authorLuke Kanies <luke@puppetlabs.com>2010-06-11 11:14:29 -0700
committertest branch <puppet-dev@googlegroups.com>2010-02-17 06:50:53 -0800
commitbe7112aff784cec1490af9d809c4950b940287cb (patch)
tree87824d93ee42c1cb6e3502841cdc3906e1220cee /lib/puppet/transaction
parent986298b270f0a489ccec55b73949cd907e9d445e (diff)
Fixing #3139 - all properties can now be audited
This provides a full audit trail for any parameter on any resource Puppet can manage. Just use: file { "/my/file": audit => [content, owner] } And Puppet will generate an event any time either of those properties change. This commit also deprecates the 'check' parameter in favor of a new 'audit' parameter. Signed-off-by: Luke Kanies <luke@puppetlabs.com>
Diffstat (limited to 'lib/puppet/transaction')
-rw-r--r--lib/puppet/transaction/change.rb16
-rw-r--r--lib/puppet/transaction/event.rb2
-rw-r--r--lib/puppet/transaction/resource_harness.rb31
3 files changed, 45 insertions, 4 deletions
diff --git a/lib/puppet/transaction/change.rb b/lib/puppet/transaction/change.rb
index 6ecb93c37..605457a21 100644
--- a/lib/puppet/transaction/change.rb
+++ b/lib/puppet/transaction/change.rb
@@ -4,7 +4,11 @@ require 'puppet/transaction/event'
# Handle all of the work around performing an actual change,
# including calling 'sync' on the properties and producing events.
class Puppet::Transaction::Change
- attr_accessor :is, :should, :property, :proxy
+ attr_accessor :is, :should, :property, :proxy, :auditing
+
+ def auditing?
+ auditing
+ end
# Create our event object.
def event
@@ -24,6 +28,7 @@ class Puppet::Transaction::Change
end
def apply
+ return audit_event if auditing?
return noop_event if noop?
property.sync
@@ -63,6 +68,15 @@ class Puppet::Transaction::Change
private
+ def audit_event
+ # This needs to store the appropriate value, and then produce a new event
+ result = event
+ result.message = "audit change: previously recorded value #{property.should_to_s(should)} has been changed to #{property.is_to_s(is)}"
+ result.status = "audit"
+ result.send_log
+ return result
+ end
+
def noop_event
result = event
result.message = "is #{property.is_to_s(is)}, should be #{property.should_to_s(should)} (noop)"
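Review bot: The message built in audit_event writes both the previously recorded value and the current value of the audited property into the event and, through `send_log`, into the log; now that any property can be audited, that can include values that do not belong in logs or reports, such as a password hash on a user resource. Whether `should_to_s`/`is_to_s` redact anything is not visible in this hunk, so this needs checking for properties that hold secrets; the same concern applies to the `resource.notice "Storing newly-audited value ..."` line added to copy_audited_parameters in resource_harness.rb. Separately, the comment on the first line of the method says it stores the value, but nothing is stored here; the cache write is in ResourceHarness#apply_changes, so I would reword it to `# Build and log an "audit" event; the new baseline is cached by ResourceHarness#apply_changes.` noop_event's body continues past the end of the hunk.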
diff --git a/lib/puppet/transaction/event.rb b/lib/puppet/transaction/event.rb
index b962149cf..bc589fe84 100644
--- a/lib/puppet/transaction/event.rb
+++ b/lib/puppet/transaction/event.rb
@@ -13,7 +13,7 @@ class Puppet::Transaction::Event
attr_accessor :time
attr_reader :default_log_level
- EVENT_STATUSES = %w{noop success failure}
+ EVENT_STATUSES = %w{noop success failure audit}
def initialize(*args)
options = args.last.is_a?(Hash) ? args.pop : ATTRIBUTES.inject({}) { |hash, attr| hash[attr] = args.pop; hash }
diff --git a/lib/puppet/transaction/resource_harness.rb b/lib/puppet/transaction/resource_harness.rb
index 17e8dfa79..ae38bcb66 100644
--- a/lib/puppet/transaction/resource_harness.rb
+++ b/lib/puppet/transaction/resource_harness.rb
@@ -19,6 +19,10 @@ class Puppet::Transaction::ResourceHarness
def apply_changes(status, changes)
changes.each do |change|
status << change.apply
+
+ if change.auditing?
+ cache(change.property.resource, change.property.name, change.is)
+ end
end
status.changed = true
end
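Review bot: `status.changed = true` still runs after the loop when every entry in `changes` was audit-only, so a resource that Puppet only observed is reported as changed even though nothing was synced. If reports or downstream logic distinguish recorded drift from applied changes (not visible here), set the flag only for real changes, e.g. `status.changed = true if changes.any? { |c| !c.auditing? }`; note that this would also leave the flag unset for an empty list. Also, the baseline is overwritten with `change.is` immediately after the event, so each drift is reported once and the store behind `cache` is the only reference the audit has. Its location and permissions deserve a comment here, since whoever can write to it can change what the audit compares against.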
@@ -40,6 +44,8 @@ class Puppet::Transaction::ResourceHarness
return [] if ! allow_changes?(resource)
+ audited = copy_audited_parameters(resource, current)
+
if param = resource.parameter(:ensure)
return [] if absent_and_not_being_created?(current, param)
return [Puppet::Transaction::Change.new(param, current[:ensure])] unless ensure_is_insync?(current, param)
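Review bot: The new call to copy_audited_parameters sits above the `ensure` early returns, but it is not a pure lookup: it assigns `resource[param]`, writes the cache and logs a notice. On the paths that return `[]` or only the ensure change, `audited` is never used, yet a first-run baseline has already been stored from `current`, which for an absent resource may not be a meaningful value (inferred; `current` is built outside this hunk). Either move the call down to just before the `resource.properties` chain or add a comment such as `# NOTE: mutates resource and the cache even when we return early below`. The enclosing method starts and ends outside this hunk.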
@@ -47,12 +53,33 @@ class Puppet::Transaction::ResourceHarness
end
resource.properties.reject { |p| p.name == :ensure }.reject do |param|
- param.should.nil?
+ param.should.nil?
end.reject do |param|
param_is_insync?(current, param)
end.collect do |param|
- Puppet::Transaction::Change.new(param, current[param.name])
+ change = Puppet::Transaction::Change.new(param, current[param.name])
+ change.auditing = true if audited.include?(param.name)
+ change
+ end
+ end
+
+ def copy_audited_parameters(resource, current)
+ return [] unless audit = resource[:audit]
+ audit = Array(audit).collect { |p| p.to_sym }
+ audited = []
+ audit.find_all do |param|
+ next if resource[param]
+
+ if value = cached(resource, param)
+ resource[param] = value
+ audited << param
+ else
+ resource.notice "Storing newly-audited value #{current[param]} for #{param}"
+ cache(resource, param, current[param])
+ end
end
+
+ audited
end
def evaluate(resource)
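Review bot: `if value = cached(resource, param)` in copy_audited_parameters treats a stored `false` the same as no stored value, so a property whose recorded baseline is false is re-stored on every run and never audited. Assuming `cached` returns nil for a missing entry (its definition is not in this diff), assign first with `value = cached(resource, param)` and then branch on `if !value.nil?`. The loop is written as `audit.find_all`, but its result is discarded and the block's value is incidental, so `audit.each do |param|` states the intent. The names taken from `resource[:audit]` also go through `to_sym` and `resource[param]` without a check that they are properties of the resource type; if that is not validated where the `audit` parameter is defined, a mistyped name could end up cached as a baseline.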