test_auth.py 30 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662
  1. # -*- coding: utf-8 -*-
  2. '''
  3. :codeauthor: Mike Place <mp@saltstack.com>
  4. '''
  5. # Import pytohn libs
  6. from __future__ import absolute_import, print_function, unicode_literals
  7. import time
  8. # Import Salt Testing libs
  9. from tests.support.unit import TestCase, skipIf
  10. from tests.support.mock import patch, call, MagicMock
  11. # Import Salt libraries
  12. import salt.master
  13. from tests.support.case import ModuleCase
  14. from salt import auth
  15. from salt.exceptions import SaltDeserializationError
  16. import salt.utils.platform
  17. class LoadAuthTestCase(TestCase):
  18. def setUp(self): # pylint: disable=W0221
  19. patches = (
  20. ('salt.payload.Serial', None),
  21. ('salt.loader.auth', dict(return_value={'pam.auth': 'fake_func_str', 'pam.groups': 'fake_groups_function_str'})),
  22. ('salt.loader.eauth_tokens', dict(return_value={'localfs.mk_token': 'fake_func_mktok',
  23. 'localfs.get_token': 'fake_func_gettok',
  24. 'localfs.rm_roken': 'fake_func_rmtok'}))
  25. )
  26. for mod, mock in patches:
  27. if mock:
  28. patcher = patch(mod, **mock)
  29. else:
  30. patcher = patch(mod)
  31. patcher.start()
  32. self.addCleanup(patcher.stop)
  33. self.lauth = auth.LoadAuth({}) # Load with empty opts
  34. def test_get_tok_with_broken_file_will_remove_bad_token(self):
  35. fake_get_token = MagicMock(side_effect=SaltDeserializationError('hi'))
  36. patch_opts = patch.dict(self.lauth.opts, {'eauth_tokens': 'testfs'})
  37. patch_get_token = patch.dict(
  38. self.lauth.tokens,
  39. {
  40. 'testfs.get_token': fake_get_token
  41. },
  42. )
  43. mock_rm_token = MagicMock()
  44. patch_rm_token = patch.object(self.lauth, 'rm_token', mock_rm_token)
  45. with patch_opts, patch_get_token, patch_rm_token:
  46. expected_token = 'fnord'
  47. self.lauth.get_tok(expected_token)
  48. mock_rm_token.assert_called_with(expected_token)
  49. def test_get_tok_with_no_expiration_should_remove_bad_token(self):
  50. fake_get_token = MagicMock(return_value={'no_expire_here': 'Nope'})
  51. patch_opts = patch.dict(self.lauth.opts, {'eauth_tokens': 'testfs'})
  52. patch_get_token = patch.dict(
  53. self.lauth.tokens,
  54. {
  55. 'testfs.get_token': fake_get_token
  56. },
  57. )
  58. mock_rm_token = MagicMock()
  59. patch_rm_token = patch.object(self.lauth, 'rm_token', mock_rm_token)
  60. with patch_opts, patch_get_token, patch_rm_token:
  61. expected_token = 'fnord'
  62. self.lauth.get_tok(expected_token)
  63. mock_rm_token.assert_called_with(expected_token)
  64. def test_get_tok_with_expire_before_current_time_should_remove_token(self):
  65. fake_get_token = MagicMock(return_value={'expire': time.time()-1})
  66. patch_opts = patch.dict(self.lauth.opts, {'eauth_tokens': 'testfs'})
  67. patch_get_token = patch.dict(
  68. self.lauth.tokens,
  69. {
  70. 'testfs.get_token': fake_get_token
  71. },
  72. )
  73. mock_rm_token = MagicMock()
  74. patch_rm_token = patch.object(self.lauth, 'rm_token', mock_rm_token)
  75. with patch_opts, patch_get_token, patch_rm_token:
  76. expected_token = 'fnord'
  77. self.lauth.get_tok(expected_token)
  78. mock_rm_token.assert_called_with(expected_token)
  79. def test_get_tok_with_valid_expiration_should_return_token(self):
  80. expected_token = {'expire': time.time()+1}
