class SecurityInterfaceTestCase(unittest.TestCase): """Test DBus interface for the Security module.""" def setUp(self): """Set up the security module.""" # Set up the security module. self.security_module = SecurityService() self.security_interface = SecurityInterface(self.security_module) # Connect to the properties changed signal. self.callback = PropertiesChangedCallback() self.security_interface.PropertiesChanged.connect(self.callback) def _check_dbus_property(self, *args, **kwargs): check_dbus_property(SECURITY, self.security_interface, *args, **kwargs) def test_kickstart_properties(self): """Test kickstart properties.""" assert self.security_interface.KickstartCommands == \ ["authselect", "selinux", "realm"] assert self.security_interface.KickstartSections == [] assert self.security_interface.KickstartAddons == [] self.callback.assert_not_called() def test_selinux_property(self): """Test the selinux property.""" self._check_dbus_property("SELinux", SELINUX_ENFORCING) def test_authselect_property(self): """Test the authselect property.""" self._check_dbus_property("Authselect", ["sssd", "with-mkhomedir"]) def test_fingerprint_auth_enabled(self): """Test the fingerprint_auth_enabled property.""" self._check_dbus_property("FingerprintAuthEnabled", True) def test_realm_property(self): """Test the realm property.""" realm = { "name": get_variant(Str, "domain.example.com"), "discover-options": get_variant(List[Str], ["--client-software=sssd"]), "join-options": get_variant(List[Str], ["--one-time-password=password"]), "discovered": get_variant(Bool, True), "required-packages": get_variant(List[Str], []) } self._check_dbus_property("Realm", realm) def _test_kickstart(self, ks_in, ks_out): check_kickstart_interface(self.security_interface, ks_in, ks_out) def test_no_kickstart(self): """Test with no kickstart.""" ks_in = None ks_out = "" self._test_kickstart(ks_in, ks_out) def test_kickstart_empty(self): """Test with empty string.""" ks_in = "" ks_out = "" self._test_kickstart(ks_in, ks_out) def test_selinux_kickstart(self): """Test the selinux command.""" ks_in = """ selinux --permissive """ ks_out = """ # SELinux configuration selinux --permissive """ self._test_kickstart(ks_in, ks_out) def test_authselect_kickstart(self): """Test the authselect command.""" ks_in = """ authselect select sssd with-mkhomedir """ ks_out = """ # System authorization information authselect select sssd with-mkhomedir """ self._test_kickstart(ks_in, ks_out) def test_realm_kickstart(self): """Test the realm command.""" ks_in = """ realm join --one-time-password=password --client-software=sssd domain.example.com """ ks_out = """ # Realm or domain membership realm join --one-time-password=password --client-software=sssd domain.example.com """ self._test_kickstart(ks_in, ks_out) @patch_dbus_publish_object def test_realm_discover_default(self, publisher): """Test module in default state with realm discover task.""" realm_discover_task_path = self.security_interface.DiscoverRealmWithTask( ) obj = check_task_creation(realm_discover_task_path, publisher, RealmDiscoverTask) assert obj.implementation._realm_data.name == "" assert obj.implementation._realm_data.discover_options == [] @patch_dbus_publish_object def test_realm_discover_configured(self, publisher): """Test module in configured state with realm discover task.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] self.security_interface.SetRealm(RealmData.to_structure(realm)) realm_discover_task_path = self.security_interface.DiscoverRealmWithTask( ) obj = check_task_creation(realm_discover_task_path, publisher, RealmDiscoverTask) assert obj.implementation._realm_data.name == "domain.example.com" assert obj.implementation._realm_data.discover_options == [ "--client-software=sssd" ] @patch_dbus_publish_object def test_install_with_tasks_default(self, publisher): """Test InstallWithTasks.""" task_classes = [ ConfigureSELinuxTask, ConfigureFingerprintAuthTask, ConfigureAuthselectTask, ] task_paths = self.security_interface.InstallWithTasks() task_objs = check_task_creation_list(task_paths, publisher, task_classes) # ConfigureSELinuxTask obj = task_objs[0] assert obj.implementation._selinux_mode == SELinuxMode.DEFAULT # ConfigureFingerprintAuthTask obj = task_objs[1] assert obj.implementation._fingerprint_auth_enabled is False # ConfigureAuthselectTask obj = task_objs[2] assert obj.implementation._authselect_options == [] @patch_dbus_publish_object def test_realm_join_default(self, publisher): """Test module in default state with realm join task.""" realm_join_task_path = self.security_interface.JoinRealmWithTask() obj = check_task_creation(realm_join_task_path, publisher, RealmJoinTask) assert obj.implementation._realm_data.discovered is False assert obj.implementation._realm_data.name == "" assert obj.implementation._realm_data.join_options == [] @patch_dbus_publish_object def test_install_with_tasks_configured(self, publisher): """Test install tasks - module in configured state.