inspec/test/kitchen/policies/default/controls/file_spec.rb

230 lines
7.8 KiB
Ruby
Raw Normal View History

if os[:family] == 'windows'
filedata = {
user: os_env('COMPUTERNAME').content + '\TestUser'
}
elsif os[:name] == 'freebsd'
filedata = {
user: 'root',
group: 'wheel',
dir_content: "\u0003\u0000",
dir_md5sum: '598f4fe64aefab8f00bcbea4c9239abf',
dir_sha256sum: '9b4fb24edd6d1d8830e272398263cdbf026b97392cc35387b991dc0248a628f9',
}
2016-09-01 16:27:00 +00:00
elsif os[:name] == 'aix'
2015-12-21 22:08:17 +00:00
filedata = {
user: 'root',
group: 'system',
dir_content: nil,
dir_md5sum: nil,
dir_sha256sum: nil,
}
2016-01-28 13:51:54 +00:00
elsif os.solaris?
filedata = {
user: 'root',
group: 'sys',
dir_content: nil,
dir_md5sum: nil,
dir_sha256sum: nil,
}
else
filedata = {
user: 'root',
group: 'root',
dir_content: nil,
dir_md5sum: nil,
dir_sha256sum: nil,
}
2015-10-24 09:12:15 +00:00
end
if os.unix?
# test regular file
describe file('/tmp/file') do
it { should exist }
it { should be_file }
it { should_not be_directory }
it { should_not be_block_device }
it { should_not be_character_device }
it { should_not be_pipe }
it { should_not be_socket }
it { should_not be_symlink }
it { should_not be_mounted }
# check owner
it { should be_owned_by filedata[:user] }
it { should be_grouped_into filedata[:group] }
# it { should have_mode }
its('mode') { should eq 00765 }
it { should be_mode 00765 }
its('mode') { should cmp '0765' }
its('mode') { should_not cmp '0777' }
its('suid') { should eq false }
its('sgid') { should eq false }
its('sticky') { should eq false }
it { should be_readable }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read') }
it { should be_readable.by('owner') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read', by: 'owner') }
it { should be_readable.by('group') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read', by: 'group') }
it { should be_readable.by('other') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read', by: 'other') }
it { should be_readable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read', by_user: filedata[:user]) }
it { should_not be_readable.by_user('noroot') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('read', by_user: 'noroot') }
# for server spec compatibility
it { should be_readable.by('others') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read', by: 'others') }
it { should be_writable }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('write') }
it { should be_writable.by('owner') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('write', by: 'owner') }
it { should be_writable.by('group') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('write', by: 'group') }
it { should_not be_writable.by('other') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('write', by: 'other') }
it { should be_writable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('write', by_user: filedata[:user]) }
# it { should_not be_writable.by_user('noroot') }
# for server spec compatibility
it { should_not be_writable.by('others') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('write', by: 'others') }
it { should be_executable }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('execute') }
it { should be_executable.by('owner') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('execute', by: 'owner') }
it { should_not be_executable.by('group') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('execute', by: 'group') }
it { should be_executable.by('other') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('execute', by: 'other') }
it { should be_executable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('execute', by_user: filedata[:user]) }
# it { should_not be_executable.by_user('noroot') }
# for server spec compatibility
it { should be_executable.by('others') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('execute', by: 'others') }
# test extended linux attributes
# it { should be_immutable }
its('content') { should eq 'hello world' }
its('content') { should match('world') }
its('content') { should include('hello') }
its('size') { should eq 11 }
its('md5sum') { should eq '5eb63bbbe01eeed093cb22bb8f5acdc3' }
its('sha256sum') { should eq 'b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9' }
