diff options
author | Lamont Granquist <lamont@scriptkiddie.org> | 2018-02-21 14:06:24 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-02-21 14:06:24 -0800 |
commit | e91fe995f8e93788f98ff32e1df4c0789b1a5a2a (patch) | |
tree | 2c62faa3ea7e64abc48574fa1f9b08753694d22a | |
parent | 8d081dc08f86b384f43e4f7dd72646b4c0c7a743 (diff) | |
parent | c20d2265f3e88a39f5ed88520fc4c06b6fa85fa5 (diff) | |
download | chef-e91fe995f8e93788f98ff32e1df4c0789b1a5a2a.tar.gz |
Merge pull request #6888 from chef/lcg/testing-crazy-fucking-ideas
The end of our long travis unit testing nightmare
-rw-r--r-- | .travis.yml | 12 | ||||
-rw-r--r-- | spec/spec_helper.rb | 20 | ||||
-rw-r--r-- | spec/unit/daemon_spec.rb | 33 |
3 files changed, 46 insertions, 19 deletions
diff --git a/.travis.yml b/.travis.yml index 7f3a518d53..db5edab1ad 100644 --- a/.travis.yml +++ b/.travis.yml @@ -61,18 +61,18 @@ matrix: - env: UNIT_SPECS_24: 1 rvm: 2.4.3 - sudo: false + sudo: true script: - - bundle exec rake spec:unit; - - bundle exec rake component_specs + - sudo -E $(which bundle) exec rake spec:unit; + - sudo -E $(which bundle) exec rake component_specs bundler_args: --without ci docgen guard integration maintenance omnibus_package --frozen - env: UNIT_SPECS_25: 1 rvm: 2.5.0 - sudo: false + sudo: true script: - - bundle exec rake spec:unit; - - bundle exec rake component_specs + - sudo -E $(which bundle) exec rake spec:unit; + - sudo -E $(which bundle) exec rake component_specs bundler_args: --without ci docgen guard integration maintenance omnibus_package --frozen - env: CHEFSTYLE: 1 diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 10e9818834..dbefbf29e4 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,6 +1,6 @@ # # Author:: Adam Jacob (<adam@chef.io>) -# Copyright:: Copyright 2008-2017, Chef Software Inc. +# Copyright:: Copyright 2008-2018, Chef Software Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -254,6 +254,24 @@ RSpec.configure do |config| Chef.resource_priority_map.instance_variable_set(:@map, resource_priority_map.dup) end + # This bit of jankiness guards against specs which accidentally drop privs when running as + # root -- which are nearly impossible to debug and so we bail out very hard if this + # condition ever happens. If a spec stubs Process.[e]uid this can throw a false positive + # which the spec must work around by unmocking Process.[e]uid to and_call_original in its + # after block. + if Process.euid == 0 && Process.uid == 0 + config.after(:each) do + if Process.uid != 0 + RSpec.configure { |c| c.fail_fast = true } + raise "rspec was invoked as root, but the last test dropped real uid to #{Process.uid}" + end + if Process.euid != 0 + RSpec.configure { |c| c.fail_fast = true } + raise "rspec was invoked as root, but the last test dropped effective uid to #{Process.euid}" + end + end + end + # raise if anyone commits any test to CI with :focus set on it if ENV["CI"] config.before(:example, :focus) do diff --git a/spec/unit/daemon_spec.rb b/spec/unit/daemon_spec.rb index ae3d626113..02736a1daf 100644 --- a/spec/unit/daemon_spec.rb +++ b/spec/unit/daemon_spec.rb @@ -1,6 +1,6 @@ # # Author:: AJ Christensen (<aj@junglist.gen.nz>) -# Copyright:: Copyright 2008-2016, Chef Software Inc. +# Copyright:: Copyright 2008-2018, Chef Software Inc. # License:: Apache License, Version 2.0 # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -19,6 +19,9 @@ require "spec_helper" require "ostruct" describe Chef::Daemon do + let(:testuser) { "thisisausernamewhichshouldnotexist" } + let(:testgroup) { "thisisagroupnamewhichshouldnotexist" } + before do if windows? mock_struct = #Struct::Passwd.new(nil, nil, 111, 111) @@ -73,8 +76,9 @@ describe Chef::Daemon do describe ".change_privilege" do before do + allow(Chef::Daemon).to receive(:_change_privilege) allow(Chef::Application).to receive(:fatal!).and_return(true) - Chef::Config[:user] = "aj" + Chef::Config[:user] = testuser allow(Dir).to receive(:chdir) end @@ -86,28 +90,28 @@ describe Chef::Daemon do describe "when the user and group options are supplied" do before do - Chef::Config[:group] = "staff" + Chef::Config[:group] = testgroup end it "should log an appropriate info message" do - expect(Chef::Log).to receive(:info).with("About to change privilege to aj:staff") + expect(Chef::Log).to receive(:info).with("About to change privilege to #{testuser}:#{testgroup}") Chef::Daemon.change_privilege end it "should call _change_privilege with the user and group" do - expect(Chef::Daemon).to receive(:_change_privilege).with("aj", "staff") + expect(Chef::Daemon).to receive(:_change_privilege).with(testuser, testgroup) Chef::Daemon.change_privilege end end describe "when just the user option is supplied" do it "should log an appropriate info message" do - expect(Chef::Log).to receive(:info).with("About to change privilege to aj") + expect(Chef::Log).to receive(:info).with("About to change privilege to #{testuser}") Chef::Daemon.change_privilege end it "should call _change_privilege with just the user" do - expect(Chef::Daemon).to receive(:_change_privilege).with("aj") + expect(Chef::Daemon).to receive(:_change_privilege).with(testuser) Chef::Daemon.change_privilege end end @@ -138,18 +142,18 @@ describe Chef::Daemon do end it "should initialize the supplemental group list" do - expect(Process).to receive(:initgroups).with("aj", 20) - Chef::Daemon._change_privilege("aj") + expect(Process).to receive(:initgroups).with(testuser, 20) + Chef::Daemon._change_privilege(testuser) end it "should attempt to change the process GID" do expect(Process::GID).to receive(:change_privilege).with(20).and_return(20) - Chef::Daemon._change_privilege("aj") + Chef::Daemon._change_privilege(testuser) end it "should attempt to change the process UID" do expect(Process::UID).to receive(:change_privilege).with(501).and_return(501) - Chef::Daemon._change_privilege("aj") + Chef::Daemon._change_privilege(testuser) end end @@ -159,6 +163,11 @@ describe Chef::Daemon do allow(Process).to receive(:egid).and_return(999) end + after do + allow(Process).to receive(:euid).and_call_original + allow(Process).to receive(:egid).and_call_original + end + it "should log an appropriate error message and fail miserably" do allow(Process).to receive(:initgroups).and_raise(Errno::EPERM) error = "Operation not permitted" @@ -166,7 +175,7 @@ describe Chef::Daemon do error = "Not owner" end expect(Chef::Application).to receive(:fatal!).with("Permission denied when trying to change 999:999 to 501:20. #{error}") - Chef::Daemon._change_privilege("aj") + Chef::Daemon._change_privilege(testuser) end end |