freeipa/ipatests/test_ipaserver/test_secure_ajp_connector.py
Florence Blanc-Renaud 12067297d8 pylint: remove useless suppression
The newer version of pylint has fixed false positives and
does not need anymore these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00

234 lines
7.7 KiB
Python

# Copyright (C) 2021 FreeIPA Project Contributors - see LICENSE file
from collections import namedtuple
from io import BytesIO
from lxml.etree import parse as myparse
import pytest
import textwrap
from unittest.mock import mock_open, patch
from ipaplatform.constants import constants
from ipaserver.install import dogtaginstance
class MyDogtagInstance(dogtaginstance.DogtagInstance):
"""Purpose is to avoid reading configuration files.
The real DogtagInstance will open up the system store and
try to determine the actual version of tomcat installed.
Fake it instead.
"""
def __init__(self, is_newer):
self.service_user = constants.PKI_USER
self.ajp_secret = None
self.is_newer = is_newer
def _is_newer_tomcat_version(self, default=None):
return self.is_newer
def mock_etree_parse(data):
"""Convert a string into a file-like object to pass in the XML"""
f = BytesIO(data.strip().encode('utf-8'))
return myparse(f)
def mock_pkiuser_entity():
"""Return struct_passwd for mocked pkiuser"""
StructPasswd = namedtuple(
"StructPasswd",
[
"pw_name",
"pw_passwd",
"pw_uid",
"pw_gid",
"pw_gecos",
"pw_dir",
"pw_shell",
]
)
pkiuser_entity = StructPasswd(
constants.PKI_USER,
pw_passwd="x",
pw_uid=-1,
pw_gid=-1,
pw_gecos="",
pw_dir="/dev/null",
pw_shell="/sbin/nologin",
)
return pkiuser_entity
# Format of test_data is:
# (
# is_newer_tomcat (boolean),
# XML input,
# expected secret attribute(s),
# expected password(s),
# rewrite of XML file expected (boolean),
# )
test_data = (
(
# Case 1: Upgrade requiredSecret to secret
True,
textwrap.dedent("""
<?xml version="1.0" encoding="UTF-8"?>
<Server port="1234" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost" requiredSecret="testing_ajp_secret" />
</Service>
</Server>
"""),
('secret',),
('testing_ajp_secret',),
('requiredSecret',),
True,
),
(
# Case 2: One connector with secret, no update is needed
True,
textwrap.dedent("""
<?xml version="1.0" encoding="UTF-8"?>
<Server port="1234" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost" secret="testing_ajp_secret" />
</Service>
</Server>
"""),
('secret',),
('testing_ajp_secret',),
('requiredSecret',),
False,
),
(
# Case 3: Two connectors, old secret attribute, different secrets
True,
textwrap.dedent("""
<?xml version="1.0" encoding="UTF-8"?>
<Server port="1234" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost4" requiredSecret="testing_ajp_secret" />
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost6" requiredSecret="other_secret" />
</Service>
</Server>
"""),
('secret', 'secret'),
('testing_ajp_secret', 'testing_ajp_secret'),
('requiredSecret', 'requiredSecret'),
True,
),
(
# Case 4: Two connectors, new secret attribute, same secrets
True,
textwrap.dedent("""
<?xml version="1.0" encoding="UTF-8"?>
<Server port="1234" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost4" secret="testing_ajp_secret" />
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost6" secret="testing_ajp_secret" />
</Service>
</Server>
"""),
('secret', 'secret'),
('testing_ajp_secret', 'testing_ajp_secret'),
('requiredSecret', 'requiredSecret'),
False,
),
(
# Case 5: Two connectors, no secrets
True,
textwrap.dedent("""
<?xml version="1.0" encoding="UTF-8"?>
<Server port="1234" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost4" />
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost6" />
</Service>
</Server>
"""),
('secret', 'secret'),
('RANDOM', 'RANDOM'),
('requiredSecret', 'requiredSecret'),
True,
),
(
# Case 6: Older tomcat, no update needed for requiredSecret
False,
textwrap.dedent("""
<?xml version="1.0" encoding="UTF-8"?>
<Server port="1234" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost" requiredSecret="testing_ajp_secret" />
</Service>
</Server>
"""),
('requiredSecret',),
('testing_ajp_secret',),
('secret',),
False,
),
(
# Case 7: Older tomcat, both secrets are present, one s/b removed
False,
textwrap.dedent("""
<?xml version="1.0" encoding="UTF-8"?>
<Server port="1234" shutdown="SHUTDOWN">
<Service name="Catalina">
<Connector port="9000" protocol="AJP/1.3" redirectPort="443"
address="localhost" requiredSecret="testing_ajp_secret"
secret="other_secret" />
</Service>
</Server>
"""),
('requiredSecret',),
('testing_ajp_secret',),
('secret',),
True,
),
)
class TestAJPSecretUpgrade:
@patch("ipaplatform.base.constants.pwd.getpwnam")
@patch("ipaplatform.base.constants.os.chown")
@patch("ipaserver.install.dogtaginstance.lxml.etree.parse")
@pytest.mark.parametrize("test_data", test_data)
def test_connecter(self, mock_parse, mock_chown, mock_getpwnam, test_data):
is_newer, data, secret, expect, ex_secret, rewrite = test_data
mock_chown.return_value = None
mock_parse.return_value = mock_etree_parse(data)
mock_getpwnam.return_value = mock_pkiuser_entity()
dogtag = MyDogtagInstance(is_newer)
with patch('ipaserver.install.dogtaginstance.open', mock_open()) \
as mocked_file:
dogtag.secure_ajp_connector()
if rewrite:
newdata = mocked_file().write.call_args
f = BytesIO(newdata[0][0])
server_xml = myparse(f)
doc = server_xml.getroot()
connectors = doc.xpath('//Connector[@protocol="AJP/1.3"]')
assert len(connectors) == len(secret)
i = 0
for connector in connectors:
if expect[i] == 'RANDOM':
assert connector.attrib[secret[i]]
else:
assert connector.attrib[secret[i]] == expect[i]
assert connector.attrib.get(ex_secret[i]) is None
i += 1
else:
assert mocked_file().write.call_args is None