55 "path/filepath"
66 "testing"
77
8+ "github.com/Azure/run-command-handler-linux/internal/constants"
89 "github.com/Azure/run-command-handler-linux/internal/handlersettings"
910 "github.com/go-kit/kit/log"
1011 "github.com/stretchr/testify/require"
@@ -23,10 +24,31 @@ func makeSettings(scriptType handlersettings.ScriptType, commandID string, runAs
2324 }
2425}
2526
27+ func TestInitializeExtensionPolicySettings_EmptyPath_ReturnsError (t * testing.T ) {
28+ _ , _ , err , exitCode := InitializeExtensionPolicySettings (nopCtx (), "" )
29+ require .Error (t , err )
30+ require .Contains (t , err .Error (), "policy path is empty" )
31+ require .Equal (t , constants .ExitCode_InitializeCalledWithNoPolicyPath , exitCode )
32+ }
2633func TestInitializeExtensionPolicySettings_InvalidPath_ReturnsError (t * testing.T ) {
27- _ , _ , err := InitializeExtensionPolicySettings (nopCtx (), "/definitely/not/found/policy.json" )
34+ _ , _ , err , exitCode := InitializeExtensionPolicySettings (nopCtx (), "/definitely/not/found/policy.json" )
35+ require .Error (t , err )
36+ require .Contains (t , err .Error (), "failed to load extension policy settings" )
37+ require .Equal (t , constants .ExitCode_LoadExtensionPolicySettingsFailed , exitCode )
38+ }
39+
40+ func TestInitializeExtensionPolicySettings_InvalidPolicyFails (t * testing.T ) {
41+ tmpDir := t .TempDir ()
42+ policyPath := filepath .Join (tmpDir , "policy.json" )
43+
44+ payload := `{"blah blah"}`
45+ err := os .WriteFile (policyPath , []byte (payload ), 0600 )
46+ require .NoError (t , err )
47+
48+ _ , _ , err , exitCode := InitializeExtensionPolicySettings (nopCtx (), policyPath )
2849 require .Error (t , err )
2950 require .Contains (t , err .Error (), "failed to" )
51+ require .Equal (t , constants .ExitCode_LoadExtensionPolicySettingsFailed , exitCode )
3052}
3153
3254func TestInitializeExtensionPolicySettings_ValidFile_ReturnsNil (t * testing.T ) {
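Review bot: `TestInitializeExtensionPolicySettings_InvalidPolicyFails` matches only the substring `"failed to"` and discards both returned settings values, so it does not pin that a rejected policy file leaves nothing usable for the caller. The policy fields exercised later in this file (`LimitScripts`, `CommandIdAllowlist`, `RunAsUser`) suggest this loader feeds the checks that decide which scripts may run, so the fail-closed result is worth asserting. Bind the second return and check it, e.g. `_, out, err, exitCode := InitializeExtensionPolicySettings(nopCtx(), policyPath)` followed by `require.Nil(t, out)`, assuming the function returns nil settings on error (its body is not visible here). If the malformed-JSON path produces the same message as the invalid-path case, matching the full `"failed to load extension policy settings"` string would keep the two tests consistent.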
@@ -37,11 +59,12 @@ func TestInitializeExtensionPolicySettings_ValidFile_ReturnsNil(t *testing.T) {
3759 err := os .WriteFile (policyPath , []byte ("{}" ), 0600 )
3860 require .NoError (t , err )
3961
40- _ , _ , err = InitializeExtensionPolicySettings (nopCtx (), policyPath )
62+ _ , _ , err , exitCode : = InitializeExtensionPolicySettings (nopCtx (), policyPath )
4163 require .NoError (t , err )
64+ require .Equal (t , 0 , exitCode )
4265}
4366
44- func TestInitializeExtensionPolicySettings_CurrentBehavior_DoesNotPopulateOutputStruct (t * testing.T ) {
67+ func TestInitializeExtensionPolicySettings_PopulatesOutputStruct (t * testing.T ) {
4568 tmpDir := t .TempDir ()
4669 policyPath := filepath .Join (tmpDir , "policy.json" )
4770
@@ -51,20 +74,22 @@ func TestInitializeExtensionPolicySettings_CurrentBehavior_DoesNotPopulateOutput
5174
5275 out := & RCv2ExtensionPolicySettings {}
5376
54- _ , out , err = InitializeExtensionPolicySettings (nopCtx (), policyPath )
77+ _ , out , err , exitCode : = InitializeExtensionPolicySettings (nopCtx (), policyPath )
5578 require .NoError (t , err )
79+ require .Equal (t , 0 , exitCode )
5680
5781 require .Equal (t , "inline" , out .LimitScripts )
5882 require .Equal (t , "alice" , out .RunAsUser )
5983}
6084
6185// Test that validation passes and fails as expected.
62- func TestInitialValidateHandlerSettingsAgainstPolicy (t * testing.T ) {
86+ func TestValidateHandlerSettingsAgainstPolicy (t * testing.T ) {
6387 t .Run ("nil policy" , func (t * testing.T ) {
6488 settings := makeSettings (handlersettings .InlineScript , "" , "" , "" )
65- err := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , nil )
89+ err , exitCode := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , nil )
6690 require .Error (t , err )
6791 require .Contains (t , err .Error (), "no policy provided" )
92+ require .Equal (t , constants .ExitCode_ValidateCalledWithNilPolicy , exitCode )
6893 })
6994
7095 // This test mimicks running an inline script, but policy only allows gallery scripts.
@@ -75,9 +100,10 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
75100 LimitScripts : "gallery" ,
76101 }
77102
78- err := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
103+ err , exitCode := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
79104 require .Error (t , err )
80105 require .Contains (t , err .Error (), "script type inline is not allowed by policy" )
106+ require .Equal (t , constants .ExitCode_ScriptTypeNotAllowedByExtensionPolicy , exitCode )
81107 })
82108
83109 // This test mimicks running a commandId that is not in the allowlist.
@@ -89,8 +115,9 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
89115 CommandIdAllowlist : []string {"safeCommand" },
90116 }
91117
92- err := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
118+ err , exitCode := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
93119 require .Error (t , err )
120+ require .Equal (t , constants .ExitCode_CommandIdNotAllowedByExtensionPolicy , exitCode )
94121 })
95122
96123 t .Run ("runAs mismatch" , func (t * testing.T ) {
@@ -100,9 +127,10 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
100127 RunAsUser : "alice" ,
101128 }
102129
103- err := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
130+ err , exitCode := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
104131 require .Error (t , err )
105132 require .Contains (t , err .Error (), "does not match" )
133+ require .Equal (t , constants .ExitCode_RunAsUserNotAllowedByExtensionPolicy , exitCode )
106134 })
107135
108136 t .Run ("enforce limitScripts must be set. If not set, all commands fail" , func (t * testing.T ) {
@@ -114,8 +142,9 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
114142 DisableOutputBlobs : true ,
115143 }
116144
117- err := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
145+ err , exitCode := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
118146 require .Contains (t , err .Error (), "script type commandId is not allowed by policy" )
147+ require .Equal (t , constants .ExitCode_ScriptTypeNotAllowedByExtensionPolicy , exitCode )
119148 })
120149
121150 t .Run ("all checks pass commandId" , func (t * testing.T ) {
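Review bot: In the `enforce limitScripts must be set. If not set, all commands fail` subtest, `err.Error()` is called without a preceding `require.Error(t, err)`, unlike the other failing cases on this page. Going by the subtest name, this is the deny-by-default case; if validation ever regressed to returning a nil error here, the test would panic on a nil dereference instead of reporting a clean assertion failure, and the new exit-code assertion would never run. Add `require.Error(t, err)` before the `require.Contains` line. The subtest body begins outside this hunk, so the policy and settings it builds are not fully visible.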
@@ -127,8 +156,9 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
127156 DisableOutputBlobs : true ,
128157 }
129158
130- err := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
159+ err , exitCode := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
131160 require .NoError (t , err )
161+ require .Equal (t , 0 , exitCode )
132162 })
133163
134164 t .Run ("all checks pass downloadedScript" , func (t * testing.T ) {
@@ -140,8 +170,9 @@ func TestInitialValidateHandlerSettingsAgainstPolicy(t *testing.T) {
140170 DisableOutputBlobs : true ,
141171 }
142172
143- err := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
173+ err , exitCode := ValidateHandlerSettingsAgainstPolicy (nopCtx (), settings , policy )
144174 require .NoError (t , err )
175+ require .Equal (t , 0 , exitCode )
145176 })
146177}
147178