inspec/test/unit/resources/file_test.rb

95 lines
5.8 KiB
Ruby
Raw Normal View History

2015-12-31 00:10:06 +00:00
# author: Christoph Hartmann
# author: Dominik Richter
require 'helper'
require 'inspec/resource'
describe Inspec::Resources::FileResource do
let(:file) { stub(unix_mode_mask: 000, mode: 000) }
it 'responds on Ubuntu' do
resource = MockLoader.new(:ubuntu1404).load_resource('file', '/fakepath/fakefile')
resource.stubs(:exist?).returns(true)
resource.stubs(:mounted?).returns(true)
resource.stubs(:source_path).returns('/fakepath/fakefile')
resource.stubs(:file).returns(file)
resource.stubs(:content).returns('content')
resource.stubs(:mode).returns(000)
resource.stubs(:suid).returns(true)
resource.stubs(:sgid).returns(true)
resource.stubs(:sticky).returns(true)
resource.stubs(:file_permission_granted?).with('read', 'by_usergroup', 'by_specific_user').returns('test_result')
resource.stubs(:file_permission_granted?).with('write', 'by_usergroup', 'by_specific_user').returns('test_result')
resource.stubs(:file_permission_granted?).with('execute', 'by_usergroup', 'by_specific_user').returns('test_result')
_(resource.content).must_equal 'content'
_(resource.more_permissive_than?('000').must_equal false)
_(resource.exist?).must_equal true
_(resource.mounted?).must_equal true
_(resource.to_s).must_equal 'File /fakepath/fakefile'
_(resource.readable?('by_usergroup', 'by_specific_user')).must_equal 'test_result'
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
_(resource.allowed?('read', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal 'test_result'
_(resource.writable?('by_usergroup', 'by_specific_user')).must_equal 'test_result'
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
_(resource.allowed?('write', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal 'test_result'
_(resource.executable?('by_usergroup', 'by_specific_user')).must_equal 'test_result'
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
_(resource.allowed?('execute', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal 'test_result'
_(resource.suid).must_equal true
_(resource.sgid).must_equal true
_(resource.sticky).must_equal true
proc { resource.send(:more_permissive_than?, nil) }.must_raise(ArgumentError)
proc { resource.send(:more_permissive_than?, 0700) }.must_raise(ArgumentError)
end
it 'responds on Windows' do
resource = MockLoader.new(:windows).load_resource('file', 'C:/fakepath/fakefile')
resource.stubs(:exist?).returns(true)
resource.stubs(:mounted?).returns(true)
resource.stubs(:content).returns('content')
resource.stubs(:file_permission_granted?).with('read', 'by_usergroup', 'by_specific_user').returns('test_result')
resource.stubs(:file_permission_granted?).with('write', 'by_usergroup', 'by_specific_user').returns('test_result')
resource.stubs(:file_permission_granted?).with('execute', 'by_usergroup', 'by_specific_user').returns('test_result')
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
resource.stubs(:file_permission_granted?).with('full-control', 'by_usergroup', 'by_specific_user').returns('test_result')
_(resource.content).must_equal 'content'
_(resource.exist?).must_equal true
_(resource.mounted?).must_equal true
_(resource.readable?('by_usergroup', 'by_specific_user')).must_equal 'test_result'
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
_(resource.allowed?('read', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal 'test_result'
_(resource.writable?('by_usergroup', 'by_specific_user')).must_equal 'test_result'
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
_(resource.allowed?('write', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal 'test_result'
_(resource.executable?('by_usergroup', 'by_specific_user')).must_equal 'test_result'
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
_(resource.allowed?('execute', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal 'test_result'
_(resource.allowed?('full-control', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal 'test_result'
end
it 'does not support Windows-style ACL on Ubuntu' do
resource = MockLoader.new(:ubuntu1404).load_resource('file', '/fakepath/fakefile')
resource.stubs(:exist?).returns(true)
proc { resource.send('allowed?', 'full-control', { by: 'by_usergroup', by_user: 'by_specific_user' }) }.must_raise(RuntimeError)
proc { resource.send('allowed?', 'modify', { by: 'by_usergroup', by_user: 'by_specific_user' }) }.must_raise(RuntimeError)
end
it 'does not support check by mask on Windows' do
resource = MockLoader.new(:windows).load_resource('file', 'C:/fakepath/fakefile')
resource.stubs(:exist?).returns(true)
proc { resource.send('readable?', 'by_usergroup', nil) }.must_raise(RuntimeError)
proc { resource.send('writable?', 'by_usergroup', nil) }.must_raise(RuntimeError)
proc { resource.send('executable?', 'by_usergroup', nil) }.must_raise(RuntimeError)
end
it 'responds with errors on unsupported OS' do
resource = MockLoader.new(:undefined).load_resource('file', 'C:/fakepath/fakefile')
resource.stubs(:exist?).returns(true)
_(resource.exist?).must_equal true
_(resource.readable?('by_usergroup', 'by_specific_user')).must_equal '`readable?` is not supported on your OS yet.'
_(resource.writable?('by_usergroup', 'by_specific_user')).must_equal '`writable?` is not supported on your OS yet.'
_(resource.executable?('by_usergroup', 'by_specific_user')).must_equal '`executable?` is not supported on your OS yet.'
Extend Windows ACL matchers (#1744) * Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
2017-10-17 13:01:51 +00:00
_(resource.allowed?('permission', by: 'by_usergroup', by_user: 'by_specific_user')).must_equal '`allowed?` is not supported on your OS yet.'
proc { resource.send(:contain, nil) }.must_raise(RuntimeError)
end
end
describe Inspec::Resources::FileResource do
let(:file) { stub(unix_mode_mask: 000, mode: 644) }
it 'responds on Ubuntu' do
resource = MockLoader.new(:ubuntu1404).load_resource('file', '/fakepath/fakefile')
_(resource.more_permissive_than?('755').must_equal false)
_(resource.more_permissive_than?('644').must_equal false)
_(resource.more_permissive_than?('640').must_equal true)
proc { resource.send(:more_permissive_than?, '0888') }.must_raise(ArgumentError)
end
end