cheffish 4.0.0 → 4.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile +8 -8
- data/Rakefile +24 -12
- data/cheffish.gemspec +15 -15
- data/lib/chef/resource/chef_acl.rb +63 -63
- data/lib/chef/resource/chef_client.rb +9 -9
- data/lib/chef/resource/chef_container.rb +9 -9
- data/lib/chef/resource/chef_data_bag.rb +9 -9
- data/lib/chef/resource/chef_data_bag_item.rb +27 -27
- data/lib/chef/resource/chef_environment.rb +21 -22
- data/lib/chef/resource/chef_group.rb +19 -19
- data/lib/chef/resource/chef_mirror.rb +32 -17
- data/lib/chef/resource/chef_node.rb +14 -14
- data/lib/chef/resource/chef_organization.rb +29 -30
- data/lib/chef/resource/chef_resolved_cookbooks.rb +7 -7
- data/lib/chef/resource/chef_role.rb +25 -22
- data/lib/chef/resource/chef_user.rb +13 -14
- data/lib/chef/resource/private_key.rb +24 -25
- data/lib/chef/resource/public_key.rb +6 -7
- data/lib/cheffish.rb +17 -17
- data/lib/cheffish/array_property.rb +2 -2
- data/lib/cheffish/base_properties.rb +3 -3
- data/lib/cheffish/base_resource.rb +8 -8
- data/lib/cheffish/basic_chef_client.rb +17 -17
- data/lib/cheffish/chef_actor_base.rb +8 -8
- data/lib/cheffish/chef_run.rb +7 -2
- data/lib/cheffish/chef_run_data.rb +2 -2
- data/lib/cheffish/chef_run_listener.rb +1 -1
- data/lib/cheffish/key_formatter.rb +16 -18
- data/lib/cheffish/merged_config.rb +5 -3
- data/lib/cheffish/node_properties.rb +11 -7
- data/lib/cheffish/recipe_dsl.rb +33 -34
- data/lib/cheffish/rspec.rb +3 -3
- data/lib/cheffish/rspec/chef_run_support.rb +13 -13
- data/lib/cheffish/rspec/matchers.rb +4 -4
- data/lib/cheffish/rspec/matchers/be_idempotent.rb +3 -3
- data/lib/cheffish/rspec/matchers/emit_no_warnings_or_errors.rb +3 -3
- data/lib/cheffish/rspec/matchers/have_updated.rb +3 -3
- data/lib/cheffish/rspec/recipe_run_wrapper.rb +8 -7
- data/lib/cheffish/rspec/repository_support.rb +6 -6
- data/lib/cheffish/server_api.rb +11 -11
- data/lib/cheffish/version.rb +1 -1
- data/spec/functional/fingerprint_spec.rb +12 -12
- data/spec/functional/merged_config_spec.rb +46 -6
- data/spec/functional/server_api_spec.rb +3 -3
- data/spec/integration/chef_acl_spec.rb +489 -489
- data/spec/integration/chef_client_spec.rb +39 -39
- data/spec/integration/chef_container_spec.rb +14 -14
- data/spec/integration/chef_data_bag_item_spec.rb +9 -9
- data/spec/integration/chef_group_spec.rb +219 -219
- data/spec/integration/chef_mirror_spec.rb +228 -228
- data/spec/integration/chef_node_spec.rb +511 -511
- data/spec/integration/chef_organization_spec.rb +126 -126
- data/spec/integration/chef_role_spec.rb +33 -33
- data/spec/integration/chef_user_spec.rb +37 -37
- data/spec/integration/private_key_spec.rb +154 -154
- data/spec/integration/recipe_dsl_spec.rb +10 -10
- data/spec/integration/rspec/converge_spec.rb +49 -49
- data/spec/support/key_support.rb +6 -6
- data/spec/support/spec_support.rb +3 -3
- data/spec/unit/get_private_key_spec.rb +19 -19
- data/spec/unit/recipe_run_wrapper_spec.rb +4 -4
- metadata +3 -3
data/lib/cheffish/server_api.rb
CHANGED
|
@@ -16,15 +16,15 @@
|
|
|
16
16
|
# limitations under the License.
|
|
17
17
|
#
|
|
18
18
|
|
|
19
|
-
require
|
|
20
|
-
require
|
|
21
|
-
require
|
|
22
|
-
require
|
|
23
|
-
require
|
|
24
|
-
require
|
|
25
|
-
require
|
|
26
|
-
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new(
|
|
27
|
-
require
|
|
19
|
+
require "chef/version"
|
|
20
|
+
require "chef/http"
|
|
21
|
+
require "chef/http/authenticator"
|
|
22
|
+
require "chef/http/cookie_manager"
|
|
23
|
+
require "chef/http/decompressor"
|
|
24
|
+
require "chef/http/json_input"
|
|
25
|
+
require "chef/http/json_output"
|
|
26
|
+
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new("11.12")
|
|
27
|
+
require "chef/http/remote_request_id"
|
|
28
28
|
end
|
|
29
29
|
|
|
30
30
|
module Cheffish
|
|
@@ -34,7 +34,7 @@ module Cheffish
|
|
|
34
34
|
def initialize(url, options = {})
|
|
35
35
|
super(url, options)
|
|
36
36
|
root_url = URI.parse(url)
|
|
37
|
-
root_url.path =
|
|
37
|
+
root_url.path = ""
|
|
38
38
|
@root_url = root_url.to_s
|
|
39
39
|
end
|
|
40
40
|
|
|
@@ -45,7 +45,7 @@ module Cheffish
|
|
|
45
45
|
use Chef::HTTP::CookieManager
|
|
46
46
|
use Chef::HTTP::Decompressor
|
|
47
47
|
use Chef::HTTP::Authenticator
|
|
48
|
-
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new(
|
|
48
|
+
if Gem::Version.new(Chef::VERSION) >= Gem::Version.new("11.12")
|
|
49
49
|
use Chef::HTTP::RemoteRequestID
|
|
50
50
|
end
|
|
51
51
|
end
|
data/lib/cheffish/version.rb
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
require
|
|
2
|
-
require
|
|
1
|
+
require "cheffish/key_formatter"
|
|
2
|
+
require "support/key_support"
|
|
3
3
|
|
|
4
|
-
describe
|
|
4
|
+
describe "Cheffish fingerprint key formatter" do
|
|
5
5
|
|
|
6
6
|
# Sample key: 0x9a6fa4c43b328c3d04c1fbc0498539218b6728e41cd35f6d27d491ef705f0b2083dc1ac977da19f54ba82b044773f20667e9627c543abb3b41b6eb9e4318ca3c68f487bbd0f1c9eea9a3101b7d1d180983c5440ac4183e78e9e256fa687d8aac63b21617a4b02b35bf5e307a3b76961a16cd8493e923536b34cc2b2da8d45220d57ef2243b081b555b84f1da0ade0e896c2aa96911b41430b59eaf75dbffb7eaa7c5b3a686f2d47a24e3b7f1acb0844f84a2fedc63660ae366b800cd9448093d6b1d96503ebb7807b48257e16c3d8a7c9a8cc5dd63116aa673bd9e09754de09358486e743e34c6a3642eeb64b2208efc96df39151572557a75638bd059c21a55 = 0xd6e92677d4e1d2aa6d14f87b5f49ee6916c6b92411536254fae4a21e82eebb0a40600247c701c1c938b21ca9f25b7b330c35fded57b4de3a951e83329a80bdbf2ba138fe2f190bffce43967b5fa93b179367bcd15cb1db7f9e3ab62caca95dc9489b62bc0a10b53841b932455a43409f96eed90dc80abc8cce5593ead8f0a26d * 0xb7f68cd427045788d5e315375f71d3a416784ec2597776a60ed77c821294d9bd66e96658bdcb43072cee0c849d297bd9f94991738f1a0df313ceb51b093a9372f12a61987f40e7a03d773911deb270916a574962ae8ff4f2d8bfcedee1c885e9c3e54212471636a6330b05b78c3a7ddf96b013be389a08ab7971db2f68fb2689
|
|
7
7
|
|
|
@@ -34,27 +34,27 @@ EOF
|
|
|
34
34
|
|
|
35
35
|
def key_to_format(key, format)
|
|
36
36
|
keyobj, f = Cheffish::KeyFormatter.decode(key)
|
|
37
|
-
Cheffish::KeyFormatter.encode(keyobj, {:format => format})
|
|
37
|
+
Cheffish::KeyFormatter.encode(keyobj, { :format => format })
|
|
38
38
|
end
|
|
39
39
|
|
|
40
|
-
context
|
|
40
|
+
context "when computing key fingperprints" do
|
|
41
41
|
|
|
42
|
-
it
|
|
42
|
+
it "computes the PKCS#8 SHA1 private key fingerprint correctly", :pending => (RUBY_VERSION.to_f >= 2.0) do
|
|
43
43
|
expect(key_to_format(sample_private_key, :pkcs8sha1fingerprint)).to eq(
|
|
44
|
-
|
|
44
|
+
"88:7e:3a:bd:26:9f:b5:c5:d8:ae:52:f9:df:0b:64:a4:5c:17:0a:87")
|
|
45
45
|
end
|
|
46
46
|
|
|
47
|
-
it
|
|
47
|
+
it "computes the PKCS#1 MD5 public key fingerprint correctly" do
|
|
48
48
|
expect(key_to_format(sample_public_key, :pkcs1md5fingerprint)).to eq(
|
|
49
|
-
|
|
49
|
+
"1f:e8:da:c1:16:c3:72:7d:90:e2:b7:64:c4:b4:55:20")
|
|
50
50
|
end
|
|
51
51
|
|
|
52
|
-
it
|
|
52
|
+
it "computes the RFC4716 MD5 public key fingerprint correctly" do
|
|
53
53
|
expect(key_to_format(sample_public_key, :rfc4716md5fingerprint)).to eq(
|
|
54
|
-
|
|
54
|
+
"b0:13:4f:da:cf:8c:dc:a7:4a:1f:d2:3a:51:92:cf:6b")