its('product_version') { should eq nil }
its('file_version') { should eq nil }
its('basename') { should cmp 'file' }
its('path') { should cmp '/tmp/file' }
its('owner') { should eq filedata[:user] }
its('group') { should eq filedata[:group] }
its('type') { should eq :file }
end
# see mount_spec.rb for file mount tests
# describe file('/mnt/iso-disk') do
# it { should be_mounted }
# ...
# end
2016-09-01 16:27:00 +00:00
describe file('/tmp/sfile') do
File Resource: add be_setgid, be_setuid, be_sticky matchers (#2104) * Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here. Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * TDD Red for setgid/setuid/sticky File matchers Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add documentation for file resource sgid, sticky, and suid matchers Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add matchers to File for setgid, setuid, and sticky by aliasing existing predicates; TDD green Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Rubocop prefers alias to alias_method. Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Lint before pushing, of course Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Correct spelling of setgid and setuid matchers in docs Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Add be_setgid, be_setuid, be_sticky matcher integration tests for File. Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Revert "Provisioner script to setup resource tests for setgid/setuid/sticky bit tests. This appears to be the correct mechanism per docker_run, but I don't see any other provisioner scripts, so I suspect there is a different Chef-internal mechanism at play here." This reverts commit 42e672f3b1cea824451f23bb825b486baaa77c02. Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com> * Revert "TDD Red for setgid/setuid/sticky File matchers" This reverts commit a4f891fc7e47bad3096b6a1afd6e8f92fb3f8077. Signed-off-by: Clinton Wolfe <clintoncwolfe@gmail.com>
2017-09-03 18:43:13 +00:00
it { should be_setgid }
it { should be_setuid }
it { should be_sticky }
# These may eventually be deprecated
its('suid') { should eq true }
its('sgid') { should eq true }
its('sticky') { should eq true }
end
describe file('/tmp/folder') do
it { should exist }
it { should be_directory }
it { should_not be_file }
it { should_not be_block_device }
it { should_not be_character_device }
it { should_not be_pipe }
it { should_not be_socket }
it { should_not be_symlink }
its('content') { should eq filedata[:dir_content] }
its('md5sum') { should eq filedata[:dir_md5sum] }
its('sha256sum') { should eq filedata[:dir_sha256sum] }
its('product_version') { should eq nil }
its('file_version') { should eq nil }
its('basename') { should cmp 'folder' }
its('path') { should cmp '/tmp/folder' }
its('owner') { should eq filedata[:user] }
its('group') { should eq filedata[:group] }
its('type') { should eq :directory }
end
2016-01-28 13:51:54 +00:00
end
2016-01-28 13:51:54 +00:00
if os.windows?
describe file('C:\Windows') do
2015-12-31 00:10:39 +00:00
it { should exist }
it { should be_directory }
its('basename') { should cmp 'Windows' }
its('path') { should cmp "C:\\Windows" }
2015-12-31 00:10:39 +00:00
end
describe file('C:/Test Directory/test file.txt') do
it { should exist }
it { should be_file }
it { should be_readable.by_user('NT AUTHORITY\SYSTEM') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read', by_user: 'NT AUTHORITY\SYSTEM') }
it { should be_writable.by_user('NT AUTHORITY\SYSTEM') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('write', by_user: 'NT AUTHORITY\SYSTEM') }
it { should be_executable.by_user('NT AUTHORITY\SYSTEM') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('execute', by_user: 'NT AUTHORITY\SYSTEM') }
it { should_not be_readable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('read', by_user: filedata[:user]) }
it { should_not be_writable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('write', by_user: filedata[:user]) }
it { should_not be_executable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('execute', by_user: filedata[:user]) }
end
describe file('C:/Test Directory') do
it { should exist }
it { should be_directory }
it { should be_readable.by_user('NT AUTHORITY\SYSTEM') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('read', by_user: 'NT AUTHORITY\SYSTEM') }
it { should be_writable.by_user('NT AUTHORITY\SYSTEM') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('write', by_user: 'NT AUTHORITY\SYSTEM') }
it { should be_executable.by_user('NT AUTHORITY\SYSTEM') }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('execute', by_user: 'NT AUTHORITY\SYSTEM') }
it { should_not be_readable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('read', by_user: filedata[:user]) }
it { should_not be_writable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('write', by_user: filedata[:user]) }
it { should_not be_executable.by_user(filedata[:user]) }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should_not be_allowed('execute', by_user: filedata[:user]) }
end
describe file("C:/Program Files (x86)/Windows NT/Accessories/wordpad.exe") do
it { should exist }
# Only works on Windows 2012 R2
its('file_version') { should eq '6.3.9600.17415' }
end
# read the owner of a file
describe directory('C:/opscode/chef') do
its('owner') { should cmp 'NT AUTHORITY\SYSTEM' }
it { should be_owned_by 'NT AUTHORITY\SYSTEM' }
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
it { should be_allowed('full-control', by_user: 'NT AUTHORITY\SYSTEM') }
it { should be_allowed('modify', by_user: 'NT AUTHORITY\SYSTEM') }
end
2015-10-24 09:12:15 +00:00
end