diff options
-rw-r--r-- | oslo_rootwrap/daemon.py | 28 | ||||
-rw-r--r-- | oslo_rootwrap/tests/test_functional.py | 14 | ||||
-rw-r--r-- | oslo_rootwrap/tests/test_rootwrap.py | 4 | ||||
-rw-r--r-- | test-requirements.txt | 6 |
4 files changed, 35 insertions, 17 deletions
diff --git a/oslo_rootwrap/daemon.py b/oslo_rootwrap/daemon.py index 5409dfd..cf7f03e 100644 --- a/oslo_rootwrap/daemon.py +++ b/oslo_rootwrap/daemon.py @@ -27,6 +27,7 @@ import sys import tempfile import threading +from oslo_rootwrap import cmd from oslo_rootwrap import jsonrpc from oslo_rootwrap import subprocess from oslo_rootwrap import wrapper @@ -45,14 +46,25 @@ class RootwrapClass(object): self.filters = filters def run_one_command(self, userargs, stdin=None): - obj = wrapper.start_subprocess( - self.filters, userargs, - exec_dirs=self.config.exec_dirs, - log=self.config.use_syslog, - close_fds=True, - stdin=subprocess.PIPE, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) + try: + obj = wrapper.start_subprocess( + self.filters, userargs, + exec_dirs=self.config.exec_dirs, + log=self.config.use_syslog, + close_fds=True, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + except wrapper.FilterMatchNotExecutable: + LOG.warning("Executable not found for: %s", + ' '.join(userargs)) + return cmd.RC_NOEXECFOUND, "", "" + + except wrapper.NoFilterMatched: + LOG.warning("Unauthorized command: %s (no filter matched)", + ' '.join(userargs)) + return cmd.RC_UNAUTHORIZED, "", "" + if six.PY3 and stdin is not None: stdin = os.fsencode(stdin) out, err = obj.communicate(stdin) diff --git a/oslo_rootwrap/tests/test_functional.py b/oslo_rootwrap/tests/test_functional.py index a23d9f1..83825a5 100644 --- a/oslo_rootwrap/tests/test_functional.py +++ b/oslo_rootwrap/tests/test_functional.py @@ -34,9 +34,9 @@ import testtools from testtools import content from oslo_rootwrap import client +from oslo_rootwrap import cmd from oslo_rootwrap import subprocess from oslo_rootwrap.tests import run_daemon -from oslo_rootwrap import wrapper class _FunctionalBase(object): @@ -57,6 +57,7 @@ echo: CommandFilter, /bin/echo, root cat: CommandFilter, /bin/cat, root sh: CommandFilter, /bin/sh, root id: CommandFilter, /usr/bin/id, nobody +unknown_cmd: CommandFilter, /unknown/unknown_cmd, root """) def _test_run_once(self, expect_byte=True): @@ -83,6 +84,14 @@ id: CommandFilter, /usr/bin/id, nobody self.assertEqual(expect_out, out) self.assertEqual(expect_err, err) + def test_run_command_not_found(self): + code, out, err = self.execute(['unknown_cmd']) + self.assertEqual(cmd.RC_NOEXECFOUND, code) + + def test_run_unauthorized_command(self): + code, out, err = self.execute(['unauthorized_cmd']) + self.assertEqual(cmd.RC_UNAUTHORIZED, code) + def test_run_as(self): if os.getuid() != 0: self.skip('Test requires root (for setuid)') @@ -183,9 +192,6 @@ class RootwrapDaemonTest(_FunctionalBase, testtools.TestCase): def test_run_with_stdin(self): self._test_run_with_stdin(expect_byte=False) - def test_error_propagation(self): - self.assertRaises(wrapper.NoFilterMatched, self.execute, ['other']) - def test_daemon_ressurection(self): # Let the client start a daemon self.execute(['cat']) diff --git a/oslo_rootwrap/tests/test_rootwrap.py b/oslo_rootwrap/tests/test_rootwrap.py index d023d5f..200c4f0 100644 --- a/oslo_rootwrap/tests/test_rootwrap.py +++ b/oslo_rootwrap/tests/test_rootwrap.py @@ -156,7 +156,7 @@ class RootwrapTestCase(testtools.TestCase): # check that environment variables are set self.assertEqual('/some/thing', env.get('A')) self.assertEqual('somethingelse', env.get('B')) - self.assertFalse('sleep' in env.keys()) + self.assertNotIn('sleep', env.keys()) def test_EnvFilter_without_leading_env(self): envset = ['A=/some/thing', 'B=somethingelse'] @@ -175,7 +175,7 @@ class RootwrapTestCase(testtools.TestCase): # check that environment variables are set self.assertEqual('/some/thing', env.get('A')) self.assertEqual('somethingelse', env.get('B')) - self.assertFalse('sleep' in env.keys()) + self.assertNotIn('sleep', env.keys()) def test_KillFilter(self): if not os.path.exists("/proc/%d" % os.getpid()): diff --git a/test-requirements.txt b/test-requirements.txt index aee933f..daad9c4 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -11,8 +11,8 @@ testscenarios>=0.4 # Apache-2.0/BSD testtools>=1.4.0 # MIT # this is required for the docs build jobs -sphinx!=1.3b1,<1.3,>=1.2.1 # BSD -oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0 +sphinx!=1.3b1,<1.4,>=1.2.1 # BSD +oslosphinx>=4.7.0 # Apache-2.0 oslotest>=1.10.0 # Apache-2.0 @@ -22,4 +22,4 @@ mock>=2.0 # BSD # rootwrap daemon's client should be verified to run in eventlet eventlet!=0.18.3,>=0.18.2 # MIT -reno>=1.8.0 # Apache2 +reno>=1.8.0 # Apache-2.0 |