|
|
55
55
|
end
|
|
56
56
|
|
|
57
|
-
it
|
|
57
|
+
it "defaults to the PKCS#1 MD5 public key fingerprint" do
|
|
58
58
|
expect(key_to_format(sample_public_key, :fingerprint)).to eq(
|
|
59
59
|
key_to_format(sample_public_key, :pkcs1md5fingerprint))
|
|
60
60
|
end
|
|
@@ -1,20 +1,60 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "cheffish/merged_config"
|
|
2
2
|
|
|
3
3
|
describe "merged_config" do
|
|
4
4
|
|
|
5
5
|
let(:config) do
|
|
6
|
-
|
|
6
|
+
Cheffish::MergedConfig.new({ :test => "val" })
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
let(:collision) do
|
|
10
|
+
c1 = { :test1 => "c1.1", "test2" => "c1.2" }
|
|
11
|
+
c2 = { "test1" => "c2.1", "test3" => "c2.3" }
|
|
12
|
+
Cheffish::MergedConfig.new(c1, c2)
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
let(:config_mismatch) do
|
|
16
|
+
c1 = { :test => { :test => "val" } }
|
|
17
|
+
c2 = { :test => [2, 3, 4] }
|
|
18
|
+
Cheffish::MergedConfig.new(c1, c2)
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
let(:config_hashes) do
|
|
22
|
+
c1 = { :test => { :test => "val" } }
|
|
23
|
+
c2 = { :test => { :test2 => "val2" } }
|
|
24
|
+
Cheffish::MergedConfig.new(c1, c2)
|
|
7
25
|
end
|
|
8
26
|
|
|
9
27
|
it "returns value in config" do
|
|
10
|
-
expect(config.test).to eq(
|
|
28
|
+
expect(config.test).to eq("val")
|
|
11
29
|
end
|
|
12
30
|
|
|
13
31
|
it "raises a NoMethodError if calling an unknown method with arguments" do
|
|
14
|
-
expect{config.merge({:some =>
|
|
32
|
+
expect { config.merge({ :some => "hash" }) }.to raise_error(NoMethodError)
|
|
15
33
|
end
|
|
16
34
|
|
|
17
35
|
it "has an informative string representation" do
|
|
18
|
-
|
|
36
|
+
expect("#{config}").to eq("{\"test\"=>\"val\"}")
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
it "has indifferent str/sym access" do
|
|
40
|
+
expect(config["test"]).to eq("val")
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
it "respects precedence between the different configs" do
|
|
44
|
+
expect(collision["test1"]).to eq("c1.1")
|
|
45
|
+
expect(collision[:test1]).to eq("c1.1")
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
it "merges the configs" do
|
|
49
|
+
expect(collision[:test2]).to eq("c1.2")
|
|
50
|
+
expect(collision[:test3]).to eq("c2.3")
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
it "handle merged value type mismatch" do
|
|
54
|
+
expect(config_mismatch[:test]).to eq("test" => "val")
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
it "merges values when they're hashes" do
|
|
58
|
+
expect(config_hashes[:test].keys).to eq(%w{test test2})
|
|
19
59
|
end
|
|
20
|
-
end
|
|
60
|
+
end
|
|
@@ -1,13 +1,13 @@
|
|
|
1
|
-
require
|
|
1
|
+
require "cheffish"
|
|
2
2
|
|
|
3
3
|
describe "api version" do
|
|
4
4
|
|
|
5
5
|
let(:server_api) do
|
|
6
|
-
|
|
6
|
+
Cheffish.chef_server_api({ :chef_server_url => "my.chef.server" })
|
|
7
7
|
end
|
|
8
8
|
|
|
9
9
|
it "is pinned to 0" do
|
|
10
|
-
expect(Cheffish::ServerAPI).to receive(:new).with("my.chef.server", {api_version: "0"})
|
|
10
|
+
expect(Cheffish::ServerAPI).to receive(:new).with("my.chef.server", { api_version: "0" })
|
|
11
11
|
server_api
|
|
12
12
|
end
|
|
13
13
|
end
|
|
@@ -1,889 +1,889 @@
|
|
|
1
|
-
require
|
|
2
|
-
require
|
|
3
|
-
require
|
|
4
|
-
require
|
|
1
|
+
require "support/spec_support"
|
|
2
|
+
require "cheffish/rspec/chef_run_support"
|
|
3
|
+
require "chef_zero/version"
|
|
4
|
+
require "uri"
|
|
5
5
|
|
|
6
|
-
if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new(
|
|
6
|
+
if Gem::Version.new(ChefZero::VERSION) >= Gem::Version.new("3.1")
|
|
7
7
|
describe Chef::Resource::ChefAcl do
|
|
8
8
|
extend Cheffish::RSpec::ChefRunSupport
|
|
9
9
|
|
|
10
10
|
# let(:chef_config) { super().merge(log_level: :debug, stdout: STDOUT, stderr: STDERR, log_location: STDOUT) }
|
|
11
11
|
|
|
12
12
|
context "Rights attributes" do
|
|
13
|
-
when_the_chef_server
|
|
14
|
-
node
|
|
13
|
+
when_the_chef_server "has a node named x", :osc_compat => false do
|
|
14
|
+
node "x", {}
|
|
15
15
|
|
|
16
16
|
it 'Converging chef_acl "nodes/x" changes nothing' do
|
|
17
|
-
expect_recipe
|
|
18
|
-
chef_acl
|
|
19
|
-
|
|
20
|
-
expect(get(
|
|
17
|
+
expect_recipe do
|
|
18
|
+
chef_acl "nodes/x"
|
|
19
|
+
end.to be_up_to_date
|
|
20
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
21
21
|
end
|
|
22
22
|
|
|
23
23
|
it 'Converging chef_acl "nodes/x" with "complete true" and no rights raises an error' do
|
|
24
|
-
expect_converge
|
|
25
|
-
chef_acl
|
|
24
|
+
expect_converge do
|
|
25
|
+
chef_acl "nodes/x" do
|
|
26
26
|
complete true
|
|
27
27
|
end
|
|
28
|
-
|
|
28
|
+
end.to raise_error(RuntimeError)
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
-
it
|
|
32
|
-
expect_converge
|
|
33
|
-
chef_acl
|
|
34
|
-
remove_rights :grant, users: %w
|
|
31
|
+
it "Removing all :grant rights from a node raises an error" do
|
|
32
|
+
expect_converge do
|
|
33
|
+
chef_acl "nodes/x" do
|
|
34
|
+
remove_rights :grant, users: %w{pivotal}, groups: %w{admins users clients}
|
|
35
35
|
end
|
|
36
|
-
|
|
36
|
+
end.to raise_error(RuntimeError)
|
|
37
37
|
end
|
|
38
38
|
|
|
39
39
|
context 'and a user "blarghle"' do
|
|
40
|
-
user
|
|
40
|
+
user "blarghle", {}
|
|
41
41
|
|
|
42
42
|
it 'Converging chef_acl "nodes/x" with user "blarghle" adds the user' do
|
|
43
|
-
expect_recipe
|
|
44
|
-
chef_acl
|
|
45
|
-
rights :read, users: %w
|
|
43
|
+
expect_recipe do
|
|
44
|
+
chef_acl "nodes/x" do
|
|
45
|
+
rights :read, users: %w{blarghle}
|
|
46
46
|
end
|
|
47
|
-
|
|
48
|
-
expect(get(
|
|
47
|
+
end.to be_updated
|
|
48
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
49
49
|
end
|
|
50
50
|
|
|
51
51
|
it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified' do
|
|
52
|
-
expect_recipe
|
|
53
|
-
chef_acl
|
|
54
|
-
rights :grant, users: %w
|
|
52
|
+
expect_recipe do
|
|
53
|
+
chef_acl "nodes/x" do
|
|
54
|
+
rights :grant, users: %w{blarghle}
|
|
55
55
|
complete true
|
|
56
56
|
end
|
|
57
|
-
|
|
58
|
-
expect(get(
|
|
59
|
-
"create"=>{"actors"=>[], "groups"=>[]},
|
|
60
|
-
"read"
|
|
61
|
-
"update"=>{"actors"=>[], "groups"=>[]},
|
|
62
|
-
"delete"=>{"actors"=>[], "groups"=>[]},
|
|
63
|
-
"grant" =>{"actors"=>["blarghle"], "groups"=>[]}
|
|
57
|
+
end.to be_updated
|
|
58
|
+
expect(get("nodes/x/_acl")).to eq(
|
|
59
|
+
"create" => { "actors" => [], "groups" => [] },
|
|
60
|
+
"read" => { "actors" => [], "groups" => [] },
|
|
61
|
+
"update" => { "actors" => [], "groups" => [] },
|
|
62
|
+
"delete" => { "actors" => [], "groups" => [] },
|
|
63
|
+
"grant" => { "actors" => ["blarghle"], "groups" => [] }
|
|
64
64
|
)
|
|
65
65
|
end
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
it 'Converging chef_acl "nodes/x" with "complete true" removes all ACLs except those specified in :all' do
|
|
69
|
-
expect_recipe
|
|
70
|
-
chef_acl
|
|
71
|
-
rights :all, users: %w
|
|
69
|
+
expect_recipe do
|
|
70
|
+
chef_acl "nodes/x" do
|
|
71
|
+
rights :all, users: %w{blarghle}
|
|
72
72
|
complete true
|
