66 "path/filepath"
77 "testing"
88
9- "github.com/Azure/azure-extension-platform/pkg/extensionpolicysettings"
109 "github.com/Azure/run-command-handler-linux/internal/handlersettings"
1110 "github.com/stretchr/testify/require"
1211)
@@ -44,10 +43,7 @@ func captureStdout(t *testing.T, fn func()) string {
4443}
4544
4645func TestInitializeExtensionPolicySettings_InvalidPath_ReturnsError (t * testing.T ) {
47- var mgr * extensionpolicysettings.ExtensionPolicySettingsManager [RCv2ExtensionPolicySettings ]
48- out := & RCv2ExtensionPolicySettings {}
49-
50- err := InitializeExtensionPolicySettings (mgr , "/definitely/not/found/policy.json" , out )
46+ _ , _ , err := InitializeExtensionPolicySettings ("/definitely/not/found/policy.json" )
5147 require .Error (t , err )
5248 require .Contains (t , err .Error (), "failed to" )
5349}
@@ -60,10 +56,7 @@ func TestInitializeExtensionPolicySettings_ValidFile_ReturnsNil(t *testing.T) {
6056 err := os .WriteFile (policyPath , []byte ("{}" ), 0600 )
6157 require .NoError (t , err )
6258
63- var mgr * extensionpolicysettings.ExtensionPolicySettingsManager [RCv2ExtensionPolicySettings ]
64- out := & RCv2ExtensionPolicySettings {}
65-
66- err = InitializeExtensionPolicySettings (mgr , policyPath , out )
59+ _ , _ , err = InitializeExtensionPolicySettings (policyPath )
6760 require .NoError (t , err )
6861}
6962
@@ -75,17 +68,16 @@ func TestInitializeExtensionPolicySettings_CurrentBehavior_DoesNotPopulateOutput
7568 err := os .WriteFile (policyPath , []byte (payload ), 0600 )
7669 require .NoError (t , err )
7770
78- var mgr * extensionpolicysettings.ExtensionPolicySettingsManager [RCv2ExtensionPolicySettings ]
7971 out := & RCv2ExtensionPolicySettings {}
8072
81- err = InitializeExtensionPolicySettings (mgr , policyPath , out )
73+ _ , out , err = InitializeExtensionPolicySettings (policyPath )
8274 require .NoError (t , err )
8375
84- // Documents current implementation behavior (pointer reassignment inside function).
85- require .Equal (t , "" , out .LimitScripts )
86- require .Equal (t , "" , out .RunAsUser )
76+ require .Equal (t , "inline" , out .LimitScripts )
77+ require .Equal (t , "alice" , out .RunAsUser )
8778}
8879
80+ // Test that validation passes and fails as expected.
8981func TestInitialValidateHandlerSettingsAgainstPolicy (t * testing.T ) {
9082 t .Run ("nil policy" , func (t * testing.T ) {
9183 settings := makeSettings (handlersettings .InlineScript , "" , "" , "" )
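Review bot: The function name in the hunk header, TestInitializeExtensionPolicySettings_CurrentBehavior_DoesNotPopulateOutput, now states the opposite of what the test asserts: the new lines check that the returned policy carries `LimitScripts == "inline"` and `RunAsUser == "alice"`, so parsing the file does populate the output. Rename it to something like `TestInitializeExtensionPolicySettings_ValidFile_PopulatesOutput`, and drop the now-dead `out := &RCv2ExtensionPolicySettings{}` on the context line, since `_, out, err = InitializeExtensionPolicySettings(policyPath)` overwrites it before it is read; a plain `_, out, err := InitializeExtensionPolicySettings(policyPath)` would do. The function's signature line is outside this hunk.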
@@ -94,6 +86,8 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
9486 require .Contains (t , err .Error (), "no policy provided" )
9587 })
9688
89+ // This test mimicks running an inline script, but policy only allows gallery scripts.
90+ // Validation fails.
9791 t .Run ("script type blocked by policy" , func (t * testing.T ) {
9892 settings := makeSettings (handlersettings .InlineScript , "" , "" , "" )
9993 policy := & RCv2ExtensionPolicySettings {
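Review bot: Typo in the added comment `// This test mimicks running an inline script, but policy only allows gallery scripts.`: "mimicks" should be "mimics", and the same spelling appears in the comment added in the next hunk (`// This test mimicks running a commandId that is not in the allowlist.`). The comment could also name the policy token the case relies on so the reader does not have to scroll into the subtest body, e.g. `// Policy LimitScripts permits only gallery scripts, so an inline script must be rejected.` — assuming the policy literal below the hunk sets the gallery-only token, which this hunk does not show. The enclosing TestInitialValidateHandlerSettingsAgainstPolicy starts and ends outside the hunk.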
@@ -105,7 +99,9 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
10599 require .Contains (t , err .Error (), "script type inline is not allowed by policy" )
106100 })
107101
108- t .Run ("command id not in allowlist" , func (t * testing.T ) {
102+ // This test mimicks running a commandId that is not in the allowlist.
103+ // Additionally, only commandId types are allowed.
104+ t .Run ("command ID not in allowlist" , func (t * testing.T ) {
109105 settings := makeSettings (handlersettings .CommandIdScript , "restartVM" , "" , "" )
110106 policy := & RCv2ExtensionPolicySettings {
111107 LimitScripts : "allowedcommandid" ,
@@ -128,7 +124,33 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
128124 require .Contains (t , err .Error (), "does not match" )
129125 })
130126
131- t .Run ("all checks pass" , func (t * testing.T ) {
127+ t .Run ("enforce limitScripts must be set. If not set, all commands fail" , func (t * testing.T ) {
128+ settings := makeSettings (handlersettings .CommandIdScript , "safeCommand" , " Alice " , "https://example/blob" )
129+ policy := & RCv2ExtensionPolicySettings {
130+ LimitScripts : "" ,
131+ CommandIdAllowlist : []string {"safeCommand" },
132+ RunAsUser : "Alice" ,
133+ DisableOutputBlobs : true ,
134+ }
135+
136+ err := InitialValidateHandlerSettingsAgainstPolicy (settings , policy )
137+ require .Contains (t , err .Error (), "script type commandId is not allowed by policy" )
138+ })
139+
140+ t .Run ("all checks pass commandId" , func (t * testing.T ) {
141+ settings := makeSettings (handlersettings .CommandIdScript , "safeCommand" , " Alice " , "https://example/blob" )
142+ policy := & RCv2ExtensionPolicySettings {
143+ LimitScripts : "allowall" ,
144+ CommandIdAllowlist : []string {"safeCommand" },
145+ RunAsUser : "alice" ,
146+ DisableOutputBlobs : true ,
147+ }
148+
149+ err := InitialValidateHandlerSettingsAgainstPolicy (settings , policy )
150+ require .NoError (t , err )
151+ })
152+
153+ t .Run ("all checks pass commandId" , func (t * testing.T ) {
132154 settings := makeSettings (handlersettings .CommandIdScript , "safeCommand" , " Alice " , "https://example/blob" )
133155 policy := & RCv2ExtensionPolicySettings {
134156 LimitScripts : "allowall" ,
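Review bot: The subtest name `"all checks pass commandId"` is added twice, once in the new `t.Run` after the limitScripts case and again on the line that replaces `"all checks pass"`; both appear to set up the same CommandIdScript settings and an `allowall` policy, so one is redundant and Go will only disambiguate them as `all_checks_pass_commandId#01` in the output. Keep one, or rename the second to cover a distinct policy token such as `allowedcommandid`, which currently has no passing case. Separately, the new `"enforce limitScripts must be set"` case calls `require.Contains(t, err.Error(), ...)` without a preceding `require.Error(t, err)`, so if the fail-closed behaviour ever regresses and err is nil the test panics on a nil pointer instead of reporting a clean failure; add `require.Error(t, err)` before the `Contains`, and the same applies to the two `Contains` lines that replace `require.Error` in the later TestValidateCommandId hunk. The enclosing function continues outside this hunk.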
@@ -140,6 +162,19 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
140162 err := InitialValidateHandlerSettingsAgainstPolicy (settings , policy )
141163 require .NoError (t , err )
142164 })
165+
166+ t .Run ("all checks pass downloadedScript" , func (t * testing.T ) {
167+ settings := makeSettings (handlersettings .DownloadedScript , "safeCommand" , " Alice " , "https://example/blob" )
168+ policy := & RCv2ExtensionPolicySettings {
169+ LimitScripts : "alloweddownloaded" ,
170+ CommandIdAllowlist : []string {"safeCommand" },
171+ RunAsUser : "alice" ,
172+ DisableOutputBlobs : true ,
173+ }
174+
175+ err := InitialValidateHandlerSettingsAgainstPolicy (settings , policy )
176+ require .NoError (t , err )
177+ })
143178}
144179
145180func TestValidateScriptTypeAgainstPolicy (t * testing.T ) {
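Review bot: The new `"all checks pass downloadedScript"` case passes RunAsUser `" Alice "` in settings against `"alice"` in policy and expects success, so it silently depends on the validator trimming and case-folding the user name, and nothing in the test says so. A comment on the settings line would make the expectation explicit, e.g. `// " Alice " vs "alice": the RunAsUser comparison is expected to trim whitespace and ignore case.`; the same pairing is used in the commandId cases added in the previous hunk. Linux user names are case-sensitive, so if the handler later runs the script as the settings value rather than the policy value, `Alice` and `alice` could be different accounts — worth confirming which value reaches the runner, since that is not visible here.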
@@ -154,7 +189,8 @@ func TestValidateScriptTypeAgainstPolicy(t *testing.T) {
154189 require .Contains (t , err .Error (), "script type gallery is not allowed by policy" )
155190 })
156191
157- t .Run ("invalid policy token currently treated as blocked" , func (t * testing.T ) {
192+ // This tests edge case where policy has an invalid script type token.
193+ t .Run ("invalid policy token is treated as blocked" , func (t * testing.T ) {
158194 err := ValidateScriptTypeAgainstPolicy (handlersettings .InlineScript , "notARealScriptType" )
159195 require .Error (t , err )
160196 require .Contains (t , err .Error (), "script type inline is not allowed by policy" )
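Review bot: The added comment `// This tests edge case where policy has an invalid script type token.` says what the case is but not why the expected outcome is right; since the assertion expects `"script type inline is not allowed by policy"` for the token `"notARealScriptType"`, the comment should record the fail-closed intent, e.g. `// An unrecognized LimitScripts token must fail closed: nothing is allowed, rather than everything.` Also "tests edge case" reads better as "tests the edge case". The enclosing TestValidateScriptTypeAgainstPolicy continues outside the hunk.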
@@ -186,7 +222,8 @@ func TestValidateCommandId(t *testing.T) {
186222 CommandIdAllowlist : []string {"safeCommand" , "other" },
187223 }
188224 err := ValidateCommandId (settings , policy )
189- require .Error (t , err )
225+ require .Contains (t , err .Error (), "command ID restartVM is not allowed by policy" )
226+ require .Contains (t , err .Error (), "item is not in the allowlist" )
190227 })
191228}
192229
@@ -207,46 +244,6 @@ func TestValidateRunAsUser(t *testing.T) {
207244 }
208245 err := ValidateRunAsUser (settings , policy )
209246 require .Error (t , err )
210- require .Contains (t , err .Error (), "does not match" )
211- })
212- }
213-
214- func TestValidateOutputBlob (t * testing.T ) {
215- t .Run ("policy does not disable output blobs prints nothing" , func (t * testing.T ) {
216- settings := makeSettings (handlersettings .InlineScript , "" , "" , "https://example/blob" )
217- policy := & RCv2ExtensionPolicySettings {
218- DisableOutputBlobs : false ,
219- }
220-
221- out := captureStdout (t , func () {
222- ValidateOutputBlob (settings , policy )
223- })
224- require .Equal (t , "" , out )
225- })
226-
227- t .Run ("disabled with output blob uri prints ignore warning" , func (t * testing.T ) {
228- settings := makeSettings (handlersettings .InlineScript , "" , "" , "https://example/blob" )
229- policy := & RCv2ExtensionPolicySettings {
230- DisableOutputBlobs : true ,
231- }
232-
233- out := captureStdout (t , func () {
234- ValidateOutputBlob (settings , policy )
235- })
236- require .Contains (t , out , "Output blobs are disabled by policy" )
237- require .Contains (t , out , "provided output blob URI will be ignored" )
238- })
239-
240- t .Run ("disabled without output blob uri prints no blob warning" , func (t * testing.T ) {
241- settings := makeSettings (handlersettings .InlineScript , "" , "" , "" )
242- policy := & RCv2ExtensionPolicySettings {
243- DisableOutputBlobs : true ,
244- }
245-
246- out := captureStdout (t , func () {
247- ValidateOutputBlob (settings , policy )
248- })
249- require .Contains (t , out , "Output blobs are disabled by policy" )
250- require .Contains (t , out , "No output blobs will be created" )
247+ require .Contains (t , err .Error (), "RunAsUser 'bob' in settings does not match RunAsUser 'alice' in policy" )
251248 })
252249}
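Review bot: Removing TestValidateOutputBlob drops the only visible coverage of the DisableOutputBlobs policy path (the "Output blobs are disabled by policy" / "provided output blob URI will be ignored" messages), while the new cases in TestInitialValidateHandlerSettingsAgainstPolicy still set `DisableOutputBlobs: true` without asserting anything about it. If `ValidateOutputBlob` was not removed in the same commit, that enforcement path is now untested and a regression that starts honoring a blob URI the policy disables would go unnoticed; if it was removed, the `captureStdout` helper named in an earlier hunk header may now be unused. The commit message should say which, and the replacement assertion `require.Contains(t, err.Error(), "RunAsUser 'bob' in settings does not match RunAsUser 'alice' in policy")` is fine because `require.Error` remains just above it.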