Esempio n. 1
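    def test_get_cached_auth_token_invalid_permissions(self):
        """Reading the cached token must fail closed (and warn) on bad permissions.

        Three cases run in sequence against one freshly written token file;
        ``shell.LOG`` is replaced by a new mock before each case so the
        ``warn.call_count`` assertion only sees that case:

        1. no read access to the config directory -> ``None`` plus a warning,
        2. directory readable but the token file not -> ``None`` plus a warning,
        3. token file readable by other users -> the token is still returned,
           but a "too permissive" warning is logged.

        The mode changes are undone in ``finally`` so tearDown can still remove
        the temporary config directory when an assertion fails half-way (a
        0o000 directory would otherwise block the cleanup).  Assumes the test
        process is not root, since root bypasses mode bits entirely.
        """
        shell = Shell()
        client = Client()
        username = '******'
        password = '******'
        config_dir_path = self._mock_config_directory_path

        cached_token_path = shell._get_cached_token_path_for_user(username=username)
        data = {
            'token': 'yayvalid',
            'expire_timestamp': (int(time.time()) + 20)
        }
        with open(cached_token_path, 'w') as fp:
            fp.write(json.dumps(data))

        # Permission bits only; the st_mode file-type bits are not chmod-able.
        orig_dir_mode = os.stat(config_dir_path).st_mode & 0o7777
        orig_file_mode = os.stat(cached_token_path).st_mode & 0o7777

        def lookup():
            # Fresh mock per case so call_count / call_args reflect only this case.
            shell.LOG = mock.Mock()
            return shell._get_cached_auth_token(client=client, username=username,
                                                password=password)

        def single_warning():
            # Exactly one warning per case; return its message for the regex check.
            self.assertEqual(shell.LOG.warn.call_count, 1)
            return shell.LOG.warn.call_args[0][0]

        try:
            # 1. Current user doesn't have read access to the config directory
            os.chmod(config_dir_path, 0o000)
            self.assertIsNone(lookup())

            expected_msg = ('Unable to retrieve cached token from .*? read access to the parent '
                            'directory')
            # NOTE: assertRegexpMatches was removed in Python 3.12 (assertRegex replaces it).
            self.assertRegexpMatches(single_warning(), expected_msg)

            # 2. Read access on the directory, but not on the cached token file
            os.chmod(config_dir_path, 0o777)  # nosec
            os.chmod(cached_token_path, 0o000)
            self.assertIsNone(lookup())

            expected_msg = ('Unable to retrieve cached token from .*? read access to this file')
            self.assertRegexpMatches(single_warning(), expected_msg)

            # 3. Other users also have read access to the file: the token is still
            #    usable, but the CLI must warn that the mode exposes it to other
            #    local users.
            os.chmod(config_dir_path, 0o777)  # nosec
            os.chmod(cached_token_path, 0o444)
            self.assertEqual(lookup(), 'yayvalid')

            # Regex kept verbatim: it has to match the CLI's current log wording.
            expected_msg = ('Permissions .*? for cached token file .*? are to permissive')
            self.assertRegexpMatches(single_warning(), expected_msg)
        finally:
            # Parent first: a file under a 0o000 directory cannot be chmod'ed.
            os.chmod(config_dir_path, orig_dir_mode)
            os.chmod(cached_token_path, orig_file_mode)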
Esempio n. 2
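    def test_cache_auth_token_invalid_permissions(self):
        """Writing the token cache must warn, not raise, when it cannot write.

        Two cases run against one pre-existing cache file, with ``shell.LOG``
        replaced by a fresh mock before each so ``warn.call_count`` only
        counts that case:

        1. no write access to the parent directory -> one warning,
        2. parent writable but the existing cache file not -> one warning.

        The mode changes are undone in ``finally`` so tearDown can still remove
        the temporary config directory when an assertion fails half-way.
        Assumes the test process is not root, since root bypasses mode bits.
        """
        shell = Shell()
        username = '******'
        config_dir_path = self._mock_config_directory_path

        # utcnow() is naive and deprecated from Python 3.12; TokenDB's
        # expectations are not visible here, so the call is kept as-is.
        expiry = datetime.datetime.utcnow() + datetime.timedelta(seconds=30)
        token_db = TokenDB(user=username, token='fyeah', expiry=expiry)

        # A pre-existing cache file lets case 2 make the file itself unwritable.
        cached_token_path = shell._get_cached_token_path_for_user(username=username)
        data = {
            'token': 'yayvalid',
            'expire_timestamp': (int(time.time()) + 20)
        }
        with open(cached_token_path, 'w') as fp:
            fp.write(json.dumps(data))

        # Permission bits only; the st_mode file-type bits are not chmod-able.
        orig_dir_mode = os.stat(config_dir_path).st_mode & 0o7777
        orig_file_mode = os.stat(cached_token_path).st_mode & 0o7777

        def cache_and_get_warning():
            # Fresh mock per case; exactly one warning is expected each time.
            shell.LOG = mock.Mock()
            shell._cache_auth_token(token_obj=token_db)
            self.assertEqual(shell.LOG.warn.call_count, 1)
            return shell.LOG.warn.call_args[0][0]

        try:
            # 1. Current user has no write access to the parent directory
            os.chmod(config_dir_path, 0o000)

            expected_msg = ('Unable to write token to .*? doesn\'t have write access to the parent '
                            'directory')
            # NOTE: assertRegexpMatches was removed in Python 3.12 (assertRegex replaces it).
            self.assertRegexpMatches(cache_and_get_warning(), expected_msg)

            # 2. Current user has no write access to the cached token file
            os.chmod(config_dir_path, 0o777)  # nosec
            os.chmod(cached_token_path, 0o000)

            expected_msg = ('Unable to write token to .*? doesn\'t have write access to this file')
            self.assertRegexpMatches(cache_and_get_warning(), expected_msg)
        finally:
            # Parent first: a file under a 0o000 directory cannot be chmod'ed.
            os.chmod(config_dir_path, orig_dir_mode)
            os.chmod(cached_token_path, orig_file_mode)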
Esempio n. 3
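    def test_dont_warn_multiple_times(self):
        """Insecure config-dir and config-file modes each produce exactly one warning.

        Builds a throwaway config directory whose mode grants 'other' rwx and
        a config file at 0o777, runs the CLI once without a token, and checks
        that the directory warning, the file warning and the two info messages
        are each emitted once.  The temporary tree is removed in ``finally``;
        previously it was left behind on every run.
        """
        mock_temp_dir_path = tempfile.mkdtemp()
        mock_config_dir_path = os.path.join(mock_temp_dir_path, 'testconfig')
        mock_config_path = os.path.join(mock_config_dir_path, 'config')

        try:
            # Make the temporary config directory, then grant 'other' full
            # access so the directory-permission warning is triggered.
            os.makedirs(mock_config_dir_path)
            old_perms = os.stat(mock_config_dir_path).st_mode
            os.chmod(mock_config_dir_path, old_perms | 0o7)

            # Make the temporary config file world-rwx (the file-permission case).
            shutil.copyfile(CONFIG_FILE_PATH_FULL, mock_config_path)
            os.chmod(mock_config_path, 0o777)  # nosec

            shell = Shell()
            shell.LOG = mock.Mock()

            # Test without token.
            shell.run(['--config-file', mock_config_path, 'action', 'list'])

            warnings = [call[0][0] for call in shell.LOG.warn.call_args_list]
            self.assertEqual(len(warnings), 2)
            # Only the fixed prefix is compared; the remainder carries the path.
            dir_prefix = 'The StackStorm configuration directory permissions are insecure'
            file_prefix = 'The StackStorm configuration file permissions are insecure'
            self.assertEqual(warnings[0][:len(dir_prefix)], dir_prefix)
            self.assertEqual(warnings[1][:len(file_prefix)], file_prefix)

            infos = [call[0][0] for call in shell.LOG.info.call_args_list]
            self.assertEqual(len(infos), 2)
            self.assertEqual(infos[0], "The SGID bit is not "
                             "set on the StackStorm configuration directory.")
            self.assertEqual(infos[1], 'Skipping parsing CLI config')
        finally:
            # Best-effort cleanup; never mask the assertion that actually failed.
            shutil.rmtree(mock_temp_dir_path, ignore_errors=True)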
Esempio n. 4
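    def test_get_cached_auth_token_invalid_permissions(self):
        """Reading the cached token must fail closed (and warn) on bad permissions.

        Three cases run in sequence against one freshly written token file;
        ``shell.LOG`` is replaced by a new mock before each case so the
        ``warn.call_count`` assertion only sees that case:

        1. no read access to the config directory -> ``None`` plus a warning,
        2. directory readable but the token file not -> ``None`` plus a warning,
        3. token file readable by other users -> the token is still returned,
           but a "too permissive" warning is logged.

        The mode changes are undone in ``finally`` so tearDown can still remove
        the temporary config directory when an assertion fails half-way (a
        0o000 directory would otherwise block the cleanup).  Assumes the test
        process is not root, since root bypasses mode bits entirely.
        """
        shell = Shell()
        client = Client()
        username = '******'
        password = '******'
        config_dir_path = self._mock_config_directory_path

        cached_token_path = shell._get_cached_token_path_for_user(
            username=username)
        data = {
            'token': 'yayvalid',
            'expire_timestamp': (int(time.time()) + 20)
        }
        with open(cached_token_path, 'w') as fp:
            fp.write(json.dumps(data))

        # Permission bits only; the st_mode file-type bits are not chmod-able.
        orig_dir_mode = os.stat(config_dir_path).st_mode & 0o7777
        orig_file_mode = os.stat(cached_token_path).st_mode & 0o7777

        def lookup():
            # Fresh mock per case so call_count / call_args reflect only this case.
            shell.LOG = mock.Mock()
            return shell._get_cached_auth_token(client=client,
                                                username=username,
                                                password=password)

        def single_warning():
            # Exactly one warning per case; return its message for the regex check.
            self.assertEqual(shell.LOG.warn.call_count, 1)
            return shell.LOG.warn.call_args[0][0]

        try:
            # 1. Current user doesn't have read access to the config directory
            os.chmod(config_dir_path, 0o000)
            self.assertIsNone(lookup())

            expected_msg = (
                'Unable to retrieve cached token from .*? read access to the parent '
                'directory')
            # NOTE: assertRegexpMatches was removed in Python 3.12 (assertRegex replaces it).
            self.assertRegexpMatches(single_warning(), expected_msg)

            # 2. Read access on the directory, but not on the cached token file
            os.chmod(config_dir_path, 0o777)  # nosec
            os.chmod(cached_token_path, 0o000)
            self.assertIsNone(lookup())

            expected_msg = (
                'Unable to retrieve cached token from .*? read access to this file'
            )
            self.assertRegexpMatches(single_warning(), expected_msg)

            # 3. Other users also have read access to the file: the token is still
            #    usable, but the CLI must warn that the mode exposes it to other
            #    local users.
            os.chmod(config_dir_path, 0o777)  # nosec
            os.chmod(cached_token_path, 0o444)
            self.assertEqual(lookup(), 'yayvalid')

            expected_msg = (
                'Permissions .*? for cached token file .*? are too permissive.*')
            self.assertRegexpMatches(single_warning(), expected_msg)
        finally:
            # Parent first: a file under a 0o000 directory cannot be chmod'ed.
            os.chmod(config_dir_path, orig_dir_mode)
            os.chmod(cached_token_path, orig_file_mode)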