def test_named_parameter_escaping(self): # no sudo kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = OrderedDict([ ('key1', 'value foo bar'), ('key2', 'value "bar" foo'), ('key3', 'date ; whoami'), ('key4', '"date ; whoami"'), ]) action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = self._get_fixture('escaping_test_command_1.txt') self.assertEqual(command, expected) # sudo kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = True kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = OrderedDict([ ('key1', 'value foo bar'), ('key2', 'value "bar" foo'), ('key3', 'date ; whoami'), ('key4', '"date ; whoami"'), ]) action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = self._get_fixture('escaping_test_command_2.txt') self.assertEqual(command, expected)
def generate_arg(st2_arg, value): dummy_action = ShellScriptAction('', '', '') # noinspection PyProtectedMember arg = dummy_action._get_script_arguments(named_args={st2_arg: value}) arg = ' '.join(shlex.split(arg)) return arg
def test_various_ascii_parameters(self): kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = {'foo1': 'bar1', 'foo2': 'bar2'} kwargs['positional_args'] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, u"/tmp/foo.sh foo1=bar1 foo2=bar2")
def test_unicode_parameter_specifing(self): kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = {u'foo': u'bar'} kwargs['positional_args'] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, u"/tmp/foo.sh 'foo'='bar'")
def test_various_ascii_parameters(self): kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = {"foo1": "bar1", "foo2": "bar2"} kwargs["positional_args"] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, "/tmp/foo.sh foo1=bar1 foo2=bar2")
def test_unicode_parameter_specifing(self): kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = {"foo": "bar"} kwargs["positional_args"] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, "/tmp/foo.sh 'foo'='bar'")
def test_user_argument(self): # User is the same as logged user, no sudo should be used kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, '/tmp/foo.sh') # User is different, sudo should be used kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, 'sudo -E -u mauser -- bash -c /tmp/foo.sh') # sudo is used, it doesn't matter what user is specified since the # command should run as root kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = True kwargs['user'] = '******' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, 'sudo -E -- bash -c /tmp/foo.sh')
def test_named_parameter_escaping(self): # no sudo kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = { 'key1': 'value foo bar', 'key2': 'value "bar" foo', 'key3': 'date ; whoami', 'key4': '"date ; whoami"', } action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = self._get_fixture('escaping_test_command_1.txt') self.assertEqual(command, expected) # sudo kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = True kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = { 'key1': 'value foo bar', 'key2': 'value "bar" foo', 'key3': 'date ; whoami', 'key4': '"date ; whoami"', } action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = self._get_fixture('escaping_test_command_2.txt') self.assertEqual(command, expected)
def test_named_parameter_escaping(self): # no sudo kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = OrderedDict([ ("key1", "value foo bar"), ("key2", 'value "bar" foo'), ("key3", "date ; whoami"), ("key4", '"date ; whoami"'), ]) action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = self._get_fixture("escaping_test_command_1.txt") self.assertEqual(command, expected) # sudo kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = True kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = OrderedDict([ ("key1", "value foo bar"), ("key2", 'value "bar" foo'), ("key3", "date ; whoami"), ("key4", '"date ; whoami"'), ]) action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = self._get_fixture("escaping_test_command_2.txt") self.assertEqual(command, expected)
def run(self, action_parameters): if not self.entry_point: raise ValueError('Missing entry_point action metadata attribute') script_local_path_abs = self.entry_point positional_args, named_args = self._get_script_args(action_parameters) named_args = self._transform_named_args(named_args) action = ShellScriptAction(name=self.action_name, action_exec_id=str(self.liveaction_id), script_local_path_abs=script_local_path_abs, named_args=named_args, positional_args=positional_args, user=self._user, env_vars=self._env, sudo=self._sudo, timeout=self._timeout, cwd=self._cwd, sudo_password=self._sudo_password) return self._run(action=action)