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] realm.join_options = ["--one-time-password=password"] realm.discovered = True authselect = ['select', 'sssd'] fingerprint = True self.security_interface.SetRealm(RealmData.to_structure(realm)) self.security_interface.SetSELinux(SELINUX_PERMISSIVE) self.security_interface.SetAuthselect(authselect) self.security_interface.SetFingerprintAuthEnabled(fingerprint) task_classes = [ ConfigureSELinuxTask, ConfigureFingerprintAuthTask, ConfigureAuthselectTask, ] task_paths = self.security_interface.InstallWithTasks() task_objs = check_task_creation_list(task_paths, publisher, task_classes) # ConfigureSELinuxTask obj = task_objs[0] assert obj.implementation._selinux_mode == SELinuxMode.PERMISSIVE # ConfigureFingerprintAuthTask obj = task_objs[1] assert obj.implementation._fingerprint_auth_enabled == fingerprint # ConfigureAuthselectTask obj = task_objs[2] assert obj.implementation._authselect_options == authselect @patch_dbus_publish_object def test_realm_join_configured(self, publisher): """Test module in configured state with realm join task.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] realm.join_options = ["--one-time-password=password"] realm.discovered = True self.security_interface.SetRealm(RealmData.to_structure(realm)) realm_join_task_path = self.security_interface.JoinRealmWithTask() obj = check_task_creation(realm_join_task_path, publisher, RealmJoinTask) assert obj.implementation._realm_data.discovered is True assert obj.implementation._realm_data.name == "domain.example.com" assert obj.implementation._realm_data.join_options == [ "--one-time-password=password" ] @patch_dbus_publish_object def test_realm_data_propagation(self, publisher): """Test that realm data changes propagate to realm join task.""" # We connect to the realm_changed signal and update the realm data holder # in the realm join task when the signal is triggered. realm1 = RealmData() realm1.name = "domain.example.com" realm1.discover_options = ["--client-software=sssd"] realm1.discovered = False self.security_interface.SetRealm(RealmData.to_structure(realm1)) realm_join_task_path = self.security_interface.JoinRealmWithTask() # realm join - after task creation obj = check_task_creation(realm_join_task_path, publisher, RealmJoinTask) assert obj.implementation._realm_data.discovered is False assert obj.implementation._realm_data.name == "domain.example.com" assert obj.implementation._realm_data.join_options == [] # change realm data and check the changes propagate to the realm join task realm2 = RealmData() realm2.name = "domain.example.com" realm2.discover_options = ["--client-software=sssd"] realm2.join_options = ["--one-time-password=password"] realm2.discovered = True self.security_interface.SetRealm(RealmData.to_structure(realm2)) # realm join - after realm data update assert obj.implementation._realm_data.discovered is True assert obj.implementation._realm_data.name == "domain.example.com" assert obj.implementation._realm_data.join_options == [ "--one-time-password=password" ] @patch_dbus_publish_object def test_preconfigure_fips_with_task(self, publisher): """Test the PreconfigureFIPSWithTask method.""" task_path = self.security_interface.PreconfigureFIPSWithTask( PAYLOAD_TYPE_DNF) obj = check_task_creation(task_path, publisher, PreconfigureFIPSTask) assert obj.implementation._sysroot == "/mnt/sysroot" assert obj.implementation._payload_type == PAYLOAD_TYPE_DNF assert obj.implementation._fips_enabled is False @patch_dbus_publish_object def test_configure_fips_with_task(self, publisher): """Test the ConfigureFIPSWithTask method.""" task_path = self.security_interface.ConfigureFIPSWithTask() obj = check_task_creation(task_path, publisher, ConfigureFIPSTask) assert obj.implementation._sysroot == "/mnt/sysroot" assert obj.implementation._fips_enabled is False def test_collect_requirements_default(self): """Test requrements are empty by default.""" reqs = self.security_interface.CollectRequirements() assert reqs == [] @patch("pyanaconda.modules.security.security.kernel_arguments") def test_fips_requirements(self, kernel_arguments_mock): """Test the package requirements for fips.""" kernel_arguments_mock.is_enabled.return_value = True assert self.security_interface.CollectRequirements() == [{ "type": get_variant(Str, "package"), "name": get_variant(Str, "/usr/bin/fips-mode-setup"), "reason": get_variant(Str, "Required for FIPS compliance.") }] kernel_arguments_mock.is_enabled.assert_called_once_with("fips") def test_realmd_requirements(self): """Test that package requirements in realm data propagate correctly.