Add integration tests for switching between unprivileged and privileged mode.

blakerouse · blakerouse · commit df0160a98fd6 · 2024-04-30T15:12:30.000-04:00
diff --git a/testing/integration/install_test.go b/testing/integration/install_test.go
@@ -249,6 +249,17 @@ func checkInstallSuccess(t *testing.T, f *atesting.Fixture, topPath string, unpr
 		// Specific checks depending on the platform.
 		checkPlatformUnprivileged(t, f, topPath)
 	}
+
+	var output atesting.AgentStatusOutput
+	require.Eventuallyf(t, func() bool {
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		output, err = f.ExecStatus(ctx)
+		return err == nil
+	}, 3*time.Minute, 10*time.Second, "never got the status")
+
+	require.False(t, output.IsZero(), "must have an agent ID")
+	require.Equal(t, unprivileged, output.Info.Unprivileged, "unprivileged state doesn't match")
 }
 
 func randStr(length int) string {
diff --git a/testing/integration/install_windows_test.go b/testing/integration/install_windows_test.go
@@ -7,9 +7,7 @@
 package integration
 
 import (
-	"context"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/require"
 
@@ -23,15 +21,4 @@ func checkPlatformUnprivileged(t *testing.T, f *atesting.Fixture, topPath string
 	require.NoErrorf(t, err, "failed to find %s user", install.ElasticUsername)
 	_, err = install.FindGID(install.ElasticGroupName)
 	require.NoError(t, err, "failed to find %s group", install.ElasticGroupName)
-
-	var output atesting.AgentStatusOutput
-	require.Eventuallyf(t, func() bool {
-		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-		defer cancel()
-		output, err = f.ExecStatus(ctx)
-		return err == nil
-	}, 3*time.Minute, 10*time.Second, "never got the status")
-
-	require.False(t, output.IsZero(), "must have an agent ID")
-	require.True(t, output.Info.Unprivileged, "must be unprivileged")
 }
diff --git a/testing/integration/switch_privileged_test.go b/testing/integration/switch_privileged_test.go
@@ -0,0 +1,154 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build integration
+
+package integration
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	atesting "github.com/elastic/elastic-agent/pkg/testing"
+	"github.com/elastic/elastic-agent/pkg/testing/define"
+	"github.com/elastic/elastic-agent/pkg/testing/tools/testcontext"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSwitchPrivilegedWithoutBasePath(t *testing.T) {
+	define.Require(t, define.Requirements{
+		Group: Default,
+		// We require sudo for this test to run
+		// `elastic-agent install`.
+		Sudo: true,
+
+		// It's not safe to run this test locally as it
+		// installs Elastic Agent.
+		Local: false,
+	})
+
+	// Get path to Elastic Agent executable
+	fixture, err := define.NewFixture(t, define.Version())
+	require.NoError(t, err)
+
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
+	// Prepare the Elastic Agent so the binary is extracted and ready to use.
+	err = fixture.Prepare(ctx)
+	require.NoError(t, err)
+
+	// Check that default base path is clean
+	var defaultBasePath string
+	switch runtime.GOOS {
+	case "darwin":
+		defaultBasePath = `/Library`
+	case "linux":
+		defaultBasePath = `/opt`
+	case "windows":
+		defaultBasePath = `C:\Program Files`
+	}
+
+	topPath := filepath.Join(defaultBasePath, "Elastic", "Agent")
+	err = os.RemoveAll(topPath)
+	require.NoError(t, err, "failed to remove %q. The test requires this path not to exist.")
+
+	// Run `elastic-agent install`.  We use `--force` to prevent interactive
+	// execution.
+	opts := &atesting.InstallOpts{Force: true, Privileged: false}
+	out, err := fixture.Install(ctx, opts)
+	if err != nil {
+		t.Logf("install output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent was installed in default base path in unprivileged mode
+	checkInstallSuccess(t, fixture, topPath, true)
+
+	// Switch to privileged mode
+	out, err = fixture.Exec(ctx, []string{"privileged", "-f"})
+	if err != nil {
+		t.Logf("privileged output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent is running in default base path in privileged mode
+	checkInstallSuccess(t, fixture, topPath, false)
+}
+
+func TestSwitchPrivilegedWithBasePath(t *testing.T) {
+	define.Require(t, define.Requirements{
+		Group: Default,
+		// We require sudo for this test to run
+		// `elastic-agent install`.
+		Sudo: true,
+
+		// It's not safe to run this test locally as it
+		// installs Elastic Agent.
+		Local: false,
+	})
+
+	// Get path to Elastic Agent executable
+	fixture, err := define.NewFixture(t, define.Version())
+	require.NoError(t, err)
+
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
+	// Prepare the Elastic Agent so the binary is extracted and ready to use.
+	err = fixture.Prepare(ctx)
+	require.NoError(t, err)
+
+	// When running in unprivileged using a base path the
+	// base needs to be accessible by the `elastic-agent-user` user that will be
+	// executing the process, but is not created yet. Using a base that exists
+	// and is known to be accessible by standard users, ensures this tests
+	// works correctly and will not hit a permission issue when spawning the
+	// elastic-agent service.
+	var basePath string
+	switch runtime.GOOS {
+	case define.Linux:
+		basePath = `/usr`
+	case define.Windows:
+		basePath = `C:\`
+	default:
+		// Set up random temporary directory to serve as base path for Elastic Agent
+		// installation.
+		tmpDir := t.TempDir()
