kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity

Update nodejs, sudo and users cookbooks

Browse Source
This commit is contained in:
Greg Karékinian 2018-04-17 13:18:09 +02:00
parent ff2f424ddb
commit 157ccdc8b7
37 changed files with 862 additions and 523 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Berksfile
View File

@ -25,8 +25,8 @@ cookbook 'poise-ruby', '~> 2.4.0'
cookbook 'poise-javascript', '~> 1.2.0'
cookbook 'poise-archive', '~> 1.5.0'
cookbook 'poise-service', '~> 1.5.2'
cookbook 'users', '= 5.1.0'
cookbook 'sudo', '= 3.5.0'
cookbook 'users', '~> 5.3.1'
cookbook 'sudo', '~> 5.3.3'
cookbook 'hostname', '= 0.4.2'
cookbook 'firewall', '= 2.6.2'
cookbook 'chef_nginx', '= 6.1.1'
@ -37,13 +37,13 @@ cookbook 'apt', '= 2.9.2'
cookbook 'git', '= 6.0.0'
cookbook 'hostsfile', '= 2.4.5'
cookbook 'ohai', '= 5.0.4'
cookbook 'nodejs', '~> 5.0.0'
# Deprecated, but wordpress and mediawiki depend on it and it would painful
# to change it without moving the databases
cookbook 'database', '= 6.1.1'
cookbook 'mysql2_chef_gem', '= 1.1.0'
cookbook 'chef_client_updater', '= 1.1.1'
cookbook 'timezone_iii', '= 1.0.4'
cookbook 'nodejs', '= 3.0.0'
cookbook 'ark', '= 3.1.0'
cookbook 'logrotate', '= 2.2.0'
cookbook 'openssl', '= 7.1.0'

17
Berksfile.lock
View File

@ -28,7 +28,7 @@ DEPENDENCIES
mingw (= 2.0.0)
mysql (= 6.1.3)
mysql2_chef_gem (= 1.1.0)
nodejs (= 3.0.0)
nodejs (~> 5.0.0)
ntp (= 3.4.0)
ohai (= 5.0.4)
openssl (= 7.1.0)
@ -47,9 +47,9 @@ DEPENDENCIES
git: https://github.com/phlipper/chef-redis.git
revision: 7476279fc9c8727f082b8d77b5e1922dc2ef437b
ref: v0.5.6
sudo (= 3.5.0)
sudo (~> 5.3.3)
timezone_iii (= 1.0.4)
users (= 5.1.0)
users (~> 5.3.1)
windows (= 3.1.1)
wordpress
git: https://github.com/67P/wordpress-cookbook.git
@ -133,12 +133,9 @@ GRAPH
build-essential (>= 0.0.0)
mariadb (>= 0.0.0)
mysql (>= 6.0)
nodejs (3.0.0)
apt (>= 2.9.1)
ark (>= 0.0.0)
nodejs (5.0.0)
ark (>= 2.0.2)
build-essential (>= 0.0.0)
homebrew (>= 0.0.0)
yum-epel (>= 0.0.0)
ntp (3.4.0)
ohai (5.0.4)
openssl (7.1.0)
@ -187,10 +184,10 @@ GRAPH
windows (>= 1.2.2)
smf (2.2.8)
rbac (>= 1.0.1)
sudo (3.5.0)
sudo (5.3.3)
tar (2.1.1)
timezone_iii (1.0.4)
users (5.1.0)
users (5.3.1)
windows (3.1.1)
ohai (>= 4.0.0)
wordpress (3.1.0)

161
cookbooks/nodejs/CHANGELOG.md Normal file
View File

@ -0,0 +1,161 @@
# NodeJS Cookbook Changelog
## 5.0.0 (2017-11-15)
- nodejs_npm resource has been converted to a custom resource and renamed to npm_package. The existing resource name will continue to function, but over time code should be updated for the new name. This name change has been made so we can eventually merge this resource into the chef-client.
- compat_resource cookbook dependency has been removed and this cookbook instead requires Chef 12.14 or later
- Chef 13 compatibility has been resolved
- The npm_package resource now properly installs packages when the 'package' property is setA
- Speed up npm operations by only returning a list of the desired package instead of every npm package
- Speed up source installation by using multipackage install for the dependencies
- Remove the broken url_valid? helper which didn't work
## 4.0.0 (2017-07-11)
- Updated the cookbook to require Chef 12.1+ and the compat_resource cookbook
- Removed support for io.js which has merged back into the node.js project
- Removed the dependency on homebrew, yum-epel, and apt cookbooks
- Added node['nodejs']['manage_node'] attribute to use only cookbook's LWRP (required to manage node by nvm)
- Updated the default repository URLs to be the 6.X repos
- Added initial support for Suse and Amazon Linux
- Improved architecture detection to support aarch64
- Improved readme with examples for fetching your own binaries
- Added installation of openssl and xz utilities that are needed for the binary install recipe
- Updated the cookbook license string to be an SPDX compliant string
- Set the minimum version of the ark cookbook to 2.0.2 in order to support Suse
- Updated the default version from 6.9.1 to 6.10.2
- Switched to Delivery local mode for testing
- Added Integration testing in Travis CI with kitchen-dokken and ChefDK
## 3.0.0 (2016-11-02)
- Updated the default release to the nodejs 6.9.1\. This requires C++11 extensions to compile, which are only present in GCC 4.8+. Due to this RHEL 5/6 and Ubuntu 12.04 are not supported if using this version.
- Switched the download URLs to the .xz packages since the .tar.gz packages are no longer being created
- Improvements to the readme examples and requirements sections
- Removed installation of apt-transport-https and instead rely on an apt cookbook that will do the same
- Fixed the ChefSpec matchers
- Added Scientific, Oracle, and Amazon as supported distros in the metadata
- Added chef_version metadata
- Removed conflicts and suggests metadata which aren't implemented or recommended for use
- Removed Chef 10 compatibility code
- Switched Integration testing to Inspec from bats
- Added the Apache 2.0 license file to the repo
- Expanded Test Kitchen testing
- Switched from Rubocop to Cookstyle and resolved all warnings
- Switched Travis to testing using ChefDK
## 2.4.4
- Use HTTPS prefix URLs for node download #98
- Update NPM symlink when installing from source #105
- Add support for NPM private modules #107
## v2.4.2
- Fix check version
- Support iojs package install
## v2.4.0
- Move `npm_packages` to his own recipe
- Fix different race conditions when using direct recipe call
- Fix npm recipe
## v2.3.2
- Fix package recipe
## v2.3.0
- Support io.js. Use node['nodejs']['engine'].
- Add MacOS support via homebrew
## v2.2.0
- Add node['nodejs']['keyserver']
- Update arm checksum
- Fix `npm_packages` JSON
## v2.1.0
- Use official nodesource repository
- Add node['nodejs']['npm_packages'] to install npm package with `default` recipe
## v2.0.0
- Travis integration
- Gems updated
- Rewrite cookbook dependencies
- Added complete test-kitchen integration : Rake, rubocop, foodcritic, vagrant, bats testing ...
- Added NodeJS `install_method` option (sources, bins or packages)
- Added NPM `install_method` option (sources or packages)
- NPM version can now be chosen independently from nodejs' embedded version
- Added a `nodejs_npm` LWRP to manage, install and resolve NPM packages
## v1.3.0
- update default versions to the latest: node - v0.10.15 and npm - v1.3.5
- default to package installation of nodejs on smartos ([@wanelo-pair])
- Add Raspberry pi support ([@robertkowalski])
## v1.2.0
- implement installation from package on RedHat - ([@vaskas])
## v1.1.3:
- update default version of node to 0.10.13 - and npm - v1.3.4 ([@jodosha][])
## v1.1.2:
- update default version of node to 0.10.2 - ([@bakins])
- fully migrated to test-kitchen 1.alpha and vagrant 1.1.x/berkshelf 1.3.1
## v1.1.1:
- update default versions to the latest: node - v0.10.0 and npm - v1.2.14
- `make_thread` is now a real attribute - ([@ChrisLundquist])
## v1.1.0:
- rewrite the package install; remove rpm support since there are no longer any packages available anywhere
- add support to install `legacy_packages` from ubuntu repo as well as the latest 0.10.x branch (this is default).
## v1.0.4:
- add support for binary installation method ([@JulesAU])
## v1.0.3:
- unreleased
## v1.0.2:
- add smartos support for package install ([@sax])
- support to compile with all processors available (default 2 if unknown) - ([@ChrisLundquist])
- moved to `platform_family` syntax
- ensure npm recipe honours the 'source' or 'package' setting - ([@markbirbeck])
- updated the default versions to the latest stable node/npm
## v1.0.1:
- fixed bug that prevented overwritting the node/npm versions (moved the `src_url`s as local variables instead of attributes) - ([@johannesbecker])
- updated the default versions to the latest node/npm
## v1.0.0:
- added packages installation support ([@smith])
[@bakins]: https://github.com/bakins
[@chrislundquist]: https://github.com/ChrisLundquist
[@gmccue]: https://github.com/gmccue
[@johannesbecker]: https://github.com/johannesbecker
[@julesau]: https://github.com/JulesAU
[@markbirbeck]: https://github.com/markbirbeck
[@predominant]: https://github.com/predominant
[@robertkowalski]: https://github.com/robertkowalski
[@sax]: https://github.com/sax
[@sjlu]: https://github.com/sjlu
[@smith]: https://github.com/smith
[@vaskas]: https://github.com/vaskas
[@wanelo-pair]: https://github.com/wanelo-pair