  81. fake_get_token = MagicMock(return_value=expected_token)
  82. patch_opts = patch.dict(self.lauth.opts, {'eauth_tokens': 'testfs'})
  83. patch_get_token = patch.dict(
  84. self.lauth.tokens,
  85. {
  86. 'testfs.get_token': fake_get_token
  87. },
  88. )
  89. mock_rm_token = MagicMock()
  90. patch_rm_token = patch.object(self.lauth, 'rm_token', mock_rm_token)
  91. with patch_opts, patch_get_token, patch_rm_token:
  92. token_name = 'fnord'
  93. actual_token = self.lauth.get_tok(token_name)
  94. mock_rm_token.assert_not_called()
  95. assert expected_token is actual_token, 'Token was not returned'
  96. def test_load_name(self):
  97. valid_eauth_load = {'username': 'test_user',
  98. 'show_timeout': False,
  99. 'test_password': '',
  100. 'eauth': 'pam'}
  101. # Test a case where the loader auth doesn't have the auth type
  102. without_auth_type = dict(valid_eauth_load)
  103. without_auth_type.pop('eauth')
  104. ret = self.lauth.load_name(without_auth_type)
  105. self.assertEqual(ret, '', "Did not bail when the auth loader didn't have the auth type.")
  106. # Test a case with valid params
  107. with patch('salt.utils.args.arg_lookup',
  108. MagicMock(return_value={'args': ['username', 'password']})) as format_call_mock:
  109. expected_ret = call('fake_func_str')
  110. ret = self.lauth.load_name(valid_eauth_load)
  111. format_call_mock.assert_has_calls((expected_ret,), any_order=True)
  112. self.assertEqual(ret, 'test_user')
  113. def test_get_groups(self):
  114. valid_eauth_load = {'username': 'test_user',
  115. 'show_timeout': False,
  116. 'test_password': '',
  117. 'eauth': 'pam'}
  118. with patch('salt.utils.args.format_call') as format_call_mock:
  119. expected_ret = call('fake_groups_function_str', {
  120. 'username': 'test_user',
  121. 'test_password': '',
  122. 'show_timeout': False,
  123. 'eauth': 'pam'
  124. }, expected_extra_kws=auth.AUTH_INTERNAL_KEYWORDS)
  125. self.lauth.get_groups(valid_eauth_load)
  126. format_call_mock.assert_has_calls((expected_ret,), any_order=True)
  127. class MasterACLTestCase(ModuleCase):
  128. '''
  129. A class to check various aspects of the publisher ACL system
  130. '''
  131. def setUp(self):
  132. self.fire_event_mock = MagicMock(return_value='dummy_tag')
  133. self.addCleanup(delattr, self, 'fire_event_mock')
  134. opts = self.get_temp_config('master')
  135. patches = (
  136. ('zmq.Context', MagicMock()),
  137. ('salt.payload.Serial.dumps', MagicMock()),
  138. ('salt.master.tagify', MagicMock()),
  139. ('salt.utils.event.SaltEvent.fire_event', self.fire_event_mock),
  140. ('salt.auth.LoadAuth.time_auth', MagicMock(return_value=True)),
  141. ('salt.minion.MasterMinion', MagicMock()),
  142. ('salt.utils.verify.check_path_traversal', MagicMock()),
  143. ('salt.client.get_local_client', MagicMock(return_value=opts['conf_file'])),
  144. )
  145. for mod, mock in patches:
  146. patcher = patch(mod, mock)
  147. patcher.start()
  148. self.addCleanup(patcher.stop)
  149. opts['publisher_acl'] = {}
  150. opts['publisher_acl_blacklist'] = {}
  151. opts['master_job_cache'] = ''
  152. opts['sign_pub_messages'] = False
  153. opts['con_cache'] = ''
  154. opts['external_auth'] = {}
  155. opts['external_auth']['pam'] = \
  156. {'test_user': [{'*': ['test.ping']},
  157. {'minion_glob*': ['foo.bar']},
  158. {'minion_func_test': ['func_test.*']}],
