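/*
 * Copyright (C) NGINX, Inc.
 * Copyright (C) Valentin V. Bartenev
 */

/*
 * Unit test for the uid/gid map validation used when an application is
 * started in a new user namespace.
 *
 * Each test case drives nxt_clone_vldt_credential_uidmap() or
 * nxt_clone_vldt_credential_gidmap() with a JSON "uidmap"/"gidmap" fixture,
 * the application credentials, the effective ids of the unit process and
 * whether the unit holds the setid capability, and checks both the return
 * value and the exact error message the validator logs.  The expected
 * messages below pin the policy the validator enforces: an unprivileged
 * unit may only map its own effective id, with "size": 1 and no
 * supplementary groups, while a privileged unit may map ranges as long as
 * every id the application will use (uid, base gid, all supplementary
 * gids) has a "container" entry.
 */

#include <nxt_main.h>
#include <nxt_conf.h>
#include "nxt_tests.h"


#define UIDMAP  1
#define GIDMAP  2


typedef struct {
    nxt_int_t           map_type;   /* UIDMAP or GIDMAP */
    nxt_str_t           map_data;   /* JSON array fixture; "" means no map */
    nxt_int_t           setid;      /* 1: unit has the setid capability */
    nxt_credential_t    creds;      /* application credentials under test */
    nxt_uid_t           unit_euid;  /* effective uid the unit runs as */
    nxt_gid_t           unit_egid;  /* effective gid the unit runs as */
    nxt_int_t           result;     /* expected validator return value */
    nxt_str_t           errmsg;     /* expected error log, "" if none */
} nxt_clone_creds_testcase_t;

/* Handed to the log handler through nxt_log_t.ctx; points at the running case. */
typedef struct {
    nxt_clone_creds_testcase_t  *tc;
} nxt_clone_creds_ctx_t;


nxt_int_t nxt_clone_test_mappings(nxt_task_t *task, nxt_mp_t *mp,
    nxt_clone_creds_ctx_t *ctx, nxt_clone_creds_testcase_t *tc);
void nxt_cdecl nxt_clone_test_log_handler(nxt_uint_t level, nxt_log_t *log,
    const char *fmt, ...);
nxt_int_t nxt_clone_test_map_assert(nxt_task_t *task,
    nxt_clone_creds_testcase_t *tc, nxt_clone_credential_map_t *map);
static nxt_int_t nxt_clone_test_parse_map(nxt_task_t *task,
    nxt_str_t *map_str, nxt_clone_credential_map_t *map);


/* The caller's log, kept while task->log is redirected to the test handler. */
nxt_log_t  *test_log;

/* Supplementary groups used by the "3 groups" cases. */
static nxt_gid_t  gids[] = {1000, 10000, 60000};

static nxt_clone_creds_testcase_t  testcases[] = {
    {
        /*
         * Unprivileged unit
         *
         * if no uid mapping and app creds and unit creds are the same,
         * then we automatically add a map for the creds->uid.
         * Then, child process can safely setuid(creds->uid) in
         * the new namespace.
         */
        UIDMAP,
        nxt_string(""),
        0,
        {"nobody", 65534, 65534, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        UIDMAP,
        nxt_string(""),
        0,
        {"johndoe", 10000, 10000, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        UIDMAP,
        nxt_string("[{\"container\": 1000, \"host\": 1000, \"size\": 1}]"),
        0,
        {"johndoe", 1000, 1000, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1}]"),
        0,
        {"root", 0, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        UIDMAP,
        nxt_string("[{\"container\": 65534, \"host\": 1000, \"size\": 1}]"),
        0,
        {"nobody", 65534, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /* An unprivileged unit is limited to a single uid entry. */
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1},"
                   " {\"container\": 1000, \"host\": 2000, \"size\": 1}]"),
        0,
        {"root", 0, 0, 0, NULL},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"uidmap\" field has 2 entries but unprivileged unit has "
                   "a maximum of 1 map.")
    },
    {
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1},"
                   " {\"container\": 1000, \"host\": 2000, \"size\": 1}]"),
        1, /* privileged */
        {"root", 0, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /* Privileged ranges: uids 500, 1000, 1500, 1999 fall inside [0, 2000). */
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1000},"
                   " {\"container\": 1000, \"host\": 2000, \"size\": 1000}]"),
        1, /* privileged */
        {"johndoe", 500, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1000},"
                   " {\"container\": 1000, \"host\": 2000, \"size\": 1000}]"),
        1, /* privileged */
        {"johndoe", 1000, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1000},"
                   " {\"container\": 1000, \"host\": 2000, \"size\": 1000}]"),
        1, /* privileged */
        {"johndoe", 1500, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1000},"
                   " {\"container\": 1000, \"host\": 2000, \"size\": 1000}]"),
        1, /* privileged */
        {"johndoe", 1999, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /* uid 2000 is the first id past the mapped ranges. */
        UIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1000},"
                   " {\"container\": 1000, \"host\": 2000, \"size\": 1000}]"),
        1, /* privileged */
        {"johndoe", 2000, 0, 0, NULL},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"uidmap\" field has no \"container\" entry for user "
                   "\"johndoe\" (uid 2000)")
    },
    {
        /*
         * Unprivileged unit
         *
         * if no gid mapping and app creds and unit creds are the same,
         * then we automatically add a map for the creds->base_gid.
         * Then, child process can safely setgid(creds->base_gid) in
         * the new namespace.
         */
        GIDMAP,
        nxt_string("[]"),
        0,
        {"nobody", 65534, 65534, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /*
         * Unprivileged unit
         *
         * Inside the new namespace, we can have any gid but it
         * should map to parent gid (in this case 1000) in parent
         * namespace.
         */
        GIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1}]"),
        0,
        {"root", 0, 0, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        GIDMAP,
        nxt_string("[{\"container\": 65534, \"host\": 1000, \"size\": 1}]"),
        0,
        {"nobody", 65534, 65534, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /*
         * Unprivileged unit
         *
         * There's no mapping for "johndoe" (gid 1000) inside the namespace.
         */
        GIDMAP,
        nxt_string("[{\"container\": 65535, \"host\": 1000, \"size\": 1}]"),
        0,
        {"johndoe", 1000, 1000, 0, NULL},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has no \"container\" entry for "
                   "gid 1000.")
    },
    {
        /* An unprivileged unit may not map a range, only a single gid. */
        GIDMAP,
        nxt_string("[{\"container\": 1000, \"host\": 1000, \"size\": 2}]"),
        0,
        {"johndoe", 1000, 1000, 0, NULL},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has an entry with \"size\": 2, but "
                   "for unprivileged unit it must be 1.")
    },
    {
        /* An unprivileged unit may not map a host gid other than its own. */
        GIDMAP,
        nxt_string("[{\"container\": 1000, \"host\": 1001, \"size\": 1}]"),
        0,
        {"johndoe", 1000, 1000, 0, NULL},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has an entry for host gid 1001 but "
                   "unprivileged unit can only map itself (gid 1000) "
                   "into child namespaces.")
    },
    {
        GIDMAP,
        nxt_string("[{\"container\": 1000, \"host\": 1000, \"size\": 1}]"),
        0,
        {"johndoe", 1000, 1000, 3, gids},
        1000, 1000,
        NXT_ERROR,
        nxt_string("unprivileged unit disallow supplementary groups for "
                   "new namespace (user \"johndoe\" has 3 groups).")
    },

    /* privileged unit */

    /* not root with capabilities */
    {
        GIDMAP,
        nxt_string("[]"),
        1,
        {"johndoe", 1000, 1000, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        GIDMAP,
        nxt_string(""),
        1,
        {"johndoe", 1000, 1000, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /* missing gid of {"user": "nobody"} */
        GIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1}]"),
        1,
        {"nobody", 65534, 65534, 0, NULL},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has no \"container\" entry for "
                   "gid 65534.")
    },
    {
        /* solves the previous by mapping 65534 gids */
        GIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 65535}]"),
        1,
        {"nobody", 65534, 65534, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /* solves by adding a separate mapping */
        GIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 1000, \"size\": 1},"
                   " {\"container\": 65534, \"host\": 1000, \"size\": 1}]"),
        1,
        {"nobody", 65534, 65534, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /*
         * Map a big range
         */
        GIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 0, \"size\": 200000}]"),
        1,
        {"johndoe", 100000, 100000, 0, NULL},
        1000, 1000,
        NXT_OK,
        nxt_string("")
    },
    {
        /*
         * Validate if supplementary groups are mapped
         */
        GIDMAP,
        nxt_string("[]"),
        1,
        {"johndoe", 1000, 1000, 3, gids},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has no entries but user \"johndoe\" "
                   "has 3 suplementary groups."),
    },
    {
        GIDMAP,
        nxt_string("[{\"container\": 0, \"host\": 0, \"size\": 1}]"),
        1,
        {"johndoe", 1000, 1000, 3, gids},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has no \"container\" entry for "
                   "gid 1000."),
    },
    {
        GIDMAP,
        nxt_string("[{\"container\": 1000, \"host\": 0, \"size\": 1}]"),
        1,
        {"johndoe", 1000, 1000, 3, gids},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has missing suplementary gid mappings "
                   "(found 1 out of 3)."),
    },
    {
        GIDMAP,
        nxt_string("[{\"container\": 1000, \"host\": 0, \"size\": 1},"
                   " {\"container\": 10000, \"host\": 10000, \"size\": 1}]"),
        1,
        {"johndoe", 1000, 1000, 3, gids},
        1000, 1000,
        NXT_ERROR,
        nxt_string("\"gidmap\" field has missing suplementary gid mappings "
                   "(found 2 out of 3)."),
    },
    {
        /*
         * Fix all mappings
         */
        GIDMAP,
        nxt_string("[{\"container\": 1000, \"host\": 0, \"size\": 1},"
                   "{\"container\": 10000, \"host\": 10000, \"size\": 1},"
                   " {\"container\": 60000, \"host\": 60000, \"size\": 1}]"),
        1,
        {"johndoe", 1000, 1000, 3, gids},
        1000, 1000,
        NXT_OK,
        nxt_string(""),
    },
};


/*
 * Log handler installed on task->log while the cases run.  It is the oracle
 * for the validator's error reporting: every line the validator logs is
 * formatted into a local buffer and compared with tc->errmsg of the case
 * that is currently running (log->ctx).  Debug lines are ignored for cases
 * that are expected to succeed.  Mismatches are reported to nxt_main_log;
 * the handler itself never fails the case, only the return-value check in
 * nxt_clone_test_map_assert() does.
 */
void nxt_cdecl
nxt_clone_test_log_handler(nxt_uint_t level, nxt_log_t *log,
    const char *fmt, ...)
{
    u_char                      *p, *end;
    va_list                     args;
    nxt_clone_creds_ctx_t       *ctx;
    nxt_clone_creds_testcase_t  *tc;
    u_char                      msg[NXT_MAX_ERROR_STR];

    p = msg;

    /*
     * Reserve the last byte of "msg" for the terminator: nxt_vsprintf()
     * may fill the buffer right up to "end", and storing '\0' at that
     * point would otherwise write one byte past the array.
     */
    end = msg + NXT_MAX_ERROR_STR - 1;

    va_start(args, fmt);
    p = nxt_vsprintf(p, end, fmt, args);
    va_end(args);

    *p = '\0';

    ctx = log->ctx;
    tc = (ctx != NULL) ? ctx->tc : NULL;

    if (tc == NULL) {
        /* No case is running yet; nothing to compare against. */
        nxt_log_error(NXT_LOG_ERR, &nxt_main_log, "unexpected log: %s", msg);
        return;
    }

    if (tc->result == NXT_OK && level == NXT_LOG_DEBUG) {
        return;
    }

    if (tc->errmsg.length == 0) {
        nxt_log_error(NXT_LOG_ERR, &nxt_main_log, "unexpected log: %s", msg);
        return;
    }

    /* The expected message must match exactly, including punctuation. */
    if (!nxt_str_eq(&tc->errmsg, msg, (nxt_uint_t) (p - msg))) {
        nxt_log_error(NXT_LOG_ERR, &nxt_main_log,
                      "error log mismatch: got [%s] but wants [%V]",
                      msg, &tc->errmsg);
        return;
    }
}


/*
 * Test entry point.  Builds a private runtime and memory pool, redirects
 * task->log to nxt_clone_test_log_handler() and runs every entry of
 * testcases[] through nxt_clone_test_mappings().
 *
 * Returns NXT_OK when all cases pass, NXT_ERROR on the first failure (or
 * when the memory pool cannot be created).  The process-wide nxt_euid /
 * nxt_egid values, thr->runtime and task->log are restored before
 * returning so that later tests in the same binary are not affected.
 */
nxt_int_t
nxt_clone_creds_test(nxt_thread_t *thr)
{
    nxt_mp_t               *mp;
    nxt_int_t              ret;
    nxt_uid_t              saved_euid;
    nxt_gid_t              saved_egid;
    nxt_uint_t             count, i;
    nxt_task_t             *task;
    nxt_runtime_t          rt, *saved_rt;
    nxt_clone_creds_ctx_t  ctx;

    /* Positional nxt_log_t initializer as used by the rest of the tests. */
    nxt_log_t  nxt_clone_creds_log = {
        NXT_LOG_INFO,
        0,
        nxt_clone_test_log_handler,
        NULL,
        &ctx
    };

    nxt_thread_time_update(thr);

    task = thr->task;

    mp = nxt_mp_create(1024, 128, 256, 32);
    if (mp == NULL) {
        return NXT_ERROR;
    }

    /*
     * Only rt.mem_pool and rt.capabilities.setid are written here; zero
     * the rest so the validators never observe uninitialized stack data.
     */
    nxt_memzero(&rt, sizeof(nxt_runtime_t));
    rt.mem_pool = mp;

    ctx.tc = NULL;

    /*
     * "rt" lives on this stack frame, so the previous runtime pointer is
     * saved and put back on exit; leaving &rt in the thread would be a
     * dangling pointer after return.
     */
    saved_rt = thr->runtime;
    thr->runtime = &rt;

    /* The cases overwrite the process-wide effective ids; restore them later. */
    saved_euid = nxt_euid;
    saved_egid = nxt_egid;

    test_log = task->log;
    task->log = &nxt_clone_creds_log;
    task->thread = thr;

    count = sizeof(testcases) / sizeof(testcases[0]);

    for (i = 0; i < count; i++) {
        ret = nxt_clone_test_mappings(task, mp, &ctx, &testcases[i]);

        if (ret != NXT_OK) {
            /* Report which fixture failed; the details were logged already. */
            nxt_log_error(NXT_LOG_ERR, test_log,
                          "clone creds test case #%ui failed", i);
            goto fail;
        }
    }

    ret = NXT_OK;

    nxt_log_error(NXT_LOG_NOTICE, test_log, "clone creds test passed");

fail:

    nxt_euid = saved_euid;
    nxt_egid = saved_egid;

    task->log = test_log;
    thr->runtime = saved_rt;

    nxt_mp_destroy(mp);

    return ret;
}


/*
 * Runs one test case: parses its map fixture, sets the unit's capability
 * and effective ids from the case, and checks the validator's result.
 * A privileged case that runs as a non-root euid is repeated with
 * euid/egid 0, since root is expected to behave like a unit holding the
 * setid capability.
 *
 * "mp" is kept for interface compatibility; allocations go through
 * task->thread->runtime->mem_pool.  Returns NXT_OK or NXT_ERROR.
 */
nxt_int_t
nxt_clone_test_mappings(nxt_task_t *task, nxt_mp_t *mp,
    nxt_clone_creds_ctx_t *ctx, nxt_clone_creds_testcase_t *tc)
{
    nxt_int_t                   ret;
    nxt_runtime_t               *rt;
    nxt_clone_credential_map_t  map;

    rt = task->thread->runtime;

    /*
     * Publish the current case before anything that may log, so the log
     * handler never compares against a stale or unset case.
     */
    ctx->tc = tc;

    map.size = 0;
    map.map = NULL;

    if (tc->map_data.length > 0) {
        ret = nxt_clone_test_parse_map(task, &tc->map_data, &map);
        if (ret != NXT_OK) {
            /* A fixture that does not parse is a bug in this file, not in the validator. */
            nxt_log_error(NXT_LOG_ERR, &nxt_main_log,
                          "invalid test map fixture: %V", &tc->map_data);
            return NXT_ERROR;
        }
    }

    rt->capabilities.setid = tc->setid;

    nxt_euid = tc->unit_euid;
    nxt_egid = tc->unit_egid;

    if (nxt_clone_test_map_assert(task, tc, &map) != NXT_OK) {
        return NXT_ERROR;
    }

    if (tc->setid && nxt_euid != 0) {
        /*
         * Running as root should have the same behavior as
         * passing Linux capabilities.
         */

        nxt_euid = 0;
        nxt_egid = 0;

        if (nxt_clone_test_map_assert(task, tc, &map) != NXT_OK) {
            return NXT_ERROR;
        }
    }

    return NXT_OK;
}


/*
 * Calls the uid or gid validator selected by tc->map_type and compares its
 * return value with tc->result.  Returns NXT_OK on a match, otherwise logs
 * the mismatch together with the offending map and returns NXT_ERROR.
 */
nxt_int_t
nxt_clone_test_map_assert(nxt_task_t *task, nxt_clone_creds_testcase_t *tc,
    nxt_clone_credential_map_t *map)
{
    nxt_int_t  ret;

    if (tc->map_type == UIDMAP) {
        ret = nxt_clone_vldt_credential_uidmap(task, map, &tc->creds);

    } else {
        ret = nxt_clone_vldt_credential_gidmap(task, map, &tc->creds);
    }

    if (ret != tc->result) {
        nxt_log_error(NXT_LOG_ERR, &nxt_main_log,
                      "return %d instead of %d (map: %V)", ret, tc->result,
                      &tc->map_data);

        return NXT_ERROR;
    }

    return NXT_OK;
}


/*
 * Parses a JSON array of {"host", "container", "size"} objects from
 * "map_str" into "map", allocating the entries from the runtime pool.
 * An empty array yields map->size == 0 and map->map == NULL.
 *
 * Returns NXT_ERROR when the string is not valid JSON, is not an array,
 * an element is not an object, a member is missing, or allocation fails;
 * a malformed fixture must fail the test rather than feed a NULL value
 * to nxt_conf_get_number().
 */
static nxt_int_t
nxt_clone_test_parse_map(nxt_task_t *task, nxt_str_t *map_str,
    nxt_clone_credential_map_t *map)
{
    nxt_uint_t        i;
    nxt_runtime_t     *rt;
    nxt_conf_value_t  *array, *obj, *host, *cont, *size;

    static nxt_str_t  host_name = nxt_string("host");
    static nxt_str_t  cont_name = nxt_string("container");
    static nxt_str_t  size_name = nxt_string("size");

    rt = task->thread->runtime;

    array = nxt_conf_json_parse_str(rt->mem_pool, map_str);
    if (array == NULL) {
        return NXT_ERROR;
    }

    if (nxt_conf_type(array) != NXT_CONF_ARRAY) {
        return NXT_ERROR;
    }

    map->size = nxt_conf_array_elements_count(array);

    if (map->size == 0) {
        map->map = NULL;
        return NXT_OK;
    }

    map->map = nxt_mp_alloc(rt->mem_pool,
                            map->size * sizeof(nxt_clone_map_entry_t));
    if (map->map == NULL) {
        return NXT_ERROR;
    }

    for (i = 0; i < map->size; i++) {
        obj = nxt_conf_get_array_element(array, i);
        if (obj == NULL) {
            return NXT_ERROR;
        }

        host = nxt_conf_get_object_member(obj, &host_name, NULL);
        cont = nxt_conf_get_object_member(obj, &cont_name, NULL);
        size = nxt_conf_get_object_member(obj, &size_name, NULL);

        if (host == NULL || cont == NULL || size == NULL) {
            return NXT_ERROR;
        }

        map->map[i].host = nxt_conf_get_number(host);
        map->map[i].container = nxt_conf_get_number(cont);
        map->map[i].size = nxt_conf_get_number(size);
    }

    return NXT_OK;
}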