72
cookbooks/nodejs/README.md
View File

@ -1,8 +1,8 @@
# [nodejs-cookbook](https://github.com/redguide/nodejs)
[![CK Version](http://img.shields.io/cookbook/v/nodejs.svg?branch=master)](https://supermarket.getchef.com/cookbooks/nodejs) [![Build Status](https://img.shields.io/travis/redguide/nodejs.svg)](https://travis-ci.org/redguide/nodejs) [![Gitter chat](https://badges.gitter.im/redguide/nodejs.svg)](https://gitter.im/redguide/nodejs)
[![CK Version](http://img.shields.io/cookbook/v/nodejs.svg?branch=master)](https://supermarket.chef.io/cookbooks/nodejs) [![Build Status](https://img.shields.io/travis/redguide/nodejs.svg)](https://travis-ci.org/redguide/nodejs) [![Gitter chat](https://badges.gitter.im/redguide/nodejs.svg)](https://gitter.im/redguide/nodejs)
Installs node.js/io.js and manages npm
Installs node.js/npm and includes a resource for managing npm packages
## Requirements
@ -10,20 +10,18 @@ Installs node.js/io.js and manages npm
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- openSUSE
Note: Source installs require GCC 4.8+, which is not included on older distro releases
### Chef
- Chef 11+
- Chef 12.14+
### Cookbooks
- yum-epel
- build-essential
- ark
- apt
- homebrew
## Usage
@ -33,17 +31,6 @@ Include the nodejs recipe to install node on your system based on the default in
include_recipe "nodejs"
```
### Engine
You can select different engine by setting `node['nodejs']['engine']`
```
node['nodejs']['engine'] => 'node' # default
node['nodejs']['engine'] => 'iojs'
```
You can also use recipes `nodejs::nodejs` or `nodejs::iojs`.
### Install methods
#### Package
@ -57,7 +44,7 @@ include_recipe "nodejs"
include_recipe "nodejs::nodejs_from_package"
```
Note that only apt (Ubuntu, Debian) appears to have up to date packages available. Centos, RHEL, etc are non-functional (try `nodejs_from_binary` for those).
By default this will setup deb/rpm repositories from nodesource.com, which include up to date NodeJS packages. If you prefer to use distro provided package you can disable this behavior by setting `node['nodejs']['install_repo']` to `false`.
#### Binary
@ -66,12 +53,19 @@ Install node from official prebuilt binaries:
```chef
node['nodejs']['install_method'] = 'binary'
include_recipe "nodejs"
# Or
include_recipe "nodejs::nodejs_from_binary"
# Or set a specific version of nodejs to be installed
node.default['nodejs']['install_method'] = 'binary'
node.default['nodejs']['version'] = '5.9.0'
node.default['nodejs']['binary']['checksum'] = '99c4136cf61761fac5ac57f80544140a3793b63e00a65d4a0e528c9db328bf40'
# Or fetch the binary from your own location
node.default['nodejs']['install_method'] = 'binary'
node.default['nodejs']['binary']['url'] = 'https://s3.amazonaws.com/my-bucket/node-v7.8.0-linux-x64.tar.gz'
node.default['nodejs']['binary']['checksum'] = '0bd86f2a39221b532172c7d1acb57f0b0cba88c7b82ea74ba9d1208b9f6f9697'
```
#### Source
@ -95,22 +89,24 @@ include_recipe "nodejs::npm"
_Warning:_ This recipe will include the `nodejs` recipe, which by default includes `nodejs::nodejs_from_package` if you did not set `node['nodejs']['install_method']`.
## Custom Resources (Providers)
## Resources
### nodejs_npm
### npm_package
`nodejs_npm` let you install npm packages from various sources:
note: This resource was previously named nodejs_npm. Calls to that resource name will still function, but cookbooks should be updated for the new npm_package resource name.
`npm_package` let you install npm packages from various sources:
- npm registry:
- name: `attribute :package`
- version: `attribute :version` (optional)
- name: `property :package`
- version: `property :version` (optional)
- url: `attribute :url`
- url: `property :url`
- for git use `git://{your_repo}`
- from a json (package.json by default): `attribute :json`
- from a json (package.json by default): `property :json`
- use `true` for default
- use a `String` to specify json file
@ -129,27 +125,27 @@ This LWRP attempts to use vanilla npm as much as possible (no custom wrapper).
### Packages
```ruby
nodejs_npm "express"
npm_package 'express'
nodejs_npm "async" do
version "0.6.2"
npm_package 'async' do
version '0.6.2'
end
nodejs_npm "request" do
url "github mikeal/request"
npm_package 'request' do
url 'github mikeal/request'
end
nodejs_npm "grunt" do
path "/home/random/grunt"
npm_package 'grunt' do
path '/home/random/grunt'
json true
user "random"
user 'random'
end
nodejs_npm "my_private_module" do
path "/home/random/myproject" # The root path to your project, containing a package.json file
npm_package 'my_private_module' do
path '/home/random/myproject' # The root path to your project, containing a package.json file
json true
npm_token "12345-abcde-e5d4c3b2a1"
user "random"
npm_token '12345-abcde-e5d4c3b2a1'
user 'random'
options ['--production'] # Only install dependencies. Skip devDependencies
end
```
@ -186,7 +182,7 @@ Or add packages via attributes (which accept the same attributes as the LWRP abo
**Author:** Marius Ducea (marius@promethost.com) **Author:** Nathan L Smith (nlloyds@gmail.com) **Author:** Guilhem Lettron (guilhem@lettron.fr) **Author:** Barthelemy Vessemont (bvessemont@gmail.com)
**Copyright:** 2008-2016, Chef Software, Inc.
**Copyright:** 2008-2017, Chef Software, Inc.
```
Licensed under the Apache License, Version 2.0 (the "License");

21
cookbooks/nodejs/attributes/default.rb
View File

@ -1,8 +1,8 @@
#
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Attributes:: nodejs
#
# Copyright 2010-2012, Promet Solutions
# Copyright:: 2010-2017, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -18,25 +18,24 @@
#
case node['platform_family']
when 'smartos', 'rhel', 'debian', 'fedora', 'mac_os_x'
when 'smartos', 'rhel', 'debian', 'fedora', 'mac_os_x', 'suse', 'amazon'
default['nodejs']['install_method'] = 'package'
else
default['nodejs']['install_method'] = 'source'
end
default['nodejs']['engine'] = 'node' # or iojs
default['nodejs']['version'] = '6.9.1'
default['nodejs']['version'] = '6.10.2'
default['nodejs']['prefix_url']['node'] = 'https://nodejs.org/dist/'
default['nodejs']['prefix_url']['iojs'] = 'https://iojs.org/dist/'
default['nodejs']['source']['url'] = nil # Auto generated
default['nodejs']['source']['checksum'] = '0bdd8d1305777cc8cd206129ea494d6c6ce56001868dd80147aff531d6df0729'
default['nodejs']['source']['checksum'] = '9b897dd6604d50ae5fff25fd14b1c4035462d0598735799e0cfb4f17cb6e0d19'
default['nodejs']['binary']['url'] = nil # Auto generated
default['nodejs']['binary']['checksum']['linux_x64'] = 'd4eb161e4715e11bbef816a6c577974271e2bddae9cf008744627676ff00036a'
default['nodejs']['binary']['checksum']['linux_x86'] = 'f9b2ca03016e45bc35d2441a63a73db94d3e7b92350f15577d796467b9f7efb0'
default['nodejs']['binary']['checksum']['linux_arm64'] = '7aa69b6c8cff578d0d97d5bd4f76941b2fade5476f0408d53828666ee427dd4e'
default['nodejs']['binary']['checksum']['linux_x64'] = '35accd2d9ccac747eff0f236e2843bc2198ba7765e2340441d6230861bae4e1b'
default['nodejs']['binary']['checksum']['linux_x86'] = '6721221fab4e3b3a1be6573900b9e368c7a74ac1c1c3ae982e49c5583e8962e3'
default['nodejs']['binary']['checksum']['linux_arm64'] = '97de0340b6dbf38e3d995df880a94c58d403c3054676d8fc9192b83a3735f0b8'
default['nodejs']['make_threads'] = node['cpu'] ? node['cpu']['total'].to_i : 2
default['nodejs']['manage_node'] = true

1
cookbooks/nodejs/attributes/npm.rb
View File

@ -1,3 +1,2 @@
default['nodejs']['npm']['install_method'] = 'embedded'
default['nodejs']['npm']['version'] = 'latest'

20
cookbooks/nodejs/attributes/packages.rb
View File

@ -1,15 +1,11 @@
include_attribute 'nodejs::default'
include_attribute 'nodejs::repo'
case node['nodejs']['engine']
when 'node'
default['nodejs']['packages'] = value_for_platform_family(
'debian' => node['nodejs']['install_repo'] ? ['nodejs'] : ['nodejs', 'npm', 'nodejs-dev'],
%w(rhel fedora) => ['nodejs', 'nodejs-devel', 'npm'],
'mac_os_x' => ['node'],
'freebsd' => %w(node npm),
'default' => ['nodejs']
)
when 'iojs'
default['nodejs']['packages'] = ['iojs']
end
default['nodejs']['packages'] = value_for_platform_family(
'debian' => node['nodejs']['install_repo'] ? ['nodejs'] : ['nodejs', 'npm', 'nodejs-dev'],
%w(rhel fedora amazon) => node['nodejs']['install_repo'] ? ['nodejs', 'nodejs-devel'] : ['nodejs', 'npm', 'nodejs-dev'],
'suse' => node['platform_version'].to_i < 42 ? ['nodejs', 'nodejs-devel'] : ['nodejs4', 'npm4', 'nodejs4-devel'],
'mac_os_x' => ['node'],
'freebsd' => %w(node npm),
'default' => ['nodejs']
)

32
cookbooks/nodejs/attributes/repo.rb
View File

@ -1,22 +1,12 @@
case node['nodejs']['engine']
when 'node'
case node['platform_family']
when 'debian'
default['nodejs']['install_repo'] = true
default['nodejs']['repo'] = 'https://deb.nodesource.com/node'
default['nodejs']['keyserver'] = 'keyserver.ubuntu.com'
default['nodejs']['key'] = '1655a0ab68576280'
when 'rhel'
default['nodejs']['install_repo'] = true
end
when 'iojs'
case node['platform_family']
when 'debian'
default['nodejs']['install_repo'] = true
default['nodejs']['repo'] = 'https://deb.nodesource.com/iojs_2.x'
default['nodejs']['keyserver'] = 'keyserver.ubuntu.com'
default['nodejs']['key'] = '1655a0ab68576280'
end
case node['platform_family']
when 'debian'
default['nodejs']['install_repo'] = true
default['nodejs']['repo'] = 'https://deb.nodesource.com/node_6.x'
default['nodejs']['keyserver'] = 'keyserver.ubuntu.com'
default['nodejs']['key'] = '1655a0ab68576280'
when 'rhel', 'amazon'
default['nodejs']['install_repo'] = true
