tests: add prompting tests for writes actioned by other pid

Signed-off-by: Oliver Calder <oliver.calder@canonical.com>

tests/main/apparmor-prompting-integration-tests/create_multiple_actioned_by_other_pid_always_allow.json

@@ -0,0 +1,55 @@
+{
+  "version": 1,
+  "prompt-filter": {
+    "snap": "prompting-client",
+    "interface": "home",
+    "constraints": {
+      "path": "$BASE_PATH/.*"
+    }
+  },
+  "prompts": [
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test1.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test2.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test3.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test4.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": {
+        "action": "allow",
+        "lifespan": "forever",
+        "constraints": {
+          "path-pattern": "${BASE_PATH}/test*.txt",
+          "permissions": [ "write" ]
+        }
+      }
+    }
+  ]
+}

tests/main/apparmor-prompting-integration-tests/create_multiple_actioned_by_other_pid_always_allow.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/sh
+
+# A test that replying with allow forever actions previous matching prompts.
+
+TEST_DIR="$1"
+
+WRITABLE="$(snap run --shell prompting-client.scripted -c "cd ~; pwd")/$(basename "$TEST_DIR")"
+snap run --shell prompting-client.scripted -c "mkdir -p $WRITABLE"
+
+for name in test1.txt test2.txt test3.txt ; do
+	echo "Attempt to write $name in the background"
+	snap run --shell prompting-client.scripted -c "echo started > ${WRITABLE}/${name}; echo $name is written > ${TEST_DIR}/${name}" &
+	timeout 10 sh -c "while ! [ -f '${WRITABLE}/${name}' ] ; do sleep 0.1 ; done"
+done
+
+echo "Attempt to write test4.txt (for which client will reply)"
+snap run --shell prompting-client.scripted -c "echo test4.txt is written > ${TEST_DIR}/test4.txt"
+
+# Wait for the client to write its result and exit
+timeout 5 sh -c 'while pgrep -f "prompting-client-scripted" > /dev/null; do sleep 0.1; done'
+
+CLIENT_OUTPUT="$(cat "${TEST_DIR}/result")"
+
+if [ "$CLIENT_OUTPUT" != "success" ] ; then
+	echo "test failed"
+	echo "output='$CLIENT_OUTPUT'"
+	exit 1
+fi
+
+for name in test1.txt test2.txt test3.txt test4.txt; do
+	TEST_OUTPUT="$(cat "${TEST_DIR}/${name}")"
+	if [ "$TEST_OUTPUT" != "$name is written" ] ; then
+		echo "file creation failed for $name"
+		exit 1
+	fi
+done

tests/main/apparmor-prompting-integration-tests/create_multiple_actioned_by_other_pid_always_deny.json

@@ -0,0 +1,55 @@
+{
+  "version": 1,
+  "prompt-filter": {
+    "snap": "prompting-client",
+    "interface": "home",
+    "constraints": {
+      "path": "$BASE_PATH/.*"
+    }
+  },
+  "prompts": [
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test1.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test2.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test3.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test4.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": {
+        "action": "deny",
+        "lifespan": "forever",
+        "constraints": {
+          "path-pattern": "${BASE_PATH}/test*.txt",
+          "permissions": [ "write" ]
+        }
+      }
+    }
+  ]
+}

tests/main/apparmor-prompting-integration-tests/create_multiple_actioned_by_other_pid_always_deny.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/sh
+
+# A test that replying with allow forever actions previous matching prompts.
+
+TEST_DIR="$1"
+
+WRITABLE="$(snap run --shell prompting-client.scripted -c "cd ~; pwd")/$(basename "$TEST_DIR")"
+snap run --shell prompting-client.scripted -c "mkdir -p $WRITABLE"
+
+for name in test1.txt test2.txt test3.txt ; do
+	echo "Attempt to write $name in the background"
+	snap run --shell prompting-client.scripted -c "echo started > ${WRITABLE}/${name}; echo $name is written > ${TEST_DIR}/${name}" &
+	timeout 10 sh -c "while ! [ -f '${WRITABLE}/${name}' ] ; do sleep 0.1 ; done"
+done
+
+echo "Attempt to write test4.txt (for which client will reply)"
+snap run --shell prompting-client.scripted -c "echo test4.txt is written > ${TEST_DIR}/test4.txt"
+
+# Wait for the client to write its result and exit
+timeout 5 sh -c 'while pgrep -f "prompting-client-scripted" > /dev/null; do sleep 0.1; done'
+
+CLIENT_OUTPUT="$(cat "${TEST_DIR}/result")"
+
+if [ "$CLIENT_OUTPUT" != "success" ] ; then
+	echo "test failed"
+	echo "output='$CLIENT_OUTPUT'"
+	exit 1
+fi
+
+for name in test1.txt test2.txt test3.txt test4.txt; do
+	if [ -f "${TEST_DIR}/${name}" ] ; then
+		echo "file creation unexpectedly succeeded for $name"
+		exit 1
+	fi
+done

