From 0ef94d85e58497dcb2c4c954cadcac918032467a Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 18 Feb 2021 21:07:01 +0100
Subject: Add %-specifiers support.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

lacme(8): for --config=, --socket=, --config-certs= (and ‘socket’/
‘config-certs’/‘challenge-directory’ configuration options *before*
privilege drop; and for the [accountd] section ‘command’/‘config’
configuration options *after* privilege drop).

lacme-accountd(1): for --config=, --socket= and --privkey= (and
‘socket’/‘privkey’ configuration options).

This also changes the default configuration file location.  lacme(8) and
lacme-accountd(1) now respectively use /etc/lacme/lacme.conf resp.
/etc/lacme/lacme-accountd.conf when running as root, and
$XDG_CONFIG_HOME/lacme/lacme.conf resp. $XDG_CONFIG_HOME/lacme/lacme-accountd.conf
when running as a normal user.  There is no fallback to /etc anymore.
---
 tests/accountd       |  13 +++++-
 tests/spec-expansion | 130 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+), 2 deletions(-)
 create mode 100644 tests/spec-expansion

(limited to 'tests')

diff --git a/tests/accountd b/tests/accountd
index 2f3985f..4626c78 100644
--- a/tests/accountd
+++ b/tests/accountd
@@ -20,12 +20,17 @@ grepstderr -Fxq "Can't stat $SOCKET: No such file or directory (Is lacme-account
 
 #######################################################################
 
+# missing configuration at default location
+! runuser -u lacme-account -- lacme-accountd --debug 2>"$STDERR" || fail
+grepstderr -Fxq "Ignoring missing configuration file at default location /home/lacme-account/.config/lacme/lacme-accountd.conf"
+grepstderr -Fxq "Error: 'privkey' is not specified"
+
 install -olacme-account -glacme-account -Ddm0700 ~lacme-account/.config/lacme
 mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
 chown lacme-account: ~lacme-account/.config/lacme/account.key
 
 cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
-	privkey = file:/home/lacme-account/.config/lacme/account.key
+	privkey = file:%E/lacme/account.key
 EOF
 
 # non-existent parent directory
@@ -33,9 +38,13 @@ EOF
 grepstderr -Fxq "stat(/nonexistent): No such file or directory"
 
 # word-writable parent directory
-! runuser -u lacme-account -- lacme-accountd --socket="/tmp/S.lacme" account 2>"$STDERR" || fail
+! runuser -u lacme-account -- lacme-accountd --socket="%T/S.lacme" account 2>"$STDERR" || fail
 grepstderr -Fxq "Error: insecure permissions on /tmp"
 
