Avoid using sudo in agent launchers when the current user is not a …

…sudoer (#5835) Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
eclipse-che · Aug 1, 2017 · a419690 · a419690
1 parent 53c3842
commit a419690
Show file tree

Hide file tree

Showing 14 changed files with 305 additions and 24 deletions.
diff --git a/agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats b/agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats
@@ -0,0 +1,62 @@
+#!/usr/bin/env bats
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+#   Mario
+#
+# How to run this script:
+#   cd <root of che local git repository>
+#   export CHE_BASE_DIR=$(pwd)
+#   export LAUNCHER_SCRIPT_TO_TEST=wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh
+#   export BATS_TEST_SCRIPT=agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats
+#   export DOCKER_IMAGE=rhche/centos_jdk8
+#   docker run -ti --rm -e CHE_BASE_DIR -e LAUNCHER_SCRIPT_TO_TEST -e DOCKER_IMAGE \
+#        -v ${CHE_BASE_DIR}/${BATS_TEST_SCRIPT}:/scripts/launcher_tests.bats \
+#        -v ${CHE_BASE_DIR}/dockerfiles:/dockerfiles \
+#        -v /var/run/docker.sock:/var/run/docker.sock \
+#        eclipse/che-bats bats /scripts/launcher_tests.bats
+#
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+. /dockerfiles/cli/tests/test_base.sh
+
+CONTAINER_NAME="test"
+
+script_host_path=${CHE_BASE_DIR}/${LAUNCHER_SCRIPT_TO_TEST}
+
+root_msg="I am root"
+not_root_msg="I am a not root"
+sudoer_msg="I am a sudoer"
+not_sudoer_msg="I am a not a sudoer"
+test_snippet="source <(grep -iE -A3 'is_current_user_root\(\)|is_current_user_sudoer\(\)|set_sudo_command\(\)' /launch.sh | grep -v -- "^--$"); is_current_user_root && echo -n '${root_msg} ' || echo -n '${not_root_msg} '; is_current_user_sudoer && echo '${sudoer_msg}' || echo -n '${not_sudoer_msg} '; set_sudo_command; echo SUDO=\${SUDO}"
+user="100000"
+
+# Kill running che server instance if there is any to be able to run tests
+setup() {
+  kill_running_named_container ${CONTAINER_NAME}
+  remove_named_container ${CONTAINER_NAME}
+  docker run --security-opt no-new-privileges --user=${user} --name="${CONTAINER_NAME}" -d -v ${script_host_path}:/launch.sh "${DOCKER_IMAGE}"
+}
+
+teardown() {
+  kill_running_named_container "${CONTAINER_NAME}"
+  remove_named_container ${CONTAINER_NAME}
+}
+
+@test "should deduce that's not a sudoer nor root when ${LAUNCHER_SCRIPT_TO_TEST} is run as an arbitrary user" {
+  #GIVEN
+  expected_msg="${not_root_msg} ${not_sudoer_msg} SUDO="
+
+  #WHEN
+  run docker exec --user=${user} "${CONTAINER_NAME}" bash -c "${test_snippet}"
+
+  #THEN
+  assert_success
+  assert_output ${expected_msg}
+}
+
diff --git a/agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats b/agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats
@@ -0,0 +1,76 @@
+#!/usr/bin/env bats
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+#   Mario
+#
+# How to run this script:
+#   cd <root of che local git repository>
+#   export CHE_BASE_DIR=$(pwd)
+#   export LAUNCHER_SCRIPT_TO_TEST=wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh
+#   export BATS_TEST_SCRIPT=agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats
+#   export DOCKER_IMAGE=eclipse/centos_jdk8
+#   docker run -ti --rm -e CHE_BASE_DIR -e LAUNCHER_SCRIPT_TO_TEST -e DOCKER_IMAGE \
+#        -v ${CHE_BASE_DIR}/${BATS_TEST_SCRIPT}:/scripts/launcher_tests.bats \
+#        -v ${CHE_BASE_DIR}/dockerfiles:/dockerfiles \
+#        -v /var/run/docker.sock:/var/run/docker.sock \
+#        eclipse/che-bats bats /scripts/launcher_tests.bats
+#
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+. /dockerfiles/cli/tests/test_base.sh
+
+CONTAINER_NAME="batssshscripttest"
+
+script_host_path=${CHE_BASE_DIR}/${LAUNCHER_SCRIPT_TO_TEST}
+root_msg="I am root"
+not_root_msg="I am a not root"
+sudoer_msg="I am a sudoer"
+not_sudoer_msg="I am a not a sudoer"
+#test_snippet="source <(grep -iE -A3 'is_current_user_root\(\)|is_current_user_sudoer\(\)' /launch.sh | grep -v -- "^--$"); is_current_user_root && echo -n '${root_msg} ' || echo -n '${not_root_msg} '; is_current_user_sudoer && echo '${sudoer_msg}' || echo '${not_sudoer_msg}'"
+test_snippet="source <(grep -iE -A3 'is_current_user_root\(\)|is_current_user_sudoer\(\)|set_sudo_command\(\)' /launch.sh | grep -v -- "^--$"); is_current_user_root && echo -n '${root_msg} ' || echo -n '${not_root_msg} '; is_current_user_sudoer && echo -n '${sudoer_msg} ' || echo '${not_sudoer_msg}'; set_sudo_command; echo SUDO=\${SUDO}"
