Idempotency of machine resource is broken due to v1 vs v0 differences in clients API #56

Closed
sersut opened this issue Aug 5, 2015 · 3 comments

sersut commented Aug 5, 2015

Idempotency of machine resource in chef-provisioning is broken when working against Hosted Chef due to the fact that v1 API now does not return public_key but the state comparison in cheffish checks for it.

Repro Steps:

  • Have any chef-provisioning recipe with a machine resource
  • Run it once with success.
  • Run it a second time and it will fail with "Since Server API v1, all keys must be updated via the keys endpoint."

Details:
The logic here will break when running against v1 API because (pry debug values from that point):

[2] pry(#<Chef::Provider::ChefClient>)> a = new_json
=> {"name"=>"chef-server-backend-1",
 "clientname"=>"chef-server-backend-1",
 "admin"=>false,
 "validator"=>false,
 "chef_type"=>"client",
 "orgname"=>"chef-infra",
 "public_key"=>
  "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA00gA2sz6/Ki3geC99K06\nAoHMThQTlIoop5TJAnKdG9SUzl2ENT8ZD5cV85hiVNjTLQxcBDPBLxn9rMKjSXKF\nhuOkTvoy/PLTKcGKtfmspEv9VsqKqMlrj0TOeYGL02HsaqJ4hTrjpC7AMT7GWPhK\n0JbL8U3gYU3UltZ+gIdIrB3qzvJLXdWqcRR2nb2tEHnOooGXNmVUNr4OTmhsZ+Pk\nL1LqUkHtwh2k2aqRyccjcZkALTXitINLxixEHQzkDIzr7goADrK/sxCJG+s84Dv0\ngBMhF9eBIGacL8Y/Swsgysc7EGBoK1Bxl5BRRGGZcEh5jpag1HUSCd8vUz8bPjIT\nZwIDAQAB\n-----END PUBLIC KEY-----\n"}
[4] pry(#<Chef::Provider::ChefClient>)> b = current_json
=> {"name"=>"chef-server-backend-1",
 "clientname"=>"chef-server-backend-1",
 "admin"=>false,
 "validator"=>false,
 "chef_type"=>"client",
 "orgname"=>"chef-infra"}
[5] pry(#<Chef::Provider::ChefClient>)>

Possible Fix:
Talking to @stevendanna, we need to either pin to v0 or update its calls to be compatible with v1.

Update would probably be to check if the new_json has any public_key and, if it does, call the /keys endpoint to obtain the current keys and compare them with the ones in current_json, and if there are any differences, call the /keys endpoint to update them.

Since this is somewhat complicated, pinning to v0 might be a temporary fix until we fix this the right hard way.
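
The comparison proposed in the post above, sketched as an added example (not code from cheffish, chef-provisioning or this thread): the client object is diffed without `public_key`, and the key is compared separately against whatever the keys endpoint returns. `plan_update`, `normalize_pem` and the `fetch_key` callable (a stand-in for a GET on the keys endpoint) are hypothetical names, and the key text is a constructed placeholder.

```ruby
# Added example; plan_update, normalize_pem and fetch_key are hypothetical
# names, not cheffish API.

# Compare PEM keys by content, ignoring line wrapping and trailing newlines.
def normalize_pem(pem)
  pem.to_s.gsub(/\s+/, "")
end

# new_json:     desired client object (may carry "public_key")
# current_json: what GET on the client returned (no "public_key" under v1)
# fetch_key:    callable standing in for a GET on the keys endpoint; returns
#               the current PEM string, or nil if the server holds no key
def plan_update(new_json, current_json, fetch_key)
  desired_key = new_json["public_key"]
  # Under v1 the key is never diffed or sent as part of the client object.
  new_attrs = new_json.reject { |k, _| k == "public_key" }
  cur_attrs = current_json.reject { |k, _| k == "public_key" }
  changed = new_attrs.reject { |k, v| cur_attrs[k] == v }

  plan = { client_put: changed.empty? ? nil : changed, key_action: :none }
  return plan if desired_key.nil?

  current_key = fetch_key.call(new_json["name"])
  if current_key.nil?
    plan[:key_action] = :create
  elsif normalize_pem(current_key) != normalize_pem(desired_key)
    plan[:key_action] = :update
  end
  plan
end

# Constructed sample data (placeholder key text, not a real key).
PEM = "-----BEGIN PUBLIC KEY-----\nAAAA\nBBBB\n-----END PUBLIC KEY-----\n"
DESIRED = { "name" => "chef-server-backend-1", "admin" => false,
            "validator" => false, "public_key" => PEM }
CURRENT_V1 = { "name" => "chef-server-backend-1", "admin" => false,
               "validator" => false }

# A whole-hash comparison reports drift on every run against a v1 response.
NAIVE_DRIFT = DESIRED != CURRENT_V1

SAME_KEY    = ->(_name) { PEM.strip }              # server already has the key
ROTATED_KEY = ->(_name) { PEM.sub("AAAA", "CCCC") } # server has a different key
NO_KEY      = ->(_name) { nil }

puts plan_update(DESIRED, CURRENT_V1, SAME_KEY).inspect
puts plan_update(DESIRED, CURRENT_V1, ROTATED_KEY).inspect
```

With the key held out of the object diff, a second run against an unchanged server produces an empty plan, while a changed key yields a separate key action instead of a PUT that the v1 API rejects.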

@sersut sersut changed the title Idempotency machine of machine resource is broken due to v1 vs v0 differences in clients API Idempotency of machine resource is broken due to v1 vs v0 differences in clients API Aug 5, 2015
tyler-ball added a commit that referenced this issue Aug 5, 2015
Pin chef server api version to 0, fixes #56
@poliva83

@sersut @tyler-ball I am getting 400 errors with a "Since Server API v1, all keys must be updated via the keys endpoint." response when trying to use the chef_user LWRP. This is on the second convergence; is this related to this issue or different?

[2015-10-16T01:06:59+00:00] DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_request
[2015-10-16T01:06:59+00:00] DEBUG: Initiating PUT to https://127.0.0.1/users/poliva
[2015-10-16T01:06:59+00:00] DEBUG: ---- HTTP Request Header Data: ----
[2015-10-16T01:06:59+00:00] DEBUG: Content-Type: application/json
[2015-10-16T01:06:59+00:00] DEBUG: Accept: application/json
[2015-10-16T01:06:59+00:00] DEBUG: Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-SIGN: algorithm=sha1;version=1.0;
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-USERID: pivotal
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-TIMESTAMP: 2015-10-16T01:06:59Z
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-CONTENT-HASH: 1eXesnFpZwYxcmMhHLOy1iRsLiU=
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-AUTHORIZATION-1: OHuaOaDJh8FLUUsQMPETH+ts925BEorocSHkieFPHAxoz6rgUVPxHfOmb6UW
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-AUTHORIZATION-2: 36oE6ZaKM9ReXDaFvOo+pT8vDKpxPuMbPWmPZMkJ36Lw6Sw/x1qFTZmDaToy
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-AUTHORIZATION-3: jyHaDlwx3OqlIURVYx88DT1jzlPQdxUs5iRpXxHWrQjPdyGW4yuhA+pcfJAQ
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-AUTHORIZATION-4: asofOLU7ms78MRRpM6SrxxMj9ntGOEYyUxFwb5aynMU3nXw2MpPTiE7Z4HMb
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-AUTHORIZATION-5: beoKkt2KdaZV1fUpNc5fkSedxFO8gapoZLVtvcz0ce1gnjLe49TmyFzZ3eKk
[2015-10-16T01:06:59+00:00] DEBUG: X-OPS-AUTHORIZATION-6: cURxNHW9l7bh6gAS30kzM18ufyzeElqfikmDM9trsA==
[2015-10-16T01:06:59+00:00] DEBUG: HOST: 127.0.0.1:443
[2015-10-16T01:06:59+00:00] DEBUG: X-Ops-Server-API-Version: 1
[2015-10-16T01:06:59+00:00] DEBUG: X-REMOTE-REQUEST-ID: 7358deb2-2ad2-477a-be9f-efdd81d984a6
[2015-10-16T01:06:59+00:00] DEBUG: Content-Length: 691
[2015-10-16T01:06:59+00:00] DEBUG: ---- End HTTP Request Header Data ----
[2015-10-16T01:06:59+00:00] DEBUG: ---- HTTP Status and Header Data: ----
[2015-10-16T01:06:59+00:00] DEBUG: HTTP 1.1 400 Bad Request
[2015-10-16T01:06:59+00:00] DEBUG: server: openresty/1.7.10.1
[2015-10-16T01:06:59+00:00] DEBUG: date: Fri, 16 Oct 2015 01:06:59 GMT
[2015-10-16T01:06:59+00:00] DEBUG: content-length: 83
[2015-10-16T01:06:59+00:00] DEBUG: connection: close
[2015-10-16T01:06:59+00:00] DEBUG: x-ops-server-api-version: {"min_version":"0","max_version":"1","request_version":"1","response_version":"1"}
[2015-10-16T01:06:59+00:00] DEBUG: x-ops-api-info: flavor=cs;version=12.0.0;oc_erchef=12.2.0
[2015-10-16T01:06:59+00:00] DEBUG: ---- End HTTP Status/Header Data ----
[2015-10-16T01:06:59+00:00] DEBUG: ---- HTTP Response Body ----
[2015-10-16T01:06:59+00:00] DEBUG: {"error":["Since Server API v1, all keys must be updated via the keys endpoint. "]}
[2015-10-16T01:06:59+00:00] DEBUG: ---- End HTTP Response Body -----
[2015-10-16T01:06:59+00:00] DEBUG: ---- HTTP Request Body ----
[2015-10-16T01:06:59+00:00] DEBUG: {"name":"poliva","username":"poliva","display_name":"Phil Oliva","admin":false,"json_class":"Chef::WebUIUser","chef_type":"webui_user","salt":null,"password":"passw0rd","openid":null,"email":"[email protected]","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6xnLYrNO+Kusf6OOpO0Y\nUs8+qof5TP5bOjO0v9x5IwI4pD/Fwd2ZzEi9uEmzAHN8aQXtFOBsNTvBla8Ysloc\ne5IVCdT+QQaJRyKv6NRnUcHpua04DSN87VAuTbCnoPglfPhHBJNE1Ikgn0qfYDCV\nfWD3dNOoNnHyVAm6mTJK6kqbmEwKcDtGd0AzgfUbCwMyK4XbRzwjkcCglOPIdmQ0\n/saoASGunCs2mij0sNB4JGxzbtFxKeHeyXMADkKVU3QdrdqNK0PmcLEHItJifmEy\nrphcGPzY+mxNtwhXjUEV/7QgRJj/m9O6KnfE8P5Iovfm5ff8GYxyHElHRPmq9TBr\nZQIDAQAB\n-----END PUBLIC KEY-----\n"}
[2015-10-16T01:06:59+00:00] DEBUG: ---- End HTTP Request Body ----
[2015-10-16T01:06:59+00:00] DEBUG: Chef::HTTP calling Chef::HTTP::RemoteRequestID#handle_response
[2015-10-16T01:06:59+00:00] DEBUG: Chef::HTTP calling Chef::HTTP::Authenticator#handle_response
[2015-10-16T01:06:59+00:00] DEBUG: Chef::HTTP calling Chef::HTTP::Decompressor#handle_response
[2015-10-16T01:06:59+00:00] DEBUG: Chef::HTTP calling Chef::HTTP::CookieManager#handle_response
[2015-10-16T01:06:59+00:00] DEBUG: Chef::HTTP calling Chef::HTTP::JSONOutput#handle_response
[2015-10-16T01:06:59+00:00] DEBUG: Expected JSON response, but got content-type ''
[2015-10-16T01:06:59+00:00] DEBUG: Chef::HTTP calling Chef::HTTP::JSONInput#handle_response
[2015-10-16T01:06:59+00:00] INFO: HTTP Request Returned 400 Bad Request: error


   ================================================================================
   Error executing action `create` on resource 'chef_user[poliva]'
   ================================================================================

   Net::HTTPServerException
   ------------------------
   400 "Bad Request"

   Resource Declaration:
   ---------------------
   # In /var/chef/cache/cookbooks/bb_chef_server_cluster/recipes/manage_rbac.rb

    40:   chef_user user do
    41:     display_name "#{values['display_name']}"
    42:     email "#{values['email']}"
    43:     password "#{values['password']}"
    44:     source_key "#{values['source_key']}"
    45:     chef_server url_root
    46:     action :nothing
    47:     not_if { values['source_key'].nil? }
    48:     subscribes :create, 'ruby_block[only modify rbac content on master backend]', :immediately
    49:   end
    50: end

   Compiled Resource:
   ------------------
   # Declared in /var/chef/cache/cookbooks/bb_chef_server_cluster/recipes/manage_rbac.rb:40:in `block in from_file'

   chef_user("poliva") do
     action [:nothing]
     retries 0
     retry_delay 2
     default_guard_interpreter :default
     chef_server {:chef_server_url=>"https://127.0.0.1:443", :options=>{:client_name=>"pivotal", :signing_key_filename=>"/etc/opscode/pivotal.pem"}}
     declared_type :chef_user
     cookbook_name "bb_chef_server_cluster"
     recipe_name "manage_rbac"
     display_name "Phil Oliva"
     email "[email protected]"
     password "passw0rd"
     source_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDrGctis074q6x/o46k7RhSzz6qh/lM/ls6M7S/3HkjAjikP8XB3ZnMSL24SbMAc3xpBe0U4Gw1O8GVrxiyWhx7khUJ1P5BBolHIq/o1GdRwem5rTgNI3ztUC5NsKeg+CV8+EcEk0TUiSCfSp9gMJV9YPd006g2cfJUCbqZMkrqSpuYTApwO0Z3QDOB9RsLAzIrhdtHPCORwKCU48h2ZDT+xqgBIa6cKzaaKPSw0HgkbHNu0XEp4d7JcwAOQpVTdB2t2o0rQ+ZwsQci0mJ+YTKumFwY/Nj6bE23CFeNQRX/tCBEmP+b07oqd8Tw/kii9+bl9/wZjHIcSUdE+ar1MGtl root@chef-ws-poliva-003"
     not_if { #code block }
   end

@tyler-ball
Contributor

Hey @poliva83 - what version of the ChefDK (or Chef and Cheffish) are you using and what version of Chef Server are you using?

@poliva83

@tyler-ball This was my fault. Since I was passing the chef_server attribute to chef_user, I have to explicitly set the API version to be v1 in the hash. I was using 12.2.0 chef-server, I believe, when I hit this.

@thommay thommay added Type: Bug Does not work as expected. and removed Bug labels Jan 24, 2017