cheffish 4.0.0 → 4.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile +8 -8
- data/Rakefile +24 -12
- data/cheffish.gemspec +15 -15
- data/lib/chef/resource/chef_acl.rb +63 -63
- data/lib/chef/resource/chef_client.rb +9 -9
- data/lib/chef/resource/chef_container.rb +9 -9
- data/lib/chef/resource/chef_data_bag.rb +9 -9
- data/lib/chef/resource/chef_data_bag_item.rb +27 -27
- data/lib/chef/resource/chef_environment.rb +21 -22
- data/lib/chef/resource/chef_group.rb +19 -19
- data/lib/chef/resource/chef_mirror.rb +32 -17
- data/lib/chef/resource/chef_node.rb +14 -14
- data/lib/chef/resource/chef_organization.rb +29 -30
- data/lib/chef/resource/chef_resolved_cookbooks.rb +7 -7
- data/lib/chef/resource/chef_role.rb +25 -22
- data/lib/chef/resource/chef_user.rb +13 -14
- data/lib/chef/resource/private_key.rb +24 -25
- data/lib/chef/resource/public_key.rb +6 -7
- data/lib/cheffish.rb +17 -17
- data/lib/cheffish/array_property.rb +2 -2
- data/lib/cheffish/base_properties.rb +3 -3
- data/lib/cheffish/base_resource.rb +8 -8
- data/lib/cheffish/basic_chef_client.rb +17 -17
- data/lib/cheffish/chef_actor_base.rb +8 -8
- data/lib/cheffish/chef_run.rb +7 -2
- data/lib/cheffish/chef_run_data.rb +2 -2
- data/lib/cheffish/chef_run_listener.rb +1 -1
- data/lib/cheffish/key_formatter.rb +16 -18
- data/lib/cheffish/merged_config.rb +5 -3
- data/lib/cheffish/node_properties.rb +11 -7
- data/lib/cheffish/recipe_dsl.rb +33 -34
- data/lib/cheffish/rspec.rb +3 -3
- data/lib/cheffish/rspec/chef_run_support.rb +13 -13
- data/lib/cheffish/rspec/matchers.rb +4 -4
- data/lib/cheffish/rspec/matchers/be_idempotent.rb +3 -3
- data/lib/cheffish/rspec/matchers/emit_no_warnings_or_errors.rb +3 -3
- data/lib/cheffish/rspec/matchers/have_updated.rb +3 -3
- data/lib/cheffish/rspec/recipe_run_wrapper.rb +8 -7
- data/lib/cheffish/rspec/repository_support.rb +6 -6
- data/lib/cheffish/server_api.rb +11 -11
- data/lib/cheffish/version.rb +1 -1
- data/spec/functional/fingerprint_spec.rb +12 -12
- data/spec/functional/merged_config_spec.rb +46 -6
- data/spec/functional/server_api_spec.rb +3 -3
- data/spec/integration/chef_acl_spec.rb +489 -489
- data/spec/integration/chef_client_spec.rb +39 -39
- data/spec/integration/chef_container_spec.rb +14 -14
- data/spec/integration/chef_data_bag_item_spec.rb +9 -9
- data/spec/integration/chef_group_spec.rb +219 -219
- data/spec/integration/chef_mirror_spec.rb +228 -228
- data/spec/integration/chef_node_spec.rb +511 -511
- data/spec/integration/chef_organization_spec.rb +126 -126
- data/spec/integration/chef_role_spec.rb +33 -33
- data/spec/integration/chef_user_spec.rb +37 -37
- data/spec/integration/private_key_spec.rb +154 -154
- data/spec/integration/recipe_dsl_spec.rb +10 -10
- data/spec/integration/rspec/converge_spec.rb +49 -49
- data/spec/support/key_support.rb +6 -6
- data/spec/support/spec_support.rb +3 -3
- data/spec/unit/get_private_key_spec.rb +19 -19
- data/spec/unit/recipe_run_wrapper_spec.rb +4 -4
- metadata +3 -3
data/lib/cheffish/server_api.rb
CHANGED
|
@@ -16,15 +16,15 @@
|
|
|
16
16
|
# limitations under the License.
|
|
17
17
|
#
|
|
18
18
|
|
|
19
|
-
require
|
|
20
|
-
require
|
|
21
|
-
require
|
|
22
|
-
require
|
|
23
|
-
require
|
|
24
|
-
require
|
|
25
|
-
require
|
|
26
|
-
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new(
|
|
27
|
-
require
|
|
19
|
+
require "chef/version"
|
|
20
|
+
require "chef/http"
|
|
21
|
+
require "chef/http/authenticator"
|
|
22
|
+
require "chef/http/cookie_manager"
|
|
23
|
+
require "chef/http/decompressor"
|
|
24
|
+
require "chef/http/json_input"
|
|
25
|
+
require "chef/http/json_output"
|
|
26
|
+
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new("11.12")
|
|
27
|
+
require "chef/http/remote_request_id"
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
module Cheffish
|
|
@@ -34,7 +34,7 @@ module Cheffish
|
|
|
34
34
|
def initialize(url, options = {})
|
|
35
35
|
super(url, options)
|
|
36
36
|
root_url = URI.parse(url)
|
|
37
|
-
root_url.path =
|
|
37
|
+
root_url.path = ""
|
|
38
38
|
@root_url = root_url.to_s
|
|
39
39
|
end
|
|
40
40
|
|
|
@@ -45,7 +45,7 @@ module Cheffish
|
|
|
45
45
|
use Chef::HTTP::CookieManager
|
|
46
46
|
use Chef::HTTP::Decompressor
|
|
47
47
|
use Chef::HTTP::Authenticator
|
|
48
|
-
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new(
|
|
48
|
+
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new("11.12")
|
|
49
49
|
use Chef::HTTP::RemoteRequestID
|
|
50
50
|
end
|
|
51
51
|
end
|
data/lib/cheffish/version.rb
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
require
|
|
2
|
-
require
|
|
1
|
+
require "cheffish/key_formatter"
|
|
2
|
+
require "support/key_support"
|
|
3
3
|
|
|
4
|
-
describe
|
|
4
|
+
describe "Cheffish fingerprint key formatter" do
|
|
5
5
|
|
|
6
6
|
# Sample key: 0x9a6fa4c43b328c3d04c1fbc0498539218b6728e41cd35f6d27d491ef705f0b2083dc1ac977da19f54ba82b044773f20667e9627c543abb3b41b6eb9e4318ca3c68f487bbd0f1c9eea9a3101b7d1d180983c5440ac4183e78e9e256fa687d8aac63b21617a4b02b35bf5e307a3b76961a16cd8493e923536b34cc2b2da8d45220d57ef2243b081b555b84f1da0ade0e896c2aa96911b41430b59eaf75dbffb7eaa7c5b3a686f2d47a24e3b7f1acb0844f84a2fedc63660ae366b800cd9448093d6b1d96503ebb7807b48257e16c3d8a7c9a8cc5dd63116aa673bd9e09754de09358486e743e34c6a3642eeb64b2208efc96df39151572557a75638bd059c21a55 = 0xd6e92677d4e1d2aa6d14f87b5f49ee6916c6b92411536254fae4a21e82eebb0a40600247c701c1c938b21ca9f25b7b330c35fded57b4de3a951e83329a80bdbf2ba138fe2f190bffce43967b5fa93b179367bcd15cb1db7f9e3ab62caca95dc9489b62bc0a10b53841b932455a43409f96eed90dc80abc8cce5593ead8f0a26d * 0xb7f68cd427045788d5e315375f71d3a416784ec2597776a60ed77c821294d9bd66e96658bdcb43072cee0c849d297bd9f94991738f1a0df313ceb51b093a9372f12a61987f40e7a03d773911deb270916a574962ae8ff4f2d8bfcedee1c885e9c3e54212471636a6330b05b78c3a7ddf96b013be389a08ab7971db2f68fb2689
|
|
7
7
|
|
|
@@ -34,27 +34,27 @@ EOF
|
|
|
34
34
|
|
|
35
35
|
def key_to_format(key, format)
|
|
36
36
|
keyobj, f = Cheffish::KeyFormatter.decode(key)
|
|
37
|
-
Cheffish::KeyFormatter.encode(keyobj, {:format => format})
|
|
37
|
+
Cheffish::KeyFormatter.encode(keyobj, { :format => format })
|
|
38
38
|
end
|
|
39
39
|
|
|
40
|
-
context
|
|
40
|
+
context "when computing key fingperprints" do
|
|
41
41
|
|
|
42
|
-
it
|
|
42
|
+
it "computes the PKCS#8 SHA1 private key fingerprint correctly", :pending => (RUBY_VERSION.to_f >= 2.0) do
|
|
43
43
|
expect(key_to_format(sample_private_key, :pkcs8sha1fingerprint)).to eq(
|
|
44
|
-
|
|
44
|
+
"88:7e:3a:bd:26:9f:b5:c5:d8:ae:52:f9:df:0b:64:a4:5c:17:0a:87")
|
|
45
45
|
end
|
|
46
46
|
|
|
47
|
-
it
|
|
47
|
+
it "computes the PKCS#1 MD5 public key fingerprint correctly" do
|
|
48
48
|
expect(key_to_format(sample_public_key, :pkcs1md5fingerprint)).to eq(
|
|
49
|
-
|
|
49
|
+
"1f:e8:da:c1:16:c3:72:7d:90:e2:b7:64:c4:b4:55:20")
|
|
50
50
|
end
|
|
51
51
|
|
|
52
|
-
it
|
|
52
|
+
it "computes the RFC4716 MD5 public key fingerprint correctly" do
|
|
53
53
|
expect(key_to_format(sample_public_key, :rfc4716md5fingerprint)).to eq(
