chef-apply 0.1.17 → 0.1.18

data/spec/integration/fixtures/chef_help.out

@@ -0,0 +1,69 @@
+Chef Run is a tool to execute ad-hoc tasks using Chef.
+
+chef-run <TARGET[S]> <RESOURCE> <RESOURCE_NAME> [PROPERTIES] [FLAGS]
+
+  Runs a single <RESOURCE> on the specified <TARGET[S]>.
+  [PROPERTIES] should be specified as key=value.
+
+  For example:
+
+    chef-run web01 service nginx action=restart
+    chef-run web01,web02 service nginx action=restart
+    chef-run web0[1:2] service nginx action=restart
+
+chef-run <TARGET[S]> <RECIPE> [FLAGS]
+
+  Runs a single recipe located at <RECIPE> on the specified <TARGET[S]>.
+
+  For example:
+
+    chef-run web01 path/to/cookbook/recipe.rb
+    chef-run web01,web02 path/to/cookbook
+    chef-run web0[1:2] cookbook_name
+    chef-run web01 cookbook_name::recipe_name
+
+ARGUMENTS:
+  <TARGET[S]>       The hosts or IPs to target. Can also be an SSH or WinRM URLs
+                    in the form:
+
+                    ssh://[USERNAME]@example.com[:PORT]
+  <RESOURCE>        A Chef resource, such as 'user' or 'package'
+  <RESOURCE_NAME>   The name, usually used to specify what 'thing' to set up with
+                    the resource. For example, given resource 'user', 'name' would be
+                    the name of the user you wanted to create.
+  <RECIPE>          The recipe to converge. This can be provided as one of:
+                    1. Full path to a recipe file
+                    2. Cookbook name. First we check the working directory for this
+                       cookbook, then we check in the chef repository path. If a
+                       cookbook is found we run the default recipe.
+                    3. This behaves similarly to 'cookbook name' above, but it also allows
+                       you to specify which recipe to use from the cookbook.
+
+FLAGS:
+    -c, --config PATH                  Location of config file. Default: $HOME/.chef-workstation/config.toml
+        --cookbook-repo-paths PATH     Comma separated list of cookbook repository paths.
+    -h, --help                         Show help and usage for `chef-run`
+    -i, --identity-file PATH           SSH identity file to use when connecting. Keys loaded into ssh-agent will also be used.
+        --[no-]install                 Install Chef client on the target host(s) if it is not installed.
+                                       This defaults to enabled - the installation will be performed
+                                       if there is no Chef client on the target(s).
+        --password <PASSWORD>          Password to use for authentication to the target(s). The same
+                                       password will be used for all targets.
+    -p, --protocol <PROTOCOL>          The protocol to use for connecting to targets.
+                                       The default is 'ssh', and it can be changed in config.toml by
+                                       setting 'connection.default_protocol' to a supported option.
+        --[no-]ssl                     Use SSL for WinRM. Current default: false
+        --[no-]ssl-verify              Verify peer certificate when using SSL for WinRM
+                                       Use --ssl-no-verify when using SSL for WinRM and
+                                       the remote host is using a self-signed certificate.
+                                       Current default: true
+        --[no-]sudo                    Whether to use root permissions on the target. Default: true
+        --sudo-command <COMMAND>       Command to use for administrative/root access. Defaults to 'sudo'.
+        --sudo-options 'OPTIONS...'    Options to use with the sudo command. If there are multiple flags,
+                                       quote them. For example: --sudo-options '-H -P -s'
+        --sudo-password <PASSWORD>     Password to use with the sudo command.  This must be provided if
+                                       password is required for sudo on the target(s). The same sudo password
+                                       will be used for all targets.
+        --user <USER>                  Username to use for authentication to the target(s). The same
+                                       username will be used for all targets.
+    -v, --version                      Show the current version of Chef Run.

