← Back to branch summary

~nvalcarcel/ubuntu/lucid/puppet/fix-546677

« back to all changes in this revision

Viewing changes to spec/unit/network/rights.rb

  • Committer: Bazaar Package Importer
  • Author(s): Chuck Short
  • Date: 2009-12-23 00:48:10 UTC
  • mfrom: (1.1.10 upstream) (3.1.7 squeeze)
  • Revision ID: james.westby@ubuntu.com-20091223004810-3i4oryds922g5n59
Tags: 0.25.1-3ubuntu1
* Merge from debian testing.  Remaining changes:
  - debian/rules:
    + Don't start puppet when first installing puppet.
  - debian/puppet.conf, lib/puppet/defaults.rb:
    + Move templates to /etc/puppet
  - lib/puppet/defaults.rb:
    + Fix /var/lib/puppet/state ownership.
  - man/man8/puppet.conf.8: 
    + Fix broken URL in manpage.
  - debian/control:
    + Update maintainer accordint to spec.
    + Puppetmaster Recommends -> Suggests
    + Created puppet-testsuite as a seperate. Allow the users to run puppet's 
      testsuite.
  - tests/Rakefile: Fix rakefile so that the testsuite can acutally be ran.

Show diffs side-by-side

added added

removed removed

Lines of Context:
spec/unit/network/rights.rb
 
1
#!/usr/bin/env ruby
 
2
 
 
3
require File.dirname(__FILE__) + '/../../spec_helper'
 
4
 
 
5
require 'puppet/network/rights'
 
6
 
 
7
describe Puppet::Network::Rights do
 
8
    before do
 
9
        @right = Puppet::Network::Rights.new
 
10
    end
 
11
 
 
12
    [:allow, :deny, :restrict_method, :restrict_environment, :restrict_authenticated].each do |m|
 
13
        it "should have a #{m} method" do
 
14
            @right.should respond_to(m)
 
15
        end
 
16
 
 
17
        describe "when using #{m}" do
 
18
            it "should delegate to the correct acl" do
 
19
                acl = stub 'acl'
 
20
                @right.stubs(:[]).returns(acl)
 
21
 
 
22
                acl.expects(m).with("me")
 
23
 
 
24
                @right.send(m, 'thisacl', "me")
 
25
            end
 
26
        end
 
27
    end
 
28
 
 
29
    it "should throw an error if type can't be determined" do
 
30
        lambda { @right.newright("name") }.should raise_error
 
31
    end
 
32
 
 
33
    describe "when creating new namespace ACLs" do
 
34
 
 
35
        it "should throw an error if the ACL already exists" do
 
36
            @right.newright("[name]")
 
37
 
 
38
            lambda { @right.newright("[name]") }.should raise_error
 
39
        end
 
40
 
 
41
        it "should create a new ACL with the correct name" do
 
42
            @right.newright("[name]")
 
43
 
 
44
            @right["name"].key.should == :name
 
45
        end
 
46
 
 
47
        it "should create an ACL of type Puppet::Network::AuthStore" do
 
48
            @right.newright("[name]")
 
49
 
 
50
            @right["name"].should be_a_kind_of(Puppet::Network::AuthStore)
 
51
        end
 
52
    end
 
53
 
 
54
    describe "when creating new path ACLs" do
 
55
        it "should not throw an error if the ACL already exists" do
 
56
            @right.newright("/name")
 
57
 
 
58
            lambda { @right.newright("/name")}.should_not raise_error
 
59
        end
 
60
 
 
61
        it "should throw an error if the acl uri path is not absolute" do
 
62
            lambda { @right.newright("name")}.should raise_error
 
63
        end
 
64
 
 
65
        it "should create a new ACL with the correct path" do
 
66
            @right.newright("/name")
 
67
 
 
68
            @right["/name"].should_not be_nil
 
69
        end
 
70
 
 
71
        it "should create an ACL of type Puppet::Network::AuthStore" do
 
72
            @right.newright("/name")
 