  159. 'test_group%': [{'*': ['test.echo']}],
  160. 'test_user_mminion': [{'target_minion': ['test.ping']}],
  161. '*': [{'my_minion': ['my_mod.my_func']}],
  162. 'test_user_func': [{'*': [{'test.echo': {'args': ['MSG:.*']}},
  163. {'test.echo': {'kwargs': {'text': 'KWMSG:.*',
  164. 'anything': '.*',
  165. 'none': None}}},
  166. {'my_mod.*': {'args': ['a.*', 'b.*'],
  167. 'kwargs': {'kwa': 'kwa.*',
  168. 'kwb': 'kwb'}}}]},
  169. {'minion1': [{'test.echo': {'args': ['TEST',
  170. None,
  171. 'TEST.*']}},
  172. {'test.empty': {}}]}
  173. ]
  174. }
  175. self.clear = salt.master.ClearFuncs(opts, MagicMock())
  176. self.addCleanup(delattr, self, 'clear')
  177. # overwrite the _send_pub method so we don't have to serialize MagicMock
  178. self.clear._send_pub = lambda payload: True
  179. # make sure to return a JID, instead of a mock
  180. self.clear.mminion.returners = {'.prep_jid': lambda x: 1}
  181. self.valid_clear_load = {'tgt_type': 'glob',
  182. 'jid': '',
  183. 'cmd': 'publish',
  184. 'tgt': 'test_minion',
  185. 'kwargs':
  186. {'username': 'test_user',
  187. 'password': 'test_password',
  188. 'show_timeout': False,
  189. 'eauth': 'pam',
  190. 'show_jid': False},
  191. 'ret': '',
  192. 'user': 'test_user',
  193. 'key': '',
  194. 'arg': '',
  195. 'fun': 'test.ping',
  196. }
  197. self.addCleanup(delattr, self, 'valid_clear_load')
  198. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  199. def test_master_publish_name(self):
  200. '''
  201. Test to ensure a simple name can auth against a given function.
  202. This tests to ensure test_user can access test.ping but *not* sys.doc
  203. '''
  204. _check_minions_return = {'minions': ['some_minions'], 'missing': []}
  205. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  206. # Can we access test.ping?
  207. self.clear.publish(self.valid_clear_load)
  208. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'], 'test.ping')
  209. # Are we denied access to sys.doc?
  210. sys_doc_load = self.valid_clear_load
  211. sys_doc_load['fun'] = 'sys.doc'
  212. self.clear.publish(sys_doc_load)
  213. self.assertNotEqual(self.fire_event_mock.call_args[0][0]['fun'], 'sys.doc') # If sys.doc were to fire, this would match
  214. def test_master_publish_group(self):
  215. '''
  216. Tests to ensure test_group can access test.echo but *not* sys.doc
  217. '''
  218. _check_minions_return = {'minions': ['some_minions'], 'missing': []}
  219. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  220. self.valid_clear_load['kwargs']['user'] = 'new_user'
  221. self.valid_clear_load['fun'] = 'test.echo'
  222. self.valid_clear_load['arg'] = 'hello'
  223. with patch('salt.auth.LoadAuth.get_groups', return_value=['test_group', 'second_test_group']):
  224. self.clear.publish(self.valid_clear_load)
  225. # Did we fire test.echo?
  226. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'], 'test.echo')
  227. # Request sys.doc
  228. self.valid_clear_load['fun'] = 'sys.doc'
  229. # Did we fire it?
  230. self.assertNotEqual(self.fire_event_mock.call_args[0][0]['fun'], 'sys.doc')
  231. def test_master_publish_some_minions(self):
  232. '''
  233. Tests to ensure we can only target minions for which we
  234. have permission with publisher acl.
  235. Note that in order for these sorts of tests to run correctly that
  236. you should NOT patch check_minions!
