Don't allow creation of data bags named node, role, client or environment via 'knife upload'.

(Fixes the ChefFS code path for data bag creation, for https://github.com/chef/chef/issues/3058). Signed-off-by: Sandra Tiffin <sandi.tiffin@gmail.com>
author: Sandra Tiffin <sandi.tiffin@gmail.com> 2017-10-04 03:29:35 -0700
committer: Sandra Tiffin <sandi.tiffin@gmail.com> 2017-10-04 03:32:46 -0700
commit: 09aea0b2775a2fb640d5b9e726e1ce5868c1ffb5 (patch)
tree: 8262058e94069921a12a57e66a18298a3b49d7bc
parent: 4cc81ce45ea0e7b851c622d8a18b33e1177b85cb (diff)
download: chef-09aea0b2775a2fb640d5b9e726e1ce5868c1ffb5.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/lib/chef/chef_fs/data_handler/data_bag_item_data_handler.rb b/lib/chef/chef_fs/data_handler/data_bag_item_data_handler.rb
index e799e72e36..4b272daabc 100644
--- a/lib/chef/chef_fs/data_handler/data_bag_item_data_handler.rb
+++ b/lib/chef/chef_fs/data_handler/data_bag_item_data_handler.rb
@@ -5,6 +5,8 @@ class Chef
   module ChefFS
     module DataHandler
       class DataBagItemDataHandler < DataHandlerBase
+        RESERVED_NAMES = /node|role|environment|client/
+
         def normalize(data_bag_item, entry)
           # If it's wrapped with raw_data, unwrap it.
           if data_bag_item["json_class"] == "Chef::DataBagItem" && data_bag_item["raw_data"]
@@ -43,6 +45,7 @@ class Chef
         end
 
         # Verify that the JSON hash for this type has a key that matches its name.
+        # Also check that the data bag name is not a reserved search index name.
         #
         # @param object [Object] JSON hash of the object
         # @param entry [Chef::ChefFS::FileSystem::BaseFSObject] filesystem object we are verifying
@@ -52,6 +55,8 @@ class Chef
           base_name = remove_dot_json(entry.name)
           if object["raw_data"]["id"] != base_name
             yield("ID in #{entry.path_for_printing} must be '#{base_name}' (is '#{object['raw_data']['id']}')")
+          elsif entry.parent.name =~ RESERVED_NAMES
+            yield("Data bag name ('#{entry.parent.name}') must not match #{RESERVED_NAMES.inspect}")
           end
         end
 
diff --git a/spec/unit/chef_fs/data_handler/data_bag_item_data_handler.rb b/spec/unit/chef_fs/data_handler/data_bag_item_data_handler.rb
new file mode 100644
index 0000000000..c90532c078
--- /dev/null
+++ b/spec/unit/chef_fs/data_handler/data_bag_item_data_handler.rb
@@ -0,0 +1,79 @@
+#
+# Author:: Sandra Tiffin (<sandi.tiffin@gmail.com>)
+# Copyright:: Copyright 2014-2016, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "spec_helper"
+require "lib/chef/chef_fs/data_handler/data_bag_item_data_handler.rb"
+
+class TestDataBag < Mash
+  attr_accessor :name
+
+  def initialize(bag_name)
+    @name = bag_name
+  end
+end
+
+class TestDataBagItem < Mash
+  attr_accessor :name, :parent
+
+  def path_for_printing
+    "/some/path"
+  end
+
+  def initialize(bag_name, item_name)
+    @name = "#{item_name}.json"
+    @parent = TestDataBag.new(bag_name)
+  end
+end
+
+describe Chef::ChefFS::DataHandler::DataBagItemDataHandler do
+  let(:handler) { described_class.new }
+
+  describe "#verify_integrity" do
+    context "json id does not match data bag item name" do
+      let(:entry) { TestDataBagItem.new("luggage", "bag") }
+      let(:object) do
+        { "raw_data" => { "id" => "duffel" } }
+      end
+      it "rejects the data bag item name" do
+        expect { |b| handler.verify_integrity(object, entry, &b) }.to yield_with_args
+      end
+    end
+
+    context "using a reserved word for the data bag name" do
+      %w(node role environment client).each do |reserved_word|
+        let(:entry) { TestDataBagItem.new(reserved_word, "bag") }
+        let(:object) do
+          { "raw_data" => { "id" => "bag" } }
+        end
+        it "rejects the data bag name '#{reserved_word}'" do
+          expect { |b| handler.verify_integrity(object, entry, &b) }.to yield_with_args
+        end
+      end
+    end
+
+    context "valid data" do
+      let(:entry) { TestDataBagItem.new("luggage", "bag") }
+      let(:object) do
+        { "raw_data" => { "id" => "bag" } }
+      end
+      it "validates the data bag item" do
+        expect(handler.verify_integrity(object, entry)).to be_nil
+      end
+    end
+  end
+end
author	Sandra Tiffin <sandi.tiffin@gmail.com>	2017-10-04 03:29:35 -0700
committer	Sandra Tiffin <sandi.tiffin@gmail.com>	2017-10-04 03:32:46 -0700
commit	09aea0b2775a2fb640d5b9e726e1ce5868c1ffb5 (patch)
tree	8262058e94069921a12a57e66a18298a3b49d7bc
parent	4cc81ce45ea0e7b851c622d8a18b33e1177b85cb (diff)
download	chef-09aea0b2775a2fb640d5b9e726e1ce5868c1ffb5.tar.gz