author | Stig Sandbeck Mathisen <ssm@debian.org> | 2014-09-07 10:14:36 +0200 |
---|---|---|
committer | Stig Sandbeck Mathisen <ssm@debian.org> | 2014-09-07 10:14:36 +0200 |
commit | d4b83be375ac1dead058e091191ee7c7b7c24c8a (patch) | |
tree | dc825687392ae3068de5b764be60c53122d9e02a /spec/integration/util | |
parent | 229cbb976fe0f70f5f30548b83517b415840f9bb (diff) | |
parent | 1681684857c6e39d60d87b0b3520d8783977ceff (diff) | |
download | puppet-upstream/3.7.0.tar.gz |
Imported Upstream version 3.7.0upstream/3.7.0
Diffstat (limited to 'spec/integration/util')
-rwxr-xr-x | spec/integration/util/autoload_spec.rb | 12 | ||||
-rwxr-xr-x | spec/integration/util/rdoc/parser_spec.rb | 7 | ||||
-rw-r--r-- | spec/integration/util/windows/process_spec.rb | 12 | ||||
-rwxr-xr-x | spec/integration/util/windows/security_spec.rb | 71 | ||||
-rwxr-xr-x | spec/integration/util/windows/user_spec.rb | 84 |
5 files changed, 136 insertions, 50 deletions
diff --git a/spec/integration/util/autoload_spec.rb b/spec/integration/util/autoload_spec.rb index bfe8b67d2..c352fea9e 100755 --- a/spec/integration/util/autoload_spec.rb +++ b/spec/integration/util/autoload_spec.rb @@ -95,12 +95,12 @@ describe Puppet::Util::Autoload do file = File.join(libdir, "plugin.rb") - Puppet[:modulepath] = modulepath - - with_loader("foo", "foo") do |dir, loader| - with_file(:plugin, file.split("/")) do - loader.load(:plugin) - loader.class.should be_loaded("foo/plugin.rb") + Puppet.override(:environments => Puppet::Environments::Static.new(Puppet::Node::Environment.create(:production, [modulepath]))) do + with_loader("foo", "foo") do |dir, loader| + with_file(:plugin, file.split("/")) do + loader.load(:plugin) + loader.class.should be_loaded("foo/plugin.rb") + end end end end diff --git a/spec/integration/util/rdoc/parser_spec.rb b/spec/integration/util/rdoc/parser_spec.rb index d3bbef45c..2fdaf8019 100755 --- a/spec/integration/util/rdoc/parser_spec.rb +++ b/spec/integration/util/rdoc/parser_spec.rb @@ -127,6 +127,13 @@ end end.should_not(be_empty, "Could not match #{content_patterns} in any of the files found in #{glob}") end + around(:each) do |example| + env = Puppet::Node::Environment.create(:doc_test_env, [modules_dir], manifests_dir) + Puppet.override({:environments => Puppet::Environments::Static.new(env), :current_environment => env}) do + example.run + end + end + before :each do prepare_manifests_and_modules Puppet.settings[:document_all] = document_all diff --git a/spec/integration/util/windows/process_spec.rb b/spec/integration/util/windows/process_spec.rb index 6dc54d228..60eae3443 100644 --- a/spec/integration/util/windows/process_spec.rb +++ b/spec/integration/util/windows/process_spec.rb 
@@ -18,5 +18,17 @@ describe "Puppet::Util::Windows::Process", :if => Puppet.features.microsoft_wind Puppet::Util::Windows::User.should be_admin Puppet::Util::Windows::Process.process_privilege_symlink?.should be_false end + + it "should be able to lookup a standard Windows process privilege" do + Puppet::Util::Windows::Process.lookup_privilege_value('SeShutdownPrivilege') do |luid| + luid.should_not be_nil + luid.should be_instance_of(Puppet::Util::Windows::Process::LUID) + end + end + + it "should raise an error for an unknown privilege name" do + fail_msg = /LookupPrivilegeValue\(, foo, .*\): A specified privilege does not exist/ + expect { Puppet::Util::Windows::Process.lookup_privilege_value('foo') }.to raise_error(Puppet::Util::Windows::Error, fail_msg) + end end end diff --git a/spec/integration/util/windows/security_spec.rb b/spec/integration/util/windows/security_spec.rb index fa0eadc0d..7f7aa7cb6 100755 --- a/spec/integration/util/windows/security_spec.rb +++ b/spec/integration/util/windows/security_spec.rb @@ -1,8 +1,6 @@ #!/usr/bin/env ruby require 'spec_helper' -require 'puppet/util/adsi' - if Puppet.features.microsoft_windows? class WindowsSecurityTester require 'puppet/util/windows/security' 
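Review bot: The first example added to process_spec.rb puts both expectations inside the block passed to `lookup_privilege_value`, so it passes without asserting anything if that block is never yielded. Recording the yield closes the gap: set `yielded = false` before the call, `yielded = true` inside the block, and check `yielded.should be_true` afterwards. The second example matches the English system message (`A specified privilege does not exist`), which presumably changes with the Windows display language. Asserting the numeric code instead (ERROR_NO_SUCH_PRIVILEGE, 1313) would be locale-independent, in the same way the user_spec.rb hunk of this commit checks `expect(error.code).to eq(1326)`.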
@@ -15,11 +13,11 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win before :all do @sids = { - :current_user => Puppet::Util::Windows::Security.name_to_sid(Sys::Admin.get_login), + :current_user => Puppet::Util::Windows::SID.name_to_sid(Puppet::Util::Windows::ADSI::User.current_user_name), :system => Win32::Security::SID::LocalSystem, - :admin => Puppet::Util::Windows::Security.name_to_sid("Administrator"), + :admin => Puppet::Util::Windows::SID.name_to_sid("Administrator"), :administrators => Win32::Security::SID::BuiltinAdministrators, - :guest => Puppet::Util::Windows::Security.name_to_sid("Guest"), + :guest => Puppet::Util::Windows::SID.name_to_sid("Guest"), :users => Win32::Security::SID::BuiltinUsers, :power_users => Win32::Security::SID::PowerUsers, :none => Win32::Security::SID::Nobody, @@ -31,11 +29,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win # (like \\localhost) to fail with unhelpful error messages. # Put a check for this upfront to aid debug should this strike again. service = Puppet::Type.type(:service).new(:name => 'lmhosts') - service.provider.status.should == :running + expect(service.provider.status).to eq(:running), 'lmhosts service is not running' end let (:sids) { @sids } let (:winsec) { WindowsSecurityTester.new } + let (:klass) { Puppet::Util::Windows::File } def set_group_depending_on_current_user(path) if sids[:current_user] == sids[:system] 
@@ -53,8 +52,8 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win def grant_everyone_full_access(path) sd = winsec.get_security_descriptor(path) everyone = 'S-1-1-0' - inherit = WindowsSecurityTester::OBJECT_INHERIT_ACE | WindowsSecurityTester::CONTAINER_INHERIT_ACE - sd.dacl.allow(everyone, Windows::File::FILE_ALL_ACCESS, inherit) + inherit = Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE | Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE + sd.dacl.allow(everyone, klass::FILE_ALL_ACCESS, inherit) winsec.set_security_descriptor(path, sd) end @@ -178,7 +177,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win # when running under SYSTEM account, multiple ACEs come back # so we only care that we have at least one of these system_aces.any? do |ace| - ace.mask == Windows::File::FILE_ALL_ACCESS + ace.mask == klass::FILE_ALL_ACCESS end.should be_true # changing the owner/group will no longer make the SD protected @@ -186,7 +185,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win winsec.set_owner(sids[:administrators], path) system_aces.find do |ace| - ace.mask == Windows::File::FILE_ALL_ACCESS && ace.inherited? + ace.mask == klass::FILE_ALL_ACCESS && ace.inherited? end.should_not be_nil end @@ -227,7 +226,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win # when running under SYSTEM account, multiple ACEs come back # so we only care that we have at least one of these system_aces.any? do |ace| - ace.mask == WindowsSecurityTester::FILE_ALL_ACCESS + ace.mask == klass::FILE_ALL_ACCESS end.should be_true # changing the mode will make the SD protected 
@@ -237,7 +236,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win # and should have a non-inherited SYSTEM ACE(s) system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system]) system_aces.each do |ace| - ace.mask.should == Windows::File::FILE_ALL_ACCESS && ! ace.inherited? + ace.mask.should == klass::FILE_ALL_ACCESS && ! ace.inherited? end end @@ -259,25 +258,25 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win before :each do winsec.set_group(sids[:none], path) winsec.set_mode(0600, path) - winsec.add_attributes(path, WindowsSecurityTester::FILE_ATTRIBUTE_READONLY) - (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should be_nonzero + Puppet::Util::Windows::File.add_attributes(path, klass::FILE_ATTRIBUTE_READONLY) + (Puppet::Util::Windows::File.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY).should be_nonzero end it "should make them writable if any sid has write permission" do winsec.set_mode(WindowsSecurityTester::S_IWUSR, path) - (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should == 0 + (Puppet::Util::Windows::File.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY).should == 0 end it "should leave them read-only if no sid has write permission and should allow full access for SYSTEM" do winsec.set_mode(WindowsSecurityTester::S_IRUSR | WindowsSecurityTester::S_IXGRP, path) - (winsec.get_attributes(path) & WindowsSecurityTester::FILE_ATTRIBUTE_READONLY).should be_nonzero + (Puppet::Util::Windows::File.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY).should be_nonzero system_aces = winsec.get_aces_for_path_by_sid(path, sids[:system]) # when running under SYSTEM account, and set_group / set_owner hasn't been called # SYSTEM full access will be restored system_aces.any? do |ace| - ace.mask == Windows::File::FILE_ALL_ACCESS + ace.mask == klass::FILE_ALL_ACCESS end.should be_true end end 
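Review bot: In the `system_aces.each` block, `ace.mask.should == klass::FILE_ALL_ACCESS && ! ace.inherited?` never checks the inherited flag. `==` binds tighter than `&&`, so the expectation covers only the mask and the value of `! ace.inherited?` is discarded. The line was carried over with only the constant renamed, so the intent stated in the comment above it ("should have a non-inherited SYSTEM ACE(s)") is still not enforced. Split it into two expectations, `ace.mask.should == klass::FILE_ALL_ACCESS` and `ace.should_not be_inherited`. The enclosing example starts outside the hunk.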
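Review bot: The read-only attribute checks in the second hunk on this line spell the same module two ways in one expression, `Puppet::Util::Windows::File.get_attributes(path) & klass::FILE_ATTRIBUTE_READONLY`. Since this commit introduces `klass` as `Puppet::Util::Windows::File`, `klass.add_attributes(path, klass::FILE_ATTRIBUTE_READONLY)` and `klass.get_attributes(path)` would be shorter and consistent. A more descriptive name than `klass` would also help a reader who reaches these lines without the `let` in view.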
@@ -291,7 +290,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win it "should report when extra aces are encounted" do sd = winsec.get_security_descriptor(path) (544..547).each do |rid| - sd.dacl.allow("S-1-5-32-#{rid}", WindowsSecurityTester::STANDARD_RIGHTS_ALL) + sd.dacl.allow("S-1-5-32-#{rid}", klass::STANDARD_RIGHTS_ALL) end winsec.set_security_descriptor(path, sd) @@ -301,12 +300,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win it "should return deny aces" do sd = winsec.get_security_descriptor(path) - sd.dacl.deny(sids[:guest], WindowsSecurityTester::FILE_GENERIC_WRITE) + sd.dacl.deny(sids[:guest], klass::FILE_GENERIC_WRITE) winsec.set_security_descriptor(path, sd) guest_aces = winsec.get_aces_for_path_by_sid(path, sids[:guest]) guest_aces.find do |ace| - ace.type == WindowsSecurityTester::ACCESS_DENIED_ACE_TYPE + ace.type == Puppet::Util::Windows::AccessControlEntry::ACCESS_DENIED_ACE_TYPE end.should_not be_nil end @@ -314,12 +313,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win sd = winsec.get_security_descriptor(path) dacl = Puppet::Util::Windows::AccessControlList.new dacl.allow( - sids[:current_user], WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL + sids[:current_user], klass::STANDARD_RIGHTS_ALL | klass::SPECIFIC_RIGHTS_ALL ) dacl.allow( sids[:everyone], - WindowsSecurityTester::FILE_GENERIC_READ, - WindowsSecurityTester::INHERIT_ONLY_ACE | WindowsSecurityTester::OBJECT_INHERIT_ACE + klass::FILE_GENERIC_READ, + Puppet::Util::Windows::AccessControlEntry::INHERIT_ONLY_ACE | Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE ) winsec.set_security_descriptor(path, sd) 
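Review bot: In the last hunk on this line, the `dacl` built with `Puppet::Util::Windows::AccessControlList.new` is never attached to `sd` in the visible lines. As a result `winsec.set_security_descriptor(path, sd)` writes the descriptor back as it was read, and the inherit-only ACE for `sids[:everyone]` does not appear to reach `path`. If so, whatever the example asserts afterwards is not exercising an inherit-only entry. Adding the entries through `sd.dacl.allow(...)`, as the neighbouring examples do, or otherwise writing back a descriptor that carries `dacl`, would make the setup take effect. The enclosing example starts and ends outside the hunk.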
@@ -344,8 +343,8 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win it "should be present when the access control list is unprotected" do # add a bunch of aces to the parent with permission to add children - allow = WindowsSecurityTester::STANDARD_RIGHTS_ALL | WindowsSecurityTester::SPECIFIC_RIGHTS_ALL - inherit = WindowsSecurityTester::OBJECT_INHERIT_ACE | WindowsSecurityTester::CONTAINER_INHERIT_ACE + allow = klass::STANDARD_RIGHTS_ALL | klass::SPECIFIC_RIGHTS_ALL + inherit = Puppet::Util::Windows::AccessControlEntry::OBJECT_INHERIT_ACE | Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE sd = winsec.get_security_descriptor(parent) sd.dacl.allow( @@ -356,7 +355,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win (544..547).each do |rid| sd.dacl.allow( "S-1-5-32-#{rid}", - WindowsSecurityTester::STANDARD_RIGHTS_ALL, + klass::STANDARD_RIGHTS_ALL, inherit ) end @@ -371,10 +370,12 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win describe "for an administrator", :if => Puppet.features.root? do before :each do + is_dir = Puppet::FileSystem.directory?(path) winsec.set_mode(WindowsSecurityTester::S_IRWXU | WindowsSecurityTester::S_IRWXG, path) set_group_depending_on_current_user(path) winsec.set_owner(sids[:guest], path) - lambda { File.open(path, 'r') }.should raise_error(Errno::EACCES) + expected_error = RUBY_VERSION =~ /^2\./ && is_dir ? Errno::EISDIR : Errno::EACCES + lambda { File.open(path, 'r') }.should raise_error(expected_error) end after :each do 
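Review bot: With `expected_error` set to `Errno::EISDIR` for directories, the precondition in this `before :each` no longer shows that the DACL denies the read, because on Ruby 2.x `File.open` on a directory presumably raises EISDIR whatever the permissions are. For directories, a call that actually needs list access, such as `Dir.entries(path)` expected to raise `Errno::EACCES`, would keep the guard meaningful. The version test `RUBY_VERSION =~ /^2\./` is also pinned to 2.x and uses the per-line anchor `^` where `\A` states the intent. The enclosing `describe` continues outside the hunk.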
@@ -446,14 +447,14 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win describe "when the sid refers to a deleted trustee" do it "should retrieve the user sid" do sid = nil - user = Puppet::Util::ADSI::User.create("delete_me_user") + user = Puppet::Util::Windows::ADSI::User.create("delete_me_user") user.commit begin - sid = Sys::Admin::get_user(user.name).sid + sid = Puppet::Util::Windows::ADSI::User.new(user.name).sid.to_s winsec.set_owner(sid, path) winsec.set_mode(WindowsSecurityTester::S_IRWXU, path) ensure - Puppet::Util::ADSI::User.delete(user.name) + Puppet::Util::Windows::ADSI::User.delete(user.name) end winsec.get_owner(path).should == sid @@ -462,14 +463,14 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win it "should retrieve the group sid" do sid = nil - group = Puppet::Util::ADSI::Group.create("delete_me_group") + group = Puppet::Util::Windows::ADSI::Group.create("delete_me_group") group.commit begin - sid = Sys::Admin::get_group(group.name).sid + sid = Puppet::Util::Windows::ADSI::Group.new(group.name).sid.to_s winsec.set_group(sid, path) winsec.set_mode(WindowsSecurityTester::S_IRWXG, path) ensure - Puppet::Util::ADSI::Group.delete(group.name) + Puppet::Util::Windows::ADSI::Group.delete(group.name) end winsec.get_group(path).should == sid winsec.get_mode(path).should == WindowsSecurityTester::S_IRWXG @@ -813,7 +814,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE sd = winsec.get_security_descriptor(dir) - sd.dacl.allow(sd.owner, Windows::File::FILE_ALL_ACCESS, inherit_flags) + sd.dacl.allow(sd.owner, klass::FILE_ALL_ACCESS, inherit_flags) winsec.set_security_descriptor(dir, sd) sd = winsec.get_security_descriptor(dir) 
@@ -834,7 +835,7 @@ describe "Puppet::Util::Windows::Security", :if => Puppet.features.microsoft_win Puppet::Util::Windows::AccessControlEntry::CONTAINER_INHERIT_ACE sd = winsec.get_security_descriptor(dir) - sd.dacl.deny(sids[:guest], Windows::File::FILE_ALL_ACCESS, inherit_flags) + sd.dacl.deny(sids[:guest], klass::FILE_ALL_ACCESS, inherit_flags) winsec.set_security_descriptor(dir, sd) sd = winsec.get_security_descriptor(dir) diff --git a/spec/integration/util/windows/user_spec.rb b/spec/integration/util/windows/user_spec.rb index 0435b2cdc..4e873b34c 100755 --- a/spec/integration/util/windows/user_spec.rb +++ b/spec/integration/util/windows/user_spec.rb 
@@ -10,23 +10,23 @@ describe "Puppet::Util::Windows::User", :if => Puppet.features.microsoft_windows it "should be an admin if user's token contains the Administrators SID" do Puppet::Util::Windows::User.expects(:check_token_membership).returns(true) - Win32::Security.expects(:elevated_security?).never + Puppet::Util::Windows::Process.expects(:elevated_security?).never Puppet::Util::Windows::User.should be_admin end it "should not be an admin if user's token doesn't contain the Administrators SID" do Puppet::Util::Windows::User.expects(:check_token_membership).returns(false) - Win32::Security.expects(:elevated_security?).never + Puppet::Util::Windows::Process.expects(:elevated_security?).never Puppet::Util::Windows::User.should_not be_admin end it "should raise an exception if we can't check token membership" do - Puppet::Util::Windows::User.expects(:check_token_membership).raises(Win32::Security::Error, "Access denied.") - Win32::Security.expects(:elevated_security?).never + Puppet::Util::Windows::User.expects(:check_token_membership).raises(Puppet::Util::Windows::Error, "Access denied.") + Puppet::Util::Windows::Process.expects(:elevated_security?).never - lambda { Puppet::Util::Windows::User.admin? }.should raise_error(Win32::Security::Error, /Access denied./) + lambda { Puppet::Util::Windows::User.admin? }.should raise_error(Puppet::Util::Windows::Error, /Access denied./) end end 
@@ -36,24 +36,90 @@ describe "Puppet::Util::Windows::User", :if => Puppet.features.microsoft_windows end it "should be an admin if user is running with elevated privileges" do - Win32::Security.stubs(:elevated_security?).returns(true) + Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(true) Puppet::Util::Windows::User.expects(:check_token_membership).never Puppet::Util::Windows::User.should be_admin end it "should not be an admin if user is not running with elevated privileges" do - Win32::Security.stubs(:elevated_security?).returns(false) + Puppet::Util::Windows::Process.stubs(:elevated_security?).returns(false) Puppet::Util::Windows::User.expects(:check_token_membership).never Puppet::Util::Windows::User.should_not be_admin end it "should raise an exception if the process fails to open the process token" do - Win32::Security.stubs(:elevated_security?).raises(Win32::Security::Error, "Access denied.") + Puppet::Util::Windows::Process.stubs(:elevated_security?).raises(Puppet::Util::Windows::Error, "Access denied.") Puppet::Util::Windows::User.expects(:check_token_membership).never - lambda { Puppet::Util::Windows::User.admin? }.should raise_error(Win32::Security::Error, /Access denied./) + lambda { Puppet::Util::Windows::User.admin? 
}.should raise_error(Puppet::Util::Windows::Error, /Access denied./) + end + end + + describe "module function" do + let(:username) { 'fabio' } + let(:bad_password) { 'goldilocks' } + let(:logon_fail_msg) { /Failed to logon user "fabio": Logon failure: unknown user name or bad password./ } + + def expect_logon_failure_error(&block) + expect { + yield + }.to raise_error { |error| + expect(error).to be_a(Puppet::Util::Windows::Error) + # http://msdn.microsoft.com/en-us/library/windows/desktop/ms681385(v=vs.85).aspx + # ERROR_LOGON_FAILURE 1326 + expect(error.code).to eq(1326) + } + end + + describe "load_profile" do + it "should raise an error when provided with an incorrect username and password" do + expect_logon_failure_error { + Puppet::Util::Windows::User.load_profile(username, bad_password) + } + end + + it "should raise an error when provided with an incorrect username and nil password" do + expect_logon_failure_error { + Puppet::Util::Windows::User.load_profile(username, nil) + } + end + end + + describe "logon_user" do + it "should raise an error when provided with an incorrect username and password" do + expect_logon_failure_error { + Puppet::Util::Windows::User.logon_user(username, bad_password) + } + end + + it "should raise an error when provided with an incorrect username and nil password" do + expect_logon_failure_error { + Puppet::Util::Windows::User.logon_user(username, nil) + } + end + end + + describe "password_is?" 
do + it "should return false given an incorrect username and password" do + Puppet::Util::Windows::User.password_is?(username, bad_password).should be_false + end + + it "should return false given an incorrect username and nil password" do + Puppet::Util::Windows::User.password_is?(username, nil).should be_false + end + + it "should return false given a nil username and an incorrect password" do + Puppet::Util::Windows::User.password_is?(nil, bad_password).should be_false + end + end + + describe "check_token_membership" do + it "should not raise an error" do + # added just to call an FFI code path on all platforms + lambda { Puppet::Util::Windows::User.check_token_membership }.should_not raise_error + end end end end |
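Review bot: `let(:logon_fail_msg)` is defined in the new "module function" group but none of the added examples reference it, so either drop it or assert it next to the code check in `expect_logon_failure_error`. The examples also perform real failed logons for the fixed name `fabio` on whatever host runs the suite. Those are presumably recorded as failed-logon audit events and, if an account of that name exists, may count toward its lockout threshold. A generated name that cannot collide, e.g. `let(:username) { "puppet_spec_#{Process.pid}" }`, avoids that. The comment "on all platforms" on the `check_token_membership` example also does not match the enclosing `describe`, which per the hunk header is gated on `Puppet.features.microsoft_windows`.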