vmcheck/test-basic.sh: adjust for new polkit policy

Now that we require clients to have an active session to RegisterClient,
we can't use runuser to check for non-root functionality. Add a new
vm_cmd_as() function to allow connecting as a different user. While
we're there, do some minor cleanups to consistently use `local` when
possible.

Closes: #894
Approved by: cgwalters
Jonathan Lebon 2017-07-27 07:16:23 -07:00 committed by Atomic Bot
parent f6c422a6d5
commit 95bc93205e
4 changed files with 45 additions and 25 deletions


@ -39,7 +39,7 @@ vm_setup() {
vm_rsync() {
if ! test -f .vagrant/using_sshfs; then
pushd ${topsrcdir}
rsyncopts="ssh -o User=root"
local rsyncopts="ssh -o User=root"
if [ -f ssh-config ]; then
rsyncopts="$rsyncopts -F ssh-config"
fi
@ -53,6 +53,19 @@ vm_rsync() {
fi
}
# run command in vm as user
# - $1 username
# - $@ command to run
vm_cmd_as() {
local user=$1; shift
# don't reuse root's ControlPath
local sshopts="-o User=$user"
if [ -f "${topsrcdir}/ssh-config" ]; then
sshopts="$sshopts -F ${topsrcdir}/ssh-config"
fi
ssh $sshopts $VM "$@"
}
# run command in vm
# - $@ command to run
vm_cmd() {
@ -61,9 +74,9 @@ vm_cmd() {
# Copy argument (usually shell script) to VM, execute it there
vm_cmdfile() {
bin=$1
local bin=$1
chmod a+x ${bin}
bn=$(basename ${bin})
local bn=$(basename ${bin})
$SCP $1 $VM:/root/${bn}
$SSH /root/${bn}
}
@ -77,14 +90,14 @@ vm_clean_caches() {
# run rpm-ostree in vm
# - $@ args
vm_rpmostree() {
$SSH env ASAN_OPTIONS=detect_leaks=false rpm-ostree "$@"
vm_cmd env ASAN_OPTIONS=detect_leaks=false rpm-ostree "$@"
}
# copy files to a directory in the vm
# - $1 target directory
# - $2.. files & dirs to copy
vm_send() {
dir=$1; shift
local dir=$1; shift
vm_cmd mkdir -p $dir
$SCP -r "$@" $VM:$dir
}
@ -118,8 +131,8 @@ EOF
# - $1 timeout in second (optional)
# - $2 previous bootid (optional)
vm_ssh_wait() {
timeout=${1:-0}; shift
old_bootid=${1:-}; shift
local timeout=${1:-0}; shift
local old_bootid=${1:-}; shift
if ! vm_cmd true; then
echo "Failed to log into VM, retrying with debug:"
$SSH -o LogLevel=debug true || true
@ -151,7 +164,7 @@ vm_get_boot_id() {
# Run a command in the VM that will cause a reboot
vm_reboot_cmd() {
vm_cmd sync
bootid=$(vm_get_boot_id 2>/dev/null)
local bootid=$(vm_get_boot_id 2>/dev/null)
vm_cmd $@ || :
vm_ssh_wait 120 $bootid
}
@ -185,8 +198,8 @@ vm_has_packages() {
# - $1 index of deployment (or -1 for booted)
# - $2 key to retrieve
vm_get_deployment_info() {
idx=$1
key=$2
local idx=$1
local key=$2
vm_rpmostree status --json | \
python -c "
import sys, json
@ -215,10 +228,10 @@ if \"$key\" in depl:
# retrieve the deployment root
# - $1 index of deployment
vm_get_deployment_root() {
idx=$1
csum=$(vm_get_deployment_info $idx checksum)
serial=$(vm_get_deployment_info $idx serial)
osname=$(vm_get_deployment_info $idx osname)
local idx=$1
local csum=$(vm_get_deployment_info $idx checksum)
local serial=$(vm_get_deployment_info $idx serial)
local osname=$(vm_get_deployment_info $idx osname)
echo /ostree/deploy/$osname/deploy/$csum.$serial
}
@ -245,7 +258,7 @@ vm_get_local_packages() {
# check that the packages are currently layered
# - $@ packages to check for
vm_has_layered_packages() {
pkgs=$(vm_get_layered_packages)
local pkgs=$(vm_get_layered_packages)
for pkg in "$@"; do
if [[ " $pkgs " != *$pkg* ]]; then
return 1
@ -256,7 +269,7 @@ vm_has_layered_packages() {
# check that the packages are currently requested
# - $@ packages to check for
vm_has_requested_packages() {
pkgs=$(vm_get_requested_packages)
local pkgs=$(vm_get_requested_packages)
for pkg in "$@"; do
if [[ " $pkgs " != *$pkg* ]]; then
return 1
@ -265,7 +278,7 @@ vm_has_requested_packages() {
}
vm_has_local_packages() {
pkgs=$(vm_get_local_packages)
local pkgs=$(vm_get_local_packages)
for pkg in "$@"; do
if [[ " $pkgs " != *$pkg* ]]; then
return 1
@ -287,8 +300,8 @@ vm_get_booted_csum() {
# - $1 package to check for
# - $2 either "present" or "absent"
vm_assert_layered_pkg() {
pkg=$1; shift
policy=$1; shift
local pkg=$1; shift
local policy=$1; shift
set +e
vm_has_packages $pkg; pkg_in_rpmdb=$?
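Review bot: In `vm_cmd_as`, the comment says root's ControlPath must not be reused, but the function only achieves that by leaving the option out; a `ControlPath` without `%r` in `ssh-config`, or in the caller's own ssh configuration when no `ssh-config` file exists, would still route the session over root's master connection and run the command as root. Because the non-root tests depend on the login really being `$user`, I would pin it with `local sshopts="-o User=$user -o ControlPath=none"`. How `$SSH` sets its control socket is defined outside this section, so the exact exposure is inferred rather than shown. Separately, `$sshopts` is expanded unquoted on purpose, so a `topsrcdir` containing spaces splits the `-F` argument; building the options as an array (`local -a sshopts=(-o "User=$user")`, then `ssh "${sshopts[@]}" "$VM" "$@"`) avoids that.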


@ -48,7 +48,7 @@ if test -z "${INSIDE_VM:-}"; then
vm_rsync
$SSH "env INSIDE_VM=1 /var/roothome/sync/tests/vmcheck/overlay.sh"
vm_cmd env INSIDE_VM=1 /var/roothome/sync/tests/vmcheck/overlay.sh
vm_reboot
exit 0
fi


@ -38,7 +38,7 @@ if test -z "${INSIDE_VM:-}"; then
make install DESTDIR=${VMCHECK_INSTTREE}
vm_rsync
$SSH "env INSIDE_VM=1 /var/roothome/sync/tests/vmcheck/sync.sh"
vm_cmd env INSIDE_VM=1 /var/roothome/sync/tests/vmcheck/sync.sh
exit 0
else


@ -34,17 +34,24 @@ vm_assert_status_jq \
'.deployments[0]["requested-base-removals"]'
echo "ok empty pkg arrays in status json"
# Be sure an unprivileged user exists
vm_cmd getent passwd bin
# Be sure an unprivileged user exists and that we can SSH into it. This is a bit
# underhanded, but we need a bona fide user session to verify non-priv status,
# and logging in through SSH is an easy way to achieve that.
if ! vm_cmd getent passwd testuser; then
vm_cmd useradd testuser
vm_cmd mkdir -pm 0700 /home/testuser/.ssh
vm_cmd cp -a /root/.ssh/authorized_keys /home/testuser/.ssh
vm_cmd chown -R testuser:testuser /home/testuser/.ssh
fi
# Make sure we can't layer as non-root
vm_build_rpm foo
if vm_cmd "runuser -u bin rpm-ostree pkg-add foo" &> err.txt; then
if vm_cmd_as testuser rpm-ostree pkg-add foo &> err.txt; then
assert_not_reached "Was able to install a package as non-root!"
fi
assert_file_has_content err.txt 'PkgChange not allowed for user'
echo "ok layering requires root"
# Assert that we can do status as non-root
vm_cmd "runuser -u bin rpm-ostree status"
vm_cmd_as testuser rpm-ostree status
echo "ok status doesn't require root"
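Review bot: The `.ssh` setup for `testuser` runs only when `getent passwd testuser` fails, so a VM where `useradd` succeeded but the `mkdir`/`cp`/`chown` steps did not is never repaired, and the later `vm_cmd_as testuser` calls then fail on SSH authentication instead of exercising the polkit check. Making only the account creation conditional, `vm_cmd getent passwd testuser || vm_cmd useradd testuser`, and running the three key-setup commands unconditionally keeps the setup idempotent. It would also help to extend the comment to say that the account keeps a copy of root's `authorized_keys` and stays in the VM after the test, so anyone reusing the image knows that login exists.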