diff options
| author | Steven Danna <steve@opscode.com> | 2014-12-09 13:27:21 +0000 |
|---|---|---|
| committer | Bryan McLellan <btm@opscode.com> | 2015-02-17 08:46:37 -0500 |
| commit | 9b6f1129364ab39dd272ccffd14bbc82f4c32ace (patch) | |
| tree | edf4a8534cef7b646ffc30783c0f3ae08ed6f092 | |
| parent | cd7bac6dc131c958c8f6ccac6e50f2dca655dfd9 (diff) | |
| download | chef-9b6f1129364ab39dd272ccffd14bbc82f4c32ace.tar.gz | |
Implement RFC 027 File Verification
This implements usable-suppliable file content verification per RFC
027. Users can supplie a block, string, or symbol to the `verify`
resource attribute. Blocks will be called, string will be executed as
shell commands (respecing the same options as not_if and only_if), and
symbols can be used to access built-in registered validations.
| -rw-r--r-- | lib/chef/exceptions.rb | 1 | ||||
| -rw-r--r-- | lib/chef/provider/file.rb | 8 | ||||
| -rw-r--r-- | lib/chef/resource/file.rb | 14 | ||||
| -rw-r--r-- | lib/chef/resource/file/verification.rb | 118 | ||||
| -rw-r--r-- | spec/support/shared/unit/provider/file.rb | 30 | ||||
| -rw-r--r-- | spec/unit/resource/conditional_spec.rb | 1 | ||||
| -rw-r--r-- | spec/unit/resource/file/verification_spec.rb | 107 | ||||
| -rw-r--r-- | spec/unit/resource/file_spec.rb | 14 |
8 files changed, 292 insertions, 1 deletions
diff --git a/lib/chef/exceptions.rb b/lib/chef/exceptions.rb index 38ba984ea7..ecd84c5ba5 100644 --- a/lib/chef/exceptions.rb +++ b/lib/chef/exceptions.rb @@ -90,6 +90,7 @@ class Chef class ConflictingMembersInGroup < ArgumentError; end class InvalidResourceReference < RuntimeError; end class ResourceNotFound < RuntimeError; end + class VerificationNotFound < RuntimeError; end # Can't find a Resource of this type that is valid on this platform. class NoSuchResourceType < NameError diff --git a/lib/chef/provider/file.rb b/lib/chef/provider/file.rb index a9390cc45c..c070d29458 100644 --- a/lib/chef/provider/file.rb +++ b/lib/chef/provider/file.rb @@ -345,6 +345,14 @@ class Chef if new_resource.checksum && tempfile && ( new_resource.checksum != tempfile_checksum ) raise Chef::Exceptions::ChecksumMismatch.new(short_cksum(new_resource.checksum), short_cksum(tempfile_checksum)) end + + if tempfile + new_resource.verify.each do |v| + if ! v.verify(tempfile.path) + raise Chef::Exceptions::ValidationFailed.new "Proposed content for #{new_resource.path} failed verification #{v}" + end + end + end end def do_unlink diff --git a/lib/chef/resource/file.rb b/lib/chef/resource/file.rb index 16491f9bc8..7662731f44 100644 --- a/lib/chef/resource/file.rb +++ b/lib/chef/resource/file.rb @@ -20,6 +20,7 @@ require 'chef/resource' require 'chef/platform/query_helpers' require 'chef/mixin/securable' +require 'chef/resource/file/verification' class Chef class Resource @@ -50,6 +51,7 @@ class Chef @force_unlink = false @manage_symlink_source = nil @diff = nil + @user_verifications = [] end def content(arg=nil) @@ -115,6 +117,18 @@ class Chef :kind_of => [ TrueClass, FalseClass ] ) end + + def verify(command=nil, opts={}, &block) + if ! (command.nil? || [String, Symbol].include?(command.class)) + raise ArgumentError, "verify requires either a string, symbol, or a block" + end + + if command || block_given? + @user_verifications << Verification.new(self, command, opts, &block) + else + @user_verifications + end + end end end end diff --git a/lib/chef/resource/file/verification.rb b/lib/chef/resource/file/verification.rb new file mode 100644 index 0000000000..5e75cbf6a7 --- /dev/null +++ b/lib/chef/resource/file/verification.rb @@ -0,0 +1,118 @@ +# +# Author:: Steven Danna (<steve@chef.io>) +# Copyright:: Copyright (c) 2014 Chef Software, Inc +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require 'chef/exceptions' + +class Chef + class Resource + class File < Chef::Resource + + # + # See RFC 027 for a full specification + # + # File verifications allow user-supplied commands a means of + # preventing file reosurce content deploys. Their intended use + # is to verify the contents of a temporary file before it is + # deployed onto the system. + # + # Similar to not_if and only_if, file verifications can take a + # ruby block, which will be called, or