+
+# Kill running che server instance if there is any to be able to run tests
+setup() {
+  kill_running_named_container ${CONTAINER_NAME}
+  remove_named_container ${CONTAINER_NAME}
+  docker run --name="${CONTAINER_NAME}" -d -v ${script_host_path}:/launch.sh "${DOCKER_IMAGE}"
+}
+
+teardown() {
+  kill_running_named_container "${CONTAINER_NAME}"
+  remove_named_container ${CONTAINER_NAME}
+}
+
+@test "should deduce that's root and sudoer when ${LAUNCHER_SCRIPT_TO_TEST} is run as root" {
+  #GIVEN
+  user="root"
+  expected_msg="${root_msg} ${sudoer_msg} SUDO="
+
+  #WHEN
+  run docker exec --user=${user} "${CONTAINER_NAME}" bash -c "${test_snippet}"
+
+  #THEN
+  assert_success
+#  assert_output --partial ${expected_msg}
+  assert_output ${expected_msg}
+}
+
+@test "should deduce that's not root but sudoer when ${LAUNCHER_SCRIPT_TO_TEST} is run as user with UID 1000" {
+  #GIVEN
+  user="1000"
+  expected_msg="${not_root_msg} ${sudoer_msg} SUDO=sudo -E"
+
+  #WHEN
+  run docker exec --user=${user} "${CONTAINER_NAME}" bash -c "${test_snippet}"
+
+  #THEN
+  assert_success
+#  assert_output --partial ${expected_msg}
+  assert_output ${expected_msg}
+}
diff --git a/agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh b/agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Copyright (c) 2012-2017 Red Hat, Inc
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+#
+# Contributors:
+#   Mario
+#
+# How to run this script:
+#   cd <root of che local git repository>
+#   sh agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh
+#
+
+#images=(bitnami/che-codeigniter:3.1.3-r6 bitnami/che-express:4.15.3-r2 bitnami/che-java-play:1.3.12-r3 bitnami/che-laravel:5.4.23-r1 bitnami/che-rails:5.1.2-r0 bitnami/che-swift:3.1.1-r0 bitnami/che-symfony:3.3.2-r0 eclipse/centos_jdk8 eclipse/cpp_gcc eclipse/debian_jdk8 eclipse/debian_jre eclipse/dotnet_core eclipse/hadoop-dev eclipse/kotlin eclipse/node eclipse/php eclipse/php:5.6 eclipse/php:gae eclipse/selenium eclipse/ubuntu_android eclipse/ubuntu_go eclipse/ubuntu_jdk8 eclipse/ubuntu_jre eclipse/ubuntu_python:2.7 eclipse/ubuntu_python:gae_python2.7 eclipse/ubuntu_python:latest eclipse/ubuntu_rails kaloyanraev/che-zendserver registry.centos.org/che-stacks/centos-go registry.centos.org/che-stacks/centos-nodejs registry.centos.org/che-stacks/spring-boot registry.centos.org/che-stacks/vertx registry.centos.org/che-stacks/wildfly-swarm tomitribe/ubuntu_tomee_173_jdk8 registry.centos.org/che-stacks/centos-git)
+#arbitrary_images=(rhche/centos_jdk8 rhche/vertx rhche/ubuntu_jdk8 rhche/centos-nodejs rhche/spring-boot rhche/wildfly-swarm)
+images=(eclipse/centos_jdk8)
+arbitrary_images=(rhche/centos_jdk8)
+
+run_bats_test() {
+  export CHE_BASE_DIR=$(pwd)
+  export BATS_TEST_SCRIPT=${1}
+  export LAUNCHER_SCRIPT_TO_TEST=${2}
+  export DOCKER_IMAGE=${3}
+  docker run -ti --rm -e CHE_BASE_DIR -e LAUNCHER_SCRIPT_TO_TEST -e DOCKER_IMAGE \
+       -v ${CHE_BASE_DIR}/${BATS_TEST_SCRIPT}:/scripts/launcher_tests.bats \
+       -v ${CHE_BASE_DIR}/dockerfiles:/dockerfiles \
+       -v /var/run/docker.sock:/var/run/docker.sock \
+       eclipse/che-bats bats /scripts/launcher_tests.bats
+}
+
+for image in "${images[@]}"; do
+   launcher_script_to_test="wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh"
+   bats_test_script="agents/che-core-api-agent/src/test/resources/agents-launchers-tests.bats"
+   echo "RUNNING LAUNCHER BATS TESTS FOR IMAGE ${image}"
+   run_bats_test "${bats_test_script}" "${launcher_script_to_test}" "${image}"
+done
+
+for arbitrary_image in "${arbitrary_images[@]}"; do
+   launcher_script_to_test="wsagent/agent/src/main/resources/org.eclipse.che.ws-agent.script.sh"
+   bats_test_script="agents/che-core-api-agent/src/test/resources/agents-launchers-tests-arbitraryuser.bats"
+   echo "RUNNING LAUNCHER BATS TESTS FOR IMAGE ${arbitrary_image}"
+   run_bats_test "${bats_test_script}" "${launcher_script_to_test}"  "${arbitrary_image}"
+done
diff --git a/agents/exec/src/main/resources/org.eclipse.che.exec.script.sh b/agents/exec/src/main/resources/org.eclipse.che.exec.script.sh
@@ -9,8 +9,20 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
+
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-unset SUDO
 command -v tar >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" tar"; }
 CURL_INSTALLED=false
 WGET_INSTALLED=false
@@ -23,8 +35,6 @@ if [ ${CURL_INSTALLED} = false ] && [ ${WGET_INSTALLED} = false ]; then
   CURL_INSTALLED=true
 fi
 