def run(self, action_parameters): LOG.debug(' action_parameters = %s', action_parameters) env_vars = self._env if not self.entry_point: script_action = False command = self.runner_parameters.get(RUNNER_COMMAND, None) action = ShellCommandAction(name=self.action_name, action_exec_id=str(self.liveaction_id), command=command, user=self._user, env_vars=env_vars, sudo=self._sudo, timeout=self._timeout) else: script_action = True script_local_path_abs = self.entry_point positional_args, named_args = self._get_script_args(action_parameters) named_args = self._transform_named_args(named_args) action = ShellScriptAction(name=self.action_name, action_exec_id=str(self.liveaction_id), script_local_path_abs=script_local_path_abs, named_args=named_args, positional_args=positional_args, user=self._user, env_vars=env_vars, sudo=self._sudo, timeout=self._timeout, cwd=self._cwd) args = action.get_full_command_string() # For consistency with the old Fabric based runner, make sure the file is executable if script_action: args = 'chmod +x %s ; %s' % (script_local_path_abs, args) env = os.environ.copy() # Include user provided env vars (if any) env.update(env_vars) # Make sure os.setsid is called on each spawned process so that all processes # are in the same group. process = subprocess.Popen(args=args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, cwd=self._cwd, env=env, preexec_fn=os.setsid) error_holder = {} def on_timeout_expired(timeout): try: process.wait(timeout=self._timeout) except subprocess.TimeoutExpired: # Set the error prior to kill the process else the error is not picked up due # to eventlet scheduling. error_holder['error'] = 'Action failed to complete in %s seconds' % (self._timeout) # Action has timed out, kill the process and propagate the error. The process # is started as sudo -u {{system_user}} -- bash -c {{command}}. Introduction of the # bash means that multiple independent processes are spawned without them being # children of the process we have access to and this requires use of pkill. # Ideally os.killpg should have done the trick but for some reason that failed. # Note: pkill will set the returncode to 143 so we don't need to explicitly set # it to some non-zero value. try: killcommand = shlex.split('sudo pkill -TERM -s %s' % process.pid) subprocess.call(killcommand) except: LOG.exception('Unable to pkill.') timeout_expiry = eventlet.spawn(on_timeout_expired, self._timeout) stdout, stderr = process.communicate() timeout_expiry.cancel() error = error_holder.get('error', None) exit_code = process.returncode succeeded = (exit_code == 0) result = { 'failed': not succeeded, 'succeeded': succeeded, 'return_code': exit_code, 'stdout': stdout, 'stderr': stderr } if error: result['error'] = error status = LIVEACTION_STATUS_SUCCEEDED if exit_code == 0 else LIVEACTION_STATUS_FAILED return (status, jsonify.json_loads(result, LocalShellRunner.KEYS_TO_TRANSFORM), None)
def test_command_construction_with_parameters(self): # same user, named args, no positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = {'key1': 'value1', 'key2': 'value2'} kwargs['positional_args'] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, '/tmp/foo.sh key2=value2 key1=value1') # different user, named args, no positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['named_args'] = {'key1': 'value1', 'key2': 'value2'} kwargs['positional_args'] = '' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = 'sudo -E -u mauser -- bash -c \'/tmp/foo.sh key2=value2 key1=value1\'' self.assertEqual(command, expected) # same user, positional args, no named args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = {} kwargs['positional_args'] = 'ein zwei drei' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, '/tmp/foo.sh ein zwei drei') # different user, named args, positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['named_args'] = {} kwargs['positional_args'] = 'ein zwei drei' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = 'sudo -E -u mauser -- bash -c \'/tmp/foo.sh ein zwei drei\'' self.assertEqual(command, expected) # same user, positional and named args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = {'key1': 'value1', 'key2': 'value2'} kwargs['positional_args'] = 'ein zwei drei' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, '/tmp/foo.sh key2=value2 key1=value1 ein zwei drei') # different user, positional and named args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['named_args'] = {'key1': 'value1', 'key2': 'value2'} kwargs['positional_args'] = 'ein zwei drei' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = ('sudo -E -u mauser -- bash -c \'/tmp/foo.sh key2=value2 ' 'key1=value1 ein zwei drei\'') self.assertEqual(command, expected)
