foreman_dlm 0.1.0

data/test/controllers/api/v2/dlmlocks_controller_test.rb

@@ -0,0 +1,367 @@
+require 'test_plugin_helper'
+
+class Api::V2::DlmlocksControllerTest < ActionController::TestCase
+  let(:host1) { as_admin { FactoryBot.create(:host, :managed) } }
+  let(:host2) { as_admin { FactoryBot.create(:host, :managed) } }
+
+  context 'with user authentication' do
+    context '#index' do
+      test 'should show dlmlocks' do
+        dlmlock = FactoryBot.create(:dlmlock, :host => host1)
+        get :index
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        results = body['results']
+        assert results
+        entry = results.detect { |entry| entry['id'] == dlmlock.id }
+        assert entry
+        assert_equal dlmlock.name, entry['name']
+        assert_equal dlmlock.type, entry['type']
+        assert_equal dlmlock.enabled, entry['enabled']
+        assert_equal dlmlock.host_id, entry['host_id']
+      end
+    end
+
+    context '#create' do
+      test 'should create dlmlock' do
+        assert_difference('Dlmlock.unscoped.count') do
+          post :create, valid_attrs_with_root
+        end
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        dlmlock = Dlmlock.find(body['id'])
+        assert dlmlock
+        assert_equal valid_attrs['name'], dlmlock.name
+        assert_equal valid_attrs['type'], dlmlock.type
+        assert_equal true, dlmlock.enabled
+        assert_nil dlmlock.host
+      end
+    end
+
+    context '#show' do
+      test 'should show individual record with host' do
+        dlmlock = FactoryBot.create(:dlmlock, :host => host1)
+        get :show, { :id => dlmlock.to_param }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        refute_empty body
+        assert_equal dlmlock.name, body['name']
+        assert_equal dlmlock.type, body['type']
+        assert_equal true, body['enabled']
+        assert_equal host1.id, body['host_id']
+      end
+
+      test 'should show individual record that is disabled' do
+        dlmlock = FactoryBot.create(:dlmlock, :enabled => false)
+        get :show, { :id => dlmlock.to_param }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        refute_empty body
+        assert_equal dlmlock.name, body['name']
+        assert_equal dlmlock.type, body['type']
+        assert_equal false, body['enabled']
+        assert_nil body['host_id']
+      end
+
+      test 'should show individual record by name' do
+        dlmlock = FactoryBot.create(:dlmlock, :host => host1)
+        get :show, { :id => dlmlock.name }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        refute_empty body
+        assert_equal dlmlock.id, body['id']
+        assert_equal dlmlock.name, body['name']
+        host = body['host']
+        assert host
+        assert_equal host1.name, host['name']
+        refute host.has_key?('self')
+      end
+
+      test 'should not find dlmlock with invalid id' do
+        get :show, { :id => 9999999 }
+        assert_response :not_found
+      end
+    end
+
+    context '#update' do
+      test 'should update dlmlock' do
+        dlmlock = FactoryBot.create(:dlmlock)
+        put :update, { :id => dlmlock.to_param, :dlmlock => valid_attrs.merge(:host_id => host1.id, :enabled => false) }
+        assert_response :success
+        dlmlock.reload
+        assert_equal valid_attrs['name'], dlmlock.name
+        assert_equal valid_attrs['type'], dlmlock.type
+        assert_equal false, dlmlock.enabled
+        assert_equal host1.id, dlmlock.host_id
+      end
+    end
+
+    context '#destroy' do
+      test 'should destroy dlmlock' do
+        dlmlock = FactoryBot.create(:dlmlock)
+        assert_difference('Dlmlock.unscoped.count', -1) do
+          delete :destroy, { :id => dlmlock.to_param }
+        end
+        assert_response :success
+        assert_equal 0, Dlmlock.where(:id => dlmlock.id).count
+      end
+    end
+
+    context '#acquire' do
+      test 'should deny access' do
+        dlmlock = FactoryBot.create(:dlmlock)
+        put :acquire, { :id => dlmlock.to_param }
+        assert_response :forbidden
+        assert_nil dlmlock.reload.host
+      end
+    end
+
+    context '#release' do
+      test 'should deny access' do
+        dlmlock = FactoryBot.create(:dlmlock, :host => host2)
+        delete :release, { :id => dlmlock.to_param }
+        assert_response :forbidden
+        assert_equal host2, dlmlock.reload.host
+      end
+    end
+  end
+
+  context 'with client cert' do
+    setup do
+      User.current = nil
+      reset_api_credentials
+
+      Setting[:ssl_client_dn_env] = 'SSL_CLIENT_S_DN'
+      Setting[:ssl_client_verify_env] = 'SSL_CLIENT_VERIFY'
+
+      @request.env['HTTPS'] = 'on'
+      @request.env['SSL_CLIENT_S_DN'] = "CN=#{host1.name},DN=example,DN=com"
+      @request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+    end
+
+    context '#index' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        get :index, { :id => dlmlock.to_param }
+        assert_response :unauthorized
+      end
+    end
+
+    context '#create' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        post :create, valid_attrs_with_root
+        assert_response :unauthorized
+      end
+    end
+
+    context '#update' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        put :update, { :id => dlmlock.to_param, :dlmlock => valid_attrs }
+        assert_response :unauthorized
+      end
+    end
+
+    context '#destroy' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        delete :destroy, { :id => dlmlock.to_param }
+        assert_response :unauthorized
+        assert_equal 1, as_admin { Dlmlock.where(:id => dlmlock.id).count }
+      end
+    end
+
+    context '#show' do
+      test 'should show individual free lock' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        get :show, { :id => dlmlock.to_param }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        refute_empty body