73
 
 
74
            @right["/name"].should be_a_kind_of(Puppet::Network::AuthStore)
 
75
        end
 
76
    end
 
77
 
 
78
    describe "when creating new regex ACLs" do
 
79
        it "should not throw an error if the ACL already exists" do
 
80
            @right.newright("~ .rb$")
 
81
 
 
82
            lambda { @right.newright("~ .rb$")}.should_not raise_error
 
83
        end
 
84
 
 
85
        it "should create a new ACL with the correct regex" do
 
86
            @right.newright("~ .rb$")
 
87
 
 
88
            @right.include?(".rb$").should_not be_nil
 
89
        end
 
90
 
 
91
        it "should be able to lookup the regex" do
 
92
            @right.newright("~ .rb$")
 
93
 
 
94
            @right[".rb$"].should_not be_nil
 
95
        end
 
96
 
 
97
        it "should be able to lookup the regex by its full name" do
 
98
            @right.newright("~ .rb$")
 
99
 
 
100
            @right["~ .rb$"].should_not be_nil
 
101
        end
 
102
 
 
103
        it "should create an ACL of type Puppet::Network::AuthStore" do
 
104
            @right.newright("~ .rb$").should be_a_kind_of(Puppet::Network::AuthStore)
 
105
        end
 
106
    end
 
107
 
 
108
    describe "when checking ACLs existence" do
 
109
        it "should return false if there are no matching rights" do
 
110
            @right.include?("name").should be_false
 
111
        end
 
112
 
 
113
        it "should return true if a namespace rights exist" do
 
114
            @right.newright("[name]")
 
115
 
 
116
            @right.include?("name").should be_true
 
117
        end
 
118
 
 
119
        it "should return false if no matching namespace rights exist" do
 
120
            @right.newright("[name]")
 
121
 
 
122
            @right.include?("notname").should be_false
 
123
        end
 
124
 
 
125
        it "should return true if a path right exists" do
 
126
            @right.newright("/name")
 
127
 
 
128
            @right.include?("/name").should be_true
 
129
        end
 
130
 
 
131
        it "should return false if no matching path rights exist" do
 
132
            @right.newright("/name")
 
133
 
 
134
            @right.include?("/differentname").should be_false
 
135
        end
 
136
 
 
137
        it "should return true if a regex right exists" do
 
138
            @right.newright("~ .rb$")
 
139
 
 
140
            @right.include?(".rb$").should be_true
 
141
        end
 
142
 
 
143
        it "should return false if no matching path rights exist" do
 
144
            @right.newright("~ .rb$")
 
145
 
 
146
            @right.include?(".pp$").should be_false
 
147
        end
 
148
    end
 
149
 
 
150
    describe "when checking if right is allowed" do
 
151
        before :each do
 
152
            @right.stubs(:right).returns(nil)
 
153
 
 
154
            @pathacl = stub 'pathacl', :acl_type => :regex, :"<=>" => 1, :line => 0, :file => 'dummy'
 
155
            Puppet::Network::Rights::Right.stubs(:new).returns(@pathacl)
 
156
        end
 
157
 
 
158
        it "should delegate to fail_on_deny" do
 
159
            @right.expects(:fail_on_deny).with("namespace", :node => "host.domain.com", :ip => "127.0.0.1")
 
160
 
 
161
            @right.allowed?("namespace", "host.domain.com", "127.0.0.1")
 
162
        end
 
163
 
 
164
        it "should return true if fail_on_deny doesn't fail" do
 
165
            @right.stubs(:fail_on_deny)
 
166
            @right.allowed?("namespace", :args).should be_true
 
167
        end
 
168
 
 
169
        it "should return false if fail_on_deny raises an AuthorizationError" do
 
170
            @right.stubs(:fail_on_deny).raises(Puppet::Network::AuthorizationError.new("forbidden"))
 
