Merge branch 'main' into fmt-check-workflow

Author: dmah42

auraed/src/init/mod.rs

@@ -81,14 +81,15 @@ pub async fn init(
     socket_address: Option<String>,
 ) -> (Context, SocketStream) {
     let context = Context::get(nested);
-    let init_result = match context {
-        Context::Pid1 => Pid1SystemRuntime {}.init(verbose, socket_address),
-        Context::Cell => CellSystemRuntime {}.init(verbose, socket_address),
-        Context::Container => {
-            ContainerSystemRuntime {}.init(verbose, socket_address)
-        }
-        Context::Daemon => DaemonSystemRuntime {}.init(verbose, socket_address),
-    }
+    let init_result = init_with_runtimes(
+        context,
+        verbose,
+        socket_address,
+        Pid1SystemRuntime {},
+        CellSystemRuntime {},
+        ContainerSystemRuntime {},
+        DaemonSystemRuntime {},
+    )
     .await;
 
     match init_result {
@@ -97,6 +98,31 @@ pub async fn init(
     }
 }
 
+async fn init_with_runtimes<RPid1, RCell, RContainer, RDaemon>(
+    context: Context,
+    verbose: bool,
+    socket_address: Option<String>,
+    pid1_runtime: RPid1,
+    cell_runtime: RCell,
+    container_runtime: RContainer,
+    daemon_runtime: RDaemon,
+) -> Result<SocketStream, SystemRuntimeError>
+where
+    RPid1: SystemRuntime,
+    RCell: SystemRuntime,
+    RContainer: SystemRuntime,
+    RDaemon: SystemRuntime,
+{
+    match context {
+        Context::Pid1 => pid1_runtime.init(verbose, socket_address).await,
+        Context::Cell => cell_runtime.init(verbose, socket_address).await,
+        Context::Container => {
+            container_runtime.init(verbose, socket_address).await
+        }
+        Context::Daemon => daemon_runtime.init(verbose, socket_address).await,
+    }
+}
+
 #[derive(Debug, PartialEq, Eq, Copy, Clone)]
 pub enum Context {
     /// auraed is running as true PID 1
@@ -215,6 +241,16 @@ fn in_new_cgroup_namespace() -> bool {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::init::system_runtimes::{
+        SocketStream, SystemRuntime, SystemRuntimeError,
+    };
+    use anyhow::anyhow;
+    use std::sync::{
+        Arc,
+        atomic::{AtomicUsize, Ordering},
+    };
+    use tokio::runtime::Runtime;
+    use tonic::async_trait;
 
     fn pid_one() -> u32 {
         1
@@ -282,4 +318,83 @@ mod tests {
             Context::Cell
         );
     }
+
+    #[derive(Clone)]
+    struct MockRuntime {
+        calls: Arc<AtomicUsize>,
+        label: &'static str,
+    }
+
+    impl MockRuntime {
+        fn new(label: &'static str) -> Self {
+            Self { calls: Arc::new(AtomicUsize::new(0)), label }
+        }
+    }
+
+    #[async_trait]
+    impl SystemRuntime for Arc<MockRuntime> {
+        async fn init(
+            self,
+            _verbose: bool,
+            _socket_address: Option<String>,
+        ) -> Result<SocketStream, SystemRuntimeError> {
+            let _ = self.calls.fetch_add(1, Ordering::SeqCst);
+            Err(SystemRuntimeError::Other(anyhow!(self.label)))
+        }
+    }
+
+    fn assert_called_once(mock: &Arc<MockRuntime>) {
+        assert_eq!(
+            mock.calls.load(Ordering::SeqCst),
+            1,
+            "expected {} to be called once",
+            mock.label
+        );
+    }
+
+    #[test]
+    fn init_should_call_matching_system_runtime() {
+        // This test ensures the `init` dispatcher chooses the correct runtime
+        // implementation for each Context. We avoid spinning up real runtimes
+        // by injecting cheap mocks that count how many times they're called.
+        let rt = Runtime::new().expect("tokio runtime");
+
+        let pid1 = Arc::new(MockRuntime::new("pid1"));
+        let cell = Arc::new(MockRuntime::new("cell"));
+        let container = Arc::new(MockRuntime::new("container"));
+        let daemon = Arc::new(MockRuntime::new("daemon"));
+
+        rt.block_on(async {
+            // Each tuple represents (nested flag, pid, in_cgroup_namespace).
+            // We exercise the four Context variants the same way Context::get does.
+            let runtimes = [
+                (false, 1, false),
+                (true, 1, false),
+                (false, 42, true),
+                (false, 42, false),
+            ];
+
+            for (nested, pid, in_cgroup) in runtimes {
+                let ctx = derive_context(nested, pid, in_cgroup);
+
+                // Call the same routing code init() uses, but with our mocks.
+                let _ = init_with_runtimes(
+                    ctx,
+                    false,
+                    None,
+                    pid1.clone(),
+                    cell.clone(),
+                    container.clone(),
+                    daemon.clone(),
+                )
+                .await;
+            }
+        });
+
+        // Each mock should have been called exactly once by its matching Context.
+        assert_called_once(&pid1);
+        assert_called_once(&cell);
+        assert_called_once(&container);
+        assert_called_once(&daemon);
+    }
 }

