From a8ac33d3abb0db449158c8b10f43c1567ce4208d Mon Sep 17 00:00:00 2001
From: Shishir Mahajan
Date: Thu, 4 Mar 2021 12:55:18 -0800
Subject: [PATCH] Add allow_privileged integration test.
---
example/privileged_not_allowed.nomad | 21 +++++++++
...lume_mount.sh => 005-test-volume-mount.sh} | 0
tests/008-test-allow-privileged.sh | 47 +++++++++++++++++++
tests/run_tests.sh | 20 +-------
tests/utils.sh | 22 +++++++++
5 files changed, 92 insertions(+), 18 deletions(-)
create mode 100644 example/privileged_not_allowed.nomad
rename tests/{005-test-volume_mount.sh => 005-test-volume-mount.sh} (100%)
create mode 100755 tests/008-test-allow-privileged.sh
diff --git a/example/privileged_not_allowed.nomad b/example/privileged_not_allowed.nomad
new file mode 100644
index 0000000..3823b8d
--- /dev/null
+++ b/example/privileged_not_allowed.nomad
@@ -0,0 +1,21 @@
+job "privileged-not-allowed" {
+ datacenters = ["dc1"]
+
+ group "privileged-not-allowed-group" {
+ task "privileged-not-allowed-task" {
+ driver = "containerd-driver"
+
+ config {
+ image = "ubuntu:16.04"
+ command = "sleep"
+ args = ["600s"]
+ privileged = true
+ }
+
+ resources {
+ cpu = 500
+ memory = 256
+ }
+ }
+ }
+}
diff --git a/tests/005-test-volume_mount.sh b/tests/005-test-volume-mount.sh
similarity index 100%
rename from tests/005-test-volume_mount.sh
rename to tests/005-test-volume-mount.sh
diff --git a/tests/008-test-allow-privileged.sh b/tests/008-test-allow-privileged.sh
new file mode 100755
index 0000000..87769c1
--- /dev/null
+++ b/tests/008-test-allow-privileged.sh
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+source $SRCDIR/utils.sh
+job_name=privileged-not-allowed
+
+# allow_privileged=false set in the plugin config, should deny all privileged jobs.
+test_allow_privileged() {
+ pushd ~/go/src/github.com/Roblox/nomad-driver-containerd/example
+
+ cp agent.hcl agent.hcl.bkp
+
+ sed -i '8 i \ allow_privileged = false' agent.hcl
+ sudo systemctl restart nomad
+ is_systemd_service_active "nomad.service" true
+
+ echo "INFO: Starting nomad ${job_name} job using nomad-driver-containerd."
+ nomad job run privileged_not_allowed.nomad
+ # Sleep for 5 seconds, to allow ${alloc_id} to get populated.
+ sleep 5s
+
+ echo "INFO: Checking status of ${job_name} job."
+ alloc_id=$(nomad job status ${job_name}|grep failed|awk 'NR==1'|cut -d ' ' -f 1)
+ output=$(nomad alloc status $alloc_id)
+ echo -e "$output" |grep "Running privileged jobs are not allowed" &>/dev/null
+ if [ $? -ne 0 ];then
+ echo "ERROR: ${job_name} should have failed to run."
+ return 1
+ fi
+
+ echo "INFO: purge nomad ${job_name} job."
+ nomad job stop -purge ${job_name}
+
+ mv agent.hcl.bkp agent.hcl
+ popd
+}
+
+cleanup() {
+ if [ -f agent.hcl.bkp ]; then
+ mv agent.hcl.bkp agent.hcl
+ fi
+ sudo systemctl restart nomad
+ is_systemd_service_active "nomad.service" false
+}
+
+trap cleanup EXIT
+
+test_allow_privileged
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
index 85eb83c..8adc4fe 100755
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -132,7 +132,7 @@ EOF
 sudo systemctl unmask containerd
 echo "INFO: Starting containerd daemon."
 sudo systemctl start containerd
- is_systemd_service_active "containerd.service"
+ is_systemd_service_active "containerd.service" false
 # Remove default golang (1.7.3) and install a custom version (1.14.3) of golang.
 # This is required for supporting go mod, and to be able to compile nomad-driver-containerd.
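Review bot: The failure path of `test_allow_privileged` (the `return 1` after the grep) leaves the `privileged-not-allowed` job registered in Nomad, and `cleanup` then restores the original `agent.hcl` and restarts Nomad; if the restored config does not set `allow_privileged = false` and Nomad reschedules the failed allocation, a privileged container could actually start on the test host, which is the very outcome this test exists to prevent. Purge the job in the trap handler regardless of the test outcome, before the config is restored: `nomad job stop -purge "${job_name}" >/dev/null 2>&1 || true` as the first line of `cleanup`. Two smaller points in the same hunk: `cleanup` checks `-f agent.hcl.bkp` relative to whatever the cwd is when the trap fires (the example directory only when the function never reached `popd`), so it should use an absolute path such as `"${example_dir}/agent.hcl.bkp"`; and `sed -i '8 i ...'` assumes line 8 of `agent.hcl` sits inside the plugin config stanza, so a layout change there surfaces as a Nomad start-up timeout rather than a test bug — anchoring the insert on a stable marker line of the stanza, if `agent.hcl` has one, would be less brittle. The grep pipeline would also read better as `if ! grep -q "Running privileged jobs are not allowed" <<<"$output"; then`.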
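Review bot: This call now depends on `is_systemd_service_active` being defined in `tests/utils.sh`, since the later hunk removes the copy that lived in this file, so `run_tests.sh` has to source `utils.sh` before this line runs; no `source` line is visible in this diff, so please confirm one exists or add `source "$(dirname "$0")/utils.sh"` near the top of the script. The enclosing function starts and ends outside the hunk.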
@@ -184,7 +184,7 @@ EOF
 echo "INFO: Starting nomad server and nomad-driver-containerd."
 sudo systemctl start nomad
- is_systemd_service_active "nomad.service"
+ is_systemd_service_active "nomad.service" false
 popd
 }
@@ -216,20 +216,4 @@ is_containerd_driver_active() {
 fi
 }
-is_systemd_service_active() {
- local service_name=$1
- i="0"
- while test $i -lt 5 && !(systemctl -q is-active "$service_name"); do
- printf "INFO: %s is down, sleep for 4 seconds.\n" $service_name
- sleep 4s
- i=$[$i+1]
- done
-
- if [ $i -ge 5 ]; then
- printf "ERROR: %s didn't come up. exit 1.\n" $service_name
- exit 1
- fi
- printf "INFO: %s is up and running\n" $service_name
-}
-
 main "$@"
diff --git a/tests/utils.sh b/tests/utils.sh
index 32fa011..8c69d3a 100755
--- a/tests/utils.sh
+++ b/tests/utils.sh
@@ -25,3 +25,25 @@ is_container_active() {
 exit 1
 fi
 }
+
+is_systemd_service_active() {
+ local service_name=$1
+ local is_sleep=$2
+
+ i="0"
+ while test $i -lt 5 && !(systemctl -q is-active "$service_name"); do
+ printf "INFO: %s is down, sleep for 4 seconds.\n" $service_name
+ sleep 4s
+ i=$[$i+1]
+ done
+
+ if [ $i -ge 5 ]; then
+ printf "ERROR: %s didn't come up. exit 1.\n" $service_name
+ exit 1
+ fi
+
+ if [ "$is_sleep" = true ]; then
+ sleep 7s
+ fi
+ printf "INFO: %s is up and running\n" $service_name
+}
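Review bot: `is_systemd_service_active` in the `utils.sh` hunk declares a service "up and running" as soon as `systemctl is-active` succeeds, and the new `is_sleep` branch papers over the gap between "active" and "ready" with a blind `sleep 7s` — a magic number that either wastes time or races on a slower host. Replace it with a readiness poll if the service exposes one, or at least document why it is there: `# systemd "active" only means the process started; callers that submit jobs right away need the agent to finish initialising — TODO replace with a readiness check`. Style nits in the same function: `!(systemctl -q is-active "$service_name")` forks a subshell for nothing and `$[ ]` is obsolete bash arithmetic, so `while [ "$i" -lt 5 ] && ! systemctl -q is-active -- "$service_name"; do` and `i=$((i+1))` are the idiomatic forms; quote `"$service_name"` in the `printf` calls, make `i` `local`, and give `is_sleep` a name that says what it waits for (e.g. `wait_for_ready`). Because the helper calls `exit 1`, a test script that sources it aborts mid-run when the service never comes up — the intended fail-closed behaviour, but worth a one-line comment at the top of the function.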