Fix selinux helper and rspec test

- Add test to be sure selinux helper sets context when the user configures their own workhorse directory - refactored selinux helper to not use the deprecated helper methods as discovered when the new test failed Signed-off-by: Robert Marshall <rmarshall@gitlab.com>

Fix selinux helper and rspec test
ad0838bf · Robert Marshall · 5f938bc9 · ad0838bf · ad0838bf
Commit ad0838bf authored 4 years ago by Robert Marshall
--- a/files/gitlab-cookbooks/package/libraries/helpers/selinux_helper.rb
+++ b/files/gitlab-cookbooks/package/libraries/helpers/selinux_helper.rb
@@ -5,8 +5,6 @@ class SELinuxHelper
    include ShellOutHelper
  
    def commands(node)
-      workhorse_helper = GitlabWorkhorseHelper.new(node)
-
      ssh_dir = File.join(node['gitlab']['user']['home'], ".ssh")
      authorized_keys = node['gitlab']['gitlab-shell']['auth_file']
      gitlab_shell_var_dir = node['gitlab']['gitlab-shell']['dir']
@@ -14,6 +12,7 @@ class SELinuxHelper
      gitlab_rails_dir = node['gitlab']['gitlab-rails']['dir']
      gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
      gitlab_shell_secret_file = File.join(gitlab_rails_etc_dir, 'gitlab_shell_secret')
+      gitlab_workhorse_sockets_directory = node['gitlab']['gitlab-workhorse']['sockets_directory']
  
      # If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the
      # git_user is valid.
@@ -24,7 +23,7 @@ class SELinuxHelper
        authorized_keys,
        gitlab_shell_config_file,
        gitlab_shell_secret_file,
-        workhorse_helper.sockets_directory
+        gitlab_workhorse_sockets_directory
      ].each do |file|
        selinux_code << "semanage fcontext -a -t gitlab_shell_t '#{file}'"
        next unless File.exist?(file)

--- a/spec/chef/recipes/selinux_spec.rb
+++ b/spec/chef/recipes/selinux_spec.rb
@@ -57,6 +57,28 @@ RSpec.describe 'gitlab::gitlab-selinux' do
      expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-workhorse/sockets'")
    end
  
+    context 'and the user configured a custom workhorse sockets directory' do
+      let(:user_sockets_directory) { '/how/do/you/do' }
+      before do
+        stub_gitlab_rb(
+          gitlab_workhorse: {
+            listen_network: 'unix',
+            sockets_directory: user_sockets_directory
+          }
+        )
+      end
+
+      it 'sets the security context of a custom workhorse sockets directory' do
+        allow(File).to receive(:exist?).with(user_sockets_directory).and_return(true)
+        lines = bash_block.code.split("\n")
+        files = [user_sockets_directory]
+        managed_files = files.map { |file| semanage_fcontext(file) }
+
+        expect(lines).to include(*managed_files)
+        expect(lines).to include("restorecon -v '#{user_sockets_directory}'")
+      end
+    end
+
    context 'when gitlab-rails is disabled' do
      before do
        stub_gitlab_rb(