Ejemplo n.º 1
def test_files_group(mock_stat):
    """
    Verify how FileCheck grades the group ownership of the mocked files.

    Judging by the assertions below, the four fixture entries accept the
    groups root, nobody, (root, nobody) and (root, bin) respectively. The
    fixture itself is defined outside this function.

    A group that is not in the accepted set is reported as WARNING, and
    the result keywords ('got', 'expected', 'type', 'msg') name the group
    that was found, so the drifted ownership can be identified from the
    result alone.
    """
    checker = FileCheck()
    checker.files = files

    # First pass: stat() reports whatever group make_stat() defaults to
    # (presumably root, since only the "nobody" entry is flagged).
    mock_stat.return_value = make_stat()
    group_check = get_results(capture_results(checker), 'group')
    first_pass = (
        constants.SUCCESS,
        constants.WARNING,
        constants.SUCCESS,
        constants.SUCCESS,
    )
    for position, outcome in enumerate(first_pass):
        assert group_check.results[position].result == outcome

    # Second pass: every file now appears to be owned by group "nobody".
    mock_stat.return_value = make_stat(gid=nobody.pw_gid)
    group_check = get_results(capture_results(checker), 'group')

    single_group = group_check.results[0]
    assert single_group.result == constants.WARNING
    assert single_group.kw.get('got') == 'nobody'
    assert single_group.kw.get('expected') == 'root'
    assert single_group.kw.get('type') == 'group'

    for position in (1, 2):
        assert group_check.results[position].result == constants.SUCCESS

    # An entry with several accepted groups lists all of them in the
    # 'expected' keyword and in the message.
    multi_group = group_check.results[3]
    assert multi_group.result == constants.WARNING
    assert multi_group.kw.get('got') == 'nobody'
    assert multi_group.kw.get('expected') == 'root,bin'
    assert multi_group.kw.get('type') == 'group'
    assert multi_group.kw.get('msg') == \
        'Group of fiz is nobody and should be one of root,bin'
Ejemplo n.º 2
def test_files_not_found(mock_exists):
    """
    Verify the results produced when none of the checked files exist.

    With mock_exists returning False, every 'mode', 'group' and 'owner'
    result is SUCCESS with the message 'File does not exist', one result
    per configured file.

    NOTE(review): a missing file therefore passes all three checks, so
    they cannot be relied on to notice that an expected file was removed.
    """
    mock_exists.return_value = False

    checker = FileCheck()
    checker.files = files

    results = capture_results(checker)

    for check_type in ('mode', 'group', 'owner'):
        per_type = get_results(results, check_type)
        assert len(per_type.results) == len(checker.files)
        for entry in per_type.results:
            assert entry.result == constants.SUCCESS
            assert entry.kw.get('msg') == 'File does not exist'
Ejemplo n.º 3
    def check(self):
        """
        Build the table of expected ownership and modes, then run the check.

        Each entry is a tuple that appears to be (path, owner, group, mode).
        Owner and group may themselves be tuples when more than one value
        is acceptable. Entries for the RA agent, PKINIT and DNS files are
        added only when the corresponding feature is detected.
        """
        self.files = []

        if self.ca.is_configured():
            # RA agent certificate and key: readable by the ipaapi group.
            for ra_file in (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY):
                self.files.append((ra_file, 'root', 'ipaapi', '0440'))

        if krbinstance.is_pkinit_enabled():
            # The KDC certificate is public; its key is owner-only.
            self.files.extend([
                (paths.KDC_CERT, 'root', 'root', '0644'),
                (paths.KDC_KEY, 'root', 'root', '0600'),
            ])

        if self.dns_container_exists():
            self.files.append((paths.NAMED_KEYTAB, constants.NAMED_USER,
                               constants.NAMED_GROUP, '0400'))
            # This keytab is only verified when it is present on disk.
            if os.path.exists(paths.IPA_DNSKEYSYNCD_KEYTAB):
                self.files.append((paths.IPA_DNSKEYSYNCD_KEYTAB, 'root',
                                   constants.ODS_GROUP, '0440'))

        # Files that are checked unconditionally.
        self.files.extend([
            (paths.GSSAPI_SESSION_KEY, 'root', 'root', '0600'),
            (paths.DS_KEYTAB, constants.DS_USER, constants.DS_GROUP, '0600'),
            (paths.IPA_CA_CRT, 'root', 'root', '0644'),
            (paths.IPA_CUSTODIA_KEYS, 'root', 'root', '0600'),
            # resolv.conf may be owned by either root or systemd-resolve.
            (paths.RESOLV_CONF, ('root', 'systemd-resolve'),
             ('root', 'systemd-resolve'), '0644'),
            (paths.HOSTS, 'root', 'root', '0644'),
        ])

        return FileCheck.check(self)
Ejemplo n.º 4
def test_files_group(mock_stat):
    """
    Verify that a group mismatch on a checked file is reported as WARNING.