data/spec/integration/fixtures/chef_version.out

@@ -0,0 +1 @@
+chef-run: $VERSION

data/spec/integration/spec_helper.rb

@@ -0,0 +1,55 @@
+#
+# Copyright:: Copyright (c) 2018 Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "chef_apply/startup"
+require "chef_apply/version"
+
+# Create the chef configuration directory and touch the config
+# file.
+# this makes sure our output doesn't include
+# an extra line telling us that it's created,
+# causing the first integration test to execute to fail on
+# CI.
+# TODO this is not ideal... let's look at
+# testing the output correctly in both cases,
+# possible forcing a specific test that will also create
+# the directory to run first.
+dir = File.join(Dir.home, ".chef-workstation")
+conf = File.join(dir, "config.toml")
+FileUtils.mkdir_p(dir) unless Dir.exist?(dir)
+FileUtils.touch(conf) unless File.exist?(conf)
+
+# Simple wrapper that runs the CLI and prevents it
+# from aborting all tests with a SystemExit.
+# We could shell out, but this will run a little faster as we
+# accumulate more things to test - and will work better to get
+# accurate simplecov coverage reporting.
+# usage:
+#   expect {run_with_cli("blah")}.to output("blah").to_stdout
+def run_cli_with(args)
+  ChefApply::Startup.new(args.split(" ")).run
+rescue SystemExit
+end
+
+def fixture_content(name)
+  content = File.read(File.join("spec/integration/fixtures", "#{name}.out"))
+  # Replace $VERSION if present - this is updated automatically, so we can't include
+  #                               the literal version value in the fixture without
+  #                               having expeditor update it there too...
+  content.gsub("$VERSION", ChefApply::VERSION).
+    gsub("$HOME", Dir.home)
+end

data/spec/spec_helper.rb

@@ -0,0 +1,114 @@
+#
+# Copyright:: Copyright (c) 2018 Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "bundler/setup"
+require "simplecov"
+require "rspec/expectations"
+require "support/matchers/output_to_terminal"
+
+RemoteExecResult = Struct.new(:exit_status, :stdout, :stderr)
+
+class ChefApply::MockReporter
+  def update(msg); ChefApply::UI::Terminal.output msg; end
+
+  def success(msg); ChefApply::UI::Terminal.output "SUCCESS: #{msg}"; end
+
+  def error(msg); ChefApply::UI::Terminal.output "FAILURE: #{msg}"; end
+end
+
+RSpec::Matchers.define :exit_with_code do |expected_code|
+  actual_code = nil
+  match do |block|
+    begin
+      block.call
+    rescue SystemExit => e
+      actual_code = e.status
+    end
+    actual_code && actual_code == expected_code
+  end
+
+  failure_message do |block|
+    result = actual.nil? ? " did not call exit" : " called exit(#{actual_code})"
+    "expected exit(#{expected_code}) but it #{result}."
+  end
+
+  failure_message_when_negated do |block|
+    "expected exit(#{expected_code}) but it did."
+  end
+
+  description do
+    "expect exit(#{expected_code})"
+  end
+
+  supports_block_expectations do
+    true
+  end
+end
+# TODO would read better to make this a custom matcher.
+# Simulates a recursive string lookup on the Text object
+#
+# assert_string_lookup("tree.tree.tree.leaf", "a returned string")
+# TODO this can be more cleanly expressed as a custom matcher...
+def assert_string_lookup(key, retval = "testvalue")
+  it "should look up string #{key}" do
+    top_level_method, *call_seq = key.split(".")
+    terminal_method = call_seq.pop
+    tmock = double()
+    # Because ordering is important
+    # (eg calling errors.hello is different from hello.errors),
+    # we need to add this individually instead of using
+    # `receive_messages`, which doesn't appear to give a way to
+    # guarantee ordering
+    expect(ChefApply::Text).to receive(top_level_method).
+      and_return(tmock)
+    call_seq.each do |m|
+      expect(tmock).to receive(m).ordered.and_return(tmock)
+    end
+    expect(tmock).to receive(terminal_method).
+      ordered.and_return(retval)
+    subject.call
+  end
+end
+
+RSpec.configure do |config|
+  # Enable flags like --only-failures and --next-failure
+  config.example_status_persistence_file_path = ".rspec_status"
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Disable RSpec exposing methods globally on `Module` and `main`
+  config.disable_monkey_patching!
+
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  config.before(:all) do
+    ChefApply::Log.setup "/dev/null", :error
+    ChefApply::UI::Terminal.init(File.open("/dev/null", "w"))
+  end
+end
+
+if ENV["CIRCLE_ARTIFACTS"]
+  dir = File.join(ENV["CIRCLE_ARTIFACTS"], "coverage")
+  SimpleCov.coverage_dir(dir)
+end
+SimpleCov.start