|
|
54
|
-
|
|
54
|
+
"b0:13:4f:da:cf:8c:dc:a7:4a:1f:d2:3a:51:92:cf:6b")
|
|
55
55
|
end
|
|
56
56
|
|
|
57
|
-
it
|
|
57
|
+
it "defaults to the PKCS#1 MD5 public key fingerprint" do
|
|
58
58
|
expect(key_to_format(sample_public_key, :fingerprint)).to eq(
|
|
59
59
|
key_to_format(sample_public_key, :pkcs1md5fingerprint))
|
|
60
60
|
end
|
|
@@ -1,20 +1,60 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "cheffish/merged_config"
|
|
2
2
|
|
|
3
3
|
describe "merged_config" do
|
|
4
4
|
|
|
5
5
|
let(:config) do
|
|
6
|
-
|
|
6
|
+
Cheffish::MergedConfig.new({ :test => "val" })
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
let(:collision) do
|
|
10
|
+
c1 = { :test1 => "c1.1", "test2" => "c1.2" }
|
|
11
|
+
c2 = { "test1" => "c2.1", "test3" => "c2.3" }
|
|
12
|
+
Cheffish::MergedConfig.new(c1, c2)
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
let(:config_mismatch) do
|
|
16
|
+
c1 = { :test => { :test => "val" } }
|
|
17
|
+
c2 = { :test => [2, 3, 4] }
|
|
18
|
+
Cheffish::MergedConfig.new(c1, c2)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
let(:config_hashes) do
|
|
22
|
+
c1 = { :test => { :test => "val" } }
|
|
23
|
+
c2 = { :test => { :test2 => "val2" } }
|
|
24
|
+
Cheffish::MergedConfig.new(c1, c2)
|
|
7
25
|
end
|
|
8
26
|
|
|
9
27
|
it "returns value in config" do
|
|
10
|
-
expect(config.test).to eq(
|
|
28
|
+
expect(config.test).to eq("val")
|
|
11
29
|
end
|
|
12
30
|
|
|
13
31
|
it "raises a NoMethodError if calling an unknown method with arguments" do
|
|
14
|
-
expect{config.merge({:some =>
|
|
32
|
+
expect { config.merge({ :some => "hash" }) }.to raise_error(NoMethodError)
|
|
15
33
|
end
|
|
16
34
|
|
|
17
35
|
it "has an informative string representation" do
|
|
18
|
-
|
|
36
|
+
expect("#{config}").to eq("{\"test\"=>\"val\"}")
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
it "has indifferent str/sym access" do
|
|
40
|
+
expect(config["test"]).to eq("val")
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
it "respects precedence between the different configs" do
|
|
44
|
+
expect(collision["test1"]).to eq("c1.1")
|
|
45
|
+
expect(collision[:test1]).to eq("c1.1")
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
it "merges the configs" do
|
|
49
|
+
expect(collision[:test2]).to eq("c1.2")
|
|
50
|
+
expect(collision[:test3]).to eq("c2.3")
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
it "handle merged value type mismatch" do
|
|
54
|
+
expect(config_mismatch[:test]).to eq("test" => "val")
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
it "merges values when they're hashes" do
|
|
58
|
+
expect(config_hashes[:test].keys).to eq(%w{test test2})
|
|
19
59
|
end
|
|
20
|
-
end
|
|
60
|
+
end
|
|
@@ -1,13 +1,13 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "cheffish"
|
|
2
2
|
|
|
3
3
|
describe "api version" do
|
|
4
4
|
|
|
5
5
|
let(:server_api) do
|
|
6
|
-
|
|
6
|
+
Cheffish.chef_server_api({ :chef_server_url => "my.chef.server" })
|
|
7
7
|
end
|
|
8
8
|
|
|
9
9
|
it "is pinned to 0" do
|
|
10
|
-
expect(Cheffish::ServerAPI).to receive(:new).with("my.chef.server", {api_version: "0"})
|
|
10
|
+
expect(Cheffish::ServerAPI).to receive(:new).with("my.chef.server", { api_version: "0" })
|
|
11
11
|
server_api
|
|
12
12
|
end
|
|
13
13
|
end
|
|
@@ -1,889 +1,889 @@
|
|
|
1
|
-
require
|
|
2
|
-
require
|
|
3
|
-
require
|
|
4
|
-
require
|
|
1
|
+
require "support/spec_support"
|
|
2
|
+
require "cheffish/rspec/chef_run_support"
|
|
3
|
+
require "chef_zero/version"
|
|
4
|
+
require "uri"
|
|
5
5
|
|
|
6
|
-
if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new(
|
|
6
|
+
if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new("3.1")
|
|
7
7
|
describe Chef::Resource::ChefAcl do
|
|
8
8
|
extend Cheffish::RSpec::ChefRunSupport
|
|
9
9
|
|
|
10
10
|
# let(:chef_config) { super().merge(log_level: :debug, stdout: STDOUT, stderr: STDERR, log_location: STDOUT) }
|
|
11
11
|
|
|
12
12
|
context "Rights attributes" do
|
|
13
|
-
when_the_chef_server
|
|
14
|
-
node
|
|
13
|
+
when_the_chef_server "has a node named x", :osc_compat => false do
|
|
14
|
+
node "x", {}
|
|
15
15
|
|
|
16
16
|
it 'Converging chef_acl "nodes/x" changes nothing' do
|
|
17
|
-
expect_recipe
|
|
18
|
-
chef_acl
|
|
19
|
-
|
|
20
|
-
expect(get(
|
|
17
|
+
expect_recipe do
|
|
18
|
+
chef_acl "nodes/x"
|
|
19
|
+
end.to be_up_to_date
|
|
20
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
it 'Converging chef_acl "nodes/x" with "complete true" and no rights raises an error' do
|
|
24
|
-
expect_converge
|
|
25
|
-
chef_acl
|
|
24
|
+
expect_converge do
|
|
25
|
+
chef_acl "nodes/x" do
|
|
26
26
|
complete true
|
|
27
27
|
end
|
|
28
|
-
|
|
28
|
+
end.to raise_error(RuntimeError)
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
-
it
|
|
32
|
-
expect_converge
|
|
33
|
-
chef_acl
|
|
34
|
-
remove_rights :grant, users: %w
|
|
31
|
+
it "Removing all :grant rights from a node raises an error" do
|
|
32
|
+
expect_converge do
|
|
33
|
+
chef_acl "nodes/x" do
|
|
34
|
+
remove_rights :grant, users: %w{pivotal}, groups: %w{admins users clients}
|
|
35
35
|
end
|
|
36
|
-
|
|
36
|
+
end.to raise_error(RuntimeError)
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
context 'and a user "blarghle"' do
|
|
40
|
-
user
|
|
40
|
+
user "blarghle", {}
|
|
41
41
|
|
|
42
42
|
it 'Converging chef_acl "nodes/x" with user "blarghle" adds the user' do
|
|
43
|
-
expect_recipe
|
|
44
|
-
chef_acl
|
|
45
|
-
rights :read, users: %w
|
|
43
|
+
expect_recipe do
|
|
44
|
+
chef_acl "nodes/x" do
|
|
45
|
+
rights :read, users: %w{blarghle}
|
|
46
46
|
end
|
|
47
|
-
|
|
48
|
-
expect(get(
|
|
47
|
+
end.to be_updated
|
|
48
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified' do
|
|
52
|
-
expect_recipe
|
|
53
|
-
chef_acl
|
|
54
|
-
rights :grant, users: %w
|
|
52
|
+
expect_recipe do
|
|
53
|
+
chef_acl "nodes/x" do
|
|
54
|
+
rights :grant, users: %w{blarghle}
|
|
55
55
|
complete true
|
|
56
56
|
end
|
|
57
|
-
|
|
58
|
-
expect(get(
|
|
59
|
-
"create"=>{"actors"=>[], "groups"=>[]},
|
|
60
|
-
"read"
|
|
61
|
-
"update"=>{"actors"=>[], "groups"=>[]},
|
|
62
|
-
"delete"=>{"actors"=>[], "groups"=>[]},
|
|
63
|
-
"grant" =>{"actors"=>["blarghle"], "groups"=>[]}
|
|
57
|
+
end.to be_updated
|
|
58
|
+
expect(get("nodes/x/_acl")).to eq(
|
|
59
|
+
"create" => { "actors" => [], "groups" => [] },
|
|
60
|
+
"read" => { "actors" => [], "groups" => [] },
|
|
61
|
+
"update" => { "actors" => [], "groups" => [] },
|
|
62
|
+
"delete" => { "actors" => [], "groups" => [] },
|
|
63
|
+
"grant" => { "actors" => ["blarghle"], "groups" => [] }
|
|
64
64
|
)
|
|
65
65
|
end
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified in :all' do
|
|
69
|
-
expect_recipe
|
|
70
|
-
chef_acl
|
|
71
|
-
rights :all, users: %w
|
|
69
|
+
expect_recipe do
|
|
70
|
+
chef_acl "nodes/x" do
|
|
71
|
+
rights :all, users: %w{blarghle}
|
|
72
72
|
complete true
|
|
73
73
|
end
|
|
74
|
-
|
|
75
|
-
