attributes, nil + default :allowed_default_attributes, nil + default :allowed_normal_attributes, nil + default :allowed_override_attributes, nil + + # An array of attributes you do not want to send over the + # wire when node data is saved 0 + # The default setting is nil, which collects all data. + # NOTE: Setting to [] will still collect all data to save + default :blocked_automatic_attributes, nil + default :blocked_default_attributes, nil + default :blocked_normal_attributes, nil + default :blocked_override_attributes, nil + + # deprecated config options that will be removed in Chef Infra Client 17 default :automatic_attribute_blacklist, nil default :default_attribute_blacklist, nil default :normal_attribute_blacklist, nil default :override_attribute_blacklist, nil + default :automatic_attribute_whitelist, nil + default :default_attribute_whitelist, nil + default :normal_attribute_whitelist, nil + default :override_attribute_whitelist, nil # Pull down all the rubygems versions from rubygems and cache them the first time we do a gem_package or # chef_gem install. 
This is memory-expensive and will grow without bounds, but will reduce network diff --git a/lib/chef/whitelist.rb b/lib/chef/attribute_allowlist.rb index 8309580e81..ed1f85c02c 100644 --- a/lib/chef/whitelist.rb +++ b/lib/chef/attribute_allowlist.rb @@ -2,14 +2,14 @@ require_relative "exceptions" class Chef - class Whitelist + class AttributeAllowlist - # filter takes two arguments - the data you want to filter, and a whitelisted array - # of keys you want included. You can capture a subtree of the data to filter by + # filter takes two arguments - the data you want to filter, and an an array of + # keys you want included. You can capture a subtree of the data to filter by # providing a "/"-delimited string of keys. If some key includes "/"-characters, # you must provide an array of keys instead. # - # Whitelist.filter( + # AttributeAllowlist.filter( # { "filesystem" => { # "/dev/disk" => { # "size" => "10mb" @@ -27,18 +27,18 @@ class Chef # }, # ["network/interfaces/eth0", ["filesystem", "/dev/disk"]]) # will capture the eth0 and /dev/disk subtrees. - def self.filter(data, whitelist = nil) - return data if whitelist.nil? + def self.filter(data, allowlist = nil) + return data if allowlist.nil? new_data = {} - whitelist.each do |item| + allowlist.each do |item| add_data(data, new_data, item) end new_data end - # Walk the data has according to the keys provided by the whitelisted item - # and add the data to the whitelisting result. + # Walk the data has according to the keys provided by the allowlisted item + # and add the data to the allowlisting result. def self.add_data(data, new_data, item) parts = to_array(item) @@ -46,7 +46,7 @@ class Chef filtered_data = new_data parts[0..-2].each do |part| unless all_data.key?(part) - Chef::Log.warn("Could not find whitelist attribute #{item}.") + Chef::Log.warn("Could not find allowlist attribute #{item}.") return nil end 
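Review bot: The rewritten comment block in chef-config/lib/chef-config/config.rb carries a stray `0` after `wire when node data is saved` and opens with `A array`; both look like editing slips, and the lines should read `# An array of attributes you want sent over the wire when node` and `# wire when node data is saved`. The `# deprecated config options that will be removed in Chef Infra Client 17` comment is also the natural place to state precedence: per the helpers this commit adds to lib/chef/node.rb, a legacy `*_attribute_whitelist` / `*_attribute_blacklist` value that is set is the one applied, and the matching `allowed_*` / `blocked_*` value is then not consulted. Since these lists decide which node attributes are sent when node data is saved, that ordering is worth one sentence here.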
@@ -58,7 +58,7 @@ class Chef # Note: You can't do all_data[parts[-1]] here because the value # may be false-y unless all_data.key?(parts[-1]) - Chef::Log.warn("Could not find whitelist attribute #{item}.") + Chef::Log.warn("Could not find allowlist attribute #{item}.") return nil end diff --git a/lib/chef/blacklist.rb b/lib/chef/attribute_blocklist.rb index b6c441e460..929d3dfa36 100644 --- a/lib/chef/blacklist.rb +++ b/lib/chef/attribute_blocklist.rb @@ -2,14 +2,14 @@ require_relative "exceptions" class Chef - class Blacklist + class AttributeBlocklist - # filter takes two arguments - the data you want to filter, and a blacklisted array + # filter takes two arguments - the data you want to filter, and an array # of keys you want discarded. You can capture a subtree of the data to filter by # providing a "/"-delimited string of keys. If some key includes "/"-characters, # you must provide an array of keys instead. # - # Blacklist.filter( + # AttributeBlocklist.filter( # { "filesystem" => { # "/dev/disk" => { # "size" => "10mb" @@ -27,17 +27,17 @@ class Chef # }, # ["network/interfaces/eth0", ["filesystem", "/dev/disk"]]) # will exclude the eth0 and /dev/disk subtrees. - def self.filter(data, blacklist = nil) - return data if blacklist.nil? + def self.filter(data, blocklist = nil) + return data if blocklist.nil? - blacklist.each do |item| + blocklist.each do |item| Chef::Log.warn("Removing item #{item}") remove_data(data, item) end data end - # Walk the data according to the keys provided by the blacklisted item + # Walk the data according to the keys provided by the blocklisted item # to get a reference to the item that will be removed. def self.remove_data(data, item) parts = to_array(item) @@ -45,7 +45,7 @@ class Chef item_ref = data parts[0..-2].each do |part| unless item_ref[part] - Chef::Log.warn("Could not find blacklist attribute #{item}.") + Chef::Log.warn("Could not find blocklist attribute #{item}.") return nil end 
@@ -53,7 +53,7 @@ class Chef end unless item_ref.key?(parts[-1]) - Chef::Log.warn("Could not find blacklist attribute #{item}.") + Chef::Log.warn("Could not find blocklist attribute #{item}.") return nil end diff --git a/lib/chef/deprecated.rb b/lib/chef/deprecated.rb index 4a2ac69b04..1d167d7aca 100644 --- a/lib/chef/deprecated.rb +++ b/lib/chef/deprecated.rb @@ -245,6 +245,10 @@ class Chef target 31 end + class AttributeBlacklistConfiguration < Base + target 32 + end + class Generic < Base def url "https://docs.chef.io/chef_deprecations_client/" diff --git a/lib/chef/node.rb b/lib/chef/node.rb index e757e93d77..d569eeda38 100644 --- a/lib/chef/node.rb +++ b/lib/chef/node.rb @@ -34,8 +34,8 @@ require_relative "node/attribute" require_relative "mash" require_relative "json_compat" require_relative "search/query" -require_relative "whitelist" -require_relative "blacklist" +require_relative "attribute_allowlist" +require_relative "attribute_blocklist" class Chef class Node 
@@ -706,21 +706,45 @@ class Chef end end + # a method to handle the renamed configuration from whitelist -> allowed + # and to throw a deprecation warning when the old configuration is set + # + # @param [String] level the attribute level + def allowlist_or_whitelist_config(level) + if Chef::Config["#{level}_attribute_whitelist".to_sym] + Chef.deprecated(:attribute_blacklist_configuration, "Attribute whitelist configurations have been deprecated. Use the allowed_LEVEL_attribute configs instead") + Chef::Config["#{level}_attribute_whitelist".to_sym] + else + Chef::Config["allowed_#{level}_attributes".to_sym] + end + end + + # a method to handle the renamed configuration from blacklist -> blocked + # and to throw a deprecation warning when the old configuration is set + # + # @param [String] level the attribute level + def blocklist_or_blacklist_config(level) + if Chef::Config["#{level}_attribute_blacklist".to_sym] + Chef.deprecated(:attribute_blacklist_configuration, "Attribute blacklist configurations have been deprecated. Use the blocked_LEVEL_attribute configs instead") + Chef::Config["#{level}_attribute_blacklist".to_sym] + else + Chef::Config["blocked_#{level}_attributes".to_sym] + end + end + def data_for_save data = for_json %w{automatic default normal override}.each do |level| - whitelist_config_option = "#{level}_attribute_whitelist".to_sym - whitelist = Chef::Config[whitelist_config_option] - unless whitelist.nil? # nil => save everything - logger.info("Whitelisting #{level} node attributes for save.") - data[level] = Chef::Whitelist.filter(data[level], whitelist) + allowlist = allowlist_or_whitelist_config(level) + unless allowlist.nil? # nil => save everything + logger.info("Allowing #{level} node attributes for save.") + data[level] = Chef::AttributeAllowlist.filter(data[level], allowlist) end - blacklist_config_option = "#{level}_attribute_blacklist".to_sym - blacklist = Chef::Config[blacklist_config_option] - unless blacklist.nil? 
# nil => remove nothing - logger.info("Blacklisting #{level} node attributes for save") - data[level] = Chef::Blacklist.filter(data[level], blacklist) + blocklist = blocklist_or_blacklist_config(level) + unless blocklist.nil? # nil => remove nothing + logger.info("Blocking #{level} node attributes for save") + data[level] = Chef::AttributeBlocklist.filter(data[level], blocklist) end end data diff --git a/lib/chef/node_map.rb b/lib/chef/node_map.rb index dcf6e8969c..30a0ed6c4e 100644 --- a/lib/chef/node_map.rb +++ b/lib/chef/node_map.rb @@ -212,7 +212,7 @@ class Chef # - no negative matches (!value) # - at least one positive match (value or :all), or no positive filters # - def matches_black_white_list?(node, filters, attribute) + def matches_block_allow_list?(node, filters, attribute) # It's super common for the filter to be nil. Catch that so we don't # spend any time here. return true unless filters[attribute] 
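Review bot: In `allowlist_or_whitelist_config` and `blocklist_or_blacklist_config` (lib/chef/node.rb) a set legacy option wins and the new `allowed_*` / `blocked_*` value is silently ignored, so a node that inherits an old `*_attribute_blacklist` entry and adds `blocked_*_attributes` to hold back a sensitive attribute would still save that attribute. A warning when both are set makes this visible, for example in the blocklist helper `logger.warn("#{level}_attribute_blacklist is set; blocked_#{level}_attributes is ignored") if Chef::Config["blocked_#{level}_attributes".to_sym]`, with the equivalent line in the allowlist helper. The deprecation text also names `allowed_LEVEL_attribute` and `blocked_LEVEL_attribute`, while the options defined in config.rb are `allowed_LEVEL_attributes` and `blocked_LEVEL_attributes`; an operator copying the name from the message would set a key these helpers do not read, and no filtering would be applied. Both helpers pass `:attribute_blacklist_configuration`, which looks intentional given the single deprecation class added in deprecated.rb, but a short comment saying so would save the next reader a second look.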
@@ -220,21 +220,21 @@ class Chef filter_values = Array(filters[attribute]) value = node[attribute] - # Split the blacklist and whitelist - blacklist, whitelist = filter_values.partition { |v| v.is_a?(String) && v.start_with?("!") } + # Split the blocklist and allowlist + blocklist, allowlist = filter_values.partition { |v| v.is_a?(String) && v.start_with?("!") } if attribute == :platform_family - # If any blacklist value matches, we don't match - return false if blacklist.any? { |v| v[1..-1] == value || platform_family_query_helper?(node, v[1..-1]) } + # If any blocklist value matches, we don't match + return false if blocklist.any? { |v| v[1..-1] == value || platform_family_query_helper?(node, v[1..-1]) } - # If the whitelist is empty, or anything matches, we match. - whitelist.empty? || whitelist.any? { |v| v == :all || v == value || platform_family_query_helper?(node, v) } + # If the allowlist is empty, or anything matches, we match. + allowlist.empty? || allowlist.any? { |v| v == :all || v == value || platform_family_query_helper?(node, v) } else - # If any blacklist value matches, we don't match - return false if blacklist.any? { |v| v[1..-1] == value } + # If any blocklist value matches, we don't match + return false if blocklist.any? { |v| v[1..-1] == value } - # If the whitelist is empty, or anything matches, we match. - whitelist.empty? || whitelist.any? { |v| v == :all || v == value } + # If the allowlist is empty, or anything matches, we match. + allowlist.empty? || allowlist.any? { |v| v == :all || v == value } end end 
@@ -263,9 +263,9 @@ class Chef end def filters_match?(node, filters) - matches_black_white_list?(node, filters, :os) && - matches_black_white_list?(node, filters, :platform_family) && - matches_black_white_list?(node, filters, :platform) && + matches_block_allow_list?(node, filters, :os) && + matches_block_allow_list?(node, filters, :platform_family) && + matches_block_allow_list?(node, filters, :platform) && matches_version_list?(node, filters, :platform_version) && matches_target_mode?(filters) end @@ -314,8 +314,8 @@ class Chef return -1 if !b && a return 0 if !a && !b - # Check for blacklists ('!windows'). Those always come *after* positive - # whitelists. + # Check for blocklists ('!windows'). Those always come *after* positive + # allowlists. a_negated = Array(a).any? { |f| f.is_a?(String) && f.start_with?("!") } b_negated = Array(b).any? { |f| f.is_a?(String) && f.start_with?("!") } return 1 if a_negated && !b_negated diff --git a/spec/unit/node_spec.rb b/spec/unit/node_spec.rb index f2a5528b52..cb2499a7ee 100644 --- a/spec/unit/node_spec.rb +++ b/spec/unit/node_spec.rb @@ -1483,9 +1483,9 @@ describe Chef::Node do end end - context "with whitelisted attributes configured" do - it "should only save whitelisted attributes (and subattributes)" do - Chef::Config[:default_attribute_whitelist] = [ + context "with allowed attributes configured" do + it "should only save allowed attributes (and subattributes)" do + Chef::Config[:allowed_default_attributes] = [ ["filesystem", "/dev/disk0s2"], "network/interfaces/eth0", ] @@ -1525,8 +1525,8 @@ describe Chef::Node do node.save end - it "should save false-y whitelisted attributes" do - Chef::Config[:default_attribute_whitelist] = [ + it "should save false-y allowed attributes" do + Chef::Config[:allowed_default_attributes] = [ "foo/bar/baz", ] 
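Review bot: With the contexts in spec/unit/node_spec.rb moved to `allowed_default_attributes` and `blocked_default_attributes`, nothing in the visible spec hunks exercises the legacy keys that node.rb still honours, nor the case where a legacy and a new key are both set. Because these filters decide what leaves the node on save, the backwards-compatible path deserves its own example: one that sets `Chef::Config[:default_attribute_blacklist] = ["network/interfaces/eth0"]`, asserts the same filtered payload, and checks the deprecation with something like `expect(Chef).to receive(:deprecated).with(:attribute_blacklist_configuration, anything)`. The rest of the spec file is outside these hunks, so existing coverage elsewhere cannot be ruled out.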
@@ -1560,8 +1560,8 @@ describe Chef::Node do node.save end - it "should not save any attributes if the whitelist is empty" do - Chef::Config[:default_attribute_whitelist] = [] + it "should not save any attributes if the allowed is empty" do + Chef::Config[:allowed_default_attributes] = [] node.default = { "filesystem" => { @@ -1583,9 +1583,9 @@ describe Chef::Node do end end - context "with blacklisted attributes configured" do - it "should only save non-blacklisted attributes (and subattributes)" do - Chef::Config[:default_attribute_blacklist] = [ + context "with blocklisted attributes configured" do + it "should only save non-blocklisted attributes (and subattributes)" do + Chef::Config[:blocked_default_attributes] = [ ["filesystem", "/dev/disk0s2"], "network/interfaces/eth0", ] @@ -1624,8 +1624,8 @@ describe Chef::Node do node.save end - it "should save all attributes if the blacklist is empty" do - Chef::Config[:default_attribute_blacklist] = [] + it "should save all attributes if the blocklist is empty" do + Chef::Config[:blocked_default_attributes] = [] node.default = { "filesystem" => { |