From c511e37f9eeef034ae19e6fd3a4580bad0fb2db8 Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Wed, 27 Nov 2024 09:14:01 -0400 Subject: [PATCH 1/7] Support for Polkit 124 The "new" polkit (version 124 and above) introduced a lot of changes in its behavior. This commit updates the privilege escalation policy manager to be able to correctly identify which polkit version is running in the client and apply the policy properly --- internal/policies/privilege/privilege.go | 226 +++++++++++++++++++++-- 1 file changed, 212 insertions(+), 14 deletions(-) diff --git a/internal/policies/privilege/privilege.go b/internal/policies/privilege/privilege.go index 17631e568..4261ac312 100644 --- a/internal/policies/privilege/privilege.go +++ b/internal/policies/privilege/privilege.go @@ -22,6 +22,8 @@ import ( "io/fs" "os" "path/filepath" + "regexp" + "slices" "sort" "strings" 
@@ -43,24 +45,57 @@ import ( We are modifying 2 files: - one for sudo, named 99-adsys-privilege-enforcement in sudoers.d - - one under 99-adsys-privilege-enforcement.conf for policykit + - one under 00-adsys-privilege-enforcement.rules for policykit Both are installed under respective /etc directories. */ -const adsysBaseConfName = "99-adsys-privilege-enforcement" +const ( + adsysBaseSudoersName = "99-adsys-privilege-enforcement" + + adsysOldPolkitName = "99-adsys-privilege-enforcement" + adsysBasePolkitName = "00-adsys-privilege-enforcement" + + polkitSystemReservedPath = "/usr/share/polkit-1" +) + +// Templates to generate the polkit configuration files. +const ( + policyKitConfTemplate = "%s[Configuration]\nAdminIdentities=%s" + policyKitRulesTemplate = `%spolkit.addAdminRule(function(action, subject){ + return [%s]; +});` +) + +type option struct { + policyKitSystemDir string +} + +// Option is a functional option for the manager. +type Option func(*option) // Manager prevents running multiple privilege update process in parallel while parsing policy in ApplyPolicy. type Manager struct { sudoersDir string policyKitDir string + + // This is for testing purposes only + policyKitSystemDir string } // NewWithDirs creates a manager with a specific root directory. -func NewWithDirs(sudoersDir, policyKitDir string) *Manager { +func NewWithDirs(sudoersDir, policyKitDir string, opts ...Option) *Manager { + o := &option{ + policyKitSystemDir: polkitSystemReservedPath, + } + for _, opt := range opts { + opt(o) + } + return &Manager{ - sudoersDir: sudoersDir, - policyKitDir: policyKitDir, + sudoersDir: sudoersDir, + policyKitDir: policyKitDir, + policyKitSystemDir: o.policyKitSystemDir, } } 
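Review bot: The comment `// This is for testing purposes only` on `Manager.policyKitSystemDir` is misleading: `NewWithDirs` defaults the field to `polkitSystemReservedPath` and it is the path that `ApplyPolicy` hands to `isOldPolkit` and to the rules parser in production, so only the override is test-only. Suggest `// Directory holding the distribution's polkit rules (/usr/share/polkit-1); overridable through an Option for tests.` Also, `adsysBaseSudoersName` and `adsysOldPolkitName` are now two constants with the same value; a short comment that they are intentionally independent (the sudoers file name does not migrate) would stop a later cleanup from merging them.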
@@ -77,12 +112,19 @@ func (m *Manager) ApplyPolicy(ctx context.Context, objectName string, isComputer if sudoersDir == "" { sudoersDir = consts.DefaultSudoersDir } + sudoersConf := filepath.Join(sudoersDir, adsysBaseSudoersName) + policyKitDir := m.policyKitDir if policyKitDir == "" { policyKitDir = consts.DefaultPolicyKitDir } - sudoersConf := filepath.Join(sudoersDir, adsysBaseConfName) - policyKitConf := filepath.Join(policyKitDir, "localauthority.conf.d", adsysBaseConfName+".conf") + policyKitConf := filepath.Join(policyKitDir, "rules.d", adsysBasePolkitName+".rules") + + // Polkit versions before 124 use a different directory for admin configuration and a different file extension and syntax + var oldPolkit bool + if oldPolkit = isOldPolkit(policyKitDir, m.policyKitSystemDir); oldPolkit { + policyKitConf = filepath.Join(policyKitDir, "localauthority.conf.d", adsysOldPolkitName+".conf") + } log.Debugf(ctx, "Applying privilege policy to %s", objectName) @@ -119,7 +161,7 @@ func (m *Manager) ApplyPolicy(ctx context.Context, objectName string, isComputer } defer policyKitConfF.Close() - systemPolkitAdmins, err := getSystemPolkitAdminIdentities(ctx, policyKitDir) + systemPolkitAdmins, err := m.getSystemPolkitAdminIdentities(ctx, policyKitDir, oldPolkit) if err != nil { return err } 
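Review bot: `var oldPolkit bool` followed by `if oldPolkit = isOldPolkit(policyKitDir, m.policyKitSystemDir); oldPolkit {` hides the assignment inside the if-initializer for a variable that is used throughout the function; the plain form `oldPolkit := isOldPolkit(policyKitDir, m.policyKitSystemDir)` then `if oldPolkit { policyKitConf = filepath.Join(policyKitDir, "localauthority.conf.d", adsysOldPolkitName+".conf") }` reads more directly. The `00-` prefix is what makes the generated file win on a new polkit (the parser in the same commit documents that the lowest ASCII name is evaluated first), and that is worth stating where the path is built: `// 00- prefix: evaluated before any other rules.d file, which is what makes this policy authoritative`. ApplyPolicy starts and ends outside these two hunks.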
@@ -178,17 +220,31 @@ func (m *Manager) ApplyPolicy(ctx context.Context, objectName string, isComputer } // PolicyKitConf files depends on multiple keys, so we need to write it at the end if !allowLocalAdmins || polkitAdditionalUsersGroups != nil { - users := strings.Join(polkitAdditionalUsersGroups, ";") + polkitTemplate := policyKitRulesTemplate + sep := "," + if oldPolkit { + polkitTemplate = policyKitConfTemplate + sep = ";" + } + + // We need to write username between "" in the new format (Polkit version >= 124) + if !oldPolkit { + for i, user := range polkitAdditionalUsersGroups { + polkitAdditionalUsersGroups[i] = fmt.Sprintf("\"%s\"", user) + } + } + users := strings.Join(polkitAdditionalUsersGroups, sep) + // We need to set system local admin here as we override the key from the previous file // otherwise, they will be disabled. if allowLocalAdmins { if systemPolkitAdmins != "" { - systemPolkitAdmins += ";" + systemPolkitAdmins += sep } users = systemPolkitAdmins + users } - if _, err := policyKitConfF.WriteString(fmt.Sprintf("%s[Configuration]\nAdminIdentities=%s", header, users) + "\n"); err != nil { + if _, err := policyKitConfF.WriteString(fmt.Sprintf(polkitTemplate, header, users) + "\n"); err != nil { return err } } @@ -201,6 +257,14 @@ func (m *Manager) ApplyPolicy(ctx context.Context, objectName string, isComputer return err } + // If we applied the policy in the new format (Polkit version >= 124), we need to remove the old one + if !oldPolkit { + err := os.Remove(filepath.Join(policyKitDir, "localauthority.conf.d", adsysOldPolkitName+".conf")) + if err != nil && !errors.Is(err, fs.ErrNotExist) { + log.Debug(ctx, gotext.Get("Failed to remove old polkit configuration file: %v", err)) + } + } + return nil } 
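Review bot: In the new-format branch, `polkitAdditionalUsersGroups[i] = fmt.Sprintf("\"%s\"", user)` interpolates each identity into JavaScript that polkit evaluates without any escaping, so a value containing `"` or `\` would break or alter the generated `polkit.addAdminRule` and, through it, who is granted admin rights; the values come from the GPO `client-admins` entry via `splitAndNormalizeUsersAndGroups`, whose normalisation is not visible in this hunk, so I cannot confirm they are already constrained. Escape at least backslash and double quote, e.g. `escaped := strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(user)` and `polkitAdditionalUsersGroups[i] = "\"" + escaped + "\""`, or reject values containing quotes, backslashes or line breaks before they reach the template. The loop also rewrites the slice in place instead of building a quoted copy, which is only safe while no later code expects the raw values. ApplyPolicy continues outside the hunk.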
@@ -243,10 +307,113 @@ func splitAndNormalizeUsersAndGroups(ctx context.Context, v string) []string { return elems } -// getSystemPolkitAdminIdentities returns the list of configured system polkit admins as a string. +// getSystemPolkitAdminIdentities parses the system polkit configuration (based on its version) to get the +// list of admin identities. +func (m *Manager) getSystemPolkitAdminIdentities(ctx context.Context, policyKitDir string, oldPolkit bool) (adminIdentities string, err error) { + if oldPolkit { + return polkitAdminIdentitiesFromConf(ctx, policyKitDir) + } + return polkitAdminIdentitiesFromRules(ctx, []string{ + policyKitDir, + m.policyKitSystemDir, + }) +} + +// polkitAdminIdentitiesFromRules parses the polkit rules files to get the list of admin identities. +// +// Since polkit >= 124 now only cares about the first valid return, this function will sort the files from all the +// specified directories (priority: lesser ascii value, higher priority), parse them and identify the first valid return. +func polkitAdminIdentitiesFromRules(ctx context.Context, rulesDirPaths []string) (adminIdentities string, err error) { + // Compile the regex needed to parse the polkit admin rules. + // Matches: polkit.addAdminRule(function(action, subject){(.*)}); + adminRulesRegex, err := regexp.Compile(`polkit\.addAdminRule\s*\(\s*function\s*\(\s*action\s*\,\s*subject\s*\)\s*{\s*[^\}]*}\s*\)\s*\;`) + if err != nil { + return "", err + } + // Matches for: { return [(.*)] } + returnRegex, err := regexp.Compile(`\{\s*return\s*\[(\s*([^\]]*))*\s*\]\s*;\s*\}`) + if err != nil { + return "", err + } + // Matches for: "someuser" or 'someuser' + userRegex, err := regexp.Compile(`(["']+([^,]*)["']+)`) + if err != nil { + return "", err + } + + var ruleFiles []string + for _, path := range rulesDirPaths { + files, err := filepath.Glob(filepath.Join(path, "rules.d", "*.rules")) + if err != nil { + return "", err + } + ruleFiles = append(ruleFiles, files...) 
+ } + + // Sort the files respecting the priority that Polkit assigns to them. + slices.SortFunc(ruleFiles, func(i, j string) int { + // If the files have different name, we return the one with the lowest ascii value. + if order := strings.Compare(filepath.Base(i), filepath.Base(j)); order != 0 { + return order + } + + // If the files have the same name, we respect the directory priority in rulesDirPaths (lesser index, higher prio). + var idxI, idxJ int + for idx, dir := range rulesDirPaths { + if strings.Contains(i, dir) { + idxI = idx + } + if strings.Contains(j, dir) { + idxJ = idx + } + } + return idxI - idxJ + }) + + for _, path := range ruleFiles { + if filepath.Base(path) == adsysBasePolkitName+".rules" { + continue + } + + b, err := os.ReadFile(path) + if err != nil { + pathErr := &os.PathError{} + if errors.As(err, &pathErr) && pathErr.Op == "open" { + // This means that we couldn't open the file for reading, likely due to permission errors. + // If so, we can not ensure that we will match the expected admin identities from the system + // and we should return an error. + return "", err + } + // If we get an error when reading the file, it's likely due to it being a directory. + // This case we can ignore and continue to the next file. + log.Debug(ctx, gotext.Get("Ignoring %s: %v", path, err)) + continue + } + rules := string(b) + + // Check if the file contains the rule we are looking for + if !strings.Contains(rules, "polkit.addAdminRule") { + continue + } + + for _, adminRule := range adminRulesRegex.FindAllString(rules, -1) { + returnStmt := returnRegex.FindString(adminRule) + if returnStmt == "" { + continue + } + + log.Debug(ctx, gotext.Get("Using polkit admin identities from %q", path)) + return strings.Join(userRegex.FindAllString(returnStmt, -1), ","), nil + } + } + + return adminIdentities, nil +} + +// polkitAdminIdentitiesFromConf returns the list of configured system polkit admins as a string. 
// It lists /etc/polkit-1/localauthority.conf.d and take the highest file in ascii order to match // from the [configuration] section AdminIdentities value. -func getSystemPolkitAdminIdentities(ctx context.Context, policyKitDir string) (adminIdentities string, err error) { +func polkitAdminIdentitiesFromConf(ctx context.Context, policyKitDir string) (adminIdentities string, err error) { defer decorate.OnError(&err, gotext.Get("can't get existing system polkit administrators in %s", policyKitDir)) polkitConfFiles, err := filepath.Glob(filepath.Join(policyKitDir, "localauthority.conf.d", "*.conf")) @@ -265,7 +432,7 @@ func getSystemPolkitAdminIdentities(ctx context.Context, policyKitDir string) (a } // Ignore ourself - if filepath.Base(p) == adsysBaseConfName+".conf" { + if filepath.Base(p) == adsysOldPolkitName+".conf" { continue } 
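Review bot: `adminRulesRegex` ends its function-body match at the first `}` (`[^\}]*`), so any `polkit.addAdminRule` whose body contains a nested block (an `if`, a `for`) is silently skipped and the loop moves on to a lower-priority file, whose identities are then written into the highest-priority `00-` rules file — a parse miss changes the effective admin set instead of surfacing. When a file contains `polkit.addAdminRule` but none of its rules yields a return statement, log that above debug level so the mismatch is visible, rather than just continuing. The three `regexp.Compile` calls also run on every invocation with unreachable error branches; package-level `var adminRulesRegex = regexp.MustCompile(...)` (and likewise for the other two) is the usual form. In the sort callback, `strings.Contains(i, dir)` should be `strings.HasPrefix(i, dir)`, since one rules directory path may be a substring of another. The hunk ends inside the body of `polkitAdminIdentitiesFromConf`.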
@@ -279,3 +446,34 @@ func getSystemPolkitAdminIdentities(ctx context.Context, policyKitDir string) (a return adminIdentities, nil } + +// isOldPolkit checks current polkit-1 configuration to determine if the current version < 124. +// +// To determine the version, we follow the steps: +// 1. If the old configuration directory does not exist or is empty -> version < 124. +// 2. If the old configuration directory only contains the adsys generated file -> version < 124. +// +// If the previous checks are valid, we still need to check if the new configuration file exists as the user +// could have installed the compatibility package (polkitd-pkla), which adds old configuration files even if +// the polkit version is >= 124. +func isOldPolkit(policyKitDir, policyKitReservedDir string) bool { + dirEntries, err := os.ReadDir(filepath.Join(policyKitDir, "localauthority.conf.d")) + nEntries := len(dirEntries) + if err != nil || nEntries == 0 { + return false + } + + // If the directory only contains the adsys generated file, we can assume that the version is >= 124 + if nEntries == 1 && dirEntries[0].Name() == adsysOldPolkitName+".conf" { + return false + } + + // If the old directory isn't empty and there's no new configuration file, we can assume that the version is < 124. + if _, err := os.Stat(filepath.Join(policyKitReservedDir, "rules.d/49-ubuntu-admin.rules")); err != nil { + return true + } + + // If the new configuration file exists but the old directory is not empty, it likely means that the user + // installed the compatibility package (polkitd-pkla), but polkit version is still >= 124. + return false +} From 5cc63d94101a5fdfe2910413444bb522f00e7e25 Mon Sep 17 00:00:00 2001 
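Review bot: The doc comment on `isOldPolkit` contradicts the code: steps 1 and 2 say `-> version < 124`, but both corresponding branches `return false`, i.e. they conclude the new polkit. Suggest `// 1. If the old configuration directory does not exist or is empty -> version >= 124.` and `// 2. If the old configuration directory only contains the adsys generated file -> version >= 124.`. Two further points: a read error on `localauthority.conf.d` is folded into the "new polkit" answer by `err != nil || nEntries == 0`, so an unreadable directory silently flips the format the policy is written in and deserves a comment stating that this is deliberate; and `"rules.d/49-ubuntu-admin.rules"` hard-codes an Ubuntu-specific marker file, so `filepath.Join(policyKitReservedDir, "rules.d", "49-ubuntu-admin.rules")` plus a comment naming that assumption would help whoever ports this to another distribution.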
From: denisonbarbosa Date: Wed, 27 Nov 2024 09:20:22 -0400 Subject: [PATCH 2/7] Add test for new AdminIdentitiesFromRules function This is likely the most sensitive part of this update, since we need to ensure we properly parse the existing files so we don't damage the current admin structure of the client. Therefore, it deserves a unit test --- internal/policies/privilege/internal_test.go | 64 ++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/internal/policies/privilege/internal_test.go b/internal/policies/privilege/internal_test.go index 4c5c0fb9d..8b982440f 100644 --- a/internal/policies/privilege/internal_test.go +++ b/internal/policies/privilege/internal_test.go 
@@ -102,3 +102,67 @@ func TestGetSystemPolkitAdminIdentities(t *testing.T) { }) } } + +func TestPolkitAdminIdentitiesFromRules(t *testing.T) { + t.Parallel() + + tests := map[string]struct { + policyKitDirs []string + + emptyReturn bool + }{ + "Fetch previous admin identities": { + policyKitDirs: []string{"existing-previous-local-admins-one/etc/polkit-1"}, + }, + "Fetch previous admin identities from lower ascii file": { + policyKitDirs: []string{"existing-previous-local-admins-multi/etc/polkit-1"}, + }, + "Fetch previous admin identities ignoring adsys": { + policyKitDirs: []string{"existing-previous-local-admins-with-adsys-file/etc/polkit-1"}, + }, + + // Rules-specific cases + "Consider only first returned value": { + policyKitDirs: []string{"existing-previous-local-admins-return-early/etc/polkit-1"}, + }, + "Prioritize first specified directory if files have same ascii": { + policyKitDirs: []string{"multiple-polkit-dirs-same-file/etc/polkit-1", "multiple-polkit-dirs-same-file/etc/polkit-2"}, + }, + "Prioritize lower ascii file even if on second directory": { + policyKitDirs: []string{"multiple-polkit-dirs-diff-file/etc/polkit-1", "multiple-polkit-dirs-diff-file/etc/polkit-2"}, + }, + + // Edge cases + "No previous admin identities but regular directory structure": { + policyKitDirs: []string{"existing-other-files/etc/polkit-1"}, + emptyReturn: true, + }, + "Returns an empty string if directory does not exists": { + policyKitDirs: []string{"doesnotexists"}, + emptyReturn: true, + }, + "Directory instead of a conf file is ignored": { + policyKitDirs: []string{"incorrect-policikit-conf-is-dir/etc/polkit-1"}, + emptyReturn: true, + }, + } + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + t.Parallel() + + for i, dir := range tc.policyKitDirs { + tc.policyKitDirs[i] = filepath.Join("testdata", dir) + } + + got, err := polkitAdminIdentitiesFromRules(context.Background(), tc.policyKitDirs) + require.NoError(t, err, "getSystemPolkitAdminIdentities 
failed but shouldn't have") + + if tc.emptyReturn { + require.Empty(t, got) + return + } + want := testutils.LoadWithUpdateFromGolden(t, got) + require.Equal(t, want, got) + }) + } +} From 8405364a246eb279b502a87ce4e2e0e54c172e05 Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Wed, 27 Nov 2024 09:22:57 -0400 Subject: [PATCH 3/7] Allow overriding the default polkit path in tests --- internal/policies/privilege/export_test.go | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 internal/policies/privilege/export_test.go diff --git a/internal/policies/privilege/export_test.go b/internal/policies/privilege/export_test.go new file mode 100644 index 000000000..7c06b0c2e --- /dev/null +++ b/internal/policies/privilege/export_test.go @@ -0,0 +1,8 @@ +package privilege + +// WithPolicyKitSystemDir sets the directory where the default policykit files are stored. +func WithPolicyKitSystemDir(dir string) func(*option) { + return func(o *option) { + o.policyKitSystemDir = dir + } +} From 3ec1da5213fdcbb5ec647892f6ca045da45f365c Mon Sep 17 00:00:00 2001 From: denisonbarbosa Date: Wed, 27 Nov 2024 09:19:50 -0400 Subject: [PATCH 4/7] Update existing test with newer format --- internal/policies/privilege/internal_test.go | 39 ++++----- internal/policies/privilege/privilege_test.go | 86 ++++++++++--------- 2 files changed, 62 insertions(+), 63 deletions(-) diff --git a/internal/policies/privilege/internal_test.go b/internal/policies/privilege/internal_test.go index 8b982440f..206a7b651 100644 --- a/internal/policies/privilege/internal_test.go +++ b/internal/policies/privilege/internal_test.go @@ -2,10 +2,12 @@ package privilege import ( "context" + "path/filepath" "testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + "github.com/ubuntu/adsys/internal/testutils" ) func TestSplitAndNormalizeUsersAndGroups(t *testing.T) { 
@@ -62,43 +64,36 @@ func TestSplitAndNormalizeUsersAndGroups(t *testing.T) { } } -func TestGetSystemPolkitAdminIdentities(t *testing.T) { +func TestPolkitAdminIdentitiesFromConf(t *testing.T) { t.Parallel() tests := map[string]struct { policyKitDir string - want string - wantErr bool + emptyReturn bool }{ - "Fetch previous admin identities": {policyKitDir: "testdata/existing-previous-local-admins-one/polkit-1", - want: "unix-user:local50admin1;unix-user:local50admin2"}, - "Fetch previous admin identities from highest ascii file": {policyKitDir: "testdata/existing-previous-local-admins-multi/polkit-1", - want: "unix-user:local50admin1;unix-user:local50admin2"}, - "Fetch previous admin identities ignoring adsys": {policyKitDir: "testdata/existing-previous-local-admins-with-adsys-file/polkit-1", - want: "unix-user:local50admin1;unix-user:local50admin2"}, + "Fetch previous admin identities": {policyKitDir: "old-polkit/etc/polkit-1"}, + "Fetch previous admin identities from highest ascii file": {policyKitDir: "old-polkit-multiple-files/etc/polkit-1"}, + "Fetch previous admin identities ignoring adsys": {policyKitDir: "old-polkit/etc/polkit-1"}, // Edge cases - "No previous admin identities but regular directory structure": {policyKitDir: "testdata/existing-other-files/polkit-1", - want: ""}, - "Returns an empty string if directory does not exists": {policyKitDir: "testdata/doesnotexists", - want: ""}, - "Directory instead of a conf file is ignored": {policyKitDir: "testdata/incorrect-policikit-conf-is-dir/polkit-1", - want: ""}, + "No previous admin identities but regular directory structure": {policyKitDir: "existing-other-files/etc/polkit-1", emptyReturn: true}, + "Returns an empty string if directory does not exists": {policyKitDir: "doesnotexists", emptyReturn: true}, + "Directory instead of a conf file is ignored": {policyKitDir: "incorrect-policikit-conf-is-dir/etc/polkit-1", emptyReturn: true}, } - for name, tc := range tests { t.Run(name, func(t *testing.T) { 
t.Parallel() - got, err := getSystemPolkitAdminIdentities(context.Background(), tc.policyKitDir) - if tc.wantErr { - require.NotNil(t, err, "getSystemPolkitAdminIdentities should have failed but didn't") + got, err := polkitAdminIdentitiesFromConf(context.Background(), filepath.Join("testdata", tc.policyKitDir)) + require.NoError(t, err, "polkitAdminIdentitiesFromConf failed but shouldn't have") + + if tc.emptyReturn { + require.Empty(t, got) return } - require.NoError(t, err, "ApplyPolicy failed but shouldn't have") - - assert.Equal(t, tc.want, got, "getSystemPolkitAdminIdentities returned expected value") + want := testutils.LoadWithUpdateFromGolden(t, got) + require.Equal(t, want, got, "polkitAdminIdentitiesFromConf did not return expected value") }) } } diff --git a/internal/policies/privilege/privilege_test.go b/internal/policies/privilege/privilege_test.go index db74be85c..b83a97d8a 100644 --- a/internal/policies/privilege/privilege_test.go +++ b/internal/policies/privilege/privilege_test.go @@ -19,12 +19,13 @@ func TestApplyPolicy(t *testing.T) { defaultLocalAdminDisabledRule := []entry.Entry{{Key: "allow-local-admins", Disabled: true}} tests := map[string]struct { - notComputer bool - entries []entry.Entry - existingSudoersDir string - existingPolkitDir string - makeReadOnly string - destIsDir string + notComputer bool + entries []entry.Entry + + destIsDir string + makeReadOnly string + existingFS string + polkitSystemReservedPath string wantErr bool }{ @@ -45,7 +46,7 @@ func TestApplyPolicy(t *testing.T) { {Key: "allow-local-admins", Disabled: true}, {Key: "client-admins", Value: "alice@domain.com"}}}, "Disallow local admins with previous local admin conf and set client admins": { - existingPolkitDir: "existing-previous-local-admins-multi", + existingFS: "existing-previous-local-admins-multi", entries: []entry.Entry{ {Key: "allow-local-admins", Disabled: true}, {Key: "client-admins", Value: "alice@domain.com"}}}, 
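Review bot: `"Fetch previous admin identities"` and `"Fetch previous admin identities ignoring adsys"` now point at the same fixture, `old-polkit/etc/polkit-1`, so the second case only exercises the adsys-skip branch if that fixture contains a `99-adsys-privilege-enforcement.conf`; the assets commit further down does add such files, but its truncated diffstat does not show which fixture they belong to. A dedicated fixture, or a comment on the case stating that `old-polkit` carries the adsys file, would make the intent visible. The `assert` import is no longer used by this test after the `assert.Equal` line was removed; if `TestSplitAndNormalizeUsersAndGroups` (outside the hunk) does not use it either, the import should go.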
@@ -53,81 +54,84 @@ func TestApplyPolicy(t *testing.T) { {Key: "allow-local-admins", Disabled: false}, {Key: "client-admins", Value: "alice@domain.com"}}}, "Allow local admins with previous local admin conf (simple) and set client admins": { - existingPolkitDir: "existing-previous-local-admins-one", + existingFS: "existing-previous-local-admins-one", entries: []entry.Entry{ {Key: "allow-local-admins", Disabled: false}, {Key: "client-admins", Value: "alice@domain.com"}}}, "Allow local admins with previous local admin conf and set client admins": { - existingPolkitDir: "existing-previous-local-admins-multi", + existingFS: "existing-previous-local-admins-multi", entries: []entry.Entry{ {Key: "allow-local-admins", Disabled: false}, {Key: "client-admins", Value: "alice@domain.com"}}}, "Allow local admins with previous local admin conf (with adsys file) and set client admins": { - existingPolkitDir: "existing-previous-local-admins-with-adsys-file", + existingFS: "existing-previous-local-admins-with-adsys-file", entries: []entry.Entry{ {Key: "allow-local-admins", Disabled: false}, {Key: "client-admins", Value: "alice@domain.com"}}}, // Overwrite existing files "No rules and no existing history means no files": {}, - "Overwrite existing sudoers file": {existingSudoersDir: "existing-files", entries: defaultLocalAdminDisabledRule}, - "Overwrite existing polkit file": {existingPolkitDir: "existing-files", entries: defaultLocalAdminDisabledRule}, - "No rules still overwrite those files": {existingSudoersDir: "existing-files", existingPolkitDir: "existing-files"}, - "Don't overwrite other existing files": {existingSudoersDir: "existing-other-files", existingPolkitDir: "existing-other-files", entries: defaultLocalAdminDisabledRule}, + "Overwrite existing sudoers file": {existingFS: "existing-files", entries: defaultLocalAdminDisabledRule}, + "Overwrite existing polkit file": {existingFS: "existing-files", entries: defaultLocalAdminDisabledRule}, + "No rules still overwrite those 
files": {existingFS: "existing-files"}, + "Don't overwrite other existing files": {existingFS: "existing-other-files", entries: defaultLocalAdminDisabledRule}, + + // Migration + "Create on new polkit version and remove old file": {existingFS: "existing-old-adsys-conf", entries: []entry.Entry{{Key: "client-admins", Value: "alice@domain.com"}}}, + "Assume old polkit if cant read system reserved path": {existingFS: "old-polkit", entries: []entry.Entry{{Key: "client-admins", Value: "alice@domain.com"}}, polkitSystemReservedPath: "doesnotexist"}, // Not a computer, don’t do anything (even not create new files) - "Not a computer": {notComputer: true, existingSudoersDir: "existing-other-files", existingPolkitDir: "existing-other-files"}, + "Not a computer": {notComputer: true, existingFS: "existing-other-files"}, // Error cases - "Error on writing to sudoers file": {makeReadOnly: "sudoers.d/", existingSudoersDir: "existing-files", existingPolkitDir: "existing-files", entries: defaultLocalAdminDisabledRule, wantErr: true}, - "Error on writing to polkit subdirectory creation": {makeReadOnly: "polkit-1/", existingSudoersDir: "existing-files", existingPolkitDir: "only-base-polkit-dir", entries: defaultLocalAdminDisabledRule, wantErr: true}, - "Error on writing to polkit conf file": {makeReadOnly: "polkit-1/localauthority.conf.d", existingSudoersDir: "existing-files", existingPolkitDir: "existing-files", entries: defaultLocalAdminDisabledRule, wantErr: true}, - "Error on creating sudoers and polkit base directory": {makeReadOnly: ".", entries: defaultLocalAdminDisabledRule, wantErr: true}, - "Error if can’t rename to destination for sudoers file": {destIsDir: "sudoers.d/99-adsys-privilege-enforcement", entries: defaultLocalAdminDisabledRule, wantErr: true}, - "Error if can’t rename to destination for polkit conf file": {destIsDir: "polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf", entries: defaultLocalAdminDisabledRule, wantErr: true}, + "Error on writing 
to sudoers file": {makeReadOnly: "etc/sudoers.d/", existingFS: "existing-files", entries: defaultLocalAdminDisabledRule, wantErr: true}, + "Error on writing to polkit subdirectory creation": {makeReadOnly: "etc/polkit-1/", existingFS: "only-base-polkit-dir", entries: defaultLocalAdminDisabledRule, wantErr: true}, + "Error on writing to polkit conf file": {makeReadOnly: "etc/polkit-1/rules.d", existingFS: "existing-files", entries: defaultLocalAdminDisabledRule, wantErr: true}, + "Error on creating sudoers and polkit base directory": {makeReadOnly: "etc", entries: defaultLocalAdminDisabledRule, wantErr: true}, + "Error if can’t rename to destination for sudoers file": {destIsDir: "etc/sudoers.d/99-adsys-privilege-enforcement", entries: defaultLocalAdminDisabledRule, wantErr: true}, + "Error if can’t rename to destination for polkit conf file": {destIsDir: "etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules", entries: defaultLocalAdminDisabledRule, wantErr: true}, } for name, tc := range tests { t.Run(name, func(t *testing.T) { t.Parallel() - tempEtc := t.TempDir() - sudoersDir := filepath.Join(tempEtc, "sudoers.d") - policyKitDir := filepath.Join(tempEtc, "polkit-1") + tmp, err := os.MkdirTemp("", "privilege-test") + require.NoError(t, err, "Setup: Failed to create tempdir for tests") + t.Cleanup(func() { _ = os.RemoveAll(tmp) }) + tmpRootDir := filepath.Join(tmp, "root") - if tc.existingSudoersDir != "" { - require.NoError(t, - shutil.CopyTree( - filepath.Join("testdata", tc.existingSudoersDir, "sudoers.d"), sudoersDir, - &shutil.CopyTreeOptions{Symlinks: true, CopyFunction: shutil.Copy}), - "Setup: can't create initial sudoer directory") + if tc.existingFS != "" { + err = shutil.CopyTree(filepath.Join("testdata", tc.existingFS), tmpRootDir, &shutil.CopyTreeOptions{Symlinks: true, CopyFunction: shutil.Copy}) + require.NoError(t, err, "Setup: can't create initial filesystem") } - if tc.existingPolkitDir != "" { - require.NoError(t, - shutil.CopyTree( - 
filepath.Join("testdata", tc.existingPolkitDir, "polkit-1"), policyKitDir, - &shutil.CopyTreeOptions{Symlinks: true, CopyFunction: shutil.Copy}), - "Setup: can't create initial polkit directory") + + sudoersDir := filepath.Join(tmpRootDir, "etc", "sudoers.d") + policyKitDir := filepath.Join(tmpRootDir, "etc", "polkit-1") + if tc.polkitSystemReservedPath == "" { + tc.polkitSystemReservedPath = filepath.Join(tmpRootDir, "usr", "share", "polkit-1") } + // make read only destination to not be able to overwrite or write into it if tc.makeReadOnly != "" { - testutils.MakeReadOnly(t, filepath.Join(tempEtc, tc.makeReadOnly)) + _ = os.MkdirAll(filepath.Join(tmpRootDir, tc.makeReadOnly), 0750) + testutils.MakeReadOnly(t, filepath.Join(tmpRootDir, tc.makeReadOnly)) } // Fake destination unwritable file if tc.destIsDir != "" { - require.NoError(t, os.MkdirAll(filepath.Join(tempEtc, tc.destIsDir), 0750), "Setup: can't create fake unwritable file") + require.NoError(t, os.MkdirAll(filepath.Join(tmpRootDir, tc.destIsDir), 0750), "Setup: can't create fake unwritable file") } - m := privilege.NewWithDirs(sudoersDir, policyKitDir) - err := m.ApplyPolicy(context.Background(), "ubuntu", !tc.notComputer, tc.entries) + m := privilege.NewWithDirs(sudoersDir, policyKitDir, privilege.WithPolicyKitSystemDir(tc.polkitSystemReservedPath)) + err = m.ApplyPolicy(context.Background(), "ubuntu", !tc.notComputer, tc.entries) if tc.wantErr { require.NotNil(t, err, "ApplyPolicy should have failed but didn't") return } require.NoError(t, err, "ApplyPolicy failed but shouldn't have") - testutils.CompareTreesWithFiltering(t, tempEtc, testutils.GoldenPath(t), testutils.UpdateEnabled()) + testutils.CompareTreesWithFiltering(t, filepath.Join(tmpRootDir, "etc"), testutils.GoldenPath(t), testutils.UpdateEnabled()) }) } } From 8713c6698ae25fce17977a20f4807d092932a95e Mon Sep 17 00:00:00 2001 
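Review bot: Replacing `t.TempDir()` with `os.MkdirTemp` plus `t.Cleanup(func() { _ = os.RemoveAll(tmp) })` drops the automatic cleanup-failure report and nothing in the hunk says why the switch was needed; a one-line comment above it (`// os.MkdirTemp instead of t.TempDir(): <reason>`) would save the next reader from reverting it. `_ = os.MkdirAll(filepath.Join(tmpRootDir, tc.makeReadOnly), 0750)` in the read-only setup ignores the error, so a failed mkdir would surface later as a confusing `MakeReadOnly` failure; `require.NoError(t, os.MkdirAll(filepath.Join(tmpRootDir, tc.makeReadOnly), 0750), "Setup: can't create read-only directory")` matches the neighbouring `destIsDir` setup. The hunk covers the whole loop body, but TestApplyPolicy starts before it.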
From: denisonbarbosa Date: Wed, 27 Nov 2024 09:10:31 -0400 Subject: [PATCH 5/7] Update tests golden files and assets --- .../polkit-1/localauthority.conf.d/.empty | 0 .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/localauthority.conf.d/.empty | 0 .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/localauthority.conf.d}/.empty | 0 .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/localauthority.conf.d/.empty | 0 .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/localauthority.conf.d}/.empty | 0 .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 4 ++++ .../99-adsys-privilege-enforcement.conf | 1 + .../polkit-1/localauthority.conf.d/.empty | 0 .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/localauthority.conf.d/.empty | 0 .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/localauthority.conf.d/.empty | 0 .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/localauthority.conf.d/.empty | 0 .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../00-adsys-privilege-enforcement.rules} | 0 .../localauthority.conf.d/50-local-admins.conf | 6 ------ .../99-adsys-privilege-enforcement.conf | 6 ------ 
.../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/rules.d/40-local-admins.rules | 7 +++++++ .../sudoers.d/40-local-admins | 0 .../localauthority.conf.d/40-local-admins.conf | 6 ------ .../localauthority.conf.d/50-local-admins.conf | 6 ------ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/rules.d/40-local-admins.rules | 7 +++++++ .../polkit-1/rules.d/50-local-admins.rules | 7 +++++++ .../sudoers.d/40-local-admins | 0 .../sudoers.d/50-local-admins | 0 .../localauthority.conf.d/40-local-admins.conf | 6 ------ .../localauthority.conf.d/50-local-admins.conf | 6 ------ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/rules.d/40-local-admins.rules | 7 +++++++ .../polkit-1/rules.d/50-local-admins.rules | 7 +++++++ .../sudoers.d/40-local-admins | 5 +++-- .../sudoers.d/50-local-admins | 0 .../rules.d/00-adsys-privilege-enforcement.rules | 5 +++-- .../localauthority.conf.d/50-ubuntu-admin.conf | 2 ++ .../99-adsys-privilege-enforcement.conf | 2 +- .../sudoers.d/99-adsys-privilege-enforcement} | 4 ++-- .../localauthority.conf.d/50-ubuntu-admin.conf | 2 ++ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../sudoers.d/99-adsys-privilege-enforcement} | 4 ++-- .../rules.d/00-adsys-privilege-enforcement.rules} | 5 +++-- .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../localauthority.conf.d/40-local-admins.conf | 6 ------ .../localauthority.conf.d/50-local-admins.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../polkit-1/rules.d/40-local-admins.rules | 7 +++++++ .../polkit-1/rules.d/50-local-admins.rules | 7 +++++++ .../sudoers.d/40-local-admins | 7 +++++++ .../sudoers.d/50-local-admins | 0 .../rules.d/00-adsys-privilege-enforcement.rules} | 5 +++-- .../notadsys.conf => rules.d/notadsys.rules} | 0 .../00-adsys-privilege-enforcement.rules} | 0 
.../00-adsys-privilege-enforcement.rules} | 0 .../polkit-1/rules.d/.empty} | 0 .../notadsys.conf => rules.d/notadsys.rules} | 0 .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules} | 5 +++-- .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../golden/fetch_previous_admin_identities | 1 + ..._previous_admin_identities_from_highest_ascii_file | 1 + .../fetch_previous_admin_identities_ignoring_adsys | 1 + .../golden/consider_only_first_returned_value | 1 + .../golden/fetch_previous_admin_identities | 1 + ...ch_previous_admin_identities_from_lower_ascii_file | 1 + .../fetch_previous_admin_identities_ignoring_adsys | 1 + ...first_specified_directory_if_files_have_same_ascii | 1 + ...itize_lower_ascii_file_even_if_on_second_directory | 1 + .../rules.d/00-adsys-privilege-enforcement.rules | 0 .../sudoers.d/99-adsys-privilege-enforcement | 0 .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../localauthority.conf.d/50-ubuntu-admin.conf | 2 ++ .../99-adsys-privilege-enforcement.conf | 0 .../etc/sudoers.d/99-adsys-privilege-enforcement} | 0 .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../notadsys => etc/polkit-1/rules.d/notadsys.rules} | 0 .../existing-other-files/etc/sudoers.d/notadsys | 3 +++ .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../etc/polkit-1/rules.d/40-local-admins.rules | 7 +++++++ .../etc/polkit-1/rules.d/50-local-admins.rules | 7 +++++++ 
.../etc/sudoers.d/40-local-admins | 7 +++++++ .../etc/sudoers.d/50-local-admins | 7 +++++++ .../localauthority.conf.d/40-local-admins.conf | 6 ------ .../localauthority.conf.d/50-local-admins.conf | 6 ------ .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../etc/polkit-1/rules.d/40-local-admins.rules | 7 +++++++ .../etc/sudoers.d/40-local-admins | 7 +++++++ .../localauthority.conf.d/50-local-admins.conf | 6 ------ .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../etc/polkit-1/rules.d/40-local-admins.rules | 11 +++++++++++ .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../etc/polkit-1/rules.d/40-local-admins.rules | 7 +++++++ .../etc/polkit-1/rules.d/50-local-admins.rules | 7 +++++++ .../etc/sudoers.d/40-local-admins | 7 +++++++ .../etc/sudoers.d/50-local-admins | 7 +++++++ .../sudoers.d/99-adsys-privilege-enforcement | 0 .../localauthority.conf.d/40-local-admins.conf | 6 ------ .../localauthority.conf.d/50-local-admins.conf | 6 ------ .../99-adsys-privilege-enforcement.conf | 6 ------ .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../rules.d/50-this-is-not-a-file.rules/somethinginit | 0 .../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../etc/polkit-1/rules.d/50-local-admins.rules | 7 +++++++ .../etc/polkit-2/rules.d/40-local-admins.rules | 7 +++++++ .../etc/polkit-1/rules.d/50-local-admins.rules | 7 +++++++ .../etc/polkit-2/rules.d/50-local-admins.rules | 7 +++++++ .../localauthority.conf.d/50-ubuntu-admin.conf | 2 ++ .../etc/polkit-1/localauthority.conf.d/75-admin.conf | 2 ++ .../99-adsys-privilege-enforcement.conf | 3 +++ .../etc/sudoers.d/99-adsys-privilege-enforcement | 3 +++ .../localauthority.conf.d/50-ubuntu-admin.conf | 2 ++ .../99-adsys-privilege-enforcement.conf | 3 +++ .../etc/sudoers.d/99-adsys-privilege-enforcement | 3 +++ .../testdata/only-base-polkit-dir/etc/polkit-1/.empty | 0 
.../usr/share/polkit-1/rules.d/49-ubuntu-admin.rules | 3 +++ .../etc/polkit-1/rules.d/.empty | 0 .../etc/polkit-1/rules.d/.empty" | 0 .../etc/polkit-1/rules.d/.empty" | 0 .../etc/polkit-1/rules.d/.empty | 0 .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ .../99-adsys-privilege-enforcement.conf | 6 ------ .../rules.d/00-adsys-privilege-enforcement.rules | 7 +++++++ 153 files changed, 442 insertions(+), 207 deletions(-) rename cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/{purge_machine_policies => already_up_to_date}/polkit-1/localauthority.conf.d/.empty (100%) create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/{purge_policies_for_all_cached_objects => does_not_error_when_certmonger_or_cepces_is_not_available}/polkit-1/localauthority.conf.d/.empty (100%) create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename {internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_and_no_existing_history_means_no_files => cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/localauthority.conf.d}/.empty (100%) create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename {internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_still_overwrite_those_files => cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)}/polkit-1/localauthority.conf.d/.empty (100%) create mode 100644 
cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/rules.d/00-adsys-privilege-enforcement.rules create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename {internal/policies/privilege/testdata/only-base-polkit-dir/polkit-1 => cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/localauthority.conf.d}/.empty (100%) delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename 
cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/{already_up_to_date => purge_machine_policies}/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf (74%) rename cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/{host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache => purge_policies_for_all_cached_objects}/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf (99%) rename {internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_deletes_everything/etc => cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected}/polkit-1/localauthority.conf.d/.empty (100%) delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename "internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/localauthority.conf.d/.empty" => cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/localauthority.conf.d/.empty (100%) delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename "internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/localauthority.conf.d/.empty" => cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/localauthority.conf.d/.empty (100%) 
delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename {internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/etc => cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user}/polkit-1/localauthority.conf.d/.empty (100%) delete mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_no_other_rules_is_a_noop/polkit-1/{localauthority.conf.d/99-adsys-privilege-enforcement.conf => rules.d/00-adsys-privilege-enforcement.rules} (100%) delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules create 
mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules rename internal/policies/privilege/testdata/{existing-previous-local-admins-multi => TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins}/sudoers.d/40-local-admins (100%) delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules rename internal/policies/privilege/testdata/{existing-previous-local-admins-with-adsys-file => TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins}/sudoers.d/40-local-admins (100%) rename 
internal/policies/privilege/testdata/{existing-previous-local-admins-multi => TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins}/sudoers.d/50-local-admins (100%) delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules rename cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf => internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins (53%) rename internal/policies/privilege/testdata/{existing-previous-local-admins-one => TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins}/sudoers.d/50-local-admins 
(100%) rename cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf => internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules (53%) create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf rename {cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available => internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path}/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf (61%) rename internal/policies/privilege/testdata/TestApplyPolicy/golden/{disallow_local_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf => assume_old_polkit_if_cant_read_system_reserved_path/sudoers.d/99-adsys-privilege-enforcement} (73%) create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename internal/policies/privilege/testdata/TestApplyPolicy/golden/{don't_overwrite_other_existing_files/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf => create_on_new_polkit_version_and_remove_old_file/sudoers.d/99-adsys-privilege-enforcement} (73%) rename internal/policies/privilege/testdata/TestApplyPolicy/golden/{disallow_local_admins_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf => 
disallow_local_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules} (62%) create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins rename internal/policies/privilege/testdata/{existing-previous-local-admins-with-adsys-file => TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins}/sudoers.d/50-local-admins (100%) rename internal/policies/privilege/testdata/TestApplyPolicy/golden/{allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf => don't_overwrite_other_existing_files/polkit-1/rules.d/00-adsys-privilege-enforcement.rules} (62%) rename 
internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/{localauthority.conf.d/notadsys.conf => rules.d/notadsys.rules} (100%) rename internal/policies/privilege/testdata/TestApplyPolicy/golden/empty_client_ad_admins/polkit-1/{localauthority.conf.d/99-adsys-privilege-enforcement.conf => rules.d/00-adsys-privilege-enforcement.rules} (100%) rename internal/policies/privilege/testdata/TestApplyPolicy/golden/no_client_ad_admins/polkit-1/{localauthority.conf.d/99-adsys-privilege-enforcement.conf => rules.d/00-adsys-privilege-enforcement.rules} (100%) rename internal/policies/privilege/testdata/{incorrect-policikit-conf-is-dir/polkit-1/localauthority.conf.d/50-this-is-not-a-file.conf/somethinginit => TestApplyPolicy/golden/no_rules_still_overwrite_those_files/polkit-1/rules.d/.empty} (100%) rename internal/policies/privilege/testdata/TestApplyPolicy/golden/not_a_computer/polkit-1/{localauthority.conf.d/notadsys.conf => rules.d/notadsys.rules} (100%) delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_polkit_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf rename internal/policies/privilege/testdata/TestApplyPolicy/golden/{disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf => overwrite_existing_polkit_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules} (62%) delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 
internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules delete mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_from_highest_ascii_file create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_ignoring_adsys create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/consider_only_first_returned_value create mode 100644 
internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_from_lower_ascii_file create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_ignoring_adsys create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_first_specified_directory_if_files_have_same_ascii create mode 100644 internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_lower_ascii_file_even_if_on_second_directory create mode 100644 internal/policies/privilege/testdata/existing-files/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules rename internal/policies/privilege/testdata/existing-files/{ => etc}/sudoers.d/99-adsys-privilege-enforcement (100%) create mode 100644 internal/policies/privilege/testdata/existing-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 internal/policies/privilege/testdata/existing-old-adsys-conf/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf rename internal/policies/privilege/testdata/{existing-files => existing-old-adsys-conf/etc}/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf (100%) rename internal/policies/privilege/testdata/{existing-other-files/polkit-1/localauthority.conf.d/notadsys.conf => existing-old-adsys-conf/etc/sudoers.d/99-adsys-privilege-enforcement} (100%) create mode 100644 internal/policies/privilege/testdata/existing-old-adsys-conf/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules rename internal/policies/privilege/testdata/existing-other-files/{sudoers.d/notadsys => etc/polkit-1/rules.d/notadsys.rules} (100%) create mode 100644 internal/policies/privilege/testdata/existing-other-files/etc/sudoers.d/notadsys create mode 100644 
internal/policies/privilege/testdata/existing-other-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/50-local-admins.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/40-local-admins create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/50-local-admins delete mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/40-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/50-local-admins.conf create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-multi/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/polkit-1/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/sudoers.d/40-local-admins delete mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-one/polkit-1/localauthority.conf.d/50-local-admins.conf create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-one/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-return-early/etc/polkit-1/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-return-early/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 
internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/50-local-admins.rules create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/40-local-admins create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/50-local-admins rename internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/{ => etc}/sudoers.d/99-adsys-privilege-enforcement (100%) delete mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/40-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/50-local-admins.conf delete mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/etc/polkit-1/rules.d/50-this-is-not-a-file.rules/somethinginit create mode 100644 internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-1/rules.d/50-local-admins.rules create mode 100644 
internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-2/rules.d/40-local-admins.rules create mode 100644 internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-1/rules.d/50-local-admins.rules create mode 100644 internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-2/rules.d/50-local-admins.rules create mode 100644 internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf create mode 100644 internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/75-admin.conf create mode 100644 internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/old-polkit-multiple-files/etc/sudoers.d/99-adsys-privilege-enforcement create mode 100644 internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf create mode 100644 internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf create mode 100644 internal/policies/privilege/testdata/old-polkit/etc/sudoers.d/99-adsys-privilege-enforcement create mode 100644 internal/policies/privilege/testdata/only-base-polkit-dir/etc/polkit-1/.empty create mode 100644 internal/policies/privilege/testdata/only-base-polkit-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules create mode 100644 internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_deletes_everything/etc/polkit-1/rules.d/.empty create mode 100644 "internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/rules.d/.empty" create mode 100644 
"internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/rules.d/.empty"
create mode 100644 internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/etc/polkit-1/rules.d/.empty
delete mode 100644 internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
create mode 100644 internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
delete mode 100644 internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
create mode 100644 internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_machine_policies/polkit-1/localauthority.conf.d/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_machine_policies/polkit-1/localauthority.conf.d/.empty
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_policies_for_all_cached_objects/polkit-1/localauthority.conf.d/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_policies_for_all_cached_objects/polkit-1/localauthority.conf.d/.empty
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_and_no_existing_history_means_no_files/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_and_no_existing_history_means_no_files/.empty
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_still_overwrite_those_files/polkit-1/localauthority.conf.d/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_still_overwrite_those_files/polkit-1/localauthority.conf.d/.empty
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..cd34bc975
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-group:sudo","unix-group:admin","unix-user:carole cosmic@example.com"];
+});
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..cd34bc975
--- /dev/null
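Review bot: The identities in this expected `.rules` output are written verbatim inside JavaScript string literals (`"unix-user:carole cosmic@example.com"`), so the generator that produces them needs to escape, or reject, a `"`, `\` or newline inside an identity; the previous `.conf` format was a line-oriented keyfile, whereas a `.rules` file is evaluated by polkit's JavaScript engine, so an unescaped identity is now a syntax or injection concern rather than merely a malformed entry. The generator is not part of this hunk, so this is inferred from the fixture content alone. Consider adding a golden case whose identity contains a quote so that the escaping (for example, JSON-encoding each array element) is pinned by a test. The same applies to every other `00-adsys-privilege-enforcement.rules` fixture in this patch.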
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-group:sudo","unix-group:admin","unix-user:carole cosmic@example.com"];
+});
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 4c88e198f..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:carole cosmic@example.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..cd34bc975
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-group:sudo","unix-group:admin","unix-user:carole cosmic@example.com"];
+});
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7b2facd62..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7b2facd62..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/internal/policies/privilege/testdata/only-base-polkit-dir/polkit-1/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from internal/policies/privilege/testdata/only-base-polkit-dir/polkit-1/.empty
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7b2facd62..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_machine_policies/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
similarity index 74%
rename from cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_machine_policies/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
index 7b2facd62..8569c5f32 100644
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_machine_policies/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
@@ -2,5 +2,9 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
+[Configuration]
+AdminIdentities=unix-group:sudo;unix-group:admin
+
 [Configuration]
 AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
+
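Review bot: The expected `.conf` now holds two `[Configuration]` groups, each with its own `AdminIdentities=` line; keyfile parsers generally merge duplicate groups and keep a single value for a repeated key, so the first block (`AdminIdentities=unix-group:sudo;unix-group:admin`) would most likely be dropped rather than combined with the second, which is the opposite of what this fixture seems to intend. If local admins are meant to be kept alongside the domain identities on old polkit, the writer should emit one `[Configuration]` group with a single merged `AdminIdentities=` value; that writer is not in this hunk, so this is inferred from the fixture. The trailing added blank line at the end of the file also looks like a stray artefact of the same merge. The `purge_policies_for_all_cached_objects` fixture that follows shows the same trailing blank line.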
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_policies_for_all_cached_objects/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
similarity index 99%
rename from cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_policies_for_all_cached_objects/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
index 4c88e198f..16623a2ff 100644
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_policies_for_all_cached_objects/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
@@ -4,3 +4,4 @@
 
 [Configuration]
 AdminIdentities=unix-user:carole cosmic@example.com
+
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_deletes_everything/etc/polkit-1/localauthority.conf.d/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_deletes_everything/etc/polkit-1/localauthority.conf.d/.empty
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7b2facd62..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git "a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/localauthority.conf.d/.empty" b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from "internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/localauthority.conf.d/.empty"
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7b2facd62..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git "a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/localauthority.conf.d/.empty" b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from "internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/localauthority.conf.d/.empty"
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7b2facd62..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/etc/polkit-1/localauthority.conf.d/.empty b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/localauthority.conf.d/.empty
similarity index 100%
rename from internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/etc/polkit-1/localauthority.conf.d/.empty
rename to cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/localauthority.conf.d/.empty
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7b2facd62..000000000
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..2a21705f1
--- /dev/null
+++ b/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:bob@example.com","unix-group:mygroup@example2.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_no_other_rules_is_a_noop/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_no_other_rules_is_a_noop/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
similarity index 100%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_no_other_rules_is_a_noop/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_no_other_rules_is_a_noop/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
deleted file mode 100644
index 8b08116b6..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 23a2d1b11..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2;unix-user:alice@domain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..d71c3e335
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:local40admin1","unix-user:local40admin2","unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/sudoers.d/40-local-admins b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/sudoers.d/40-local-admins
similarity index 100%
rename from internal/policies/privilege/testdata/existing-previous-local-admins-multi/sudoers.d/40-local-admins
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(simple)_and_set_client_admins/sudoers.d/40-local-admins
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf
deleted file mode 100644
index 1b4411fd8..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local40admin1;unix-user:local40admin2
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
deleted file mode 100644
index 8b08116b6..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 23a2d1b11..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2;unix-user:alice@domain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..d71c3e335
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:local40admin1","unix-user:local40admin2","unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..c0f8907dd
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local50admin1", "unix-user:local50admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/sudoers.d/40-local-admins b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/sudoers.d/40-local-admins
similarity index 100%
rename from internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/sudoers.d/40-local-admins
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/sudoers.d/40-local-admins
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/sudoers.d/50-local-admins b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/sudoers.d/50-local-admins
similarity index 100%
rename from internal/policies/privilege/testdata/existing-previous-local-admins-multi/sudoers.d/50-local-admins
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_(with_adsys_file)_and_set_client_admins/sudoers.d/50-local-admins
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf
deleted file mode 100644
index 1b4411fd8..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local40admin1;unix-user:local40admin2
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
deleted file mode 100644
index 8b08116b6..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 23a2d1b11..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2;unix-user:alice@domain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..d71c3e335
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:local40admin1","unix-user:local40admin2","unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..c0f8907dd
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local50admin1", "unix-user:local50admin2"];
+});
\ No newline at end of file
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins
similarity index 53%
rename from cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins
index 7b2facd62..71ef8e9e2 100644
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins
@@ -2,5 +2,6 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
-[Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
+"local40admin1@domain.com" ALL=(ALL:ALL) ALL
+"local40admin2@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-one/sudoers.d/50-local-admins b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/50-local-admins
similarity index 100%
rename from internal/policies/privilege/testdata/existing-previous-local-admins-one/sudoers.d/50-local-admins
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/50-local-admins
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
similarity index 53%
rename from cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
index 4c88e198f..6cfc3f44a 100644
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -2,5 +2,6 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
-[Configuration]
-AdminIdentities=unix-user:carole cosmic@example.com
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
new file mode 100644
index 000000000..6b7177dd4
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
@@ -0,0 +1,2 @@
+[Configuration]
+AdminIdentities=unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
similarity index 61%
rename from cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
index 7b2facd62..4b2cc78b1 100644
--- a/cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
@@ -3,4 +3,4 @@
 # Any changes will be overwritten.
 
 [Configuration]
-AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
+AdminIdentities=unix-group:sudo;unix-group:admin;unix-user:alice@domain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/sudoers.d/99-adsys-privilege-enforcement
similarity index 73%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/sudoers.d/99-adsys-privilege-enforcement
index 0ee940c01..1b44bcd07 100644
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/assume_old_polkit_if_cant_read_system_reserved_path/sudoers.d/99-adsys-privilege-enforcement
@@ -2,5 +2,5 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
-[Configuration]
-AdminIdentities=
+"alice@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
new file mode 100644
index 000000000..6b7177dd4
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
@@ -0,0 +1,2 @@
+[Configuration]
+AdminIdentities=unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..792a943d4
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-group:sudo","unix-group:admin","unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/sudoers.d/99-adsys-privilege-enforcement
similarity index 73%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/sudoers.d/99-adsys-privilege-enforcement
index 0ee940c01..1b44bcd07 100644
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/create_on_new_polkit_version_and_remove_old_file/sudoers.d/99-adsys-privilege-enforcement
@@ -2,5 +2,5 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
-[Configuration]
-AdminIdentities=
+"alice@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
similarity index 62%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
index cd660dd0b..218ec1458 100644
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -2,5 +2,6 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
-[Configuration]
-AdminIdentities=unix-user:alice@domain.com
+polkit.addAdminRule(function(action, subject){
+ return [];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..6cfc3f44a
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf
deleted file mode 100644
index 1b4411fd8..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/40-local-admins.conf
+++ /dev/null
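Review bot: The combination of the `00-` file name and `return [];` in the disallow_local_admins golden is what carries the "no local admins" semantics, and nothing in the fixture records that this is deliberate. As I understand polkit's rule evaluation, files in rules.d are processed in lexical order and the first addAdminRule callback that returns a non-null value decides, so an empty array here is a positive answer that prevents later files such as 40-/50- local-admin rules from adding identities, whereas `return null;` would fall through to them (the same fixture shape is used in the overwrite_existing_polkit_file and don't_overwrite_other_existing_files goldens). I would have the generator emit one more header line so the intent survives in the installed file, e.g. `# An empty list is returned on purpose: a non-null result stops later rules files from adding admin identities.`; the template that writes this header is outside this hunk.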
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local40admin1;unix-user:local40admin2
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
deleted file mode 100644
index 8b08116b6..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/50-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..6cfc3f44a
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..c0f8907dd
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local50admin1", "unix-user:local50admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins
new file mode 100644
index 000000000..71ef8e9e2
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/40-local-admins
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+"local40admin1@domain.com" ALL=(ALL:ALL) ALL
+"local40admin2@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/sudoers.d/50-local-admins b/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/50-local-admins
similarity index 100%
rename from internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/sudoers.d/50-local-admins
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/sudoers.d/50-local-admins
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
similarity index 62%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
index cd660dd0b..218ec1458 100644
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/allow_local_admins_without_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -2,5 +2,6 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
-[Configuration]
-AdminIdentities=unix-user:alice@domain.com
+polkit.addAdminRule(function(action, subject){
+ return [];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/localauthority.conf.d/notadsys.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/rules.d/notadsys.rules
similarity index 100%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/localauthority.conf.d/notadsys.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/don't_overwrite_other_existing_files/polkit-1/rules.d/notadsys.rules
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/empty_client_ad_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/empty_client_ad_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
similarity index 100%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/empty_client_ad_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/empty_client_ad_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/no_client_ad_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/no_client_ad_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
similarity index 100%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/no_client_ad_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/no_client_ad_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
diff --git a/internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/polkit-1/localauthority.conf.d/50-this-is-not-a-file.conf/somethinginit b/internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_still_overwrite_those_files/polkit-1/rules.d/.empty
similarity index 100%
rename from internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/polkit-1/localauthority.conf.d/50-this-is-not-a-file.conf/somethinginit
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/no_rules_still_overwrite_those_files/polkit-1/rules.d/.empty
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/not_a_computer/polkit-1/localauthority.conf.d/notadsys.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/not_a_computer/polkit-1/rules.d/notadsys.rules
similarity index 100%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/not_a_computer/polkit-1/localauthority.conf.d/notadsys.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/not_a_computer/polkit-1/rules.d/notadsys.rules
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_polkit_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_polkit_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 0ee940c01..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_polkit_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_polkit_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
similarity index 62%
rename from internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_polkit_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
index cd660dd0b..218ec1458 100644
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/disallow_local_admins_with_previous_local_admin_conf_and_set_client_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_polkit_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -2,5 +2,6 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
-[Configuration]
-AdminIdentities=unix-user:alice@domain.com
+polkit.addAdminRule(function(action, subject){
+ return [];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 0ee940c01..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..218ec1458
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/overwrite_existing_sudoers_file/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return [];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 8eb4d72e5..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-group:group@domain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..0b3ed8ce8
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-group:group@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 80e313aec..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:alice@domain.com;unix-group:group@domain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..0aa6fbb28
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_mixed_with_users_and_group_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:alice@domain.com","unix-group:group@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index 7a4e3c7ac..000000000
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:alice@domain.com;unix-user:bob@domain;unix-user:carole cosmic@otherdomain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..6f2f0bd74
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_multiple_users_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:alice@domain.com","unix-user:bob@domain","unix-user:carole cosmic@otherdomain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index cd660dd0b..000000000
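Review bot: The golden rules file here embeds each admin identity verbatim inside a JavaScript string literal, as `"unix-user:carole cosmic@otherdomain.com"` shows, so an identity containing a double quote or backslash would produce a rules file that polkit either fails to parse or that no longer returns the intended list. None of the fixtures in this patch covers such a character; a golden case with a constructed identity containing an embedded `"` would pin whether the generator escapes it or rejects the entry, and the same applies to the other `00-adsys-privilege-enforcement.rules` goldens. The generator that renders this file is outside these hunks.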
--- a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:alice@domain.com
diff --git a/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..6cfc3f44a
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestApplyPolicy/golden/set_client_user_admins/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-user:alice@domain.com"];
+});
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities
new file mode 100644
index 000000000..86a1393f2
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities
@@ -0,0 +1 @@
+unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_from_highest_ascii_file b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_from_highest_ascii_file
new file mode 100644
index 000000000..86a1393f2
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_from_highest_ascii_file
@@ -0,0 +1 @@
+unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_ignoring_adsys b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_ignoring_adsys
new file mode 100644
index 000000000..86a1393f2
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromConf/golden/fetch_previous_admin_identities_ignoring_adsys
@@ -0,0 +1 @@
+unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/consider_only_first_returned_value b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/consider_only_first_returned_value
new file mode 100644
index 000000000..5c5604383
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/consider_only_first_returned_value
@@ -0,0 +1 @@
+"unix-user:local40admin1","unix-user:local40admin2"
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities
new file mode 100644
index 000000000..5c5604383
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities
@@ -0,0 +1 @@
+"unix-user:local40admin1","unix-user:local40admin2"
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_from_lower_ascii_file b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_from_lower_ascii_file
new file mode 100644
index 000000000..5c5604383
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_from_lower_ascii_file
@@ -0,0 +1 @@
+"unix-user:local40admin1","unix-user:local40admin2"
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_ignoring_adsys b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_ignoring_adsys
new file mode 100644
index 000000000..5c5604383
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/fetch_previous_admin_identities_ignoring_adsys
@@ -0,0 +1 @@
+"unix-user:local40admin1","unix-user:local40admin2"
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_first_specified_directory_if_files_have_same_ascii b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_first_specified_directory_if_files_have_same_ascii
new file mode 100644
index 000000000..d90ae9e0a
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_first_specified_directory_if_files_have_same_ascii
@@ -0,0 +1 @@
+"unix-user:local50admin1","unix-user:local50admin2"
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_lower_ascii_file_even_if_on_second_directory b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_lower_ascii_file_even_if_on_second_directory
new file mode 100644
index 000000000..5c5604383
--- /dev/null
+++ b/internal/policies/privilege/testdata/TestPolkitAdminIdentitiesFromRules/golden/prioritize_lower_ascii_file_even_if_on_second_directory
@@ -0,0 +1 @@
+"unix-user:local40admin1","unix-user:local40admin2"
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-files/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/existing-files/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..e69de29bb
diff --git a/internal/policies/privilege/testdata/existing-files/sudoers.d/99-adsys-privilege-enforcement b/internal/policies/privilege/testdata/existing-files/etc/sudoers.d/99-adsys-privilege-enforcement
similarity index 100%
rename from internal/policies/privilege/testdata/existing-files/sudoers.d/99-adsys-privilege-enforcement
rename to internal/policies/privilege/testdata/existing-files/etc/sudoers.d/99-adsys-privilege-enforcement
diff --git a/internal/policies/privilege/testdata/existing-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/existing-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-old-adsys-conf/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf b/internal/policies/privilege/testdata/existing-old-adsys-conf/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
new file mode 100644
index 000000000..6b7177dd4
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-old-adsys-conf/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
@@ -0,0 +1,2 @@
+[Configuration]
+AdminIdentities=unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-files/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/existing-old-adsys-conf/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
similarity index 100%
rename from internal/policies/privilege/testdata/existing-files/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
rename to internal/policies/privilege/testdata/existing-old-adsys-conf/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
diff --git a/internal/policies/privilege/testdata/existing-other-files/polkit-1/localauthority.conf.d/notadsys.conf b/internal/policies/privilege/testdata/existing-old-adsys-conf/etc/sudoers.d/99-adsys-privilege-enforcement
similarity index 100%
rename from internal/policies/privilege/testdata/existing-other-files/polkit-1/localauthority.conf.d/notadsys.conf
rename to internal/policies/privilege/testdata/existing-old-adsys-conf/etc/sudoers.d/99-adsys-privilege-enforcement
diff --git a/internal/policies/privilege/testdata/existing-old-adsys-conf/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/existing-old-adsys-conf/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-old-adsys-conf/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-other-files/sudoers.d/notadsys b/internal/policies/privilege/testdata/existing-other-files/etc/polkit-1/rules.d/notadsys.rules
similarity index 100%
rename from internal/policies/privilege/testdata/existing-other-files/sudoers.d/notadsys
rename to internal/policies/privilege/testdata/existing-other-files/etc/polkit-1/rules.d/notadsys.rules
diff --git a/internal/policies/privilege/testdata/existing-other-files/etc/sudoers.d/notadsys b/internal/policies/privilege/testdata/existing-other-files/etc/sudoers.d/notadsys
new file mode 100644
index 000000000..df76d241e
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-other-files/etc/sudoers.d/notadsys
@@ -0,0 +1,3 @@
+# RANDOM CONTENT
+# On mutliple
+# lines
diff --git a/internal/policies/privilege/testdata/existing-other-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/existing-other-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-other-files/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..c0f8907dd
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/polkit-1/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local50admin1", "unix-user:local50admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/40-local-admins b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/40-local-admins
new file mode 100644
index 000000000..71ef8e9e2
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/40-local-admins
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+"local40admin1@domain.com" ALL=(ALL:ALL) ALL
+"local40admin2@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/50-local-admins b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/50-local-admins
new file mode 100644
index 000000000..4661c64da
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/etc/sudoers.d/50-local-admins
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+"local50admin1@domain.com" ALL=(ALL:ALL) ALL
+"local50admin2@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/40-local-admins.conf b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/40-local-admins.conf
deleted file mode 100644
index 1b4411fd8..000000000
--- a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/40-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local40admin1;unix-user:local40admin2
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/50-local-admins.conf b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/50-local-admins.conf
deleted file mode 100644
index 8b08116b6..000000000
--- a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/polkit-1/localauthority.conf.d/50-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-multi/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-multi/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/sudoers.d/40-local-admins b/internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/sudoers.d/40-local-admins
new file mode 100644
index 000000000..71ef8e9e2
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-one/etc/sudoers.d/40-local-admins
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+"local40admin1@domain.com" ALL=(ALL:ALL) ALL
+"local40admin2@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-one/polkit-1/localauthority.conf.d/50-local-admins.conf b/internal/policies/privilege/testdata/existing-previous-local-admins-one/polkit-1/localauthority.conf.d/50-local-admins.conf
deleted file mode 100644
index 8b08116b6..000000000
--- a/internal/policies/privilege/testdata/existing-previous-local-admins-one/polkit-1/localauthority.conf.d/50-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-one/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-one/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-one/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-return-early/etc/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-return-early/etc/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..4d26a3573
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-return-early/etc/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,11 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:shouldbeignored"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-return-early/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-return-early/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-return-early/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..6f18803b7
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:shouldbeignored"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..c0f8907dd
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/polkit-1/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local50admin1", "unix-user:local50admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/40-local-admins b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/40-local-admins
new file mode 100644
index 000000000..71ef8e9e2
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/40-local-admins
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+"local40admin1@domain.com" ALL=(ALL:ALL) ALL
+"local40admin2@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/50-local-admins b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/50-local-admins
new file mode 100644
index 000000000..4661c64da
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/50-local-admins
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+"local50admin1@domain.com" ALL=(ALL:ALL) ALL
+"local50admin2@domain.com" ALL=(ALL:ALL) ALL
+
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/sudoers.d/99-adsys-privilege-enforcement b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/99-adsys-privilege-enforcement
similarity index 100%
rename from internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/sudoers.d/99-adsys-privilege-enforcement
rename to internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/etc/sudoers.d/99-adsys-privilege-enforcement
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/40-local-admins.conf b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/40-local-admins.conf
deleted file mode 100644
index 1b4411fd8..000000000
--- a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/40-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local40admin1;unix-user:local40admin2
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/50-local-admins.conf b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/50-local-admins.conf
deleted file mode 100644
index 8b08116b6..000000000
--- a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/50-local-admins.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:local50admin1;unix-user:local50admin2
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index ca37fbd9b..000000000
--- a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:shouldbeignored
diff --git a/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/existing-previous-local-admins-with-adsys-file/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/etc/polkit-1/rules.d/50-this-is-not-a-file.rules/somethinginit b/internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/etc/polkit-1/rules.d/50-this-is-not-a-file.rules/somethinginit
new file mode 100644
index 000000000..e69de29bb
diff --git a/internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/incorrect-policikit-conf-is-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-1/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-1/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..c0f8907dd
--- /dev/null
+++ b/internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-1/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local50admin1", "unix-user:local50admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-2/rules.d/40-local-admins.rules b/internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-2/rules.d/40-local-admins.rules
new file mode 100644
index 000000000..383fbb8f1
--- /dev/null
+++ b/internal/policies/privilege/testdata/multiple-polkit-dirs-diff-file/etc/polkit-2/rules.d/40-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local40admin1", "unix-user:local40admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-1/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-1/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..c0f8907dd
--- /dev/null
+++ b/internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-1/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:local50admin1", "unix-user:local50admin2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-2/rules.d/50-local-admins.rules b/internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-2/rules.d/50-local-admins.rules
new file mode 100644
index 000000000..321733482
--- /dev/null
+++ b/internal/policies/privilege/testdata/multiple-polkit-dirs-same-file/etc/polkit-2/rules.d/50-local-admins.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-user:WhatEvenIsPolkit2"];
+});
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
new file mode 100644
index 000000000..d33fa0d11
--- /dev/null
+++ b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
@@ -0,0 +1,2 @@
+[Configuration]
+AdminIdentities=unix-group:shouldbeignored
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/75-admin.conf b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/75-admin.conf
new file mode 100644
index 000000000..6b7177dd4
--- /dev/null
+++ b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/75-admin.conf
@@ -0,0 +1,2 @@
+[Configuration]
+AdminIdentities=unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
new file mode 100644
index 000000000..df76d241e
--- /dev/null
+++ b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
@@ -0,0 +1,3 @@
+# RANDOM CONTENT
+# On mutliple
+# lines
diff --git a/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/sudoers.d/99-adsys-privilege-enforcement b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/sudoers.d/99-adsys-privilege-enforcement
new file mode 100644
index 000000000..df76d241e
--- /dev/null
+++ b/internal/policies/privilege/testdata/old-polkit-multiple-files/etc/sudoers.d/99-adsys-privilege-enforcement
@@ -0,0 +1,3 @@
+# RANDOM CONTENT
+# On mutliple
+# lines
diff --git a/internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf b/internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
new file mode 100644
index 000000000..6b7177dd4
--- /dev/null
+++ b/internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/50-ubuntu-admin.conf
@@ -0,0 +1,2 @@
+[Configuration]
+AdminIdentities=unix-group:sudo;unix-group:admin
\ No newline at end of file
diff --git a/internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
new file mode 100644
index 000000000..df76d241e
--- /dev/null
+++ b/internal/policies/privilege/testdata/old-polkit/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
@@ -0,0 +1,3 @@
+# RANDOM CONTENT
+# On mutliple
+# lines
diff --git a/internal/policies/privilege/testdata/old-polkit/etc/sudoers.d/99-adsys-privilege-enforcement b/internal/policies/privilege/testdata/old-polkit/etc/sudoers.d/99-adsys-privilege-enforcement
new file mode 100644
index 000000000..df76d241e
--- /dev/null
+++ b/internal/policies/privilege/testdata/old-polkit/etc/sudoers.d/99-adsys-privilege-enforcement
@@ -0,0 +1,3 @@
+# RANDOM CONTENT
+# On mutliple
+# lines
diff --git a/internal/policies/privilege/testdata/only-base-polkit-dir/etc/polkit-1/.empty b/internal/policies/privilege/testdata/only-base-polkit-dir/etc/polkit-1/.empty
new file mode 100644
index 000000000..e69de29bb
diff --git a/internal/policies/privilege/testdata/only-base-polkit-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules b/internal/policies/privilege/testdata/only-base-polkit-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
new file mode 100644
index 000000000..fd97cffd0
--- /dev/null
+++ b/internal/policies/privilege/testdata/only-base-polkit-dir/usr/share/polkit-1/rules.d/49-ubuntu-admin.rules
@@ -0,0 +1,3 @@
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:sudo", "unix-group:admin"];
+});
\ No newline at end of file
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_deletes_everything/etc/polkit-1/rules.d/.empty b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_deletes_everything/etc/polkit-1/rules.d/.empty
new file mode 100644
index 000000000..e69de29bb
diff --git "a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/rules.d/.empty" "b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_rules_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/rules.d/.empty"
new file mode 100644
index 000000000..e69de29bb
diff --git "a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/rules.d/.empty" "b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_don't_remove_scripts_if_session_hasn\342\200\231t_ended/etc/polkit-1/rules.d/.empty"
new file mode 100644
index 000000000..e69de29bb
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/etc/polkit-1/rules.d/.empty b/internal/policies/testdata/TestApplyPolicies/golden/second_call_with_no_subscription_should_remove_everything_but_dconf_content/etc/polkit-1/rules.d/.empty
new file mode 100644
index 000000000..e69de29bb
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index dbf1b12ee..000000000
--- a/internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:alice@domain;unix-user:bob@domain2;unix-group:mygroup@domain;unix-user:cosmic carole@domain
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..cbf3b6829
--- /dev/null
+++ b/internal/policies/testdata/TestApplyPolicies/golden/succeed/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-group:sudo","unix-group:admin","unix-user:alice@domain","unix-user:bob@domain2","unix-group:mygroup@domain","unix-user:cosmic carole@domain"];
+});
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
deleted file mode 100644
index dbf1b12ee..000000000
--- a/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is managed by adsys.
-# Do not edit this file manually.
-# Any changes will be overwritten.
-
-[Configuration]
-AdminIdentities=unix-user:alice@domain;unix-user:bob@domain2;unix-group:mygroup@domain;unix-user:cosmic carole@domain
diff --git a/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules b/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
new file mode 100644
index 000000000..cbf3b6829
--- /dev/null
+++ b/internal/policies/testdata/TestApplyPolicies/golden/succeed_if_checking_for_backend_online_status_returns_an_error/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules
@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+ return ["unix-group:sudo","unix-group:admin","unix-user:alice@domain","unix-user:bob@domain2","unix-group:mygroup@domain","unix-user:cosmic carole@domain"];
+});
From 1e3563a90bdeb4bc9f8f57b6102b7220073a0109 Mon Sep 17 00:00:00 2001
From: denisonbarbosa
Date: Mon, 2 Dec 2024 09:18:44 -0400
Subject: [PATCH 6/7] Remove polkitd-pkla from suggested packages
Now that we support the new polkit versions, we don't need to recommend this anymore.
---
debian/control | 1 -
1 file changed, 1 deletion(-)
diff --git a/debian/control b/debian/control
index dc3658eb6..c4cfc948b 100644
--- a/debian/control
+++ b/debian/control
@@ -47,7 +47,6 @@ Recommends: ${misc:Recommends},
 Suggests: curlftpfs,
 ubuntu-proxy-manager,
 python3-cepces,
- polkitd-pkla,
 Description: ${source:Synopsis}
 ${source:Extended-Description}
From 50df13db496e0d860573af06f7e7387b1e76f33a Mon Sep 17 00:00:00 2001
From: denisonbarbosa
Date: Mon, 2 Dec 2024 09:20:20 -0400
Subject: [PATCH 7/7] Update check for polkit configuration in e2e tests
We used to rely only on a single way of applying the privilege policy. Now, we have two ways of applying it based on the polkit version. The e2e tests validation needs to account for that.
---
e2e/cmd/run_tests/11_test_pro_managers/main.go | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/e2e/cmd/run_tests/11_test_pro_managers/main.go b/e2e/cmd/run_tests/11_test_pro_managers/main.go
index 35a1e587a..d9217de4d 100644
--- a/e2e/cmd/run_tests/11_test_pro_managers/main.go
+++ b/e2e/cmd/run_tests/11_test_pro_managers/main.go
@@ -139,8 +139,15 @@ func action(ctx context.Context, cmd *command.Command) (err error) {
 "adminuser@warthogs.biz" ALL=(ALL:ALL) ALL`); err != nil {
 return err
 }
+
+ // Due to differences in polkit versions between Ubuntu versions, the file path is different
+ polkitFilePath := "/etc/polkit-1/rules.d/00-adsys-privilege-enforcement.rules"
+ if cmd.Inventory.Codename == "focal" || cmd.Inventory.Codename == "jammy" {
+ polkitFilePath = "/etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf"
+ }
+
 // Only partly assert the polkit file contents as there are differences in polkit configurations between Ubuntu versions
- if err := rootClient.RequireContains(ctx, "cat /etc/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf", "unix-user:adminuser@warthogs.biz"); err != nil {
+ if err := rootClient.RequireContains(ctx, fmt.Sprintf("cat %s", polkitFilePath), "unix-user:adminuser@warthogs.biz"); err != nil {
 return err
 }
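Review bot: The added `if cmd.Inventory.Codename == "focal" || cmd.Inventory.Codename == "jammy"` line encodes the polkit split only by release name, so a reader cannot tell why those two codenames are special or which path a new release should take; the comment above it should state the actual rule, e.g. `// The polkit shipped on focal and jammy reads localauthority.conf.d; polkit 124 and later (the default) read rules.d`, 124 being the threshold the first commit of this series is built around. Because the two formats live in different directories, the assertion as written still passes if adsys also left a stale admin-identities file in the directory it is not supposed to manage on that release, which is exactly the kind of leftover that can keep granting admin rights unnoticed; asserting that the other path is absent with the same root client would cover that for little cost. Minor style point: `fmt.Sprintf("cat %s", polkitFilePath)` can simply be `"cat "+polkitFilePath`. The enclosing `action` function starts before and ends after this hunk.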