cheffish 0.7.1 → 0.8

Files changed (37) hide show
  1. checksums.yaml +4 -4
  2. data/lib/chef/provider/chef_acl.rb +434 -0
  3. data/lib/chef/provider/chef_client.rb +5 -1
  4. data/lib/chef/provider/chef_container.rb +50 -0
  5. data/lib/chef/provider/chef_group.rb +78 -0
  6. data/lib/chef/provider/chef_mirror.rb +138 -0
  7. data/lib/chef/provider/chef_organization.rb +150 -0
  8. data/lib/chef/provider/chef_user.rb +6 -1
  9. data/lib/chef/provider/public_key.rb +0 -1
  10. data/lib/chef/resource/chef_acl.rb +38 -44
  11. data/lib/chef/resource/chef_container.rb +18 -0
  12. data/lib/chef/resource/chef_group.rb +49 -0
  13. data/lib/chef/resource/chef_mirror.rb +47 -0
  14. data/lib/chef/resource/chef_organization.rb +64 -0
  15. data/lib/chef/resource/private_key.rb +6 -1
  16. data/lib/chef/resource/public_key.rb +5 -0
  17. data/lib/cheffish/actor_provider_base.rb +14 -9
  18. data/lib/cheffish/basic_chef_client.rb +18 -2
  19. data/lib/cheffish/chef_provider_base.rb +7 -0
  20. data/lib/cheffish/merged_config.rb +10 -2
  21. data/lib/cheffish/recipe_dsl.rb +34 -8
  22. data/lib/cheffish/server_api.rb +12 -2
  23. data/lib/cheffish/version.rb +1 -1
  24. data/lib/cheffish.rb +2 -2
  25. data/spec/functional/merged_config_spec.rb +20 -0
  26. data/spec/integration/chef_acl_spec.rb +914 -0
  27. data/spec/integration/chef_client_spec.rb +78 -44
  28. data/spec/integration/chef_container_spec.rb +34 -0
  29. data/spec/integration/chef_group_spec.rb +324 -0
  30. data/spec/integration/chef_mirror_spec.rb +244 -0
  31. data/spec/integration/chef_node_spec.rb +115 -93
  32. data/spec/integration/chef_organization_spec.rb +244 -0
  33. data/spec/integration/chef_user_spec.rb +51 -9
  34. data/spec/support/repository_support.rb +103 -0
  35. data/spec/support/spec_support.rb +55 -2
  36. metadata +23 -9
  37. data/lib/chef/resource/in_parallel.rb +0 -6
@@ -0,0 +1,914 @@
1
+ require 'support/spec_support'
2
+ require 'chef/resource/chef_acl'
3
+ require 'chef/provider/chef_acl'
4
+ require 'chef_zero/version'
5
+ require 'uri'
6
+
7
+ if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new('3.1')
8
+ describe Chef::Resource::ChefAcl do
9
+ extend SpecSupport
10
+
11
+ context "Rights attributes" do
12
+ when_the_chef_server 'has a node named x', :osc_compat => false do
13
+ node 'x', {}
14
+
15
+ it 'Converging chef_acl "nodes/x" changes nothing' do
16
+ expect {
17
+ run_recipe do
18
+ chef_acl 'nodes/x'
19
+ end
20
+ }.to update_acls('nodes/x/_acl', {})
21
+ end
22
+
23
+ it 'Converging chef_acl "nodes/x" with "complete true" and no rights raises an error' do
24
+ expect {
25
+ run_recipe do
26
+ chef_acl 'nodes/x' do
27
+ complete true
28
+ end
29
+ end
30
+ }.to raise_error(RuntimeError)
31
+ end
32
+
33
+ it 'Removing all :grant rights from a node raises an error' do
34
+ expect {
35
+ run_recipe do
36
+ chef_acl 'nodes/x' do
37
+ remove_rights :grant, :users => 'pivotal', :groups => %w(admins users clients)
38
+ end
39
+ end
40
+ }.to raise_error(RuntimeError)
41
+ end
42
+
43
+ context 'and a user "blarghle"' do
44
+ user 'blarghle', {}
45
+
46
+ it 'Converging chef_acl "nodes/x" with user "blarghle" adds the user' do
47
+ expect {
48
+ run_recipe do
49
+ chef_acl 'nodes/x' do
50
+ rights :read, :users => 'blarghle'
51
+ end
52
+ end
53
+ }.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
54
+ end
55
+
56
+ it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified' do
57
+ expect {
58
+ run_recipe do
59
+ chef_acl 'nodes/x' do
60
+ rights :grant, :users => 'blarghle'
61
+ complete true
62
+ end
63
+ end
64
+ }.to update_acls('nodes/x/_acl', {
65
+ "create"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users", "-clients"]},
66
+ "read" =>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users", "-clients"]},
67
+ "update"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users"]},
68
+ "delete"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users"]},
69
+ "grant" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins"]}
70
+ })
71
+ end
72
+ end
73
+
74
+ it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified in :all' do
75
+ expect {
76
+ run_recipe do
77
+ chef_acl 'nodes/x' do
78
+ rights :all, :users => 'blarghle'
79
+ complete true
80
+ end
81
+ end
82
+ }.to update_acls('nodes/x/_acl', {
83
+ "create"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users", "-clients"]},
84
+ "read" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users", "-clients"]},
85
+ "update"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users"]},
86
+ "delete"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users"]},
87
+ "grant" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins"]}
88
+ })
89
+ end
90
+
91
+ context 'and a client "blarghle"' do
92
+ user 'blarghle', {}
93
+
94
+ it 'Converging chef_acl "nodes/x" with client "blarghle" adds the client' do
95
+ expect {
96
+ run_recipe do
97
+ chef_acl 'nodes/x' do
98
+ rights :read, :clients => 'blarghle'
99
+ end
100
+ end
101
+ }.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
102
+ end
103
+ end
104
+
105
+ context 'and a group "blarghle"' do
106
+ group 'blarghle', {}
107
+
108
+ it 'Converging chef_acl "nodes/x" with group "blarghle" adds the group' do
109
+ expect {
110
+ run_recipe do
111
+ chef_acl 'nodes/x' do
112
+ rights :read, :groups => 'blarghle'
113
+ end
114
+ end
115
+ }.to update_acls('nodes/x/_acl', 'read' => { 'groups' => %w(blarghle) })
116
+ end
117
+ end
118
+
119
+ context 'and multiple users and groups' do
120
+ user 'u1', {}
121
+ user 'u2', {}
122
+ user 'u3', {}
123
+ client 'c1', {}
124
+ client 'c2', {}
125
+ client 'c3', {}
126
+ group 'g1', {}
127
+ group 'g2', {}
128
+ group 'g3', {}
129
+
130
+ it 'Converging chef_acl "nodes/x" with multiple groups, users and clients in an acl makes the appropriate changes' do
131
+ expect {
132
+ run_recipe do
133
+ chef_acl 'nodes/x' do
134
+ rights :create, :users => [ 'u1', 'u2', 'u3' ], :clients => [ 'c1', 'c2', 'c3' ], :groups => [ 'g1', 'g2', 'g3' ]
135
+ end
136
+ end
137
+ }.to update_acls('nodes/x/_acl',
138
+ 'create' => { 'groups' => %w(g1 g2 g3), 'actors' => %w(u1 u2 u3 c1 c2 c3) }
139
+ )
140
+ end
141
+
142
+ it 'Converging chef_acl "nodes/x" with multiple groups, users and clients across multiple "rights" groups makes the appropriate changes' do
143
+ expect {
144
+ run_recipe do
145
+ chef_acl 'nodes/x' do
146
+ rights :create, :users => %w(u1), :clients => 'c1', :groups => 'g1'
147
+ rights :create, :users => %w(u2 u3), :clients => %w(c2 c3), :groups => 'g2'
148
+ rights :read, :users => 'u1'
149
+ rights :read, :groups => 'g1'
150
+ end
151
+ end
152
+ }.to update_acls('nodes/x/_acl',
153
+ 'create' => { 'groups' => %w(g1 g2), 'actors' => %w(u1 u2 u3 c1 c2 c3) },
154
+ 'read' => { 'groups' => %w(g1), 'actors' => %w(u1) }
155
+ )
156
+ end
157
+
158
+ it 'Converging chef_acl "nodes/x" with rights [ :read, :create, :update, :delete, :grant ] modifies all rights' do
159
+ expect {
160
+ run_recipe do
161
+ chef_acl 'nodes/x' do
162
+ rights [ :create, :read, :update, :delete, :grant ], :users => %w(u1 u2), :clients => 'c1', :groups => 'g1'
163
+ end
164
+ end
165
+ }.to update_acls('nodes/x/_acl',
166
+ 'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
167
+ 'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
168
+ 'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
169
+ 'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
170
+ 'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
171
+ )
172
+ end
173
+
174
+ it 'Converging chef_acl "nodes/x" with rights :all modifies all rights' do
175
+ expect {
176
+ run_recipe do
177
+ chef_acl 'nodes/x' do
178
+ rights :all, :users => %w(u1 u2), :clients => 'c1', :groups => 'g1'
179
+ end
180
+ end
181
+ }.to update_acls('nodes/x/_acl',
182
+ 'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
183
+ 'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
184
+ 'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
185
+ 'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
186
+ 'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
187
+ )
188
+ end
189
+ end
190
+
191
+ it 'Converging chef_acl "nodes/y" throws a 404' do
192
+ expect {
193
+ run_recipe do
194
+ chef_acl 'nodes/y'
195
+ end
196
+ }.to raise_error(Net::HTTPServerException)
197
+ end
198
+ end
199
+
200
+ when_the_chef_server 'has a node named x with user blarghle in its acl', :osc_compat => false do
201
+ user 'blarghle', {}
202
+ node 'x', {} do
203
+ acl 'read' => { 'actors' => %w(blarghle) }
204
+ end
205
+
206
+ it 'Converging chef_acl "nodes/x" with that user changes nothing' do
207
+ expect {
208
+ run_recipe do
209
+ chef_acl 'nodes/x' do
210
+ rights :read, :users => 'blarghle'
211
+ end
212
+ end
213
+ }.to update_acls('nodes/x/_acl', {})
214
+ end
215
+ end
216
+
217
+ when_the_chef_server 'has a node named x with users foo and bar in all its acls', :osc_compat => false do
218
+ user 'foo', {}
219
+ user 'bar', {}
220
+ node 'x', {} do
221
+ acl 'create' => { 'actors' => %w(foo bar) },
222
+ 'read' => { 'actors' => %w(foo bar) },
223
+ 'update' => { 'actors' => %w(foo bar) },
224
+ 'delete' => { 'actors' => %w(foo bar) },
225
+ 'grant' => { 'actors' => %w(foo bar) }
226
+ end
227
+
228
+ it 'Converging chef_acl "nodes/x" with remove_rights :all removes foo from everything' do
229
+ expect {
230
+ run_recipe do
231
+ chef_acl 'nodes/x' do
232
+ remove_rights :all, :users => 'foo'
233
+ end
234
+ end
235
+ }.to update_acls('nodes/x/_acl',
236
+ 'create' => { 'actors' => %w(-foo) },
237
+ 'read' => { 'actors' => %w(-foo) },
238
+ 'update' => { 'actors' => %w(-foo) },
239
+ 'delete' => { 'actors' => %w(-foo) },
240
+ 'grant' => { 'actors' => %w(-foo) },
241
+ )
242
+ end
243
+ end
244
+
245
+ context 'recursive' do
246
+ when_the_chef_server 'has a nodes container with user blarghle in its acl', :osc_compat => false do
247
+ user 'blarghle', {}
248
+ acl_for 'containers/nodes', 'read' => { 'actors' => %w(blarghle) }
249
+ node 'x', {} do
250
+ acl 'read' => { 'actors' => [] }
251
+ end
252
+
253
+ it 'Converging chef_acl "nodes" makes no changes' do
254
+ expect {
255
+ run_recipe do
256
+ chef_acl 'nodes' do
257
+ rights :read, :users => 'blarghle'
258
+ end
259
+ end
260
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
261
+ end
262
+
263
+ it 'Converging chef_acl "nodes" with recursive :on_change makes no changes' do
264
+ expect {
265
+ run_recipe do
266
+ chef_acl 'nodes' do
267
+ rights :read, :users => 'blarghle'
268
+ recursive :on_change
269
+ end
270
+ end
271
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
272
+ end
273
+
274
+ it 'Converging chef_acl "nodes" with recursive true changes nodes/x\'s acls' do
275
+ expect {
276
+ run_recipe do
277
+ chef_acl 'nodes' do
278
+ rights :read, :users => 'blarghle'
279
+ recursive true
280
+ end
281
+ end
282
+ }.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
283
+ end
284
+
285
+ it 'Converging chef_acl "" with recursive false does not change nodes/x\'s acls' do
286
+ expect {
287
+ run_recipe do
288
+ chef_acl '' do
289
+ rights :read, :users => 'blarghle'
290
+ recursive false
291
+ end
292
+ end
293
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
294
+ end
295
+
296
+ it 'Converging chef_acl "" with recursive :on_change does not change nodes/x\'s acls' do
297
+ expect {
298
+ run_recipe do
299
+ chef_acl '' do
300
+ rights :read, :users => 'blarghle'
301
+ recursive :on_change
302
+ end
303
+ end
304
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
305
+ end
306
+
307
+ it 'Converging chef_acl "" with recursive true changes nodes/x\'s acls' do
308
+ expect {
309
+ run_recipe do
310
+ chef_acl '' do
311
+ rights :read, :users => 'blarghle'
312
+ recursive true
313
+ end
314
+ end
315
+ }.to update_acls([ '/organizations/_acl', 'nodes/x/_acl' ], 'read' => { 'actors' => %w(blarghle) })
316
+ end
317
+ end
318
+ end
319
+ end
320
+
321
+ context 'ACLs on each type of thing' do
322
+ when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
323
+ organization 'foo' do
324
+ user 'u', {}
325
+ client 'x', {}
326
+ container 'x', {}
327
+ cookbook 'x', '1.0.0', {}
328
+ data_bag 'x', { 'y' => {} }
329
+ environment 'x', {}
330
+ group 'x', {}
331
+ node 'x', {}
332
+ role 'x', {}
333
+ sandbox 'x', {}
334
+ user 'x', {}
335
+ end
336
+
337
+ organization 'bar' do
338
+ user 'u', {}
339
+ node 'x', {}
340
+ end
341
+
342
+ context 'and the chef server URL points at /organizations/foo' do
343
+ before :each do
344
+ Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, '/organizations/foo').to_s
345
+ end
346
+
347
+ context 'relative paths' do
348
+ it "chef_acl 'nodes/x' changes the acls" do
349
+ expect {
350
+ run_recipe do
351
+ chef_acl "nodes/x" do
352
+ rights :read, :users => 'u'
353
+ end
354
+ end
355
+ }.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(u) })
356
+ end
357
+
358
+ it "chef_acl '*/*' changes the acls" do
359
+ expect {
360
+ run_recipe do
361
+ chef_acl "*/*" do
362
+ rights :read, :users => 'u'
363
+ end
364
+ end
365
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "/organizations/foo/#{type}/x/_acl" },
366
+ 'read' => { 'actors' => %w(u) })
367
+ end
368
+ end
369
+
370
+ context 'absolute paths' do
371
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
372
+ it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
373
+ expect {
374
+ run_recipe do
375
+ chef_acl "/organizations/foo/#{type}/x" do
376
+ rights :read, :users => 'u'
377
+ end
378
+ end
379
+ }.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
380
+ end
381
+ end
382
+
383
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
384
+ it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
385
+ expect {
386
+ run_recipe do
387
+ chef_acl "/organizations/foo/#{type}/x" do
388
+ rights :read, :users => 'u'
389
+ end
390
+ end
391
+ }.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
392
+ end
393
+ end
394
+
395
+ %w(clients containers cookbooks data environments groups nodes roles).each do |type|
396
+ it "chef_acl '/*/*/#{type}/*' changes the acl" do
397
+ expect {
398
+ run_recipe do
399
+ chef_acl "/*/*/#{type}/*" do
400
+ rights :read, :users => 'u'
401
+ end
402
+ end
403
+ }.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
404
+ end
405
+ end
406
+
407
+ it "chef_acl '/*/*/*/x' changes the acls" do
408
+ expect {
409
+ run_recipe do
410
+ chef_acl "/*/*/*/x" do
411
+ rights :read, :users => 'u'
412
+ end
413
+ end
414
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "/organizations/foo/#{type}/x/_acl" },
415
+ 'read' => { 'actors' => %w(u) })
416
+ end
417
+
418
+ it "chef_acl '/*/*/*/*' changes the acls" do
419
+ expect {
420
+ run_recipe do
421
+ chef_acl "/*/*/*/*" do
422
+ rights :read, :users => 'u'
423
+ end
424
+ end
425
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "/organizations/foo/#{type}/x/_acl" },
426
+ 'read' => { 'actors' => %w(u) })
427
+ end
428
+
429
+ it 'chef_acl "/organizations/foo/data_bags/x" changes the acl' do
430
+ expect {
431
+ run_recipe do
432
+ chef_acl '/organizations/foo/data_bags/x' do
433
+ rights :read, :users => 'u'
434
+ end
435
+ end
436
+ }.to update_acls('/organizations/foo/data/x/_acl', 'read' => { 'actors' => %w(u) })
437
+ end
438
+
439
+ it 'chef_acl "/*/*/data_bags/*" changes the acl' do
440
+ expect {
441
+ run_recipe do
442
+ chef_acl '/*/*/data_bags/*' do
443
+ rights :read, :users => 'u'
444
+ end
445
+ end
446
+ }.to update_acls('/organizations/foo/data/x/_acl', 'read' => { 'actors' => %w(u) })
447
+ end
448
+
449
+ it "chef_acl '/organizations/foo/cookbooks/x/1.0.0' raises an error" do
450
+ expect {
451
+ run_recipe do
452
+ chef_acl "/organizations/foo/cookbooks/x/1.0.0" do
453
+ rights :read, :users => 'u'
454
+ end
455
+ end
456
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/x/)
457
+ end
458
+
459
+ it "chef_acl '/organizations/foo/cookbooks/*/*' raises an error" do
460
+ pending
461
+ expect {
462
+ run_recipe do
463
+ chef_acl "/organizations/foo/cookbooks/*/*" do
464
+ rights :read, :users => 'u'
465
+ end
466
+ end
467
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/*/)
468
+ end
469
+
470
+ it 'chef_acl "/organizations/foo/data/x/y" raises an error' do
471
+ expect {
472
+ run_recipe do
473
+ chef_acl '/organizations/foo/data/x/y' do
474
+ rights :read, :users => 'u'
475
+ end
476
+ end
477
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/x/)
478
+ end
479
+
480
+ it 'chef_acl "/organizations/foo/data/*/*" raises an error' do
481
+ pending
482
+ expect {
483
+ run_recipe do
484
+ chef_acl '/organizations/foo/data/*/*' do
485
+ rights :read, :users => 'u'
486
+ end
487
+ end
488
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/*/)
489
+ end
490
+
491
+ it 'chef_acl "/organizations/foo" changes the acl' do
492
+ expect {
493
+ run_recipe do
494
+ chef_acl '/organizations/foo' do
495
+ rights :read, :users => 'u'
496
+ end
497
+ end
498
+ }.to update_acls([ '/organizations/foo/organizations/_acl', '/organizations/foo/nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
499
+ end
500
+
501
+ it 'chef_acl "/organizations/*" changes the acl' do
502
+ expect {
503
+ run_recipe do
504
+ chef_acl '/organizations/*' do
505
+ rights :read, :users => 'u'
506
+ end
507
+ end
508
+ }.to update_acls([ '/organizations/foo/organizations/_acl', '/organizations/foo/nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
509
+ end
510
+
511
+ it 'chef_acl "/users/x" changes the acl' do
512
+ expect {
513
+ run_recipe do
514
+ chef_acl '/users/x' do
515
+ rights :read, :users => 'u'
516
+ end
517
+ end
518
+ }.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
519
+ end
520
+
521
+ it 'chef_acl "/users/*" changes the acl' do
522
+ expect {
523
+ run_recipe do
524
+ chef_acl '/users/*' do
525
+ rights :read, :users => 'u'
526
+ end
527
+ end
528
+ }.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
529
+ end
530
+
531
+ it 'chef_acl "/*/x" changes the acl' do
532
+ expect {
533
+ run_recipe do
534
+ chef_acl '/*/x' do
535
+ rights :read, :users => 'u'
536
+ end
537
+ end
538
+ }.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
539
+ end
540
+
541
+ it 'chef_acl "/*/*" changes the acl' do
542
+ expect {
543
+ run_recipe do
544
+ chef_acl '/*/*' do
545
+ rights :read, :users => 'u'
546
+ end
547
+ end
548
+ }.to update_acls([ '/organizations/foo/organizations/_acl', '/users/x/_acl' ],
549
+ 'read' => { 'actors' => %w(u) })
550
+ end
551
+ end
552
+ end
553
+
554
+ context 'and the chef server URL points at /organizations/bar' do
555
+ before :each do
556
+ Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/organizations/bar').to_s
557
+ end
558
+
559
+ it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
560
+ expect {
561
+ run_recipe do
562
+ chef_acl "/organizations/foo/nodes/*" do
563
+ rights :read, :users => 'u'
564
+ end
565
+ end
566
+ }.to update_acls("/organizations/foo/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
567
+ expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
568
+ end
569
+ end
570
+
571
+ context 'and the chef server URL points at /' do
572
+ before :each do
573
+ Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/').to_s
574
+ end
575
+
576
+ it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
577
+ expect {
578
+ run_recipe do
579
+ chef_acl "/organizations/foo/nodes/*" do
580
+ rights :read, :users => 'u'
581
+ end
582
+ end
583
+ }.to update_acls("/organizations/foo/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
584
+ expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
585
+ end
586
+ end
587
+ end
588
+
589
+ when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
590
+ user 'u', {}
591
+ client 'x', {}
592
+ container 'x', {}
593
+ cookbook 'x', '1.0.0', {}
594
+ data_bag 'x', { 'y' => {} }
595
+ environment 'x', {}
596
+ group 'x', {}
597
+ node 'x', {}
598
+ role 'x', {}
599
+ sandbox 'x', {}
600
+ user 'x', {}
601
+
602
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
603
+ it "chef_acl #{type}/x' changes the acl" do
604
+ expect {
605
+ run_recipe do
606
+ chef_acl "#{type}/x" do
607
+ rights :read, :users => 'u'
608
+ end
609
+ end
610
+ }.to update_acls("#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
611
+ end
612
+ end
613
+
614
+ %w(clients containers cookbooks data environments groups nodes roles).each do |type|
615
+ it "chef_acl '#{type}/*' changes the acl" do
616
+ expect {
617
+ run_recipe do
618
+ chef_acl "#{type}/*" do
619
+ rights :read, :users => 'u'
620
+ end
621
+ end
622
+ }.to update_acls("#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
623
+ end
624
+ end
625
+
626
+ it "chef_acl '*/x' changes the acls" do
627
+ expect {
628
+ run_recipe do
629
+ chef_acl "*/x" do
630
+ rights :read, :users => 'u'
631
+ end
632
+ end
633
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "#{type}/x/_acl" },
634
+ 'read' => { 'actors' => %w(u) })
635
+ end
636
+
637
+ it "chef_acl '*/*' changes the acls" do
638
+ expect {
639
+ run_recipe do
640
+ chef_acl "*/*" do
641
+ rights :read, :users => 'u'
642
+ end
643
+ end
644
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "#{type}/x/_acl" },
645
+ 'read' => { 'actors' => %w(u) })
646
+ end
647
+
648
+ it "chef_acl 'groups/*' changes the acl" do
649
+ expect {
650
+ run_recipe do
651
+ chef_acl "groups/*" do
652
+ rights :read, :users => 'u'
653
+ end
654
+ end
655
+ }.to update_acls(%w(admins billing-admins clients users x).map { |n| "groups/#{n}/_acl" },
656
+ 'read' => { 'actors' => %w(u) })
657
+ end
658
+
659
+ it 'chef_acl "data_bags/x" changes the acl' do
660
+ expect {
661
+ run_recipe do
662
+ chef_acl 'data_bags/x' do
663
+ rights :read, :users => 'u'
664
+ end
665
+ end
666
+ }.to update_acls('data/x/_acl', 'read' => { 'actors' => %w(u) })
667
+ end
668
+
669
+ it 'chef_acl "data_bags/*" changes the acl' do
670
+ expect {
671
+ run_recipe do
672
+ chef_acl 'data_bags/*' do
673
+ rights :read, :users => 'u'
674
+ end
675
+ end
676
+ }.to update_acls('data/x/_acl', 'read' => { 'actors' => %w(u) })
677
+ end
678
+
679
+ it 'chef_acl "" changes the organization acl' do
680
+ expect {
681
+ run_recipe do
682
+ chef_acl '' do
683
+ rights :read, :users => 'u'
684
+ end
685
+ end
686
+ }.to update_acls([ '/organizations/_acl', 'nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
687
+ end
688
+ end
689
+ end
690
+
691
+ context 'ACLs on each container type' do
692
+ when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
693
+ organization 'foo' do
694
+ user 'u', {}
695
+ client 'x', {}
696
+ container 'x', {}
697
+ cookbook 'x', '1.0.0', {}
698
+ data_bag 'x', { 'y' => {} }
699
+ environment 'x', {}
700
+ group 'x', {}
701
+ node 'x', {}
702
+ role 'x', {}
703
+ sandbox 'x', {}
704
+ user 'x', {}
705
+ end
706
+
707
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
708
+ it "chef_acl '/organizations/foo/#{type}' changes the acl" do
709
+ expect {
710
+ run_recipe do
711
+ chef_acl "/organizations/foo/#{type}" do
712
+ rights :read, :users => 'u'
713
+ end
714
+ end
715
+ }.to update_acls("/organizations/foo/containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
716
+ end
717
+ end
718
+
719
+ %w(clients containers cookbooks data environments groups nodes roles).each do |type|
720
+ it "chef_acl '/*/*/#{type}' changes the acl" do
721
+ expect {
722
+ run_recipe do
723
+ chef_acl "/*/*/#{type}" do
724
+ rights :read, :users => 'u'
725
+ end
726
+ end
727
+ }.to update_acls("/organizations/foo/containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
728
+ end
729
+ end
730
+
731
+ it "chef_acl '/*/*/*' changes the acls" do
732
+ expect {
733
+ run_recipe do
734
+ chef_acl "/*/*/*" do
735
+ rights :read, :users => 'u'
736
+ end
737
+ end
738
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "/organizations/foo/containers/#{type}/_acl" },
739
+ 'read' => { 'actors' => %w(u) })
740
+ end
741
+
742
+ it 'chef_acl "/organizations/foo/data_bags" changes the acl' do
743
+ expect {
744
+ run_recipe do
745
+ chef_acl '/organizations/foo/data_bags' do
746
+ rights :read, :users => 'u'
747
+ end
748
+ end
749
+ }.to update_acls('/organizations/foo/containers/data/_acl', 'read' => { 'actors' => %w(u) })
750
+ end
751
+
752
+ it 'chef_acl "/*/*/data_bags" changes the acl' do
753
+ expect {
754
+ run_recipe do
755
+ chef_acl '/*/*/data_bags' do
756
+ rights :read, :users => 'u'
757
+ end
758
+ end
759
+ }.to update_acls('/organizations/foo/containers/data/_acl', 'read' => { 'actors' => %w(u) })
760
+ end
761
+ end
762
+
763
+ when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
764
+ user 'u', {}
765
+ client 'x', {}
766
+ container 'x', {}
767
+ cookbook 'x', '1.0.0', {}
768
+ data_bag 'x', { 'y' => {} }
769
+ environment 'x', {}
770
+ group 'x', {}
771
+ node 'x', {}
772
+ role 'x', {}
773
+ sandbox 'x', {}
774
+ user 'x', {}
775
+
776
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
777
+ it "chef_acl #{type}' changes the acl" do
778
+ expect {
779
+ run_recipe do
780
+ chef_acl "#{type}" do
781
+ rights :read, :users => 'u'
782
+ end
783
+ end
784
+ }.to update_acls("containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
785
+ end
786
+ end
787
+
788
+ it "chef_acl '*' changes the acls" do
789
+ expect {
790
+ run_recipe do
791
+ chef_acl "*" do
792
+ rights :read, :users => 'u'
793
+ end
794
+ end
795
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "containers/#{type}/_acl" },
796
+ 'read' => { 'actors' => %w(u) })
797
+ end
798
+ end
799
+ end
800
+
801
+ context 'remove_rights' do
802
+ when_the_chef_server 'has a node "x" with "u", "c" and "g" in its acl', :osc_compat => false do
803
+ user 'u', {}
804
+ user 'u2', {}
805
+ client 'c', {}
806
+ client 'c2', {}
807
+ group 'g', {}
808
+ group 'g2', {}
809
+ node 'x', {} do
810
+ acl 'create' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
811
+ 'read' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
812
+ 'update' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] }
813
+ end
814
+
815
+ it 'chef_acl with remove_rights "u" removes the user\'s rights' do
816
+ expect {
817
+ run_recipe do
818
+ chef_acl "nodes/x" do
819
+ remove_rights :read, :users => 'u'
820
+ end
821
+ end
822
+ }.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(-u) })
823
+ end
824
+
825
+ it 'chef_acl with remove_rights "c" removes the client\'s rights' do
826
+ expect {
827
+ run_recipe do
828
+ chef_acl "nodes/x" do
829
+ remove_rights :read, :clients => 'c'
830
+ end
831
+ end
832
+ }.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(-c) })
833
+ end
834
+
835
+ it 'chef_acl with remove_rights "g" removes the group\'s rights' do
836
+ expect {
837
+ run_recipe do
838
+ chef_acl "nodes/x" do
839
+ remove_rights :read, :groups => 'g'
840
+ end
841
+ end
842
+ }.to update_acls("nodes/x/_acl", 'read' => { 'groups' => %w(-g) })
843
+ end
844
+
845
+ it 'chef_acl with remove_rights [ :create, :read ], "u", "c", "g" removes all three' do
846
+ expect {
847
+ run_recipe do
848
+ chef_acl "nodes/x" do
849
+ remove_rights [ :create, :read ], :users => 'u', :clients => 'c', :groups => 'g'
850
+ end
851
+ end
852
+ }.to update_acls("nodes/x/_acl", 'create' => { 'actors' => %w(-u -c), 'groups' => %w(-g) }, 'read' => { 'actors' => %w(-u -c), 'groups' => %w(-g) })
853
+ end
854
+
855
+ it 'chef_acl with remove_rights "u2", "c2", "g2" has no effect' do
856
+ expect {
857
+ run_recipe do
858
+ chef_acl "nodes/x" do
859
+ remove_rights :read, :users => 'u2', :clients => 'c2', :groups => 'g2'
860
+ end
861
+ end
862
+ }.to update_acls("nodes/x/_acl", {})
863
+ end
864
+ end
865
+ end
866
+
867
+ when_the_chef_server 'has a node named data_bags', :osc_compat => false do
868
+ user 'blarghle', {}
869
+ node 'data_bags', {}
870
+
871
+ it 'Converging chef_acl "nodes/data_bags" with user "blarghle" adds the user' do
872
+ expect {
873
+ run_recipe do
874
+ chef_acl 'nodes/data_bags' do
875
+ rights :read, :users => 'blarghle'
876
+ end
877
+ end
878
+ }.to update_acls('nodes/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
879
+ end
880
+ end
881
+
882
+ when_the_chef_server 'has a node named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
883
+ user 'blarghle', {}
884
+ organization 'foo' do
885
+ node 'data_bags', {}
886
+ end
887
+
888
+ it 'Converging chef_acl "/organizations/foo/nodes/data_bags" with user "blarghle" adds the user' do
889
+ expect {
890
+ run_recipe do
891
+ chef_acl '/organizations/foo/nodes/data_bags' do
892
+ rights :read, :users => 'blarghle'
893
+ end
894
+ end
895
+ }.to update_acls('/organizations/foo/nodes/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
896
+ end
897
+ end
898
+
899
+ when_the_chef_server 'has a user named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
900
+ user 'data_bags', {}
901
+ user 'blarghle', {}
902
+
903
+ it 'Converging chef_acl "/users/data_bags" with user "blarghle" adds the user' do
904
+ expect {
905
+ run_recipe do
906
+ chef_acl '/users/data_bags' do
907
+ rights :read, :users => 'blarghle'
908
+ end
909
+ end
910
+ }.to update_acls('/users/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
911
+ end
912
+ end
913
+ end
914
+ end
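Review bot: The cross-organization checks at file lines 567 and 584, `expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", ...)`, wrap an empty block that runs after the recipe has already converged. If `update_acls` compares ACL state before and after the block (the matcher lives in spec_support, outside this hunk), these assertions can never fail, so nothing here proves that a grant on org `foo` leaves org `bar` untouched. Attach the negative expectation to the converge itself, e.g. `expect { run_recipe { chef_acl "/organizations/foo/nodes/*" do rights :read, :users => 'u' end } }.not_to update_acls("/organizations/bar/nodes/x/_acl", 'read' => { 'actors' => %w(u) })`, or read bar's ACL before and after and compare explicitly. Separately, the context 'and a client "blarghle"' (file line 91) sets up `user 'blarghle', {}` rather than `client 'blarghle', {}`, so the `:clients` path is only exercised against a user actor. The `%w(...).each` block at file lines 383–393 is a verbatim duplicate of 371–381 and can be dropped.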