Remove access checks in tests under root
author
Kirill Isakov
<bootctl@gmail.com>
Sun, 29 May 2022 15:45:28 +0000
(21:45 +0600)
committer
Kirill Isakov
<bootctl@gmail.com>
Fri, 3 Jun 2022 06:56:18 +0000
(12:56 +0600)
test/integration/cmd_fsck.py
test/integration/cmd_import.py
test/integration/cmd_join.py
test/integration/cmd_keys.py
test/integration/cmd_misc.py
test/integration/testlib/const.py
test/unit/test_fs.c
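--- a/test/integration/cmd_fsck.py
+++ b/test/integration/cmd_fsck.py
@@ -7,14 +7,14 @@ import sys
 import typing as T
 from testlib import check
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.log import log
 from testlib.proc import Tinc, Feature
 from testlib.util import read_text, read_lines, write_lines, append_line, write_text
-run_legacy_checks = Feature.LEGACY_PROTOCOL in Tinc().features
-run_access_checks = os.name != "nt" and os.geteuid() != 0
-run_executability_checks = os.name != "nt"
-run_permission_checks = run_executability_checks
+RUN_LEGACY_CHECKS = Feature.LEGACY_PROTOCOL in Tinc().features
+RUN_EXECUTABILITY_CHECKS = os.name != "nt"
+RUN_PERMISSION_CHECKS = RUN_EXECUTABILITY_CHECKS
 # Sample RSA key pair (old format). Uses e = 0xFFFF.
 RSA_N = """
@@ -132,24 +132,24 @@ def test_private_keys(keyfile: str) -> None:
 keyfile_path = context.node.sub(keyfile)
 os.truncate(keyfile_path, 0)
- if run_legacy_checks:
+ if RUN_LEGACY_CHECKS:
 context.expect_msg("no private key is known", code=0)
 else:
 context.expect_msg("No Ed25519 private key found")
- if run_access_checks:
+ if RUN_ACCESS_CHECKS:
 context = test(f"fail on inaccessible {keyfile}")
 keyfile_path = context.node.sub(keyfile)
 os.chmod(keyfile_path, 0)
- context.expect_msg("Error reading", code=0 if run_legacy_checks else 1)
+ context.expect_msg("Error reading", code=0 if RUN_LEGACY_CHECKS else 1)
- if run_permission_checks:
+ if RUN_PERMISSION_CHECKS:
 context = test(f"warn about unsafe permissions on {keyfile}")
 keyfile_path = context.node.sub(keyfile)
 os.chmod(keyfile_path, 0o666)
 context.expect_msg("unsafe file permissions", code=0)
- if run_legacy_checks:
+ if RUN_LEGACY_CHECKS:
 context = test(f"pass on missing {keyfile} when the other key is present")
 keyfile_path = context.node.sub(keyfile)
 os.remove(keyfile_path)
@@ -211,7 +211,7 @@ ctx.node.cmd("fsck")
 ctx = test("fail when all private keys are missing")
 os.remove(ctx.ec_priv)
-if run_legacy_checks:
+if RUN_LEGACY_CHECKS:
 os.remove(ctx.rsa_priv)
 ctx.expect_msg("Neither RSA or Ed25519 private")
 else:
@@ -262,7 +262,7 @@ test_ec_public_key_file_var(ctx, "tinc.conf")
 ctx = test("test EC public key in hosts/")
 test_ec_public_key_file_var(ctx, "hosts", ctx.node.name)
-if run_access_checks:
+if RUN_ACCESS_CHECKS:
 ctx = test("fail on inaccessible tinc.conf")
 os.chmod(ctx.conf, 0)
 ctx.expect_msg("not running tinc as root")
@@ -271,7 +271,7 @@ if run_access_checks:
 os.chmod(ctx.host, 0)
 ctx.expect_msg("Cannot open config file")
-if run_executability_checks:
+if RUN_EXECUTABILITY_CHECKS:
 ctx = test("non-executable tinc-up MUST be fixed by tinc --force")
 os.chmod(ctx.tinc_up, 0o644)
 ctx.expect_msg("cannot read and execute", force=True, code=0)
@@ -298,7 +298,7 @@ if run_executability_checks:
 ###############################################################################
 # Legacy protocol
 ###############################################################################
-if not run_legacy_checks:
+if not RUN_LEGACY_CHECKS:
 log.info("skipping legacy protocol tests")
 sys.exit(0)
@@ -369,7 +369,7 @@ remove_pem(ctx.host)
 ctx.expect_msg("No (usable) public RSA key found", force=True, code=0)
 ctx.node.cmd("fsck")
-if run_permission_checks:
+if RUN_PERMISSION_CHECKS:
 ctx = test("warn about unsafe permissions on tinc.conf with PrivateKey")
 os.remove(ctx.rsa_priv)
 append_line(ctx.conf, f"PrivateKey = {RSA_D}")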
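Review bot: The blocks gated on `RUN_ACCESS_CHECKS` are skipped without any log line, unlike the legacy-protocol skip in the same file, which logs `skipping legacy protocol tests`. These are the cases that check fsck reports unreadable key and config files, so a run as root loses that coverage with nothing in the output to show it. I would add an `else:` branch with `log.info("skipping access checks")` at each gate, or log once where the flag is defined in `testlib/const.py`. The same applies to the gates this commit adds in `cmd_import.py`, `cmd_join.py` and `cmd_keys.py`.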
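--- a/test/integration/cmd_import.py
+++ b/test/integration/cmd_import.py
@@ -6,6 +6,7 @@ import os
 from testlib import check, cmd, util
 from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.proc import Tinc
 from testlib.test import Test
@@ -73,7 +74,7 @@ def test_import(foo: Tinc) -> None:
 _, err = foo.cmd("import", stdin="Name = node0", code=1)
 check.is_in("node0 already exists", err)
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
 log.info("import to inaccessible hosts subdirectory")
 os.chmod(foo.sub("hosts"), 0)
 _, err = foo.cmd("import", stdin="Name = vinny", code=1)
@@ -153,7 +154,7 @@ def test_export_all(foo: Tinc) -> None:
 log.info("unexpected number of separators: %s", lines)
 assert False
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
 os.chmod(foo.sub("hosts"), 0)
 _, err = foo.cmd("export-all", code=1)
 check.is_in("Could not open host configuration", err)
@@ -168,7 +169,7 @@ with Test("test 'export' command") as context:
 with Test("test 'exchange' command") as context:
 test_exchange(init(context))
-if os.name != "nt":
+if RUN_ACCESS_CHECKS:
 with Test("test 'exchange-all' command") as context:
 test_exchange_all(init(context))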
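Review bot: The last hunk gates the whole `exchange-all` test on `RUN_ACCESS_CHECKS`, so under root the command gets no coverage at all, whereas the two hunks above skip only the `os.chmod(..., 0)` part of their test. `test_exchange_all` is defined outside the hunk, so it is not visible how much of it depends on a permission failure. If only part of it does, the gate belongs inside the function, as in `test_import` and `test_export_all`. If all of it does, a one-line comment above `if RUN_ACCESS_CHECKS:` stating that would keep the next reader from widening the gate by mistake.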
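--- a/test/integration/cmd_join.py
+++ b/test/integration/cmd_join.py
@@ -7,6 +7,7 @@ import shutil
 from testlib import check, util
 from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.proc import Tinc
 from testlib.test import Test
@@ -77,7 +78,7 @@ def test_invite_errors(foo: Tinc) -> None:
 _, err = foo.cmd("invite", foo.name, code=1)
 check.is_in("already exists", err)
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
 log.info("bad permissions on invitations are fixed")
 invites = foo.sub("invitations")
 os.chmod(invites, 0)
@@ -121,7 +122,7 @@ def test_join_errors(foo: Tinc) -> None:
 _, err = foo.cmd("-c", work_dir, "join", FAKE_INVITE, code=1)
 check.is_in("Could not connect to", err)
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
 log.info("bad permissions on configuration directory are fixed")
 work_dir = foo.sub("wd_access_test")
 os.mkdir(work_dir, mode=400)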
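Review bot: `os.mkdir(work_dir, mode=400)` in the last hunk passes a decimal literal, and decimal 400 is `0o620`, not the owner-read-only `0o400` that the value suggests was intended. If read-only is what the test wants, the line should be `os.mkdir(work_dir, mode=0o400)`; the process umask is applied on top either way. The line is unchanged context, but it is the first statement of the block this hunk re-gates. `test_join_errors` continues past the hunk, so the assertions that follow should be rechecked against the corrected mode.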
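--- a/test/integration/cmd_keys.py
+++ b/test/integration/cmd_keys.py
@@ -7,6 +7,7 @@ import os
 from testlib import check, util
 from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.feature import Feature
 from testlib.proc import Tinc
 from testlib.test import Test
@@ -99,7 +100,7 @@ def test_rsa(foo: Tinc) -> None:
 key = util.read_text(rsa_priv)
 check.has_prefix(key, "-----BEGIN RSA PRIVATE KEY-----")
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
 log.info("remove access to private key")
 os.chmod(rsa_priv, 0)
 _, err = foo.cmd("generate-rsa-keys", "1024", code=1)
@@ -136,7 +137,7 @@ def test_eddsa(foo: Tinc) -> None:
 check.has_prefix(util.read_text(ec_priv), "-----BEGIN ED25519 PRIVATE KEY-----")
 check.has_prefix(util.read_text(ec_pub), "Ed25519PublicKey")
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
 log.info("remove access to EC private key file")
 os.chmod(ec_priv, 0)
 _, err = foo.cmd("generate-ed25519-keys", code=1)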
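--- a/test/integration/cmd_misc.py
+++ b/test/integration/cmd_misc.py
@@ -149,8 +149,8 @@ def test_log(foo: Tinc) -> None:
 log.info("test correct call")
 log_client = foo.tinc("log")
 foo.cmd("reload")
- time.sleep(1)
 foo.cmd("stop")
+ time.sleep(1)
 out, _ = log_client.communicate()
 check.true(out)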
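Review bot: Moving `time.sleep(1)` to after `foo.cmd("stop")` is not explained by the commit title or by a comment, and a fixed one-second wait is a timing assumption that can fail on a slow machine. If `foo.tinc()` returns a `subprocess.Popen`, which the `communicate()` call suggests, the next line already blocks until the log client exits, so the sleep may not be needed at all. If it is needed, a one-line comment above it stating what the test is waiting for would make the ordering reviewable. `test_log` starts and continues outside the hunk.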
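--- a/test/integration/testlib/const.py
+++ b/test/integration/testlib/const.py
@@ -7,3 +7,6 @@ EXIT_SKIP = 77
 # Family name for multiprocessing Listener/Connection
 MPC_FAMILY = "AF_PIPE" if os.name == "nt" else "AF_UNIX"
+
+# Do access checks on files. Disabled when not available or not applicable.
+RUN_ACCESS_CHECKS = os.name != "nt" and os.geteuid() != 0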
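Review bot: `os.geteuid() != 0` only approximates "file mode bits are enforced for this process", and on Linux it can be wrong in both directions: a non-root process holding CAP_DAC_OVERRIDE bypasses the bits, while root in a container that dropped that capability does not. Probing once at import is exact: create a temporary file, `chmod` it to 0, and see whether opening it raises `PermissionError`. The comment above the flag could also state the reason, e.g. `# root bypasses file mode bits, so chmod(path, 0) does not make a file inaccessible`. The sketch below needs `import tempfile` at the top of the file.

```python
def _mode_bits_enforced() -> bool:
    """Return True if chmod(path, 0) really denies this process access."""
    if os.name == "nt":
        return False
    with tempfile.TemporaryDirectory() as tmp:
        probe = os.path.join(tmp, "probe")
        with open(probe, "w", encoding="utf-8"):
            pass
        os.chmod(probe, 0)
        try:
            with open(probe, encoding="utf-8"):
                return False
        except PermissionError:
            return True


# Do access checks on files. Disabled when not available or not applicable.
RUN_ACCESS_CHECKS = _mode_bits_enforced()
```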
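--- a/test/unit/test_fs.c
+++ b/test/unit/test_fs.c
@@ -113,7 +113,7 @@ static void test_makedir(tinc_dir_t dir, bool exists) {
 }
 // Deny write access and make sure makedirs() detects that
- if(*container) {
+ if(getuid() && *container) {
 assert_int_equal(0, chmod(tmp, 0));
 assert_false(makedirs(dir));
 assert_int_equal(0, chmod(tmp, 0755));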
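Review bot: The new guard calls `getuid()`, the real UID, but the kernel checks file permissions against the effective UID, and the Python side of this commit uses `os.geteuid()`. When the two differ, as in a setuid run, the guard takes the wrong branch: it either runs `assert_false(makedirs(dir))` with root privileges or skips the check without them. `if(geteuid() && *container) {` keeps the C and Python gates consistent. `test_makedir` begins and continues outside the hunk, and whether `<unistd.h>` is already included is not visible here.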