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] realm.join_options = ["--one-time-password=password"] realm.discovered = True realm.required_packages = ["realmd", "foo", "bar"] self.security_interface.SetRealm(RealmData.to_structure(realm)) # check that the teamd package is requested assert self.security_interface.CollectRequirements() == [{ "type": get_variant(Str, "package"), "name": get_variant(Str, "realmd"), "reason": get_variant(Str, "Needed to join a realm.") }, { "type": get_variant(Str, "package"), "name": get_variant(Str, "foo"), "reason": get_variant(Str, "Needed to join a realm.") }, { "type": get_variant(Str, "package"), "name": get_variant(Str, "bar"), "reason": get_variant(Str, "Needed to join a realm.") }] def test_authselect_requirements(self): """Test that package requirements for authselect propagate correctly.""" self.security_interface.SetAuthselect(['select', 'sssd']) requirements = Requirement.from_structure_list( self.security_interface.CollectRequirements()) assert len(requirements) == 1 assert requirements[0].type == "package" assert requirements[0].name == "authselect" self.security_interface.SetAuthselect([]) self.security_interface.SetFingerprintAuthEnabled(True) requirements = Requirement.from_structure_list( self.security_interface.CollectRequirements()) assert len(requirements) == 1 assert requirements[0].type == "package" assert requirements[0].name == "authselect"
class SecurityInterfaceTestCase(unittest.TestCase): """Test DBus interface for the Security module.""" def setUp(self): """Set up the security module.""" # Set up the security module. self.security_module = SecurityService() self.security_interface = SecurityInterface(self.security_module) # Connect to the properties changed signal. self.callback = PropertiesChangedCallback() self.security_interface.PropertiesChanged.connect(self.callback) def _check_dbus_property(self, *args, **kwargs): check_dbus_property(self, SECURITY, self.security_interface, *args, **kwargs) def kickstart_properties_test(self): """Test kickstart properties.""" self.assertEqual( self.security_interface.KickstartCommands, ["auth", "authconfig", "authselect", "selinux", "realm"]) self.assertEqual(self.security_interface.KickstartSections, []) self.assertEqual(self.security_interface.KickstartAddons, []) self.callback.assert_not_called() def selinux_property_test(self): """Test the selinux property.""" self._check_dbus_property("SELinux", SELINUX_ENFORCING) def authselect_property_test(self): """Test the authselect property.""" self._check_dbus_property("Authselect", ["sssd", "with-mkhomedir"]) def authconfig_property_test(self): """Test the authconfig property.""" self._check_dbus_property("Authconfig", ["--passalgo=sha512", "--useshadow"]) def fingerprint_auth_enabled_test(self): """Test the fingerprint_auth_enabled property.""" self._check_dbus_property("FingerprintAuthEnabled", True) def realm_property_test(self): """Test the realm property.""" realm = { "name": get_variant(Str, "domain.example.com"), "discover-options": get_variant(List[Str], ["--client-software=sssd"]), "join-options": get_variant(List[Str], ["--one-time-password=password"]), "discovered": get_variant(Bool, True), "required-packages": get_variant(List[Str], []) } self._check_dbus_property("Realm", realm) def _test_kickstart(self, ks_in, ks_out): check_kickstart_interface(self, self.security_interface, ks_in, ks_out) def no_kickstart_test(self): """Test with no kickstart.""" ks_in = None ks_out = "" self._test_kickstart(ks_in, ks_out) def kickstart_empty_test(self): """Test with empty string.""" ks_in = "" ks_out = "" self._test_kickstart(ks_in, ks_out) def selinux_kickstart_test(self): """Test the selinux command.""" ks_in = """ selinux --permissive """ ks_out = """ # SELinux configuration selinux --permissive """ self._test_kickstart(ks_in, ks_out) def auth_kickstart_test(self): """Test the auth command.""" ks_in = """ auth --passalgo=sha512 --useshadow """ ks_out = """ # System authorization information auth --passalgo=sha512 --useshadow """ self._test_kickstart(ks_in, ks_out) def authconfig_kickstart_test(self): """Test the authconfig command.""" ks_in = """ authconfig --passalgo=sha512 --useshadow """ ks_out = """ # System authorization information auth --passalgo=sha512 --useshadow """ self._test_kickstart(ks_in, ks_out) def authselect_kickstart_test(self): """Test the authselect command.""" ks_in = """ authselect select sssd with-mkhomedir """ ks_out = """ # System authorization information authselect select sssd with-mkhomedir """ self._test_kickstart(ks_in, ks_out) def realm_kickstart_test(self): """Test the realm command.""" ks_in = """ realm join --one-time-password=password --client-software=sssd domain.example.com """ ks_out = """ # Realm or domain membership realm join --one-time-password=password --client-software=sssd domain.example.com """ self._test_kickstart(ks_in, ks_out) @patch_dbus_publish_object def realm_discover_default_test(self, publisher): """Test module in default state with realm discover task.""" realm_discover_task_path = self.security_interface.DiscoverRealmWithTask( ) obj = check_task_creation(self, realm_discover_task_path, publisher, RealmDiscoverTask) self.assertEqual(obj.implementation._realm_data.name, "") self.assertEqual(obj.implementation._realm_data.discover_options, []) @patch_dbus_publish_object def realm_discover_configured_test(self, publisher): """Test module in configured state with realm discover task.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] self.security_interface.SetRealm(RealmData.to_structure(realm)) realm_discover_task_path = self.security_interface.DiscoverRealmWithTask( ) obj = check_task_creation(self, realm_discover_task_path, publisher, RealmDiscoverTask) self.assertEqual(obj.implementation._realm_data.name, "domain.example.com") self.assertEqual(obj.implementation._realm_data.discover_options, ["--client-software=sssd"]) @patch_dbus_publish_object def install_with_tasks_default_test(self, publisher): """Test InstallWithTasks.""" task_classes = [ ConfigureSELinuxTask, ConfigureFingerprintAuthTask, ConfigureAuthselectTask, ConfigureAuthconfigTask, ] task_paths = self.security_interface.InstallWithTasks() task_objs = check_task_creation_list(self, task_paths, publisher, task_classes) # ConfigureSELinuxTask obj = task_objs[0] self.assertEqual(obj.implementation._selinux_mode, SELinuxMode.DEFAULT) # ConfigureFingerprintAuthTask obj = task_objs[1] self.assertEqual(obj.implementation._fingerprint_auth_enabled, False) # ConfigureAuthselectTask obj = task_objs[2] self.assertEqual(obj.implementation._authselect_options, []) # ConfigureAuthconfigTask obj = task_objs[3] self.assertEqual(obj.implementation._authconfig_options, []) @patch_dbus_publish_object def realm_join_default_test(self, publisher): """Test module in default state with realm join task.""" realm_join_task_path = self.security_interface.JoinRealmWithTask() obj = check_task_creation(self, realm_join_task_path, publisher, RealmJoinTask) self.assertEqual(obj.implementation._realm_data.discovered, False) self.assertEqual(obj.implementation._realm_data.name, "") self.assertEqual(obj.implementation._realm_data.join_options, []) @patch_dbus_publish_object def install_with_tasks_configured_test(self, publisher): """Test install tasks - module in configured state.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] realm.join_options = ["--one-time-password=password"] realm.discovered = True authselect = ['select', 'sssd'] authconfig = ['--passalgo=sha512', '--useshadow'] fingerprint = True self.security_interface.SetRealm(RealmData.to_structure(realm)) self.security_interface.SetSELinux(SELINUX_PERMISSIVE) self.security_interface.SetAuthselect(authselect) self.security_interface.SetAuthconfig(authconfig) self.security_interface.SetFingerprintAuthEnabled(fingerprint) task_classes = [ ConfigureSELinuxTask, ConfigureFingerprintAuthTask, ConfigureAuthselectTask, ConfigureAuthconfigTask, ] task_paths = self.security_interface.InstallWithTasks() task_objs = check_task_creation_list(self, task_paths, publisher, task_classes) # ConfigureSELinuxTask obj = task_objs[0] self.assertEqual(obj.implementation._selinux_mode, SELinuxMode.PERMISSIVE) # ConfigureFingerprintAuthTask obj = task_objs[1] self.assertEqual(obj.implementation._fingerprint_auth_enabled, fingerprint) # ConfigureAuthselectTask obj = task_objs[2] self.assertEqual(obj.implementation._authselect_options, authselect) # ConfigureAuthconfigTask obj = task_objs[3] self.assertEqual(obj.implementation._authconfig_options, authconfig) @patch_dbus_publish_object def realm_join_configured_test(self, publisher): """Test module in configured state with realm join task.