From 7658fba8df362c5674008ab6a2852592b6ec9cd1 Mon Sep 17 00:00:00 2001
From: vijaymmali1990
Date: Tue, 29 Jan 2019 01:58:14 -0800
Subject: - Minor fixes to fix functional test cases - Added functional test cases for deny_rights option - Ensured chef style - Fixes MSYS-958
Signed-off-by: vijaymmali1990
---
 spec/functional/resource/link_spec.rb | 4 +--
 .../shared/functional/directory_resource.rb | 22 ++++++++--------
 spec/support/shared/functional/file_resource.rb | 4 +--
 .../shared/functional/securable_resource.rb | 29 ++++++++++++++++++++--
 4 files changed, 43 insertions(+), 16 deletions(-) (limited to 'spec')
diff --git a/spec/functional/resource/link_spec.rb b/spec/functional/resource/link_spec.rb
index 4464b6ed69..4c8545e60b 100644
--- a/spec/functional/resource/link_spec.rb
+++ b/spec/functional/resource/link_spec.rb
@@ -417,11 +417,11 @@ describe Chef::Resource::Link do
 it_behaves_like "a securable resource without existing target" do
 let(:path) { target_file }
- def allowed_acl(sid, expected_perms)
+ def allowed_acl(sid, expected_perms, flags = 0)
 [ ACE.access_allowed(sid, expected_perms[:specific]) ]
 end
- def denied_acl(sid, expected_perms)
+ def denied_acl(sid, expected_perms, flags = 0)
 [ ACE.access_denied(sid, expected_perms[:specific]) ]
 end
diff --git a/spec/support/shared/functional/directory_resource.rb b/spec/support/shared/functional/directory_resource.rb
index 5e5e2bb360..c910e7c668 100644
--- a/spec/support/shared/functional/directory_resource.rb
+++ b/spec/support/shared/functional/directory_resource.rb
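Review bot: The new `flags = 0` parameter on `allowed_acl` and `denied_acl` in link_spec.rb is accepted but never used: both bodies still build the ACE from `expected_perms[:specific]` alone, so the `write_flag` that the shared examples now pass is silently dropped in this context. The helpers in spec/support/shared/functional/file_resource.rb have the same shape. If file and link ACEs are meant to carry no inheritance flags, record that and mark the argument unused, e.g. `def allowed_acl(sid, expected_perms, _flags = 0) # files/links carry no inherit flags; kept for signature parity with the directory helper`; otherwise forward `flags` to `ACE.access_allowed` / `ACE.access_denied` as the directory helper does. Whether the ACE comparison would notice unexpected flags here is not visible from this hunk.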
@@ -65,18 +65,20 @@ shared_examples_for "a directory resource" do
 end
 # Set up the context for security tests
- def allowed_acl(sid, expected_perms)
- [
- ACE.access_allowed(sid, expected_perms[:specific]),
- ACE.access_allowed(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::INHERIT_ONLY_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE)),
- ]
+ def allowed_acl(sid, expected_perms, flags = 0)
+ acl = [ ACE.access_allowed(sid, expected_perms[:specific], flags) ]
+ if expected_perms[:generic]
+ acl << ACE.access_allowed(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::INHERIT_ONLY_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE))
+ end
+ acl
 end
- def denied_acl(sid, expected_perms)
- [
- ACE.access_denied(sid, expected_perms[:specific]),
- ACE.access_denied(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::INHERIT_ONLY_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE)),
- ]
+ def denied_acl(sid, expected_perms, flags = 0)
+ acl = [ ACE.access_denied(sid, expected_perms[:specific], flags) ]
+ if expected_perms[:generic]
+ acl << ACE.access_denied(sid, expected_perms[:generic], (Chef::ReservedNames::Win32::API::Security::INHERIT_ONLY_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE))
+ end
+ acl
 end
 def parent_inheritable_acls
diff --git a/spec/support/shared/functional/file_resource.rb b/spec/support/shared/functional/file_resource.rb
index 8ae5db6a57..8aa4ffb65e 100644
--- a/spec/support/shared/functional/file_resource.rb
+++ b/spec/support/shared/functional/file_resource.rb
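Review bot: The `if expected_perms[:generic]` guard in `allowed_acl` and `denied_acl` drops the inherit-only ACE expectation whenever a perms hash lacks `:generic`, so a typo or accidental removal of that key would weaken the directory assertions without any test failing. In this commit only `expected_write_perms` loses the key, so a comment above the guard would record that the omission is deliberate, for example `# :write has no generic mask (see expected_write_perms); every other right must still expect the inherit-only ACE`. The three-constant inheritance mask is also repeated verbatim in both helpers and would read better as one named local or `let`.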
@@ -899,11 +899,11 @@ shared_examples_for "a configured file resource" do
 end
 # Set up the context for security tests
- def allowed_acl(sid, expected_perms)
+ def allowed_acl(sid, expected_perms, flags = 0)
 [ ACE.access_allowed(sid, expected_perms[:specific]) ]
 end
- def denied_acl(sid, expected_perms)
+ def denied_acl(sid, expected_perms, flags = 0)
 [ ACE.access_denied(sid, expected_perms[:specific]) ]
 end
diff --git a/spec/support/shared/functional/securable_resource.rb b/spec/support/shared/functional/securable_resource.rb
index d9a2110543..0a7eac442d 100644
--- a/spec/support/shared/functional/securable_resource.rb
+++ b/spec/support/shared/functional/securable_resource.rb
@@ -117,7 +117,6 @@ shared_context "use Windows permissions", :windows_only do
 let(:expected_write_perms) do
 {
- generic: Chef::ReservedNames::Win32::API::Security::GENERIC_WRITE,
 specific: Chef::ReservedNames::Win32::API::Security::WRITE,
 }
 end
@@ -136,6 +135,8 @@ shared_context "use Windows permissions", :windows_only do
 }
 end
+ let (:write_flag) { 3 }
+
 RSpec::Matchers.define :have_expected_properties do |mask, type, flags|
 match do |ace|
 ace.mask == mask &&
@@ -380,7 +381,7 @@ shared_examples_for "a securable resource without existing target" do
 it "correctly sets :write rights" do
 resource.rights(:write, "Guest")
 resource.run_action(:create)
- expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_write_perms))
+ expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_write_perms, write_flag))
 end
 it "correctly sets :modify rights" do
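Review bot: `let (:write_flag) { 3 }` in securable_resource.rb hard-codes an ACE flag value as a bare integer, which hides what the write examples actually assert. The value presumably stands for `OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE` (0x1 | 0x2 in the Windows API), both of which directory_resource.rb already references by name; this should be confirmed against the constants. Spelling it out as `let(:write_flag) { Chef::ReservedNames::Win32::API::Security::OBJECT_INHERIT_ACE | Chef::ReservedNames::Win32::API::Security::CONTAINER_INHERIT_ACE }` also removes the space between `let` and its parenthesis. The removal of `generic:` from `expected_write_perms` in the first hunk of this file would benefit from a one-line comment saying why write differs from the other rights.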
@@ -395,6 +396,30 @@ shared_examples_for "a securable resource without existing target" do
 expect(explicit_aces).to eq(allowed_acl(SID.Guest, expected_full_control_perms))
 end
+ it "correctly sets :read deny_rights" do
+ resource.deny_rights(:read, "Guest")
+ resource.run_action(:create)
+ expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_read_perms))
+ end
+
+ it "correctly sets :read_execute deny_rights" do
+ resource.deny_rights(:read_execute, "Guest")
+ resource.run_action(:create)
+ expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_read_execute_perms))
+ end
+
+ it "correctly sets :write deny_rights" do
+ resource.deny_rights(:write, "Guest")
+ resource.run_action(:create)
+ expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_write_perms, write_flag))
+ end
+
+ it "correctly sets :modify deny_rights" do
+ resource.deny_rights(:modify, "Guest")
+ resource.run_action(:create)
+ expect(explicit_aces).to eq(denied_acl(SID.Guest, expected_modify_perms))
+ end
+
 it "correctly sets deny_rights" do
 # deny is an ACE with full rights, but is a deny type ace, not an allow type
 resource.deny_rights(:full_control, "Guest")
-- cgit v1.2.1
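Review bot: The four added deny_rights examples are copies of one another apart from the right name and the expected perms, and only the `:write` one passes `write_flag`, which is easy to overlook among the repetition. Generating them from a small table keeps that exception visible and makes it harder to add a right later without its deny counterpart. The enclosing shared_examples block starts and ends outside the hunk.

```ruby
{
  read: :expected_read_perms,
  read_execute: :expected_read_execute_perms,
  write: :expected_write_perms,
  modify: :expected_modify_perms,
}.each do |right, perms|
  it "correctly sets :#{right} deny_rights" do
    resource.deny_rights(right, "Guest")
    resource.run_action(:create)
    # only :write ACEs are expected to carry inheritance flags
    flags = right == :write ? write_flag : 0
    expect(explicit_aces).to eq(denied_acl(SID.Guest, send(perms), flags))
  end
end
# … unchanged: "correctly sets deny_rights" (:full_control) example …
```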