| Clint Byrum | 5870cca | 2017-04-04 16:20:00 -0700 | [diff] [blame] | 1 | # Licensed under the Apache License, Version 2.0 (the "License"); you may |
| 2 | # not use this file except in compliance with the License. You may obtain |
| 3 | # a copy of the License at |
| 4 | # |
| 5 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 6 | # |
| 7 | # Unless required by applicable law or agreed to in writing, software |
| 8 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| 9 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| 10 | # License for the specific language governing permissions and limitations |
| 11 | # under the License. |
| 12 | |
| 13 | import fixtures |
| 14 | import logging |
| 15 | import subprocess |
| 16 | import tempfile |
| 17 | import testtools |
| Tristan Cacqueray | 2438860 | 2017-06-11 23:40:57 +0000 | [diff] [blame] | 18 | import os |
| Clint Byrum | 5870cca | 2017-04-04 16:20:00 -0700 | [diff] [blame] | 19 | |
| 20 | from zuul.driver import bubblewrap |
| 21 | from zuul.executor.server import SshAgent |
| 22 | |
| 23 | |
| 24 | class TestBubblewrap(testtools.TestCase): |
| 25 | def setUp(self): |
| 26 | super(TestBubblewrap, self).setUp() |
| 27 | self.log_fixture = self.useFixture( |
| 28 | fixtures.FakeLogger(level=logging.DEBUG)) |
| 29 | self.useFixture(fixtures.NestedTempfile()) |
| 30 | |
| 31 | def test_bubblewrap_wraps(self): |
| 32 | bwrap = bubblewrap.BubblewrapDriver() |
| 33 | work_dir = tempfile.mkdtemp() |
| Clint Byrum | 5870cca | 2017-04-04 16:20:00 -0700 | [diff] [blame] | 34 | ssh_agent = SshAgent() |
| 35 | self.addCleanup(ssh_agent.stop) |
| 36 | ssh_agent.start() |
| 37 | po = bwrap.getPopen(work_dir=work_dir, |
| Clint Byrum | 5870cca | 2017-04-04 16:20:00 -0700 | [diff] [blame] | 38 | ssh_auth_sock=ssh_agent.env['SSH_AUTH_SOCK']) |
| 39 | self.assertTrue(po.passwd_r > 2) |
| 40 | self.assertTrue(po.group_r > 2) |
| 41 | self.assertTrue(work_dir in po.command) |
| Clint Byrum | 5870cca | 2017-04-04 16:20:00 -0700 | [diff] [blame] | 42 | # Now run /usr/bin/id to verify passwd/group entries made it in |
| 43 | true_proc = po(['/usr/bin/id'], stdout=subprocess.PIPE, |
| 44 | stderr=subprocess.PIPE) |
| 45 | (output, errs) = true_proc.communicate() |
| 46 | # Make sure it printed things on stdout |
| 47 | self.assertTrue(len(output.strip())) |
| 48 | # And that it did not print things on stderr |
| 49 | self.assertEqual(0, len(errs.strip())) |
| 50 | # Make sure the _r's are closed |
| 51 | self.assertIsNone(po.passwd_r) |
| 52 | self.assertIsNone(po.group_r) |
| Tristan Cacqueray | 2438860 | 2017-06-11 23:40:57 +0000 | [diff] [blame] | 53 | |
| 54 | def test_bubblewrap_leak(self): |
| 55 | bwrap = bubblewrap.BubblewrapDriver() |
| 56 | work_dir = tempfile.mkdtemp() |
| 57 | ansible_dir = tempfile.mkdtemp() |
| 58 | ssh_agent = SshAgent() |
| 59 | self.addCleanup(ssh_agent.stop) |
| 60 | ssh_agent.start() |
| 61 | po = bwrap.getPopen(work_dir=work_dir, |
| 62 | ansible_dir=ansible_dir, |
| 63 | ssh_auth_sock=ssh_agent.env['SSH_AUTH_SOCK']) |
| 64 | leak_time = 7 |
| 65 | # Use hexadecimal notation to avoid false-positive |
| 66 | true_proc = po(['bash', '-c', 'sleep 0x%X & disown' % leak_time]) |
| 67 | self.assertEqual(0, true_proc.wait()) |
| 68 | cmdline = "sleep\x000x%X\x00" % leak_time |
| 69 | sleep_proc = [pid for pid in os.listdir("/proc") if |
| 70 | os.path.isfile("/proc/%s/cmdline" % pid) and |
| 71 | open("/proc/%s/cmdline" % pid).read() == cmdline] |
| 72 | self.assertEqual(len(sleep_proc), 0, "Processes leaked") |