171
            @right.allowed?("namespace", :args1, :args2).should be_false
 
172
        end
 
173
 
 
174
        it "should first check namespace rights" do
 
175
            acl = stub 'acl', :acl_type => :name, :key => :namespace
 
176
            Puppet::Network::Rights::Right.stubs(:new).returns(acl)
 
177
 
 
178
            @right.newright("[namespace]")
 
179
            acl.expects(:match?).returns(true)
 
180
            acl.expects(:allowed?).with { |node,ip,h| node == "node" and ip == "ip" }.returns(true)
 
181
 
 
182
            @right.fail_on_deny("namespace", { :node => "node", :ip => "ip" } )
 
183
        end
 
184
 
 
185
        it "should then check for path rights if no namespace match" do
 
186
            acl = stub 'nmacl', :acl_type => :name, :key => :namespace, :"<=>" => -1, :line => 0, :file => 'dummy'
 
187
            acl.stubs(:match?).returns(false)
 
188
            Puppet::Network::Rights::Right.stubs(:new).with("[namespace]").returns(acl)
 
189
 
 
190
            @right.newright("[namespace]")
 
191
            @right.newright("/path/to/there", 0, nil)
 
192
 
 
193
            @pathacl.stubs(:match?).returns(true)
 
194
 
 
195
            acl.expects(:allowed?).never
 
196
            @pathacl.expects(:allowed?).returns(true)
 
197
 
 
198
            @right.fail_on_deny("/path/to/there", {})
 
199
        end
 
200
 
 
201
        it "should pass the match? return to allowed?" do
 
202
            @right.newright("/path/to/there")
 
203
 
 
204
            @pathacl.expects(:match?).returns(:match)
 
205
            @pathacl.expects(:allowed?).with { |node,ip,h| h[:match] == :match }.returns(true)
 
206
 
 
207
            @right.fail_on_deny("/path/to/there", {})
 
208
        end
 
209
 
 
210
        describe "with namespace acls" do
 
211
            it "should raise an error if this namespace right doesn't exist" do
 
212
                lambda{ @right.fail_on_deny("namespace") }.should raise_error
 
213
            end
 
214
        end
 
215
 
 
216
        describe "with path acls" do
 
217
            before :each do
 
218
                @long_acl = stub 'longpathacl', :name => "/path/to/there", :acl_type => :regex, :line => 0, :file => 'dummy'
 
219
                Puppet::Network::Rights::Right.stubs(:new).with("/path/to/there", 0, nil).returns(@long_acl)
 
220
 
 
221
                @short_acl = stub 'shortpathacl', :name => "/path/to", :acl_type => :regex, :line => 0, :file => 'dummy'
 
222
                Puppet::Network::Rights::Right.stubs(:new).with("/path/to", 0, nil).returns(@short_acl)
 
223
 
 
224
                @long_acl.stubs(:"<=>").with(@short_acl).returns(0)
 
225
                @short_acl.stubs(:"<=>").with(@long_acl).returns(0)
 
226
            end
 
227
 
 
228
            it "should select the first match" do
 
229
                @right.newright("/path/to/there", 0)
 
230
                @right.newright("/path/to", 0)
 
231
 
 
232
                @long_acl.stubs(:match?).returns(true)
 
233
                @short_acl.stubs(:match?).returns(true)
 
234
 
 
235
                @long_acl.expects(:allowed?).returns(true)
 
236
                @short_acl.expects(:allowed?).never
 
237
 
 
238
                @right.fail_on_deny("/path/to/there/and/there", {})
 
239
            end
 
240
 
 
241
            it "should select the first match that doesn't return :dunno" do
 
242
                @right.newright("/path/to/there", 0, nil)
 
243
                @right.newright("/path/to", 0, nil)
 
244
 
 
245
                @long_acl.stubs(:match?).returns(true)
 
246
                @short_acl.stubs(:match?).returns(true)
 
247
 
 
248
                @long_acl.expects(:allowed?).returns(:dunno)
 
249
                @short_acl.expects(:allowed?).returns(true)
 
250
 
 
251
                @right.fail_on_deny("/path/to/there/and/there", {})
 
