test_appenv.py
import pytest
import testutils
# Shared SecureDrop test variables; this module reads app_hostname, pip_deps,
# securedrop_venv, securedrop_user and securedrop_code from it.
sdvars = testutils.securedrop_test_vars
# Module-level host list read by testinfra: every check in this file runs
# against the application server only.
testinfra_hosts = [sdvars.app_hostname]
@pytest.mark.parametrize("exp_pip_pkg", sdvars.pip_deps)
def test_app_pip_deps(host, exp_pip_pkg):
    """Check that each pinned pip dependency is installed at the expected version.

    The version is read from inside the application virtualenv with
    ``importlib.metadata`` and compared with the ``version`` field of the
    parametrized package entry.
    """
    # NOTE(review): the package name is interpolated into a shell command
    # unquoted. That is acceptable only while sdvars.pip_deps comes from the
    # repository's own test variables and never from external input.
    template = "{}/bin/python3 -c \"from importlib.metadata import version; print(version('{}'))\""  # noqa
    version_probe = template.format(sdvars.securedrop_venv, exp_pip_pkg["name"])
    probe_result = host.run(version_probe)
    installed_version = probe_result.stdout.strip()
    # A failed probe yields empty stdout, so the comparison also catches a
    # package that is missing from the virtualenv.
    assert installed_version == exp_pip_pkg["version"]
@pytest.mark.skip_in_prod()
def test_app_wsgi(host):
    """Check the source interface WSGI file in staging.

    The file must be a regular file owned by root:root with mode 0644, and it
    must enable logging to stderr. The test carries the project's
    ``skip_in_prod`` marker.
    """
    wsgi_file = host.file("/var/www/source.wsgi")
    # NOTE(review): the second pattern assumes `contains` matches with grep
    # basic regular expressions, where unescaped parentheses are literal;
    # confirm before switching the matcher or the pattern syntax.
    logging_patterns = (
        "^import logging$",
        r"^logging\.basicConfig(stream=sys\.stderr)$",
    )
    with host.sudo():
        assert wsgi_file.is_file
        # Root-owned and not group/world-writable: the web server user can
        # read the entry point but cannot modify it.
        assert wsgi_file.mode == 0o644
        assert wsgi_file.user == "root"
        assert wsgi_file.group == "root"
        for pattern in logging_patterns:
            assert wsgi_file.contains(pattern)
def test_pidfile(host):
    """Check that neither the journalist nor the source app left a pid file in /tmp."""
    for pid_path in ("/tmp/journalist.pid", "/tmp/source.pid"):
        assert not host.file(pid_path).exists
@pytest.mark.parametrize(
    ("app_dir", "owner"),
    [
        ("/var/www/securedrop", "root"),
        ("/var/lib/securedrop", "www-data"),
        ("/var/lib/securedrop/store", "www-data"),
        ("/var/lib/securedrop/keys", "www-data"),
        ("/var/lib/securedrop/tmp", "www-data"),
    ],
)
def test_app_directories(host, app_dir, owner):
    """Check that each SecureDrop directory exists with the expected owner and mode.

    Root-owned directories must be 0755; directories owned by any other
    account (here www-data) must be 0700, so that only the owning account can
    enter them.
    """
    if owner == "root":
        expected_mode = 0o755
    else:
        expected_mode = 0o700
    directory = host.file(app_dir)
    with host.sudo():
        assert directory.is_directory
        # User and group are both expected to equal the parametrized owner.
        assert directory.user == owner
        assert directory.group == owner
        assert directory.mode == expected_mode
def test_config_permissions(host):
    """Check that config.py is root:www-data with mode 0640.

    With that ownership and mode the www-data group can read the file but not
    write it, and other accounts have no access.
    """
    config_file = host.file("/var/www/securedrop/config.py")
    expected_attributes = (
        ("user", "root"),
        ("group", "www-data"),
        ("mode", 0o640),
    )
    with host.sudo():
        assert config_file.is_file
        for attribute, expected in expected_attributes:
            assert getattr(config_file, attribute) == expected
def test_app_code_pkg(host):
    """Check that the securedrop-app-code package is installed on the host."""
    app_code_package = host.package("securedrop-app-code")
    assert app_code_package.is_installed
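def test_app_code_venv(host):
    """
    Ensure the securedrop-app-code virtualenv is correct.

    Runs a shell one-liner that requires VIRTUAL_ENV to be empty beforehand,
    sources the virtualenv's ``activate`` script, and then requires
    VIRTUAL_ENV to equal the configured virtualenv path. The test passes when
    the whole chain exits with status 0.
    """
    venv_path = sdvars.securedrop_venv
    # "$VIRTUAL_ENV" is quoted so that `test -z` always receives exactly one
    # operand. Unquoted, an empty value made the check pass only through the
    # one-argument form of `test`, and a value containing whitespace would
    # have been word-split into a malformed expression.
    cmd = """test -z "$VIRTUAL_ENV" && . {}/bin/activate && test "$VIRTUAL_ENV" = "{}" """.format(
        venv_path, venv_path
    )
    result = host.run(cmd)
    assert result.rc == 0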
def test_supervisor_not_installed(host):
    """Check that the supervisor package is absent from the host."""
    supervisor_package = host.package("supervisor")
    # Identity comparison on purpose: only an explicit False passes.
    assert supervisor_package.is_installed is False
@pytest.mark.skip_in_prod()
def test_gpg_key_in_keyring(host):
    """Check that the test GPG key is listed in the application keyring.

    The keyring under /var/lib/securedrop/keys is queried as the SecureDrop
    user. The test carries the project's ``skip_in_prod`` marker.
    """
    list_keys_cmd = "gpg --homedir /var/lib/securedrop/keys " "--list-keys 28271441"
    # NOTE(review): the key is identified by an 8-character ID plus a date
    # string (presumably its creation date); this confirms presence of the
    # fixture key, it is not a full-fingerprint verification.
    expected_markers = ("2013-10-12", "28271441")
    with host.sudo(sdvars.securedrop_user):
        listing = host.run(list_keys_cmd)
        for marker in expected_markers:
            assert marker in listing.stdout
def test_ensure_logo(host):
    """Check that the default logo file is root:root with mode 0644.

    There is no explicit existence assertion; the checks rely on reading the
    file's mode, owner and group.
    """
    logo_path = f"{sdvars.securedrop_code}/static/i/logo.png"
    logo = host.file(logo_path)
    expected_attributes = (
        ("mode", 0o644),
        ("user", "root"),
        ("group", "root"),
    )
    with host.sudo():
        for attribute, expected in expected_attributes:
            assert getattr(logo, attribute) == expected
@pytest.mark.parametrize("user", ["root", "www-data"])
def test_empty_crontabs(host, user):
    """Check that the root and www-data accounts have no crontab entries.

    An unexpected crontab on either account would be an unreviewed scheduled
    task, so the listing command is required to report an empty crontab.
    """
    list_crontab_cmd = f"crontab -u {user} -l"
    # `crontab -l` exits with status 1 when the user has no crontab, so 1 is
    # the only accepted exit code.
    accepted_exit_codes = [1]
    with host.sudo():
        host.run_expect(accepted_exit_codes, list_crontab_cmd)