#! /usr/bin/env ruby
# encoding: UTF-8
require 'spec_helper'
describe Puppet::Type.type(:user) do
before :each do
@provider_class = described_class.provide(:simple) do
has_features :manages_expiry, :manages_password_age, :manages_passwords, :manages_solaris_rbac, :manages_shell
mk_resource_methods
def create; end
def delete; end
def exists?; get(:ensure) != :absent; end
def flush; end
def self.instances; []; end
end
described_class.stubs(:defaultprovider).returns @provider_class
end
it "should be able to create an instance" do
expect(described_class.new(:name => "foo")).not_to be_nil
end
it "should have an allows_duplicates feature" do
expect(described_class.provider_feature(:allows_duplicates)).not_to be_nil
end
it "should have a manages_homedir feature" do
expect(described_class.provider_feature(:manages_homedir)).not_to be_nil
end
it "should have a manages_passwords feature" do
expect(described_class.provider_feature(:manages_passwords)).not_to be_nil
end
it "should have a manages_solaris_rbac feature" do
expect(described_class.provider_feature(:manages_solaris_rbac)).not_to be_nil
end
it "should have a manages_expiry feature" do
expect(described_class.provider_feature(:manages_expiry)).not_to be_nil
end
it "should have a manages_password_age feature" do
expect(described_class.provider_feature(:manages_password_age)).not_to be_nil
end
it "should have a system_users feature" do
expect(described_class.provider_feature(:system_users)).not_to be_nil
end
it "should have a manages_shell feature" do
expect(described_class.provider_feature(:manages_shell)).not_to be_nil
end
context "managehome" do
let (:provider) { @provider_class.new(:name => 'foo', :ensure => :absent) }
let (:instance) { described_class.new(:name => 'foo', :provider => provider) }
it "defaults to false" do
expect(instance[:managehome]).to be_falsey
end
it "can be set to false" do
instance[:managehome] = 'false'
end
it "cannot be set to true for a provider that does not manage homedirs" do
provider.class.stubs(:manages_homedir?).returns false
expect { instance[:managehome] = 'yes' }.to raise_error(Puppet::Error, /can not manage home directories/)
end
it "can be set to true for a provider that does manage homedirs" do
provider.class.stubs(:manages_homedir?).returns true
instance[:managehome] = 'yes'
end
end
describe "instances" do
it "should delegate existence questions to its provider" do
@provider = @provider_class.new(:name => 'foo', :ensure => :absent)
instance = described_class.new(:name => "foo", :provider => @provider)
expect(instance.exists?).to eq(false)
@provider.set(:ensure => :present)
expect(instance.exists?).to eq(true)
end
end
properties = [:ensure, :uid, :gid, :home, :comment, :shell, :password, :password_min_age, :password_max_age, :groups, :roles, :auths, :profiles, :project, :keys, :expiry]
properties.each do |property|
it "should have a #{property} property" do
expect(described_class.attrclass(property).ancestors).to be_include(Puppet::Property)
end
it "should have documentation for its #{property} property" do
expect(described_class.attrclass(property).doc).to be_instance_of(String)
end
end
list_properties = [:groups, :roles, :auths]
list_properties.each do |property|
it "should have a list '#{property}'" do
expect(described_class.attrclass(property).ancestors).to be_include(Puppet::Property::List)
end
end
it "should have an ordered list 'profiles'" do
expect(described_class.attrclass(:profiles).ancestors).to be_include(Puppet::Property::OrderedList)
end
it "should have key values 'keys'" do
expect(described_class.attrclass(:keys).ancestors).to be_include(Puppet::Property::KeyValue)
end
describe "when retrieving all current values" do
before do
@provider = @provider_class.new(:name => 'foo', :ensure => :present, :uid => 15, :gid => 15)
@user = described_class.new(:name => "foo", :uid => 10, :provider => @provider)
end
it "should return a hash containing values for all set properties" do
@user[:gid] = 10
values = @user.retrieve
[@user.property(:uid), @user.property(:gid)].each { |property| expect(values).to be_include(property) }
end
it "should set all values to :absent if the user is absent" do
@user.property(:ensure).expects(:retrieve).returns :absent
@user.property(:uid).expects(:retrieve).never
