From 73315d23d4190d6d8e2ae6894a198047a08f4201 Mon Sep 17 00:00:00 2001
From: Stuart Pook
Date: Thu, 7 Mar 2019 17:18:59 +0100
Subject: [PATCH] Set acls for users and groups

Very simple first version. If the given group or user doesn't have an acl at all then set the given acl. The current acl is not checked to conform to the requested acl.
---
 recipes/acls.rb | 14 +++++++++++
 recipes/mcs.rb | 1 +
 spec/unit/recipes/acls.rb | 51 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 recipes/acls.rb
 create mode 100644 spec/unit/recipes/acls.rb

diff --git a/recipes/acls.rb b/recipes/acls.rb
new file mode 100644
index 0000000..eb68e62
--- /dev/null
+++ b/recipes/acls.rb
@@ -0,0 +1,14 @@
+['user', 'group'].each do |what|
+ node['mapr']['config'].fetch('acls', {}).fetch(what, {}).each do |who, perms|
+ execute "set acl for #{what} #{who}" do
+ command "/opt/mapr/bin/maprcli acl edit -type cluster -#{what} #{who}:#{perms}"
+ user node['mapr']['config']['owner']
+ only_if do
+ Mixlib::ShellOut.new("/opt/mapr/bin/maprcli acl show -type cluster -#{what} #{who}").tap do |command|
+ command.run_command
+ command.error!
+ end.stdout.empty?
+ end
+ end
+ end
+end
diff --git a/recipes/mcs.rb b/recipes/mcs.rb
index bd39444..54efc95 100644
--- a/recipes/mcs.rb
+++ b/recipes/mcs.rb
@@ -5,6 +5,7 @@
 # Copyright:: 2018, The Authors, All Rights Reserved.
 include_recipe 'mapr'
+include_recipe 'mapr::acls'
 package 'mapr-webserver' do
 action :upgrade
diff --git a/spec/unit/recipes/acls.rb b/spec/unit/recipes/acls.rb
new file mode 100644
index 0000000..f0dce40
--- /dev/null
+++ b/spec/unit/recipes/acls.rb
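Review bot: In recipes/acls.rb both the `command` string and the `Mixlib::ShellOut.new` string inside `only_if` interpolate `who` and `perms` from node attributes into one command line, so an attribute value containing whitespace or shell metacharacters changes what is executed as the MapR owner (and, in the guard, as the Chef client user). Passing argument vectors keeps each attribute a single argument: `command ['/opt/mapr/bin/maprcli', 'acl', 'edit', '-type', 'cluster', "-#{what}", "#{who}:#{perms}"]`, and likewise `Mixlib::ShellOut.new('/opt/mapr/bin/maprcli', 'acl', 'show', '-type', 'cluster', "-#{what}", who)`; the spec's `.with(...)` stubs would need the same shape. The guard also runs without a `user:` option while the edit runs as `node['mapr']['config']['owner']`, which looks unintended; confirm the show call works under the Chef client's identity on a secured cluster. A one-line comment above `only_if` saying that empty `acl show` output is taken to mean "no ACL for this principal" would document the assumption the guard relies on.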
@@ -0,0 +1,51 @@
+# Copyright:: 2018, Criteo, All Rights Reserved.
+
+require 'spec_helper'
+
+describe 'mapr::acls' do
+ let(:users) { ['fred', 'jane' ] }
+ context 'Two users should have acls' do
+ let(:chef_run) do
+ ChefSpec::SoloRunner.new(
+ platform: 'centos',
+ version: '7.4.1708',
+ ) do |node|
+ users.each do |u|
+ node.default['mapr']['config']['acls']['user'][u] = 'fc2'
+ node.default['mapr']['config']['acls']['user'][u] = 'fc2'
+ end
+ node.default['mapr']['config']['acls']['ignored']['lake'] = 'fc'
+ node.override['mapr']['config']['owner'] = 'alice'
+ end.converge(described_recipe)
+ end
+
+ before do
+ users.each do |u|
+ expect(Mixlib::ShellOut).to receive(:new)
+ .with("/opt/mapr/bin/maprcli acl show -type cluster -user #{u}")
+ .and_return(double(run_command: nil, stdout: acls, error!: nil))
+ end
+ end
+
+ context 'no acls present' do
+ let(:acls) { '' }
+
+ it 'sets acl for all users' do
+ users.each do |u|
+ expect(chef_run).to run_execute("set acl for user #{u}")
+ .with(command: "/opt/mapr/bin/maprcli acl edit -type cluster -user #{u}:fc2", user: 'alice')
+ end
+ end
+ end
+
+ context 'existing acls' do
+ let(:acls) { "Allowed actions Principal\n[login, ss, cv, a, fc] User mapr\n" }
+
+ it 'does not set any acls' do
+ users.each do |u|
+ expect(chef_run).to_not run_execute("set acl for user #{u}")
+ end
+ end
+ end
+ end
+end
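Review bot: The `users.each` block inside `chef_run` assigns `node.default['mapr']['config']['acls']['user'][u] = 'fc2'` twice, so the recipe's `group` branch is never exercised; the second line was presumably meant to be `node.default['mapr']['config']['acls']['group'][u] = 'fc2'`, with a matching `-group` stub in `before` and a `set acl for group #{u}` expectation. The file is added as `spec/unit/recipes/acls.rb`; unless the project overrides RSpec's default `*_spec.rb` pattern it will not be loaded, so `acls_spec.rb` is the safer name. There is also no example for the guard's failure path, where `error!` raises because `maprcli acl show` exits non-zero, and that path is worth pinning since it aborts the converge.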