Merge pull request #243 from visioncritical/improve-selinux-support

Improve selinux support
sous-chefs · Dec 4, 2015 · 809b97d · 809b97d
2 parents 5751ec6 + 3838249
commit 809b97d
Show file tree

Hide file tree

Showing 4 changed files with 138 additions and 1 deletion.
diff --git a/recipes/default.rb b/recipes/default.rb
@@ -4,7 +4,11 @@
 #
 # Copyright 2014, 2015 Bloomberg Finance L.P.
 #
-include_recipe 'selinux::disabled' if node['os'] == 'linux'
+
+if node['os'] == 'linux'
+  node.default['selinux']['state'] = 'permissive'
+  include_recipe 'selinux::default'
+end
 
 if node['firewall']['allow_consul']
   include_recipe 'firewall::default'

diff --git a/test/spec/recipes/default_spec.rb b/test/spec/recipes/default_spec.rb
@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe 'consul::default' do
+  context 'When all attributes are default, on an unspecified platform' do
+    let(:chef_run) do
+      ChefSpec::SoloRunner.new.converge(described_recipe)
+    end
+
+    it 'converges successfully' do
+      chef_run # This should not raise an error
+    end
+  end
+
+  context 'When selinux is set to be permissive, on a RHEL distribution' do
+    let(:chef_run) do
+      ChefSpec::SoloRunner.new do |node, server|
+        node.automatic['os'] = 'linux'
+        node.automatic['platform_family'] = 'rhel'
+        node.set['selinux']['state'] = 'permissive'
+      end.converge(described_recipe)
+    end
+
+    it 'selinux_state action is permissive' do
+      expect(chef_run).to permissive_selinux_state('SELinux Permissive')
+    end
+  end
+
+  context 'When selinux is set to be disabled, on a RHEL distribution' do
+    let(:chef_run) do
+      ChefSpec::SoloRunner.new do |node, server|
+        node.automatic['os'] = 'linux'
+        node.automatic['platform_family'] = 'rhel'
+        node.set['selinux']['state'] = 'disabled'
+      end.converge(described_recipe)
+    end
+
+    it 'selinux_state action is disabled' do
+      expect(chef_run).to disabled_selinux_state('SELinux Disabled')
+    end
+  end
+
+  context 'When selinux is set to be enforcing, on a RHEL distribution' do
+    let(:chef_run) do
+      ChefSpec::SoloRunner.new do |node, server|
+        node.automatic['os'] = 'linux'
+        node.automatic['platform_family'] = 'rhel'
+        node.set['selinux']['state'] = 'enforcing'
+      end.converge(described_recipe)
+    end
+
+    it 'selinux_state action is enforcing' do
+      expect(chef_run).to enforcing_selinux_state('SELinux Enforcing')
+    end
+  end
+end
diff --git a/test/spec/spec_helper.rb b/test/spec/spec_helper.rb
@@ -1,3 +1,4 @@
 require 'chefspec'
 require 'chefspec/berkshelf'
 require 'poise_boiler/spec_helper'
+require_relative('support/chefspec_extensions/automatic_resource_matcher')
diff --git a/test/spec/support/chefspec_extensions/automatic_resource_matcher.rb b/test/spec/support/chefspec_extensions/automatic_resource_matcher.rb
@@ -0,0 +1,77 @@
+# Modified for styling
+module ChefSpec
+  # https://github.com/lynx44/chefspec_extensions
+  module AutomaticResourceMatcher
+    def method_missing(meth, *args, &block)
+      method_name = meth.to_s
+      if resource_matcher_candidate?(method_name, args)
+        cookbook_candidates = get_cookbook_candidates(method_name)
+        cookbook_matches = find_cookbooks_with_matching_resources(cookbook_candidates, method_name)
+        if cookbook_matches.length == 1
+          cookbook = cookbook_matches.first
+          return create_matcher(args, cookbook[:name], method_name)
+        end
+      end
+      super
+    end
+
+    private
+
+    def resource_matcher_candidate?(method_name, args)
+      method_name.count('_') >= 1 && args.length == 1
+    end
+
+    def cookbooks
+      @@cookbooks ||=
+        cookbook_paths
+        .map { |cookbook_path| Dir.glob("#{cookbook_path}/*") }
+        .flatten
+        .select { |c| File.directory? c }
+        .map { |c| { name: Pathname.new(c).basename.to_s, path: c } }
+        .flatten
+    end
+
+    def cookbook_paths
+      Chef::Config[:cookbook_path].is_a?(Array) ? Chef::Config[:cookbook_path] : [Chef::Config[:cookbook_path]]
+    end
+
+    def get_cookbook_candidates(method_name)
+      cookbooks.select { |c| method_name.include? c[:name] }
+    end
+
+    def parse_lwrp(cookbook, method_name)
+      if (method_name.count('_') == 1)
+        method_name = "#{method_name}_default"
+      end
+
+      parts = method_name.split("_#{cookbook}_")
+      { action: parts[0], cookbook: cookbook, resource_name: parts[1] }
+    end
+
+    def find_cookbooks_with_matching_resources(cookbook_candidates, method_name)
+      cookbook_matches = []
+      cookbook_candidates.each do |cookbook|
+        resource_parts = parse_lwrp(cookbook[:name], method_name)
+        cookbook_matches.push(cookbook) if cookbook_has_resource?(cookbook, resource_parts[:resource_name])
+      end
+      cookbook_matches
+    end
+
+    def cookbook_has_resource?(cookbook, resource_name)
+      Dir.glob("#{cookbook[:path]}/resources/#{resource_name}.rb").length == 1
+    end
+
+    def create_matcher(args, cookbook, method_name)
+      resource_definition = parse_lwrp(cookbook, method_name)
+      resource_name = "#{cookbook}_#{resource_definition[:resource_name]}"
+      if (resource_definition[:resource_name] == 'default')
+        resource_name = cookbook
+      end
+      ChefSpec::Matchers::ResourceMatcher.new(resource_name.to_sym, resource_definition[:action].to_sym, args[0])
+    end
+  end
+end
+
+RSpec.configure do |c|
+  c.include ChefSpec::AutomaticResourceMatcher
+end