  237. '''
  238. self.valid_clear_load['kwargs']['username'] = 'test_user_mminion'
  239. self.valid_clear_load['user'] = 'test_user_mminion'
  240. self.clear.publish(self.valid_clear_load)
  241. self.assertEqual(self.fire_event_mock.mock_calls, [])
  242. def test_master_not_user_glob_all(self):
  243. '''
  244. Test to ensure that we DO NOT access to a given
  245. function to all users with publisher acl. ex:
  246. '*':
  247. my_minion:
  248. - my_func
  249. Yes, this seems like a bit of a no-op test but it's
  250. here to document that this functionality
  251. is NOT supported currently.
  252. WARNING: Do not patch this wit
  253. '''
  254. self.valid_clear_load['kwargs']['username'] = 'NOT_A_VALID_USERNAME'
  255. self.valid_clear_load['user'] = 'NOT_A_VALID_USERNAME'
  256. self.valid_clear_load['fun'] = 'test.ping'
  257. self.clear.publish(self.valid_clear_load)
  258. self.assertEqual(self.fire_event_mock.mock_calls, [])
  259. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  260. def test_master_minion_glob(self):
  261. '''
  262. Test to ensure we can allow access to a given
  263. function for a user to a subset of minions
  264. selected by a glob. ex:
  265. test_user:
  266. 'minion_glob*':
  267. - glob_mod.glob_func
  268. This test is a bit tricky, because ultimately the real functionality
  269. lies in what's returned from check_minions, but this checks a limited
  270. amount of logic on the way there as well. Note the inline patch.
  271. '''
  272. requested_function = 'foo.bar'
  273. requested_tgt = 'minion_glob1'
  274. self.valid_clear_load['tgt'] = requested_tgt
  275. self.valid_clear_load['fun'] = requested_function
  276. _check_minions_return = {'minions': ['minion_glob1'], 'missing': []}
  277. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)): # Assume that there is a listening minion match
  278. self.clear.publish(self.valid_clear_load)
  279. self.assertTrue(self.fire_event_mock.called, 'Did not fire {0} for minion tgt {1}'.format(requested_function, requested_tgt))
  280. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'], requested_function, 'Did not fire {0} for minion glob'.format(requested_function))
  281. def test_master_function_glob(self):
  282. '''
  283. Test to ensure that we can allow access to a given
  284. set of functions in an execution module as selected
  285. by a glob. ex:
  286. my_user:
  287. my_minion:
  288. 'test.*'
  289. '''
  290. # Unimplemented
  291. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  292. def test_args_empty_spec(self):
  293. '''
  294. Test simple arg restriction allowed.
  295. 'test_user_func':
  296. minion1:
  297. - test.empty:
  298. '''
  299. _check_minions_return = {'minions': ['minion1'], 'missing': []}
  300. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  301. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  302. self.valid_clear_load.update({'user': 'test_user_func',
  303. 'tgt': 'minion1',
  304. 'fun': 'test.empty',
  305. 'arg': ['TEST']})
  306. self.clear.publish(self.valid_clear_load)
  307. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'], 'test.empty')
  308. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  309. def test_args_simple_match(self):
  310. '''
  311. Test simple arg restriction allowed.
  312. 'test_user_func':
  313. minion1:
  314. - test.echo:
  315. args:
  316. - 'TEST'
  317. - 'TEST.*'
  318. '''
  319. _check_minions_return = {'minions': ['minion1'], 'missing': []}
  320. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  321. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  322. self.valid_clear_load.update({'user': 'test_user_func',
  323. 'tgt': 'minion1',
  324. 'fun': 'test.echo',
  325. 'arg': ['TEST', 'any', 'TEST ABC']})
  326. self.clear.publish(self.valid_clear_load)
  327. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'], 'test.echo')
  328. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  329. def test_args_more_args(self):
  330. '''