|
73
73
|
end
|
|
74
|
-
|
|
75
|
-
expect(get(
|
|
76
|
-
"create"=>{"actors"=>["blarghle"], "groups"=>[]},
|
|
77
|
-
"read"
|
|
78
|
-
"update"=>{"actors"=>["blarghle"], "groups"=>[]},
|
|
79
|
-
"delete"=>{"actors"=>["blarghle"], "groups"=>[]},
|
|
80
|
-
"grant" =>{"actors"=>["blarghle"], "groups"=>[]}
|
|
74
|
+
end.to be_updated
|
|
75
|
+
expect(get("nodes/x/_acl")).to eq(
|
|
76
|
+
"create" => { "actors" => ["blarghle"], "groups" => [] },
|
|
77
|
+
"read" => { "actors" => ["blarghle"], "groups" => [] },
|
|
78
|
+
"update" => { "actors" => ["blarghle"], "groups" => [] },
|
|
79
|
+
"delete" => { "actors" => ["blarghle"], "groups" => [] },
|
|
80
|
+
"grant" => { "actors" => ["blarghle"], "groups" => [] }
|
|
81
81
|
)
|
|
82
82
|
end
|
|
83
83
|
|
|
84
84
|
context 'and a client "blarghle"' do
|
|
85
|
-
user
|
|
85
|
+
user "blarghle", {}
|
|
86
86
|
|
|
87
87
|
it 'Converging chef_acl "nodes/x" with client "blarghle" adds the client' do
|
|
88
|
-
expect_recipe
|
|
89
|
-
chef_acl
|
|
90
|
-
rights :read, clients: %w
|
|
88
|
+
expect_recipe do
|
|
89
|
+
chef_acl "nodes/x" do
|
|
90
|
+
rights :read, clients: %w{blarghle}
|
|
91
91
|
end
|
|
92
|
-
|
|
93
|
-
expect(get(
|
|
92
|
+
end.to be_updated
|
|
93
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
94
94
|
end
|
|
95
95
|
end
|
|
96
96
|
|
|
97
97
|
context 'and a group "blarghle"' do
|
|
98
|
-
group
|
|
98
|
+
group "blarghle", {}
|
|
99
99
|
|
|
100
100
|
it 'Converging chef_acl "nodes/x" with group "blarghle" adds the group' do
|
|
101
|
-
expect_recipe
|
|
102
|
-
chef_acl
|
|
103
|
-
rights :read, groups: %w
|
|
101
|
+
expect_recipe do
|
|
102
|
+
chef_acl "nodes/x" do
|
|
103
|
+
rights :read, groups: %w{blarghle}
|
|
104
104
|
end
|
|
105
|
-
|
|
106
|
-
expect(get(
|
|
107
|
-
end
|
|
108
|
-
end
|
|
109
|
-
|
|
110
|
-
context
|
|
111
|
-
user
|
|
112
|
-
user
|
|
113
|
-
user
|
|
114
|
-
client
|
|
115
|
-
client
|
|
116
|
-
client
|
|
117
|
-
group
|
|
118
|
-
group
|
|
119
|
-
group
|
|
120
|
-
|
|
121
|
-
it
|
|
122
|
-
expect_recipe
|
|
123
|
-
chef_acl
|
|
124
|
-
rights :create, users:
|
|
105
|
+
end.to be_updated
|
|
106
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "groups" => %w{blarghle} })
|
|
107
|
+
end
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
context "and multiple users and groups" do
|
|
111
|
+
user "u1", {}
|
|
112
|
+
user "u2", {}
|
|
113
|
+
user "u3", {}
|
|
114
|
+
client "c1", {}
|
|
115
|
+
client "c2", {}
|
|
116
|
+
client "c3", {}
|
|
117
|
+
group "g1", {}
|
|
118
|
+
group "g2", {}
|
|
119
|
+
group "g3", {}
|
|
120
|
+
|
|
121
|
+
it "Converging chef_acls should ignore order of the values in the acls" do
|
|
122
|
+
expect_recipe do
|
|
123
|
+
chef_acl "nodes/x" do
|
|
124
|
+
rights :create, users: %w{u1 u2 u3}, clients: %w{c1 c2 c3}, groups: %w{g1 g2 g3}
|
|
125
125
|
end
|
|
126
|
-
|
|
127
|
-
expect_recipe
|
|
128
|
-
chef_acl
|
|
129
|
-
rights :create, users:
|
|
126
|
+
end.to be_updated
|
|
127
|
+
expect_recipe do
|
|
128
|
+
chef_acl "nodes/x" do
|
|
129
|
+
rights :create, users: %w{u2 u3 u1}, clients: %w{c3 c2 c1}, groups: %w{g1 g2 g3}
|
|
130
130
|
end
|
|
131
|
-
|
|
131
|
+
end.to be_up_to_date
|
|
132
132
|
end
|
|
133
133
|
|
|
134
134
|
it 'Converging chef_acl "nodes/x" with multiple groups, users and clients in an acl makes the appropriate changes' do
|
|
135
|
-
expect_recipe
|
|
136
|
-
chef_acl
|
|
137
|
-
rights :create, users:
|
|
135
|
+
expect_recipe do
|
|
136
|
+
chef_acl "nodes/x" do
|
|
137
|
+
rights :create, users: %w{u1 u2 u3}, clients: %w{c1 c2 c3}, groups: %w{g1 g2 g3}
|
|
138
138
|
end
|
|
139
|
-
|
|
140
|
-
expect(get(
|
|
141
|
-
|
|
139
|
+
end.to be_updated
|
|
140
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
141
|
+
"create" => { "groups" => %w{g1 g2 g3}, "actors" => %w{u1 u2 u3 c1 c2 c3} }
|
|
142
142
|
)
|
|
143
143
|
end
|
|
144
144
|
|
|
145
145
|
it 'Converging chef_acl "nodes/x" with multiple groups, users and clients across multiple "rights" groups makes the appropriate changes' do
|
|
146
|
-
expect_recipe
|
|
147
|
-
chef_acl
|
|
148
|
-
rights :create, users: %w
|
|
149
|
-
rights :create, users: %w
|
|
150
|
-
rights :read, users: %w
|
|
151
|
-
rights :read, groups: %w
|
|
146
|
+
expect_recipe do
|
|
147
|
+
chef_acl "nodes/x" do
|
|
148
|
+
rights :create, users: %w{u1}, clients: %w{c1}, groups: %w{g1}
|
|
149
|
+
rights :create, users: %w{u2 u3}, clients: %w{c2 c3}, groups: %w{g2}
|
|
150
|
+
rights :read, users: %w{u1}
|
|
151
|
+
rights :read, groups: %w{g1}
|
|
152
152
|
end
|
|
153
|
-
|
|
154
|
-
expect(get(
|
|
155
|
-
|
|
156
|
-
|
|
153
|
+
end.to be_updated
|
|
154
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
155
|
+
"create" => { "groups" => %w{g1 g2}, "actors" => %w{u1 u2 u3 c1 c2 c3} },
|
|
156
|
+
"read" => { "groups" => %w{g1}, "actors" => %w{u1} }
|
|
157
157
|
)
|
|
158
158
|
end
|
|
159
159
|
|
|
160
160
|
it 'Converging chef_acl "nodes/x" with rights [ :read, :create, :update, :delete, :grant ] modifies all rights' do
|
|
161
|
-
expect_recipe
|
|
162
|
-
chef_acl
|
|
163
|
-
rights [ :create, :read, :update, :delete, :grant ], users:
|
|
161
|
+
expect_recipe do
|
|
162
|
+
chef_acl "nodes/x" do
|
|
163
|
+
rights [ :create, :read, :update, :delete, :grant ], users: %w{u1 u2}, clients: %w{c1}, groups: %w{g1}
|
|
164
164
|
end
|
|
165
|
-
|
|
166
|
-
expect(get(
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
165
|
+
end.to be_updated
|
|
166
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
167
|
+
"create" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
168
|
+
"read" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
169
|
+
"update" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
170
|
+
"delete" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
171
|
+
"grant" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} }
|
|
172
172
|
)
|
|
173
173
|
end
|
|
174
174
|
|
|
175
175
|
it 'Converging chef_acl "nodes/x" with rights :all modifies all rights' do
|
|
176
|
-
expect_recipe
|
|
177
|
-
chef_acl
|
|
178
|
-
rights :all, users:
|
|
176
|
+
expect_recipe do
|
|
177
|
+
chef_acl "nodes/x" do
|
|
178
|
+
rights :all, users: %w{u1 u2}, clients: %w{c1}, groups: %w{g1}
|
|
179
179
|
end
|
|
180
|
-
|
|
181
|
-
expect(get(
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
180
|
+
end.to be_updated
|
|
181
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
182
|
+
"create" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
183
|
+
"read" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
184
|
+
"update" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
185
|
+
"delete" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} },
|
|
186
|
+
"grant" => { "groups" => %w{g1}, "actors" => %w{u1 u2 c1} }
|
|
187
187
|
)
|
|
188
188
|
end
|
|
189
189
|
end
|
|
190
190
|
|
|
191
191
|
it 'Converging chef_acl "nodes/y" throws a 404' do
|
|
192
|
-
expect_converge
|
|
193
|
-
chef_acl
|
|
194
|
-
|
|
192
|
+
expect_converge do
|
|
193
|
+
chef_acl "nodes/y"
|
|
194
|
+
