def test_save_successor_maintains_group_mode(self, mock_rv): # Mock relevant_values() to claim that all values are relevant here # (to avoid instantiating parser) mock_rv.side_effect = lambda x: x for kind in ALL_FOUR: self._write_out_kind(kind, 1) self.test_rc.update_all_links_to(1) self.assertTrue( filesystem.check_mode(self.test_rc.version("privkey", 1), 0o600)) filesystem.chmod(self.test_rc.version("privkey", 1), 0o444) # If no new key, permissions should be the same (we didn't write any keys) self.test_rc.save_successor(1, b"newcert", None, b"new chain", self.config) self.assertTrue( filesystem.check_mode(self.test_rc.version("privkey", 2), 0o444)) # If new key, permissions should be kept as 644 self.test_rc.save_successor(2, b"newcert", b"new_privkey", b"new chain", self.config) self.assertTrue( filesystem.check_mode(self.test_rc.version("privkey", 3), 0o644)) # If permissions reverted, next renewal will also revert permissions of new key filesystem.chmod(self.test_rc.version("privkey", 3), 0o400) self.test_rc.save_successor(3, b"newcert", b"new_privkey", b"new chain", self.config) self.assertTrue( filesystem.check_mode(self.test_rc.version("privkey", 4), 0o600))
def test_right_mode(self): fd1, name1 = self._call(0o700) fd2, name2 = self._call(0o600) self.assertTrue(filesystem.check_mode(name1, 0o700)) self.assertTrue(filesystem.check_mode(name2, 0o600)) fd1.close() fd2.close()
def test_makedirs_correct_permissions(self): path = os.path.join(self.tempdir, 'dir') subpath = os.path.join(path, 'subpath') previous_umask = filesystem.umask(0o022) try: filesystem.makedirs(subpath, 0o700) assert filesystem.check_mode(path, 0o700) assert filesystem.check_mode(subpath, 0o700) finally: filesystem.umask(previous_umask)
def test_new_lineage(self, mock_rv): """Test for new_lineage() class method.""" # Mock relevant_values to say everything is relevant here (so we # don't have to mock the parser to help it decide!) mock_rv.side_effect = lambda x: x from certbot._internal import storage result = storage.RenewableCert.new_lineage( "the-lineage.com", b"cert", b"privkey", b"chain", self.config) # This consistency check tests most relevant properties about the # newly created cert lineage. # pylint: disable=protected-access self.assertTrue(result._consistent()) self.assertTrue(os.path.exists(os.path.join( self.config.renewal_configs_dir, "the-lineage.com.conf"))) self.assertTrue(os.path.exists(os.path.join( self.config.live_dir, "README"))) self.assertTrue(os.path.exists(os.path.join( self.config.live_dir, "the-lineage.com", "README"))) self.assertTrue(filesystem.check_mode(result.key_path, 0o600)) with open(result.fullchain, "rb") as f: self.assertEqual(f.read(), b"cert" + b"chain") # Let's do it again and make sure it makes a different lineage result = storage.RenewableCert.new_lineage( "the-lineage.com", b"cert2", b"privkey2", b"chain2", self.config) self.assertTrue(os.path.exists(os.path.join( self.config.renewal_configs_dir, "the-lineage.com-0001.conf"))) self.assertTrue(os.path.exists(os.path.join( self.config.live_dir, "the-lineage.com-0001", "README"))) # Allow write to existing but empty dir filesystem.mkdir(os.path.join(self.config.default_archive_dir, "the-lineage.com-0002")) result = storage.RenewableCert.new_lineage( "the-lineage.com", b"cert3", b"privkey3", b"chain3", self.config) self.assertTrue(os.path.exists(os.path.join( self.config.live_dir, "the-lineage.com-0002", "README"))) self.assertTrue(filesystem.check_mode(result.key_path, 0o600)) # Now trigger the detection of already existing files shutil.copytree(os.path.join(self.config.live_dir, "the-lineage.com"), os.path.join(self.config.live_dir, "the-lineage.com-0003")) self.assertRaises(errors.CertStorageError, storage.RenewableCert.new_lineage, "the-lineage.com", b"cert4", b"privkey4", b"chain4", self.config) shutil.copytree(os.path.join(self.config.live_dir, "the-lineage.com"), os.path.join(self.config.live_dir, "other-example.com")) self.assertRaises(errors.CertStorageError, storage.RenewableCert.new_lineage, "other-example.com", b"cert5", b"privkey5", b"chain5", self.config) # Make sure it can accept renewal parameters result = storage.RenewableCert.new_lineage( "the-lineage.com", b"cert2", b"privkey2", b"chain2", self.config)
