File various-netapi-fixes-and-tests.patch of Package salt.14889
From 95f38ddf067b9c52654395a217afea988e44a54f Mon Sep 17 00:00:00 2001
From: Jochen Breuer <jbreuer@suse.de>
Date: Wed, 19 Feb 2020 14:37:05 +0100
Subject: [PATCH] various netapi fixes and tests
---
conf/master | 6 ++
salt/config/__init__.py | 6 +-
salt/netapi/__init__.py | 7 +-
tests/integration/netapi/test_client.py | 150 +++++++++++++++++++++++++++++++-
tests/support/helpers.py | 19 ++++
5 files changed, 185 insertions(+), 3 deletions(-)
diff --git a/conf/master b/conf/master
index 06bed3ea44..349d971414 100644
--- a/conf/master
+++ b/conf/master
@@ -1291,3 +1291,9 @@ syndic_user: salt
# use OS defaults, typically 75 seconds on Linux, see
# /proc/sys/net/ipv4/tcp_keepalive_intvl.
#tcp_keepalive_intvl: -1
+
+
+##### NetAPI settings #####
+############################################
+# Allow the raw_shell parameter to be used when calling Salt SSH client via API
+#netapi_allow_raw_shell: True
diff --git a/salt/config/__init__.py b/salt/config/__init__.py
index 5d0c18b5d1..dc257ff8b8 100644
--- a/salt/config/__init__.py
+++ b/salt/config/__init__.py
@@ -1216,6 +1216,10 @@ VALID_OPTS = {
# Use Adler32 hashing algorithm for server_id (default False until Sodium, "adler32" after)
# Possible values are: False, adler32, crc32
'server_id_use_crc': (bool, six.string_types),
+
+ # Allow raw_shell option when using the ssh
+ # client via the Salt API
+ 'netapi_allow_raw_shell': bool,
}
# default configurations
@@ -1869,9 +1873,9 @@ DEFAULT_MASTER_OPTS = {
'auth_events': True,
'minion_data_cache_events': True,
'enable_ssh_minions': False,
+ 'netapi_allow_raw_shell': False,
}
-
# ----- Salt Proxy Minion Configuration Defaults ----------------------------------->
# These are merged with DEFAULT_MINION_OPTS since many of them also apply here.
DEFAULT_PROXY_MINION_OPTS = {
diff --git a/salt/netapi/__init__.py b/salt/netapi/__init__.py
index 43b6e943a7..31a24bb420 100644
--- a/salt/netapi/__init__.py
+++ b/salt/netapi/__init__.py
@@ -71,10 +71,15 @@ class NetapiClient(object):
raise salt.exceptions.SaltInvocationError(
'Invalid client specified: \'{0}\''.format(low.get('client')))
- if not ('token' in low or 'eauth' in low) and low['client'] != 'ssh':
+ if not ('token' in low or 'eauth' in low):
raise salt.exceptions.EauthAuthenticationError(
'No authentication credentials given')
+ if low.get('raw_shell') and \
+ not self.opts.get('netapi_allow_raw_shell'):
+ raise salt.exceptions.EauthAuthenticationError(
+ 'Raw shell option not allowed.')
+
l_fun = getattr(self, low['client'])
f_call = salt.utils.args.format_call(l_fun, low)
return l_fun(*f_call.get('args', ()), **f_call.get('kwargs', {}))
diff --git a/tests/integration/netapi/test_client.py b/tests/integration/netapi/test_client.py
index 503bbaf335..a886563e3d 100644
--- a/tests/integration/netapi/test_client.py
+++ b/tests/integration/netapi/test_client.py
@@ -2,17 +2,32 @@
# Import Python libs
from __future__ import absolute_import, print_function, unicode_literals
+import logging
import os
import time
# Import Salt Testing libs
-from tests.support.paths import TMP_CONF_DIR
+from tests.support.paths import TMP_CONF_DIR, TMP
+from tests.support.runtests import RUNTIME_VARS
from tests.support.unit import TestCase, skipIf
+from tests.support.mock import patch
+from tests.support.case import SSHCase
+from tests.support.helpers import (
+ Webserver,
+ SaveRequestsPostHandler,
+ requires_sshd_server
+)
# Import Salt libs
import salt.config
import salt.netapi
+from salt.exceptions import (
+ EauthAuthenticationError
+)
+
+log = logging.getLogger(__name__)
+
class NetapiClientTest(TestCase):
eauth_creds = {
@@ -74,6 +89,12 @@ class NetapiClientTest(TestCase):
pass
self.assertEqual(ret, {'minions': sorted(['minion', 'sub_minion'])})
+ def test_local_unauthenticated(self):
+ low = {'client': 'local', 'tgt': '*', 'fun': 'test.ping'}
+
+ with self.assertRaises(EauthAuthenticationError) as excinfo:
+ ret = self.netapi.run(low)
+
def test_wheel(self):
low = {'client': 'wheel', 'fun': 'key.list_all'}
low.update(self.eauth_creds)
@@ -107,6 +128,12 @@ class NetapiClientTest(TestCase):
self.assertIn('jid', ret)
self.assertIn('tag', ret)
+ def test_wheel_unauthenticated(self):
+ low = {'client': 'wheel', 'tgt': '*', 'fun': 'test.ping'}
+
+ with self.assertRaises(EauthAuthenticationError) as excinfo:
+ ret = self.netapi.run(low)
+
@skipIf(True, 'This is not testing anything. Skipping for now.')