def test_command_construction_correct_default_parameter_values_are_used(self): runner_parameters = {} action_db_parameters = { 'project': { 'type': 'string', 'default': 'st2', 'position': 0, }, 'version': { 'type': 'string', 'position': 1, 'required': True }, 'fork': { 'type': 'string', 'position': 2, 'default': 'StackStorm', }, 'branch': { 'type': 'string', 'position': 3, 'default': 'master', }, 'update_changelog': { 'type': 'boolean', 'position': 4, 'default': False }, 'local_repo': { 'type': 'string', 'position': 5, } } context = {} action_db = ActionDB(pack='dummy', name='action') runner = LocalShellScriptRunner('id') runner.runner_parameters = {} runner.action = action_db # 1. All default values used live_action_db_parameters = { 'project': 'st2flow', 'version': '3.0.0', 'fork': 'StackStorm', 'local_repo': '/tmp/repo' } runner_params, action_params = param_utils.render_final_params(runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual(action_params, { 'project': 'st2flow', 'version': '3.0.0', 'fork': 'StackStorm', 'branch': 'master', # default value used 'update_changelog': False, # default value used 'local_repo': '/tmp/repo' }) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction(name='dummy', action_exec_id='dummy', script_local_path_abs='/tmp/local.sh', named_args=named_args, positional_args=positional_args) command_string = shell_script_action.get_full_command_string() expected = '/tmp/local.sh st2flow 3.0.0 StackStorm master 0 /tmp/repo' self.assertEqual(command_string, expected) # 2. Some default values used live_action_db_parameters = { 'project': 'st2web', 'version': '3.1.0', 'fork': 'StackStorm1', 'update_changelog': True, 'local_repo': '/tmp/repob' } runner_params, action_params = param_utils.render_final_params(runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual(action_params, { 'project': 'st2web', 'version': '3.1.0', 'fork': 'StackStorm1', 'branch': 'master', # default value used 'update_changelog': True, # default value used 'local_repo': '/tmp/repob' }) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction(name='dummy', action_exec_id='dummy', script_local_path_abs='/tmp/local.sh', named_args=named_args, positional_args=positional_args) command_string = shell_script_action.get_full_command_string() expected = '/tmp/local.sh st2web 3.1.0 StackStorm1 master 1 /tmp/repob' self.assertEqual(command_string, expected) # 3. None is specified for a boolean parameter, should use a default live_action_db_parameters = { 'project': 'st2rbac', 'version': '3.2.0', 'fork': 'StackStorm2', 'update_changelog': None, 'local_repo': '/tmp/repoc' } runner_params, action_params = param_utils.render_final_params(runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual(action_params, { 'project': 'st2rbac', 'version': '3.2.0', 'fork': 'StackStorm2', 'branch': 'master', # default value used 'update_changelog': False, # default value used 'local_repo': '/tmp/repoc' }) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction(name='dummy', action_exec_id='dummy', script_local_path_abs='/tmp/local.sh', named_args=named_args, positional_args=positional_args) command_string = shell_script_action.get_full_command_string() expected = '/tmp/local.sh st2rbac 3.2.0 StackStorm2 master 0 /tmp/repoc' self.assertEqual(command_string, expected)
def test_user_argument(self): # User is the same as logged user, no sudo should be used kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = LOGGED_USER_USERNAME action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, "/tmp/foo.sh") # User is different, sudo should be used kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = "******" action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, "sudo -E -H -u mauser -- bash -c /tmp/foo.sh") # sudo with password kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = "******" kwargs["sudo_password"] = "******" action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected_command = "sudo -S -E -H -u mauser -- bash -c /tmp/foo.sh" self.assertEqual(command, expected_command) # complex sudo password which needs escaping kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = "******" kwargs["sudo_password"] = "******"sss" action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected_command = "sudo -S -E -H " "-u mauser -- bash -c /tmp/foo.sh" self.assertEqual(command, expected_command) command = action.get_sanitized_full_command_string() expected_command = ("echo -e '%s\n' | sudo -S -E -H " "-u mauser -- bash -c /tmp/foo.sh" % (MASKED_ATTRIBUTE_VALUE)) self.assertEqual(command, expected_command) # sudo is used, it doesn't matter what user is specified since the # command should run as root kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = True kwargs["user"] = "******" kwargs["sudo_password"] = "******" action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected_command = "sudo -S -E -- bash -c /tmp/foo.sh" self.assertEqual(command, expected_command)
