chef_fixie 0.1.0

data/lib/chef_fixie/utility_helpers.rb

@@ -0,0 +1,59 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+#
+# Copyright (c) 2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+
+require 'chef_fixie/config'
+require 'chef_fixie/authz_objects'
+require 'chef_fixie/authz_mapper'
+
+module ChefFixie
+  module UtilityHelpers
+    def self.orgs
+      @orgs ||= ChefFixie::Sql::Orgs.new
+    end
+    def self.users
+      @users ||= ChefFixie::Sql::Users.new
+    end
+    def self.assocs
+      @assocs ||= ChefFixie::Sql::Associations.new
+    end
+    def self.invites
+      invites ||= ChefFixie::Sql::Invites.new
+    end
+
+    def self.make_user(user)
+      if user.is_a?(String)
+        return users[user]
+      elsif user.is_a?(ChefFixie::Sql::User)
+        return user
+      else
+        raise Exception "Expected a user, got a #{user.class}"
+      end
+    end      
+    def self.make_org(org)
+      if org.is_a?(String)
+        return orgs[org]
+      elsif org.is_a?(ChefFixie::Sql::Org)
+        return org
+      else
+        raise Exception "Expected an org, got a #{org.class}"
+      end
+    end      
+  end
+end

data/lib/chef_fixie/version.rb

@@ -0,0 +1,3 @@
+module ChefFixie
+  VERSION = "0.1.0"
+end

data/spec/chef_fixie/acl_spec.rb

@@ -0,0 +1,83 @@
+
+require 'rspec'
+require "spec_helper"
+require 'chef_fixie'
+require 'chef_fixie/config'
+
+RSpec.describe ChefFixie::Sql::Orgs, "ACL access" do
+  let (:test_org_name) { "ponyville"}
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  # TODO this should use a freshly created object and purge it afterwords.
+  # But we need to write the create object feature still
+  
+  context "Fetch acl for actor (client)" do
+    let (:testclient) { test_org.clients.all.first }
+    let (:testuser) { users['spitfire'] }
+    let (:pivotal) { users['pivotal'] }
+    let (:client_container) { test_org.containers["clients"] }
+    
+    it "We can fetch the acl" do
+      acl = testclient.acl
+      expect(acl.keys).to include(* %w(create read update delete grant))
+    end
+
+    it "we can add a user to an ace" do
+# This requires either a temp object or good cleanup      
+#      acl = testclient.acl
+#      expect(acl["read"]["actors"].not_to include("wonderbolts")
+      
+      testclient.ace_add(:read, testuser)
+
+      acl = testclient.acl
+      expect(acl["read"]["actors"]).to include([:global, testuser.name])
+    end
+    
+    it "we can add then delete a user from an ace" do
+      testclient.ace_add(:read, testuser)
+      acl = testclient.acl
+      expect(acl["read"]["actors"]).to include([:global, testuser.name])
+
+      
+      testclient.ace_delete(:read, testuser)
+
+      acl = testclient.acl
+      expect(acl["read"]["actors"]).not_to include([:global, testuser.name])
+    end
+
+    it "we can copy users from another acl" do
+      testclient.ace_delete(:all, pivotal)
+            
+      testclient.acl_add_from_object(client_container)
+
+      acl = testclient.acl
+      %w(create read update delete grant).each do |action|
+        expect(acl[action]["actors"]).to include([:global, pivotal.name])
+      end
+    end
+     
+  end
+
+  context "ACE Membership" do
+    
+    let (:admingroup) { test_org.groups['admins'] }
+    let (:testobject) { test_org.groups['admins'] }
+    let (:notadmingroup) { test_org.groups['clients'] }
+    let (:adminuser) { users['rainbowdash'] }
+    let (:notadminuser) { users['mary'] }
+    let (:pivotal) { users['pivotal'] }
+    
+    it "Privileged users and groups are part of the read ACE" do
+      expect(testobject.ace_member?(:read, admingroup)).to be true
+      expect(testobject.ace_member?(:read, pivotal)).to be true
+    end
+    it "Unprivileged members are not part of read ACE" do
+      expect(testobject.member?(notadmingroup)).to be false
+      expect(testobject.member?(notadminuser)).to be false
+    end
+  end
+
+
+end

