Exemplo n.º 1
0
    def setUp(self):
        """Set up the security module."""
        # Set up the security module.
        self.security_module = SecurityService()
        self.security_interface = SecurityInterface(self.security_module)

        # Connect to the properties changed signal.
        self.callback = Mock()
        self.security_interface.PropertiesChanged.connect(self.callback)
Exemplo n.º 2
0
 def publish(self):
     """Publish the module."""
     TaskContainer.set_namespace(SECURITY.namespace)
     DBus.publish_object(SECURITY.object_path, SecurityInterface(self))
     DBus.register_service(SECURITY.service_name)
Exemplo n.º 3
0
class SecurityInterfaceTestCase(unittest.TestCase):
    """Test DBus interface for the Security module."""

    def setUp(self):
        """Set up the security module."""
        # Set up the security module.
        self.security_module = SecurityService()
        self.security_interface = SecurityInterface(self.security_module)

        # Connect to the properties changed signal.
        self.callback = Mock()
        self.security_interface.PropertiesChanged.connect(self.callback)

    def kickstart_properties_test(self):
        """Test kickstart properties."""
        self.assertEqual(self.security_interface.KickstartCommands,
                         ["auth", "authconfig", "authselect", "selinux", "realm"])
        self.assertEqual(self.security_interface.KickstartSections, [])
        self.assertEqual(self.security_interface.KickstartAddons, [])
        self.callback.assert_not_called()

    def selinux_property_test(self):
        """Test the selinux property."""
        self.security_interface.SetSELinux(SELINUX_ENFORCING)
        self.assertEqual(self.security_interface.SELinux, SELINUX_ENFORCING)
        self.callback.assert_called_once_with(SECURITY.interface_name, {'SELinux': SELINUX_ENFORCING}, [])

    def authselect_property_test(self):
        """Test the authselect property."""
        self.security_interface.SetAuthselect(["sssd", "with-mkhomedir"])
        self.assertEqual(self.security_interface.Authselect, ["sssd", "with-mkhomedir"])
        self.callback.assert_called_once_with(SECURITY.interface_name, {'Authselect': ["sssd", "with-mkhomedir"]}, [])

    def authconfig_property_test(self):
        """Test the authconfig property."""
        self.security_interface.SetAuthconfig(["--passalgo=sha512", "--useshadow"])
        self.assertEqual(self.security_interface.Authconfig, ["--passalgo=sha512", "--useshadow"])
        self.callback.assert_called_once_with(SECURITY.interface_name, {'Authconfig': ["--passalgo=sha512", "--useshadow"]}, [])

    def realm_property_test(self):
        """Test the realm property."""
        realm_in = {
            "name": "domain.example.com",
            "discover-options": ["--client-software=sssd"],
            "join-options": ["--one-time-password=password"],
            "discovered": True
        }

        realm_out = {
            "name": get_variant(Str, "domain.example.com"),
            "discover-options": get_variant(List[Str], ["--client-software=sssd"]),
            "join-options": get_variant(List[Str], ["--one-time-password=password"]),
            "discovered": get_variant(Bool, True),
            "required-packages": get_variant(List[Str], [])
        }

        self.security_interface.SetRealm(realm_in)
        self.assertEqual(realm_out, self.security_interface.Realm)
        self.callback.assert_called_once_with(SECURITY.interface_name, {'Realm': realm_out}, [])

    def _test_kickstart(self, ks_in, ks_out):
        check_kickstart_interface(self, self.security_interface, ks_in, ks_out)

    def no_kickstart_test(self):
        """Test with no kickstart."""
        ks_in = None
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def kickstart_empty_test(self):
        """Test with empty string."""
        ks_in = ""
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def selinux_kickstart_test(self):
        """Test the selinux command."""
        ks_in = """
        selinux --permissive
        """
        ks_out = """
        # SELinux configuration
        selinux --permissive
        """
        self._test_kickstart(ks_in, ks_out)

    def auth_kickstart_test(self):
        """Test the auth command."""
        ks_in = """
        auth --passalgo=sha512 --useshadow
        """
        ks_out = """
        # System authorization information
        auth --passalgo=sha512 --useshadow
        """
        self._test_kickstart(ks_in, ks_out)

    def authconfig_kickstart_test(self):
        """Test the authconfig command."""
        ks_in = """
        authconfig --passalgo=sha512 --useshadow
        """
        ks_out = """
        # System authorization information
        auth --passalgo=sha512 --useshadow
        """
        self._test_kickstart(ks_in, ks_out)

    def authselect_kickstart_test(self):
        """Test the authselect command."""
        ks_in = """
        authselect select sssd with-mkhomedir
        """
        ks_out = """
        # System authorization information
        authselect select sssd with-mkhomedir
        """
        self._test_kickstart(ks_in, ks_out)

    def realm_kickstart_test(self):
        """Test the realm command."""
        ks_in = """
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        ks_out = """
        # Realm or domain membership
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        self._test_kickstart(ks_in, ks_out)

