import pytest

from unit.applications.lang.php import TestApplicationPHP
from unit.option import option


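class TestPHPIsolation(TestApplicationPHP):
    """Check that PHP applications start and respond under ``rootfs`` isolation.

    Both tests load an application with ``isolation['rootfs']`` set to the
    ``temp_dir`` fixture. An unprivileged run additionally requests the
    mount, credential and pid namespaces; a root run requests none.

    NOTE(review): the assertions only show that the application starts and
    answers inside the configured root. Nothing here checks that paths
    outside ``rootfs`` are unreachable, so a passing run is not evidence of
    confinement on its own.
    """

    prerequisites = {'modules': {'php': 'any'}, 'features': ['isolation']}

    # Feature keys an unprivileged run needs, each with its skip reason.
    # The order is significant: the first missing feature picks the message.
    # These are keys of option.available['features']['isolation']; they are
    # not the same strings as the 'namespaces' config keys used below.
    _UNPRIVILEGED_REQUIREMENTS = (
        ('unprivileged_userns_clone', 'requires unprivileged userns or root'),
        ('user', 'user namespace is not supported'),
        ('mnt', 'mnt namespace is not supported'),
        ('pid', 'pid namespace is not supported'),
    )

    def _rootfs_isolation_config(self, is_su, temp_dir):
        """Build the ``isolation`` object shared by the rootfs tests.

        Args:
            is_su: fixture value; truthy when the tests run as root.
            temp_dir: fixture path used as the application's ``rootfs``.

        Returns:
            A dict with ``rootfs`` and, for an unprivileged run, a
            ``namespaces`` entry enabling mount, credential and pid.

        Skips the calling test (``pytest.skip``) when the run is
        unprivileged and a required isolation feature is missing.
        """
        # Read unconditionally, as both tests did before the checks moved here.
        isolation_features = option.available['features']['isolation'].keys()

        isolation = {'rootfs': temp_dir}

        if is_su:
            # Root path: only rootfs is set and no namespaces are requested.
            return isolation

        for feature, reason in self._UNPRIVILEGED_REQUIREMENTS:
            if feature not in isolation_features:
                pytest.skip(reason)

        isolation['namespaces'] = {
            'mount': True,
            'credential': True,
            'pid': True,
        }

        return isolation

    def test_php_isolation_rootfs(self, is_su, temp_dir):
        """Serve ``phpinfo`` from inside the rootfs and expect HTTP 200."""
        isolation = self._rootfs_isolation_config(is_su, temp_dir)

        self.load('phpinfo', isolation=isolation)

        # The value is a JSON string literal, hence the embedded quotes.
        # Presumably the path is resolved inside the new root; confirm
        # against the harness.
        assert 'success' in self.conf(
            '"/app/php/phpinfo"', 'applications/phpinfo/root'
        )
        assert 'success' in self.conf(
            '"/app/php/phpinfo"', 'applications/phpinfo/working_directory'
        )

        assert self.get()['status'] == 200, 'empty rootfs'

    def test_php_isolation_rootfs_extensions(self, is_su, temp_dir):
        """Load ``list-extensions`` with a php.ini and check the reported list."""
        isolation = self._rootfs_isolation_config(is_su, temp_dir)

        self.load('list-extensions', isolation=isolation)

        assert 'success' in self.conf(
            '"/app/php/list-extensions"', 'applications/list-extensions/root'
        )

        # NOTE(review): this php.ini path has no '/app' prefix, unlike root
        # and working_directory. Presumably intentional; confirm against the
        # rootfs layout the harness prepares.
        assert 'success' in self.conf(
            {'file': '/php/list-extensions/php.ini'},
            'applications/list-extensions/options',
        )

        assert 'success' in self.conf(
            '"/app/php/list-extensions"',
            'applications/list-extensions/working_directory',
        )

        extensions = self.getjson()['body']

        # Both names must appear in the list returned by the application
        # while it runs under the rootfs.
        assert 'json' in extensions, 'json in extensions list'
        assert 'unit' in extensions, 'unit in extensions list'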