252
            end
 
253
 
 
254
            it "should not select an ACL that doesn't match" do
 
255
                @right.newright("/path/to/there", 0)
 
256
                @right.newright("/path/to", 0)
 
257
 
 
258
                @long_acl.stubs(:match?).returns(false)
 
259
                @short_acl.stubs(:match?).returns(true)
 
260
 
 
261
                @long_acl.expects(:allowed?).never
 
262
                @short_acl.expects(:allowed?).returns(true)
 
263
 
 
264
                @right.fail_on_deny("/path/to/there/and/there", {})
 
265
            end
 
266
 
 
267
            it "should not raise an AuthorizationError if allowed" do
 
268
                @right.newright("/path/to/there", 0)
 
269
 
 
270
                @long_acl.stubs(:match?).returns(true)
 
271
                @long_acl.stubs(:allowed?).returns(true)
 
272
 
 
273
                lambda { @right.fail_on_deny("/path/to/there/and/there", {}) }.should_not raise_error(Puppet::Network::AuthorizationError)
 
274
            end
 
275
 
 
276
            it "should raise an AuthorizationError if the match is denied" do
 
277
                @right.newright("/path/to/there", 0, nil)
 
278
 
 
279
                @long_acl.stubs(:match?).returns(true)
 
280
                @long_acl.stubs(:allowed?).returns(false)
 
281
 
 
282
                lambda{ @right.fail_on_deny("/path/to/there", {}) }.should raise_error(Puppet::Network::AuthorizationError)
 
283
            end
 
284
 
 
285
            it "should raise an AuthorizationError if no path match" do
 
286
                lambda { @right.fail_on_deny("/nomatch", {}) }.should raise_error(Puppet::Network::AuthorizationError)
 
287
            end
 
288
        end
 
289
 
 
290
        describe "with regex acls" do
 
291
            before :each do
 
292
                @regex_acl1 = stub 'regex_acl1', :name => "/files/(.*)/myfile", :acl_type => :regex, :line => 0, :file => 'dummy'
 
293
                Puppet::Network::Rights::Right.stubs(:new).with("~ /files/(.*)/myfile", 0, nil).returns(@regex_acl1)
 
294
 
 
295
                @regex_acl2 = stub 'regex_acl2', :name => "/files/(.*)/myfile/", :acl_type => :regex, :line => 0, :file => 'dummy'
 
296
                Puppet::Network::Rights::Right.stubs(:new).with("~ /files/(.*)/myfile/", 0, nil).returns(@regex_acl2)
 
297
 
 
298
                @regex_acl1.stubs(:"<=>").with(@regex_acl2).returns(0)
 
299
                @regex_acl2.stubs(:"<=>").with(@regex_acl1).returns(0)
 
300
            end
 
301
 
 
302
            it "should select the first match" do
 
303
                @right.newright("~ /files/(.*)/myfile", 0)
 
304
                @right.newright("~ /files/(.*)/myfile/", 0)
 
305
 
 
306
                @regex_acl1.stubs(:match?).returns(true)
 
307
                @regex_acl2.stubs(:match?).returns(true)
 
308
 
 
309
                @regex_acl1.expects(:allowed?).returns(true)
 
310
                @regex_acl2.expects(:allowed?).never
 
311
 
 
312
                @right.fail_on_deny("/files/repository/myfile/other", {})
 
313
            end
 
314
 
 
315
            it "should select the first match that doesn't return :dunno" do
 
316
                @right.newright("~ /files/(.*)/myfile", 0)
 
317
                @right.newright("~ /files/(.*)/myfile/", 0)
 
318
 
 
319
                @regex_acl1.stubs(:match?).returns(true)
 
320
                @regex_acl2.stubs(:match?).returns(true)
 
321
 
 
322
                @regex_acl1.expects(:allowed?).returns(:dunno)
 
323
                @regex_acl2.expects(:allowed?).returns(true)
 
324
 
 
325
                @right.fail_on_deny("/files/repository/myfile/other", {})
 