+        assert_equal dlmlock.name, body['name']
+        assert_equal dlmlock.type, body['type']
+        assert_equal true, body['enabled']
+        assert_nil body['host_id']
+        assert_nil body['host']
+      end
+
+      test 'should show individual acquired lock by me' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock, :host => host1) }
+        get :show, { :id => dlmlock.to_param }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        refute_empty body
+        assert_equal dlmlock.name, body['name']
+        assert_equal dlmlock.type, body['type']
+        assert_equal true, body['enabled']
+        assert_equal host1.id, body['host_id']
+        host = body['host']
+        assert host
+        assert_equal host1.name, host['name']
+        assert_equal true, host['self']
+      end
+
+      test 'should show individual acquired lock by other' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock, :host => host2) }
+        get :show, { :id => dlmlock.to_param }
+        assert_response :success
+        body = ActiveSupport::JSON.decode(@response.body)
+        refute_empty body
+        assert_equal dlmlock.name, body['name']
+        assert_equal dlmlock.type, body['type']
+        assert_equal true, body['enabled']
+        assert_equal host2.id, body['host_id']
+        host = body['host']
+        assert host
+        assert_equal host2.name, host['name']
+        assert_equal false, host['self']
+      end
+    end
+
+    context '#acquire' do
+      test 'should acquire empty dlmlock' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        put :acquire, { :id => dlmlock.to_param }
+        assert_response :success
+        assert_equal host1, as_admin { dlmlock.reload.host }
+      end
+
+      test 'should acquire own dlmlock' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock, :host => host1) }
+        put :acquire, { :id => dlmlock.to_param }
+        assert_response :success
+        assert_equal host1, as_admin { dlmlock.reload.host }
+      end
+
+      test 'should not acquire foreign dlmlock' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock, :host => host2) }
+        put :acquire, { :id => dlmlock.to_param }
+        assert_response :precondition_failed
+        assert_equal host2, as_admin { dlmlock.reload.host }
+      end
+
+      test 'should transparently create non-existing dlmlock' do
+        lockname = 'Test Lock'
+        assert_equal 0, as_admin { Dlmlock.where(:name => lockname).count }
+        put :acquire, { :id => lockname }
+        assert_response :success
+        dlmlock = as_admin { Dlmlock.find_by(:name => lockname) }
+        assert_equal lockname, dlmlock.name
+        assert_equal host1, dlmlock.host
+      end
+    end
+
+    context '#release' do
+      test 'should release empty dlmlock' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        delete :release, { :id => dlmlock.to_param }
+        assert_response :success
+        assert_nil as_admin { dlmlock.reload.host }
+      end
+
+      test 'should release own dlmlock' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock, :host => host1) }
+        delete :release, { :id => dlmlock.to_param }
+        assert_response :success
+        assert_nil as_admin { dlmlock.reload.host }
+      end
+
+      test 'should not acquire foreign dlmlock' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock, :host => host2) }
+        delete :release, { :id => dlmlock.to_param }
+        assert_response :precondition_failed
+        assert_equal host2, as_admin { dlmlock.reload.host }
+      end
+
+      test 'should transparently create non-existing dlmlock' do
+        lockname = 'Test Lock'
+        assert_equal 0, as_admin { Dlmlock.where(:name => lockname).count }
+        delete :release, { :id => lockname }
+        assert_response :success
+        dlmlock = as_admin { Dlmlock.find_by(:name => lockname) }
+        assert_equal lockname, dlmlock.name
+        assert_nil dlmlock.host
+      end
+    end
+  end
+
+  context 'without any credentials' do
+    setup do
+      User.current = nil
+      reset_api_credentials
+    end
+
+    context '#index' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        get :index, { :id => dlmlock.to_param }
+        assert_response :unauthorized
+      end
+    end
+
+    context '#show' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        get :show, { :id => dlmlock.to_param }
+        assert_response :unauthorized
+      end
+    end
+
+    context '#create' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        post :create, valid_attrs_with_root
+        assert_response :unauthorized
+      end
+    end
+
+    context '#update' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        put :update, { :id => dlmlock.to_param, :dlmlock => valid_attrs }
+        assert_response :unauthorized
+      end
+    end
+
+    context '#destroy' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        delete :destroy, { :id => dlmlock.to_param }
+        assert_response :unauthorized
+        assert_equal 1, as_admin { Dlmlock.where(:id => dlmlock.id).count }
+      end
+    end
+
+    context '#acquire' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock) }
+        put :acquire, { :id => dlmlock.to_param }
+        assert_response :unauthorized
+        assert_nil as_admin { dlmlock.reload.host }
+      end
+    end
+
+    context '#release' do
+      test 'should deny access' do
+        dlmlock = as_admin { FactoryBot.create(:dlmlock, :host => host2) }
+        delete :release, { :id => dlmlock.to_param }
+        assert_response :unauthorized
+        assert_equal host2, as_admin { dlmlock.reload.host }
+      end
+    end
+  end
+
+  private
+
+  def valid_attrs
+    {
+      'name' => 'testlock',
+      'type' => 'Dlmlock::Update'
+    }
+  end
+
+  def valid_attrs_with_root(extra_attrs = {})
+    { :dlmlock => valid_attrs.merge(extra_attrs) }
+  end
+end

