chef 10.34.6 → 11.0.0.beta.0

data/spec/support/shared/functional/securable_resource.rb

@@ -24,162 +24,186 @@
 require 'etc'
 
 shared_context "setup correct permissions" do
-  context "on unix", :unix_only do
-    context "with root", :requires_root do
-      before :each do
-        File.chown(Etc.getpwnam('nobody').uid, 1337, path)
-        File.chmod(0776, path)
-        now = Time.now.to_i
-        File.utime(now - 9000, now - 9000, path)
-      end
-    end
 
-    context "without root", :requires_unprivileged_user do
-      before :each do
-        File.chmod(0776, path)
-        now = Time.now.to_i
-        File.utime(now - 9000, now - 9000, path)
-      end
-    end
+  # I could not get this to work with :requires_unprivileged_user for whatever
+  # reason. The setup when running as root is the same as non-root, except we
+  # also do a chown, so this sets up correct context for either case.
+  before :each, :unix_only do
+    File.chmod(0776, path)
+    now = Time.now.to_i
+    File.utime(now - 9000, now - 9000, path)
+  end
+
+  # Root only context.
+  before :each, :unix_only, :requires_root do
+    File.chown(Etc.getpwnam('nobody').uid, 1337, path)
   end
 
   # FIXME: windows
 end
 
 shared_context "setup broken permissions" do
-  context "on unix", :unix_only do
-    context "with root", :requires_root do
-      before :each do
-        File.chown(0, 0, path)
-        File.chmod(0644, path)
-      end
-    end
-  
-    context "without root", :requires_unprivileged_user do
-      before :each do
-        File.chmod(0644, path)
-      end
-    end
+
+  before :each, :unix_only do
+    File.chmod(0644, path)
+  end
+
+  before :each, :unix_only, :requires_root do
+    File.chown(0, 0, path)
   end
 
   # FIXME: windows
 end
 
-shared_context "use Windows permissions", :windows_only do
+shared_examples_for "a securable resource" do
+  context "on Unix", :unix_only do
+    let(:expected_user_name) { 'nobody' }
+    let(:expected_uid) { Etc.getpwnam(expected_user_name).uid }
+    let(:desired_gid) { 1337 }
+    let(:expected_gid) { 1337 }
 
-  if windows?
-    SID ||= Chef::ReservedNames::Win32::Security::SID
-    ACE ||= Chef::ReservedNames::Win32::Security::ACE
-  end
+    pending "should set an owner (Rerun specs under root)", :requires_unprivileged_user => true
+    pending "should set a group (Rerun specs under root)",  :requires_unprivileged_user => true
 
-  def get_security_descriptor(path)
-    Chef::ReservedNames::Win32::Security.get_named_security_info(path)
-  end
+    describe "when setting the owner", :requires_root do
+      before do
+        resource.owner expected_user_name
+        resource.run_action(:create)
+      end
 
-  def explicit_aces
-    descriptor.dacl.select { |ace| ace.explicit? }
-  end
+      it "should set an owner" do
+        File.lstat(path).uid.should == expected_uid
+      end
+
+      it "is marked as updated only if changes are made" do
+        resource.updated_by_last_action?.should == expect_updated?
+      end
 
-  def extract_ace_properties(aces)
-    hashes = []
-    aces.each do |ace|
-      hashes << { :mask => ace.mask, :type => ace.type, :flags => ace.flags }
     end
-    hashes
-  end
 
-  # Standard expected rights
-  let(:expected_read_perms) do
-    {
-      :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_READ,
-      :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ,
-    }
-  end
+    describe "when setting the group", :requires_root do
+      before do
+        resource.group desired_gid
+        resource.run_action(:create)
+      end
 
-  let(:expected_read_execute_perms) do
-    {
-      :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE,
-      :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_EXECUTE
-    }
-  end
+      it "should set a group" do
+        File.lstat(path).gid.should == expected_gid
+      end
 
-  let(:expected_write_perms) do
-    {
-      :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE,
-      :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE
-    }
-  end
+      it "is marked as updated only if changes are made" do
+        resource.updated_by_last_action?.should == expect_updated?
+      end
 
