chef_fixie_shahid 0.5.2

data/lib/chef_fixie_shahid/utility_helpers.rb

@@ -0,0 +1,63 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+#
+# Copyright (c) 2015 Chef Software Inc.
+# License :: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Author: Mark Anderson <mark@chef.io>
+#
+
+require_relative "config"
+require_relative "authz_objects"
+require_relative "authz_mapper"
+
+module ChefFixie
+  module UtilityHelpers
+    def self.orgs
+      @orgs ||= ChefFixie::Sql::Orgs.new
+    end
+
+    def self.users
+      @users ||= ChefFixie::Sql::Users.new
+    end
+
+    def self.assocs
+      @assocs ||= ChefFixie::Sql::Associations.new
+    end
+
+    def self.invites
+      invites ||= ChefFixie::Sql::Invites.new
+    end
+
+    def self.make_user(user)
+      if user.is_a?(String)
+        users[user]
+      elsif user.is_a?(ChefFixie::Sql::User)
+        user
+      else
+        raise Exception "Expected a user, got a #{user.class}"
+      end
+    end
+
+    def self.make_org(org)
+      if org.is_a?(String)
+        orgs[org]
+      elsif org.is_a?(ChefFixie::Sql::Org)
+        org
+      else
+        raise Exception "Expected an org, got a #{org.class}"
+      end
+    end
+  end
+end

data/lib/chef_fixie_shahid/version.rb

@@ -0,0 +1,3 @@
+module ChefFixie
+  VERSION = "0.5.2"
+end

data/spec/chef_fixie/acl_spec.rb

@@ -0,0 +1,81 @@
+
+require "rspec"
+require "spec_helper"
+require "chef_fixie"
+require "chef_fixie/config"
+
+RSpec.describe ChefFixie::Sql::Orgs, "ACL access" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  # TODO this should use a freshly created object and purge it afterwords.
+  # But we need to write the create object feature still
+
+  context "Fetch acl for actor (client)" do
+    let (:testclient) { test_org.clients.all.first }
+    let (:testuser) { users["spitfire"] }
+    let (:pivotal) { users["pivotal"] }
+    let (:client_container) { test_org.containers["clients"] }
+
+    it "We can fetch the acl" do
+      acl = testclient.acl
+      expect(acl.keys).to include(* %w{create read update delete grant})
+    end
+
+    it "we can add a user to an ace" do
+# This requires either a temp object or good cleanup
+#      acl = testclient.acl
+#      expect(acl["read"]["actors"].not_to include("wonderbolts")
+
+      testclient.ace_add(:read, testuser)
+
+      acl = testclient.acl
+      expect(acl["read"]["actors"]).to include([:global, testuser.name])
+    end
+
+    it "we can add then delete a user from an ace" do
+      testclient.ace_add(:read, testuser)
+      acl = testclient.acl
+      expect(acl["read"]["actors"]).to include([:global, testuser.name])
+
+      testclient.ace_delete(:read, testuser)
+
+      acl = testclient.acl
+      expect(acl["read"]["actors"]).not_to include([:global, testuser.name])
+    end
+
+    it "we can copy users from another acl" do
+      testclient.ace_delete(:all, pivotal)
+
+      testclient.acl_add_from_object(client_container)
+
+      acl = testclient.acl
+      %w{create read update delete grant}.each do |action|
+        expect(acl[action]["actors"]).to include([:global, pivotal.name])
+      end
+    end
+
+  end
+
+  context "ACE Membership" do
+
+    let (:admingroup) { test_org.groups["admins"] }
+    let (:testobject) { test_org.groups["admins"] }
+    let (:notadmingroup) { test_org.groups["clients"] }
+    let (:adminuser) { users["rainbowdash"] }
+    let (:notadminuser) { users["mary"] }
+    let (:pivotal) { users["pivotal"] }
+
+    it "Privileged users and groups are part of the read ACE" do
+      expect(testobject.ace_member?(:read, admingroup)).to be true
+      expect(testobject.ace_member?(:read, pivotal)).to be true
+    end
+    it "Unprivileged members are not part of read ACE" do
+      expect(testobject.member?(notadmingroup)).to be false
+      expect(testobject.member?(notadminuser)).to be false
+    end
+  end
+
+end

