Replace hard coded path, add tests

ba76b2c4 · John Long · Robert Marshall · 1968476b · ba76b2c4 · ba76b2c4
Commit ba76b2c4 authored 4 years ago by John Long Committed by Robert Marshall 4 years ago
--- a/files/gitlab-cookbooks/package/libraries/helpers/selinux_helper.rb
+++ b/files/gitlab-cookbooks/package/libraries/helpers/selinux_helper.rb
@@ -8,7 +8,7 @@ class SELinuxHelper
      gitlab_rails_dir = node['gitlab']['gitlab-rails']['dir']
      gitlab_rails_etc_dir = File.join(gitlab_rails_dir, "etc")
      gitlab_shell_secret_file = File.join(gitlab_rails_etc_dir, 'gitlab_shell_secret')
-      gitlab_workhorse_sock = '/var/opt/gitlab/gitlab-workhorse/socket'
+      gitlab_workhorse_sock = node['gitlab']['gitlab-workhorse']['listen_addr']
  
      # If SELinux is enabled, make sure that OpenSSH thinks the .ssh directory and authorized_keys file of the
      # git_user is valid.

--- a/spec/chef/recipes/selinux_spec.rb
+++ b/spec/chef/recipes/selinux_spec.rb
@@ -23,12 +23,13 @@ RSpec.describe 'gitlab::gitlab-selinux' do
      allow(File).to receive(:exist?).with('/var/opt/gitlab/.ssh/authorized_keys').and_return(true)
      allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret').and_return(true)
      allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-shell/config.yml').and_return(true)
+      allow(File).to receive(:exist?).with('/var/opt/gitlab/gitlab-workhorse/socket').and_return(true)
    end
  
    let(:bash_block) { chef_run.bash('Set proper security context on ssh files for selinux') }
  
    def semanage_fcontext(filename)
-      "semanage fcontext -a -t ssh_home_t '#{filename}'"
+      "semanage fcontext -a -t gitlab_shell_t '#{filename}'"
    end
  
    it 'should run the semanage bash command' do
@@ -40,7 +41,8 @@ RSpec.describe 'gitlab::gitlab-selinux' do
      files = %w(/var/opt/gitlab/.ssh(/.*)?
                 /var/opt/gitlab/.ssh/authorized_keys
                 /var/opt/gitlab/gitlab-shell/config.yml
-                 /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret)
+                 /var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret
+                /var/opt/gitlab/gitlab-workhorse/socket)
      managed_files = files.map { |file| semanage_fcontext(file) }
  
      expect(lines).to include(*managed_files)
@@ -48,6 +50,7 @@ RSpec.describe 'gitlab::gitlab-selinux' do
      expect(lines).to include("restorecon -v '/var/opt/gitlab/.ssh/authorized_keys'")
      expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-shell/config.yml'")
      expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-rails/etc/gitlab_shell_secret'")
+      expect(lines).to include("restorecon -v '/var/opt/gitlab/gitlab-workhorse/socket'")
    end
  
    context 'when gitlab-rails is disabled' do