1*1596Szelenkov@nginx.comimport pytest 21490St.nateldemoura@f5.com 31490St.nateldemoura@f5.comfrom unit.applications.lang.php import TestApplicationPHP 41490St.nateldemoura@f5.comfrom unit.feature.isolation import TestFeatureIsolation 5*1596Szelenkov@nginx.comfrom conftest import option 61490St.nateldemoura@f5.com 71490St.nateldemoura@f5.com 81490St.nateldemoura@f5.comclass TestPHPIsolation(TestApplicationPHP): 91490St.nateldemoura@f5.com prerequisites = {'modules': {'php': 'any'}, 'features': ['isolation']} 101490St.nateldemoura@f5.com 111490St.nateldemoura@f5.com isolation = TestFeatureIsolation() 121490St.nateldemoura@f5.com 131490St.nateldemoura@f5.com @classmethod 14*1596Szelenkov@nginx.com def setup_class(cls, complete_check=True): 15*1596Szelenkov@nginx.com unit = super().setup_class(complete_check=False) 161490St.nateldemoura@f5.com 17*1596Szelenkov@nginx.com TestFeatureIsolation().check(cls.available, unit.temp_dir) 181490St.nateldemoura@f5.com 191490St.nateldemoura@f5.com return unit if not complete_check else unit.complete() 201490St.nateldemoura@f5.com 21*1596Szelenkov@nginx.com def test_php_isolation_rootfs(self, is_su): 221490St.nateldemoura@f5.com isolation_features = self.available['features']['isolation'].keys() 231490St.nateldemoura@f5.com 241490St.nateldemoura@f5.com if 'mnt' not in isolation_features: 25*1596Szelenkov@nginx.com pytest.skip('requires mnt ns') 261490St.nateldemoura@f5.com 27*1596Szelenkov@nginx.com if not is_su: 281490St.nateldemoura@f5.com if 'user' not in isolation_features: 29*1596Szelenkov@nginx.com pytest.skip('requires unprivileged userns or root') 301490St.nateldemoura@f5.com 311490St.nateldemoura@f5.com if not 'unprivileged_userns_clone' in isolation_features: 32*1596Szelenkov@nginx.com pytest.skip('requires unprivileged userns or root') 331490St.nateldemoura@f5.com 341490St.nateldemoura@f5.com isolation = { 35*1596Szelenkov@nginx.com 'namespaces': {'credential': not is_su, 'mount': True}, 36*1596Szelenkov@nginx.com 'rootfs': option.test_dir, 371490St.nateldemoura@f5.com } 381490St.nateldemoura@f5.com 391490St.nateldemoura@f5.com self.load('phpinfo', isolation=isolation) 401490St.nateldemoura@f5.com 41*1596Szelenkov@nginx.com assert 'success' in self.conf( 42*1596Szelenkov@nginx.com '"/php/phpinfo"', 'applications/phpinfo/root' 431490St.nateldemoura@f5.com ) 44*1596Szelenkov@nginx.com assert 'success' in self.conf( 45*1596Szelenkov@nginx.com '"/php/phpinfo"', 'applications/phpinfo/working_directory' 461490St.nateldemoura@f5.com ) 471490St.nateldemoura@f5.com 48*1596Szelenkov@nginx.com assert self.get()['status'] == 200, 'empty rootfs' 491490St.nateldemoura@f5.com 50*1596Szelenkov@nginx.com def test_php_isolation_rootfs_extensions(self, is_su): 511584St.nateldemoura@f5.com isolation_features = self.available['features']['isolation'].keys() 521584St.nateldemoura@f5.com 53*1596Szelenkov@nginx.com if not is_su: 541584St.nateldemoura@f5.com if 'user' not in isolation_features: 55*1596Szelenkov@nginx.com pytest.skip('requires unprivileged userns or root') 561584St.nateldemoura@f5.com 571584St.nateldemoura@f5.com if not 'unprivileged_userns_clone' in isolation_features: 58*1596Szelenkov@nginx.com pytest.skip('requires unprivileged userns or root') 591584St.nateldemoura@f5.com 601584St.nateldemoura@f5.com if 'mnt' not in isolation_features: 61*1596Szelenkov@nginx.com pytest.skip('requires mnt ns') 621584St.nateldemoura@f5.com 631584St.nateldemoura@f5.com isolation = { 64*1596Szelenkov@nginx.com 'rootfs': option.test_dir, 65*1596Szelenkov@nginx.com 'namespaces': {'credential': not is_su, 'mount': not is_su}, 661584St.nateldemoura@f5.com } 671584St.nateldemoura@f5.com 681584St.nateldemoura@f5.com self.load('list-extensions', isolation=isolation) 691584St.nateldemoura@f5.com 