11848Szelenkov@nginx.comimport pytest
21490St.nateldemoura@f5.comfrom unit.applications.lang.python import TestApplicationPython
31730Szelenkov@nginx.comfrom unit.option import option
41773Szelenkov@nginx.comfrom unit.utils import findmnt
51773Szelenkov@nginx.comfrom unit.utils import waitformount
61773Szelenkov@nginx.comfrom unit.utils import waitforunmount
71490St.nateldemoura@f5.com
81490St.nateldemoura@f5.com
91490St.nateldemoura@f5.comclass TestPythonIsolation(TestApplicationPython):
101490St.nateldemoura@f5.com    prerequisites = {'modules': {'python': 'any'}, 'features': ['isolation']}
111490St.nateldemoura@f5.com
121654Szelenkov@nginx.com    def test_python_isolation_rootfs(self, is_su, temp_dir):
131654Szelenkov@nginx.com        isolation_features = option.available['features']['isolation'].keys()
141490St.nateldemoura@f5.com
151596Szelenkov@nginx.com        if not is_su:
161490St.nateldemoura@f5.com            if not 'unprivileged_userns_clone' in isolation_features:
171596Szelenkov@nginx.com                pytest.skip('requires unprivileged userns or root')
181490St.nateldemoura@f5.com
191673St.nateldemoura@f5.com            if 'user' not in isolation_features:
201673St.nateldemoura@f5.com                pytest.skip('user namespace is not supported')
211673St.nateldemoura@f5.com
221673St.nateldemoura@f5.com            if 'mnt' not in isolation_features:
231673St.nateldemoura@f5.com                pytest.skip('mnt namespace is not supported')
241673St.nateldemoura@f5.com
251673St.nateldemoura@f5.com            if 'pid' not in isolation_features:
261673St.nateldemoura@f5.com                pytest.skip('pid namespace is not supported')
271490St.nateldemoura@f5.com
281673St.nateldemoura@f5.com        isolation = {'rootfs': temp_dir}
291490St.nateldemoura@f5.com
301673St.nateldemoura@f5.com        if not is_su:
311673St.nateldemoura@f5.com            isolation['namespaces'] = {
321673St.nateldemoura@f5.com                'mount': True,
331673St.nateldemoura@f5.com                'credential': True,
341848Szelenkov@nginx.com                'pid': True,
351673St.nateldemoura@f5.com            }
361490St.nateldemoura@f5.com
371490St.nateldemoura@f5.com        self.load('ns_inspect', isolation=isolation)
381490St.nateldemoura@f5.com
391596Szelenkov@nginx.com        assert (
401654Szelenkov@nginx.com            self.getjson(url='/?path=' + temp_dir)['body']['FileExists']
411596Szelenkov@nginx.com            == False
421596Szelenkov@nginx.com        ), 'temp_dir does not exists in rootfs'
431490St.nateldemoura@f5.com
441596Szelenkov@nginx.com        assert (
451848Szelenkov@nginx.com            self.getjson(url='/?path=/proc/self')['body']['FileExists'] == True
461596Szelenkov@nginx.com        ), 'no /proc/self'
471490St.nateldemoura@f5.com
481596Szelenkov@nginx.com        assert (
491596Szelenkov@nginx.com            self.getjson(url='/?path=/dev/pts')['body']['FileExists'] == False
501596Szelenkov@nginx.com        ), 'no /dev/pts'
511596Szelenkov@nginx.com
521596Szelenkov@nginx.com        assert (
531596Szelenkov@nginx.com            self.getjson(url='/?path=/sys/kernel')['body']['FileExists']
541596Szelenkov@nginx.com            == False
551596Szelenkov@nginx.com        ), 'no /sys/kernel'
561490St.nateldemoura@f5.com
571490St.nateldemoura@f5.com        ret = self.getjson(url='/?path=/app/python/ns_inspect')
581490St.nateldemoura@f5.com
59*2073Szelenkov@nginx.com        assert ret['body']['FileExists'] == True, 'application exists in rootfs'
601622St.nateldemoura@f5.com
611654Szelenkov@nginx.com    def test_python_isolation_rootfs_no_language_deps(self, is_su, temp_dir):
621622St.nateldemoura@f5.com        if not is_su:
631773Szelenkov@nginx.com            pytest.skip('requires root')
641673St.nateldemoura@f5.com
651848Szelenkov@nginx.com        isolation = {'rootfs': temp_dir, 'automount': {'language_deps': False}}
661622St.nateldemoura@f5.com
671622St.nateldemoura@f5.com        self.load('empty', isolation=isolation)
681622St.nateldemoura@f5.com
691773Szelenkov@nginx.com        assert findmnt().find(temp_dir) == -1
701848Szelenkov@nginx.com        assert self.get()['status'] != 200, 'disabled language_deps'
711773Szelenkov@nginx.com        assert findmnt().find(temp_dir) == -1
721622St.nateldemoura@f5.com
731622St.nateldemoura@f5.com        isolation['automount']['language_deps'] = True
741622St.nateldemoura@f5.com
751622St.nateldemoura@f5.com        self.load('empty', isolation=isolation)
761622St.nateldemoura@f5.com
771773Szelenkov@nginx.com        assert findmnt().find(temp_dir) == -1
781848Szelenkov@nginx.com        assert self.get()['status'] == 200, 'enabled language_deps'
791773Szelenkov@nginx.com        assert waitformount(temp_dir), 'language_deps mount'
801773Szelenkov@nginx.com
811773Szelenkov@nginx.com        self.conf({"listeners": {}, "applications": {}})
821773Szelenkov@nginx.com
831773Szelenkov@nginx.com        assert waitforunmount(temp_dir), 'language_deps unmount'
841774Szelenkov@nginx.com
851774Szelenkov@nginx.com    def test_python_isolation_procfs(self, is_su, temp_dir):
861774Szelenkov@nginx.com        if not is_su:
871774Szelenkov@nginx.com            pytest.skip('requires root')
881774Szelenkov@nginx.com
891774Szelenkov@nginx.com        isolation = {'rootfs': temp_dir, 'automount': {'procfs': False}}
901774Szelenkov@nginx.com
911774Szelenkov@nginx.com        self.load('ns_inspect', isolation=isolation)
921774Szelenkov@nginx.com
931774Szelenkov@nginx.com        assert (
94*2073Szelenkov@nginx.com            self.getjson(url='/?path=/proc/self')['body']['FileExists'] == False
951774Szelenkov@nginx.com        ), 'no /proc/self'
961774Szelenkov@nginx.com
971774Szelenkov@nginx.com        isolation['automount']['procfs'] = True
981774Szelenkov@nginx.com
991774Szelenkov@nginx.com        self.load('ns_inspect', isolation=isolation)
1001774Szelenkov@nginx.com
1011774Szelenkov@nginx.com        assert (
1021774Szelenkov@nginx.com            self.getjson(url='/?path=/proc/self')['body']['FileExists'] == True
1031774Szelenkov@nginx.com        ), '/proc/self'
104