expect(get(
|
|
76
|
-
"create"=>{"actors"=>["blarghle"], "groups"=>[]},
|
|
77
|
-
"read"
|
|
78
|
-
"update"=>{"actors"=>["blarghle"], "groups"=>[]},
|
|
79
|
-
"delete"=>{"actors"=>["blarghle"], "groups"=>[]},
|
|
80
|
-
"grant" =>{"actors"=>["blarghle"], "groups"=>[]}
|
|
74
|
+
end.to be_updated
|
|
75
|
+
expect(get("nodes/x/_acl")).to eq(
|
|
76
|
+
"create" => { "actors" => ["blarghle"], "groups" => [] },
|
|
77
|
+
"read" => { "actors" => ["blarghle"], "groups" => [] },
|
|
78
|
+
"update" => { "actors" => ["blarghle"], "groups" => [] },
|
|
79
|
+
"delete" => { "actors" => ["blarghle"], "groups" => [] },
|
|
80
|
+
"grant" => { "actors" => ["blarghle"], "groups" => [] }
|
|
81
81
|
)
|
|
82
82
|
end
|
|
83
83
|
|
|
84
84
|
context 'and a client "blarghle"' do
|
|
85
|
-
user
|
|
85
|
+
user "blarghle", {}
|
|
86
86
|
|
|
87
87
|
it 'Converging chef_acl "nodes/x" with client "blarghle" adds the client' do
|
|
88
|
-
expect_recipe
|
|
89
|
-
chef_acl
|
|
90
|
-
rights :read, clients: %w
|
|
88
|
+
expect_recipe do
|
|
89
|
+
chef_acl "nodes/x" do
|
|
90
|
+
rights :read, clients: %w{blarghle}
|
|
91
91
|
end
|
|
92
|
-
|
|
93
|
-
expect(get(
|
|
92
|
+
end.to be_updated
|
|
93
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
94
94
|
end
|
|
95
95
|
end
|
|
96
96
|
|
|
97
97
|
context 'and a group "blarghle"' do
|
|
98
|
-
group
|
|
98
|
+
group "blarghle", {}
|
|
99
99
|
|
|
100
100
|
it 'Converging chef_acl "nodes/x" with group "blarghle" adds the group' do
|
|
101
|
-
expect_recipe
|
|
102
|
-
chef_acl
|
|
103
|
-
rights :read, groups: %w
|
|
101
|
+
expect_recipe do
|
|
102
|
+
chef_acl "nodes/x" do
|
|
103
|
+
rights :read, groups: %w{blarghle}
|
|
104
104
|
end
|
|
105
|
-
|
|
106
|
-
expect(get(
|
|
107
|
-
end
|
|
108
|
-
end
|
|
109
|
-
|
|
110
|
-
context
|
|
111
|
-
user
|
|
112
|
-
user
|
|
113
|
-
user
|
|
114
|
-
client
|
|
115
|
-
client
|
|
116
|
-
client
|
|
117
|
-
group
|
|
118
|
-
group
|
|
119
|
-
group
|
|
120
|
-
|
|
121
|
-
it
|
|
122
|
-
expect_recipe
|
|
123
|
-
chef_acl
|
|
124
|
-
rights :create, users:
|
|
105
|
+
end.to be_updated
|
|
106
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "groups" => %w{blarghle} })
|
|
107
|
+
end
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
context "and multiple users and groups" do
|
|
111
|
+
user "u1", {}
|
|
112
|
+
user "u2", {}
|
|
113
|
+
user "u3", {}
|
|
114
|
+
client "c1", {}
|
|
115
|
+
client "c2", {}
|
|
116
|
+
client "c3", {}
|
|
117
|
+
group "g1", {}
|
|
118
|
+
group "g2", {}
|
|
119
|
+
group "g3", {}
|
|
120
|
+
|
|
121
|
+
it "Converging chef_acls should ignore order of the values in the acls" do
|
|
122
|
+
expect_recipe do
|
|
123
|
+
chef_acl "nodes/x" do
|
|
124
|
+
rights :create, users: %w{u1 u2 u3}, clients: %w{c1 c2 c3}, groups: %w{g1 g2 g3}
|
|
125
125
|
end
|
|
126
|
-
|
|
127
|
-
expect_recipe
|
|
128
|
-
chef_acl
|
|
129
|
-
rights :create, users:
|
|
126
|
+
end.to be_updated
|
|
127
|
+
expect_recipe do
|
|
128
|
+
chef_acl "nodes/x" do
|
|
129
|
+
rights :create, users: %w{u2 u3 u1}, clients: %w{c3 c2 c1}, groups: %w{g1 g2 g3}
|
|
130
130
|
end
|
|
131
|
-
|
|
131
|
+
end.to be_up_to_date
|
|
132
132
|
end
|
|
133
133
|
|
|
134
134
|
it 'Converging chef_acl "nodes/x" with multiple groups, users and clients in an acl makes the appropriate changes' do
|
|
135
|
-
expect_recipe
|
|
136
|
-
chef_acl
|
|
137
|
-
rights :create, users:
|
|
135
|
+
expect_recipe do
|
|
136
|
+
chef_acl "nodes/x" do
|
|
137
|
+
rights :create, users: %w{u1 u2 u3}, clients: %w{c1 c2 c3}, groups: %w{g1 g2 g3}
|
|
138
138
|
end
|
|
139
|
-
|
|
140
|
-
expect(get(
|
|
141
|
-
|
|
139
|
+
end.to be_updated
|
|
140
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
141
|
+
"create" => { "groups" => %w{g1 g2 g3}, "actors" => %w{u1 u2 u3 c1 c2 c3} }
|
|
142
142
|
)
|
|
143
143
|
end
|
|
144
144
|
|
|
145
145
|
it 'Converging chef_acl "nodes/x" with multiple groups, users and clients across multiple "rights" groups makes the appropriate changes' do
|
|
146
|
-
expect_recipe
|
|
147
|
-
chef_acl
|
|
148
|
-
rights :create, users: %w
|
|
149
|
-
rights :create, users: %w
|
|
150
|
-
rights :read, users: %w
|
|
151
|
-
rights :read, groups: %w
|
|
146
|
+
expect_recipe do
|
|
147
|
+
chef_acl "nodes/x" do
|
|
148
|
+
rights :create, users: %w{u1}, clients: %w{c1}, groups: %w{g1}
|
|
149
|
+
rights :create, users: %w{u2 u3}, clients: %w{c2 c3}, groups: %w{g2}
|
|
150
|
+
rights :read, users: %w{u1}
|
|
151
|
+
rights :read, groups: %w{g1}
|
|
152
152
|
end
|
|
153
|
-
|
|
154
|
-
expect(get(
|
|
155
|
-
|
|
156
|
-
|
|
153
|
+
end.to be_updated
|
|
154
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
155
|
+
"create" => { "groups" => %w{g1 g2}, "actors" => %w{u1 u2 u3 c1 c2 c3} },
|
|
156
|
+
"read" => { "groups" => %w{g1}, "actors" => %w{u1} }
|
|
157
157
|
)
|
|
158
158
|
end
|
|
159
159
|
|
|
160
160
|
it 'Converging chef_acl "nodes/x" with rights [ :read, :create, :update, :delete, :grant ] modifies all rights' do
|
|
161
|
-
expect_recipe
|
|
162
|
-
chef_acl
|
|
163
|
-
rights [ :create, :read, :update, :delete, :grant ], users:
|
|
161
|
+
expect_recipe do
|
|
162
|
+
chef_acl "nodes/x" do
|
|
163
|
+
rights [ :create, :read, :update, :delete, :grant ], users: %w{u1 u2}, clients: %w{c1}, groups: %w{g1}
|
|
164
164
|
end
|
|
165
|
-
|
|
166
|
-
expect(get(
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
165
|
+
end.to be_updated
|
|
166
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
167
|
+
"create" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
168
|
+
"read" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
169
|
+
"update" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
170
|
+
"delete" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
171
|
+
"grant" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} }
|
|
172
172
|
)
|
|
173
173
|
end
|
|
174
174
|
|
|
175
175
|
it 'Converging chef_acl "nodes/x" with rights :all modifies all rights' do
|
|
176
|
-
expect_recipe
|
|
177
|
-
chef_acl
|
|
178
|
-
rights :all, users:
|
|
176
|
+
expect_recipe do
|
|
177
|
+
chef_acl "nodes/x" do
|
|
178
|
+
rights :all, users: %w{u1 u2}, clients: %w{c1}, groups: %w{g1}
|
|
179
179
|
end
|
|
180
|
-
|
|
181
|
-
expect(get(
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
180
|
+
end.to be_updated
|
|
181
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
182
|
+
"create" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
183
|
+
"read" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
184
|
+
"update" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
185
|
+
"delete" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
186
|
+
"grant" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} }
|
|
187
187
|
)
|
|
188
188
|
end
|
|
189
189
|
end
|
|
190
190
|
|
|
191
191
|
it 'Converging chef_acl "nodes/y" throws a 404' do
|
|
192
|
-
expect_converge
|
|
193
|
-
chef_acl
|
|
194
|
-
|
|
192
|
+
expect_converge do
|
|
193
|
+
chef_acl "nodes/y"
