require 'spec_helper' require 'puppet/util/ldap/manager' # If the ldap classes aren't available, go ahead and # create some, so our tests will pass. unless defined?(LDAP::Mod) class LDAP LDAP_MOD_ADD = :adding LDAP_MOD_REPLACE = :replacing LDAP_MOD_DELETE = :deleting class ResultError < RuntimeError; end class Mod def initialize(*args) end end end end describe Puppet::Util::Ldap::Manager do before do @manager = Puppet::Util::Ldap::Manager.new end it "should return self when specifying objectclasses" do expect(@manager.manages(:one, :two)).to equal(@manager) end it "should allow specification of what objectclasses are managed" do expect(@manager.manages(:one, :two).objectclasses).to eq([:one, :two]) end it "should return self when specifying the relative base" do expect(@manager.at("yay")).to equal(@manager) end it "should allow specification of the relative base" do expect(@manager.at("yay").location).to eq("yay") end it "should return self when specifying the attribute map" do expect(@manager.maps(:one => :two)).to equal(@manager) end it "should allow specification of the rdn attribute" do expect(@manager.named_by(:uid).rdn).to eq(:uid) end it "should allow specification of the attribute map" do expect(@manager.maps(:one => :two).puppet2ldap).to eq({:one => :two}) end it "should have a no-op 'and' method that just returns self" do expect(@manager.and).to equal(@manager) end it "should allow specification of generated attributes" do expect(@manager.generates(:thing)).to be_instance_of(Puppet::Util::Ldap::Generator) end describe "when generating attributes" do before do @generator = double('generator', :source => "one", :name => "myparam") allow(Puppet::Util::Ldap::Generator).to receive(:new).with(:myparam).and_return(@generator) end it "should create a generator to do the parameter generation" do expect(Puppet::Util::Ldap::Generator).to receive(:new).with(:myparam).and_return(@generator) @manager.generates(:myparam) end it "should return the generator from the :generates method" do expect(@manager.generates(:myparam)).to equal(@generator) end it "should not replace already present values" do @manager.generates(:myparam) attrs = {"myparam" => "testing"} expect(@generator).not_to receive(:generate) @manager.generate attrs expect(attrs["myparam"]).to eq("testing") end it "should look for the parameter as a string, not a symbol" do @manager.generates(:myparam) expect(@generator).to receive(:generate).with("yay").and_return(%w{double yay}) attrs = {"one" => "yay"} @manager.generate attrs expect(attrs["myparam"]).to eq(%w{double yay}) end it "should fail if a source is specified and no source value is not defined" do @manager.generates(:myparam) expect { @manager.generate "two" => "yay" }.to raise_error(ArgumentError) end it "should use the source value to generate the new value if a source attribute is specified" do @manager.generates(:myparam) expect(@generator).to receive(:generate).with("yay").and_return(%w{double yay}) @manager.generate "one" => "yay" end it "should not pass in any value if no source attribute is specified" do allow(@generator).to receive(:source).and_return(nil) @manager.generates(:myparam) expect(@generator).to receive(:generate).and_return(%w{double yay}) @manager.generate "one" => "yay" end it "should convert any results to arrays of strings if necessary" do expect(@generator).to receive(:generate).and_return(:test) @manager.generates(:myparam) attrs = {"one" => "two"} @manager.generate(attrs) expect(attrs["myparam"]).to eq(["test"]) end it "should add the result to the passed-in attribute hash" do expect(@generator).to receive(:generate).and_return(%w{test}) @manager.generates(:myparam) attrs = {"one" => "two"} @manager.generate(attrs) expect(attrs["myparam"]).to eq(%w{test}) end end it "should be considered invalid if it is missing a location" do @manager.manages :me @manager.maps :me => :you expect(@manager).not_to be_valid end it "should be considered invalid if it is missing an objectclass list" do @manager.maps :me => :you @manager.at "ou=yayness" expect(@manager).not_to be_valid end it "should be considered invalid if it is missing an attribute map" do @manager.manages :me @manager.at "ou=yayness" expect(@manager).not_to be_valid end it "should be considered valid if it has an attribute map, location, and objectclass list" do @manager.maps :me => :you @manager.manages :me @manager.at "ou=yayness" expect(@manager).to be_valid end it "should calculate an instance's dn using the :ldapbase setting and the relative base" do Puppet[:ldapbase] = "dc=testing" @manager.at "ou=mybase" expect(@manager.dn("me")).to eq("cn=me,ou=mybase,dc=testing") end it "should use the specified rdn when calculating an instance's dn" do Puppet[:ldapbase] = "dc=testing" @manager.named_by :uid @manager.at "ou=mybase" expect(@manager.dn("me")).to match(/^uid=me/) end it "should calculate its base using the :ldapbase setting and the relative base" do Puppet[:ldapbase] = "dc=testing" @manager.at "ou=mybase" expect(@manager.base).to eq("ou=mybase,dc=testing") end describe "when generating its search