release_ver = platform?('amazon') ? 6 : node['platform_version'].to_i
default['nodejs']['repo'] = "https://rpm.nodesource.com/pub_6.x/el/#{release_ver}/$basearch"
default['nodejs']['key'] = 'https://rpm.nodesource.com/pub/el/NODESOURCE-GPG-SIGNING-KEY-EL'
end

18
cookbooks/nodejs/libraries/nodejs_helper.rb
View File

@ -2,7 +2,7 @@ module NodeJs
module Helper
def npm_dist
if node['nodejs']['npm']['url']
return { 'url' => node['nodejs']['npm']['url'] }
{ 'url' => node['nodejs']['npm']['url'] }
else
require 'open-uri'
@ -10,25 +10,21 @@ module NodeJs
result = JSON.parse(URI.parse("https://registry.npmjs.org/npm/#{node['nodejs']['npm']['version']}").read, max_nesting: false)
ret = { 'url' => result['dist']['tarball'], 'version' => result['_npmVersion'], 'shasum' => result['dist']['shasum'] }
Chef::Log.debug("Npm dist #{ret}")
return ret
ret
end
end
def npm_list(path = nil, environment = {})
def npm_list(package, path = nil, environment = {})
require 'json'
cmd = if path
Mixlib::ShellOut.new('npm list -json', cwd: path, environment: environment)
Mixlib::ShellOut.new("npm list #{package} -json", cwd: path, environment: environment)
else
Mixlib::ShellOut.new('npm list -global -json', environment: environment)
Mixlib::ShellOut.new("npm list #{package} -global -json", environment: environment)
end
JSON.parse(cmd.run_command.stdout, max_nesting: false)
end
def url_valid?(list, package)
list.fetch(package, {}).fetch('resolved', '').include?('url')
end
def version_valid?(list, package, version)
(version ? list[package]['version'] == version : true)
end
@ -36,9 +32,9 @@ module NodeJs
def npm_package_installed?(package, version = nil, path = nil, npm_token = nil)
environment = { 'NPM_TOKEN' => npm_token } if npm_token
list = npm_list(path, environment)['dependencies']
list = npm_list(package, path, environment)['dependencies']
# Return true if package installed and installed to good version
!list.nil? && list.key?(package) && version_valid?(list, package, version) && url_valid?(list, package)
!list.nil? && list.key?(package) && version_valid?(list, package, version)
end
end
end

66
cookbooks/nodejs/metadata.json
View File

File diff suppressed because one or more lines are too long

10
cookbooks/nodejs/recipes/default.rb
View File

@ -1,9 +1,9 @@
#
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: default
#
# Copyright 2010-2012, Promet Solutions
# Copyright:: 2010-2017, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -18,6 +18,6 @@
# limitations under the License.
#
include_recipe 'nodejs::install'
include_recipe 'nodejs::npm'
include_recipe 'nodejs::npm_packages'
include_recipe 'nodejs::install' if node['nodejs']['manage_node']
include_recipe 'nodejs::npm' if node['nodejs']['manage_node']
include_recipe 'nodejs::npm_packages' if node['nodejs']['manage_node']

4
cookbooks/nodejs/recipes/install.rb
View File

@ -1,9 +1,9 @@
#
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: install
#
# Copyright 2010-2012, Promet Solutions
# Copyright:: 2010-2017, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

24
cookbooks/nodejs/recipes/iojs.rb
View File

@ -1,23 +1 @@
#
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Recipe:: iojs
#
# Copyright 2010-2012, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
node.default['nodejs']['engine'] = 'iojs'
include_recipe 'nodejs::install'
Chef::Log.fatal('The nodejs::iojs recipe has been deprecated. If you need iojs installation pin to cookbook version 3.0.1.')

8
cookbooks/nodejs/recipes/nodejs.rb
View File

@ -1,9 +1,9 @@
#
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: nodejs
#
# Copyright 2010-2012, Promet Solutions
# Copyright:: 2010-2017, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -18,6 +18,4 @@
# limitations under the License.
#
node.default['nodejs']['engine'] = 'node'
include_recipe 'nodejs::install'
Chef::Log.fatal('The nodejs::nodejs recipe is no longer used. Use nodejs::install to install nodejs instead.')

36
cookbooks/nodejs/recipes/nodejs_from_binary.rb
View File

@ -1,6 +1,6 @@
#
# Author:: Julian Wilde (jules@jules.com.au)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: install_from_binary
#
# Licensed under the Apache License, Version 2.0 (the "License");
@ -18,29 +18,33 @@
Chef::Recipe.send(:include, NodeJs::Helper)
node.force_override['nodejs']['install_method'] = 'binary' # ~FC019
# Shamelessly borrowed from http://docs.chef.io/dsl_recipe_method_platform.html
# Surely there's a more canonical way to get arch?
arch = if node['kernel']['machine'] =~ /armv6l/
# FIXME: This should really check the version of node we're looking for
# as it seems that they haven't build an `arm-pi` version in a while...
# if it's old, return this, otherwise just return `node['kernel']['machine']`
'arm-pi' # assume a raspberry pi
elsif node['kernel']['machine'] =~ /aarch64/
'arm64'
elsif node['kernel']['machine'] =~ /x86_64/
'x64'
elsif node['kernel']['machine'] =~ /\d86/
'x86'
else
node['kernel']['machine'] =~ /x86_64/ ? 'x64' : 'x86'
node['kernel']['machine']
end
# package_stub is for example: "node-v6.9.1-linux-x64.tar.xz"
version = "v#{node['nodejs']['version']}/"
prefix = node['nodejs']['prefix_url'][node['nodejs']['engine']]
# needed to uncompress the binary
package 'tar' if platform_family?('rhel', 'fedora', 'amazon', 'suse')
if node['nodejs']['engine'] == 'iojs'
filename = "iojs-v#{node['nodejs']['version']}-linux-#{arch}.tar.xz"
archive_name = 'iojs-binary'
binaries = ['bin/iojs', 'bin/node']
else
filename = "node-v#{node['nodejs']['version']}-linux-#{arch}.tar.xz"
archive_name = 'nodejs-binary'
binaries = ['bin/node']
end
# package_stub is for example: "node-v6.9.1-linux-x64.tar.gz"
version = "v#{node['nodejs']['version']}/"
prefix = node['nodejs']['prefix_url']['node']
filename = "node-v#{node['nodejs']['version']}-linux-#{arch}.tar.gz"
archive_name = 'nodejs-binary'
binaries = ['bin/node']
binaries.push('bin/npm') if node['nodejs']['npm']['install_method'] == 'embedded'

8
cookbooks/nodejs/recipes/nodejs_from_package.rb
View File

@ -1,11 +1,11 @@
#
# Author:: Nathan L Smith (nlloyds@gmail.com)
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: package
#
# Copyright 2012, Cramer Development, Inc.
# Copyright 2013, Opscale
# Copyright:: 2012-2017, Cramer Development, Inc.
# Copyright:: 2013-2017, Opscale
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -20,8 +20,6 @@
# limitations under the License.
#
node.force_override['nodejs']['install_method'] = 'package' # ~FC019
include_recipe 'nodejs::repo' if node['nodejs']['install_repo']
unless node['nodejs']['packages']

24
cookbooks/nodejs/recipes/nodejs_from_source.rb
View File

@ -1,9 +1,9 @@
#
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: source
#
# Copyright 2010-2012, Promet Solutions
# Copyright:: 2010-2017, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -20,29 +20,19 @@
Chef::Recipe.send(:include, NodeJs::Helper)
node.force_override['nodejs']['install_method'] = 'source' # ~FC019
include_recipe 'build-essential'
case node['platform_family']
when 'rhel', 'fedora'
package 'openssl-devel'
package 'xz'
when 'rhel', 'fedora', 'amazon'
package %w(openssl-devel tar)
when 'debian'
package 'libssl-dev'
package 'xz-utils'
end
version = "v#{node['nodejs']['version']}/"
prefix = node['nodejs']['prefix_url'][node['nodejs']['engine']]
if node['nodejs']['engine'] == 'iojs'
filename = "iojs-v#{node['nodejs']['version']}.tar.xz"
archive_name = 'iojs-source'
else
filename = "node-v#{node['nodejs']['version']}.tar.xz"
archive_name = 'nodejs-source'
end
prefix = node['nodejs']['prefix_url']['node']
filename = "node-v#{node['nodejs']['version']}.tar.gz"
archive_name = 'nodejs-source'
nodejs_src_url = node['nodejs']['source']['url'] || ::URI.join(prefix, version, filename).to_s

4
cookbooks/nodejs/recipes/npm.rb
View File

@ -1,9 +1,9 @@
#
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: npm
#
# Copyright 2010-2012, Promet Solutions
# Copyright:: 2010-2017, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.

8
cookbooks/nodejs/recipes/npm_from_source.rb
View File

@ -1,9 +1,9 @@
#
# Author:: Marius Ducea (marius@promethost.com)
# Cookbook Name:: nodejs
# Cookbook:: nodejs
# Recipe:: npm
#
# Copyright 2010-2012, Promet Solutions
# Copyright:: 2010-2017, Promet Solutions
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -20,9 +20,7 @@
Chef::Recipe.send(:include, NodeJs::Helper)
node.force_override['nodejs']['npm']['install_method'] = 'source' # ~FC019
include_recipe 'nodejs::install'
include_recipe 'nodejs::nodejs_from_source'
dist = npm_dist

7
cookbooks/nodejs/recipes/npm_packages.rb
View File

@ -1,10 +1,11 @@
node['nodejs']['npm_packages'].each do |pkg|
f = nodejs_npm pkg['name'] do
pkg_action = pkg.key?('action') ? pkg['action'] : :install
f = npm_package "nodejs_npm-#{pkg['name']}-#{pkg_action}" do
action :nothing
package pkg['name']
end
pkg.each do |key, value|
f.send(key, value) unless key == 'name' || key == 'action'
end
action = pkg.key?('action') ? pkg['action'] : :install
f.action(action)
f.action(pkg_action)
end if node['nodejs'].key?('npm_packages')

12
cookbooks/nodejs/recipes/repo.rb
View File

@ -1,6 +1,8 @@
case node['platform_family']
when 'debian'
include_recipe 'apt'
package 'nodejs-apt-transport-https' do
package_name 'apt-transport-https'
end
apt_repository 'node.js' do
uri node['nodejs']['repo']
@ -9,6 +11,10 @@ when 'debian'
keyserver node['nodejs']['keyserver']
key node['nodejs']['key']
end
when 'rhel'
