tests/integration/includes/shell/FirejailCommandTest.php

   1 <?php
   2
   3 use MediaWiki\Shell\FirejailCommand;
   4 use MediaWiki\Shell\Shell;
   5
   6 /**
   7  * Integration tests to ensure that firejail actually prevents execution.
   8  * Meant to run on vagrant, although will probably work on other setups
   9  * as long as firejail and sudo has similar config.
  10  *
  11  * @group large
  12  * @group Shell
  13  * @covers FirejailCommand
  14  */
  15 class FirejailCommandIntegrationTest extends PHPUnit\Framework\TestCase {
  16
  17         public function setUp() {
  18                 parent::setUp();
  19                 if ( Shell::command( 'which', 'firejail' )->execute()->getExitCode() ) {
  20                         $this->markTestSkipped( 'firejail not installed' );
  21                 } elseif ( wfIsWindows() ) {
  22                         $this->markTestSkipped( 'test supports POSIX environments only' );
  23                 }
  24         }
  25
  26         public function testSanity() {
  27                 // Make sure that firejail works at all.
  28                 $command = new FirejailCommand( 'firejail' );
  29                 $command
  30                         ->unsafeParams( 'ls .' )
  31                         ->restrict( Shell::RESTRICT_DEFAULT );
  32                 $result = $command->execute();
  33                 $this->assertSame( 0, $result->getExitCode() );
  34         }
  35
  36         /**
  37          * @coversNothing
  38          * @dataProvider provideExecute
  39          */
  40         public function testExecute( $testCommand, $flag ) {
  41                 if ( preg_match( '/^sudo /', $testCommand ) ) {
  42                         if ( Shell::command( 'sudo', '-n', 'ls', '/' )->execute()->getExitCode() ) {
  43                                 $this->markTestSkipped( 'need passwordless sudo' );
  44                         }
  45                 }
  46
  47                 $command = new FirejailCommand( 'firejail' );
  48                 $command
  49                         ->unsafeParams( $testCommand )
  50                         // If we don't restrict at all, firejail won't be invoked,
  51                         // so the test will give a false positive if firejail breaks
  52                         // the command for some non-flag-related reason. Instead,
  53                         // set some flag that won't get in the way.
  54                         ->restrict( $flag === Shell::NO_NETWORK ? Shell::PRIVATE_DEV : Shell::NO_NETWORK );
  55                 $result = $command->execute();
  56                 $this->assertSame( 0, $result->getExitCode(), 'sanity check' );
  57
  58                 $command = new FirejailCommand( 'firejail' );
  59                 $command
  60                         ->unsafeParams( $testCommand )
  61                         ->restrict( $flag );
  62                 $result = $command->execute();
  63                 $this->assertNotSame( 0, $result->getExitCode(), 'real check' );
  64         }
  65
  66         public function provideExecute() {
  67                 global $IP;
  68                 return [
  69                         [ 'sudo -n ls /', Shell::NO_ROOT ],
  70                         [ 'sudo -n ls /', Shell::SECCOMP ], // not a great test but seems to work
  71                         [ 'ls /dev/cpu', Shell::PRIVATE_DEV ],
  72                         [ 'curl -fsSo /dev/null https://wikipedia.org/', Shell::NO_NETWORK ],
  73                         [ 'exec ls /', Shell::NO_EXECVE ],
  74                         [ "cat $IP/LocalSettings.php", Shell::NO_LOCALSETTINGS ],
  75                 ];
  76         }
  77
  78 }