openstack/neutron-vpnaas
Code Issues Proposed changes

Merge "Remove root owned ipsec.secrets for ensure_configs"

Browse Source
This commit is contained in:
Jenkins 2015-10-09 21:39:03 +00:00 committed by Gerrit Code Review
commit 4733b73b7f
2 changed files with 43 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
neutron_vpnaas/services/vpn/device_drivers/libreswan_ipsec.py
View File

@ -17,7 +17,7 @@ import os.path
import eventlet
from neutron.i18n import _LE, _LW
from neutron.i18n import _LE, _LI, _LW
from oslo_config import cfg
from oslo_log import log as logging
@ -58,13 +58,21 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
Initialise the nssdb, otherwise pluto daemon will fail to run.
"""
# Since we set ipsec.secrets to be owned by root, the standard
# mechanisms for setting up the config files will get a permission
# problem when attempting to overwrite the file, so we need to
# remove it first.
secrets_file = self._get_config_filename('ipsec.secrets')
if os.path.exists(secrets_file):
os.remove(secrets_file)
super(LibreSwanProcess, self).ensure_configs()
# LibreSwan uses the capabilities library to restrict access to
# ipsec.secrets to users that have explicit access. Since pluto is
# running as root and the file has 0600 perms, we must set the
# owner of the file to root.
secrets_file = self._get_config_filename('ipsec.secrets')
self._execute(['chown', '--from=%s' % os.getuid(), 'root:root',
secrets_file])
@ -108,7 +116,9 @@ class LibreSwanProcess(ipsec.OpenSwanProcess):
return True
except IOError as e:
LOG.error(_LE('Unable to check control files on startup for '
# This is logged as "info" instead of error because it simply
# means that we couldn't find the files to check on them.
LOG.info(_LI('Unable to find control files on startup for '
'router %(router)s: %(msg)s'),
{'router': self.id, 'msg': e})
return False

29
neutron_vpnaas/tests/unit/services/vpn/device_drivers/test_ipsec.py
View File

@ -1001,7 +1001,9 @@ class TestLibreSwanProcess(base.BaseTestCase):
self.assertTrue(self.ipsec_process._process_running())
self.assertTrue(log_mock.called)
def test_ensure_configs(self):
@mock.patch('os.remove')
@mock.patch('os.path.exists', return_value=True)
def test_ensure_configs_on_restart(self, exists_mock, remove_mock):
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
self.ipsec_process.ensure_configs()
@ -1014,6 +1016,29 @@ class TestLibreSwanProcess(base.BaseTestCase):
self.ipsec_process.etc_dir])]
fake_execute.assert_has_calls(expected)
self.assertEqual(3, fake_execute.call_count)
self.assertTrue(exists_mock.called)
self.assertTrue(remove_mock.called)
@mock.patch('os.remove')
@mock.patch('os.path.exists', return_value=False)
def test_ensure_configs(self, exists_mock, remove_mock):
openswan_ipsec.OpenSwanProcess.ensure_configs = mock.Mock()
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
self.ipsec_process.ensure_configs()
expected = [mock.call(['chown', '--from=%s' % os.getuid(),
'root:root',
self.ipsec_process._get_config_filename(
'ipsec.secrets')]),
mock.call(['ipsec', '_stackmanager', 'start']),
mock.call(['ipsec', 'checknss',
self.ipsec_process.etc_dir])]
fake_execute.assert_has_calls(expected)
self.assertEqual(3, fake_execute.call_count)
self.assertTrue(exists_mock.called)
self.assertFalse(remove_mock.called)
exists_mock.reset_mock()
remove_mock.reset_mock()
with mock.patch.object(self.ipsec_process, '_execute') as fake_execute:
fake_execute.side_effect = [None, None, RuntimeError, None]
@ -1029,6 +1054,8 @@ class TestLibreSwanProcess(base.BaseTestCase):
self.ipsec_process.etc_dir])]
fake_execute.assert_has_calls(expected)
self.assertEqual(4, fake_execute.call_count)
self.assertTrue(exists_mock.called)
self.assertFalse(remove_mock.called)
class IPsecStrongswanDeviceDriverLegacy(IPSecDeviceLegacy):