include_recipe 'yum-epel'
when 'rhel', 'amazon'
yum_repository 'node.js' do
description 'nodesource.com nodejs repository'
baseurl node['nodejs']['repo']
gpgkey node['nodejs']['key']
end
end

100
cookbooks/nodejs/resources/npm_package.rb Normal file
View File

@ -0,0 +1,100 @@
#
# Cookbook:: nodejs
# Resource:: npm
#
# Author:: Sergey Balbeko <sergey@balbeko.com>
#
# Copyright:: 2012-2017, Sergey Balbeko
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
resource_name :npm_package
# backwards compatibility for the old resource name
provides :nodejs_npm
property :package, name_property: true
property :version, String
property :path, String
property :url, String
property :json, [String, true]
property :npm_token, String
property :options, Array, default: []
property :user, String
property :group, String
def initialize(*args)
super
@run_context.include_recipe 'nodejs::npm' if node['nodejs']['manage_node']
end
action :install do
execute "install NPM package #{new_resource.package}" do
cwd new_resource.path
command "npm install #{npm_options}"
user new_resource.user
group new_resource.group
environment npm_env_vars
not_if { package_installed? }
end
end
action :uninstall do
execute "uninstall NPM package #{new_resource.package}" do
cwd new_resource.path
command "npm uninstall #{npm_options}"
user new_resource.user
group new_resource.group
environment npm_env_vars
only_if { package_installed? }
end
end
action_class do
include NodeJs::Helper
def npm_env_vars
env_vars = {}
env_vars['HOME'] = ::Dir.home(new_resource.user) if new_resource.user
env_vars['USER'] = new_resource.user if new_resource.user
env_vars['NPM_TOKEN'] = new_resource.npm_token if new_resource.npm_token
env_vars
end
def package_installed?
new_resource.package && npm_package_installed?(new_resource.package, new_resource.version, new_resource.path, new_resource.npm_token)
end
def npm_options
options = ''
options << ' -global' unless new_resource.path
new_resource.options.each do |option|
options << " #{option}"
end
options << " #{npm_package}"
end
def npm_package
if new_resource.json
new_resource.json.is_a?(String) ? new_resource.json : nil
elsif new_resource.url
new_resource.url
elsif new_resource.package
new_resource.version ? "#{new_resource.package}@#{new_resource.version}" : new_resource.package
else
Chef::Log.error("No good options found to install #{new_resource.package}")
end
end
end

88
cookbooks/sudo/CHANGELOG.md
View File

@ -2,6 +2,94 @@
This file is used to list changes made in each version of the sudo cookbook.
## 5.3.3 (2018-03-22)
- Properly deprecate the undocumented visudo_path property for visudo_binary. Without realizing it later on when I went to make a release I changed the behavior of this property. It was never documented in the readme or the changelog so I suspect few people are using it, but just in case we fail hard on the old name now with helpful messaging.
- Properly return true in method that looks for visudo
- Avoid name conflicts between properties and the path helper method
## 5.3.2 (2018-03-22)
- Restore resource behavior on FreeBSD.
## 5.3.1 (2018-03-13)
- Use visudo_path property to override the path to visudo
- Handle poorly deliminated strings in the users property
- Add backwards compatibility for the :delete action
## 5.3.0 (2018-03-13)
- Use the includedir directive on Solaris and macOS in addition to Linux. All three of these platforms support it out of the box on non-EOL releases
- Fail with a useful message in the resource when on FreeBSD since FreeBSD doesn't support sudoers.d`
- Skip / warn if visudo isn't present where we expect it to be instead of failing hard
- Fully support macOS in the resource and recipe
## 5.2.0 (2018-03-13)
- Refactored the resource to use Chef's built in template verification functionality. This avoids a lot of custom work we did in the resource to verify the config file before we wrote it out. Not only does this reduce code complexity/fragility in this cookbook, it removes the double template resource you'd see in converges before.
## 5.1.0 (2018-03-13)
- Rework the readme to with additional documentation on the resource
- Fix a compilation failure if the user was specifying their own template
- Improve the conditions in which the property validation fails
- Renamed the group property to groups with backwards compatibility
- Renamed the user property to users with backwards compatibility
- Change the type of users/groups to Arrays so you can either specify comma separated lists or arrays of users/groups
- Improve the splitting of the list of users/groups to handle spaces before/after the commas
- Properly add % to each group name in arrays as well as comma separated lists. Also support the scenario where one group has a % and the other does not
- Support setting up sudo for both users and groups in the same config. We now combine the users and groups as you would expect
## 5.0.0 (2018-03-11)
- Converted the LWRP to a custom resource
- Changed the package install logic to only try to install sudo when we're on a docker guest where sudo is generally missing. This uses the docker? helper which requires 12.21.3, which is the new minimum Chef version supported by this cookbook
- The property validation logic previously in the resource is now actually run. This prevents combinations of resources that will not work together from being used.
- Reordered the readme to list the resource first as this is the preferred way to use this resource
- Removed the `node['authorization']['sudo']['prefix']` attribute. In the recipe this is automatically determined. In the resource there is a new `config_prefix` property. This should have no impact on users as the proper settings for each OS are still specified.
- Added a new filename name_property is you want to specify the filename as something different than the resource's name. This helps avoid resource cloning issues.
- The `:install` action has been renamed to `:create`, while retaining backwards compatibility with the old name
- Resolved FC085 Foodcritic warning
## 4.0.1 (2018-02-16)
- FIX: in templates the attribute "passwordless" and other with data type String always will be return true
- Add an attribute for setting sudoers.d mode
- Removed the ChefSpec matchers. These are now autogenerated by ChefSpec. If you are seeing matcher failure upgrade to ChefDK 2.4 or later.
## 4.0.0 (2017-11-28)
### Breaking Changes
- sudo .d functionality is now enabled by default on Linux systems. This allows the sudo resource to function with setting `node['authorization']['sudo']['include_sudoers_d']` to true. Only some older / EoL distros this will break sudo functionality so make sure you test this and set it to false if you're running an EoL distro
- The `sysadmin` group is no longer added to sudoers by default anymore. Historically many community cookbooks assumed all admins were in this sysadmins group. We've moved away from that assumption since it was a suprise to many when this group was added. If you rely on this behavior make sure to `node['authorization']['sudo']['groups']` attribute to inlude the sysadmin group.
### Other Changes
- Remove the debian-isms from the sudo.d readme file which is copied onto multiple Linux systems
- Remove an old RHEL 5 example from the readme
- Fix ChefSpec warnings
- Improve Travis testing and add Debian 9 testing
- Setenv for restricted users
- Improve visudo path resolution on non-Debian distros
## 3.5.3 (2017-07-09)
- Add amazon linux to the metadata
- Remove extra spaces in the sudoer template
- Update platform names in the readme
- Replace the HTML table with markdown
## 3.5.2 (2017-06-26)
- Remove totally bogus "supports" attribute from the resource
- Revert "Remove sysadmin from default groups". We'll handle this differently going forward. Sorry for the breakage
## 3.5.1 (2017-06-21)
- Remove sysadmin from default groups as sysadmin is no longer a group we push via the users cookbook.
## 3.5.0 (2017-05-16)
- Add sudo package management to resource

282
cookbooks/sudo/README.md
View File

@ -2,7 +2,7 @@
[![Build Status](https://travis-ci.org/chef-cookbooks/sudo.svg?branch=master)](http://travis-ci.org/chef-cookbooks/sudo) [![Cookbook Version](https://img.shields.io/cookbook/v/sudo.svg)](https://supermarket.chef.io/cookbooks/sudo)
The default recipe installs the `sudo` package and configures the `/etc/sudoers` file. The cookbook also includes a sudo resource to adding and removing individual sudo entries.
The default recipe configures the `/etc/sudoers` file. The cookbook also includes a sudo resource to adding and removing individual sudo entries.
## Requirements
@ -10,31 +10,133 @@ The default recipe installs the `sudo` package and configures the `/etc/sudoers`
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- Amazon Linux
- FreeBSD
- Mac OS X
- openSUSE / Suse
- macOS
- openSUSE / SUSE Enterprise
### Chef
- Chef 12.1+
- Chef 12.21.3+
### Cookbooks
- None
## Attributes
## Resource
- `node['authorization']['sudo']['groups']` - groups to enable sudo access (default: `[ "sysadmin" ]`)
Use the sudo resource to add or remove individual sudo entries using sudoers.d files.
**Note** Sudo version 1.7.2 or newer is required to use the sudo resource as it relies on the "#includedir" directive introduced in version 1.7.2\. The resource does not enforce installing the version. Supported releases of Ubuntu, Debian and RHEL (6+) all support this feature.
### Actions
- `:create` - Create a sudoers config
