Disable chroot and add daemon-enable-jail flag

- Disable chroot mechanism by default. - Adds the daemon-enable-jail flag which will allow users to enable the legacy chroot mechanism if anything goes wrong. This flag won't be available via Omnibus, instead users will need to define the environment variable and pass to Pages. - Simplify chroot logic from http_fs - Update jail documentation - Enable chroot when domain-config-source=disk Changelog: changed
author: Jaime Martinez <jmartinez@gitlab.com> 2021-07-02 05:18:39 +0300
committer: Jaime Martinez <jmartinez@gitlab.com> 2021-07-12 06:33:45 +0300
commit: 4d1dcf7933442c4b062b85fe26a2aa6cc75a078d (patch)
tree: d666b9d1ed7b452a439e9c8761701acae694ffc0 /test
parent: 98303e171b4e7ce5152cadb71afaded07944f92c (diff)
4 files changed, 77 insertions, 46 deletions
diff --git a/test/acceptance/artifacts_test.go b/test/acceptance/artifacts_test.go
index 2f578a73..398b62a6 100644
--- a/test/acceptance/artifacts_test.go
+++ b/test/acceptance/artifacts_test.go
@@ -15,8 +15,6 @@ import (
 )
 
 func TestArtifactProxyRequest(t *testing.T) {
-	skipUnlessEnabled(t, "not-inplace-chroot")
-
 	transport := (TestHTTPSClient.Transport).(*http.Transport).Clone()
 	transport.ResponseHeaderTimeout = 5 * time.Second
 
@@ -161,8 +159,6 @@ func TestArtifactProxyRequest(t *testing.T) {
 }
 
 func TestPrivateArtifactProxyRequest(t *testing.T) {
-	skipUnlessEnabled(t, "not-inplace-chroot")
-
 	setupTransport(t)
 
 	testServer := makeGitLabPagesAccessStub(t)
diff --git a/test/acceptance/auth_test.go b/test/acceptance/auth_test.go
index 980fe377..331bf7d6 100644
--- a/test/acceptance/auth_test.go
+++ b/test/acceptance/auth_test.go
@@ -483,8 +483,11 @@ func testAccessControl(t *testing.T, runPages runPagesFunc) {
 	keyFile, certFile := CreateHTTPSFixtureFiles(t)
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 	require.NoError(t, err)
-	defer os.Remove(keyFile)
-	defer os.Remove(certFile)
+
+	t.Cleanup(func() {
+		os.Remove(keyFile)
+		os.Remove(certFile)
+	})
 
 	testServer := makeGitLabPagesAccessStub(t)
 	testServer.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
@@ -572,67 +575,64 @@ func testAccessControl(t *testing.T, runPages runPagesFunc) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			teardown := runPages(t, *pagesBinary, supportedListeners(), "", certFile, testServer.URL)
+			teardown := runPages(t, *pagesBinary, []ListenSpec{httpsListener}, "", certFile, testServer.URL)
 			defer teardown()
 
-			rsp, err := GetRedirectPage(t, httpsListener, tt.host, tt.path)
+			rsp1, err1 := GetRedirectPage(t, httpsListener, tt.host, tt.path)
+			require.NoError(t, err1)
+			defer rsp1.Body.Close()
 
-			require.NoError(t, err)
-			defer rsp.Body.Close()
-
-			require.Equal(t, http.StatusFound, rsp.StatusCode)
-			cookie := rsp.Header.Get("Set-Cookie")
+			require.Equal(t, http.StatusFound, rsp1.StatusCode)
+			cookie := rsp1.Header.Get("Set-Cookie")
 
 			// Redirects to the projects under gitlab pages domain for authentication flow
-			url, err := url.Parse(rsp.Header.Get("Location"))
+			loc1, err := url.Parse(rsp1.Header.Get("Location"))
 			require.NoError(t, err)
-			require.Equal(t, "projects.gitlab-example.com", url.Host)
-			require.Equal(t, "/auth", url.Path)
-			state := url.Query().Get("state")
+			require.Equal(t, "projects.gitlab-example.com", loc1.Host)
+			require.Equal(t, "/auth", loc1.Path)
+			state := loc1.Query().Get("state")
 
