test: new test, verifies .conf option secure_mode

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>

test/Makefile.am

@@ -1,6 +1,6 @@
 EXTRA_DIST       = lib.sh opts.sh
 EXTRA_DIST      += api.sh local.sh unicode.sh remote.sh fwd.sh mark.sh \
-		   facility.sh notify.sh rotate_all.sh
+		   facility.sh notify.sh rotate_all.sh secure.sh
 CLEANFILES       = *~ *.trs *.log
 TEST_EXTENSIONS  = .sh
 TESTS_ENVIRONMENT= unshare -mrun
@@ -21,5 +21,6 @@ TESTS           += fwd.sh
 TESTS           += mark.sh
 TESTS           += notify.sh
 TESTS           += rotate_all.sh
+TESTS           += secure.sh
 
 programs: $(check_PROGRAMS)

test/secure.sh

@@ -0,0 +1,70 @@
+#!/bin/sh
+# Verify secure_mode changes at runtime w/o having to restart syslogd.
+# We want to ensure goint from most secure, to no security, and back,
+# works as intended.
+#
+# shellcheck disable=SC1090
+if [ x"${srcdir}" = x ]; then
+    srcdir=.
+fi
+. ${srcdir}/lib.sh
+
+MSG="Kilroy was here"
+
+set_secure_mode()
+{
+	cat <<-EOF > "${CONF}"
+		*.* @127.0.0.2
+		secure_mode=$1
+		EOF
+	if is_running; then
+		reload
+	else
+		setup -m0
+	fi
+	sleep 1
+}
+
+do_port_check()
+{
+	netstat -atnup | grep "$PORT\|PORT2"
+}
+
+check_no_port_open()
+{
+	do_port_check && FAIL "$@"
+}
+
+check_port_open()
+{
+	do_port_check || FAIL "$@"
+}
+
+check_remote_logging()
+{
+	cap_start
+	logger "$MSG"
+	cap_stop
+	cap_find "$MSG" || FAIL "Cannot find: $MSG"
+}
+
+print "Secure mode 2 - no remote no ports"
+set_secure_mode 2
+check_no_port_open "Secure mode 2, yet ports are opened!"
+
+print "Secure mode 1 - remote but no ports"
+set_secure_mode 1
+check_no_port_open "Secure mode 1, yet ports are opened!"
+check_remote_logging
+
+print "Secure mode 0 - remote and open ports"
+set_secure_mode 0
+check_remote_logging "Secure mode 0, but no ports open!"
+check_port_open
+
+print "Secure mode 1 - remote but no ports"
+set_secure_mode 1
+check_no_port_open "Secure mode 1, yet ports are opened!"
+check_remote_logging
+
+OK