omnibus 6.0.25 → 7.0.12

data/spec/unit/health_check_spec.rb

@@ -8,9 +8,7 @@ module Omnibus
         name: "chefdk",
         install_dir: "/opt/chefdk",
         library: double(Library,
-          components: []
-        )
-      )
+          components: []))
     end
 
     def mkdump(base, size, x64 = false)
@@ -19,9 +17,7 @@ module Omnibus
         x64?: x64,
         ioh: double(x64 ? PEdump::IMAGE_OPTIONAL_HEADER64 : PEdump::IMAGE_OPTIONAL_HEADER32,
           ImageBase: base,
-          SizeOfImage: size
-        )
-      )
+          SizeOfImage: size))
       expect(dump).to receive(:pe).and_return(pe)
       dump
     end

data/spec/unit/library_spec.rb

@@ -125,7 +125,8 @@ module Omnibus
               erchef, # project dep
               chef, # project dep
               chefdk, # project dep
-           ])
+           ]
+          )
         end
       end
     end

data/spec/unit/manifest_diff_spec.rb

@@ -12,7 +12,7 @@ module Omnibus
     end
 
     let(:manifest_one) do
-      m = Omnibus::Manifest.new()
+      m = Omnibus::Manifest.new
       m.add("foo", manifest_entry_for("foo", "1.2.4", "deadbeef"))
       m.add("bar", manifest_entry_for("bar", "1.2.4", "deadbeef"))
       m.add("baz", manifest_entry_for("baz", "1.2.4", "deadbeef"))
@@ -20,7 +20,7 @@ module Omnibus
     end
 
     let(:manifest_two) do
-      m = Omnibus::Manifest.new()
+      m = Omnibus::Manifest.new
       m.add("foo", manifest_entry_for("foo", "1.2.5", "deadbea0"))
       m.add("baz", manifest_entry_for("baz", "1.2.4", "deadbeef"))
       m.add("quux", manifest_entry_for("quux", "1.2.4", "deadbeef"))

data/spec/unit/manifest_spec.rb

@@ -45,7 +45,7 @@ module Omnibus
         second = ManifestEntry.new("wombat", {})
         subject.add("foobar", first)
         subject.add("wombat", second)
-        expect(subject.entry_names).to eq([:foobar, :wombat])
+        expect(subject.entry_names).to eq(%i{foobar wombat})
       end
     end
 

data/spec/unit/metadata_spec.rb

@@ -16,8 +16,7 @@ module Omnibus
         md5:    "abc123",
         sha1:   "abc123",
         sha256: "abcd1234",
-        sha512: "abcdef123456"
-      )
+        sha512: "abcdef123456")
     end
 
     let(:project) do
@@ -29,15 +28,13 @@ module Omnibus
         build_iteration:  "1",
         license:          "Apache-2.0",
         built_manifest:    double(Manifest,
-                                  to_hash: {
-                                    manifest_format: 2,
-                                    build_version: "1.2.3",
-                                    build_git_revision: "SHA",
-                                    license: "Apache-2.0",
-                                  }
-                                ),
-        license_file_path: license_path
-      )
+          to_hash: {
+            manifest_format: 2,
+            build_version: "1.2.3",
+            build_git_revision: "SHA",
+            license: "Apache-2.0",
+          }),
+        license_file_path: license_path)
     end
 
     let(:data) { { foo: "bar" } }
@@ -219,6 +216,7 @@ module Omnibus
       it_behaves_like "a version manipulator", "fedora", "11.5", "11"
       it_behaves_like "a version manipulator", "freebsd", "10.0", "10"
       it_behaves_like "a version manipulator", "gentoo", "4.9.95-gentoo", "rolling"
+      it_behaves_like "a version manipulator", "kali", "rolling", "rolling"
       it_behaves_like "a version manipulator", "mac_os_x", "10.9.1", "10.9"
       it_behaves_like "a version manipulator", "omnios", "r151010", "r151010"
       it_behaves_like "a version manipulator", "openbsd", "5.4.4", "5.4"

data/spec/unit/omnibus_spec.rb

@@ -15,7 +15,7 @@ describe Omnibus do
 
     Omnibus::Config.project_root(File.join(tmp_path, "/foo/bar"))
     Omnibus::Config.local_software_dirs([File.join(tmp_path, "/local"), File.join(tmp_path, "/other")])
-    Omnibus::Config.software_gems(["omnibus-software", "custom-omnibus-software"])
+    Omnibus::Config.software_gems(%w{omnibus-software custom-omnibus-software})
   end
 
   describe "#which" do

data/spec/unit/packagers/bff_spec.rb

@@ -301,7 +301,7 @@ module Omnibus
         # A note - the /opt/ here is essentially project.install_dir one level up.
         # There is nothing magical about 'opt' as a directory.
         expect(subject).to receive(:shellout!)
-          .with(/chown -Rh 0:0 #{staging_dir}\/opt$/)
+          .with(%r{chown -Rh 0:0 #{staging_dir}/opt$})
         subject.create_bff_file
       end
 