a string, which will be + # executed as a Shell command. + # + # Additonally, Chef or third-party verifications can ship + # "registered verifications" that the user can use by specifying + # a :symbol as the command name. + # + # To create a registered verification, create a class that + # inherits from Chef::Resource::File::Verification and use the + # register class method to give it name. Registered + # verifications are expected to supply a verify instance method + # that takes 2 arguments. + # + # Example: + # class Chef + # class Resource + # class File::Verification::Foo < Chef::Resource::File::Verification + # register :noop + # def verify(path, opts) + # #yolo + # true + # end + # end + # end + # end + # + # + + class Verification + @@registered_verifications = {} + + def self.register(name) + @@registered_verifications[name] = self.name + end + + def self.lookup(name) + c = @@registered_verifications[name] + if c.nil? + raise Chef::Exceptions::VerificationNotFound.new "No file verification for #{name} found." + end + Object.const_get(c) + end + + def initialize(parent_resource, command, opts, &block) + @command, @command_opts = command, opts + @block = block + @parent_resource = parent_resource + end + + def verify(path, opts={}) + Chef::Log.debug("Running verification[#{self}] on #{path}") + if @block + verify_block(path, opts) + elsif @command.is_a?(Symbol) + verify_registered_verification(path, opts) + elsif @command.is_a?(String) + verify_command(path, opts) + end + end + + def verify_block(path, opts) + @block.call(path) + end + + # We reuse Chef::GuardInterpreter in order to support + # the same set of options that the not_if/only_if blocks do + def verify_command(path, opts) + command = @command % {:file => path} + interpreter = if @parent_resource.guard_interpreter == :default + Chef::GuardInterpreter::DefaultGuardInterpreter.new(command, @command_opts) + else + Chef::GuardInterpreter::ResourceGuardInterpreter.new(@parent_resource, command, @command_opts) + end + interpreter.evaluate + end + + def verify_registered_verification(path, opts) + verification_class = Chef::Resource::File::Verification.lookup(@command) + v = verification_class.new(@parent_resource, @command, @command_opts, &@block) + v.verify(path, opts) + end + end + end + end +end diff --git a/spec/support/shared/unit/provider/file.rb b/spec/support/shared/unit/provider/file.rb index 25c2b52b1b..86f32c9e89 100644 --- a/spec/support/shared/unit/provider/file.rb +++ b/spec/support/shared/unit/provider/file.rb @@ -456,6 +456,36 @@ shared_examples_for Chef::Provider::File do provider.run_action(:create) end + context "do_validate_content" do + before { setup_normal_file } + + let(:tempfile) { + t = double('Tempfile', :path => "/tmp/foo-bar-baz", :closed? => true) + allow(content).to receive(:tempfile).and_return(t) + t + } + + let(:verification) { double("Verification") } + + context "with user-supplied verifications" do + it "calls #verify on each verification with tempfile path" do + allow(Chef::Resource::File::Verification).to receive(:new).and_return(verification) + provider.new_resource.verify "true" + provider.new_resource.verify "true" + expect(verification).to receive(:verify).with(tempfile.path).twice.and_return(true) + provider.send(:do_validate_content) + end + + it "raises an exception if any verification fails" do + provider.new_resource.verify "true" + provider.new_resource.verify "false" + allow(verification).to receive(:verify).with("true").and_return(true) + allow(verification).to receive(:verify).with("false").and_return(false) + expect{provider.send(:do_validate_content)}.to raise_error(Chef::Exceptions::ValidationFailed) + end + end + end + context "do_create_file" do context "when the file exists" do before { setup_normal_file } diff --git a/spec/unit/resource/conditional_spec.rb b/spec/unit/resource/conditional_spec.rb index 49240edfdf..489c1136b1 100644 --- a/spec/unit/resource/conditional_spec.rb +++ b/spec/unit/resource/conditional_spec.rb @@ -205,5 +205,4 @@ describe Chef::Resource::Conditional do end end end - end diff --git a/spec/unit/resource/file/verification_spec.rb b/spec/unit/resource/file/verification_spec.rb new