test_masterapi.py 32 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735
  1. # -*- coding: utf-8 -*-
  2. # Import Python libs
  3. from __future__ import absolute_import, print_function, unicode_literals
  4. from functools import wraps
  5. import os
  6. import io
  7. import stat
  8. # Import Salt libs
  9. import salt.config
  10. import salt.daemons.masterapi as masterapi
  11. import salt.utils.platform
  12. # Import Salt Testing Libs
  13. from tests.support.runtests import RUNTIME_VARS
  14. from tests.support.unit import TestCase
  15. from tests.support.mock import (
  16. patch,
  17. MagicMock,
  18. )
  19. def gen_permissions(owner='', group='', others=''):
  20. '''
  21. Helper method to generate file permission bits
  22. Usage: gen_permissions('rw', 'r', 'r')
  23. '''
  24. ret = 0
  25. for c in owner:
  26. ret |= getattr(stat, 'S_I{}USR'.format(c.upper()), 0)
  27. for c in group:
  28. ret |= getattr(stat, 'S_I{}GRP'.format(c.upper()), 0)
  29. for c in others:
  30. ret |= getattr(stat, 'S_I{}OTH'.format(c.upper()), 0)
  31. return ret
  32. def patch_check_permissions(uid=1, groups=None, is_windows=False, permissive_pki=False):
  33. if not groups:
  34. groups = [uid]
  35. def decorator(func):
  36. @wraps(func)
  37. def wrapper(self):
  38. self.auto_key.opts['permissive_pki_access'] = permissive_pki
  39. if salt.utils.platform.is_windows():
  40. with patch('salt.utils.platform.is_windows', MagicMock(return_value=True)):
  41. func(self)
  42. else:
  43. with patch('os.stat', self.os_stat_mock), \
  44. patch('os.getuid', MagicMock(return_value=uid)), \
  45. patch('salt.utils.user.get_gid_list', MagicMock(return_value=groups)), \
  46. patch('salt.utils.platform.is_windows', MagicMock(return_value=is_windows)):
  47. func(self)
  48. return wrapper
  49. return decorator
  50. class AutoKeyTest(TestCase):
  51. '''
  52. Tests for the salt.daemons.masterapi.AutoKey class
  53. '''
  54. def setUp(self):
  55. opts = salt.config.master_config(None)
  56. opts['user'] = 'test_user'
  57. self.auto_key = masterapi.AutoKey(opts)
  58. self.stats = {}
  59. def os_stat_mock(self, filename):
  60. fmode = MagicMock()
  61. fstats = self.stats.get(filename, {})
  62. fmode.st_mode = fstats.get('mode', 0)
  63. fmode.st_gid = fstats.get('gid', 0)
  64. return fmode
  65. @patch_check_permissions(uid=0, is_windows=True)
  66. def test_check_permissions_windows(self):
  67. '''
  68. Assert that all files are accepted on windows
  69. '''
  70. self.stats['testfile'] = {'mode': gen_permissions('rwx', 'rwx', 'rwx'), 'gid': 2}
  71. self.assertTrue(self.auto_key.check_permissions('testfile'))
  72. @patch_check_permissions(permissive_pki=True)
  73. def test_check_permissions_others_can_write(self):
  74. '''
  75. Assert that no file is accepted, when others can write to it
  76. '''
  77. self.stats['testfile'] = {'mode': gen_permissions('', '', 'w'), 'gid': 1}
  78. if salt.utils.platform.is_windows():
  79. self.assertTrue(self.auto_key.check_permissions('testfile'))
  80. else:
  81. self.assertFalse(self.auto_key.check_permissions('testfile'))
  82. @patch_check_permissions()
  83. def test_check_permissions_group_can_write_not_permissive(self):
  84. '''
  85. Assert that a file is accepted, when group can write to it and perkissive_pki_access=False
  86. '''
  87. self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 1}
  88. if salt.utils.platform.is_windows():
  89. self.assertTrue(self.auto_key.check_permissions('testfile'))
  90. else:
  91. self.assertFalse(self.auto_key.check_permissions('testfile'))
  92. @patch_check_permissions(permissive_pki=True)
  93. def test_check_permissions_group_can_write_permissive(self):
  94. '''
  95. Assert that a file is accepted, when group can write to it and perkissive_pki_access=True
  96. '''
  97. self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 1}