|
|
194
|
+
end.to raise_error(Net::HTTPServerException)
|
|
195
195
|
end
|
|
196
196
|
end
|
|
197
197
|
|
|
198
|
-
when_the_chef_server
|
|
199
|
-
user
|
|
200
|
-
node
|
|
201
|
-
acl
|
|
198
|
+
when_the_chef_server "has a node named x with user blarghle in its acl", :osc_compat => false do
|
|
199
|
+
user "blarghle", {}
|
|
200
|
+
node "x", {} do
|
|
201
|
+
acl "read" => { "actors" => %w{blarghle} }
|
|
202
202
|
end
|
|
203
203
|
|
|
204
204
|
it 'Converging chef_acl "nodes/x" with that user changes nothing' do
|
|
205
|
-
expect_recipe
|
|
206
|
-
chef_acl
|
|
207
|
-
rights :read, users: %w
|
|
205
|
+
expect_recipe do
|
|
206
|
+
chef_acl "nodes/x" do
|
|
207
|
+
rights :read, users: %w{blarghle}
|
|
208
208
|
end
|
|
209
|
-
|
|
210
|
-
expect(get(
|
|
209
|
+
end.to be_up_to_date
|
|
210
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
211
211
|
end
|
|
212
212
|
end
|
|
213
213
|
|
|
214
|
-
when_the_chef_server
|
|
215
|
-
user
|
|
216
|
-
user
|
|
217
|
-
node
|
|
218
|
-
acl
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
214
|
+
when_the_chef_server "has a node named x with users foo and bar in all its acls", :osc_compat => false do
|
|
215
|
+
user "foo", {}
|
|
216
|
+
user "bar", {}
|
|
217
|
+
node "x", {} do
|
|
218
|
+
acl "create" => { "actors" => %w{foo bar} },
|
|
219
|
+
"read" => { "actors" => %w{foo bar} },
|
|
220
|
+
"update" => { "actors" => %w{foo bar} },
|
|
221
|
+
"delete" => { "actors" => %w{foo bar} },
|
|
222
|
+
"grant" => { "actors" => %w{foo bar} }
|
|
223
223
|
end
|
|
224
224
|
|
|
225
225
|
it 'Converging chef_acl "nodes/x" with remove_rights :all removes foo from everything' do
|
|
226
|
-
expect_recipe
|
|
227
|
-
chef_acl
|
|
228
|
-
remove_rights :all, users: %w
|
|
229
|
-
end
|
|
230
|
-
|
|
231
|
-
expect(get(
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
226
|
+
expect_recipe do
|
|
227
|
+
chef_acl "nodes/x" do
|
|
228
|
+
remove_rights :all, users: %w{foo}
|
|
229
|
+
end
|
|
230
|
+
end.to be_updated
|
|
231
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
232
|
+
"create" => { "actors" => exclude("foo") },
|
|
233
|
+
"read" => { "actors" => exclude("foo") },
|
|
234
|
+
"update" => { "actors" => exclude("foo") },
|
|
235
|
+
"delete" => { "actors" => exclude("foo") },
|
|
236
|
+
"grant" => { "actors" => exclude("foo") }
|
|
237
237
|
)
|
|
238
238
|
end
|
|
239
239
|
end
|
|
240
240
|
|
|
241
241
|
::RSpec::Matchers.define_negated_matcher :exclude, :include
|
|
242
242
|
|
|
243
|
-
context
|
|
244
|
-
when_the_chef_server
|
|
245
|
-
user
|
|
246
|
-
acl_for
|
|
247
|
-
node
|
|
248
|
-
acl
|
|
243
|
+
context "recursive" do
|
|
244
|
+
when_the_chef_server "has a nodes container with user blarghle in its acl", :osc_compat => false do
|
|
245
|
+
user "blarghle", {}
|
|
246
|
+
acl_for "containers/nodes", "read" => { "actors" => %w{blarghle} }
|
|
247
|
+
node "x", {} do
|
|
248
|
+
acl "read" => { "actors" => [] }
|
|
249
249
|
end
|
|
250
250
|
|
|
251
251
|
it 'Converging chef_acl "nodes" makes no changes' do
|
|
252
|
-
expect
|
|
253
|
-
expect_recipe
|
|
254
|
-
chef_acl
|
|
255
|
-
rights :read, users: %w
|
|
252
|
+
expect do
|
|
253
|
+
expect_recipe do
|
|
254
|
+
chef_acl "nodes" do
|
|
255
|
+
rights :read, users: %w{blarghle}
|
|
256
256
|
end
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
and not_change { get(
|
|
257
|
+
end.to be_up_to_date
|
|
258
|
+
end.to not_change { get("containers/nodes/_acl") }.
|
|
259
|
+
and not_change { get("nodes/x/_acl") }
|
|
260
260
|
end
|
|
261
261
|
|
|
262
262
|
RSpec::Matchers.define_negated_matcher :not_change, :change
|
|
263
263
|
|
|
264
264
|
it 'Converging chef_acl "nodes" with recursive :on_change makes no changes' do
|
|
265
|
-
expect
|
|
266
|
-
expect_recipe
|
|
267
|
-
chef_acl
|
|
268
|
-
rights :read, users: %w
|
|
265
|
+
expect do
|
|
266
|
+
expect_recipe do
|
|
267
|
+
chef_acl "nodes" do
|
|
268
|
+
rights :read, users: %w{blarghle}
|
|
269
269
|
recursive :on_change
|
|
270
270
|
end
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
and not_change { get(
|
|
271
|
+
end.to be_up_to_date
|
|
272
|
+
end.to not_change { get("containers/nodes/_acl") }.
|
|
273
|
+
and not_change { get("nodes/x/_acl") }
|
|
274
274
|
end
|
|
275
275
|
|
|
276
276
|
it 'Converging chef_acl "nodes" with recursive true changes nodes/x\'s acls' do
|
|
277
|
-
expect_recipe
|
|
278
|
-
chef_acl
|
|
279
|
-
rights :read, users: %w
|
|
277
|
+
expect_recipe do
|
|
278
|
+
chef_acl "nodes" do
|
|
279
|
+
rights :read, users: %w{blarghle}
|
|
280
280
|
recursive true
|
|
281
281
|
end
|
|
282
|
-
|
|
283
|
-
expect(get(
|
|
282
|
+
end.to be_updated
|
|
283
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
284
284
|
end
|
|
285
285
|
|
|
286
286
|
it 'Converging chef_acl "" with recursive false does not change nodes/x\'s acls' do
|
|
287
|
-
expect_recipe
|
|
288
|
-
chef_acl
|
|
289
|
-
rights :read, users: %w
|
|
287
|
+
expect_recipe do
|
|
288
|
+
chef_acl "" do
|
|
289
|
+
rights :read, users: %w{blarghle}
|
|
290
290
|
recursive false
|
|
291
291
|
end
|
|
292
|
-
|
|
293
|
-
expect(get(
|
|
294
|
-
expect(get(
|
|
292
|
+
end.to be_updated
|
|
293
|
+
expect(get("containers/nodes/_acl")).to partially_match({})
|
|
294
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
295
295
|
end
|
|
296
296
|
|
|
297
297
|
it 'Converging chef_acl "" with recursive :on_change does not change nodes/x\'s acls' do
|
|
298
|
-
expect_recipe
|
|
299
|
-
chef_acl
|
|
300
|
-
rights :read, users: %w
|
|
298
|
+
expect_recipe do
|
|
299
|
+
chef_acl "" do
|
|
300
|
+
rights :read, users: %w{blarghle}
|
|
301
301
|
recursive :on_change
|
|
302
302
|
end
|
|
303
|
-
|
|
304
|
-
expect(get(
|
|
305
|
-
expect(get(
|
|
303
|
+
end.to be_updated
|
|
304
|
+
expect(get("containers/nodes/_acl")).to partially_match({})
|
|
305
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
306
306
|
end
|
|
307
307
|
|
|
308
308
|
it 'Converging chef_acl "" with recursive true changes nodes/x\'s acls' do
|
|
309
|
-
expect_recipe
|
|
310
|
-
chef_acl
|
|
311
|
-
rights :read, users: %w
|
|
309
|
+
expect_recipe do
|
|
310
|
+
chef_acl "" do
|
|
311
|
+
rights :read, users: %w{blarghle}
|
|
312
312
|
recursive true
|
|
313
313
|
end
|
|
314
|
-
|
|
315
|
-
expect(get(
|
|
316
|
-
expect(get(
|
|
314
|
+
end.to be_updated
|
|
315
|
+
expect(get("/organizations/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
316
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
317
317
|
end
|
|
318
318
|
end
|
|
319
319
|
end
|
|
320
320
|
end
|
|
321
321
|
|
|
322
|
-
context
|
|
323
|
-
when_the_chef_server
|
|
324
|
-
organization
|
|
325
|
-
user
|
|
326
|
-
client
|
|
327
|
-
container
|
|
328
|
-
cookbook
|
|
329
|
-
data_bag
|
|
330
|
-
environment
|
|
331
|
-
group
|
|
332
|
-
node
|
|
333
|
-
role
|
|
334
|
-
sandbox
|
|
335
|
-
user
|
|
322
|
+
context "ACLs on each type of thing" do
|
|
323
|
+