    @patch_dbus_publish_object
    def realm_discover_default_test(self, publisher):
        """Test module in default state with realm discover task."""
        realm_discover_task_path = self.security_interface.DiscoverRealmWithTask()

        publisher.assert_called()

        # realm discover
        obj = check_task_creation(self, realm_discover_task_path, publisher, RealmDiscoverTask)
        self.assertEqual(obj.implementation._realm_data.name, "")
        self.assertEqual(obj.implementation._realm_data.discover_options, [])

    @patch_dbus_publish_object
    def realm_discover_configured_test(self, publisher):
        """Test module in configured state with realm discover task."""

        realm_in = {
            "name": "domain.example.com",
            "discover-options": ["--client-software=sssd"],
        }

        self.security_interface.SetRealm(realm_in)

        realm_discover_task_path = self.security_interface.DiscoverRealmWithTask()

        publisher.assert_called()

        # realm discover
        obj = check_task_creation(self, realm_discover_task_path, publisher, RealmDiscoverTask)
        self.assertEqual(obj.implementation._realm_data.name, "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.discover_options, ["--client-software=sssd"])

    @patch_dbus_publish_object
    def install_with_tasks_default_test(self, publisher):
        """Test install tasks - module in default state."""
        tasks = self.security_interface.InstallWithTasks()
        selinux_task_path = tasks[0]

        publisher.assert_called()

        # SELinux configuration
        object_path = publisher.call_args_list[0][0][0]
        obj = publisher.call_args_list[0][0][1]

        self.assertEqual(selinux_task_path, object_path)
        self.assertIsInstance(obj, TaskInterface)
        self.assertIsInstance(obj.implementation, ConfigureSELinuxTask)
        self.assertEqual(obj.implementation._selinux_mode, SELinuxMode.DEFAULT)

    @patch_dbus_publish_object
    def realm_join_default_test(self, publisher):
        """Test module in default state with realm join task."""

        realm_join_task_path = self.security_interface.JoinRealmWithTask()

        publisher.assert_called()

        # realm join
        obj = check_task_creation(self, realm_join_task_path, publisher, RealmJoinTask)
        self.assertEqual(obj.implementation._realm_data.discovered, False)
        self.assertEqual(obj.implementation._realm_data.name, "")
        self.assertEqual(obj.implementation._realm_data.join_options, [])

    @patch_dbus_publish_object
    def install_with_tasks_configured_test(self, publisher):
        """Test install tasks - module in configured state."""

        realm_in = {
            "name": "domain.example.com",
            "discover-options": ["--client-software=sssd"],
            "join-options": ["--one-time-password=password"],
            "discovered": True
        }

        self.security_interface.SetRealm(realm_in)
        self.security_interface.SetSELinux(SELINUX_PERMISSIVE)

        tasks = self.security_interface.InstallWithTasks()
        selinux_task_path = tasks[0]

        publisher.assert_called()

        # SELinux configuration
        object_path = publisher.call_args_list[0][0][0]
        obj = publisher.call_args_list[0][0][1]

        self.assertEqual(selinux_task_path, object_path)
        self.assertIsInstance(obj, TaskInterface)
        self.assertIsInstance(obj.implementation, ConfigureSELinuxTask)
        self.assertEqual(obj.implementation._selinux_mode, SELinuxMode.PERMISSIVE)

    @patch_dbus_publish_object
    def realm_join_configured_test(self, publisher):
        """Test module in configured state with realm join task."""

        realm_in = {
            "name": "domain.example.com",
            "discover-options": ["--client-software=sssd"],
            "join-options": ["--one-time-password=password"],
            "discovered": True
        }

        self.security_interface.SetRealm(realm_in)

        realm_join_task_path = self.security_interface.JoinRealmWithTask()

        publisher.assert_called()

        # realm join
        obj = check_task_creation(self, realm_join_task_path, publisher, RealmJoinTask)
        self.assertEqual(obj.implementation._realm_data.discovered, True)
        self.assertEqual(obj.implementation._realm_data.name, "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.join_options, ["--one-time-password=password"])

    @patch_dbus_publish_object
    def realm_data_propagation_test(self, publisher):
        """Test that realm data changes propagate to realm join task."""

        # We connect to the realm_changed signal and update the realm data holder
        # in the realm join task when the signal is triggered.

        realm_in_1 = {
            "name": "domain.example.com",
            "discover-options": ["--client-software=sssd"],
            "discovered": False
        }

        self.security_interface.SetRealm(realm_in_1)

        realm_join_task_path = self.security_interface.JoinRealmWithTask()

        publisher.assert_called()

        # realm join - after task creation
        obj = check_task_creation(self, realm_join_task_path, publisher, RealmJoinTask)
        self.assertEqual(obj.implementation._realm_data.discovered, False)
        self.assertEqual(obj.implementation._realm_data.name, "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.join_options, [])

        # change realm data and check the changes propagate to the realm join task
        realm_in_2 = {
            "name": "domain.example.com",
            "discover-options": ["--client-software=sssd"],
            "join-options": ["--one-time-password=password"],
            "discovered": True
        }
        self.security_interface.SetRealm(realm_in_2)