data/spec/support/matchers/output_to_terminal.rb

@@ -0,0 +1,36 @@
+require "rspec/matchers/built_in/output"
+require "chef_apply/ui/terminal"
+
+# Custom behavior for the builtin output matcher
+# to allow it to handle to_terminal, which integrates
+# with our UI::Terminal interface.
+module RSpec
+  module Matchers
+    module BuiltIn
+      class Output < BaseMatcher
+        # @api private
+        # Provides the implementation for `output`.
+        # Not intended to be instantiated directly.
+        def to_terminal
+          @stream_capturer = CaptureTerminal
+          self
+        end
+        module CaptureTerminal
+          def self.name
+            "terminal"
+          end
+
+          def self.capture(block)
+            captured_stream = StringIO.new
+            original_stream = ::ChefApply::UI::Terminal.location
+            ::ChefApply::UI::Terminal.location = captured_stream
+            block.call
+            captured_stream.string
+          ensure
+            ::ChefApply::UI::Terminal.location = original_stream
+          end
+        end
+      end
+    end
+  end
+end

data/spec/unit/action/base_spec.rb

@@ -0,0 +1,89 @@
+#
+# Copyright:: Copyright (c) 2018 Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "chef_apply/action/base"
+require "chef_apply/telemeter"
+require "chef_apply/target_host"
+
+RSpec.describe ChefApply::Action::Base do
+  let(:family) { "windows" }
+  let(:target_host) do
+    p = double("platform", family: family)
+    instance_double(ChefApply::TargetHost, platform: p)
+  end
+  let(:opts) do
+    { target_host: target_host,
+      other: "something-else" } end
+  subject(:action) { ChefApply::Action::Base.new(opts) }
+
+  context "#initialize" do
+    it "properly initializes exposed attr readers" do
+      expect(action.target_host).to eq target_host
+      expect(action.config).to eq({ other: "something-else" })
+    end
+  end
+
+  context "#run" do
+    it "runs the underlying action, capturing timing via telemetry" do
+      expect(ChefApply::Telemeter).to receive(:timed_action_capture).with(subject).and_yield
+      expect(action).to receive(:perform_action)
+      action.run
+    end
+
+    it "invokes an action handler when actions occur and a handler is provided" do
+      @run_action = nil
+      @args = nil
+      expect(ChefApply::Telemeter).to receive(:timed_action_capture).with(subject).and_yield
+      expect(action).to receive(:perform_action) { action.notify(:test_success, "some arg", "some other arg") }
+      action.run { |action, args| @run_action = action; @args = args }
+      expect(@run_action).to eq :test_success
+      expect(@args).to eq ["some arg", "some other arg"]
+    end
+  end
+
+  shared_examples "check path fetching" do
+    [:chef_client, :cache_path, :read_chef_report, :delete_chef_report, :tempdir, :mktemp, :delete_folder].each do |path|
+      it "correctly returns path #{path}" do
+        expect(action.send(path)).to be_a(String)
+      end
+    end
+  end
+
+  describe "when connecting to a windows target" do
+    include_examples "check path fetching"
+
+    it "correctly returns chef run string" do
+      expect(action.run_chef("a", "b", "c")).to eq(
+        "Set-Location -Path a; " \
+        "chef-client -z --config b --recipe-url c | Out-Null; " \
+        "Set-Location C:/; " \
+        "exit $LASTEXITCODE"
+      )
+    end
+  end
+
+  describe "when connecting to a non-windows target" do
+    let(:family) { "linux" }
+    include_examples "check path fetching"
+
+    it "correctly returns chef run string" do
+      expect(action.run_chef("a", "b", "c")).to eq("bash -c 'cd a; chef-client -z --config a/b --recipe-url a/c'")
+    end
+  end
+
+end