data/spec/chef_fixie/assoc_invite_spec.rb

@@ -0,0 +1,47 @@
+
+require 'rspec'
+require "spec_helper"
+require 'chef_fixie'
+require 'chef_fixie/config'
+
+RSpec.describe ChefFixie::Sql::Associations, "Associations tests" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:test_org) { orgs[test_org_name]}
+
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:assocs) { ChefFixie::Sql::Associations.new }
+
+
+  context "Basic functionality of association spec" do
+    let ("test_user_name") { "fluttershy" }
+    let ("test_user") { users[test_user_name] }
+    it "Can fetch by user id" do
+      assocs_by_user = assocs.by_user_id(test_user.id).all
+      expect(assocs_by_user).not_to be_nil
+      expect(assocs_by_user.count).to eq(1)
+      expect(assocs_by_user.first.user_id ).to eq(test_user.id)
+      expect(assocs_by_user.first.org_id ).to eq(test_org.id)
+    end
+    it "Can fetch by org id" do
+      assocs_by_org = assocs.by_org_id(test_org.id).all
+      expect(assocs_by_org).not_to be_nil
+      expect(assocs_by_org.count).to be > 1
+      expect(assocs_by_org.first.org_id).to eq(test_org.id)
+    end
+
+    it "Can fetch by both org/user id" do
+      assoc_item = assocs.by_org_id_user_id(test_org.id, test_user.id)
+      expect(assoc_item).not_to be_nil
+      expect(assoc_item.user_id).to eq(test_user.id)
+      expect(assoc_item.org_id).to eq(test_org.id)
+
+      # test user not in org
+      expect(assocs.by_org_id_user_id(test_org.id, users['mary'].id)).to be_nil
+    end
+
+
+  end
+
+
+end

data/spec/chef_fixie/assoc_invite_spec.rb~

@@ -0,0 +1,26 @@
+
+require 'rspec'
+require "spec_helper"
+require 'fixie'
+require 'fixie/config'
+
+RSpec.describe Fixie::Sql::Orgs, "Organizations access" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { Fixie::Sql::Orgs.new }
+  let (:test_org) { orgs[test_org_name]}
+
+  context "Basic functionality of org accessor" do
+
+    it "Org has a name and id" do
+      expect(test_org.name).to eq(test_org_name)
+      expect(test_org.id).not_to be_nil
+    end
+
+    it "Org has a global admins group" do
+      expect(test_org.global_admins.name).to eq(test_org_name + "_global_admins")      
+    end
+    
+  end
+
+
+end

data/spec/chef_fixie/check_org_associations_spec.rb

@@ -0,0 +1,140 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+require 'rspec'
+require "spec_helper"
+require 'chef_fixie'
+require 'chef_fixie/config'
+
+RSpec.describe ChefFixie::CheckOrgAssociations, "Association checker" do
+  let (:test_org_name) { "ponyville"}
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:adminuser) { users['rainbowdash'] }
+  let (:notorguser) { users['mary'] }
+
+  # TODO this should use a freshly created object and purge it afterwords.
+  # But we need to write the create object feature still
+
+  context "Individual user check" do
+    it "Works on expected sane org/user pair" do
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org_name, adminuser.name)).to be true
+    end
+
+  end
+  context "Individual user check" do
+    before :each do
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    after :each do
+      usag =  test_org.groups[adminuser.id]
+
+      usag.group_add(adminuser)
+      test_org.groups['users'].group_add(usag)
+
+      adminuser.ace_add(:read, test_org.global_admins)
+
+    end
+
+    it "Detects user not associated" do
+      # break it
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, notorguser)).to be :not_associated
+    end
+
+    # TODO: Write missing USAG test, but can't until we can restore the USAG or use disposable org
+
+    it "Detects user missing from usag" do
+      # break it
+      usag =  test_org.groups[adminuser.id]
+      usag.group_delete(adminuser)
+
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be :user_not_in_usag
+    end
+
+    it "Detects usag missing from users group" do
+      # break it
+      usag =  test_org.groups[adminuser.id]
+      test_org.groups['users'].group_delete(usag)
+
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be :usag_not_in_users
+    end
+
+    it "Detects global admins missing read" do
+      # break it
+      adminuser.ace_delete(:read, test_org.global_admins)
+
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be :global_admins_lacks_read
+    end
+
+    # TODO test zombie invite; need some way to create it.
+
+  end
+
+  context "Individual user fixup" do
+    before :each do
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    after :each do
+      usag =  test_org.groups[adminuser.id]
+
+      usag.group_add(adminuser)
+      test_org.groups['users'].group_add(usag)
+
+      adminuser.ace_add(:read, test_org.global_admins)
+
+    end
+
+    it "Detects user not associated" do
+      # break it
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, notorguser)).to be :not_associated
+    end
+
+    # TODO: Write missing USAG test, but can't until we can restore the USAG or use disposable org
+
+    it "Fixes user missing from usag" do
+      # break it
+      usag =  test_org.groups[adminuser.id]
+      usag.group_delete(adminuser)
+
+      expect(ChefFixie::CheckOrgAssociations.fix_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    it "Fixes usag missing from users group" do
+      # break it
+      usag =  test_org.groups[adminuser.id]
+      test_org.groups['users'].group_delete(usag)
+
+      expect(ChefFixie::CheckOrgAssociations.fix_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    it "Fixes global admins missing read" do
+      # break it
+      adminuser.ace_delete(:read, test_org.global_admins)
+
+      expect(ChefFixie::CheckOrgAssociations.fix_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    # TODO test zombie invite; need some way to create it.
+
+  end
+
+
+  # TODO Break the org and check it!
+  context "Global org check" do
+
+    it "Works on expected sane org" do
+      expect(ChefFixie::CheckOrgAssociations.check_associations("acme")).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_associations(orgs["acme"])).to be true
+    end
+
+  end
+
+  
+
+end

