Fix support for policy.yaml

This change fixes support for policy.yaml, which was broken because of the following problems. - The default content was still formatted in json - Augeas doesn't support flat yaml contents required Change-Id: Ie308a481eb70d5f930633b18d8044f9542a142af
2021-01-07 11:51:05 +09:00
parent 083c01dcf9
commit 0ffc8e1c4b
3 changed files with 118 additions and 40 deletions
--- a/manifests/policy/base.pp
+++ b/manifests/policy/base.pp
@@ -43,6 +43,8 @@ define openstacklib::policy::base (
  $file_format = 'json',
 ) {

+  case $file_format {
+    'json': {
      ensure_resource('file', $file_path, {
        mode    => $file_mode,
        owner   => $file_user,
@@ -51,22 +53,9 @@ define openstacklib::policy::base (
        content => '{}'
      })

-  case $file_format {
-    'json': {
-      $file_lens = 'Json.lns'
-    }
-    'yaml': {
-      $file_lens = 'Yaml.lns'
-    }
-    default: {
-      fail("${file_format} is an unsupported policy file format. Choose 'json' or 'yaml'.")
-    }
-  }
-
-
      # Add entry if it doesn't exists
      augeas { "${file_path}-${key}-${value}-add":
-    lens    => $file_lens,
+        lens    => 'Json.lns',
        incl    => $file_path,
        changes => [
          "set dict/entry[last()+1] \"${key}\"",
@@ -77,7 +66,7 @@ define openstacklib::policy::base (

      # Requires that the entry is added before this call or it will fail.
      augeas { "${file_path}-${key}-${value}" :
-    lens    => $file_lens,
+        lens    => 'Json.lns',
        incl    => $file_path,
        changes => "set dict/entry[*][.=\"${key}\"]/string \"${value}\"",
      }
@@ -85,6 +74,27 @@ define openstacklib::policy::base (
      File<| title == $file_path |>
      -> Augeas<| title == "${file_path}-${key}-${value}-add" |>
        ~> Augeas<| title == "${file_path}-${key}-${value}" |>
+    }
+    'yaml': {
+      ensure_resource('file', $file_path, {
+        mode    => $file_mode,
+        owner   => $file_user,
+        group   => $file_group,
+        replace => false, # augeas will manage the content, we just need to make sure it exists
+        content => ''
+      })
+      file_line { "${file_path}-${key}" :
+        path  => $file_path,
+        line  => "'${key}': '${value}'",
+        match => "^['\"]?${key}['\"]?\\s*:.+"
+      }
+      File<| title == $file_path |>
+      -> File_line<| title == "${file_path}-${key}" |>
+    }
+    default: {
+      fail("${file_format} is an unsupported policy file format. Choose 'json' or 'yaml'.")
+    }
+  }

 }

--- a/spec/acceptance/openstacklib_policy_base_spec.rb
+++ b/spec/acceptance/openstacklib_policy_base_spec.rb
@@ -0,0 +1,36 @@
+require 'spec_helper_acceptance'
+
+describe 'policy file management' do
+
+  context 'with policy.yaml' do
+    it 'should work with no errors' do
+      pp= <<-EOS
+      Exec { logoutput => 'on_failure' }
+      openstacklib::policy::base { 'is_admin':
+        file_path   => '/tmp/policy.yaml',
+        key         => 'is_admin',
+        value       => 'role:admin',
+        file_format => 'yaml',
+      }
+      openstacklib::policy::base { 'is_member':
+        file_path   => '/tmp/policy.yaml',
+        key         => 'is_member',
+        value       => 'role:member',
+        file_format => 'yaml',
+      }
+
+      EOS
+
+      # Run it twice and test for idempotency
+      apply_manifest(pp, :catch_failures => true)
+      apply_manifest(pp, :catch_changes => true)
+    end
+
+    describe file('/tmp/policy.yaml') do
+      it { should exist }
+      it { should contain("'is_admin': 'role:admin'") }
+      it { should contain("'is_member': 'role:member'") }
+    end
+  end
+
+end
--- a/spec/defines/openstacklib_policy_base_spec.rb
+++ b/spec/defines/openstacklib_policy_base_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'

 describe 'openstacklib::policy::base' do
  shared_examples 'openstacklib::policy::base' do
-    context 'with some basic parameters' do
+    context 'with policy.json' do
      let :title do
        'nova-contest_is_admin'
      end
@@ -14,7 +14,8 @@ describe 'openstacklib::policy::base' do
          :value       => 'foo:bar',
          :file_mode   => '0644',
          :file_user   => 'foo',
-          :file_group => 'bar'
+          :file_group  => 'bar',
+          :file_format => 'json',
        }
      end

@@ -40,6 +41,37 @@ describe 'openstacklib::policy::base' do
        :onlyif  => 'match dict/entry[*][.="context_is_admin or owner"] size == 0'
      )}
    end
+
+    context 'with policy.yaml' do
+      let :title do
+        'nova-contest_is_admin'
+      end
+
+      let :params do
+        {
+          :file_path   => '/etc/nova/policy.yaml',
+          :key         => 'context_is_admin or owner',
+          :value       => 'foo:bar',
+          :file_mode   => '0644',
+          :file_user   => 'foo',
+          :file_group  => 'bar',
+          :file_format => 'yaml',
+        }
+      end
+
+      it { should contain_file('/etc/nova/policy.yaml').with(
+        :mode  => '0644',
+        :owner => 'foo',
+        :group => 'bar'
+      )}
+
+      it { should contain_file_line('/etc/nova/policy.yaml-context_is_admin or owner').with(
+        :path  => '/etc/nova/policy.yaml',
+        :line  => '\'context_is_admin or owner\': \'foo:bar\'',
+        :match => '^[\'"]?context_is_admin or owner[\'"]?\s*:.+'
+      ) }
+
+    end
  end

  on_supported_os({