        # realm join - after realm data update
        self.assertEqual(obj.implementation._realm_data.discovered, True)
        self.assertEqual(obj.implementation._realm_data.name, "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.join_options, ["--one-time-password=password"])

    def collect_requirements_default_test(self):
        """Test requrements are empty by default."""
        reqs = self.security_interface.CollectRequirements()
        self.assertListEqual(reqs, [])

    def realmd_requirements_test(self):
        """Test that package requirements in realm data propagate correctly."""

        realm_in = {
            "name": "domain.example.com",
            "discover-options": ["--client-software=sssd"],
            "join-options": ["--one-time-password=password"],
            "discovered": True,
            "required-packages" : ["realmd", "foo", "bar"]
        }

        self.security_interface.SetRealm(realm_in)

        # check that the teamd package is requested
        self.assertEqual(self.security_interface.CollectRequirements(), [
            {
                "type": get_variant(Str, "package"),
                "name": get_variant(Str, "realmd"),
                "reason": get_variant(Str, "Needed to join a realm.")
            },
            {
                "type": get_variant(Str, "package"),
                "name": get_variant(Str, "foo"),
                "reason": get_variant(Str, "Needed to join a realm.")
            },
            {
                "type": get_variant(Str, "package"),
                "name": get_variant(Str, "bar"),
                "reason": get_variant(Str, "Needed to join a realm.")
            }
        ])
Exemplo n.º 4
0
class SecurityInterfaceTestCase(unittest.TestCase):
    """Test DBus interface for the Security module."""
    def setUp(self):
        """Set up the security module."""
        # Set up the security module.
        self.security_module = SecurityService()
        self.security_interface = SecurityInterface(self.security_module)

        # Connect to the properties changed signal.
        self.callback = PropertiesChangedCallback()
        self.security_interface.PropertiesChanged.connect(self.callback)

    def _check_dbus_property(self, *args, **kwargs):
        check_dbus_property(SECURITY, self.security_interface, *args, **kwargs)

    def test_kickstart_properties(self):
        """Test kickstart properties."""
        assert self.security_interface.KickstartCommands == \
                         ["authselect", "selinux", "realm"]
        assert self.security_interface.KickstartSections == []
        assert self.security_interface.KickstartAddons == []
        self.callback.assert_not_called()

    def test_selinux_property(self):
        """Test the selinux property."""
        self._check_dbus_property("SELinux", SELINUX_ENFORCING)

    def test_authselect_property(self):
        """Test the authselect property."""
        self._check_dbus_property("Authselect", ["sssd", "with-mkhomedir"])

    def test_fingerprint_auth_enabled(self):
        """Test the fingerprint_auth_enabled property."""
        self._check_dbus_property("FingerprintAuthEnabled", True)

    def test_realm_property(self):
        """Test the realm property."""
        realm = {
            "name":
            get_variant(Str, "domain.example.com"),
            "discover-options":
            get_variant(List[Str], ["--client-software=sssd"]),
            "join-options":
            get_variant(List[Str], ["--one-time-password=password"]),
            "discovered":
            get_variant(Bool, True),
            "required-packages":
            get_variant(List[Str], [])
        }
        self._check_dbus_property("Realm", realm)

    def _test_kickstart(self, ks_in, ks_out):
        check_kickstart_interface(self.security_interface, ks_in, ks_out)

    def test_no_kickstart(self):
        """Test with no kickstart."""
        ks_in = None
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def test_kickstart_empty(self):
        """Test with empty string."""
        ks_in = ""
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def test_selinux_kickstart(self):
        """Test the selinux command."""
        ks_in = """
        selinux --permissive
        """
        ks_out = """
        # SELinux configuration
        selinux --permissive
        """
        self._test_kickstart(ks_in, ks_out)

    def test_authselect_kickstart(self):
        """Test the authselect command."""
        ks_in = """
        authselect select sssd with-mkhomedir
        """
        ks_out = """
        # System authorization information
        authselect select sssd with-mkhomedir
        """
        self._test_kickstart(ks_in, ks_out)

    def test_realm_kickstart(self):
        """Test the realm command."""
        ks_in = """
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        ks_out = """
        # Realm or domain membership
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        self._test_kickstart(ks_in, ks_out)

    @patch_dbus_publish_object
    def test_realm_discover_default(self, publisher):
        """Test module in default state with realm discover task."""
        realm_discover_task_path = self.security_interface.DiscoverRealmWithTask(
        )
        obj = check_task_creation(realm_discover_task_path, publisher,
                                  RealmDiscoverTask)
        assert obj.implementation._realm_data.name == ""
        assert obj.implementation._realm_data.discover_options == []

    @patch_dbus_publish_object
    def test_realm_discover_configured(self, publisher):
        """Test module in configured state with realm discover task."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]

        self.security_interface.SetRealm(RealmData.to_structure(realm))
        realm_discover_task_path = self.security_interface.DiscoverRealmWithTask(
        )

        obj = check_task_creation(realm_discover_task_path, publisher,
                                  RealmDiscoverTask)
        assert obj.implementation._realm_data.name == "domain.example.com"
        assert obj.implementation._realm_data.discover_options == [
            "--client-software=sssd"
        ]