data/spec/chef_fixie/assoc_invite_spec.rb

@@ -0,0 +1,44 @@
+
+require "rspec"
+require "spec_helper"
+require "chef_fixie"
+require "chef_fixie/config"
+
+RSpec.describe ChefFixie::Sql::Associations, "Associations tests" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:assocs) { ChefFixie::Sql::Associations.new }
+
+  context "Basic functionality of association spec" do
+    let ("test_user_name") { "fluttershy" }
+    let ("test_user") { users[test_user_name] }
+    it "Can fetch by user id" do
+      assocs_by_user = assocs.by_user_id(test_user.id).all
+      expect(assocs_by_user).not_to be_nil
+      expect(assocs_by_user.count).to eq(1)
+      expect(assocs_by_user.first.user_id ).to eq(test_user.id)
+      expect(assocs_by_user.first.org_id ).to eq(test_org.id)
+    end
+    it "Can fetch by org id" do
+      assocs_by_org = assocs.by_org_id(test_org.id).all
+      expect(assocs_by_org).not_to be_nil
+      expect(assocs_by_org.count).to be > 1
+      expect(assocs_by_org.first.org_id).to eq(test_org.id)
+    end
+
+    it "Can fetch by both org/user id" do
+      assoc_item = assocs.by_org_id_user_id(test_org.id, test_user.id)
+      expect(assoc_item).not_to be_nil
+      expect(assoc_item.user_id).to eq(test_user.id)
+      expect(assoc_item.org_id).to eq(test_org.id)
+
+      # test user not in org
+      expect(assocs.by_org_id_user_id(test_org.id, users["mary"].id)).to be_nil
+    end
+
+  end
+
+end

data/spec/chef_fixie/check_org_associations_spec.rb

@@ -0,0 +1,137 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+require "rspec"
+require "spec_helper"
+require "chef_fixie"
+require "chef_fixie/config"
+
+RSpec.describe ChefFixie::CheckOrgAssociations, "Association checker" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:adminuser) { users["rainbowdash"] }
+  let (:notorguser) { users["mary"] }
+
+  # TODO this should use a freshly created object and purge it afterwords.
+  # But we need to write the create object feature still
+
+  context "Individual user check" do
+    it "Works on expected sane org/user pair" do
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org_name, adminuser.name)).to be true
+    end
+
+  end
+  context "Individual user check" do
+    before :each do
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    after :each do
+      usag = test_org.groups[adminuser.id]
+
+      usag.group_add(adminuser)
+      test_org.groups["users"].group_add(usag)
+
+      adminuser.ace_add(:read, test_org.global_admins)
+
+    end
+
+    it "Detects user not associated" do
+      # break it
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, notorguser)).to be :not_associated
+    end
+
+    # TODO: Write missing USAG test, but can't until we can restore the USAG or use disposable org
+
+    it "Detects user missing from usag" do
+      # break it
+      usag = test_org.groups[adminuser.id]
+      usag.group_delete(adminuser)
+
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be :user_not_in_usag
+    end
+
+    it "Detects usag missing from users group" do
+      # break it
+      usag = test_org.groups[adminuser.id]
+      test_org.groups["users"].group_delete(usag)
+
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be :usag_not_in_users
+    end
+
+    it "Detects global admins missing read" do
+      # break it
+      adminuser.ace_delete(:read, test_org.global_admins)
+
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be :global_admins_lacks_read
+    end
+
+    # TODO test zombie invite; need some way to create it.
+
+  end
+
+  context "Individual user fixup" do
+    before :each do
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    after :each do
+      usag = test_org.groups[adminuser.id]
+
+      usag.group_add(adminuser)
+      test_org.groups["users"].group_add(usag)
+
+      adminuser.ace_add(:read, test_org.global_admins)
+
+    end
+
+    it "Detects user not associated" do
+      # break it
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, notorguser)).to be :not_associated
+    end
+
+    # TODO: Write missing USAG test, but can't until we can restore the USAG or use disposable org
+
+    it "Fixes user missing from usag" do
+      # break it
+      usag =  test_org.groups[adminuser.id]
+      usag.group_delete(adminuser)
+
+      expect(ChefFixie::CheckOrgAssociations.fix_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    it "Fixes usag missing from users group" do
+      # break it
+      usag =  test_org.groups[adminuser.id]
+      test_org.groups["users"].group_delete(usag)
+
+      expect(ChefFixie::CheckOrgAssociations.fix_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    it "Fixes global admins missing read" do
+      # break it
+      adminuser.ace_delete(:read, test_org.global_admins)
+
+      expect(ChefFixie::CheckOrgAssociations.fix_association(test_org, adminuser)).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_association(test_org, adminuser)).to be true
+    end
+
+    # TODO test zombie invite; need some way to create it.
+
+  end
+
+  # TODO Break the org and check it!
+  context "Global org check" do
+
+    it "Works on expected sane org" do
+      expect(ChefFixie::CheckOrgAssociations.check_associations("acme")).to be true
+      expect(ChefFixie::CheckOrgAssociations.check_associations(orgs["acme"])).to be true
+    end
+
+  end
+
+end

