feat: add chefignore matcher and ACL ACE-merge helpers#35
Merged
Conversation
Relocate two pieces of Chef-domain logic that previously lived (duplicated)
in cinc-cli into this library, which owns the Chef API object model and
Chef-format helpers.
chefignore: new canonical `Chefignore` type with `LoadChefignore(dir)` and
`(*Chefignore).Ignores(relpath)`. It reconciles cinc-cli's two copies — the
cookbook archive copy (path.Match against full path, basename, and ancestor
directories) and the policyfile resolver copy (a File.fnmatch translation).
The former is a superset of the latter for the patterns cookbooks use in
practice, so it preserves the resolver's content-identifier behavior while
also giving cookbook packaging whole-subtree exclusion for bare directory
names like `.kitchen`.
Behavior change: `LocalCookbookFromDir` now honors a cookbook's chefignore
and excludes ignored files from the upload set. Previously it uploaded every
file under the directory — a real bug — so an uploaded cookbook now matches
what knife would send. Covered by TestLocalCookbookFromDir_ExcludesChefignored.
ACL merge: `ACL.ACEFor(perm)`, `ACE.AddMembers`/`RemoveMembers` (dedupe-add /
remove, reporting change), and `ExpandPerm("all")` move the grant/revoke
read-modify-write core into the library, alongside the existing ACL types.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
5 tasks
tas50
added a commit
to tas50/cinc-cli
that referenced
this pull request
Jun 27, 2026
Honor the architecture seam: cinc-api owns the Chef API object model and Chef-domain/format helpers; cinc-cli owns cobra and presentation. Two pieces of Chef-domain logic that lived (duplicated) here now live in cinc-api (github.com/tas50/cinc-api#35, released as v0.11.0) and are consumed instead. chefignore: delete the two duplicate copies — cli/cookbook/chefignore.go and cli/policyfile/resolver/chefignore.go — and route the cookbook archive/build path and the policyfile resolver's identifier computation through cinc's canonical Chefignore (LoadChefignore / Ignores). The canonical matcher keeps the cookbook copy's full-path/basename/ancestor-directory semantics, which is a superset of the resolver's old File.fnmatch copy for the patterns cookbooks use, so the resolver's content identifiers — and thus the golden Policyfile locks — stay byte-identical. acl: replace acl.go's aclPerms/aclPermsFor/aclACE/aclApply internals with the cinc-api methods ExpandPerm, ACL.ACEFor, and ACE.AddMembers/RemoveMembers. The cobra flags (--user/--client/--group), messages, and friendly no-op output are unchanged. Requires cinc-api >= v0.11.0 (pinned). Note: with the cinc-api fix, LocalCookbookFromDir now excludes chefignored files from uploads. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Relocate two pieces of Chef-domain logic that previously lived duplicated in cinc-cli into this library, which owns the Chef API object model and Chef-format helpers. The companion cinc-cli PR deletes the duplicates and consumes these.
chefignore (new
chefignore.go)A single canonical
Chefignoretype:LoadChefignore(cookbookDir) (*Chefignore, error)— reads the cookbook'schefignore(missing file ignores nothing).(*Chefignore).Ignores(relpath) bool— knife-style matching against the full path, the basename, and every ancestor directory + basename.(*Chefignore).Patterns()— the parsed globs.Reconciliation decision. cinc-cli had two copies with different matching:
cli/cookbook/chefignore.go—path.Matchagainst full path / basename / ancestor dirs.cli/policyfile/resolver/chefignore.go— aFile.fnmatch-with-default-flags translation, matching only the full relative path.I kept the cookbook copy's semantics as canonical because it is a superset of the resolver copy for the patterns cookbooks actually use (
*.bak,*.tmp,spec/*, bare directory names). It preserves the resolver's Policyfile content-identifier output byte-identical (the resolver's golden-lock tests stay green), and it additionally gives cookbook packaging whole-subtree exclusion for a bare directory pattern like.kitchen(which a strictFile.fnmatchwould not exclude). The only behavioral difference between the two copies — a bare directory name excluding its descendants — does not affect any identifier golden because the resolver's own file walk already skips top-level dot-directories.Behavior change (bug fix): cookbook upload honors chefignore
LocalCookbookFromDirnow loads the cookbook's chefignore and excludes ignored files from the upload set (pruning ignored subtrees so their files are never read). Previously it uploaded every file under the directory, so an uploaded cookbook now matches what knife would send. Covered byTestLocalCookbookFromDir_ExcludesChefignored.ACL ACE merge (
acls.go)The grant/revoke read-modify-write core, alongside the existing
ACL/ACEtypes:ACL.ACEFor(perm)— pointer to the ACE field for one permission.ACE.AddMembers(actors, groups)/RemoveMembers(...)— dedupe-add / remove, reporting whether the ACE changed.ExpandPerm("all")→ the five standard permissions; a single valid perm → itself; otherwise an error.Test plan
gofmt -l .cleango vet ./...cleango test ./...passing (new tests: chefignore matcher + parse + reconciled directory-segment cases; ACLExpandPerm/ACEFor/AddMembers/RemoveMembers;LocalCookbookFromDirchefignore exclusion)🤖 Generated with Claude Code