@@ -312,7 +312,7 @@ module Omnibus
 
       it "uses the correct command" do
         expect(subject).to receive(:shellout!)
-          .with(/\/usr\/sbin\/mkinstallp -d/)
+          .with(%r{/usr/sbin/mkinstallp -d})
         subject.create_bff_file
       end
 

data/spec/unit/packagers/msi_spec.rb

@@ -419,7 +419,7 @@ module Omnibus
         end
 
         it "outputs a source.wxs file to the staging directory" do
-          expect(subject.candle_command).to include("#{subject.windows_safe_path(staging_dir, 'source.wxs')}")
+          expect(subject.candle_command).to include("#{subject.windows_safe_path(staging_dir, "source.wxs")}")
         end
       end
 
@@ -433,7 +433,7 @@ module Omnibus
         end
 
         it "outputs a bundle.wxs file to the staging directory" do
-          expect(subject.candle_command(is_bundle: true)).to include("#{subject.windows_safe_path(staging_dir, 'bundle.wxs')}")
+          expect(subject.candle_command(is_bundle: true)).to include("#{subject.windows_safe_path(staging_dir, "bundle.wxs")}")
         end
       end
     end

data/spec/unit/packagers/pkg_spec.rb

@@ -109,6 +109,158 @@ module Omnibus
       end
     end
 
+    describe "#sign_software_libs_and_bins" do
+      context "when pkg signing is disabled" do
+        it "does not sign anything" do
+          expect(subject).not_to receive(:sign_binary)
+          expect(subject).not_to receive(:sign_library)
+          subject.sign_software_libs_and_bins
+        end
+
+        it "returns an empty set" do
+          expect(subject.sign_software_libs_and_bins).to be_nil
+        end
+      end
+
+      context "when pkg signing is enabled" do
+        before do
+          subject.signing_identity("My Special Identity")
+        end
+
+        context "without software" do
+          it "does not sign anything" do
+            expect(subject).not_to receive(:sign_binary)
+            expect(subject).not_to receive(:sign_library)
+            subject.sign_software_libs_and_bins
+          end
+
+          it "returns an empty set" do
+            expect(subject.sign_software_libs_and_bins).to eq(Set.new)
+          end
+        end
+
+        context "project with software" do
+          let(:software) do
+            Software.new(project).tap do |software|
+              software.name("software-full-name")
+            end
+          end
+
+          before do
+            allow(project).to receive(:softwares).and_return([software])
+          end
+
+          context "with empty bin_dirs and lib_dirs" do
+            before do
+              allow(software).to receive(:lib_dirs).and_return([])
+              allow(software).to receive(:bin_dirs).and_return([])
+            end
+
+            it "does not sign anything" do
+              expect(subject).not_to receive(:sign_binary)
+              expect(subject).not_to receive(:sign_library)
+              subject.sign_software_libs_and_bins
+            end
+
+            it "returns an empty set" do
+              expect(subject.sign_software_libs_and_bins).to eq(Set.new)
+            end
+          end
+
+          context "with default bin_dirs and lib_dirs" do
+            context "with binaries" do
+              let(:bin) { "/opt/#{project.name}/bin/test_bin" }
+              let(:embedded_bin) { "/opt/#{project.name}/embedded/bin/test_bin" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([embedded_bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([])
+                allow(subject).to receive(:is_binary?).with(bin).and_return(true)
+                allow(subject).to receive(:is_binary?).with(embedded_bin).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(bin).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(embedded_bin).and_return([])
+                allow(subject).to receive(:sign_binary).with(bin, true)
+                allow(subject).to receive(:sign_binary).with(embedded_bin, true)
+              end
+
+              it "signs the binaries" do
+                expect(subject).to receive(:sign_binary).with(bin, true)
+                expect(subject).to receive(:sign_binary).with(embedded_bin, true)
+                subject.sign_software_libs_and_bins
+              end
+
+              it "returns a set with the signed binaries" do