data/spec/chef_fixie/groups_spec.rb

@@ -0,0 +1,30 @@
+# -*- indent-tabs-mode: nil; fill-column: 110 -*-
+require "rspec"
+require "spec_helper"
+require "chef_fixie"
+require "chef_fixie/config"
+
+RSpec.describe ChefFixie::Sql::Groups, "Group access" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:users) { ChefFixie::Sql::Users.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  # TODO this should use a freshly created object and purge it afterwords.
+  # But we need to write the create object feature still
+
+  context "Groups" do
+    let (:testgroup) { test_org.groups["admins"] }
+    let (:adminuser) { users["rainbowdash"] }
+    let (:notadminuser) { users["mary"] }
+
+    it "Members are part of the group" do
+      expect(testgroup.member?(adminuser)).to be true
+    end
+    it "Members are not part of the group" do
+      expect(testgroup.member?(notadminuser)).to be false
+    end
+
+  end
+
+end

data/spec/chef_fixie/org_spec.rb

@@ -0,0 +1,25 @@
+
+require "rspec"
+require "spec_helper"
+require "chef_fixie"
+require "chef_fixie/config"
+
+RSpec.describe ChefFixie::Sql::Orgs, "Organizations access" do
+  let (:test_org_name) { "ponyville" }
+  let (:orgs) { ChefFixie::Sql::Orgs.new }
+  let (:test_org) { orgs[test_org_name] }
+
+  context "Basic functionality of org accessor" do
+
+    it "Org has a name and id" do
+      expect(test_org.name).to eq(test_org_name)
+      expect(test_org.id).not_to be_nil
+    end
+
+    it "Org has a global admins group" do
+      expect(test_org.global_admins.name).to eq(test_org_name + "_global_admins")
+    end
+
+  end
+
+end

data/spec/chef_fixie/orgs_spec.rb

@@ -0,0 +1,50 @@
+
+require "rspec"
+require "spec_helper"
+require "chef_fixie"
+require "chef_fixie/config"
+
+RSpec.describe ChefFixie::Sql::Orgs, "Organizations access" do
+  let (:test_org) { "ponyville" }
+
+  context "Basic access to orgs" do
+    let (:orgs) { ChefFixie::Sql::Orgs.new }
+    it "We find more than one org" do
+      expect(orgs.inner.count).to be > 0
+    end
+
+    it "We can list orgs" do
+      # array matcher requires a splat. (I didn't know this )
+      expect(orgs.list).to include( * %w{acme ponyville wonderbolts} )
+    end
+    it "We can list orgs with a limit" do
+      # array matcher requires a splat. (I didn't know this )
+      expect(orgs.list(1)).to eq(:too_many_results)
+    end
+
+    it "We can find an org" do
+      expect(orgs[test_org].name).to eq(test_org)
+    end
+
+  end
+
+  context "Search accessors work correctly" do
+    let (:orgs) { ChefFixie::Sql::Orgs.new }
+    let (:the_org) { orgs[test_org] }
+
+    it "We can find an org by name" do
+      expect(orgs.by_name(test_org).all.count).to eq(1)
+      expect(orgs.by_name(test_org).all.first.name).to eq(the_org.name)
+    end
+
+    # TODO: Automatically extract this from the filter by field
+    %w{name, id, full_name, authz_id}.each do |accessor|
+      it "We can access an org by #{accessor}" do
+        expect(orgs.by_name(test_org).all.count).to eq(1)
+        expect(orgs.by_name(test_org).all.first.name).to eq(the_org.name)
+      end
+    end
+
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,40 @@
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+require "chef_fixie/config"
+
+def load_from_config_example
+  # load from config file
+  config_file = "fixie.conf.example"
+  Kernel.load(config_file)
+end
+
+def load_from_opscode
+  ChefFixie::Config.instance.load_from_pc
+end
+
+RSpec.configure do |config|
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = "random"
+
+  # configure specs
+
+  load_from_opscode
+  ChefFixie::Config.instance.merge_opts({})
+  puts ChefFixie::Config.instance.to_text
+
+  # Horrible shameful hack TODO FIXME
+  # We can't include a lot of the SQL code until we configure things, because
+  # we inherit from Model e.g.
+  # class Users < Sequel::Model(:users)
+  require "chef_fixie"
+end