  98. self.assertTrue(self.auto_key.check_permissions('testfile'))
  99. @patch_check_permissions(uid=0, permissive_pki=True)
  100. def test_check_permissions_group_can_write_permissive_root_in_group(self):
  101. '''
  102. Assert that a file is accepted, when group can write to it, perkissive_pki_access=False,
  103. salt is root and in the file owning group
  104. '''
  105. self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 0}
  106. self.assertTrue(self.auto_key.check_permissions('testfile'))
  107. @patch_check_permissions(uid=0, permissive_pki=True)
  108. def test_check_permissions_group_can_write_permissive_root_not_in_group(self):
  109. '''
  110. Assert that no file is accepted, when group can write to it, perkissive_pki_access=False,
  111. salt is root and **not** in the file owning group
  112. '''
  113. self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 1}
  114. if salt.utils.platform.is_windows():
  115. self.assertTrue(self.auto_key.check_permissions('testfile'))
  116. else:
  117. self.assertFalse(self.auto_key.check_permissions('testfile'))
  118. @patch_check_permissions()
  119. def test_check_permissions_only_owner_can_write(self):
  120. '''
  121. Assert that a file is accepted, when only the owner can write to it
  122. '''
  123. self.stats['testfile'] = {'mode': gen_permissions('w', '', ''), 'gid': 1}
  124. self.assertTrue(self.auto_key.check_permissions('testfile'))
  125. @patch_check_permissions(uid=0)
  126. def test_check_permissions_only_owner_can_write_root(self):
  127. '''
  128. Assert that a file is accepted, when only the owner can write to it and salt is root
  129. '''
  130. self.stats['testfile'] = {'mode': gen_permissions('w', '', ''), 'gid': 0}
  131. self.assertTrue(self.auto_key.check_permissions('testfile'))
  132. def _test_check_autosign_grains(self,
  133. test_func,
  134. file_content='test_value',
  135. file_name='test_grain',
  136. autosign_grains_dir='test_dir',
  137. permissions_ret=True):
  138. '''
  139. Helper function for testing autosign_grains().
  140. Patches ``os.walk`` to return only ``file_name`` and ``salt.utils.files.fopen`` to open a
  141. mock file with ``file_content`` as content. Optionally sets ``opts`` values.
  142. Then executes test_func. The ``os.walk`` and ``salt.utils.files.fopen`` mock objects
  143. are passed to the function as arguments.
  144. '''
  145. if autosign_grains_dir:
  146. self.auto_key.opts['autosign_grains_dir'] = autosign_grains_dir
  147. mock_file = io.StringIO(file_content)
  148. mock_dirs = [(None, None, [file_name])]
  149. with patch('os.walk', MagicMock(return_value=mock_dirs)) as mock_walk, \
  150. patch('salt.utils.files.fopen', MagicMock(return_value=mock_file)) as mock_open, \
  151. patch('salt.daemons.masterapi.AutoKey.check_permissions',
  152. MagicMock(return_value=permissions_ret)) as mock_permissions:
  153. test_func(mock_walk, mock_open, mock_permissions)
  154. def test_check_autosign_grains_no_grains(self):
  155. '''
  156. Asserts that autosigning from grains fails when no grain values are passed.
  157. '''
  158. def test_func(mock_walk, mock_open, mock_permissions):
  159. self.assertFalse(self.auto_key.check_autosign_grains(None))
  160. self.assertEqual(mock_walk.call_count, 0)
  161. self.assertEqual(mock_open.call_count, 0)
  162. self.assertEqual(mock_permissions.call_count, 0)
  163. self.assertFalse(self.auto_key.check_autosign_grains({}))
  164. self.assertEqual(mock_walk.call_count, 0)
  165. self.assertEqual(mock_open.call_count, 0)
  166. self.assertEqual(mock_permissions.call_count, 0)
  167. self._test_check_autosign_grains(test_func)
  168. def test_check_autosign_grains_no_autosign_grains_dir(self):
  169. '''
  170. Asserts that autosigning from grains fails when the \'autosign_grains_dir\' config option
  171. is undefined.