-  let(:expected_modify_perms) do
-    {
-      :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE | Chef::ReservedNames::Win32::API::Security::DELETE,
-      :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_EXECUTE | Chef::ReservedNames::Win32::API::Security::DELETE
-    }
-  end
+    end
 
-  let(:expected_full_control_perms) do
-    {
-      :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_ALL,
-      :specific => Chef::ReservedNames::Win32::API::Security::FILE_ALL_ACCESS
-    }
-  end
+    describe "when setting the permissions from octal given as a String" do
+      before do
+        @mode_string = '776'
+        resource.mode @mode_string
+        resource.run_action(:create)
+      end
+
+      it "should set permissions as specified" do
+        pending('Linux does not support lchmod', :if => resource.instance_of?(Chef::Resource::Link) && !os_x? && !freebsd?) do
+          (File.lstat(path).mode & 007777).should == (@mode_string.oct & 007777)
+        end
+      end
 
-  RSpec::Matchers.define :have_expected_properties do |mask, type, flags|
-    match do |ace|
-      ace.mask == mask
-      ace.type == type
-      ace.flags == flags
+      it "is marked as updated only if changes are made" do
+        resource.updated_by_last_action?.should == expect_updated?
+      end
     end
-  end
 
-  def descriptor
-    get_security_descriptor(path)
+    describe "when setting permissions from a literal octal Integer" do
+      before do
+        @mode_integer = 0776
+        resource.mode @mode_integer
+        resource.run_action(:create)
+      end
+
+      it "should set permissions in numeric form as a ruby-interpreted octal" do
+        pending('Linux does not support lchmod', :if => resource.instance_of?(Chef::Resource::Link) && !os_x? && !freebsd?) do
+          (File.lstat(path).mode & 007777).should == (@mode_integer & 007777)
+        end
+      end
+
+      it "is marked as updated only if changes are made" do
+        resource.updated_by_last_action?.should == expect_updated?
+      end
+    end
   end
-end
 
-shared_examples_for "a securable resource" do
-  context "on Unix", :unix_only do
-    let(:expected_user_name) { 'nobody' }
-    let(:expected_uid) { Etc.getpwnam(expected_user_name).uid }
-    let(:desired_gid) { 1337 }
-    let(:expected_gid) { 1337 }
+  context "on Windows", :windows_only do
 
-    pending "should set an owner (Rerun specs under root)", :requires_unprivileged_user => true
-    pending "should set a group (Rerun specs under root)",  :requires_unprivileged_user => true
+    if windows?
+      SID = Chef::ReservedNames::Win32::Security::SID
+      ACE = Chef::ReservedNames::Win32::Security::ACE
+    end
 
-    it "should set an owner", :requires_root do
-      resource.owner expected_user_name
-      resource.run_action(:create)
-      File.lstat(path).uid.should == expected_uid
+    def get_security_descriptor(path)
+      Chef::ReservedNames::Win32::Security.get_named_security_info(path)
     end
 
-    it "should set a group", :requires_root do
-      resource.group desired_gid
-      resource.run_action(:create)
-      File.lstat(path).gid.should == expected_gid
+    def explicit_aces
+      descriptor.dacl.select { |ace| ace.explicit? }
     end
 
-    it "should set permissions in string form as an octal number" do
-      mode_string = '776'
-      resource.mode mode_string
-      resource.run_action(:create)
-      pending('Linux does not support lchmod', :if => resource.instance_of?(Chef::Resource::Link) && !os_x? && !freebsd?) do
-        (File.lstat(path).mode & 007777).should == (mode_string.oct & 007777)
-      end
+    def extract_ace_properties(aces)
+      hashes = []
+        aces.each do |ace|
+          hashes << { :mask => ace.mask, :type => ace.type, :flags => ace.flags }
+        end
+      hashes
     end
 