end.to raise_error(Net::HTTPServerException)
|
|
195
195
|
end
|
|
196
196
|
end
|
|
197
197
|
|
|
198
|
-
when_the_chef_server
|
|
199
|
-
user
|
|
200
|
-
node
|
|
201
|
-
acl
|
|
198
|
+
when_the_chef_server "has a node named x with user blarghle in its acl", :osc_compat => false do
|
|
199
|
+
user "blarghle", {}
|
|
200
|
+
node "x", {} do
|
|
201
|
+
acl "read" => { "actors" => %w{blarghle} }
|
|
202
202
|
end
|
|
203
203
|
|
|
204
204
|
it 'Converging chef_acl "nodes/x" with that user changes nothing' do
|
|
205
|
-
expect_recipe
|
|
206
|
-
chef_acl
|
|
207
|
-
rights :read, users: %w
|
|
205
|
+
expect_recipe do
|
|
206
|
+
chef_acl "nodes/x" do
|
|
207
|
+
rights :read, users: %w{blarghle}
|
|
208
208
|
end
|
|
209
|
-
|
|
210
|
-
expect(get(
|
|
209
|
+
end.to be_up_to_date
|
|
210
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
211
211
|
end
|
|
212
212
|
end
|
|
213
213
|
|
|
214
|
-
when_the_chef_server
|
|
215
|
-
user
|
|
216
|
-
user
|
|
217
|
-
node
|
|
218
|
-
acl
|
|
219
|
-
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
214
|
+
when_the_chef_server "has a node named x with users foo and bar in all its acls", :osc_compat => false do
|
|
215
|
+
user "foo", {}
|
|
216
|
+
user "bar", {}
|
|
217
|
+
node "x", {} do
|
|
218
|
+
acl "create" => { "actors" => %w{foo bar} },
|
|
219
|
+
"read" => { "actors" => %w{foo bar} },
|
|
220
|
+
"update" => { "actors" => %w{foo bar} },
|
|
221
|
+
"delete" => { "actors" => %w{foo bar} },
|
|
222
|
+
"grant" => { "actors" => %w{foo bar} }
|
|
223
223
|
end
|
|
224
224
|
|
|
225
225
|
it 'Converging chef_acl "nodes/x" with remove_rights :all removes foo from everything' do
|
|
226
|
-
expect_recipe
|
|
227
|
-
chef_acl
|
|
228
|
-
remove_rights :all, users: %w
|
|
229
|
-
end
|
|
230
|
-
|
|
231
|
-
expect(get(
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
226
|
+
expect_recipe do
|
|
227
|
+
chef_acl "nodes/x" do
|
|
228
|
+
remove_rights :all, users: %w{foo}
|
|
229
|
+
end
|
|
230
|
+
end.to be_updated
|
|
231
|
+
expect(get("nodes/x/_acl")).to partially_match(
|
|
232
|
+
"create" => { "actors" => exclude("foo") },
|
|
233
|
+
"read" => { "actors" => exclude("foo") },
|
|
234
|
+
"update" => { "actors" => exclude("foo") },
|
|
235
|
+
"delete" => { "actors" => exclude("foo") },
|
|
236
|
+
"grant" => { "actors" => exclude("foo") }
|
|
237
237
|
)
|
|
238
238
|
end
|
|
239
239
|
end
|
|
240
240
|
|
|
241
241
|
::RSpec::Matchers.define_negated_matcher :exclude, :include
|
|
242
242
|
|
|
243
|
-
context
|
|
244
|
-
when_the_chef_server
|
|
245
|
-
user
|
|
246
|
-
acl_for
|
|
247
|
-
node
|
|
248
|
-
acl
|
|
243
|
+
context "recursive" do
|
|
244
|
+
when_the_chef_server "has a nodes container with user blarghle in its acl", :osc_compat => false do
|
|
245
|
+
user "blarghle", {}
|
|
246
|
+
acl_for "containers/nodes", "read" => { "actors" => %w{blarghle} }
|
|
247
|
+
node "x", {} do
|
|
248
|
+
acl "read" => { "actors" => [] }
|
|
249
249
|
end
|
|
250
250
|
|
|
251
251
|
it 'Converging chef_acl "nodes" makes no changes' do
|
|
252
|
-
expect
|
|
253
|
-
expect_recipe
|
|
254
|
-
chef_acl
|
|
255
|
-
rights :read, users: %w
|
|
252
|
+
expect do
|
|
253
|
+
expect_recipe do
|
|
254
|
+
chef_acl "nodes" do
|
|
255
|
+
rights :read, users: %w{blarghle}
|
|
256
256
|
end
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
and not_change { get(
|
|
257
|
+
end.to be_up_to_date
|
|
258
|
+
end.to not_change { get("containers/nodes/_acl") }.
|
|
259
|
+
and not_change { get("nodes/x/_acl") }
|
|
260
260
|
end
|
|
261
261
|
|
|
262
262
|
RSpec::Matchers.define_negated_matcher :not_change, :change
|
|
263
263
|
|
|
264
264
|
it 'Converging chef_acl "nodes" with recursive :on_change makes no changes' do
|
|
265
|
-
expect
|
|
266
|
-
expect_recipe
|
|
267
|
-
chef_acl
|
|
268
|
-
rights :read, users: %w
|
|
265
|
+
expect do
|
|
266
|
+
expect_recipe do
|
|
267
|
+
chef_acl "nodes" do
|
|
268
|
+
rights :read, users: %w{blarghle}
|
|
269
269
|
recursive :on_change
|
|
270
270
|
end
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
and not_change { get(
|
|
271
|
+
end.to be_up_to_date
|
|
272
|
+
end.to not_change { get("containers/nodes/_acl") }.
|
|
273
|
+
and not_change { get("nodes/x/_acl") }
|
|
274
274
|
end
|
|
275
275
|
|
|
276
276
|
it 'Converging chef_acl "nodes" with recursive true changes nodes/x\'s acls' do
|
|
277
|
-
expect_recipe
|
|
278
|
-
chef_acl
|
|
279
|
-
rights :read, users: %w
|
|
277
|
+
expect_recipe do
|
|
278
|
+
chef_acl "nodes" do
|
|
279
|
+
rights :read, users: %w{blarghle}
|
|
280
280
|
recursive true
|
|
281
281
|
end
|
|
282
|
-
|
|
283
|
-
expect(get(
|
|
282
|
+
end.to be_updated
|
|
283
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
284
284
|
end
|
|
285
285
|
|
|
286
286
|
it 'Converging chef_acl "" with recursive false does not change nodes/x\'s acls' do
|
|
287
|
-
expect_recipe
|
|
288
|
-
chef_acl
|
|
289
|
-
rights :read, users: %w
|
|
287
|
+
expect_recipe do
|
|
288
|
+
chef_acl "" do
|
|
289
|
+
rights :read, users: %w{blarghle}
|
|
290
290
|
recursive false
|
|
291
291
|
end
|
|
292
|
-
|
|
293
|
-
expect(get(
|
|
294
|
-
expect(get(
|
|
292
|
+
end.to be_updated
|
|
293
|
+
expect(get("containers/nodes/_acl")).to partially_match({})
|
|
294
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
295
295
|
end
|
|
296
296
|
|
|
297
297
|
it 'Converging chef_acl "" with recursive :on_change does not change nodes/x\'s acls' do
|
|
298
|
-
expect_recipe
|
|
299
|
-
chef_acl
|
|
300
|
-
rights :read, users: %w
|
|
298
|
+
expect_recipe do
|
|
299
|
+
chef_acl "" do
|
|
300
|
+
rights :read, users: %w{blarghle}
|
|
301
301
|
recursive :on_change
|
|
302
302
|
end
|
|
303
|
-
|
|
304
|
-
expect(get(
|
|
305
|
-
expect(get(
|
|
303
|
+
end.to be_updated
|
|
304
|
+
expect(get("containers/nodes/_acl")).to partially_match({})
|
|
305
|
+
expect(get("nodes/x/_acl")).to partially_match({})
|
|
306
306
|
end
|
|
307
307
|
|
|
308
308
|
it 'Converging chef_acl "" with recursive true changes nodes/x\'s acls' do
|
|
309
|
-
expect_recipe
|
|
310
|
-
chef_acl
|
|
311
|
-
rights :read, users: %w
|
|
309
|
+
expect_recipe do
|
|
310
|
+
chef_acl "" do
|
|
311
|
+
rights :read, users: %w{blarghle}
|
|
312
312
|
recursive true
|
|
313
313
|
end
|
|
314
|
-
|
|
315
|
-
expect(get(
|
|
316
|
-
expect(get(
|
|
314
|
+
end.to be_updated
|
|
315
|
+
expect(get("/organizations/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
316
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
317
317
|
end
|
|
318
318
|
end
|
|
319
319
|
end
|
|
320
320
|
end
|
|
321
321
|
|
|
322
|
-
context
|
|
323
|
-
when_the_chef_server
|
|
324
|
-
organization
|
|
325
|
-
user
|
|
326
|
-
client
|
|
327
|
-
container
|
|
328
|
-
cookbook
|
|
329
|
-
data_bag
|
|
330
|
-
environment
|
|
331
|
-
group
|
|
332
|
-
node
|
|
333
|
-
role
|
|
334
|
-
sandbox
|
|
335
|
-
user
|
|
322
|
+
context "ACLs on each type of thing" do
|
|
323
|
+
when_the_chef_server "has an organization named foo", :osc_compat => false, :single_org => false do
|
|
324
|
+