  172. '''
  173. def test_func(mock_walk, mock_open, mock_permissions):
  174. self.assertFalse(self.auto_key.check_autosign_grains({'test_grain': 'test_value'}))
  175. self.assertEqual(mock_walk.call_count, 0)
  176. self.assertEqual(mock_open.call_count, 0)
  177. self.assertEqual(mock_permissions.call_count, 0)
  178. self._test_check_autosign_grains(test_func, autosign_grains_dir=None)
  179. def test_check_autosign_grains_accept(self):
  180. '''
  181. Asserts that autosigning from grains passes when a matching grain value is in an
  182. autosign_grain file.
  183. '''
  184. def test_func(*args):
  185. self.assertTrue(self.auto_key.check_autosign_grains({'test_grain': 'test_value'}))
  186. file_content = '#test_ignore\ntest_value'
  187. self._test_check_autosign_grains(test_func, file_content=file_content)
  188. def test_check_autosign_grains_accept_not(self):
  189. '''
  190. Asserts that autosigning from grains fails when the grain value is not in the
  191. autosign_grain files.
  192. '''
  193. def test_func(*args):
  194. self.assertFalse(self.auto_key.check_autosign_grains({'test_grain': 'test_invalid'}))
  195. file_content = '#test_invalid\ntest_value'
  196. self._test_check_autosign_grains(test_func, file_content=file_content)
  197. def test_check_autosign_grains_invalid_file_permissions(self):
  198. '''
  199. Asserts that autosigning from grains fails when the grain file has the wrong permissions.
  200. '''
  201. def test_func(*args):
  202. self.assertFalse(self.auto_key.check_autosign_grains({'test_grain': 'test_value'}))
  203. file_content = '#test_ignore\ntest_value'
  204. self._test_check_autosign_grains(test_func, file_content=file_content, permissions_ret=False)
  205. class LocalFuncsTestCase(TestCase):
  206. '''
  207. TestCase for salt.daemons.masterapi.LocalFuncs class
  208. '''
  209. def setUp(self):
  210. opts = salt.config.master_config(None)
  211. self.local_funcs = masterapi.LocalFuncs(opts, 'test-key')
  212. # runner tests
  213. def test_runner_token_not_authenticated(self):
  214. '''
  215. Asserts that a TokenAuthenticationError is returned when the token can't authenticate.
  216. '''
  217. mock_ret = {'error': {'name': 'TokenAuthenticationError',
  218. 'message': 'Authentication failure of type "token" occurred.'}}
  219. ret = self.local_funcs.runner({'token': 'asdfasdfasdfasdf'})
  220. self.assertDictEqual(mock_ret, ret)
  221. def test_runner_token_authorization_error(self):
  222. '''
  223. Asserts that a TokenAuthenticationError is returned when the token authenticates, but is
  224. not authorized.
  225. '''
  226. token = 'asdfasdfasdfasdf'
  227. load = {'token': token, 'fun': 'test.arg', 'kwarg': {}}
  228. mock_token = {'token': token, 'eauth': 'foo', 'name': 'test'}
  229. mock_ret = {'error': {'name': 'TokenAuthenticationError',
  230. 'message': 'Authentication failure of type "token" occurred '
  231. 'for user test.'}}
  232. with patch('salt.auth.LoadAuth.authenticate_token', MagicMock(return_value=mock_token)), \
  233. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=[])):
  234. ret = self.local_funcs.runner(load)
  235. self.assertDictEqual(mock_ret, ret)
  236. def test_runner_token_salt_invocation_error(self):
  237. '''
  238. Asserts that a SaltInvocationError is returned when the token authenticates, but the
  239. command is malformed.