    @patch_dbus_publish_object
    def test_install_with_tasks_default(self, publisher):
        """Test InstallWithTasks."""
        task_classes = [
            ConfigureSELinuxTask,
            ConfigureFingerprintAuthTask,
            ConfigureAuthselectTask,
        ]
        task_paths = self.security_interface.InstallWithTasks()
        task_objs = check_task_creation_list(task_paths, publisher,
                                             task_classes)

        # ConfigureSELinuxTask
        obj = task_objs[0]
        assert obj.implementation._selinux_mode == SELinuxMode.DEFAULT
        # ConfigureFingerprintAuthTask
        obj = task_objs[1]
        assert obj.implementation._fingerprint_auth_enabled is False
        # ConfigureAuthselectTask
        obj = task_objs[2]
        assert obj.implementation._authselect_options == []

    @patch_dbus_publish_object
    def test_realm_join_default(self, publisher):
        """Test module in default state with realm join task."""
        realm_join_task_path = self.security_interface.JoinRealmWithTask()
        obj = check_task_creation(realm_join_task_path, publisher,
                                  RealmJoinTask)
        assert obj.implementation._realm_data.discovered is False
        assert obj.implementation._realm_data.name == ""
        assert obj.implementation._realm_data.join_options == []

    @patch_dbus_publish_object
    def test_install_with_tasks_configured(self, publisher):
        """Test install tasks - module in configured state."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]
        realm.join_options = ["--one-time-password=password"]
        realm.discovered = True

        authselect = ['select', 'sssd']
        fingerprint = True

        self.security_interface.SetRealm(RealmData.to_structure(realm))
        self.security_interface.SetSELinux(SELINUX_PERMISSIVE)
        self.security_interface.SetAuthselect(authselect)
        self.security_interface.SetFingerprintAuthEnabled(fingerprint)

        task_classes = [
            ConfigureSELinuxTask,
            ConfigureFingerprintAuthTask,
            ConfigureAuthselectTask,
        ]
        task_paths = self.security_interface.InstallWithTasks()
        task_objs = check_task_creation_list(task_paths, publisher,
                                             task_classes)

        # ConfigureSELinuxTask
        obj = task_objs[0]
        assert obj.implementation._selinux_mode == SELinuxMode.PERMISSIVE
        # ConfigureFingerprintAuthTask
        obj = task_objs[1]
        assert obj.implementation._fingerprint_auth_enabled == fingerprint
        # ConfigureAuthselectTask
        obj = task_objs[2]
        assert obj.implementation._authselect_options == authselect

    @patch_dbus_publish_object
    def test_realm_join_configured(self, publisher):
        """Test module in configured state with realm join task."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]
        realm.join_options = ["--one-time-password=password"]
        realm.discovered = True

        self.security_interface.SetRealm(RealmData.to_structure(realm))
        realm_join_task_path = self.security_interface.JoinRealmWithTask()

        obj = check_task_creation(realm_join_task_path, publisher,
                                  RealmJoinTask)
        assert obj.implementation._realm_data.discovered is True
        assert obj.implementation._realm_data.name == "domain.example.com"
        assert obj.implementation._realm_data.join_options == [
            "--one-time-password=password"
        ]

    @patch_dbus_publish_object
    def test_realm_data_propagation(self, publisher):
        """Test that realm data changes propagate to realm join task."""
        # We connect to the realm_changed signal and update the realm data holder
        # in the realm join task when the signal is triggered.
        realm1 = RealmData()
        realm1.name = "domain.example.com"
        realm1.discover_options = ["--client-software=sssd"]
        realm1.discovered = False

        self.security_interface.SetRealm(RealmData.to_structure(realm1))
        realm_join_task_path = self.security_interface.JoinRealmWithTask()

        # realm join - after task creation
        obj = check_task_creation(realm_join_task_path, publisher,
                                  RealmJoinTask)
        assert obj.implementation._realm_data.discovered is False
        assert obj.implementation._realm_data.name == "domain.example.com"
        assert obj.implementation._realm_data.join_options == []

        # change realm data and check the changes propagate to the realm join task
        realm2 = RealmData()
        realm2.name = "domain.example.com"
        realm2.discover_options = ["--client-software=sssd"]
        realm2.join_options = ["--one-time-password=password"]
        realm2.discovered = True

        self.security_interface.SetRealm(RealmData.to_structure(realm2))

        # realm join - after realm data update
        assert obj.implementation._realm_data.discovered is True
        assert obj.implementation._realm_data.name == "domain.example.com"
        assert obj.implementation._realm_data.join_options == [
            "--one-time-password=password"
        ]

