Tests: get rid of classes in test files.

Class usage came from the unittest framework and has been redundant
ever since the migration to pytest.  This commit removes classes from files
containing tests to make them more readable and understandable.
Andrei Zeliankou
2023-06-14 18:20:09 +01:00
parent c6d05191a0
commit c183bd8749
84 changed files with 17455 additions and 16814 deletions


@@ -3,357 +3,365 @@ import os
import pwd
import pytest
from unit.applications.lang.go import TestApplicationGo
from unit.applications.lang.go import ApplicationGo
from unit.option import option
from unit.utils import getns
prerequisites = {'modules': {'go': 'any'}, 'features': {'isolation': True}}
client = ApplicationGo()
class TestGoIsolation(TestApplicationGo):
def unpriv_creds(self):
nobody_uid = pwd.getpwnam('nobody').pw_uid
try:
nogroup_gid = grp.getgrnam('nogroup').gr_gid
nogroup = 'nogroup'
except KeyError:
nogroup_gid = grp.getgrnam('nobody').gr_gid
nogroup = 'nobody'
def unpriv_creds():
nobody_uid = pwd.getpwnam('nobody').pw_uid
return (nobody_uid, nogroup_gid, nogroup)
try:
nogroup_gid = grp.getgrnam('nogroup').gr_gid
nogroup = 'nogroup'
except KeyError:
nogroup_gid = grp.getgrnam('nobody').gr_gid
nogroup = 'nobody'
def test_isolation_values(self):
self.load('ns_inspect')
return (nobody_uid, nogroup_gid, nogroup)
obj = self.getjson()['body']
for ns, ns_value in option.available['features']['isolation'].items():
if ns.upper() in obj['NS']:
assert obj['NS'][ns.upper()] == ns_value, f'{ns} match'
def test_isolation_values():
client.load('ns_inspect')
def test_isolation_unpriv_user(self, require):
obj = client.getjson()['body']
for ns, ns_value in option.available['features']['isolation'].items():
if ns.upper() in obj['NS']:
assert obj['NS'][ns.upper()] == ns_value, f'{ns} match'
def test_isolation_unpriv_user(require):
require(
{
'privileged_user': False,
'features': {'isolation': ['unprivileged_userns_clone']},
}
)
client.load('ns_inspect')
obj = client.getjson()['body']
assert obj['UID'] == os.geteuid(), 'uid match'
assert obj['GID'] == os.getegid(), 'gid match'
client.load('ns_inspect', isolation={'namespaces': {'credential': True}})
obj = client.getjson()['body']
nobody_uid, nogroup_gid, nogroup = unpriv_creds()
# unprivileged unit map itself to nobody in the container by default
assert obj['UID'] == nobody_uid, 'uid of nobody'
assert obj['GID'] == nogroup_gid, f'gid of {nogroup}'
client.load(
'ns_inspect',
user='root',
isolation={'namespaces': {'credential': True}},
)
obj = client.getjson()['body']
assert obj['UID'] == 0, 'uid match user=root'
assert obj['GID'] == 0, 'gid match user=root'
client.load(
'ns_inspect',
user='root',
group=nogroup,
isolation={'namespaces': {'credential': True}},
)
obj = client.getjson()['body']
assert obj['UID'] == 0, 'uid match user=root group=nogroup'
assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup'
client.load(
'ns_inspect',
user='root',
group='root',
isolation={
'namespaces': {'credential': True},
'uidmap': [{'container': 0, 'host': os.geteuid(), 'size': 1}],
'gidmap': [{'container': 0, 'host': os.getegid(), 'size': 1}],
},
)
obj = client.getjson()['body']
assert obj['UID'] == 0, 'uid match uidmap'
assert obj['GID'] == 0, 'gid match gidmap'
def test_isolation_priv_user(require):
require({'privileged_user': True})
client.load('ns_inspect')
nobody_uid, nogroup_gid, nogroup = unpriv_creds()
obj = client.getjson()['body']
assert obj['UID'] == nobody_uid, 'uid match'
assert obj['GID'] == nogroup_gid, 'gid match'
client.load('ns_inspect', isolation={'namespaces': {'credential': True}})
obj = client.getjson()['body']
# privileged unit map app creds in the container by default
assert obj['UID'] == nobody_uid, 'uid nobody'
assert obj['GID'] == nogroup_gid, 'gid nobody'
client.load(
'ns_inspect',
user='root',
isolation={'namespaces': {'credential': True}},
)
obj = client.getjson()['body']
assert obj['UID'] == 0, 'uid nobody user=root'
assert obj['GID'] == 0, 'gid nobody user=root'
client.load(
'ns_inspect',
user='root',
group=nogroup,
isolation={'namespaces': {'credential': True}},
)
obj = client.getjson()['body']
assert obj['UID'] == 0, 'uid match user=root group=nogroup'
assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup'
client.load(
'ns_inspect',
user='root',
group='root',
isolation={
'namespaces': {'credential': True},
'uidmap': [{'container': 0, 'host': 0, 'size': 1}],
'gidmap': [{'container': 0, 'host': 0, 'size': 1}],
},
)
obj = client.getjson()['body']
assert obj['UID'] == 0, 'uid match uidmap user=root'
assert obj['GID'] == 0, 'gid match gidmap user=root'
# map 65535 uids
client.load(
'ns_inspect',
user='nobody',
isolation={
'namespaces': {'credential': True},
'uidmap': [{'container': 0, 'host': 0, 'size': nobody_uid + 1}],
},
)
obj = client.getjson()['body']
assert obj['UID'] == nobody_uid, 'uid match uidmap user=nobody'
assert obj['GID'] == nogroup_gid, 'gid match uidmap user=nobody'
def test_isolation_mnt(require):
require(
{
'features': {'isolation': ['unprivileged_userns_clone', 'mnt']},
}
)
client.load(
'ns_inspect',
isolation={'namespaces': {'mount': True, 'credential': True}},
)
obj = client.getjson()['body']
# all but user and mnt
allns = list(option.available['features']['isolation'].keys())
allns.remove('user')
allns.remove('mnt')
for ns in allns:
if ns.upper() in obj['NS']:
assert (
obj['NS'][ns.upper()]
== option.available['features']['isolation'][ns]
), f'{ns} match'
assert obj['NS']['MNT'] != getns('mnt'), 'mnt set'
assert obj['NS']['USER'] != getns('user'), 'user set'
def test_isolation_pid(is_su, require):
require({'features': {'isolation': ['pid']}})
if not is_su:
require(
{
'privileged_user': False,
'features': {'isolation': ['unprivileged_userns_clone']},
'features': {
'isolation': [
'unprivileged_userns_clone',
'user',
'mnt',
]
}
}
)
self.load('ns_inspect')
obj = self.getjson()['body']
isolation = {'namespaces': {'pid': True}}
assert obj['UID'] == os.geteuid(), 'uid match'
assert obj['GID'] == os.getegid(), 'gid match'
if not is_su:
isolation['namespaces']['mount'] = True
isolation['namespaces']['credential'] = True
self.load('ns_inspect', isolation={'namespaces': {'credential': True}})
client.load('ns_inspect', isolation=isolation)
obj = self.getjson()['body']
obj = client.getjson()['body']
nobody_uid, nogroup_gid, nogroup = self.unpriv_creds()
assert obj['PID'] == 2, 'pid of container is 2'
# unprivileged unit map itself to nobody in the container by default
assert obj['UID'] == nobody_uid, 'uid of nobody'
assert obj['GID'] == nogroup_gid, f'gid of {nogroup}'
self.load(
'ns_inspect',
user='root',
isolation={'namespaces': {'credential': True}},
)
def test_isolation_namespace_false():
client.load('ns_inspect')
allns = list(option.available['features']['isolation'].keys())
obj = self.getjson()['body']
remove_list = ['unprivileged_userns_clone', 'ipc', 'cgroup']
allns = [ns for ns in allns if ns not in remove_list]
assert obj['UID'] == 0, 'uid match user=root'
assert obj['GID'] == 0, 'gid match user=root'
namespaces = {}
for ns in allns:
if ns == 'user':
namespaces['credential'] = False
elif ns == 'mnt':
namespaces['mount'] = False
elif ns == 'net':
namespaces['network'] = False
elif ns == 'uts':
namespaces['uname'] = False
else:
namespaces[ns] = False
self.load(
'ns_inspect',
user='root',
group=nogroup,
isolation={'namespaces': {'credential': True}},
)
client.load('ns_inspect', isolation={'namespaces': namespaces})
obj = self.getjson()['body']
obj = client.getjson()['body']
assert obj['UID'] == 0, 'uid match user=root group=nogroup'
assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup'
for ns in allns:
if ns.upper() in obj['NS']:
assert (
obj['NS'][ns.upper()]
== option.available['features']['isolation'][ns]
), f'{ns} match'
self.load(
'ns_inspect',
user='root',
group='root',
isolation={
'namespaces': {'credential': True},
'uidmap': [{'container': 0, 'host': os.geteuid(), 'size': 1}],
'gidmap': [{'container': 0, 'host': os.getegid(), 'size': 1}],
},
)
obj = self.getjson()['body']
assert obj['UID'] == 0, 'uid match uidmap'
assert obj['GID'] == 0, 'gid match gidmap'
def test_isolation_priv_user(self, require):
require({'privileged_user': True})
self.load('ns_inspect')
nobody_uid, nogroup_gid, nogroup = self.unpriv_creds()
obj = self.getjson()['body']
assert obj['UID'] == nobody_uid, 'uid match'
assert obj['GID'] == nogroup_gid, 'gid match'
self.load('ns_inspect', isolation={'namespaces': {'credential': True}})
obj = self.getjson()['body']
# privileged unit map app creds in the container by default
assert obj['UID'] == nobody_uid, 'uid nobody'
assert obj['GID'] == nogroup_gid, 'gid nobody'
self.load(
'ns_inspect',
user='root',
isolation={'namespaces': {'credential': True}},
)
obj = self.getjson()['body']
assert obj['UID'] == 0, 'uid nobody user=root'
assert obj['GID'] == 0, 'gid nobody user=root'
self.load(
'ns_inspect',
user='root',
group=nogroup,
isolation={'namespaces': {'credential': True}},
)
obj = self.getjson()['body']
assert obj['UID'] == 0, 'uid match user=root group=nogroup'
assert obj['GID'] == nogroup_gid, 'gid match user=root group=nogroup'
self.load(
'ns_inspect',
user='root',
group='root',
isolation={
'namespaces': {'credential': True},
'uidmap': [{'container': 0, 'host': 0, 'size': 1}],
'gidmap': [{'container': 0, 'host': 0, 'size': 1}],
},
)
obj = self.getjson()['body']
assert obj['UID'] == 0, 'uid match uidmap user=root'
assert obj['GID'] == 0, 'gid match gidmap user=root'
# map 65535 uids
self.load(
'ns_inspect',
user='nobody',
isolation={
'namespaces': {'credential': True},
'uidmap': [{'container': 0, 'host': 0, 'size': nobody_uid + 1}],
},
)
obj = self.getjson()['body']
assert obj['UID'] == nobody_uid, 'uid match uidmap user=nobody'
assert obj['GID'] == nogroup_gid, 'gid match uidmap user=nobody'
def test_isolation_mnt(self, require):
def test_go_isolation_rootfs_container(is_su, require, temp_dir):
if not is_su:
require(
{
'features': {'isolation': ['unprivileged_userns_clone', 'mnt']},
'features': {
'isolation': [
'unprivileged_userns_clone',
'user',
'mnt',
'pid',
]
}
}
)
self.load(
'ns_inspect',
isolation={'namespaces': {'mount': True, 'credential': True}},
)
isolation = {'rootfs': temp_dir}
obj = self.getjson()['body']
# all but user and mnt
allns = list(option.available['features']['isolation'].keys())
allns.remove('user')
allns.remove('mnt')
for ns in allns:
if ns.upper() in obj['NS']:
assert (
obj['NS'][ns.upper()]
== option.available['features']['isolation'][ns]
), f'{ns} match'
assert obj['NS']['MNT'] != getns('mnt'), 'mnt set'
assert obj['NS']['USER'] != getns('user'), 'user set'
def test_isolation_pid(self, is_su, require):
require({'features': {'isolation': ['pid']}})
if not is_su:
require(
{
'features': {
'isolation': [
'unprivileged_userns_clone',
'user',
'mnt',
]
}
}
)
isolation = {'namespaces': {'pid': True}}
if not is_su:
isolation['namespaces']['mount'] = True
isolation['namespaces']['credential'] = True
self.load('ns_inspect', isolation=isolation)
obj = self.getjson()['body']
assert obj['PID'] == 2, 'pid of container is 2'
def test_isolation_namespace_false(self):
self.load('ns_inspect')
allns = list(option.available['features']['isolation'].keys())
remove_list = ['unprivileged_userns_clone', 'ipc', 'cgroup']
allns = [ns for ns in allns if ns not in remove_list]
namespaces = {}
for ns in allns:
if ns == 'user':
namespaces['credential'] = False
elif ns == 'mnt':
namespaces['mount'] = False
elif ns == 'net':
namespaces['network'] = False
elif ns == 'uts':
namespaces['uname'] = False
else:
namespaces[ns] = False
self.load('ns_inspect', isolation={'namespaces': namespaces})
obj = self.getjson()['body']
for ns in allns:
if ns.upper() in obj['NS']:
assert (
obj['NS'][ns.upper()]
== option.available['features']['isolation'][ns]
), f'{ns} match'
def test_go_isolation_rootfs_container(self, is_su, require, temp_dir):
if not is_su:
require(
{
'features': {
'isolation': [
'unprivileged_userns_clone',
'user',
'mnt',
'pid',
]
}
}
)
isolation = {'rootfs': temp_dir}
if not is_su:
isolation['namespaces'] = {
'mount': True,
'credential': True,
'pid': True,
}
self.load('ns_inspect', isolation=isolation)
obj = self.getjson(url='/?file=/go/app')['body']
assert obj['FileExists'], 'app relative to rootfs'
obj = self.getjson(url='/?file=/bin/sh')['body']
assert not obj['FileExists'], 'file should not exists'
def test_go_isolation_rootfs_container_priv(self, require, temp_dir):
require({'privileged_user': True, 'features': {'isolation': ['mnt']}})
isolation = {
'namespaces': {'mount': True},
'rootfs': temp_dir,
if not is_su:
isolation['namespaces'] = {
'mount': True,
'credential': True,
'pid': True,
}
self.load('ns_inspect', isolation=isolation)
client.load('ns_inspect', isolation=isolation)
obj = self.getjson(url='/?file=/go/app')['body']
obj = client.getjson(url='/?file=/go/app')['body']
assert obj['FileExists'], 'app relative to rootfs'
assert obj['FileExists'], 'app relative to rootfs'
obj = self.getjson(url='/?file=/bin/sh')['body']
assert not obj['FileExists'], 'file should not exists'
obj = client.getjson(url='/?file=/bin/sh')['body']
assert not obj['FileExists'], 'file should not exists'
def test_go_isolation_rootfs_automount_tmpfs(
self, is_su, require, temp_dir
):
try:
open("/proc/self/mountinfo")
except:
pytest.skip('The system lacks /proc/self/mountinfo file')
if not is_su:
require(
{
'features': {
'isolation': [
'unprivileged_userns_clone',
'user',
'mnt',
'pid',
]
}
def test_go_isolation_rootfs_container_priv(require, temp_dir):
require({'privileged_user': True, 'features': {'isolation': ['mnt']}})
isolation = {
'namespaces': {'mount': True},
'rootfs': temp_dir,
}
client.load('ns_inspect', isolation=isolation)
obj = client.getjson(url='/?file=/go/app')['body']
assert obj['FileExists'], 'app relative to rootfs'
obj = client.getjson(url='/?file=/bin/sh')['body']
assert not obj['FileExists'], 'file should not exists'
def test_go_isolation_rootfs_automount_tmpfs(is_su, require, temp_dir):
try:
open("/proc/self/mountinfo")
except:
pytest.skip('The system lacks /proc/self/mountinfo file')
if not is_su:
require(
{
'features': {
'isolation': [
'unprivileged_userns_clone',
'user',
'mnt',
'pid',
]
}
)
isolation = {'rootfs': temp_dir}
if not is_su:
isolation['namespaces'] = {
'mount': True,
'credential': True,
'pid': True,
}
)
isolation['automount'] = {'tmpfs': False}
isolation = {'rootfs': temp_dir}
self.load('ns_inspect', isolation=isolation)
if not is_su:
isolation['namespaces'] = {
'mount': True,
'credential': True,
'pid': True,
}
obj = self.getjson(url='/?mounts=true')['body']
isolation['automount'] = {'tmpfs': False}
assert (
"/ /tmp" not in obj['Mounts'] and "tmpfs" not in obj['Mounts']
), 'app has no /tmp mounted'
client.load('ns_inspect', isolation=isolation)
isolation['automount'] = {'tmpfs': True}
obj = client.getjson(url='/?mounts=true')['body']
self.load('ns_inspect', isolation=isolation)
assert (
"/ /tmp" not in obj['Mounts'] and "tmpfs" not in obj['Mounts']
), 'app has no /tmp mounted'
obj = self.getjson(url='/?mounts=true')['body']
isolation['automount'] = {'tmpfs': True}
assert (
"/ /tmp" in obj['Mounts'] and "tmpfs" in obj['Mounts']
), 'app has /tmp mounted on /'
client.load('ns_inspect', isolation=isolation)
obj = client.getjson(url='/?mounts=true')['body']
assert (
"/ /tmp" in obj['Mounts'] and "tmpfs" in obj['Mounts']
), 'app has /tmp mounted on /'
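Review bot: In the new `test_go_isolation_rootfs_automount_tmpfs`, the probe `open("/proc/self/mountinfo")` still sits under a bare `except:` and never closes the handle it opens. The bare clause turns any exception, including `KeyboardInterrupt`, into a skip, so the tmpfs automount check can be silently skipped for reasons unrelated to a missing file. I would write the probe as `with open("/proc/self/mountinfo"): pass` under `except OSError:`, keeping the `pytest.skip(...)` line as it is. Separately, the comment `# map 65535 uids` in `test_isolation_priv_user` matches the mapped size `nobody_uid + 1` only when nobody is 65534; `# map uids 0..nobody_uid` would describe what the code does.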