file mode 100644 index 0000000000..60e51ddb93 --- /dev/null +++ b/spec/unit/resource/file/verification_spec.rb @@ -0,0 +1,107 @@ +# +# Author:: Steven Danna (<steve@chef.io>) +# Copyright:: Copyright (c) 2014 Chef Software, Inc +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require 'spec_helper' + +describe Chef::Resource::File::Verification do + let(:t_block) { Proc.new { true } } + let(:f_block) { Proc.new { false } } + let(:path_block) { Proc.new { |path| path }} + let(:temp_path) { "/tmp/foobar" } + + describe "verification registration" do + it "registers a verification for later use" do + class Chef::Resource::File::Verification::Wombat < Chef::Resource::File::Verification + register :tabmow + end + expect(Chef::Resource::File::Verification.lookup(:tabmow)).to eq(Chef::Resource::File::Verification::Wombat) + end + + it "raises an error if a verificationc can't be found" do + expect{Chef::Resource::File::Verification.lookup(:dne)}.to raise_error(Chef::Exceptions::VerificationNotFound) + end + end + + describe "#verify" do + let(:parent_resource) { Chef::Resource.new("llama") } + + it "expects a string argument" do + v = Chef::Resource::File::Verification.new(parent_resource, nil, {}) {} + expect{ v.verify("/foo/bar") }.to_not raise_error + expect{ v.verify }.to raise_error + end + + it "accepts an options hash" do + v = Chef::Resource::File::Verification.new(parent_resource, nil, {}) {} + expect{ v.verify("/foo/bar", {:future => true}) }.to_not raise_error + end + + context "with a verification block" do + it "passes a file path to the block" do + v = Chef::Resource::File::Verification.new(parent_resource, nil, {}, &path_block) + expect(v.verify(temp_path)).to eq(temp_path) + end + + it "returns true if the block returned true" do + v = Chef::Resource::File::Verification.new(parent_resource, nil, {}, &t_block) + expect(v.verify(temp_path)).to eq(true) + end + + it "returns false if the block returned false" do + v = Chef::Resource::File::Verification.new(parent_resource, nil, {}, &f_block) + expect(v.verify(temp_path)).to eq(false) + end + end + + context "with a verification command(String)" do + it "substitutes \%{file} with the path" do + test_command = "test #{temp_path} = %{file}" + v = Chef::Resource::File::Verification.new(parent_resource, test_command, {}) + expect(v.verify(temp_path)).to eq(true) + end + + it "returns false if the command fails" do + v = Chef::Resource::File::Verification.new(parent_resource, "false", {}) + expect(v.verify(temp_path)).to eq(false) + end + + it "returns true if the command succeeds" do + v = Chef::Resource::File::Verification.new(parent_resource, "true", {}) + expect(v.verify(temp_path)).to eq(true) + end + end + + context "with a named verification(Symbol)" do + before(:each) do + class Chef::Resource::File::Verification::Turtle < Chef::Resource::File::Verification + register :cats + def verify(path, opts) + end + end + end + + it "delegates to the registered verification" do + registered_verification = double() + allow(Chef::Resource::File::Verification::Turtle).to receive(:new).and_return(registered_verification) + v = Chef::Resource::File::Verification.new(parent_resource, :cats, {}) + expect(registered_verification).to receive(:verify).with(temp_path, {}) + v.verify(temp_path, {}) + end + end + end +end diff --git a/spec/unit/resource/file_spec.rb b/spec/unit/resource/file_spec.rb index cfa7511673..db52e35004 100644 --- a/spec/unit/resource/file_spec.rb +++ b/spec/unit/resource/file_spec.rb @@ -66,6 +66,20 @@ describe Chef::Resource::File do expect { @resource.action :blues }.to raise_error(ArgumentError) end + it "should accept a block, symbol, or string for verify" do + expect {@resource.verify {}}.not_to raise_error + expect {@resource.verify ""}.not_to raise_error + expect {@resource.verify :json}.not_to raise_error + expect {@resource.verify true}.to raise_error + expect {@resource.verify false}.to raise_error + end + + it "should accept multiple verify statements" do + @resource.verify "foo" + @resource.verify "bar" + @resource.verify.length == 2 + end + it "should use the object name as the path by default" do expect(@resource.path).to eql("fakey_fakerton") end |