def test_runner(self):
# TODO: fix race condition in init of event-- right now the event class
@@ -125,3 +152,124 @@ class NetapiClientTest(TestCase):
low.update(self.eauth_creds)
ret = self.netapi.run(low)
+
+ def test_runner_unauthenticated(self):
+ low = {'client': 'runner', 'tgt': '*', 'fun': 'test.ping'}
+
+ with self.assertRaises(EauthAuthenticationError) as excinfo:
+ ret = self.netapi.run(low)
+
+
+@requires_sshd_server
+class NetapiSSHClientTest(SSHCase):
+ eauth_creds = {
+ 'username': 'saltdev_auto',
+ 'password': 'saltdev',
+ 'eauth': 'auto',
+ }
+
+ def setUp(self):
+ '''
+ Set up a NetapiClient instance
+ '''
+ opts = salt.config.client_config(os.path.join(TMP_CONF_DIR, 'master'))
+ self.netapi = salt.netapi.NetapiClient(opts)
+ self.priv_file = os.path.join(RUNTIME_VARS.TMP_CONF_DIR, 'key_test')
+ self.rosters = os.path.join(RUNTIME_VARS.TMP_CONF_DIR)
+
+ self.priv_file = os.path.join(RUNTIME_VARS.TMP_CONF_DIR, 'key_test')
+ self.rosters = os.path.join(RUNTIME_VARS.TMP_CONF_DIR)
+
+ # Initialize salt-ssh
+ self.run_function('test.ping')
+
+ def tearDown(self):
+ del self.netapi
+
+ @classmethod
+ def setUpClass(cls):
+ cls.post_webserver = Webserver(handler=SaveRequestsPostHandler)
+ cls.post_webserver.start()
+ cls.post_web_root = cls.post_webserver.web_root
+ cls.post_web_handler = cls.post_webserver.handler
+
+ @classmethod
+ def tearDownClass(cls):
+ cls.post_webserver.stop()
+ del cls.post_webserver
+
+ def test_ssh(self):
+ low = {'client': 'ssh',
+ 'tgt': 'localhost',
+ 'fun': 'test.ping',
+ 'ignore_host_keys': True,
+ 'roster_file': 'roster',
+ 'rosters': [self.rosters],
+ 'ssh_priv': self.priv_file}
+
+ low.update(self.eauth_creds)
+
+ ret = self.netapi.run(low)
+
+ self.assertIn('localhost', ret)
+ self.assertIn('return', ret['localhost'])
+ self.assertEqual(ret['localhost']['return'], True)
+ self.assertEqual(ret['localhost']['id'], 'localhost')
+ self.assertEqual(ret['localhost']['fun'], 'test.ping')
+
+ def test_ssh_unauthenticated(self):
+ low = {'client': 'ssh', 'tgt': 'localhost', 'fun': 'test.ping'}
+
+ with self.assertRaises(EauthAuthenticationError) as excinfo:
+ ret = self.netapi.run(low)
+
+ def test_ssh_unauthenticated_raw_shell_curl(self):
+
+ fun = '-o ProxyCommand curl {0}'.format(self.post_web_root)
+ low = {'client': 'ssh',
+ 'tgt': 'localhost',
+ 'fun': fun,
+ 'raw_shell': True}
+
+ ret = None
+ with self.assertRaises(EauthAuthenticationError) as excinfo:
+ ret = self.netapi.run(low)
+
+ self.assertEqual(self.post_web_handler.received_requests, [])
+ self.assertEqual(ret, None)
+
+ def test_ssh_unauthenticated_raw_shell_touch(self):
+
+ badfile = os.path.join(TMP, 'badfile.txt')
+ fun = '-o ProxyCommand touch {0}'.format(badfile)
+ low = {'client': 'ssh',
+ 'tgt': 'localhost',
+ 'fun': fun,
+ 'raw_shell': True}
+
+ ret = None
+ with self.assertRaises(EauthAuthenticationError) as excinfo:
+ ret = self.netapi.run(low)
+
+ self.assertEqual(ret, None)
+ self.assertFalse(os.path.exists('badfile.txt'))
+
+ def test_ssh_authenticated_raw_shell_disabled(self):
+
+ badfile = os.path.join(TMP, 'badfile.txt')
+ fun = '-o ProxyCommand touch {0}'.format(badfile)
+ low = {'client': 'ssh',
+ 'tgt': 'localhost',
+ 'fun': fun,
+ 'raw_shell': True}
+
+ low.update(self.eauth_creds)
+
+ ret = None
+ with patch.dict(self.netapi.opts,
+ {'netapi_allow_raw_shell': False}):
+ with self.assertRaises(EauthAuthenticationError) as excinfo:
+ ret = self.netapi.run(low)
+
+ self.assertEqual(ret, None)
+ self.assertFalse(os.path.exists('badfile.txt'))
diff --git a/tests/support/helpers.py b/tests/support/helpers.py
index 626da6a069..e5ca5918c9 100644
--- a/tests/support/helpers.py
+++ b/tests/support/helpers.py
@@ -1582,6 +1582,25 @@ class Webserver(object):
self.server_thread.join()
+class SaveRequestsPostHandler(tornado.web.RequestHandler):
+ '''
+ Save all requests sent to the server.
+ '''
+ received_requests = []
+
+ def post(self, *args): # pylint: disable=arguments-differ
+ '''
+ Handle the post
+ '''
+ self.received_requests.append(self.request)
+
+ def data_received(self): # pylint: disable=arguments-differ
+ '''
+ Streaming not used for testing
+ '''
+ raise NotImplementedError()
+
+
def win32_kill_process_tree(pid, sig=signal.SIGTERM, include_parent=True,
timeout=None, on_terminate=None):
'''
--
2.16.4
