Diffstat (limited to 'spec/support/shared/functional/windows_script.rb')
-rw-r--r-- | spec/support/shared/functional/windows_script.rb | 78 |
1 files changed, 74 insertions, 4 deletions
diff --git a/spec/support/shared/functional/windows_script.rb b/spec/support/shared/functional/windows_script.rb
index 908198add4..8a9a19d4ad 100644
--- a/spec/support/shared/functional/windows_script.rb
+++ b/spec/support/shared/functional/windows_script.rb
@@ -46,10 +46,6 @@ shared_context Chef::Resource::WindowsScript do
 File.delete(script_output_path) if File.exists?(script_output_path)
 end
 
- let!(:resource) do
- Chef::Resource::WindowsScript::Batch.new("Batch resource functional test", @run_context)
- end
-
 shared_examples_for "a script resource with architecture attribute" do
 context "with the given architecture attribute value" do
 let(:expected_architecture) do
@@ -125,6 +121,55 @@ shared_context Chef::Resource::WindowsScript do
 end
 
 shared_examples_for "a Windows script running on Windows" do
+ shared_examples_for "a script that cannot be accessed by other users if they are not administrators" do
+ include Chef::Mixin::ShellOut
+
+ let(:script_provider) { resource.provider_for_action(:run) }
+ let(:script_file) { script_provider.script_file }
+ let(:script_file_path) { script_file.to_path }
+
+ let(:read_access_denied_command) { "::File.read('#{script_file_path}')" }
+ let(:modify_access_denied_command) { "::File.write('#{script_file_path}', 'stuff')" }
+ let(:delete_access_denied_command) { "::File.delete('#{script_file_path}')" }
+ let(:access_denied_sentinel) { 7334 }
+ let(:access_allowed_sentinel) { 1586 }
+ let(:access_command_invalid) { 0 }
+
+ let(:ruby_interpreter_path) { RbConfig.ruby }
+ let(:ruby_command_template) { "require 'FileUtils';status = 0;begin; #{ruby_access_command};rescue Exception => e; puts e; status = e.class == Errno::EACCES ? #{access_denied_sentinel} : #{access_allowed_sentinel};end;exit status" }
+ let(:command_template) { "set BUNDLE_GEMFILE=&#{ruby_interpreter_path} -e \"#{ruby_command_template}\"" }
+ let(:access_command) { command_template }
+
+ before do
+ expect(script_provider).to receive(:unlink_script_file)
+ resource.code("echo hi")
+ script_provider.action_run
+ end
+
+ after do
+ script_file.close! if script_file
+ ::File.delete(script_file.to_path) if script_file && ::File.exists?(script_file.to_path)
+ end
+
+ include_context "alternate user identity"
+
+ shared_examples_for "a script whose file system location cannot be accessed by other non-admin users" do
+ let(:ruby_access_command) { file_access_command }
+ it "generates a script in the local file system that prevents read access to other non-admin users" do
+ shell_out!(access_command, { user: windows_nonadmin_user, password: windows_nonadmin_user_password, returns: [access_denied_sentinel] })
+ end
+ end
+
+ context "when a different non-admin user attempts write (modify) to access the script" do
+ let(:file_access_command) { modify_access_denied_command }
+ it_behaves_like "a script whose file system location cannot be accessed by other non-admin users"
+ end
+
+ context "when a different non-admin user attempts write (delete) to access the script" do
+ let(:file_access_command) { delete_access_denied_command }
+ it_behaves_like "a script whose file system location cannot be accessed by other non-admin users"
+ end
+ end
 
 describe "when the run action is invoked on Windows" do
 it "executes the script code" do
@@ -132,6 +177,21 @@ shared_context Chef::Resource::WindowsScript do
 resource.returns(0)
 resource.run_action(:run)
 end
+
+ context "the script is executed with the identity of the current user" do
+ it_behaves_like "a script that cannot be accessed by other users if they are not administrators"
+ end
+
+ context "the script is executed with an alternate non-admin identity" do
+ include_context "alternate user identity"
+
+ before do
+ resource.user(windows_alternate_user)
+ resource.password(windows_alternate_user_password)
+ end
+
+ it_behaves_like "a script that cannot be accessed by other users if they are not administrators"
+ end
 end
 
 context "when $env:TMP has a space" do
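Review bot: The read-access probe is defined but never run — `read_access_denied_command` (and `access_command_invalid`) have no consuming context, so the example titled "generates a script ... that prevents read access to other non-admin users" is only ever driven by the modify and delete probes, and a script file readable by other local users (the case most likely to expose whatever is embedded in `code`) would pass unnoticed. A third context mirroring the modify/delete ones closes that gap. Separately, the probe's `rescue Exception` maps every non-EACCES failure (for instance Errno::ENOENT if the interpolated path is wrong) to `access_allowed_sentinel`, while genuinely allowed access exits 0, so a mis-built probe reports as "access allowed"; a distinct name such as `unexpected_error_sentinel` for that branch would keep the failure message honest. The enclosing shared_examples_for "a Windows script running on Windows" block ends outside the hunk.
```ruby
      # … unchanged: modify and delete contexts …
      context "when a different non-admin user attempts to read the script" do
        let(:file_access_command) { read_access_denied_command }
        it_behaves_like "a script whose file system location cannot be accessed by other non-admin users"
      end
```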
@@ -165,6 +225,11 @@ shared_context Chef::Resource::WindowsScript do
 expect(resource.class).to receive(:new).and_call_original
 expect(resource.should_skip?(:run)).to be_falsey
 end
+
+ context "when this resource is used as a guard and it is specified with an alternate user identity" do
+ let(:guard_interpreter_resource) { resource.resource_name }
+ it_behaves_like "a resource with a guard specifying an alternate user identity"
+ end
 end
 
 context "when the architecture attribute is not set" do
@@ -181,6 +246,11 @@ shared_context Chef::Resource::WindowsScript do
 let(:resource_architecture) { :x86_64 }
 it_behaves_like "a script resource with architecture attribute"
 end
+
+ describe "when running with an alternate user identity" do
+ let(:resource_command_property) { :code }
+ it_behaves_like "an execute resource that supports alternate user identity"
+ end
 end
 
 def get_windows_script_output(suffix = "") |