  240. '''
  241. token = 'asdfasdfasdfasdf'
  242. load = {'token': token, 'fun': 'badtestarg', 'kwarg': {}}
  243. mock_token = {'token': token, 'eauth': 'foo', 'name': 'test'}
  244. mock_ret = {'error': {'name': 'SaltInvocationError',
  245. 'message': 'A command invocation error occurred: Check syntax.'}}
  246. with patch('salt.auth.LoadAuth.authenticate_token', MagicMock(return_value=mock_token)), \
  247. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=['testing'])):
  248. ret = self.local_funcs.runner(load)
  249. self.assertDictEqual(mock_ret, ret)
  250. def test_runner_eauth_not_authenticated(self):
  251. '''
  252. Asserts that an EauthAuthenticationError is returned when the user can't authenticate.
  253. '''
  254. mock_ret = {'error': {'name': 'EauthAuthenticationError',
  255. 'message': 'Authentication failure of type "eauth" occurred for '
  256. 'user UNKNOWN.'}}
  257. ret = self.local_funcs.runner({'eauth': 'foo'})
  258. self.assertDictEqual(mock_ret, ret)
  259. def test_runner_eauth_authorization_error(self):
  260. '''
  261. Asserts that an EauthAuthenticationError is returned when the user authenticates, but is
  262. not authorized.
  263. '''
  264. load = {'eauth': 'foo', 'username': 'test', 'fun': 'test.arg', 'kwarg': {}}
  265. mock_ret = {'error': {'name': 'EauthAuthenticationError',
  266. 'message': 'Authentication failure of type "eauth" occurred for '
  267. 'user test.'}}
  268. with patch('salt.auth.LoadAuth.authenticate_eauth', MagicMock(return_value=True)), \
  269. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=[])):
  270. ret = self.local_funcs.runner(load)
  271. self.assertDictEqual(mock_ret, ret)
  272. def test_runner_eauth_salt_invocation_error(self):
  273. '''
  274. Asserts that an EauthAuthenticationError is returned when the user authenticates, but the
  275. command is malformed.
  276. '''
  277. load = {'eauth': 'foo', 'username': 'test', 'fun': 'bad.test.arg.func', 'kwarg': {}}
  278. mock_ret = {'error': {'name': 'SaltInvocationError',
  279. 'message': 'A command invocation error occurred: Check syntax.'}}
  280. with patch('salt.auth.LoadAuth.authenticate_eauth', MagicMock(return_value=True)), \
  281. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=['testing'])):
  282. ret = self.local_funcs.runner(load)
  283. self.assertDictEqual(mock_ret, ret)
  284. # wheel tests
  285. def test_wheel_token_not_authenticated(self):
  286. '''
  287. Asserts that a TokenAuthenticationError is returned when the token can't authenticate.
  288. '''
  289. mock_ret = {'error': {'name': 'TokenAuthenticationError',
  290. 'message': 'Authentication failure of type "token" occurred.'}}
  291. ret = self.local_funcs.wheel({'token': 'asdfasdfasdfasdf'})
  292. self.assertDictEqual(mock_ret, ret)
  293. def test_wheel_token_authorization_error(self):
  294. '''
  295. Asserts that a TokenAuthenticationError is returned when the token authenticates, but is
  296. not authorized.
  297. '''
  298. token = 'asdfasdfasdfasdf'
  299. load = {'token': token, 'fun': 'test.arg', 'kwarg': {}}
  300. mock_token = {'token': token, 'eauth': 'foo', 'name': 'test'}
  301. mock_ret = {'error': {'name': 'TokenAuthenticationError',
  302. 'message': 'Authentication failure of type "token" occurred '
  303. 'for user test.'}}
  304. with patch('salt.auth.LoadAuth.authenticate_token', MagicMock(return_value=mock_token)), \
  305. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=[])):
  306. ret = self.local_funcs.wheel(load)
  307. self.assertDictEqual(mock_ret, ret)
  308. def test_wheel_token_salt_invocation_error(self):
  309. '''
  310. Asserts that a SaltInvocationError is returned when the token authenticates, but the
  311. command is malformed.