+                expect(subject.sign_software_libs_and_bins).to eq(Set.new [bin, embedded_bin])
+              end
+            end
+
+            context "with library" do
+              let(:lib) { "/opt/#{project.name}/embedded/lib/test_lib" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([lib])
+                allow(subject).to receive(:is_macho?).with(lib).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(lib).and_return([])
+                allow(subject).to receive(:sign_library).with(lib)
+              end
+
+              it "signs the library" do
+                expect(subject).to receive(:sign_library).with(lib)
+                subject.sign_software_libs_and_bins
+              end
+            end
+
+            context "with binaries and libraries with linked libs" do
+              let(:bin) { "/opt/#{project.name}/bin/test_bin" }
+              let(:bin2) { "/opt/#{project.name}/bin/test_bin2" }
+              let(:embedded_bin) { "/opt/#{project.name}/embedded/bin/test_bin" }
+              let(:lib) { "/opt/#{project.name}/embedded/lib/test_lib" }
+              let(:lib2) { "/opt/#{project.name}/embedded/lib/test_lib2" }
+              before do
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/bin/*").and_return([bin, bin2])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/bin/*").and_return([embedded_bin])
+                allow(Dir).to receive(:[]).with("/opt/#{project.name}/embedded/lib/*").and_return([lib])
+                allow(subject).to receive(:is_binary?).with(bin).and_return(true)
+                allow(subject).to receive(:is_binary?).with(bin2).and_return(true)
+                allow(subject).to receive(:is_binary?).with(embedded_bin).and_return(true)
+                allow(subject).to receive(:is_macho?).with(lib).and_return(true)
+                allow(subject).to receive(:is_macho?).with(lib2).and_return(true)
+                allow(subject).to receive(:find_linked_libs).with(bin).and_return([lib2])
+                allow(subject).to receive(:find_linked_libs).with(bin2).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(embedded_bin).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(lib).and_return([])
+                allow(subject).to receive(:find_linked_libs).with(lib2).and_return([])
+                allow(subject).to receive(:sign_binary).with(bin, true)
+                allow(subject).to receive(:sign_binary).with(bin2, true)
+                allow(subject).to receive(:sign_binary).with(embedded_bin, true)
+                allow(subject).to receive(:sign_library).with(lib)
+                allow(subject).to receive(:sign_library).with(lib2)
+                allow(Digest::SHA256).to receive(:file).with(bin).and_return(Digest::SHA256.new.update(bin))
+                allow(Digest::SHA256).to receive(:file).with(bin2).and_return(Digest::SHA256.new.update(bin2))
+                allow(Digest::SHA256).to receive(:file).with(embedded_bin).and_return(Digest::SHA256.new.update(embedded_bin))
+                allow(Digest::SHA256).to receive(:file).with(lib).and_return(Digest::SHA256.new.update(lib))
+                allow(Digest::SHA256).to receive(:file).with(lib2).and_return(Digest::SHA256.new.update(lib2))
+              end
+
+              it "signs the binaries" do
+                expect(subject).to receive(:sign_binary).with(bin, true)
+                expect(subject).to receive(:sign_binary).with(bin2, true)
+                expect(subject).to receive(:sign_binary).with(embedded_bin, true)
+                subject.sign_software_libs_and_bins
+              end
+
+              it "signs the libraries" do
+                expect(subject).to receive(:sign_library).with(lib)
+                expect(subject).to receive(:sign_library).with(lib2)
+                subject.sign_software_libs_and_bins
+              end
+            end
+          end
+        end
+      end
+    end
+
     describe "#build_component_pkg" do
       it "executes the pkgbuild command" do
         expect(subject).to receive(:shellout!).with <<-EOH.gsub(/^ {10}/, "")
@@ -118,6 +270,7 @@ module Omnibus
             --scripts "#{staging_dir}/Scripts" \\
             --root "/opt/project-full-name" \\
             --install-location "/opt/project-full-name" \\
+            --preserve-xattr \\
             "project-full-name-core.pkg"
         EOH
 
