services/internal/servicetest: create shell without a mounttable
test.V23Init already creates a mounttable, and provides the root context with a
deterministic blessing name (test-blessing). We should use this mounttable, and
the root blessing where possible. As an example, this CL switches
TestApplicationUpdatePermissions to the simpler scheme.
The change in test/testutil/security.go allows us to conveniently give a default
blessing from one principal to another, and is useful where we don't want to
come up with a brand new principal IDP (as in the example above where we can
just use test-blessing).
Change-Id: I8e6a5e46b6a2937d8415df96008d2fc5b3cf8d4f
diff --git a/services/application/applicationd/perms_test.go b/services/application/applicationd/perms_test.go
index c4446f9..207c0a2 100644
--- a/services/application/applicationd/perms_test.go
+++ b/services/application/applicationd/perms_test.go
@@ -39,8 +39,6 @@
publishName := args[0]
storedir := args[1]
- v23.GetNamespace(ctx).CacheCtl(naming.DisableCache(true))
-
defer fmt.Fprintf(env.Stdout, "%v terminating\n", publishName)
defer ctx.VI(1).Infof("%v terminating", publishName)
@@ -50,7 +48,7 @@
}
server, err := xrpc.NewDispatchingServer(ctx, publishName, dispatcher)
if err != nil {
- ctx.Fatalf("Serve(%v) failed: %v", publishName, err)
+ ctx.Fatalf("NewDispatchingServer(%v) failed: %v", publishName, err)
}
ctx.VI(1).Infof("applicationd name: %v", server.Status().Endpoints[0].Name())
@@ -63,17 +61,18 @@
func TestApplicationUpdatePermissions(t *testing.T) {
ctx, shutdown := test.V23Init()
defer shutdown()
- v23.GetNamespace(ctx).CacheCtl(naming.DisableCache(true))
- // By default, all principals in this test will have blessings generated based
- // on the username/machine running this process. Give them recognizable names
- // ("root/self" etc.), so the Permissions can be set deterministically.
- idp := testutil.NewIDProvider("root")
+ // V23Init sets the context up with a self-signed principal, whose
+ // blessing (test-blessing) will act as the root blessing for the test.
+ const rootBlessing = test.TestBlessing
+ idp := testutil.IDProviderFromPrincipal(v23.GetPrincipal(ctx))
+ // Call ourselves test-blessing/self, distinct from test-blessing/other
+ // which we'll give to the 'other' context.
if err := idp.Bless(v23.GetPrincipal(ctx), "self"); err != nil {
t.Fatal(err)
}
- sh, deferFn := servicetest.CreateShellAndMountTable(t, ctx, v23.GetPrincipal(ctx))
+ sh, deferFn := servicetest.CreateShell(t, ctx, nil)
defer deferFn()
// setup mock up directory to put state in
@@ -122,29 +121,29 @@
}
expected := access.Permissions{
"Admin": access.AccessList{
- In: []security.BlessingPattern{"root/$", "root/self/$", "root/self/child"},
+ In: []security.BlessingPattern{test.TestBlessing + "/$", rootBlessing + "/self/$", rootBlessing + "/self/child"},
NotIn: []string(nil)},
"Read": access.AccessList{
- In: []security.BlessingPattern{"root/$", "root/self/$", "root/self/child"},
+ In: []security.BlessingPattern{rootBlessing + "/$", rootBlessing + "/self/$", rootBlessing + "/self/child"},
NotIn: []string(nil)},
"Write": access.AccessList{
- In: []security.BlessingPattern{"root/$", "root/self/$", "root/self/child"},
+ In: []security.BlessingPattern{rootBlessing + "/$", rootBlessing + "/self/$", rootBlessing + "/self/child"},
NotIn: []string(nil)},
"Debug": access.AccessList{
- In: []security.BlessingPattern{"root/$", "root/self/$", "root/self/child"},
+ In: []security.BlessingPattern{rootBlessing + "/$", rootBlessing + "/self/$", rootBlessing + "/self/child"},
NotIn: []string(nil)},
"Resolve": access.AccessList{
- In: []security.BlessingPattern{"root/$", "root/self/$", "root/self/child"},
+ In: []security.BlessingPattern{rootBlessing + "/$", rootBlessing + "/self/$", rootBlessing + "/self/child"},
NotIn: []string(nil)}}
if got := perms; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
- t.Errorf("got %#v, exected %#v ", got, expected)
+ t.Errorf("got %#v, expected %#v ", got, expected)
}
ctx.VI(2).Infof("self attempting to give other permission to update application")
newPerms := make(access.Permissions)
for _, tag := range access.AllTypicalTags() {
- newPerms.Add("root/self", string(tag))
- newPerms.Add("root/other", string(tag))
+ newPerms.Add(rootBlessing+"/self", string(tag))
