path: root/tests/functional/authentication/test_auth_reject_allow.py
#  Copyright (C) 2017-2018  Red Hat, Inc. <http://www.redhat.com>
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License along
#  with this program; if not, write to the Free Software Foundation, Inc.,
#  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

""" Description:
        Test cases in this module test the authentication allow feature
        using the auth.allow and auth.reject volume options
"""
import copy
from glusto.core import Glusto as g
from glustolibs.gluster.gluster_base_class import (GlusterBaseClass,
                                                   runs_on)
from glustolibs.gluster.glusterdir import mkdir
from glustolibs.gluster.exceptions import ExecutionError
from glustolibs.gluster.auth_ops import set_auth_allow, set_auth_reject


@runs_on([['replicated', 'distributed', 'distributed-replicated',
           'dispersed', 'distributed-dispersed'],
          ['glusterfs']])
class FuseAuthRejectAllow(GlusterBaseClass):
    """
    Tests to verify auth.reject and auth.allow volume options in volume and
    sub-directory level on fuse mount.
    """
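    @classmethod
    def setUpClass(cls):
        """
        Run the base class setup, then create and start the volume.

        Raises:
            ExecutionError: If the volume could not be set up and started.
        """
        # Bound methods expose the underlying function as __func__ on both
        # Python 2.6+ and Python 3; im_func exists only on Python 2.
        GlusterBaseClass.setUpClass.__func__(cls)

        # Create and start volume
        g.log.info("Starting volume setup process %s", cls.volname)
        if not cls.setup_volume():
            raise ExecutionError("Failed to setup "
                                 "and start volume %s" % cls.volname)
        g.log.info("Successfully created and started the volume: %s",
                   cls.volname)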

    def authenticated_mount(self, mount_obj):
        """
        Mount the volume/sub-directory on a client that is expected to be
        allowed, and fail the test if the mount does not succeed.

        Args:
            mount_obj(obj): Object of GlusterMount class
        """
        # Step 1: issue the mount and require that it reports success.
        mount_ok = mount_obj.mount()
        target = (mount_obj.volname, mount_obj.client_system)
        self.assertTrue(mount_ok,
                        "Failed to mount %s on client %s" % target)
        g.log.info("Successfully mounted %s on client %s", *target)

        # Step 2: confirm independently that the mount point is really there.
        present = mount_obj.is_mounted()
        self.assertTrue(present,
                        "%s is not mounted on client %s" % target)
        g.log.info("Verified: %s is mounted on client %s", *target)

    def unauthenticated_mount(self, mount_obj):
        """
        Try to mount the volume/sub-directory on a client that is expected
        to be rejected, and fail the test if it ends up mounted.

        Args:
            mount_obj(obj): Object of GlusterMount class
        """
        # The return value of mount() is deliberately ignored: the mount
        # command sometimes exits with 0 even when the mount failed
        # (BZ 1590711). Whether the client was rejected is decided only by
        # checking if the mount point actually exists afterwards.
        mount_obj.mount()

        got_mounted = mount_obj.is_mounted()
        # An unexpected successful mount is cleaned up before the assertion
        # below aborts the test.
        if got_mounted and not mount_obj.unmount():
            g.log.error("Failed to unmount %s from client %s",
                        mount_obj.volname, mount_obj.client_system)

        failure_msg = ("Mount operation did not fail as "
                       "expected. Mount operation of "
                       "%s on client %s passed. "
                       "Mount point: %s"
                       % (mount_obj.volname,
                          mount_obj.client_system,
                          mount_obj.mountpoint))
        self.assertFalse(got_mounted, failure_msg)
        g.log.info("Mount operation of %s on client %s failed as "
                   "expected", mount_obj.volname, mount_obj.client_system)

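    def is_auth_failure(self, client_ip, previous_log_statement=''):
        """
        Check if the mount failure is due to authentication error

        The newest entry in /var/log/glusterfs/ on the client is searched
        for AUTH_FAILED, and the last matching line must be non-empty and
        different from the one recorded for the previous rejection.

        Args:
            client_ip(str): IP of client in which mount failure has to be
                verified.
            previous_log_statement(str): AUTH_FAILED message of previous mount
                failure due to auth error(if any). This is used to distinguish
                between the current and previous message.
        Return(str):
            Latest AUTH_FAILED event log message.
        """
        # Command to find the log file: newest entry by modification time.
        # NOTE(review): this assumes the newest entry is the log of the mount
        # attempt that was just made - confirm no other process writes there.
        cmd = "ls /var/log/glusterfs/ -1t | head -1"
        ret, out, _ = g.run(client_ip, cmd)
        self.assertEqual(ret, 0, "Failed to find the log file.")
        log_file = out.strip()
        # Unless the remote shell enables pipefail, the status of a pipeline
        # is that of its last command, so a failing `ls` is only visible as
        # empty output.
        self.assertTrue(log_file, "Failed to find the log file.")

        # Command to fetch latest AUTH_FAILED event log message.
        cmd = "grep AUTH_FAILED /var/log/glusterfs/%s | tail -1" % log_file
        ret, current_log_statement, _ = g.run(client_ip, cmd)
        self.assertEqual(ret, 0, "Mount failure is not due to auth error")
        current_log_statement = current_log_statement.strip()
        # For the same reason `tail` hides a `grep` that matched nothing.
        # Without this check an empty result would differ from a non-empty
        # previous_log_statement and be accepted as proof of a rejection.
        self.assertTrue(current_log_statement,
                        "Mount failure is not due to auth error")

        # Check whether the AUTH_FAILED log is of the latest mount failure
        self.assertNotEqual(current_log_statement,
                            previous_log_statement,
                            "Mount failure is not due to authentication "
                            "error")
        g.log.info("Mount operation has failed due to authentication error")
        return current_log_statement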

    def test_auth_reject_allow(self):
        """
        Verify auth.reject and auth.allow volume options in volume level using
        both client ip and hostname.
        Verify auth.reject and auth.allow volume options in sub-directory
        level using both client ip and hostname.

        client1 is self.mounts[0] (always the rejected client) and client2 is
        self.mounts[1] (always the allowed client).

        Steps:
        1. Create and start volume.
        2. Set auth.reject on volume for client1 using ip of client1.
        3. Set auth.allow on volume for client2 using ip of client2.
        4. Try to mount volume on client1. This should fail.
        5. Check the client1 log for AUTH_FAILED event.
        6. Mount volume on client2.
        7. Unmount the volume from client2.
        8. Set auth.reject on volume for client1 using hostname of client1.
        9. Set auth.allow on volume for client2 using hostname of client2.
        10. Repeat steps 4 to 6
        11. Create directory d1 on client2 mountpoint.
        12. Unmount the volume from client2.
        13. Set auth.reject on d1 for client1 using ip of client1.
        14. Set auth.allow on d1 for client2 using ip of client2.
        15. Try to mount d1 on client1. This should fail.
        16. Check the client1 log for AUTH_FAILED event.
        17. Mount d1 on client2.
        18. Unmount d1 from client2.
        19. Set auth.reject on d1 for client1 using hostname of client1.
        20. Set auth.allow on d1 for client2 using hostname of client2.
        21. Repeat steps 15 to 18.
        """
        # pylint: disable = too-many-statements
        # Setting auth.reject on volume for client1 using ip
        # NOTE(review): client_system is presumably the client's IP address,
        # as the step list says - confirm against the test configuration.
        # The 'all' key is used for the volume-level rules.
        auth_dict = {'all': [self.mounts[0].client_system]}
        ret = set_auth_reject(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.reject volume option.")
        g.log.info("Successfully set auth.reject option on volume")

        # Setting auth.allow on volume for client2 using ip
        auth_dict = {'all': [self.mounts[1].client_system]}
        ret = set_auth_allow(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.allow volume option")
        g.log.info("Successfully set auth.allow option on volume")

        # Trying to mount volume on client1
        self.unauthenticated_mount(self.mounts[0])

        # Verify whether mount failure on client1 is due to auth error
        # The returned AUTH_FAILED line is remembered and handed to the next
        # check, so that a stale line from this rejection is not accepted as
        # evidence for a later one.
        log_msg = self.is_auth_failure(self.mounts[0].client_system)
        prev_log_statement = log_msg

        # Mounting volume on client2
        self.authenticated_mount(self.mounts[1])

        g.log.info("Verification of auth.reject and auth.allow options on "
                   "volume using client IP is successful")

        # Unmount volume from client2
        ret = self.mounts[1].unmount()
        self.assertTrue(ret, ("Failed to unmount volume %s from client %s"
                              % (self.volname, self.mounts[1].client_system)))

        # Obtain hostname of client1
        # The command output is stripped wherever it is used below, which
        # removes surrounding whitespace such as a trailing newline.
        ret, hostname_client1, _ = g.run(self.mounts[0].client_system,
                                         "hostname")
        self.assertEqual(ret, 0, ("Failed to obtain hostname of client %s"
                                  % self.mounts[0].client_system))
        g.log.info("Obtained hostname of client. IP- %s, hostname- %s",
                   self.mounts[0].client_system, hostname_client1.strip())

        # Obtain hostname of client2
        ret, hostname_client2, _ = g.run(self.mounts[1].client_system,
                                         "hostname")
        self.assertEqual(ret, 0, ("Failed to obtain hostname of client %s"
                                  % self.mounts[1].client_system))
        g.log.info("Obtained hostname of client. IP- %s, hostname- %s",
                   self.mounts[1].client_system, hostname_client2.strip())

        # Setting auth.reject on volume for client1 using hostname
        auth_dict = {'all': [hostname_client1.strip()]}
        ret = set_auth_reject(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.reject volume option.")
        g.log.info("Successfully set auth.reject option on volume")

        # Setting auth.allow on volume for client2 using hostname
        auth_dict = {'all': [hostname_client2.strip()]}
        ret = set_auth_allow(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.allow volume option")
        g.log.info("Successfully set auth.allow option on volume")

        # Trying to mount volume on client1
        self.unauthenticated_mount(self.mounts[0])

        # Verify whether mount failure on client1 is due to auth error
        # The line from the IP-based rejection is passed in so that only a
        # different AUTH_FAILED line counts.
        log_msg = self.is_auth_failure(self.mounts[0].client_system,
                                       prev_log_statement)
        prev_log_statement = log_msg

        # Mounting volume on client2
        self.authenticated_mount(self.mounts[1])

        g.log.info("Verification of auth.reject and auth.allow options on "
                   "volume using client hostname is successful")

        # Creating sub directory d1 on mounted volume
        # This is done through client2's mount, the only one that succeeded.
        ret = mkdir(self.mounts[1].client_system, "%s/d1"
                    % self.mounts[1].mountpoint)
        self.assertTrue(ret, ("Failed to create directory 'd1' in volume %s "
                              "from client %s"
                              % (self.volname, self.mounts[1].client_system)))

        # Unmount volume from client2
        ret = self.mounts[1].unmount()
        self.assertTrue(ret, ("Failed to unmount volume %s from client %s"
                              % (self.volname, self.mounts[1].client_system)))

        # Setting auth.reject on d1 for client1 using ip
        # The sub-directory rules use the '/d1' key instead of 'all'.
        auth_dict = {'/d1': [self.mounts[0].client_system]}
        ret = set_auth_reject(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.reject volume option.")
        g.log.info("Successfully set auth.reject option.")

        # Setting auth.allow on d1 for client2 using ip
        auth_dict = {'/d1': [self.mounts[1].client_system]}
        ret = set_auth_allow(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.allow volume option")
        g.log.info("Successfully set auth.allow option.")

        # Creating mount object for sub-directory mount on client1
        # A deep copy is modified so that the entries of self.mounts keep
        # their original volname.
        mount_obj_client1 = copy.deepcopy(self.mounts[0])
        mount_obj_client1.volname = "%s/d1" % self.volname

        # Creating mount object for sub-directory mount on client2
        mount_obj_client2 = copy.deepcopy(self.mounts[1])
        mount_obj_client2.volname = "%s/d1" % self.volname

        # Trying to mount d1 on client1
        self.unauthenticated_mount(mount_obj_client1)

        # Verify whether mount failure on client1 is due to auth error
        log_msg = self.is_auth_failure(mount_obj_client1.client_system,
                                       prev_log_statement)
        prev_log_statement = log_msg

        # Mounting d1 on client2
        self.authenticated_mount(mount_obj_client2)

        g.log.info("Verification of auth.reject and auth.allow options on "
                   "sub-directory level using client IP is successful")

        # Unmount d1 from client2
        ret = mount_obj_client2.unmount()
        self.assertTrue(ret, ("Failed to unmount %s from client %s"
                              % (mount_obj_client2.volname,
                                 mount_obj_client2.client_system)))

        # Setting auth.reject on d1 for client1 using hostname
        auth_dict = {'/d1': [hostname_client1.strip()]}
        ret = set_auth_reject(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.reject volume option.")
        g.log.info("Successfully set auth.reject option.")

        # Setting auth.allow on d1 for client2 using hostname
        auth_dict = {'/d1': [hostname_client2.strip()]}
        ret = set_auth_allow(self.volname, self.mnode, auth_dict)
        self.assertTrue(ret, "Failed to set auth.allow volume option")
        g.log.info("Successfully set auth.allow option.")

        # Trying to mount d1 on client1
        self.unauthenticated_mount(mount_obj_client1)

        # Verify whether mount failure on client1 is due to auth error
        # This is the last rejection check, so the returned line is not kept.
        self.is_auth_failure(mount_obj_client1.client_system,
                             prev_log_statement)

        # Mounting d1 on client2
        self.authenticated_mount(mount_obj_client2)

        g.log.info("Verification of auth.reject and auth.allow options on "
                   "sub-directory level using client hostname is successful")

        # Unmount d1 from client2
        ret = mount_obj_client2.unmount()
        self.assertTrue(ret, ("Failed to unmount %s from client %s"
                              % (mount_obj_client2.volname,
                                 mount_obj_client2.client_system)))

    def tearDown(self):
        """
        Clean up the volume after the test.

        Raises:
            ExecutionError: If the volume cleanup reports failure.
        """
        g.log.info("Cleaning up volume")
        if not self.cleanup_volume():
            raise ExecutionError("Failed to cleanup volume.")
        g.log.info("Volume cleanup was successful.")