Avoid using
sudo
in agent launchers when the current user is not a …
…sudoer (#5835) Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
Showing
14 changed files
with
305 additions
and
24 deletions.
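--- a/agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats
+++ b/agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats
@@ -0,0 +1,62 @@
+#!/usr/bin/env bats
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+# Mario
+#
+# How to run this script:
+# cd <root of che local git repository>
+# export CHE_BASE_DIR=$(pwd)
+# export LAUNCHER_SCRIPT_TO_TEST=wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh
+# export BATS_TEST_SCRIPT=agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats
+# export DOCKER_IMAGE=rhche/centos_jdk8
+# docker run -ti --rm -e CHE_BASE_DIR -e LAUNCHER_SCRIPT_TO_TEST -e DOCKER_IMAGE \
+# -v ${CHE_BASE_DIR}/${BATS_TEST_SCRIPT}:/scripts/launcher_tests.bats \
+# -v ${CHE_BASE_DIR}/dockerfiles:/dockerfiles \
+# -v /var/run/docker.sock:/var/run/docker.sock \
+# eclipse/che-bats bats /scripts/launcher_tests.bats
+#
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+. /dockerfiles/cli/tests/test_base.sh
+
+CONTAINER_NAME="test"
+
+script_host_path=${CHE_BASE_DIR}/${LAUNCHER_SCRIPT_TO_TEST}
+
+root_msg="I am root"
+not_root_msg="I am a not root"
+sudoer_msg="I am a sudoer"
+not_sudoer_msg="I am a not a sudoer"
+test_snippet="source <(grep -iE -A3 'is_current_user_root\(\)|is_current_user_sudoer\(\)|set_sudo_command\(\)' /launch.sh | grep -v -- "^--$"); is_current_user_root && echo -n '${root_msg} ' || echo -n '${not_root_msg} '; is_current_user_sudoer && echo '${sudoer_msg}' || echo -n '${not_sudoer_msg} '; set_sudo_command; echo SUDO=\${SUDO}"
+user="100000"
+
+# Kill running che server instance if there is any to be able to run tests
+setup() {
+kill_running_named_container ${CONTAINER_NAME}
+remove_named_container ${CONTAINER_NAME}
+docker run --security-opt no-new-privileges --user=${user} --name="${CONTAINER_NAME}" -d -v ${script_host_path}:/launch.sh "${DOCKER_IMAGE}"
+}
+
+teardown() {
+kill_running_named_container "${CONTAINER_NAME}"
+remove_named_container ${CONTAINER_NAME}
+}
+
+@test "should deduce that's not a sudoer nor root when ${LAUNCHER_SCRIPT_TO_TEST} is run as an arbitrary user" {
+#GIVEN
+expected_msg="${not_root_msg} ${not_sudoer_msg} SUDO="
+
+#WHEN
+run docker exec --user=${user} "${CONTAINER_NAME}" bash -c "${test_snippet}"
+
+#THEN
+assert_success
+assert_output ${expected_msg}
+}
+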
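Review bot: `assert_output ${expected_msg}` at the end of the test passes the expected string unquoted, so it is word-split and `assert_output` receives several arguments instead of the one message; depending on the bats-assert version, only the first word may end up being compared. Quote it as `assert_output "${expected_msg}"` so the check that an arbitrary, non-sudoer UID ends with an empty `SUDO=` is really exercised. The same unquoted call appears twice in agents-launchers-tests.bats. `${CONTAINER_NAME}`, `${user}` and `${script_host_path}` in `setup()` would also be safer quoted, since `CHE_BASE_DIR` comes from `$(pwd)`.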
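--- a/agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats
+++ b/agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats
@@ -0,0 +1,76 @@
+#!/usr/bin/env bats
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+# Mario
+#
+# How to run this script:
+# cd <root of che local git repository>
+# export CHE_BASE_DIR=$(pwd)
+# export LAUNCHER_SCRIPT_TO_TEST=wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh
+# export BATS_TEST_SCRIPT=agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats
+# export DOCKER_IMAGE=eclipse/centos_jdk8
+# docker run -ti --rm -e CHE_BASE_DIR -e LAUNCHER_SCRIPT_TO_TEST -e DOCKER_IMAGE \
+# -v ${CHE_BASE_DIR}/${BATS_TEST_SCRIPT}:/scripts/launcher_tests.bats \
+# -v ${CHE_BASE_DIR}/dockerfiles:/dockerfiles \
+# -v /var/run/docker.sock:/var/run/docker.sock \
+# eclipse/che-bats bats /scripts/launcher_tests.bats
+#
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+. /dockerfiles/cli/tests/test_base.sh
+
+CONTAINER_NAME="batssshscripttest"
+
+script_host_path=${CHE_BASE_DIR}/${LAUNCHER_SCRIPT_TO_TEST}
+root_msg="I am root"
+not_root_msg="I am a not root"
+sudoer_msg="I am a sudoer"
+not_sudoer_msg="I am a not a sudoer"
+#test_snippet="source <(grep -iE -A3 'is_current_user_root\(\)|is_current_user_sudoer\(\)' /launch.sh | grep -v -- "^--$"); is_current_user_root && echo -n '${root_msg} ' || echo -n '${not_root_msg} '; is_current_user_sudoer && echo '${sudoer_msg}' || echo '${not_sudoer_msg}'"
+test_snippet="source <(grep -iE -A3 'is_current_user_root\(\)|is_current_user_sudoer\(\)|set_sudo_command\(\)' /launch.sh | grep -v -- "^--$"); is_current_user_root && echo -n '${root_msg} ' || echo -n '${not_root_msg} '; is_current_user_sudoer && echo -n '${sudoer_msg} ' || echo '${not_sudoer_msg}'; set_sudo_command; echo SUDO=\${SUDO}"
+
+# Kill running che server instance if there is any to be able to run tests
+setup() {
+kill_running_named_container ${CONTAINER_NAME}
+remove_named_container ${CONTAINER_NAME}
+docker run --name="${CONTAINER_NAME}" -d -v ${script_host_path}:/launch.sh "${DOCKER_IMAGE}"
+}
+
+teardown() {
+kill_running_named_container "${CONTAINER_NAME}"
+remove_named_container ${CONTAINER_NAME}
+}
+
+@test "should deduce that's root and sudoer when ${LAUNCHER_SCRIPT_TO_TEST} is run as root" {
+#GIVEN
+user="root"
+expected_msg="${root_msg} ${sudoer_msg} SUDO="
+
+#WHEN
+run docker exec --user=${user} "${CONTAINER_NAME}" bash -c "${test_snippet}"
+
+#THEN
+assert_success
+# assert_output --partial ${expected_msg}
+assert_output ${expected_msg}
+}
+
+@test "should deduce that's not root but sudoer when ${LAUNCHER_SCRIPT_TO_TEST} is run as user with UID 1000" {
+#GIVEN
+user="1000"
+expected_msg="${not_root_msg} ${sudoer_msg} SUDO=sudo -E"
+
+#WHEN
+run docker exec --user=${user} "${CONTAINER_NAME}" bash -c "${test_snippet}"
+
+#THEN
+assert_success
+# assert_output --partial ${expected_msg}
+assert_output ${expected_msg}
+}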
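Review bot: `test_snippet` pulls the three launcher functions out of /launch.sh with `grep -A3` and sources the result, which only works while each function is at most four lines long; a longer body would be cut off and the test would source a broken or truncated privilege check. The commented-out older `#test_snippet=` line above it shows the pattern already needed editing when `set_sudo_command` was added; that line and the two `# assert_output --partial` lines can be dropped. The inner `"^--$"` also closes the outer double quote, so the text that follows starts with `$"` and the pattern that reaches grep is probably `^--` without the anchor; writing `'^--\$'` inside the string would keep it intact. The arbitrary-user file carries the same snippet. Consider adding a comment such as `# relies on the launcher helpers being <= 4 lines; keep in sync with the launcher script`.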
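--- a/agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh
+++ b/agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+# Mario
+#
+# How to run this script:
+# cd <root of che local git repository>
+# sh agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh
+#
+
+#images=(bitnami/che-codeigniter:3.1.3-r6 bitnami/che-express:4.15.3-r2 bitnami/che-java-play:1.3.12-r3 bitnami/che-laravel:5.4.23-r1 bitnami/che-rails:5.1.2-r0 bitnami/che-swift:3.1.1-r0 bitnami/che-symfony:3.3.2-r0 eclipse/centos_jdk8 eclipse/cpp_gcc eclipse/debian_jdk8 eclipse/debian_jre eclipse/dotnet_core eclipse/hadoop-dev eclipse/kotlin eclipse/node eclipse/php eclipse/php:5.6 eclipse/php:gae eclipse/selenium eclipse/ubuntu_android eclipse/ubuntu_go eclipse/ubuntu_jdk8 eclipse/ubuntu_jre eclipse/ubuntu_python:2.7 eclipse/ubuntu_python:gae_python2.7 eclipse/ubuntu_python:latest eclipse/ubuntu_rails kaloyanraev/che-zendserver registry.centos.org/che-stacks/centos-go registry.centos.org/che-stacks/centos-nodejs registry.centos.org/che-stacks/spring-boot registry.centos.org/che-stacks/vertx registry.centos.org/che-stacks/wildfly-swarm tomitribe/ubuntu_tomee_173_jdk8 registry.centos.org/che-stacks/centos-git)
+#arbitrary_images=(rhche/centos_jdk8 rhche/vertx rhche/ubuntu_jdk8 rhche/centos-nodejs rhche/spring-boot rhche/wildfly-swarm)
+images=(eclipse/centos_jdk8)
+arbitrary_images=(rhche/centos_jdk8)
+
+run_bats_test() {
+export CHE_BASE_DIR=$(pwd)
+export BATS_TEST_SCRIPT=${1}
+export LAUNCHER_SCRIPT_TO_TEST=${2}
+export DOCKER_IMAGE=${3}
+docker run -ti --rm -e CHE_BASE_DIR -e LAUNCHER_SCRIPT_TO_TEST -e DOCKER_IMAGE \
+-v ${CHE_BASE_DIR}/${BATS_TEST_SCRIPT}:/scripts/launcher_tests.bats \
+-v ${CHE_BASE_DIR}/dockerfiles:/dockerfiles \
+-v /var/run/docker.sock:/var/run/docker.sock \
+eclipse/che-bats bats /scripts/launcher_tests.bats
+}
+
+for image in "${images[@]}"; do
+launcher_script_to_test="wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh"
+bats_test_script="agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats"
+echo "RUNNING LAUNCHER BATS TESTS FOR IMAGE ${image}"
+run_bats_test "${bats_test_script}" "${launcher_script_to_test}" "${image}"
+done
+
+for arbitrary_image in "${arbitrary_images[@]}"; do
+launcher_script_to_test="wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh"
+bats_test_script="agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats"
+echo "RUNNING LAUNCHER BATS TESTS FOR IMAGE ${arbitrary_image}"
+run_bats_test "${bats_test_script}" "${launcher_script_to_test}" "${arbitrary_image}"
+done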
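Review bot: Neither loop checks the result of `run_bats_test`, so a failing bats run for an earlier image is not reflected in the script's exit status, which is only that of the last command; `run_bats_test "${bats_test_script}" "${launcher_script_to_test}" "${image}" || exit 1` (or a failure flag checked at the end) in both loops would make a regression in the sudo detection fail the build. The header says to start the script with `sh`, but it uses bash arrays, so the usage line should read `bash agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh`. `docker run -ti` will likely fail where no TTY is attached, for example in CI. The mount of /var/run/docker.sock gives the `eclipse/che-bats` container control of the host Docker daemon; a comment saying so, and that the script is meant for disposable build hosts, would help.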