author | Bryan McLellan <btm@loftninjas.org> | 2019-04-26 00:45:58 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-04-26 00:45:58 -0400 |
commit | b58793f304a342babf4050bf97180262d9ceda0e (patch) | |
tree | f7e76647d7adeae64b4318dd87a1393c719cab57 /spec | |
parent | 66c0fdeb65c19d267bd501550e60cd16d7bb4901 (diff) | |
parent | 3e2c9bcfb0423dce05a1e29f11ddef3f4f562713 (diff) | |
Merge pull request #8168 from MsysTechnologiesllc/Vijay/MSYS-958_write_permissions_does_not_work_properly_on_windows
Fix for write permissions not working properly on Windows
Diffstat (limited to 'spec')
-rw-r--r-- | spec/functional/resource/link_spec.rb | 4 | ||||
-rw-r--r-- | spec/support/shared/functional/directory_resource.rb | 22 | ||||
-rw-r--r-- | spec/support/shared/functional/file_resource.rb | 4 | ||||
-rw-r--r-- | spec/support/shared/functional/securable_resource.rb | 173 |
4 files changed, 118 insertions, 85 deletions
diff --git a/spec/functional/resource/link_spec.rb b/spec/functional/resource/link_spec.rb index 4464b6ed69..d86a904098 100644 --- a/spec/functional/resource/link_spec.rb +++ b/spec/functional/resource/link_spec.rb @@ -417,11 +417,11 @@ describe Chef::Resource::Link do it_behaves_like "a securable resource without existing target" do let(:path) { target_file } - def allowed_acl(sid, expected_perms) + def allowed_acl(sid, expected_perms, _flags = 0) [ ACE.access_allowed(sid, expected_perms[:specific]) ] end - def denied_acl(sid, expected_perms) + def denied_acl(sid, expected_perms, _flags = 0) [ ACE.access_denied(sid, expected_perms[:specific]) ] end diff --git a/spec/support/shared/functional/directory_resource.rb b/spec/support/shared/functional/directory_resource.rb index 5e5e2bb360..4fb08479e6 100644 --- a/spec/support/shared/functional/directory_resource.rb +++ b/spec/support/shared/functional/directory_resource.rb 
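Review bot: The new `_flags = 0` parameter on `allowed_acl` and `denied_acl` in link_spec.rb is accepted and then dropped with no comment saying why, and the same applies to the identical change in spec/support/shared/functional/file_resource.rb. The shared examples now pass `write_flag` for the `:write` cases, so for links and files the expected ACE is built without flags whatever the caller supplies. If that is intentional, a one-line comment above each helper would make it explicit: `# _flags is ignored: link/file ACEs are expected without inheritance flags; the parameter only mirrors the directory helper's signature`. The enclosing `it_behaves_like` block continues outside the hunk.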
@@ -65,18 +65,20 @@ shared_examples_for "a directory resource" do end # Set up the context for security tests - def allowed_acl(sid, expected_perms) - [ - ACE.access_allowed(sid, expected_perms[:specific]), - ACE.access_allowed(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::INHERIT_ONLY_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE)), - ] + def allowed_acl(sid, expected_perms, flags = 0) + acl = [ ACE.access_allowed(sid, expected_perms[:specific], flags) ] + if expected_perms[:generic] + acl << ACE.access_allowed(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::SUBFOLDERS_AND_FILES_ONLY)) + end + acl end - def denied_acl(sid, expected_perms) - [ - ACE.access_denied(sid, expected_perms[:specific]), - ACE.access_denied(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::INHERIT_ONLY_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE)), - ] + def denied_acl(sid, expected_perms, flags = 0) + acl = [ ACE.access_denied(sid, expected_perms[:specific], flags) ] + if expected_perms[:generic] + acl << ACE.access_denied(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::SUBFOLDERS_AND_FILES_ONLY)) + end + acl end def parent_inheritable_acls diff --git a/spec/support/shared/functional/file_resource.rb b/spec/support/shared/functional/file_resource.rb index 8ae5db6a57..db947614b3 100644 --- a/spec/support/shared/functional/file_resource.rb +++ b/spec/support/shared/functional/file_resource.rb 
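Review bot: `allowed_acl` and `denied_acl` in directory_resource.rb apply `flags` only to the specific ACE and silently leave out the generic ACE when `expected_perms[:generic]` is absent, and neither rule is documented. A comment above each method such as `# flags applies to the specific ACE only; the generic ACE, when expected, always uses SUBFOLDERS_AND_FILES_ONLY` would cover it. The definition of `SUBFOLDERS_AND_FILES_ONLY` is not part of this spec-only view, so it is worth confirming that it equals the three-flag OR it replaces (`INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE`); if it does not, the expected inheritance of every generic ACE changed here. The parentheses around the constant are redundant now that it is a single name.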
@@ -899,11 +899,11 @@ shared_examples_for "a configured file resource" do end # Set up the context for security tests - def allowed_acl(sid, expected_perms) + def allowed_acl(sid, expected_perms, _flags = 0) [ ACE.access_allowed(sid, expected_perms[:specific]) ] end - def denied_acl(sid, expected_perms) + def denied_acl(sid, expected_perms, _flags = 0) [ ACE.access_denied(sid, expected_perms[:specific]) ] end diff --git a/spec/support/shared/functional/securable_resource.rb b/spec/support/shared/functional/securable_resource.rb index 2abae030c2..18e7243453 100644 --- a/spec/support/shared/functional/securable_resource.rb +++ b/spec/support/shared/functional/securable_resource.rb @@ -117,8 +117,7 @@ shared_context "use Windows permissions", :windows_only do let(:expected_write_perms) do { - generic: Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE, - specific: Chef::ReservedNames::Win32::API::Security::FILE_GENERIC_WRITE, + specific: Chef::ReservedNames::Win32::API::Security::WRITE, } end @@ -136,6 +135,8 @@ shared_context "use Windows permissions", :windows_only do } end + let (:write_flag) { 3 } + RSpec::Matchers.define :have_expected_properties do |mask, type, flags| match do |ace| ace.mask == mask && 
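Review bot: `expected_write_perms` in the first securable_resource.rb hunk now takes its mask from `Chef::ReservedNames::Win32::API::Security::WRITE`, which is not defined in the part of the commit shown here and looks like a constant owned by the code under test. If so, the `:write` expectations compare the implementation against its own definition and would still pass if that mask granted more or fewer bits than intended. Consider composing the expected value in the spec from the individual Windows access-right constants the mask is meant to contain, so the granted bits are pinned independently. The shared context around this `let` continues outside the hunk.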
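Review bot: `let (:write_flag) { 3 }` in the second securable_resource.rb hunk hard-codes the ACE flags as a bare number, so a reader cannot tell which inheritance bits the `:write` ACE is expected to carry. If 3 is meant as object-inherit plus container-inherit, name it: `let(:write_flag) { Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE }`. The space between `let` and `(` reads as a grouped expression rather than an argument list and is flagged by RuboCop's Lint/ParenthesesAsGroupedExpression, so it should be dropped either way.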
@@ -363,78 +364,108 @@ shared_examples_for "a securable resource without existing target" do expect(descriptor.group).to eq(arbitrary_non_default_group) end - describe "with rights and deny_rights attributes" do - - it "correctly sets :read rights" do - resource.rights(:read, "Guest") - resource.run_action(:create) - expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_read_perms)) + describe "#allowed_acl" do + context "correctly sets" do + + it ":read rights" do + resource.rights(:read, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_read_perms)) + end + + it ":read_execute rights" do + resource.rights(:read_execute, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_read_execute_perms)) + end + + it ":write rights" do + resource.rights(:write, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_write_perms, write_flag)) + end + + it ":modify rights" do + resource.rights(:modify, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_modify_perms)) + end + + it ":full_control rights" do + resource.rights(:full_control, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_full_control_perms)) + end + + it "multiple rights" do + resource.rights(:read, "Everyone") + resource.rights(:modify, "Guest") + resource.run_action(:create) + + expect(explicit_aces).to eq( + allowed_acl(SID.Everyone, expected_read_perms) + + allowed_acl(SID.Guest, expected_modify_perms) + ) + end end + end - it "correctly sets :read_execute rights" do - resource.rights(:read_execute, "Guest") - resource.run_action(:create) - expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_read_execute_perms)) - end - - it "correctly sets :write rights" do - resource.rights(:write, "Guest") - resource.run_action(:create) - 
expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_write_perms)) - end - - it "correctly sets :modify rights" do - resource.rights(:modify, "Guest") - resource.run_action(:create) - expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_modify_perms)) - end - - it "correctly sets :full_control rights" do - resource.rights(:full_control, "Guest") - resource.run_action(:create) - expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_full_control_perms)) - end - - it "correctly sets deny_rights" do - # deny is an ACE with full rights, but is a deny type ace, not an allow type - resource.deny_rights(:full_control, "Guest") - resource.run_action(:create) - expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_full_control_perms)) - end - - it "Sets multiple rights" do - resource.rights(:read, "Everyone") - resource.rights(:modify, "Guest") - resource.run_action(:create) - - expect(explicit_aces).to eq( - allowed_acl(SID.Everyone, expected_read_perms) + - allowed_acl(SID.Guest, expected_modify_perms) - ) - end - - it "Sets deny_rights ahead of rights" do - resource.rights(:read, "Everyone") - resource.deny_rights(:modify, "Guest") - resource.run_action(:create) - - expect(explicit_aces).to eq( - denied_acl(SID.Guest, expected_modify_perms) + - allowed_acl(SID.Everyone, expected_read_perms) - ) - end - - it "Sets deny_rights ahead of rights when specified in reverse order" do - resource.deny_rights(:modify, "Guest") - resource.rights(:read, "Everyone") - resource.run_action(:create) - - expect(explicit_aces).to eq( - denied_acl(SID.Guest, expected_modify_perms) + - allowed_acl(SID.Everyone, expected_read_perms) - ) + describe "#denied_acl" do + context "correctly sets" do + + it ":read rights" do + resource.deny_rights(:read, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_read_perms)) + end + + it ":read_execute rights" do + resource.deny_rights(:read_execute, "Guest") + 
resource.run_action(:create) + expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_read_execute_perms)) + end + + it ":write rights" do + resource.deny_rights(:write, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_write_perms, write_flag)) + end + + it ":modify rights" do + resource.deny_rights(:modify, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_modify_perms)) + end + + it ":full_control rights" do + # deny is an ACE with full rights, but is a deny type ace, not an allow type + resource.deny_rights(:full_control, "Guest") + resource.run_action(:create) + expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_full_control_perms)) + end + + it "deny_rights ahead of rights" do + resource.rights(:read, "Everyone") + resource.deny_rights(:modify, "Guest") + resource.run_action(:create) + + expect(explicit_aces).to eq( + denied_acl(SID.Guest, expected_modify_perms) + + allowed_acl(SID.Everyone, expected_read_perms) + ) + end + + it "deny_rights ahead of rights when specified in reverse order" do + resource.deny_rights(:modify, "Guest") + resource.rights(:read, "Everyone") + resource.run_action(:create) + + expect(explicit_aces).to eq( + denied_acl(SID.Guest, expected_modify_perms) + + allowed_acl(SID.Everyone, expected_read_perms) + ) + end end - end context "with a mode attribute" do |
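Review bot: The two ordering examples under `describe "#denied_acl"` still combine only `:modify` and `:read`, so `:write`, the one right whose expected ACE is built with `write_flag`, is never checked in an ACL that mixes deny and allow entries. Since this change is about write permissions, an example that denies `:write` for one principal and allows `:read` for another would pin both the deny-first ordering and the flags in the same ACL. Separately, the group names `#allowed_acl` and `#denied_acl` refer to spec helpers, while the behaviour exercised is `rights` and `deny_rights`; naming the groups after those would read more accurately. The enclosing shared example group continues outside the hunk.

```ruby
      # … unchanged: existing "deny_rights ahead of rights" examples …

      it "deny_rights for :write ahead of rights" do
        resource.rights(:read, "Everyone")
        resource.deny_rights(:write, "Guest")
        resource.run_action(:create)

        expect(explicit_aces).to eq(
          denied_acl(SID.Guest, expected_write_perms, write_flag) +
          allowed_acl(SID.Everyone, expected_read_perms)
        )
      end
```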