data/spec/unit/action/converge_target_spec.rb

@@ -0,0 +1,292 @@
+#
+# Copyright:: Copyright (c) 2018 Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "chef_apply/action/converge_target"
+require "chef_apply/target_host"
+require "chef_apply/errors/ccr_failure_mapper"
+require "chef_apply/temp_cookbook"
+
+RSpec.describe ChefApply::Action::ConvergeTarget do
+  let(:archive) { "archive.tgz" }
+  let(:target_host) do
+    p = double("platform", family: "windows")
+    instance_double(ChefApply::TargetHost, platform: p)
+  end
+  let(:local_policy_path) { "/local/policy/path/archive.tgz" }
+  let(:opts) { { target_host: target_host, local_policy_path: local_policy_path } }
+  subject(:action) { ChefApply::Action::ConvergeTarget.new(opts) }
+
+  describe "#create_remote_policy" do
+    let(:remote_folder) { "/tmp/foo" }
+    let(:remote_archive) { File.join(remote_folder, File.basename(archive)) }
+
+    before do
+    end
+
+    it "pushes it to the remote machine" do
+      expect(target_host).to receive(:upload_file).with(local_policy_path, remote_archive)
+      expect(subject.create_remote_policy(local_policy_path, remote_folder)).to eq(remote_archive)
+    end
+
+    it "raises an error if the upload fails" do
+      expect(target_host).to receive(:upload_file).with(local_policy_path, remote_archive).and_raise("foo")
+      err = ChefApply::Action::ConvergeTarget::PolicyUploadFailed
+      expect { subject.create_remote_policy(local_policy_path, remote_folder) }.to raise_error(err)
+    end
+  end
+
+  describe "#create_remote_config" do
+
+    @closed = false # tempfile close indicator
+    let(:remote_folder) { "/tmp/foo" }
+    let(:remote_config) { "#{remote_folder}/workstation.rb" }
+    # TODO - mock this, I think we're leaving things behind in /tmp in test runs.
+    let!(:local_tempfile) { Tempfile.new }
+
+    it "pushes it to the remote machine" do
+      expect(Tempfile).to receive(:new).and_return(local_tempfile)
+      expect(target_host).to receive(:upload_file).with(local_tempfile.path, remote_config)
+      expect(subject.create_remote_config(remote_folder)).to eq(remote_config)
+      # ensure the tempfile is deleted locally
+      expect(local_tempfile.closed?).to eq(true)
+    end
+
+    it "raises an error if the upload fails" do
+      expect(Tempfile).to receive(:new).and_return(local_tempfile)
+      expect(target_host).to receive(:upload_file).with(local_tempfile.path, remote_config).and_raise("foo")
+      err = ChefApply::Action::ConvergeTarget::ConfigUploadFailed
+      expect { subject.create_remote_config(remote_folder) }.to raise_error(err)
+      # ensure the tempfile is deleted locally
+      expect(local_tempfile.closed?).to eq(true)
+    end
+
+    describe "when data_collector is set in config" do
+      before do
+        ChefApply::Config.data_collector.url = "dc.url"
+        ChefApply::Config.data_collector.token = "dc.token"
+      end
+
+      after do
+        ChefApply::Config.reset
+      end
+
+      it "creates a config file with data collector config values" do
+        expect(Tempfile).to receive(:new).and_return(local_tempfile)
+        expect(local_tempfile).to receive(:write).with(<<~EOM
+          local_mode true
+          color false
+          cache_path "\#{ENV['APPDATA']}/chef-workstation"
+          chef_repo_path "\#{ENV['APPDATA']}/chef-workstation"
+          require_relative "reporter"
+          reporter = ChefApply::Reporter.new
+          report_handlers << reporter
+          exception_handlers << reporter
+          data_collector.server_url "dc.url"
+          data_collector.token "dc.token"
+          data_collector.mode :solo
+          data_collector.organization "Chef Workstation"
+        EOM
+        )
+        expect(target_host).to receive(:upload_file).with(local_tempfile.path, remote_config)
+        expect(subject.create_remote_config(remote_folder)).to eq(remote_config)
+      # ensure the tempfile is deleted locally
+        expect(local_tempfile.closed?).to eq(true)
+      end
+    end
+
+    describe "when data_collector is not set" do
+      before do
+        ChefApply::Config.data_collector.url = nil
+        ChefApply::Config.data_collector.token = nil
+      end
+
