Exemple #1
    def on_before_init(self, **kwargs):
        """Run the pre-initialisation hooks for this worker.

        Sets up the trace optimisations, fires ``celeryd_init`` and then runs
        the privilege check against the configured ``accept_content``.
        ``kwargs`` is handed to the signal receivers as ``options``.
        """
        trace.setup_worker_optimizations(self.app, self.hostname)

        # celeryd_init lets receivers configure a worker by name: the
        # hostname is the signal sender.
        init_args = {
            'sender': self.hostname,
            'instance': self,
            'conf': self.app.conf,
            'options': kwargs,
        }
        signals.celeryd_init.send(**init_args)

        # accept_content is read only after the signal has fired, so the
        # check sees whatever the receivers left in the configuration.
        # NOTE(review): presumably this is the startup guard against running
        # with root privileges while accepting an unsafe serializer --
        # confirm in celery.platforms.
        accepted = self.app.conf.accept_content
        check_privileges(accepted)
Exemple #2
def test_check_privileges_with_c_force_root(os_module, accept_content):
    """Root with ``C_FORCE_ROOT`` set is tolerated, but only with a warning.

    Every id getter on the ``os_module`` fixture reports 0 and the
    environment carries ``C_FORCE_ROOT``; the check has to emit a
    ``SecurityWarning`` and must not raise.
    """
    os_module.environ = {'C_FORCE_ROOT': 'true'}
    for getter in ('getuid', 'getgid', 'geteuid', 'getegid'):
        getattr(os_module, getter).return_value = 0

    with pytest.warns(SecurityWarning):
        check_privileges(accept_content)
Exemple #3
def test_check_privileges_suspicious_platform(os_module, accept_content):
    """A platform whose ``os`` lacks the uid/gid getters is rejected.

    The four getters are removed from the ``os_module`` fixture; the check
    must fail closed with a ``SecurityError`` instead of skipping the
    privilege test.
    """
    for getter in ('getuid', 'getgid', 'geteuid', 'getegid'):
        delattr(os_module, getter)

    pattern = r'suspicious platform, contact support'
    with pytest.raises(SecurityError, match=pattern):
        check_privileges(accept_content)
Exemple #4
    def on_before_init(self, **kwargs):
        """Run the pre-initialisation hooks for this worker.

        Sets up the trace optimisations, fires ``celeryd_init`` and then runs
        the privilege check against ``CELERY_ACCEPT_CONTENT``. ``kwargs`` is
        handed to the signal receivers as ``options``.
        """
        trace.setup_worker_optimizations(self.app)

        # celeryd_init lets receivers configure a worker by name: the
        # hostname is the signal sender.
        init_args = {
            'sender': self.hostname,
            'instance': self,
            'conf': self.app.conf,
            'options': kwargs,
        }
        signals.celeryd_init.send(**init_args)

        # The setting is read only after the signal has fired, so the check
        # sees whatever the receivers left in the configuration.
        # NOTE(review): presumably this is the startup guard against running
        # with root privileges while accepting an unsafe serializer --
        # confirm in celery.platforms.
        accepted = self.app.conf.CELERY_ACCEPT_CONTENT
        check_privileges(accepted)
Exemple #5
def test_check_privileges_with_c_force_root(accept_content):
    """Root with ``C_FORCE_ROOT`` set is tolerated, but only with a warning.

    ``celery.platforms.os`` is patched so that every id getter reports 0 and
    the environment carries ``C_FORCE_ROOT``; the check has to emit a
    ``SecurityWarning`` and must not raise.
    """
    with patch('celery.platforms.os') as os_module:
        os_module.environ = {'C_FORCE_ROOT': 'true'}
        for getter in ('getuid', 'getgid', 'geteuid', 'getegid'):
            getattr(os_module, getter).return_value = 0

        with pytest.warns(SecurityWarning):
            check_privileges(accept_content)
Exemple #6
    def on_before_init(self, **kwargs):
        """Run the pre-initialisation hooks for this worker.

        Sets up the trace optimisations, fires ``celeryd_init`` and then runs
        the privilege check against the configured ``accept_content``.
        ``kwargs`` is handed to the signal receivers as ``options``.
        """
        trace.setup_worker_optimizations(self.app, self.hostname)

        # celeryd_init lets receivers configure a worker by name: the
        # hostname is the signal sender.
        init_args = {
            'sender': self.hostname,
            'instance': self,
            'conf': self.app.conf,
            'options': kwargs,
        }
        signals.celeryd_init.send(**init_args)

        # accept_content is read only after the signal has fired, so the
        # check sees whatever the receivers left in the configuration.
        # NOTE(review): presumably this is the startup guard against running
        # with root privileges while accepting an unsafe serializer --
        # confirm in celery.platforms.
        accepted = self.app.conf.accept_content
        check_privileges(accepted)
Exemple #7
def test_check_privileges_without_c_force_root(os_module, accept_content):
    """Root without ``C_FORCE_ROOT`` is refused outright.

    Every id getter on the ``os_module`` fixture reports 0 and the
    environment is empty; the check must raise ``SecurityError`` carrying
    the ``ROOT_DISALLOWED`` text formatted with those ids.
    """
    os_module.environ = {}
    for getter in ('getuid', 'getgid', 'geteuid', 'getegid'):
        getattr(os_module, getter).return_value = 0

    ids = {'uid': 0, 'euid': 0, 'gid': 0, 'egid': 0}
    # pytest.raises(match=...) is a regex search, so the literal message
    # has to be escaped first.
    expected_message = re.escape(ROOT_DISALLOWED.format(**ids))
    with pytest.raises(SecurityError, match=expected_message):
        check_privileges(accept_content)
Exemple #8
def test_check_privileges():
    """Exercise the privilege check against two stand-ins for ``os``.

    A replacement that exposes ``fchown`` but none of the uid/gid getters
    must be rejected with ``SecurityError``; a bare ``object()`` (no
    ``fchown`` at all) must not raise, even with ``{'pickle'}`` accepted.
    """
    class FchownOnly(object):
        fchown = 13

    # platforms.os is a module global, so it is swapped by hand and always
    # restored in ``finally`` to keep other tests unaffected.
    real_os = platforms.os
    platforms.os = FchownOnly()
    try:
        with pytest.raises(SecurityError):
            check_privileges({'pickle'})
    finally:
        platforms.os = real_os

    real_os = platforms.os
    platforms.os = object()
    try:
        check_privileges({'pickle'})
    finally:
        platforms.os = real_os
Exemple #9
 def test_suspicious(self):
     """Exercise the privilege check against two stand-ins for ``os``.

     A replacement that exposes ``fchown`` but none of the uid/gid getters
     must make the check fail with ``AssertionError``; a bare ``object()``
     (no ``fchown`` at all) must not raise, even with ``{'pickle'}``.
     """
     class FchownOnly(object):
         fchown = 13

     # platforms.os is a module global, so it is swapped by hand and always
     # restored in ``finally`` to keep other tests unaffected.
     real_os = platforms.os
     platforms.os = FchownOnly()
     try:
         with self.assertRaises(AssertionError):
             check_privileges({'pickle'})
     finally:
         platforms.os = real_os

     real_os = platforms.os
     platforms.os = object()
     try:
         check_privileges({'pickle'})
     finally:
         platforms.os = real_os
Exemple #10
def test_check_privileges():
    """Exercise the privilege check against two stand-ins for ``os``.

    A replacement that exposes ``fchown`` but none of the uid/gid getters
    must be rejected with ``SecurityError``; a bare ``object()`` (no
    ``fchown`` at all) must not raise, even with ``{'pickle'}`` accepted.
    """
    class FchownOnly(object):
        fchown = 13

    # platforms.os is a module global, so it is swapped by hand and always
    # restored in ``finally`` to keep other tests unaffected.
    real_os = platforms.os
    platforms.os = FchownOnly()
    try:
        with pytest.raises(SecurityError):
            check_privileges({'pickle'})
    finally:
        platforms.os = real_os

    real_os = platforms.os
    platforms.os = object()
    try:
        check_privileges({'pickle'})
    finally:
        platforms.os = real_os
Exemple #11
    def test_suspicious(self):
        """Exercise the privilege check against two stand-ins for ``os``.

        A replacement that exposes ``fchown`` but none of the uid/gid
        getters must make the check fail with ``AssertionError``; a bare
        ``object()`` (no ``fchown`` at all) must not raise, even with
        ``{'pickle'}`` accepted.
        """
        class FchownOnly(object):
            fchown = 13

        # platforms.os is a module global, so it is swapped by hand and
        # always restored in ``finally`` to keep other tests unaffected.
        real_os = platforms.os
        platforms.os = FchownOnly()
        try:
            with self.assertRaises(AssertionError):
                check_privileges({'pickle'})
        finally:
            platforms.os = real_os

        real_os = platforms.os
        platforms.os = object()
        try:
            check_privileges({'pickle'})
        finally:
            platforms.os = real_os
Exemple #12
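def test_check_privileges_without_c_force_root_and_with_suspicious_group(
        grp_module, os_module, accept_content, group_name):
    """A non-zero uid/gid in a suspicious group is still refused.

    All four id getters report 60 and ``C_FORCE_ROOT`` is absent, but the
    mocked ``grp.getgrgid`` resolves the gid to ``group_name``. The check
    must raise ``SecurityError`` with the ``ROOT_DISALLOWED`` text.

    NOTE(review): ``group_name`` comes from a fixture defined outside this
    snippet; presumably it is parametrised over privileged group names.
    """
    os_module.environ = {}
    os_module.getuid.return_value = 60
    os_module.getgid.return_value = 60
    os_module.geteuid.return_value = 60
    os_module.getegid.return_value = 60

    # One assignment covers every getgrgid() call; the original set the
    # same return value twice. The entry is a one-item list, so only its
    # first element (the group name) is available to the check.
    grp_module.getgrgid.return_value = [group_name]

    # pytest.raises(match=...) is a regex search, so escape the message.
    expected_message = re.escape(
        ROOT_DISALLOWED.format(uid=60, euid=60, gid=60, egid=60))
    with pytest.raises(SecurityError, match=expected_message):
        check_privileges(accept_content)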
Exemple #13
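def test_check_privileges_with_c_force_root_and_with_suspicious_group(
        grp_module, os_module, accept_content, group_name):
    """``C_FORCE_ROOT`` downgrades the suspicious-group refusal to a warning.

    All four id getters report 60 and the mocked ``grp.getgrgid`` resolves
    the gid to ``group_name``. With ``C_FORCE_ROOT`` set the check must emit
    a ``SecurityWarning`` carrying the ``ROOT_DISCOURAGED`` text.

    NOTE(review): ``group_name`` comes from a fixture defined outside this
    snippet; presumably it is parametrised over privileged group names.
    """
    os_module.environ = {'C_FORCE_ROOT': 'true'}
    os_module.getuid.return_value = 60
    os_module.getgid.return_value = 60
    os_module.geteuid.return_value = 60
    os_module.getegid.return_value = 60

    # One assignment covers every getgrgid() call; the original set the
    # same return value twice. The entry is a one-item list, so only its
    # first element (the group name) is available to the check.
    grp_module.getgrgid.return_value = [group_name]

    # pytest.warns(match=...) is a regex search, so escape the message.
    expected_message = re.escape(
        ROOT_DISCOURAGED.format(uid=60, euid=60, gid=60, egid=60))
    with pytest.warns(SecurityWarning, match=expected_message):
        check_privileges(accept_content)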
Exemple #14
def test_check_privileges_without_c_force_root_and_no_group_entry(
        grp_module, os_module, accept_content, recwarn):
    """An unresolvable gid is treated as root and refused.

    All four id getters report 60, ``C_FORCE_ROOT`` is absent and the mocked
    ``grp.getgrgid`` raises ``KeyError``. The check must raise
    ``SecurityError`` with the ``ROOT_DISALLOWED`` text, and the first
    recorded warning must be ``ASSUMING_ROOT``: a failed group lookup
    fails closed.
    """
    os_module.environ = {}
    for getter in ('getuid', 'getgid', 'geteuid', 'getegid'):
        getattr(os_module, getter).return_value = 60

    # Simulates a gid with no entry in the group database.
    grp_module.getgrgid.side_effect = KeyError

    ids = {'uid': 60, 'euid': 60, 'gid': 60, 'egid': 60}
    expected_message = re.escape(ROOT_DISALLOWED.format(**ids))
    with pytest.raises(SecurityError, match=expected_message):
        check_privileges(accept_content)

    first_warning = recwarn[0].message
    assert first_warning.args[0] == ASSUMING_ROOT
Exemple #15
def test_check_privileges_with_c_force_root_and_no_group_entry(
    grp_module, os_module, accept_content, recwarn
):
    """With ``C_FORCE_ROOT``, an unresolvable gid yields two warnings.

    All four id getters report 60 and the mocked ``grp.getgrgid`` raises
    ``KeyError``. The check must return normally and record exactly two
    warnings, in order: ``ASSUMING_ROOT``, then the ``ROOT_DISCOURAGED``
    text formatted with the ids.
    """
    os_module.environ = {'C_FORCE_ROOT': 'true'}
    for getter in ('getuid', 'getgid', 'geteuid', 'getegid'):
        getattr(os_module, getter).return_value = 60

    # Simulates a gid with no entry in the group database.
    grp_module.getgrgid.side_effect = KeyError

    # Compared with ==, not as a regex, so no re.escape is needed here.
    ids = {'uid': 60, 'euid': 60, 'gid': 60, 'egid': 60}
    expected_message = ROOT_DISCOURAGED.format(**ids)

    check_privileges(accept_content)
    assert len(recwarn) == 2

    first_warning = recwarn[0].message
    second_warning = recwarn[1].message
    assert first_warning.args[0] == ASSUMING_ROOT
    assert second_warning.args[0] == expected_message
Exemple #16
def test_check_privileges_no_fchown(os_module, accept_content, recwarn):
    """Without ``os.fchown`` the check returns quietly.

    ``fchown`` is removed from the ``os_module`` fixture; the call must not
    raise and no warning may be recorded.
    """
    delattr(os_module, 'fchown')
    check_privileges(accept_content)

    recorded = len(recwarn)
    assert recorded == 0
Exemple #17
def test_check_privileges(accept_content, recwarn):
    """The check neither raises nor warns when nothing is patched.

    NOTE(review): this relies on the ids of the process running the tests,
    so it presumably fails when the suite itself runs as root -- confirm.
    """
    check_privileges(accept_content)

    recorded = len(recwarn)
    assert recorded == 0
Exemple #18
def test_skip_checking_privileges_when_grp_is_unavailable(recwarn):
    """With ``celery.platforms.grp`` set to ``None`` the check is silent.

    Even with ``{'pickle'}`` accepted, the call must not raise and no
    warning may be recorded while ``grp`` is patched out.
    """
    grp_missing = patch("celery.platforms.grp", None)
    with grp_missing:
        check_privileges({'pickle'})

    recorded = len(recwarn)
    assert recorded == 0
Exemple #19
def test_check_privileges_no_fchown(accept_content, recwarn):
    """Without ``os.fchown`` the check returns quietly.

    ``celery.platforms.os`` is patched and ``fchown`` removed from the
    replacement; the call must not raise and no warning may be recorded.
    """
    with patch('celery.platforms.os') as os_module:
        delattr(os_module, 'fchown')
        check_privileges(accept_content)

    recorded = len(recwarn)
    assert recorded == 0