mirror of
https://github.com/inspec/inspec
synced 2024-12-29 22:43:25 +00:00
6ed4068fd1
* Adds alias for 'ListDirectory' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Works with Ruby array of permissions as long as possible Converts to PowerShell array just before use. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Abstracts user-provided permissions to router method Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds FullControl as a specifiable permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds specific permission 'modify' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes #1743 Limits Windows' broad "read" permission to if it can read all of the above, instead of just the first: - File contents - File attributes - File extended attributes - File permissions This better aligns with how Windows names the permissions. 'read' -> Read instead of 'read' -> ReadData Signed-off-by: David Alexander <opensource@thelonelyghost.com> * 'Execute' Windows ACL has alias of 'Traverse' Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds 'Delete' permission Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds `should allow('perm').by_user('me')` matcher Provides hooks for later use with Windows ACL matching Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Adds remaining Windows ACL hooks Skips ReadAndExecute on intentionally since it just aliases the combo of 2 permissions into one new one. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * [Rubocop] Reduces ABC / Cyclomatic complexity Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Reduces global scope with `allows()` -> `be_allowed()` RSpec inferred matchers work nicely here. This changes the `by_user()` and `by()` chained matchers to just be an options hash on the underlying `allowed?()` method. Signed-off-by: David Alexander <opensource@thelonelyghost.com> * Fixes integration tests with rename `allows()` -> `be_allowed()` Signed-off-by: David Alexander <opensource@thelonelyghost.com>
232 lines
7.9 KiB
Ruby
232 lines
7.9 KiB
Ruby
# encoding: utf-8
|
|
|
|
if os[:family] == 'windows'
|
|
filedata = {
|
|
user: os_env('COMPUTERNAME').content + '\TestUser'
|
|
}
|
|
elsif os[:name] == 'freebsd'
|
|
filedata = {
|
|
user: 'root',
|
|
group: 'wheel',
|
|
dir_content: "\u0003\u0000",
|
|
dir_md5sum: '598f4fe64aefab8f00bcbea4c9239abf',
|
|
dir_sha256sum: '9b4fb24edd6d1d8830e272398263cdbf026b97392cc35387b991dc0248a628f9',
|
|
}
|
|
elsif os[:name] == 'aix'
|
|
filedata = {
|
|
user: 'root',
|
|
group: 'system',
|
|
dir_content: nil,
|
|
dir_md5sum: nil,
|
|
dir_sha256sum: nil,
|
|
}
|
|
elsif os.solaris?
|
|
filedata = {
|
|
user: 'root',
|
|
group: 'sys',
|
|
dir_content: nil,
|
|
dir_md5sum: nil,
|
|
dir_sha256sum: nil,
|
|
}
|
|
else
|
|
filedata = {
|
|
user: 'root',
|
|
group: 'root',
|
|
dir_content: nil,
|
|
dir_md5sum: nil,
|
|
dir_sha256sum: nil,
|
|
}
|
|
end
|
|
|
|
if os.unix?
|
|
|
|
# test regular file
|
|
describe file('/tmp/file') do
|
|
it { should exist }
|
|
it { should be_file }
|
|
|
|
it { should_not be_directory }
|
|
it { should_not be_block_device }
|
|
it { should_not be_character_device }
|
|
it { should_not be_pipe }
|
|
it { should_not be_socket }
|
|
it { should_not be_symlink }
|
|
it { should_not be_mounted }
|
|
|
|
# check owner
|
|
it { should be_owned_by filedata[:user] }
|
|
it { should be_grouped_into filedata[:group] }
|
|
|
|
# it { should have_mode }
|
|
its('mode') { should eq 00765 }
|
|
it { should be_mode 00765 }
|
|
its('mode') { should cmp '0765' }
|
|
its('mode') { should_not cmp '0777' }
|
|
its('suid') { should eq false }
|
|
its('sgid') { should eq false }
|
|
its('sticky') { should eq false }
|
|
|
|
it { should be_readable }
|
|
it { should be_allowed('read') }
|
|
it { should be_readable.by('owner') }
|
|
it { should be_allowed('read', by: 'owner') }
|
|
it { should be_readable.by('group') }
|
|
it { should be_allowed('read', by: 'group') }
|
|
it { should be_readable.by('other') }
|
|
it { should be_allowed('read', by: 'other') }
|
|
it { should be_readable.by_user(filedata[:user]) }
|
|
it { should be_allowed('read', by_user: filedata[:user]) }
|
|
it { should_not be_readable.by_user('noroot') }
|
|
it { should_not be_allowed('read', by_user: 'noroot') }
|
|
# for server spec compatibility
|
|
it { should be_readable.by('others') }
|
|
it { should be_allowed('read', by: 'others') }
|
|
|
|
it { should be_writable }
|
|
it { should be_allowed('write') }
|
|
it { should be_writable.by('owner') }
|
|
it { should be_allowed('write', by: 'owner') }
|
|
it { should be_writable.by('group') }
|
|
it { should be_allowed('write', by: 'group') }
|
|
it { should_not be_writable.by('other') }
|
|
it { should_not be_allowed('write', by: 'other') }
|
|
it { should be_writable.by_user(filedata[:user]) }
|
|
it { should be_allowed('write', by_user: filedata[:user]) }
|
|
# it { should_not be_writable.by_user('noroot') }
|
|
# for server spec compatibility
|
|
it { should_not be_writable.by('others') }
|
|
it { should_not be_allowed('write', by: 'others') }
|
|
|
|
it { should be_executable }
|
|
it { should be_allowed('execute') }
|
|
it { should be_executable.by('owner') }
|
|
it { should be_allowed('execute', by: 'owner') }
|
|
it { should_not be_executable.by('group') }
|
|
it { should_not be_allowed('execute', by: 'group') }
|
|
it { should be_executable.by('other') }
|
|
it { should be_allowed('execute', by: 'other') }
|
|
it { should be_executable.by_user(filedata[:user]) }
|
|
it { should be_allowed('execute', by_user: filedata[:user]) }
|
|
# it { should_not be_executable.by_user('noroot') }
|
|
# for server spec compatibility
|
|
it { should be_executable.by('others') }
|
|
it { should be_allowed('execute', by: 'others') }
|
|
|
|
# test extended linux attributes
|
|
# it { should be_immutable }
|
|
|
|
its('content') { should eq 'hello world' }
|
|
its('content') { should match('world') }
|
|
its('content') { should contain('hello') }
|
|
its('content') { should include('hello') }
|
|
its('size') { should eq 11 }
|
|
its('md5sum') { should eq '5eb63bbbe01eeed093cb22bb8f5acdc3' }
|
|
its('sha256sum') { should eq 'b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9' }
