diff options
author | Steven Danna <steve@opscode.com> | 2014-12-09 13:27:21 +0000 |
---|---|---|
committer | Bryan McLellan <btm@opscode.com> | 2015-02-17 08:46:37 -0500 |
commit | 9b6f1129364ab39dd272ccffd14bbc82f4c32ace (patch) | |
tree | edf4a8534cef7b646ffc30783c0f3ae08ed6f092 /lib/chef | |
parent | cd7bac6dc131c958c8f6ccac6e50f2dca655dfd9 (diff) | |
download | chef-9b6f1129364ab39dd272ccffd14bbc82f4c32ace.tar.gz |
Implement RFC 027 File Verification
This implements usable-suppliable file content verification per RFC
027. Users can supplie a block, string, or symbol to the `verify`
resource attribute. Blocks will be called, string will be executed as
shell commands (respecing the same options as not_if and only_if), and
symbols can be used to access built-in registered validations.
Diffstat (limited to 'lib/chef')
-rw-r--r-- | lib/chef/exceptions.rb | 1 | ||||
-rw-r--r-- | lib/chef/provider/file.rb | 8 | ||||
-rw-r--r-- | lib/chef/resource/file.rb | 14 | ||||
-rw-r--r-- | lib/chef/resource/file/verification.rb | 118 |
4 files changed, 141 insertions, 0 deletions
diff --git a/lib/chef/exceptions.rb b/lib/chef/exceptions.rb index 38ba984ea7..ecd84c5ba5 100644 --- a/lib/chef/exceptions.rb +++ b/lib/chef/exceptions.rb @@ -90,6 +90,7 @@ class Chef class ConflictingMembersInGroup < ArgumentError; end class InvalidResourceReference < RuntimeError; end class ResourceNotFound < RuntimeError; end + class VerificationNotFound < RuntimeError; end # Can't find a Resource of this type that is valid on this platform. class NoSuchResourceType < NameError diff --git a/lib/chef/provider/file.rb b/lib/chef/provider/file.rb index a9390cc45c..c070d29458 100644 --- a/lib/chef/provider/file.rb +++ b/lib/chef/provider/file.rb @@ -345,6 +345,14 @@ class Chef if new_resource.checksum && tempfile && ( new_resource.checksum != tempfile_checksum ) raise Chef::Exceptions::ChecksumMismatch.new(short_cksum(new_resource.checksum), short_cksum(tempfile_checksum)) end + + if tempfile + new_resource.verify.each do |v| + if ! v.verify(tempfile.path) + raise Chef::Exceptions::ValidationFailed.new "Proposed content for #{new_resource.path} failed verification #{v}" + end + end + end end def do_unlink diff --git a/lib/chef/resource/file.rb b/lib/chef/resource/file.rb index 16491f9bc8..7662731f44 100644 --- a/lib/chef/resource/file.rb +++ b/lib/chef/resource/file.rb @@ -20,6 +20,7 @@ require 'chef/resource' require 'chef/platform/query_helpers' require 'chef/mixin/securable' +require 'chef/resource/file/verification' class Chef class Resource @@ -50,6 +51,7 @@ class Chef @force_unlink = false @manage_symlink_source = nil @diff = nil + @user_verifications = [] end def content(arg=nil) @@ -115,6 +117,18 @@ class Chef :kind_of => [ TrueClass, FalseClass ] ) end + + def verify(command=nil, opts={}, &block) + if ! (command.nil? || [String, Symbol].include?(command.class)) + raise ArgumentError, "verify requires either a string, symbol, or a block" + end + + if command || block_given? + @user_verifications << Verification.new(self, command, opts, &block) + else + @user_verifications + end + end end end end diff --git a/lib/chef/resource/file/verification.rb b/lib/chef/resource/file/verification.rb new file mode 100644 index 0000000000..5e75cbf6a7 --- /dev/null +++ b/lib/chef/resource/file/verification.rb @@ -0,0 +1,118 @@ +# +# Author:: Steven Danna (<steve@chef.io>) +# Copyright:: Copyright (c) 2014 Chef Software, Inc +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require 'chef/exceptions' + +class Chef + class Resource + class File < Chef::Resource + + # + # See RFC 027 for a full specification + # + # File verifications allow user-supplied commands a means of + # preventing file reosurce content deploys. Their intended use + # is to verify the contents of a temporary file before it is + # deployed onto the system. + # + # Similar to not_if and only_if, file verifications can take a + # ruby block, which will be called, or a string, which will be + # executed as a Shell command. + # + # Additonally, Chef or third-party verifications can ship + # "registered verifications" that the user can use by specifying + # a :symbol as the command name. + # + # To create a registered verification, create a class that + # inherits from Chef::Resource::File::Verification and use the + # register class method to give it name. Registered + # verifications are expected to supply a verify instance method + # that takes 2 arguments. + # + # Example: + # class Chef + # class Resource + # class File::Verification::Foo < Chef::Resource::File::Verification + # register :noop + # def verify(path, opts) + # #yolo + # true + # end + # end + # end + # end + # + # + + class Verification + @@registered_verifications = {} + + def self.register(name) + @@registered_verifications[name] = self.name + end + + def self.lookup(name) + c = @@registered_verifications[name] + if c.nil? + raise Chef::Exceptions::VerificationNotFound.new "No file verification for #{name} found." + end + Object.const_get(c) + end + + def initialize(parent_resource, command, opts, &block) + @command, @command_opts = command, opts + @block = block + @parent_resource = parent_resource + end + + def verify(path, opts={}) + Chef::Log.debug("Running verification[#{self}] on #{path}") + if @block + verify_block(path, opts) + elsif @command.is_a?(Symbol) + verify_registered_verification(path, opts) + elsif @command.is_a?(String) + verify_command(path, opts) + end + end + + def verify_block(path, opts) + @block.call(path) + end + + # We reuse Chef::GuardInterpreter in order to support + # the same set of options that the not_if/only_if blocks do + def verify_command(path, opts) + command = @command % {:file => path} + interpreter = if @parent_resource.guard_interpreter == :default + Chef::GuardInterpreter::DefaultGuardInterpreter.new(command, @command_opts) + else + Chef::GuardInterpreter::ResourceGuardInterpreter.new(@parent_resource, command, @command_opts) + end + interpreter.evaluate + end + + def verify_registered_verification(path, opts) + verification_class = Chef::Resource::File::Verification.lookup(@command) + v = verification_class.new(@parent_resource, @command, @command_opts, &@block) + v.verify(path, opts) + end + end + end + end +end |