data/test/controllers/dlmlocks_test.rb

@@ -0,0 +1,24 @@
+require 'test_plugin_helper'
+
+class DlmlocksControllerTest < ActionController::TestCase
+  test '#index' do
+    FactoryBot.create(:dlmlock)
+    get :index, {}, set_session_user
+    assert_response :success
+    assert_not_nil assigns('dlmlocks')
+    assert_template 'index'
+  end
+
+  test '#index with no lock shows welcome page' do
+    get :index, {}, set_session_user
+    assert_response :success
+    assert_template 'welcome'
+  end
+
+  test '#show' do
+    dlmlock = FactoryBot.create(:dlmlock)
+    get :show, { :id => dlmlock.id }, set_session_user
+    assert_response :success
+    assert_template 'show'
+  end
+end

data/test/controllers/find_host_by_client_cert_test.rb

@@ -0,0 +1,91 @@
+require 'test_plugin_helper'
+
+class FindHostByClientCertTest < ActionController::TestCase
+  tests "api/v2/dlmlocks"
+
+  def described_class
+    Api::V2::DlmlocksController
+  end
+
+  context 'with ssl settings' do
+    setup do
+      Setting[:ssl_client_dn_env] = 'SSL_CLIENT_S_DN'
+      Setting[:ssl_client_verify_env] = 'SSL_CLIENT_VERIFY'
+    end
+
+    let(:host) { as_admin { FactoryBot.create(:host, :managed) } }
+
+    context 'with api credentials' do
+      test 'certificate with dn permits access' do
+        @request.env['HTTPS'] = 'on'
+        @request.env['SSL_CLIENT_VERIFY'] = 'NONE'
+
+        get :index
+
+        assert @controller.send(:require_client_cert_or_login)
+        assert_nil @controller.detected_host
+      end
+
+      test 'certificate with dn permits access' do
+        @request.env['HTTPS'] = 'on'
+        @request.env['SSL_CLIENT_S_DN'] = "CN=#{host.name},DN=example,DN=com"
+        @request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+
+        get :index
+
+        assert @controller.send(:require_client_cert_or_login)
+        assert_equal host, @controller.detected_host
+      end
+    end
+
+    context 'without api credentials' do
+      setup do
+        User.current = nil
+        reset_api_credentials
+      end
+
+      test 'certificate with dn permits access' do
+        @request.env['HTTPS'] = 'on'
+        @request.env['SSL_CLIENT_S_DN'] = "CN=#{host.name},DN=example,DN=com"
+        @request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+
+        get :index
+
+        assert @controller.send(:require_client_cert_or_login)
+        assert_equal host, @controller.detected_host
+      end
+
+      test 'certificate with unknown dn denies access' do
+        @request.env['HTTPS'] = 'on'
+        @request.env['SSL_CLIENT_S_DN'] = "CN=doesnotexist.example.com,DN=example,DN=com"
+        @request.env['SSL_CLIENT_VERIFY'] = 'SUCCESS'
+
+        get :index
+
+        assert_equal false, @controller.send(:require_client_cert_or_login)
+        assert_nil @controller.detected_host
+      end
+
+      test 'invalid certificate denies access' do
+        @request.env['HTTPS'] = 'on'
+        @request.env['SSL_CLIENT_S_DN'] = "CN=#{host.name},DN=example,DN=com"
+        @request.env['SSL_CLIENT_VERIFY'] = 'GENEROUS'
+
+        get :index
+
+        assert_equal false, @controller.send(:require_client_cert_or_login)
+        assert_nil @controller.detected_host
+      end
+
+      test 'no certificate denies access' do
+        @request.env['HTTPS'] = 'on'
+        @request.env['SSL_CLIENT_VERIFY'] = 'NONE'
+
+        get :index
+
+        assert_equal false, @controller.send(:require_client_cert_or_login)
+        assert_nil @controller.detected_host
+      end
+    end
+  end
+end

data/test/factories/dlmlock.rb

@@ -0,0 +1,6 @@
+FactoryBot.define do
+  factory :dlmlock do
+    sequence(:name) { |n| "Lock #{n}" }
+    type 'Dlmlock::Update'
+  end
+end