when_the_chef_server "has an organization named foo", :osc_compat => false, :single_org => false do
|
|
324
|
+
organization "foo" do
|
|
325
|
+
user "u", {}
|
|
326
|
+
client "x", {}
|
|
327
|
+
container "x", {}
|
|
328
|
+
cookbook "x", "1.0.0", {}
|
|
329
|
+
data_bag "x", { "y" => {} }
|
|
330
|
+
environment "x", {}
|
|
331
|
+
group "x", {}
|
|
332
|
+
node "x", {}
|
|
333
|
+
role "x", {}
|
|
334
|
+
sandbox "x", {}
|
|
335
|
+
user "x", {}
|
|
336
336
|
end
|
|
337
337
|
|
|
338
|
-
organization
|
|
339
|
-
user
|
|
340
|
-
node
|
|
338
|
+
organization "bar" do
|
|
339
|
+
user "u", {}
|
|
340
|
+
node "x", {}
|
|
341
341
|
end
|
|
342
342
|
|
|
343
|
-
context
|
|
343
|
+
context "and the chef server URL points at /organizations/foo" do
|
|
344
344
|
before :each do
|
|
345
|
-
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url,
|
|
345
|
+
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, "/organizations/foo").to_s
|
|
346
346
|
end
|
|
347
347
|
|
|
348
|
-
context
|
|
348
|
+
context "relative paths" do
|
|
349
349
|
it "chef_acl 'nodes/x' changes the acls" do
|
|
350
|
-
expect_recipe
|
|
350
|
+
expect_recipe do
|
|
351
351
|
chef_acl "nodes/x" do
|
|
352
|
-
rights :read, users: %w
|
|
352
|
+
rights :read, users: %w{u}
|
|
353
353
|
end
|
|
354
|
-
|
|
355
|
-
expect(get("nodes/x/_acl")).to partially_match(
|
|
354
|
+
end.to be_updated
|
|
355
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
356
356
|
end
|
|
357
357
|
|
|
358
358
|
it "chef_acl '*/*' changes the acls" do
|
|
359
|
-
expect_recipe
|
|
359
|
+
expect_recipe do
|
|
360
360
|
chef_acl "*/*" do
|
|
361
|
-
rights :read, users: %w
|
|
361
|
+
rights :read, users: %w{u}
|
|
362
362
|
end
|
|
363
|
-
|
|
364
|
-
%w
|
|
363
|
+
end.to be_updated
|
|
364
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
365
365
|
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
366
|
-
|
|
366
|
+
"read" => { "actors" => %w{u} })
|
|
367
367
|
end
|
|
368
368
|
end
|
|
369
369
|
end
|
|
370
370
|
|
|
371
|
-
context
|
|
372
|
-
%w
|
|
371
|
+
context "absolute paths" do
|
|
372
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
373
373
|
it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
|
|
374
|
-
expect_recipe
|
|
374
|
+
expect_recipe do
|
|
375
375
|
chef_acl "/organizations/foo/#{type}/x" do
|
|
376
|
-
rights :read, users: %w
|
|
376
|
+
rights :read, users: %w{u}
|
|
377
377
|
end
|
|
378
|
-
|
|
379
|
-
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
378
|
+
end.to be_updated
|
|
379
|
+
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
380
380
|
end
|
|
381
381
|
end
|
|
382
382
|
|
|
383
|
-
%w
|
|
383
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
384
384
|
it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
|
|
385
|
-
expect_recipe
|
|
385
|
+
expect_recipe do
|
|
386
386
|
chef_acl "/organizations/foo/#{type}/x" do
|
|
387
|
-
rights :read, users: %w
|
|
387
|
+
rights :read, users: %w{u}
|
|
388
388
|
end
|
|
389
|
-
|
|
390
|
-
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
389
|
+
end.to be_updated
|
|
390
|
+
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
391
391
|
end
|
|
392
392
|
end
|
|
393
393
|
|
|
394
|
-
%w
|
|
394
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
395
395
|
it "chef_acl '/*/*/#{type}/*' changes the acl" do
|
|
396
|
-
expect_recipe
|
|
396
|
+
expect_recipe do
|
|
397
397
|
chef_acl "/*/*/#{type}/*" do
|
|
398
|
-
rights :read, users: %w
|
|
398
|
+
rights :read, users: %w{u}
|
|
399
399
|
end
|
|
400
|
-
|
|
401
|
-
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
400
|
+
end.to be_updated
|
|
401
|
+
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
402
402
|
end
|
|
403
403
|
end
|
|
404
404
|
|
|
405
405
|
it "chef_acl '/*/*/*/x' changes the acls" do
|
|
406
|
-
expect_recipe
|
|
406
|
+
expect_recipe do
|
|
407
407
|
chef_acl "/*/*/*/x" do
|
|
408
|
-
rights :read, users: %w
|
|
408
|
+
rights :read, users: %w{u}
|
|
409
409
|
end
|
|
410
|
-
|
|
411
|
-
%w
|
|
410
|
+
end.to be_updated
|
|
411
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
412
412
|
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
413
|
-
|
|
413
|
+
"read" => { "actors" => %w{u} })
|
|
414
414
|
end
|
|
415
415
|
end
|
|
416
416
|
|
|
417
417
|
it "chef_acl '/*/*/*/*' changes the acls" do
|
|
418
|
-
expect_recipe
|
|
418
|
+
expect_recipe do
|
|
419
419
|
chef_acl "/*/*/*/*" do
|
|
420
|
-
rights :read, users: %w
|
|
420
|
+
rights :read, users: %w{u}
|
|
421
421
|
end
|
|
422
|
-
|
|
423
|
-
%w
|
|
422
|
+
end.to be_updated
|
|
423
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
424
424
|
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
425
|
-
|
|
425
|
+
"read" => { "actors" => %w{u} })
|
|
426
426
|
end
|
|
427
427
|
end
|
|
428
428
|
|
|
429
429
|
it 'chef_acl "/organizations/foo/data_bags/x" changes the acl' do
|
|
430
|
-
expect_recipe
|
|
431
|
-
chef_acl
|
|
432
|
-
rights :read, users: %w
|
|
430
|
+
expect_recipe do
|
|
431
|
+
chef_acl "/organizations/foo/data_bags/x" do
|
|
432
|
+
rights :read, users: %w{u}
|
|
433
433
|
end
|
|
434
|
-
|
|
435
|
-
expect(get(
|
|
434
|
+
end.to be_updated
|
|
435
|
+
expect(get("/organizations/foo/data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
436
436
|
end
|
|
437
437
|
|
|
438
438
|
it 'chef_acl "/*/*/data_bags/*" changes the acl' do
|
|
439
|
-
expect_recipe
|
|
440
|
-
chef_acl
|
|
441
|
-
rights :read, users: %w
|
|
439
|
+
expect_recipe do
|
|
440
|
+
chef_acl "/*/*/data_bags/*" do
|
|
441
|
+
rights :read, users: %w{u}
|
|
442
442
|
end
|
|
443
|
-
|
|
444
|
-
expect(get(
|
|
443
|
+
end.to be_updated
|
|
444
|
+
expect(get("/organizations/foo/data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
445
445
|
end
|
|
446
446
|
|
|
447
447
|
it "chef_acl '/organizations/foo/cookbooks/x/1.0.0' raises an error" do
|
|
448
|
-
expect_converge
|
|
448
|
+
expect_converge do
|
|
449
449
|
chef_acl "/organizations/foo/cookbooks/x/1.0.0" do
|
|
450
|
-
rights :read, users: %w
|
|
450
|
+
rights :read, users: %w{u}
|
|
451
451
|
end
|
|
452
|
-
|
|
452
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/x/)
|
|
453
453
|
end
|
|
454
454
|
|
|
455
455
|
it "chef_acl '/organizations/foo/cookbooks/*/*' raises an error" do
|
|
456
456
|
pending
|
|
457
|
-
expect_converge
|
|
457
|
+
expect_converge do
|
|
458
458
|
chef_acl "/organizations/foo/cookbooks/*/*" do
|
|
459
|
-
rights :read, users: %w
|
|
459
|
+
rights :read, users: %w{u}
|
|
460
460
|
end
|
|
461
|
-
|
|
461
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/*/)
|
|
462
462
|
end
|
|
463
463
|
|
|
464
464
|
it 'chef_acl "/organizations/foo/data/x/y" raises an error' do
|
|
465
|
-
expect_converge
|
|
466
|
-
chef_acl
|
|
467
|
-
rights :read, users: %w
|
|
465
|
+
expect_converge do
|
|
466
|
+
chef_acl "/organizations/foo/data/x/y" do
|
|
467
|
+
rights :read, users: %w{u}
|
|
468
468
|
end
|
|
469
|
-
|
|
469
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/x/)
|
|
470
470
|
end
|
|
471
471
