authorJohn McCrae <john.mccrae@progress.com>2023-03-07 14:14:41 -0800
committerGitHub <noreply@github.com>2023-03-07 14:14:41 -0800
commit36371b5f8ffa96c587286ac97a465d9f18c627ac (patch)
tree6ff45eb1ca45425a30dfe6b5432366d6578ebd99
parent103f17e4e3ab1c59f6385ab5539a9213411983c1 (diff)
parent83ad814c23d2b55411bd2f8d9e412008cfb81368 (diff)
downloadchef-jfm/chef18_test_build.tar.gz
Merge branch 'main' into jfm/chef18_test_buildjfm/chef18_test_build
-rw-r--r--.github/workflows/func_spec.yml2
-rw-r--r--CHANGELOG.md8
-rw-r--r--Gemfile.lock62
-rw-r--r--VERSION2
-rw-r--r--chef-bin/lib/chef-bin/version.rb2
-rw-r--r--chef-config/lib/chef-config/version.rb2
-rw-r--r--chef-utils/lib/chef-utils/version.rb2
-rw-r--r--docs/dev/README.md1
-rw-r--r--kitchen-tests/cookbooks/end_to_end/recipes/linux.rb25
-rw-r--r--knife/Gemfile.lock4
-rw-r--r--knife/lib/chef/knife/version.rb2
-rw-r--r--lib/chef/resource/macos_userdefaults.rb14
-rw-r--r--lib/chef/resource/selinux_login.rb129
-rw-r--r--lib/chef/resource/selinux_user.rb137
-rw-r--r--lib/chef/resources.rb2
-rw-r--r--lib/chef/version.rb2
-rw-r--r--spec/functional/resource/macos_userdefaults_spec.rb8
-rw-r--r--spec/unit/resource/macos_user_defaults_spec.rb8
-rw-r--r--spec/unit/resource/selinux_login_spec.rb73
-rw-r--r--spec/unit/resource/selinux_user_spec.rb92
20 files changed, 544 insertions, 33 deletions
diff --git a/.github/workflows/func_spec.yml b/.github/workflows/func_spec.yml
index 3900bd1d00..f7a2c47b21 100644
--- a/.github/workflows/func_spec.yml
+++ b/.github/workflows/func_spec.yml
@@ -40,4 +40,4 @@ jobs:
ruby-version: ${{ matrix.ruby }}
bundler-cache: false
- run: bundle install
- - run: bundle exec rspec spec/functional/resource/macos_userdefaults_spec.rb
+ - run: sudo bundle exec rspec spec/functional/resource/macos_userdefaults_spec.rb
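Review bot: The added `sudo bundle exec rspec …` step runs the spec as root, while `bundle install` on the line before it ran as the runner user. sudo normally resets the environment, so the Ruby and gem paths prepared earlier in the job may not be the ones root sees; `sudo -E env "PATH=$PATH" bundle exec rspec …` is one way to carry them over if that turns out to be needed. A short comment such as `# root is required to write defaults outside the runner user's scope` (adjusted to the real reason) would help keep the privilege limited to this one step. The job definition starts outside the hunk.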
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93e42f58c3..ff05fde037 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,17 +1,19 @@
<!-- usage documentation: http://expeditor-docs.es.chef.io/configuration/changelog/ -->
This changelog lists individual merged pull requests to Chef Infra Client and geared towards developers. For a list of significant changes per release see the [Chef Infra Client Release Notes](https://docs.chef.io/release_notes_client/).
-<!-- latest_release 18.1.29 -->
-## [v18.1.29](https://github.com/chef/chef/tree/v18.1.29) (2023-03-02)
+<!-- latest_release 18.1.31 -->
+## [v18.1.31](https://github.com/chef/chef/tree/v18.1.31) (2023-03-07)
#### Merged Pull Requests
-- Correcting cert retrieval issues for multiple user scenarios [#13552](https://github.com/chef/chef/pull/13552) ([johnmccrae](https://github.com/johnmccrae))
+- set default values for user and host on userdefaults [#12791](https://github.com/chef/chef/pull/12791) ([rishichawda](https://github.com/rishichawda))
<!-- latest_release -->
<!-- release_rollup since=18.1.0 -->
### Changes not yet released to stable
#### Merged Pull Requests
+- set default values for user and host on userdefaults [#12791](https://github.com/chef/chef/pull/12791) ([rishichawda](https://github.com/rishichawda)) <!-- 18.1.31 -->
+- Add selinux_user and selinux_login resources [#13511](https://github.com/chef/chef/pull/13511) ([wheatevo](https://github.com/wheatevo)) <!-- 18.1.30 -->
- Correcting cert retrieval issues for multiple user scenarios [#13552](https://github.com/chef/chef/pull/13552) ([johnmccrae](https://github.com/johnmccrae)) <!-- 18.1.29 -->
- Updated the proxifier dependency [#13617](https://github.com/chef/chef/pull/13617) ([nikhil2611](https://github.com/nikhil2611)) <!-- 18.1.28 -->
- chore: Use the `chef_dictionary` directly. [#13467](https://github.com/chef/chef/pull/13467) ([Jason3S](https://github.com/Jason3S)) <!-- 18.1.27 -->
diff --git a/Gemfile.lock b/Gemfile.lock
index 5d047fc1a9..f9285af0cf 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -37,12 +37,12 @@ GIT
PATH
remote: .
specs:
- chef (18.1.29)
+ chef (18.1.31)
addressable
aws-sdk-s3 (~> 1.91)
aws-sdk-secretsmanager (~> 1.46)
- chef-config (= 18.1.29)
- chef-utils (= 18.1.29)
+ chef-config (= 18.1.31)
+ chef-utils (= 18.1.31)
chef-vault
chef-zero (>= 14.0.11)
corefoundation (~> 0.3.4)
@@ -71,19 +71,65 @@ PATH
unf_ext (>= 0.0.8.2)
uuidtools (>= 2.1.5, < 3.0)
vault (~> 0.16)
+ chef (18.1.31-x64-mingw-ucrt)
+ addressable
+ aws-sdk-s3 (~> 1.91)
+ aws-sdk-secretsmanager (~> 1.46)
+ chef-config (= 18.1.31)
+ chef-powershell (~> 1.0.12)
+ chef-utils (= 18.1.31)
+ chef-vault
+ chef-zero (>= 14.0.11)
+ corefoundation (~> 0.3.4)
+ diff-lcs (>= 1.2.4, < 1.6.0, != 1.4.0)
+ erubis (~> 2.7)
+ ffi (>= 1.15.5)
+ ffi-libarchive (~> 1.0, >= 1.0.3)
+ ffi-yajl (~> 2.2)
+ iniparse (~> 1.4)
+ inspec-core (>= 5)
+ iso8601 (>= 0.12.1, < 0.14)
+ license-acceptance (>= 1.0.5, < 3)
+ mixlib-archive (>= 0.4, < 2.0)
+ mixlib-authentication (>= 2.1, < 4)
+ mixlib-cli (>= 2.1.1, < 3.0)
+ mixlib-log (>= 2.0.3, < 4.0)
+ mixlib-shellout (>= 3.1.1, < 4.0)
+ net-ftp
+ net-sftp (>= 2.1.2, < 5.0)
+ ohai (~> 18.0)
+ plist (~> 3.2)
+ proxifier2 (~> 1.1)
+ syslog-logger (~> 1.6)
+ train-core (~> 3.10)
+ train-rest (>= 0.4.1)
+ train-winrm (>= 0.2.5)
+ unf_ext (>= 0.0.8.2)
+ uuidtools (>= 2.1.5, < 3.0)
+ vault (~> 0.16)
+ win32-api (~> 1.10.0)
+ win32-certstore (~> 0.6.15)
+ win32-event (~> 0.6.1)
+ win32-eventlog (= 0.6.3)
+ win32-mmap (~> 0.4.1)
+ win32-mutex (~> 0.4.2)
+ win32-process (~> 0.9)
+ win32-service (>= 2.1.5, < 3.0)
+ win32-taskscheduler (~> 2.0)
+ wmi-lite (~> 1.0)
PATH
remote: chef-bin
specs:
- chef-bin (18.1.29)
- chef (= 18.1.29)
+ chef-bin (18.1.31)
+ chef (= 18.1.31)
PATH
remote: chef-config
specs:
- chef-config (18.1.29)
+ chef-config (18.1.31)
addressable
- chef-utils (= 18.1.29)
+ chef-utils (= 18.1.31)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
@@ -92,7 +138,7 @@ PATH
PATH
remote: chef-utils
specs:
- chef-utils (18.1.29)
+ chef-utils (18.1.31)
concurrent-ruby
GEM
diff --git a/VERSION b/VERSION
index a1f06344ad..e19a03f0a9 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-18.1.29 \ No newline at end of file
+18.1.31 \ No newline at end of file
diff --git a/chef-bin/lib/chef-bin/version.rb b/chef-bin/lib/chef-bin/version.rb
index 6e70ce8220..ddd01a63f9 100644
--- a/chef-bin/lib/chef-bin/version.rb
+++ b/chef-bin/lib/chef-bin/version.rb
@@ -21,7 +21,7 @@
module ChefBin
CHEFBIN_ROOT = File.expand_path("..", __dir__)
- VERSION = "18.1.29".freeze
+ VERSION = "18.1.31".freeze
end
#
diff --git a/chef-config/lib/chef-config/version.rb b/chef-config/lib/chef-config/version.rb
index 7954afd499..35b4083a44 100644
--- a/chef-config/lib/chef-config/version.rb
+++ b/chef-config/lib/chef-config/version.rb
@@ -15,5 +15,5 @@
module ChefConfig
CHEFCONFIG_ROOT = File.expand_path("..", __dir__)
- VERSION = "18.1.29".freeze
+ VERSION = "18.1.31".freeze
end
diff --git a/chef-utils/lib/chef-utils/version.rb b/chef-utils/lib/chef-utils/version.rb
index 0e8409c46d..43435a03e2 100644
--- a/chef-utils/lib/chef-utils/version.rb
+++ b/chef-utils/lib/chef-utils/version.rb
@@ -16,5 +16,5 @@
module ChefUtils
CHEFUTILS_ROOT = File.expand_path("..", __dir__)
- VERSION = "18.1.29"
+ VERSION = "18.1.31"
end
diff --git a/docs/dev/README.md b/docs/dev/README.md
index 20a756b1f4..756fe808e8 100644
--- a/docs/dev/README.md
+++ b/docs/dev/README.md
@@ -10,6 +10,7 @@ A good first start is our [How Chef Infra Is Built](./design_documents/how_chef_
- [Branching and Backporting Changes](./how_to/branching_and_backporting.md)
- [Updating Dependencies](./how_to/updating_dependencies.md)
- [Bumping Major and Minor Versions](./how_to/bumping_minor_or_major_versions.md)
+- [Debugging Effortless Chef from Export](./how_to/debugging_effortless.md)
## Design Documents
diff --git a/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb b/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
index d8e824fde6..b1b907a6d5 100644
--- a/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
+++ b/kitchen-tests/cookbooks/end_to_end/recipes/linux.rb
@@ -34,6 +34,31 @@ if platform_family?("rhel", "fedora", "amazon")
selinux_state "permissive" do
action :permissive
end
+
+ user "se_map_test"
+
+ selinux_user "se_map_test_u" do
+ level "s0"
+ range "s0"
+ roles %w{sysadm_r staff_r}
+ end
+
+ selinux_login "se_map_test" do
+ user "se_map_test_u"
+ range "s0"
+ end
+
+ selinux_login "se_map_test" do
+ action :delete
+ end
+
+ selinux_user "se_map_test_u" do
+ action :delete
+ end
+
+ user "se_map_test" do
+ action :remove
+ end
end
build_essential do
diff --git a/knife/Gemfile.lock b/knife/Gemfile.lock
index a26ea03366..c8db6fa2a7 100644
--- a/knife/Gemfile.lock
+++ b/knife/Gemfile.lock
@@ -1,8 +1,8 @@
PATH
remote: ..
specs:
- chef (18.1.29)
- chef (18.1.29-x64-mingw-ucrt)
+ chef (18.1.31)
+ chef (18.1.31-x64-mingw-ucrt)
PLATFORMS
ruby
diff --git a/knife/lib/chef/knife/version.rb b/knife/lib/chef/knife/version.rb
index 4c321f1fd7..803a8e95a2 100644
--- a/knife/lib/chef/knife/version.rb
+++ b/knife/lib/chef/knife/version.rb
@@ -17,7 +17,7 @@
class Chef
class Knife
KNIFE_ROOT = File.expand_path("../..", __dir__)
- VERSION = "18.1.29".freeze
+ VERSION = "18.1.31".freeze
end
end
diff --git a/lib/chef/resource/macos_userdefaults.rb b/lib/chef/resource/macos_userdefaults.rb
index 7559990d3a..558188c932 100644
--- a/lib/chef/resource/macos_userdefaults.rb
+++ b/lib/chef/resource/macos_userdefaults.rb
@@ -50,15 +50,17 @@ class Chef
end
```
- **Specifying the type of a key to skip automatic type detection**
+ **Setting a value for specific user and hosts**
```ruby
- macos_userdefaults 'Finder expanded save dialogs' do
- key 'NSNavPanelExpandedStateForSaveMode'
- value 'TRUE'
- type 'bool'
+ macos_userdefaults 'Enable macOS firewall' do
+ key 'globalstate'
+ value 1
+ user 'jane'
+ host :current
end
```
+
DOC
property :domain, String,
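Review bot: The new example is titled 'Enable macOS firewall' but sets `key 'globalstate'` with no `domain`, so it writes to the resource's default domain, which the specs in this commit show to be `NSGlobalDomain`. As far as I know the application firewall reads its state from the `com.apple.alf` preferences, so a reader copying this block would believe the firewall is on when it is not; adding `domain '/Library/Preferences/com.apple.alf'` (and dropping `user 'jane'`, since the setting is system-wide) would make the example do what its title says. The hunk also removes the only `type` example visible here rather than adding the new one next to it. The heredoc starts outside the hunk.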
@@ -79,6 +81,7 @@ class Chef
property :host, [String, Symbol],
description: "Set either :current, :all or a hostname to set the user default at the host level.",
+ default: :all,
desired_state: false,
introduced: "16.3"
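Review bot: `default: :all` here and `default: :current` on `user` in the next hunk change what a resource that sets neither property does, since both used to be nil (the removed spec expectations in this commit confirm that). The code that turns these values into the `defaults` invocation is outside the hunk, so please confirm that nil and the new symbols take the same path there; otherwise existing cookbooks start writing to a different host or user scope on upgrade. Because chef-client usually runs as root, `:current` presumably resolves to root rather than the logged-in user, which is worth saying in the `user` description.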
@@ -94,6 +97,7 @@ class Chef
property :user, [String, Symbol],
description: "The system user that the default will be applied to. Set :current for current user, :all for all users or pass a valid username",
+ default: :current,
desired_state: false
property :sudo, [TrueClass, FalseClass],
diff --git a/lib/chef/resource/selinux_login.rb b/lib/chef/resource/selinux_login.rb
new file mode 100644
index 0000000000..f634b2cb9c
--- /dev/null
+++ b/lib/chef/resource/selinux_login.rb
@@ -0,0 +1,129 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+ class Resource
+ class SelinuxLogin < Chef::Resource
+ unified_mode true
+
+ provides :selinux_login
+
+ description "Use the **selinux_login** resource to add, update, or remove SELinux user to OS login mappings."
+ introduced "18.1"
+ examples <<~DOC
+ **Manage test OS user mapping with a range of s0 and associated SELinux user test_u**:
+
+ ```ruby
+ selinux_login 'test' do
+ user 'test_u'
+ range 's0'
+ end
+ ```
+ DOC
+
+ property :login, String,
+ name_property: true,
+ description: "An optional property to set the OS user login value if it differs from the resource block's name."
+
+ property :user, String,
+ description: "SELinux user to be mapped."
+
+ property :range, String,
+ description: "MLS/MCS security range for the SELinux user."
+
+ load_current_value do |new_resource|
+ logins = shell_out!("semanage login -l").stdout.split("\n")
+
+ current_login = logins.grep(/^#{Regexp.escape(new_resource.login)}\s+/) do |l|
+ l.match(/^(?<login>[^\s]+)\s+(?<user>[^\s]+)\s+(?<range>[^\s]+)/)
+ # match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
+ end.shift
+
+ current_value_does_not_exist! unless current_login
+
+ # Existing resources should maintain their current configuration unless otherwise specified
+ new_resource.user ||= current_login[:user]
+ new_resource.range ||= current_login[:range]
+
+ user current_login[:user]
+ range current_login[:range]
+ end
+
+ action_class do
+ include Chef::SELinux::CommonHelpers
+
+ def semanage_login_args
+ # Generate arguments for semanage login -a or -m
+ args = ""
+
+ args += " -s #{new_resource.user}" if new_resource.user
+ args += " -r #{new_resource.range}" if new_resource.range
+
+ args
+ end
+ end
+
+ action :manage, description: "Sets the SELinux login mapping to the desired settings regardless of previous state." do
+ run_action(:add)
+ run_action(:modify)
+ end
+
+ # Create if doesn't exist, do not touch if user already exists
+ action :add, description: "Creates the SELinux login mapping if not previously created." do
+ raise "The user property must be populated to create a new SELinux login" if new_resource.user.to_s.empty?
+
+ if selinux_disabled?
+ Chef::Log.warn("Unable to add SELinux login #{new_resource.login} as SELinux is disabled")
+ return
+ end
+
+ unless current_resource
+ converge_if_changed do
+ shell_out!("semanage login -a#{semanage_login_args} #{new_resource.login}")
+ end
+ end
+ end
+
+ # Only modify port if it exists & doesn't have the correct context already
+ action :modify, description: "Updates the SELinux login mapping if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to modify SELinux login #{new_resource.login} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_if_changed do
+ shell_out!("semanage login -m#{semanage_login_args} #{new_resource.login}")
+ end
+ end
+ end
+
+ # Delete if exists
+ action :delete, description: "Removes the SELinux login mapping if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to delete SELinux login #{new_resource.login} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_by "deleting SELinux login #{new_resource.login}" do
+ shell_out!("semanage login -d #{new_resource.login}")
+ end
+ end
+ end
+ end
+ end
+end
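Review bot: `semanage_login_args` and the three `shell_out!` calls assemble one command string from `new_resource.user`, `new_resource.range` and `new_resource.login`, so those values are parsed by a shell during a converge that normally runs as root. The properties are only typed as `String`; if a cookbook fills them from node attributes or a data bag, whitespace or shell metacharacters in a value change the command that is executed. Passing the command as separate arguments keeps the shell out of it, as sketched below; the expectations in `spec/unit/resource/selinux_login_spec.rb` would then compare against arrays. `lib/chef/resource/selinux_user.rb` has the same pattern in `semanage_user_args` and its `shell_out!` calls, including the hand-quoted `-R '...'`.

```ruby
def semanage_login_args
  # Argument vector for semanage login -a or -m; never parsed by a shell
  args = []
  args.push("-s", new_resource.user) if new_resource.user
  args.push("-r", new_resource.range) if new_resource.range
  args
end

# … unchanged: action :manage, checks at the top of :add …
shell_out!("semanage", "login", "-a", *semanage_login_args, new_resource.login)
# … unchanged: checks at the top of :modify …
shell_out!("semanage", "login", "-m", *semanage_login_args, new_resource.login)
# … unchanged: checks at the top of :delete …
shell_out!("semanage", "login", "-d", new_resource.login)
```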
diff --git a/lib/chef/resource/selinux_user.rb b/lib/chef/resource/selinux_user.rb
new file mode 100644
index 0000000000..ca8d69c919
--- /dev/null
+++ b/lib/chef/resource/selinux_user.rb
@@ -0,0 +1,137 @@
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "../resource"
+require_relative "selinux/common_helpers"
+
+class Chef
+ class Resource
+ class SelinuxUser < Chef::Resource
+ unified_mode true
+
+ provides :selinux_user
+
+ description "Use the **selinux_user** resource to add, update, or remove SELinux users."
+ introduced "18.1"
+ examples <<~DOC
+ **Manage test_u SELinux user with a level and range of s0 and roles sysadm_r and staff_r**:
+
+ ```ruby
+ selinux_user 'test_u' do
+ level 's0'
+ range 's0'
+ roles %w(sysadm_r staff_r)
+ end
+ ```
+ DOC
+
+ property :user, String,
+ name_property: true,
+ description: "An optional property to set the SELinux user value if it differs from the resource block's name."
+
+ property :level, String,
+ description: "MLS/MCS security level for the SELinux user."
+
+ property :range, String,
+ description: "MLS/MCS security range for the SELinux user."
+
+ property :roles, Array,
+ description: "Associated SELinux roles for the user.",
+ coerce: proc { |r| Array(r).sort }
+
+ load_current_value do |new_resource|
+ users = shell_out!("semanage user -l").stdout.split("\n")
+
+ current_user = users.grep(/^#{Regexp.escape(new_resource.user)}\s+/) do |u|
+ u.match(/^(?<user>[^\s]+)\s+(?<prefix>[^\s]+)\s+(?<level>[^\s]+)\s+(?<range>[^\s]+)\s+(?<roles>.*)$/)
+ # match returns [<Match 'data'>] or [], shift converts that to <Match 'data'> or nil
+ end.shift
+
+ current_value_does_not_exist! unless current_user
+
+ # Existing resources should maintain their current configuration unless otherwise specified
+ new_resource.level ||= current_user[:level]
+ new_resource.range ||= current_user[:range]
+ new_resource.roles ||= current_user[:roles].to_s.split.sort
+
+ level current_user[:level]
+ range current_user[:range]
+ roles current_user[:roles].to_s.split.sort
+ end
+
+ action_class do
+ include Chef::SELinux::CommonHelpers
+
+ def semanage_user_args
+ # Generate arguments for semanage user -a or -m
+ args = ""
+
+ args += " -L #{new_resource.level}" if new_resource.level
+ args += " -r #{new_resource.range}" if new_resource.range
+ args += " -R '#{new_resource.roles.join(" ")}'" unless new_resource.roles.to_a.empty?
+
+ args
+ end
+ end
+
+ action :manage, description: "Sets the SELinux user to the desired settings regardless of previous state." do
+ run_action(:add)
+ run_action(:modify)
+ end
+
+ # Create if doesn't exist, do not touch if user already exists
+ action :add, description: "Creates the SELinux user if not previously created." do
+ raise "The roles property must be populated to create a new SELinux user" if new_resource.roles.to_a.empty?
+
+ if selinux_disabled?
+ Chef::Log.warn("Unable to add SELinux user #{new_resource.user} as SELinux is disabled")
+ return
+ end
+
+ unless current_resource
+ converge_if_changed do
+ shell_out!("semanage user -a#{semanage_user_args} #{new_resource.user}")
+ end
+ end
+ end
+
+ # Only modify port if it exists & doesn't have the correct context already
+ action :modify, description: "Updates the SELinux user if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to modify SELinux user #{new_resource.user} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_if_changed do
+ shell_out!("semanage user -m#{semanage_user_args} #{new_resource.user}")
+ end
+ end
+ end
+
+ # Delete if exists
+ action :delete, description: "Removes the SELinux user if previously created." do
+ if selinux_disabled?
+ Chef::Log.warn("Unable to delete SELinux user #{new_resource.user} as SELinux is disabled")
+ return
+ end
+
+ if current_resource
+ converge_by "deleting SELinux user #{new_resource.user}" do
+ shell_out!("semanage user -d #{new_resource.user}")
+ end
+ end
+ end
+ end
+ end
+end
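Review bot: The comment above `action :modify` reads `# Only modify port if it exists & doesn't have the correct context already`, which looks copied from a port resource; here it should say something like `# Only modify the SELinux user if it exists and its level, range or roles differ`. The same stale comment sits above `action :modify` in `lib/chef/resource/selinux_login.rb`. In `action :add` the `raise` on empty roles runs before the `selinux_disabled?` guard, so a host with SELinux disabled fails the run instead of logging the warning the other actions give; putting the guard first would make the actions consistent, if that is the intent.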
diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb
index 0d310f8bea..ca8e5f28c3 100644
--- a/lib/chef/resources.rb
+++ b/lib/chef/resources.rb
@@ -127,10 +127,12 @@ require_relative "resource/script"
require_relative "resource/selinux_boolean"
require_relative "resource/selinux_fcontext"
require_relative "resource/selinux_install"
+require_relative "resource/selinux_login"
require_relative "resource/selinux_module"
require_relative "resource/selinux_permissive"
require_relative "resource/selinux_port"
require_relative "resource/selinux_state"
+require_relative "resource/selinux_user"
require_relative "resource/service"
require_relative "resource/sudo"
require_relative "resource/sysctl"
diff --git a/lib/chef/version.rb b/lib/chef/version.rb
index 4670020f8d..08bc3df8ae 100644
--- a/lib/chef/version.rb
+++ b/lib/chef/version.rb
@@ -23,7 +23,7 @@ require_relative "version_string"
class Chef
CHEF_ROOT = File.expand_path("..", __dir__)
- VERSION = Chef::VersionString.new("18.1.29")
+ VERSION = Chef::VersionString.new("18.1.31")
end
#
diff --git a/spec/functional/resource/macos_userdefaults_spec.rb b/spec/functional/resource/macos_userdefaults_spec.rb
index 0ed7839ad0..2d3f538cf2 100644
--- a/spec/functional/resource/macos_userdefaults_spec.rb
+++ b/spec/functional/resource/macos_userdefaults_spec.rb
@@ -38,12 +38,12 @@ describe Chef::Resource::MacosUserDefaults, :macos_only do
expect(resource.domain).to eq("NSGlobalDomain")
end
- it "nil for the host property" do
- expect(resource.host).to be_nil
+ it ":all for the host property" do
+ expect(resource.host).to eq(:all)
end
- it "nil for the user property" do
- expect(resource.user).to be_nil
+ it ":current for the user property" do
+ expect(resource.user).to eq(:current)
end
it ":write for resource action" do
diff --git a/spec/unit/resource/macos_user_defaults_spec.rb b/spec/unit/resource/macos_user_defaults_spec.rb
index 8363b822ec..5252684df5 100644
--- a/spec/unit/resource/macos_user_defaults_spec.rb
+++ b/spec/unit/resource/macos_user_defaults_spec.rb
@@ -39,12 +39,12 @@ describe Chef::Resource::MacosUserDefaults, :macos_only do
expect(resource.domain).to eq("NSGlobalDomain")
end
- it "nil for the host property" do
- expect(resource.host).to be_nil
+ it ":all for the host property" do
+ expect(resource.host).to eq(:all)
end
- it "nil for the user property" do
- expect(resource.user).to be_nil
+ it ":current for the user property" do
+ expect(resource.user).to eq(:current)
end
it ":write for resource action" do
diff --git a/spec/unit/resource/selinux_login_spec.rb b/spec/unit/resource/selinux_login_spec.rb
new file mode 100644
index 0000000000..42aeb52391
--- /dev/null
+++ b/spec/unit/resource/selinux_login_spec.rb
@@ -0,0 +1,73 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxLogin do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxLogin.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:manage) }
+
+ it "sets login property as name_property" do
+ expect(resource.login).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :manage" do
+ expect(resource.action).to eql([:manage])
+ end
+
+ it "supports :manage, :add, :modify, :delete actions" do
+ expect { resource.action :manage }.not_to raise_error
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :modify }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+
+ describe "#semanage_login_args" do
+ let(:provider) { resource.provider_for_action(:modify) }
+
+ context "when no parameters are provided" do
+ it "returns an empty string" do
+ expect(provider.semanage_login_args).to eq("")
+ end
+ end
+
+ context "when all parameters are provided" do
+ it "returns all params" do
+ resource.user "user_u"
+ resource.range "s0"
+ expect(provider.semanage_login_args).to eq(" -s user_u -r s0")
+ end
+ end
+
+ context "when no user is provided" do
+ it "returns range param" do
+ resource.range "s0"
+ expect(provider.semanage_login_args).to eq(" -r s0")
+ end
+ end
+
+ context "when no range is provided" do
+ it "returns user param" do
+ resource.user "user_u"
+ expect(provider.semanage_login_args).to eq(" -s user_u")
+ end
+ end
+ end
+end
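Review bot: The examples only exercise `semanage_login_args` with well-formed values; nothing covers the parsing of `semanage login -l` output in `load_current_value`, the `raise` in `:add` when `user` is empty, or the `selinux_disabled?` early return. Since the resource runs `semanage` as part of a privileged converge, one example per action with `shell_out!` stubbed and the exact command asserted would catch a regression in how the command is assembled. A case whose value contains a space would also record what the resource is expected to do with such input.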
diff --git a/spec/unit/resource/selinux_user_spec.rb b/spec/unit/resource/selinux_user_spec.rb
new file mode 100644
index 0000000000..227b79d8b9
--- /dev/null
+++ b/spec/unit/resource/selinux_user_spec.rb
@@ -0,0 +1,92 @@
+#
+# Copyright:: Copyright (c) Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+
+describe Chef::Resource::SelinuxUser do
+ let(:node) { Chef::Node.new }
+ let(:events) { Chef::EventDispatch::Dispatcher.new }
+ let(:run_context) { Chef::RunContext.new(node, {}, events) }
+ let(:resource) { Chef::Resource::SelinuxUser.new("fakey_fakerton", run_context) }
+ let(:provider) { resource.provider_for_action(:manage) }
+ let(:semanage_list) { double("shellout", stdout: "") }
+
+ it "sets user property as name_property" do
+ expect(resource.user).to eql("fakey_fakerton")
+ end
+
+ it "sets the default action as :manage" do
+ expect(resource.action).to eql([:manage])
+ end
+
+ it "supports :manage, :add, :modify, :delete actions" do
+ expect { resource.action :manage }.not_to raise_error
+ expect { resource.action :add }.not_to raise_error
+ expect { resource.action :modify }.not_to raise_error
+ expect { resource.action :delete }.not_to raise_error
+ end
+
+ it "sorts roles property values" do
+ expect { resource.roles %w{c a b} }.not_to raise_error
+ expect(resource.roles).to eq(%w{a b c})
+ end
+
+ describe "#semanage_user_args" do
+ let(:provider) { resource.provider_for_action(:modify) }
+
+ context "when no parameters are provided" do
+ it "returns an empty string" do
+ expect(provider.semanage_user_args).to eq("")
+ end
+ end
+
+ context "when all parameters are provided" do
+ it "returns all params" do
+ resource.level "s0"
+ resource.range "s0"
+ resource.roles %w{sysadm_r staff_r}
+ expect(provider.semanage_user_args).to eq(" -L s0 -r s0 -R 'staff_r sysadm_r'")
+ end
+ end
+
+ context "when no roles are provided" do
+ it "returns level and range params" do
+ resource.level "s0"
+ resource.range "s0"
+ resource.roles []
+
+ expect(provider.semanage_user_args).to eq(" -L s0 -r s0")
+ end
+ end
+
+ context "when no range is provided" do
+ it "returns level and roles params" do
+ resource.level "s0"
+ resource.roles %w{sysadm_r staff_r}
+ expect(provider.semanage_user_args).to eq(" -L s0 -R 'staff_r sysadm_r'")
+ end
+ end
+
+ context "when no level is provided" do
+ it "returns range and roles params" do
+ resource.range "s0"
+ resource.roles %w{sysadm_r staff_r}
+ expect(provider.semanage_user_args).to eq(" -r s0 -R 'staff_r sysadm_r'")
+ end
+ end
+ end
+end
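Review bot: `let(:semanage_list) { double("shellout", stdout: "") }` is defined near the top but no example in this file uses it. Either drop it or use it to stub the `semanage user -l` call so that `load_current_value` and the `:add`, `:modify` and `:delete` actions each get an example. The first `let(:provider)` is likewise unused, because the only describe block that calls `provider` redefines it.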