From 5f7d2ac76da7a25fb1f6e940af08fc8952e9db42 Mon Sep 17 00:00:00 2001
From: James Falcon
Date: Thu, 4 Mar 2021 10:23:46 -0600
Subject: [PATCH 1/3] Integration test for #783
Newer verisons of /etc/sudoers prefer @includedir over #includedir. Ensure we handle that properly and don't include an additional #includedir when one isn't warranted.
---
 .../modules/test_users_groups.py | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/tests/integration_tests/modules/test_users_groups.py b/tests/integration_tests/modules/test_users_groups.py
index ee08d87be16..fc5021cc69d 100644
--- a/tests/integration_tests/modules/test_users_groups.py
+++ b/tests/integration_tests/modules/test_users_groups.py
@@ -11,6 +11,9 @@
 import pytest
+from tests.integration_tests.clouds import ImageSpecification
+from tests.integration_tests.instances import IntegrationInstance
+
 USER_DATA = """\
 #cloud-config
@@ -86,3 +89,30 @@ def test_user_root_in_secret(self, class_client):
 _, groups_str = output.split(":", maxsplit=1)
 groups = groups_str.split()
 assert "secret" in groups
+
+
+@pytest.mark.user_data(USER_DATA)
+def test_sudoers_includedir(client: IntegrationInstance):
+ """Ensure we don't add additional #includedir to sudoers.
+
+ Newer verisons of /etc/sudoers will use @includedir rather than
+ #includedir. Ensure we handle that properly and don't include an
+ additional #includedir when one isn't warranted.
+
+ https://github.com/canonical/cloud-init/pull/783
+ """
+ if ImageSpecification.from_os_image().release not in ['hirsute', 'groovy']:
+ raise pytest.skip(
+ 'Test requires version of sudo installed on groovy and later'
+ )
+ client.execute("sed -i 's/#include/@include/g' /etc/sudoers")
+
+ sudoers = client.read_from_file('/etc/sudoers')
+ if '@includedir /etc/sudoers.d' not in sudoers:
+ client.execute("echo '@includedir /etc/sudoers.d' > /etc/sudoers")
+ client.execute('cloud-init clean --logs')
+ client.restart()
+ sudoers = client.read_from_file('/etc/sudoers')
+
+ assert '#includedir' not in sudoers
+ assert sudoers.count('includedir /etc/sudoers.d') == 1
From 7d4e31321d0006d3b758d1a1d6879a1440d66a83 Mon Sep 17 00:00:00 2001
From: James Falcon
Date: Fri, 5 Mar 2021 16:21:59 -0600
Subject: [PATCH 2/3] comments
---
 .../modules/test_users_groups.py | 23 +++++++++++--------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/tests/integration_tests/modules/test_users_groups.py b/tests/integration_tests/modules/test_users_groups.py
index fc5021cc69d..445253243a3 100644
--- a/tests/integration_tests/modules/test_users_groups.py
+++ b/tests/integration_tests/modules/test_users_groups.py
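Review bot: The two closing assertions in `test_sudoers_includedir` only inspect the text of `/etc/sudoers`, so the test would still pass if the file left behind after the restart no longer parses. Since this file governs privilege escalation on the instance, I would add a syntax check after the final read, e.g. `assert client.execute('visudo -c').ok` (assuming the result object exposes `.ok`). The `raise` in front of `pytest.skip(...)` is also redundant, because `pytest.skip` raises on its own.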
@@ -1,10 +1,7 @@
-"""Integration test for the user_groups module.
-
-This test specifies a number of users and groups via user-data, and confirms
-that they have been configured correctly in the system under test.
+"""Integration tests for the user_groups module.
 TODO:
-* This test assumes that the "ubuntu" user will be created when "default" is
+* This modules assumes that the "ubuntu" user will be created when "default" is
 specified; this will need modification to run on other OSes.
 """
 import re
@@ -48,6 +45,12 @@
 @pytest.mark.ci
 @pytest.mark.user_data(USER_DATA)
 class TestUsersGroups:
+ """Test users and groups.
+
+ This test specifies a number of users and groups via user-data, and
+ confirms that they have been configured correctly in the system under test.
+ """
+
 @pytest.mark.ubuntu
 @pytest.mark.parametrize(
 "getent_args,regex",
@@ -95,13 +98,15 @@ def test_user_root_in_secret(self, class_client):
 def test_sudoers_includedir(client: IntegrationInstance):
 """Ensure we don't add additional #includedir to sudoers.
- Newer verisons of /etc/sudoers will use @includedir rather than
+ Newer versions of /etc/sudoers will use @includedir rather than
 #includedir. Ensure we handle that properly and don't include an
 additional #includedir when one isn't warranted.
 https://github.com/canonical/cloud-init/pull/783
 """
- if ImageSpecification.from_os_image().release not in ['hirsute', 'groovy']:
+ if ImageSpecification.from_os_image().release in [
+ 'xenial', 'bionic', 'focal'
+ ]:
 raise pytest.skip(
 'Test requires version of sudo installed on groovy and later'
 )
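Review bot: The skip condition in `test_sudoers_includedir` is now a denylist (`'xenial', 'bionic', 'focal'`), so any release or image outside those three runs the test and rewrites `/etc/sudoers`, while the skip message still reads "groovy and later". The function as added carries only `@pytest.mark.user_data(USER_DATA)`; if non-Ubuntu images can reach it, adding `@pytest.mark.ubuntu` (already used inside `TestUsersGroups`) would keep the Ubuntu release names meaningful. A one-line comment above the list, such as `# releases whose sudo presumably predates @includedir`, would record why these three are excluded. The function body continues outside this hunk.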
@@ -109,8 +114,8 @@ def test_sudoers_includedir(client: IntegrationInstance):
 sudoers = client.read_from_file('/etc/sudoers')
 if '@includedir /etc/sudoers.d' not in sudoers:
- client.execute("echo '@includedir /etc/sudoers.d' > /etc/sudoers")
- client.execute('cloud-init clean --logs')
+ client.execute("echo '@includedir /etc/sudoers.d' >> /etc/sudoers")
+ client.instance.clean()
 client.restart()
 sudoers = client.read_from_file('/etc/sudoers')
From 840f7d4b89554d89492256e5019f74d895b81969 Mon Sep 17 00:00:00 2001
From: Daniel Watkins
Date: Thu, 11 Mar 2021 11:21:25 -0500
Subject: [PATCH 3/3] Update tests/integration_tests/modules/test_users_groups.py
---
 tests/integration_tests/modules/test_users_groups.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/integration_tests/modules/test_users_groups.py b/tests/integration_tests/modules/test_users_groups.py
index 445253243a3..bcb17b7fd11 100644
--- a/tests/integration_tests/modules/test_users_groups.py
+++ b/tests/integration_tests/modules/test_users_groups.py
@@ -1,7 +1,7 @@
 """Integration tests for the user_groups module.
 TODO:
-* This modules assumes that the "ubuntu" user will be created when "default" is
+* This module assumes that the "ubuntu" user will be created when "default" is
 specified; this will need modification to run on other OSes.
 """
 import re
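Review bot: Nothing asserts the starting state before `client.instance.clean()` and `client.restart()`: the `sed` and the optional `echo ... >> /etc/sudoers` are assumed to have left exactly one `@includedir /etc/sudoers.d` line and no `#includedir`, and `sudoers` is not re-read after the append. If the setup did not take effect, the closing assertions fail or pass for reasons unrelated to cloud-init. I would re-read the file just before the clean and assert the precondition, e.g. `assert '#includedir' not in client.read_from_file('/etc/sudoers')`. The function starts outside this hunk.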