organization "foo" do
|
|
325
|
+
user "u", {}
|
|
326
|
+
client "x", {}
|
|
327
|
+
container "x", {}
|
|
328
|
+
cookbook "x", "1.0.0", {}
|
|
329
|
+
data_bag "x", { "y" => {} }
|
|
330
|
+
environment "x", {}
|
|
331
|
+
group "x", {}
|
|
332
|
+
node "x", {}
|
|
333
|
+
role "x", {}
|
|
334
|
+
sandbox "x", {}
|
|
335
|
+
user "x", {}
|
|
336
336
|
end
|
|
337
337
|
|
|
338
|
-
organization
|
|
339
|
-
user
|
|
340
|
-
node
|
|
338
|
+
organization "bar" do
|
|
339
|
+
user "u", {}
|
|
340
|
+
node "x", {}
|
|
341
341
|
end
|
|
342
342
|
|
|
343
|
-
context
|
|
343
|
+
context "and the chef server URL points at /organizations/foo" do
|
|
344
344
|
before :each do
|
|
345
|
-
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url,
|
|
345
|
+
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url, "/organizations/foo").to_s
|
|
346
346
|
end
|
|
347
347
|
|
|
348
|
-
context
|
|
348
|
+
context "relative paths" do
|
|
349
349
|
it "chef_acl 'nodes/x' changes the acls" do
|
|
350
|
-
expect_recipe
|
|
350
|
+
expect_recipe do
|
|
351
351
|
chef_acl "nodes/x" do
|
|
352
|
-
rights :read, users: %w
|
|
352
|
+
rights :read, users: %w{u}
|
|
353
353
|
end
|
|
354
|
-
|
|
355
|
-
expect(get("nodes/x/_acl")).to partially_match(
|
|
354
|
+
end.to be_updated
|
|
355
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
356
356
|
end
|
|
357
357
|
|
|
358
358
|
it "chef_acl '*/*' changes the acls" do
|
|
359
|
-
expect_recipe
|
|
359
|
+
expect_recipe do
|
|
360
360
|
chef_acl "*/*" do
|
|
361
|
-
rights :read, users: %w
|
|
361
|
+
rights :read, users: %w{u}
|
|
362
362
|
end
|
|
363
|
-
|
|
364
|
-
%w
|
|
363
|
+
end.to be_updated
|
|
364
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
365
365
|
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
366
|
-
|
|
366
|
+
"read" => { "actors" => %w{u} })
|
|
367
367
|
end
|
|
368
368
|
end
|
|
369
369
|
end
|
|
370
370
|
|
|
371
|
-
context
|
|
372
|
-
%w
|
|
371
|
+
context "absolute paths" do
|
|
372
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
373
373
|
it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
|
|
374
|
-
expect_recipe
|
|
374
|
+
expect_recipe do
|
|
375
375
|
chef_acl "/organizations/foo/#{type}/x" do
|
|
376
|
-
rights :read, users: %w
|
|
376
|
+
rights :read, users: %w{u}
|
|
377
377
|
end
|
|
378
|
-
|
|
379
|
-
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
378
|
+
end.to be_updated
|
|
379
|
+
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
380
380
|
end
|
|
381
381
|
end
|
|
382
382
|
|
|
383
|
-
%w
|
|
383
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
384
384
|
it "chef_acl '/organizations/foo/#{type}/x' changes the acl" do
|
|
385
|
-
expect_recipe
|
|
385
|
+
expect_recipe do
|
|
386
386
|
chef_acl "/organizations/foo/#{type}/x" do
|
|
387
|
-
rights :read, users: %w
|
|
387
|
+
rights :read, users: %w{u}
|
|
388
388
|
end
|
|
389
|
-
|
|
390
|
-
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
389
|
+
end.to be_updated
|
|
390
|
+
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
391
391
|
end
|
|
392
392
|
end
|
|
393
393
|
|
|
394
|
-
%w
|
|
394
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
395
395
|
it "chef_acl '/*/*/#{type}/*' changes the acl" do
|
|
396
|
-
expect_recipe
|
|
396
|
+
expect_recipe do
|
|
397
397
|
chef_acl "/*/*/#{type}/*" do
|
|
398
|
-
rights :read, users: %w
|
|
398
|
+
rights :read, users: %w{u}
|
|
399
399
|
end
|
|
400
|
-
|
|
401
|
-
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
400
|
+
end.to be_updated
|
|
401
|
+
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
402
402
|
end
|
|
403
403
|
end
|
|
404
404
|
|
|
405
405
|
it "chef_acl '/*/*/*/x' changes the acls" do
|
|
406
|
-
expect_recipe
|
|
406
|
+
expect_recipe do
|
|
407
407
|
chef_acl "/*/*/*/x" do
|
|
408
|
-
rights :read, users: %w
|
|
408
|
+
rights :read, users: %w{u}
|
|
409
409
|
end
|
|
410
|
-
|
|
411
|
-
%w
|
|
410
|
+
end.to be_updated
|
|
411
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
412
412
|
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
413
|
-
|
|
413
|
+
"read" => { "actors" => %w{u} })
|
|
414
414
|
end
|
|
415
415
|
end
|
|
416
416
|
|
|
417
417
|
it "chef_acl '/*/*/*/*' changes the acls" do
|
|
418
|
-
expect_recipe
|
|
418
|
+
expect_recipe do
|
|
419
419
|
chef_acl "/*/*/*/*" do
|
|
420
|
-
rights :read, users: %w
|
|
420
|
+
rights :read, users: %w{u}
|
|
421
421
|
end
|
|
422
|
-
|
|
423
|
-
%w
|
|
422
|
+
end.to be_updated
|
|
423
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
424
424
|
expect(get("/organizations/foo/#{type}/x/_acl")).to partially_match(
|
|
425
|
-
|
|
425
|
+
"read" => { "actors" => %w{u} })
|
|
426
426
|
end
|
|
427
427
|
end
|
|
428
428
|
|
|
429
429
|
it 'chef_acl "/organizations/foo/data_bags/x" changes the acl' do
|
|
430
|
-
expect_recipe
|
|
431
|
-
chef_acl
|
|
432
|
-
rights :read, users: %w
|
|
430
|
+
expect_recipe do
|
|
431
|
+
chef_acl "/organizations/foo/data_bags/x" do
|
|
432
|
+
rights :read, users: %w{u}
|
|
433
433
|
end
|
|
434
|
-
|
|
435
|
-
expect(get(
|
|
434
|
+
end.to be_updated
|
|
435
|
+
expect(get("/organizations/foo/data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
436
436
|
end
|
|
437
437
|
|
|
438
438
|
it 'chef_acl "/*/*/data_bags/*" changes the acl' do
|
|
439
|
-
expect_recipe
|
|
440
|
-
chef_acl
|
|
441
|
-
rights :read, users: %w
|
|
439
|
+
expect_recipe do
|
|
440
|
+
chef_acl "/*/*/data_bags/*" do
|
|
441
|
+
rights :read, users: %w{u}
|
|
442
442
|
end
|
|
443
|
-
|
|
444
|
-
expect(get(
|
|
443
|
+
end.to be_updated
|
|
444
|
+
expect(get("/organizations/foo/data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
445
445
|
end
|
|
446
446
|
|
|
447
447
|
it "chef_acl '/organizations/foo/cookbooks/x/1.0.0' raises an error" do
|
|
448
|
-
expect_converge
|
|
448
|
+
expect_converge do
|
|
449
449
|
chef_acl "/organizations/foo/cookbooks/x/1.0.0" do
|
|
450
|
-
rights :read, users: %w
|
|
450
|
+
rights :read, users: %w{u}
|
|
451
451
|
end
|
|
452
|
-
|
|
452
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/x/)
|
|
453
453
|
end
|
|
454
454
|
|
|
455
455
|
it "chef_acl '/organizations/foo/cookbooks/*/*' raises an error" do
|
|
456
456
|
pending
|
|
457
|
-
expect_converge
|
|
457
|
+
expect_converge do
|
|
458
458
|
chef_acl "/organizations/foo/cookbooks/*/*" do
|
|
459
|
-
rights :read, users: %w
|
|
459
|
+
rights :read, users: %w{u}
|
|
460
460
|
end
|
|
461
|
-
|
|
461
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/cookbooks\/*/)
|
|
462
462
|
end
|
|
463
463
|
|
|
464
464
|
it 'chef_acl "/organizations/foo/data/x/y" raises an error' do
|
|
465
|
-
expect_converge
|
|
466
|
-
chef_acl
|
|
467
|
-
rights :read, users: %w
|
|
465
|
+
expect_converge do
|
|
466
|
+
chef_acl "/organizations/foo/data/x/y" do
|
|
467
|
+
rights :read, users: %w{u}
|
|
468
468
|
end
|
|
469
|
-
|
|
469
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/x/)
|
|
470
470
|
end
|
|
471
471
|
|
|
472
472
|
it 'chef_acl "/organizations/foo/data/*/*" raises an error' do
|
|
473
473
|
pending
|
|
474
|