filter" do it "should using a single 'objectclass=' filter if a single objectclass is specified" do @manager.manages("testing") expect(@manager.filter).to eq("objectclass=testing") end it "should create an LDAP AND filter if multiple objectclasses are specified" do @manager.manages "testing", "okay", "done" expect(@manager.filter).to eq("(&(objectclass=testing)(objectclass=okay)(objectclass=done))") end end it "should have a method for converting a Puppet attribute name to an LDAP attribute name as a string" do @manager.maps :puppet_attr => :ldap_attr expect(@manager.ldap_name(:puppet_attr)).to eq("ldap_attr") end it "should have a method for converting an LDAP attribute name to a Puppet attribute name" do @manager.maps :puppet_attr => :ldap_attr expect(@manager.puppet_name(:ldap_attr)).to eq(:puppet_attr) end it "should have a :create method for creating ldap entries" do expect(@manager).to respond_to(:create) end it "should have a :delete method for deleting ldap entries" do expect(@manager).to respond_to(:delete) end it "should have a :modify method for modifying ldap entries" do expect(@manager).to respond_to(:modify) end it "should have a method for finding an entry by name in ldap" do expect(@manager).to respond_to(:find) end describe "when converting ldap entries to hashes for providers" do before do @manager.maps :uno => :one, :dos => :two @result = @manager.entry2provider("dn" => ["cn=one,ou=people,dc=madstop"], "one" => ["two"], "three" => %w{four}, "objectclass" => %w{yay ness}) end it "should set the name to the short portion of the dn" do expect(@result[:name]).to eq("one") end it "should remove the objectclasses" do expect(@result["objectclass"]).to be_nil end it "should remove any attributes that are not mentioned in the map" do expect(@result["three"]).to be_nil end it "should rename convert to symbols all attributes to their puppet names" do expect(@result[:uno]).to eq(%w{two}) end it "should set the value of all unset puppet attributes as :absent" do expect(@result[:dos]).to eq(:absent) end end describe "when using an ldap connection" do before do @ldapconn = double('ldapconn') @conn = double('connection', :connection => @ldapconn, :start => nil, :close => nil) allow(Puppet::Util::Ldap::Connection).to receive(:new).and_return(@conn) end it "should fail unless a block is given" do expect { @manager.connect }.to raise_error(ArgumentError, /must pass a block/) end it "should open the connection with its server set to :ldapserver" do Puppet[:ldapserver] = "myserver" expect(Puppet::Util::Ldap::Connection).to receive(:new).with("myserver", anything, anything).and_return(@conn) @manager.connect { |c| } end it "should open the connection with its port set to the :ldapport" do Puppet[:ldapport] = "28" expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, "28", anything).and_return(@conn) @manager.connect { |c| } end it "should open the connection with no user if :ldapuser is not set" do Puppet[:ldapuser] = "" expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, anything, hash_excluding(:user)).and_return(@conn) @manager.connect { |c| } end it "should open the connection with its user set to the :ldapuser if it is set" do Puppet[:ldapuser] = "mypass" expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, anything, hash_including(user: "mypass")).and_return(@conn) @manager.connect { |c| } end it "should open the connection with no password if :ldappassword is not set" do Puppet[:ldappassword] = "" expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, anything, hash_excluding(:password)).and_return(@conn) @manager.connect { |c| } end it "should open the connection with its password set to the :ldappassword if it is set" do Puppet[:ldappassword] = "mypass" expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, anything, hash_including(password: "mypass")).and_return(@conn) @manager.connect { |c| } end it "should set ssl to :tls if ldaptls is enabled" do Puppet[:ldaptls] = true expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, anything, hash_including(ssl: :tls)).and_return(@conn) @manager.connect { |c| } end it "should set ssl to true if ldapssl is enabled" do Puppet[:ldapssl] = true expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, anything, hash_including(ssl: true)).and_return(@conn) @manager.connect { |c| } end it "should set ssl to false if neither ldaptls nor ldapssl is enabled" do Puppet[:ldapssl] = false expect(Puppet::Util::Ldap::Connection).to receive(:new).with(anything, anything, hash_including(ssl: false)).and_return(@conn) @manager.connect { |c| } end it "should open, yield, and then close the connection" do expect(@conn).to receive(:start) expect(@conn).to receive(:close) expect(Puppet::Util::Ldap::Connection).to receive(:new).and_return(@conn) expect(@ldapconn).to receive(:test) @manager.connect { |c| c.test } end it "should close the connection even if there's an exception in the passed block" do expect(@conn).to receive(:close) expect { @manager.connect { |c| raise ArgumentError } }.to raise_error(ArgumentError) end end describe "when using ldap" do before do @conn = double('connection') allow(@manager).to receive(:connect).and_yield(@conn) allow(@manager).to receive(:objectclasses).and_return([:oc1, :oc2]) @manager.maps :one => :uno, :two => :dos, :three => :tres, :four => :quatro end describe "to create entries" do it "should convert the first argument to its :create method to a full dn and pass the resulting argument list to its connection" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:add).with("mydn", anything) @manager.create("myname", {"attr" => "myattrs"}) end it "should add the objectclasses to the attributes" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:add) do |_, attrs| expect(attrs["objectClass"]).to include("oc1", "oc2") end @manager.create("myname", {:one => :testing}) end it "should add the rdn to the attributes" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:add).with(anything, hash_including("cn" => %w{myname})) @manager.create("myname", {:one => :testing}) end it "should add 'top' to the objectclasses if it is not listed" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:add) do |_, attrs| expect(attrs["objectClass"]).to include("top") end @manager.create("myname", {:one => :testing}) end it "should add any generated values that are defined" do generator = double('generator', :source => :one, :name => "myparam") expect(Puppet::Util::Ldap::Generator).to receive(:new).with(:myparam).and_return(generator) @manager.generates(:myparam) allow(@manager).to receive(:dn).with("myname").and_return("mydn") expect(generator).to receive(:generate).with(:testing).and_return(["generated value"]) expect(@conn).to receive(:add).with(anything, hash_including("myparam" => ["generated value"])) @manager.create("myname", {:one => :testing}) end it "should convert any generated values to arrays of strings if necessary" do generator = double('generator', :source => :one, :name => "myparam") expect(Puppet::Util::Ldap::Generator).to receive(:new).with(:myparam).and_return(generator) @manager.generates(:myparam) allow(@manager).to receive(:dn).and_return("mydn") expect(generator).to receive(:generate).and_return(:generated) expect(@conn).to receive(:add).with(anything, hash_including("myparam" => ["generated"])) @manager.create("myname", {:one => :testing}) end end describe "do delete entries" do it "should convert the first argument to its :delete method to a full dn and pass the resulting argument list to its connection" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:delete).with("mydn") @manager.delete("myname") end end describe "to modify entries" do it "should convert the first argument to its :modify method to a full dn and pass the resulting argument list to its connection" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:modify).with("mydn", :mymods) @manager.modify("myname", :mymods) end end describe "to find a single entry" do it "should use the dn of the provided name as the search base, a scope of 0, and 'objectclass=*' as the filter for a search2 call" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:search2).with("mydn", 0, "objectclass=*") @manager.find("myname") end it "should return nil if an exception is thrown because no result is found" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") expect(@conn).to receive(:search2).and_raise(LDAP::ResultError) expect(@manager.find("myname")).to be_nil end it "should return a converted provider hash if the result is found" do expect(@manager).to receive(:dn).with("myname").and_return("mydn") result = {"one" => "two"} expect(@conn).to receive(:search2).and_yield(result) expect(@manager).to receive(:entry2provider).with(result).and_return("myprovider") expect(@manager.find("myname")).to eq("myprovider") end end describe "to search for multiple entries" do before do allow(@manager).to receive(:filter).and_return("myfilter") end it "should use the manager's search base as the dn of the provided name as the search base" do expect(@manager).to receive(:base).and_return("mybase") expect(@conn).to receive(:search2).with("mybase", anything, anything) @manager.search end it "should use a scope of 1" do expect(@conn).to receive(:search2).with(anything, 1, anything) @manager.search end it "should use any specified search filter" do expect(@manager).not_to receive(:filter) expect(@conn).to receive(:search2).with(anything, anything, "boo") @manager.search("boo") end it "should turn its objectclass list into its search filter if one is not specified" do expect(@manager).to receive(:filter).and_return("yay") expect(@conn).to receive(:search2).with(anything, anything, "yay") @manager.search end it "should return nil if no result is found" do expect(@conn).to receive(:search2) expect(@manager.search).to be_nil end it "should return an array of the found results converted to provider hashes" do # LAK: AFAICT, it's impossible to yield multiple times in an expectation. one = {"dn" => "cn=one,dc=madstop,dc=com", "one" => "two"} expect(@conn).to receive(:search2).and_yield(one) expect(@manager).to receive(:entry2provider).with(one).and_return("myprov") expect(@manager.search).to