allow _daemon_ user to run sudo (#46)

canonical · May 15, 2024 · 94e8d41 · 94e8d41
1 parent 9a71adf
commit 94e8d41
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 3 deletions.
diff --git a/.github/workflows/integration_test.yaml b/.github/workflows/integration_test.yaml
@@ -13,5 +13,5 @@ jobs:
         chmod +x tests/integration/pre_run_script.sh
         ./tests/integration/pre_run_script.sh"
       extra-arguments: |
-        --kube-config ${GITHUB_WORKSPACE}/kube-config
+        --kube-config=${GITHUB_WORKSPACE}/kube-config
       modules: '["test_agent_k8s.py"]'
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1 @@
+CVE-2023-45288
diff --git a/jenkins_agent_k8s_rock/rockcraft.yaml b/jenkins_agent_k8s_rock/rockcraft.yaml
@@ -14,11 +14,14 @@ run-user: _daemon_
 parts:
   jenkins:
     plugin: nil
+    build-packages:
+      - sudo
     overlay-packages:
       - bash
       - ca-certificates-java
       - default-jre-headless
       - git
+      - sudo
     override-prime: |
       craftctl default
       /bin/bash -c "mkdir -p --mode=775 var/{lib/jenkins,lib/jenkins/agents,log/jenkins}"
@@ -38,3 +41,5 @@ parts:
     override-prime: |
       craftctl default
       /bin/bash -c "chown -R 584792:584792 $CRAFT_PRIME/var/{lib/jenkins,log/jenkins}"
+      echo "_daemon_ ALL=NOPASSWD: ALL" >> $CRAFT_PRIME/etc/sudoers
+      visudo -c
diff --git a/src/state.py b/src/state.py
@@ -65,8 +65,8 @@ def from_charm_config(cls, config: ops.ConfigData) -> typing.Optional["JenkinsCo
             JenkinsConfig if configuration exists, None otherwise.
         """
         server_url = config.get("jenkins_url")
-        agent_name_config = config.get("jenkins_agent_name")
-        agent_token_config = config.get("jenkins_agent_token")
+        agent_name_config = str(config.get("jenkins_agent_name"))
+        agent_token_config = str(config.get("jenkins_agent_token"))
         # None represents an unset Jenkins configuration values, meaning configuration values from
         # relation would be used.
         if not server_url and not agent_name_config and not agent_token_config:

diff --git a/tests/integration/test_agent_k8s.py b/tests/integration/test_agent_k8s.py
@@ -58,3 +58,26 @@ def containers_ready() -> bool:
     await wait_for(containers_ready, timeout=60 * 10)
     await wait_for(node.is_online, timeout=60 * 10)
     assert node.is_online(), "Node not online."
+
+
+async def test_agent_run_sudo(
+    application: Application,
+):
+    """
+    arrange: given a jenkins-agent-k8s charm.
+    act: Check if the _daemon_ user is allowed to run sudo commands.
+    assert: the _daemon_ user has the correct sudo privileges.
+    """
+    unit = application.units[0]
+    pebble_exec = (
+        "PEBBLE_SOCKET=/charm/containers/jenkins-agent-k8s/pebble.socket "
+        "pebble exec --user=_daemon_"
+    )
+    full_command = f"{pebble_exec} -- sudo -l"
+    logger.info("Enable plugins command: %s", full_command)
+
+    action = await unit.run(full_command)
+    await action.wait()
+
+    assert action.results["return-code"] == 0, action.results["stderr"]
+    assert "NOPASSWD" in action.results["stdout"]