# -*- coding: utf-8 -*-
# (c) 2012-2014, Michael DeHaan <michael.dehaan@gmail.com>
# (c) 2016 Toshio Kuratomi <tkuratomi@ansible.com>
# (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
# Python 2 only: make every class defined in this module new-style
# (a no-op on Python 3, where all classes already are).
__metaclass__ = type
import errno
import json
from units.mock.procenv import ModuleTestCase, swap_stdin_and_argv
from ansible.compat.tests.mock import patch, MagicMock, mock_open, Mock
from ansible.module_utils.six.moves import builtins
# Keep a handle on the real builtin import so a test that patches
# builtins.__import__ can delegate everything it does not intercept to the
# original.  None of the test methods visible in this file use it.
realimport = builtins.__import__
class TestSELinux(ModuleTestCase):
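def test_module_utils_basic_ansible_module_selinux_mls_enabled(self):
    """selinux_mls_enabled() is False without the bindings, else mirrors libselinux.

    The module-level ``HAVE_SELINUX`` flag and the ``selinux`` binding in
    ``basic`` are swapped in with ``patch.object`` so they are restored on
    exit even when an assertion fails; assigning them directly and cleaning
    up with a trailing ``delattr`` leaks the mock into sibling tests (and
    deletes a real ``selinux`` binding) on the first failure.
    """
    from ansible.module_utils import basic
    basic._ANSIBLE_ARGS = None

    am = basic.AnsibleModule(
        argument_spec=dict(),
    )

    # Without the python bindings the answer is always False.
    with patch.object(basic, 'HAVE_SELINUX', False):
        self.assertEqual(am.selinux_mls_enabled(), False)

    # With the bindings present the result follows is_selinux_mls_enabled().
    # The same mock object is installed as basic.selinux and in sys.modules
    # so that patch('selinux....') reaches the object basic actually calls.
    selinux_mock = Mock()
    with patch.object(basic, 'HAVE_SELINUX', True), \
            patch.object(basic, 'selinux', selinux_mock, create=True), \
            patch.dict('sys.modules', {'selinux': selinux_mock}):
        for libselinux_result, expected in ((0, False), (1, True)):
            with patch('selinux.is_selinux_mls_enabled', return_value=libselinux_result):
                self.assertEqual(am.selinux_mls_enabled(), expected)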
def test_module_utils_basic_ansible_module_selinux_initial_context(self):
    """The empty context has three slots, or four when MLS is enabled."""
    from ansible.module_utils import basic
    basic._ANSIBLE_ARGS = None

    am = basic.AnsibleModule(
        argument_spec=dict(),
    )

    # selinux_initial_context() sizes its result from selinux_mls_enabled();
    # stub that so only the shape of the returned list is under test.
    am.selinux_mls_enabled = MagicMock()

    expectations = (
        (False, [None, None, None]),
        (True, [None, None, None, None]),
    )
    for mls_enabled, empty_context in expectations:
        am.selinux_mls_enabled.return_value = mls_enabled
        self.assertEqual(am.selinux_initial_context(), empty_context)
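def test_module_utils_basic_ansible_module_selinux_enabled(self):
    """selinux_enabled() with and without the python selinux bindings.

    ``HAVE_SELINUX`` and the ``selinux`` binding in ``basic`` are installed
    with ``patch.object`` so they are restored on exit, assertion failures
    included; direct assignment plus a trailing ``delattr`` leaves the mock
    behind for sibling tests as soon as one assertion fails.
    """
    from ansible.module_utils import basic
    basic._ANSIBLE_ARGS = None

    am = basic.AnsibleModule(
        argument_spec=dict(),
    )

    # Without the bindings there are two paths: the system still has SELinux
    # (the selinuxenabled command is on PATH and exits 0), in which case the
    # module bails out with SystemExit, or SELinux is simply not installed.
    am.get_bin_path = MagicMock(return_value='/path/to/selinuxenabled')
    am.run_command = MagicMock(return_value=(0, '', ''))
    with patch.object(basic, 'HAVE_SELINUX', False):
        self.assertRaises(SystemExit, am.selinux_enabled)

        am.get_bin_path.return_value = None
        self.assertEqual(am.selinux_enabled(), False)

    # With the bindings the answer mirrors is_selinux_enabled().  The same
    # mock is installed as basic.selinux and in sys.modules so that
    # patch('selinux....') reaches the object basic actually calls.
    selinux_mock = Mock()
    with patch.object(basic, 'HAVE_SELINUX', True), \
            patch.object(basic, 'selinux', selinux_mock, create=True), \
            patch.dict('sys.modules', {'selinux': selinux_mock}):
        for libselinux_result, expected in ((0, False), (1, True)):
            with patch('selinux.is_selinux_enabled', return_value=libselinux_result):
                self.assertEqual(am.selinux_enabled(), expected)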
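def test_module_utils_basic_ansible_module_selinux_default_context(self):
    """selinux_default_context() splits matchpathcon's answer or returns the empty context.

    ``HAVE_SELINUX`` and the ``selinux`` binding in ``basic`` are installed
    with ``patch.object`` so they are restored on exit even when an
    assertion fails, instead of relying on a trailing ``delattr`` that is
    skipped on failure and would remove a real binding if one was imported.
    """
    from ansible.module_utils import basic
    basic._ANSIBLE_ARGS = None

    am = basic.AnsibleModule(
        argument_spec=dict(),
    )

    empty_context = [None, None, None, None]
    am.selinux_initial_context = MagicMock(return_value=[None, None, None, None])
    am.selinux_enabled = MagicMock(return_value=True)

    # Without the python bindings the empty context comes straight back.
    with patch.object(basic, 'HAVE_SELINUX', False):
        self.assertEqual(am.selinux_default_context(path='/foo/bar'), empty_context)

    # Everything below assumes the bindings are installed.  The same mock is
    # installed as basic.selinux and in sys.modules so that
    # patch('selinux.matchpathcon') reaches the object basic actually calls.
    selinux_mock = Mock()
    with patch.object(basic, 'HAVE_SELINUX', True), \
            patch.object(basic, 'selinux', selinux_mock, create=True), \
            patch.dict('sys.modules', {'selinux': selinux_mock}):
        # matchpathcon finds a context: it is split into its four fields.
        with patch('selinux.matchpathcon', return_value=[0, 'unconfined_u:object_r:default_t:s0']):
            self.assertEqual(am.selinux_default_context(path='/foo/bar'),
                             ['unconfined_u', 'object_r', 'default_t', 's0'])

        # matchpathcon signals failure with a negative return code.
        with patch('selinux.matchpathcon', return_value=[-1, '']):
            self.assertEqual(am.selinux_default_context(path='/foo/bar'), empty_context)

        # matchpathcon raises OSError: also falls back to the empty context.
        with patch('selinux.matchpathcon', side_effect=OSError):
            self.assertEqual(am.selinux_default_context(path='/foo/bar'), empty_context)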
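def test_module_utils_basic_ansible_module_selinux_context(self):
    """selinux_context() splits lgetfilecon_raw's answer; an OSError from it is fatal.

    ``HAVE_SELINUX`` and the ``selinux`` binding in ``basic`` are installed
    with ``patch.object`` so they are restored on exit even when an
    assertion fails, instead of relying on a trailing ``delattr`` that is
    skipped on failure.  The comments name lgetfilecon_raw, which is what
    this test patches (an earlier revision said matchpathcon).
    """
    from ansible.module_utils import basic
    basic._ANSIBLE_ARGS = None

    am = basic.AnsibleModule(
        argument_spec=dict(),
    )

    empty_context = [None, None, None, None]
    am.selinux_initial_context = MagicMock(return_value=[None, None, None, None])
    am.selinux_enabled = MagicMock(return_value=True)

    # Without the python bindings the empty context comes straight back.
    with patch.object(basic, 'HAVE_SELINUX', False):
        self.assertEqual(am.selinux_context(path='/foo/bar'), empty_context)

    # Everything below assumes the bindings are installed.  The same mock is
    # installed as basic.selinux and in sys.modules so that
    # patch('selinux.lgetfilecon_raw') reaches the object basic actually calls.
    selinux_mock = Mock()
    with patch.object(basic, 'HAVE_SELINUX', True), \
            patch.object(basic, 'selinux', selinux_mock, create=True), \
            patch.dict('sys.modules', {'selinux': selinux_mock}):
        # lgetfilecon_raw finds a context: it is split into its four fields.
        with patch('selinux.lgetfilecon_raw', return_value=[0, 'unconfined_u:object_r:default_t:s0']):
            self.assertEqual(am.selinux_context(path='/foo/bar'),
                             ['unconfined_u', 'object_r', 'default_t', 's0'])

        # lgetfilecon_raw signals failure with a negative return code.
        with patch('selinux.lgetfilecon_raw', return_value=[-1, '']):
            self.assertEqual(am.selinux_context(path='/foo/bar'), empty_context)

        # An OSError from lgetfilecon_raw ends in SystemExit whether it
        # carries ENOENT (file vanished) or no errno at all.
        missing_file = OSError()
        missing_file.errno = errno.ENOENT
        for lookup_error in (missing_file, OSError()):
            with patch('selinux.lgetfilecon_raw', side_effect=lookup_error):
                self.assertRaises(SystemExit, am.selinux_context, path='/foo/bar')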
def test_module_utils_basic_ansible_module_is_special_selinux_path(self):
    """is_special_selinux_path() flags paths mounted on a filesystem named in _ansible_selinux_special_fs.

    The mount table is read through builtins.open, which is mocked twice:
    once raising OSError (nothing can be special) and once returning three
    mount entries, of which the nfs and foos ones are special.
    """
    from ansible.module_utils import basic

    module_args = {
        '_ansible_selinux_special_fs': "nfs,nfsd,foos",
        '_ansible_remote_tmp': "/tmp",
        '_ansible_keep_remote_files': False,
    }
    args = json.dumps(dict(ANSIBLE_MODULE_ARGS=module_args))

    with swap_stdin_and_argv(stdin_data=args):
        basic._ANSIBLE_ARGS = None
        am = basic.AnsibleModule(
            argument_spec=dict(),
        )

        # Pretend these two mount points exist; everything else lives on '/'.
        fake_mount_points = ('/some/path', '/weird/random/fstype')

        def fake_find_mount_point(path):
            for mount_point in fake_mount_points:
                if path.startswith(mount_point):
                    return mount_point
            return '/'

        am.find_mount_point = MagicMock(side_effect=fake_find_mount_point)
        am.selinux_context = MagicMock(return_value=['foo_u', 'foo_r', 'foo_t', 's0'])

        # An unreadable mount table means no path can be special.
        unreadable_mounts = mock_open()
        unreadable_mounts.side_effect = OSError

        with patch.object(builtins, 'open', unreadable_mounts, create=True):
            self.assertEqual(am.is_special_selinux_path('/some/path/that/should/be/nfs'), (False, None))

        mount_data = [
            '/dev/disk1 / ext4 rw,seclabel,relatime,data=ordered 0 0\n',
            '1.1.1.1:/path/to/nfs /some/path nfs ro 0 0\n',
            'whatever /weird/random/fstype foos rw 0 0\n',
        ]

        # mock_open's readlines() does not hand read_data back line by line
        # as one would expect, so its return value is pinned explicitly.
        readable_mounts = mock_open(read_data=''.join(mount_data))
        readable_mounts.return_value.readlines.return_value = mount_data

        with patch.object(builtins, 'open', readable_mounts, create=True):
            cases = (
                ('/some/random/path', (False, None)),
                ('/some/path/that/should/be/nfs', (True, ['foo_u', 'foo_r', 'foo_t', 's0'])),
                ('/weird/random/fstype/path', (True, ['foo_u', 'foo_r', 'foo_t', 's0'])),
            )
            for candidate, expected in cases:
                self.assertEqual(am.is_special_selinux_path(candidate), expected)
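def test_module_utils_basic_ansible_module_set_context_if_different(self):
    """set_context_if_different() calls lsetfilecon only when SELinux is on and check mode is off.

    ``HAVE_SELINUX`` and the ``selinux`` binding in ``basic`` are installed
    with ``patch.object`` so they are restored on exit even when an
    assertion fails; direct assignment plus a trailing ``delattr`` leaves
    the mock behind for sibling tests as soon as one assertion fails.
    """
    from ansible.module_utils import basic
    basic._ANSIBLE_ARGS = None

    am = basic.AnsibleModule(
        argument_spec=dict(),
    )

    path = '/path/to/file'
    wanted = ['foo_u', 'foo_r', 'foo_t', 's0']

    # With SELinux off nothing happens and the 'changed' flag is echoed back.
    with patch.object(basic, 'HAVE_SELINUX', False):
        am.selinux_enabled = MagicMock(return_value=False)
        self.assertEqual(am.set_context_if_different(path, wanted, True), True)
        self.assertEqual(am.set_context_if_different(path, wanted, False), False)

    am.selinux_enabled = MagicMock(return_value=True)
    am.selinux_context = MagicMock(return_value=['bar_u', 'bar_r', None, None])
    am.is_special_selinux_path = MagicMock(return_value=(False, None))

    # The same mock is installed as basic.selinux and in sys.modules so that
    # patch('selinux.lsetfilecon') reaches the object basic actually calls.
    selinux_mock = Mock()
    with patch.object(basic, 'HAVE_SELINUX', True), \
            patch.object(basic, 'selinux', selinux_mock, create=True), \
            patch.dict('sys.modules', {'selinux': selinux_mock}):
        with patch('selinux.lsetfilecon', return_value=0) as m:
            self.assertEqual(am.set_context_if_different(path, wanted, False), True)
            m.assert_called_with(path, 'foo_u:foo_r:foo_t:s0')
            m.reset_mock()

            # Check mode reports the change but must not touch the file.
            am.check_mode = True
            self.assertEqual(am.set_context_if_different(path, wanted, False), True)
            self.assertEqual(m.called, False)
            am.check_mode = False

        # A non-zero return code or an OSError from lsetfilecon is fatal.
        with patch('selinux.lsetfilecon', return_value=1):
            self.assertRaises(SystemExit, am.set_context_if_different, path, wanted, True)

        with patch('selinux.lsetfilecon', side_effect=OSError):
            self.assertRaises(SystemExit, am.set_context_if_different, path, wanted, True)

        # On a special filesystem the special context replaces the requested one.
        am.is_special_selinux_path = MagicMock(return_value=(True, ['sp_u', 'sp_r', 'sp_t', 's0']))
        with patch('selinux.lsetfilecon', return_value=0) as m:
            self.assertEqual(am.set_context_if_different(path, wanted, False), True)
            m.assert_called_with(path, 'sp_u:sp_r:sp_t:s0')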