Support for new Polkit (versions >= 124)

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/does_not_error_when_d-bus_proxy_object_is_not_available/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_get_machine_from_cache_(no_update)/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-group:sudo","unix-group:admin","unix-user:carole [email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-group:sudo","unix-group:admin","unix-user:carole [email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_regenerate_machine_from_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-group:sudo","unix-group:admin","unix-user:carole [email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_first_time_with_winbind_backend/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/machine,_update_old_data/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/already_up_to_date/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf → cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_machine_policies/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf

@@ -2,5 +2,9 @@
 # Do not edit this file manually.
 # Any changes will be overwritten.
 
+[Configuration]
+AdminIdentities=unix-group:sudo;unix-group:admin
+
 [Configuration]
 AdminIdentities=unix-user:[email protected];unix-group:[email protected]
+

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/host_is_offline,_mach_gpos_cache_is_cleared,_with_policies_cache/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf → cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/purge_policies_for_all_cached_objects/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf

@@ -4,3 +4,4 @@
 
 [Configuration]
 AdminIdentities=unix-user:carole [email protected]
+

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_all_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_some_connected/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_no_user_connected_updates_machines/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

cmd/adsysd/integration_tests/testdata/TestPolicyUpdate/golden/refresh_with_one_dangling_symlink_ignores_the_respective_user/polkit-1/rules.d/00-adsys-privilege-enforcement.rules

@@ -0,0 +1,7 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+polkit.addAdminRule(function(action, subject){
+	return ["unix-user:[email protected]","unix-group:[email protected]"];
+});

internal/policies/privilege/export_test.go

@@ -0,0 +1,8 @@
+package privilege
+
+// WithPolicyKitSystemDir sets the directory where the default policykit files are stored.
+func WithPolicyKitSystemDir(dir string) func(*option) {
+	return func(o *option) {
+		o.policyKitSystemDir = dir
+	}
+}

internal/policies/privilege/internal_test.go

@@ -2,10 +2,12 @@ package privilege
 
 import (
 	"context"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/ubuntu/adsys/internal/testutils"
 )
 
 func TestSplitAndNormalizeUsersAndGroups(t *testing.T) {
@@ -62,43 +64,100 @@ func TestSplitAndNormalizeUsersAndGroups(t *testing.T) {
 	}
 }
 
-func TestGetSystemPolkitAdminIdentities(t *testing.T) {
+func TestPolkitAdminIdentitiesFromConf(t *testing.T) {
 	t.Parallel()
 
 	tests := map[string]struct {
 		policyKitDir string
 
-		want    string
-		wantErr bool
+		emptyReturn bool
 	}{
-		"Fetch previous admin identities": {policyKitDir: "testdata/existing-previous-local-admins-one/polkit-1",
-			want: "unix-user:local50admin1;unix-user:local50admin2"},
-		"Fetch previous admin identities from highest ascii file": {policyKitDir: "testdata/existing-previous-local-admins-multi/polkit-1",
-			want: "unix-user:local50admin1;unix-user:local50admin2"},
-		"Fetch previous admin identities ignoring adsys": {policyKitDir: "testdata/existing-previous-local-admins-with-adsys-file/polkit-1",
-			want: "unix-user:local50admin1;unix-user:local50admin2"},
+		"Fetch previous admin identities":                         {policyKitDir: "old-polkit/etc/polkit-1"},
+		"Fetch previous admin identities from highest ascii file": {policyKitDir: "old-polkit-multiple-files/etc/polkit-1"},
+		"Fetch previous admin identities ignoring adsys":          {policyKitDir: "old-polkit/etc/polkit-1"},
 
