author | Bryan McLellan <btm@loftninjas.org> | 2016-12-06 18:55:35 -0500 |
committer | GitHub <noreply@github.com> | 2016-12-06 18:55:35 -0500 |
commit | 8b3b685ef651d6a286a977d757935cc9b68ac484 (patch) | |
tree | 3cda64a8ab8784477e96a8b2c493149d747eaa2f | |
parent | 1c9970d97b043e250b5d000ce2f581f4a7466e72 (diff) | |
parent | a0342df6a901110a48f1f2d4074d7bb5ea3cdc30 (diff) | |
download | chef-8b3b685ef651d6a286a977d757935cc9b68ac484.tar.gz |
Merge pull request #5601 from chef/COOL-604/chef-solo-node-permissions
Core: Ensure chef-solo creates node files w/ correct permissions
3 files changed, 81 insertions, 1 deletions
diff --git a/lib/chef/chef_fs/file_system/repository/chef_repository_file_system_root_dir.rb b/lib/chef/chef_fs/file_system/repository/chef_repository_file_system_root_dir.rb
index 1b26ced372..06bda325dc 100644
--- a/lib/chef/chef_fs/file_system/repository/chef_repository_file_system_root_dir.rb
+++ b/lib/chef/chef_fs/file_system/repository/chef_repository_file_system_root_dir.rb
@@ -44,6 +44,7 @@ require "chef/chef_fs/data_handler/role_data_handler"
 require "chef/chef_fs/data_handler/user_data_handler"
 require "chef/chef_fs/data_handler/group_data_handler"
 require "chef/chef_fs/data_handler/container_data_handler"
+require "chef/win32/security" if Chef::Platform.windows?
 
 class Chef
 module ChefFS
@@ -109,7 +110,17 @@ class Chef
 else
 child_paths[name].each do |path|
 begin
- Dir.mkdir(path)
+ Dir.mkdir(path, 0700)
+ if Chef::Platform.windows?
+ all_mask = Chef::ReservedNames::Win32::API::Security::GENERIC_ALL
+ owner = Chef::ReservedNames::Win32::Security::SID.current_user
+ dacl = Chef::ReservedNames::Win32::Security::ACL.create([
+ Chef::ReservedNames::Win32::Security::ACE.access_allowed(owner, all_mask),
+ ])
+ so = Chef::ReservedNames::Win32::Security::SecurableObject.new(path)
+ so.owner = owner
+ so.set_dacl(dacl, false)
+ end
 rescue Errno::EEXIST
 end
 end
diff --git a/lib/chef/chef_fs/file_system/repository/nodes_dir.rb b/lib/chef/chef_fs/file_system/repository/nodes_dir.rb
index 33ca7ca709..349ebf1c3d 100644
--- a/lib/chef/chef_fs/file_system/repository/nodes_dir.rb
+++ b/lib/chef/chef_fs/file_system/repository/nodes_dir.rb
@@ -20,6 +20,7 @@
 require "chef/chef_fs/file_system/repository/node"
 require "chef/chef_fs/file_system/repository/directory"
 require "chef/chef_fs/file_system/exceptions"
+require "chef/win32/security" if Chef::Platform.windows?
 
 class Chef
 module ChefFS
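Review bot: In the second hunk of chef_repository_file_system_root_dir.rb the 0700 mode and the owner-only DACL are applied only when `Dir.mkdir` succeeds; on the `rescue Errno::EEXIST` path a directory that already exists keeps whatever permissions it had, so a nodes directory created by an earlier chef-solo run with the default mode is never tightened. If tightening pre-existing directories is intended, the mode/DACL step should run after the begin/rescue rather than inside it; if not, a comment such as `# mode applies only to directories created here; existing ones are left untouched` should say so. The loop also appears to cover every child path of the repository root, not just nodes, so all auto-created repository subdirectories become owner-only — if deliberate, a short comment stating the rationale would help the next maintainer. The enclosing method starts and ends outside the hunk.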
@@ -30,6 +31,24 @@ class Chef
 def make_child_entry(child_name)
 Node.new(child_name, self)
 end
+
+ def create_child(child_name, file_contents = nil)
+ child = super
+ File.chmod(0600, child.file_path)
+ if Chef::Platform.windows?
+ read_mask = Chef::ReservedNames::Win32::API::Security::GENERIC_READ
+ write_mask = Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE
+ owner = Chef::ReservedNames::Win32::Security::SID.current_user
+ dacl = Chef::ReservedNames::Win32::Security::ACL.create([
+ Chef::ReservedNames::Win32::Security::ACE.access_allowed(owner, read_mask),
+ Chef::ReservedNames::Win32::Security::ACE.access_allowed(owner, write_mask),
+ ])
+ so = Chef::ReservedNames::Win32::Security::SecurableObject.new(child.file_path)
+ so.owner = owner
+ so.set_dacl(dacl, false)
+ end
+ child
+ end
 end
 end
 end
diff --git a/spec/integration/solo/solo_spec.rb b/spec/integration/solo/solo_spec.rb
index e4228a7559..f6cb2e43ef 100644
--- a/spec/integration/solo/solo_spec.rb
+++ b/spec/integration/solo/solo_spec.rb
@@ -4,6 +4,7 @@ require "chef/run_lock"
 require "chef/config"
 require "timeout"
 require "fileutils"
+require "chef/win32/security" if Chef::Platform.windows?
 
 describe "chef-solo" do
 include IntegrationSupport
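Review bot: `File.chmod(0600, child.file_path)` in `create_child` runs after `super` has already written the file, so between creation (under the process umask, commonly yielding 0644) and the chmod the node JSON is briefly readable by other local users; the Windows branch has the same ordering, setting the DACL only after the file exists with its inherited ACL. Since node files can carry sensitive attributes, the restrictive mode belongs at creation time — e.g. the writer opening with `File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600)` — or the code should document that the owner-only parent directory from the companion change is the actual barrier. Whether `super` raises when the file already exists is not visible in this hunk; the method also leaves the Windows ACL calls unrescued, so a failure there propagates after the file has been written, which is probably the right choice but worth a comment. A one-line comment above the chmod, `# node files may contain sensitive attributes; restrict to the owner`, would record the intent.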
@@ -17,6 +18,55 @@ describe "chef-solo" do
 
 let(:chef_solo) { "ruby bin/chef-solo --legacy-mode --minimal-ohai" }
 
+ when_the_repository "creates nodes" do
+ let(:nodes_dir) { File.join(@repository_dir, "nodes") }
+ let(:node_file) { Dir[File.join(nodes_dir, "*.json")][0] }
+
+ before do
+ file "config/solo.rb", <<EOM
+chef_repo_path "#{@repository_dir}"
+EOM
+ result = shell_out("ruby bin/chef-solo -c \"#{path_to('config/solo.rb')}\" -l debug", :cwd => chef_dir)
+ result.error!
+ end
+
+ describe "on unix", :unix_only do
+ describe "the nodes directory" do
+ it "has the correct permissions" do
+ expect(File.stat(nodes_dir).mode.to_s(8)[2..5]).to eq("700")
+ end
+ end
+
+ describe "the node file" do
+ it "has the correct permissions" do
+ expect(File.stat(node_file).mode.to_s(8)[2..5]).to eq("0600")
+ end
+ end
+ end
+
+ describe "on windows", :windows_only do
+ let(:read_mask) { Chef::ReservedNames::Win32::API::Security::GENERIC_READ }
+ let(:write_mask) { Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE }
+ let(:execute_mask) { Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE }
+
+ describe "the nodes directory" do
+ it "has the correct permissions" do
+ expect(Chef::ReservedNames::Win32::File.file_access_check(nodes_dir, read_mask)).to be(true)
+ expect(Chef::ReservedNames::Win32::File.file_access_check(nodes_dir, write_mask)).to be(true)
+ expect(Chef::ReservedNames::Win32::File.file_access_check(nodes_dir, execute_mask)).to be(true)
+ end
+ end
+
+ describe "the node file" do
+ it "has the correct permissions" do
+ expect(Chef::ReservedNames::Win32::File.file_access_check(node_file, read_mask)).to be(true)
+ expect(Chef::ReservedNames::Win32::File.file_access_check(node_file, write_mask)).to be(true)
+ expect(Chef::ReservedNames::Win32::File.file_access_check(node_file, execute_mask)).to be(false)
+ end
+ end
+ end
+ end
+
 when_the_repository "has a cookbook with a basic recipe" do
 before do
 file "cookbooks/x/metadata.rb",
cookbook_x_100_metadata_rb |
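Review bot: The Windows assertions in the "creates nodes" block only establish that the current user can read and write `nodes_dir` and `node_file`; they say nothing about other principals, which is the property the DACL change is meant to enforce, so a check that the resulting DACL contains only the owner's ACEs would pin the security intent rather than the happy path. On unix, `mode.to_s(8)[2..5]` yields "700" for the directory but "0600" for the file only because the octal strings differ in length ("40700" vs "100600"), which makes the two expectations look inconsistent; masking is clearer and robust, e.g. `expect(File.stat(nodes_dir).mode & 0777).to eq(0700)` and `expect(File.stat(node_file).mode & 0777).to eq(0600)`. Neither platform's test covers a nodes directory that already existed before the run, which is the case the `rescue Errno::EEXIST` path in the companion change leaves untouched. `node_file` is `Dir[...][0]` and will be nil if no node file was written, so a failure would surface as a confusing `File.stat(nil)` error rather than a clear expectation failure.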