Run chef with additional permissions

In order to install homebrew, the script needs to
be run as the current user, but it also requires
sudo rights to change the ownership of
/usr/local/bin amongst other things.

Chef is being run in a subprocess and as a result,
there’s no TTY associated with the shell. This
means Homebrew can’t ask for a password when it
runs sudo and the process fails.

This workaround temporarily grants the user the
right to run sudo commands without a password for
the duration of the chef run. It revokes them at
the end, even if chef fails.

There’s some discussion about this here:
sous-chefs/homebrew#105

lib/zz/commands/provision.rb

@@ -3,7 +3,11 @@ module Provision
     class << self
       def execute(args)
         Exec.install_chef unless Exec.chef_installed?
+
+        Exec.grant_permissions
         Exec.run_chef
+      ensure
+        Exec.revoke_permissions
       end
 
       def name

lib/zz/exec.rb

@@ -20,6 +20,20 @@ def chef_installed?
       def run_chef
         execute("chef-solo --config #{Path.chef_config}")
       end
+
+      def grant_permissions(u = ENV["USER"])
+        execute(
+          "echo '#{u} ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/#{u}"
+        )
+      end
+
+      def revoke_permissions(u = ENV["USER"])
+        execute("sudo rm -f /etc/sudoers.d/#{u}")
+      end
+
+      def homebrew_installed?
+        execute("which brew")
+      end
     end
   end
 end

lib/zz/path.rb

@@ -32,6 +32,14 @@ def chef_config
       def chef_installer
         "https://www.opscode.com/chef/install.sh"
       end
+
+      def homebrew_remote_installer
+        "https://raw.githubusercontent.com/Homebrew/install/master/install"
+      end
+
+      def homebrew_local_installer
+        to("tmp/hombrew_installer")
+      end
     end
   end
 end

spec/zz/commands/provision_spec.rb

@@ -19,10 +19,20 @@
     subject.execute([])
   end
 
-  it "runs chef" do
-    expect(ZZ::Exec).to receive(:run_chef)
+  it "grants permissions, then runs chef, then revokes permissions" do
+    expect(ZZ::Exec).to receive(:grant_permissions).ordered
+    expect(ZZ::Exec).to receive(:run_chef).ordered
+    expect(ZZ::Exec).to receive(:revoke_permissions).ordered
+
     subject.execute([])
   end
 
+  it "ensures permissions are revoked if something goes wrong" do
+    allow(ZZ::Exec).to receive(:run_chef).and_raise("test")
+    expect(ZZ::Exec).to receive(:revoke_permissions)
+
+    expect { subject.execute([]) }.to raise_error("test")
+  end
+
   pending "--list option the prints the run_list"
 end

spec/zz/exec_spec.rb

@@ -53,4 +53,36 @@
       subject.run_chef
     end
   end
+
+  describe ".grant_permissions" do
+    it "grants the permission to run sudo without a password" do
+      expect(subject).to receive(:execute)
+        .with("echo 'foo ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/foo")
+
+      subject.grant_permissions("foo")
+    end
+
+    it "defaults to the current user" do
+      allow(ENV).to receive(:[]).and_return("bar")
+
+      expect(subject).to receive(:execute)
+        .with("echo 'bar ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/bar")
+
+      subject.grant_permissions
+    end
+  end
+
+  describe ".revoke_permissions" do
+    it "revokes the permission to run sudo without a password" do
+      expect(subject).to receive(:execute).with("sudo rm -f /etc/sudoers.d/foo")
+      subject.revoke_permissions("foo")
+    end
+
+    it "defaults to the current user" do
+      allow(ENV).to receive(:[]).and_return("bar")
+
+      expect(subject).to receive(:execute).with("sudo rm -f /etc/sudoers.d/bar")
+      subject.revoke_permissions
+    end
+  end
 end