Merge pull request #324 from kingpong/more-permissions

More permissions

.kitchen.yml

@@ -37,7 +37,7 @@ platforms:
 suites:
   - name: default
     run_list:
-      - recipe[consul::default]
+      - recipe[consul_spec::default]
     attributes:
       consul:
         config: &default-config
@@ -49,7 +49,7 @@ suites:
           encrypt: CGXC2NsXW4AvuB4h5ODYzQ==
   - name: git
     run_list:
-      - recipe[consul::default]
+      - recipe[consul_spec::default]
     attributes:
       consul:
         config: *default-config
@@ -59,7 +59,7 @@ suites:
       - windows-2012r2
   - name: webui
     run_list:
-      - recipe[consul::default]
+      - recipe[consul_spec::default]
     attributes:
       consul:
         config:
@@ -70,8 +70,6 @@ suites:
           encrypt: CGXC2NsXW4AvuB4h5ODYzQ==
   - name: acl
     run_list:
-      - recipe[consul::default]
-      - recipe[consul::client_gem]
       - recipe[consul_spec::acl]
     attributes:
       consul:

libraries/consul_definition.rb

@@ -49,6 +49,9 @@ def to_json
               owner new_resource.user
               group new_resource.group
               mode '0755'
+              # Prevent clobbering permissions on the directory since the intent
+              # in this context is to set the permissions of the definition file
+              not_if { Dir.exist? path }
             end
           end
 

test/cookbooks/consul_spec/recipes/acl.rb

@@ -1,3 +1,6 @@
+include_recipe 'consul_spec::default'
+include_recipe 'consul::client_gem'
+
 package 'curl'
 
 consul_acl 'anonymous' do

test/cookbooks/consul_spec/recipes/consul_definition.rb

@@ -0,0 +1,22 @@
+
+# The ruby interpreter is guaranteed to exist since it's currently running.
+file "/consul_definition_check.rb" do
+  content (<<-EOF).gsub(/^ */, '')
+    #!#{RbConfig.ruby}
+    exit 0
+  EOF
+  unless node.platform?('windows')
+    owner 'root'
+    mode '0755'
+  end
+end
+
+consul_definition 'consul_definition_check' do
+  type 'check'
+  user 'root'
+  parameters(id: "consul_definition_check",
+             script: '/consul_definition_check.rb',
+             interval: '10s',
+             timeout: '10s')
+  notifies :reload, 'consul_service[consul]', :delayed
+end

test/cookbooks/consul_spec/recipes/consul_watch.rb

@@ -0,0 +1,19 @@
+
+# The ruby interpreter is guaranteed to exist since it's currently running.
+file "/consul_watch_handler.rb" do
+  content (<<-EOF).gsub(/^ */, '')
+    #!#{RbConfig.ruby}
+    exit 0
+  EOF
+  unless node.platform?('windows')
+    owner 'root'
+    mode '0755'
+  end
+end
+
+consul_watch 'consul_watch_check' do
+  type 'event'
+  user 'root'
+  parameters(handler: "/consul_watch_handler.rb")
+  notifies :reload, 'consul_service[consul]', :delayed
+end

test/integration/default/serverspec/default_spec.rb

@@ -88,4 +88,20 @@
       EOT
     end
   end
-end
+end
+
+describe file("#{confd_dir}/consul_definition_check.json") do
+  it { should be_file }
+  it { should be_owned_by     'root' }
+  it { should be_grouped_into 'consul' }
+
+  it { should be_mode 640 }
+end
+
+describe file("#{confd_dir}/consul_watch_check.json") do
+  it { should be_file }
+  it { should be_owned_by     'root' }
+  it { should be_grouped_into 'consul' }
+
+  it { should be_mode 640 }
+end

test/spec/libraries/consul_definition_spec.rb

@@ -16,14 +16,15 @@
     recipe do
       consul_definition 'redis' do
         type 'service'
+        user 'root'
         parameters(tags: %w{master}, address: '127.0.0.1', port: 6379, interval: '10s')
       end
     end
 
     it { is_expected.to create_directory('/etc/consul/conf.d') }
     it do
       is_expected.to create_file('/etc/consul/conf.d/redis.json')
-      .with(user: 'consul', group: 'consul', mode: '0640')
+      .with(user: 'root', group: 'consul', mode: '0640')
       .with(content: JSON.pretty_generate(
         service: {
           tags: ['master'],
@@ -40,14 +41,15 @@
     recipe do
       consul_definition 'redis' do
         type 'service'
+        user 'root'
         parameters(name: 'myredis', tags: %w{master}, address: '127.0.0.1', port: 6379, interval: '10s')
       end
     end
 
     it { is_expected.to create_directory('/etc/consul/conf.d') }
     it do
       is_expected.to create_file('/etc/consul/conf.d/redis.json')
-      .with(user: 'consul', group: 'consul', mode: '0640')
+      .with(user: 'root', group: 'consul', mode: '0640')
       .with(content: JSON.pretty_generate(
         service: {
           name: 'myredis',
@@ -64,14 +66,15 @@
     recipe do
       consul_definition 'web-api' do
         type 'check'
+        user 'root'
         parameters(http: 'http://localhost:5000/health', ttl: '30s')
       end
     end
 
     it { is_expected.to create_directory('/etc/consul/conf.d') }
     it do
       is_expected.to create_file('/etc/consul/conf.d/web-api.json')
-      .with(user: 'consul', group: 'consul', mode: '0640')
+      .with(user: 'root', group: 'consul', mode: '0640')
       .with(content: JSON.pretty_generate(
         check: {
           http: 'http://localhost:5000/health',

test/spec/libraries/consul_watch_spec.rb

@@ -16,14 +16,15 @@
     recipe do
       consul_watch 'foo' do
         type 'key'
+        user 'root'
         parameters(key: 'foo/bar/baz', handler: '/bin/false')
       end
     end
 
     it { is_expected.to create_directory('/etc/consul/conf.d') }
     it do
       is_expected.to create_file('/etc/consul/conf.d/foo.json')
-      .with(user: 'consul', group: 'consul', mode: '0640')
+      .with(user: 'root', group: 'consul', mode: '0640')
       .with(content: JSON.pretty_generate(
         {
           watches: [