def test_command_construction_with_parameters(self): # same user, named args, no positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = OrderedDict([("key1", "value1"), ("key2", "value2")]) kwargs["positional_args"] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, "/tmp/foo.sh key1=value1 key2=value2") # same user, named args, no positional args, sudo password kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = True kwargs["sudo_password"] = "******" kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = OrderedDict([("key1", "value1"), ("key2", "value2")]) kwargs["positional_args"] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = "sudo -S -E -- bash -c " "'/tmp/foo.sh key1=value1 key2=value2'" self.assertEqual(command, expected) # different user, named args, no positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = "******" kwargs["named_args"] = OrderedDict([("key1", "value1"), ("key2", "value2")]) kwargs["positional_args"] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = ( "sudo -E -H -u mauser -- bash -c '/tmp/foo.sh key1=value1 key2=value2'" ) self.assertEqual(command, expected) # different user, named args, no positional args, sudo password kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["sudo_password"] = "******" kwargs["user"] = "******" kwargs["named_args"] = OrderedDict([("key1", "value1"), ("key2", "value2")]) kwargs["positional_args"] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = ("sudo -S -E -H -u mauser -- bash -c " "'/tmp/foo.sh key1=value1 key2=value2'") self.assertEqual(command, expected) # same user, positional args, no named args kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = {} kwargs["positional_args"] = [ "ein", "zwei", "drei", "mamma mia", "foo\nbar" ] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, "/tmp/foo.sh ein zwei drei 'mamma mia' 'foo\nbar'") # different user, named args, positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = "******" kwargs["named_args"] = {} kwargs["positional_args"] = ["ein", "zwei", "drei", "mamma mia"] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() ex = ("sudo -E -H -u mauser -- " "bash -c '/tmp/foo.sh ein zwei drei '\"'\"'mamma mia'\"'\"''") self.assertEqual(command, ex) # same user, positional and named args kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = LOGGED_USER_USERNAME kwargs["named_args"] = OrderedDict([("key1", "value1"), ("key2", "value2"), ("key3", "value 3")]) kwargs["positional_args"] = ["ein", "zwei", "drei"] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() exp = "/tmp/foo.sh key1=value1 key2=value2 key3='value 3' ein zwei drei" self.assertEqual(command, exp) # different user, positional and named args kwargs = copy.deepcopy(self._base_kwargs) kwargs["sudo"] = False kwargs["user"] = "******" kwargs["named_args"] = OrderedDict([("key1", "value1"), ("key2", "value2"), ("key3", "value 3")]) kwargs["positional_args"] = ["ein", "zwei", "drei"] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = ( "sudo -E -H -u mauser -- bash -c '/tmp/foo.sh key1=value1 key2=value2 " "key3='\"'\"'value 3'\"'\"' ein zwei drei'") self.assertEqual(command, expected)
def test_command_construction_correct_default_parameter_values_are_used(self): runner_parameters = {} action_db_parameters = { 'project': { 'type': 'string', 'default': 'st2', 'position': 0, }, 'version': { 'type': 'string', 'position': 1, 'required': True }, 'fork': { 'type': 'string', 'position': 2, 'default': 'StackStorm', }, 'branch': { 'type': 'string', 'position': 3, 'default': 'master', }, 'update_mistral': { 'type': 'boolean', 'position': 4, 'default': False }, 'update_changelog': { 'type': 'boolean', 'position': 5, 'default': False }, 'local_repo': { 'type': 'string', 'position': 6, } } context = {} action_db = ActionDB(pack='dummy', name='action') runner = LocalShellScriptRunner('id') runner.runner_parameters = {} runner.action = action_db # 1. All default values used