- `:delete` - Delete a sudoers config
### Properties
Property | Description | Example Value | Default Value
------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ---------------
`filename` | name of the `/etc/sudoers.d` file | restart-tomcat | resource's name
`commands` | array of commands this sudoer can execute | ['/etc/init.d/tomcat restart'] | ['ALL']
`groups` | group(s) to provide sudo privileges to. This accepts either an array or a comma separated list. Leading % on group names is optional. This property was named 'group' prior to the 5.1 cookbook release. | %admin,superadmin | []
`nopasswd` | allow running sudo without specifying a password sudo | true | false
`noexec` | prevents commands from shelling out | true | false
`runas` | User the command(s) can be run as | root | ALL
`template` | the erb template to render instead of the default | restart-tomcat.erb |
`users` | user(s) to provide sudo privileges to. This accepts either an array or a comma separated. This property was named 'user' prior to the 5.1 cookbook release. list. | [tomcat, webapp] | []
`defaults` | array of defaults this user has | ['!requiretty','env_reset'] |
`setenv` | whether to permit the preserving of environment with `sudo -E` | true | false
`env_keep_add` | array of strings to add to env_keep | ['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR'] |
`env_keep_subtract` | array of strings to remove from env_keep | ['DISPLAY', 'MY_SECURE_ENV_VAR'] |
`variables` | the variables to pass to the custom template. Ignored if not using a custom template. | commands: ['/etc/init.d/tomcat restart'] |
**If you use the template property, all other properties will be ignored except for the variables property.**
### Examples
#### user bob sudo privileges for any command
```ruby
sudo 'bob' do
user 'bob'
end
```
#### group sysadmin passwordless sudo privileges for any command
```ruby
sudo "sysadmin" do
group "sysadmin"
nopasswd true
end
```
#### group sysadmin/superadmin and user bob passwordless sudo privileges for any command
```ruby
sudo "sysadmin" do
group ['sysadmin', 'superadmin']
user "bob"
nopasswd true
end
```
### Built-In vs. Provided Templates
The resource provides two methods for templating the sudoers config files:
1. Using the built-in template
2. Using a custom, cookbook-level template
Both methods will create the `/etc/sudoers.d/#{resourcename}` files with the correct permissions.
The resource also performs **fragment validation**. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).
#### Using the Built-in Template
```ruby
sudo 'tomcat' do
user '%tomcat' # or a username
runas 'app_user' # or 'app_user:tomcat'
commands ['/etc/init.d/tomcat restart']
end
```
#### Specifying Your Own Template
```ruby
sudo 'tomcat' do
template 'my_tomcat.erb' # local cookbook template
variables cmds: ['/etc/init.d/tomcat restart']
end
```
In either case, the following file would be generated in `/etc/sudoers.d/tomcat`
```bash
# This file is managed by Chef for node.example.com
# Do NOT modify this file directly.
%tomcat ALL=(app_user) /etc/init.d/tomcat restart
```
## Usage
We highly recommend using the sudo resource to define individual sudo entries, but this cookbook also ships with a recipe that can be included on a run_list and controlled using attributes.
### Attributes
- `node['authorization']['sudo']['groups']` - groups to enable sudo access (default: `[]`)
- `node['authorization']['sudo']['users']` - users to enable sudo access (default: `[]`)
- `node['authorization']['sudo']['passwordless']` - use passwordless sudo (default: `false`)
- `node['authorization']['sudo']['include_sudoers_d']` - include and manage `/etc/sudoers.d` (default: `false`)
- `node['authorization']['sudo']['include_sudoers_d']` - include and manage `/etc/sudoers.d` (default: `true` on Linux systems. Note: older / EOL distros do not support this feature)
- `node['authorization']['sudo']['agent_forwarding']` - preserve `SSH_AUTH_SOCK` when sudoing (default: `false`)
- `node['authorization']['sudo']['sudoers_defaults']` - Array of `Defaults` entries to configure in `/etc/sudoers`
- `node['authorization']['sudo']['setenv']` - Whether to permit preserving of environment with `sudo -E` (default: `false`)
## Usage
### Attributes
### Using the Attributes
To use attributes for defining sudoers, set the attributes above on the node (or role) itself:
@ -115,7 +217,7 @@ _Debian_
node.default['authorization']['sudo']['sudoers_defaults'] = ['env_reset']
```
_Ubuntu 12.04_
_Ubuntu_
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
@ -133,21 +235,6 @@ node.default['authorization']['sudo']['sudoers_defaults'] = [
]
```
_RHEL family 5.x_ The version of sudo in RHEL 5 may not support `+=`, as used in `env_keep`, so its a single string.
```ruby
node.default['authorization']['sudo']['sudoers_defaults'] = [
'!visiblepw',
'env_reset',
'env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"'
]
```
_RHEL family 6.x_
```ruby
@ -184,148 +271,13 @@ node.default['authorization']['sudo']['sudoers_defaults'] = [
]
```
### Sudo Resource
## Maintainers
**Note** Sudo version 1.7.2 or newer is required to use the sudo LWRP as it relies on the "#includedir" directive introduced in version 1.7.2. The recipe does not enforce installing the version. To use this LWRP, set `node['authorization']['sudo']['include_sudoers_d']` to `true`.
This cookbook is maintained by Chef's Community Cookbook Engineering team. Our goal is to improve cookbook quality and to aid the community in contributing to cookbooks. To learn more about our team, process, and design goals see our [team documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/COOKBOOK_TEAM.MD). To learn more about contributing to cookbooks like this see our [contributing documentation](https://github.com/chef-cookbooks/community_cookbook_documentation/blob/master/CONTRIBUTING.MD), or if you have general questions about this cookbook come chat with us in #cookbok-engineering on the [Chef Community Slack](http://community-slack.chef.io/)
There are two ways for rendering a sudoer-fragment using this LWRP:
1. Using the built-in template
2. Using a custom, cookbook-level template
## License
Both methods will create the `/etc/sudoers.d/#{resourcename}` file with the correct permissions.
The LWRP also performs **fragment validation**. If a sudoer-fragment is not valid, the Chef run will throw an exception and fail. This ensures that your sudoers file is always valid and cannot become corrupt (from this cookbook).
Example using the built-in template:
```ruby
sudo 'tomcat' do
user "%tomcat" # or a username
runas 'app_user' # or 'app_user:tomcat'
commands ['/etc/init.d/tomcat restart']
end
```
```ruby
sudo 'tomcat' do
template 'my_tomcat.erb' # local cookbook template
variables :cmds => ['/etc/init.d/tomcat restart']
end
```
In either case, the following file would be generated in `/etc/sudoers.d/tomcat`
```bash
# This file is managed by Chef for node.example.com
# Do NOT modify this file directly.
%tomcat ALL=(app_user) /etc/init.d/tomcat restart
```
#### Resource Properties
<table>
<thead>
<tr>
<th>Attribute</th>
<th>Description</th>
<th>Example</th>
<th>Default</th>
</tr>
</thead>
<tbody>
<tr>
<td>name</td>
<td>name of the `/etc/sudoers.d` file</td>
<td><tt>restart-tomcat</tt></td>
<td>current resource name</td>
</tr>
<tr>
<td>commands</td>
<td>array of commands this sudoer can execute</td>
<td><tt>['/etc/init.d/tomcat restart']</tt></td>
<td><tt>['ALL']</tt></td>
</tr>
<tr>
<td>group</td>
<td>group to provide sudo privileges to, except `%` is prepended to the name in
case it is not already</td>
<td><tt>%admin</tt></td>
<td></td>
</tr>
<tr>
<td>nopasswd</td>
<td>supply a password to invoke sudo</td>
<td><tt>true</tt></td>
<td><tt>false</tt></td>
</tr>
<tr>
<td>noexec</td>
<td>prevents commands from shelling out</td>
<td><tt>true</tt></td>
<td><tt>false</tt></td>
</tr>
<tr>
<td>runas</td>
<td>User the command(s) can be run as</td>
<td><tt>root</tt></td>
<td><tt>ALL</tt></td>
</tr>
<tr>
<td>template</td>
<td>the erb template to render instead of the default</td>
<td><tt>restart-tomcat.erb</tt></td>
<td></td>
</tr>
<tr>
<td>user</td>
<td>user to provide sudo privileges to</td>
<td><tt>tomcat</tt></td>
<td></td>
</tr>
<tr>
<td>defaults</td>
<td>array of defaults this user has</td>
<td><tt>['!requiretty','env_reset']</tt></td>
<td></td>
</tr>
<tr>
<td>setenv</td>
<td>whether to permit the preserving of environment with `sudo -E`</td>
<td><tt>true</tt></td>
<td><tt><false></tt></td>
</tr>
<tr>
<td>env_keep_add</td>
<td>array of strings to add to env_keep</td>
<td><tt>['HOME', 'MY_ENV_VAR MY_OTHER_ENV_VAR']</tt></td>
<td></td>
</tr>
<tr>
<td>env_keep_subtract</td>
<td>array of strings to remove from env_keep</td>
<td><tt>['DISPLAY', 'MY_SECURE_ENV_VAR']</tt></td>
<td></td>
</tr>
<tr>
<td>variables</td>
<td>the variables to pass to the custom template</td>
<td><tt>:commands => ['/etc/init.d/tomcat restart']</tt></td>
<td></td>
</tr>
</tbody>
</table>
**If you use the template attribute, all other attributes will be ignored except for the variables attribute.**
## License & Authors
**Author:** Bryan W. Berry [bryan.berry@gmail.com](mailto:bryan.berry@gmail.com)
**Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io))
**Copyright:** 2008-2016, Chef Software, Inc.
**Copyright:** 2008-2018, Chef Software, Inc.
```
Licensed under the Apache License, Version 2.0 (the "License");

