feat: Add integration tests and --version

Author: LeChatP

.cargo/config.toml

@@ -10,12 +10,22 @@ test-root = [
     "--"
 ]
 
-coverage = [
+integration-test = [
+    "test",
+    "--test", "integration_tests",
+    "--features", "finder",
     "--config",
     "target.\"cfg(all())\".runner=\"/usr/bin/sudo -E\"",
+    "--",
+    "--nocapture",
+    "--test-threads=1"
+]
+
+coverage = [
     "tarpaulin",
     "--workspace",
     "--all-features",
+    "--all-targets",
     "--timeout",
     "120",
     "--exclude-files",

.github/workflows/tests.yml

@@ -28,24 +28,17 @@ jobs:
     - name: Install Dependencies
       run: cargo xtask dependencies -dip sudo
 
-    - name: run tests with coverage
-      run: cargo +nightly tarpaulin --verbose --all-features --workspace --timeout 120 --exclude-files build.rs xtask/src/* -e xtask --out Xml
+    - name: build integration coverage
+      run: sudo -E cargo +nightly coverage --out Xml
+      env:
+        RAR_AUTHENTICATION: skip
+        RAR_CFG_PATH: target/rootasrole.json
+        SKIP_BUILD: true
 
     - name: Upload coverage reports to Codecov
       uses: codecov/codecov-action@v3
       env: 
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       with:
         file: cobertura.xml
-        flags: unittests
-
-    - name: run tests with coverage as Admin
-      run: sudo -E /usr/local/cargo/bin/cargo +nightly tarpaulin --verbose --all-features --workspace --timeout 120 --exclude-files build.rs xtask/src/* -e xtask --out Xml
-
-    - name: Upload coverage reports to Codecov as Admin
-      uses: codecov/codecov-action@v3
-      env: 
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-      with:
-        file: cobertura.xml
-        flags: admin-unittests
+        flags: unittests

Cargo.toml

@@ -51,7 +51,6 @@ name = "chsr"
 path = "src/chsr/main.rs"
 required-features = ["editor"]
 
-# Integration tests that require root privileges
 [[test]]
 name = "integration_tests"
 path = "tests/integration_tests.rs"

rar-common/src/util.rs

@@ -260,7 +260,12 @@ pub fn subsribe(_: &str) -> io::Result<()> {
 pub fn subsribe(tool: &str) -> io::Result<()> {
     use log::LevelFilter;
     use syslog::Facility;
-    syslog::init(Facility::LOG_AUTH, LevelFilter::Info, Some(tool))?;
+    syslog::init(Facility::LOG_AUTH, LevelFilter::Info, Some(tool)).map_err(|e| {
+        io::Error::new(
+            io::ErrorKind::Other,
+            format!("Failed to connect to syslog: {}", e),
+        )
+    })?;
     Ok(())
 }
 
@@ -347,6 +352,7 @@ pub fn open_lock_with_privileges<P: AsRef<Path>>(
 }
 
 pub fn read_with_privileges<P: AsRef<Path>>(p: P) -> std::io::Result<File> {
+    debug!("Opening file {:?}", p.as_ref());
     std::fs::File::open(&p).or_else(|e| {
         if e.kind() != std::io::ErrorKind::PermissionDenied {
             return Err(e);

src/chsr/cli/mod.rs

@@ -1,8 +1,11 @@
 pub(crate) mod data;
+#[cfg(not(tarpaulin_include))]
 #[cfg(feature = "editor")]
 pub(crate) mod editor;
 pub(crate) mod pair;
 pub(crate) mod process;
+//TODO: UI miri tests
+#[cfg(not(tarpaulin_include))]
 pub(crate) mod usage;
 
 use std::{cell::RefCell, error::Error, path::PathBuf, rc::Rc};

src/chsr/util.rs

@@ -68,4 +68,4 @@ where
         .map(|s| escape_parser_string(s))
         .collect::<Vec<String>>()
         .join(" ")
-}
+}

src/sr/finder/mod.rs

@@ -11,6 +11,7 @@ use api::{register_plugins, Api, ApiEvent};
 use capctl::CapSet;
 use de::{ConfigFinderDeserializer, DConfigFinder, DLinkedCommand, DLinkedRole, DLinkedTask};
 use log::debug;
+use nix::unistd::User;
 use options::BorrowedOptStack;
 use rar_common::{
     database::{
@@ -139,7 +140,15 @@ impl BestExecSettings {
         }
         result.env = opt_stack
             .calc_temp_env(opt_stack.calc_override_behavior(), &cli.opt_filter)
-            .calc_final_env(env_vars, opt_stack.calc_path(env_path), cred)?;
+            .calc_final_env(
+                env_vars,
+                opt_stack.calc_path(env_path),
+                cred,
+                result
+                    .setuid
+                    .and_then(|x| User::from_uid(x.into()).expect("Target user do not exist")),
+                format!("{}{}",cli.cmd_path.display(), if cli.cmd_args.is_empty() { "".into() } else { format!(" {}", cli.cmd_args.join(" ")) } )
+            )?;
         result.auth = opt_stack.calc_authentication();
         result.bounding = opt_stack.calc_bounding();
         result.timeout = opt_stack.calc_timeout();