  331. Test simple arg restriction allowed to pass unlisted args.
  332. 'test_user_func':
  333. minion1:
  334. - test.echo:
  335. args:
  336. - 'TEST'
  337. - 'TEST.*'
  338. '''
  339. _check_minions_return = {'minions': ['minion1'], 'missing': []}
  340. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  341. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  342. self.valid_clear_load.update({'user': 'test_user_func',
  343. 'tgt': 'minion1',
  344. 'fun': 'test.echo',
  345. 'arg': ['TEST',
  346. 'any',
  347. 'TEST ABC',
  348. 'arg 3',
  349. {'kwarg1': 'val1',
  350. '__kwarg__': True}]})
  351. self.clear.publish(self.valid_clear_load)
  352. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'], 'test.echo')
  353. def test_args_simple_forbidden(self):
  354. '''
  355. Test simple arg restriction forbidden.
  356. 'test_user_func':
  357. minion1:
  358. - test.echo:
  359. args:
  360. - 'TEST'
  361. - 'TEST.*'
  362. '''
  363. _check_minions_return = {'minions': ['minion1'], 'missing': []}
  364. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  365. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  366. # Wrong last arg
  367. self.valid_clear_load.update({'user': 'test_user_func',
  368. 'tgt': 'minion1',
  369. 'fun': 'test.echo',
  370. 'arg': ['TEST', 'any', 'TESLA']})
  371. self.clear.publish(self.valid_clear_load)
  372. self.assertEqual(self.fire_event_mock.mock_calls, [])
  373. # Wrong first arg
  374. self.valid_clear_load['arg'] = ['TES', 'any', 'TEST1234']
  375. self.clear.publish(self.valid_clear_load)
  376. self.assertEqual(self.fire_event_mock.mock_calls, [])
  377. # Missing the last arg
  378. self.valid_clear_load['arg'] = ['TEST', 'any']
  379. self.clear.publish(self.valid_clear_load)
  380. self.assertEqual(self.fire_event_mock.mock_calls, [])
  381. # No args
  382. self.valid_clear_load['arg'] = []
  383. self.clear.publish(self.valid_clear_load)
  384. self.assertEqual(self.fire_event_mock.mock_calls, [])
  385. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  386. def test_args_kwargs_match(self):
  387. '''
  388. Test simple kwargs restriction allowed.
  389. 'test_user_func':
  390. '*':
  391. - test.echo:
  392. kwargs:
  393. text: 'KWMSG:.*'
  394. '''
  395. _check_minions_return = {'minions': ['some_minions'], 'missing': []}
  396. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  397. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  398. self.valid_clear_load.update({'user': 'test_user_func',
  399. 'tgt': '*',
  400. 'fun': 'test.echo',
  401. 'arg': [{'text': 'KWMSG: a message',
  402. 'anything': 'hello all',
  403. 'none': 'hello none',
  404. '__kwarg__': True}]})
  405. self.clear.publish(self.valid_clear_load)
  406. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'], 'test.echo')
  407. def test_args_kwargs_mismatch(self):
  408. '''