def test_perform_permissions(self): self.auth.prepare() # Remove exec bit from permission check, so that it # matches the file self.auth.perform([self.achall]) self.assertTrue(filesystem.check_mode(self.validation_path, 0o644)) # Check permissions of the directories for dirpath, dirnames, _ in os.walk(self.path): for directory in dirnames: full_path = os.path.join(dirpath, directory) self.assertTrue(filesystem.check_mode(full_path, 0o755)) self.assertTrue(filesystem.has_same_ownership(self.validation_path, self.path))
def test_copy_ownership_and_mode_windows(self): src = self.probe_path dst = _create_probe(self.tempdir, name='dst') filesystem.chmod(src, 0o700) self.assertTrue(filesystem.check_mode(src, 0o700)) self.assertTrue(filesystem.check_mode(dst, 0o744)) # Checking an actual change of owner is tricky during a unit test, since we do not know # if any user exists beside the current one. So we mock _copy_win_ownership. It's behavior # have been checked theoretically with test_copy_ownership_and_apply_mode_windows. with mock.patch('certbot.compat.filesystem._copy_win_ownership') as mock_copy_owner: filesystem.copy_ownership_and_mode(src, dst) mock_copy_owner.assert_called_once_with(src, dst) self.assertTrue(filesystem.check_mode(dst, 0o700))
def test_umask_on_file(self): previous_umask = filesystem.umask(0o022) try: file1 = os.path.join(self.tempdir, 'probe1') UmaskTest._create_file(file1) self.assertTrue(filesystem.check_mode(file1, 0o755)) filesystem.umask(0o077) file2 = os.path.join(self.tempdir, 'probe2') UmaskTest._create_file(file2) self.assertTrue(filesystem.check_mode(file2, 0o700)) file3 = os.path.join(self.tempdir, 'probe3') UmaskTest._create_file(file3) self.assertTrue(filesystem.check_mode(file3, 0o700)) finally: filesystem.umask(previous_umask)
def test_umask_on_dir(self): previous_umask = filesystem.umask(0o022) try: dir1 = os.path.join(self.tempdir, 'probe1') filesystem.mkdir(dir1) self.assertTrue(filesystem.check_mode(dir1, 0o755)) filesystem.umask(0o077) dir2 = os.path.join(self.tempdir, 'dir2') filesystem.mkdir(dir2) self.assertTrue(filesystem.check_mode(dir2, 0o700)) dir3 = os.path.join(self.tempdir, 'dir3') filesystem.mkdir(dir3, mode=0o777) self.assertTrue(filesystem.check_mode(dir3, 0o700)) finally: filesystem.umask(previous_umask)
def test_save_and_restore(self): self.storage.save(self.acc, self.mock_client) account_path = os.path.join(self.config.accounts_dir, self.acc.id) self.assertTrue(os.path.exists(account_path)) for file_name in "regr.json", "meta.json", "private_key.json": self.assertTrue( os.path.exists(os.path.join(account_path, file_name))) self.assertTrue( filesystem.check_mode( os.path.join(account_path, "private_key.json"), 0o400)) # restore loaded = self.storage.load(self.acc.id) self.assertEqual(self.acc, loaded)
def test_existing_correct_mode_does_not_fail(self): self._call(self.path, 0o600) self.assertTrue(filesystem.check_mode(self.path, 0o600))
def test_creates_dir_when_missing(self): path = os.path.join(self.tempdir, "bar") self._call(path, 0o650) self.assertTrue(os.path.isdir(path)) self.assertTrue(filesystem.check_mode(path, 0o650))
def test_check_mode(self): self.assertTrue(filesystem.check_mode(self.probe_path, 0o744)) filesystem.chmod(self.probe_path, 0o700) self.assertFalse(filesystem.check_mode(self.probe_path, 0o744))