src/sr/finder/options.rs

@@ -7,6 +7,7 @@ use chrono::Duration;
 use konst::primitive::parse_i64;
 use konst::{iter, option, result, slice, string, unwrap_ctx};
 use libc::PATH_MAX;
+use nix::unistd::User;
 use rar_common::database::options::{
     EnvBehavior, Level, PathBehavior, SAuthentication, SBounding, SPathOptions, SPrivileged,
     STimeout, TimestampType,
@@ -283,7 +284,9 @@ impl<'a> DEnvOptions<'a> {
         &self,
         env_vars: impl IntoIterator<Item = (impl Into<String>, impl Into<String>)>,
         env_path: impl IntoIterator<Item = impl AsRef<str>>,
-        target: &Cred,
+        current_user: &Cred,
+        target: Option<User>,
+        command: String,
     ) -> SrResult<HashMap<String, String>> {
         let mut final_set = match self.default_behavior {
             EnvBehavior::Inherit => {
@@ -329,16 +332,21 @@ impl<'a> DEnvOptions<'a> {
                 }
             }),
         );
-        final_set.insert("LOGNAME".into(), target.user.name.clone());
-        final_set.insert("USER".into(), target.user.name.clone());
-        final_set.insert("HOME".into(), target.user.dir.to_string_lossy().to_string());
-        final_set
-            .entry("TERM".into())
-            .or_insert_with(|| "unknown".into());
+        let target_user = target.unwrap_or_else(|| current_user.user.clone());
+        final_set.insert("LOGNAME".into(), target_user.name.clone());
+        final_set.insert("USER".into(), target_user.name.clone());
+        final_set.insert("HOME".into(), target_user.dir.to_string_lossy().to_string());
         final_set.insert(
             "SHELL".into(),
-            target.user.shell.to_string_lossy().to_string(),
+            target_user.shell.to_string_lossy().to_string(),
         );
+        final_set.insert("RAR_UID".into(), current_user.user.uid.to_string());
+        final_set.insert("RAR_GID".into(), current_user.user.gid.to_string());
+        final_set.insert("RAR_USER".into(), current_user.user.name.clone());
+        final_set.insert("RAR_COMMAND".into(), command);
+        final_set
+            .entry("TERM".into())
+            .or_insert_with(|| "unknown".into());
         final_set.extend(
             self.set
                 .iter()
@@ -1065,16 +1073,15 @@ mod tests {
         ];
         let env_path = vec!["/usr/local/bin", "/usr/bin"];
         let target = Cred::builder().build();
-        let result = env_options.calc_final_env(env_vars, &env_path, &target);
+        let result = env_options.calc_final_env(env_vars, &env_path, &target, None, String::new());
         assert!(
             result.is_ok(),
             "Failed to calculate final env {}",
             result.unwrap_err()
         );
         let final_env = result.unwrap();
         assert_eq!(final_env.get("PATH").unwrap(), "/usr/local/bin:/usr/bin");
-        assert_eq!(*final_env.get("LOGNAME").unwrap(), target.user.name);
-        assert_eq!(*final_env.get("USER").unwrap(), target.user.name);
+        assert_eq!(*final_env.get("RAR_USER").unwrap(), target.user.name);
         assert_eq!(
             *final_env.get("HOME").unwrap(),
             target.user.dir.to_string_lossy()
@@ -1107,7 +1114,7 @@ mod tests {
         ];
         let env_path = vec!["/usr/local/bin", "/usr/bin"];
         let target = Cred::builder().build();
-        let result = env_options.calc_final_env(env_vars, &env_path, &target);
+        let result = env_options.calc_final_env(env_vars, &env_path, &target, None, String::new());
         assert!(
             result.is_ok(),
             "Failed to calculate final env {}",
@@ -1149,7 +1156,7 @@ mod tests {
         ];
         let env_path = vec!["/usr/local/bin", "/usr/bin"];
         let target = Cred::builder().build();
-        let result = env_options.calc_final_env(env_vars, &env_path, &target);
+        let result = env_options.calc_final_env(env_vars, &env_path, &target, None, String::new());
         assert!(result.is_err());
     }
 

src/sr/main.rs

@@ -41,7 +41,7 @@ const ROOTASROLE: &str = "target/rootasrole.json";
 //and each role has a set of rights to execute commands.";
 
 const USAGE: &str = formatcp!(
-    r#"{UNDERLINE}{BOLD}Usage:{RST} {BOLD}sr{RST} [OPTIONS] [COMMAND]...
+    r#"{UNDERLINE}{BOLD}Usage:{RST} {BOLD}dosr{RST} [OPTIONS] [COMMAND]...
 