    @patch_dbus_publish_object
    def test_preconfigure_fips_with_task(self, publisher):
        """Test the PreconfigureFIPSWithTask method."""
        task_path = self.security_interface.PreconfigureFIPSWithTask(
            PAYLOAD_TYPE_DNF)
        obj = check_task_creation(task_path, publisher, PreconfigureFIPSTask)
        assert obj.implementation._sysroot == "/mnt/sysroot"
        assert obj.implementation._payload_type == PAYLOAD_TYPE_DNF
        assert obj.implementation._fips_enabled is False

    @patch_dbus_publish_object
    def test_configure_fips_with_task(self, publisher):
        """Test the ConfigureFIPSWithTask method."""
        task_path = self.security_interface.ConfigureFIPSWithTask()
        obj = check_task_creation(task_path, publisher, ConfigureFIPSTask)
        assert obj.implementation._sysroot == "/mnt/sysroot"
        assert obj.implementation._fips_enabled is False

    def test_collect_requirements_default(self):
        """Test requrements are empty by default."""
        reqs = self.security_interface.CollectRequirements()
        assert reqs == []

    @patch("pyanaconda.modules.security.security.kernel_arguments")
    def test_fips_requirements(self, kernel_arguments_mock):
        """Test the package requirements for fips."""
        kernel_arguments_mock.is_enabled.return_value = True
        assert self.security_interface.CollectRequirements() == [{
            "type":
            get_variant(Str, "package"),
            "name":
            get_variant(Str, "/usr/bin/fips-mode-setup"),
            "reason":
            get_variant(Str, "Required for FIPS compliance.")
        }]
        kernel_arguments_mock.is_enabled.assert_called_once_with("fips")

    def test_realmd_requirements(self):
        """Test that package requirements in realm data propagate correctly."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]
        realm.join_options = ["--one-time-password=password"]
        realm.discovered = True
        realm.required_packages = ["realmd", "foo", "bar"]

        self.security_interface.SetRealm(RealmData.to_structure(realm))

        # check that the teamd package is requested
        assert self.security_interface.CollectRequirements() == [{
            "type":
            get_variant(Str, "package"),
            "name":
            get_variant(Str, "realmd"),
            "reason":
            get_variant(Str, "Needed to join a realm.")
        }, {
            "type":
            get_variant(Str, "package"),
            "name":
            get_variant(Str, "foo"),
            "reason":
            get_variant(Str, "Needed to join a realm.")
        }, {
            "type":
            get_variant(Str, "package"),
            "name":
            get_variant(Str, "bar"),
            "reason":
            get_variant(Str, "Needed to join a realm.")
        }]

    def test_authselect_requirements(self):
        """Test that package requirements for authselect propagate correctly."""

        self.security_interface.SetAuthselect(['select', 'sssd'])
        requirements = Requirement.from_structure_list(
            self.security_interface.CollectRequirements())
        assert len(requirements) == 1
        assert requirements[0].type == "package"
        assert requirements[0].name == "authselect"

        self.security_interface.SetAuthselect([])
        self.security_interface.SetFingerprintAuthEnabled(True)
        requirements = Requirement.from_structure_list(
            self.security_interface.CollectRequirements())
        assert len(requirements) == 1
        assert requirements[0].type == "package"
        assert requirements[0].name == "authselect"
Exemplo n.º 5
0
class SecurityInterfaceTestCase(unittest.TestCase):
    """Test DBus interface for the Security module."""
    def setUp(self):
        """Set up the security module."""
        # Set up the security module.
        self.security_module = SecurityModule()
        self.security_interface = SecurityInterface(self.security_module)

        # Connect to the properties changed signal.
        self.callback = Mock()
        self.security_interface.PropertiesChanged.connect(self.callback)

    def kickstart_properties_test(self):
        """Test kickstart properties."""
        self.assertEqual(
            self.security_interface.KickstartCommands,
            ["auth", "authconfig", "authselect", "selinux", "realm"])
        self.assertEqual(self.security_interface.KickstartSections, [])
        self.assertEqual(self.security_interface.KickstartAddons, [])
        self.callback.assert_not_called()

    def selinux_property_test(self):
        """Test the selinux property."""
        self.security_interface.SetSELinux(SELINUX_ENFORCING)
        self.assertEqual(self.security_interface.SELinux, SELINUX_ENFORCING)
        self.callback.assert_called_once_with(SECURITY.interface_name,
                                              {'SELinux': SELINUX_ENFORCING},
                                              [])

    def authselect_property_test(self):
        """Test the authselect property."""
        self.security_interface.SetAuthselect(["sssd", "with-mkhomedir"])
        self.assertEqual(self.security_interface.Authselect,
                         ["sssd", "with-mkhomedir"])
        self.callback.assert_called_once_with(
            SECURITY.interface_name,
            {'Authselect': ["sssd", "with-mkhomedir"]}, [])

    def authconfig_property_test(self):
        """Test the authconfig property."""
        self.security_interface.SetAuthconfig(
            ["--passalgo=sha512", "--useshadow"])
        self.assertEqual(self.security_interface.Authconfig,
                         ["--passalgo=sha512", "--useshadow"])
        self.callback.assert_called_once_with(
            SECURITY.interface_name,
            {'Authconfig': ["--passalgo=sha512", "--useshadow"]}, [])