-    it "should set permissions in numeric form as a ruby-interpreted octal" do
-      mode_integer = 0776
-      resource.mode mode_integer
-      resource.run_action(:create)
-      pending('Linux does not support lchmod', :if => resource.instance_of?(Chef::Resource::Link) && !os_x? && !freebsd?) do
-        (File.lstat(path).mode & 007777).should == (mode_integer & 007777)
+    # Standard expected rights
+    let(:expected_read_perms) do
+      {
+        :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_READ,
+        :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ,
+      }
+    end
+
+    let(:expected_read_execute_perms) do
+      {
+        :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE,
+        :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_EXECUTE
+      }
+    end
+
+    let(:expected_write_perms) do
+      {
+        :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE,
+        :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE
+      }
+    end
+
+    let(:expected_modify_perms) do
+      {
+        :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE | Chef::ReservedNames::Win32::API::Security::DELETE,
+        :specific => Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_READ | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE | Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_EXECUTE | Chef::ReservedNames::Win32::API::Security::DELETE
+      }
+    end
+
+    let(:expected_full_control_perms) do
+      {
+        :generic => Chef::ReservedNames::Win32::API::Security::GENERIC_ALL,
+        :specific => Chef::ReservedNames::Win32::API::Security::FILE_ALL_ACCESS
+      }
+    end
+
+    RSpec::Matchers.define :have_expected_properties do |mask, type, flags|
+      match do |ace|
+        ace.mask == mask
+        ace.type == type
+        ace.flags == flags
       end
     end
-  end
 
-  context "on Windows", :windows_only do
-    include_context "use Windows permissions"
+    def descriptor
+      get_security_descriptor(path)
+    end
 
     before(:each) do
       resource.run_action(:delete)
@@ -329,7 +353,7 @@ shared_examples_for "a securable resource" do
 
     context "with a mode attribute" do
       if windows?
-        Security ||= Chef::ReservedNames::Win32::API::Security
+        Security = Chef::ReservedNames::Win32::API::Security
       end
 
