authorTim Smith <tsmith@chef.io>2018-02-28 12:45:23 -0800
committerTim Smith <tsmith@chef.io>2018-02-28 12:45:23 -0800
commit5882fbc87692a4b7a638c43d5b033b2761a3bd79 (patch)
treee6c3edb1835ac62e70e6ace4eec9168a2c097b67
parent739d78afffe2de792ca98323ac51ceede10e8d0d (diff)
Port the travis fix from #6888one_more
This fixes spec failures on this branch in Travis

Signed-off-by: Tim Smith <tsmith@chef.io>
-rw-r--r--spec/spec_helper.rb20
-rw-r--r--spec/unit/daemon_spec.rb33
2 files changed, 40 insertions, 13 deletions
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 283b8429e5..2b1d75bb49 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,6 +1,6 @@
#
# Author:: Adam Jacob (<adam@chef.io>)
-# Copyright:: Copyright 2008-2016, Chef Software, Inc.
+# Copyright:: Copyright 2008-2018, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -223,6 +223,24 @@ RSpec.configure do |config|
ENV["CHEF_TREAT_DEPRECATION_WARNINGS_AS_ERRORS"] = "1"
end
+ # This bit of jankiness guards against specs which accidentally drop privs when running as
+ # root -- which are nearly impossible to debug and so we bail out very hard if this
+ # condition ever happens. If a spec stubs Process.[e]uid this can throw a false positive
+ # which the spec must work around by unmocking Process.[e]uid to and_call_original in its
+ # after block.
+ if Process.euid == 0 && Process.uid == 0
+ config.after(:each) do
+ if Process.uid != 0
+ RSpec.configure { |c| c.fail_fast = true }
+ raise "rspec was invoked as root, but the last test dropped real uid to #{Process.uid}"
+ end
+ if Process.euid != 0
+ RSpec.configure { |c| c.fail_fast = true }
+ raise "rspec was invoked as root, but the last test dropped effective uid to #{Process.euid}"
+ end
+ end
+ end
+
# raise if anyone commits any test to CI with :focus set on it
if ENV["CI"]
config.before(:example, :focus) do
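Review bot: The new `config.after(:each)` guard compares only `Process.uid` and `Process.euid` against 0, so a spec that changes the real or effective gid while the uid stays at root goes undetected. The daemon specs touched in this same commit exercise `Process::GID.change_privilege` as well as `Process::UID.change_privilege`, so the group side looks equally worth guarding. Consider recording `start_gid, start_egid = Process.gid, Process.egid` next to the `Process.euid == 0` test and adding `raise "rspec was invoked as root, but the last test changed gid to #{Process.gid}" if Process.gid != start_gid` (and the same for egid) inside the hook. The enclosing `RSpec.configure` block starts and ends outside this hunk.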
diff --git a/spec/unit/daemon_spec.rb b/spec/unit/daemon_spec.rb
index ae3d626113..02736a1daf 100644
--- a/spec/unit/daemon_spec.rb
+++ b/spec/unit/daemon_spec.rb
@@ -1,6 +1,6 @@
#
# Author:: AJ Christensen (<aj@junglist.gen.nz>)
-# Copyright:: Copyright 2008-2016, Chef Software Inc.
+# Copyright:: Copyright 2008-2018, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -19,6 +19,9 @@ require "spec_helper"
require "ostruct"
describe Chef::Daemon do
+ let(:testuser) { "thisisausernamewhichshouldnotexist" }
+ let(:testgroup) { "thisisagroupnamewhichshouldnotexist" }
+
before do
if windows?
mock_struct = #Struct::Passwd.new(nil, nil, 111, 111)
@@ -73,8 +76,9 @@ describe Chef::Daemon do
describe ".change_privilege" do
before do
+ allow(Chef::Daemon).to receive(:_change_privilege)
allow(Chef::Application).to receive(:fatal!).and_return(true)
- Chef::Config[:user] = "aj"
+ Chef::Config[:user] = testuser
allow(Dir).to receive(:chdir)
end
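Review bot: The added `allow(Chef::Daemon).to receive(:_change_privilege)` in this `before` block carries no comment explaining why it is stubbed, so it reads as incidental next to the `fatal!` and `Dir.chdir` stubs. Presumably it is there so that the examples which only check the log message never reach the real privilege change when the suite runs as root. If so, a line such as `# stub the real privilege drop; these examples must never change uid/gid of the rspec process` above it would stop a later cleanup from removing it. The enclosing `describe ".change_privilege"` continues outside this hunk.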
@@ -86,28 +90,28 @@ describe Chef::Daemon do
describe "when the user and group options are supplied" do
before do
- Chef::Config[:group] = "staff"
+ Chef::Config[:group] = testgroup
end
it "should log an appropriate info message" do
- expect(Chef::Log).to receive(:info).with("About to change privilege to aj:staff")
+ expect(Chef::Log).to receive(:info).with("About to change privilege to #{testuser}:#{testgroup}")
Chef::Daemon.change_privilege
end
it "should call _change_privilege with the user and group" do
- expect(Chef::Daemon).to receive(:_change_privilege).with("aj", "staff")
+ expect(Chef::Daemon).to receive(:_change_privilege).with(testuser, testgroup)
Chef::Daemon.change_privilege
end
end
describe "when just the user option is supplied" do
it "should log an appropriate info message" do
- expect(Chef::Log).to receive(:info).with("About to change privilege to aj")
+ expect(Chef::Log).to receive(:info).with("About to change privilege to #{testuser}")
Chef::Daemon.change_privilege
end
it "should call _change_privilege with just the user" do
- expect(Chef::Daemon).to receive(:_change_privilege).with("aj")
+ expect(Chef::Daemon).to receive(:_change_privilege).with(testuser)
Chef::Daemon.change_privilege
end
end
@@ -138,18 +142,18 @@ describe Chef::Daemon do
end
it "should initialize the supplemental group list" do
- expect(Process).to receive(:initgroups).with("aj", 20)
- Chef::Daemon._change_privilege("aj")
+ expect(Process).to receive(:initgroups).with(testuser, 20)
+ Chef::Daemon._change_privilege(testuser)
end
it "should attempt to change the process GID" do
expect(Process::GID).to receive(:change_privilege).with(20).and_return(20)
- Chef::Daemon._change_privilege("aj")
+ Chef::Daemon._change_privilege(testuser)
end
it "should attempt to change the process UID" do
expect(Process::UID).to receive(:change_privilege).with(501).and_return(501)
- Chef::Daemon._change_privilege("aj")
+ Chef::Daemon._change_privilege(testuser)
end
end
@@ -159,6 +163,11 @@ describe Chef::Daemon do
allow(Process).to receive(:egid).and_return(999)
end
+ after do
+ allow(Process).to receive(:euid).and_call_original
+ allow(Process).to receive(:egid).and_call_original
+ end
+
it "should log an appropriate error message and fail miserably" do
allow(Process).to receive(:initgroups).and_raise(Errno::EPERM)
error = "Operation not permitted"
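Review bot: The new `after` block that re-stubs `Process.euid` and `Process.egid` with `and_call_original` looks redundant at first sight, because rspec-mocks resets stubs on its own, and nothing here says why it is needed. Going by the comment added in spec/spec_helper.rb, it exists so that the global root-privilege guard sees the real euid instead of the stubbed 999. I would say so in place, e.g. `# unstub before the after(:each) root guard in spec_helper runs, or the fake euid of 999 trips it`. Only `egid` is visible in the `before` block's stubs within this hunk, since the block starts above it.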
@@ -166,7 +175,7 @@ describe Chef::Daemon do
error = "Not owner"
end
expect(Chef::Application).to receive(:fatal!).with("Permission denied when trying to change 999:999 to 501:20. #{error}")
- Chef::Daemon._change_privilege("aj")
+ Chef::Daemon._change_privilege(testuser)
end
end