eq(["myprov"]) end end end describe "when an instance" do before do @name = "myname" @manager.maps :one => :uno, :two => :dos, :three => :tres, :four => :quatro end describe "is being updated" do it "should get created if the current attribute list is empty and the desired attribute list has :ensure == :present" do expect(@manager).to receive(:create) @manager.update(@name, {}, {:ensure => :present}) end it "should get created if the current attribute list has :ensure == :absent and the desired attribute list has :ensure == :present" do expect(@manager).to receive(:create) @manager.update(@name, {:ensure => :absent}, {:ensure => :present}) end it "should get deleted if the current attribute list has :ensure == :present and the desired attribute list has :ensure == :absent" do expect(@manager).to receive(:delete) @manager.update(@name, {:ensure => :present}, {:ensure => :absent}) end it "should get modified if both attribute lists have :ensure == :present" do expect(@manager).to receive(:modify) @manager.update(@name, {:ensure => :present, :one => :two}, {:ensure => :present, :one => :three}) end end describe "is being deleted" do it "should call the :delete method with its name and manager" do expect(@manager).to receive(:delete).with(@name) @manager.update(@name, {}, {:ensure => :absent}) end end describe "is being created" do before do @is = {} @should = {:ensure => :present, :one => :yay, :two => :absent} end it "should call the :create method with its name" do expect(@manager).to receive(:create).with(@name, anything) @manager.update(@name, @is, @should) end it "should call the :create method with its property hash converted to ldap attribute names" do expect(@manager).to receive(:create).with(anything, hash_including("uno" => ["yay"])) @manager.update(@name, @is, @should) end it "should convert the property names to strings" do expect(@manager).to receive(:create).with(anything, hash_including("uno" => ["yay"])) @manager.update(@name, @is, @should) end it "should convert the property values to arrays if necessary" do expect(@manager).to receive(:create).with(anything, hash_including("uno" => ["yay"])) @manager.update(@name, @is, @should) end it "should convert the property values to strings if necessary" do expect(@manager).to receive(:create).with(anything, hash_including("uno" => ["yay"])) @manager.update(@name, @is, @should) end it "should not include :ensure in the properties sent" do expect(@manager).to receive(:create).with(anything, hash_excluding(:ensure)) @manager.update(@name, @is, @should) end it "should not include attributes set to :absent in the properties sent" do expect(@manager).to receive(:create).with(anything, hash_excluding(:dos)) @manager.update(@name, @is, @should) end end describe "is being modified" do it "should call the :modify method with its name and an array of LDAP::Mod instances" do allow(LDAP::Mod).to receive(:new).and_return("whatever") @is = {:one => :yay} @should = {:one => :yay, :two => :foo} expect(@manager).to receive(:modify).with(@name, anything) @manager.update(@name, @is, @should) end it "should create the LDAP::Mod with the property name converted to the ldap name as a string" do @is = {:one => :yay} @should = {:one => :yay, :two => :foo} mod = double('module') expect(LDAP::Mod).to receive(:new).with(anything, "dos", anything).and_return(mod) allow(@manager).to receive(:modify) @manager.update(@name, @is, @should) end it "should create an LDAP::Mod instance of type LDAP_MOD_ADD for each attribute being added, with the attribute value converted to a string of arrays" do @is = {:one => :yay} @should = {:one => :yay, :two => :foo} mod = double('module') expect(LDAP::Mod).to receive(:new).with(LDAP::LDAP_MOD_ADD, "dos", ["foo"]).and_return(mod) allow(@manager).to receive(:modify) @manager.update(@name, @is, @should) end it "should create an LDAP::Mod instance of type LDAP_MOD_DELETE for each attribute being deleted" do @is = {:one => :yay, :two => :foo} @should = {:one => :yay, :two => :absent} mod = double('module') expect(LDAP::Mod).to receive(:new).with(LDAP::LDAP_MOD_DELETE, "dos", []).and_return(mod) allow(@manager).to receive(:modify) @manager.update(@name, @is, @should) end it "should create an LDAP::Mod instance of type LDAP_MOD_REPLACE for each attribute being modified, with the attribute converted to a string of arrays" do @is = {:one => :yay, :two => :four} @should = {:one => :yay, :two => :five} mod = double('module') expect(LDAP::Mod).to receive(:new).with(LDAP::LDAP_MOD_REPLACE, "dos", ["five"]).and_return(mod) allow(@manager).to receive(:modify) @manager.update(@name, @is, @should) end it "should pass all created Mod instances to the modify method" do @is = {:one => :yay, :two => :foo, :three => :absent} @should = {:one => :yay, :two => :foe, :three => :fee, :four => :fie} expect(LDAP::Mod).to receive(:new).exactly(3).times().and_return("mod1", "mod2", "mod3") expect(@manager).to receive(:modify).with(anything, contain_exactly(*%w{mod1 mod2 mod3})) @manager.update(@name, @is, @should) end end end end