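// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package capabilities

import (
	"errors"
	"strings"
	"testing"

	"github.com/hernad/nomad/ci"
	"github.com/stretchr/testify/require"
)

// TestSet_NomadDefaults pins the capability set a task receives when neither
// the job nor the driver says anything. The count (13) is one fewer than the
// Docker default set: net_raw is the capability Nomad leaves out (the Delta
// table below expects exactly that one to be dropped when moving from the
// Docker defaults to Nomad's). Every default must also appear in
// HCLSpecLiteral so the documented spec and the hard-coded set cannot drift.
func TestSet_NomadDefaults(t *testing.T) {
	ci.Parallel(t)

	result := NomadDefaults()
	require.Len(t, result.Slice(false), 13)

	// Substring match against the lower-cased spec text is deliberately
	// loose; it only guards against a default that is not documented at all.
	defaults := strings.ToLower(HCLSpecLiteral)
	for _, c := range result.Slice(false) {
		require.Contains(t, defaults, c)
	}
}

// TestSet_DockerDefaults pins the size of Docker's own default capability set
// and that it still contains net_raw, the capability Nomad's defaults remove.
func TestSet_DockerDefaults(t *testing.T) {
	ci.Parallel(t)

	result := DockerDefaults()
	require.Len(t, result.Slice(false), 14)
	require.Contains(t, result.String(), "net_raw")
}

// TestCaps_Calculate checks the effective capability set a task ends up with
// given the driver's allow list (allow_caps), the task's cap_add and the
// task's cap_drop.
//
// The security-relevant invariant exercised here is that allow_caps is a
// ceiling, not a grant: a task starts from the intersection of the Nomad
// defaults and the allow list ("allow selection no mods" yields only
// CAP_CHOWN even though net_raw and sys_time are allowed), must cap_add
// anything beyond that, and a cap_add outside the allow list ("add
// disallowed", "allow defaults and add all") is rejected with an error
// rather than silently trimmed. Inputs are accepted case-insensitively with
// or without the CAP_ prefix; results come back as upper-case CAP_ names.
func TestCaps_Calculate(t *testing.T) {
	ci.Parallel(t)

	for _, tc := range []struct {
		name string

		// input
		allowCaps []string // driver config
		capAdd    []string // task config
		capDrop   []string // task config

		// output
		exp  []string
		err  error
		skip bool // error message is linux version dependent
	}{
		{
			name:      "the default setting",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   nil,
			exp:       NomadDefaults().Slice(true),
			err:       nil,
		},
		{
			name:      "allow all no mods",
			allowCaps: []string{"all"},
			capAdd:    nil,
			capDrop:   nil,
			exp:       NomadDefaults().Slice(true),
			err:       nil,
		},
		{
			name:      "allow selection no mods",
			allowCaps: []string{"cap_net_raw", "chown", "SYS_TIME"},
			capAdd:    nil,
			capDrop:   nil,
			exp:       []string{"CAP_CHOWN"},
			err:       nil,
		},
		{
			name:      "allow selection and add them",
			allowCaps: []string{"cap_net_raw", "chown", "SYS_TIME"},
			capAdd:    []string{"net_raw", "sys_time"},
			capDrop:   nil,
			exp:       []string{"CAP_CHOWN", "CAP_NET_RAW", "CAP_SYS_TIME"},
			err:       nil,
		},
		{
			name:      "allow defaults and add redundant",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "KILL"},
			capDrop:   nil,
			exp:       NomadDefaults().Slice(true),
			err:       nil,
		},
		{
			skip:      true,
			name:      "allow defaults and add all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"all"},
			capDrop:   nil,
			exp:       nil,
			err:       errors.New("driver does not allow the following capabilities: audit_control, audit_read, block_suspend, bpf, dac_read_search, ipc_lock, ipc_owner, lease, linux_immutable, mac_admin, mac_override, net_admin, net_broadcast, net_raw, perfmon, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config, syslog, wake_alarm"),
		},
		{
			name:      "allow defaults and drop all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"all"},
			exp:       []string{},
			err:       nil,
		},
		{
			name:      "allow defaults and drop all and add back some",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "fowner"},
			capDrop:   []string{"all"},
			exp:       []string{"CAP_CHOWN", "CAP_FOWNER"},
			err:       nil,
		},
		{
			name:      "add disallowed",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "net_raw"},
			capDrop:   nil,
			exp:       nil,
			err:       errors.New("driver does not allow the following capabilities: net_raw"),
		},
		{
			name:      "drop some",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"chown", "fowner", "CAP_KILL", "SYS_CHROOT", "mknod", "dac_override"},
			exp:       []string{"CAP_AUDIT_WRITE", "CAP_FSETID", "CAP_NET_BIND_SERVICE", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP", "CAP_SETUID"},
			err:       nil,
		},
		{
			name:      "drop all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"all"},
			exp:       []string{},
			err:       nil,
		},
		{
			name:      "drop all and add back",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "mknod"},
			capDrop:   []string{"all"},
			exp:       []string{"CAP_CHOWN", "CAP_MKNOD"},
			err:       nil,
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			caps, err := Calculate(NomadDefaults(), tc.allowCaps, tc.capAdd, tc.capDrop)
			if tc.skip {
				// The message enumerates every capability the running
				// kernel knows, so only the presence of an error is stable.
				require.Error(t, err)
			} else {
				require.Equal(t, tc.err, err)
			}
			require.Equal(t, tc.exp, caps)
		})
	}
}

// TestCaps_Delta checks the cap_add / cap_drop lists handed to the Docker
// driver: the difference between Docker's own default set and what Nomad
// wants the container to have. Names come back lower-cased without the CAP_
// prefix, and "all" is passed through literally rather than expanded.
//
// As with Calculate, a cap_add outside allow_caps ("allow default add
// disallowed", "add all atop defaults") must be an error and must not
// produce an add list the driver would act on.
func TestCaps_Delta(t *testing.T) {
	ci.Parallel(t)

	for _, tc := range []struct {
		name string

		// input
		allowCaps []string // driver config
		capAdd    []string // task config
		capDrop   []string // task config

		// output
		expAdd  []string
		expDrop []string
		err     error
		skip    bool // error message is linux version dependent
	}{
		{
			name:      "the default setting",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   nil,
			expAdd:    []string{},
			expDrop:   []string{"net_raw"},
			err:       nil,
		},
		{
			name:      "allow all no mods",
			allowCaps: []string{"all"},
			capAdd:    nil,
			capDrop:   nil,
			expAdd:    []string{},
			expDrop:   []string{},
			err:       nil,
		},
		{
			name:      "allow non-default no mods",
			allowCaps: []string{"cap_net_raw", "chown", "SYS_TIME"},
			capAdd:    nil,
			capDrop:   nil,
			expAdd:    []string{},
			expDrop: []string{
				"audit_write", "dac_override", "fowner", "fsetid",
				"kill", "mknod", "net_bind_service", "setfcap",
				"setgid", "setpcap", "setuid", "sys_chroot"},
			err: nil,
		},
		{
			name:      "allow default add from default",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "KILL"},
			capDrop:   nil,
			expAdd:    []string{"chown", "kill"},
			expDrop:   []string{"net_raw"},
			err:       nil,
		},
		{
			name:      "allow default add disallowed",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "net_raw"},
			capDrop:   nil,
			expAdd:    nil,
			expDrop:   nil,
			err:       errors.New("driver does not allow the following capabilities: net_raw"),
		},
		{
			name:      "allow default drop from default",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"chown", "fowner", "CAP_KILL", "SYS_CHROOT", "mknod", "dac_override"},
			expAdd:    []string{},
			expDrop:   []string{"chown", "dac_override", "fowner", "kill", "mknod", "net_raw", "sys_chroot"},
			err:       nil,
		},
		{
			name:      "allow default drop all",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    nil,
			capDrop:   []string{"all"},
			expAdd:    []string{},
			expDrop:   []string{"all"},
			err:       nil,
		},
		{
			name:      "task drop all and add back",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"chown", "fowner"},
			capDrop:   []string{"all"},
			expAdd:    []string{"chown", "fowner"},
			expDrop:   []string{"all"},
			err:       nil,
		},
		{
			name:      "add atop allow all",
			allowCaps: []string{"all"},
			capAdd:    []string{"chown", "fowner"},
			capDrop:   nil,
			expAdd:    []string{"chown", "fowner"},
			expDrop:   []string{},
			err:       nil,
		},
		{
			name:      "add all atop all",
			allowCaps: []string{"all"},
			capAdd:    []string{"all"},
			capDrop:   nil,
			expAdd:    []string{"all"},
			expDrop:   []string{},
			err:       nil,
		},
		{
			skip:      true,
			name:      "add all atop defaults",
			allowCaps: NomadDefaults().Slice(false),
			capAdd:    []string{"all"},
			capDrop:   nil,
			expAdd:    nil,
			expDrop:   nil,
			err:       errors.New("driver does not allow the following capabilities: audit_control, audit_read, block_suspend, bpf, dac_read_search, ipc_lock, ipc_owner, lease, linux_immutable, mac_admin, mac_override, net_admin, net_broadcast, net_raw, perfmon, sys_admin, sys_boot, sys_module, sys_nice, sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time, sys_tty_config, syslog, wake_alarm"),
		},
	} {
		t.Run(tc.name, func(t *testing.T) {
			add, drop, err := Delta(DockerDefaults(), tc.allowCaps, tc.capAdd, tc.capDrop)
			if tc.skip {
				// The message enumerates every capability the running
				// kernel knows, so only the presence of an error is stable.
				require.Error(t, err)
			} else {
				require.Equal(t, tc.err, err)
			}
			// Assert both lists in every case, including the skip case:
			// previously the add list went unchecked on the "add all atop
			// defaults" path, which is exactly where a rejected request
			// leaking an add list would matter. It is expected to be nil
			// here, as in the non-skip "allow default add disallowed" case.
			require.Equal(t, tc.expAdd, add)
			require.Equal(t, tc.expDrop, drop)
		})
	}
}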