tests/main/apparmor-prompting-integration-tests/create_multiple_allow.sh

@@ -24,12 +24,12 @@ fi
 for name in test1.txt test2.md test3.pdf ; do
 	TEST_OUTPUT="$(cat "${TEST_DIR}/${name}")"
 	if [ "$TEST_OUTPUT" != "$name is written" ] ; then
-		echo "file creation failed"
+		echo "file creation failed for $name"
 		exit 1
 	fi
 done
 
 if [ -f "${TEST_DIR}/fail.txt" ] ; then
-	echo "file creation unexpectedly succeeded"
+	echo "file creation unexpectedly succeeded for fail.txt"
 	exit 1
 fi

tests/main/apparmor-prompting-integration-tests/create_multiple_deny.sh

@@ -23,13 +23,13 @@ fi
 
 for name in test1.txt test2.md test3.pdf ; do
 	if [ -f "${TEST_DIR}/${name}" ] ; then
-		echo "file creation unexpectedly succeeded"
+		echo "file creation unexpectedly succeeded for $name"
 		exit 1
 	fi
 done
 
 TEST_OUTPUT="$(cat "${TEST_DIR}/succeed.txt")"
 if [ "$TEST_OUTPUT" != "succeed.txt is written" ] ; then
-	echo "file creation failed"
+	echo "file creation failed for succeed.txt"
 	exit 1
 fi

tests/main/apparmor-prompting-integration-tests/create_multiple_not_actioned_by_other_pid_single_allow.json

@@ -0,0 +1,87 @@
+{
+  "version": 1,
+  "prompt-filter": {
+    "snap": "prompting-client",
+    "interface": "home",
+    "constraints": {
+      "path": "$BASE_PATH/.*"
+    }
+  },
+  "prompts": [
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test1.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test2.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test3.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": null
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test4.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": {
+        "action": "allow",
+        "lifespan": "single",
+        "constraints": {
+          "path-pattern": "${BASE_PATH}/test*.txt",
+          "permissions": [ "write" ]
+        }
+      }
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test4.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": {
+        "action": "allow",
+        "lifespan": "single",
+        "constraints": {
+          "path-pattern": "${BASE_PATH}/test*.txt",
+          "permissions": [ "write" ]
+        }
+      }
+    },
+    {
+      "prompt-filter": {
+        "constraints": {
+          "path": ".*/test5.txt",
+          "requested-permissions": [ "write" ]
+        }
+      },
+      "reply": {
+        "action": "deny",
+        "lifespan": "forever",
+        "constraints": {
+          "path-pattern": "${BASE_PATH}/test*.txt",
+          "permissions": [ "write" ]
+        }
+      }
+    }
+  ]
+}

tests/main/apparmor-prompting-integration-tests/create_multiple_not_actioned_by_other_pid_single_allow.sh

@@ -0,0 +1,44 @@
+#!/usr/bin/sh
+
+# A test that replying with allow forever actions previous matching prompts.
+
+TEST_DIR="$1"
+
+WRITABLE="$(snap run --shell prompting-client.scripted -c "cd ~; pwd")/$(basename "$TEST_DIR")"
+snap run --shell prompting-client.scripted -c "mkdir -p $WRITABLE"
+
+for name in test1.txt test2.txt test3.txt ; do
+	echo "Attempt to write $name in the background"
+	snap run --shell prompting-client.scripted -c "echo started > ${WRITABLE}/${name}; echo $name is written > ${TEST_DIR}/${name}" &
+	timeout 10 sh -c "while ! [ -f '${WRITABLE}/${name}' ] ; do sleep 0.1 ; done"
+done
+
+echo "Attempt to write test4.txt (for which client will reply allow single)"
+snap run --shell prompting-client.scripted -c "echo test4.txt is written > ${TEST_DIR}/test4.txt"
+
+echo "Attempt to write test5.txt (for which client will reply deny forever)"
+snap run --shell prompting-client.scripted -c "echo test5.txt is written > ${TEST_DIR}/test5.txt"
+
+# Wait for the client to write its result and exit
+timeout 5 sh -c 'while pgrep -f "prompting-client-scripted" > /dev/null; do sleep 0.1; done'
+
+CLIENT_OUTPUT="$(cat "${TEST_DIR}/result")"
+
+if [ "$CLIENT_OUTPUT" != "success" ] ; then
+	echo "test failed"
+	echo "output='$CLIENT_OUTPUT'"
+	exit 1
+fi
+
+TEST_OUTPUT="$(cat "${TEST_DIR}/test4.txt")"
+if [ "$TEST_OUTPUT" != "test4.txt is written" ] ; then
+	echo "file creation failed for test4.txt"
+	exit 1
+fi
+
+for name in test1.txt test2.txt test3.txt test5.txt; do
+	if [ -f "${TEST_DIR}/${name}" ] ; then
+		echo "file creation unexpectedly succeeded for $name"
+		exit 1
+	fi
+done