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] realm.join_options = ["--one-time-password=password"] realm.discovered = True self.security_interface.SetRealm(RealmData.to_structure(realm)) realm_join_task_path = self.security_interface.JoinRealmWithTask() obj = check_task_creation(self, realm_join_task_path, publisher, RealmJoinTask) self.assertEqual(obj.implementation._realm_data.discovered, True) self.assertEqual(obj.implementation._realm_data.name, "domain.example.com") self.assertEqual(obj.implementation._realm_data.join_options, ["--one-time-password=password"]) @patch_dbus_publish_object def realm_data_propagation_test(self, publisher): """Test that realm data changes propagate to realm join task.""" # We connect to the realm_changed signal and update the realm data holder # in the realm join task when the signal is triggered. realm1 = RealmData() realm1.name = "domain.example.com" realm1.discover_options = ["--client-software=sssd"] realm1.discovered = False self.security_interface.SetRealm(RealmData.to_structure(realm1)) realm_join_task_path = self.security_interface.JoinRealmWithTask() # realm join - after task creation obj = check_task_creation(self, realm_join_task_path, publisher, RealmJoinTask) self.assertEqual(obj.implementation._realm_data.discovered, False) self.assertEqual(obj.implementation._realm_data.name, "domain.example.com") self.assertEqual(obj.implementation._realm_data.join_options, []) # change realm data and check the changes propagate to the realm join task realm2 = RealmData() realm2.name = "domain.example.com" realm2.discover_options = ["--client-software=sssd"] realm2.join_options = ["--one-time-password=password"] realm2.discovered = True self.security_interface.SetRealm(RealmData.to_structure(realm2)) # realm join - after realm data update self.assertEqual(obj.implementation._realm_data.discovered, True) self.assertEqual(obj.implementation._realm_data.name, "domain.example.com") self.assertEqual(obj.implementation._realm_data.join_options, ["--one-time-password=password"]) def collect_requirements_default_test(self): """Test requrements are empty by default.""" reqs = self.security_interface.CollectRequirements() self.assertListEqual(reqs, []) def realmd_requirements_test(self): """Test that package requirements in realm data propagate correctly.""" realm = RealmData() realm.name = "domain.example.com" realm.discover_options = ["--client-software=sssd"] realm.join_options = ["--one-time-password=password"] realm.discovered = True realm.required_packages = ["realmd", "foo", "bar"] self.security_interface.SetRealm(RealmData.to_structure(realm)) # check that the teamd package is requested self.assertEqual( self.security_interface.CollectRequirements(), [{ "type": get_variant(Str, "package"), "name": get_variant(Str, "realmd"), "reason": get_variant(Str, "Needed to join a realm.") }, { "type": get_variant(Str, "package"), "name": get_variant(Str, "foo"), "reason": get_variant(Str, "Needed to join a realm.") }, { "type": get_variant(Str, "package"), "name": get_variant(Str, "bar"), "reason": get_variant(Str, "Needed to join a realm.") }]) def authselect_requirements_test(self): """Test that package requirements for authselect propagate correctly.""" self.security_interface.SetAuthconfig( ['--passalgo=sha512', '--useshadow']) requirements = Requirement.from_structure_list( self.security_interface.CollectRequirements()) self.assertEqual(len(requirements), 1) self.assertEqual(requirements[0].type, "package") self.assertEqual(requirements[0].name, "authselect-compat") self.security_interface.SetAuthconfig([]) self.security_interface.SetAuthselect(['select', 'sssd']) requirements = Requirement.from_structure_list( self.security_interface.CollectRequirements()) self.assertEqual(len(requirements), 1) self.assertEqual(requirements[0].type, "package") self.assertEqual(requirements[0].name, "authselect") self.security_interface.SetAuthconfig([]) self.security_interface.SetAuthselect([]) self.security_interface.SetFingerprintAuthEnabled(True) requirements = Requirement.from_structure_list( self.security_interface.CollectRequirements()) self.assertEqual(len(requirements), 1) self.assertEqual(requirements[0].type, "package") self.assertEqual(requirements[0].name, "authselect")