From 253412b0bbf4797f4645bcd9439c06e8f894adf7 Mon Sep 17 00:00:00 2001
From: Ian Jackson <ijackson@chiark.greenend.org.uk>
Date: Fri, 6 Jan 2023 23:38:55 +0000
Subject: [PATCH] Add autopkgtest that tests a full-on setup

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
---
 adt/acleanup         |  20 +++++
 adt/acommon          | 192 +++++++++++++++++++++++++++++++++++++++++++
 adt/adt-full         |  36 ++++++++
 adt/in-              |  14 ++++
 debian/control       |   6 +-
 debian/tests/control |   8 ++
 6 files changed, 274 insertions(+), 2 deletions(-)
 create mode 100755 adt/acleanup
 create mode 100644 adt/acommon
 create mode 100755 adt/adt-full
 create mode 100755 adt/in-
 create mode 100644 debian/tests/control

diff --git a/adt/acleanup b/adt/acleanup
new file mode 100755
index 0000000..6a5472f
--- /dev/null
+++ b/adt/acleanup
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+. "${0%/*}"/acommon
+
+if [ "$AUTOPKGTEST_TMP" ]; then
+    tname="autopkgtest"
+    tmp="$AUTOPKGTEST_TMP"
+    host-cleanup client
+    host-cleanup server
+else
+    for tmp in tmp/adt-*; do
+	tname=${tmp#tmp/}
+	host-cleanup client
+	host-cleanup server
+	rm -r "$tmp"
+    done
+fi
+
+echo ok.
diff --git a/adt/acommon b/adt/acommon
new file mode 100644
index 0000000..98ae119
--- /dev/null
+++ b/adt/acommon
@@ -0,0 +1,192 @@
+# -*- shell-script -*-
+# Copyright 2021-2022 Ian Jackson and contributors to Hippotat
+# SPDX-License-Identifier: GPL-3.0-or-later WITH LicenseRef-Hippotat-OpenSSL-Exception
+# There is NO WARRANTY.
+
+set -o pipefail
+set -x
+
+. "${0%/*}"/../test/tcommon
+
+test-prep () {
+    determine-tname adt
+
+    if [ "$AUTOPKGTEST_TMP" ]; then
+	tmp=$AUTOPKGTEST_TMP
+    else
+	tmp=$PWD/tmp/$tname
+	host-pre-cleanup
+	mkdir -p tmp
+	rm -rf "$tmp"
+	mkdir "$tmp"
+    fi
+}
+
+filesystem-prep () {
+    cs=$1; shift
+    # expects $tmp to be set to test-specific temp dir (abs path)
+
+    host-cleanup $cs
+
+    mkdir "$tmp"/$cs-overlay
+    
+    for fs in root home; do
+	case "$fs" in
+	    root)	lower=/		;;
+	    home)	lower=/home	;;
+	    *) x-internal-error	;;
+	esac
+
+	rm -rf "$tmp"/$cs-$fs-{upper,work}
+	mkdir "$tmp"/$cs-$fs-{upper,work}
+
+	mount -t overlay -o \
+ lowerdir=$lower,upperdir="$tmp"/$cs-$fs-upper,workdir="$tmp"/$cs-$fs-work \
+	      none "$tmp"/$cs-overlay$lower
+    done
+    mount -o bind,ro /dev "$tmp"/$cs-overlay/dev
+}
+
+host-pre-cleanup () {
+    host-cleanup client
+    host-cleanup server
+}
+
+host-cleanup () {
+    cs=$1; shift
+    fuser -Mkm "$tmp"/$cs-overlay ||:
+    umount "$tmp"/$cs-overlay/proc ||:
+    umount "$tmp"/$cs-overlay/dev ||:
+    umount "$tmp"/$cs-overlay/home ||:
+    umount "$tmp"/$cs-overlay ||:
+    umount "$tmp"/$cs-pidns ||:
+    if test -d "$tmp"/$cs-overlay; then
+	rmdir "$tmp"/$cs-overlay
+    fi
+}
+
+pidnamespace-prep () {
+    cs=$1; shift
+    touch "$tmp"/$cs-pidns
+    rm -f "$tmp"/$cs-overlay/adt-pidns-sentinel
+    mkfifo -m 600 "$tmp"/$cs-overlay/adt-pidns-sentinel
+    unshare --fork --pid="$tmp"/$cs-pidns \
+	    chroot "$tmp"/$cs-overlay \
+	    sh -ec '
+		mount -t proc none /proc
+		>/adt-pidns-sentinel
+		sleep 10000000
+	    ' &
+    cat "$tmp"/$cs-overlay/adt-pidns-sentinel
+}
+
+configure () {
+    cs=$1; shift
+    in- $cs dd <<END of=/etc/hippotat/secrets.d/alice
+[sam 192.0.2.3]
+secret = sesame
+END
+    in- $cs dd <<END of=/etc/hippotat/main.cfg
+[COMMON]
+server = sam
+
+[sam]
+addrs = 198.51.100.1
+port = 443
+vnetwork = 192.0.2.0/24
+END
+
+    in- $cs bash -xe <<'END'
+	ln -s ../services-available/ipif /etc/userv/services.d/ipif
+END
+
+    configure-$cs
+}
+
+configure-client () {
+    in- client bash -xe <<'ENDC'
+	dd of=/etc/userv/ipif-access/hippo-client <<END
+permit group _hippotat ifname hippo%d hostnet 192.0.2.3/24
+END
+ENDC
+}
+configure-server () {
+    in- server bash -xe <<'ENDS'
+	f=/etc/authbind/byport/443
+	touch $f
+	chgrp _hippotat $f
+	chmod 554 $f
+
+	dd of=/etc/userv/ipif-access/hippo-server <<END
+permit group _hippotat ifname shippo%d hostnet 192.0.2.1/24
+END
+ENDS
+}
+
+setup-host () {
+    cs=$1; shift
+    filesystem-prep $cs