live_action_db_parameters = { 'project': 'st2flow', 'version': '3.0.0', 'fork': 'StackStorm', 'local_repo': '/tmp/repo' } runner_params, action_params = param_utils.render_final_params(runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual(action_params, { 'project': 'st2flow', 'version': '3.0.0', 'fork': 'StackStorm', 'branch': 'master', # default value used 'update_mistral': False, # default value used 'update_changelog': False, # default value used 'local_repo': '/tmp/repo' }) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction(name='dummy', action_exec_id='dummy', script_local_path_abs='/tmp/local.sh', named_args=named_args, positional_args=positional_args) command_string = shell_script_action.get_full_command_string() expected = '/tmp/local.sh st2flow 3.0.0 StackStorm master 0 0 /tmp/repo' self.assertEqual(command_string, expected) # 2. Some default values used live_action_db_parameters = { 'project': 'st2web', 'version': '3.1.0', 'fork': 'StackStorm1', 'update_changelog': True, 'local_repo': '/tmp/repob' } runner_params, action_params = param_utils.render_final_params(runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual(action_params, { 'project': 'st2web', 'version': '3.1.0', 'fork': 'StackStorm1', 'branch': 'master', # default value used 'update_mistral': False, # default value used 'update_changelog': True, # default value used 'local_repo': '/tmp/repob' }) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction(name='dummy', action_exec_id='dummy', script_local_path_abs='/tmp/local.sh', named_args=named_args, positional_args=positional_args) command_string = shell_script_action.get_full_command_string() expected = '/tmp/local.sh st2web 3.1.0 StackStorm1 master 0 1 /tmp/repob' self.assertEqual(command_string, expected) # 3. None is specified for a boolean parameter, should use a default live_action_db_parameters = { 'project': 'st2rbac', 'version': '3.2.0', 'fork': 'StackStorm2', 'update_changelog': None, 'local_repo': '/tmp/repoc' } runner_params, action_params = param_utils.render_final_params(runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual(action_params, { 'project': 'st2rbac', 'version': '3.2.0', 'fork': 'StackStorm2', 'branch': 'master', # default value used 'update_mistral': False, # default value used 'update_changelog': False, # default value used 'local_repo': '/tmp/repoc' }) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction(name='dummy', action_exec_id='dummy', script_local_path_abs='/tmp/local.sh', named_args=named_args, positional_args=positional_args) command_string = shell_script_action.get_full_command_string() expected = '/tmp/local.sh st2rbac 3.2.0 StackStorm2 master 0 0 /tmp/repoc' self.assertEqual(command_string, expected)
def run(self, action_parameters): env_vars = self._env if not self.entry_point: script_action = False command = self.runner_parameters.get(RUNNER_COMMAND, None) action = ShellCommandAction(name=self.action_name, action_exec_id=str(self.liveaction_id), command=command, user=self._user, env_vars=env_vars, sudo=self._sudo, timeout=self._timeout) else: script_action = True script_local_path_abs = self.entry_point positional_args, named_args = self._get_script_args( action_parameters) named_args = self._transform_named_args(named_args) action = ShellScriptAction( name=self.action_name, action_exec_id=str(self.liveaction_id), script_local_path_abs=script_local_path_abs, named_args=named_args, positional_args=positional_args, user=self._user, env_vars=env_vars, sudo=self._sudo, timeout=self._timeout, cwd=self._cwd) args = action.get_full_command_string() # For consistency with the old Fabric based runner, make sure the file is executable if script_action: args = 'chmod +x %s ; %s' % (script_local_path_abs, args) env = os.environ.copy() # Include user provided env vars (if any) env.update(env_vars) # Include common st2 env vars st2_env_vars = self._get_common_action_env_variables() env.update(st2_env_vars) LOG.info('Executing action via LocalRunner: %s', self.runner_id) LOG.info( '[Action info] name: %s, Id: %s, command: %s, user: %s, sudo: %s' % (action.name, action.action_exec_id, args, action.user, action.sudo)) # Make sure os.setsid is called on each spawned process so that all processes # are in the same group. # Process is started as sudo -u {{system_user}} -- bash -c {{command}}. Introduction of the # bash means that multiple independent processes are spawned without them being # children of the process we have access to and this requires use of pkill. # Ideally os.killpg should have done the trick but for some reason