 		// Edge cases
-		"No previous admin identities but regular directory structure": {policyKitDir: "testdata/existing-other-files/polkit-1",
-			want: ""},
-		"Returns an empty string if directory does not exists": {policyKitDir: "testdata/doesnotexists",
-			want: ""},
-		"Directory instead of a conf file is ignored": {policyKitDir: "testdata/incorrect-policikit-conf-is-dir/polkit-1",
-			want: ""},
+		"No previous admin identities but regular directory structure": {policyKitDir: "existing-other-files/etc/polkit-1", emptyReturn: true},
+		"Returns an empty string if directory does not exists":         {policyKitDir: "doesnotexists", emptyReturn: true},
+		"Directory instead of a conf file is ignored":                  {policyKitDir: "incorrect-policikit-conf-is-dir/etc/polkit-1", emptyReturn: true},
 	}
-
 	for name, tc := range tests {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
-			got, err := getSystemPolkitAdminIdentities(context.Background(), tc.policyKitDir)
-			if tc.wantErr {
-				require.NotNil(t, err, "getSystemPolkitAdminIdentities should have failed but didn't")
+			got, err := polkitAdminIdentitiesFromConf(context.Background(), filepath.Join("testdata", tc.policyKitDir))
+			require.NoError(t, err, "polkitAdminIdentitiesFromConf failed but shouldn't have")
+
+			if tc.emptyReturn {
+				require.Empty(t, got)
 				return
 			}
-			require.NoError(t, err, "ApplyPolicy failed but shouldn't have")
+			want := testutils.LoadWithUpdateFromGolden(t, got)
+			require.Equal(t, want, got, "polkitAdminIdentitiesFromConf did not return expected value")
+		})
+	}
+}
+
+func TestPolkitAdminIdentitiesFromRules(t *testing.T) {
+	t.Parallel()
+
+	tests := map[string]struct {
+		policyKitDirs []string
+
+		emptyReturn bool
+	}{
+		"Fetch previous admin identities": {
+			policyKitDirs: []string{"existing-previous-local-admins-one/etc/polkit-1"},
+		},
+		"Fetch previous admin identities from lower ascii file": {
+			policyKitDirs: []string{"existing-previous-local-admins-multi/etc/polkit-1"},
+		},
+		"Fetch previous admin identities ignoring adsys": {
+			policyKitDirs: []string{"existing-previous-local-admins-with-adsys-file/etc/polkit-1"},
+		},
+
+		// Rules-specific cases
+		"Consider only first returned value": {
+			policyKitDirs: []string{"existing-previous-local-admins-return-early/etc/polkit-1"},
+		},
+		"Prioritize first specified directory if files have same ascii": {
+			policyKitDirs: []string{"multiple-polkit-dirs-same-file/etc/polkit-1", "multiple-polkit-dirs-same-file/etc/polkit-2"},
+		},
+		"Prioritize lower ascii file even if on second directory": {
+			policyKitDirs: []string{"multiple-polkit-dirs-diff-file/etc/polkit-1", "multiple-polkit-dirs-diff-file/etc/polkit-2"},
+		},
+
+		// Edge cases
+		"No previous admin identities but regular directory structure": {
+			policyKitDirs: []string{"existing-other-files/etc/polkit-1"},
+			emptyReturn:   true,
+		},
+		"Returns an empty string if directory does not exists": {
+			policyKitDirs: []string{"doesnotexists"},
+			emptyReturn:   true,
+		},
+		"Directory instead of a conf file is ignored": {
+			policyKitDirs: []string{"incorrect-policikit-conf-is-dir/etc/polkit-1"},
+			emptyReturn:   true,
+		},
+	}
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			for i, dir := range tc.policyKitDirs {
+				tc.policyKitDirs[i] = filepath.Join("testdata", dir)
+			}
+
+			got, err := polkitAdminIdentitiesFromRules(context.Background(), tc.policyKitDirs)
+			require.NoError(t, err, "getSystemPolkitAdminIdentities failed but shouldn't have")
 
-			assert.Equal(t, tc.want, got, "getSystemPolkitAdminIdentities returned expected value")
+			if tc.emptyReturn {
+				require.Empty(t, got)
+				return
+			}
+			want := testutils.LoadWithUpdateFromGolden(t, got)
+			require.Equal(t, want, got)
 		})
 	}
 }