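package capabilities

import (
	"errors"
	"strings"
	"testing"

	"github.com/hashicorp/nomad/ci"
	"github.com/stretchr/testify/require"
)

// TestSet_NomadDefaults pins the size of Nomad's default capability set and
// checks that every member is named in HCLSpecLiteral, so the documented
// default list and the coded default list cannot silently drift apart.
func TestSet_NomadDefaults(t *testing.T) {
	ci.Parallel(t)

	result := NomadDefaults()
	require.Len(t, result.Slice(false), 13)

	// HCLSpecLiteral is lower-cased for the comparison; Slice(false) is
	// expected to yield lower-case, unprefixed names.
	defaults := strings.ToLower(HCLSpecLiteral)
	for _, c := range result.Slice(false) {
		require.Contains(t, defaults, c)
	}
}

// TestSet_DockerDefaults pins the size of the Docker default capability set
// and confirms it still carries net_raw, which Nomad's own defaults omit
// (see the "the default setting" case of TestCaps_Delta, which drops it).
func TestSet_DockerDefaults(t *testing.T) {
	ci.Parallel(t)

	result := DockerDefaults()
	require.Len(t, result.Slice(false), 14)
	require.Contains(t, result.String(), "net_raw")
}

// TestCaps_Calculate exercises Calculate: given the driver's allow_caps and a
// task's cap_add / cap_drop, it yields the effective capability list, or an
// error when the task asks for anything the driver does not allow. The
// allow_caps list is the security boundary here: task configuration must
// never be able to widen it, whatever spelling of a capability it uses.
func TestCaps_Calculate(t *testing.T) {
	ci.Parallel(t)

	for _, tc := range []struct {
		name string

		// input
		allowCaps []string // driver config
		capAdd    []string // task config
		capDrop   []string // task config

		// output
		exp  []string
		err  error
		skip bool // only assert that an error occurred; the exact message is not compared (e.g. linux version dependent)
	}{
		{
			name:      "the default setting",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   nil,
			exp:       NomadDefaults().Slice(true),
			err:       nil,
		},
		{
			name:      "allow all no mods",
			allowCaps: []string{"all"},
			capAdd:    nil,
			capDrop:   nil,
			exp:       NomadDefaults().Slice(true),
			err:       nil,
		},
		{
			name:      "allow selection no mods",
			allowCaps: []string{"cap_net_raw", "chown", "SYS_TIME"},
			capAdd:    nil,
			capDrop:   nil,
			exp:       []string{"CAP_CHOWN"},
			err:       nil,
		},
		{
			name:      "allow selection and add them",
			allowCaps: []string{"cap_net_raw", "chown", "SYS_TIME"},
			capAdd:    []string{"net_raw", "sys_time"},
			capDrop:   nil,
			exp:       []string{"CAP_CHOWN", "CAP_NET_RAW", "CAP_SYS_TIME"},
			err:       nil,
		},
		{
			name:      "allow defaults and add redundant",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "KILL"},
			capDrop:   nil,
			exp:       NomadDefaults().Slice(true),
			err:       nil,
		},
		{
			skip:      true,
			name:      "allow defaults and add all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"all"},
			capDrop:   nil,
			exp:       nil,
			err:       errors.New("driver does not allow the following capabilities: audit_control, audit_read, block_suspend, bpf, dac_read_search, ipc_lock, ipc_owner, lease, linux_immutable, mac_admin, mac_override, net_admin, net_broadcast, net_raw, perfmon, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config, syslog, wake_alarm"),
		},
		{
			name:      "allow defaults and drop all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"all"},
			exp:       []string{},
			err:       nil,
		},
		{
			name:      "allow defaults and drop all and add back some",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "fowner"},
			capDrop:   []string{"all"},
			exp:       []string{"CAP_CHOWN", "CAP_FOWNER"},
			err:       nil,
		},
		{
			name:      "add disallowed",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "net_raw"},
			capDrop:   nil,
			exp:       nil,
			err:       errors.New("driver does not allow the following capabilities: net_raw"),
		},
		{
			// Allow-list enforcement must not depend on how the task spells a
			// capability: a CAP_ prefix or a different case names the same cap
			// and must be rejected just like the lower-case form above. The
			// message itself is not pinned (skip), only that an error occurs.
			skip:      true,
			name:      "add disallowed with prefix and case variants",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"CAP_NET_RAW", "Sys_Admin", "net_admin"},
			capDrop:   nil,
			exp:       nil,
			err:       errors.New("driver does not allow the following capabilities: net_admin, net_raw, sys_admin"),
		},
		{
			name:      "drop some",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"chown", "fowner", "CAP_KILL", "SYS_CHROOT", "mknod", "dac_override"},
			exp:       []string{"CAP_AUDIT_WRITE", "CAP_FSETID", "CAP_NET_BIND_SERVICE", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID"},
			err:       nil,
		},
		{
			name:      "drop all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"all"},
			exp:       []string{},
			err:       nil,
		},
		{
			name:      "drop all and add back",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "mknod"},
			capDrop:   []string{"all"},
			exp:       []string{"CAP_CHOWN", "CAP_MKNOD"},
			err:       nil,
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			caps, err := Calculate(NomadDefaults(), tc.allowCaps, tc.capAdd, tc.capDrop)
			if !tc.skip {
				require.Equal(t, tc.err, err)
				require.Equal(t, tc.exp, caps)
			} else {
				// Message text is not stable across inputs/kernels; an error
				// must still be returned and no capability list produced.
				require.Error(t, err)
				require.Equal(t, tc.exp, caps)
			}
		})
	}
}

// TestCaps_Delta exercises Delta: the add / drop lists that must be handed to
// Docker so that, starting from the Docker default set, the container ends up
// with exactly the capabilities Calculate would grant. As with Calculate, any
// cap_add entry outside the driver's allow_caps is an error, regardless of
// how the task spells it.
func TestCaps_Delta(t *testing.T) {
	ci.Parallel(t)

	for _, tc := range []struct {
		name string

		// input
		allowCaps []string // driver config
		capAdd    []string // task config
		capDrop   []string // task config

		// output
		expAdd  []string
		expDrop []string
		err     error
		skip    bool // only assert that an error occurred; the exact message is not compared (e.g. linux version dependent)
	}{
		{
			// Docker's defaults include net_raw; Nomad's do not, so it is
			// dropped even with no task-level modifications.
			name:      "the default setting",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   nil,
			expAdd:    []string{},
			expDrop:   []string{"net_raw"},
			err:       nil,
		},
		{
			name:      "allow all no mods",
			allowCaps: []string{"all"},
			capAdd:    nil,
			capDrop:   nil,
			expAdd:    []string{},
			expDrop:   []string{},
			err:       nil,
		},
		{
			name:      "allow non-default no mods",
			allowCaps: []string{"cap_net_raw", "chown", "SYS_TIME"},
			capAdd:    nil,
			capDrop:   nil,
			expAdd:    []string{},
			expDrop: []string{
				"audit_write", "dac_override", "fowner", "fsetid",
				"kill", "mknod", "net_bind_service", "setfcap",
				"setgid", "setpcap", "setuid", "sys_chroot"},
			err: nil,
		},
		{
			name:      "allow default add from default",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "KILL"},
			capDrop:   nil,
			expAdd:    []string{"chown", "kill"},
			expDrop:   []string{"net_raw"},
			err:       nil,
		},
		{
			name:      "allow default add disallowed",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "net_raw"},
			capDrop:   nil,
			expAdd:    nil,
			expDrop:   nil,
			err:       errors.New("driver does not allow the following capabilities: net_raw"),
		},
		{
			// Same allow-list check as above, with prefixed / mixed-case
			// spellings of disallowed caps. Only the presence of an error and
			// the absence of add/drop output are asserted (skip).
			skip:      true,
			name:      "allow default add disallowed with prefix and case variants",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"CAP_NET_RAW", "Sys_Admin"},
			capDrop:   nil,
			expAdd:    nil,
			expDrop:   nil,
			err:       errors.New("driver does not allow the following capabilities: net_raw, sys_admin"),
		},
		{
			name:      "allow default drop from default",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"chown", "fowner", "CAP_KILL", "SYS_CHROOT", "mknod", "dac_override"},
			expAdd:    []string{},
			expDrop:   []string{"chown", "dac_override", "fowner", "kill", "mknod", "net_raw", "sys_chroot"},
			err:       nil,
		},
		{
			name:      "allow default drop all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"all"},
			expAdd:    []string{},
			expDrop:   []string{"all"},
			err:       nil,
		},
		{
			name:      "task drop all and add back",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "fowner"},
			capDrop:   []string{"all"},
			expAdd:    []string{"chown", "fowner"},
			expDrop:   []string{"all"},
			err:       nil,
		},
		{
			name:      "add atop allow all",
			allowCaps: []string{"all"},
			capAdd:    []string{"chown", "fowner"},
			capDrop:   nil,
			expAdd:    []string{"chown", "fowner"},
			expDrop:   []string{},
			err:       nil,
		},
		{
			name:      "add all atop all",
			allowCaps: []string{"all"},
			capAdd:    []string{"all"},
			capDrop:   nil,
			expAdd:    []string{"all"},
			expDrop:   []string{},
			err:       nil,
		},
		{
			skip:      true,
			name:      "add all atop defaults",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"all"},
			capDrop:   nil,
			expAdd:    nil,
			expDrop:   nil,
			err:       errors.New("driver does not allow the following capabilities: audit_control, audit_read, block_suspend, bpf, dac_read_search, ipc_lock, ipc_owner, lease, linux_immutable, mac_admin, mac_override, net_admin, net_broadcast, net_raw, perfmon, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config, syslog, wake_alarm"),
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			add, drop, err := Delta(DockerDefaults(), tc.allowCaps, tc.capAdd, tc.capDrop)
			if !tc.skip {
				require.Equal(t, tc.err, err)
				require.Equal(t, tc.expAdd, add)
				require.Equal(t, tc.expDrop, drop)
			} else {
				// Message text is not pinned, but on error neither an add
				// nor a drop list may be produced (mirrors the error case
				// asserted exactly above and TestCaps_Calculate's skip path).
				require.Error(t, err)
				require.Equal(t, tc.expAdd, add)
				require.Equal(t, tc.expDrop, drop)
			}
		})
	}
}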