diff options
| author | Gabriel Nagy <gabriel.nagy@puppet.com> | 2019-08-13 12:41:03 +0300 |
|---|---|---|
| committer | Gabriel Nagy <gabriel.nagy@puppet.com> | 2019-10-23 12:23:47 +0300 |
| commit | b2c153b6ff070d620d47c83265992f7226646ee8 (patch) | |
| tree | 2754dfcb7d0b384a0c396f9c6bfd3a25c73d25e0 /spec/unit | |
| parent | 8fd51e76226ea0f2012dfad9e3e52156cccbe13d (diff) | |
| download | puppet-sshkeys_core-b2c153b6ff070d620d47c83265992f7226646ee8.tar.gz puppet-sshkeys_core-b2c153b6ff070d620d47c83265992f7226646ee8.tar.bz2 | |
(MODULES-9578) Create authorized_key in root path
Previously, when the `target` property was set, the ssh_authorized_key
resource could not create directories/files within root-owned paths.
This behavior is due to the module switching context to the user, then
attempting to create the directory/file as the specified user,
ultimately failing because of insufficient permissions.
This commit adds a new parameter, `drop_privileges` which when set to
false allows the module to write a ssh_authorized_key file in a
privileged path. Due to the possible security implications of this,
the parameter must be manually specified in order to activate this
functionality.
A path is considered to be privileged/trusted if all of its ancestors:
- do not contain any symlinks
- have the same owner as the user who runs Puppet
- are not world/group writable
Diffstat (limited to 'spec/unit')
| -rw-r--r-- | spec/unit/type/ssh_authorized_key_spec.rb | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/spec/unit/type/ssh_authorized_key_spec.rb b/spec/unit/type/ssh_authorized_key_spec.rb index 866c688..457537c 100644 --- a/spec/unit/type/ssh_authorized_key_spec.rb +++ b/spec/unit/type/ssh_authorized_key_spec.rb @@ -17,7 +17,7 @@ describe Puppet::Type.type(:ssh_authorized_key), unless: Puppet.features.microso end describe 'when validating attributes' do - [:name, :provider].each do |param| + [:name, :provider, :drop_privileges].each do |param| it "has a #{param} parameter" do expect(described_class.attrtype(param)).to eq :param end @@ -56,6 +56,28 @@ describe Puppet::Type.type(:ssh_authorized_key), unless: Puppet.features.microso end end + describe 'for drop_privileges' do + it 'uses true as a default value' do + expect(described_class.new(name: 'whev', user: 'nobody')[:drop_privileges]).to eq true + end + + [true, :true, 'true', :yes, 'yes'].each do |value| + it "supports #{value} and returns a boolean true" do + expect(described_class.new(name: 'whev', user: 'nobody', drop_privileges: value)[:drop_privileges]).to eq true + end + end + + [false, :false, 'false', :no, 'no'].each do |value| + it "supports #{value} and returns a boolean false" do + expect(described_class.new(name: 'whev', user: 'nobody', drop_privileges: value)[:drop_privileges]).to eq false + end + end + + it 'raises an exception on something else' do + expect { described_class.new(name: 'whev', user: 'nobody', drop_privileges: 'nope') }.to raise_error(Puppet::Error, %r{Invalid value}) + end + end + describe 'for type' do [ :'ssh-dss', :dsa, |