data/test/models/dlmlock_test.rb

@@ -0,0 +1,201 @@
+require 'test_plugin_helper'
+
+class DlmlockTest < ActiveSupport::TestCase
+  setup do
+    User.current = users(:admin)
+  end
+
+  subject { FactoryBot.create(:dlmlock) }
+  should validate_presence_of(:name)
+  should validate_uniqueness_of(:name)
+
+  let(:host1) { FactoryBot.create(:host, :managed) }
+  let(:host2) { FactoryBot.create(:host, :managed) }
+
+  class HostWithCallbacks < ::Host::Managed
+    attr_accessor :callbacks
+
+    def initialize(*attributes, &block)
+      super
+      @callbacks = []
+    end
+
+    after_lock :callback1
+    after_unlock :callback2
+
+    def callback1
+      Rails.logger.debug "callback1 executed for #{self} (#{self.class})"
+      callbacks << 'callback1'
+    end
+
+    def callback2
+      Rails.logger.debug "callback2 executed for #{self} (#{self.class})"
+      callbacks << 'callback2'
+    end
+  end
+
+  let(:host1_with_callbacks) { HostWithCallbacks.create(:name => 'test1.example.com') }
+  let(:host2_with_callbacks) { HostWithCallbacks.create(:name => 'test2.example.com') }
+
+  context 'a free and enabled DLM lock' do
+    let(:dlmlock) { FactoryBot.create(:dlmlock) }
+
+    test 'should be enabled and unlocked' do
+      assert_equal true, dlmlock.enabled?
+      assert_equal false, dlmlock.disabled?
+      assert_equal false, dlmlock.locked?
+      assert_equal false, dlmlock.taken?
+    end
+
+    test 'can be acquired' do
+      assert_nil dlmlock.host
+      assert dlmlock.acquire!(host1)
+      assert_equal host1, dlmlock.reload.host
+    end
+
+    test 'can be released' do
+      assert_nil dlmlock.host
+      assert dlmlock.release!(host1)
+      assert_nil dlmlock.reload.host
+    end
+
+    test 'records audit change on acquisition by owner' do
+      assert_difference "Audit.where(auditable_type: 'Dlmlock').count" do
+        assert dlmlock.acquire!(host1)
+      end
+      audit_record = dlmlock.audits.last
+      assert_equal 'update', audit_record.action
+      assert_equal({:host_id => host1.id}, audit_record.audited_changes)
+    end
+
+    test 'records no audit change on release' do
+      assert_no_difference "Audit.where(auditable_type: 'Dlmlock').count" do
+        assert dlmlock.release!(host1)
+      end
+    end
+
+    test 'triggers after_lock callback' do
+      host = HostWithCallbacks.new
+      host.name = 'test.example.com'
+      host.save
+      assert dlmlock.acquire!(host)
+      assert_equal ['callback1'], host.callbacks
+    end
+  end
+
+  context 'a free and disabled DLM lock' do
+    let(:dlmlock) { FactoryBot.create(:dlmlock, :enabled => false) }
+
+    test 'should be disabled and unlocked' do
+      assert_equal false, dlmlock.enabled?
+      assert_equal true, dlmlock.disabled?
+      assert_equal false, dlmlock.locked?
+      assert_equal false, dlmlock.taken?
+    end
+
+    test 'can not be acquired' do
+      assert_nil dlmlock.host
+      assert_equal false, dlmlock.acquire!(host1)
+      assert_nil dlmlock.reload.host
+    end
+
+    test 'can not be released' do
+      assert_nil dlmlock.host
+      assert_equal false, dlmlock.release!(host1)
+      assert_nil dlmlock.reload.host