  409. Test simple kwargs restriction allowed.
  410. 'test_user_func':
  411. '*':
  412. - test.echo:
  413. kwargs:
  414. text: 'KWMSG:.*'
  415. '''
  416. _check_minions_return = {'minions': ['some_minions'], 'missing': []}
  417. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  418. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  419. self.valid_clear_load.update({'user': 'test_user_func',
  420. 'tgt': '*',
  421. 'fun': 'test.echo'})
  422. # Wrong kwarg value
  423. self.valid_clear_load['arg'] = [{'text': 'KWMSG a message',
  424. 'anything': 'hello all',
  425. 'none': 'hello none',
  426. '__kwarg__': True}]
  427. self.clear.publish(self.valid_clear_load)
  428. self.assertEqual(self.fire_event_mock.mock_calls, [])
  429. # Missing kwarg value
  430. self.valid_clear_load['arg'] = [{'anything': 'hello all',
  431. 'none': 'hello none',
  432. '__kwarg__': True}]
  433. self.clear.publish(self.valid_clear_load)
  434. self.assertEqual(self.fire_event_mock.mock_calls, [])
  435. self.valid_clear_load['arg'] = [{'__kwarg__': True}]
  436. self.clear.publish(self.valid_clear_load)
  437. self.assertEqual(self.fire_event_mock.mock_calls, [])
  438. self.valid_clear_load['arg'] = [{}]
  439. self.clear.publish(self.valid_clear_load)
  440. self.assertEqual(self.fire_event_mock.mock_calls, [])
  441. self.valid_clear_load['arg'] = []
  442. self.clear.publish(self.valid_clear_load)
  443. self.assertEqual(self.fire_event_mock.mock_calls, [])
  444. # Missing kwarg allowing any value
  445. self.valid_clear_load['arg'] = [{'text': 'KWMSG: a message',
  446. 'none': 'hello none',
  447. '__kwarg__': True}]
  448. self.clear.publish(self.valid_clear_load)
  449. self.assertEqual(self.fire_event_mock.mock_calls, [])
  450. self.valid_clear_load['arg'] = [{'text': 'KWMSG: a message',
  451. 'anything': 'hello all',
  452. '__kwarg__': True}]
  453. self.clear.publish(self.valid_clear_load)
  454. self.assertEqual(self.fire_event_mock.mock_calls, [])
  455. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  456. def test_args_mixed_match(self):
  457. '''
  458. Test mixed args and kwargs restriction allowed.
  459. 'test_user_func':
  460. '*':
  461. - 'my_mod.*':
  462. args:
  463. - 'a.*'
  464. - 'b.*'
  465. kwargs:
  466. 'kwa': 'kwa.*'
  467. 'kwb': 'kwb'
  468. '''
  469. _check_minions_return = {'minions': ['some_minions'], 'missing': []}
  470. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  471. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  472. self.valid_clear_load.update({'user': 'test_user_func',
  473. 'tgt': '*',
  474. 'fun': 'my_mod.some_func',
  475. 'arg': ['alpha',
  476. 'beta',
  477. 'gamma',
  478. {'kwa': 'kwarg #1',
  479. 'kwb': 'kwb',
  480. 'one_more': 'just one more',
  481. '__kwarg__': True}]})
  482. self.clear.publish(self.valid_clear_load)
  483. self.assertEqual(self.fire_event_mock.call_args[0][0]['fun'],
  484. 'my_mod.some_func')
  485. def test_args_mixed_mismatch(self):
  486. '''
  487. Test mixed args and kwargs restriction forbidden.
  488. 'test_user_func':
  489. '*':
  490. - 'my_mod.*':
  491. args:
  492. - 'a.*'
  493. - 'b.*'
  494. kwargs:
  495. 'kwa': 'kwa.*'
  496. 'kwb': 'kwb'
  497. '''
  498. _check_minions_return = {'minions': ['some_minions'], 'missing': []}
  499. with patch('salt.utils.minions.CkMinions.check_minions', MagicMock(return_value=_check_minions_return)):
  500. self.valid_clear_load['kwargs'].update({'username': 'test_user_func'})
  501. self.valid_clear_load.update({'user': 'test_user_func',
  502. 'tgt': '*',
  503. 'fun': 'my_mod.some_func'})
  504. # Wrong arg value
  505. self.valid_clear_load['arg'] = ['alpha',