    def realm_property_test(self):
        """Test the realm property."""
        realm_in = {
            REALM_NAME: "domain.example.com",
            REALM_DISCOVER: ["--client-software=sssd"],
            REALM_JOIN: ["--one-time-password=password"]
        }

        realm_out = {
            REALM_NAME: get_variant(Str, "domain.example.com"),
            REALM_DISCOVER: get_variant(List[Str], ["--client-software=sssd"]),
            REALM_JOIN: get_variant(List[Str],
                                    ["--one-time-password=password"])
        }

        self.security_interface.SetRealm(realm_in)
        self.assertEqual(realm_out, self.security_interface.Realm)
        self.callback.assert_called_once_with(SECURITY.interface_name,
                                              {'Realm': realm_out}, [])

    def _test_kickstart(self, ks_in, ks_out):
        check_kickstart_interface(self, self.security_interface, ks_in, ks_out)

    def no_kickstart_test(self):
        """Test with no kickstart."""
        ks_in = None
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def kickstart_empty_test(self):
        """Test with empty string."""
        ks_in = ""
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def selinux_kickstart_test(self):
        """Test the selinux command."""
        ks_in = """
        selinux --permissive
        """
        ks_out = """
        # SELinux configuration
        selinux --permissive
        """
        self._test_kickstart(ks_in, ks_out)

    def auth_kickstart_test(self):
        """Test the auth command."""
        ks_in = """
        auth --passalgo=sha512 --useshadow
        """
        ks_out = """
        # System authorization information
        auth --passalgo=sha512 --useshadow
        """
        self._test_kickstart(ks_in, ks_out)

    def authconfig_kickstart_test(self):
        """Test the authconfig command."""
        ks_in = """
        authconfig --passalgo=sha512 --useshadow
        """
        ks_out = """
        # System authorization information
        auth --passalgo=sha512 --useshadow
        """
        self._test_kickstart(ks_in, ks_out)

    def authselect_kickstart_test(self):
        """Test the authselect command."""
        ks_in = """
        authselect select sssd with-mkhomedir
        """
        ks_out = """
        # System authorization information
        authselect select sssd with-mkhomedir
        """
        self._test_kickstart(ks_in, ks_out)

    def realm_kickstart_test(self):
        """Test the realm command."""
        ks_in = """
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        ks_out = """
        # Realm or domain membership
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        self._test_kickstart(ks_in, ks_out)
Exemplo n.º 6
0
 def publish(self):
     """Publish the module."""
     DBus.publish_object(SECURITY.object_path, SecurityInterface(self))
     DBus.register_service(SECURITY.service_name)
Exemplo n.º 7
0
class SecurityInterfaceTestCase(unittest.TestCase):
    """Test DBus interface for the Security module."""
    def setUp(self):
        """Set up the security module."""
        # Set up the security module.
        self.security_module = SecurityService()
        self.security_interface = SecurityInterface(self.security_module)

        # Connect to the properties changed signal.
        self.callback = PropertiesChangedCallback()
        self.security_interface.PropertiesChanged.connect(self.callback)

    def _check_dbus_property(self, *args, **kwargs):
        check_dbus_property(self, SECURITY, self.security_interface, *args,
                            **kwargs)

    def kickstart_properties_test(self):
        """Test kickstart properties."""
        self.assertEqual(
            self.security_interface.KickstartCommands,
            ["auth", "authconfig", "authselect", "selinux", "realm"])
        self.assertEqual(self.security_interface.KickstartSections, [])
        self.assertEqual(self.security_interface.KickstartAddons, [])
        self.callback.assert_not_called()

    def selinux_property_test(self):
        """Test the selinux property."""
        self._check_dbus_property("SELinux", SELINUX_ENFORCING)

    def authselect_property_test(self):
        """Test the authselect property."""
        self._check_dbus_property("Authselect", ["sssd", "with-mkhomedir"])

    def authconfig_property_test(self):
        """Test the authconfig property."""
        self._check_dbus_property("Authconfig",
                                  ["--passalgo=sha512", "--useshadow"])

    def fingerprint_auth_enabled_test(self):
        """Test the fingerprint_auth_enabled property."""
        self._check_dbus_property("FingerprintAuthEnabled", True)

    def realm_property_test(self):
        """Test the realm property."""
        realm = {
            "name":
            get_variant(Str, "domain.example.com"),
            "discover-options":
            get_variant(List[Str], ["--client-software=sssd"]),
            "join-options":
            get_variant(List[Str], ["--one-time-password=password"]),
            "discovered":
            get_variant(Bool, True),
            "required-packages":
            get_variant(List[Str], [])
        }
        self._check_dbus_property("Realm", realm)

    def _test_kickstart(self, ks_in, ks_out):
        check_kickstart_interface(self, self.security_interface, ks_in, ks_out)

    def no_kickstart_test(self):
        """Test with no kickstart."""
        ks_in = None
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def kickstart_empty_test(self):
        """Test with empty string."""
        ks_in = ""
        ks_out = ""
        self._test_kickstart(ks_in, ks_out)

