xah30/AuraVPN
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1893e24174f00589d89177e9ae09f56711a32144
AuraVPN/crates/aura-cli/tests/privdrop.rs
T
xah30 c6f0d7af9b feat(cli): auto-NAT + privilege drop + Windows named-pipe admin 
Three v2-hardening features in aura-cli, one pass:

- nat::NatGuard: RAII auto-config of IP forwarding + MASQUERADE on server
  startup. Linux (sysctl ip_forward + iptables -t nat MASQUERADE) and
  macOS (sysctl ip.forwarding + pfctl with /tmp/aura-nat.conf). dry_run
  works on every platform (logs "would run: ..."). Reverts everything in
  Drop. New [server.nat] {auto, egress_iface, dry_run}; absent section =
  back-compat no-op. Removes v1's "manual NAT/forwarding" step.
- privdrop::drop_to_user: drop euid/gid after binding TUN + privileged
  ports. Linux setresuid/setresgid, macOS setgid+setuid (permanent drop),
  Windows no-op with warning. New [server] / [client] run_as = "..."
  (optional). Skipped with info-log if already non-root.
- admin: split transport into cfg(unix) Unix-socket and cfg(windows) Tokio
  named-pipe modules sharing one JSON-line serve/request flow over
  AsyncRead/AsyncWrite. DEFAULT_SOCKET = "/tmp/aura-admin.sock" on Unix,
  r"\\.\pipe\aura-admin" on Windows. Removes v1's "admin Unix-only".

Deps: nix 0.29 user feature under [target.'cfg(unix)'.dependencies] (cli-
local, not workspace). Workspace: 155 tests passed (+13), clippy -D warnings
clean, fmt clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 02:09:38 +03:00

27 lines
1.1 KiB
Rust
Raw Blame History

//! Integration tests for `aura_cli::privdrop::drop_to_user`.
//!
//! These tests run unprivileged (the developer or CI is not root), so `drop_to_user` MUST take
//! the "already non-root, skip" fast path and return Ok. Actually exercising the syscalls
//! requires running the binary under sudo, which is out of scope for a unit test.
use aura_cli::privdrop::drop_to_user;
/// On a non-root host the call is a no-op: it logs a "skipped" line and returns Ok regardless of
/// whether the requested user actually exists (we never reach the lookup path).
#[test]
fn drop_to_user_is_noop_when_not_root() {
let res = drop_to_user("nobody");
assert!(
res.is_ok(),
"drop_to_user must be a no-op on a non-root host, got {res:?}"
);
}
/// A non-existent user is still tolerated when not root (because we never reach the lookup at
/// all). This guarantees the dev/CI flow never blows up on a misconfigured `[server] run_as`.
#[test]
fn drop_to_user_does_not_lookup_user_when_not_root() {
let res = drop_to_user("this-user-definitely-does-not-exist-aura-12345");
assert!(res.is_ok(), "no lookup happens on a non-root host: {res:?}");
}
Reference in New Issue View Git Blame Copy Permalink