cheffish 0.7.1 → 0.8

Files changed (37)
  1. checksums.yaml +4 -4
  2. data/lib/chef/provider/chef_acl.rb +434 -0
  3. data/lib/chef/provider/chef_client.rb +5 -1
  4. data/lib/chef/provider/chef_container.rb +50 -0
  5. data/lib/chef/provider/chef_group.rb +78 -0
  6. data/lib/chef/provider/chef_mirror.rb +138 -0
  7. data/lib/chef/provider/chef_organization.rb +150 -0
  8. data/lib/chef/provider/chef_user.rb +6 -1
  9. data/lib/chef/provider/public_key.rb +0 -1
  10. data/lib/chef/resource/chef_acl.rb +38 -44
  11. data/lib/chef/resource/chef_container.rb +18 -0
  12. data/lib/chef/resource/chef_group.rb +49 -0
  13. data/lib/chef/resource/chef_mirror.rb +47 -0
  14. data/lib/chef/resource/chef_organization.rb +64 -0
  15. data/lib/chef/resource/private_key.rb +6 -1
  16. data/lib/chef/resource/public_key.rb +5 -0
  17. data/lib/cheffish/actor_provider_base.rb +14 -9
  18. data/lib/cheffish/basic_chef_client.rb +18 -2
  19. data/lib/cheffish/chef_provider_base.rb +7 -0
  20. data/lib/cheffish/merged_config.rb +10 -2
  21. data/lib/cheffish/recipe_dsl.rb +34 -8
  22. data/lib/cheffish/server_api.rb +12 -2
  23. data/lib/cheffish/version.rb +1 -1
  24. data/lib/cheffish.rb +2 -2
  25. data/spec/functional/merged_config_spec.rb +20 -0
  26. data/spec/integration/chef_acl_spec.rb +914 -0
  27. data/spec/integration/chef_client_spec.rb +78 -44
  28. data/spec/integration/chef_container_spec.rb +34 -0
  29. data/spec/integration/chef_group_spec.rb +324 -0
  30. data/spec/integration/chef_mirror_spec.rb +244 -0
  31. data/spec/integration/chef_node_spec.rb +115 -93
  32. data/spec/integration/chef_organization_spec.rb +244 -0
  33. data/spec/integration/chef_user_spec.rb +51 -9
  34. data/spec/support/repository_support.rb +103 -0
  35. data/spec/support/spec_support.rb +55 -2
  36. metadata +23 -9
  37. data/lib/chef/resource/in_parallel.rb +0 -6
@@ -0,0 +1,914 @@
1
+ require 'support/spec_support'
2
+ require 'chef/resource/chef_acl'
3
+ require 'chef/provider/chef_acl'
4
+ require 'chef_zero/version'
5
+ require 'uri'
6
+
7
+ if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new('3.1')
8
+ describe Chef::Resource::ChefAcl do
9
+ extend SpecSupport
10
+
11
+ context "Rights attributes" do
12
+ when_the_chef_server 'has a node named x', :osc_compat => false do
13
+ node 'x', {}
14
+
15
+ it 'Converging chef_acl "nodes/x" changes nothing' do
16
+ expect {
17
+ run_recipe do
18
+ chef_acl 'nodes/x'
19
+ end
20
+ }.to update_acls('nodes/x/_acl', {})
21
+ end
22
+
23
+ it 'Converging chef_acl "nodes/x" with "complete true" and no rights raises an error' do
24
+ expect {
25
+ run_recipe do
26
+ chef_acl 'nodes/x' do
27
+ complete true
28
+ end
29
+ end
30
+ }.to raise_error(RuntimeError)
31
+ end
32
+
33
+ it 'Removing all :grant rights from a node raises an error' do
34
+ expect {
35
+ run_recipe do
36
+ chef_acl 'nodes/x' do
37
+ remove_rights :grant, :users => 'pivotal', :groups => %w(admins users clients)
38
+ end
39
+ end
40
+ }.to raise_error(RuntimeError)
41
+ end
42
+
43
+ context 'and a user "blarghle"' do
44
+ user 'blarghle', {}
45
+
46
+ it 'Converging chef_acl "nodes/x" with user "blarghle" adds the user' do
47
+ expect {
48
+ run_recipe do
49
+ chef_acl 'nodes/x' do
50
+ rights :read, :users => 'blarghle'
51
+ end
52
+ end
53
+ }.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
54
+ end
55
+
56
+ it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified' do
57
+ expect {
58
+ run_recipe do
59
+ chef_acl 'nodes/x' do
60
+ rights :grant, :users => 'blarghle'
61
+ complete true
62
+ end
63
+ end
64
+ }.to update_acls('nodes/x/_acl', {
65
+ "create"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users", "-clients"]},
66
+ "read" =>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users", "-clients"]},
67
+ "update"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users"]},
68
+ "delete"=>{"actors"=>["-pivotal"], "groups"=>["-admins", "-users"]},
69
+ "grant" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins"]}
70
+ })
71
+ end
72
+ end
73
+
74
+ it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified in :all' do
75
+ expect {
76
+ run_recipe do
77
+ chef_acl 'nodes/x' do
78
+ rights :all, :users => 'blarghle'
79
+ complete true
80
+ end
81
+ end
82
+ }.to update_acls('nodes/x/_acl', {
83
+ "create"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users", "-clients"]},
84
+ "read" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users", "-clients"]},
85
+ "update"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users"]},
86
+ "delete"=>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins", "-users"]},
87
+ "grant" =>{"actors"=>["-pivotal", "blarghle"], "groups"=>["-admins"]}
88
+ })
89
+ end
90
+
91
+ context 'and a client "blarghle"' do
92
+ user 'blarghle', {}
93
+
94
+ it 'Converging chef_acl "nodes/x" with client "blarghle" adds the client' do
95
+ expect {
96
+ run_recipe do
97
+ chef_acl 'nodes/x' do
98
+ rights :read, :clients => 'blarghle'
99
+ end
100
+ end
101
+ }.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
102
+ end
103
+ end
104
+
105
+ context 'and a group "blarghle"' do
106
+ group 'blarghle', {}
107
+
108
+ it 'Converging chef_acl "nodes/x" with group "blarghle" adds the group' do
109
+ expect {
110
+ run_recipe do
111
+ chef_acl 'nodes/x' do
112
+ rights :read, :groups => 'blarghle'
113
+ end
114
+ end
115
+ }.to update_acls('nodes/x/_acl', 'read' => { 'groups' => %w(blarghle) })
116
+ end
117
+ end
118
+
119
+ context 'and multiple users and groups' do
120
+ user 'u1', {}
121
+ user 'u2', {}
122
+ user 'u3', {}
123
+ client 'c1', {}
124
+ client 'c2', {}
125
+ client 'c3', {}
126
+ group 'g1', {}
127
+ group 'g2', {}
128
+ group 'g3', {}
129
+
130
+ it 'Converging chef_acl "nodes/x" with multiple groups, users and clients in an acl makes the appropriate changes' do
131
+ expect {
132
+ run_recipe do
133
+ chef_acl 'nodes/x' do
134
+ rights :create, :users => [ 'u1', 'u2', 'u3' ], :clients => [ 'c1', 'c2', 'c3' ], :groups => [ 'g1', 'g2', 'g3' ]
135
+ end
136
+ end
137
+ }.to update_acls('nodes/x/_acl',
138
+ 'create' => { 'groups' => %w(g1 g2 g3), 'actors' => %w(u1 u2 u3 c1 c2 c3) }
139
+ )
140
+ end
141
+
142
+ it 'Converging chef_acl "nodes/x" with multiple groups, users and clients across multiple "rights" groups makes the appropriate changes' do
143
+ expect {
144
+ run_recipe do
145
+ chef_acl 'nodes/x' do
146
+ rights :create, :users => %w(u1), :clients => 'c1', :groups => 'g1'
147
+ rights :create, :users => %w(u2 u3), :clients => %w(c2 c3), :groups => 'g2'
148
+ rights :read, :users => 'u1'
149
+ rights :read, :groups => 'g1'
150
+ end
151
+ end
152
+ }.to update_acls('nodes/x/_acl',
153
+ 'create' => { 'groups' => %w(g1 g2), 'actors' => %w(u1 u2 u3 c1 c2 c3) },
154
+ 'read' => { 'groups' => %w(g1), 'actors' => %w(u1) }
155
+ )
156
+ end
157
+
158
+ it 'Converging chef_acl "nodes/x" with rights [ :read, :create, :update, :delete, :grant ] modifies all rights' do
159
+ expect {
160
+ run_recipe do
161
+ chef_acl 'nodes/x' do
162
+ rights [ :create, :read, :update, :delete, :grant ], :users => %w(u1 u2), :clients => 'c1', :groups => 'g1'
163
+ end
164
+ end
165
+ }.to update_acls('nodes/x/_acl',
166
+ 'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
167
+ 'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
168
+ 'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
169
+ 'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
170
+ 'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
171
+ )
172
+ end
173
+
174
+ it 'Converging chef_acl "nodes/x" with rights :all modifies all rights' do
175
+ expect {
176
+ run_recipe do
177
+ chef_acl 'nodes/x' do
178
+ rights :all, :users => %w(u1 u2), :clients => 'c1', :groups => 'g1'
179
+ end
180
+ end
181
+ }.to update_acls('nodes/x/_acl',
182
+ 'create' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
183
+ 'read' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
184
+ 'update' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
185
+ 'delete' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
186
+ 'grant' => { 'groups' => %w(g1), 'actors' => %w(u1 u2 c1) },
187
+ )
188
+ end
189
+ end
190
+
191
+ it 'Converging chef_acl "nodes/y" throws a 404' do
192
+ expect {
193
+ run_recipe do
194
+ chef_acl 'nodes/y'
195
+ end
196
+ }.to raise_error(Net::HTTPServerException)
197
+ end
198
+ end
199
+
200
+ when_the_chef_server 'has a node named x with user blarghle in its acl', :osc_compat => false do
201
+ user 'blarghle', {}
202
+ node 'x', {} do
203
+ acl 'read' => { 'actors' => %w(blarghle) }
204
+ end
205
+
206
+ it 'Converging chef_acl "nodes/x" with that user changes nothing' do
207
+ expect {
208
+ run_recipe do
209
+ chef_acl 'nodes/x' do
210
+ rights :read, :users => 'blarghle'
211
+ end
212
+ end
213
+ }.to update_acls('nodes/x/_acl', {})
214
+ end
215
+ end
216
+
217
+ when_the_chef_server 'has a node named x with users foo and bar in all its acls', :osc_compat => false do
218
+ user 'foo', {}
219
+ user 'bar', {}
220
+ node 'x', {} do
221
+ acl 'create' => { 'actors' => %w(foo bar) },
222
+ 'read' => { 'actors' => %w(foo bar) },
223
+ 'update' => { 'actors' => %w(foo bar) },
224
+ 'delete' => { 'actors' => %w(foo bar) },
225
+ 'grant' => { 'actors' => %w(foo bar) }
226
+ end
227
+
228
+ it 'Converging chef_acl "nodes/x" with remove_rights :all removes foo from everything' do
229
+ expect {
230
+ run_recipe do
231
+ chef_acl 'nodes/x' do
232
+ remove_rights :all, :users => 'foo'
233
+ end
234
+ end
235
+ }.to update_acls('nodes/x/_acl',
236
+ 'create' => { 'actors' => %w(-foo) },
237
+ 'read' => { 'actors' => %w(-foo) },
238
+ 'update' => { 'actors' => %w(-foo) },
239
+ 'delete' => { 'actors' => %w(-foo) },
240
+ 'grant' => { 'actors' => %w(-foo) },
241
+ )
242
+ end
243
+ end
244
+
245
+ context 'recursive' do
246
+ when_the_chef_server 'has a nodes container with user blarghle in its acl', :osc_compat => false do
247
+ user 'blarghle', {}
248
+ acl_for 'containers/nodes', 'read' => { 'actors' => %w(blarghle) }
249
+ node 'x', {} do
250
+ acl 'read' => { 'actors' => [] }
251
+ end
252
+
253
+ it 'Converging chef_acl "nodes" makes no changes' do
254
+ expect {
255
+ run_recipe do
256
+ chef_acl 'nodes' do
257
+ rights :read, :users => 'blarghle'
258
+ end
259
+ end
260
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
261
+ end
262
+
263
+ it 'Converging chef_acl "nodes" with recursive :on_change makes no changes' do
264
+ expect {
265
+ run_recipe do
266
+ chef_acl 'nodes' do
267
+ rights :read, :users => 'blarghle'
268
+ recursive :on_change
269
+ end
270
+ end
271
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
272
+ end
273
+
274
+ it 'Converging chef_acl "nodes" with recursive true changes nodes/x\'s acls' do
275
+ expect {
276
+ run_recipe do
277
+ chef_acl 'nodes' do
278
+ rights :read, :users => 'blarghle'
279
+ recursive true
280
+ end
281
+ end
282
+ }.to update_acls('nodes/x/_acl', 'read' => { 'actors' => %w(blarghle) })
283
+ end
284
+
285
+ it 'Converging chef_acl "" with recursive false does not change nodes/x\'s acls' do
286
+ expect {
287
+ run_recipe do
288
+ chef_acl '' do
289
+ rights :read, :users => 'blarghle'
290
+ recursive false
291
+ end
292
+ end
293
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
294
+ end
295
+
296
+ it 'Converging chef_acl "" with recursive :on_change does not change nodes/x\'s acls' do
297
+ expect {
298
+ run_recipe do
299
+ chef_acl '' do
300
+ rights :read, :users => 'blarghle'
301
+ recursive :on_change
302
+ end
303
+ end
304
+ }.to update_acls([ 'containers/nodes/_acl', 'nodes/x/_acl' ], {})
305
+ end
306
+
307
+ it 'Converging chef_acl "" with recursive true changes nodes/x\'s acls' do
308
+ expect {
309
+ run_recipe do
310
+ chef_acl '' do
311
+ rights :read, :users => 'blarghle'
312
+ recursive true
313
+ end
314
+ end
315
+ }.to update_acls([ '/organizations/_acl', 'nodes/x/_acl' ], 'read' => { 'actors' => %w(blarghle) })
316
+ end
317
+ end
318
+ end
319
+ end
320
+
321
+ context 'ACLs on each type of thing' do
322
+ when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
323
+ organization 'foo' do
324
+ user 'u', {}
325
+ client 'x', {}
326
+ container 'x', {}
327
+ cookbook 'x', '1.0.0', {}
328
+ data_bag 'x', { 'y' => {} }
329
+ environment 'x', {}
330
+ group 'x', {}
331
+ node 'x', {}
332
+ role 'x', {}
333
+ sandbox 'x', {}
334
+ user 'x', {}
335
+ end
336
+
337
+ organization 'bar' do
338
+ user 'u', {}
339
+ node 'x', {}
340
+ end
341
+
342
+ context 'and the chef server URL points at /organizations/foo' do
343
+ before :each do
344
+ Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, '/organizations/foo').to_s
345
+ end
346
+
347
+ context 'relative paths' do
348
+ it "chef_acl 'nodes/x' changes the acls" do
349
+ expect {
350
+ run_recipe do
351
+ chef_acl "nodes/x" do
352
+ rights :read, :users => 'u'
353
+ end
354
+ end
355
+ }.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(u) })
356
+ end
357
+
358
+ it "chef_acl '*/*' changes the acls" do
359
+ expect {
360
+ run_recipe do
361
+ chef_acl "*/*" do
362
+ rights :read, :users => 'u'
363
+ end
364
+ end
365
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "/organizations/foo/#{type}/x/_acl" },
366
+ 'read' => { 'actors' => %w(u) })
367
+ end
368
+ end
369
+
370
+ context 'absolute paths' do
371
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
372
+ it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
373
+ expect {
374
+ run_recipe do
375
+ chef_acl "/organizations/foo/#{type}/x" do
376
+ rights :read, :users => 'u'
377
+ end
378
+ end
379
+ }.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
380
+ end
381
+ end
382
+
383
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
384
+ it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
385
+ expect {
386
+ run_recipe do
387
+ chef_acl "/organizations/foo/#{type}/x" do
388
+ rights :read, :users => 'u'
389
+ end
390
+ end
391
+ }.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
392
+ end
393
+ end
394
+
395
+ %w(clients containers cookbooks data environments groups nodes roles).each do |type|
396
+ it "chef_acl '/*/*/#{type}/*' changes the acl" do
397
+ expect {
398
+ run_recipe do
399
+ chef_acl "/*/*/#{type}/*" do
400
+ rights :read, :users => 'u'
401
+ end
402
+ end
403
+ }.to update_acls("/organizations/foo/#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
404
+ end
405
+ end
406
+
407
+ it "chef_acl '/*/*/*/x' changes the acls" do
408
+ expect {
409
+ run_recipe do
410
+ chef_acl "/*/*/*/x" do
411
+ rights :read, :users => 'u'
412
+ end
413
+ end
414
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "/organizations/foo/#{type}/x/_acl" },
415
+ 'read' => { 'actors' => %w(u) })
416
+ end
417
+
418
+ it "chef_acl '/*/*/*/*' changes the acls" do
419
+ expect {
420
+ run_recipe do
421
+ chef_acl "/*/*/*/*" do
422
+ rights :read, :users => 'u'
423
+ end
424
+ end
425
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "/organizations/foo/#{type}/x/_acl" },
426
+ 'read' => { 'actors' => %w(u) })
427
+ end
428
+
429
+ it 'chef_acl "/organizations/foo/data_bags/x" changes the acl' do
430
+ expect {
431
+ run_recipe do
432
+ chef_acl '/organizations/foo/data_bags/x' do
433
+ rights :read, :users => 'u'
434
+ end
435
+ end
436
+ }.to update_acls('/organizations/foo/data/x/_acl', 'read' => { 'actors' => %w(u) })
437
+ end
438
+
439
+ it 'chef_acl "/*/*/data_bags/*" changes the acl' do
440
+ expect {
441
+ run_recipe do
442
+ chef_acl '/*/*/data_bags/*' do
443
+ rights :read, :users => 'u'
444
+ end
445
+ end
446
+ }.to update_acls('/organizations/foo/data/x/_acl', 'read' => { 'actors' => %w(u) })
447
+ end
448
+
449
+ it "chef_acl '/organizations/foo/cookbooks/x/1.0.0' raises an error" do
450
+ expect {
451
+ run_recipe do
452
+ chef_acl "/organizations/foo/cookbooks/x/1.0.0" do
453
+ rights :read, :users => 'u'
454
+ end
455
+ end
456
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/x/)
457
+ end
458
+
459
+ it "chef_acl '/organizations/foo/cookbooks/*/*' raises an error" do
460
+ pending
461
+ expect {
462
+ run_recipe do
463
+ chef_acl "/organizations/foo/cookbooks/*/*" do
464
+ rights :read, :users => 'u'
465
+ end
466
+ end
467
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/*/)
468
+ end
469
+
470
+ it 'chef_acl "/organizations/foo/data/x/y" raises an error' do
471
+ expect {
472
+ run_recipe do
473
+ chef_acl '/organizations/foo/data/x/y' do
474
+ rights :read, :users => 'u'
475
+ end
476
+ end
477
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/x/)
478
+ end
479
+
480
+ it 'chef_acl "/organizations/foo/data/*/*" raises an error' do
481
+ pending
482
+ expect {
483
+ run_recipe do
484
+ chef_acl '/organizations/foo/data/*/*' do
485
+ rights :read, :users => 'u'
486
+ end
487
+ end
488
+ }.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/*/)
489
+ end
490
+
491
+ it 'chef_acl "/organizations/foo" changes the acl' do
492
+ expect {
493
+ run_recipe do
494
+ chef_acl '/organizations/foo' do
495
+ rights :read, :users => 'u'
496
+ end
497
+ end
498
+ }.to update_acls([ '/organizations/foo/organizations/_acl', '/organizations/foo/nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
499
+ end
500
+
501
+ it 'chef_acl "/organizations/*" changes the acl' do
502
+ expect {
503
+ run_recipe do
504
+ chef_acl '/organizations/*' do
505
+ rights :read, :users => 'u'
506
+ end
507
+ end
508
+ }.to update_acls([ '/organizations/foo/organizations/_acl', '/organizations/foo/nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
509
+ end
510
+
511
+ it 'chef_acl "/users/x" changes the acl' do
512
+ expect {
513
+ run_recipe do
514
+ chef_acl '/users/x' do
515
+ rights :read, :users => 'u'
516
+ end
517
+ end
518
+ }.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
519
+ end
520
+
521
+ it 'chef_acl "/users/*" changes the acl' do
522
+ expect {
523
+ run_recipe do
524
+ chef_acl '/users/*' do
525
+ rights :read, :users => 'u'
526
+ end
527
+ end
528
+ }.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
529
+ end
530
+
531
+ it 'chef_acl "/*/x" changes the acl' do
532
+ expect {
533
+ run_recipe do
534
+ chef_acl '/*/x' do
535
+ rights :read, :users => 'u'
536
+ end
537
+ end
538
+ }.to update_acls('/users/x/_acl', 'read' => { 'actors' => %w(u) })
539
+ end
540
+
541
+ it 'chef_acl "/*/*" changes the acl' do
542
+ expect {
543
+ run_recipe do
544
+ chef_acl '/*/*' do
545
+ rights :read, :users => 'u'
546
+ end
547
+ end
548
+ }.to update_acls([ '/organizations/foo/organizations/_acl', '/users/x/_acl' ],
549
+ 'read' => { 'actors' => %w(u) })
550
+ end
551
+ end
552
+ end
553
+
554
+ context 'and the chef server URL points at /organizations/bar' do
555
+ before :each do
556
+ Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/organizations/bar').to_s
557
+ end
558
+
559
+ it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
560
+ expect {
561
+ run_recipe do
562
+ chef_acl "/organizations/foo/nodes/*" do
563
+ rights :read, :users => 'u'
564
+ end
565
+ end
566
+ }.to update_acls("/organizations/foo/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
567
+ expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
568
+ end
569
+ end
570
+
571
+ context 'and the chef server URL points at /' do
572
+ before :each do
573
+ Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, '/').to_s
574
+ end
575
+
576
+ it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
577
+ expect {
578
+ run_recipe do
579
+ chef_acl "/organizations/foo/nodes/*" do
580
+ rights :read, :users => 'u'
581
+ end
582
+ end
583
+ }.to update_acls("/organizations/foo/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
584
+ expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", 'read' => { 'actors' => %w(u) })
585
+ end
586
+ end
587
+ end
588
+
589
+ when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
590
+ user 'u', {}
591
+ client 'x', {}
592
+ container 'x', {}
593
+ cookbook 'x', '1.0.0', {}
594
+ data_bag 'x', { 'y' => {} }
595
+ environment 'x', {}
596
+ group 'x', {}
597
+ node 'x', {}
598
+ role 'x', {}
599
+ sandbox 'x', {}
600
+ user 'x', {}
601
+
602
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
603
+ it "chef_acl #{type}/x' changes the acl" do
604
+ expect {
605
+ run_recipe do
606
+ chef_acl "#{type}/x" do
607
+ rights :read, :users => 'u'
608
+ end
609
+ end
610
+ }.to update_acls("#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
611
+ end
612
+ end
613
+
614
+ %w(clients containers cookbooks data environments groups nodes roles).each do |type|
615
+ it "chef_acl '#{type}/*' changes the acl" do
616
+ expect {
617
+ run_recipe do
618
+ chef_acl "#{type}/*" do
619
+ rights :read, :users => 'u'
620
+ end
621
+ end
622
+ }.to update_acls("#{type}/x/_acl", 'read' => { 'actors' => %w(u) })
623
+ end
624
+ end
625
+
626
+ it "chef_acl '*/x' changes the acls" do
627
+ expect {
628
+ run_recipe do
629
+ chef_acl "*/x" do
630
+ rights :read, :users => 'u'
631
+ end
632
+ end
633
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "#{type}/x/_acl" },
634
+ 'read' => { 'actors' => %w(u) })
635
+ end
636
+
637
+ it "chef_acl '*/*' changes the acls" do
638
+ expect {
639
+ run_recipe do
640
+ chef_acl "*/*" do
641
+ rights :read, :users => 'u'
642
+ end
643
+ end
644
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles).map { |type| "#{type}/x/_acl" },
645
+ 'read' => { 'actors' => %w(u) })
646
+ end
647
+
648
+ it "chef_acl 'groups/*' changes the acl" do
649
+ expect {
650
+ run_recipe do
651
+ chef_acl "groups/*" do
652
+ rights :read, :users => 'u'
653
+ end
654
+ end
655
+ }.to update_acls(%w(admins billing-admins clients users x).map { |n| "groups/#{n}/_acl" },
656
+ 'read' => { 'actors' => %w(u) })
657
+ end
658
+
659
+ it 'chef_acl "data_bags/x" changes the acl' do
660
+ expect {
661
+ run_recipe do
662
+ chef_acl 'data_bags/x' do
663
+ rights :read, :users => 'u'
664
+ end
665
+ end
666
+ }.to update_acls('data/x/_acl', 'read' => { 'actors' => %w(u) })
667
+ end
668
+
669
+ it 'chef_acl "data_bags/*" changes the acl' do
670
+ expect {
671
+ run_recipe do
672
+ chef_acl 'data_bags/*' do
673
+ rights :read, :users => 'u'
674
+ end
675
+ end
676
+ }.to update_acls('data/x/_acl', 'read' => { 'actors' => %w(u) })
677
+ end
678
+
679
+ it 'chef_acl "" changes the organization acl' do
680
+ expect {
681
+ run_recipe do
682
+ chef_acl '' do
683
+ rights :read, :users => 'u'
684
+ end
685
+ end
686
+ }.to update_acls([ '/organizations/_acl', 'nodes/x/_acl' ], 'read' => { 'actors' => %w(u) })
687
+ end
688
+ end
689
+ end
690
+
691
+ context 'ACLs on each container type' do
692
+ when_the_chef_server 'has an organization named foo', :osc_compat => false, :single_org => false do
693
+ organization 'foo' do
694
+ user 'u', {}
695
+ client 'x', {}
696
+ container 'x', {}
697
+ cookbook 'x', '1.0.0', {}
698
+ data_bag 'x', { 'y' => {} }
699
+ environment 'x', {}
700
+ group 'x', {}
701
+ node 'x', {}
702
+ role 'x', {}
703
+ sandbox 'x', {}
704
+ user 'x', {}
705
+ end
706
+
707
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
708
+ it "chef_acl '/organizations/foo/#{type}' changes the acl" do
709
+ expect {
710
+ run_recipe do
711
+ chef_acl "/organizations/foo/#{type}" do
712
+ rights :read, :users => 'u'
713
+ end
714
+ end
715
+ }.to update_acls("/organizations/foo/containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
716
+ end
717
+ end
718
+
719
+ %w(clients containers cookbooks data environments groups nodes roles).each do |type|
720
+ it "chef_acl '/*/*/#{type}' changes the acl" do
721
+ expect {
722
+ run_recipe do
723
+ chef_acl "/*/*/#{type}" do
724
+ rights :read, :users => 'u'
725
+ end
726
+ end
727
+ }.to update_acls("/organizations/foo/containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
728
+ end
729
+ end
730
+
731
+ it "chef_acl '/*/*/*' changes the acls" do
732
+ expect {
733
+ run_recipe do
734
+ chef_acl "/*/*/*" do
735
+ rights :read, :users => 'u'
736
+ end
737
+ end
738
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "/organizations/foo/containers/#{type}/_acl" },
739
+ 'read' => { 'actors' => %w(u) })
740
+ end
741
+
742
+ it 'chef_acl "/organizations/foo/data_bags" changes the acl' do
743
+ expect {
744
+ run_recipe do
745
+ chef_acl '/organizations/foo/data_bags' do
746
+ rights :read, :users => 'u'
747
+ end
748
+ end
749
+ }.to update_acls('/organizations/foo/containers/data/_acl', 'read' => { 'actors' => %w(u) })
750
+ end
751
+
752
+ it 'chef_acl "/*/*/data_bags" changes the acl' do
753
+ expect {
754
+ run_recipe do
755
+ chef_acl '/*/*/data_bags' do
756
+ rights :read, :users => 'u'
757
+ end
758
+ end
759
+ }.to update_acls('/organizations/foo/containers/data/_acl', 'read' => { 'actors' => %w(u) })
760
+ end
761
+ end
762
+
763
+ when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
764
+ user 'u', {}
765
+ client 'x', {}
766
+ container 'x', {}
767
+ cookbook 'x', '1.0.0', {}
768
+ data_bag 'x', { 'y' => {} }
769
+ environment 'x', {}
770
+ group 'x', {}
771
+ node 'x', {}
772
+ role 'x', {}
773
+ sandbox 'x', {}
774
+ user 'x', {}
775
+
776
+ %w(clients containers cookbooks data environments groups nodes roles sandboxes).each do |type|
777
+ it "chef_acl #{type}' changes the acl" do
778
+ expect {
779
+ run_recipe do
780
+ chef_acl "#{type}" do
781
+ rights :read, :users => 'u'
782
+ end
783
+ end
784
+ }.to update_acls("containers/#{type}/_acl", 'read' => { 'actors' => %w(u) })
785
+ end
786
+ end
787
+
788
+ it "chef_acl '*' changes the acls" do
789
+ expect {
790
+ run_recipe do
791
+ chef_acl "*" do
792
+ rights :read, :users => 'u'
793
+ end
794
+ end
795
+ }.to update_acls(%w(clients containers cookbooks data environments groups nodes roles sandboxes).map { |type| "containers/#{type}/_acl" },
796
+ 'read' => { 'actors' => %w(u) })
797
+ end
798
+ end
799
+ end
800
+
801
+ context 'remove_rights' do
802
+ when_the_chef_server 'has a node "x" with "u", "c" and "g" in its acl', :osc_compat => false do
803
+ user 'u', {}
804
+ user 'u2', {}
805
+ client 'c', {}
806
+ client 'c2', {}
807
+ group 'g', {}
808
+ group 'g2', {}
809
+ node 'x', {} do
810
+ acl 'create' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
811
+ 'read' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] },
812
+ 'update' => { 'actors' => [ 'u', 'c' ], 'groups' => [ 'g' ] }
813
+ end
814
+
815
+ it 'chef_acl with remove_rights "u" removes the user\'s rights' do
816
+ expect {
817
+ run_recipe do
818
+ chef_acl "nodes/x" do
819
+ remove_rights :read, :users => 'u'
820
+ end
821
+ end
822
+ }.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(-u) })
823
+ end
824
+
825
+ it 'chef_acl with remove_rights "c" removes the client\'s rights' do
826
+ expect {
827
+ run_recipe do
828
+ chef_acl "nodes/x" do
829
+ remove_rights :read, :clients => 'c'
830
+ end
831
+ end
832
+ }.to update_acls("nodes/x/_acl", 'read' => { 'actors' => %w(-c) })
833
+ end
834
+
835
+ it 'chef_acl with remove_rights "g" removes the group\'s rights' do
836
+ expect {
837
+ run_recipe do
838
+ chef_acl "nodes/x" do
839
+ remove_rights :read, :groups => 'g'
840
+ end
841
+ end
842
+ }.to update_acls("nodes/x/_acl", 'read' => { 'groups' => %w(-g) })
843
+ end
844
+
845
+ it 'chef_acl with remove_rights [ :create, :read ], "u", "c", "g" removes all three' do
846
+ expect {
847
+ run_recipe do
848
+ chef_acl "nodes/x" do
849
+ remove_rights [ :create, :read ], :users => 'u', :clients => 'c', :groups => 'g'
850
+ end
851
+ end
852
+ }.to update_acls("nodes/x/_acl", 'create' => { 'actors' => %w(-u -c), 'groups' => %w(-g) }, 'read' => { 'actors' => %w(-u -c), 'groups' => %w(-g) })
853
+ end
854
+
855
+ it 'chef_acl with remove_rights "u2", "c2", "g2" has no effect' do
856
+ expect {
857
+ run_recipe do
858
+ chef_acl "nodes/x" do
859
+ remove_rights :read, :users => 'u2', :clients => 'c2', :groups => 'g2'
860
+ end
861
+ end
862
+ }.to update_acls("nodes/x/_acl", {})
863
+ end
864
+ end
865
+ end
866
+
867
+ when_the_chef_server 'has a node named data_bags', :osc_compat => false do
868
+ user 'blarghle', {}
869
+ node 'data_bags', {}
870
+
871
+ it 'Converging chef_acl "nodes/data_bags" with user "blarghle" adds the user' do
872
+ expect {
873
+ run_recipe do
874
+ chef_acl 'nodes/data_bags' do
875
+ rights :read, :users => 'blarghle'
876
+ end
877
+ end
878
+ }.to update_acls('nodes/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
879
+ end
880
+ end
881
+
882
+ when_the_chef_server 'has a node named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
883
+ user 'blarghle', {}
884
+ organization 'foo' do
885
+ node 'data_bags', {}
886
+ end
887
+
888
+ it 'Converging chef_acl "/organizations/foo/nodes/data_bags" with user "blarghle" adds the user' do
889
+ expect {
890
+ run_recipe do
891
+ chef_acl '/organizations/foo/nodes/data_bags' do
892
+ rights :read, :users => 'blarghle'
893
+ end
894
+ end
895
+ }.to update_acls('/organizations/foo/nodes/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
896
+ end
897
+ end
898
+
899
+ when_the_chef_server 'has a user named data_bags in multi-org mode', :osc_compat => false, :single_org => false do
900
+ user 'data_bags', {}
901
+ user 'blarghle', {}
902
+
903
+ it 'Converging chef_acl "/users/data_bags" with user "blarghle" adds the user' do
904
+ expect {
905
+ run_recipe do
906
+ chef_acl '/users/data_bags' do
907
+ rights :read, :users => 'blarghle'
908
+ end
909
+ end
910
+ }.to update_acls('/users/data_bags/_acl', 'read' => { 'actors' => %w(blarghle) })
911
+ end
912
+ end
913
+ end
914
+ end
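Review bot: The cross-organization checks at spec lines 567 and 584 are written as `expect {}.not_to update_acls("/organizations/bar/nodes/x/_acl", ...)`, so the negated expectation wraps an empty block and is evaluated only after the recipe has already converged. The `update_acls` matcher is defined outside this file, but if it compares ACLs before and after the block it is given, both assertions would pass even when the recipe had also granted `u` read on organization bar's node x, which is the leak across organizations they are meant to catch. The recipe should run inside the negated expectation as well, for example by nesting the positive one with the two ACL paths filled in: `expect { expect { run_recipe { ... } }.to update_acls(<foo acl path>, ...) }.not_to update_acls(<bar acl path>, ...)`. Separately, the context 'and a client "blarghle"' (spec lines 91-92) sets up `user 'blarghle', {}` rather than `client 'blarghle', {}`, so the `:clients => 'blarghle'` grant is never exercised against an actual client.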