expect(@user.retrieve[@user.property(:uid)]).to eq(:absent)
end
it "should include the result of retrieving each property's current value if the user is present" do
expect(@user.retrieve[@user.property(:uid)]).to eq(15)
end
end
describe "when managing the ensure property" do
it "should support a :present value" do
expect { described_class.new(:name => 'foo', :ensure => :present) }.to_not raise_error
end
it "should support an :absent value" do
expect { described_class.new(:name => 'foo', :ensure => :absent) }.to_not raise_error
end
it "should call :create on the provider when asked to sync to the :present state" do
@provider = @provider_class.new(:name => 'foo', :ensure => :absent)
@provider.expects(:create)
described_class.new(:name => 'foo', :ensure => :present, :provider => @provider).parameter(:ensure).sync
end
it "should call :delete on the provider when asked to sync to the :absent state" do
@provider = @provider_class.new(:name => 'foo', :ensure => :present)
@provider.expects(:delete)
described_class.new(:name => 'foo', :ensure => :absent, :provider => @provider).parameter(:ensure).sync
end
describe "and determining the current state" do
it "should return :present when the provider indicates the user exists" do
@provider = @provider_class.new(:name => 'foo', :ensure => :present)
expect(described_class.new(:name => 'foo', :ensure => :absent, :provider => @provider).parameter(:ensure).retrieve).to eq(:present)
end
it "should return :absent when the provider indicates the user does not exist" do
@provider = @provider_class.new(:name => 'foo', :ensure => :absent)
expect(described_class.new(:name => 'foo', :ensure => :present, :provider => @provider).parameter(:ensure).retrieve).to eq(:absent)
end
end
end
describe "when managing the uid property" do
it "should convert number-looking strings into actual numbers" do
expect(described_class.new(:name => 'foo', :uid => '50')[:uid]).to eq(50)
end
it "should support UIDs as numbers" do
expect(described_class.new(:name => 'foo', :uid => 50)[:uid]).to eq(50)
end
it "should support :absent as a value" do
expect(described_class.new(:name => 'foo', :uid => :absent)[:uid]).to eq(:absent)
end
end
describe "when managing the gid" do
it "should support :absent as a value" do
expect(described_class.new(:name => 'foo', :gid => :absent)[:gid]).to eq(:absent)
end
it "should convert number-looking strings into actual numbers" do
expect(described_class.new(:name => 'foo', :gid => '50')[:gid]).to eq(50)
end
it "should support GIDs specified as integers" do
expect(described_class.new(:name => 'foo', :gid => 50)[:gid]).to eq(50)
end
it "should support groups specified by name" do
expect(described_class.new(:name => 'foo', :gid => 'foo')[:gid]).to eq('foo')
end
describe "when testing whether in sync" do
it "should return true if no 'should' values are set" do
# this is currently not the case because gid has no default value, so we would never even
# call insync? on that property
if param = described_class.new(:name => 'foo').parameter(:gid)
expect(param).to be_safe_insync(500)
end
end
it "should return true if any of the specified groups are equal to the current integer" do
Puppet::Util.expects(:gid).with("foo").returns 300
Puppet::Util.expects(:gid).with("bar").returns 500
expect(described_class.new(:name => 'baz', :gid => [ 'foo', 'bar' ]).parameter(:gid)).to be_safe_insync(500)
end
it "should return false if none of the specified groups are equal to the current integer" do
Puppet::Util.expects(:gid).with("foo").returns 300
Puppet::Util.expects(:gid).with("bar").returns 500
expect(described_class.new(:name => 'baz', :gid => [ 'foo', 'bar' ]).parameter(:gid)).to_not be_safe_insync(700)
end
end
describe "when syncing" do
it "should use the first found, specified group as the desired value and send it to the provider" do
Puppet::Util.expects(:gid).with("foo").returns nil
Puppet::Util.expects(:gid).with("bar").returns 500
@provider = @provider_class.new(:name => 'foo')
resource = described_class.new(:name => 'foo', :provider => @provider, :gid => [ 'foo', 'bar' ])
@provider.expects(:gid=).with 500
resource.parameter(:gid).sync
end
end
end
describe "when managing groups" do
it "should support a singe group" do
