From d40c6776b59fb6ea6fc2e8bbc25fbedf2270b138 Mon Sep 17 00:00:00 2001 From: Philip Garrett Date: Sat, 4 Jun 2016 19:20:37 -0400 Subject: [PATCH] Derive default config permissions from attributes Use the same attributes to provide defaults for consul_definition and consul_watch as are used for consul_config. Consolidated each test suite as a recipe in the consul_spec cookbook to reduce the boilerplate this would have added to kitchen.yml. --- .kitchen.yml | 8 +++---- libraries/consul_definition.rb | 7 +++++-- libraries/consul_watch.rb | 4 ++-- test/cookbooks/consul_spec/recipes/acl.rb | 3 +++ .../consul_spec/recipes/consul_definition.rb | 21 +++++++++++++++++++ .../consul_spec/recipes/consul_watch.rb | 18 ++++++++++++++++ .../default/serverspec/default_spec.rb | 18 +++++++++++++++- test/spec/libraries/consul_definition_spec.rb | 12 +++++++---- test/spec/libraries/consul_watch_spec.rb | 8 +++++-- 9 files changed, 83 insertions(+), 16 deletions(-) create mode 100644 test/cookbooks/consul_spec/recipes/consul_definition.rb create mode 100644 test/cookbooks/consul_spec/recipes/consul_watch.rb diff --git a/.kitchen.yml b/.kitchen.yml index 640af0ac..6af4a3b0 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -37,7 +37,7 @@ platforms: suites: - name: default run_list: - - recipe[consul::default] + - recipe[consul_spec::default] attributes: consul: config: &default-config @@ -49,7 +49,7 @@ suites: encrypt: CGXC2NsXW4AvuB4h5ODYzQ== - name: git run_list: - - recipe[consul::default] + - recipe[consul_spec::default] attributes: consul: config: *default-config @@ -59,7 +59,7 @@ suites: - windows-2012r2 - name: webui run_list: - - recipe[consul::default] + - recipe[consul_spec::default] attributes: consul: config: @@ -70,8 +70,6 @@ suites: encrypt: CGXC2NsXW4AvuB4h5ODYzQ== - name: acl run_list: - - recipe[consul::default] - - recipe[consul::client_gem] - recipe[consul_spec::acl] attributes: consul: 
diff --git a/libraries/consul_definition.rb b/libraries/consul_definition.rb index a960e92a..95fe5997 100644 --- a/libraries/consul_definition.rb +++ b/libraries/consul_definition.rb @@ -21,11 +21,11 @@ class ConsulDefinition < Chef::Resource # @!attribute user # @return [String] - attribute(:user, kind_of: String, default: 'consul') + attribute(:user, kind_of: String, default: lazy { node['consul']['config']['owner'] }) # @!attribute group # @return [String] - attribute(:group, kind_of: String, default: 'consul') + attribute(:group, kind_of: String, default: lazy { node['consul']['config']['group'] }) # @!attribute type # @return [String] @@ -49,6 +49,9 @@ def to_json owner new_resource.user group new_resource.group mode '0755' + # Prevent clobbering permissions on the directory since the intent + # in this context is to set the permissions of the definition file + not_if { Dir.exist? self.path } end end diff --git a/libraries/consul_watch.rb b/libraries/consul_watch.rb index cfc2659e..c67e12d5 100644 --- a/libraries/consul_watch.rb +++ b/libraries/consul_watch.rb @@ -21,11 +21,11 @@ class ConsulWatch < Chef::Resource # @!attribute user # @return [String] - attribute(:user, kind_of: String, default: 'consul') + attribute(:user, kind_of: String, default: lazy { node['consul']['config']['owner'] }) # @!attribute group # @return [String] - attribute(:group, kind_of: String, default: 'consul') + attribute(:group, kind_of: String, default: lazy { node['consul']['config']['group'] }) # @!attribute type # @return [String] diff --git a/test/cookbooks/consul_spec/recipes/acl.rb b/test/cookbooks/consul_spec/recipes/acl.rb index 7786a3c0..cc94f528 100644 --- a/test/cookbooks/consul_spec/recipes/acl.rb +++ b/test/cookbooks/consul_spec/recipes/acl.rb @@ -1,3 +1,6 @@ +include_recipe 'consul_spec::default' +include_recipe 'consul::client_gem' + package 'curl' consul_acl 'anonymous' do 
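Review bot: The new `lazy { node['consul']['config']['owner'] }` and `lazy { node['consul']['config']['group'] }` defaults fail with a NoMethodError on nil when `node['consul']['config']` is not populated, and the YARD comments above them still say only `@return [String]`. The spec files in this commit had to add a `'config'` hash to `default_attributes`, which suggests the lookup does not resolve in every run context. I would document the source of the default on both attributes, for example `# Defaults to node['consul']['config']['owner'] so definition files share the ownership of the main config`. The identical hunk in libraries/consul_watch.rb needs the same comment.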
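Review bot: The `not_if { Dir.exist? self.path }` guard added to the directory resource means an existing config directory is never converged by this provider. A directory that already exists with a looser owner or mode than the `0755` declared here therefore stays that way, and that directory holds check definitions the agent will load. The added comment gives the intent but not which resource is responsible for the directory's permissions. I would extend it to something like `# Ownership and mode of this directory are managed by <owning resource>; here it is only created when missing`. The `self.` receiver is also redundant, so `not_if { Dir.exist?(path) }` reads more cleanly. The directory block opens outside this hunk, so I am assuming `path` resolves to the directory resource's own path.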
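Review bot: libraries/consul_watch.rb gets the new attribute-derived `user` and `group` defaults but not the `not_if` guard that this commit adds to the directory resource in consul_definition.rb. test/spec/libraries/consul_watch_spec.rb still expects `create_directory('/etc/consul/conf.d')`, so the watch provider presumably manages the same directory with `owner new_resource.user`. With the default now coming from `node['consul']['config']['owner']`, a watch would re-own the directory on every converge, which is the clobbering the other provider now avoids. If that is right, the same line, `not_if { Dir.exist?(path) }`, belongs in the watch's directory resource. The provider action is outside this hunk, so this needs checking against the full file.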
diff --git a/test/cookbooks/consul_spec/recipes/consul_definition.rb b/test/cookbooks/consul_spec/recipes/consul_definition.rb new file mode 100644 index 00000000..cb5aa8ca --- /dev/null +++ b/test/cookbooks/consul_spec/recipes/consul_definition.rb @@ -0,0 +1,21 @@ + +# The ruby interpreter is guaranteed to exist since it's currently running. +file "/consul_definition_check.rb" do + content (<<-EOF).gsub(/^ */, '') + #!#{RbConfig.ruby} + exit 0 + EOF + unless node.platform?('windows') + owner 'root' + mode '0755' + end +end + +consul_definition 'consul_definition_check' do + type 'check' + parameters(id: "consul_definition_check", + script: '/consul_definition_check.rb', + interval: '10s', + timeout: '10s') + notifies :reload, 'consul_service[consul]', :delayed +end diff --git a/test/cookbooks/consul_spec/recipes/consul_watch.rb b/test/cookbooks/consul_spec/recipes/consul_watch.rb new file mode 100644 index 00000000..483c02c8 --- /dev/null +++ b/test/cookbooks/consul_spec/recipes/consul_watch.rb @@ -0,0 +1,18 @@ + +# The ruby interpreter is guaranteed to exist since it's currently running. +file "/consul_watch_handler.rb" do + content (<<-EOF).gsub(/^ */, '') + #!#{RbConfig.ruby} + exit 0 + EOF + unless node.platform?('windows') + owner 'root' + mode '0755' + end +end + +consul_watch 'consul_watch_check' do + type 'event' + parameters(handler: "/consul_watch_handler.rb") + notifies :reload, 'consul_service[consul]', :delayed +end diff --git a/test/integration/default/serverspec/default_spec.rb b/test/integration/default/serverspec/default_spec.rb index dca3e912..3b62ae52 100644 --- a/test/integration/default/serverspec/default_spec.rb +++ b/test/integration/default/serverspec/default_spec.rb 
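Review bot: On Windows the `unless node.platform?('windows')` branch leaves `/consul_definition_check.rb` without any owner or rights, so the script the agent runs for this check presumably inherits whatever ACL the drive root carries. The non-Windows branch pins `owner 'root'` and `mode '0755'`, which keeps the agent user from rewriting its own check script, but it sets no `group`. For a fixture this is low risk, but a comment would stop the pattern being copied as-is, e.g. `# Windows: permissions are inherited from the parent directory; test fixture only`. The same applies to `/consul_watch_handler.rb` in recipes/consul_watch.rb. Separately, `content (<<-EOF).gsub(/^ */, '')` relies on the space before the parenthesis being parsed as a grouped argument; `content(<<-EOF.gsub(/^ */, ''))` is unambiguous.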
@@ -88,4 +88,20 @@ EOT end end -end \ No newline at end of file +end + +describe file("#{confd_dir}/consul_definition_check.json") do + it { should be_file } + it { should be_owned_by 'root' } + it { should be_grouped_into 'consul' } + + it { should be_mode 640 } +end + +describe file("#{confd_dir}/consul_watch_check.json") do + it { should be_file } + it { should be_owned_by 'root' } + it { should be_grouped_into 'consul' } + + it { should be_mode 640 } +end diff --git a/test/spec/libraries/consul_definition_spec.rb b/test/spec/libraries/consul_definition_spec.rb index 95ef6fea..329836d7 100644 --- a/test/spec/libraries/consul_definition_spec.rb +++ b/test/spec/libraries/consul_definition_spec.rb @@ -8,7 +8,11 @@ default_attributes['consul'] = { 'service' => { 'config_dir' => '/etc/consul/conf.d' - } + }, + 'config' => { + 'owner' => 'root', + 'group' => 'consul' + } } end @@ -23,7 +27,7 @@ it { is_expected.to create_directory('/etc/consul/conf.d') } it do is_expected.to create_file('/etc/consul/conf.d/redis.json') - .with(user: 'consul', group: 'consul', mode: '0640') + .with(user: 'root', group: 'consul', mode: '0640') .with(content: JSON.pretty_generate( service: { tags: ['master'], @@ -47,7 +51,7 @@ it { is_expected.to create_directory('/etc/consul/conf.d') } it do is_expected.to create_file('/etc/consul/conf.d/redis.json') - .with(user: 'consul', group: 'consul', mode: '0640') + .with(user: 'root', group: 'consul', mode: '0640') .with(content: JSON.pretty_generate( service: { name: 'myredis', @@ -71,7 +75,7 @@ it { is_expected.to create_directory('/etc/consul/conf.d') } it do is_expected.to create_file('/etc/consul/conf.d/web-api.json') - .with(user: 'consul', group: 'consul', mode: '0640') + .with(user: 'root', group: 'consul', mode: '0640') .with(content: JSON.pretty_generate( check: { http: 'http://localhost:5000/health', diff --git a/test/spec/libraries/consul_watch_spec.rb b/test/spec/libraries/consul_watch_spec.rb index 6d8f9f7c..d2bc09f1 100644 
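Review bot: The two new `describe file(...)` blocks pin owner, group and mode of the generated JSON files, but nothing asserts the state of `confd_dir` itself. That directory is what the new `not_if` guard in libraries/consul_definition.rb is meant to leave untouched. Without a directory assertion, a regression where a definition or watch re-owns or re-modes the config directory would pass this suite. I would add a block such as `describe file(confd_dir) do it { should be_directory } end` with the owner and mode expectations that the main config establishes. `confd_dir` is defined outside this hunk, so those values have to come from there.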
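Review bot: The `it { is_expected.to create_directory('/etc/consul/conf.d') }` examples kept as context in the three later hunks of test/spec/libraries/consul_definition_spec.rb now depend on the filesystem of the machine running the specs. This commit adds `not_if { Dir.exist? self.path }` to that directory resource. Assuming ChefSpec evaluates Ruby block guards, the expectation would fail on a host where `/etc/consul/conf.d` already exists. Stubbing the check in the spec setup makes the result deterministic: `allow(Dir).to receive(:exist?).and_call_original` followed by `allow(Dir).to receive(:exist?).with('/etc/consul/conf.d').and_return(false)`. A second example with `and_return(true)` would also document that the directory is left alone when it is present.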
--- a/test/spec/libraries/consul_watch_spec.rb +++ b/test/spec/libraries/consul_watch_spec.rb @@ -8,7 +8,11 @@ default_attributes['consul'] = { 'service' => { 'config_dir' => '/etc/consul/conf.d' - } + }, + 'config' => { + 'owner' => 'root', + 'group' => 'consul' + } } end @@ -23,7 +27,7 @@ it { is_expected.to create_directory('/etc/consul/conf.d') } it do is_expected.to create_file('/etc/consul/conf.d/foo.json') - .with(user: 'consul', group: 'consul', mode: '0640') + .with(user: 'root', group: 'consul', mode: '0640') .with(content: JSON.pretty_generate( { watches: [