+      it "creates a config file without data collector config values" do
+        expect(Tempfile).to receive(:new).and_return(local_tempfile)
+        expect(local_tempfile).to receive(:write).with(<<~EOM
+          local_mode true
+          color false
+          cache_path "\#{ENV['APPDATA']}/chef-workstation"
+          chef_repo_path "\#{ENV['APPDATA']}/chef-workstation"
+          require_relative "reporter"
+          reporter = ChefApply::Reporter.new
+          report_handlers << reporter
+          exception_handlers << reporter
+        EOM
+        )
+        expect(target_host).to receive(:upload_file).with(local_tempfile.path, remote_config)
+        expect(subject.create_remote_config(remote_folder)).to eq(remote_config)
+        # ensure the tempfile is deleted locally
+        expect(local_tempfile.closed?).to eq(true)
+      end
+    end
+  end
+
+  describe "#create_remote_handler" do
+    let(:remote_folder) { "/tmp/foo" }
+    let(:remote_reporter) { "#{remote_folder}/reporter.rb" }
+    let!(:local_tempfile) { Tempfile.new }
+
+    it "pushes it to the remote machine" do
+      expect(Tempfile).to receive(:new).and_return(local_tempfile)
+      expect(target_host).to receive(:upload_file).with(local_tempfile.path, remote_reporter)
+      expect(subject.create_remote_handler(remote_folder)).to eq(remote_reporter)
+      # ensure the tempfile is deleted locally
+      expect(local_tempfile.closed?).to eq(true)
+    end
+
+    it "raises an error if the upload fails" do
+      expect(Tempfile).to receive(:new).and_return(local_tempfile)
+      expect(target_host).to receive(:upload_file).with(local_tempfile.path, remote_reporter).and_raise("foo")
+      err = ChefApply::Action::ConvergeTarget::HandlerUploadFailed
+      expect { subject.create_remote_handler(remote_folder) }.to raise_error(err)
+      # ensure the tempfile is deleted locally
+      expect(local_tempfile.closed?).to eq(true)
+    end
+  end
+
+  describe "#upload_trusted_certs" do
+    let(:remote_folder) { "/tmp/foo" }
+    let(:remote_tcd) { File.join(remote_folder, "trusted_certs") }
+    let(:tmpdir) { Dir.mktmpdir }
+    let(:certs_dir) { File.join(tmpdir, "weird/glob/chars[/") }
+
+    before do
+      ChefApply::Config.chef.trusted_certs_dir = certs_dir
+      FileUtils.mkdir_p(certs_dir)
+    end
+
+    after do
+      ChefApply::Config.reset
+      FileUtils.remove_entry tmpdir
+    end
+
+    context "when there are local certificates" do
+      let!(:cert1) { FileUtils.touch(File.join(certs_dir, "1.crt"))[0] }
+      let!(:cert2) { FileUtils.touch(File.join(certs_dir, "2.pem"))[0] }
+
+      it "uploads the local certs" do
+        expect(target_host).to receive(:run_command).with("#{subject.mkdir} #{remote_tcd}", true)
+        expect(target_host).to receive(:upload_file).with(cert1, File.join(remote_tcd, File.basename(cert1)))
+        expect(target_host).to receive(:upload_file).with(cert2, File.join(remote_tcd, File.basename(cert2)))
+        subject.upload_trusted_certs(remote_folder)
+      end
+    end
+
+    context "when there are no local certificates" do
+      it "does not upload any certs" do
+        expect(target_host).to_not receive(:run_command)
+        expect(target_host).to_not receive(:upload_file)
+        subject.upload_trusted_certs(remote_folder)
+      end
+    end
+
+  end
+
+  describe "#perform_action" do
+    let(:remote_folder) { "/tmp/foo" }
+    let(:remote_archive) { File.join(remote_folder, File.basename(archive)) }
+    let(:remote_config) { "#{remote_folder}/workstation.rb" }
+    let(:remote_handler) { "#{remote_folder}/reporter.rb" }
+    let(:tmpdir) { double("tmpdir", exit_status: 0, stdout: remote_folder) }
+    before do
+      expect(target_host).to receive(:run_command!).with(subject.mktemp, true).and_return(tmpdir)
+    end
+    let(:result) { double("command result", exit_status: 0, stdout: "") }
+
+    it "runs the converge and reports back success" do
+      expect(action).to receive(:create_remote_policy).with(local_policy_path, remote_folder).and_return(remote_archive)
+      expect(action).to receive(:create_remote_config).with(remote_folder).and_return(remote_config)
+      expect(action).to receive(:create_remote_handler).with(remote_folder).and_return(remote_handler)