|
|
|
472
472
|
it 'chef_acl "/organizations/foo/data/*/*" raises an error' do
|
|
473
473
|
pending
|
|
474
|
-
expect_converge
|
|
475
|
-
chef_acl
|
|
476
|
-
rights :read, users: %w
|
|
474
|
+
expect_converge do
|
|
475
|
+
chef_acl "/organizations/foo/data/*/*" do
|
|
476
|
+
rights :read, users: %w{u}
|
|
477
477
|
end
|
|
478
|
-
|
|
478
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/*/)
|
|
479
479
|
end
|
|
480
480
|
|
|
481
481
|
it 'chef_acl "/organizations/foo" changes the acl' do
|
|
482
|
-
expect_recipe
|
|
483
|
-
chef_acl
|
|
484
|
-
rights :read, users: %w
|
|
482
|
+
expect_recipe do
|
|
483
|
+
chef_acl "/organizations/foo" do
|
|
484
|
+
rights :read, users: %w{u}
|
|
485
485
|
end
|
|
486
|
-
|
|
487
|
-
expect(get(
|
|
488
|
-
expect(get(
|
|
486
|
+
end.to be_updated
|
|
487
|
+
expect(get("/organizations/foo/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
488
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
489
489
|
end
|
|
490
490
|
|
|
491
491
|
it 'chef_acl "/organizations/*" changes the acl' do
|
|
492
|
-
expect_recipe
|
|
493
|
-
chef_acl
|
|
494
|
-
rights :read, users: %w
|
|
492
|
+
expect_recipe do
|
|
493
|
+
chef_acl "/organizations/*" do
|
|
494
|
+
rights :read, users: %w{u}
|
|
495
495
|
end
|
|
496
|
-
|
|
497
|
-
expect(get(
|
|
498
|
-
expect(get(
|
|
496
|
+
end.to be_updated
|
|
497
|
+
expect(get("/organizations/foo/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
498
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
499
499
|
end
|
|
500
500
|
|
|
501
501
|
it 'chef_acl "/users/x" changes the acl' do
|
|
502
|
-
expect_recipe
|
|
503
|
-
chef_acl
|
|
504
|
-
rights :read, users: %w
|
|
502
|
+
expect_recipe do
|
|
503
|
+
chef_acl "/users/x" do
|
|
504
|
+
rights :read, users: %w{u}
|
|
505
505
|
end
|
|
506
|
-
|
|
507
|
-
expect(get(
|
|
506
|
+
end.to be_updated
|
|
507
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
508
508
|
end
|
|
509
509
|
|
|
510
510
|
it 'chef_acl "/users/*" changes the acl' do
|
|
511
|
-
expect_recipe
|
|
512
|
-
chef_acl
|
|
513
|
-
rights :read, users: %w
|
|
511
|
+
expect_recipe do
|
|
512
|
+
chef_acl "/users/*" do
|
|
513
|
+
rights :read, users: %w{u}
|
|
514
514
|
end
|
|
515
|
-
|
|
516
|
-
expect(get(
|
|
515
|
+
end.to be_updated
|
|
516
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
517
517
|
end
|
|
518
518
|
|
|
519
519
|
it 'chef_acl "/*/x" changes the acl' do
|
|
520
|
-
expect_recipe
|
|
521
|
-
chef_acl
|
|
522
|
-
rights :read, users: %w
|
|
520
|
+
expect_recipe do
|
|
521
|
+
chef_acl "/*/x" do
|
|
522
|
+
rights :read, users: %w{u}
|
|
523
523
|
end
|
|
524
|
-
|
|
525
|
-
expect(get(
|
|
524
|
+
end.to be_updated
|
|
525
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
526
526
|
end
|
|
527
527
|
|
|
528
528
|
it 'chef_acl "/*/*" changes the acl' do
|
|
529
|
-
expect_recipe
|
|
530
|
-
chef_acl
|
|
531
|
-
rights :read, users: %w
|
|
529
|
+
expect_recipe do
|
|
530
|
+
chef_acl "/*/*" do
|
|
531
|
+
rights :read, users: %w{u}
|
|
532
532
|
end
|
|
533
|
-
|
|
534
|
-
expect(get(
|
|
535
|
-
expect(get(
|
|
533
|
+
end.to be_updated
|
|
534
|
+
expect(get("/organizations/foo/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
535
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
536
536
|
end
|
|
537
537
|
end
|
|
538
538
|
end
|
|
539
539
|
|
|
540
|
-
context
|
|
540
|
+
context "and the chef server URL points at /organizations/bar" do
|
|
541
541
|
before :each do
|
|
542
|
-
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s,
|
|
542
|
+
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, "/organizations/bar").to_s
|
|
543
543
|
end
|
|
544
544
|
|
|
545
545
|
it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
|
|
546
|
-
expect_recipe
|
|
546
|
+
expect_recipe do
|
|
547
547
|
chef_acl "/organizations/foo/nodes/*" do
|
|
548
|
-
rights :read, users: %w
|
|
548
|
+
rights :read, users: %w{u}
|
|
549
549
|
end
|
|
550
|
-
|
|
551
|
-
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match(
|
|
550
|
+
end.to be_updated
|
|
551
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
552
552
|
end
|
|
553
553
|
end
|
|
554
554
|
|
|
555
|
-
context
|
|
555
|
+
context "and the chef server URL points at /" do
|
|
556
556
|
before :each do
|
|
557
|
-
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s,
|
|
557
|
+
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, "/").to_s
|
|
558
558
|
end
|
|
559
559
|
|
|
560
560
|
it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
|
|
561
|
-
expect_recipe
|
|
561
|
+
expect_recipe do
|
|
562
562
|
chef_acl "/organizations/foo/nodes/*" do
|
|
563
|
-
rights :read, users: %w
|
|
563
|
+
rights :read, users: %w{u}
|
|
564
564
|
end
|
|
565
|
-
|
|
566
|
-
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match(
|
|
565
|
+
end.to be_updated
|
|
566
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
567
567
|
end
|
|
568
568
|
end
|
|
569
569
|
end
|
|
570
570
|
|
|
571
571
|
when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
|
|
572
|
-
user
|
|
573
|
-
client
|
|
574
|
-
container
|
|
575
|
-
cookbook
|
|
576
|
-
data_bag
|
|
577
|
-
environment
|
|
578
|
-
group
|
|
579
|
-
node
|
|
580
|
-
role
|
|
581
|
-
sandbox
|
|
582
|
-
user
|
|
583
|
-
|
|
584
|
-
%w
|
|
572
|
+
user "u", {}
|
|
573
|
+
client "x", {}
|
|
574
|
+
container "x", {}
|
|
575
|
+
cookbook "x", "1.0.0", {}
|
|
576
|
+
data_bag "x", { "y" => {} }
|
|
577
|
+
environment "x", {}
|
|
578
|
+
group "x", {}
|
|
579
|
+
node "x", {}
|
|
580
|
+
role "x", {}
|
|
581
|
+
sandbox "x", {}
|
|
582
|
+
user "x", {}
|
|
583
|
+
|
|
584
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
585
585
|
it "chef_acl #{type}/x' changes the acl" do
|
|
586
|
-
expect_recipe
|
|
586
|
+
expect_recipe do
|
|
587
587
|
chef_acl "#{type}/x" do
|
|
588
|
-
rights :read, users: %w
|
|
588
|
+
rights :read, users: %w{u}
|
|
589
589
|
end
|
|
590
|
-
|
|
591
|
-
expect(get("#{type}/x/_acl")).to partially_match(
|
|
590
|
+
end.to be_updated
|
|
591
|
+
expect(get("#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
592
592
|
end
|
|
593
593
|
end
|
|
594
594
|
|
|
595
|
-
%w
|
|
595
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
596
596
|
it "chef_acl '#{type}/*' changes the acl" do
|
|
597
|
-
expect_recipe
|
|
597
|
+
expect_recipe do
|
|
598
598
|
chef_acl "#{type}/*" do
|
|
599
|
-
rights :read, users: %w
|
|
599
|
+
rights :read, users: %w{u}
|
|
600
600
|
end
|
|
601
|
-
|
|
602
|
-
expect(get("#{type}/x/_acl")).to partially_match(
|
|
601
|
+
end.to be_updated
|
|
602
|
+
expect(get("#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
603
603
|
end
|
|
604
604
|
end
|
|
605
605
|
|
|
606
606
|
it "chef_acl '*/x' changes the acls" do
|
|
607
|
-
expect_recipe
|
|
607
|
+
expect_recipe do
|
|
608
608
|
chef_acl "*/x" do
|
|
609
|
-
rights :read, users: %w
|
|
609
|
+
rights :read, users: %w{u}
|
|
610
610
|
end
|
|
611
|
-
|
|
612
|
-
%w
|
|
611
|
+
end.to be_updated
|
|
612