+		basePath = filepath.Join(tmpDir, strings.ToLower(randStr(8)))
+	}
+
+	// Run `elastic-agent install`.  We use `--force` to prevent interactive
+	// execution.
+	opts := &atesting.InstallOpts{
+		BasePath:   basePath,
+		Force:      true,
+		Privileged: false,
+	}
+	out, err := fixture.Install(ctx, opts)
+	if err != nil {
+		t.Logf("install output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent was installed in the custom base path in unprivileged mode
+	topPath := filepath.Join(basePath, "Elastic", "Agent")
+	checkInstallSuccess(t, fixture, topPath, true)
+
+	// Switch to privileged mode
+	out, err = fixture.Exec(ctx, []string{"privileged", "-f"})
+	if err != nil {
+		t.Logf("privileged output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent is running in the custom base path in privileged mode
+	checkInstallSuccess(t, fixture, topPath, false)
+}
diff --git a/testing/integration/switch_unprivileged_test.go b/testing/integration/switch_unprivileged_test.go
@@ -0,0 +1,154 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+//go:build integration
+
+package integration
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	atesting "github.com/elastic/elastic-agent/pkg/testing"
+	"github.com/elastic/elastic-agent/pkg/testing/define"
+	"github.com/elastic/elastic-agent/pkg/testing/tools/testcontext"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSwitchUnprivilegedWithoutBasePath(t *testing.T) {
+	define.Require(t, define.Requirements{
+		Group: Default,
+		// We require sudo for this test to run
+		// `elastic-agent install`.
+		Sudo: true,
+
+		// It's not safe to run this test locally as it
+		// installs Elastic Agent.
+		Local: false,
+	})
+
+	// Get path to Elastic Agent executable
+	fixture, err := define.NewFixture(t, define.Version())
+	require.NoError(t, err)
+
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
+	// Prepare the Elastic Agent so the binary is extracted and ready to use.
+	err = fixture.Prepare(ctx)
+	require.NoError(t, err)
+
+	// Check that default base path is clean
+	var defaultBasePath string
+	switch runtime.GOOS {
+	case "darwin":
+		defaultBasePath = `/Library`
+	case "linux":
+		defaultBasePath = `/opt`
+	case "windows":
+		defaultBasePath = `C:\Program Files`
+	}
+
+	topPath := filepath.Join(defaultBasePath, "Elastic", "Agent")
+	err = os.RemoveAll(topPath)
+	require.NoError(t, err, "failed to remove %q. The test requires this path not to exist.")
+
+	// Run `elastic-agent install`.  We use `--force` to prevent interactive
+	// execution.
+	opts := &atesting.InstallOpts{Force: true, Privileged: true}
+	out, err := fixture.Install(ctx, opts)
+	if err != nil {
+		t.Logf("install output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent was installed in default base path in privileged mode
+	checkInstallSuccess(t, fixture, topPath, false)
+
+	// Switch to unprivileged mode
+	out, err = fixture.Exec(ctx, []string{"unprivileged", "-f"})
+	if err != nil {
+		t.Logf("unprivileged output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent is running in default base path in unprivileged mode
+	checkInstallSuccess(t, fixture, topPath, true)
+}
+
+func TestSwitchUnprivilegedWithBasePath(t *testing.T) {
+	define.Require(t, define.Requirements{
+		Group: Default,
+		// We require sudo for this test to run
+		// `elastic-agent install`.
+		Sudo: true,
+
+		// It's not safe to run this test locally as it
+		// installs Elastic Agent.
+		Local: false,
+	})
+
+	// Get path to Elastic Agent executable
+	fixture, err := define.NewFixture(t, define.Version())
+	require.NoError(t, err)
+
+	ctx, cancel := testcontext.WithDeadline(t, context.Background(), time.Now().Add(10*time.Minute))
+	defer cancel()
+
+	// Prepare the Elastic Agent so the binary is extracted and ready to use.
+	err = fixture.Prepare(ctx)
+	require.NoError(t, err)
+
+	// When running in unprivileged using a base path the
+	// base needs to be accessible by the `elastic-agent-user` user that will be
+	// executing the process, but is not created yet. Using a base that exists
+	// and is known to be accessible by standard users, ensures this tests
+	// works correctly and will not hit a permission issue when spawning the
+	// elastic-agent service.
+	var basePath string
+	switch runtime.GOOS {
+	case define.Linux:
+		basePath = `/usr`
+	case define.Windows:
+		basePath = `C:\`
+	default:
+		// Set up random temporary directory to serve as base path for Elastic Agent
+		// installation.
+		tmpDir := t.TempDir()
+		basePath = filepath.Join(tmpDir, strings.ToLower(randStr(8)))
+	}
+
+	// Run `elastic-agent install`.  We use `--force` to prevent interactive
+	// execution.
+	opts := &atesting.InstallOpts{
+		BasePath:   basePath,
+		Force:      true,
+		Privileged: true,
+	}
+	out, err := fixture.Install(ctx, opts)
+	if err != nil {
+		t.Logf("install output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent was installed in the custom base path in privileged mode
+	topPath := filepath.Join(basePath, "Elastic", "Agent")
+	checkInstallSuccess(t, fixture, topPath, false)
+
+	// Switch to unprivileged mode
+	out, err = fixture.Exec(ctx, []string{"unprivileged", "-f"})
+	if err != nil {
+		t.Logf("unprivileged output: %s", out)
+		require.NoError(t, err)
+	}
+
+	// Check that Agent is running in the custom base path in unprivileged mode
+	checkInstallSuccess(t, fixture, topPath, true)
+}