expect { described_class.new(:name => 'foo', :groups => 'bar') }.to_not raise_error
end
it "should support multiple groups as an array" do
expect { described_class.new(:name => 'foo', :groups => [ 'bar' ]) }.to_not raise_error
expect { described_class.new(:name => 'foo', :groups => [ 'bar', 'baz' ]) }.to_not raise_error
end
it "should not support a comma separated list" do
expect { described_class.new(:name => 'foo', :groups => 'bar,baz') }.to raise_error(Puppet::Error, /Group names must be provided as an array/)
end
it "should not support an empty string" do
expect { described_class.new(:name => 'foo', :groups => '') }.to raise_error(Puppet::Error, /Group names must not be empty/)
end
describe "when testing is in sync" do
before :each do
# the useradd provider uses a single string to represent groups and so does Puppet::Property::List when converting to should values
@provider = @provider_class.new(:name => 'foo', :groups => 'a,b,e,f')
end
it "should not care about order" do
@property = described_class.new(:name => 'foo', :groups => [ 'a', 'c', 'b' ]).property(:groups)
expect(@property).to be_safe_insync([ 'a', 'b', 'c' ])
expect(@property).to be_safe_insync([ 'a', 'c', 'b' ])
expect(@property).to be_safe_insync([ 'b', 'a', 'c' ])
expect(@property).to be_safe_insync([ 'b', 'c', 'a' ])
expect(@property).to be_safe_insync([ 'c', 'a', 'b' ])
expect(@property).to be_safe_insync([ 'c', 'b', 'a' ])
end
it "should merge current value and desired value if membership minimal" do
@instance = described_class.new(:name => 'foo', :groups => [ 'a', 'c', 'b' ], :provider => @provider)
@instance[:membership] = :minimum
expect(@instance[:groups]).to eq('a,b,c,e,f')
end
it "should not treat a subset of groups insync if membership inclusive" do
@instance = described_class.new(:name => 'foo', :groups => [ 'a', 'c', 'b' ], :provider => @provider)
@instance[:membership] = :inclusive
expect(@instance[:groups]).to eq('a,b,c')
end
end
end
describe "when managing expiry" do
it "should fail if given an invalid date" do
expect { described_class.new(:name => 'foo', :expiry => "200-20-20") }.to raise_error(Puppet::Error, /Expiry dates must be YYYY-MM-DD/)
end
end
describe "when managing minimum password age" do
it "should accept a negative minimum age" do
expect { described_class.new(:name => 'foo', :password_min_age => '-1') }.to_not raise_error
end
it "should fail with an empty minimum age" do
expect { described_class.new(:name => 'foo', :password_min_age => '') }.to raise_error(Puppet::Error, /minimum age must be provided as a number/)
end
end
describe "when managing maximum password age" do
it "should accept a negative maximum age" do
expect { described_class.new(:name => 'foo', :password_max_age => '-1') }.to_not raise_error
end
it "should fail with an empty maximum age" do
expect { described_class.new(:name => 'foo', :password_max_age => '') }.to raise_error(Puppet::Error, /maximum age must be provided as a number/)
end
end
describe "when managing passwords" do
before do
@password = described_class.new(:name => 'foo', :password => 'mypass').parameter(:password)
end
it "should not include the password in the change log when adding the password" do
expect(@password.change_to_s(:absent, "mypass")).not_to be_include("mypass")
end
it "should not include the password in the change log when changing the password" do
expect(@password.change_to_s("other", "mypass")).not_to be_include("mypass")
end
it "should redact the password when displaying the old value" do
expect(@password.is_to_s("currentpassword")).to match(/^\[old password hash redacted\]$/)
end
it "should redact the password when displaying the new value" do
expect(@password.should_to_s("newpassword")).to match(/^\[new password hash redacted\]$/)
end
it "should fail if a ':' is included in the password" do
expect { described_class.new(:name => 'foo', :password => "some:thing") }.to raise_error(Puppet::Error, /Passwords cannot include ':'/)
end
it "should allow the value to be set to :absent" do
expect { described_class.new(:name => 'foo', :password => :absent) }.to_not raise_error
end
end
describe "when managing comment" do
before :each do
@value = 'abcd™'
expect(@value.encoding).to eq(Encoding::UTF_8)
@user = described_class.new(:name => 'foo', :comment => @value)