326
            end
 
327
 
 
328
            it "should not select an ACL that doesn't match" do
 
329
                @right.newright("~ /files/(.*)/myfile", 0)
 
330
                @right.newright("~ /files/(.*)/myfile/", 0)
 
331
 
 
332
                @regex_acl1.stubs(:match?).returns(false)
 
333
                @regex_acl2.stubs(:match?).returns(true)
 
334
 
 
335
                @regex_acl1.expects(:allowed?).never
 
336
                @regex_acl2.expects(:allowed?).returns(true)
 
337
 
 
338
                @right.fail_on_deny("/files/repository/myfile/other", {})
 
339
            end
 
340
 
 
341
            it "should not raise an AuthorizationError if allowed" do
 
342
                @right.newright("~ /files/(.*)/myfile", 0)
 
343
 
 
344
                @regex_acl1.stubs(:match?).returns(true)
 
345
                @regex_acl1.stubs(:allowed?).returns(true)
 
346
 
 
347
                lambda { @right.fail_on_deny("/files/repository/myfile/other", {}) }.should_not raise_error(Puppet::Network::AuthorizationError)
 
348
            end
 
349
 
 
350
            it "should raise an error if no regex acl match" do
 
351
                lambda{ @right.fail_on_deny("/path", {}) }.should raise_error(Puppet::Network::AuthorizationError)
 
352
            end
 
353
 
 
354
            it "should raise an AuthorizedError on deny" do
 
355
                lambda { @right.fail_on_deny("/path", {}) }.should raise_error(Puppet::Network::AuthorizationError)
 
356
            end
 
357
 
 
358
        end
 
359
    end
 
360
 
 
361
    describe Puppet::Network::Rights::Right do
 
362
        before :each do
 
363
            @acl = Puppet::Network::Rights::Right.new("/path",0, nil)
 
364
        end
 
365
 
 
366
        describe "with path" do
 
367
            it "should say it's a regex ACL" do
 
368
                @acl.acl_type.should == :regex
 
369
            end
 
370
 
 
371
            it "should match up to its path length" do
 
372
                @acl.match?("/path/that/works").should_not be_nil
 
373
            end
 
374
 
 
375
            it "should match up to its path length" do
 
376
                @acl.match?("/paththatalsoworks").should_not be_nil
 
377
            end
 
378
 
 
379
            it "should return nil if no match" do
 
380
                @acl.match?("/notpath").should be_nil
 
381
            end
 
382
        end
 
383
 
 
384
        describe "with regex" do
 
385
            before :each do
 
386
                @acl = Puppet::Network::Rights::Right.new("~ .rb$",0, nil)
 
387
            end
 
388
 
 
389
            it "should say it's a regex ACL" do
 
390
                @acl.acl_type.should == :regex
 
391
            end
 
392
 
 
393
            it "should match as a regex" do
 
394
                @acl.match?("this shoud work.rb").should_not be_nil
 
395
            end
 
396
 
 
397
            it "should return nil if no match" do
 
398
                @acl.match?("do not match").should be_nil
 
399
            end
 
400
        end
 
401
 
 
402
        it "should allow all rest methods by default" do
 
403
            @acl.methods.should == Puppet::Network::Rights::Right::ALL
 
404
        end
 
405
 
 
406
        it "should allow only authenticated request by default" do
 
407
            @acl.authentication.should be_true
 
408
        end
 
409
 
 
410
        it "should allow modification of the methods filters" do
 
411
            @acl.restrict_method(:save)
 
412
 
 
413
            @acl.methods.should == [:save]
 
414
        end
 
415
 
 
416
        it "should stack methods filters" do
 
417
            @acl.restrict_method(:save)
 
418
            @acl.restrict_method(:destroy)
 
419
 
 
420
            @acl.methods.should == [:save, :destroy]
 
421
        end
 
422
 
 
423
        it "should raise an error if the method is already filtered" do
 
424
            @acl.restrict_method(:save)
 
