diff --git a/test/Makefile.am b/test/Makefile.am
index 3c4077b..1088de4 100644
--- a/test/Makefile.am
+++ b/test/Makefile.am
@@ -1,6 +1,6 @@
 EXTRA_DIST = lib.sh opts.sh
 EXTRA_DIST += api.sh local.sh unicode.sh remote.sh fwd.sh mark.sh \
- facility.sh notify.sh rotate_all.sh
+ facility.sh notify.sh rotate_all.sh secure.sh
 CLEANFILES = *~ *.trs *.log
 TEST_EXTENSIONS = .sh
 TESTS_ENVIRONMENT= unshare -mrun
@@ -21,5 +21,6 @@ TESTS += fwd.sh
 TESTS += mark.sh
 TESTS += notify.sh
 TESTS += rotate_all.sh
+TESTS += secure.sh
 programs: $(check_PROGRAMS)
diff --git a/test/secure.sh b/test/secure.sh
new file mode 100755
index 0000000..abf5cf5
--- /dev/null
+++ b/test/secure.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+# Verify secure_mode changes at runtime w/o having to restart syslogd.
+# We want to ensure goint from most secure, to no security, and back,
+# works as intended.
+#
+# shellcheck disable=SC1090
+if [ x"${srcdir}" = x ]; then
+ srcdir=.
+fi
+. ${srcdir}/lib.sh
+
+MSG="Kilroy was here"
+
+set_secure_mode()
+{
+ cat <<-EOF > "${CONF}"
+ *.* @127.0.0.2
+ secure_mode=$1
+ EOF
+ if is_running; then
+ reload
+ else
+ setup -m0
+ fi
+ sleep 1
+}
+
+do_port_check()
+{
+ netstat -atnup | grep "$PORT\|PORT2"
+}
+
+check_no_port_open()
+{
+ do_port_check && FAIL "$@"
+}
+
+check_port_open()
+{
+ do_port_check || FAIL "$@"
+}
+
+check_remote_logging()
+{
+ cap_start
+ logger "$MSG"
+ cap_stop
+ cap_find "$MSG" || FAIL "Cannot find: $MSG"
+}
+
+print "Secure mode 2 - no remote no ports"
+set_secure_mode 2
+check_no_port_open "Secure mode 2, yet ports are opened!"
+
+print "Secure mode 1 - remote but no ports"
+set_secure_mode 1
+check_no_port_open "Secure mode 1, yet ports are opened!"
+check_remote_logging
+
+print "Secure mode 0 - remote and open ports"
+set_secure_mode 0
+check_remote_logging "Secure mode 0, but no ports open!"
+check_port_open
+
+print "Secure mode 1 - remote but no ports"
+set_secure_mode 1
+check_no_port_open "Secure mode 1, yet ports are opened!"
+check_remote_logging
+
+OK
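Review bot: In the "Secure mode 0" block the failure message is handed to `check_remote_logging`, which ignores its arguments, while `check_port_open` is called with none, so the only positive port assertion in the test would fail with an empty message; the two lines should read `check_remote_logging` and `check_port_open "Secure mode 0, but no ports open!"`. In `do_port_check` the second grep alternative is the literal string `PORT2` rather than a variable, so a listener on the second port (presumably `$PORT2` from lib.sh, which is outside this diff) would not trip `check_no_port_open` in modes 1 and 2. `netstat -atnup | grep "$PORT\|$PORT2"` looks like the intent, ideally anchored on the `:port` column so that a PID or an unrelated port containing the same digits cannot match. The mode 2 step asserts only that no ports are open; nothing checks that the `*.* @127.0.0.2` forward is actually suppressed there, so a regression that leaves remote sending enabled in the most restrictive mode would still pass.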