def test_authorizer_remove_timeout():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=["read"])
auth.add(ticket_info)
ticket = auth.get(ticket_info["uuid"])
ticket.add_context(1, Context())
assert ticket.info()["connections"] == 1
# Use short timeout to keep the tests fast.
cfg.control.remove_timeout = 0.001
# Ticket cannot be removed since it is used by connection 1.
with pytest.raises(errors.TicketCancelTimeout):
auth.remove(ticket.uuid)
# Ticket was not removed.
assert auth.get(ticket.uuid) is ticket
# The connection was closed, the ticket can be removed now.
ticket.remove_context(1)
assert ticket.info()["connections"] == 0
auth.remove(ticket.uuid)
# Ticket was removed.
with pytest.raises(KeyError):
auth.get(ticket.uuid)
def test_tls(daemon, tmpfile, conf_files):
size = daemon.config.backend_file.buffer_size
data = b"x" * size
with open(tmpfile, "wb") as f:
f.write(data)
# Add daemon ticket serving tmpfile.
ticket = testutil.create_ticket(url="file://{}".format(tmpfile), size=size)
daemon.auth.add(ticket)
proxy = server.Server(config.load(conf_files))
proxy.start()
try:
# Add proxy ticket, proxying request to daemon.
proxy.auth.add(proxy_ticket(daemon, ticket))
# Download complete image.
with http.RemoteClient(proxy.config) as c:
res = c.request("GET", "/images/{}".format(ticket["uuid"]))
client_data = res.read()
finally:
proxy.stop()
assert res.status == 200
assert client_data == data
def srv(request):
path = "test/conf/{}.conf".format(request.param)
cfg = config.load(path)
s = server.Server(cfg)
s.start()
yield s
s.stop()
def test_authorizer_remove_async():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=["read"])
auth.add(ticket_info)
ticket = auth.get(ticket_info["uuid"])
ticket.add_context(1, Context())
assert ticket.info()["connections"] == 1
# Disable the timeout, so removing a ticket cancel the ticket without
# waiting, and requiring polling the ticket status.
cfg.control.remove_timeout = 0
# Ticket is canceled, but not removed.
auth.remove(ticket.uuid)
assert ticket.canceled
assert ticket.info()["connections"] == 1
# Ticket was not removed.
assert auth.get(ticket.uuid) is ticket
# The connection was closed, the ticket can be removed now.
ticket.remove_context(1)
assert ticket.info()["connections"] == 0
auth.remove(ticket.uuid)
# Ticket was removed.
with pytest.raises(KeyError):
auth.get(ticket.uuid)
def srv():
cfg = config.load(["test/conf/daemon.conf"])
s = server.Server(cfg)
s.start()
try:
yield s
finally:
s.stop()
def test_authorizer_add():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=["read"])
auth.add(ticket_info)
ticket = auth.get(ticket_info["uuid"])
assert ticket.uuid == ticket_info["uuid"]
def test_authorizer_remove_unused():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=["read"])
auth.add(ticket_info)
# Ticket is unused so it will be removed.
auth.remove(ticket_info["uuid"])
with pytest.raises(KeyError):
auth.get(ticket_info["uuid"])
def remote_service(config_file):
path = os.path.join("test/conf", config_file)
cfg = config.load([path])
authorizer = auth.Authorizer(cfg)
s = services.RemoteService(cfg, authorizer)
s.start()
try:
yield s
finally:
s.stop()
def test_authorize_read():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=["read"])
auth.add(ticket_info)
ticket = auth.get(ticket_info["uuid"])
assert auth.authorize(ticket.uuid, "read") == ticket
with pytest.raises(errors.AuthorizationError):
auth.authorize(ticket.uuid, "write")
def test_authorize_write():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=["write"])
auth.add(ticket_info)
ticket = auth.get(ticket_info["uuid"])
assert auth.authorize(ticket.uuid, "write") == ticket
# "write" implies also "read".
assert auth.authorize(ticket.uuid, "read") == ticket
def test_authorizer_expired():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=["write"])
auth.add(ticket_info)
ticket = auth.get(ticket_info["uuid"])
# Extending with zero timeout expire the ticket.
ticket.extend(0)
for op in ("read", "write"):
with pytest.raises(errors.AuthorizationError):
auth.authorize(ticket.uuid, op)
def test_authorizer_canceled(ops, allowed):
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
ticket_info = testutil.create_ticket(ops=ops)
auth.add(ticket_info)
ticket = auth.get(ticket_info["uuid"])
# Cancelling the ticket disables any operation.
ticket.cancel()
for op in allowed:
with pytest.raises(errors.AuthorizationError):
auth.authorize(ticket.uuid, op)
def started_imageio(tmpdir, drop_privileges="true"):
prepare_config(tmpdir, drop_privileges=drop_privileges)
conf_dir = tmpdir.join("conf")
cmd = ["./ovirt-imageio", "--conf-dir", str(conf_dir)]
proc = subprocess.Popen(cmd)
try:
socket = sockutil.UnixAddress(str(tmpdir.join("run", "sock")))
if not sockutil.wait_for_socket(socket, 10):
raise RuntimeError("Timeout waiting for {}".format(socket))
# Wait until server is listening - at this point it already dropped
# privileges.
if drop_privileges:
cfg = config.load(str(conf_dir.join("conf.d", "daemon.conf")))
with http.ControlClient(cfg) as c:
r = c.get("/tickets/no-such-ticket")
r.read()
assert r.status == 404
yield proc
finally:
proc.terminate()
def test_show_config():
cfg = config.load(["test/conf.d/daemon.conf"])
out = subprocess.check_output(
["./ovirt-imageio", "--conf-dir", "./test", "--show-config"])
assert json.loads(out) == config.to_dict(cfg)
def cfg():
return config.load(["test/conf.d/daemon.conf"])
def test_authorizer_no_ticket():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
with pytest.raises(errors.AuthorizationError):
auth.authorize("no-such-ticket", "read")
def daemon():
daemon = server.Server(config.load(["test/conf/daemon.conf"]))
daemon.start()
yield daemon
daemon.stop()
def test_authorizer_remove_mising():
cfg = config.load(["test/conf.d/daemon.conf"])
auth = Authorizer(cfg)
# Removing missing ticket does not raise.
auth.remove("no-such-ticket")
def proxy():
proxy = server.Server(config.load(["test/conf/proxy.conf"]))
proxy.start()
yield proxy
proxy.stop()
def cfg():
return config.load([])
def test_invalid_control_port(port):
cfg = config.load(["test/conf/proxy.conf"])
authorizer = auth.Authorizer(cfg)
cfg.control.port = port
with pytest.raises(errors.InvalidConfig):
services.ControlService(cfg, authorizer)
def srv():
cfg = config.load(["test/conf/daemon.conf"])
s = server.Server(cfg)
s.start()
yield s
s.stop()
def test_invalid_remote_port(port):
cfg = config.load(["test/conf/daemon.conf"])
authorizer = auth.Authorizer(cfg)
cfg.remote.port = port
with pytest.raises(errors.InvalidConfig):
services.RemoteService(cfg, authorizer)
