def test_get_cached_auth_token_invalid_permissions(self): shell = Shell() client = Client() username = '******' password = '******' cached_token_path = shell._get_cached_token_path_for_user(username=username) data = { 'token': 'yayvalid', 'expire_timestamp': (int(time.time()) + 20) } with open(cached_token_path, 'w') as fp: fp.write(json.dumps(data)) # 1. Current user doesn't have read access to the config directory os.chmod(self._mock_config_directory_path, 0000) shell.LOG = mock.Mock() result = shell._get_cached_auth_token(client=client, username=username, password=password) self.assertEqual(result, None) self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ('Unable to retrieve cached token from .*? read access to the parent ' 'directory') self.assertRegexpMatches(log_message, expected_msg) # 2. Read access on the directory, but not on the cached token file os.chmod(self._mock_config_directory_path, 0777) # nosec os.chmod(cached_token_path, 0000) shell.LOG = mock.Mock() result = shell._get_cached_auth_token(client=client, username=username, password=password) self.assertEqual(result, None) self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ('Unable to retrieve cached token from .*? read access to this file') self.assertRegexpMatches(log_message, expected_msg) # 3. Other users also have read access to the file os.chmod(self._mock_config_directory_path, 0777) # nosec os.chmod(cached_token_path, 0444) shell.LOG = mock.Mock() result = shell._get_cached_auth_token(client=client, username=username, password=password) self.assertEqual(result, 'yayvalid') self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ('Permissions .*? for cached token file .*? are to permissive') self.assertRegexpMatches(log_message, expected_msg)
def test_cache_auth_token_invalid_permissions(self): shell = Shell() username = '******' cached_token_path = shell._get_cached_token_path_for_user(username=username) expiry = datetime.datetime.utcnow() + datetime.timedelta(seconds=30) token_db = TokenDB(user=username, token='fyeah', expiry=expiry) cached_token_path = shell._get_cached_token_path_for_user(username=username) data = { 'token': 'yayvalid', 'expire_timestamp': (int(time.time()) + 20) } with open(cached_token_path, 'w') as fp: fp.write(json.dumps(data)) # 1. Current user has no write access to the parent directory os.chmod(self._mock_config_directory_path, 0000) shell.LOG = mock.Mock() shell._cache_auth_token(token_obj=token_db) self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ('Unable to write token to .*? doesn\'t have write access to the parent ' 'directory') self.assertRegexpMatches(log_message, expected_msg) # 2. Current user has no write access to the cached token file os.chmod(self._mock_config_directory_path, 0777) # nosec os.chmod(cached_token_path, 0000) shell.LOG = mock.Mock() shell._cache_auth_token(token_obj=token_db) self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ('Unable to write token to .*? doesn\'t have write access to this file') self.assertRegexpMatches(log_message, expected_msg)
def test_dont_warn_multiple_times(self): mock_temp_dir_path = tempfile.mkdtemp() mock_config_dir_path = os.path.join(mock_temp_dir_path, 'testconfig') mock_config_path = os.path.join(mock_config_dir_path, 'config') # Make the temporary config directory os.makedirs(mock_config_dir_path) old_perms = os.stat(mock_config_dir_path).st_mode new_perms = old_perms | 0o7 os.chmod(mock_config_dir_path, new_perms) # Make the temporary config file shutil.copyfile(CONFIG_FILE_PATH_FULL, mock_config_path) os.chmod(mock_config_path, 0o777) # nosec shell = Shell() shell.LOG = mock.Mock() # Test without token. shell.run(['--config-file', mock_config_path, 'action', 'list']) self.assertEqual(shell.LOG.warn.call_count, 2) self.assertEqual( shell.LOG.warn.call_args_list[0][0][0][:63], 'The StackStorm configuration directory permissions are insecure') self.assertEqual( shell.LOG.warn.call_args_list[1][0][0][:58], 'The StackStorm configuration file permissions are insecure') self.assertEqual(shell.LOG.info.call_count, 2) self.assertEqual( shell.LOG.info.call_args_list[0][0][0], "The SGID bit is not " "set on the StackStorm configuration directory.") self.assertEqual( shell.LOG.info.call_args_list[1][0][0], 'Skipping parsing CLI config')
def test_get_cached_auth_token_invalid_permissions(self): shell = Shell() client = Client() username = '******' password = '******' cached_token_path = shell._get_cached_token_path_for_user( username=username) data = { 'token': 'yayvalid', 'expire_timestamp': (int(time.time()) + 20) } with open(cached_token_path, 'w') as fp: fp.write(json.dumps(data)) # 1. Current user doesn't have read access to the config directory os.chmod(self._mock_config_directory_path, 0o000) shell.LOG = mock.Mock() result = shell._get_cached_auth_token(client=client, username=username, password=password) self.assertEqual(result, None) self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ( 'Unable to retrieve cached token from .*? read access to the parent ' 'directory') self.assertRegexpMatches(log_message, expected_msg) # 2. Read access on the directory, but not on the cached token file os.chmod(self._mock_config_directory_path, 0o777) # nosec os.chmod(cached_token_path, 0o000) shell.LOG = mock.Mock() result = shell._get_cached_auth_token(client=client, username=username, password=password) self.assertEqual(result, None) self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ( 'Unable to retrieve cached token from .*? read access to this file' ) self.assertRegexpMatches(log_message, expected_msg) # 3. Other users also have read access to the file os.chmod(self._mock_config_directory_path, 0o777) # nosec os.chmod(cached_token_path, 0o444) shell.LOG = mock.Mock() result = shell._get_cached_auth_token(client=client, username=username, password=password) self.assertEqual(result, 'yayvalid') self.assertEqual(shell.LOG.warn.call_count, 1) log_message = shell.LOG.warn.call_args[0][0] expected_msg = ( 'Permissions .*? for cached token file .*? are too permissive.*') self.assertRegexpMatches(log_message, expected_msg)