    The first pass uses the default make_stat() group and the second pass
    reports group "nobody" for every file; the two fixture entries swap
    between SUCCESS and WARNING accordingly.
    """
    mock_stat.return_value = make_stat()

    checker = FileCheck()
    checker.files = files

    group_check = get_results(capture_results(checker), 'group')
    for position, outcome in enumerate((constants.SUCCESS,
                                        constants.WARNING)):
        assert group_check.results[position].result == outcome

    # Same files, but stat() now reports group "nobody".
    mock_stat.return_value = make_stat(gid=nobody.pw_gid)
    group_check = get_results(capture_results(checker), 'group')
    for position, outcome in enumerate((constants.WARNING,
                                        constants.SUCCESS)):
        assert group_check.results[position].result == outcome
def test_files_mode(mock_stat):
    """
    Verify that a mode mismatch on a checked file is reported as WARNING.

    The first pass uses the default make_stat() mode and the second pass
    reports a regular file with mode 0664; the two fixture entries swap
    between SUCCESS and WARNING accordingly.
    """
    mock_stat.return_value = make_stat()

    checker = FileCheck()
    checker.files = files

    mode_check = get_results(capture_results(checker), 'mode')
    for position, outcome in enumerate((constants.SUCCESS,
                                        constants.WARNING)):
        assert mode_check.results[position].result == outcome

    # 0o100664 == 33204: regular file, rw-rw-r--.
    mock_stat.return_value = make_stat(mode=0o100664)
    mode_check = get_results(capture_results(checker), 'mode')
    for position, outcome in enumerate((constants.WARNING,
                                        constants.SUCCESS)):
        assert mode_check.results[position].result == outcome
Ejemplo n.º 6
def test_files_mode(mock_stat):
    """
    Verify how FileCheck grades file modes against the expected values.

    As asserted below, a mode stricter than expected is reported as ERROR
    and a mode looser than expected as WARNING. The last fixture entry
    accepts more than one mode, so 0640 passes there while the other four
    entries still fail.

    NOTE(review): an over-permissive mode surfaces only as WARNING here;
    when the path holds key material, triage should not skip it on
    severity alone.
    """
    mock_stat.return_value = make_stat()

    checker = FileCheck()
    checker.files = files

    mode_check = get_results(capture_results(checker), 'mode')
    assert mode_check.results[0].result == constants.SUCCESS
    assert mode_check.results[1].result == constants.ERROR

    # (st_mode reported by stat(), expected outcome per fixture entry)
    scenarios = (
        # Too restrictive: 0600 (33152)
        (0o100600, (constants.ERROR,) * 5),
        # Too permissive: 0666 (33206)
        (0o100666, (constants.WARNING,) * 5),
        # Too restrictive with allowed multi-mode value: 0640 (33184)
        (0o100640, (constants.ERROR,) * 4 + (constants.SUCCESS,)),
    )
    for st_mode, outcomes in scenarios:
        mock_stat.return_value = make_stat(mode=st_mode)
        mode_check = get_results(capture_results(checker), 'mode')
        for position, outcome in enumerate(outcomes):
            assert mode_check.results[position].result == outcome
Ejemplo n.º 7
    def check(self):
        """
        Check ownership and mode of the PKI Tomcat configuration files.

        When no CA is configured the file list is left empty and a debug
        message is logged. Otherwise password.conf, CS.cfg and server.xml
        are expected to belong to the PKI user and group with mode 0660.
        """
        if self.ca.is_configured():
            server_xml = os.path.join(paths.PKI_TOMCAT, 'server.xml')
            self.files = [
                (target, constants.PKI_USER, constants.PKI_GROUP, '0660')
                for target in (
                    paths.PKI_TOMCAT_PASSWORD_CONF,
                    paths.CA_CS_CFG_PATH,
                    server_xml,
                )
            ]
        else:
            logger.debug('CA is not configured, skipping')
            self.files = []

        return FileCheck.check(self)
Ejemplo n.º 8
    def check(self):
        """
        Check ownership and mode of the NSS database files.

        The directory server's database files are collected with owner
        dirsrv, group root and mode 0640, except pkcs11.txt, whose group
        is dirsrv. When a CA is configured, the PKI Tomcat alias
        database files are added with owner and group pkiuser and
        mode 0600.
        """
        self.files = []

        self.collect_files(dsinstance.config_dirname(self.serverid),
                           NSS_SQL_FILES, 'dirsrv', 'root', '0640')

        # pkcs11.txt is the exception: its group differs from the other
        # database files, so drop the generated entry and add the right
        # one. remove() raises ValueError if the generated entry is absent.
        generated_path = os.path.join(
            dsinstance.config_dirname(self.serverid), 'pkcs11.txt')
        self.files.remove((generated_path, 'dirsrv', 'root', '0640'))
        replacement_path = os.path.join(
            dsinstance.config_dirname(self.serverid), 'pkcs11.txt')
        self.files.append((replacement_path, 'dirsrv', 'dirsrv', '0640'))

        if self.ca.is_configured():
            self.collect_files(paths.PKI_TOMCAT_ALIAS_DIR, NSS_SQL_FILES,
                               'pkiuser', 'pkiuser', '0600')

        return FileCheck.check(self)
Ejemplo n.º 9
    def check(self):
        """
        Build the table of expected ownership and modes, then run the check.