@@ -267,5 +420,206 @@ module Omnibus
         end
       end
     end
+
+    describe "#find_linked_libs" do
+      context "with linked libs" do
+        let(:file) { "/opt/#{project.name}/embedded/bin/test_bin" }
+        let(:stdout) do
+          <<~EOH
+            /opt/#{project.name}/embedded/bin/test_bin:
+                      /opt/#{project.name}/embedded/lib/lib.dylib (compatibility version 7.0.0, current version 7.4.0)
+                      /opt/#{project.name}/embedded/lib/lib.6.dylib (compatibility version 7.0.0, current version 7.4.0)
+                      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
+          EOH
+        end
+        let(:shellout) { Mixlib::ShellOut.new }
+
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return(stdout)
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([
+            "/opt/#{project.name}/embedded/lib/lib.dylib",
+            "/opt/#{project.name}/embedded/lib/lib.6.dylib",
+          ])
+        end
+      end
+
+      context "with only system linked libs" do
+        let(:file) { "/opt/#{project.name}/embedded/lib/lib.dylib" }
+        let(:stdout) do
+          <<~EOH
+            /opt/#{project.name}/embedded/lib/lib.dylib:
+                      /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)
+          EOH
+        end
+        let(:shellout) { Mixlib::ShellOut.new }
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return(stdout)
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([])
+        end
+      end
+
+      context "file is just a file" do
+        let(:file) { "/opt/#{project.name}/embedded/lib/file.rb" }
+        let(:shellout) { Mixlib::ShellOut.new }
+        before do
+          allow(shellout).to receive(:run_command)
+          allow(shellout).to receive(:stdout)
+            .and_return("#{file}: is not an object file")
+          allow(subject).to receive(:shellout!)
+            .with("otool -L #{file}")
+            .and_return(shellout)
+        end
+
+        it "returns empty array" do
+          expect(subject.find_linked_libs(file)).to eq([])
+        end
+      end
+    end
+
+    describe "#is_binary?" do
+      context "when is a file, executable, and not a symlink" do
+        before do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+        end
+
+        it "returns true" do
+          expect(subject.is_binary?("file")).to be true
+        end
+      end
+
+      context "when not a file" do
+        before do
+          allow(File).to receive(:file?).with("file").and_return(false)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+        end
+
+        it "returns false" do
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+
+      context "when not an executable" do
+        it "returns false" do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(false)
+          allow(File).to receive(:symlink?).with("file").and_return(false)
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+
+      context "when is symlink" do
+        it "returns false" do
+          allow(File).to receive(:file?).with("file").and_return(true)
+          allow(File).to receive(:executable?).with("file").and_return(true)
+          allow(File).to receive(:symlink?).with("file").and_return(true)
+          expect(subject.is_binary?("file")).to be false
+        end
+      end
+    end
+
+    describe "#is_macho?" do
+      let(:shellout) { Mixlib::ShellOut.new }
+
+      context "when is a Mach-O library" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: Mach-O 64-bit dynamically linked shared library x86_64")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be true
+        end
+      end
+
+      context "when is a Mach-O Bundle" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: Mach-O 64-bit bundle x86_64")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be true
+        end
+      end
+
+      context "when is not a Mach-O Bundle or Mach-O library" do
+        before do
+          allow(subject).to receive(:is_binary?).with("file").and_return(true)
+          expect(subject).to receive(:shellout!).with("file file").and_return(shellout)
+          allow(shellout).to receive(:stdout)
+            .and_return("file: ASCII text")
+        end
+
+        it "returns true" do
+          expect(subject.is_macho?("file")).to be false
+        end
+      end
+    end
+
+    describe "#sign_library" do
+      before do
+        subject.signing_identity("My Special Identity")
+      end
+
+      it "calls sign_binary without hardened runtime" do
+        expect(subject).to receive(:sign_binary).with("file")
+        subject.sign_library("file")
+      end
+    end
+
+    describe "#sign_binary" do
+      before do
+        subject.signing_identity("My Special Identity")
+      end
+
+      it "it signs the binary without hardened runtime" do
+        expect(subject).to receive(:shellout!)
+          .with("codesign -s '#{subject.signing_identity}' 'file' --force\n")
+        subject.sign_binary("file")
+      end
+
+      context "with hardened runtime" do
+        it "it signs the binary with hardened runtime" do
+          expect(subject).to receive(:shellout!)
+            .with("codesign -s '#{subject.signing_identity}' 'file' --options=runtime --force\n")
+          subject.sign_binary("file", true)
+        end
+
+        context "with entitlements" do
+          let(:entitlements_file) { File.join(tmp_path, "project-full-name/resources/project-full-name/pkg/entitlements.plist") }
+
+          it "it signs the binary with the entitlements" do
+            allow(subject).to receive(:resource_path).with("entitlements.plist").and_return(entitlements_file)
+            allow(File).to receive(:exist?).with(entitlements_file).and_return(true)
+            expect(subject).to receive(:shellout!)
+              .with("codesign -s '#{subject.signing_identity}' 'file' --options=runtime --entitlements #{entitlements_file} --force\n")
+            subject.sign_binary("file", true)
+          end
+        end
+      end
+    end
   end
 end