cheffish 0.7.1 → 0.8
- checksums.yaml +4 -4
- data/lib/chef/provider/chef_acl.rb +434 -0
- data/lib/chef/provider/chef_client.rb +5 -1
- data/lib/chef/provider/chef_container.rb +50 -0
- data/lib/chef/provider/chef_group.rb +78 -0
- data/lib/chef/provider/chef_mirror.rb +138 -0
- data/lib/chef/provider/chef_organization.rb +150 -0
- data/lib/chef/provider/chef_user.rb +6 -1
- data/lib/chef/provider/public_key.rb +0 -1
- data/lib/chef/resource/chef_acl.rb +38 -44
- data/lib/chef/resource/chef_container.rb +18 -0
- data/lib/chef/resource/chef_group.rb +49 -0
- data/lib/chef/resource/chef_mirror.rb +47 -0
- data/lib/chef/resource/chef_organization.rb +64 -0
- data/lib/chef/resource/private_key.rb +6 -1
- data/lib/chef/resource/public_key.rb +5 -0
- data/lib/cheffish/actor_provider_base.rb +14 -9
- data/lib/cheffish/basic_chef_client.rb +18 -2
- data/lib/cheffish/chef_provider_base.rb +7 -0
- data/lib/cheffish/merged_config.rb +10 -2
- data/lib/cheffish/recipe_dsl.rb +34 -8
- data/lib/cheffish/server_api.rb +12 -2
- data/lib/cheffish/version.rb +1 -1
- data/lib/cheffish.rb +2 -2
- data/spec/functional/merged_config_spec.rb +20 -0
- data/spec/integration/chef_acl_spec.rb +914 -0
- data/spec/integration/chef_client_spec.rb +78 -44
- data/spec/integration/chef_container_spec.rb +34 -0
- data/spec/integration/chef_group_spec.rb +324 -0
- data/spec/integration/chef_mirror_spec.rb +244 -0
- data/spec/integration/chef_node_spec.rb +115 -93
- data/spec/integration/chef_organization_spec.rb +244 -0
- data/spec/integration/chef_user_spec.rb +51 -9
- data/spec/support/repository_support.rb +103 -0
- data/spec/support/spec_support.rb +55 -2
- metadata +23 -9
- data/lib/chef/resource/in_parallel.rb +0 -6
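--- a/data/spec/integration/chef_acl_spec.rb
+++ b/data/spec/integration/chef_acl_spec.rb
@@ -0,0 +1,914 @@
+require 'support/spec_support'
+require 'chef/resource/chef_acl'
+require 'chef/provider/chef_acl'
+require 'chef_zero/version'
+require 'uri'
+
+if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new('3.1')
+describe Chef::Resource::ChefAcl do
+extend SpecSupport
+
+context "Rights attributes" do
+when_the_chef_server 'has a node named x', :osc_compat => false do
+node 'x', {}
+
+it 'Converging chef_acl "nodes/x" changes nothing' do
+expect {
+run_recipe do
+chef_acl 'nodes/x'
+end
+}.to update_acls('nodes/x/_acl', {})
+end
+
+it 'Converging chef_acl "nodes/x" with "complete true" and no rights raises an error' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+complete true
+end
+end
+}.to raise_error(RuntimeError)
+end
+
+it 'Removing all :grant rights from a node raises an error' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+remove_rights :grant, :users => 'pivotal', :groups => %w(admins users clients)
+end
+end
+}.to raise_error(RuntimeError)
+end
+
+context 'and a user "blarghle"' do
+user 'blarghle', {}
+
+it 'Converging chef_acl "nodes/x" with user "blarghle" adds the user' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :read, :users => 'blarghle'
+end
+end
+}.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
+end
+
+it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :grant, :users => 'blarghle'
+complete true
+end
+end
+}.to update_acls('nodes/x/_acl', {
+"create"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users", "-clients"]},
+"read" =>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users", "-clients"]},
+"update"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users"]},
+"delete"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users"]},
+"grant" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins"]}
+})
+end
+end
+
+it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified in :all' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :all, :users => 'blarghle'
+complete true
+end
+end
+}.to update_acls('nodes/x/_acl', {
+"create"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users", "-clients"]},
+"read" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users", "-clients"]},
+"update"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users"]},
+"delete"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users"]},
+"grant" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins"]}
+})
+end
+
+context 'and a client "blarghle"' do
+user 'blarghle', {}
+
+it 'Converging chef_acl "nodes/x" with client "blarghle" adds the client' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :read, :clients => 'blarghle'
+end
+end
+}.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
+end
+end
+
+context 'and a group "blarghle"' do
+group 'blarghle', {}
+
+it 'Converging chef_acl "nodes/x" with group "blarghle" adds the group' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :read, :groups => 'blarghle'
+end
+end
+}.to update_acls('nodes/x/_acl', 'read' => { 'groups' => %w(blarghle) })
+end
+end
+
+context 'and multiple users and groups' do
+user 'u1', {}
+user 'u2', {}
+user 'u3', {}
+client 'c1', {}
+client 'c2', {}
+client 'c3', {}
+group 'g1', {}
+group 'g2', {}
+group 'g3', {}
+
+it 'Converging chef_acl "nodes/x" with multiple groups, users and clients in an acl makes the appropriate changes' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :create, :users => [ 'u1', 'u2', 'u3' ], :clients => [ 'c1', 'c2', 'c3' ], :groups => [ 'g1', 'g2', 'g3' ]
+end
+end
+}.to update_acls('nodes/x/_acl',
+'create' => { 'groups' => %w(g1 g2 g3), 'actors' => %w(u1 u2 u3 c1 c2 c3) }
+)
+end
+
+it 'Converging chef_acl "nodes/x" with multiple groups, users and clients across multiple "rights" groups makes the appropriate changes' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :create, :users => %w(u1), :clients => 'c1', :groups => 'g1'
+rights :create, :users => %w(u2 u3), :clients => %w(c2 c3), :groups => 'g2'
+rights :read, :users => 'u1'
+rights :read, :groups => 'g1'
+end
+end
+}.to update_acls('nodes/x/_acl',
+'create' => { 'groups' => %w(g1 g2), 'actors' => %w(u1 u2 u3 c1 c2 c3) },
+'read' => { 'groups' => %w(g1), 'actors' => %w(u1) }
+)
+end
+
+it 'Converging chef_acl "nodes/x" with rights [ :read, :create, :update, :delete, :grant ] modifies all rights' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights [ :create, :read, :update, :delete, :grant ], :users => %w(u1 u2), :clients => 'c1', :groups => 'g1'
+end
+end
+}.to update_acls('nodes/x/_acl',
+'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+)
+end
+
+it 'Converging chef_acl "nodes/x" with rights :all modifies all rights' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :all, :users => %w(u1 u2), :clients => 'c1', :groups => 'g1'
+end
+end
+}.to update_acls('nodes/x/_acl',
+'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
+)
+end
+end
+
+it 'Converging chef_acl "nodes/y" throws a 404' do
+expect {
+run_recipe do
+chef_acl 'nodes/y'
+end
+}.to raise_error(Net::HTTPServerException)
+end
+end
+
+when_the_chef_server 'has a node named x with user blarghle in its acl', :osc_compat => false do
+user 'blarghle', {}
+node 'x', {} do
+acl 'read' => { 'actors' => %w(blarghle) }
+end
+
+it 'Converging chef_acl "nodes/x" with that user changes nothing' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+rights :read, :users => 'blarghle'
+end
+end
+}.to update_acls('nodes/x/_acl', {})
+end
+end
+
+when_the_chef_server 'has a node named x with users foo and bar in all its acls', :osc_compat => false do
+user 'foo', {}
+user 'bar', {}
+node 'x', {} do
+acl 'create' => { 'actors' => %w(foo bar) },
+'read' => { 'actors' => %w(foo bar) },
+'update' => { 'actors' => %w(foo bar) },
+'delete' => { 'actors' => %w(foo bar) },
+'grant' => { 'actors' => %w(foo bar) }
+end
+
+it 'Converging chef_acl "nodes/x" with remove_rights :all removes foo from everything' do
+expect {
+run_recipe do
+chef_acl 'nodes/x' do
+remove_rights :all, :users => 'foo'
+end
+end
+}.to update_acls('nodes/x/_acl',
+'create' => { 'actors' => %w(-foo) },
+'read' => { 'actors' => %w(-foo) },
+'update' => { 'actors' => %w(-foo) },
+'delete' => { 'actors' => %w(-foo) },
+'grant' => { 'actors' => %w(-foo) },
+)
+end
+end
+
+context 'recursive' do
+when_the_chef_server 'has a nodes container with user blarghle in its acl', :osc_compat => false do
+user 'blarghle', {}
+acl_for 'containers/nodes', 'read' => { 'actors' => %w(blarghle) }
+node 'x', {} do
+acl 'read' => { 'actors' => [] }
+end
+
+it 'Converging chef_acl "nodes" makes no changes' do
+expect {
+run_recipe do
+chef_acl 'nodes' do
+rights :read, :users => 'blarghle'
+end
+end
+}.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
+end
+
+it 'Converging chef_acl "nodes" with recursive :on_change makes no changes' do
+expect {
+run_recipe do
+chef_acl 'nodes' do
+rights :read, :users => 'blarghle'
+recursive :on_change
+end
+end
+}.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
+end
+
+it 'Converging chef_acl "nodes" with recursive true changes nodes/x\'s acls' do
+expect {
+run_recipe do
+chef_acl 'nodes' do
+rights :read, :users => 'blarghle'
+recursive true
+end
+end
+}.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
+end
+
+it 'Converging chef_acl "" with recursive false does not change nodes/x\'s acls' do
+expect {
+run_recipe do
+chef_acl '' do
+rights :read, :users => 'blarghle'
+recursive false
+end
+end
+}.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
+end
+
+it 'Converging chef_acl "" with recursive :on_change does not change nodes/x\'s acls' do
+expect {
+run_recipe do
+chef_acl '' do
+rights :read, :users => 'blarghle'
+recursive :on_change
+end
+end
+}.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
+end
+
+it 'Converging chef_acl "" with recursive true changes nodes/x\'s acls' do
+expect {
+run_recipe do
+chef_acl '' do
+rights :read, :users => 'blarghle'
+recursive true
+end
+end
+}.to update_acls([ '/organizations/_acl', 'nodes/x/_acl' ], 'read' => { 'actors' => %w(blarghle) })
+end
+end
+end
+end
+
+context 'ACLs on each type of thing' do
+when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
+organization 'foo' do
+user 'u', {}
+client 'x', {}
+container 'x', {}
+cookbook 'x', '1.0.0', {}
+data_bag 'x', { 'y' => {} }
+environment 'x', {}
+group 'x', {}
+node 'x', {}
+role 'x', {}
+sandbox 'x', {}
+user 'x', {}
+end
+
+organization 'bar' do
+user 'u', {}
+node 'x', {}
+end
+
+context 'and the chef server URL points at /organizations/foo' do
+before :each do
+Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, '/organizations/foo').to_s
+end
+
+context 'relative paths' do
+it "chef_acl 'nodes/x' changes the acls" do
+expect {
+run_recipe do
+chef_acl "nodes/x" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+
+it "chef_acl '*/*' changes the acls" do
+expect {
+run_recipe do
+chef_acl "*/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "/organizations/foo/#{type}/x/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+end
+
+context 'absolute paths' do
+%w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
+expect {
+run_recipe do
+chef_acl "/organizations/foo/#{type}/x" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+%w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
+expect {
+run_recipe do
+chef_acl "/organizations/foo/#{type}/x" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+%w(clients containers cookbooks data environments groups nodes roles).each do |type|
+it "chef_acl '/*/*/#{type}/*' changes the acl" do
+expect {
+run_recipe do
+chef_acl "/*/*/#{type}/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+it "chef_acl '/*/*/*/x' changes the acls" do
+expect {
+run_recipe do
+chef_acl "/*/*/*/x" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "/organizations/foo/#{type}/x/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+
+it "chef_acl '/*/*/*/*' changes the acls" do
+expect {
+run_recipe do
+chef_acl "/*/*/*/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "/organizations/foo/#{type}/x/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/organizations/foo/data_bags/x" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/organizations/foo/data_bags/x' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('/organizations/foo/data/x/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/*/*/data_bags/*" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/*/*/data_bags/*' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('/organizations/foo/data/x/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it "chef_acl '/organizations/foo/cookbooks/x/1.0.0' raises an error" do
+expect {
+run_recipe do
+chef_acl "/organizations/foo/cookbooks/x/1.0.0" do
+rights :read, :users => 'u'
+end
+end
+}.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/x/)
+end
+
+it "chef_acl '/organizations/foo/cookbooks/*/*' raises an error" do
+pending
+expect {
+run_recipe do
+chef_acl "/organizations/foo/cookbooks/*/*" do
+rights :read, :users => 'u'
+end
+end
+}.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/*/)
+end
+
+it 'chef_acl "/organizations/foo/data/x/y" raises an error' do
+expect {
+run_recipe do
+chef_acl '/organizations/foo/data/x/y' do
+rights :read, :users => 'u'
+end
+end
+}.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/x/)
+end
+
+it 'chef_acl "/organizations/foo/data/*/*" raises an error' do
+pending
+expect {
+run_recipe do
+chef_acl '/organizations/foo/data/*/*' do
+rights :read, :users => 'u'
+end
+end
+}.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/*/)
+end
+
+it 'chef_acl "/organizations/foo" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/organizations/foo' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls([ '/organizations/foo/organizations/_acl', '/organizations/foo/nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/organizations/*" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/organizations/*' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls([ '/organizations/foo/organizations/_acl', '/organizations/foo/nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/users/x" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/users/x' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/users/*" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/users/*' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/*/x" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/*/x' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/*/*" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/*/*' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls([ '/organizations/foo/organizations/_acl', '/users/x/_acl' ],
+'read' => { 'actors' => %w(u) })
+end
+end
+end
+
+context 'and the chef server URL points at /organizations/bar' do
+before :each do
+Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/organizations/bar').to_s
+end
+
+it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
+expect {
+run_recipe do
+chef_acl "/organizations/foo/nodes/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("/organizations/foo/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
+expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+context 'and the chef server URL points at /' do
+before :each do
+Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/').to_s
+end
+
+it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
+expect {
+run_recipe do
+chef_acl "/organizations/foo/nodes/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("/organizations/foo/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
+expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+end
+
+when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
+user 'u', {}
+client 'x', {}
+container 'x', {}
+cookbook 'x', '1.0.0', {}
+data_bag 'x', { 'y' => {} }
+environment 'x', {}
+group 'x', {}
+node 'x', {}
+role 'x', {}
+sandbox 'x', {}
+user 'x', {}
+
+%w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+it "chef_acl #{type}/x' changes the acl" do
+expect {
+run_recipe do
+chef_acl "#{type}/x" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+%w(clients containers cookbooks data environments groups nodes roles).each do |type|
+it "chef_acl '#{type}/*' changes the acl" do
+expect {
+run_recipe do
+chef_acl "#{type}/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+it "chef_acl '*/x' changes the acls" do
+expect {
+run_recipe do
+chef_acl "*/x" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "#{type}/x/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+
+it "chef_acl '*/*' changes the acls" do
+expect {
+run_recipe do
+chef_acl "*/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "#{type}/x/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+
+it "chef_acl 'groups/*' changes the acl" do
+expect {
+run_recipe do
+chef_acl "groups/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(admins billing-admins clients users x).map { |n| "groups/#{n}/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "data_bags/x" changes the acl' do
+expect {
+run_recipe do
+chef_acl 'data_bags/x' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('data/x/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "data_bags/*" changes the acl' do
+expect {
+run_recipe do
+chef_acl 'data_bags/*' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('data/x/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "" changes the organization acl' do
+expect {
+run_recipe do
+chef_acl '' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls([ '/organizations/_acl', 'nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
+end
+end
+end
+
+context 'ACLs on each container type' do
+when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
+organization 'foo' do
+user 'u', {}
+client 'x', {}
+container 'x', {}
+cookbook 'x', '1.0.0', {}
+data_bag 'x', { 'y' => {} }
+environment 'x', {}
+group 'x', {}
+node 'x', {}
+role 'x', {}
+sandbox 'x', {}
+user 'x', {}
+end
+
+%w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+it "chef_acl '/organizations/foo/#{type}' changes the acl" do
+expect {
+run_recipe do
+chef_acl "/organizations/foo/#{type}" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("/organizations/foo/containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+%w(clients containers cookbooks data environments groups nodes roles).each do |type|
+it "chef_acl '/*/*/#{type}' changes the acl" do
+expect {
+run_recipe do
+chef_acl "/*/*/#{type}" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("/organizations/foo/containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+it "chef_acl '/*/*/*' changes the acls" do
+expect {
+run_recipe do
+chef_acl "/*/*/*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "/organizations/foo/containers/#{type}/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/organizations/foo/data_bags" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/organizations/foo/data_bags' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('/organizations/foo/containers/data/_acl', 'read' => { 'actors' => %w(u) })
+end
+
+it 'chef_acl "/*/*/data_bags" changes the acl' do
+expect {
+run_recipe do
+chef_acl '/*/*/data_bags' do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls('/organizations/foo/containers/data/_acl', 'read' => { 'actors' => %w(u) })
+end
+end
+
+when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
+user 'u', {}
+client 'x', {}
+container 'x', {}
+cookbook 'x', '1.0.0', {}
+data_bag 'x', { 'y' => {} }
+environment 'x', {}
+group 'x', {}
+node 'x', {}
+role 'x', {}
+sandbox 'x', {}
+user 'x', {}
+
+%w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
+it "chef_acl #{type}' changes the acl" do
+expect {
+run_recipe do
+chef_acl "#{type}" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls("containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
+end
+end
+
+it "chef_acl '*' changes the acls" do
+expect {
+run_recipe do
+chef_acl "*" do
+rights :read, :users => 'u'
+end
+end
+}.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "containers/#{type}/_acl" },
+'read' => { 'actors' => %w(u) })
+end
+end
+end
+
+context 'remove_rights' do
+when_the_chef_server 'has a node "x" with "u", "c" and "g" in its acl', :osc_compat => false do
+user 'u', {}
+user 'u2', {}
+client 'c', {}
+client 'c2', {}
+group 'g', {}
+group 'g2', {}
+node 'x', {} do
+acl 'create' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
+'read' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
+'update' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] }
+end
+
+it 'chef_acl with remove_rights "u" removes the user\'s rights' do
+expect {
+run_recipe do
+chef_acl "nodes/x" do
+remove_rights :read, :users => 'u'
+end
+end
+}.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(-u) })
+end
+
+it 'chef_acl with remove_rights "c" removes the client\'s rights' do
+expect {
+run_recipe do
+chef_acl "nodes/x" do
+remove_rights :read, :clients => 'c'
+end
+end
+}.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(-c) })
+end
+
+it 'chef_acl with remove_rights "g" removes the group\'s rights' do
+expect {
+run_recipe do
+chef_acl "nodes/x" do
+remove_rights :read, :groups => 'g'
+end
+end
+}.to update_acls("nodes/x/_acl", 'read' => { 'groups' => %w(-g) })
+end
+
+it 'chef_acl with remove_rights [ :create, :read ], "u", "c", "g" removes all three' do
+expect {
+run_recipe do
+chef_acl "nodes/x" do
+remove_rights [ :create, :read ], :users => 'u', :clients => 'c', :groups => 'g'
+end
+end
+}.to update_acls("nodes/x/_acl", 'create' => { 'actors' => %w(-u -c), 'groups' => %w(-g) }, 'read' => { 'actors' => %w(-u -c), 'groups' => %w(-g) })
+end
+
+it 'chef_acl with remove_rights "u2", "c2", "g2" has no effect' do
+expect {
+run_recipe do
+chef_acl "nodes/x" do
+remove_rights :read, :users => 'u2', :clients => 'c2', :groups => 'g2'
+end
+end
+}.to update_acls("nodes/x/_acl", {})
+end
+end
+end
+
+when_the_chef_server 'has a node named data_bags', :osc_compat => false do
+user 'blarghle', {}
+node 'data_bags', {}
+
+it 'Converging chef_acl "nodes/data_bags" with user "blarghle" adds the user' do
+expect {
+run_recipe do
+chef_acl 'nodes/data_bags' do
+rights :read, :users => 'blarghle'
+end
+end
+}.to update_acls('nodes/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
+end
+end
+
+when_the_chef_server 'has a node named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
+user 'blarghle', {}
+organization 'foo' do
+node 'data_bags', {}
+end
+
+it 'Converging chef_acl "/organizations/foo/nodes/data_bags" with user "blarghle" adds the user' do
+expect {
+run_recipe do
+chef_acl '/organizations/foo/nodes/data_bags' do
+rights :read, :users => 'blarghle'
+end
+end
+}.to update_acls('/organizations/foo/nodes/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
+end
+end
+
+when_the_chef_server 'has a user named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
+user 'data_bags', {}
+user 'blarghle', {}
+
+it 'Converging chef_acl "/users/data_bags" with user "blarghle" adds the user' do
+expect {
+run_recipe do
+chef_acl '/users/data_bags' do
+rights :read, :users => 'blarghle'
+end
+end
+}.to update_acls('/users/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
+end
+end
+end
+end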
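Review bot: The cross-organization check `expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", ...)` at new-file lines 567 and 584 wraps an empty block, so nothing runs inside it and the assertion cannot observe the recipe, which has already converged in the preceding `expect`. As written, these two examples do not demonstrate that granting `read` on `/organizations/foo/nodes/*` leaves organization bar's node ACL untouched, which is the isolation property they appear to be there for. Assuming `update_acls` (defined in spec_support, not shown here) compares ACL state around the block, nest the convergence inside the negative expectation: `expect { expect { run_recipe do ... end }.to update_acls("/organizations/foo/nodes/x/_acl", ...) }.not_to update_acls("/organizations/bar/nodes/x/_acl", ...)`. Separately, the context 'and a client "blarghle"' (line 92) sets up `user 'blarghle', {}` rather than `client 'blarghle', {}`, so the `:clients =>` path is never exercised against an actual client.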