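def test_replace_user_string(self):
    """Check that `replace_user` substitutes ``$USER`` with the payload's user.

    The assertions pin a plain textual substitution: every occurrence of
    ``$USER`` is replaced, and ``$USERNAME`` becomes ``<user>NAME`` because
    nothing delimits the placeholder on its right-hand side.
    """
    # Instantiation kept from the original test; the calls below go through
    # the class, not this instance.
    base = BaseCheck()

    # The fixture user has to be the name the assertions expect; any other
    # value can never expand to "mal-...".
    payload = Payload({
        "User": "mal",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
    })

    expansions = (
        ("$USER-loves-me", "mal-loves-me"),
        # No word boundary: "$USERNAME" is "$USER" followed by "NAME".
        ("$USERNAME-loves-me", "malNAME-loves-me"),
        ("do-you-think-$USER-loves-me", "do-you-think-mal-loves-me"),
        ("$USER-is-$USER", "mal-is-mal"),
    )
    for template, expected in expansions:
        result = BaseCheck.replace_user(template, payload)
        self.assertEqual(result, expected)

    # A different connected user yields a different expansion.
    payload = Payload({
        "User": "rda",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
    })
    result = BaseCheck.replace_user("$USER-loves-me", payload)
    self.assertEqual(result, "rda-loves-me")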
def test_payload_headers(self):
    """Minimal Payload checks: input is mandatory, headers default to ``{}``.

    MOCKED_MISSING_HEADERS is defined elsewhere; presumably it is a request
    body without a headers entry -- confirm against the fixture.
    """
    # Building a Payload with no argument at all must be refused.
    self.assertRaises(InvalidRequestException, Payload)

    headerless = Payload(payload=MOCKED_MISSING_HEADERS)
    self.assertEqual(headerless.get_headers(), {})
def test_empty_payload(self):
    """An empty payload ends in :exc:`InvalidRequestException`.

    The outcome is the same with no pattern (``None``) and with ``.*``.
    """
    for pattern in (None, ".*"):
        with self.assertRaises(InvalidRequestException):
            ContainerName().run(pattern, Payload({}))
def test_name_not_defined(self):
    """Without an image name the request is an :exc:`InvalidRequestException`.

    The permissive ``.*`` pattern does not rescue the request: it is
    reported as invalid rather than evaluated against the pattern.
    """
    for pattern in (".*", ".+"):
        with self.assertRaises(InvalidRequestException):
            ImageName().run(pattern, Payload(PAYLOAD_BUILD_UNDEFINED))
def test_decode_RequestBody(self):
    """`_decode_base64` yields the decoded body under the RequestBody key.

    MOCKED_BODY is defined elsewhere; its body is expected to decode to
    ``{'foo': 'bar'}``.
    """
    request = Payload(payload=MOCKED_BODY)
    result = request._decode_base64(MOCKED_BODY)

    self.assertEqual({'foo': 'bar'}, result["RequestBody"])
def test_connected_user(self):
    """The ``$USER`` placeholder binds the rule to the connected user.

    PAYLOAD_FOOBAR passes both the anchored and the unanchored pattern;
    PAYLOAD_FOO passes only the unanchored one.
    """
    # NOTE(review): the unanchored "$USER" accepts PAYLOAD_FOO while
    # "^$USER$" refuses it -- presumably the pattern is searched rather than
    # fully matched, so a policy meant to pin the exact user should anchor
    # the pattern. Confirm against the fixtures.
    accepted = (
        ("^$USER$", PAYLOAD_FOOBAR),
        ("$USER", PAYLOAD_FOOBAR),
        ("$USER", PAYLOAD_FOO),
    )
    for pattern, body in accepted:
        User().run(pattern, Payload(body))

    with self.assertRaises(UnauthorizedException):
        User().run("^$USER$", Payload(PAYLOAD_FOO))
def test_name_not_defined(self):
    """A request without a container name fails patterns that need one.

    ``.*`` is accepted for PAYLOAD, while ``.+`` raises
    :exc:`UnauthorizedException`.
    """
    # This case could be interesting in the future...
    # ContainerName().run("^hard-.*", Payload(PAYLOAD))
    permissive, demanding = ".*", ".+"

    ContainerName().run(permissive, Payload(PAYLOAD))

    with self.assertRaises(UnauthorizedException):
        ContainerName().run(demanding, Payload(PAYLOAD))
def test_empty_user(self):
    """An empty user passes the User check whatever the pattern is.

    Both string rules and list rules are exercised.
    """
    # NOTE(review): this pins a fail-open outcome -- even ".+" does not
    # reject PAYLOAD_EMPTY (presumably a request with an empty "User";
    # confirm). A policy relying on User alone therefore does not stop
    # requests that carry no user name.
    for rule in (".*", ".+", [".*"], [".+"], [".*", ".+"]):
        User().run(rule, Payload(PAYLOAD_EMPTY))
def test_undefined_user(self):
    """An undefined user passes the User check whatever the pattern is.

    Both string rules and list rules are exercised.
    """
    # NOTE(review): same fail-open outcome as for an empty user -- ".+" does
    # not reject PAYLOAD_UNDEFINED (presumably a request with no "User" key;
    # confirm), so anonymous requests need to be restricted by another rule.
    for rule in (".*", ".+", [".*"], [".+"], [".*", ".+"]):
        User().run(rule, Payload(PAYLOAD_UNDEFINED))
def test_get_name_images_create(self):
    """`_get_name` extracts name and tag from image-create requests.

    The pull and the import fixtures must both resolve to traefik:alpine.
    """
    for body in (PAYLOAD_CREATE_PULL, PAYLOAD_CREATE_IMPORT):
        image, version = ImageName()._get_name(Payload(body))
        self.assertEqual(image, "traefik")
        self.assertEqual(version, "alpine")
def test_get_uri(self):
    """`_get_uri` returns the RequestUri entry, or ``None`` for no input.

    Unlike `_get_method`, a ``None`` argument is tolerated here.
    """
    request = Payload(payload=MOCKED_BODY)

    self.assertEqual(request._get_uri(MOCKED_BODY), MOCKED_BODY['RequestUri'])
    self.assertEqual(request._get_uri(None), None)
def test_get_method(self):
    """`_get_method` returns the RequestMethod entry and rejects ``None``.

    A missing method is an :exc:`InvalidRequestException`, not a default.
    """
    request = Payload(payload=MOCKED_BODY)

    self.assertEqual(
        request._get_method(MOCKED_BODY),
        MOCKED_BODY['RequestMethod'],
    )

    with self.assertRaises(InvalidRequestException):
        request._get_method(None)
def test_get_name_images_export(self):
    """`_get_name` extracts name and tag from image-export requests.

    The registry host stays part of the name for both fixtures.
    """
    for body in (PAYLOAD_EXPORT, PAYLOAD_EXPORT_SINGLE):
        image, version = ImageName()._get_name(Payload(body))
        self.assertEqual(image, "registry.example.net/traefik")
        self.assertEqual(version, "alpine")
def test_name_can_be_a_list(self):
    """Names may be given as a list.

    In that case the entries are combined with a logical 'or': one matching
    entry is enough for the request to pass.
    """
    for body in (PAYLOAD_FOOBAR, PAYLOAD_USER):
        ContainerName().run(["^foo-.*", "^$USER-.*"], Payload(body))

    # With the dollar sign escaped, PAYLOAD_USER no longer passes --
    # presumably the escaped placeholder is not expanded to the user name
    # (confirm against replace_user).
    with self.assertRaises(UnauthorizedException):
        ContainerName().run(["^foo-.*", r"^\$USER-.*"], Payload(PAYLOAD_USER))
def test_tag_has_two_name(self):
    """Requests whose "tag" flag carries two names.

    PAYLOAD_DUAL_NAME_1 passes ``^foo-.+`` and PAYLOAD_DUAL_NAME_2 is
    refused, with the rule given either as a string or as a list.
    """
    # NOTE(review): presumably DUAL_NAME_2 holds one name that does not
    # match, i.e. every name has to satisfy the rule -- confirm against the
    # fixtures.
    for rule in ("^foo-.+", ["^foo-.+"]):
        ImageName().run(rule, Payload(PAYLOAD_DUAL_NAME_1))

    for rule in ("^foo-.+", ["^foo-.+"]):
        with self.assertRaises(UnauthorizedException):
            ImageName().run(rule, Payload(PAYLOAD_DUAL_NAME_2))
def test_run_store_values(self):
    """Payload keeps the user, method and uri of the body it was built from.

    A ``None`` body is refused with :exc:`InvalidRequestException`.
    """
    with self.assertRaises(InvalidRequestException):
        Payload(payload=None)

    stored = Payload(payload=MOCKED_BODY)
    self.assertNotEqual(stored.data, None)

    # Attribute on the Payload object -> key in the raw request body.
    mirrored = (
        ("user", 'User'),
        ("method", 'RequestMethod'),
        ("uri", 'RequestUri'),
    )
    for attribute, key in mirrored:
        self.assertEqual(getattr(stored, attribute), MOCKED_BODY[key])
def test_payload_is_not_shared(self):
    """Payload objects built from different bodies keep separate data."""
    first = Payload(MOCKED_BODY)
    self.assertNotEqual(first.data, None)
    self.assertNotEqual(first.user, None)

    second = Payload(MOCKED_BODY_2)
    self.assertNotEqual(second.data, None)
    self.assertNotEqual(second.user, None)

    # After the second object exists, the first one's data must still
    # differ from it (no state shared between instances).
    self.assertNotEqual(first.data, second.data)
def test_write_operation(self):
    """ReadOnly refuses write operations.

    POST, DELETE and PUT fixtures must each raise
    :exc:`UnauthorizedException`; other methods are not exercised here.
    """
    guard = ReadOnly()

    for body in (MOCKED_POST_BODY, MOCKED_DELETE_BODY, MOCKED_PUT_BODY):
        with self.assertRaises(UnauthorizedException):
            guard.run(Config(), Payload(body))
def test_tag_has_two_name_user(self):
    """Username replacement on requests that carry two names.

    Only PAYLOAD_DUAL_SOMEONE_1 passes ``^$USER-.+``; the other fixtures
    are refused with :exc:`UnauthorizedException`.
    """
    ImageName().run("^$USER-.+", Payload(PAYLOAD_DUAL_SOMEONE_1))

    refused = (
        PAYLOAD_DUAL_SOMEONE_2,
        PAYLOAD_DUAL_SOMEONE_3,
        PAYLOAD_DUAL_NAME_1,
    )
    for body in refused:
        with self.assertRaises(UnauthorizedException):
            ImageName().run("^$USER-.+", Payload(body))
def test_get_name_images_for_private_registry(self):
    """`_get_name` keeps the registry host for private-registry images.

    Build, history and push fixtures must all resolve to
    registry.example.net/traefik with the tag alpine.
    """
    fixtures = (
        PAYLOAD_BUILD_PRIVATE,
        PAYLOAD_HISTORY_PRIVATE,
        PAYLOAD_PUSH_PRIVATE,
    )
    for body in fixtures:
        image, version = ImageName()._get_name(Payload(body))
        self.assertEqual(image, "registry.example.net/traefik")
        self.assertEqual(version, "alpine")
def test_get_name_images_export_multiple(self):
    """`_get_name` returns one (name, tag) pair per exported image.

    For a multi-image export the result unpacks into exactly two pairs.
    """
    pairs = ImageName()._get_name(Payload(PAYLOAD_EXPORT_MULTIPLE))
    first, second = pairs

    self.assertEqual(first, ("registry.example.net/traefik", "alpine"))
    self.assertEqual(second, ("mariadb", "latest"))
def test_with_flag_false():
    """Privileged accepts a request whose privileged flag is false.

    The test passes when `run` returns without raising.
    """
    # NOTE(review): there is no `self` parameter; inside a TestCase this
    # only works if the function is declared static (no decorator is visible
    # here) -- confirm.
    settings = Config(policies=POLICIES, groups=GROUPS)
    check = Privileged()

    check.run(settings, Payload(MOCKED_PRIVILEGED_FALSE))
def test_without_flag():
    """Privileged accepts a request that does not set the privileged flag.

    The test passes when `run` returns without raising.
    """
    # NOTE(review): there is no `self` parameter; inside a TestCase this
    # only works if the function is declared static (no decorator is visible
    # here) -- confirm.
    settings = Config(policies=POLICIES, groups=GROUPS)
    check = Privileged()

    check.run(settings, Payload(MOCKED_WITHOUT_PRIVILEGED))
def test_invalid_names(self):
    """Container names that do not satisfy the pattern are refused.

    Every (pattern, fixture) pair below must raise
    :exc:`UnauthorizedException`.
    """
    mismatches = (
        ("^foobar.*", PAYLOAD_FOOBAR),
        ("^bar-foo.*", PAYLOAD_FOOBAR),
        ("bar-foo", PAYLOAD_FOOBAR),
        ("^mega-hard-biture.*", PAYLOAD_SOMETHING),
        ("ard-bitur", PAYLOAD_SOMETHING),
    )
    for pattern, body in mismatches:
        with self.assertRaises(UnauthorizedException):
            ContainerName().run(pattern, Payload(body))
def test_get_name_images_build(self):
    """`_get_name` extracts name and tag from image-build requests.

    A build request without a name is an :exc:`InvalidRequestException`.
    """
    # fixture -> (expected name, expected tag)
    expectations = (
        (PAYLOAD_BUILD_COMPLETE, "test", "latest"),
        (PAYLOAD_BUILD_FOOBAR, "foobar", "latest"),
        (PAYLOAD_BUILD_FOOBAR_TAG, "foobar", "something"),
    )
    for body, wanted_name, wanted_tag in expectations:
        image, version = ImageName()._get_name(Payload(body))
        self.assertEqual(image, wanted_name)
        self.assertEqual(version, wanted_tag)

    with self.assertRaises(InvalidRequestException):
        ImageName()._get_name(Payload(PAYLOAD_BUILD_UNDEFINED))
def test_process_simple_allow(cls):
    """`_process` lets a request through when the check is Allow.

    The test passes when `_process` returns without raising.
    """
    # NOTE(review): the first parameter is named `cls`; presumably the
    # function is declared as a classmethod (no decorator is visible here)
    # -- confirm.
    request = Payload(mocked_body)
    allow_rule = Checks()._structure_convert({"Allow": None})
    engine = Processor()

    engine._process(payload=request, check=allow_rule)
def test_with_flag_true(self):
    """Privileged refuses a request whose privileged flag is true.

    The refusal is an :exc:`UnauthorizedException`.
    """
    settings = Config(policies=POLICIES, groups=GROUPS)
    check = Privileged()

    with self.assertRaises(UnauthorizedException):
        check.run(settings, Payload(MOCKED_PRIVILEGED_TRUE))
def test_process_simple_deny(self):
    """`_process` refuses a request when the check is Deny.

    The refusal is an :exc:`UnauthorizedException`.
    """
    request = Payload(mocked_body)
    deny_rule = Checks()._structure_convert({"Deny": None})
    engine = Processor()

    with self.assertRaises(UnauthorizedException):
        engine._process(payload=request, check=deny_rule)
def test_init(self):
    """Run BindMounts with minimal information.

    An empty payload is an :exc:`InvalidRequestException` with or without
    rules; PAYLOAD_MINIMAL passes in both cases.
    """
    # Rules carry a '-' or '+' prefix in front of a path pattern; presumably
    # '-' refuses and '+' accepts the path -- confirm against BindMounts.
    rules = [
        '-/.*',
        '+/foo',
        '-/foo/.*',
        '+/foo/bar',
    ]

    for candidate in (None, rules):
        with self.assertRaises(InvalidRequestException):
            BindMounts().run(candidate, Payload({}))

    for candidate in (rules, None):
        BindMounts().run(candidate, Payload(PAYLOAD_MINIMAL))
def test_process_unexistent_check_action(self):
    """`_process` rejects a check whose action name is unknown.

    An unknown action raises :exc:`NoSuchCheckModuleException` instead of
    being skipped, so a misspelled rule does not silently let requests
    through.
    """
    request = Payload(mocked_body)
    unknown_rule = Checks()._structure_convert({"SomethingThatIsnotDefied": None})
    engine = Processor()

    with self.assertRaises(NoSuchCheckModuleException):
        engine._process(payload=request, check=unknown_rule)