that failed. # Note: pkill will set the returncode to 143 so we don't need to explicitly set # it to some non-zero value. exit_code, stdout, stderr, timed_out = run_command( cmd=args, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, cwd=self._cwd, env=env, timeout=self._timeout, preexec_func=os.setsid, kill_func=kill_process) error = None if timed_out: error = 'Action failed to complete in %s seconds' % (self._timeout) exit_code = -9 succeeded = (exit_code == 0) result = { 'failed': not succeeded, 'succeeded': succeeded, 'return_code': exit_code, 'stdout': strip_shell_chars(stdout), 'stderr': strip_shell_chars(stderr) } if error: result['error'] = error if exit_code == 0: status = LIVEACTION_STATUS_SUCCEEDED elif timed_out: status = LIVEACTION_STATUS_TIMED_OUT else: status = LIVEACTION_STATUS_FAILED return (status, jsonify.json_loads(result, LocalShellRunner.KEYS_TO_TRANSFORM), None)
def test_command_construction_correct_default_parameter_values_are_used( self): runner_parameters = {} action_db_parameters = { "project": { "type": "string", "default": "st2", "position": 0, }, "version": { "type": "string", "position": 1, "required": True }, "fork": { "type": "string", "position": 2, "default": "StackStorm", }, "branch": { "type": "string", "position": 3, "default": "master", }, "update_changelog": { "type": "boolean", "position": 4, "default": False }, "local_repo": { "type": "string", "position": 5, }, } context = {} action_db = ActionDB(pack="dummy", name="action") runner = LocalShellScriptRunner("id") runner.runner_parameters = {} runner.action = action_db # 1. All default values used live_action_db_parameters = { "project": "st2flow", "version": "3.0.0", "fork": "StackStorm", "local_repo": "/tmp/repo", } runner_params, action_params = param_utils.render_final_params( runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual( action_params, { "project": "st2flow", "version": "3.0.0", "fork": "StackStorm", "branch": "master", # default value used "update_changelog": False, # default value used "local_repo": "/tmp/repo", }, ) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction( name="dummy", action_exec_id="dummy", script_local_path_abs="/tmp/local.sh", named_args=named_args, positional_args=positional_args, ) command_string = shell_script_action.get_full_command_string() expected = "/tmp/local.sh st2flow 3.0.0 StackStorm master 0 /tmp/repo" self.assertEqual(command_string, expected) # 2. Some default values used live_action_db_parameters = { "project": "st2web", "version": "3.1.0", "fork": "StackStorm1", "update_changelog": True, "local_repo": "/tmp/repob", } runner_params, action_params = param_utils.render_final_params( runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual( action_params, { "project": "st2web", "version": "3.1.0", "fork": "StackStorm1", "branch": "master", # default value used "update_changelog": True, # default value used "local_repo": "/tmp/repob", }, ) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction( name="dummy", action_exec_id="dummy", script_local_path_abs="/tmp/local.sh", named_args=named_args, positional_args=positional_args, ) command_string = shell_script_action.get_full_command_string() expected = "/tmp/local.sh st2web 3.1.0 StackStorm1 master 1 /tmp/repob" self.assertEqual(command_string, expected) # 3. None is specified for a boolean parameter, should use a default live_action_db_parameters = { "project": "st2rbac", "version": "3.2.0", "fork": "StackStorm2", "update_changelog": None, "local_repo": "/tmp/repoc", } runner_params, action_params = param_utils.render_final_params( runner_parameters, action_db_parameters, live_action_db_parameters, context) self.assertDictEqual( action_params, { "project": "st2rbac", "version": "3.2.0", "fork": "StackStorm2", "branch": "master", # default value used "update_changelog": False, # default value used "local_repo": "/tmp/repoc", }, ) action_db.parameters = action_db_parameters positional_args, named_args = runner._get_script_args(action_params) named_args = runner._transform_named_args(named_args) shell_script_action = ShellScriptAction( name="dummy", action_exec_id="dummy", script_local_path_abs="/tmp/local.sh", named_args=named_args, positional_args=positional_args, ) command_string = shell_script_action.get_full_command_string() expected = "/tmp/local.sh st2rbac 3.2.0 StackStorm2 master 0 /tmp/repoc" self.assertEqual(command_string, expected)
