Changes: Wrote helpers and made security tests 1 & 2 very strict about credentials

tests/TestScripts/test-security.py

@@ -19,6 +19,36 @@ import unittest
 from utils import *
 
 class SecurityTests(unittest.TestCase):
+    def filter_creds(self, creds):
+        """
+        Filter out some unnecessary cruft from the test point of view
+        """
+
+        def f(x):
+            return (x[:3] != "SRC" and
+                    x[:3] != "AID" and
+                    x != "applauncherd-testapps::applauncherd-testapps")
+
+        return filter(f, creds)
+
+    def user_creds(self, suppl = False):
+        """
+        Returns the user id, group id and optionally supplementary
+        groups as credential tokens.
+        """
+
+        groups = []
+
+        if suppl:
+            groups = get_groups_for_user()
+
+            def f(x):
+                return 'GRP::' + x
+
+            groups = map(f, groups)
+
+        return ['UID::user', 'GID::users'] + groups
+        
     def test_001(self):
         """
         Test that the fala_ft_creds* applications have the correct
@@ -30,22 +60,31 @@ class SecurityTests(unittest.TestCase):
         self.assert_(creds1 != None, "couldn't get credentials")
         self.assert_(creds2 != None, "couldn't get credentials")
 
+        creds1 = self.filter_creds(creds1)
+        creds2 = self.filter_creds(creds2)
+
         debug("fala_ft_creds1 has %s" % ', '.join(creds1))
         debug("fala_ft_creds2 has %s" % ', '.join(creds2))
 
+        # When an application has a manifest, the users supplementary
+        # groups are not by default included in the credential list,
+        # only UID and GID.
+
         # required caps for fala_ft_creds1
         cap1 = ['tcb', 'drm', 'CAP::setuid', 'CAP::setgid',
-                'CAP::setfcap']
+                'CAP::setfcap'] + self.user_creds()
 
         # required caps for fala_ft_creds2
-        cap2 = ['Cellular']
+        cap2 = ['Cellular'] + self.user_creds()
 
-        # check that all required creds are there
+        cap1.sort()
-        for cap in cap1:
+        cap2.sort()
-            self.assert_(cap in creds1, "%s not set for fala_ft_creds1" % cap)
 
-        for cap in cap2:
+        creds1.sort()
-            self.assert_(cap in creds2, "%s not set for fala_ft_creds2" % cap)
+        creds2.sort()
+
+        self.assert_(cap1 == creds1, "fala_ft_creds1 has incorrect credentials")
+        self.assert_(cap2 == creds2, "fala_ft_creds2 has incorrect credentials")
 
     def test_002_no_aegis_Bug170905(self):
         """
@@ -58,15 +97,8 @@ class SecurityTests(unittest.TestCase):
 
         self.assert_(creds != None, "error retrieving credentials")
 
-        groups = get_groups_for_user()
-
-        print "user belongs to groups: %s" % ', '.join(groups)
-
-        def grouper(x): return 'GRP::' + x
-        groups = map(grouper, groups)
-
         # Credentials should be dropped, but uid/gid + groups retained
-        req_creds = ['UID::user', 'GID::users'] + groups
+        req_creds = self.user_creds(True)
 
         creds.sort()
         req_creds.sort()
@@ -75,7 +107,7 @@ class SecurityTests(unittest.TestCase):
         print "REQUIRED: " + ', '.join(req_creds)
 
         self.assert_(creds == req_creds,
-                     "fala_ft_hello has different creds set!")
+                     "fala_ft_hello has incorrect credentials")
 
     def test_003_invoker_creds(self):
         """