auraed/src/lib.rs

@@ -355,3 +355,25 @@ pub fn prep_oci_spec_for_spawn(output: &str) -> Result<(), anyhow::Error> {
         .map_err(|e| anyhow!("building default oci spec: {e}"))?;
     spawn_auraed_oci_to(PathBuf::from(output), spec)
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn auraed_runtime_default_socket_address_should_use_runtime_dir() {
+        let default_runtime = AuraedRuntime::default();
+        assert_eq!(
+            default_runtime.default_socket_address(),
+            PathBuf::from("/var/run/aurae/aurae.sock")
+        );
+
+        let custom_runtime_dir = PathBuf::from("/tmp/aurae-test-runtime");
+        let mut runtime = AuraedRuntime::default();
+        runtime.runtime_dir = custom_runtime_dir.clone();
+        assert_eq!(
+            runtime.default_socket_address(),
+            custom_runtime_dir.join("aurae.sock")
+        );
+    }
+}

auraed/tests/common/mod.rs

@@ -75,9 +75,11 @@ macro_rules! retry {
     }};
 }
 
+#[allow(dead_code)]
 static RT: Lazy<tokio::runtime::Runtime> =
     Lazy::new(|| tokio::runtime::Runtime::new().unwrap());
 
+#[allow(dead_code)]
 pub fn test<F>(f: F) -> F::Output
 where
     F: Future + Send + 'static,

