Diffstat (limited to 'tests/unittests')
-rw-r--r-- | tests/unittests/sources/test_init.py | 27 | ||||
-rw-r--r-- | tests/unittests/test_stages.py | 18 |
2 files changed, 37 insertions, 8 deletions
diff --git a/tests/unittests/sources/test_init.py b/tests/unittests/sources/test_init.py
index 96e4dd90..005a571b 100644
--- a/tests/unittests/sources/test_init.py
+++ b/tests/unittests/sources/test_init.py
@@ -458,12 +458,24 @@ class TestDataSource(CiTestCase):
 "cred2": "othersekret",
 }
 },
+ "someother": {
+ "nested": {
+ "userData": "HIDE ME",
+ }
+ },
+ "VENDOR-DAta": "HIDE ME TOO",
 },
 )
 self.assertCountEqual(
 (
 "merged_cfg",
 "security-credentials",
+ "userdata",
+ "user-data",
+ "user_data",
+ "vendordata",
+ "vendor-data",
+ "ds/vendor_data",
 ),
 datasource.sensitive_metadata_keys,
 )
@@ -490,7 +502,9 @@ class TestDataSource(CiTestCase):
 "base64_encoded_keys": [],
 "merged_cfg": REDACT_SENSITIVE_VALUE,
 "sensitive_keys": [
+ "ds/meta_data/VENDOR-DAta",
 "ds/meta_data/some/security-credentials",
+ "ds/meta_data/someother/nested/userData",
 "merged_cfg",
 ],
 "sys_info": sys_info,
@@ -500,6 +514,7 @@ class TestDataSource(CiTestCase):
 "availability_zone": "myaz",
 "cloud-name": "subclasscloudname",
 "cloud_name": "subclasscloudname",
+ "cloud_id": "subclasscloudname",
 "distro": "ubuntu",
 "distro_release": "focal",
 "distro_version": "20.04",
@@ -522,14 +537,18 @@ class TestDataSource(CiTestCase):
 "ds": {
 "_doc": EXPERIMENTAL_TEXT,
 "meta_data": {
+ "VENDOR-DAta": REDACT_SENSITIVE_VALUE,
 "availability_zone": "myaz",
 "local-hostname": "test-subclass-hostname",
 "region": "myregion",
 "some": {"security-credentials": REDACT_SENSITIVE_VALUE},
+ "someother": {
+ "nested": {"userData": REDACT_SENSITIVE_VALUE}
+ },
 },
 },
 }
- self.assertCountEqual(expected, redacted)
+ self.assertEqual(expected, redacted)
 file_stat = os.stat(json_file)
 self.assertEqual(0o644, stat.S_IMODE(file_stat.st_mode))
@@ -574,6 +593,12 @@ class TestDataSource(CiTestCase):
 (
 "merged_cfg",
 "security-credentials",
+ "userdata",
+ "user-data",
+ "user_data",
+ "vendordata",
+ "vendor-data",
+ "ds/vendor_data",
 ),
 datasource.sensitive_metadata_keys,
 )
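Review bot: The new fixture in the first hunk only contains keys that equal a sensitive name (`userData`, `VENDOR-DAta`), so the expected output in the fourth hunk does not pin whether redaction is an exact key match or a substring/prefix match, which is the boundary an over- or under-redaction bug would sit on. Adding a near-miss such as `"userdata_hash": "keep me",` next to `"VENDOR-DAta"` in the input and expecting it to appear unchanged in the expected `meta_data` block would make the intended matching rule explicit; whether the implementation matches exactly is not visible from these hunks. The expected `sensitive_metadata_keys` tuple is also repeated verbatim in the first and last hunks, so a module-level constant would keep the two assertions from drifting apart. The enclosing test methods start and end outside these hunks.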
diff --git a/tests/unittests/test_stages.py b/tests/unittests/test_stages.py
index 15a7e973..a61f9df9 100644
--- a/tests/unittests/test_stages.py
+++ b/tests/unittests/test_stages.py
@@ -606,19 +606,23 @@ class TestInit_InitializeFilesystem:
 # Assert we create it 0o640 by default if it doesn't already exist
 assert 0o640 == stat.S_IMODE(log_file.stat().mode)
- def test_existing_file_permissions_are_not_modified(self, init, tmpdir):
- """If the log file already exists, we should not modify its permissions
+ def test_existing_file_permissions(self, init, tmpdir):
+ """Test file permissions are set as expected.
+
+ CIS Hardening requires 640 permissions. These permissions are
+ currently hardcoded on every boot, but if there's ever a reason
+ to change this, we need to then ensure that they
+ are *not* set every boot.
 See https://bugs.launchpad.net/cloud-init/+bug/1900837.
 """
- # Use a mode that will never be made the default so this test will
- # always be valid
- mode = 0o606
 log_file = tmpdir.join("cloud-init.log")
 log_file.ensure()
- log_file.chmod(mode)
+ # Use a mode that will never be made the default so this test will
+ # always be valid
+ log_file.chmod(0o606)
 init._cfg = {"def_log_file": str(log_file)}
 init._initialize_filesystem()
- assert mode == stat.S_IMODE(log_file.stat().mode)
+ assert 0o640 == stat.S_IMODE(log_file.stat().mode)
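Review bot: The rewritten test only starts from a mode looser than the target (`0o606`), so it does not show that a pre-existing tighter mode is also rewritten to `0o640`, which is the less obvious consequence of setting the mode on every boot that the new docstring describes. Parametrizing the starting mode, e.g. `@pytest.mark.parametrize("mode", [0o606, 0o600])`, `def test_existing_file_permissions(self, init, tmpdir, mode):` and `log_file.chmod(mode)`, would pin both directions, assuming pytest is imported in this module, which the hunk does not show. The docstring sentence "if there's ever a reason to change this, we need to then ensure that they are *not* set every boot" is hard to follow; `If this ever becomes configurable, an existing mode must be preserved rather than reset on each boot.` says the same thing more directly. The assertion also checks only the mode bits, not owner or group, so the CIS requirement it cites is only partially covered by this test.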