import pytest

from unit.applications.lang.php import TestApplicationPHP
from unit.feature.isolation import TestFeatureIsolation
from conftest import option

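class TestPHPIsolation(TestApplicationPHP):
    """Tests of the ``isolation`` application option with PHP applications.

    Every test loads an application with an ``isolation`` object whose
    ``rootfs`` is ``option.test_dir`` and then rewrites the application's
    ``root`` / ``working_directory`` (and, where used, the ``php.ini`` path)
    to ``/php/...`` locations.

    NOTE(review): those ``/php/...`` paths are presumably resolved inside the
    new root rather than on the host -- confirm against ``self.load()``.
    """

    prerequisites = {'modules': {'php': 'any'}, 'features': ['isolation']}

    # Shared feature-probe instance; setup_class below builds its own one.
    isolation = TestFeatureIsolation()

    @classmethod
    def setup_class(cls, complete_check=True):
        """Run the parent setup, probe isolation support, then finish setup.

        The parent ``setup_class`` is always called with
        ``complete_check=False`` so that the isolation check runs before
        ``unit.complete()``.

        Args:
            complete_check: when true, return ``unit.complete()``; otherwise
                return the object handed back by the parent setup.
        """
        unit = super().setup_class(complete_check=False)

        # NOTE(review): presumably records the detected namespaces in
        # cls.available['features']['isolation'], which the tests read --
        # confirm in unit.feature.isolation.
        TestFeatureIsolation().check(cls.available, unit.temp_dir)

        return unit if not complete_check else unit.complete()

    @staticmethod
    def _skip_without_userns(isolation_features):
        """Skip the running test unless unprivileged user namespaces exist.

        Only meant for the non-root path: both the ``user`` namespace and the
        ``unprivileged_userns_clone`` feature must be reported as available.
        """
        if 'user' not in isolation_features:
            pytest.skip('requires unprivileged userns or root')

        if 'unprivileged_userns_clone' not in isolation_features:
            pytest.skip('requires unprivileged userns or root')

    def test_php_isolation_rootfs(self, is_su):
        """The application still answers 200 after being moved into a rootfs.

        A mount namespace is always requested here, so ``mnt`` support is
        required for root and non-root runs alike.
        """
        isolation_features = self.available['features']['isolation'].keys()

        if 'mnt' not in isolation_features:
            pytest.skip('requires mnt ns')

        if not is_su:
            self._skip_without_userns(isolation_features)

        # A credential (user) namespace is requested only when not root.
        isolation = {
            'namespaces': {'credential': not is_su, 'mount': True},
            'rootfs': option.test_dir,
        }

        self.load('phpinfo', isolation=isolation)

        assert 'success' in self.conf(
            '"/php/phpinfo"', 'applications/phpinfo/root'
        )
        assert 'success' in self.conf(
            '"/php/phpinfo"', 'applications/phpinfo/working_directory'
        )

        assert self.get()['status'] == 200, 'empty rootfs'

    def test_php_isolation_rootfs_extensions(self, is_su):
        """PHP extensions remain loadable from inside the rootfs.

        With the default automount settings both the ``json`` and the ``unit``
        extension must be listed by the application.
        """
        isolation_features = self.available['features']['isolation'].keys()

        if not is_su:
            self._skip_without_userns(isolation_features)

            if 'mnt' not in isolation_features:
                pytest.skip('requires mnt ns')

        # NOTE(review): under root neither namespace is requested, so only the
        # rootfs setting itself is exercised -- presumably a chroot-style
        # change of root; confirm that this is the intended coverage.
        isolation = {
            'rootfs': option.test_dir,
            'namespaces': {'credential': not is_su, 'mount': not is_su},
        }

        self.load('list-extensions', isolation=isolation)

        assert 'success' in self.conf(
            '"/php/list-extensions"', 'applications/list-extensions/root'
        )

        assert 'success' in self.conf(
            {'file': '/php/list-extensions/php.ini'},
            'applications/list-extensions/options',
        )

        assert 'success' in self.conf(
            '"/php/list-extensions"',
            'applications/list-extensions/working_directory',
        )

        extensions = self.getjson()['body']

        assert 'json' in extensions, 'json in extensions list'
        assert 'unit' in extensions, 'unit in extensions list'

    def test_php_isolation_rootfs_no_language_libs(self, is_su):
        """``automount.language_deps`` decides whether ``json`` is visible.

        With ``language_deps`` set to False the ``json`` extension must be
        absent from the application's extension list while ``unit`` is still
        present; after switching the option to True both must be listed.
        This pins down that nothing but the automount setting brings the
        extension into the rootfs.
        """
        isolation_features = self.available['features']['isolation'].keys()

        if not is_su:
            self._skip_without_userns(isolation_features)

            if 'mnt' not in isolation_features:
                pytest.skip('requires mnt ns')

        isolation = {
            'rootfs': option.test_dir,
            'automount': {'language_deps': False},
            'namespaces': {'credential': not is_su, 'mount': not is_su},
        }

        self.load('list-extensions', isolation=isolation)

        assert 'success' in self.conf(
            '"/php/list-extensions"', 'applications/list-extensions/root'
        )

        assert 'success' in self.conf(
            {'file': '/php/list-extensions/php.ini'},
            'applications/list-extensions/options',
        )

        assert 'success' in self.conf(
            '"/php/list-extensions"',
            'applications/list-extensions/working_directory',
        )

        extensions = self.getjson()['body']

        # Negative check first: without automounted language dependencies the
        # extension must not be reachable from inside the rootfs.
        assert 'unit' in extensions, 'unit in extensions list'
        assert 'json' not in extensions, 'json not in extensions list'

        # Re-enable the automount on the live configuration and query again.
        assert 'success' in self.conf(
            {'language_deps': True},
            'applications/list-extensions/isolation/automount',
        )

        extensions = self.getjson()['body']

        assert 'unit' in extensions, 'unit in extensions list 2'
        assert 'json' in extensions, 'json in extensions list 2'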