From 1d5f8f120cbcb7d1ef314567aa9910e3d19554c3 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Wed, 29 Apr 2020 07:29:23 +0200
Subject: [PATCH] tests: Run as unprivileged user
Approach taken from cockpit: https://src.fedoraproject.org/rpms/cockpit/c/6d1be3eb74
---
 tests/browser.sh | 59 ++++++++++++++++++-----------------------------
 tests/run-test.sh | 27 ++++++++++++++++++++++
 tests/tests.yml | 2 +-
 3 files changed, 51 insertions(+), 37 deletions(-)
 create mode 100755 tests/run-test.sh
diff --git a/tests/browser.sh b/tests/browser.sh
index 71fed8d..356b2b2 100755
--- a/tests/browser.sh
+++ b/tests/browser.sh
@@ -4,17 +4,34 @@ set -eux
 # from standard-test-source
 SOURCE="$(pwd)/source"
 LOGS="$(pwd)/logs"
+TESTS="$(pwd)/tests"
 mkdir -p "$LOGS"
 chmod a+w "$LOGS"
+# install browser; on RHEL, use chromium from epel
+if ! rpm -q chromium-headless; then
+ if grep -q 'ID=rhel' /etc/os-release; then
+ dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+ dnf config-manager --enable epel
+ fi
+ dnf install -y chromium-headless
+fi
+
 # create user account for logging in
 if ! id admin 2>/dev/null; then
- useradd admin -G wheel
+ useradd -c Administrator -G wheel admin
 echo admin:foobar | chpasswd
 fi
+
 # avoid sudo lecture during tests
 su -c 'echo foobar | sudo --stdin whoami' - admin
+# create user account for running the test
+if ! id runtest 2>/dev/null; then
+ useradd -c 'Test runner' runtest
+fi
+chown -R runtest "$SOURCE"
+
 # disable core dumps, we rather investigate them upstream where test VMs are accessible
 echo core > /proc/sys/kernel/core_pattern
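Review bot: The new RHEL check `grep -q 'ID=rhel' /etc/os-release` is an unanchored substring match on the raw file, whereas the code it replaces compared the sourced `$ID`. As far as I know RHEL writes the value quoted (`ID="rhel"`), in which case the pattern never matches, EPEL is not enabled, and the following `dnf install -y chromium-headless` presumably fails and aborts the script under `set -eux`. Comparing the parsed value is sturdier: `if [ "$(. /etc/os-release; echo "$ID")" = rhel ]; then`. Separately, the epel-release RPM is installed as root straight from a URL, and dnf only signature-checks command-line packages when `localpkg_gpgcheck` is enabled, so HTTPS is the only integrity control on that step. The script continues outside this hunk.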
@@ -30,42 +47,12 @@ podman pull docker.io/busybox
 podman pull docker.io/alpine
 podman pull docker.io/registry:2
 EOF
+loginctl disable-linger $(id -u admin)
 systemctl enable --now cockpit.socket io.podman.socket
-# tests need cockpit's bots/ libraries and test infrastructure
-cd $SOURCE
-git init
-make bots test/common
+# Run tests as unprivileged user
+su - -c "env SOURCE=$SOURCE LOGS=$LOGS $TESTS/run-test.sh" runtest
-# only install a subset to save time/space
-npm install chrome-remote-interface sizzle
-
-. /etc/os-release
-export TEST_OS="${ID}-${VERSION_ID/./-}"
-# HACK: upstream tests don't recognize rhel-8-3 yet
-if [ "$TEST_OS" = "rhel-8-3" ]; then
- export TEST_OS=rhel-8-2
-fi
-
-# install browser; on RHEL, use chromium from epel
-if ! rpm -q chromium-headless; then
- if [ "$ID" = "rhel" ]; then
- dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
- dnf config-manager --enable epel
- fi
- dnf install -y chromium-headless
-fi
-
-export TEST_AUDIT_NO_SELINUX=1
-
-# run tests
-RC=0
-test/check-application -tv --machine 127.0.0.1:22 --browser 127.0.0.1:9090 TestApplication.testBasicSystem || { RC=$? ; cp --verbose Test* $LOGS || true; }
-
-# reset system changes from tests, for running this multiple times in a row
-rm -f /etc/systemd/system/cockpit.service.d/notls.conf
-systemctl daemon-reload
-systemctl stop cockpit.service
-
-exit $RC
+RC=$(cat $LOGS/exitcode)
+exit ${RC:-1}
diff --git a/tests/run-test.sh b/tests/run-test.sh
new file mode 100755
index 0000000..bab1968
--- /dev/null
+++ b/tests/run-test.sh
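Review bot: In tests/browser.sh, root reads the test result back with `RC=$(cat $LOGS/exitcode)` and `exit ${RC:-1}`, using it unquoted and unvalidated. That file is written by the unprivileged runner, and it sits in a directory the first hunk leaves world-writable (`chmod a+w "$LOGS"`). Because the script runs under `set -eux`, whatever that path resolves to is also echoed into the trace log. I would check that it is a regular file, read it with `RC=$(cat "$LOGS/exitcode")`, and reject anything non-numeric with `case "$RC" in ''|*[!0-9]*) RC=1 ;; esac`. The same quoting gap is in `su - -c "env SOURCE=$SOURCE LOGS=$LOGS $TESTS/run-test.sh" runtest`, where the expanded paths are parsed again by the runner's shell.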
@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eux
+
+# tests need cockpit's bots/ libraries and test infrastructure
+cd $SOURCE
+git init
+make bots test/common
+
+# only install a subset to save time/space
+npm install chrome-remote-interface sizzle
+
+. /etc/os-release
+export TEST_OS="${ID}-${VERSION_ID/./-}"
+# HACK: upstream tests don't recognize rhel-8-3 yet
+if [ "$TEST_OS" = "rhel-8-3" ]; then
+ export TEST_OS=rhel-8-2
+fi
+
+export TEST_AUDIT_NO_SELINUX=1
+
+RC=0
+test/check-application -tv --machine 127.0.0.1:22 --browser 127.0.0.1:9090 TestApplication.testBasicSystem || RC=$?
+
+echo $RC > "$LOGS/exitcode"
+cp --verbose Test* "$LOGS" || true
+# deliver test result via exitcode file
+exit 0
diff --git a/tests/tests.yml b/tests/tests.yml
index d8eb8d6..7779f62 100644
--- a/tests/tests.yml
+++ b/tests/tests.yml
@@ -17,7 +17,7 @@
 - npm
 - python3
 tests:
- - verify:
+ - browser:
 dir: .
 run: ./browser.sh
 save-files: ["logs/*"]
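Review bot: In tests/run-test.sh, `npm install chrome-remote-interface sizzle` takes whatever versions the registry serves at test time and runs their install scripts. Moving the step to the `runtest` account limits what those scripts can touch, but the dependency set remains unpinned and unreproducible. Pinning would close that gap, e.g. `npm install --ignore-scripts chrome-remote-interface@<version> sizzle@<version>` (versions are placeholders), assuming neither package needs its install scripts. The new file also declares `#!/bin/sh` while `${VERSION_ID/./-}` is a bash substitution, so `#!/bin/bash` would state the real requirement. `cd $SOURCE` and `echo $RC` should be quoted as well.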