end
describe "#insync" do
it "should delegate to the provider's #comments_insync? method if defined" do
# useradd subclasses nameservice and thus inherits #comments_insync?
user = described_class.new(:name => 'foo', :comment => @value, :provider => :useradd)
comment_property = user.properties.find {|p| p.name == :comment}
user.provider.expects(:comments_insync?)
comment_property.insync?('bar')
end
describe "#change_to_s" do
let(:is) { "\u2603" }
let(:should) { "\u06FF" }
let(:comment_property) { @user.properties.find { |p| p.name == :comment } }
context "given is and should strings with incompatible encoding" do
it "should return a formatted string" do
is.force_encoding(Encoding::ASCII_8BIT)
should.force_encoding(Encoding::UTF_8)
expect(Encoding.compatible?(is, should)).to be_falsey
expect(comment_property.change_to_s(is,should)).to match(/changed '\u{E2}\u{98}\u{83}' to '\u{DB}\u{BF}'/)
end
end
context "given is and should strings with compatible encoding" do
it "should return a formatted string" do
is.force_encoding(Encoding::UTF_8)
should.force_encoding(Encoding::UTF_8)
expect(Encoding.compatible?(is, should)).to be_truthy
expect(comment_property.change_to_s(is,should)).to match(/changed '\u{2603}' to '\u{6FF}'/u)
end
end
end
end
end
describe "when manages_solaris_rbac is enabled" do
it "should support a :role value for ensure" do
expect { described_class.new(:name => 'foo', :ensure => :role) }.to_not raise_error
end
end
describe "when user has roles" do
it "should autorequire roles" do
testuser = described_class.new(:name => "testuser", :roles => ['testrole'] )
testrole = described_class.new(:name => "testrole")
config = Puppet::Resource::Catalog.new :testing do |conf|
[testuser, testrole].each { |resource| conf.add_resource resource }
end
Puppet::Type::User::ProviderDirectoryservice.stubs(:get_macosx_version_major).returns "10.5"
rel = testuser.autorequire[0]
expect(rel.source.ref).to eq(testrole.ref)
expect(rel.target.ref).to eq(testuser.ref)
end
end
describe "when setting shell" do
before :each do
@shell_provider_class = described_class.provide(:shell_manager) do
has_features :manages_shell
mk_resource_methods
def create; check_valid_shell;end
def shell=(value); check_valid_shell; end
def delete; end
def exists?; get(:ensure) != :absent; end
def flush; end
def self.instances; []; end
def check_valid_shell; end
end
described_class.stubs(:defaultprovider).returns @shell_provider_class
end
it "should call :check_valid_shell on the provider when changing shell value" do
@provider = @shell_provider_class.new(:name => 'foo', :shell => '/bin/bash', :ensure => :present)
@provider.expects(:check_valid_shell)
resource = described_class.new(:name => 'foo', :shell => '/bin/zsh', :provider => @provider)
Puppet::Util::Storage.stubs(:load)
Puppet::Util::Storage.stubs(:store)
catalog = Puppet::Resource::Catalog.new
catalog.add_resource resource
catalog.apply
end
it "should call :check_valid_shell on the provider when changing ensure from present to absent" do
@provider = @shell_provider_class.new(:name => 'foo', :shell => '/bin/bash', :ensure => :absent)
@provider.expects(:check_valid_shell)
resource = described_class.new(:name => 'foo', :shell => '/bin/zsh', :provider => @provider)
Puppet::Util::Storage.stubs(:load)
