Added tests and doc

2025-04-17 10:10:20 +00:00 · 2017-10-20 05:32:43 +02:00 · 2017-10-20 05:32:43 +02:00 · 295b5d4834
commit 295b5d4834
parent 4a2a7b63d4
4 changed files with 128 additions and 3 deletions
--- a/conf/master
+++ b/conf/master
@ -337,7 +337,8 @@

 # If the autosign_file is specified, incoming keys specified in the
 # autosign_file will be automatically accepted. This is insecure.  Regular
-# expressions as well as globing lines are supported.
+# expressions as well as globing lines are supported. The file must be readonly
+# except for the owner. User permissive_pki_access to allow the group write access.
 #autosign_file: /etc/salt/autosign.conf

 # Works like autosign_file, but instead allows you to specify minion IDs for
--- a/conf/suse/master
+++ b/conf/suse/master
@ -311,7 +311,8 @@ syndic_user: salt

 # If the autosign_file is specified, incoming keys specified in the
 # autosign_file will be automatically accepted. This is insecure.  Regular
-# expressions as well as globing lines are supported.
+# expressions as well as globing lines are supported. The file must be readonly
+# except for the owner. User permissive_pki_access to allow the group write access.
 #autosign_file: /etc/salt/autosign.conf

 # Works like autosign_file, but instead allows you to specify minion IDs for
--- a/doc/ref/configuration/master.rst
+++ b/doc/ref/configuration/master.rst
@ -1275,6 +1275,9 @@ Default: ``not defined``
 If the ``autosign_file`` is specified incoming keys specified in the autosign_file
 will be automatically accepted. Matches will be searched for first by string
 comparison, then by globbing, then by full-string regex matching.
+The file must be readonly except for it's owner.
+If :conf_master:`permissive_pki_access` is ``True`` the owning group can also
+have write access, but if salt is running as ``root`` it must be a member of that group.
 This should still be considered a less than secure option, due to the fact
 that trust is based on just the requesting minion id.

--- a/tests/unit/daemons/test_masterapi.py
+++ b/tests/unit/daemons/test_masterapi.py
@ -2,19 +2,139 @@

 # Import Python libs
 from __future__ import absolute_import
+from functools import wraps
+import stat

 # Import Salt libs
 import salt.config
 import salt.daemons.masterapi as masterapi

 # Import Salt Testing Libs
-from tests.support.unit import TestCase
+from tests.support.unit import TestCase, skipIf
 from tests.support.mock import (
    patch,
    MagicMock,
+    NO_MOCK,
+    NO_MOCK_REASON,
 )


+def gen_permissions(owner='', group='', others=''):
+    '''
+    Helper method to generate file permission bits
+    Usage: gen_permissions('rw', 'r', 'r')
+    '''
+    ret = 0
+    for c in owner:
+        ret |= getattr(stat, 'S_I{}USR'.format(c.upper()), 0)
+    for c in group:
+        ret |= getattr(stat, 'S_I{}GRP'.format(c.upper()), 0)
+    for c in others:
+        ret |= getattr(stat, 'S_I{}OTH'.format(c.upper()), 0)
+    return ret
+
+
+@skipIf(NO_MOCK, NO_MOCK_REASON)
+class AutoKeyTest(TestCase):
+    '''
+    Tests for the salt.daemons.masterapi.AutoKey class
+    '''
+
+    def setUp(self):
+        opts = {'user': 'test_user'}
+        self.auto_key = masterapi.AutoKey(opts)
+        self.stats = {}
+
+    def _patch_check_permissions(uid=1, groups=None, is_windows=False, permissive_pki=False):
+        if not groups:
+            groups = [uid]
+
+        def decorator(func):
+            @wraps(func)
+            def wrapper(self):
+                self.auto_key.opts['permissive_pki_access'] = permissive_pki
+                with patch('os.stat', self.os_stat_mock), \
+                        patch('os.getuid', MagicMock(return_value=uid)), \
+                        patch('salt.utils.user.get_gid_list', MagicMock(return_value=groups)), \
+                        patch('salt.utils.platform.is_windows', MagicMock(return_value=is_windows)):
+                    func(self)
+            return wrapper
+        return decorator
+
+    def os_stat_mock(self, filename):
+        fmode = MagicMock()
+        fstats = self.stats.get(filename, {})
+        fmode.st_mode = fstats.get('mode', 0)
+        fmode.st_gid = fstats.get('gid', 0)
+        return fmode
+
+    @_patch_check_permissions(uid=0, is_windows=True)
+    def test_check_permissions_windows(self):
+        '''
+        Assert that all files are accepted on windows
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('rwx', 'rwx', 'rwx'), 'gid': 2}
+        self.assertTrue(self.auto_key.check_permissions('testfile'))
+
+    @_patch_check_permissions(permissive_pki=True)
+    def test_check_permissions_others_can_write(self):
+        '''
+        Assert that no file is accepted, when others can write to it
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('', '', 'w'), 'gid': 1}
+        self.assertFalse(self.auto_key.check_permissions('testfile'))
+
+    @_patch_check_permissions()
+    def test_check_permissions_group_can_write_not_permissive(self):
+        '''
+        Assert that a file is accepted, when group can write to it and perkissive_pki_access=False
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 1}
+        self.assertFalse(self.auto_key.check_permissions('testfile'))
+
+    @_patch_check_permissions(permissive_pki=True)
+    def test_check_permissions_group_can_write_permissive(self):
+        '''
+        Assert that a file is accepted, when group can write to it and perkissive_pki_access=True
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 1}
+        self.assertTrue(self.auto_key.check_permissions('testfile'))
+
+    @_patch_check_permissions(uid=0, permissive_pki=True)
+    def test_check_permissions_group_can_write_permissive_root_in_group(self):
+        '''
+        Assert that a file is accepted, when group can write to it, perkissive_pki_access=False,
+        salt is root and in the file owning group
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 0}
+        self.assertTrue(self.auto_key.check_permissions('testfile'))
+
+    @_patch_check_permissions(uid=0, permissive_pki=True)
+    def test_check_permissions_group_can_write_permissive_root_not_in_group(self):
+        '''
+        Assert that no file is accepted, when group can write to it, perkissive_pki_access=False,
+        salt is root and **not** in the file owning group
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('w', 'w', ''), 'gid': 1}
+        self.assertFalse(self.auto_key.check_permissions('testfile'))
+
+    @_patch_check_permissions()
+    def test_check_permissions_only_owner_can_write(self):
+        '''
+        Assert that a file is accepted, when only the owner can write to it
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('w', '', ''), 'gid': 1}
+        self.assertTrue(self.auto_key.check_permissions('testfile'))
+
+    @_patch_check_permissions(uid=0)
+    def test_check_permissions_only_owner_can_write_root(self):
+        '''
+        Assert that a file is accepted, when only the owner can write to it and salt is root
+        '''
+        self.stats['testfile'] = {'mode': gen_permissions('w', '', ''), 'gid': 0}
+        self.assertTrue(self.auto_key.check_permissions('testfile'))
+
+
 class LocalFuncsTestCase(TestCase):
    '''
    TestCase for salt.daemons.masterapi.LocalFuncs class