+# unset XDG_RUNTIME_DIR
+! runuser -u lacme-account -- lacme-accountd 2>"$STDERR" || fail
+grepstderr "Error: undefined expansion %t in \"%t/S.lacme\""
+
 # non-existent $XDG_RUNTIME_DIR
 ! runuser -u lacme-account -- env XDG_RUNTIME_DIR="/nonexistent" lacme-accountd 2>"$STDERR" || fail
 grepstderr -Fxq "stat(/nonexistent): No such file or directory"
diff --git a/tests/spec-expansion b/tests/spec-expansion
new file mode 100644
index 0000000..722bdfc
--- /dev/null
+++ b/tests/spec-expansion
@@ -0,0 +1,130 @@
+# %-specifiers expansion
+
+# lacme --config=, all specifiers, root privileges
+! lacme --config="%C %E %t %h %T %g %G %u %U %%.conf" account 2>"$STDERR" || fail
+grepstderr -Fxq "Can't open /var/cache /etc /run /root /tmp root 0 root 0 %.conf: No such file or directory"
+
+# lacme --config=, all specifiers, root privileges, defined XDG_*
+! env XDG_CACHE_HOME=/foo/cache XDG_CONFIG_HOME=/foo/config XDG_RUNTIME_DIR=/foo/run HOME=/foo/home USER=myuser TMPDIR=/foo/tmp \
+    lacme --config="%C %E %t %h %T %g %G %u %U %%.conf" account 2>"$STDERR" || fail
+grepstderr -Fxq "Can't open /var/cache /etc /run /root /foo/tmp root 0 root 0 %.conf: No such file or directory"
+
+# lacme --config=, all specifiers, non-root, unset XDG_RUNTIME_DIR
+! runuser -u nobody -- lacme --config="%C %E %t %h %T %g %G %u %U %%.conf" account 2>"$STDERR" || fail
+grepstderr -Fxq "Error: undefined expansion %t in \"%C %E %t %h %T %g %G %u %U %%.conf\""
+
+# lacme --config=, all specifiers, non-root, defined XDG_RUNTIME_DIR, no other XDG_*
+! runuser -u nobody -g www-data -- env XDG_RUNTIME_DIR=/foo/run \
+    lacme --config="%C %E %t %h %T %g %G %u %U %%.conf" account 2>"$STDERR" || fail
+grepstderr -Fxq "Can't open /nonexistent/.cache /nonexistent/.config /foo/run /nonexistent /tmp www-data 33 nobody 65534 %.conf: No such file or directory"
+
+# lacme --config=, all specifiers, non-root, defined XDG_*
+! runuser -u nobody -- env XDG_CACHE_HOME=/foo/cache XDG_CONFIG_HOME=/foo/config XDG_RUNTIME_DIR=/foo/run HOME=/foo/home USER=myuser TMPDIR=/foo/tmp \
+    lacme --config="%C %E %t %h %T %g %G %u %U %%.conf" account 2>"$STDERR" || fail
+grepstderr -Fxq "Can't open /foo/cache /foo/config /foo/run /nonexistent /foo/tmp nogroup 65534 nobody 65534 %.conf: No such file or directory"
+
+# lacme --socket=
+! lacme --config="%E/lacme/lacme.conf" --socket="%t/S.lacme2" account --debug 2>"$STDERR" || fail
+grepstderr -Fxq "Using configuration file: /etc/lacme/lacme.conf"
+grepstderr -Fxq "Can't stat /run/S.lacme2: No such file or directory (Is lacme-accountd running?)"
+
+# 'challenge-directory' setting (expands before privilege drop)
+sed -ri 's|^#?challenge-directory\s*=.*|challenge-directory = /nonexistent/%u:%g|' /etc/lacme/lacme.conf
+! lacme newOrder --debug 2>"$STDERR" || fail
+grepstderr -Fq "Using existing webserver on /nonexistent/root:root"
+
+# lacme --config-certs= and 'config-certs' settings (expands before privilege drop)
+! lacme newOrder --debug nonexistent 2>"$STDERR" || fail
+grepstderr -Fxq "Reading /etc/lacme/lacme-certs.conf"
+
+sed -ri 's|^#?config-certs\s*=.*|config-certs = /nonexistent/%u:%g.conf|' /etc/lacme/lacme.conf
+! lacme newOrder --debug nonexistent 2>"$STDERR" || fail
+grepstderr -Fxq "Reading /nonexistent/root:root.conf"
+
+! lacme newOrder --config-certs="%E/lacme/certs.conf.d" --debug nonexistent 2>"$STDERR" || fail
+grepstderr -vFxq "Reading /etc/lacme/lacme-certs.conf"
+grepstderr -Fxq "Reading /etc/lacme/certs.conf.d"
+
+# 'config' setting in [accountd] section (expands after privilege drop)
+sed -ri 's|^#?config\s*=\s*$|config = /nonexistent/%u:%g.conf|' /etc/lacme/lacme.conf
+! lacme account 2>"$STDERR" || fail
+grepstderr -Fxq "Failed to open file '/nonexistent/root:root.conf' for reading: No such file or directory"
+
+sed -ri 's|^#?user\s*=\s*$|user = nobody|' /etc/lacme/lacme.conf
+! lacme account 2>"$STDERR" || fail
+grepstderr -Fxq "Failed to open file '/nonexistent/nobody:root.conf' for reading: No such file or directory"
+
+# 'command' setting in [accountd] section (expands after privilege drop)