-
expect_converge
|
|
475
|
-
chef_acl
|
|
476
|
-
rights :read, users: %w
|
|
474
|
+
expect_converge do
|
|
475
|
+
chef_acl "/organizations/foo/data/*/*" do
|
|
476
|
+
rights :read, users: %w{u}
|
|
477
477
|
end
|
|
478
|
-
|
|
478
|
+
end.to raise_error(/ACLs cannot be set on children of \/organizations\/foo\/data\/*/)
|
|
479
479
|
end
|
|
480
480
|
|
|
481
481
|
it 'chef_acl "/organizations/foo" changes the acl' do
|
|
482
|
-
expect_recipe
|
|
483
|
-
chef_acl
|
|
484
|
-
rights :read, users: %w
|
|
482
|
+
expect_recipe do
|
|
483
|
+
chef_acl "/organizations/foo" do
|
|
484
|
+
rights :read, users: %w{u}
|
|
485
485
|
end
|
|
486
|
-
|
|
487
|
-
expect(get(
|
|
488
|
-
expect(get(
|
|
486
|
+
end.to be_updated
|
|
487
|
+
expect(get("/organizations/foo/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
488
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
489
489
|
end
|
|
490
490
|
|
|
491
491
|
it 'chef_acl "/organizations/*" changes the acl' do
|
|
492
|
-
expect_recipe
|
|
493
|
-
chef_acl
|
|
494
|
-
rights :read, users: %w
|
|
492
|
+
expect_recipe do
|
|
493
|
+
chef_acl "/organizations/*" do
|
|
494
|
+
rights :read, users: %w{u}
|
|
495
495
|
end
|
|
496
|
-
|
|
497
|
-
expect(get(
|
|
498
|
-
expect(get(
|
|
496
|
+
end.to be_updated
|
|
497
|
+
expect(get("/organizations/foo/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
498
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
499
499
|
end
|
|
500
500
|
|
|
501
501
|
it 'chef_acl "/users/x" changes the acl' do
|
|
502
|
-
expect_recipe
|
|
503
|
-
chef_acl
|
|
504
|
-
rights :read, users: %w
|
|
502
|
+
expect_recipe do
|
|
503
|
+
chef_acl "/users/x" do
|
|
504
|
+
rights :read, users: %w{u}
|
|
505
505
|
end
|
|
506
|
-
|
|
507
|
-
expect(get(
|
|
506
|
+
end.to be_updated
|
|
507
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
508
508
|
end
|
|
509
509
|
|
|
510
510
|
it 'chef_acl "/users/*" changes the acl' do
|
|
511
|
-
expect_recipe
|
|
512
|
-
chef_acl
|
|
513
|
-
rights :read, users: %w
|
|
511
|
+
expect_recipe do
|
|
512
|
+
chef_acl "/users/*" do
|
|
513
|
+
rights :read, users: %w{u}
|
|
514
514
|
end
|
|
515
|
-
|
|
516
|
-
expect(get(
|
|
515
|
+
end.to be_updated
|
|
516
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
517
517
|
end
|
|
518
518
|
|
|
519
519
|
it 'chef_acl "/*/x" changes the acl' do
|
|
520
|
-
expect_recipe
|
|
521
|
-
chef_acl
|
|
522
|
-
rights :read, users: %w
|
|
520
|
+
expect_recipe do
|
|
521
|
+
chef_acl "/*/x" do
|
|
522
|
+
rights :read, users: %w{u}
|
|
523
523
|
end
|
|
524
|
-
|
|
525
|
-
expect(get(
|
|
524
|
+
end.to be_updated
|
|
525
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
526
526
|
end
|
|
527
527
|
|
|
528
528
|
it 'chef_acl "/*/*" changes the acl' do
|
|
529
|
-
expect_recipe
|
|
530
|
-
chef_acl
|
|
531
|
-
rights :read, users: %w
|
|
529
|
+
expect_recipe do
|
|
530
|
+
chef_acl "/*/*" do
|
|
531
|
+
rights :read, users: %w{u}
|
|
532
532
|
end
|
|
533
|
-
|
|
534
|
-
expect(get(
|
|
535
|
-
expect(get(
|
|
533
|
+
end.to be_updated
|
|
534
|
+
expect(get("/organizations/foo/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
535
|
+
expect(get("/users/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
536
536
|
end
|
|
537
537
|
end
|
|
538
538
|
end
|
|
539
539
|
|
|
540
|
-
context
|
|
540
|
+
context "and the chef server URL points at /organizations/bar" do
|
|
541
541
|
before :each do
|
|
542
|
-
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s,
|
|
542
|
+
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, "/organizations/bar").to_s
|
|
543
543
|
end
|
|
544
544
|
|
|
545
545
|
it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
|
|
546
|
-
expect_recipe
|
|
546
|
+
expect_recipe do
|
|
547
547
|
chef_acl "/organizations/foo/nodes/*" do
|
|
548
|
-
rights :read, users: %w
|
|
548
|
+
rights :read, users: %w{u}
|
|
549
549
|
end
|
|
550
|
-
|
|
551
|
-
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match(
|
|
550
|
+
end.to be_updated
|
|
551
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
552
552
|
end
|
|
553
553
|
end
|
|
554
554
|
|
|
555
|
-
context
|
|
555
|
+
context "and the chef server URL points at /" do
|
|
556
556
|
before :each do
|
|
557
|
-
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s,
|
|
557
|
+
Chef::Config.chef_server_url = URI.join(Chef::Config.chef_server_url.to_s, "/").to_s
|
|
558
558
|
end
|
|
559
559
|
|
|
560
560
|
it "chef_acl '/organizations/foo/nodes/*' changes the acl" do
|
|
561
|
-
expect_recipe
|
|
561
|
+
expect_recipe do
|
|
562
562
|
chef_acl "/organizations/foo/nodes/*" do
|
|
563
|
-
rights :read, users: %w
|
|
563
|
+
rights :read, users: %w{u}
|
|
564
564
|
end
|
|
565
|
-
|
|
566
|
-
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match(
|
|
565
|
+
end.to be_updated
|
|
566
|
+
expect(get("/organizations/foo/nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
567
567
|
end
|
|
568
568
|
end
|
|
569
569
|
end
|
|
570
570
|
|
|
571
571
|
when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
|
|
572
|
-
user
|
|
573
|
-
client
|
|
574
|
-
container
|
|
575
|
-
cookbook
|
|
576
|
-
data_bag
|
|
577
|
-
environment
|
|
578
|
-
group
|
|
579
|
-
node
|
|
580
|
-
role
|
|
581
|
-
sandbox
|
|
582
|
-
user
|
|
583
|
-
|
|
584
|
-
%w
|
|
572
|
+
user "u", {}
|
|
573
|
+
client "x", {}
|
|
574
|
+
container "x", {}
|
|
575
|
+
cookbook "x", "1.0.0", {}
|
|
576
|
+
data_bag "x", { "y" => {} }
|
|
577
|
+
environment "x", {}
|
|
578
|
+
group "x", {}
|
|
579
|
+
node "x", {}
|
|
580
|
+
role "x", {}
|
|
581
|
+
sandbox "x", {}
|
|
582
|
+
user "x", {}
|
|
583
|
+
|
|
584
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
585
585
|
it "chef_acl #{type}/x' changes the acl" do
|
|
586
|
-
expect_recipe
|
|
586
|
+
expect_recipe do
|
|
587
587
|
chef_acl "#{type}/x" do
|
|
588
|
-
rights :read, users: %w
|
|
588
|
+
rights :read, users: %w{u}
|
|
589
589
|
end
|
|
590
|
-
|
|
591
|
-
expect(get("#{type}/x/_acl")).to partially_match(
|
|
590
|
+
end.to be_updated
|
|
591
|
+
expect(get("#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
592
592
|
end
|
|
593
593
|
end
|
|
594
594
|
|
|
595
|
-
%w
|
|
595
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
596
596
|
it "chef_acl '#{type}/*' changes the acl" do
|
|
597
|
-
expect_recipe
|
|
597
|
+
expect_recipe do
|
|
598
598
|
chef_acl "#{type}/*" do
|
|
599
|
-
rights :read, users: %w
|
|
599
|
+
rights :read, users: %w{u}
|
|
600
600
|
end
|
|
601
|
-
|
|
602
|
-
expect(get("#{type}/x/_acl")).to partially_match(
|
|
601
|
+
end.to be_updated
|
|
602
|
+
expect(get("#{type}/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
603
603
|
end
|
|
604
604
|
end
|
|
605
605
|
|
|
606
606
|
it "chef_acl '*/x' changes the acls" do
|
|
607
|
-
expect_recipe
|
|
607
|
+
expect_recipe do
|
|
608
608
|
chef_acl "*/x" do
|
|
609
|
-
rights :read, users: %w
|
|
609
|
+
rights :read, users: %w{u}
|
|
610
610
|
end
|
|
611
|
-
|
|
612
|
-
%w
|
|
611
|
+
end.to be_updated
|
|
612
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
613