-test "$(id -u)" = 0 || SUDO="sudo -E"
-
 CHE_DIR=$HOME/che
 LOCAL_AGENT_BINARIES_URI='/mnt/che/exec-agent/exec-agent-${PREFIX}.tar.gz'
 DOWNLOAD_AGENT_BINARIES_URI='${WORKSPACE_MASTER_URI}/agent-binaries/${PREFIX}/exec/exec-agent-${PREFIX}.tar.gz'

diff --git a/agents/ls-csharp/src/main/resources/org.eclipse.che.ls.csharp.script.sh b/agents/ls-csharp/src/main/resources/org.eclipse.che.ls.csharp.script.sh
@@ -9,11 +9,21 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-unset SUDO
 command -v tar >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" tar"; }
 command -v curl >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" curl"; }
-test "$(id -u)" = 0 || SUDO="sudo -E"
 
 AGENT_BINARIES_URI=https://codenvy.com/update/repository/public/download/org.eclipse.che.ls.csharp.binaries
 CHE_DIR=$HOME/che

diff --git a/agents/ls-json/src/main/resources/org.eclipse.che.ls.json.script.sh b/agents/ls-json/src/main/resources/org.eclipse.che.ls.json.script.sh
@@ -9,11 +9,21 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-unset SUDO
 command -v tar >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" tar"; }
 command -v curl >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" curl"; }
-test "$(id -u)" = 0 || SUDO="sudo -E"
 
