From 66eb66ec8f872db3dc12e1d01101772918d69a4a Mon Sep 17 00:00:00 2001
From: Kirill Isakov <bootctl@gmail.com>
Date: Sun, 29 May 2022 21:45:28 +0600
Subject: [PATCH] Remove access checks in tests under root

---
 test/integration/cmd_fsck.py      | 28 ++++++++++++++--------------
 test/integration/cmd_import.py    |  7 ++++---
 test/integration/cmd_join.py      |  5 +++--
 test/integration/cmd_keys.py      |  5 +++--
 test/integration/cmd_misc.py      |  2 +-
 test/integration/testlib/const.py |  3 +++
 test/unit/test_fs.c               |  2 +-
 7 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/test/integration/cmd_fsck.py b/test/integration/cmd_fsck.py
index 4e79ccd5..e3dfa437 100755
--- a/test/integration/cmd_fsck.py
+++ b/test/integration/cmd_fsck.py
@@ -7,14 +7,14 @@ import sys
 import typing as T
 
 from testlib import check
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.log import log
 from testlib.proc import Tinc, Feature
 from testlib.util import read_text, read_lines, write_lines, append_line, write_text
 
-run_legacy_checks = Feature.LEGACY_PROTOCOL in Tinc().features
-run_access_checks = os.name != "nt" and os.geteuid() != 0
-run_executability_checks = os.name != "nt"
-run_permission_checks = run_executability_checks
+RUN_LEGACY_CHECKS = Feature.LEGACY_PROTOCOL in Tinc().features
+RUN_EXECUTABILITY_CHECKS = os.name != "nt"
+RUN_PERMISSION_CHECKS = RUN_EXECUTABILITY_CHECKS
 
 # Sample RSA key pair (old format). Uses e = 0xFFFF.
 RSA_N = """
@@ -132,24 +132,24 @@ def test_private_keys(keyfile: str) -> None:
     keyfile_path = context.node.sub(keyfile)
     os.truncate(keyfile_path, 0)
 
-    if run_legacy_checks:
+    if RUN_LEGACY_CHECKS:
         context.expect_msg("no private key is known", code=0)
     else:
         context.expect_msg("No Ed25519 private key found")
 
-    if run_access_checks:
+    if RUN_ACCESS_CHECKS:
         context = test(f"fail on inaccessible {keyfile}")
         keyfile_path = context.node.sub(keyfile)
         os.chmod(keyfile_path, 0)
-        context.expect_msg("Error reading", code=0 if run_legacy_checks else 1)
+        context.expect_msg("Error reading", code=0 if RUN_LEGACY_CHECKS else 1)
 
-    if run_permission_checks:
+    if RUN_PERMISSION_CHECKS:
         context = test(f"warn about unsafe permissions on {keyfile}")
         keyfile_path = context.node.sub(keyfile)
         os.chmod(keyfile_path, 0o666)
         context.expect_msg("unsafe file permissions", code=0)
 
-    if run_legacy_checks:
+    if RUN_LEGACY_CHECKS:
         context = test(f"pass on missing {keyfile} when the other key is present")
         keyfile_path = context.node.sub(keyfile)
         os.remove(keyfile_path)
@@ -211,7 +211,7 @@ ctx.node.cmd("fsck")
 
 ctx = test("fail when all private keys are missing")
 os.remove(ctx.ec_priv)
-if run_legacy_checks:
+if RUN_LEGACY_CHECKS:
     os.remove(ctx.rsa_priv)
     ctx.expect_msg("Neither RSA or Ed25519 private")
 else:
@@ -262,7 +262,7 @@ test_ec_public_key_file_var(ctx, "tinc.conf")
 ctx = test("test EC public key in hosts/")
 test_ec_public_key_file_var(ctx, "hosts", ctx.node.name)
 
-if run_access_checks:
+if RUN_ACCESS_CHECKS:
     ctx = test("fail on inaccessible tinc.conf")
     os.chmod(ctx.conf, 0)
     ctx.expect_msg("not running tinc as root")
@@ -271,7 +271,7 @@ if run_access_checks:
     os.chmod(ctx.host, 0)
     ctx.expect_msg("Cannot open config file")
 
-if run_executability_checks:
+if RUN_EXECUTABILITY_CHECKS:
     ctx = test("non-executable tinc-up MUST be fixed by tinc --force")
     os.chmod(ctx.tinc_up, 0o644)
     ctx.expect_msg("cannot read and execute", force=True, code=0)
@@ -298,7 +298,7 @@ if run_executability_checks:
 ###############################################################################
 # Legacy protocol
 ###############################################################################
-if not run_legacy_checks:
+if not RUN_LEGACY_CHECKS:
     log.info("skipping legacy protocol tests")
     sys.exit(0)
 
@@ -369,7 +369,7 @@ remove_pem(ctx.host)
 ctx.expect_msg("No (usable) public RSA key found", force=True, code=0)
 ctx.node.cmd("fsck")
 
-if run_permission_checks:
+if RUN_PERMISSION_CHECKS:
     ctx = test("warn about unsafe permissions on tinc.conf with PrivateKey")
     os.remove(ctx.rsa_priv)
     append_line(ctx.conf, f"PrivateKey = {RSA_D}")
diff --git a/test/integration/cmd_import.py b/test/integration/cmd_import.py
index 769cf795..5bf37beb 100755
--- a/test/integration/cmd_import.py
+++ b/test/integration/cmd_import.py
@@ -6,6 +6,7 @@ import os
 
 from testlib import check, cmd, util
 from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.proc import Tinc
 from testlib.test import Test
 