def test_command_construction_with_parameters(self): # same user, named args, no positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = OrderedDict([ ('key1', 'value1'), ('key2', 'value2') ]) kwargs['positional_args'] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, '/tmp/foo.sh key1=value1 key2=value2') # same user, named args, no positional args, sudo password kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = True kwargs['sudo_password'] = '******' kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = OrderedDict([ ('key1', 'value1'), ('key2', 'value2') ]) kwargs['positional_args'] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = ('sudo -S -E -- bash -c ' '\'/tmp/foo.sh key1=value1 key2=value2\'') self.assertEqual(command, expected) # different user, named args, no positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['named_args'] = OrderedDict([ ('key1', 'value1'), ('key2', 'value2') ]) kwargs['positional_args'] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = 'sudo -E -H -u mauser -- bash -c \'/tmp/foo.sh key1=value1 key2=value2\'' self.assertEqual(command, expected) # different user, named args, no positional args, sudo password kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['sudo_password'] = '******' kwargs['user'] = '******' kwargs['named_args'] = OrderedDict([ ('key1', 'value1'), ('key2', 'value2') ]) kwargs['positional_args'] = [] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = ('sudo -S -E -H -u mauser -- bash -c ' '\'/tmp/foo.sh key1=value1 key2=value2\'') self.assertEqual(command, expected) # same user, positional args, no named args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = {} kwargs['positional_args'] = ['ein', 'zwei', 'drei', 'mamma mia', 'foo\nbar'] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, '/tmp/foo.sh ein zwei drei \'mamma mia\' \'foo\nbar\'') # different user, named args, positional args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['named_args'] = {} kwargs['positional_args'] = ['ein', 'zwei', 'drei', 'mamma mia'] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() ex = ('sudo -E -H -u mauser -- ' 'bash -c \'/tmp/foo.sh ein zwei drei \'"\'"\'mamma mia\'"\'"\'\'') self.assertEqual(command, ex) # same user, positional and named args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME kwargs['named_args'] = OrderedDict([ ('key1', 'value1'), ('key2', 'value2'), ('key3', 'value 3') ]) kwargs['positional_args'] = ['ein', 'zwei', 'drei'] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() exp = '/tmp/foo.sh key1=value1 key2=value2 key3=\'value 3\' ein zwei drei' self.assertEqual(command, exp) # different user, positional and named args kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['named_args'] = OrderedDict([ ('key1', 'value1'), ('key2', 'value2'), ('key3', 'value 3') ]) kwargs['positional_args'] = ['ein', 'zwei', 'drei'] action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected = ('sudo -E -H -u mauser -- bash -c \'/tmp/foo.sh key1=value1 key2=value2 ' 'key3=\'"\'"\'value 3\'"\'"\' ein zwei drei\'') self.assertEqual(command, expected)
def test_user_argument(self): # User is the same as logged user, no sudo should be used kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = LOGGED_USER_USERNAME action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, '/tmp/foo.sh') # User is different, sudo should be used kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() self.assertEqual(command, 'sudo -E -H -u mauser -- bash -c /tmp/foo.sh') # sudo with password kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['sudo_password'] = '******' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected_command = 'sudo -S -E -H -u mauser -- bash -c /tmp/foo.sh' self.assertEqual(command, expected_command) # complex sudo password which needs escaping kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = False kwargs['user'] = '******' kwargs['sudo_password'] = '******'as"sss' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected_command = ('sudo -S -E -H ' '-u mauser -- bash -c /tmp/foo.sh') self.assertEqual(command, expected_command) command = action.get_sanitized_full_command_string() expected_command = ('echo -e \'%s\n\' | sudo -S -E -H ' '-u mauser -- bash -c /tmp/foo.sh' % (MASKED_ATTRIBUTE_VALUE)) self.assertEqual(command, expected_command) # sudo is used, it doesn't matter what user is specified since the # command should run as root kwargs = copy.deepcopy(self._base_kwargs) kwargs['sudo'] = True kwargs['user'] = '******' kwargs['sudo_password'] = '******' action = ShellScriptAction(**kwargs) command = action.get_full_command_string() expected_command = 'sudo -S -E -- bash -c /tmp/foo.sh' self.assertEqual(command, expected_command)