        Each entry is a tuple that appears to be (path, owner, group, mode).
        Owner, group and mode may themselves be tuples when more than one
        value is acceptable. Keys, keytabs and certificates come first,
        followed by log files and a few state files. Feature-specific
        entries and the installer logs are added conditionally; everything
        else is listed whether or not the file exists.
        """
        self.files = []

        if self.ca.is_configured():
            # RA agent certificate and key: readable by the IPA API group.
            for ra_file in (paths.RA_AGENT_PEM, paths.RA_AGENT_KEY):
                self.files.append(
                    (ra_file, 'root', constants.IPAAPI_GROUP, '0440'))

        if krbinstance.is_pkinit_enabled():
            # The KDC certificate is public; its key is owner-only.
            self.files.extend([
                (paths.KDC_CERT, 'root', 'root', '0644'),
                (paths.KDC_KEY, 'root', 'root', '0600'),
            ])

        if self.dns_container_exists():
            self.files.append((paths.NAMED_KEYTAB, constants.NAMED_USER,
                               constants.NAMED_GROUP, '0400'))
            # This keytab is only verified when it is present on disk.
            if os.path.exists(paths.IPA_DNSKEYSYNCD_KEYTAB):
                self.files.append((paths.IPA_DNSKEYSYNCD_KEYTAB, 'root',
                                   constants.ODS_GROUP, '0440'))

        self.files.extend([
            (paths.GSSAPI_SESSION_KEY, 'root', 'root', '0600'),
            (paths.DS_KEYTAB, constants.DS_USER, constants.DS_GROUP, '0600'),
            (paths.IPA_CA_CRT, 'root', 'root', '0644'),
            (paths.IPA_CUSTODIA_KEYS, 'root', 'root', '0600'),
            # resolv.conf may be owned by either root or systemd-resolve.
            (paths.RESOLV_CONF, ('root', 'systemd-resolve'),
             ('root', 'systemd-resolve'), '0644'),
            (paths.HOSTS, 'root', 'root', '0644'),
        ])

        # IPA log files whose presence depends on which tools have been
        # run on this installation; only those found on disk are verified.
        optional_logs = (
            paths.IPABACKUP_LOG,
            paths.IPARESTORE_LOG,
            paths.IPACLIENT_INSTALL_LOG,
            paths.IPACLIENT_UNINSTALL_LOG,
            paths.IPAREPLICA_CA_INSTALL_LOG,
            paths.IPAREPLICA_CONNCHECK_LOG,
            paths.IPAREPLICA_INSTALL_LOG,
            paths.IPASERVER_INSTALL_LOG,
            paths.IPASERVER_KRA_INSTALL_LOG,
            paths.IPASERVER_UNINSTALL_LOG,
            paths.IPAUPGRADE_LOG,
            paths.IPATRUSTENABLEAGENT_LOG,
        )
        self.files.extend(
            (log_path, 'root', 'root', '0600')
            for log_path in optional_logs
            if os.path.exists(log_path)
        )

        self.files.extend([
            (paths.IPA_CUSTODIA_AUDIT_LOG, 'root', 'root', '0644'),
            # kadmind.log is accepted with either of two modes.
            (paths.KADMIND_LOG, 'root', 'root', ('0600', '0640')),
            (paths.KRB5KDC_LOG, 'root', 'root', '0640'),
        ])

        # The directory server log paths are templates filled in with the
        # realm name, dots replaced by dashes.
        instance_name = api.env.realm.replace('.', '-')
        for log_template in (paths.SLAPD_INSTANCE_ACCESS_LOG_TEMPLATE,
                             paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE):
            self.files.append((log_template % instance_name,
                               constants.DS_USER, constants.DS_GROUP, '0600'))

        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))

        # The CA and KRA Tomcat instances share one layout: debug logs,
        # signed audit logs and three fixed-name logs, in that order.
        for log_dir, audit_dir in (
                (paths.TOMCAT_CA_DIR, paths.TOMCAT_SIGNEDAUDIT_DIR),
                (paths.TOMCAT_KRA_DIR, paths.TOMCAT_KRA_SIGNEDAUDIT_DIR),
        ):
            for debug_log in glob.glob("%s/debug*.log" % log_dir):
                self.files.append((debug_log, constants.PKI_USER,
                                   constants.PKI_GROUP, "0644"))

            for audit_log in glob.glob("%s/ca_audit*" % audit_dir):
                self.files.append((audit_log, constants.PKI_USER,
                                   constants.PKI_GROUP, '0640'))

            for basename in ('selftests.log', 'system', 'transactions'):
                self.files.append((os.path.join(log_dir, basename),
                                   constants.PKI_USER, constants.PKI_GROUP,
                                   '0640'))

        self.files.extend([
            # NOTE(review): '6770' includes the setuid and setgid bits;
            # confirm it matches how this path is created.
            (paths.IPA_CCACHES, constants.IPAAPI_USER,
             constants.IPAAPI_GROUP, '6770'),
            (paths.IPA_RENEWAL_LOCK, 'root', 'root', '0600'),
            (paths.SVC_LIST_FILE, 'root', 'root', '0644'),
        ])

        return FileCheck.check(self)