|
|
its('product_version') { should eq nil }
|
|
its('file_version') { should eq nil }
|
|
its('basename') { should cmp 'file' }
|
|
its('path') { should cmp '/tmp/file' }
|
|
|
|
its('owner') { should eq filedata[:user] }
|
|
its('group') { should eq filedata[:group] }
|
|
its('type') { should eq :file }
|
|
end
|
|
|
|
# see mount_spec.rb for file mount tests
|
|
# describe file('/mnt/iso-disk') do
|
|
# it { should be_mounted }
|
|
# ...
|
|
# end
|
|
|
|
describe file('/tmp/sfile') do
|
|
it { should be_setgid }
|
|
it { should be_setuid }
|
|
it { should be_sticky }
|
|
|
|
# These may eventually be deprecated
|
|
its('suid') { should eq true }
|
|
its('sgid') { should eq true }
|
|
its('sticky') { should eq true }
|
|
end
|
|
|
|
describe file('/tmp/folder') do
|
|
it { should exist }
|
|
it { should be_directory }
|
|
|
|
it { should_not be_file }
|
|
it { should_not be_block_device }
|
|
it { should_not be_character_device }
|
|
it { should_not be_pipe }
|
|
it { should_not be_socket }
|
|
it { should_not be_symlink }
|
|
|
|
its('content') { should eq filedata[:dir_content] }
|
|
its('md5sum') { should eq filedata[:dir_md5sum] }
|
|
its('sha256sum') { should eq filedata[:dir_sha256sum] }
|
|
its('product_version') { should eq nil }
|
|
its('file_version') { should eq nil }
|
|
its('basename') { should cmp 'folder' }
|
|
its('path') { should cmp '/tmp/folder' }
|
|
|
|
its('owner') { should eq filedata[:user] }
|
|
its('group') { should eq filedata[:group] }
|
|
its('type') { should eq :directory }
|
|
end
|
|
end
|
|
|
|
if os.windows?
|
|
describe file('C:\Windows') do
|
|
it { should exist }
|
|
it { should be_directory }
|
|
its('basename') { should cmp 'Windows' }
|
|
its('path') { should cmp "C:\\Windows" }
|
|
end
|
|
|
|
describe file('C:/Test Directory/test file.txt') do
|
|
it { should exist }
|
|
it { should be_file }
|
|
it { should be_readable.by_user('NT AUTHORITY\SYSTEM') }
|
|
it { should be_allowed('read', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
it { should be_writable.by_user('NT AUTHORITY\SYSTEM') }
|
|
it { should be_allowed('write', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
it { should be_executable.by_user('NT AUTHORITY\SYSTEM') }
|
|
it { should be_allowed('execute', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
it { should_not be_readable.by_user(filedata[:user]) }
|
|
it { should_not be_allowed('read', by_user: filedata[:user]) }
|
|
it { should_not be_writable.by_user(filedata[:user]) }
|
|
it { should_not be_allowed('write', by_user: filedata[:user]) }
|
|
it { should_not be_executable.by_user(filedata[:user]) }
|
|
it { should_not be_allowed('execute', by_user: filedata[:user]) }
|
|
end
|
|
|
|
describe file('C:/Test Directory') do
|
|
it { should exist }
|
|
it { should be_directory }
|
|
it { should be_readable.by_user('NT AUTHORITY\SYSTEM') }
|
|
it { should be_allowed('read', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
it { should be_writable.by_user('NT AUTHORITY\SYSTEM') }
|
|
it { should be_allowed('write', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
it { should be_executable.by_user('NT AUTHORITY\SYSTEM') }
|
|
it { should be_allowed('execute', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
it { should_not be_readable.by_user(filedata[:user]) }
|
|
it { should_not be_allowed('read', by_user: filedata[:user]) }
|
|
it { should_not be_writable.by_user(filedata[:user]) }
|
|
it { should_not be_allowed('write', by_user: filedata[:user]) }
|
|
it { should_not be_executable.by_user(filedata[:user]) }
|
|
it { should_not be_allowed('execute', by_user: filedata[:user]) }
|
|
end
|
|
|
|
describe file("C:/Program Files (x86)/Windows NT/Accessories/wordpad.exe") do
|
|
it { should exist }
|
|
# Only works on Windows 2012 R2
|
|
its('file_version') { should eq '6.3.9600.17415' }
|
|
end
|
|
|
|
# read the owner of a file
|
|
describe directory('C:/opscode/chef') do
|
|
its('owner') { should cmp 'NT AUTHORITY\SYSTEM' }
|
|
it { should be_owned_by 'NT AUTHORITY\SYSTEM' }
|
|
it { should be_allowed('full-control', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
it { should be_allowed('modify', by_user: 'NT AUTHORITY\SYSTEM') }
|
|
end
|
|
end
|