 AGENT_BINARIES_URI=https://codenvy.com/update/repository/public/download/org.eclipse.che.ls.json.binaries
 CHE_DIR=$HOME/che

diff --git a/agents/ls-php/src/main/resources/org.eclipse.che.ls.php.script.sh b/agents/ls-php/src/main/resources/org.eclipse.che.ls.php.script.sh
@@ -9,11 +9,21 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-unset SUDO
 command -v tar >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" tar"; }
 command -v curl >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" curl"; }
-test "$(id -u)" = 0 || SUDO="sudo -E"
 
 AGENT_BINARIES_URI=https://codenvy.com/update/repository/public/download/org.eclipse.che.ls.php.binaries
 CHE_DIR=$HOME/che

diff --git a/agents/ls-python/src/main/resources/org.eclipse.che.ls.python.script.sh b/agents/ls-python/src/main/resources/org.eclipse.che.ls.python.script.sh
@@ -9,16 +9,25 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-unset SUDO
 unset PYTHON_DEPS
 command -v tar >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" tar"; }
 command -v curl >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" curl"; }
 command -v python3.5 >/dev/null 2>&1 || { PYTHON_DEPS=${PYTHON_DEPS}" python3.5"; }
 command -v pip3 >/dev/null 2>&1 || { PYTHON_DEPS=${PYTHON_DEPS}" pip3"; }
 
-test "$(id -u)" = 0 || SUDO="sudo -E"
-
 AGENT_BINARIES_URI=https://codenvy.com/update/repository/public/download/org.eclipse.che.ls.python.binaries
 CHE_DIR=$HOME/che
 LS_DIR=${CHE_DIR}/ls-python

diff --git a/agents/ls-typescript/src/main/resources/org.eclipse.che.ls.typescript.script.sh b/agents/ls-typescript/src/main/resources/org.eclipse.che.ls.typescript.script.sh
@@ -9,11 +9,21 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-unset SUDO
 command -v tar >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" tar"; }
 command -v curl >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" curl"; }
-test "$(id -u)" = 0 || SUDO="sudo -E"
 
 AGENT_BINARIES_URI=https://codenvy.com/update/repository/public/download/org.eclipse.che.ls.typescript.binaries
 CHE_DIR=$HOME/che

diff --git a/agents/ssh/src/main/resources/org.eclipse.che.ssh.script.sh b/agents/ssh/src/main/resources/org.eclipse.che.ssh.script.sh
@@ -9,9 +9,19 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
-unset SUDO
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-test "$(id -u)" = 0 || SUDO="sudo -E"
 
 if [ -f /etc/centos-release ]; then
     FILE="/etc/centos-release"

diff --git a/agents/terminal/src/main/resources/org.eclipse.che.terminal.script.sh b/agents/terminal/src/main/resources/org.eclipse.che.terminal.script.sh
@@ -9,8 +9,19 @@
 #   Codenvy, S.A. - initial API and implementation
 #
 
+is_current_user_root() {
+    test "$(id -u)" = 0
+}
+
+is_current_user_sudoer() {
+    sudo -n true > /dev/null 2>&1
+}
+
+set_sudo_command() {
+    if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
+}
+
 unset PACKAGES
-unset SUDO
 command -v tar >/dev/null 2>&1 || { PACKAGES=${PACKAGES}" tar"; }
 CURL_INSTALLED=false
 WGET_INSTALLED=false
@@ -23,8 +34,6 @@ if [ ${CURL_INSTALLED} = false ] && [ ${WGET_INSTALLED} = false ]; then
   CURL_INSTALLED=true
 fi
 
-test "$(id -u)" = 0 || SUDO="sudo -E"
-
 CHE_DIR=$HOME/che
 LOCAL_AGENT_BINARIES_URI='/mnt/che/terminal/websocket-terminal-${PREFIX}.tar.gz'
 DOWNLOAD_AGENT_BINARIES_URI='${WORKSPACE_MASTER_URI}/agent-binaries/${PREFIX}/terminal/websocket-terminal-${PREFIX}.tar.gz'