18
cookbooks/sudo/attributes/default.rb
View File

@ -1,8 +1,8 @@
#
# Cookbook:: sudo
# Attribute:: File:: default
# Attribute:: default
#
# Copyright:: 2008-2016, Chef Software, Inc.
# Copyright:: 2008-2018, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -17,11 +17,12 @@
# limitations under the License.
#
default['authorization']['sudo']['groups'] = ['sysadmin']
default['authorization']['sudo']['groups'] = []
default['authorization']['sudo']['users'] = []
default['authorization']['sudo']['passwordless'] = false
default['authorization']['sudo']['setenv'] = false
default['authorization']['sudo']['include_sudoers_d'] = false
default['authorization']['sudo']['include_sudoers_d'] = %(solaris2, linux, darwin).include?(node['os']) ? true : false
default['authorization']['sudo']['sudoers_d_mode'] = '0755'
default['authorization']['sudo']['agent_forwarding'] = false
default['authorization']['sudo']['sudoers_defaults'] = ['!lecture,tty_tickets,!fqdn']
default['authorization']['sudo']['command_aliases'] = []
@ -29,12 +30,3 @@ default['authorization']['sudo']['env_keep_add'] = []
default['authorization']['sudo']['env_keep_subtract'] = []
default['authorization']['sudo']['custom_commands']['users'] = []
default['authorization']['sudo']['custom_commands']['groups'] = []
default['authorization']['sudo']['prefix'] = case node['platform_family']
when 'smartos'
'/opt/local/etc'
when 'freebsd'
'/usr/local/etc'
else
'/etc'
end

11
cookbooks/sudo/files/README
View File

@ -1,17 +1,6 @@
#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
#
# #includedir /etc/sudoers.d
#
# This will cause sudo to read and parse any files in the /etc/sudoers.d
# directory that do not end in '~' or contain a '.' character.
#
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
#
# Note also, that because sudoers contents can vary widely, no attempt is
# made to add this directive to existing sudoers files on upgrade. Feel free
# to add the above directive to the end of your /etc/sudoers file to enable
# this functionality for existing installations if you wish!
#

