Add trial-user shared user with write-only uploads folder

Allows for us to give access to trial users to ease supplying us with test data for trials, closing a security hole. cc @haizhou
evertrue · Mar 26, 2014 · 7b678b5 · 7b678b5
1 parent 0c59b5e
commit 7b678b5
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/recipes/users.rb b/recipes/users.rb
@@ -45,10 +45,12 @@
   end
 
   ["#{u['home']}/.ssh", "#{u['home']}/uploads"].each do |dir|
+    mode = uname == 'trial-user' && dir == "#{u['home']}/uploads" ? '0300' : '0700'
+
     directory dir do
       owner uname
       group u['gid']
-      mode '0700'
+      mode mode
     end
   end
 

diff --git a/spec/recipes/users_spec.rb b/spec/recipes/users_spec.rb
@@ -36,11 +36,13 @@
       end
 
       ["#{u['home']}/.ssh", "#{u['home']}/uploads"].each do |dir|
+        mode = (uname == 'trial-user' && dir == "#{u['home']}/uploads") ? '0300' : '0700'
+
         it "creates #{dir}" do
           expect(chef_run).to create_directory(dir).with(
             user:  uname,
             group: u['gid'],
-            mode:  '0700'
+            mode:  mode
           )
         end
       end

diff --git a/test/integration/default/data_bags/users/upload.json b/test/integration/default/data_bags/users/upload.json
@@ -11,5 +11,11 @@
     "ssh_keys": [ "ssh-key-2" ],
     "comment": "Test User 2",
     "password": "$6$UiWsps6a$Qxoz2oLDNyrVk1gEhk5CnjzNGnTY6iMYr5GqKK.PMDahmouI2fm8UF8LK.BHqQYgu9dDZ9eTdVEWMT7jzZ3d91"
+  },
+  "trial-user": {
+    "uid": 10040,
+    "ssh_keys": [],
+    "comment": "Shared Trial User",
+    "password": "$6$UiWsps6a$Qxoz2oLDNyrVk1gEhk5CnjzNGnTY6iMYr5GqKK.PMDahmouI2fm8UF8LK.BHqQYgu9dDZ9eTdVEWMT7jzZ3d91"
   }
 }
diff --git a/test/integration/default/serverspec/default_spec.rb b/test/integration/default/serverspec/default_spec.rb
@@ -111,9 +111,11 @@
     end
 
     ["#{u['home']}/.ssh", "#{u['home']}/uploads"].each do |dir|
+      mode = (uname == 'trial-user' && dir == "#{u['home']}/uploads") ? 300 : 700
+
       describe file(dir) do
         it { should be_directory }
-        it { should be_mode 700 }
+        it { should be_mode mode }
         it { should be_owned_by uname }
         it { should be_grouped_into u['gid'] }
       end