  312. '''
  313. token = 'asdfasdfasdfasdf'
  314. load = {'token': token, 'fun': 'badtestarg', 'kwarg': {}}
  315. mock_token = {'token': token, 'eauth': 'foo', 'name': 'test'}
  316. mock_ret = {'error': {'name': 'SaltInvocationError',
  317. 'message': 'A command invocation error occurred: Check syntax.'}}
  318. with patch('salt.auth.LoadAuth.authenticate_token', MagicMock(return_value=mock_token)), \
  319. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=['testing'])):
  320. ret = self.local_funcs.wheel(load)
  321. self.assertDictEqual(mock_ret, ret)
  322. def test_wheel_eauth_not_authenticated(self):
  323. '''
  324. Asserts that an EauthAuthenticationError is returned when the user can't authenticate.
  325. '''
  326. mock_ret = {'error': {'name': 'EauthAuthenticationError',
  327. 'message': 'Authentication failure of type "eauth" occurred for '
  328. 'user UNKNOWN.'}}
  329. ret = self.local_funcs.wheel({'eauth': 'foo'})
  330. self.assertDictEqual(mock_ret, ret)
  331. def test_wheel_eauth_authorization_error(self):
  332. '''
  333. Asserts that an EauthAuthenticationError is returned when the user authenticates, but is
  334. not authorized.
  335. '''
  336. load = {'eauth': 'foo', 'username': 'test', 'fun': 'test.arg', 'kwarg': {}}
  337. mock_ret = {'error': {'name': 'EauthAuthenticationError',
  338. 'message': 'Authentication failure of type "eauth" occurred for '
  339. 'user test.'}}
  340. with patch('salt.auth.LoadAuth.authenticate_eauth', MagicMock(return_value=True)), \
  341. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=[])):
  342. ret = self.local_funcs.wheel(load)
  343. self.assertDictEqual(mock_ret, ret)
  344. def test_wheel_eauth_salt_invocation_error(self):
  345. '''
  346. Asserts that an EauthAuthenticationError is returned when the user authenticates, but the
  347. command is malformed.
  348. '''
  349. load = {'eauth': 'foo', 'username': 'test', 'fun': 'bad.test.arg.func', 'kwarg': {}}
  350. mock_ret = {'error': {'name': 'SaltInvocationError',
  351. 'message': 'A command invocation error occurred: Check syntax.'}}
  352. with patch('salt.auth.LoadAuth.authenticate_eauth', MagicMock(return_value=True)), \
  353. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=['testing'])):
  354. ret = self.local_funcs.wheel(load)
  355. self.assertDictEqual(mock_ret, ret)
  356. def test_wheel_user_not_authenticated(self):
  357. '''
  358. Asserts that an UserAuthenticationError is returned when the user can't authenticate.
  359. '''
  360. mock_ret = {'error': {'name': 'UserAuthenticationError',
  361. 'message': 'Authentication failure of type "user" occurred for '
  362. 'user UNKNOWN.'}}
  363. ret = self.local_funcs.wheel({})
  364. self.assertDictEqual(mock_ret, ret)
  365. # publish tests
  366. def test_publish_user_is_blacklisted(self):
  367. '''
  368. Asserts that an AuthorizationError is returned when the user has been blacklisted.
  369. '''
  370. mock_ret = {'error': {'name': 'AuthorizationError',
  371. 'message': 'Authorization error occurred.'}}
  372. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=True)):
  373. self.assertEqual(mock_ret, self.local_funcs.publish({'user': 'foo', 'fun': 'test.arg'}))
  374. def test_publish_cmd_blacklisted(self):
  375. '''
  376. Asserts that an AuthorizationError is returned when the command has been blacklisted.
  377. '''
  378. mock_ret = {'error': {'name': 'AuthorizationError',
  379. 'message': 'Authorization error occurred.'}}
  380. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  381. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=True)):
  382. self.assertEqual(mock_ret, self.local_funcs.publish({'user': 'foo', 'fun': 'test.arg'}))
  383. def test_publish_token_not_authenticated(self):
  384. '''
  385. Asserts that an AuthenticationError is returned when the token can't authenticate.
  386. '''
  387. load = {'user': 'foo', 'fun': 'test.arg', 'tgt': 'test_minion',
  388. 'kwargs': {'token': 'asdfasdfasdfasdf'}}
  389. mock_ret = {'error': {'name': 'AuthenticationError',
  390. 'message': 'Authentication error occurred.'}}
  391. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  392. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=False)):
  393. self.assertEqual(mock_ret, self.local_funcs.publish(load))
  394. def test_publish_token_authorization_error(self):
  395. '''
  396. Asserts that an AuthorizationError is returned when the token authenticates, but is not
  397. authorized.
