tests: Run as unprivileged user

Approach taken from cockpit:
https://src.fedoraproject.org/rpms/cockpit/c/6d1be3eb74

tests/browser.sh

@@ -4,17 +4,34 @@ set -eux
 # from standard-test-source
 SOURCE="$(pwd)/source"
 LOGS="$(pwd)/logs"
+TESTS="$(pwd)/tests"
 mkdir -p "$LOGS"
 chmod a+w "$LOGS"
 
+# install browser; on RHEL, use chromium from epel
+if ! rpm -q chromium-headless; then
+    if grep -q 'ID=rhel' /etc/os-release; then
+        dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+        dnf config-manager --enable epel
+    fi
+    dnf install -y chromium-headless
+fi
+
 # create user account for logging in
 if ! id admin 2>/dev/null; then
-    useradd admin -G wheel
+    useradd -c Administrator -G wheel admin
     echo admin:foobar | chpasswd
 fi
+
 # avoid sudo lecture during tests
 su -c 'echo foobar | sudo --stdin whoami' - admin
 
+# create user account for running the test
+if ! id runtest 2>/dev/null; then
+    useradd -c 'Test runner' runtest
+fi
+chown -R runtest "$SOURCE"
+
 # disable core dumps, we rather investigate them upstream where test VMs are accessible
 echo core > /proc/sys/kernel/core_pattern
 
@@ -30,42 +47,12 @@ podman pull docker.io/busybox
 podman pull docker.io/alpine
 podman pull docker.io/registry:2
 EOF
+loginctl disable-linger $(id -u admin)
 
 systemctl enable --now cockpit.socket io.podman.socket
 
-# tests need cockpit's bots/ libraries and test infrastructure
-cd $SOURCE
-git init
-make bots test/common
+# Run tests as unprivileged user
+su - -c "env SOURCE=$SOURCE LOGS=$LOGS $TESTS/run-test.sh" runtest
 
-# only install a subset to save time/space
-npm install chrome-remote-interface sizzle
-
-. /etc/os-release
-export TEST_OS="${ID}-${VERSION_ID/./-}"
-# HACK: upstream tests don't recognize rhel-8-3 yet
-if [ "$TEST_OS" = "rhel-8-3" ]; then
-    export TEST_OS=rhel-8-2
-fi
-
-# install browser; on RHEL, use chromium from epel
-if ! rpm -q chromium-headless; then
-    if [ "$ID" = "rhel" ]; then
-        dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
-        dnf config-manager --enable epel
-    fi
-    dnf install -y chromium-headless
-fi
-
-export TEST_AUDIT_NO_SELINUX=1
-
-# run tests
-RC=0
-test/check-application -tv --machine 127.0.0.1:22 --browser 127.0.0.1:9090 TestApplication.testBasicSystem || { RC=$? ; cp --verbose Test* $LOGS || true; }
-
-# reset system changes from tests, for running this multiple times in a row
-rm -f /etc/systemd/system/cockpit.service.d/notls.conf
-systemctl daemon-reload
-systemctl stop cockpit.service
-
-exit $RC
+RC=$(cat $LOGS/exitcode)
+exit ${RC:-1}

tests/run-test.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eux
+
+# tests need cockpit's bots/ libraries and test infrastructure
+cd $SOURCE
+git init
+make bots test/common
+
+# only install a subset to save time/space
+npm install chrome-remote-interface sizzle
+
+. /etc/os-release
+export TEST_OS="${ID}-${VERSION_ID/./-}"
+# HACK: upstream tests don't recognize rhel-8-3 yet
+if [ "$TEST_OS" = "rhel-8-3" ]; then
+    export TEST_OS=rhel-8-2
+fi
+
+export TEST_AUDIT_NO_SELINUX=1
+
+RC=0
+test/check-application -tv --machine 127.0.0.1:22 --browser 127.0.0.1:9090 TestApplication.testBasicSystem || RC=$?
+
+echo $RC > "$LOGS/exitcode"
+cp --verbose Test* "$LOGS" || true
+# deliver test result via exitcode file
+exit 0

tests/tests.yml

@@ -17,7 +17,7 @@
     - npm
     - python3
     tests:
-    - verify:
+    - browser:
         dir: .
         run: ./browser.sh
         save-files: ["logs/*"]