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
613
613
|
expect(get("#{type}/x/_acl")).to partially_match(
|
|
614
|
-
|
|
614
|
+
"read" => { "actors" => %w{u} })
|
|
615
615
|
end
|
|
616
616
|
end
|
|
617
617
|
|
|
618
618
|
it "chef_acl '*/*' changes the acls" do
|
|
619
|
-
expect_recipe
|
|
619
|
+
expect_recipe do
|
|
620
620
|
chef_acl "*/*" do
|
|
621
|
-
rights :read, users: %w
|
|
621
|
+
rights :read, users: %w{u}
|
|
622
622
|
end
|
|
623
|
-
|
|
624
|
-
%w
|
|
623
|
+
end.to be_updated
|
|
624
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
625
625
|
expect(get("#{type}/x/_acl")).to partially_match(
|
|
626
|
-
|
|
626
|
+
"read" => { "actors" => %w{u} })
|
|
627
627
|
end
|
|
628
628
|
end
|
|
629
629
|
|
|
630
630
|
it "chef_acl 'groups/*' changes the acl" do
|
|
631
|
-
expect_recipe
|
|
631
|
+
expect_recipe do
|
|
632
632
|
chef_acl "groups/*" do
|
|
633
|
-
rights :read, users: %w
|
|
633
|
+
rights :read, users: %w{u}
|
|
634
634
|
end
|
|
635
|
-
|
|
636
|
-
%w
|
|
635
|
+
end.to be_updated
|
|
636
|
+
%w{admins billing-admins clients users x}.each do |n|
|
|
637
637
|
expect(get("groups/#{n}/_acl")).to partially_match(
|
|
638
|
-
|
|
638
|
+
"read" => { "actors" => %w{u} })
|
|
639
639
|
end
|
|
640
640
|
end
|
|
641
641
|
|
|
642
642
|
it 'chef_acl "data_bags/x" changes the acl' do
|
|
643
|
-
expect_recipe
|
|
644
|
-
chef_acl
|
|
645
|
-
rights :read, users: %w
|
|
643
|
+
expect_recipe do
|
|
644
|
+
chef_acl "data_bags/x" do
|
|
645
|
+
rights :read, users: %w{u}
|
|
646
646
|
end
|
|
647
|
-
|
|
648
|
-
expect(get(
|
|
647
|
+
end.to be_updated
|
|
648
|
+
expect(get("data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
649
649
|
end
|
|
650
650
|
|
|
651
651
|
it 'chef_acl "data_bags/*" changes the acl' do
|
|
652
|
-
expect_recipe
|
|
653
|
-
chef_acl
|
|
654
|
-
rights :read, users: %w
|
|
652
|
+
expect_recipe do
|
|
653
|
+
chef_acl "data_bags/*" do
|
|
654
|
+
rights :read, users: %w{u}
|
|
655
655
|
end
|
|
656
|
-
|
|
657
|
-
expect(get(
|
|
656
|
+
end.to be_updated
|
|
657
|
+
expect(get("data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
658
658
|
end
|
|
659
659
|
|
|
660
660
|
it 'chef_acl "" changes the organization acl' do
|
|
661
|
-
expect_recipe
|
|
662
|
-
chef_acl
|
|
663
|
-
rights :read, users: %w
|
|
661
|
+
expect_recipe do
|
|
662
|
+
chef_acl "" do
|
|
663
|
+
rights :read, users: %w{u}
|
|
664
664
|
end
|
|
665
|
-
|
|
666
|
-
expect(get(
|
|
667
|
-
expect(get(
|
|
665
|
+
end.to be_updated
|
|
666
|
+
expect(get("/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
667
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
668
668
|
end
|
|
669
669
|
end
|
|
670
670
|
end
|
|
671
671
|
|
|
672
|
-
context
|
|
673
|
-
when_the_chef_server
|
|
674
|
-
organization
|
|
675
|
-
user
|
|
676
|
-
client
|
|
677
|
-
container
|
|
678
|
-
cookbook
|
|
679
|
-
data_bag
|
|
680
|
-
environment
|
|
681
|
-
group
|
|
682
|
-
node
|
|
683
|
-
role
|
|
684
|
-
sandbox
|
|
685
|
-
user
|
|
686
|
-
end
|
|
687
|
-
|
|
688
|
-
%w
|
|
672
|
+
context "ACLs on each container type" do
|
|
673
|
+
when_the_chef_server "has an organization named foo", :osc_compat => false, :single_org => false do
|
|
674
|
+
organization "foo" do
|
|
675
|
+
user "u", {}
|
|
676
|
+
client "x", {}
|
|
677
|
+
container "x", {}
|
|
678
|
+
cookbook "x", "1.0.0", {}
|
|
679
|
+
data_bag "x", { "y" => {} }
|
|
680
|
+
environment "x", {}
|
|
681
|
+
group "x", {}
|
|
682
|
+
node "x", {}
|
|
683
|
+
role "x", {}
|
|
684
|
+
sandbox "x", {}
|
|
685
|
+
user "x", {}
|
|
686
|
+
end
|
|
687
|
+
|
|
688
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
689
689
|
it "chef_acl '/organizations/foo/#{type}' changes the acl" do
|
|
690
|
-
expect_recipe
|
|
690
|
+
expect_recipe do
|
|
691
691
|
chef_acl "/organizations/foo/#{type}" do
|
|
692
|
-
rights :read, users: %w
|
|
692
|
+
rights :read, users: %w{u}
|
|
693
693
|
end
|
|
694
|
-
|
|
695
|
-
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
|
|
694
|
+
end.to be_updated
|
|
695
|
+
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
696
696
|
end
|
|
697
697
|
end
|
|
698
698
|
|
|
699
|
-
%w
|
|
699
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
700
700
|
it "chef_acl '/*/*/#{type}' changes the acl" do
|
|
701
|
-
expect_recipe
|
|
701
|
+
expect_recipe do
|
|
702
702
|
chef_acl "/*/*/#{type}" do
|
|
703
|
-
rights :read, users: %w
|
|
703
|
+
rights :read, users: %w{u}
|
|
704
704
|
end
|
|
705
|
-
|
|
706
|
-
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
|
|
705
|
+
end.to be_updated
|
|
706
|
+
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
707
707
|
end
|
|
708
708
|
end
|
|
709
709
|
|
|
710
710
|
it "chef_acl '/*/*/*' changes the acls" do
|
|
711
|
-
expect_recipe
|
|
711
|
+
expect_recipe do
|
|
712
712
|
chef_acl "/*/*/*" do
|
|
713
|
-
rights :read, users: %w
|
|
713
|
+
rights :read, users: %w{u}
|
|
714
714
|
end
|
|
715
|
-
|
|
716
|
-
%w
|
|
715
|
+
end.to be_updated
|
|
716
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
717
717
|
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
|
|
718
|
-
|
|
718
|
+
"read" => { "actors" => %w{u} })
|
|
719
719
|
end
|
|
720
720
|
end
|
|
721
721
|
|
|
722
722
|
it 'chef_acl "/organizations/foo/data_bags" changes the acl' do
|
|
723
|
-
expect_recipe
|
|
724
|
-
chef_acl
|
|
725
|
-
rights :read, users: %w
|
|
723
|
+
expect_recipe do
|
|
724
|
+
chef_acl "/organizations/foo/data_bags" do
|
|
725
|
+
rights :read, users: %w{u}
|
|
726
726
|
end
|
|
727
|
-
|
|
728
|
-
expect(get(
|
|
727
|
+
end.to be_updated
|
|
728
|
+
expect(get("/organizations/foo/containers/data/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
729
729
|
end
|
|
730
730
|
|
|
731
731
|
it 'chef_acl "/*/*/data_bags" changes the acl' do
|
|
732
|
-
expect_recipe
|
|
733
|
-
chef_acl
|
|
734
|
-
rights :read, users: %w
|
|
732
|
+
expect_recipe do
|
|
733
|
+
chef_acl "/*/*/data_bags" do
|
|
734
|
+
rights :read, users: %w{u}
|
|
735
735
|
end
|
|
736
|
-
|
|
737
|
-
expect(get(
|
|
736
|
+
end.to be_updated
|
|
737
|
+
expect(get("/organizations/foo/containers/data/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
738
738
|
end
|
|
739
739
|
end
|
|
740
740
|
|
|
741
741
|
when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
|
|
742
|
-
user
|
|
743
|
-
client
|
|
744
|
-
container
|
|
745
|
-
cookbook
|
|
746
|
-
data_bag
|
|
747
|
-
environment
|
|
748
|
-
group
|
|
749
|
-
node
|
|
750
|
-
role
|
|
751
|
-
sandbox
|
|
752
|
-
user
|
|
753
|
-
|
|
754
|
-
%w
|
|
742
|
+
user "u", {}
|
|
743
|
+
client "x", {}
|
|
744
|
+
container "x", {}
|
|
745
|
+
cookbook "x", "1.0.0", {}
|
|
746
|
+
data_bag "x", { "y" => {} }
|
|
747
|
+
environment "x", {}
|
|
748
|
+
group "x", {}
|
|
749
|
+
node "x", {}
|
|
750
|
+
role "x", {}
|
|
751
|
+
sandbox "x", {}
|
|
752
|
+
user "x", {}
|
|
753
|
+
|
|
754
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
755
755
|
it "chef_acl #{type}' changes the acl" do