    def selinux_kickstart_test(self):
        """Test the selinux command."""
        ks_in = """
        selinux --permissive
        """
        ks_out = """
        # SELinux configuration
        selinux --permissive
        """
        self._test_kickstart(ks_in, ks_out)

    def auth_kickstart_test(self):
        """Test the auth command."""
        ks_in = """
        auth --passalgo=sha512 --useshadow
        """
        ks_out = """
        # System authorization information
        auth --passalgo=sha512 --useshadow
        """
        self._test_kickstart(ks_in, ks_out)

    def authconfig_kickstart_test(self):
        """Test the authconfig command."""
        ks_in = """
        authconfig --passalgo=sha512 --useshadow
        """
        ks_out = """
        # System authorization information
        auth --passalgo=sha512 --useshadow
        """
        self._test_kickstart(ks_in, ks_out)

    def authselect_kickstart_test(self):
        """Test the authselect command."""
        ks_in = """
        authselect select sssd with-mkhomedir
        """
        ks_out = """
        # System authorization information
        authselect select sssd with-mkhomedir
        """
        self._test_kickstart(ks_in, ks_out)

    def realm_kickstart_test(self):
        """Test the realm command."""
        ks_in = """
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        ks_out = """
        # Realm or domain membership
        realm join --one-time-password=password --client-software=sssd domain.example.com
        """
        self._test_kickstart(ks_in, ks_out)

    @patch_dbus_publish_object
    def realm_discover_default_test(self, publisher):
        """Test module in default state with realm discover task."""
        realm_discover_task_path = self.security_interface.DiscoverRealmWithTask(
        )
        obj = check_task_creation(self, realm_discover_task_path, publisher,
                                  RealmDiscoverTask)
        self.assertEqual(obj.implementation._realm_data.name, "")
        self.assertEqual(obj.implementation._realm_data.discover_options, [])

    @patch_dbus_publish_object
    def realm_discover_configured_test(self, publisher):
        """Test module in configured state with realm discover task."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]

        self.security_interface.SetRealm(RealmData.to_structure(realm))
        realm_discover_task_path = self.security_interface.DiscoverRealmWithTask(
        )

        obj = check_task_creation(self, realm_discover_task_path, publisher,
                                  RealmDiscoverTask)
        self.assertEqual(obj.implementation._realm_data.name,
                         "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.discover_options,
                         ["--client-software=sssd"])

    @patch_dbus_publish_object
    def install_with_tasks_default_test(self, publisher):
        """Test InstallWithTasks."""
        task_classes = [
            ConfigureSELinuxTask,
            ConfigureFingerprintAuthTask,
            ConfigureAuthselectTask,
            ConfigureAuthconfigTask,
        ]
        task_paths = self.security_interface.InstallWithTasks()
        task_objs = check_task_creation_list(self, task_paths, publisher,
                                             task_classes)

        # ConfigureSELinuxTask
        obj = task_objs[0]
        self.assertEqual(obj.implementation._selinux_mode, SELinuxMode.DEFAULT)
        # ConfigureFingerprintAuthTask
        obj = task_objs[1]
        self.assertEqual(obj.implementation._fingerprint_auth_enabled, False)
        # ConfigureAuthselectTask
        obj = task_objs[2]
        self.assertEqual(obj.implementation._authselect_options, [])
        # ConfigureAuthconfigTask
        obj = task_objs[3]
        self.assertEqual(obj.implementation._authconfig_options, [])

    @patch_dbus_publish_object
    def realm_join_default_test(self, publisher):
        """Test module in default state with realm join task."""
        realm_join_task_path = self.security_interface.JoinRealmWithTask()
        obj = check_task_creation(self, realm_join_task_path, publisher,
                                  RealmJoinTask)
        self.assertEqual(obj.implementation._realm_data.discovered, False)
        self.assertEqual(obj.implementation._realm_data.name, "")
        self.assertEqual(obj.implementation._realm_data.join_options, [])

    @patch_dbus_publish_object
    def install_with_tasks_configured_test(self, publisher):
        """Test install tasks - module in configured state."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]
        realm.join_options = ["--one-time-password=password"]
        realm.discovered = True

        authselect = ['select', 'sssd']
        authconfig = ['--passalgo=sha512', '--useshadow']
        fingerprint = True

        self.security_interface.SetRealm(RealmData.to_structure(realm))
        self.security_interface.SetSELinux(SELINUX_PERMISSIVE)
        self.security_interface.SetAuthselect(authselect)
        self.security_interface.SetAuthconfig(authconfig)
        self.security_interface.SetFingerprintAuthEnabled(fingerprint)

        task_classes = [
            ConfigureSELinuxTask,
            ConfigureFingerprintAuthTask,
            ConfigureAuthselectTask,
            ConfigureAuthconfigTask,
        ]
        task_paths = self.security_interface.InstallWithTasks()
        task_objs = check_task_creation_list(self, task_paths, publisher,
                                             task_classes)