+      expect(action).to receive(:upload_trusted_certs).with(remote_folder)
+      expect(target_host).to receive(:run_command).with(/chef-client.+#{archive}/).and_return(result)
+      expect(target_host).to receive(:run_command!)
+        .with("#{subject.delete_folder} #{remote_folder}")
+        .and_return(result)
+      [:running_chef, :success].each do |n|
+        expect(action).to receive(:notify).with(n)
+      end
+      subject.perform_action
+    end
+
+    context "when chef schedules restart" do
+      let(:result) { double("command result", exit_status: 35) }
+
+      it "runs the converge and reports back reboot" do
+        expect(action).to receive(:create_remote_policy).with(local_policy_path, remote_folder).and_return(remote_archive)
+        expect(action).to receive(:create_remote_config).with(remote_folder).and_return(remote_config)
+        expect(action).to receive(:create_remote_handler).with(remote_folder).and_return(remote_handler)
+        expect(action).to receive(:upload_trusted_certs).with(remote_folder)
+        expect(target_host).to receive(:run_command).with(/chef-client.+#{archive}/).and_return(result)
+        expect(target_host).to receive(:run_command!)
+          .with("#{subject.delete_folder} #{remote_folder}")
+          .and_return(result)
+        [:running_chef, :reboot].each do |n|
+          expect(action).to receive(:notify).with(n)
+        end
+        subject.perform_action
+      end
+    end
+
+    context "when command fails" do
+      let(:result) { double("command result", exit_status: 1, stdout: "", stderr: "") }
+      let(:report_result) { double("report result", exit_status: 0, stdout: '{ "exception": "thing" }') }
+      let(:exception_mapper) { double("mapper") }
+      before do
+        expect(ChefApply::Errors::CCRFailureMapper).to receive(:new).
+          and_return exception_mapper
+      end
+
+      it "reports back failure and reads the remote report" do
+        expect(action).to receive(:create_remote_policy).with(local_policy_path, remote_folder).and_return(remote_archive)
+        expect(action).to receive(:create_remote_config).with(remote_folder).and_return(remote_config)
+        expect(action).to receive(:create_remote_handler).with(remote_folder).and_return(remote_handler)
+        expect(action).to receive(:upload_trusted_certs).with(remote_folder)
+        expect(target_host).to receive(:run_command).with(/chef-client.+#{archive}/).and_return(result)
+        expect(target_host).to receive(:run_command!)
+          .with("#{subject.delete_folder} #{remote_folder}")
+        [:running_chef, :converge_error].each do |n|
+          expect(action).to receive(:notify).with(n)
+        end
+        expect(target_host).to receive(:run_command).with(subject.read_chef_report).and_return(report_result)
+        expect(target_host).to receive(:run_command!).with(subject.delete_chef_report)
+        expect(exception_mapper).to receive(:raise_mapped_exception!)
+        subject.perform_action
+      end
+
+      context "when remote report cannot be read" do
+        let(:report_result) { double("report result", exit_status: 1, stdout: "", stderr: "") }
+        it "reports back failure" do
+          expect(action).to receive(:create_remote_policy).with(local_policy_path, remote_folder).and_return(remote_archive)
+          expect(action).to receive(:create_remote_config).with(remote_folder).and_return(remote_config)
+          expect(action).to receive(:create_remote_handler).with(remote_folder).and_return(remote_handler)
+          expect(action).to receive(:upload_trusted_certs).with(remote_folder)
+          expect(target_host).to receive(:run_command).with(/chef-client.+#{archive}/).and_return(result)
+          expect(target_host).to receive(:run_command!)
+            .with("#{subject.delete_folder} #{remote_folder}")
+          [:running_chef, :converge_error].each do |n|
+            expect(action).to receive(:notify).with(n)
+          end
+          expect(target_host).to receive(:run_command).with(subject.read_chef_report).and_return(report_result)
+          expect(exception_mapper).to receive(:raise_mapped_exception!)
+          subject.perform_action
+        end
+      end
+    end
+  end
+
+end