authorjkeiser <jkeiser@opscode.com>2013-03-14 09:27:05 -0700
committerJohn Keiser <jkeiser@opscode.com>2013-06-07 13:12:29 -0700
commit896128b312e958e0aa5b5c0c2c42570f18c21465 (patch)
tree452830d6cd946fe55dc712b9e8a19e3a35343139 /lib/chef
parentd51fae00949c2103f16002139c8d8e973bc0168b (diff)
Add download and diff support for acls
Diffstat (limited to 'lib/chef')
-rw-r--r--lib/chef/chef_fs/data_handler/acl_data_handler.rb13
-rw-r--r--lib/chef/chef_fs/file_system/acl_dir.rb64
-rw-r--r--lib/chef/chef_fs/file_system/acl_entry.rb42
-rw-r--r--lib/chef/chef_fs/file_system/acls_dir.rb68
-rw-r--r--lib/chef/chef_fs/file_system/chef_repository_file_system_root_dir.rb3
-rw-r--r--lib/chef/chef_fs/file_system/chef_server_root_dir.rb2
-rw-r--r--lib/chef/chef_fs/file_system/cookbooks_acl_dir.rb41
-rw-r--r--lib/chef/chef_fs/file_system/rest_list_entry.rb2
-rw-r--r--lib/chef/chef_fs/knife.rb4
9 files changed, 236 insertions, 3 deletions
diff --git a/lib/chef/chef_fs/data_handler/acl_data_handler.rb b/lib/chef/chef_fs/data_handler/acl_data_handler.rb
new file mode 100644
index 0000000000..5f7d0b6fa5
--- /dev/null
+++ b/lib/chef/chef_fs/data_handler/acl_data_handler.rb
@@ -0,0 +1,13 @@
+require 'chef/chef_fs/data_handler/data_handler_base'
+
+class Chef
+ module ChefFS
+ module DataHandler
+ class AclDataHandler < DataHandlerBase
+ def normalize(node, entry)
+ super(node, {})
+ end
+ end
+ end
+ end
+end
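Review bot: In `normalize`, the first parameter is named `node` although this handler processes ACL documents, and `entry` is accepted but never used. Renaming it to `def normalize(acl, entry)` would make the intent readable. A one-line comment such as `# ACLs have no default fields, so normalize against an empty defaults hash` would explain why `{}` is passed to `super`. What `DataHandlerBase#normalize` does with that hash is not visible in this diff, so the comment wording should be confirmed against it.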
diff --git a/lib/chef/chef_fs/file_system/acl_dir.rb b/lib/chef/chef_fs/file_system/acl_dir.rb
new file mode 100644
index 0000000000..263a5afcb0
--- /dev/null
+++ b/lib/chef/chef_fs/file_system/acl_dir.rb
@@ -0,0 +1,64 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/chef_fs/file_system/base_fs_dir'
+require 'chef/chef_fs/file_system/acl_entry'
+require 'chef/chef_fs/file_system/operation_not_allowed_error'
+
+class Chef
+ module ChefFS
+ module FileSystem
+ class AclDir < BaseFSDir
+ def api_path
+ parent.parent.child(name).api_path
+ end
+
+ def child(name)
+ result = @children.select { |child| child.name == name }.first if @children
+ result ||= can_have_child?(name, false) ?
+ AclEntry.new(name, self) : NonexistentFSObject.new(name, self)
+ end
+
+ def can_have_child?(name, is_dir)
+ name =~ /\.json$/ && !is_dir
+ end
+
+ def children
+ if @children.nil?
+ # Grab the ACTUAL children (/nodes, /containers, etc.) and get their names
+ names = parent.parent.child(name).children.map { |child| child.dir? ? "#{child.name}.json" : child.name }
+ @children = names.map { |name| AclEntry.new(name, self, true) }
+ end
+ @children
+ end
+
+ def create_child(name, file_contents)
+ raise OperationNotAllowedError.new(:create_child, self)
+ end
+
+ def data_handler
+ parent.data_handler
+ end
+
+ def rest
+ parent.rest
+ end
+ end
+ end
+ end
+end
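Review bot: `can_have_child?` validates the child name with `/\.json$/`, but in Ruby `$` matches at the end of any line, so a name containing an embedded newline after `.json` still passes. That name is then handed to `AclEntry.new` in `child` and presumably ends up in the REST path built by `api_path`. Anchor to the end of the string instead, `!is_dir && name.end_with?('.json')` or `name =~ /\.json\z/ && !is_dir`. Separately, `child` references `NonexistentFSObject` without a matching `require` in this file; that works only if another file has already loaded it.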
diff --git a/lib/chef/chef_fs/file_system/acl_entry.rb b/lib/chef/chef_fs/file_system/acl_entry.rb
new file mode 100644
index 0000000000..ed6815ae5f
--- /dev/null
+++ b/lib/chef/chef_fs/file_system/acl_entry.rb
@@ -0,0 +1,42 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/chef_fs/file_system/rest_list_entry'
+require 'chef/chef_fs/file_system/not_found_error'
+require 'chef/chef_fs/file_system/operation_not_allowed_error'
+require 'chef/chef_fs/file_system/operation_failed_error'
+
+class Chef
+ module ChefFS
+ module FileSystem
+ class AclEntry < RestListEntry
+ def api_path
+ "#{super}/_acl"
+ end
+
+ def delete(recurse)
+ raise Chef::ChefFS::FileSystem::OperationNotAllowedError.new(:delete, self, e), "ACLs cannot be deleted."
+ end
+
+ def write(recurse)
+ raise Chef::ChefFS::FileSystem::OperationNotAllowedError.new(:write, self, e), "ACLs are not (yet) supported."
+ end
+ end
+ end
+ end
+end
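Review bot: Both `delete` and `write` pass `e` to `OperationNotAllowedError.new`, but no `e` is defined in either method, so a call raises `NameError` instead of the intended error. The operation is still refused, but callers that rescue `OperationNotAllowedError` to report "not allowed" will not catch it. Drop the third argument, as `AclDir#create_child` in this commit already does: `raise Chef::ChefFS::FileSystem::OperationNotAllowedError.new(:delete, self), "ACLs cannot be deleted."`, and likewise with `:write`. The parameter of `write(recurse)` also looks copied from `delete`; the parent `RestListEntry#write` signature is not visible here, so confirm it takes the same argument.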
diff --git a/lib/chef/chef_fs/file_system/acls_dir.rb b/lib/chef/chef_fs/file_system/acls_dir.rb
new file mode 100644
index 0000000000..938bf73fb2
--- /dev/null
+++ b/lib/chef/chef_fs/file_system/acls_dir.rb
@@ -0,0 +1,68 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/chef_fs/file_system/base_fs_dir'
+require 'chef/chef_fs/file_system/acl_dir'
+require 'chef/chef_fs/file_system/cookbooks_acl_dir'
+require 'chef/chef_fs/file_system/acl_entry'
+require 'chef/chef_fs/data_handler/acl_data_handler'
+
+class Chef
+ module ChefFS
+ module FileSystem
+ class AclsDir < BaseFSDir
+ ENTITY_TYPES = %w(clients containers cookbooks data_bags environments groups nodes roles) # we don't read sandboxes, so we don't read their acls
+
+ def initialize(parent)
+ super('acls', parent)
+ end
+
+ def data_handler
+ @data_handler ||= Chef::ChefFS::DataHandler::AclDataHandler.new
+ end
+
+ def api_path
+ parent.api_path
+ end
+
+ def can_have_child?(name, is_dir)
+ is_dir ? ENTITY_TYPES.include(name) : name == 'organization.json'
+ end
+
+ def children
+ if @children.nil?
+ @children = ENTITY_TYPES.map do |entity_type|
+ case entity_type
+ when 'cookbooks'
+ CookbooksAclDir.new(entity_type, self)
+ else
+ AclDir.new(entity_type, self)
+ end
+ end
+ @children << AclEntry.new('organization.json', self, true) # the org acl is retrieved as GET /organizations/ORGNAME/ANYTHINGATALL/_acl
+ end
+ @children
+ end
+
+ def rest
+ parent.rest
+ end
+ end
+ end
+ end
+end
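Review bot: `can_have_child?` calls `ENTITY_TYPES.include(name)`, which is not an Array method, so any call with `is_dir` true raises `NoMethodError` rather than answering whether the directory is allowed. It should read `is_dir ? ENTITY_TYPES.include?(name) : name == 'organization.json'`. Since `ENTITY_TYPES` acts as the allow-list of ACL directories, it is also worth freezing it (`%w(...).freeze`) so it cannot be mutated at runtime.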
diff --git a/lib/chef/chef_fs/file_system/chef_repository_file_system_root_dir.rb b/lib/chef/chef_fs/file_system/chef_repository_file_system_root_dir.rb
index c64c9ed70d..d86f30de73 100644
--- a/lib/chef/chef_fs/file_system/chef_repository_file_system_root_dir.rb
+++ b/lib/chef/chef_fs/file_system/chef_repository_file_system_root_dir.rb
@@ -28,6 +28,7 @@ require 'chef/chef_fs/data_handler/role_data_handler'
require 'chef/chef_fs/data_handler/user_data_handler'
require 'chef/chef_fs/data_handler/group_data_handler'
require 'chef/chef_fs/data_handler/container_data_handler'
+require 'chef/chef_fs/data_handler/acl_data_handler'
class Chef
module ChefFS
@@ -96,6 +97,8 @@ class Chef
Chef::ChefFS::DataHandler::GroupDataHandler.new
when 'containers'
Chef::ChefFS::DataHandler::ContainerDataHandler.new
+ when 'acls'
+ Chef::ChefFS::DataHandler::AclDataHandler.new
else
raise "Unknown top level path #{name}"
end
diff --git a/lib/chef/chef_fs/file_system/chef_server_root_dir.rb b/lib/chef/chef_fs/file_system/chef_server_root_dir.rb
index 1ccdca4826..8767be7c6e 100644
--- a/lib/chef/chef_fs/file_system/chef_server_root_dir.rb
+++ b/lib/chef/chef_fs/file_system/chef_server_root_dir.rb
@@ -16,6 +16,7 @@
# limitations under the License.
#
+require 'chef/chef_fs/file_system/acls_dir'
require 'chef/chef_fs/file_system/base_fs_dir'
require 'chef/chef_fs/file_system/rest_list_dir'
require 'chef/chef_fs/file_system/cookbooks_dir'
@@ -89,6 +90,7 @@ class Chef
]
elsif repo_mode == 'hosted_everything'
result += [
+ AclsDir.new(self),
RestListDir.new("clients", self, nil, Chef::ChefFS::DataHandler::ClientDataHandler.new),
RestListDir.new("containers", self, nil, Chef::ChefFS::DataHandler::ContainerDataHandler.new),
RestListDir.new("groups", self, nil, Chef::ChefFS::DataHandler::GroupDataHandler.new),
diff --git a/lib/chef/chef_fs/file_system/cookbooks_acl_dir.rb b/lib/chef/chef_fs/file_system/cookbooks_acl_dir.rb
new file mode 100644
index 0000000000..d6246f1e60
--- /dev/null
+++ b/lib/chef/chef_fs/file_system/cookbooks_acl_dir.rb
@@ -0,0 +1,41 @@
+#
+# Author:: John Keiser (<jkeiser@opscode.com>)
+# Copyright:: Copyright (c) 2013 Opscode, Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require 'chef/chef_fs/file_system/acl_dir'
+require 'chef/chef_fs/file_system/acl_entry'
+
+class Chef
+ module ChefFS
+ module FileSystem
+ class CookbooksAclDir < AclDir
+ # If versioned_cookbooks is on, the list of cookbooks will have versions
+ # in them. But all versions of a cookbook have the same acl, so even if
+ # we have cookbooks/apache2-1.0.0 and cookbooks/apache2-1.1.2, we will
+ # only have one acl: acls/cookbooks/apache2.json. Thus, the list of
+ # children of acls/cookbooks is a unique list of cookbook *names*.
+ def children
+ if @children.nil?
+ names = parent.parent.child(name).children.map { |child| "#{child.cookbook_name}.json" }
+ @children = names.uniq.map { |name| AclEntry.new(name, self, true) }
+ end
+ @children
+ end
+ end
+ end
+ end
+end
diff --git a/lib/chef/chef_fs/file_system/rest_list_entry.rb b/lib/chef/chef_fs/file_system/rest_list_entry.rb
index 3deb2605b9..517b2004f7 100644
--- a/lib/chef/chef_fs/file_system/rest_list_entry.rb
+++ b/lib/chef/chef_fs/file_system/rest_list_entry.rb
@@ -88,7 +88,7 @@ class Chef
if $!.response.code == "404"
raise Chef::ChefFS::FileSystem::NotFoundError.new(self, $!)
else
- raise Chef::ChefFS::FileSystem::OperationFailedError.new(:read, self, e)
+ raise Chef::ChefFS::FileSystem::OperationFailedError.new(:read, self, e), "HTTP error reading: #{e}"
end
end
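Review bot: The changed `raise` reads the exception through `e` while the 404 branch just above it uses `$!`. The `rescue` clause lies outside this hunk, so it is not visible whether `e` is actually bound there. If it is, use `e` in both branches (`if e.response.code == "404"` and `NotFoundError.new(self, e)`) so the method does not depend on the global `$!`. If it is not, the new message interpolation `"HTTP error reading: #{e}"` will raise `NameError` and hide the original HTTP failure.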
diff --git a/lib/chef/chef_fs/knife.rb b/lib/chef/chef_fs/knife.rb
index 2bdd97ded3..a9842e5f4e 100644
--- a/lib/chef/chef_fs/knife.rb
+++ b/lib/chef/chef_fs/knife.rb
@@ -40,7 +40,7 @@ class Chef
Chef::Config[:repo_mode] = config[:repo_mode] if config[:repo_mode]
# --chef-repo-path overrides all other paths
- path_variables = %w(client_path cookbook_path container_path data_bag_path environment_path group_path node_path role_path user_path)
+ path_variables = %w(acl_path client_path cookbook_path container_path data_bag_path environment_path group_path node_path role_path user_path)
if config[:chef_repo_path]
Chef::Config[:chef_repo_path] = config[:chef_repo_path]
path_variables.each do |variable_name|
@@ -95,7 +95,7 @@ class Chef
when 'everything'
object_names = %w(clients cookbooks data_bags environments nodes roles users)
when 'hosted_everything'
- object_names = %w(clients cookbooks containers data_bags environments groups nodes roles)
+ object_names = %w(acls clients cookbooks containers data_bags environments groups nodes roles)
else
object_names = %w(cookbooks data_bags environments roles)
end