|
| 1 | +/* -------------------------------------------------------------------------- *\ |
| 2 | + * | █████╗ ██╗ ██╗██████╗ █████╗ ███████╗ | * |
| 3 | + * | ██╔══██╗██║ ██║██╔══██╗██╔══██╗██╔════╝ | * |
| 4 | + * | ███████║██║ ██║██████╔╝███████║█████╗ | * |
| 5 | + * | ██╔══██║██║ ██║██╔══██╗██╔══██║██╔══╝ | * |
| 6 | + * | ██║ ██║╚██████╔╝██║ ██║██║ ██║███████╗ | * |
| 7 | + * | ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝ | * |
| 8 | + * +--------------------------------------------+ * |
| 9 | + * * |
| 10 | + * Distributed Systems Runtime * |
| 11 | + * -------------------------------------------------------------------------- * |
| 12 | + * Copyright 2022 - 2024, the aurae contributors * |
| 13 | + * SPDX-License-Identifier: Apache-2.0 * |
| 14 | +\* -------------------------------------------------------------------------- */ |
| 15 | + |
| 16 | +//! Ensure auraed defaults to a Unix socket in daemon mode and does not listen on TCP. |
| 17 | +
|
| 18 | +mod common; |
| 19 | + |
| 20 | +use std::{ |
| 21 | + io, |
| 22 | + net::{SocketAddr, TcpListener}, |
| 23 | + os::unix::fs::FileTypeExt, |
| 24 | + path::{Path, PathBuf}, |
| 25 | + process::{Command, Stdio}, |
| 26 | + thread, |
| 27 | + time::{Duration, Instant}, |
| 28 | +}; |
| 29 | +use test_helpers::*; |
| 30 | + |
| 31 | +fn tcp_addrs_available_before_spawn() -> Vec<SocketAddr> { |
| 32 | + ["127.0.0.1:8080", "[::1]:8080"] |
| 33 | + .into_iter() |
| 34 | + .filter_map(|addr| addr.parse::<SocketAddr>().ok()) |
| 35 | + .filter_map(|addr| match TcpListener::bind(addr) { |
| 36 | + Ok(listener) => { |
| 37 | + drop(listener); |
| 38 | + Some(addr) |
| 39 | + } |
| 40 | + Err(e) if e.kind() == io::ErrorKind::AddrInUse => None, |
| 41 | + Err(e) if e.kind() == io::ErrorKind::AddrNotAvailable => None, |
| 42 | + Err(e) => panic!("unexpected error probing {addr}: {e}"), |
| 43 | + }) |
| 44 | + .collect() |
| 45 | +} |
| 46 | + |
| 47 | +#[test] |
| 48 | +fn auraed_daemon_mode_should_bind_only_unix_socket() { |
| 49 | + skip_if_not_root!("auraed_daemon_mode_should_bind_only_unix_socket"); |
| 50 | + skip_if_seccomp!("auraed_daemon_mode_should_bind_only_unix_socket"); |
| 51 | + |
| 52 | + let tempdir = tempfile::tempdir().expect("tempdir"); |
| 53 | + let runtime_dir = tempdir.path().join("runtime"); |
| 54 | + let library_dir = tempdir.path().join("library"); |
| 55 | + std::fs::create_dir_all(&runtime_dir).expect("runtime dir"); |
| 56 | + std::fs::create_dir_all(&library_dir).expect("library dir"); |
| 57 | + |
| 58 | + let tls = generate_tls_material(tempdir.path()); |
| 59 | + |
| 60 | + let tcp_addrs = tcp_addrs_available_before_spawn(); |
| 61 | + |
| 62 | + let child = Command::new(env!("CARGO_BIN_EXE_auraed")) |
| 63 | + .arg("--runtime-dir") |
| 64 | + .arg(runtime_dir.to_str().expect("runtime dir")) |
| 65 | + .arg("--library-dir") |
| 66 | + .arg(library_dir.to_str().expect("library dir")) |
| 67 | + .arg("--ca-crt") |
| 68 | + .arg(tls.ca_crt.to_str().expect("ca crt")) |
| 69 | + .arg("--server-crt") |
| 70 | + .arg(tls.server_crt.to_str().expect("server crt")) |
| 71 | + .arg("--server-key") |
| 72 | + .arg(tls.server_key.to_str().expect("server key")) |
| 73 | + .stdout(Stdio::null()) |
| 74 | + .stderr(Stdio::null()) |
| 75 | + .spawn() |
| 76 | + .expect("spawn auraed"); |
| 77 | + let _guard = common::ChildGuard::new(child); |
| 78 | + |
| 79 | + let socket_path = runtime_dir.join("aurae.sock"); |
| 80 | + wait_for_socket(&socket_path, Duration::from_secs(5)); |
