コード例 #1
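    def test_replace_user_string(self):
        """Check that `replace_user` replaces ``$USER`` with the payload's user.

        The cases pin a plain textual substitution: every occurrence of
        ``$USER`` is replaced, also when it is only the start of a longer
        token (``$USERNAME`` becomes ``<user>NAME``).
        """
        # Instantiated as in the original; the calls below go through the class.
        base = BaseCheck()

        # The user name has to be the one the assertions expect ("mal"); a
        # masked placeholder such as "******" would make every assertion
        # below fail.
        payload = Payload({
            "User": "mal",
            "RequestMethod": "POST",
            "RequestUri": "/v1.32/containers/create",
        })
        result = BaseCheck.replace_user("$USER-loves-me", payload)
        self.assertEqual(result, "mal-loves-me")

        # No word boundary is applied: "$USER" inside "$USERNAME" is replaced.
        result = BaseCheck.replace_user("$USERNAME-loves-me", payload)
        self.assertEqual(result, "malNAME-loves-me")

        result = BaseCheck.replace_user("do-you-think-$USER-loves-me", payload)
        self.assertEqual(result, "do-you-think-mal-loves-me")

        # Every occurrence is replaced, not only the first one.
        result = BaseCheck.replace_user("$USER-is-$USER", payload)
        self.assertEqual(result, "mal-is-mal")

        # A second payload with another user ("rda", as the assertion expects)
        # shows that the value comes from the payload passed in.
        payload = Payload({
            "User": "rda",
            "RequestMethod": "POST",
            "RequestUri": "/v1.32/containers/create",
        })
        result = BaseCheck.replace_user("$USER-loves-me", payload)
        self.assertEqual(result, "rda-loves-me")

        # NOTE(review): none of these cases uses a user name containing regex
        # metacharacters; if the substituted string is later compiled as a
        # pattern, confirm that the user name is escaped first.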
コード例 #2
    def test_payload_headers(self):
        """Minimal ``Payload`` construction and header access."""
        # Building a Payload without any argument must be refused.
        with self.assertRaises(InvalidRequestException):
            Payload()

        # With the MOCKED_MISSING_HEADERS fixture, get_headers() yields an
        # empty dict instead of raising.
        without_headers = Payload(payload=MOCKED_MISSING_HEADERS)
        headers = without_headers.get_headers()
        self.assertEqual(headers, {})
コード例 #3
    def test_empty_payload(self):
        """``ContainerName`` refuses an empty payload.

        :exc:`InvalidRequestException` is expected whether the rule is
        ``None`` or a match-anything pattern.
        """
        for rule in (None, ".*"):
            with self.assertRaises(InvalidRequestException):
                ContainerName().run(rule, Payload({}))
コード例 #4
    def test_name_not_defined(self):
        """``ImageName`` raises :exc:`InvalidRequestException` without a name.

        The PAYLOAD_BUILD_UNDEFINED fixture is refused for both patterns,
        including ``.*`` which would match an empty string.
        """
        for pattern in (".*", ".+"):
            with self.assertRaises(InvalidRequestException):
                ImageName().run(pattern, Payload(PAYLOAD_BUILD_UNDEFINED))
コード例 #5
    def test_decode_RequestBody(self):
        """``_decode_base64`` exposes the decoded request body."""
        payload = Payload(payload=MOCKED_BODY)
        result = payload._decode_base64(MOCKED_BODY)

        # Expected content of the "RequestBody" entry once decoded.
        expected_body = {'foo': 'bar'}
        self.assertEqual(expected_body, result["RequestBody"])
コード例 #6
    def test_connected_user(self):
        """Restrict a rule to the connected user through ``$USER``."""
        # PAYLOAD_FOOBAR passes with the anchored and with the bare pattern.
        for pattern in ("^$USER$", "$USER"):
            User().run(pattern, Payload(PAYLOAD_FOOBAR))

        # PAYLOAD_FOO passes with the bare pattern only.
        # NOTE(review): the bare form is accepted where the anchored one is
        # refused, so it is presumably applied as an unanchored match; rules
        # meant to require an exact identity should anchor the pattern -
        # confirm against User.run and the fixtures.
        User().run("$USER", Payload(PAYLOAD_FOO))
        with self.assertRaises(UnauthorizedException):
            User().run("^$USER$", Payload(PAYLOAD_FOO))
コード例 #7
    def test_name_not_defined(self):
        """Check ``ContainerName`` against PAYLOAD, described as having no name.

        ``.*`` is accepted while ``.+`` raises :exc:`UnauthorizedException`.
        """
        # This case could be interesting in the future...
        # ContainerName().run("^hard-.*", Payload(PAYLOAD))

        # NOTE(review): presumably the missing name is handled as an empty
        # string, so a rule meant to enforce a naming scheme needs a pattern
        # that cannot match empty input - confirm against ContainerName.run.
        ContainerName().run(".*", Payload(PAYLOAD))

        with self.assertRaises(UnauthorizedException):
            ContainerName().run(".+", Payload(PAYLOAD))
コード例 #8
    def test_empty_user(self):
        """An empty user is accepted by every rule tried here.

        Rules are given as a single pattern and as lists of patterns.
        """
        # NOTE(review): ".+" cannot match an empty string, so its acceptance
        # suggests the check is skipped when no user is present; confirm that
        # requests without an identity are refused elsewhere if that is the
        # intent.
        rules = (".*", ".+", [".*"], [".+"], [".*", ".+"])
        for rule in rules:
            User().run(rule, Payload(PAYLOAD_EMPTY))
コード例 #9
    def test_undefined_user(self):
        """An undefined user is accepted by every rule tried here.

        Rules are given as a single pattern and as lists of patterns.
        """
        # NOTE(review): even ".+" is accepted for PAYLOAD_UNDEFINED, so the
        # User check does not by itself reject a request lacking a user;
        # confirm such requests are handled by another control if needed.
        rules = (".*", ".+", [".*"], [".+"], [".*", ".+"])
        for rule in rules:
            User().run(rule, Payload(PAYLOAD_UNDEFINED))
コード例 #10
    def test_get_name_images_create(self):
        """``_get_name`` extracts name and tag from image-create payloads.

        Both fixtures (pull and import variants, going by their names) are
        expected to give ``traefik`` / ``alpine``.
        """
        for fixture in (PAYLOAD_CREATE_PULL, PAYLOAD_CREATE_IMPORT):
            image, version = ImageName()._get_name(Payload(fixture))
            self.assertEqual(image, "traefik")
            self.assertEqual(version, "alpine")
コード例 #11
    def test_get_uri(self):
        """``_get_uri`` returns the request URI, or ``None`` for no input."""
        payload = Payload(payload=MOCKED_BODY)

        # The URI is read from the "RequestUri" entry of the body.
        self.assertEqual(payload._get_uri(MOCKED_BODY), MOCKED_BODY['RequestUri'])

        # Passing None does not raise; the result is simply None.
        self.assertEqual(payload._get_uri(None), None)
コード例 #12
    def test_get_method(self):
        """``_get_method`` returns the request method and rejects ``None``."""
        payload = Payload(payload=MOCKED_BODY)

        # The method is read from the "RequestMethod" entry of the body.
        self.assertEqual(
            payload._get_method(MOCKED_BODY),
            MOCKED_BODY['RequestMethod'],
        )

        # A missing body is an invalid request rather than a None result.
        with self.assertRaises(InvalidRequestException):
            payload._get_method(None)
コード例 #13
    def test_get_name_images_export(self):
        """``_get_name`` extracts name and tag from image-export payloads.

        The registry host is kept as part of the name.
        """
        for fixture in (PAYLOAD_EXPORT, PAYLOAD_EXPORT_SINGLE):
            image, version = ImageName()._get_name(Payload(fixture))
            self.assertEqual(image, "registry.example.net/traefik")
            self.assertEqual(version, "alpine")
コード例 #14
    def test_name_can_be_a_list(self):
        """Names may be given as a list of patterns.

        In that case the entries are combined with an 'or': one matching
        entry is enough.
        """
        for fixture in (PAYLOAD_FOOBAR, PAYLOAD_USER):
            ContainerName().run(["^foo-.*", "^$USER-.*"], Payload(fixture))

        # With the dollar sign escaped, PAYLOAD_USER is refused; presumably
        # the escaped form is matched literally instead of being replaced by
        # the user name - confirm against the substitution code.
        escaped_rules = ["^foo-.*", r"^\$USER-.*"]
        with self.assertRaises(UnauthorizedException):
            ContainerName().run(escaped_rules, Payload(PAYLOAD_USER))
コード例 #15
    def test_tag_has_two_name(self):
        """The "tag" flag has two names.

        PAYLOAD_DUAL_NAME_1 is accepted and PAYLOAD_DUAL_NAME_2 refused, with
        the rule given as a string and as a one-element list.
        """
        for rule in ("^foo-.+", ["^foo-.+"]):
            ImageName().run(rule, Payload(PAYLOAD_DUAL_NAME_1))

        # NOTE(review): presumably one of the two names in the second fixture
        # does not match, which is enough for a refusal - confirm against
        # the fixture.
        for rule in ("^foo-.+", ["^foo-.+"]):
            with self.assertRaises(UnauthorizedException):
                ImageName().run(rule, Payload(PAYLOAD_DUAL_NAME_2))
コード例 #16
    def test_run_store_values(self):
        """``Payload`` keeps the user, method and URI of the body it was given."""
        # An explicit None body is refused at construction time.
        with self.assertRaises(InvalidRequestException):
            Payload(payload=None)

        stored = Payload(payload=MOCKED_BODY)
        self.assertNotEqual(stored.data, None)

        # Each attribute mirrors one entry of the original body.
        mirrored = (
            ("user", 'User'),
            ("method", 'RequestMethod'),
            ("uri", 'RequestUri'),
        )
        for attribute, key in mirrored:
            self.assertEqual(getattr(stored, attribute), MOCKED_BODY[key])
コード例 #17
    def test_payload_is_not_shared(self):
        """Two ``Payload`` objects built from different bodies keep separate data."""
        first = Payload(MOCKED_BODY)
        self.assertNotEqual(first.data, None)
        self.assertNotEqual(first.user, None)

        second = Payload(MOCKED_BODY_2)
        self.assertNotEqual(second.data, None)
        self.assertNotEqual(second.user, None)

        # Building the second object must not have overwritten the first:
        # the two data sets still differ.
        self.assertNotEqual(first.data, second.data)
コード例 #18
    def test_write_operation(self):
        """``ReadOnly`` refuses write operations.

        The POST, DELETE and PUT fixtures must each raise
        :exc:`UnauthorizedException`.
        """
        readonly = ReadOnly()

        # NOTE(review): only these three fixtures are exercised here; confirm
        # that any other state-changing method is covered by another test.
        for body in (MOCKED_POST_BODY, MOCKED_DELETE_BODY, MOCKED_PUT_BODY):
            with self.assertRaises(UnauthorizedException):
                readonly.run(Config(), Payload(body))
コード例 #19
    def test_tag_has_two_name_user(self):
        """``$USER`` replacement in an ``ImageName`` rule.

        Only PAYLOAD_DUAL_SOMEONE_1 satisfies ``^$USER-.+``; the other three
        fixtures are refused.
        """
        ImageName().run("^$USER-.+", Payload(PAYLOAD_DUAL_SOMEONE_1))

        refused = (
            PAYLOAD_DUAL_SOMEONE_2,
            PAYLOAD_DUAL_SOMEONE_3,
            PAYLOAD_DUAL_NAME_1,
        )
        for fixture in refused:
            with self.assertRaises(UnauthorizedException):
                ImageName().run("^$USER-.+", Payload(fixture))
コード例 #20
    def test_get_name_images_for_private_registry(self):
        """``_get_name`` keeps the registry host for private-registry images.

        The build, history and push fixtures all give
        ``registry.example.net/traefik`` with tag ``alpine``.
        """
        fixtures = (
            PAYLOAD_BUILD_PRIVATE,
            PAYLOAD_HISTORY_PRIVATE,
            PAYLOAD_PUSH_PRIVATE,
        )
        for fixture in fixtures:
            image, version = ImageName()._get_name(Payload(fixture))
            self.assertEqual(image, "registry.example.net/traefik")
            self.assertEqual(version, "alpine")
コード例 #21
 def test_get_name_images_export_multiple(self):
     """``_get_name`` returns one (name, tag) pair per exported image.

     For PAYLOAD_EXPORT_MULTIPLE the result unpacks into exactly two pairs.
     """
     names = ImageName()._get_name(Payload(PAYLOAD_EXPORT_MULTIPLE))
     first, second = names

     self.assertEqual(first, ("registry.example.net/traefik", "alpine"))
     # The second image is expected with the tag "latest".
     self.assertEqual(second, ("mariadb", "latest"))
コード例 #22
    def test_with_flag_false():
        """``Privileged`` accepts a payload whose privileged flag is false.

        Passing means that ``run`` returns without raising.
        """
        # NOTE(review): no ``self`` parameter although the definition sits at
        # method indentation - confirm how the enclosing scope invokes it.
        policy_config = Config(policies=POLICIES, groups=GROUPS)

        Privileged().run(policy_config, Payload(MOCKED_PRIVILEGED_FALSE))
コード例 #23
    def test_without_flag():
        """``Privileged`` accepts a payload that carries no privileged flag.

        Passing means that ``run`` returns without raising.
        """
        # NOTE(review): no ``self`` parameter although the definition sits at
        # method indentation - confirm how the enclosing scope invokes it.
        policy_config = Config(policies=POLICIES, groups=GROUPS)

        Privileged().run(policy_config, Payload(MOCKED_WITHOUT_PRIVILEGED))
コード例 #24
    def test_invalid_names(self):
        """Patterns that do not match the container name are refused.

        Each (pattern, fixture) pair must raise :exc:`UnauthorizedException`.
        """
        cases = (
            ("^foobar.*", PAYLOAD_FOOBAR),
            ("^bar-foo.*", PAYLOAD_FOOBAR),
            ("bar-foo", PAYLOAD_FOOBAR),
            ("^mega-hard-biture.*", PAYLOAD_SOMETHING),
            ("ard-bitur", PAYLOAD_SOMETHING),
        )
        for pattern, fixture in cases:
            with self.assertRaises(UnauthorizedException):
                ContainerName().run(pattern, Payload(fixture))
コード例 #25
    def test_get_name_images_build(self):
        """``_get_name`` extracts name and tag from image-build payloads."""
        # (fixture, expected name, expected tag); two fixtures give "latest",
        # presumably because they carry no explicit tag - confirm against
        # the fixtures.
        cases = (
            (PAYLOAD_BUILD_COMPLETE, "test", "latest"),
            (PAYLOAD_BUILD_FOOBAR, "foobar", "latest"),
            (PAYLOAD_BUILD_FOOBAR_TAG, "foobar", "something"),
        )
        for fixture, expected_name, expected_tag in cases:
            image, version = ImageName()._get_name(Payload(fixture))
            self.assertEqual(image, expected_name)
            self.assertEqual(version, expected_tag)

        # A build payload without a name is an invalid request.
        with self.assertRaises(InvalidRequestException):
            ImageName()._get_name(Payload(PAYLOAD_BUILD_UNDEFINED))
コード例 #26
    def test_process_simple_allow(cls):
        """``Processor._process`` lets a request through for an ``Allow`` check.

        Passing means that ``_process`` returns without raising.
        """
        # NOTE(review): the first parameter is named ``cls``; a decorator may
        # sit outside this excerpt - confirm.
        request = Payload(mocked_body)
        allow_check = Checks()._structure_convert({"Allow": None})

        Processor()._process(payload=request, check=allow_check)
コード例 #27
    def test_with_flag_true(self):
        """``Privileged`` refuses a payload whose privileged flag is true."""
        policy_config = Config(policies=POLICIES, groups=GROUPS)
        check = Privileged()

        # A privileged request must end in UnauthorizedException.
        with self.assertRaises(UnauthorizedException):
            check.run(policy_config, Payload(MOCKED_PRIVILEGED_TRUE))
コード例 #28
    def test_process_simple_deny(self):
        """``Processor._process`` refuses a request for a ``Deny`` check."""
        request = Payload(mocked_body)
        deny_check = Checks()._structure_convert({"Deny": None})
        processor = Processor()

        # The Deny check must surface as UnauthorizedException.
        with self.assertRaises(UnauthorizedException):
            processor._process(payload=request, check=deny_check)
コード例 #29
    def test_init(self):
        """Run ``BindMounts`` with minimal information.

        An empty payload is refused with :exc:`InvalidRequestException`,
        with or without rules; PAYLOAD_MINIMAL is accepted in both cases.
        """
        # Rules carry a "-" or "+" prefix before a path pattern; presumably
        # "-" denies and "+" allows the path - confirm against BindMounts.
        rules = [
            '-/.*',
            '+/foo',
            '-/foo/.*',
            '+/foo/bar',
        ]

        for argument in (None, rules):
            with self.assertRaises(InvalidRequestException):
                BindMounts().run(argument, Payload({}))

        for argument in (rules, None):
            BindMounts().run(argument, Payload(PAYLOAD_MINIMAL))
コード例 #30
    def test_process_unexistent_check_action(self):
        """``Processor._process`` raises for a check name that does not exist.

        An unknown check surfaces as :exc:`NoSuchCheckModuleException`
        instead of being ignored.
        """
        request = Payload(mocked_body)
        unknown_check = Checks()._structure_convert(
            {"SomethingThatIsnotDefied": None}
        )
        processor = Processor()

        with self.assertRaises(NoSuchCheckModuleException):
            processor._process(payload=request, check=unknown_check)