425
 
 
426
            lambda { @acl.restrict_method(:save) }.should raise_error
 
427
        end
 
428
 
 
429
        it "should allow setting an environment filters" do
 
430
            Puppet::Node::Environment.stubs(:new).with(:environment).returns(:env)
 
431
 
 
432
            @acl.restrict_environment(:environment)
 
433
 
 
434
            @acl.environment.should == [:env]
 
435
        end
 
436
 
 
437
        ["on", "yes", "true", true].each do |auth|
 
438
            it "should allow filtering on authenticated requests with '#{auth}'" do
 
439
                @acl.restrict_authenticated(auth)
 
440
 
 
441
                @acl.authentication.should be_true
 
442
            end
 
443
        end
 
444
 
 
445
        ["off", "no", "false", false].each do |auth|
 
446
            it "should allow filtering on unauthenticated requests with '#{auth}'" do
 
447
                @acl.restrict_authenticated(auth)
 
448
 
 
449
                @acl.authentication.should be_false
 
450
            end
 
451
        end
 
452
 
 
453
        ["all", "any", :all, :any].each do |auth|
 
454
            it "should not use request authenticated state filtering with '#{auth}'" do
 
455
                @acl.restrict_authenticated(auth)
 
456
 
 
457
                @acl.authentication.should be_nil
 
458
            end
 
459
        end
 
460
 
 
461
        describe "when checking right authorization" do
 
462
            it "should return :dunno if this right is not restricted to the given method" do
 
463
                @acl.restrict_method(:destroy)
 
464
 
 
465
                @acl.allowed?("me","127.0.0.1", { :method => :save } ).should == :dunno
 
466
            end
 
467
 
 
468
            it "should return allow/deny if this right is restricted to the given method" do
 
469
                @acl.restrict_method(:save)
 
470
                @acl.allow("127.0.0.1")
 
471
 
 
472
                @acl.allowed?("me","127.0.0.1", { :method => :save }).should be_true
 
473
            end
 
474
 
 
475
            it "should return :dunno if this right is not restricted to the given environment" do
 
476
                Puppet::Node::Environment.stubs(:new).returns(:production)
 
477
 
 
478
                @acl.restrict_environment(:production)
 
479
 
 
480
                @acl.allowed?("me","127.0.0.1", { :method => :save, :environment => :development }).should == :dunno
 
481
            end
 
482
 
 
483
            it "should return :dunno if this right is not restricted to the given request authentication state" do
 
484
                @acl.restrict_authenticated(true)
 
485
 
 
486
                @acl.allowed?("me","127.0.0.1", { :method => :save, :authenticated => false }).should == :dunno
 
487
            end
 
488
 
 
489
            it "should return allow/deny if this right is restricted to the given request authentication state" do
 
490
                @acl.restrict_authenticated(false)
 
491
                @acl.allow("127.0.0.1")
 
492
 
 
493
                @acl.allowed?("me","127.0.0.1", { :authenticated => false }).should be_true
 
494
            end
 
495
 
 
496
            it "should interpolate allow/deny patterns with the given match" do
 
497
                @acl.expects(:interpolate).with(:match)
 
498
 
 
499
                @acl.allowed?("me","127.0.0.1", { :method => :save, :match => :match, :authenticated => true })
 
500
            end
 
501
 
 
502
            it "should reset interpolation after the match" do
 
503
                @acl.expects(:reset_interpolation)
 
504
 
 
505
                @acl.allowed?("me","127.0.0.1", { :method => :save, :match => :match, :authenticated => true })
 
506
            end
 
507
 
 
508
            # mocha doesn't allow testing super...
 
509
            # it "should delegate to the AuthStore for the result" do
 
510
            #     @acl.method(:save)
 
511
            #
 
512
            #     @acl.expects(:allowed?).with("me","127.0.0.1")
 
513
            #
 
514
            #     @acl.allowed?("me","127.0.0.1", :save)
 
515
            # end
 
516
        end
 
517
    end
 
518
 
 
519
end