-			rsp, err = GetRedirectPage(t, httpsListener, url.Host, url.Path+"?"+url.RawQuery)
+			rsp2, err2 := GetRedirectPage(t, httpsListener, loc1.Host, loc1.Path+"?"+loc1.RawQuery)
+			require.NoError(t, err2)
+			defer rsp2.Body.Close()
 
-			require.NoError(t, err)
-			defer rsp.Body.Close()
-
-			require.Equal(t, http.StatusFound, rsp.StatusCode)
-			pagesDomainCookie := rsp.Header.Get("Set-Cookie")
+			require.Equal(t, http.StatusFound, rsp2.StatusCode)
+			pagesDomainCookie := rsp2.Header.Get("Set-Cookie")
 
 			// Go to auth page with correct state will cause fetching the token
-			authrsp, err := GetRedirectPageWithCookie(t, httpsListener, "projects.gitlab-example.com", "/auth?code=1&state="+
+			authrsp1, err := GetRedirectPageWithCookie(t, httpsListener, "projects.gitlab-example.com", "/auth?code=1&state="+
 				state, pagesDomainCookie)
-
 			require.NoError(t, err)
-			defer authrsp.Body.Close()
+			defer authrsp1.Body.Close()
 
 			// Will redirect auth callback to correct host
-			url, err = url.Parse(authrsp.Header.Get("Location"))
+			authLoc, err := url.Parse(authrsp1.Header.Get("Location"))
 			require.NoError(t, err)
-			require.Equal(t, tt.host, url.Host)
-			require.Equal(t, "/auth", url.Path)
+			require.Equal(t, tt.host, authLoc.Host)
+			require.Equal(t, "/auth", authLoc.Path)
 
 			// Request auth callback in project domain
-			authrsp, err = GetRedirectPageWithCookie(t, httpsListener, url.Host, url.Path+"?"+url.RawQuery, cookie)
+			authrsp2, err := GetRedirectPageWithCookie(t, httpsListener, authLoc.Host, authLoc.Path+"?"+authLoc.RawQuery, cookie)
 			require.NoError(t, err)
 
 			// server returns the ticket, user will be redirected to the project page
-			require.Equal(t, http.StatusFound, authrsp.StatusCode)
-			cookie = authrsp.Header.Get("Set-Cookie")
-			rsp, err = GetRedirectPageWithCookie(t, httpsListener, tt.host, tt.path, cookie)
+			require.Equal(t, http.StatusFound, authrsp2.StatusCode)
+			cookie = authrsp2.Header.Get("Set-Cookie")
 
-			require.NoError(t, err)
-			defer rsp.Body.Close()
+			rsp3, err3 := GetRedirectPageWithCookie(t, httpsListener, tt.host, tt.path, cookie)
+			require.NoError(t, err3)
+			defer rsp3.Body.Close()
 
-			require.Equal(t, tt.status, rsp.StatusCode)
-			require.Equal(t, "", rsp.Header.Get("Cache-Control"))
+			require.Equal(t, tt.status, rsp3.StatusCode)
+			require.Equal(t, "", rsp3.Header.Get("Cache-Control"))
 
 			if tt.redirectBack {
-				url, err = url.Parse(rsp.Header.Get("Location"))
+				loc3, err := url.Parse(rsp3.Header.Get("Location"))
 				require.NoError(t, err)
 
-				require.Equal(t, "https", url.Scheme)
-				require.Equal(t, tt.host, url.Host)
-				require.Equal(t, tt.path, url.Path)
+				require.Equal(t, "https", loc3.Scheme)
+				require.Equal(t, tt.host, loc3.Host)
+				require.Equal(t, tt.path, loc3.Path)
 			}
 		})
 	}
diff --git a/test/acceptance/config_test.go b/test/acceptance/config_test.go
index aa568969..8e686277 100644
--- a/test/acceptance/config_test.go
+++ b/test/acceptance/config_test.go
@@ -5,6 +5,7 @@ import (
 	"net"
 	"net/http"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 )
@@ -21,7 +22,7 @@ func TestEnvironmentVariablesConfig(t *testing.T) {
 	)
 	require.NoError(t, httpListener.WaitUntilRequestSucceeds(nil))
 