| 81 | + |
| 82 | + let meta = |
| 83 | + std::fs::symlink_metadata(&socket_path).expect("metadata for socket"); |
| 84 | + assert!( |
| 85 | + meta.file_type().is_socket(), |
| 86 | + "expected {:?} to be a Unix socket", |
| 87 | + socket_path |
| 88 | + ); |
| 89 | + |
| 90 | + // Default daemon mode should not open the documented TCP endpoint ([::1]:8080 or 127.0.0.1:8080). |
| 91 | + // Only check addresses that were free before spawning auraed to avoid false positives from other services. |
| 92 | + for addr in tcp_addrs { |
| 93 | + let tcp_result = TcpListener::bind(addr).map(|listener| drop(listener)); |
| 94 | + assert!( |
| 95 | + tcp_result.is_ok(), |
| 96 | + "expected no TCP listener at {addr}, but binding failed after starting auraed" |
| 97 | + ); |
| 98 | + } |
| 99 | +} |
| 100 | + |
| 101 | +fn wait_for_socket(path: &Path, timeout: Duration) { |
| 102 | + let start = Instant::now(); |
| 103 | + while start.elapsed() < timeout { |
| 104 | + if path.exists() { |
| 105 | + return; |
| 106 | + } |
| 107 | + thread::sleep(Duration::from_millis(50)); |
| 108 | + } |
| 109 | + panic!("socket {path:?} not created within {:?}", timeout); |
| 110 | +} |
| 111 | + |
| 112 | +struct TlsMaterial { |
| 113 | + ca_crt: PathBuf, |
| 114 | + server_crt: PathBuf, |
| 115 | + server_key: PathBuf, |
| 116 | +} |
| 117 | + |
| 118 | +fn generate_tls_material(dir: &Path) -> TlsMaterial { |
| 119 | + let ca_crt = dir.join("ca.crt"); |
| 120 | + let ca_key = dir.join("ca.key"); |
| 121 | + let server_csr = dir.join("server.csr"); |
| 122 | + let server_crt = dir.join("server.crt"); |
| 123 | + let server_key = dir.join("server.key"); |
| 124 | + |
| 125 | + Command::new("openssl") |
| 126 | + .args([ |
| 127 | + "req", |
| 128 | + "-x509", |
| 129 | + "-nodes", |
| 130 | + "-newkey", |
| 131 | + "rsa:2048", |
| 132 | + "-sha256", |
| 133 | + "-days", |
| 134 | + "365", |
| 135 | + "-keyout", |
| 136 | + ca_key.to_str().unwrap(), |
| 137 | + "-out", |
| 138 | + ca_crt.to_str().unwrap(), |
| 139 | + "-subj", |
| 140 | + "/CN=AuraeTestCA", |
| 141 | + ]) |
| 142 | + .status() |
| 143 | + .expect("run openssl for CA") |
| 144 | + .success() |
| 145 | + .then_some(()) |
| 146 | + .expect("openssl CA generation failed"); |
| 147 | + |
| 148 | + Command::new("openssl") |
| 149 | + .args([ |
| 150 | + "req", |
| 151 | + "-nodes", |
| 152 | + "-newkey", |
| 153 | + "rsa:2048", |
| 154 | + "-keyout", |
| 155 | + server_key.to_str().unwrap(), |
| 156 | + "-out", |
| 157 | + server_csr.to_str().unwrap(), |
| 158 | + "-subj", |
| 159 | + "/CN=server.unsafe.aurae.io", |
| 160 | + ]) |
| 161 | + .status() |
| 162 | + .expect("run openssl for server csr") |
| 163 | + .success() |
| 164 | + .then_some(()) |
| 165 | + .expect("openssl server csr failed"); |
| 166 | + |
| 167 | + Command::new("openssl") |
| 168 | + .args([ |
| 169 | + "x509", |
| 170 | + "-req", |
| 171 | + "-in", |
| 172 | + server_csr.to_str().unwrap(), |
| 173 | + "-CA", |
| 174 | + ca_crt.to_str().unwrap(), |
| 175 | + "-CAkey", |
| 176 | + ca_key.to_str().unwrap(), |
| 177 | + "-CAcreateserial", |
| 178 | + "-out", |
| 179 | + server_crt.to_str().unwrap(), |
| 180 | + "-days", |
| 181 | + "365", |
| 182 | + "-sha256", |
| 183 | + ]) |
| 184 | + .status() |
| 185 | + .expect("run openssl to sign server cert") |
| 186 | + .success() |
| 187 | + .then_some(()) |
| 188 | + .expect("openssl sign server cert failed"); |
| 189 | + |
| 190 | + TlsMaterial { ca_crt, server_crt, server_key } |
| 191 | +} |
0 commit comments