veyron/tools/mgmt: Extend test.sh to support suid testing

This CL extends the test.sh script for the device manager to support running the
the tests with suidhelper.

Change-Id: I024739956fd5ec73aab9da9fc2c688fac5d4caaf
diff --git a/tools/mgmt/test.sh b/tools/mgmt/test.sh
index c42fa1d..0628c47 100755
--- a/tools/mgmt/test.sh
+++ b/tools/mgmt/test.sh
@@ -1,8 +1,29 @@
 #!/bin/bash
 
 # Test the device manager and related services and tools.
+#
+#
+# By default, this script tests the device manager in a fashion amenable
+# to automatic testing: the --single_user is passed to the device
+# manager so that all device manager components run as the same user and
+# no user input (such as an agent pass phrase) is needed.
+#
+# When this script is invoked with the --with_suid <user> flag, it
+# installs the device manager in its more secure multi-account
+# configuration where the device manager runs under the account of the
+# invoker and test apps will be executed as <user>. This mode will
+# require root permisisons to install and may require configuring an
+# agent passphrase.
+#
+# For exanple:
+#
+#   ./test.sh --with_suid vanaguest
+#
+# to test a device manager with multi-account support enabled for app
+# account vanaguest.
+#
 
-source "$(go list -f {{.Dir}} v.io/core/shell/lib)/shell_test.sh"
+ source "$(go list -f {{.Dir}} v.io/core/shell/lib)/shell_test.sh"
 
 # Run the test under the security agent.
 shell_test::enable_agent "$@"
@@ -83,6 +104,12 @@
 }
 
 main() {
+  local -r WITH_SUID="${1:-no}"
+   if [[ "${WITH_SUID}" == "--with_suid" ]]; then
+    local -r SUID_USER="$2"
+    SUDO_USER="root"
+  fi
+
   cd "${WORKDIR}"
   build
 
@@ -90,14 +117,17 @@
   cp "${AGENTD_BIN}" "${SUIDHELPER_BIN}" "${INITHELPER_BIN}" "${DEVICEMANAGER_BIN}" "${BIN_STAGING_DIR}"
   shell_test::setup_server_test
 
-  # TODO(caprita): Expose an option to turn --single_user off, so we can run
-  # test.sh by hand and exercise the code that requires root privileges.
-
   # Install and start device manager.
   DM_INSTALL_DIR=$(shell::tmp_dir)
 
   export VANADIUM_DEVICE_DIR="${DM_INSTALL_DIR}/dm"
-  "${DEVICE_SCRIPT}" install "${BIN_STAGING_DIR}" --single_user -- --veyron.tcp.address=127.0.0.1:0
+
+  if [[ "${WITH_SUID}" == "--with_suid" ]]; then
+    "${DEVICE_SCRIPT}" install "${BIN_STAGING_DIR}" --veyron.tcp.address=127.0.0.1:0
+  else
+      "${DEVICE_SCRIPT}" install "${BIN_STAGING_DIR}" --single_user -- --veyron.tcp.address=127.0.0.1:0
+  fi
+
   "${VRUN}" "${DEVICE_SCRIPT}" start
   local -r DM_NAME=$(hostname)
   DM_EP=$(wait_for_mountentry "${NAMESPACE_BIN}" 5 "${DM_NAME}")
@@ -119,6 +149,12 @@
   # Claim the device as "alice/myworkstation".
   "${DEVICE_BIN}" claim "${DM_NAME}/device" myworkstation
 
+  if [[ "${WITH_SUID}" == "--with_suid" ]]; then
+    "${DEVICE_BIN}" associate add "${DM_NAME}/device"   "${SUID_USER}"  "alice"
+     shell_test::assert_eq   "$("${DEVICE_BIN}" associate list "${DM_NAME}/device")" \
+       "alice ${SUID_USER}" "${LINENO}"
+  fi
+
   # Verify the device's default blessing is as expected.
   shell_test::assert_eq "$("${DEBUG_BIN}" stats read "${DM_NAME}/__debug/stats/security/principal/blessingstore" | head -1 | sed -e 's/^.*Default blessings: '//)" \
     "alice/myworkstation" "${LINENO}"
@@ -173,6 +209,8 @@
   # Verify that the instance shows up when globbing the device manager.
   shell_test::assert_eq "$("${NAMESPACE_BIN}" glob "${DM_NAME}/apps/BINARYD/*/*")" "${INSTANCE_NAME}" "${LINENO}"
 
+  # TODO(rjkroege): Verify that the app is actually running as ${SUID_USER}
+
   # Verify the app's default blessing.
   shell_test::assert_eq "$("${DEBUG_BIN}" stats read "${INSTANCE_NAME}/stats/security/principal/blessingstore" | head -1 | sed -e 's/^.*Default blessings: '//)" \
     "alice/myapp/BINARYD" "${LINENO}"