Puppet::Util::Storage.stubs(:store)
catalog = Puppet::Resource::Catalog.new
catalog.add_resource resource
catalog.apply
end
end
describe "when purging ssh keys" do
it "should not accept a keyfile with a relative path" do
expect {
described_class.new(:name => "a", :purge_ssh_keys => "keys")
}.to raise_error(Puppet::Error, /Paths to keyfiles must be absolute, not keys/)
end
context "with a home directory specified" do
it "should accept true" do
described_class.new(:name => "a", :home => "/tmp", :purge_ssh_keys => true)
end
it "should accept the ~ wildcard" do
described_class.new(:name => "a", :home => "/tmp", :purge_ssh_keys => "~/keys")
end
it "should accept the %h wildcard" do
described_class.new(:name => "a", :home => "/tmp", :purge_ssh_keys => "%h/keys")
end
it "raises when given a relative path" do
expect {
described_class.new(:name => "a", :home => "/tmp", :purge_ssh_keys => "keys")
}.to raise_error(Puppet::Error, /Paths to keyfiles must be absolute/)
end
end
context "with no home directory specified" do
it "should not accept true" do
expect {
described_class.new(:name => "a", :purge_ssh_keys => true)
}.to raise_error(Puppet::Error, /purge_ssh_keys can only be true for users with a defined home directory/)
end
it "should not accept the ~ wildcard" do
expect {
described_class.new(:name => "a", :purge_ssh_keys => "~/keys")
}.to raise_error(Puppet::Error, /meta character ~ or %h only allowed for users with a defined home directory/)
end
it "should not accept the %h wildcard" do
expect {
described_class.new(:name => "a", :purge_ssh_keys => "%h/keys")
}.to raise_error(Puppet::Error, /meta character ~ or %h only allowed for users with a defined home directory/)
end
end
context "with a valid parameter" do
let(:paths) do
[ "/dev/null", "/tmp/keyfile" ].map { |path| File.expand_path(path) }
end
subject do
res = described_class.new(:name => "test", :purge_ssh_keys => paths)
res.catalog = Puppet::Resource::Catalog.new
res
end
it "should not just return from generate" do
subject.expects :find_unmanaged_keys
subject.generate
end
it "should check each keyfile for readability" do
paths.each do |path|
File.expects(:readable?).with(path)
end
subject.generate
end
end
describe "generated keys" do
subject do
res = described_class.new(:name => "test_user_name", :purge_ssh_keys => purge_param)
res.catalog = Puppet::Resource::Catalog.new
res
end
context "when purging is disabled" do
let(:purge_param) { false }
its(:generate) { should be_empty }
end
context "when purging is enabled" do
let(:purge_param) { my_fixture('authorized_keys') }
let(:resources) { subject.generate }
it "should contain a resource for each key" do
names = resources.collect { |res| res.name }
expect(names).to include("key1 name")
expect(names).to include("keyname2")
end
it "should not include keys in comment lines" do
names = resources.collect { |res| res.name }
expect(names).not_to include("keyname3")
end
it "should generate names for unnamed keys" do
names = resources.collect { |res| res.name }
fixture_path = File.join(my_fixture_dir, 'authorized_keys')
expect(names).to include("#{fixture_path}:unnamed-1")
end
it "should each have a value for the user property" do
expect(resources.map { |res|
res[:user]
}.reject { |user_name|
user_name == "test_user_name"
}).to be_empty
end
end
end
end
end