70*1596Szelenkov@nginx.com assert 'success' in self.conf( 71*1596Szelenkov@nginx.com '"/php/list-extensions"', 'applications/list-extensions/root' 721584St.nateldemoura@f5.com ) 731584St.nateldemoura@f5.com 74*1596Szelenkov@nginx.com assert 'success' in self.conf( 75*1596Szelenkov@nginx.com {'file': '/php/list-extensions/php.ini'}, 76*1596Szelenkov@nginx.com 'applications/list-extensions/options', 771584St.nateldemoura@f5.com ) 781584St.nateldemoura@f5.com 79*1596Szelenkov@nginx.com assert 'success' in self.conf( 80*1596Szelenkov@nginx.com '"/php/list-extensions"', 81*1596Szelenkov@nginx.com 'applications/list-extensions/working_directory', 821584St.nateldemoura@f5.com ) 831584St.nateldemoura@f5.com 841584St.nateldemoura@f5.com extensions = self.getjson()['body'] 851584St.nateldemoura@f5.com 86*1596Szelenkov@nginx.com assert 'json' in extensions, 'json in extensions list' 87*1596Szelenkov@nginx.com assert 'unit' in extensions, 'unit in extensions list' 881584St.nateldemoura@f5.com 89*1596Szelenkov@nginx.com def test_php_isolation_rootfs_no_language_libs(self, is_su): 901586St.nateldemoura@f5.com isolation_features = self.available['features']['isolation'].keys() 911586St.nateldemoura@f5.com 92*1596Szelenkov@nginx.com if not is_su: 931586St.nateldemoura@f5.com if 'user' not in isolation_features: 94*1596Szelenkov@nginx.com pytest.skip('requires unprivileged userns or root') 951586St.nateldemoura@f5.com 961586St.nateldemoura@f5.com if not 'unprivileged_userns_clone' in isolation_features: 97*1596Szelenkov@nginx.com pytest.skip('requires unprivileged userns or root') 981586St.nateldemoura@f5.com 991586St.nateldemoura@f5.com if 'mnt' not in isolation_features: 100*1596Szelenkov@nginx.com pytest.skip('requires mnt ns') 1011586St.nateldemoura@f5.com 1021586St.nateldemoura@f5.com isolation = { 103*1596Szelenkov@nginx.com 'rootfs': option.test_dir, 1041586St.nateldemoura@f5.com 'automount': {'language_deps': False}, 105*1596Szelenkov@nginx.com 'namespaces': {'credential': not is_su, 'mount': not is_su}, 1061586St.nateldemoura@f5.com } 1071586St.nateldemoura@f5.com 1081586St.nateldemoura@f5.com self.load('list-extensions', isolation=isolation) 1091586St.nateldemoura@f5.com 110*1596Szelenkov@nginx.com assert 'success' in self.conf( 111*1596Szelenkov@nginx.com '"/php/list-extensions"', 'applications/list-extensions/root' 1121586St.nateldemoura@f5.com ) 1131586St.nateldemoura@f5.com 114*1596Szelenkov@nginx.com assert 'success' in self.conf( 115*1596Szelenkov@nginx.com {'file': '/php/list-extensions/php.ini'}, 116*1596Szelenkov@nginx.com 'applications/list-extensions/options', 1171586St.nateldemoura@f5.com ) 1181586St.nateldemoura@f5.com 119*1596Szelenkov@nginx.com assert 'success' in self.conf( 120*1596Szelenkov@nginx.com '"/php/list-extensions"', 121*1596Szelenkov@nginx.com 'applications/list-extensions/working_directory', 1221586St.nateldemoura@f5.com ) 1231586St.nateldemoura@f5.com 1241586St.nateldemoura@f5.com extensions = self.getjson()['body'] 1251586St.nateldemoura@f5.com 126*1596Szelenkov@nginx.com assert 'unit' in extensions, 'unit in extensions list' 127*1596Szelenkov@nginx.com assert 'json' not in extensions, 'json not in extensions list' 1281586St.nateldemoura@f5.com 129*1596Szelenkov@nginx.com assert 'success' in self.conf( 130*1596Szelenkov@nginx.com {'language_deps': True}, 131*1596Szelenkov@nginx.com 'applications/list-extensions/isolation/automount', 1321586St.nateldemoura@f5.com ) 1331586St.nateldemoura@f5.com 1341586St.nateldemoura@f5.com extensions = self.getjson()['body'] 1351586St.nateldemoura@f5.com 136*1596Szelenkov@nginx.com assert 'unit' in extensions, 'unit in extensions list 2' 137*1596Szelenkov@nginx.com assert 'json' in extensions, 'json in extensions list 2' 1381586St.nateldemoura@f5.com 139