  398. '''
  399. token = 'asdfasdfasdfasdf'
  400. load = {'user': 'foo', 'fun': 'test.arg', 'tgt': 'test_minion',
  401. 'arg': 'bar', 'kwargs': {'token': token}}
  402. mock_token = {'token': token, 'eauth': 'foo', 'name': 'test'}
  403. mock_ret = {'error': {'name': 'AuthorizationError',
  404. 'message': 'Authorization error occurred.'}}
  405. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  406. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=False)), \
  407. patch('salt.auth.LoadAuth.authenticate_token', MagicMock(return_value=mock_token)), \
  408. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=[])):
  409. self.assertEqual(mock_ret, self.local_funcs.publish(load))
  410. def test_publish_eauth_not_authenticated(self):
  411. '''
  412. Asserts that an AuthenticationError is returned when the user can't authenticate.
  413. '''
  414. load = {'user': 'test', 'fun': 'test.arg', 'tgt': 'test_minion',
  415. 'kwargs': {'eauth': 'foo'}}
  416. mock_ret = {'error': {'name': 'AuthenticationError',
  417. 'message': 'Authentication error occurred.'}}
  418. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  419. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=False)):
  420. self.assertEqual(mock_ret, self.local_funcs.publish(load))
  421. def test_publish_eauth_authorization_error(self):
  422. '''
  423. Asserts that an AuthorizationError is returned when the user authenticates, but is not
  424. authorized.
  425. '''
  426. load = {'user': 'test', 'fun': 'test.arg', 'tgt': 'test_minion',
  427. 'kwargs': {'eauth': 'foo'}, 'arg': 'bar'}
  428. mock_ret = {'error': {'name': 'AuthorizationError',
  429. 'message': 'Authorization error occurred.'}}
  430. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  431. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=False)), \
  432. patch('salt.auth.LoadAuth.authenticate_eauth', MagicMock(return_value=True)), \
  433. patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=[])):
  434. self.assertEqual(mock_ret, self.local_funcs.publish(load))
  435. def test_publish_user_not_authenticated(self):
  436. '''
  437. Asserts that an AuthenticationError is returned when the user can't authenticate.
  438. '''
  439. load = {'user': 'test', 'fun': 'test.arg', 'tgt': 'test_minion'}
  440. mock_ret = {'error': {'name': 'AuthenticationError',
  441. 'message': 'Authentication error occurred.'}}
  442. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  443. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=False)):
  444. self.assertEqual(mock_ret, self.local_funcs.publish(load))
  445. def test_publish_user_authenticated_missing_auth_list(self):
  446. '''
  447. Asserts that an AuthenticationError is returned when the user has an effective user id and is
  448. authenticated, but the auth_list is empty.
  449. '''
  450. load = {'user': 'test', 'fun': 'test.arg', 'tgt': 'test_minion',
  451. 'kwargs': {'user': 'test'}, 'arg': 'foo'}
  452. mock_ret = {'error': {'name': 'AuthenticationError',
  453. 'message': 'Authentication error occurred.'}}
  454. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  455. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=False)), \
  456. patch('salt.auth.LoadAuth.authenticate_key', MagicMock(return_value='fake-user-key')), \
  457. patch('salt.utils.master.get_values_of_matching_keys', MagicMock(return_value=[])):
  458. self.assertEqual(mock_ret, self.local_funcs.publish(load))
  459. def test_publish_user_authorization_error(self):
  460. '''
  461. Asserts that an AuthorizationError is returned when the user authenticates, but is not
  462. authorized.