auraed/tests/daemon_should_bind_only_unix_socket.rs

@@ -0,0 +1,191 @@
+/* -------------------------------------------------------------------------- *\
+ *                |   █████╗ ██╗   ██╗██████╗  █████╗ ███████╗ |              *
+ *                |  ██╔══██╗██║   ██║██╔══██╗██╔══██╗██╔════╝ |              *
+ *                |  ███████║██║   ██║██████╔╝███████║█████╗   |              *
+ *                |  ██╔══██║██║   ██║██╔══██╗██╔══██║██╔══╝   |              *
+ *                |  ██║  ██║╚██████╔╝██║  ██║██║  ██║███████╗ |              *
+ *                |  ╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝ |              *
+ *                +--------------------------------------------+              *
+ *                                                                            *
+ *                         Distributed Systems Runtime                        *
+ * -------------------------------------------------------------------------- *
+ * Copyright 2022 - 2024, the aurae contributors                              *
+ * SPDX-License-Identifier: Apache-2.0                                        *
+\* -------------------------------------------------------------------------- */
+
+//! Ensure auraed defaults to a Unix socket in daemon mode and does not listen on TCP.
+
+mod common;
+
+use std::{
+    io,
+    net::{SocketAddr, TcpListener},
+    os::unix::fs::FileTypeExt,
+    path::{Path, PathBuf},
+    process::{Command, Stdio},
+    thread,
+    time::{Duration, Instant},
+};
+use test_helpers::*;
+
+fn tcp_addrs_available_before_spawn() -> Vec<SocketAddr> {
+    ["127.0.0.1:8080", "[::1]:8080"]
+        .into_iter()
+        .filter_map(|addr| addr.parse::<SocketAddr>().ok())
+        .filter_map(|addr| match TcpListener::bind(addr) {
+            Ok(listener) => {
+                drop(listener);
+                Some(addr)
+            }
+            Err(e) if e.kind() == io::ErrorKind::AddrInUse => None,
+            Err(e) if e.kind() == io::ErrorKind::AddrNotAvailable => None,
+            Err(e) => panic!("unexpected error probing {addr}: {e}"),
+        })
+        .collect()
+}
+
+#[test]
+fn auraed_daemon_mode_should_bind_only_unix_socket() {
+    skip_if_not_root!("auraed_daemon_mode_should_bind_only_unix_socket");
+    skip_if_seccomp!("auraed_daemon_mode_should_bind_only_unix_socket");
+
+    let tempdir = tempfile::tempdir().expect("tempdir");
+    let runtime_dir = tempdir.path().join("runtime");
+    let library_dir = tempdir.path().join("library");
+    std::fs::create_dir_all(&runtime_dir).expect("runtime dir");
+    std::fs::create_dir_all(&library_dir).expect("library dir");
+
+    let tls = generate_tls_material(tempdir.path());
+
+    let tcp_addrs = tcp_addrs_available_before_spawn();
+
+    let child = Command::new(env!("CARGO_BIN_EXE_auraed"))
+        .arg("--runtime-dir")
+        .arg(runtime_dir.to_str().expect("runtime dir"))
+        .arg("--library-dir")
+        .arg(library_dir.to_str().expect("library dir"))
+        .arg("--ca-crt")
+        .arg(tls.ca_crt.to_str().expect("ca crt"))
+        .arg("--server-crt")
+        .arg(tls.server_crt.to_str().expect("server crt"))
+        .arg("--server-key")
+        .arg(tls.server_key.to_str().expect("server key"))
+        .stdout(Stdio::null())
+        .stderr(Stdio::null())
+        .spawn()
+        .expect("spawn auraed");
+    let _guard = common::ChildGuard::new(child);
+
+    let socket_path = runtime_dir.join("aurae.sock");
+    wait_for_socket(&socket_path, Duration::from_secs(5));
+
+    let meta =
+        std::fs::symlink_metadata(&socket_path).expect("metadata for socket");
+    assert!(
+        meta.file_type().is_socket(),
+        "expected {:?} to be a Unix socket",
+        socket_path
+    );
+
+    // Default daemon mode should not open the documented TCP endpoint ([::1]:8080 or 127.0.0.1:8080).
+    // Only check addresses that were free before spawning auraed to avoid false positives from other services.
+    for addr in tcp_addrs {
+        let tcp_result = TcpListener::bind(addr).map(|listener| drop(listener));
+        assert!(
+            tcp_result.is_ok(),
+            "expected no TCP listener at {addr}, but binding failed after starting auraed"
+        );
+    }
+}
+
+fn wait_for_socket(path: &Path, timeout: Duration) {
+    let start = Instant::now();
+    while start.elapsed() < timeout {
+        if path.exists() {
+            return;
+        }
+        thread::sleep(Duration::from_millis(50));
+    }
+    panic!("socket {path:?} not created within {:?}", timeout);
+}
+
+struct TlsMaterial {
+    ca_crt: PathBuf,
+    server_crt: PathBuf,
+    server_key: PathBuf,
+}
+
+fn generate_tls_material(dir: &Path) -> TlsMaterial {
+    let ca_crt = dir.join("ca.crt");
+    let ca_key = dir.join("ca.key");
+    let server_csr = dir.join("server.csr");
+    let server_crt = dir.join("server.crt");
+    let server_key = dir.join("server.key");
+
+    Command::new("openssl")
+        .args([
+            "req",
+            "-x509",
+            "-nodes",
+            "-newkey",
+            "rsa:2048",
+            "-sha256",
+            "-days",
+            "365",
+            "-keyout",
+            ca_key.to_str().unwrap(),
+            "-out",
+            ca_crt.to_str().unwrap(),
+            "-subj",
+            "/CN=AuraeTestCA",
+        ])
+        .status()
+        .expect("run openssl for CA")
+        .success()
+        .then_some(())
+        .expect("openssl CA generation failed");
+
+    Command::new("openssl")
+        .args([
+            "req",
+            "-nodes",
+            "-newkey",
+            "rsa:2048",
+            "-keyout",
+            server_key.to_str().unwrap(),
+            "-out",
+            server_csr.to_str().unwrap(),
+            "-subj",
+            "/CN=server.unsafe.aurae.io",
+        ])
+        .status()
+        .expect("run openssl for server csr")
+        .success()
+        .then_some(())
+        .expect("openssl server csr failed");
+
+    Command::new("openssl")
+        .args([
+            "x509",
+            "-req",
+            "-in",
+            server_csr.to_str().unwrap(),
+            "-CA",
+            ca_crt.to_str().unwrap(),
+            "-CAkey",
+            ca_key.to_str().unwrap(),
+            "-CAcreateserial",
+            "-out",
+            server_crt.to_str().unwrap(),
+            "-days",
+            "365",
+            "-sha256",
+        ])
+        .status()
+        .expect("run openssl to sign server cert")
+        .success()
+        .then_some(())
+        .expect("openssl sign server cert failed");
+
+    TlsMaterial { ca_crt, server_crt, server_key }
+}