author | Tim Smith <tsmith@chef.io> | 2018-02-28 12:45:23 -0800 |
---|---|---|
committer | Tim Smith <tsmith@chef.io> | 2018-02-28 12:45:23 -0800 |
commit | 5882fbc87692a4b7a638c43d5b033b2761a3bd79 (patch) | |
tree | e6c3edb1835ac62e70e6ace4eec9168a2c097b67 | |
parent | 739d78afffe2de792ca98323ac51ceede10e8d0d (diff) | |
download | chef-5882fbc87692a4b7a638c43d5b033b2761a3bd79.tar.gz |
Port the travis fix from #6888one_more
This fixes spec failures on this branch in Travis
Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r-- | spec/spec_helper.rb | 20 | ||||
-rw-r--r-- | spec/unit/daemon_spec.rb | 33 |
2 files changed, 40 insertions, 13 deletions
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 283b8429e5..2b1d75bb49 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,6 +1,6 @@
 #
 # Author:: Adam Jacob (<adam@chef.io>)
-# Copyright:: Copyright 2008-2016, Chef Software, Inc.
+# Copyright:: Copyright 2008-2018, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -223,6 +223,24 @@ RSpec.configure do |config|
 ENV["CHEF_TREAT_DEPRECATION_WARNINGS_AS_ERRORS"] = "1"
 end
+ # This bit of jankiness guards against specs which accidentally drop privs when running as
+ # root -- which are nearly impossible to debug and so we bail out very hard if this
+ # condition ever happens. If a spec stubs Process.[e]uid this can throw a false positive
+ # which the spec must work around by unmocking Process.[e]uid to and_call_original in its
+ # after block.
+ if Process.euid == 0 && Process.uid == 0
+ config.after(:each) do
+ if Process.uid != 0
+ RSpec.configure { |c| c.fail_fast = true }
+ raise "rspec was invoked as root, but the last test dropped real uid to #{Process.uid}"
+ end
+ if Process.euid != 0
+ RSpec.configure { |c| c.fail_fast = true }
+ raise "rspec was invoked as root, but the last test dropped effective uid to #{Process.euid}"
+ end
+ end
+ end
+
 # raise if anyone commits any test to CI with :focus set on it
 if ENV["CI"]
 config.before(:example, :focus) do
diff --git a/spec/unit/daemon_spec.rb b/spec/unit/daemon_spec.rb
index ae3d626113..02736a1daf 100644
--- a/spec/unit/daemon_spec.rb
+++ b/spec/unit/daemon_spec.rb
@@ -1,6 +1,6 @@
 #
 # Author:: AJ Christensen (<aj@junglist.gen.nz>)
-# Copyright:: Copyright 2008-2016, Chef Software Inc.
+# Copyright:: Copyright 2008-2018, Chef Software Inc.
 # License:: Apache License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
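Review bot: The root guard added to `RSpec.configure` in spec/spec_helper.rb compares only `Process.uid` and `Process.euid`, so an example that changes just the real or effective gid leaves the `after(:each)` hook silent. The code exercised in daemon_spec.rb also goes through `Process::GID.change_privilege` and `Process.initgroups`, which makes a group-only drop a plausible way for a spec to leak. Consider recording the starting values beside the `if Process.euid == 0 && Process.uid == 0` check, `start_gids = [Process.gid, Process.egid]`, and adding `raise "rspec was invoked as root, but the last test changed gid/egid to #{Process.gid}/#{Process.egid}" if [Process.gid, Process.egid] != start_gids` to the hook, with the same `fail_fast` handling as the two uid branches. The `RSpec.configure do |config|` block starts and ends outside the hunk.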
@@ -19,6 +19,9 @@ require "spec_helper"
 require "ostruct"
 describe Chef::Daemon do
+ let(:testuser) { "thisisausernamewhichshouldnotexist" }
+ let(:testgroup) { "thisisagroupnamewhichshouldnotexist" }
+
 before do
 if windows?
 mock_struct = #Struct::Passwd.new(nil, nil, 111, 111)
@@ -73,8 +76,9 @@ describe Chef::Daemon do
 describe ".change_privilege" do
 before do
+ allow(Chef::Daemon).to receive(:_change_privilege)
 allow(Chef::Application).to receive(:fatal!).and_return(true)
- Chef::Config[:user] = "aj"
+ Chef::Config[:user] = testuser
 allow(Dir).to receive(:chdir)
 end
@@ -86,28 +90,28 @@ describe Chef::Daemon do
 describe "when the user and group options are supplied" do
 before do
- Chef::Config[:group] = "staff"
+ Chef::Config[:group] = testgroup
 end
 it "should log an appropriate info message" do
- expect(Chef::Log).to receive(:info).with("About to change privilege to aj:staff")
+ expect(Chef::Log).to receive(:info).with("About to change privilege to #{testuser}:#{testgroup}")
 Chef::Daemon.change_privilege
 end
 it "should call _change_privilege with the user and group" do
- expect(Chef::Daemon).to receive(:_change_privilege).with("aj", "staff")
+ expect(Chef::Daemon).to receive(:_change_privilege).with(testuser, testgroup)
 Chef::Daemon.change_privilege
 end
 end
 describe "when just the user option is supplied" do
 it "should log an appropriate info message" do
- expect(Chef::Log).to receive(:info).with("About to change privilege to aj")
+ expect(Chef::Log).to receive(:info).with("About to change privilege to #{testuser}")
 Chef::Daemon.change_privilege
 end
 it "should call _change_privilege with just the user" do
- expect(Chef::Daemon).to receive(:_change_privilege).with("aj")
+ expect(Chef::Daemon).to receive(:_change_privilege).with(testuser)
 Chef::Daemon.change_privilege
 end
 end
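Review bot: Nothing in the `.change_privilege` `before` block says why `_change_privilege` is now stubbed with `allow(Chef::Daemon).to receive(:_change_privilege)`, and the `testuser`/`testgroup` lets in the first hunk are equally unexplained. If the intent is what the names suggest, keeping these examples away from a real account and a real setuid/setgid call when the suite runs as root, a comment would stop a later cleanup from removing either safeguard. Something like `# stubbed so these examples can never change the privileges of the rspec process itself` above the `allow`, and `# deliberately non-existent names: a missed stub fails the lookup instead of switching to a real account` above the lets, would do. The outer `describe Chef::Daemon do` block continues outside these hunks.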
@@ -138,18 +142,18 @@ describe Chef::Daemon do
 end
 it "should initialize the supplemental group list" do
- expect(Process).to receive(:initgroups).with("aj", 20)
- Chef::Daemon._change_privilege("aj")
+ expect(Process).to receive(:initgroups).with(testuser, 20)
+ Chef::Daemon._change_privilege(testuser)
 end
 it "should attempt to change the process GID" do
 expect(Process::GID).to receive(:change_privilege).with(20).and_return(20)
- Chef::Daemon._change_privilege("aj")
+ Chef::Daemon._change_privilege(testuser)
 end
 it "should attempt to change the process UID" do
 expect(Process::UID).to receive(:change_privilege).with(501).and_return(501)
- Chef::Daemon._change_privilege("aj")
+ Chef::Daemon._change_privilege(testuser)
 end
 end
@@ -159,6 +163,11 @@ describe Chef::Daemon do
 allow(Process).to receive(:egid).and_return(999)
 end
+ after do
+ allow(Process).to receive(:euid).and_call_original
+ allow(Process).to receive(:egid).and_call_original
+ end
+
 it "should log an appropriate error message and fail miserably" do
 allow(Process).to receive(:initgroups).and_raise(Errno::EPERM)
 error = "Operation not permitted"
@@ -166,7 +175,7 @@ describe Chef::Daemon do
 error = "Not owner"
 end
 expect(Chef::Application).to receive(:fatal!).with("Permission denied when trying to change 999:999 to 501:20. #{error}")
- Chef::Daemon._change_privilege("aj")
+ Chef::Daemon._change_privilege(testuser)
 end
 end
|
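Review bot: The `after do` block added in the `@@ -159,6 +163,11 @@` hunk has no comment tying it to the root guard in spec/spec_helper.rb, so it reads as redundant cleanup that a later edit could delete. It appears to be the workaround that guard's own comment asks for: the `before` block stubs `Process.egid` to 999 (and presumably `Process.euid` above the hunk), and the guard would otherwise report a dropped effective uid. A comment such as `# restore the real Process.euid/egid so spec_helper's root guard does not mistake the 999 stubs for a privilege drop` above the two `and_call_original` lines would record that. It may also be worth noting there that this relies on group-level `after` hooks running before the config-level one. The enclosing `describe` block starts outside the hunk.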