xah30
c6f0d7af9b
Three v2-hardening features in aura-cli, one pass:
- nat::NatGuard: RAII auto-config of IP forwarding + MASQUERADE on server
startup. Linux (sysctl ip_forward + iptables -t nat MASQUERADE) and
macOS (sysctl ip.forwarding + pfctl with /tmp/aura-nat.conf). dry_run
works on every platform (logs "would run: ..."). Reverts everything in
Drop. New [server.nat] {auto, egress_iface, dry_run}; absent section =
back-compat no-op. Removes v1's "manual NAT/forwarding" step.
- privdrop::drop_to_user: drop euid/gid after binding TUN + privileged
ports. Linux setresuid/setresgid, macOS setgid+setuid (permanent drop),
Windows no-op with warning. New [server] / [client] run_as = "..."
(optional). Skipped with info-log if already non-root.
- admin: split transport into cfg(unix) Unix-socket and cfg(windows) Tokio
named-pipe modules sharing one JSON-line serve/request flow over
AsyncRead/AsyncWrite. DEFAULT_SOCKET = "/tmp/aura-admin.sock" on Unix,
r"\\.\pipe\aura-admin" on Windows. Removes v1's "admin Unix-only".
Deps: nix 0.29 user feature under [target.'cfg(unix)'.dependencies] (cli-
local, not workspace). Workspace: 155 tests passed (+13), clippy -D warnings
clean, fmt clean.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
27 lines
1.1 KiB
Rust
27 lines
1.1 KiB
Rust
//! Integration tests for `aura_cli::privdrop::drop_to_user`.
|
|
//!
|
|
//! These tests run unprivileged (the developer or CI is not root), so `drop_to_user` MUST take
|
|
//! the "already non-root, skip" fast path and return Ok. Actually exercising the syscalls
|
|
//! requires running the binary under sudo, which is out of scope for a unit test.
|
|
|
|
use aura_cli::privdrop::drop_to_user;
|
|
|
|
/// On a non-root host the call is a no-op: it logs a "skipped" line and returns Ok regardless of
|
|
/// whether the requested user actually exists (we never reach the lookup path).
|
|
#[test]
|
|
fn drop_to_user_is_noop_when_not_root() {
|
|
let res = drop_to_user("nobody");
|
|
assert!(
|
|
res.is_ok(),
|
|
"drop_to_user must be a no-op on a non-root host, got {res:?}"
|
|
);
|
|
}
|
|
|
|
/// A non-existent user is still tolerated when not root (because we never reach the lookup at
|
|
/// all). This guarantees the dev/CI flow never blows up on a misconfigured `[server] run_as`.
|
|
#[test]
|
|
fn drop_to_user_does_not_lookup_user_when_not_root() {
|
|
let res = drop_to_user("this-user-definitely-does-not-exist-aura-12345");
|
|
assert!(res.is_ok(), "no lookup happens on a non-root host: {res:?}");
|
|
}
|