2
cookbooks/sudo/metadata.json
View File

File diff suppressed because one or more lines are too long

28
cookbooks/sudo/recipes/default.rb
View File

@ -2,7 +2,7 @@
# Cookbook:: sudo
# Recipe:: default
#
# Copyright:: 2008-2016, Chef Software, Inc.
# Copyright:: 2008-2018, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -17,27 +17,32 @@
# limitations under the License.
#
prefix = node['authorization']['sudo']['prefix']
package 'sudo' do
not_if 'which sudo'
end
config_prefix = case node['platform_family']
when 'smartos'
'/opt/local/etc'
when 'freebsd'
'/usr/local/etc'
when 'mac_os_x'
'/private/etc'
else
'/etc'
end
if node['authorization']['sudo']['include_sudoers_d']
directory "#{prefix}/sudoers.d" do
mode '0755'
directory "#{config_prefix}/sudoers.d" do
mode node['authorization']['sudo']['sudoers_d_mode']
owner 'root'
group node['root_group']
end
cookbook_file "#{prefix}/sudoers.d/README" do
cookbook_file "#{config_prefix}/sudoers.d/README" do
mode '0440'
owner 'root'
group node['root_group']
end
end
template "#{prefix}/sudoers" do
template "#{config_prefix}/sudoers" do
source 'sudoers.erb'
mode '0440'
owner 'root'
@ -54,6 +59,7 @@ template "#{prefix}/sudoers" do
env_keep_add: node['authorization']['sudo']['env_keep_add'],
env_keep_subtract: node['authorization']['sudo']['env_keep_subtract'],
custom_commands_users: node['authorization']['sudo']['custom_commands']['users'],
custom_commands_groups: node['authorization']['sudo']['custom_commands']['groups']
custom_commands_groups: node['authorization']['sudo']['custom_commands']['groups'],
config_prefix: config_prefix
)
end

176
cookbooks/sudo/resources/default.rb
View File

@ -1,9 +1,15 @@
#
# Author:: Bryan W. Berry (<bryan.berry@gmail.com>)
# Cookbook:: sudo
# Resource:: default
#
# Copyright:: 2011-2016, Bryan w. Berry
# Author:: Bryan W. Berry (<bryan.berry@gmail.com>)
# Author:: Seth Vargo (<sethvargo@gmail.com>)
# Author:: Tim Smith (<tsmith@chef.io>)
#
# Copyright:: 2011-2018, Bryan w. Berry
# Copyright:: 2012-2018, Seth Vargo
# Copyright:: 2015-2018, Chef Software, Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -17,41 +23,137 @@
# See the License for the specific language governing permissions and
# limitations under the License.
actions :install, :remove
default_action :install
# acording to the sudo man pages sudo will ignore files in an include dir that have a `.` or `~`
# We convert either to `__`
property :filename, String, name_property: true, coerce: proc { |x| x.gsub(/[\.~]/, '__') }
property :users, [String, Array], default: [], coerce: proc { |x| x.is_a?(Array) ? x : x.split(/\s*,\s*/) }
property :groups, [String, Array], default: [], coerce: proc { |x| coerce_groups(x) }
property :commands, Array, default: ['ALL']
property :host, String, default: 'ALL'
property :runas, String, default: 'ALL'
property :nopasswd, [true, false], default: false
property :noexec, [true, false], default: false
property :template, String
property :variables, [Hash, nil], default: nil
property :defaults, Array, default: []
property :command_aliases, Array, default: []
property :setenv, [true, false], default: false
property :env_keep_add, Array, default: []
property :env_keep_subtract, Array, default: []
property :visudo_path, String # legacy placeholder for cookbook users. We raise when used below
property :visudo_binary, String, default: '/usr/sbin/visudo'
property :config_prefix, String, default: lazy { platform_config_prefix }
attribute :user, kind_of: String, default: nil
attribute :group, kind_of: String, default: nil
attribute :commands, kind_of: Array, default: ['ALL']
attribute :host, kind_of: String, default: 'ALL'
attribute :runas, kind_of: String, default: 'ALL'
attribute :nopasswd, equal_to: [true, false], default: false
attribute :noexec, equal_to: [true, false], default: false
attribute :template, kind_of: String, default: nil
attribute :variables, kind_of: Hash, default: nil
attribute :defaults, kind_of: Array, default: []
attribute :command_aliases, kind_of: Array, default: []
attribute :setenv, equal_to: [true, false], default: false
attribute :env_keep_add, kind_of: Array, default: []
attribute :env_keep_subtract, kind_of: Array, default: []
# Set default for the supports attribute in initializer since it is
# a 'reserved' attribute name
def initialize(*args)
super
@action = :install
@supports = { report: true, exception: true }
# handle legacy cookbook property
def after_created
raise "The 'visudo_path' property from the sudo cookbook has been replaced with the 'visudo_binary' property. The path is now more intelligently determined and for most users specifying the path should no longer be necessary. If this resource still cannot determine the path to visudo then provide the full path to the binary with the 'visudo_binary' property." if visudo_path
end
state_attrs :commands,
:group,
:host,
:nopasswd,
:noexec,
:runas,
:template,
:user,
:variables,
:command_aliases,
:env_keep_add,
:env_keep_subtract
# VERY old legacy properties
alias_method :user, :users
alias_method :group, :groups
# make sure each group starts with a %
def coerce_groups(x)
# split strings on the commas with optional spaces on either side
groups = x.is_a?(Array) ? x : x.split(/\s*,\s*/)
# make sure all the groups start with %
groups.map { |g| g[0] == '%' ? g : "%#{g}" }
end
# default config prefix paths based on platform
# @return [String]
def platform_config_prefix
case node['platform_family']
when 'smartos'
'/opt/local/etc'
when 'mac_os_x'
'/private/etc'
when 'freebsd'
'/usr/local/etc'
else
'/etc'
end
end
# Default action - install a single sudoer
action :create do
validate_properties
if docker? # don't even put this into resource collection unless we're in docker
declare_resource(:package, 'sudo') do
action :nothing
not_if 'which sudo'
end.run_action(:install)
end
target = "#{new_resource.config_prefix}/sudoers.d/"
declare_resource(:directory, target) unless ::File.exist?(target)
Chef::Log.warn("#{new_resource.filename} will be rendered, but will not take effect because the #{new_resource.config_prefix}/sudoers config lacks the includedir directive that loads configs from #{new_resource.config_prefix}/sudoers.d/!") if ::File.readlines("#{new_resource.config_prefix}/sudoers").grep(/includedir/).empty?
if new_resource.template
Chef::Log.debug('Template property provided, all other properties ignored.')
declare_resource(:template, "#{target}#{new_resource.filename}") do
source new_resource.template
mode '0440'
variables new_resource.variables
verify "#{new_resource.visudo_binary} -cf %{path}" if visudo_present?
action :create
end
else
declare_resource(:template, "#{target}#{new_resource.filename}") do
source 'sudoer.erb'
cookbook 'sudo'
mode '0440'
variables sudoer: (new_resource.groups + new_resource.users).join(','),
host: new_resource.host,
runas: new_resource.runas,
nopasswd: new_resource.nopasswd,
noexec: new_resource.noexec,
commands: new_resource.commands,
command_aliases: new_resource.command_aliases,
defaults: new_resource.defaults,
setenv: new_resource.setenv,
env_keep_add: new_resource.env_keep_add,
env_keep_subtract: new_resource.env_keep_subtract
verify "#{new_resource.visudo_binary} -cf %{path}" if visudo_present?
action :create
end
end
end
action :install do
Chef::Log.warn('The sudo :install action has been renamed :create. Please update your cookbook code for the new action')
action_create
end
action :remove do
Chef::Log.warn('The sudo :remove action has been renamed :delete. Please update your cookbook code for the new action')
action_delete
end
# Removes a user from the sudoers group
action :delete do
file "#{new_resource.config_prefix}/sudoers.d/#{new_resource.filename}" do
action :delete
end
end
action_class do
# Ensure that the inputs are valid (we cannot just use the resource for this)
def validate_properties
# if group, user, env_keep_add, env_keep_subtract and template are nil, throw an exception
raise 'You must specify users, groups, env_keep_add, env_keep_subtract, or template properties!' if new_resource.users.empty? && new_resource.groups.empty? && new_resource.template.nil? && new_resource.env_keep_add.empty? && new_resource.env_keep_subtract.empty?
# if specifying user or group and template at the same time fail
raise 'You cannot specify users or groups properties and also specify a template. To use your own template pass in all template variables using the variables property.' if (!new_resource.users.empty? || !new_resource.groups.empty?) && !new_resource.template.nil?
end
def visudo_present?
return true if ::File.exist?(new_resource.visudo_binary)
Chef::Log.warn("The visudo binary cannot be found at '#{new_resource.visudo_binary}'. Skipping sudoer file validation. If visudo is on this system you can specify the path using the 'visudo_binary' property.")
end
end

6
cookbooks/sudo/templates/default/sudoer.erb
View File

@ -4,19 +4,15 @@
<% @command_aliases.each do |a| -%>
Cmnd_Alias <%= a[:name].upcase %> = <%= a[:command_list].join(', ') %>
<% end -%>
<% @env_keep_add.each do |env_keep| -%>
Defaults env_keep += "<%= env_keep %>"
<% end -%>
<% @env_keep_subtract.each do |env_keep| -%>
Defaults env_keep -= "<%= env_keep %>"
<% end -%>
<% @commands.each do |command| -%>
<% if @sudoer %><%= @sudoer %> <%= @host %>=(<%= @runas %>) <%= 'NOEXEC:' if @noexec %><%= 'NOPASSWD:' if @nopasswd %><%= 'SETENV:' if @setenv %><%= command %><% end -%>
<% unless @sudoer.empty? %><%= @sudoer %> <%= @host %>=(<%= @runas %>) <%= 'NOEXEC:' if @noexec %><%= 'NOPASSWD:' if @nopasswd.to_s == 'true' %><%= 'SETENV:' if @setenv.to_s == 'true' %><%= command %><% end -%>
<% end -%>
<% unless @defaults.empty? %>
Defaults:<%= @sudoer %> <%= @defaults.join(',') %>
<% end -%>