+ newPerms.Add(rootBlessing+"/other", string(tag))
}
if err := repostub.SetPermissions(ctx, newPerms, ""); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
@@ -170,7 +169,7 @@
t.Fatalf("GetPermissions 2 should not have failed: %v", err)
}
perms["Admin"] = access.AccessList{
- In: []security.BlessingPattern{"root/other"},
+ In: []security.BlessingPattern{rootBlessing + "/other"},
NotIn: []string{}}
if err = repostub.SetPermissions(otherCtx, perms, version); err != nil {
t.Fatalf("SetPermissions failed: %v", err)
@@ -186,19 +185,19 @@
}
expected = access.Permissions{
"Admin": access.AccessList{
- In: []security.BlessingPattern{"root/other"},
+ In: []security.BlessingPattern{rootBlessing + "/other"},
NotIn: []string{}},
- "Read": access.AccessList{In: []security.BlessingPattern{"root/other",
- "root/self"},
+ "Read": access.AccessList{In: []security.BlessingPattern{rootBlessing + "/other",
+ rootBlessing + "/self"},
NotIn: []string{}},
- "Write": access.AccessList{In: []security.BlessingPattern{"root/other",
- "root/self"},
+ "Write": access.AccessList{In: []security.BlessingPattern{rootBlessing + "/other",
+ rootBlessing + "/self"},
NotIn: []string{}},
- "Debug": access.AccessList{In: []security.BlessingPattern{"root/other",
- "root/self"},
+ "Debug": access.AccessList{In: []security.BlessingPattern{rootBlessing + "/other",
+ rootBlessing + "/self"},
NotIn: []string{}},
- "Resolve": access.AccessList{In: []security.BlessingPattern{"root/other",
- "root/self"},
+ "Resolve": access.AccessList{In: []security.BlessingPattern{rootBlessing + "/other",
+ rootBlessing + "/self"},
NotIn: []string{}}}
if got := perms; !reflect.DeepEqual(expected.Normalize(), got.Normalize()) {
diff --git a/services/internal/servicetest/modules.go b/services/internal/servicetest/modules.go
index ee13fa5..56b4264 100644
--- a/services/internal/servicetest/modules.go
+++ b/services/internal/servicetest/modules.go
@@ -109,6 +109,35 @@
return sh, fn
}
+// CreateShell builds a new modules shell.
+func CreateShell(t *testing.T, ctx *context.T, p security.Principal) (*modules.Shell, func()) {
+ sh, err := modules.NewShell(ctx, p, testing.Verbose(), t)
+ if err != nil {
+ t.Fatalf("unexpected error: %s", err)
+ }
+ opts := sh.DefaultStartOpts()
+ opts.ExpectTimeout = ExpectTimeout
+ sh.SetDefaultStartOpts(opts)
+ // The shell, will, by default share credentials with its children.
+ sh.ClearVar(ref.EnvCredentials)
+
+ fn := func() {
+ ctx.VI(1).Info("------------ CLEANUP ------------")
+ ctx.VI(1).Info("---------------------------------")
+ ctx.VI(1).Info("--(cleaning up shell)------------")
+ if err := sh.Cleanup(os.Stdout, os.Stderr); err != nil {
+ t.Errorf(testutil.FormatLogLine(2, "sh.Cleanup failed with %v", err))
+ }
+ ctx.VI(1).Info("--(done cleaning up shell)-------")
+ }
+ nsRoots := v23.GetNamespace(ctx).Roots()
+ if len(nsRoots) == 0 {
+ t.Fatalf("shell context has no namespace roots")
+ }
+ sh.SetVar(ref.EnvNamespacePrefix, nsRoots[0])
+ return sh, fn
+}
+
// RunCommand runs a modules command.
func RunCommand(t *testing.T, sh *modules.Shell, env []string, prog modules.Program, args ...string) modules.Handle {
h, err := sh.StartWithOpts(sh.DefaultStartOpts(), env, prog, args...)
diff --git a/test/testutil/security.go b/test/testutil/security.go
index a59c5f8..2c673dd 100644
--- a/test/testutil/security.go
+++ b/test/testutil/security.go
@@ -78,6 +78,12 @@
return &IDProvider{p, b}
}
+// IDProviderFromPrincipal creates and IDProvider for the given principal. It
+// will bless other principals with extensions of its default blessing.
+func IDProviderFromPrincipal(p security.Principal) *IDProvider {
+ return &IDProvider{p, p.BlessingStore().Default()}
+}
+
// Bless sets up the provided principal to use blessings from idp as its
// default. It is shorthand for:
// b, _ := idp.NewBlessings(who, extension, caveats...)
@@ -89,16 +95,7 @@
if err != nil {
return err
}
- if err := who.BlessingStore().SetDefault(b); err != nil {
- return err
- }
- if _, err := who.BlessingStore().Set(b, security.AllPrincipals); err != nil {
- return err
- }
- if err := who.AddToRoots(b); err != nil {
- return err
- }
- return nil
+ return vsecurity.SetDefaultBlessings(who, b)
}
// NewBlessings returns Blessings that extend the identity provider's blessing
