|
| 1 | +import importlib |
| 2 | +import sys |
| 3 | +import types |
| 4 | +import unittest |
| 5 | + |
| 6 | + |
| 7 | +def _install_stubs(): |
| 8 | + config_loader = types.ModuleType("utils.config_loader") |
| 9 | + config_loader.CONFIG_MANAGER = types.SimpleNamespace( |
| 10 | + get=lambda key, default=None: {"puid": 1000, "pgid": 1000}.get(key, default) |
| 11 | + ) |
| 12 | + sys.modules["utils.config_loader"] = config_loader |
| 13 | + |
| 14 | + global_logger = types.ModuleType("utils.global_logger") |
| 15 | + global_logger.logger = types.SimpleNamespace( |
| 16 | + debug=lambda *args, **kwargs: None, |
| 17 | + error=lambda *args, **kwargs: None, |
| 18 | + info=lambda *args, **kwargs: None, |
| 19 | + warning=lambda *args, **kwargs: None, |
| 20 | + ) |
| 21 | + sys.modules["utils.global_logger"] = global_logger |
| 22 | + |
| 23 | + |
| 24 | +_install_stubs() |
| 25 | +sys.modules.pop("utils.user_management", None) |
| 26 | +user_management = importlib.import_module("utils.user_management") |
| 27 | + |
| 28 | + |
| 29 | +class UserManagementSecurityTests(unittest.TestCase): |
| 30 | + def test_hash_user_password_uses_stdin_without_shell(self): |
| 31 | + calls = [] |
| 32 | + |
| 33 | + def fake_run(*args, **kwargs): |
| 34 | + calls.append((args, kwargs)) |
| 35 | + return types.SimpleNamespace(stdout="$6$hashed\n") |
| 36 | + |
| 37 | + original_run = user_management.subprocess.run |
| 38 | + user_management.subprocess.run = fake_run |
| 39 | + try: |
| 40 | + hashed = user_management._hash_user_password("raw-password") |
| 41 | + finally: |
| 42 | + user_management.subprocess.run = original_run |
| 43 | + |
| 44 | + self.assertEqual(hashed, "$6$hashed") |
| 45 | + self.assertEqual(calls[0][0][0], ["openssl", "passwd", "-6", "-stdin"]) |
| 46 | + self.assertEqual(calls[0][1]["input"], "raw-password") |
| 47 | + self.assertTrue(calls[0][1]["capture_output"]) |
| 48 | + self.assertTrue(calls[0][1]["text"]) |
| 49 | + self.assertTrue(calls[0][1]["check"]) |
| 50 | + self.assertNotIn("shell", calls[0][1]) |
| 51 | + |
| 52 | + def test_set_user_password_uses_argument_list_without_shell(self): |
| 53 | + calls = [] |
| 54 | + |
| 55 | + def fake_run(*args, **kwargs): |
| 56 | + calls.append((args, kwargs)) |
| 57 | + return types.SimpleNamespace(returncode=0) |
| 58 | + |
| 59 | + original_run = user_management.subprocess.run |
| 60 | + user_management.subprocess.run = fake_run |
| 61 | + try: |
| 62 | + user_management._set_user_password("dumb", "$6$hashed") |
| 63 | + finally: |
| 64 | + user_management.subprocess.run = original_run |
| 65 | + |
| 66 | + self.assertEqual(calls[0][0][0], ["usermod", "-p", "$6$hashed", "dumb"]) |
| 67 | + self.assertTrue(calls[0][1]["check"]) |
| 68 | + self.assertNotIn("shell", calls[0][1]) |
| 69 | + |
| 70 | + def test_generate_user_password_returns_nonempty_random_string(self): |
| 71 | + first = user_management._generate_user_password() |
| 72 | + second = user_management._generate_user_password() |
| 73 | + |
| 74 | + self.assertIsInstance(first, str) |
| 75 | + self.assertGreaterEqual(len(first), 16) |
| 76 | + self.assertNotEqual(first, second) |
| 77 | + |
| 78 | + |
| 79 | +if __name__ == "__main__": |
| 80 | + unittest.main() |
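Review bot: `test_set_user_password_uses_argument_list_without_shell` pins the argv `["usermod", "-p", "$6$hashed", "dumb"]`, which locks in passing the password hash on the command line; while the call runs it is typically readable by other local users through the process list, and the usermod manual discourages `-p` for that reason. The implementation is not visible on this page, but `_hash_user_password` is already tested to feed its secret through stdin, and the setter could follow suit, for example `subprocess.run(["chpasswd", "-e"], input=f"{user}:{hashed}\n", text=True, check=True)`, with this test asserting on `input` rather than argv. If `usermod` stays, a case for a username beginning with `-` would show whether it can be parsed as an option. Separately, `assertNotIn("shell", calls[0][1])` in both tests fails on a harmless explicit `shell=False`; `self.assertFalse(calls[0][1].get("shell", False))` states the intent more precisely.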