|
|
756
|
-
expect_recipe
|
|
756
|
+
expect_recipe do
|
|
757
757
|
chef_acl "#{type}" do
|
|
758
|
-
rights :read, users: %w
|
|
758
|
+
rights :read, users: %w{u}
|
|
759
759
|
end
|
|
760
|
-
|
|
761
|
-
expect(get("containers/#{type}/_acl")).to partially_match(
|
|
760
|
+
end.to be_updated
|
|
761
|
+
expect(get("containers/#{type}/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
762
762
|
end
|
|
763
763
|
end
|
|
764
764
|
|
|
765
765
|
it "chef_acl '*' changes the acls" do
|
|
766
|
-
expect_recipe
|
|
766
|
+
expect_recipe do
|
|
767
767
|
chef_acl "*" do
|
|
768
|
-
rights :read, users: %w
|
|
768
|
+
rights :read, users: %w{u}
|
|
769
769
|
end
|
|
770
|
-
|
|
771
|
-
%w
|
|
770
|
+
end.to be_updated
|
|
771
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
772
772
|
expect(get("containers/#{type}/_acl")).to partially_match(
|
|
773
|
-
|
|
773
|
+
"read" => { "actors" => %w{u} })
|
|
774
774
|
end
|
|
775
775
|
end
|
|
776
776
|
end
|
|
777
777
|
end
|
|
778
778
|
|
|
779
|
-
context
|
|
779
|
+
context "remove_rights" do
|
|
780
780
|
when_the_chef_server 'has a node "x" with "u", "c" and "g" in its acl', :osc_compat => false do
|
|
781
|
-
user
|
|
782
|
-
user
|
|
783
|
-
client
|
|
784
|
-
client
|
|
785
|
-
group
|
|
786
|
-
group
|
|
787
|
-
node
|
|
788
|
-
acl
|
|
789
|
-
|
|
790
|
-
|
|
781
|
+
user "u", {}
|
|
782
|
+
user "u2", {}
|
|
783
|
+
client "c", {}
|
|
784
|
+
client "c2", {}
|
|
785
|
+
group "g", {}
|
|
786
|
+
group "g2", {}
|
|
787
|
+
node "x", {} do
|
|
788
|
+
acl "create" => { "actors" => %w{u c}, "groups" => [ "g" ] },
|
|
789
|
+
"read" => { "actors" => %w{u c}, "groups" => [ "g" ] },
|
|
790
|
+
"update" => { "actors" => %w{u c}, "groups" => [ "g" ] }
|
|
791
791
|
end
|
|
792
792
|
|
|
793
793
|
it 'chef_acl with remove_rights "u" removes the user\'s rights' do
|
|
794
|
-
expect_recipe
|
|
794
|
+
expect_recipe do
|
|
795
795
|
chef_acl "nodes/x" do
|
|
796
|
-
remove_rights :read, users: %w
|
|
796
|
+
remove_rights :read, users: %w{u}
|
|
797
797
|
end
|
|
798
|
-
|
|
799
|
-
expect(get("nodes/x/_acl")).to partially_match(
|
|
798
|
+
end.to be_updated
|
|
799
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => exclude("u") })
|
|
800
800
|
end
|
|
801
801
|
|
|
802
802
|
it 'chef_acl with remove_rights "c" removes the client\'s rights' do
|
|
803
|
-
expect_recipe
|
|
803
|
+
expect_recipe do
|
|
804
804
|
chef_acl "nodes/x" do
|
|
805
|
-
remove_rights :read, clients: %w
|
|
805
|
+
remove_rights :read, clients: %w{c}
|
|
806
806
|
end
|
|
807
|
-
|
|
808
|
-
expect(get("nodes/x/_acl")).to partially_match(
|
|
807
|
+
end.to be_updated
|
|
808
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => exclude("c") })
|
|
809
809
|
end
|
|
810
810
|
|
|
811
811
|
it 'chef_acl with remove_rights "g" removes the group\'s rights' do
|
|
812
|
-
expect_recipe
|
|
812
|
+
expect_recipe do
|
|
813
813
|
chef_acl "nodes/x" do
|
|
814
|
-
remove_rights :read, groups: %w
|
|
814
|
+
remove_rights :read, groups: %w{g}
|
|
815
815
|
end
|
|
816
|
-
|
|
816
|
+
end.to be_updated
|
|
817
817
|
expect(get("nodes/x/_acl")).to partially_match(
|
|
818
|
-
|
|
818
|
+
"read" => { "groups" => exclude("g") }
|
|
819
819
|
)
|
|
820
820
|
end
|
|
821
821
|
|
|
822
822
|
it 'chef_acl with remove_rights [ :create, :read ], "u", "c", "g" removes all three' do
|
|
823
|
-
expect_recipe
|
|
823
|
+
expect_recipe do
|
|
824
824
|
chef_acl "nodes/x" do
|
|
825
|
-
remove_rights [ :create, :read ], users: %w
|
|
825
|
+
remove_rights [ :create, :read ], users: %w{u}, clients: %w{c}, groups: %w{g}
|
|
826
826
|
end
|
|
827
|
-
|
|
827
|
+
end.to be_updated
|
|
828
828
|
expect(get("nodes/x/_acl")).to partially_match(
|
|
829
|
-
|
|
830
|
-
|
|
829
|
+
"create" => { "actors" => exclude("u").and(exclude("c")), "groups" => exclude("g") },
|
|
830
|
+
"read" => { "actors" => exclude("u").and(exclude("c")), "groups" => exclude("g") }
|
|
831
831
|
)
|
|
832
832
|
end
|
|
833
833
|
|
|
834
834
|
it 'chef_acl with remove_rights "u2", "c2", "g2" has no effect' do
|
|
835
|
-
expect
|
|
836
|
-
expect_recipe
|
|
835
|
+
expect do
|
|
836
|
+
expect_recipe do
|
|
837
837
|
chef_acl "nodes/x" do
|
|
838
|
-
remove_rights :read, users: %w
|
|
838
|
+
remove_rights :read, users: %w{u2}, clients: %w{c2}, groups: %w{g2}
|
|
839
839
|
end
|
|
840
|
-
|
|
841
|
-
|
|
840
|
+
end.to be_up_to_date
|
|
841
|
+
end.not_to change { get("nodes/x/_acl") }
|
|
842
842
|
end
|
|
843
843
|
end
|
|
844
844
|
end
|
|
845
845
|
|
|
846
|
-
when_the_chef_server
|
|
847
|
-
user
|
|
848
|
-
node
|
|
846
|
+
when_the_chef_server "has a node named data_bags", :osc_compat => false do
|
|
847
|
+
user "blarghle", {}
|
|
848
|
+
node "data_bags", {}
|
|
849
849
|
|
|
850
850
|
it 'Converging chef_acl "nodes/data_bags" with user "blarghle" adds the user' do
|
|
851
|
-
expect_recipe
|
|
852
|
-
chef_acl
|
|
853
|
-
rights :read, users: %w
|
|
851
|
+
expect_recipe do
|
|
852
|
+
chef_acl "nodes/data_bags" do
|
|
853
|
+
rights :read, users: %w{blarghle}
|
|
854
854
|
end
|
|
855
|
-
|
|
856
|
-
expect(get(
|
|
855
|
+
end.to be_updated
|
|
856
|
+
expect(get("nodes/data_bags/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
857
857
|
end
|
|
858
858
|
end
|
|
859
859
|
|
|
860
|
-
when_the_chef_server
|
|
861
|
-
user
|
|
862
|
-
organization
|
|
863
|
-
node
|
|
860
|
+
when_the_chef_server "has a node named data_bags in multi-org mode", :osc_compat => false, :single_org => false do
|
|
861
|
+
user "blarghle", {}
|
|
862
|
+
organization "foo" do
|
|
863
|
+
node "data_bags", {}
|
|
864
864
|
end
|
|
865
865
|
|
|
866
866
|
it 'Converging chef_acl "/organizations/foo/nodes/data_bags" with user "blarghle" adds the user' do
|
|
867
|
-
expect_recipe
|
|
868
|
-
chef_acl
|
|
869
|
-
rights :read, users: %w
|
|
867
|
+
expect_recipe do
|
|
868
|
+
chef_acl "/organizations/foo/nodes/data_bags" do
|
|
869
|
+
rights :read, users: %w{blarghle}
|
|
870
870
|
end
|
|
871
|
-
|
|
872
|
-
expect(get(
|
|
871
|
+
end.to be_updated
|
|
872
|
+
expect(get("/organizations/foo/nodes/data_bags/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
873
873
|
end
|
|
874
874
|
end
|
|
875
875
|
|
|
876
|
-
when_the_chef_server
|
|
877
|
-
user
|
|
878
|
-
user
|
|
876
|
+
when_the_chef_server "has a user named data_bags in multi-org mode", :osc_compat => false, :single_org => false do
|
|
877
|
+
user "data_bags", {}
|
|
878
|
+
user "blarghle", {}
|
|
879
879
|
|
|
880
880
|
it 'Converging chef_acl "/users/data_bags" with user "blarghle" adds the user' do
|
|
881
|
-
expect_recipe
|
|
882
|
-
chef_acl
|
|
883
|
-
rights :read, users: %w
|
|
881
|
+
expect_recipe do
|
|
882
|
+
chef_acl "/users/data_bags" do
|
|
883
|
+
rights :read, users: %w{blarghle}
|
|
884
884
|
end
|
|
885
|
-
|
|
886
|
-
expect(get(
|
|
885
|
+
end.to be_updated
|
|
886
|
+
expect(get("/users/data_bags/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
887
887
|
end
|
|
888
888
|
end
|
|
889
889
|
end
|