From 4deef05cf9b642d39e700f0646e865c3f1c2a80a Mon Sep 17 00:00:00 2001 From: Michael Cook Date: Wed, 5 Jul 2023 22:33:06 -0400 Subject: [PATCH 1/2] only test non-root users have permission denied for inaccessible paths --- internal/manager/api_impl/meta_test.go | 31 ++++++++++++++++---------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/internal/manager/api_impl/meta_test.go b/internal/manager/api_impl/meta_test.go index 18783cef..9eb81f6c 100644 --- a/internal/manager/api_impl/meta_test.go +++ b/internal/manager/api_impl/meta_test.go @@ -6,6 +6,7 @@ import ( "io/fs" "net/http" "os" + "os/user" "path/filepath" "runtime" "testing" @@ -189,20 +190,26 @@ func TestCheckSharedStoragePath(t *testing.T) { // that seems consistent. // FIXME: find another way to test with unwritable directories on Windows. if runtime.GOOS != "windows" { - parentPath := filepath.Join(mf.tempdir, "deep") - testPath := filepath.Join(parentPath, "nesting") - if err := os.Mkdir(parentPath, fs.ModePerm); !assert.NoError(t, err) { + currentUser, err := user.Current() + + if err != nil { t.FailNow() + } else if currentUser.Username != "root" { + parentPath := filepath.Join(mf.tempdir, "deep") + testPath := filepath.Join(parentPath, "nesting") + if err := os.Mkdir(parentPath, fs.ModePerm); !assert.NoError(t, err) { + t.FailNow() + } + if err := os.Mkdir(testPath, fs.FileMode(0)); !assert.NoError(t, err) { + t.FailNow() + } + echoCtx := doTest(testPath) + result := api.PathCheckResult{} + getResponseJSON(t, echoCtx, http.StatusOK, &result) + assert.Equal(t, testPath, result.Path) + assert.False(t, result.IsUsable) + assert.Contains(t, result.Cause, "Unable to create a file") } - if err := os.Mkdir(testPath, fs.FileMode(0)); !assert.NoError(t, err) { - t.FailNow() - } - echoCtx := doTest(testPath) - result := api.PathCheckResult{} - getResponseJSON(t, echoCtx, http.StatusOK, &result) - assert.Equal(t, testPath, result.Path) - assert.False(t, result.IsUsable) - assert.Contains(t, result.Cause, "Unable to create a file") } } -- 2.30.2 From e3a6522af6f76fd5b3b9a9607d6665afd7f5aa04 Mon Sep 17 00:00:00 2001 From: Michael Cook Date: Thu, 6 Jul 2023 14:59:44 +0200 Subject: [PATCH 2/2] disallow root running the TestCheckSharedStoragePath test --- internal/manager/api_impl/meta_test.go | 39 +++++++++++++++----------- 1 file changed, 22 insertions(+), 17 deletions(-) diff --git a/internal/manager/api_impl/meta_test.go b/internal/manager/api_impl/meta_test.go index 9eb81f6c..e8907cca 100644 --- a/internal/manager/api_impl/meta_test.go +++ b/internal/manager/api_impl/meta_test.go @@ -190,26 +190,31 @@ func TestCheckSharedStoragePath(t *testing.T) { // that seems consistent. // FIXME: find another way to test with unwritable directories on Windows. if runtime.GOOS != "windows" { - currentUser, err := user.Current() - if err != nil { + // Root can always create directories, so this test would fail with a + // confusing message. Instead it's better to refuse running as root at all. + currentUser, err := user.Current() + require.NoError(t, err) + require.NotEqual(t, "0", currentUser.Uid, + "this test requires running as normal user, not %s (%s)", currentUser.Username, currentUser.Uid) + require.NotEqual(t, "root", currentUser.Username, + "this test requires running as normal user, not %s (%s)", currentUser.Username, currentUser.Uid) + + parentPath := filepath.Join(mf.tempdir, "deep") + testPath := filepath.Join(parentPath, "nesting") + if err := os.Mkdir(parentPath, fs.ModePerm); !assert.NoError(t, err) { t.FailNow() - } else if currentUser.Username != "root" { - parentPath := filepath.Join(mf.tempdir, "deep") - testPath := filepath.Join(parentPath, "nesting") - if err := os.Mkdir(parentPath, fs.ModePerm); !assert.NoError(t, err) { - t.FailNow() - } - if err := os.Mkdir(testPath, fs.FileMode(0)); !assert.NoError(t, err) { - t.FailNow() - } - echoCtx := doTest(testPath) - result := api.PathCheckResult{} - getResponseJSON(t, echoCtx, http.StatusOK, &result) - assert.Equal(t, testPath, result.Path) - assert.False(t, result.IsUsable) - assert.Contains(t, result.Cause, "Unable to create a file") } + if err := os.Mkdir(testPath, fs.FileMode(0)); !assert.NoError(t, err) { + t.FailNow() + } + echoCtx := doTest(testPath) + result := api.PathCheckResult{} + getResponseJSON(t, echoCtx, http.StatusOK, &result) + assert.Equal(t, testPath, result.Path) + assert.False(t, result.IsUsable) + assert.Contains(t, result.Cause, "Unable to create a file") + } } -- 2.30.2