Added regression test against fetcher SSL spillover. Review: https://reviews.apache.org/r/56771/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/209f8e7f Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/209f8e7f Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/209f8e7f Branch: refs/heads/master Commit: 209f8e7fd1c9da1140976748f85d05a426848e0e Parents: 916a43e Author: Till Toenshoff <[email protected]> Authored: Thu Feb 23 01:53:50 2017 +0100 Committer: Till Toenshoff <[email protected]> Committed: Thu Feb 23 01:53:50 2017 +0100 ---------------------------------------------------------------------- src/tests/fetcher_tests.cpp | 61 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/209f8e7f/src/tests/fetcher_tests.cpp ----------------------------------------------------------------------
diff --git a/src/tests/fetcher_tests.cpp b/src/tests/fetcher_tests.cpp
index 9c7e8b9..c4854b9 100644
--- a/src/tests/fetcher_tests.cpp
+++ b/src/tests/fetcher_tests.cpp
@@ -1088,6 +1088,67 @@ TEST_F(FetcherTest, HdfsURI)
 }
 #endif // __WINDOWS__
 
+
+// Regression test against unwanted environment inheritance from the
+// agent towards the fetcher. By supplying an invalid SSL setup, we
+// force the fetcher to fail if the parent process does not filter
+// them out.
+TEST_F_TEMP_DISABLED_ON_WINDOWS(FetcherTest, SSLEnvironmentSpillover)
+{
+ // Patch some critical libprocess environment variables into the
+ // parent process of the mesos-fetcher. We expect this test to fail
+ // when the code path triggered does not filter them.
+ char* enabled = getenv("LIBPROCESS_SSL_ENABLED");
+ char* key = getenv("LIBPROCESS_SSL_KEY_FILE");
+
+ os::setenv("LIBPROCESS_SSL_ENABLED", "true");
+ os::unsetenv("LIBPROCESS_SSL_KEY_FILE");
+
+ // First construct a temporary file that can be fetched and archived with
+ // gzip.
+ Try<string> dir = os::mkdtemp(path::join(os::getcwd(), "XXXXXX"));
+ ASSERT_SOME(dir);
+
+ Try<string> path = os::mktemp(path::join(dir.get(), "XXXXXX"));
+ ASSERT_SOME(path);
+
+ ASSERT_SOME(os::write(path.get(), "hello world"));
+ ASSERT_SOME(os::shell("gzip " + path.get()));
+
+ ContainerID containerId;
+ containerId.set_value(UUID::random().toString());
+
+ CommandInfo commandInfo;
+ CommandInfo::URI* uri = commandInfo.add_uris();
+ uri->set_value(path.get() + ".gz");
+ uri->set_extract(true);
+
+ slave::Flags flags;
+ flags.launcher_dir = getLauncherDir();
+
+ Fetcher fetcher;
+ SlaveID slaveId;
+
+ Future<Nothing> fetch = fetcher.fetch(
+ containerId, commandInfo, os::getcwd(), None(), slaveId, flags);
+
+ // The mesos-fetcher runnable will fail initializing libprocess if
+ // the SSL environment spilled over. Such failure would cause it to
+ // abort and exit and that in turn would fail the `fetch` returned
+ // future.
+ AWAIT_READY(fetch);
+
+ if (enabled != nullptr) {
+ os::setenv("LIBPROCESS_SSL_ENABLED", enabled);
+ } else {
+ os::unsetenv("LIBPROCESS_SSL_ENABLED");
+ }
+
+ if (key != nullptr) {
+ os::setenv("LIBPROCESS_SSL_KEY_FILE", key);
+ }
+}
+
 } // namespace tests {
 } // namespace internal {
 } // namespace mesos {
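Review bot: The environment restore at the end of `SSLEnvironmentSpillover` is skipped whenever one of the `ASSERT_SOME` checks or `AWAIT_READY(fetch)` fails, since those appear to be fatal gtest assertions that return from the test body early; in exactly the regression case the test process keeps `LIBPROCESS_SSL_ENABLED=true` with no key file, and any later test that spawns a subprocess would inherit that broken SSL setup. Restore the variables from the fixture's `TearDown` or a scope guard, or at least build the temporary file before patching the environment and wait with the non-fatal `AWAIT_EXPECT_READY(fetch);`. Separately, `enabled` and `key` are raw `getenv()` pointers held across `os::setenv`/`os::unsetenv`, and POSIX allows those calls to overwrite or invalidate that storage, so the saved values should be copies, e.g. `Option<string> enabled = os::getenv("LIBPROCESS_SSL_ENABLED");`.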