       it "respects mode in string form as an octal number" do

data/spec/support/shared/functional/securable_resource_with_reporting.rb

@@ -0,0 +1,375 @@
+
+shared_examples_for "a securable resource with reporting" do
+
+  let(:current_resource) do
+    provider = resource.provider_for_action(resource.action)
+    provider.load_current_resource
+    provider.current_resource
+  end
+
+  # Default mode varies based on implementation. Providers that use a tempfile
+  # will default to 0600. Providers that use File.open will default to 0666 -
+  # umask
+  # let(:default_mode) { ((0100666 - File.umask) & 07777).to_s(8) }
+
+  describe "reading file security metadata for reporting on unix", :unix_only => true do
+    context "when the target file doesn't exist" do
+      before do
+        resource.action(:create)
+      end
+
+      it "has empty values for file metadata in 'current_resource'" do
+        current_resource.owner.should be_nil
+        current_resource.group.should be_nil
+        current_resource.mode.should be_nil
+      end
+
+      context "and no security metadata is specified in new_resource" do
+        it "sets the metadata values on the new_resource as strings after creating" do
+          resource.run_action(:create)
+          # TODO: most stable way to specify?
+          resource.owner.should == Etc.getpwuid(Process.uid).name
+          resource.group.should == Etc.getgrgid(Process.gid).name
+          resource.mode.should == "0#{default_mode}"
+        end
+      end
+
+      context "and owner is specified with a String (username) in new_resource", :requires_root => true do
+
+        # TODO/bug: duplicated from the "securable resource" tests
+        let(:expected_user_name) { 'nobody' }
+
+        before do
+          resource.owner(expected_user_name)
+          resource.run_action(:create)
+        end
+
+        it "sets the owner on new_resource to the username (String) of the desired owner" do
+          resource.owner.should == expected_user_name
+        end
+
+      end
+
+      context "and owner is specified with an Integer (uid) in new_resource", :requires_root => true do
+
+        # TODO: duplicated from "securable resource"
+        let(:expected_user_name) { 'nobody' }
+        let(:expected_uid) { Etc.getpwnam(expected_user_name).uid }
+        let(:desired_gid) { 1337 }
+        let(:expected_gid) { 1337 }
+
+        before do
+          resource.owner(expected_uid)
+          resource.run_action(:create)
+        end
+
+        it "sets the owner on new_resource to the uid (Integer) of the desired owner" do
+          resource.owner.should == expected_uid
+        end
+      end
+
+      context "and group is specified with a String (group name)", :requires_root => true do
+
+        let(:expected_group_name) { Etc.getgrent.name }
+
+        before do
+          resource.group(expected_group_name)
+          resource.run_action(:create)
+        end
+
+        it "sets the group on new_resource to the group name (String) of the group" do
+          resource.group.should == expected_group_name
+        end
+
+      end
+
+      context "and group is specified with an Integer (gid)", :requires_root => true do
+        let(:expected_gid) { Etc.getgrent.gid }
+
+        before do
+          resource.group(expected_gid)
+          resource.run_action(:create)
+        end
+
+        it "sets the group on new_resource to the gid (Integer)" do
+          resource.group.should == expected_gid
+        end
+
+      end
+
+      context "and mode is specified as a String" do
+        # Need full permission for owner here or else remote directory gets
+        # into trouble trying to manage nested directories
+        let(:set_mode) { "0740" }
+        let(:expected_mode) { "0740" }
+
+        before do
+          resource.mode(set_mode)
+          resource.run_action(:create)
+        end
+
+        it "sets mode on the new_resource as a String" do
+          resource.mode.should == expected_mode
+        end
+      end
+
+      context "and mode is specified as an Integer" do
+        let(:set_mode) { 00740 }
+
+        let(:expected_mode) { "0740" }
+        before do
+          resource.mode(set_mode)
+          resource.run_action(:create)
+        end
+
+        it "sets mode on the new resource as a String" do
+          resource.mode.should == expected_mode
+        end
+      end
+    end
+
+    context "when the target file exists" do
+      before do
+        FileUtils.touch(resource.path)
+        resource.action(:create)
+      end
+
+      context "and no security metadata is specified in new_resource" do
+        it "sets the current values on current resource as strings" do
+          # TODO: most stable way to specify?
+          current_resource.owner.should == Etc.getpwuid(Process.uid).name
+          current_resource.group.should == Etc.getgrgid(Process.gid).name
+          current_resource.mode.should == "0#{((0100666 - File.umask) & 07777).to_s(8)}"
+        end
+      end
+
+      context "and owner is specified with a String (username) in new_resource" do
+
+        let(:expected_user_name) { Etc.getpwuid(Process.uid).name }
+
+        before do
+          resource.owner(expected_user_name)
+        end
+
+        it "sets the owner on new_resource to the username (String) of the desired owner" do
+          current_resource.owner.should == expected_user_name
+        end
+
+      end
+
+      context "and owner is specified with an Integer (uid) in new_resource" do
+
+        let(:expected_uid) { Process.uid }
+
+        before do
+          resource.owner(expected_uid)
+        end
+
+        it "sets the owner on new_resource to the uid (Integer) of the desired owner" do
+          current_resource.owner.should == expected_uid
+        end
+      end
+
+      context "and group is specified with a String (group name)" do
+
+        let(:expected_group_name) { Etc.getgrgid(Process.gid).name }
+
+        before do
+          resource.group(expected_group_name)
+        end
+
+        it "sets the group on new_resource to the group name (String) of the group" do
+          current_resource.group.should == expected_group_name
+        end
+
+      end
+
+      context "and group is specified with an Integer (gid)" do