613
|
expect(get("#{type}/x/_acl")).to partially_match(
|
|
614
|
-
|
|
614
|
+
"read" => { "actors" => %w{u} })
|
|
615
615
|
end
|
|
616
616
|
end
|
|
617
617
|
|
|
618
618
|
it "chef_acl '*/*' changes the acls" do
|
|
619
|
-
expect_recipe
|
|
619
|
+
expect_recipe do
|
|
620
620
|
chef_acl "*/*" do
|
|
621
|
-
rights :read, users: %w
|
|
621
|
+
rights :read, users: %w{u}
|
|
622
622
|
end
|
|
623
|
-
|
|
624
|
-
%w
|
|
623
|
+
end.to be_updated
|
|
624
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
625
625
|
expect(get("#{type}/x/_acl")).to partially_match(
|
|
626
|
-
|
|
626
|
+
"read" => { "actors" => %w{u} })
|
|
627
627
|
end
|
|
628
628
|
end
|
|
629
629
|
|
|
630
630
|
it "chef_acl 'groups/*' changes the acl" do
|
|
631
|
-
expect_recipe
|
|
631
|
+
expect_recipe do
|
|
632
632
|
chef_acl "groups/*" do
|
|
633
|
-
rights :read, users: %w
|
|
633
|
+
rights :read, users: %w{u}
|
|
634
634
|
end
|
|
635
|
-
|
|
636
|
-
%w
|
|
635
|
+
end.to be_updated
|
|
636
|
+
%w{admins billing-admins clients users x}.each do |n|
|
|
637
637
|
expect(get("groups/#{n}/_acl")).to partially_match(
|
|
638
|
-
|
|
638
|
+
"read" => { "actors" => %w{u} })
|
|
639
639
|
end
|
|
640
640
|
end
|
|
641
641
|
|
|
642
642
|
it 'chef_acl "data_bags/x" changes the acl' do
|
|
643
|
-
expect_recipe
|
|
644
|
-
chef_acl
|
|
645
|
-
rights :read, users: %w
|
|
643
|
+
expect_recipe do
|
|
644
|
+
chef_acl "data_bags/x" do
|
|
645
|
+
rights :read, users: %w{u}
|
|
646
646
|
end
|
|
647
|
-
|
|
648
|
-
expect(get(
|
|
647
|
+
end.to be_updated
|
|
648
|
+
expect(get("data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
649
649
|
end
|
|
650
650
|
|
|
651
651
|
it 'chef_acl "data_bags/*" changes the acl' do
|
|
652
|
-
expect_recipe
|
|
653
|
-
chef_acl
|
|
654
|
-
rights :read, users: %w
|
|
652
|
+
expect_recipe do
|
|
653
|
+
chef_acl "data_bags/*" do
|
|
654
|
+
rights :read, users: %w{u}
|
|
655
655
|
end
|
|
656
|
-
|
|
657
|
-
expect(get(
|
|
656
|
+
end.to be_updated
|
|
657
|
+
expect(get("data/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
658
658
|
end
|
|
659
659
|
|
|
660
660
|
it 'chef_acl "" changes the organization acl' do
|
|
661
|
-
expect_recipe
|
|
662
|
-
chef_acl
|
|
663
|
-
rights :read, users: %w
|
|
661
|
+
expect_recipe do
|
|
662
|
+
chef_acl "" do
|
|
663
|
+
rights :read, users: %w{u}
|
|
664
664
|
end
|
|
665
|
-
|
|
666
|
-
expect(get(
|
|
667
|
-
expect(get(
|
|
665
|
+
end.to be_updated
|
|
666
|
+
expect(get("/organizations/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
667
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
668
668
|
end
|
|
669
669
|
end
|
|
670
670
|
end
|
|
671
671
|
|
|
672
|
-
context
|
|
673
|
-
when_the_chef_server
|
|
674
|
-
organization
|
|
675
|
-
user
|
|
676
|
-
client
|
|
677
|
-
container
|
|
678
|
-
cookbook
|
|
679
|
-
data_bag
|
|
680
|
-
environment
|
|
681
|
-
group
|
|
682
|
-
node
|
|
683
|
-
role
|
|
684
|
-
sandbox
|
|
685
|
-
user
|
|
686
|
-
end
|
|
687
|
-
|
|
688
|
-
%w
|
|
672
|
+
context "ACLs on each container type" do
|
|
673
|
+
when_the_chef_server "has an organization named foo", :osc_compat => false, :single_org => false do
|
|
674
|
+
organization "foo" do
|
|
675
|
+
user "u", {}
|
|
676
|
+
client "x", {}
|
|
677
|
+
container "x", {}
|
|
678
|
+
cookbook "x", "1.0.0", {}
|
|
679
|
+
data_bag "x", { "y" => {} }
|
|
680
|
+
environment "x", {}
|
|
681
|
+
group "x", {}
|
|
682
|
+
node "x", {}
|
|
683
|
+
role "x", {}
|
|
684
|
+
sandbox "x", {}
|
|
685
|
+
user "x", {}
|
|
686
|
+
end
|
|
687
|
+
|
|
688
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
689
689
|
it "chef_acl '/organizations/foo/#{type}' changes the acl" do
|
|
690
|
-
expect_recipe
|
|
690
|
+
expect_recipe do
|
|
691
691
|
chef_acl "/organizations/foo/#{type}" do
|
|
692
|
-
rights :read, users: %w
|
|
692
|
+
rights :read, users: %w{u}
|
|
693
693
|
end
|
|
694
|
-
|
|
695
|
-
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
|
|
694
|
+
end.to be_updated
|
|
695
|
+
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
696
696
|
end
|
|
697
697
|
end
|
|
698
698
|
|
|
699
|
-
%w
|
|
699
|
+
%w{clients containers cookbooks data environments groups nodes roles}.each do |type|
|
|
700
700
|
it "chef_acl '/*/*/#{type}' changes the acl" do
|
|
701
|
-
expect_recipe
|
|
701
|
+
expect_recipe do
|
|
702
702
|
chef_acl "/*/*/#{type}" do
|
|
703
|
-
rights :read, users: %w
|
|
703
|
+
rights :read, users: %w{u}
|
|
704
704
|
end
|
|
705
|
-
|
|
706
|
-
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
|
|
705
|
+
end.to be_updated
|
|
706
|
+
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
707
707
|
end
|
|
708
708
|
end
|
|
709
709
|
|
|
710
710
|
it "chef_acl '/*/*/*' changes the acls" do
|
|
711
|
-
expect_recipe
|
|
711
|
+
expect_recipe do
|
|
712
712
|
chef_acl "/*/*/*" do
|
|
713
|
-
rights :read, users: %w
|
|
713
|
+
rights :read, users: %w{u}
|
|
714
714
|
end
|
|
715
|
-
|
|
716
|
-
%w
|
|
715
|
+
end.to be_updated
|
|
716
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
717
717
|
expect(get("/organizations/foo/containers/#{type}/_acl")).to partially_match(
|
|
718
|
-
|
|
718
|
+
"read" => { "actors" => %w{u} })
|
|
719
719
|
end
|
|
720
720
|
end
|
|
721
721
|
|
|
722
722
|
it 'chef_acl "/organizations/foo/data_bags" changes the acl' do
|
|
723
|
-
expect_recipe
|
|
724
|
-
chef_acl
|
|
725
|
-
rights :read, users: %w
|
|
723
|
+
expect_recipe do
|
|
724
|
+
chef_acl "/organizations/foo/data_bags" do
|
|
725
|
+
rights :read, users: %w{u}
|
|
726
726
|
end
|
|
727
|
-
|
|
728
|
-
expect(get(
|
|
727
|
+
end.to be_updated
|
|
728
|
+
expect(get("/organizations/foo/containers/data/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
729
729
|
end
|
|
730
730
|
|
|
731
731
|
it 'chef_acl "/*/*/data_bags" changes the acl' do
|
|
732
|
-
expect_recipe
|
|
733
|
-
chef_acl
|
|
734
|
-
rights :read, users: %w
|
|
732
|
+
expect_recipe do
|
|
733
|
+
chef_acl "/*/*/data_bags" do
|
|
734
|
+
rights :read, users: %w{u}
|
|
735
735
|
end
|
|
736
|
-
|
|
737
|
-
expect(get(
|
|
736
|
+
end.to be_updated
|
|
737
|
+
expect(get("/organizations/foo/containers/data/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
738
738
|
end
|
|
739
739
|
end
|
|
740
740
|
|
|
741
741
|
when_the_chef_server 'has a user "u" in single org mode', :osc_compat => false do
|
|
742
|
-
user
|
|
743
|
-
client
|
|
744
|
-
container
|
|
745
|
-
cookbook
|
|
746
|
-
data_bag
|
|
747
|
-
environment
|
|
748
|
-
group
|
|
749
|
-
node
|
|
750
|
-
role
|
|
751
|
-
sandbox
|
|
752
|
-
user
|
|
753
|
-
|
|
754
|
-
%w
|
|
742
|
+
user "u", {}
|
|
743
|
+
client "x", {}
|
|
744
|
+
container "x", {}
|
|
745
|
+
cookbook "x", "1.0.0", {}
|
|
746
|
+
data_bag "x", { "y" => {} }
|
|
747
|
+
environment "x", {}
|
|
748
|
+
group "x", {}
|
|
749
|
+
node "x", {}
|
|
750
|
+
role "x", {}
|
|
751
|
+
sandbox "x", {}
|
|
752
|
+
user "x", {}
|
|
753
|
+
|
|
754
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
755
755
|
it "chef_acl #{type}' changes the acl" do
|
|
756
|
-
expect_recipe
