
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorPatrick Steinhardt <psteinhardt@gitlab.com>2022-01-18 13:50:14 +0300
committerPatrick Steinhardt <psteinhardt@gitlab.com>2022-01-18 13:50:14 +0300
commit7cd8ef212eccee3ffd388f1b88ccdeca15971435 (patch)
tree52bdc0456fa4cb99f7d8ebe9412aa5072e9d5391
parentc275ce42bff89cf6930e603aa2cc9f75e1b0d309 (diff)
parent10a89fc4cfa5e1601276e7fe31aa3155953dd24b (diff)
Merge branch 'pks-ci-run-tests-unprivileged' into 'master'
ci: Run tests as unprivileged user See merge request gitlab-org/gitaly!4254
-rw-r--r--.gitlab-ci.yml17
-rw-r--r--Makefile12
-rw-r--r--internal/git/command_factory_cgroup_test.go2
3 files changed, 21 insertions, 10 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b996c16dd..38a6a4133 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -75,6 +75,7 @@ include:
PGUSER: postgres
POSTGRES_DB: praefect_test
POSTGRES_HOST_AUTH_METHOD: trust
+ TEST_REPORT: /tmp/go-tests-report.xml
before_script: &test_before_script
- go version
- while ! psql -h $PGHOST -U $PGUSER -c 'SELECT 1' > /dev/null; do echo "awaiting Postgres service to be ready..." && sleep 1 ; done && echo "Postgres service is ready!"
@@ -82,7 +83,7 @@ include:
paths:
- ruby/tmp/gitaly-rspec-test.log
reports:
- junit: _build/reports/go-tests-report.xml
+ junit: ${TEST_REPORT}
when: on_failure
expire_in: 1 week
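Review bot: The `junit:` report now resolves to `/tmp/go-tests-report.xml` (the `TEST_REPORT` value added in the first hunk), which is outside the checkout. As far as I know GitLab resolves artifact and report paths relative to `$CI_PROJECT_DIR` and does not collect files outside it, so it is worth confirming that a failing job still uploads its report. If it does not, one option is to keep the report in the project and hand only that directory to the test user before dropping privileges: `TEST_REPORT: ${CI_PROJECT_DIR}/_build/reports/go-tests-report.xml` plus `- install -d -o 9999 -g 9999 _build/reports` after the privileged `make build prepare-tests` step. That keeps the rest of the tree read-only for the tests and avoids a fixed file name in a world-writable directory.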
@@ -156,16 +157,17 @@ build:binaries:
test:
<<: *test_definition
script:
- # This command will make all directories except of our build directory and Ruby code unwritable.
- # The purpose is to verify that there is no test which writes into those directories anymore, as
- # they should all instead use a temporary directory for runtime data.
- - find . -type d \( -path ./_build -o -path ./ruby \) -prune -o -type d -exec chmod a-w {} \;
# If we're testing with bundled Git, then we don't want to have the Git
# installation around. Otherwise, Git would be able to resolve its binaries
# by just looking at its own GIT_PREFIX and then pick binaries from that
# installation directory.
- if test -n "${WITH_BUNDLED_GIT}"; then rm -rf _build/deps/git/install; fi
- - make ${TARGET}
+ # We need to prepare test dependencies as privileged user.
+ - make build prepare-tests
+ # But the actual tests should run unprivileged. This assures that we pay
+ # proper attention to permission bits and that we don't modify the source
+ # directory.
+ - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease
parallel:
matrix:
# These definitions are for the non-default Git versions.
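Review bot: The privilege-dropping command on the last added script line is spelled out in full here and again in the `test:nightly` hunk, with uid/gid 9999 hard-coded in both. A later edit to one copy (losing `--no-new-privs` or `--clear-groups`, say) would leave one job running its tests with more privilege than the other, and nothing would flag it. Consider defining it once under `variables:`, e.g. `UNPRIVILEGED: setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null`, and using `- ${UNPRIVILEGED} make ${TARGET} SKIP_RSPEC_BUILD=YesPlease` in both jobs. The added comment could also note that 9999 is an arbitrary id with no passwd entry (if that is the intent) and that the dropped `chmod a-w` check is now covered by root owning the tree.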
@@ -233,7 +235,8 @@ test:nightly:
<<: *test_definition
script:
- go version
- - make all ${TARGET}
+ - make build prepare-tests
+ - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease
parallel:
matrix:
- GIT_VERSION: [ "master", "next" ]
diff --git a/Makefile b/Makefile
index bf61fd5b9..af89b4a65 100644
--- a/Makefile
+++ b/Makefile
@@ -356,7 +356,7 @@ prepare-test-repos: ${TEST_REPO} ${TEST_REPO_GIT}
test: test-go test-ruby
.PHONY: test-ruby
-test-ruby: prepare-tests rspec
+test-ruby: rspec
.PHONY: test-go
## Run Go tests.
@@ -391,9 +391,17 @@ race-go: test-go
.PHONY: rspec
## Run Ruby tests.
-rspec: build prepare-tests
+rspec: prepare-tests
${Q}cd ${GITALY_RUBY_DIR} && PATH='${SOURCE_DIR}/internal/testhelper/testdata/home/bin:${PATH}' bundle exec rspec
+# This is a workaround for our unprivileged CI builds. We manually execute the
+# build target as privileged user, but then run the rspec target unprivileged.
+# We thus cannot rebuild binaries there given that we have no permissions to
+# write into the build directory.
+ifndef SKIP_RSPEC_BUILD
+rspec: build
+endif
+
.PHONY: verify
## Verify that various files conform to our expectations.
verify: check-mod-tidy notice-up-to-date check-proto rubocop lint
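Review bot: `ifndef SKIP_RSPEC_BUILD` is satisfied by a value inherited from the environment as well as one given on the command line, so any shell that exports the variable makes `rspec` silently run against whatever binaries are already in the build directory, possibly stale ones. Extending the comment above the conditional with a line such as `# Also honoured from the environment; rspec then tests the binaries already present in the build directory.` would make that visible. Separately, moving `build` into a second `rspec:` line places it after `prepare-tests` in the prerequisite list, where the old rule listed it first. If `prepare-tests` relies on build output without declaring it, a serial run now processes the two in the opposite order; that cannot be checked from this hunk.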
diff --git a/internal/git/command_factory_cgroup_test.go b/internal/git/command_factory_cgroup_test.go
index dec22243f..fb470421d 100644
--- a/internal/git/command_factory_cgroup_test.go
+++ b/internal/git/command_factory_cgroup_test.go
@@ -50,7 +50,7 @@ func TestNewCommandAddsToCgroup(t *testing.T) {
BinDir: filepath.Join(root, "bin.d"),
}
- require.NoError(t, os.MkdirAll(cfg.BinDir, 0o644))
+ require.NoError(t, os.MkdirAll(cfg.BinDir, 0o755))
require.NoError(t, cfg.SetGitPath())
gitCmdFactory := newCommandFactory(t, cfg, WithSkipHooks())