+sed -ri 's|^#?command\s*=.*/lacme-accountd$|command = /usr/bin/lacme-accountd --%u|' /etc/lacme/lacme.conf
+! lacme account 2>"$STDERR" || fail
+grepstderr -Fxq "Unknown option: nobody"
+
+sed -ri 's|^#?command\s*=.*/lacme-accountd .*|command = /nonexistent/%u/%g %u %g|' /etc/lacme/lacme.conf
+! lacme account 2>"$STDERR" || fail
+grepstderr -Eq "^Can't exec \"/nonexistent/nobody/root\": No such file or directory"
+
+
+#######################################################################
+
+# lacme-accountd --config=, all specifiers, root privileges
+! lacme-accountd --config="%C %E %t %h %T %g %G %u %U %%.conf" 2>"$STDERR" || fail
+grepstderr -Fxq "Failed to open file '/var/cache /etc /run /root /tmp root 0 root 0 %.conf' for reading: No such file or directory"
+
+# lacme-accountd --config=, all specifiers, root privileges, defined XDG_*
+! env XDG_CACHE_HOME=/foo/cache XDG_CONFIG_HOME=/foo/config XDG_RUNTIME_DIR=/foo/run HOME=/foo/home USER=myuser TMPDIR=/foo/tmp \
+    lacme-accountd --config="%C %E %t %h %T %g %G %u %U %%.conf" 2>"$STDERR" || fail
+grepstderr -Fxq "Failed to open file '/var/cache /etc /run /root /foo/tmp root 0 root 0 %.conf' for reading: No such file or directory"
+
+# lacme-accountd --config=, all specifiers, non-root, unset XDG_RUNTIME_DIR
+! runuser -u nobody -- lacme-accountd --config="%C %E %t %h %T %g %G %u %U %%.conf" account 2>"$STDERR" || fail
+grepstderr -Fxq "Error: undefined expansion %t in \"%C %E %t %h %T %g %G %u %U %%.conf\""
+
+# lacme-accountd --config=, all specifiers, non-root, defined XDG_RUNTIME_DIR, no other XDG_*
+! runuser -u nobody -g www-data -- env XDG_RUNTIME_DIR=/foo/run \
+    lacme-accountd --config="%C %E %t %h %T %g %G %u %U %%.conf" 2>"$STDERR" || fail
+grepstderr -Fxq "Failed to open file '/nonexistent/.cache /nonexistent/.config /foo/run /nonexistent /tmp www-data 33 nobody 65534 %.conf' for reading: No such file or directory"
+
+# lacme-accountd --config=, all specifiers, non-root, defined XDG_*
+! runuser -u nobody -- env XDG_CACHE_HOME=/foo/cache XDG_CONFIG_HOME=/foo/config XDG_RUNTIME_DIR=/foo/run HOME=/foo/home USER=myuser TMPDIR=/foo/tmp \
+    lacme-accountd --config="%C %E %t %h %T %g %G %u %U %%.conf" 2>"$STDERR" || fail
+grepstderr -Fxq "Failed to open file '/foo/cache /foo/config /foo/run /nonexistent /foo/tmp nogroup 65534 nobody 65534 %.conf' for reading: No such file or directory"
+
+# lacme-accountd --privkey=
+! lacme-accountd --privkey="file:%h/lacme-accountd.key" --debug 2>"$STDERR" || fail
+grepstderr -Fxq "Error: Can't open /root/lacme-accountd.key: No such file or directory"
+
+# lacme-accountd, default socket location
+lacme-accountd --debug 2>"$STDERR" & PID=$!
+sleep 1
+kill $PID || fail
+wait || fail
+grepstderr -Fxq "Using configuration file: /etc/lacme/lacme-accountd.conf"
+grepstderr -Fxq "Starting lacme Account Key Manager at /run/S.lacme"
+grepstderr -Fxq "Unlinking /run/S.lacme"
+
+# lacme-accountd --config= --socket= --privkey=
+ln -s lacme-accountd.conf /etc/lacme/accountd.conf
+lacme-accountd --config="%E/lacme/accountd.conf" --socket="%t/S.lacme2" --privkey="file:%E/lacme/account.key" --debug 2>"$STDERR" & PID=$!
+sleep 1
+kill $PID || fail
+wait || fail
+grepstderr -Fxq "Using configuration file: /etc/lacme/accountd.conf"
+grepstderr -Fxq "Starting lacme Account Key Manager at /run/S.lacme2"
+grepstderr -Fxq "Unlinking /run/S.lacme2"
+
+# lacme-accountd, custom 'socket' setting
+sed -ri 's|^#?socket\s*=.*|socket = %t/S.lacme3|' /etc/lacme/lacme-accountd.conf
+lacme-accountd --debug 2>"$STDERR" & PID=$!
+sleep 1
+kill $PID || fail
+wait || fail
+grepstderr -Fxq "Using configuration file: /etc/lacme/lacme-accountd.conf"
+grepstderr -Fxq "Starting lacme Account Key Manager at /run/S.lacme3"
+grepstderr -Fxq "Unlinking /run/S.lacme3"
+
+# lacme-accountd, custom 'privkey' setting
+sed -ri 's|^privkey\s*=.*|privkey = file:%h/lacme-accountd.key|' /etc/lacme/lacme-accountd.conf
+! lacme-accountd --debug 2>"$STDERR" || fail
+grepstderr -Fxq "Error: Can't open /root/lacme-accountd.key: No such file or directory"
+
+# vim: set filetype=sh :
-- 
cgit v1.2.3