  506. 'gamma',
  507. {'kwa': 'kwarg #1',
  508. 'kwb': 'kwb',
  509. 'one_more': 'just one more',
  510. '__kwarg__': True}]
  511. self.clear.publish(self.valid_clear_load)
  512. self.assertEqual(self.fire_event_mock.mock_calls, [])
  513. # Wrong kwarg value
  514. self.valid_clear_load['arg'] = ['alpha',
  515. 'beta',
  516. 'gamma',
  517. {'kwa': 'kkk',
  518. 'kwb': 'kwb',
  519. 'one_more': 'just one more',
  520. '__kwarg__': True}]
  521. self.clear.publish(self.valid_clear_load)
  522. self.assertEqual(self.fire_event_mock.mock_calls, [])
  523. # Missing arg
  524. self.valid_clear_load['arg'] = ['alpha',
  525. {'kwa': 'kwarg #1',
  526. 'kwb': 'kwb',
  527. 'one_more': 'just one more',
  528. '__kwarg__': True}]
  529. self.clear.publish(self.valid_clear_load)
  530. self.assertEqual(self.fire_event_mock.mock_calls, [])
  531. # Missing kwarg
  532. self.valid_clear_load['arg'] = ['alpha',
  533. 'beta',
  534. 'gamma',
  535. {'kwa': 'kwarg #1',
  536. 'one_more': 'just one more',
  537. '__kwarg__': True}]
  538. self.clear.publish(self.valid_clear_load)
  539. self.assertEqual(self.fire_event_mock.mock_calls, [])
  540. class AuthACLTestCase(ModuleCase):
  541. '''
  542. A class to check various aspects of the publisher ACL system
  543. '''
  544. def setUp(self):
  545. self.auth_check_mock = MagicMock(return_value=True)
  546. opts = self.get_temp_config('master')
  547. patches = (
  548. ('salt.minion.MasterMinion', MagicMock()),
  549. ('salt.utils.verify.check_path_traversal', MagicMock()),
  550. ('salt.utils.minions.CkMinions.auth_check', self.auth_check_mock),
  551. ('salt.auth.LoadAuth.time_auth', MagicMock(return_value=True)),
  552. ('salt.client.get_local_client', MagicMock(return_value=opts['conf_file'])),
  553. )
  554. for mod, mock in patches:
  555. patcher = patch(mod, mock)
  556. patcher.start()
  557. self.addCleanup(patcher.stop)
  558. self.addCleanup(delattr, self, 'auth_check_mock')
  559. opts['publisher_acl'] = {}
  560. opts['publisher_acl_blacklist'] = {}
  561. opts['master_job_cache'] = ''
  562. opts['sign_pub_messages'] = False
  563. opts['con_cache'] = ''
  564. opts['external_auth'] = {}
  565. opts['external_auth']['pam'] = {'test_user': [{'alpha_minion': ['test.ping']}]}
  566. self.clear = salt.master.ClearFuncs(opts, MagicMock())
  567. self.addCleanup(delattr, self, 'clear')
  568. # overwrite the _send_pub method so we don't have to serialize MagicMock
  569. self.clear._send_pub = lambda payload: True
  570. # make sure to return a JID, instead of a mock
  571. self.clear.mminion.returners = {'.prep_jid': lambda x: 1}
  572. self.valid_clear_load = {'tgt_type': 'glob',
  573. 'jid': '',
  574. 'cmd': 'publish',
  575. 'tgt': 'test_minion',
  576. 'kwargs':
  577. {'username': 'test_user',
  578. 'password': 'test_password',
  579. 'show_timeout': False,
  580. 'eauth': 'pam',
  581. 'show_jid': False},
  582. 'ret': '',
  583. 'user': 'test_user',
  584. 'key': '',
  585. 'arg': '',
  586. 'fun': 'test.ping',
  587. }
  588. self.addCleanup(delattr, self, 'valid_clear_load')
  589. @skipIf(salt.utils.platform.is_windows(), 'PAM eauth not available on Windows')
  590. def test_acl_simple_allow(self):
  591. self.clear.publish(self.valid_clear_load)
  592. self.assertEqual(self.auth_check_mock.call_args[0][0],
  593. [{'alpha_minion': ['test.ping']}])
  594. def test_acl_simple_deny(self):
  595. with patch('salt.auth.LoadAuth.get_auth_list', MagicMock(return_value=[{'beta_minion': ['test.ping']}])):
  596. self.clear.publish(self.valid_clear_load)
  597. self.assertEqual(self.auth_check_mock.call_args[0][0],
  598. [{'beta_minion': ['test.ping']}])