Skip to content

Commit

Permalink
Fix internal/policies/manager tests (#1158)
Browse files Browse the repository at this point in the history
We were not overriding the polkit system reserved dir for the tests
here, so it would cause a failure on launchpad builds (which work under
a different user with different permissions).
  • Loading branch information
denisonbarbosa authored Dec 9, 2024
2 parents 63606d5 + 29a66cd commit 99785ac
Show file tree
Hide file tree
Showing 8 changed files with 50 additions and 46 deletions.
2 changes: 2 additions & 0 deletions internal/consts/consts.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,8 @@ const (
DefaultSudoersDir = "/etc/sudoers.d"
// DefaultPolicyKitDir is the default directory for policykit configuration and rules.
DefaultPolicyKitDir = "/etc/polkit-1"
// DefaultPolicyKitSystemDir is the default directory for policykit reserved configuration.
DefaultPolicyKitSystemDir = "/usr/share/polkit-1"
// DefaultApparmorDir is the default directory for apparmor configuration.
DefaultApparmorDir = "/etc/apparmor.d/adsys"
// DefaultSystemUnitDir is the default directory for systemd unit files.
Expand Down
58 changes: 34 additions & 24 deletions internal/policies/manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -93,20 +93,21 @@ type systemdCaller interface {
}

type options struct {
cacheDir string
stateDir string
dconfDir string
sudoersDir string
policyKitDir string
runDir string
shareDir string
apparmorDir string
apparmorFsDir string
systemUnitDir string
globalTrustDir string
proxyApplier proxy.Caller
systemdCaller systemdCaller
gdm *gdm.Manager
cacheDir string
stateDir string
dconfDir string
sudoersDir string
policyKitDir string
policyKitSystemDir string
runDir string
shareDir string
apparmorDir string
apparmorFsDir string
systemUnitDir string
globalTrustDir string
proxyApplier proxy.Caller
systemdCaller systemdCaller
gdm *gdm.Manager

apparmorParserCmd []string
certAutoenrollCmd []string
Expand Down Expand Up @@ -155,6 +156,14 @@ func WithPolicyKitDir(p string) Option {
}
}

// WithPolicyKitSystemDir specifies a personalized policykit system reserved directory.
func WithPolicyKitSystemDir(p string) Option {
return func(o *options) error {
o.policyKitSystemDir = p
return nil
}
}

// WithRunDir specifies a personalized run directory.
func WithRunDir(p string) Option {
return func(o *options) error {
Expand Down Expand Up @@ -248,15 +257,16 @@ func NewManager(bus *dbus.Conn, hostname string, backend backends.Backend, opts

// defaults
args := options{
cacheDir: consts.DefaultCacheDir,
stateDir: consts.DefaultStateDir,
runDir: consts.DefaultRunDir,
shareDir: consts.DefaultShareDir,
apparmorDir: consts.DefaultApparmorDir,
systemUnitDir: consts.DefaultSystemUnitDir,
globalTrustDir: consts.DefaultGlobalTrustDir,
systemdCaller: defaultSystemdCaller,
gdm: nil,
cacheDir: consts.DefaultCacheDir,
stateDir: consts.DefaultStateDir,
runDir: consts.DefaultRunDir,
shareDir: consts.DefaultShareDir,
apparmorDir: consts.DefaultApparmorDir,
systemUnitDir: consts.DefaultSystemUnitDir,
globalTrustDir: consts.DefaultGlobalTrustDir,
policyKitSystemDir: consts.DefaultPolicyKitSystemDir,
systemdCaller: defaultSystemdCaller,
gdm: nil,
}
// applied options (including dconf manager used by gdm)
for _, o := range opts {
Expand All @@ -271,7 +281,7 @@ func NewManager(bus *dbus.Conn, hostname string, backend backends.Backend, opts
}

// privilege manager
privilegeManager := privilege.NewWithDirs(args.sudoersDir, args.policyKitDir)
privilegeManager := privilege.NewWithDirs(args.sudoersDir, args.policyKitDir, args.policyKitSystemDir)