+    end
+
+    test 'triggers no callbacks' do
+      host = HostWithCallbacks.new
+      host.name = 'test.example.com'
+      host.save
+      assert_equal false, dlmlock.release!(host)
+      assert_equal [], host.callbacks
+    end
+  end
+
+  context 'an acquired DLM lock' do
+   let(:dlmlock) { FactoryBot.create(:dlmlock, :host => host1) }
+
+    test 'should be enabled and locked' do
+      assert_equal true, dlmlock.enabled?
+      assert_equal false, dlmlock.disabled?
+      assert_equal true, dlmlock.locked?
+      assert_equal true, dlmlock.taken?
+      assert_equal true, dlmlock.locked_by?(host1)
+      assert_equal true, dlmlock.acquired_by?(host1)
+    end
+
+    test 'can be acquired by owner' do
+      assert_equal host1, dlmlock.host
+      assert dlmlock.acquire!(host1)
+      assert_equal host1, dlmlock.reload.host
+    end
+
+    test 'can not be acquired by other host' do
+      assert_equal host1, dlmlock.host
+      assert_equal false, dlmlock.acquire!(host2)
+      assert_equal host1, dlmlock.reload.host
+    end
+
+    test 'can be released by owner' do
+      assert_equal host1, dlmlock.host
+      assert dlmlock.release!(host1)
+      assert_nil dlmlock.reload.host
+    end
+
+    test 'can not be released by other host' do
+      assert_equal host1, dlmlock.host
+      assert_equal false, dlmlock.release!(host2)
+      assert_equal host1, dlmlock.reload.host
+    end
+
+    test 'records audit change on release by owner' do
+      assert_difference "Audit.where(auditable_type: 'Dlmlock').count" do
+        assert dlmlock.release!(host1)
+      end
+      audit_record = dlmlock.audits.last
+      assert_equal 'update', audit_record.action
+      assert_equal({:host_id => nil}, audit_record.audited_changes)
+    end
+
+    test 'records no audit change on acquisition by owner' do
+      assert_no_difference "Audit.where(auditable_type: 'Dlmlock').count" do
+        assert dlmlock.acquire!(host1)
+      end
+    end
+
+    test 'triggers after_unlock callback on release by owner' do
+      host = HostWithCallbacks.new
+      host.name = 'test.example.com'
+      host.save
+      dlmlock.host = host
+      dlmlock.save
+      assert dlmlock.release!(host)
+      assert_equal ['callback2'], host.callbacks
+    end
+
+    test 'triggers no callbacks on release attempt by other host' do
+      assert host1_with_callbacks
+      assert host2_with_callbacks
+      dlmlock.update(:host => host1_with_callbacks)
+      assert_equal false, dlmlock.release!(host2_with_callbacks)
+      assert_equal [], host1_with_callbacks.callbacks
+      assert_equal [], host2_with_callbacks.callbacks
+    end
+
+    test 'triggers no callbacks on acquiry attempt by owner' do
+      assert host1_with_callbacks
+      dlmlock.update(:host => host1_with_callbacks)
+      assert dlmlock.acquire!(host1_with_callbacks)
+      assert_equal [], host1_with_callbacks.callbacks
+    end
+  end
+
+  context 'scoped search' do
+    test 'can be searched by name' do
+      dlmlock = FactoryBot.create(:dlmlock)
+      assert_equal Dlmlock::Update.find(dlmlock.id), Dlmlock.search_for("name ~ #{dlmlock.name}").first
+    end
+  end
+end