import typing as T
from testlib import check
+from testlib.const import RUN_ACCESS_CHECKS
from testlib.log import log
from testlib.proc import Tinc, Feature
from testlib.util import read_text, read_lines, write_lines, append_line, write_text
-run_legacy_checks = Feature.LEGACY_PROTOCOL in Tinc().features
-run_access_checks = os.name != "nt" and os.geteuid() != 0
-run_executability_checks = os.name != "nt"
-run_permission_checks = run_executability_checks
+RUN_LEGACY_CHECKS = Feature.LEGACY_PROTOCOL in Tinc().features
+RUN_EXECUTABILITY_CHECKS = os.name != "nt"
+RUN_PERMISSION_CHECKS = RUN_EXECUTABILITY_CHECKS
# Sample RSA key pair (old format). Uses e = 0xFFFF.
RSA_N = """
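Review bot: `RUN_EXECUTABILITY_CHECKS` and `RUN_PERMISSION_CHECKS` keep the bare `os.name != "nt"` condition in this script while `RUN_ACCESS_CHECKS` moves to `testlib.const`; the three flags read as one family, so defining all of them in `testlib.const` next to `RUN_ACCESS_CHECKS` would let the other scripts that still gate on `os.name` reuse them instead of re-deriving the condition. Either way the two that stay here deserve a one-line reason, e.g. `# Mode-bit checks need POSIX permissions; skipped on Windows.` above `RUN_EXECUTABILITY_CHECKS`. The alias `RUN_PERMISSION_CHECKS = RUN_EXECUTABILITY_CHECKS` is also unexplained; if the two are meant to diverge later a comment saying so would help, otherwise one name is enough.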
keyfile_path = context.node.sub(keyfile)
os.truncate(keyfile_path, 0)
- if run_legacy_checks:
+ if RUN_LEGACY_CHECKS:
context.expect_msg("no private key is known", code=0)
else:
context.expect_msg("No Ed25519 private key found")
- if run_access_checks:
+ if RUN_ACCESS_CHECKS:
context = test(f"fail on inaccessible {keyfile}")
keyfile_path = context.node.sub(keyfile)
os.chmod(keyfile_path, 0)
- context.expect_msg("Error reading", code=0 if run_legacy_checks else 1)
+ context.expect_msg("Error reading", code=0 if RUN_LEGACY_CHECKS else 1)
- if run_permission_checks:
+ if RUN_PERMISSION_CHECKS:
context = test(f"warn about unsafe permissions on {keyfile}")
keyfile_path = context.node.sub(keyfile)
os.chmod(keyfile_path, 0o666)
context.expect_msg("unsafe file permissions", code=0)
- if run_legacy_checks:
+ if RUN_LEGACY_CHECKS:
context = test(f"pass on missing {keyfile} when the other key is present")
keyfile_path = context.node.sub(keyfile)
os.remove(keyfile_path)
ctx = test("fail when all private keys are missing")
os.remove(ctx.ec_priv)
-if run_legacy_checks:
+if RUN_LEGACY_CHECKS:
os.remove(ctx.rsa_priv)
ctx.expect_msg("Neither RSA or Ed25519 private")
else:
ctx = test("test EC public key in hosts/")
test_ec_public_key_file_var(ctx, "hosts", ctx.node.name)
-if run_access_checks:
+if RUN_ACCESS_CHECKS:
ctx = test("fail on inaccessible tinc.conf")
os.chmod(ctx.conf, 0)
ctx.expect_msg("not running tinc as root")
os.chmod(ctx.host, 0)
ctx.expect_msg("Cannot open config file")
-if run_executability_checks:
+if RUN_EXECUTABILITY_CHECKS:
ctx = test("non-executable tinc-up MUST be fixed by tinc --force")
os.chmod(ctx.tinc_up, 0o644)
ctx.expect_msg("cannot read and execute", force=True, code=0)
###############################################################################
# Legacy protocol
###############################################################################
-if not run_legacy_checks:
+if not RUN_LEGACY_CHECKS:
log.info("skipping legacy protocol tests")
sys.exit(0)
ctx.expect_msg("No (usable) public RSA key found", force=True, code=0)
ctx.node.cmd("fsck")
-if run_permission_checks:
+if RUN_PERMISSION_CHECKS:
ctx = test("warn about unsafe permissions on tinc.conf with PrivateKey")
os.remove(ctx.rsa_priv)
append_line(ctx.conf, f"PrivateKey = {RSA_D}")
from testlib import check, cmd, util
from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
from testlib.proc import Tinc
from testlib.test import Test
_, err = foo.cmd("import", stdin="Name = node0", code=1)
check.is_in("node0 already exists", err)
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
log.info("import to inaccessible hosts subdirectory")
os.chmod(foo.sub("hosts"), 0)
_, err = foo.cmd("import", stdin="Name = vinny", code=1)
log.info("unexpected number of separators: %s", lines)
assert False
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
os.chmod(foo.sub("hosts"), 0)
_, err = foo.cmd("export-all", code=1)
check.is_in("Could not open host configuration", err)
with Test("test 'exchange' command") as context:
test_exchange(init(context))
-if os.name != "nt":
+if RUN_ACCESS_CHECKS:
with Test("test 'exchange-all' command") as context:
test_exchange_all(init(context))
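Review bot: Gating the whole `exchange-all` test on `RUN_ACCESS_CHECKS` at the replaced `if os.name != "nt":` drops that test entirely when the suite runs as root, whereas the two hunks above in this file only skip the `chmod` sub-steps inside a test. If `test_exchange_all` also exercises behaviour that does not depend on file modes, moving the guard inside it around the permission step would keep that coverage for root runs; its body is not visible here, so this is an inference. If the whole test really is permission-bound, a comment such as `# the whole test relies on chmod-denied access, which root bypasses` at the guard would explain why this one is skipped wholesale.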
from testlib import check, util
from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
from testlib.proc import Tinc
from testlib.test import Test
_, err = foo.cmd("invite", foo.name, code=1)
check.is_in("already exists", err)
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
log.info("bad permissions on invitations are fixed")
invites = foo.sub("invitations")
os.chmod(invites, 0)
_, err = foo.cmd("-c", work_dir, "join", FAKE_INVITE, code=1)
check.is_in("Could not connect to", err)
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
log.info("bad permissions on configuration directory are fixed")
work_dir = foo.sub("wd_access_test")
os.mkdir(work_dir, mode=400)
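Review bot: `os.mkdir(work_dir, mode=400)` inside the block now guarded by `RUN_ACCESS_CHECKS` passes decimal 400, which is mode 0o620 (owner rw-, group -w-), not the owner-read-only 0o400 that the log line "bad permissions on configuration directory are fixed" suggests; the line is unchanged context, but since the guard now exists precisely because root masks mode bits, this is the moment to make the mode deliberate. If 0o400 is what is meant the line should read `os.mkdir(work_dir, mode=0o400)`; if any unusable mode is acceptable, a comment saying so stops the next reader from assuming a typo. The enclosing function continues past the hunk.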
from testlib import check, util
from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
from testlib.feature import Feature
from testlib.proc import Tinc
from testlib.test import Test
key = util.read_text(rsa_priv)
check.has_prefix(key, "-----BEGIN RSA PRIVATE KEY-----")
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
log.info("remove access to private key")
os.chmod(rsa_priv, 0)
_, err = foo.cmd("generate-rsa-keys", "1024", code=1)
check.has_prefix(util.read_text(ec_priv), "-----BEGIN ED25519 PRIVATE KEY-----")
check.has_prefix(util.read_text(ec_pub), "Ed25519PublicKey")
- if os.name != "nt":
+ if RUN_ACCESS_CHECKS:
log.info("remove access to EC private key file")
os.chmod(ec_priv, 0)
_, err = foo.cmd("generate-ed25519-keys", code=1)
log.info("test correct call")
log_client = foo.tinc("log")
foo.cmd("reload")
- time.sleep(1)
foo.cmd("stop")
+ time.sleep(1)
out, _ = log_client.communicate()
check.true(out)
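Review bot: The `time.sleep(1)` moved after `foo.cmd("stop")` carries no comment saying what it waits for, so a reader cannot tell whether it gives the `log` client time to receive the daemon's final output before `communicate()` or works around something else. A fixed delay is also the kind of synchronisation that passes locally and fails on a loaded CI runner; if the condition is "the log client has exited", `log_client.wait()` or `log_client.communicate(timeout=...)` would express it directly, assuming `log_client` is a `subprocess.Popen`-like object (not visible here). At minimum add `# give the log client a moment to read the daemon's last messages before it disconnects — TODO confirm`. The enclosing test function continues outside the hunk.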
# Family name for multiprocessing Listener/Connection
MPC_FAMILY = "AF_PIPE" if os.name == "nt" else "AF_UNIX"
+
+# Do access checks on files. Disabled when not available or not applicable.
+RUN_ACCESS_CHECKS = os.name != "nt" and os.geteuid() != 0
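Review bot: The comment above `RUN_ACCESS_CHECKS` says "not available or not applicable" without naming either condition, which is exactly what a reader of the many `if RUN_ACCESS_CHECKS:` sites needs. Suggest `# Tests that chmod a file to 0 and expect tinc to be denied access: skipped on Windows (no POSIX mode bits) and when running as root, which bypasses them.`. The short-circuit on `os.name` is what keeps `os.geteuid()` from being evaluated on Windows, where it does not exist; worth a word in the comment so nobody reorders the operands.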
}
// Deny write access and make sure makedirs() detects that
- if(*container) {
+ if(getuid() && *container) {
assert_int_equal(0, chmod(tmp, 0));
assert_false(makedirs(dir));
assert_int_equal(0, chmod(tmp, 0755));
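Review bot: The new `getuid() &&` guard leaves the comment `// Deny write access and make sure makedirs() detects that` describing only the non-root path, so the reason the block is skipped is not stated where it applies. Extending it to `// Deny write access and make sure makedirs() detects that (skipped as root, which bypasses mode bits)` keeps the intent visible next to the condition. The enclosing test function starts outside the hunk.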