-	rsp, err := GetPageFromListener(t, httpListener, "group.gitlab-example.com:", "project/")
+	rsp, err := GetPageFromListener(t, httpListener, "group.gitlab-example.com", "project/")
 
 	require.NoError(t, err)
 	rsp.Body.Close()
@@ -69,3 +70,29 @@ func TestMultipleListenersFromEnvironmentVariables(t *testing.T) {
 		require.Equal(t, http.StatusOK, rsp.StatusCode)
 	}
 }
+
+// TODO: remove along chroot https://gitlab.com/gitlab-org/gitlab-pages/-/issues/561
+func TestEnableJailFromEnvironment(t *testing.T) {
+	out, teardown := runPagesProcess(t,
+		true,
+		*pagesBinary,
+		[]ListenSpec{httpListener},
+		"",
+		[]string{
+			"DAEMON_ENABLE_JAIL=true",
+		},
+		"-domain-config-source", "disk",
+	)
+	t.Cleanup(teardown)
+
+	require.Eventually(t, func() bool {
+		require.Contains(t, out.String(), "\"daemon-enable-jail\":true")
+		return true
+	}, time.Second, 10*time.Millisecond)
+
+	rsp, err := GetPageFromListener(t, httpListener, "group.gitlab-example.com", "project/")
+
+	require.NoError(t, err)
+	rsp.Body.Close()
+	require.Equal(t, http.StatusOK, rsp.StatusCode)
+}
diff --git a/test/acceptance/helpers_test.go b/test/acceptance/helpers_test.go
index b267f1a2..472f42d1 100644
--- a/test/acceptance/helpers_test.go
+++ b/test/acceptance/helpers_test.go
@@ -245,7 +245,13 @@ func RunPagesProcessWithStubGitLabServer(t *testing.T, opts ...processOption) *L
 	source := NewGitlabDomainsSourceStub(t, processCfg.gitlabStubOpts)
 
 	gitLabAPISecretKey := CreateGitLabAPISecretKeyFixtureFile(t)
-	processCfg.extraArgs = append(processCfg.extraArgs, "-pages-root", wd, "-internal-gitlab-server", source.URL, "-api-secret-key", gitLabAPISecretKey, "-domain-config-source", "gitlab")
+	processCfg.extraArgs = append(
+		processCfg.extraArgs,
+		"-pages-root", wd,
+		"-internal-gitlab-server", source.URL,
+		"-api-secret-key", gitLabAPISecretKey,
+		"-domain-config-source", "gitlab",
+	)
 
 	logBuf, cleanup := runPagesProcess(t, processCfg.wait, processCfg.pagesBinary, processCfg.listeners, "", processCfg.envs, processCfg.extraArgs...)
 
@@ -386,11 +392,13 @@ func getPagesArgs(t *testing.T, listeners []ListenSpec, promPort string, extraAr
 	}
 
 	// most of our acceptance tests still work only with disk source
-	// TODO: remove this with -domain-config-source flag itself:
-	// https://gitlab.com/gitlab-org/gitlab-pages/-/issues/571
+	// TODO: remove this with -domain-config-source flag itself along with daemon-enable-jail:
 	// https://gitlab.com/gitlab-org/gitlab-pages/-/issues/382
+	// https://gitlab.com/gitlab-org/gitlab-pages/-/issues/561
 	if !contains(extraArgs, "-domain-config-source") {
-		args = append(args, "-domain-config-source", "disk")
+		args = append(args,
+			"-domain-config-source", "disk",
+		)
 	}
 
 	args = append(args, getPagesDaemonArgs(t)...)
author	Jaime Martinez <jmartinez@gitlab.com>	2021-07-02 05:18:39 +0300
committer	Jaime Martinez <jmartinez@gitlab.com>	2021-07-12 06:33:45 +0300
commit	4d1dcf7933442c4b062b85fe26a2aa6cc75a078d (patch)
tree	d666b9d1ed7b452a439e9c8761701acae694ffc0 /test
parent	98303e171b4e7ce5152cadb71afaded07944f92c (diff)