// scripts manager
scriptsManager, err := scripts.New(args.runDir, args.systemdCaller)
Expand Down
2 changes: 2 additions & 0 deletions internal/policies/manager_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,7 @@ func TestApplyPolicies(t *testing.T) {
runDir := filepath.Join(fakeRootDir, "run", "adsys")
dconfDir := filepath.Join(fakeRootDir, "etc", "dconf")
policyKitDir := filepath.Join(fakeRootDir, "etc", "polkit-1")
policyKitReservedDir := filepath.Join(fakeRootDir, "usr", "share", "polkit-1")
sudoersDir := filepath.Join(fakeRootDir, "etc", "sudoers.d")
apparmorDir := filepath.Join(fakeRootDir, "etc", "apparmor.d", "adsys")
systemUnitDir := filepath.Join(fakeRootDir, "etc", "systemd", "system")
Expand Down Expand Up @@ -108,6 +109,7 @@ func TestApplyPolicies(t *testing.T) {
policies.WithShareDir(shareDir),
policies.WithDconfDir(dconfDir),
policies.WithPolicyKitDir(policyKitDir),
policies.WithPolicyKitSystemDir(policyKitReservedDir),
policies.WithSudoersDir(sudoersDir),
policies.WithApparmorDir(apparmorDir),
policies.WithApparmorFsDir(filepath.Dir(loadedPoliciesFile)),
Expand Down
8 changes: 0 additions & 8 deletions internal/policies/privilege/export_test.go

This file was deleted.

20 changes: 9 additions & 11 deletions internal/policies/privilege/privilege.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,8 +55,6 @@ const (

adsysOldPolkitName = "99-adsys-privilege-enforcement"
adsysBasePolkitName = "00-adsys-privilege-enforcement"

polkitSystemReservedPath = "/usr/share/polkit-1"
)

// Templates to generate the polkit configuration files.
Expand All @@ -74,6 +72,13 @@ type option struct {
// Option is a functional option for the manager.
type Option func(*option)

// WithPolicyKitSystemDir sets the directory where the default policykit files are stored.
func WithPolicyKitSystemDir(dir string) func(*option) {
return func(o *option) {
o.policyKitSystemDir = dir
}
}

// Manager prevents running multiple privilege update process in parallel while parsing policy in ApplyPolicy.
type Manager struct {
sudoersDir string
Expand All @@ -84,18 +89,11 @@ type Manager struct {
}

// NewWithDirs creates a manager with a specific root directory.
func NewWithDirs(sudoersDir, policyKitDir string, opts ...Option) *Manager {
o := &option{
policyKitSystemDir: polkitSystemReservedPath,
}
for _, opt := range opts {
opt(o)
}

func NewWithDirs(sudoersDir, policyKitDir, policyKitSystemDir string) *Manager {
return &Manager{
sudoersDir: sudoersDir,
policyKitDir: policyKitDir,
policyKitSystemDir: o.policyKitSystemDir,
policyKitSystemDir: policyKitSystemDir,
}
}

Expand Down
2 changes: 1 addition & 1 deletion internal/policies/privilege/privilege_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ func TestApplyPolicy(t *testing.T) {
require.NoError(t, os.MkdirAll(filepath.Join(tmpRootDir, tc.destIsDir), 0750), "Setup: can't create fake unwritable file")
}

m := privilege.NewWithDirs(sudoersDir, policyKitDir, privilege.WithPolicyKitSystemDir(tc.polkitSystemReservedPath))
m := privilege.NewWithDirs(sudoersDir, policyKitDir, tc.polkitSystemReservedPath)
err = m.ApplyPolicy(context.Background(), "ubuntu", !tc.notComputer, tc.entries)
if tc.wantErr {
require.NotNil(t, err, "ApplyPolicy should have failed but didn't")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,5 @@
# Any changes will be overwritten.

polkit.addAdminRule(function(action, subject){
return ["unix-group:sudo","unix-group:admin","unix-user:alice@domain","unix-user:bob@domain2","unix-group:mygroup@domain","unix-user:cosmic carole@domain"];
return ["unix-user:alice@domain","unix-user:bob@domain2","unix-group:mygroup@domain","unix-user:cosmic carole@domain"];
});
Original file line number Diff line number Diff line change
Expand Up @@ -3,5 +3,5 @@
# Any changes will be overwritten.

polkit.addAdminRule(function(action, subject){
return ["unix-group:sudo","unix-group:admin","unix-user:alice@domain","unix-user:bob@domain2","unix-group:mygroup@domain","unix-user:cosmic carole@domain"];
return ["unix-user:alice@domain","unix-user:bob@domain2","unix-group:mygroup@domain","unix-user:cosmic carole@domain"];
});

0 comments on commit 99785ac

Please sign in to comment.