12
cookbooks/sudo/templates/default/sudoers.erb
View File

@ -4,7 +4,7 @@
<% @sudoers_defaults.each do |defaults| -%>
Defaults <%= defaults %>
<% end -%>
<% if @agent_forwarding -%>
<% if @agent_forwarding.to_s == 'true' -%>
Defaults env_keep+=SSH_AUTH_SOCK
<% end -%>
<% @env_keep_add.each do |env_keep| -%>
@ -19,12 +19,12 @@ root ALL=(ALL) ALL
<% @custom_commands_users.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for user <%= commands[:user] %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %><%= "SETENV:" if @setenv %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @custom_commands_groups.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for group <%= commands[:group] %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %><%= "SETENV:" if @setenv %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @command_aliases.each do |a| -%>
@ -32,13 +32,13 @@ Cmnd_Alias <%= a[:name].upcase %> = <%= a[:command_list].join(', ') %>
<% end -%>
<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
# This is not a comment; see sudoers(5) for more information on "#include" directives
<%= "#includedir #{node['authorization']['sudo']['prefix']}/sudoers.d" if @include_sudoers_d %>
<%= "#includedir #{@config_prefix}/sudoers.d" if @include_sudoers_d.to_s == 'true' %>

12
cookbooks/sudo/templates/mac_os_x/sudoers.erb
View File

@ -4,7 +4,7 @@
<% @sudoers_defaults.each do |defaults| -%>
Defaults <%= defaults %>
<% end -%>
<% if @agent_forwarding -%>
<% if @agent_forwarding.to_s == 'true' -%>
Defaults env_keep+=SSH_AUTH_SOCK
<% end -%>
@ -12,22 +12,22 @@ Defaults env_keep+=SSH_AUTH_SOCK
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
<% @sudoers_users.each do |user| -%>
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
<%= user %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
<% @custom_commands_users.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for user <%= commands[:user] %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
<%= commands[:user] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @custom_commands_groups.each do |commands| -%>
# Privileges for specific command <%= commands[:command_list].join(', ') %> for group <%= commands[:group] %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless] %> <%= commands[:command_list].join(', ') %>
%<%= commands[:group] %> ALL = <%= "NOPASSWD:" if commands[:passwordless].to_s == 'true' %> <%= commands[:command_list].join(', ') %>
<% end -%>
<% @sudoers_groups.each do |group| -%>
# Members of the group '<%= group %>' may gain root privileges
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless %><%= "SETENV:" if @setenv %>ALL
%<%= group %> ALL=(ALL) <%= "NOPASSWD:" if @passwordless.to_s == 'true' %><%= "SETENV:" if @setenv.to_s == 'true' %>ALL
<% end -%>
<%= "#includedir #{node['authorization']['sudo']['prefix']}/sudoers.d" if @include_sudoers_d %>
<%= "#includedir #{@config_prefix}/sudoers.d" if @include_sudoers_d.to_s == 'true' %>

23
cookbooks/users/CHANGELOG.md
View File

@ -2,6 +2,29 @@
This file is used to list changes made in each version of the users cookbook.
## 5.3.1 (2017-12-15)
- Remove special case for freebsd in favor of later shell validity check
## 5.3.0 (2017-12-07)
- Add check if user shell exists
- Verify the shell is allowed on AIX
- Add AIX as a supported platform
## 5.2.2 (2017-11-29)
- Add home directory base for solaris
## 5.2.1 (2017-10-31)
- Make sure ssh_keys can be an array or a string by converting strings to an array if they're passed
## 5.2.0 (2017-10-31)
- Require Chef 12.7+ as 12.5 and 12.6 had bugs in their custom resource implementation
- Allow fetching one or more ssh_keys from a url
## 5.1.0 (2017-05-30)
- Keep ssh keys out of the chef logs

5
cookbooks/users/README.md
View File

@ -20,10 +20,11 @@ The following platforms have been tested with Test Kitchen:
- openSUSE / SUSE Linux Enterprises
- FreeBSD / OpenBSD
- Mac OS X
- AIX
### Chef
- Chef 12.5+
- Chef 12.7+
### Cookbooks
@ -98,7 +99,7 @@ A sample user to remove from a system would like like:
- `id`: _String_ specifies the username, as well as the data bag object id.
- `password`: _String_ specifies the user's password.
- `ssh_keys`: _Array_ an array of authorized keys that will be managed by Chef to the user's home directory in .ssh/authorized_keys
- `ssh_keys`: _Array_ an array of authorized keys that will be managed by Chef to the user's home directory in `$HOME/.ssh/authorized_keys`. A key can include an `https` endpoint that returns a line seperated list of keys such as `https://github.com/$GITHUB_USERNAME.keys` this will retrieve all the keys and add it to the array and can be used with static keys as well as dynamic ones.
- `groups`: _Array_ an array of groups that the user will be added to
- `uid`: _Integer_ a unique identifier for the user
- `shell`: _String_ the user's shell

37
cookbooks/users/libraries/helpers.rb
View File

@ -19,6 +19,41 @@ module Users
fs_type(mount) == 'nfs' ? true : false
end
def keys_from_url(url)
host = url.split('/')[0..2].join('/')
path = url.split('/')[3..-1].join('/')
begin
response = Chef::HTTP.new(host).get(path)
response.split("\n")
rescue Net::HTTPServerException => e
p "request: #{host}#{path}, error: #{e}"
end
end
# Determines if the user's shell is valid on the machine, otherwise
# returns the default of /bin/sh
#
# @return [String]
def shell_is_valid?(shell_path)
return false if shell_path.nil? || !File.exist?(shell_path)
# AIX is the only OS that has the concept of 'approved shells'
return true unless platform_family?('aix')
begin
File.open('/etc/security/login.cfg') do |f|
f.each_line do |l|
l.match(/^\s*shells\s*=\s*(.*)/) do |m|
return true if m[1].split(/\s*,\s*/).any? { |entry| entry.eql? shell_path }
end
end
end
rescue
return false
end
false
end
# Validates passed id.
#
# @return [Numeric, String]
@ -33,6 +68,8 @@ module Users
def home_basedir
if platform_family?('mac_os_x')
'/Users'
elsif platform_family?('solaris2')
'/export/home'
else
'/home'
end

2
cookbooks/users/metadata.json
View File

File diff suppressed because one or more lines are too long

24
cookbooks/users/resources/manage.rb
View File

@ -40,11 +40,6 @@ action :create do
users_groups[g] << u['username']
end
# Check if we need to prepend shell with /usr/local/?
if platform_family? 'freebsd'
u['shell'] = (!::File.exist?(u['shell']) && ::File.exist?("/usr/local#{u['shell']}") ? "/usr/local#{u['shell']}" : '/bin/sh')
end
# Set home to location in data bag,
# or a reasonable default ($home_basedir/$user).
home_dir = (u['home'] ? u['home'] : "#{home_basedir}/#{u['username']}")
@ -70,7 +65,7 @@ action :create do
user u['username'] do
uid validate_id(u['uid'])
gid validate_id(u['gid']) if u['gid']
shell u['shell']
shell shell_is_valid?(u['shell']) ? u['shell'] : '/bin/sh'
comment u['comment']
password u['password'] if u['password']
salt u['salt'] if u['salt']
@ -91,6 +86,19 @@ action :create do
only_if { !!(u['ssh_keys'] || u['ssh_private_key'] || u['ssh_public_key']) }
end
# loop over the keys and if we have a URL we should add each key
# from the url response and append it to the list of keys
ssh_keys = []
if u['ssh_keys']
Array(u['ssh_keys']).each do |key|
if key.start_with?('https')
ssh_keys += keys_from_url(key)
else
ssh_keys << key
end
end
end
template "#{home_dir}/.ssh/authorized_keys" do
source 'authorized_keys.erb'
cookbook new_resource.cookbook
@ -98,7 +106,9 @@ action :create do
group validate_id(u['gid']) if u['gid']
mode '0600'
sensitive true
variables ssh_keys: u['ssh_keys']
# ssh_keys should be a combination of u['ssh_keys'] and any keys
# returned from a specified URL
variables ssh_keys: ssh_keys
only_if { !!(u['ssh_keys']) }
end