[tests] add lib/tests/run-nonpriv-wrapper

- runs as non-root
- does not require being in entropy/portage group
    - in fact, it's better (better isolation) to run as such
- thus does not modify running system

The wrapper script is ugly but very convenient.
This commit is contained in:
Sławomir Nizio
2018-08-05 00:34:54 +02:00
parent 8af6ececaa
commit fabb3e72da
5 changed files with 117 additions and 4 deletions

View File

@@ -2,7 +2,7 @@
import os
from entropy.exceptions import FileNotFound
def get_test_generic_package(test_pkg):
def _get_test_generic_package_path(test_pkg):
path1 = os.path.join(os.getcwd(), "packages", test_pkg)
path2 = os.path.join(os.getcwd(), "..", "packages", test_pkg)
if os.path.lexists(path1):
@@ -11,6 +11,14 @@ def get_test_generic_package(test_pkg):
return path2
raise FileNotFound("cannot find test package %s" % (test_pkg,))
def get_test_generic_package(test_pkg):
stage_dir = os.getenv("ETP_TESTS_PACKAGES_RW_PATH")
if stage_dir:
path = os.path.join(stage_dir, test_pkg)
else:
path = _get_test_generic_package_path(test_pkg)
return path
def get_test_package():
test_pkg = "zlib-1.2.3-r1.tbz2"
return get_test_generic_package(test_pkg)

View File

@@ -12,6 +12,7 @@ from entropy.exceptions import SecurityError
class ConstTest(unittest.TestCase):
@unittest.skipIf(os.getenv("ETP_TEST_SKIP_PRIVILEGED"), "ETP_TEST_SKIP_PRIVILEGED is set")
def test_privileges(self):
self.assertTrue(os.getuid() == 0)

View File

@@ -1,6 +1,9 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Too run in a (partially) isolated environment and as nonprivileged user, see
# run-nonpriv-wrapper.
import os
import sys
locale_dir = os.path.realpath(os.path.join(os.getcwd(), "i18n"))
@@ -19,8 +22,22 @@ from tests import locks, db, client, server, misc, fetchers, tools, dep, \
i18n, spm, qa, core, security, const
# Add to the list the module to test
mods = [locks, db, client, server, misc, fetchers, tools, dep, i18n, spm, qa,
core, security, const]
mods = [
locks,
db,
client,
server,
misc,
fetchers,
tools,
dep,
i18n,
spm,
qa,
core,
security,
const
]
tests = []
for mod in mods:

87
lib/tests/run-nonpriv-wrapper Executable file
View File

@@ -0,0 +1,87 @@
#!/bin/bash
# This is a wrapper that sets environment for running Entropy tests as
# unprivileged user (including not in entropy/portage group), and without
# altering the running system.
# Because the environment is modified (or artificial, e.g. some directories are
# empty), it might be possible that some code paths don't execute as intended.
# If you enounter this, file a bug.
# Requires bubblewrap (https://github.com/projectatomic/bubblewrap).
# Usage:
# ./nonpriv-wrapper.sh
# will call ./run.sh
# ./nonpriv-wrapper.sh COMMAND [ARG ...]
# will run COMMAND in modified environment
this_dir=$(dirname "$0") || exit 1
cmd=( "$this_dir/run" )
(( $# )) && cmd=( "$@" )
# Note: cannot be on a nonexec-mounted fs due to ldd -r xxx.so.
test_dir=/var/tmp/tdirs
rm -rf "$test_dir"
mkdir -p "$test_dir"/{var-lib-entropy,var-tmp-entropy,run,etc-entropy}
mkdir -p "$test_dir"/{var-db,var-lib-portage}
# For os.chown.
# For is_user_in_entropy_group().
grep -E -v "^(entropy|portage):" /etc/group > "$test_dir/etc-group"
echo "entropy:x:$(id -g):$(whoami)" >> "$test_dir/etc-group"
echo "portage:x:$(id -g):" >> "$test_dir/etc-group"
# Checkout of Entropy can be ro. Create place for writable files normally used
# just from the "packages" directory (get_test_generic_package, _misc.py).
mkdir -p "$test_dir/var-tmp-entropy/test-packages-rw"
cp -r "$this_dir/packages"/* "$test_dir/var-tmp-entropy/test-packages-rw"
# For the case when os.chown is being done on this file.
printf "product = standard\nbranch = 5\nofficial-repository-id = sabayonlinux.org\n" \
> "$test_dir/etc-entropy/repositories.conf"
# For test_clear_cache (tests.client.EntropyClientTest).
mkdir "$test_dir/var-lib-entropy/caches"
echo garbage > "$test_dir/var-lib-entropy/caches/garbage-file"
# For test_basic_methods (tests.spm.SpmTest).
mkdir -p "$test_dir/var-db/pkg/sys-apps/gawk-4.2.0"
mkdir -p "$test_dir/var-db/pkg/virtual/libc-1"
mkdir -p "$test_dir/var-db/pkg/virtual/editor-0-r1"
# For tests.security.SecurityTest.test_gpg_handling.
mkdir -p "$test_dir/var-lib-entropy/client/database/amd64"
# Some of these are .example, not real files but are good enough.
# For security.SecurityTest.test_security_cache.
cp -r "$this_dir/../../conf"/* "$test_dir/etc-entropy"
mkdir "$test_dir/etc-entropy/packages/sets"
realtowrapped() {
echo "$test_dir/$(echo "$1" | sed -e "s:^/::" -e "s:/:-:g")"
}
opts=(
--ro-bind / /
--dev /dev
--bind /tmp /tmp
--proc /proc
--bind "$(realtowrapped /var/lib/entropy)" /var/lib/entropy
--bind "$(realtowrapped /var/tmp/entropy)" /var/tmp/entropy
--bind "$(realtowrapped /run)" /run
--bind "$(realtowrapped /etc/entropy)" /etc/entropy
--bind "$(realtowrapped /var/db)" /var/db
--bind "$(realtowrapped /var/lib/portage)" /var/lib/portage
--bind "$(realtowrapped /etc/group)" /etc/group
)
export ETP_TESTS_PACKAGES_RW_PATH="/var/tmp/entropy/test-packages-rw"
# Disable a test that explicitly requires root (check os.getuid()).
export ETP_TEST_SKIP_PRIVILEGED=1
exec bwrap "${opts[@]}" "${cmd[@]}"

View File

@@ -26,7 +26,7 @@ class SecurityTest(unittest.TestCase):
self._entropy = Client(installed_repo = False)
self._repository = Repository(keystore_dir = self._tmp_dir)
tmp_dir = os.getenv("TMPDIR", os.getcwd())
tmp_dir = os.getenv("TMPDIR", etpConst['entropyunpackdir'])
self._security_cache_dir = const_mkdtemp(
dir=tmp_dir, prefix="entropy.SecurityTest")
self._security_dir = const_mkdtemp(