  463. '''
  464. load = {'user': 'test', 'fun': 'test.arg', 'tgt': 'test_minion',
  465. 'kwargs': {'user': 'test'}, 'arg': 'foo'}
  466. mock_ret = {'error': {'name': 'AuthorizationError',
  467. 'message': 'Authorization error occurred.'}}
  468. with patch('salt.acl.PublisherACL.user_is_blacklisted', MagicMock(return_value=False)), \
  469. patch('salt.acl.PublisherACL.cmd_is_blacklisted', MagicMock(return_value=False)), \
  470. patch('salt.auth.LoadAuth.authenticate_key', MagicMock(return_value='fake-user-key')), \
  471. patch('salt.utils.master.get_values_of_matching_keys', MagicMock(return_value=['test'])), \
  472. patch('salt.utils.minions.CkMinions.auth_check', MagicMock(return_value=False)):
  473. self.assertEqual(mock_ret, self.local_funcs.publish(load))
  474. class FakeCache(object):
  475. def __init__(self):
  476. self.data = {}
  477. def store(self, bank, key, value):
  478. self.data[bank, key] = value
  479. def fetch(self, bank, key):
  480. return self.data[bank, key]
  481. class RemoteFuncsTestCase(TestCase):
  482. '''
  483. TestCase for salt.daemons.masterapi.RemoteFuncs class
  484. '''
  485. def setUp(self):
  486. opts = salt.config.master_config(os.path.join(RUNTIME_VARS.TMP_CONF_DIR, 'master'))
  487. self.funcs = masterapi.RemoteFuncs(opts)
  488. self.funcs.cache = FakeCache()
  489. def test_mine_get(self, tgt_type_key='tgt_type'):
  490. '''
  491. Asserts that ``mine_get`` gives the expected results.
  492. Actually this only tests that:
  493. - the correct check minions method is called
  494. - the correct cache key is subsequently used
  495. '''
  496. self.funcs.cache.store('minions/webserver', 'mine',
  497. dict(ip_addr='2001:db8::1:3'))
  498. with patch('salt.utils.minions.CkMinions._check_compound_minions',
  499. MagicMock(return_value=(dict(
  500. minions=['webserver'],
  501. missing=[])))):
  502. ret = self.funcs._mine_get(
  503. {
  504. 'id': 'requester_minion',
  505. 'tgt': 'G@roles:web',
  506. 'fun': 'ip_addr',
  507. tgt_type_key: 'compound',
  508. }
  509. )
  510. self.assertDictEqual(ret, dict(webserver='2001:db8::1:3'))
  511. def test_mine_get_pre_nitrogen_compat(self):
  512. '''
  513. Asserts that pre-Nitrogen API key ``expr_form`` is still accepted.
  514. This is what minions before Nitrogen would issue.
  515. '''
  516. self.test_mine_get(tgt_type_key='expr_form')
  517. def test_mine_get_dict_str(self, tgt_type_key='tgt_type'):
  518. '''
  519. Asserts that ``mine_get`` gives the expected results when request
  520. is a comma-separated list.
  521. Actually this only tests that:
  522. - the correct check minions method is called
  523. - the correct cache key is subsequently used
  524. '''
  525. self.funcs.cache.store('minions/webserver', 'mine',
  526. dict(ip_addr='2001:db8::1:3', ip4_addr='127.0.0.1'))
  527. with patch('salt.utils.minions.CkMinions._check_compound_minions',
  528. MagicMock(return_value=(dict(
  529. minions=['webserver'],
  530. missing=[])))):
  531. ret = self.funcs._mine_get(
  532. {
  533. 'id': 'requester_minion',
  534. 'tgt': 'G@roles:web',
  535. 'fun': 'ip_addr,ip4_addr',
  536. tgt_type_key: 'compound',
  537. }
  538. )
  539. self.assertDictEqual(ret, dict(ip_addr=dict(webserver='2001:db8::1:3'), ip4_addr=dict(webserver='127.0.0.1')))
  540. def test_mine_get_dict_list(self, tgt_type_key='tgt_type'):
  541. '''
  542. Asserts that ``mine_get`` gives the expected results when request
  543. is a list.