data/spec/chef_fixie/check_org_associations_spec.rb~

@@ -0,0 +1,34 @@
+
+require 'rspec'
+require "spec_helper"
+require 'fixie'
+require 'fixie/config'
+
+RSpec.describe Fixie::Sql::Groups, "Group access" do
+  let (:test_org_name) { "ponyville"}
+  let (:orgs) { Fixie::Sql::Orgs.new }
+  let (:users) { Fixie::Sql::Users.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  # TODO this should use a freshly created object and purge it afterwords.
+  # But we need to write the create object feature still
+  
+  context "Groups" do
+    let (:testgroup) { test_org.groups['admins'] }
+    let (:adminuser) { users['rainbowdash'] }
+    let (:notadminuser) { users['mary'] }
+    
+    it "Members are part of the group" do
+      expect(testgroup.member?(adminuser)).to be true
+    end
+    it "Members are not part of the group" do
+      expect(testgroup.member?(notadminuser)).to be false
+    end
+
+     
+  end
+
+
+
+
+end

data/spec/chef_fixie/groups_spec.rb

@@ -0,0 +1,34 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+require 'rspec'
+require "spec_helper"
+require 'chef_fixie'
+require 'chef_fixie/config'
+
+RSpec.describe ChefFixie::Sql::Groups, "Group access" do
+  let (:test_org_name) { "ponyville"}
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  # TODO this should use a freshly created object and purge it afterwords.
+  # But we need to write the create object feature still
+
+  context "Groups" do
+    let (:testgroup) { test_org.groups['admins'] }
+    let (:adminuser) { users['rainbowdash'] }
+    let (:notadminuser) { users['mary'] }
+
+    it "Members are part of the group" do
+      expect(testgroup.member?(adminuser)).to be true
+    end
+    it "Members are not part of the group" do
+      expect(testgroup.member?(notadminuser)).to be false
+    end
+
+
+  end
+
+
+
+
+end

data/spec/chef_fixie/org_spec.rb

@@ -0,0 +1,26 @@
+
+require 'rspec'
+require "spec_helper"
+require 'chef_fixie'
+require 'chef_fixie/config'
+
+RSpec.describe ChefFixie::Sql::Orgs, "Organizations access" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:test_org) { orgs[test_org_name]}
+
+  context "Basic functionality of org accessor" do
+
+    it "Org has a name and id" do
+      expect(test_org.name).to eq(test_org_name)
+      expect(test_org.id).not_to be_nil
+    end
+
+    it "Org has a global admins group" do
+      expect(test_org.global_admins.name).to eq(test_org_name + "_global_admins")
+    end
+
+  end
+
+
+end