def run(self, action_parameters): env_vars = self._env if not self.entry_point: script_action = False command = self.runner_parameters.get(RUNNER_COMMAND, None) action = ShellCommandAction(name=self.action_name, action_exec_id=str(self.liveaction_id), command=command, user=self._user, env_vars=env_vars, sudo=self._sudo, timeout=self._timeout, sudo_password=self._sudo_password) else: script_action = True script_local_path_abs = self.entry_point positional_args, named_args = self._get_script_args(action_parameters) named_args = self._transform_named_args(named_args) action = ShellScriptAction(name=self.action_name, action_exec_id=str(self.liveaction_id), script_local_path_abs=script_local_path_abs, named_args=named_args, positional_args=positional_args, user=self._user, env_vars=env_vars, sudo=self._sudo, timeout=self._timeout, cwd=self._cwd, sudo_password=self._sudo_password) args = action.get_full_command_string() sanitized_args = action.get_sanitized_full_command_string() # For consistency with the old Fabric based runner, make sure the file is executable if script_action: args = 'chmod +x %s ; %s' % (script_local_path_abs, args) sanitized_args = 'chmod +x %s ; %s' % (script_local_path_abs, sanitized_args) env = os.environ.copy() # Include user provided env vars (if any) env.update(env_vars) # Include common st2 env vars st2_env_vars = self._get_common_action_env_variables() env.update(st2_env_vars) LOG.info('Executing action via LocalRunner: %s', self.runner_id) LOG.info('[Action info] name: %s, Id: %s, command: %s, user: %s, sudo: %s' % (action.name, action.action_exec_id, sanitized_args, action.user, action.sudo)) stdout = StringIO() stderr = StringIO() store_execution_stdout_line = functools.partial(store_execution_output_data, output_type='stdout') store_execution_stderr_line = functools.partial(store_execution_output_data, output_type='stderr') read_and_store_stdout = make_read_and_store_stream_func(execution_db=self.execution, action_db=self.action, store_data_func=store_execution_stdout_line) read_and_store_stderr = make_read_and_store_stream_func(execution_db=self.execution, action_db=self.action, store_data_func=store_execution_stderr_line) # If sudo password is provided, pass it to the subprocess via stdin> # Note: We don't need to explicitly escape the argument because we pass command as a list # to subprocess.Popen and all the arguments are escaped by the function. if self._sudo_password: LOG.debug('Supplying sudo password via stdin') echo_process = subprocess.Popen(['echo', self._sudo_password + '\n'], stdout=subprocess.PIPE) stdin = echo_process.stdout else: stdin = None # Make sure os.setsid is called on each spawned process so that all processes # are in the same group. # Process is started as sudo -u {{system_user}} -- bash -c {{command}}. Introduction of the # bash means that multiple independent processes are spawned without them being # children of the process we have access to and this requires use of pkill. # Ideally os.killpg should have done the trick but for some reason that failed. # Note: pkill will set the returncode to 143 so we don't need to explicitly set # it to some non-zero value. exit_code, stdout, stderr, timed_out = shell.run_command(cmd=args, stdin=stdin, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True, cwd=self._cwd, env=env, timeout=self._timeout, preexec_func=os.setsid, kill_func=kill_process, read_stdout_func=read_and_store_stdout, read_stderr_func=read_and_store_stderr, read_stdout_buffer=stdout, read_stderr_buffer=stderr) error = None if timed_out: error = 'Action failed to complete in %s seconds' % (self._timeout) exit_code = -1 * exit_code_constants.SIGKILL_EXIT_CODE # Detect if user provided an invalid sudo password or sudo is not configured for that user if self._sudo_password: if re.search('sudo: \d+ incorrect password attempts', stderr): match = re.search('\[sudo\] password for (.+?)\:', stderr) if match: username = match.groups()[0] else: username = '******' error = ('Invalid sudo password provided or sudo is not configured for this user ' '(%s)' % (username)) exit_code = -1 succeeded = (exit_code == exit_code_constants.SUCCESS_EXIT_CODE) result = { 'failed': not succeeded, 'succeeded': succeeded, 'return_code': exit_code, 'stdout': strip_shell_chars(stdout), 'stderr': strip_shell_chars(stderr) } if error: result['error'] = error status = PROC_EXIT_CODE_TO_LIVEACTION_STATUS_MAP.get( str(exit_code), action_constants.LIVEACTION_STATUS_FAILED ) return (status, jsonify.json_loads(result, LocalShellRunner.KEYS_TO_TRANSFORM), None)