@@ -73,7 +74,7 @@ def test_import(foo: Tinc) -> None:
     _, err = foo.cmd("import", stdin="Name = node0", code=1)
     check.is_in("node0 already exists", err)
 
-    if os.name != "nt":
+    if RUN_ACCESS_CHECKS:
         log.info("import to inaccessible hosts subdirectory")
         os.chmod(foo.sub("hosts"), 0)
         _, err = foo.cmd("import", stdin="Name = vinny", code=1)
@@ -153,7 +154,7 @@ def test_export_all(foo: Tinc) -> None:
         log.info("unexpected number of separators: %s", lines)
         assert False
 
-    if os.name != "nt":
+    if RUN_ACCESS_CHECKS:
         os.chmod(foo.sub("hosts"), 0)
         _, err = foo.cmd("export-all", code=1)
         check.is_in("Could not open host configuration", err)
@@ -168,7 +169,7 @@ with Test("test 'export' command") as context:
 with Test("test 'exchange' command") as context:
     test_exchange(init(context))
 
-if os.name != "nt":
+if RUN_ACCESS_CHECKS:
     with Test("test 'exchange-all' command") as context:
         test_exchange_all(init(context))
 
diff --git a/test/integration/cmd_join.py b/test/integration/cmd_join.py
index a9bdd52d..bfc1f197 100755
--- a/test/integration/cmd_join.py
+++ b/test/integration/cmd_join.py
@@ -7,6 +7,7 @@ import shutil
 
 from testlib import check, util
 from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.proc import Tinc
 from testlib.test import Test
 
@@ -77,7 +78,7 @@ def test_invite_errors(foo: Tinc) -> None:
     _, err = foo.cmd("invite", foo.name, code=1)
     check.is_in("already exists", err)
 
-    if os.name != "nt":
+    if RUN_ACCESS_CHECKS:
         log.info("bad permissions on invitations are fixed")
         invites = foo.sub("invitations")
         os.chmod(invites, 0)
@@ -121,7 +122,7 @@ def test_join_errors(foo: Tinc) -> None:
     _, err = foo.cmd("-c", work_dir, "join", FAKE_INVITE, code=1)
     check.is_in("Could not connect to", err)
 
-    if os.name != "nt":
+    if RUN_ACCESS_CHECKS:
         log.info("bad permissions on configuration directory are fixed")
         work_dir = foo.sub("wd_access_test")
         os.mkdir(work_dir, mode=400)
diff --git a/test/integration/cmd_keys.py b/test/integration/cmd_keys.py
index d9af1e09..4520154c 100755
--- a/test/integration/cmd_keys.py
+++ b/test/integration/cmd_keys.py
@@ -7,6 +7,7 @@ import os
 
 from testlib import check, util
 from testlib.log import log
+from testlib.const import RUN_ACCESS_CHECKS
 from testlib.feature import Feature
 from testlib.proc import Tinc
 from testlib.test import Test
@@ -99,7 +100,7 @@ def test_rsa(foo: Tinc) -> None:
     key = util.read_text(rsa_priv)
     check.has_prefix(key, "-----BEGIN RSA PRIVATE KEY-----")
 
-    if os.name != "nt":
+    if RUN_ACCESS_CHECKS:
         log.info("remove access to private key")
         os.chmod(rsa_priv, 0)
         _, err = foo.cmd("generate-rsa-keys", "1024", code=1)
@@ -136,7 +137,7 @@ def test_eddsa(foo: Tinc) -> None:
     check.has_prefix(util.read_text(ec_priv), "-----BEGIN ED25519 PRIVATE KEY-----")
     check.has_prefix(util.read_text(ec_pub), "Ed25519PublicKey")
 
-    if os.name != "nt":
+    if RUN_ACCESS_CHECKS:
         log.info("remove access to EC private key file")
         os.chmod(ec_priv, 0)
         _, err = foo.cmd("generate-ed25519-keys", code=1)
diff --git a/test/integration/cmd_misc.py b/test/integration/cmd_misc.py
index 5a8a973d..c24e733c 100755
--- a/test/integration/cmd_misc.py
+++ b/test/integration/cmd_misc.py
@@ -149,8 +149,8 @@ def test_log(foo: Tinc) -> None:
     log.info("test correct call")
     log_client = foo.tinc("log")
     foo.cmd("reload")
-    time.sleep(1)
     foo.cmd("stop")
+    time.sleep(1)
 
     out, _ = log_client.communicate()
     check.true(out)
diff --git a/test/integration/testlib/const.py b/test/integration/testlib/const.py
index 36f5f977..b15e7034 100755
--- a/test/integration/testlib/const.py
+++ b/test/integration/testlib/const.py
@@ -7,3 +7,6 @@ EXIT_SKIP = 77
 
 # Family name for multiprocessing Listener/Connection
 MPC_FAMILY = "AF_PIPE" if os.name == "nt" else "AF_UNIX"
+
+# Do access checks on files. Disabled when not available or not applicable.
+RUN_ACCESS_CHECKS = os.name != "nt" and os.geteuid() != 0
diff --git a/test/unit/test_fs.c b/test/unit/test_fs.c
index 95d2d09e..5b652ed6 100644
--- a/test/unit/test_fs.c
+++ b/test/unit/test_fs.c
@@ -113,7 +113,7 @@ static void test_makedir(tinc_dir_t dir, bool exists) {
 	}
 
 	// Deny write access and make sure makedirs() detects that
-	if(*container) {
+	if(getuid() && *container) {
 		assert_int_equal(0, chmod(tmp, 0));
 		assert_false(makedirs(dir));
 		assert_int_equal(0, chmod(tmp, 0755));
-- 
2.20.1