        # ConfigureSELinuxTask
        obj = task_objs[0]
        self.assertEqual(obj.implementation._selinux_mode,
                         SELinuxMode.PERMISSIVE)
        # ConfigureFingerprintAuthTask
        obj = task_objs[1]
        self.assertEqual(obj.implementation._fingerprint_auth_enabled,
                         fingerprint)
        # ConfigureAuthselectTask
        obj = task_objs[2]
        self.assertEqual(obj.implementation._authselect_options, authselect)
        # ConfigureAuthconfigTask
        obj = task_objs[3]
        self.assertEqual(obj.implementation._authconfig_options, authconfig)

    @patch_dbus_publish_object
    def realm_join_configured_test(self, publisher):
        """Test module in configured state with realm join task."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]
        realm.join_options = ["--one-time-password=password"]
        realm.discovered = True

        self.security_interface.SetRealm(RealmData.to_structure(realm))
        realm_join_task_path = self.security_interface.JoinRealmWithTask()

        obj = check_task_creation(self, realm_join_task_path, publisher,
                                  RealmJoinTask)
        self.assertEqual(obj.implementation._realm_data.discovered, True)
        self.assertEqual(obj.implementation._realm_data.name,
                         "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.join_options,
                         ["--one-time-password=password"])

    @patch_dbus_publish_object
    def realm_data_propagation_test(self, publisher):
        """Test that realm data changes propagate to realm join task."""
        # We connect to the realm_changed signal and update the realm data holder
        # in the realm join task when the signal is triggered.
        realm1 = RealmData()
        realm1.name = "domain.example.com"
        realm1.discover_options = ["--client-software=sssd"]
        realm1.discovered = False

        self.security_interface.SetRealm(RealmData.to_structure(realm1))
        realm_join_task_path = self.security_interface.JoinRealmWithTask()

        # realm join - after task creation
        obj = check_task_creation(self, realm_join_task_path, publisher,
                                  RealmJoinTask)
        self.assertEqual(obj.implementation._realm_data.discovered, False)
        self.assertEqual(obj.implementation._realm_data.name,
                         "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.join_options, [])

        # change realm data and check the changes propagate to the realm join task
        realm2 = RealmData()
        realm2.name = "domain.example.com"
        realm2.discover_options = ["--client-software=sssd"]
        realm2.join_options = ["--one-time-password=password"]
        realm2.discovered = True

        self.security_interface.SetRealm(RealmData.to_structure(realm2))

        # realm join - after realm data update
        self.assertEqual(obj.implementation._realm_data.discovered, True)
        self.assertEqual(obj.implementation._realm_data.name,
                         "domain.example.com")
        self.assertEqual(obj.implementation._realm_data.join_options,
                         ["--one-time-password=password"])

    def collect_requirements_default_test(self):
        """Test requrements are empty by default."""
        reqs = self.security_interface.CollectRequirements()
        self.assertListEqual(reqs, [])

    def realmd_requirements_test(self):
        """Test that package requirements in realm data propagate correctly."""
        realm = RealmData()
        realm.name = "domain.example.com"
        realm.discover_options = ["--client-software=sssd"]
        realm.join_options = ["--one-time-password=password"]
        realm.discovered = True
        realm.required_packages = ["realmd", "foo", "bar"]

        self.security_interface.SetRealm(RealmData.to_structure(realm))

        # check that the teamd package is requested
        self.assertEqual(
            self.security_interface.CollectRequirements(),
            [{
                "type": get_variant(Str, "package"),
                "name": get_variant(Str, "realmd"),
                "reason": get_variant(Str, "Needed to join a realm.")
            }, {
                "type": get_variant(Str, "package"),
                "name": get_variant(Str, "foo"),
                "reason": get_variant(Str, "Needed to join a realm.")
            }, {
                "type": get_variant(Str, "package"),
                "name": get_variant(Str, "bar"),
                "reason": get_variant(Str, "Needed to join a realm.")
            }])

    def authselect_requirements_test(self):
        """Test that package requirements for authselect propagate correctly."""

        self.security_interface.SetAuthconfig(
            ['--passalgo=sha512', '--useshadow'])
        requirements = Requirement.from_structure_list(
            self.security_interface.CollectRequirements())
        self.assertEqual(len(requirements), 1)
        self.assertEqual(requirements[0].type, "package")
        self.assertEqual(requirements[0].name, "authselect-compat")

        self.security_interface.SetAuthconfig([])
        self.security_interface.SetAuthselect(['select', 'sssd'])
        requirements = Requirement.from_structure_list(
            self.security_interface.CollectRequirements())
        self.assertEqual(len(requirements), 1)
        self.assertEqual(requirements[0].type, "package")
        self.assertEqual(requirements[0].name, "authselect")

        self.security_interface.SetAuthconfig([])
        self.security_interface.SetAuthselect([])
        self.security_interface.SetFingerprintAuthEnabled(True)
        requirements = Requirement.from_structure_list(
            self.security_interface.CollectRequirements())
        self.assertEqual(len(requirements), 1)
        self.assertEqual(requirements[0].type, "package")
        self.assertEqual(requirements[0].name, "authselect")