#
# Cookbook Name:: sys
# File:: providers/wallet.rb
#
# Copyright 2015-2019 GSI Helmholtzzentrum fuer Schwerionenforschung GmbH
#
# Authors:
#  Christopher Huhn   <C.Huhn@gsi.de>
#  Dennis Klein       <d.klein@gsi.de>
#  Matthias Pausch    <m.pausch@gsi.de>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

require 'etc'
require 'open3'

# Chef LWRP provider directive: the resources declared inside the action
# block below (bash, file, log) are converged inline as part of this provider.
use_inline_resources

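# Deploy a keytab for new_resource.principal to new_resource.place via wallet.
#
# Step 1 fetches the keytab only when the target file is missing or does not
# yet contain a key for the principal; step 2 enforces mode/owner/group.
#
# Security-relevant changes compared with the previous shell snippet:
# * resource attributes are handed to the script through the environment
#   instead of being interpolated into the bash code, so a principal or path
#   containing shell metacharacters can never be parsed by the shell;
# * the temporary keytab lives in a private directory from `mktemp -d`
#   (mode 0700), not at a `mktemp --dry-run` name in a shared /tmp that any
#   local user could pre-create or symlink before wallet writes to it;
# * `umask 077` keeps a newly created target file owner-only until the file
#   resource below applies the requested permissions;
# * the host ticket goes into a private credential cache (KRB5CCNAME) so the
#   caller's default cache is neither clobbered by kinit nor wiped by kdestroy;
# * the script now exits with the status of the fetch: a failed kinit/wallet
#   fails the resource instead of being silently swallowed (the old script's
#   exit status was that of the trailing kdestroy) and leaving the file
#   resource below to create an empty keytab at new_resource.place.
action :deploy do
  keytab_present = ::File.exist?(new_resource.place) && check_keytab

  unless keytab_present
    if check_krb5
      realm = node['sys']['krb5']['realm'].upcase
      bash "deploy #{new_resource.principal}" do
        cwd '/'
        environment(
          'WALLET_PRINCIPAL' => "#{new_resource.principal}@#{realm}",
          'WALLET_PLACE'     => new_resource.place,
          'HOST_PRINCIPAL'   => "host/#{node['fqdn']}"
        )
        code <<-EOH
          umask 077
          # Private scratch directory: the keytab file inside it must not
          # pre-exist (wallet would merge into an existing keytab), and the
          # 0700 directory closes the race that a bare --dry-run name left open.
          SCRATCH=$(mktemp -d) || exit 1
          trap 'rm -rf "$SCRATCH"' EXIT
          TMPFILE="$SCRATCH/keytab"
          export KRB5CCNAME="FILE:$SCRATCH/ccache"

          kinit -t /etc/krb5.keytab "$HOST_PRINCIPAL" || exit 1
          wallet get keytab "$WALLET_PRINCIPAL" -f "$TMPFILE"
          ret=$?
          if [ "$ret" = 0 ]; then
              # in contrast to mv, cat follows a symlink at the destination
              cat "$TMPFILE" > "$WALLET_PLACE" || ret=$?
          fi
          kdestroy
          exit "$ret"
        EOH
      end
      new_resource.updated_by_last_action(true)
    else
      log 'no-keytab' do
        level :warn
        message "Unable to deploy #{new_resource.principal}: "\
                'Kerberos not installed or /etc/krb5.keytab missing.'
      end
    end
  end

  # Step 2: ownership and permissions of the deployed keytab.
  unless check_stat
    file new_resource.place do
      mode new_resource.mode
      owner new_resource.owner
      group new_resource.group
    end
    new_resource.updated_by_last_action(true)
  end
end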

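# Does the keytab at new_resource.place already hold a key for
# new_resource.principal?
#
# ktutil is run without a shell (argument vector), so a principal or path
# containing shell metacharacters cannot alter the command. The principal is
# matched as a whole whitespace-separated token, either "name" or "name@REALM";
# the previous unanchored `grep -q principal` treated the principal as a
# regular expression and also reported a match for any longer principal that
# merely contained it (e.g. "host/foo" matched "host/foo.bar"), so the real
# keytab was never fetched in that case.
#
# @return [Boolean] false when ktutil is missing, exits non-zero, or lists no
#   key for the principal
def check_keytab
  cmd = Mixlib::ShellOut.new('ktutil', '-k', new_resource.place, 'list', '--keys')
  cmd.run_command
  return false unless cmd.exitstatus == 0

  wanted = new_resource.principal.to_s
  cmd.stdout.each_line.any? do |line|
    line.split.any? { |token| token == wanted || token.start_with?("#{wanted}@") }
  end
rescue Errno::ENOENT
  # ktutil not installed: same answer the shell-based check gave (exit 127).
  false
end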

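# Do the permission bits of +stat+ match new_resource.mode?
#
# Only the lower nine bits (rwx for owner/group/other) are compared, as the
# original three-digit string comparison did, and the entry must be a regular
# file (the "100" prefix that comparison required).
#
# new_resource.mode may be an octal String such as "0600" or "600", or an
# Integer such as 0600; the original String-only slicing did not handle
# Integers.
#
# @param stat [File::Stat]
# @return [Boolean]
def check_mode(stat)
  wanted = new_resource.mode
  wanted = wanted.to_s.oct unless wanted.is_a?(Integer)
  stat.file? && (stat.mode & 0o777) == (wanted & 0o777)
end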

# Is the file described by +stat+ owned by the user named in
# new_resource.owner? Names are compared, not uids, so the owner attribute
# must be a user name.
#
# @param stat [File::Stat]
# @return [Boolean]
def check_owner(stat)
  owner_name = Etc.getpwuid(stat.uid).name
  owner_name == new_resource.owner
end

# Is the file described by +stat+ owned by the group named in
# new_resource.group? Names are compared, not gids, so the group attribute
# must be a group name.
#
# @param stat [File::Stat]
# @return [Boolean]
def check_group(stat)
  group_name = Etc.getgrgid(stat.gid).name
  group_name == new_resource.group
end

# Does new_resource.place exist with the requested mode, owner and group?
#
# A missing file is reported as false; otherwise all three of check_mode,
# check_owner and check_group must pass for the same stat.
#
# @return [Boolean]
def check_stat
  return false unless ::File.exist?(new_resource.place)

  st = ::File.stat(new_resource.place)
  check_mode(st) && check_owner(st) && check_group(st)
end

# Are the host keytab and the kinit binary present?
#
# Only existence is tested: /etc/krb5.keytab is not checked for a usable
# host key, and the wallet and ktutil binaries the deploy action also needs
# are not checked here.
#
# @return [Boolean]
def check_krb5
  %w[/etc/krb5.keytab /usr/bin/kinit].all? { |path| ::File.exist?(path) }
end