 {UNDERLINE}{BOLD}Arguments:{RST}
   [COMMAND]...
@@ -59,17 +59,20 @@ const USAGE: &str = formatcp!(
 
   {BOLD}-p, --prompt <PROMPT>{RST}
           Prompt option allows you to override the default password prompt and use a custom one
-          
           [default: "Password: "]
 
   {BOLD}-u, --user <USER>{RST}
           Specify the user to execute the command as
+
   {BOLD}-g --group <GROUP>(,<GROUP>...){RST}
           Specify the group to execute the command as
 
   {BOLD}-i, --info{RST}
           Display rights of executor
 
+  {BOLD}-v, --version{RST}
+          Print dosr version
+
   {BOLD}-h, --help{RST}
           Print help (see a summary with '-h')"#,
     UNDERLINE = UNDERLINE,
@@ -179,6 +182,10 @@ where
             "-h" | "--help" => {
                 args.help = true;
             }
+            "-v" | "--version" => {
+                println!("dosr: version {}", env!("CARGO_PKG_VERSION"));
+                std::process::exit(0);
+            }
             _ => {
                 if arg.as_ref().starts_with('-') {
                     error!("Unknown option: {}", arg.as_ref());
@@ -214,13 +221,51 @@ where
 }
 
 #[cfg(not(tarpaulin_include))]
-fn main() -> SrResult<()> {
+fn main() {
+    if let Err(e) = subsribe("sr") {
+        eprintln!("sr: Failed to initialize logging: {}", e);
+        std::process::exit(1);
+    }
+    if let Err(e) = main_inner() {
+        eprintln!("sr: {}", e);
+
+        use nix::unistd::{Uid, User};
+        if let SrError::InsufficientPrivileges = e {
+            error!("Insufficient privileges to run sr. {}", CAPABILITIES_ERROR);
+        } else if let SrError::AuthenticationFailed = e {
+            error!(
+                "Authentication failed for user '{}', when trying running '''{}'''",
+                User::from_uid(Uid::current())
+                    .and_then(|u| u
+                        .and_then(|u| Some(u.name))
+                        .ok_or(nix::errno::Errno::EAGAIN))
+                    .unwrap_or(Uid::current().to_string()),
+                std::env::args().skip(1).collect::<Vec<_>>().join(" ")
+            );
+            eprintln!("This incident is reported.");
+        } else {
+            error!(
+                "User '{}' got a '{}' when trying running '''{}'''",
+                User::from_uid(Uid::current())
+                    .and_then(|u| u
+                        .and_then(|u| Some(u.name))
+                        .ok_or(nix::errno::Errno::EAGAIN))
+                    .unwrap_or(Uid::current().to_string()),
+                e,
+                std::env::args().skip(1).collect::<Vec<_>>().join(" ")
+            );
+        }
+        std::process::exit(1);
+    }
+}
+
+#[cfg(not(tarpaulin_include))]
+fn main_inner() -> SrResult<()> {
     use std::env;
 
     use crate::{pam::check_auth, ROOTASROLE};
     use finder::find_best_exec_settings;
 
-    subsribe("sr")?;
     debug!("Started with capabilities: {:?}", CapState::get_current()?);
     drop_effective()?;
     let args = std::env::args();

tests/fixtures/env_override.json

@@ -0,0 +1,68 @@
+{
+    "version": "3.2.0",
+    "options": {
+        "env": {
+            "default": "delete",
+            "override_behavior": false,
+            "keep": [
+                "KEEP"
+            ],
+            "check": [
+                "TZ"
+            ],
+            "delete": [
+                "DELETE"
+            ]
+        }
+    },
+    "roles": [
+        {
+            "name": "env",
+            "actors": [
+                {
+                    "type": "user",
+                    "name": "root"
+                }
+            ],
+            "tasks": [
+                {
+                    "name": "allowed",
+                    "purpose": "Commands that allow environment override",
+                    "commands": [
+                        "/usr/bin/env ^.*$"
+                    ],
+                    "options": {
+                        "env": {
+                            "override_behavior": true,
+                            "set": {
+                                "TASK": "allowed"
+                            }
+                        }
+                    }
+                },
+                {
+                    "name": "denied", 
+                    "purpose": "Commands that deny environment override",
+                    "commands": [
+                        "/usr/bin/env ^.*$"
+                    ],
+                    "options": {
+                        "env": {
+                            "override_behavior": false,
+                            "set": {
+                                "TASK": "denied"
+                            }
+                        }
+                    }
+                }
+            ],
+            "options": {
+                "env": {
+                    "set": {
+                        "ROLE": "env"
+                    }
+                }
+            }
+        }
+    ]
+}