+        let(:expected_gid) { Process.gid }
+
+        before do
+          resource.group(expected_gid)
+        end
+
+        it "sets the group on new_resource to the gid (Integer)" do
+          current_resource.group.should == expected_gid
+        end
+
+      end
+
+      context "and mode is specified as a String" do
+        let(:default_create_mode) { (0100666 - File.umask) }
+        let(:expected_mode) { "0#{(default_create_mode & 07777).to_s(8)}" }
+
+        before do
+          resource.mode(expected_mode)
+        end
+
+        it "sets mode on the new_resource as a String" do
+          current_resource.mode.should == expected_mode
+        end
+      end
+
+      context "and mode is specified as an Integer" do
+        let(:set_mode) { (0100666 - File.umask) & 07777 }
+        let(:expected_mode) { "0#{set_mode.to_s(8)}" }
+
+        before do
+          resource.mode(set_mode)
+        end
+
+        it "sets mode on the new resource as a String" do
+          current_resource.mode.should == expected_mode
+        end
+      end
+    end
+  end
+
+  describe "reading file security metadata for reporting on windows", :windows_only do
+
+    before do
+      pending "windows reporting not yet fully supported"
+    end
+
+    ALL_EXPANDED_PERMISSIONS = ["generic read",
+                                "generic write",
+                                "generic execute",
+                                "generic all",
+                                "delete",
+                                "read permissions",
+                                "change permissions",
+                                "take ownership",
+                                "synchronize",
+                                "access system security",
+                                "read data / list directory",
+                                "write data / add file",
+                                "append data / add subdirectory",
+                                "read extended attributes",
+                                "write extended attributes",
+                                "execute / traverse",
+                                "delete child",
+                                "read attributes",
+                                "write attributes"]
+
+
+    context "when the target file doesn't exist" do
+
+      # Windows reporting data should look like this (+/- ish):
+      # { "owner" => "bob", "checksum" => "ffff", "access control" => { "bob" => { "permissions" => ["perm1", "perm2", ...], "flags" => [] }}}
+
+
+      before do
+        resource.action(:create)
+      end
+
+      it "has empty values for file metadata in 'current_resource'" do
+        current_resource.owner.should be_nil
+        current_resource.expanded_rights.should be_nil
+      end
+
+      context "and no security metadata is specified in new_resource" do
+        it "sets the metadata values on the new_resource as strings after creating" do
+          resource.run_action(:create)
+          # TODO: most stable way to specify?
+          resource.owner.should == etc.getpwuid(process.uid).name
+          resource.state[:expanded_rights].should == { "CURRENTUSER" => { "permissions" => ALL_EXPANDED_PERMISSIONS, "flags" => [] }}
+          resource.state[:expanded_deny_rights].should == {}
+          resource.state[:inherits].should be_true
+        end
+      end
+
+
+      context "and owner is specified with a string (username) in new_resource" do
+
+        # TODO/bug: duplicated from the "securable resource" tests
+        let(:expected_user_name) { 'Guest' }
+
+        before do
+          resource.owner(expected_user_name)
+          resource.run_action(:create)
+        end
+
+        it "sets the owner on new_resource to the username (string) of the desired owner" do
+          resource.owner.should == expected_user_name
+        end
+
+      end
+
+      context "and owner is specified with a fully qualified domain user" do
+
+        # TODO: duplicated from "securable resource"
+        let(:expected_user_name) { 'domain\user' }
+
+        before do
+          resource.owner(expected_user_name)
+          resource.run_action(:create)
+        end
+
+        it "sets the owner on new_resource to the fully qualified name of the desired owner" do
+          resource.owner.should == expected_user_name
+        end
+      end
+
+    end
+
+    context "when the target file exists" do
+      before do
+        FileUtils.touch(resource.path)
+        resource.action(:create)
+      end
+
+      context "and no security metadata is specified in new_resource" do
+        it "sets the current values on current resource as strings" do
+          # TODO: most stable way to specify?
+          current_resource.owner.should == etc.getpwuid(process.uid).name
+          current_resource.expanded_rights.should == { "CURRENTUSER" => ALL_EXPANDED_PERMISSIONS }
+        end
+      end
+
+      context "and owner is specified with a string (username) in new_resource" do
+
+        let(:expected_user_name) { etc.getpwuid(process.uid).name }
+
+        before do
+          resource.owner(expected_user_name)
+        end
+
+        it "sets the owner on current_resource to the username (string) of the desired owner" do
+          current_resource.owner.should == expected_user_name
+        end
+
+      end
+
+      context "and owner is specified as a fully qualified 'domain\\user' in new_resource" do
+
+        let(:expected_user_name) { 'domain\user' }
+
+        before do
+          resource.owner(expected_user_name)
+        end
+
+        it "sets the owner on current_resource to the fully qualified name of the desired owner" do
+          current_resource.owner.should == expected_uid
+        end
+      end
+
+      context "and access rights are specified on the new_resource" do
+        # TODO: before do blah
+
+        it "sets the expanded_rights on the current resource" do
+          pending
+        end
+      end
+
+      context "and no access rights are specified on the current resource" do
+        # TODO: before do blah
+
+        it "sets the expanded rights on the current resource" do
+          pending
+        end
+      end
+
+
+    end
+  end
+end