+    pidnamespace-prep $cs
+
+#    in- $cs ps -efH
+#false
+
+    in- $cs bash -xec '
+	if test -h /var/cache/apt/archives &&
+         ! test -d /var/cache/apt/archives; then
+	    rm /var/cache/apt/archives
+	fi
+    '
+
+    : remove redundant packages
+#    apt-mark showmanual |sort >$tmp/$cs-mark-manual
+    perl -ne '
+	next unless m{^Tests:.*\s'"$tname"'\s}..m{^$};
+	next unless m{^Depends:}...m{^\S};
+	s{^Depends:}{ };
+	next if m{^\S};
+	print $_, "\n" foreach split m{[\s,]+};
+    ' debian/tests/control |sort >$tmp/$cs-unwanted-deps
+    local unwanted_deps=$(perl -ne '
+	next if m{^(?:userv-utils|libnetaddr-ip-perl|net-tools)$};
+	next if m{^hippotat-'"$cs"'$};
+	next if m{^(?:iptables|rsyslog|authbind)$} && '"$cs"' eq "server";
+	print;
+    ' $tmp/$cs-unwanted-deps)
+#    join $tmp/$cs-unwanted-deps
+    in- $cs apt-mark auto $unwanted_deps
+    in- $cs apt-get -y autoremove
+
+    in- $cs service userv start
+    in- $cs service rsyslog start
+
+    configure $cs
+
+    finish-setup-host-$cs
+}
+
+finish-setup-host-client () {
+    yes '' | \
+    in- client adduser --disabled-password user ||:
+    in- client adduser user _hippotat
+}
+finish-setup-host-server () {
+    in- server iptables -D INPUT -j empty -s 192.0.2.0/24 ||:
+    in- server iptables -N empty ||:
+    in- server iptables -I INPUT -j empty -s 192.0.2.0/24
+}
+
+in- () {
+    cs=$1; shift
+    in-ns $cs \
+	  nsenter --pid="$tmp"/$cs-pidns \
+	  chroot "$tmp"/$cs-overlay \
+	  "$@"
+}
+
+setup-pair () {
+    test-prep
+    $test/netns-setup $tname
+    setup-host client
+    setup-host server
+}
diff --git a/adt/adt-full b/adt/adt-full
new file mode 100755
index 0000000..f23ce51
--- /dev/null
+++ b/adt/adt-full
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
+# Tests a "full" setup.  Specifically, a setup including
+# userv-ipif, authbind, and with the iptables check not defeated.
+#
+# The server is run via the init script.
+# The client is run by hand as a user "user".
+
+set -e
+. "${0%/*}"/acommon
+
+setup-pair
+
+in- server sh -x /etc/init.d/userv start
+
+in- server service hippotatd restart
+
+in-ns-await-up server 192.0.2.1
+
+in- client su user -c hippotat &
+clientpid=$!
+
+in-ns-await-up client 192.0.2.3
+
+in-ns client \
+      env LC_MESSAGES=C \
+      ping -i 0.1 -c 100 192.0.2.1 \
+    | tee $tmp/ping
+
+grep ' 0% packet loss' $tmp/ping
+
+echo tests passed, cleaning up.
+
+$src/adt/acleanup
+
+echo ok.
diff --git a/adt/in- b/adt/in-
new file mode 100755
index 0000000..a4e6a2d
--- /dev/null
+++ b/adt/in-
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+. "${0%/*}"/acommon
+
+tname="$1"; shift
+cs="$1"; shift
+
+if [ "$AUTOPKGTEST_TMP" ]; then
+    tmp=$AUTOPKGTEST_TMP
+else
+    tmp=$PWD/tmp/$tname
+fi
+
+in- $cs "$@"
diff --git a/debian/control b/debian/control
index 8d6393b..82b2820 100644
--- a/debian/control
+++ b/debian/control
@@ -46,7 +46,8 @@ Package: hippotat-client
 Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}, hippotat-common
 Recommends: hippotat-doc,
-            userv, userv-utils (>= 0.6.0~~iwj4), libnetaddr-ip-perl
+            userv, userv-utils (>= 0.6.0~~iwj4),
+            libnetaddr-ip-perl, net-tools
 Description: IP Over HTTP (Asinine) - client
  IP-over-HTTP client.
  .
@@ -62,7 +63,8 @@ Architecture: any
 Depends: ${misc:Depends}, ${shlibs:Depends}, hippotat-common, lsb-base
 Pre-Depends: ${misc:Pre-Depends}
 Recommends: hippotat-doc,
-            userv, userv-utils (>= 0.6.0~~iwj4), libnetaddr-ip-perl,
+            userv, userv-utils (>= 0.6.0~~iwj4),
+            libnetaddr-ip-perl, net-tools,
             iptables, rsyslog | system-log-daemon
 Suggests: authbind
 Description: IP Over HTTP (Asinine) - server
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..b4d03fd
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,8 @@
+Tests: adt-full
+Tests-Directory: adt
+Depends:
+  hippotat-client, hippotat-server,
+  userv-utils, libnetaddr-ip-perl, net-tools,
+  rsyslog, authbind, iptables,
+  bash, iproute2, util-linux, iputils-ping
+Restrictions: needs-root, allow-stderr
-- 
2.30.2