|
|
756
|
+
expect_recipe do
|
|
757
757
|
chef_acl "#{type}" do
|
|
758
|
-
rights :read, users: %w
|
|
758
|
+
rights :read, users: %w{u}
|
|
759
759
|
end
|
|
760
|
-
|
|
761
|
-
expect(get("containers/#{type}/_acl")).to partially_match(
|
|
760
|
+
end.to be_updated
|
|
761
|
+
expect(get("containers/#{type}/_acl")).to partially_match("read" => { "actors" => %w{u} })
|
|
762
762
|
end
|
|
763
763
|
end
|
|
764
764
|
|
|
765
765
|
it "chef_acl '*' changes the acls" do
|
|
766
|
-
expect_recipe
|
|
766
|
+
expect_recipe do
|
|
767
767
|
chef_acl "*" do
|
|
768
|
-
rights :read, users: %w
|
|
768
|
+
rights :read, users: %w{u}
|
|
769
769
|
end
|
|
770
|
-
|
|
771
|
-
%w
|
|
770
|
+
end.to be_updated
|
|
771
|
+
%w{clients containers cookbooks data environments groups nodes roles sandboxes}.each do |type|
|
|
772
772
|
expect(get("containers/#{type}/_acl")).to partially_match(
|
|
773
|
-
|
|
773
|
+
"read" => { "actors" => %w{u} })
|
|
774
774
|
end
|
|
775
775
|
end
|
|
776
776
|
end
|
|
777
777
|
end
|
|
778
778
|
|
|
779
|
-
context
|
|
779
|
+
context "remove_rights" do
|
|
780
780
|
when_the_chef_server 'has a node "x" with "u", "c" and "g" in its acl', :osc_compat => false do
|
|
781
|
-
user
|
|
782
|
-
user
|
|
783
|
-
client
|
|
784
|
-
client
|
|
785
|
-
group
|
|
786
|
-
group
|
|
787
|
-
node
|
|
788
|
-
acl
|
|
789
|
-
|
|
790
|
-
|
|
781
|
+
user "u", {}
|
|
782
|
+
user "u2", {}
|
|
783
|
+
client "c", {}
|
|
784
|
+
client "c2", {}
|
|
785
|
+
group "g", {}
|
|
786
|
+
group "g2", {}
|
|
787
|
+
node "x", {} do
|
|
788
|
+
acl "create" => { "actors" => %w{u c}, "groups" => [ "g" ] },
|
|
789
|
+
"read" => { "actors" => %w{u c}, "groups" => [ "g" ] },
|
|
790
|
+
"update" => { "actors" => %w{u c}, "groups" => [ "g" ] }
|
|
791
791
|
end
|
|
792
792
|
|
|
793
793
|
it 'chef_acl with remove_rights "u" removes the user\'s rights' do
|
|
794
|
-
expect_recipe
|
|
794
|
+
expect_recipe do
|
|
795
795
|
chef_acl "nodes/x" do
|
|
796
|
-
remove_rights :read, users: %w
|
|
796
|
+
remove_rights :read, users: %w{u}
|
|
797
797
|
end
|
|
798
|
-
|
|
799
|
-
expect(get("nodes/x/_acl")).to partially_match(
|
|
798
|
+
end.to be_updated
|
|
799
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => exclude("u") })
|
|
800
800
|
end
|
|
801
801
|
|
|
802
802
|
it 'chef_acl with remove_rights "c" removes the client\'s rights' do
|
|
803
|
-
expect_recipe
|
|
803
|
+
expect_recipe do
|
|
804
804
|
chef_acl "nodes/x" do
|
|
805
|
-
remove_rights :read, clients: %w
|
|
805
|
+
remove_rights :read, clients: %w{c}
|
|
806
806
|
end
|
|
807
|
-
|
|
808
|
-
expect(get("nodes/x/_acl")).to partially_match(
|
|
807
|
+
end.to be_updated
|
|
808
|
+
expect(get("nodes/x/_acl")).to partially_match("read" => { "actors" => exclude("c") })
|
|
809
809
|
end
|
|
810
810
|
|
|
811
811
|
it 'chef_acl with remove_rights "g" removes the group\'s rights' do
|
|
812
|
-
expect_recipe
|
|
812
|
+
expect_recipe do
|
|
813
813
|
chef_acl "nodes/x" do
|
|
814
|
-
remove_rights :read, groups: %w
|
|
814
|
+
remove_rights :read, groups: %w{g}
|
|
815
815
|
end
|
|
816
|
-
|
|
816
|
+
end.to be_updated
|
|
817
817
|
expect(get("nodes/x/_acl")).to partially_match(
|
|
818
|
-
|
|
818
|
+
"read" => { "groups" => exclude("g") }
|
|
819
819
|
)
|
|
820
820
|
end
|
|
821
821
|
|
|
822
822
|
it 'chef_acl with remove_rights [ :create, :read ], "u", "c", "g" removes all three' do
|
|
823
|
-
expect_recipe
|
|
823
|
+
expect_recipe do
|
|
824
824
|
chef_acl "nodes/x" do
|
|
825
|
-
remove_rights [ :create, :read ], users: %w
|
|
825
|
+
remove_rights [ :create, :read ], users: %w{u}, clients: %w{c}, groups: %w{g}
|
|
826
826
|
end
|
|
827
|
-
|
|
827
|
+
end.to be_updated
|
|
828
828
|
expect(get("nodes/x/_acl")).to partially_match(
|
|
829
|
-
|
|
830
|
-
|
|
829
|
+
"create" => { "actors" => exclude("u").and(exclude("c")), "groups" => exclude("g") },
|
|
830
|
+
"read" => { "actors" => exclude("u").and(exclude("c")), "groups" => exclude("g") }
|
|
831
831
|
)
|
|
832
832
|
end
|
|
833
833
|
|
|
834
834
|
it 'chef_acl with remove_rights "u2", "c2", "g2" has no effect' do
|
|
835
|
-
expect
|
|
836
|
-
expect_recipe
|
|
835
|
+
expect do
|
|
836
|
+
expect_recipe do
|
|
837
837
|
chef_acl "nodes/x" do
|
|
838
|
-
remove_rights :read, users: %w
|
|
838
|
+
remove_rights :read, users: %w{u2}, clients: %w{c2}, groups: %w{g2}
|
|
839
839
|
end
|
|
840
|
-
|
|
841
|
-
|
|
840
|
+
end.to be_up_to_date
|
|
841
|
+
end.not_to change { get("nodes/x/_acl") }
|
|
842
842
|
end
|
|
843
843
|
end
|
|
844
844
|
end
|
|
845
845
|
|
|
846
|
-
when_the_chef_server
|
|
847
|
-
user
|
|
848
|
-
node
|
|
846
|
+
when_the_chef_server "has a node named data_bags", :osc_compat => false do
|
|
847
|
+
user "blarghle", {}
|
|
848
|
+
node "data_bags", {}
|
|
849
849
|
|
|
850
850
|
it 'Converging chef_acl "nodes/data_bags" with user "blarghle" adds the user' do
|
|
851
|
-
expect_recipe
|
|
852
|
-
chef_acl
|
|
853
|
-
rights :read, users: %w
|
|
851
|
+
expect_recipe do
|
|
852
|
+
chef_acl "nodes/data_bags" do
|
|
853
|
+
rights :read, users: %w{blarghle}
|
|
854
854
|
end
|
|
855
|
-
|
|
856
|
-
expect(get(
|
|
855
|
+
end.to be_updated
|
|
856
|
+
expect(get("nodes/data_bags/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
857
857
|
end
|
|
858
858
|
end
|
|
859
859
|
|
|
860
|
-
when_the_chef_server
|
|
861
|
-
user
|
|
862
|
-
organization
|
|
863
|
-
node
|
|
860
|
+
when_the_chef_server "has a node named data_bags in multi-org mode", :osc_compat => false, :single_org => false do
|
|
861
|
+
user "blarghle", {}
|
|
862
|
+
organization "foo" do
|
|
863
|
+
node "data_bags", {}
|
|
864
864
|
end
|
|
865
865
|
|
|
866
866
|
it 'Converging chef_acl "/organizations/foo/nodes/data_bags" with user "blarghle" adds the user' do
|
|
867
|
-
expect_recipe
|
|
868
|
-
chef_acl
|
|
869
|
-
rights :read, users: %w
|
|
867
|
+
expect_recipe do
|
|
868
|
+
chef_acl "/organizations/foo/nodes/data_bags" do
|
|
869
|
+
rights :read, users: %w{blarghle}
|
|
870
870
|
end
|
|
871
|
-
|
|
872
|
-
expect(get(
|
|
871
|
+
end.to be_updated
|
|
872
|
+
expect(get("/organizations/foo/nodes/data_bags/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
873
873
|
end
|
|
874
874
|
end
|
|
875
875
|
|
|
876
|
-
when_the_chef_server
|
|
877
|
-
user
|
|
878
|
-
user
|
|
876
|
+
when_the_chef_server "has a user named data_bags in multi-org mode", :osc_compat => false, :single_org => false do
|
|
877
|
+
user "data_bags", {}
|
|
878
|
+
user "blarghle", {}
|
|
879
879
|
|
|
880
880
|
it 'Converging chef_acl "/users/data_bags" with user "blarghle" adds the user' do
|
|
881
|
-
expect_recipe
|
|
882
|
-
chef_acl
|
|
883
|
-
rights :read, users: %w
|
|
881
|
+
expect_recipe do
|
|
882
|
+
chef_acl "/users/data_bags" do
|
|
883
|
+
rights :read, users: %w{blarghle}
|
|
884
884
|
end
|
|
885
|
-
|
|
886
|
-
expect(get(
|
|
885
|
+
end.to be_updated
|
|
886
|
+
expect(get("/users/data_bags/_acl")).to partially_match("read" => { "actors" => %w{blarghle} })
|
|
887
887
|
end
|
|
888
888
|
end
|
|
889
889
|
end
|