From 6b33cf99f43892a22f1ab4124b10c49462b9cbc2 Mon Sep 17 00:00:00 2001 From: Clay Gerrard Date: Wed, 11 Dec 2019 12:14:50 -0600 Subject: [PATCH] WSGI server workers must drop_privledges ... just like they always have and server per port strategy still does. Related-Change-Id: I3e5229d2fb04be67e53533ff65b0870038accbb7 Change-Id: I14e3ed201ceaceef0f8dbc44685395f350a0e7fc --- swift/common/wsgi.py | 24 ++++++++---------------- test/unit/common/test_wsgi.py | 25 ++++++++++++------------- 2 files changed, 20 insertions(+), 29 deletions(-) diff --git a/swift/common/wsgi.py b/swift/common/wsgi.py index c71d412860..33fe7a9314 100644 --- a/swift/common/wsgi.py +++ b/swift/common/wsgi.py @@ -695,6 +695,14 @@ class StrategyBase(object): Some operations common to all strategy classes. """ + def post_fork_hook(self): + """ + Called in each forked-off child process, prior to starting the actual + wsgi server, to perform any initialization such as drop privileges. + """ + + drop_privileges(self.conf.get('user', 'swift')) + def shutdown_sockets(self): """ Shutdown any listen sockets. @@ -785,14 +793,6 @@ class WorkersStrategy(StrategyBase): while len(self.children) < self.worker_count: yield self.sock, None - def post_fork_hook(self): - """ - Perform any initialization in a forked-off child process prior to - starting the wsgi server. - """ - - pass - def log_sock_exit(self, sock, _unused): """ Log a server's exit. @@ -1071,14 +1071,6 @@ class ServersPerPortStrategy(StrategyBase): # can close and forget them. self.port_pid_state.forget_port(orphan_pair[0]) - def post_fork_hook(self): - """ - Called in each child process, prior to starting the actual wsgi server, - to drop privileges. - """ - - drop_privileges(self.conf.get('user', 'swift')) - def log_sock_exit(self, sock, server_idx): """ Log a server's exit. diff --git a/test/unit/common/test_wsgi.py b/test/unit/common/test_wsgi.py index b72c415505..76743c7dfe 100644 --- a/test/unit/common/test_wsgi.py +++ b/test/unit/common/test_wsgi.py @@ -1284,7 +1284,17 @@ class TestProxyProtocol(unittest.TestCase): self.assertEqual(proxy_obj.get_environ(), expected_env) -class TestServersPerPortStrategy(unittest.TestCase): +class CommonTestMixin(object): + + def test_post_fork_hook(self): + self.strategy.post_fork_hook() + + self.assertEqual([ + mock.call('bob'), + ], self.mock_drop_privileges.mock_calls) + + +class TestServersPerPortStrategy(unittest.TestCase, CommonTestMixin): def setUp(self): self.logger = FakeLogger() self.conf = { @@ -1495,13 +1505,6 @@ class TestServersPerPortStrategy(unittest.TestCase): # This is one of the workers for port 6006 that already got reaped. self.assertIsNone(self.strategy.register_worker_exit(89)) - def test_post_fork_hook(self): - self.strategy.post_fork_hook() - - self.assertEqual([ - mock.call('bob'), - ], self.mock_drop_privileges.mock_calls) - def test_shutdown_sockets(self): self.strategy.do_bind_ports() @@ -1520,7 +1523,7 @@ class TestServersPerPortStrategy(unittest.TestCase): ], self.s2.mock_calls) -class TestWorkersStrategy(unittest.TestCase): +class TestWorkersStrategy(unittest.TestCase, CommonTestMixin): def setUp(self): self.logger = FakeLogger() self.conf = { @@ -1615,10 +1618,6 @@ class TestWorkersStrategy(unittest.TestCase): 'Started child %s from parent %s' % (90, mypid), ], self.logger.get_lines_for_level('notice')) - def test_post_fork_hook(self): - # Just don't crash or do something stupid - self.assertIsNone(self.strategy.post_fork_hook()) - def test_shutdown_sockets(self): self.mock_get_socket.return_value = mock.MagicMock() self.strategy.do_bind_ports()