Merge "Remove root owned ipsec.secrets for ensure_configs"
This commit is contained in:
commit
4733b73b7f
@ -17,7 +17,7 @@ import os.path
|
|||||||
|
|
||||||
import eventlet
|
import eventlet
|
||||||
|
|
||||||
from neutron.i18n import _LE, _LW
|
from neutron.i18n import _LE, _LI, _LW
|
||||||
from oslo_config import cfg
|
from oslo_config import cfg
|
||||||
from oslo_log import log as logging
|
from oslo_log import log as logging
|
||||||
|
|
||||||
@ -58,13 +58,21 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
|
|||||||
|
|
||||||
Initialise the nssdb, otherwise pluto daemon will fail to run.
|
Initialise the nssdb, otherwise pluto daemon will fail to run.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
# Since we set ipsec.secrets to be owned by root, the standard
|
||||||
|
# mechanisms for setting up the config files will get a permission
|
||||||
|
# problem when attempting to overwrite the file, so we need to
|
||||||
|
# remove it first.
|
||||||
|
secrets_file = self._get_config_filename('ipsec.secrets')
|
||||||
|
if os.path.exists(secrets_file):
|
||||||
|
os.remove(secrets_file)
|
||||||
|
|
||||||
super(LibreSwanProcess, self).ensure_configs()
|
super(LibreSwanProcess, self).ensure_configs()
|
||||||
|
|
||||||
# LibreSwan uses the capabilities library to restrict access to
|
# LibreSwan uses the capabilities library to restrict access to
|
||||||
# ipsec.secrets to users that have explicit access. Since pluto is
|
# ipsec.secrets to users that have explicit access. Since pluto is
|
||||||
# running as root and the file has 0600 perms, we must set the
|
# running as root and the file has 0600 perms, we must set the
|
||||||
# owner of the file to root.
|
# owner of the file to root.
|
||||||
secrets_file = self._get_config_filename('ipsec.secrets')
|
|
||||||
self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
|
self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
|
||||||
secrets_file])
|
secrets_file])
|
||||||
|
|
||||||
@ -108,9 +116,11 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
|
|||||||
return True
|
return True
|
||||||
|
|
||||||
except IOError as e:
|
except IOError as e:
|
||||||
LOG.error(_LE('Unable to check control files on startup for '
|
# This is logged as "info" instead of error because it simply
|
||||||
'router %(router)s: %(msg)s'),
|
# means that we couldn't find the files to check on them.
|
||||||
{'router': self.id, 'msg': e})
|
LOG.info(_LI('Unable to find control files on startup for '
|
||||||
|
'router %(router)s: %(msg)s'),
|
||||||
|
{'router': self.id, 'msg': e})
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def _cleanup_control_files(self):
|
def _cleanup_control_files(self):
|
||||||
|
@ -1001,7 +1001,9 @@ class TestLibreSwanProcess(base.BaseTestCase):
|
|||||||
self.assertTrue(self.ipsec_process._process_running())
|
self.assertTrue(self.ipsec_process._process_running())
|
||||||
self.assertTrue(log_mock.called)
|
self.assertTrue(log_mock.called)
|
||||||
|
|
||||||
def test_ensure_configs(self):
|
@mock.patch('os.remove')
|
||||||
|
@mock.patch('os.path.exists', return_value=True)
|
||||||
|
def test_ensure_configs_on_restart(self, exists_mock, remove_mock):
|
||||||
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
|
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
|
||||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||||
self.ipsec_process.ensure_configs()
|
self.ipsec_process.ensure_configs()
|
||||||
@ -1014,6 +1016,29 @@ class TestLibreSwanProcess(base.BaseTestCase):
|
|||||||
self.ipsec_process.etc_dir])]
|
self.ipsec_process.etc_dir])]
|
||||||
fake_execute.assert_has_calls(expected)
|
fake_execute.assert_has_calls(expected)
|
||||||
self.assertEqual(3, fake_execute.call_count)
|
self.assertEqual(3, fake_execute.call_count)
|
||||||
|
self.assertTrue(exists_mock.called)
|
||||||
|
self.assertTrue(remove_mock.called)
|
||||||
|
|
||||||
|
@mock.patch('os.remove')
|
||||||
|
@mock.patch('os.path.exists', return_value=False)
|
||||||
|
def test_ensure_configs(self, exists_mock, remove_mock):
|
||||||
|
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
|
||||||
|
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||||
|
self.ipsec_process.ensure_configs()
|
||||||
|
expected = [mock.call(['chown', '--from=%s' % os.getuid(),
|
||||||
|
'root:root',
|
||||||
|
self.ipsec_process._get_config_filename(
|
||||||
|
'ipsec.secrets')]),
|
||||||
|
mock.call(['ipsec', '_stackmanager', 'start']),
|
||||||
|
mock.call(['ipsec', 'checknss',
|
||||||
|
self.ipsec_process.etc_dir])]
|
||||||
|
fake_execute.assert_has_calls(expected)
|
||||||
|
self.assertEqual(3, fake_execute.call_count)
|
||||||
|
self.assertTrue(exists_mock.called)
|
||||||
|
self.assertFalse(remove_mock.called)
|
||||||
|
|
||||||
|
exists_mock.reset_mock()
|
||||||
|
remove_mock.reset_mock()
|
||||||
|
|
||||||
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
|
||||||
fake_execute.side_effect = [None, None, RuntimeError, None]
|
fake_execute.side_effect = [None, None, RuntimeError, None]
|
||||||
@ -1029,6 +1054,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
|
|||||||
self.ipsec_process.etc_dir])]
|
self.ipsec_process.etc_dir])]
|
||||||
fake_execute.assert_has_calls(expected)
|
fake_execute.assert_has_calls(expected)
|
||||||
self.assertEqual(4, fake_execute.call_count)
|
self.assertEqual(4, fake_execute.call_count)
|
||||||
|
self.assertTrue(exists_mock.called)
|
||||||
|
self.assertFalse(remove_mock.called)
|
||||||
|
|
||||||
|
|
||||||
class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):
|
class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):
|
||||||
|
Loading…
Reference in New Issue
Block a user