  544. Actually this only tests that:
  545. - the correct check minions method is called
  546. - the correct cache key is subsequently used
  547. '''
  548. self.funcs.cache.store('minions/webserver', 'mine',
  549. dict(ip_addr='2001:db8::1:3', ip4_addr='127.0.0.1'))
  550. with patch('salt.utils.minions.CkMinions._check_compound_minions',
  551. MagicMock(return_value=(dict(
  552. minions=['webserver'],
  553. missing=[])))):
  554. ret = self.funcs._mine_get(
  555. {
  556. 'id': 'requester_minion',
  557. 'tgt': 'G@roles:web',
  558. 'fun': ['ip_addr', 'ip4_addr'],
  559. tgt_type_key: 'compound',
  560. }
  561. )
  562. self.assertDictEqual(ret, dict(ip_addr=dict(webserver='2001:db8::1:3'), ip4_addr=dict(webserver='127.0.0.1')))
  563. def test_mine_get_acl_allowed(self):
  564. '''
  565. Asserts that ``mine_get`` gives the expected results when this is allowed
  566. in the client-side ACL that was stored in the mine data.
  567. '''
  568. self.funcs.cache.store(
  569. 'minions/webserver',
  570. 'mine',
  571. {
  572. 'ip_addr': {
  573. salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:4',
  574. salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
  575. 'allow_tgt': 'requester_minion',
  576. 'allow_tgt_type': 'glob',
  577. },
  578. }
  579. )
  580. # The glob check is for the resolution of the allow_tgt
  581. # The compound check is for the resolution of the tgt in the mine_get request.
  582. with \
  583. patch('salt.utils.minions.CkMinions._check_glob_minions',
  584. MagicMock(return_value={'minions': ['requester_minion'], 'missing': []})
  585. ), \
  586. patch('salt.utils.minions.CkMinions._check_compound_minions',
  587. MagicMock(return_value={'minions': ['webserver'], 'missing': []})
  588. ):
  589. ret = self.funcs._mine_get(
  590. {
  591. 'id': 'requester_minion',
  592. 'tgt': 'anything',
  593. 'tgt_type': 'compound',
  594. 'fun': ['ip_addr'],
  595. }
  596. )
  597. self.assertDictEqual(
  598. ret,
  599. {'ip_addr': {'webserver': '2001:db8::1:4'}}
  600. )
  601. def test_mine_get_acl_rejected(self):
  602. '''
  603. Asserts that ``mine_get`` gives the expected results when this is rejected
  604. in the client-side ACL that was stored in the mine data. This results in
  605. no data being sent back (just as if the entry wouldn't exist).
  606. '''
  607. self.funcs.cache.store(
  608. 'minions/webserver',
  609. 'mine',
  610. {
  611. 'ip_addr': {
  612. salt.utils.mine.MINE_ITEM_ACL_DATA: '2001:db8::1:4',
  613. salt.utils.mine.MINE_ITEM_ACL_ID: salt.utils.mine.MINE_ITEM_ACL_VERSION,
  614. 'allow_tgt': 'not_requester_minion',
  615. 'allow_tgt_type': 'glob',
  616. }
  617. }
  618. )
  619. # The glob check is for the resolution of the allow_tgt
  620. # The compound check is for the resolution of the tgt in the mine_get request.
  621. with \
  622. patch('salt.utils.minions.CkMinions._check_glob_minions',
  623. MagicMock(return_value={'minions': ['not_requester_minion'], 'missing': []})
  624. ), \
  625. patch('salt.utils.minions.CkMinions._check_compound_minions',
  626. MagicMock(return_value={'minions': ['webserver'], 'missing': []})
  627. ):
  628. ret = self.funcs._mine_get(
  629. {
  630. 'id': 'requester_minion',
  631. 'tgt': 'anything',
  632. 'tgt_type': 'compound',
  633. 'fun': ['ip_addr'],
  634. }
  635. )
  636. self.assertDictEqual(
  637. ret,
  638. {}
  639. )