src/test/shell/bazel/bazel_hermetic_sandboxing_test.sh - bazel - Git at Google

 #!/bin/bash
 #
 # Copyright 2015 The Bazel Authors. All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #    http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # Test hermetic Linux sandbox
 #


 # Load test environment
 # Load the test setup defined in the parent directory
 CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${CURRENT_DIR}/../integration_test_setup.sh" \
   || { echo "integration_test_setup.sh not found!" >&2; exit 1; }
 source ${CURRENT_DIR}/../sandboxing_test_utils.sh \
   || { echo "sandboxing_test_utils.sh not found!" >&2; exit 1; }

 cat >>$TEST_TMPDIR/bazelrc <<'EOF'
 # Testing the sandboxed strategy requires using the sandboxed strategy. While it is the default,
 # we want to make sure that this explicitly fails when the strategy is not available on the system
 # running the test.
 # The hermetic sandbox requires the Linux sandbox.
 build --spawn_strategy=sandboxed
 build --experimental_use_hermetic_linux_sandbox
 build --sandbox_fake_username
 EOF

 # For the test to work we need to bind mount a couple of folders to
 # get access to bash, ls, python etc. Depending on linux distribution
 # these folders may vary. Mount all folders in the root directory '/'
 # except the project directory, the directory containing the bazel
 # workspace under test.
 project_folder=`pwd | cut -d"/" -f 2`
 for folder in /*/
 do
   if [ -d "$folder" ] && [ "$folder" != "/$project_folder/" ]
   then
     if [[ -L $folder ]]
     then
       # Get resolved link
       linked_folder=`readlink -f $folder`
       echo "build --sandbox_add_mount_pair=/$linked_folder:$folder" >> $TEST_TMPDIR/bazelrc
     else
       echo "build --sandbox_add_mount_pair=$folder" >> $TEST_TMPDIR/bazelrc
     fi
   fi
 done

 function set_up {
   export BAZEL_GENFILES_DIR=$(bazel info bazel-genfiles 2>/dev/null)
   export BAZEL_BIN_DIR=$(bazel info bazel-bin 2>/dev/null)

   sed -i.bak '/sandbox_tmpfs_path/d' $TEST_TMPDIR/bazelrc

   mkdir -p examples/hermetic

   cat << 'EOF' > examples/hermetic/unknown_file.txt
 text inside this file
 EOF

   ABSOLUTE_PATH=$CURRENT_DIR/workspace/examples/hermetic/unknown_file.txt

   # In this case the ABSOLUTE_PATH will be expanded
   # and the absolute path will be written to script_absolute_path.sh
   cat << EOF > examples/hermetic/script_absolute_path.sh
 #! /bin/sh
 ls ${ABSOLUTE_PATH}
 EOF

   chmod 777 examples/hermetic/script_absolute_path.sh

   cat << 'EOF' > examples/hermetic/script_symbolic_link.sh
 #! /bin/sh
 OUTSIDE_SANDBOX_DIR=$(dirname $(realpath $0))
 cat $OUTSIDE_SANDBOX_DIR/unknown_file.txt
 EOF

   chmod 777 examples/hermetic/script_symbolic_link.sh

   touch examples/hermetic/import_module.py

   cat << 'EOF' > examples/hermetic/py_module_test.py
 import import_module
 EOF

   cat << 'EOF' > examples/hermetic/BUILD
 genrule(
   name = "absolute_path",
   srcs = ["script_absolute_path.sh"], # unknown_file.txt not referenced.
   outs = [ "absolute_path.txt" ],
   cmd = "./$(location :script_absolute_path.sh) > $@",
 )

 genrule(
   name = "symbolic_link",
   srcs = ["script_symbolic_link.sh"], # unknown_file.txt not referenced.
   outs = ["symbolic_link.txt"],
   cmd = "./$(location :script_symbolic_link.sh) > $@",
 )

 py_test(
   name = "py_module_test",
   srcs = ["py_module_test.py"],  # import_module.py not referenced.
   size = "small",
 )

 genrule(
   name = "input_file",
   outs = ["input_file.txt"],
   cmd = "echo original text input > $@",
 )

 genrule(
   name = "write_input_test",
   srcs = [":input_file"],
   outs = ["status.txt"],
   cmd = "(chmod 777 $(location :input_file) && \
          (echo overwrite text > $(location :input_file)) && \
          (echo success > $@)) || (echo fail > $@)",
 )
 EOF
 }

 # Test that the build can't escape the sandbox via absolute path.
 function test_absolute_path() {
   bazel build examples/hermetic:absolute_path &> $TEST_log \
     && fail "Fail due to non hermetic sandbox: examples/hermetic:absolute_path" || true
   expect_log "ls:.* '\?.*/examples/hermetic/unknown_file.txt'\?: No such file or directory"
 }

 # Test that the build can't escape the sandbox by resolving symbolic link.
 function test_symbolic_link() {
   [ "$PLATFORM" != "darwin" ] || return 0

   bazel build examples/hermetic:symbolic_link &> $TEST_log \
     && fail "Fail due to non hermetic sandbox: examples/hermetic:symbolic_link" || true
   expect_log "cat: \/execroot\/main\/examples\/hermetic\/unknown_file.txt: No such file or directory"
 }

 # Test that the sandbox discover if the bazel python rule miss dependencies.
 function test_missing_python_deps() {
   [ "$PLATFORM" != "darwin" ] || return 0

   bazel test examples/hermetic:py_module_test --test_output=all &> $TEST_TMPDIR/log \
     && fail "Fail due to non hermetic sandbox: examples/hermetic:py_module_test" || true

   expect_log "No module named '\?import_module'\?"
 }

 # Test that the intermediate corrupt input file gets re:evaluated
 function test_writing_input_file() {
   [ "$PLATFORM" != "darwin" ] || return 0
   # Write an input file, this should cause the hermetic sandbox to fail with an exception
   bazel build examples/hermetic:write_input_test &> $TEST_log  \
     && fail "Fail due to non hermetic sandbox: examples/hermetic:write_input_test" || true
   expect_log "input dependency .*examples/hermetic/input_file.txt was modified during execution."
   cat "${BAZEL_GENFILES_DIR}/examples/hermetic/input_file.txt" &> $TEST_log
   expect_log "overwrite text"

   # Build the input file again, this should not use the cache, but instead re:evaluate the file
   bazel build examples/hermetic:input_file &> $TEST_log \
     || fail "Fail due to non hermetic sandbox: examples/hermetic:input_file"
   [ -f "${BAZEL_GENFILES_DIR}/examples/hermetic/input_file.txt" ] \
     || fail "Genrule did not produce output: examples/hermetic:input_file"
   cat "${BAZEL_GENFILES_DIR}/examples/hermetic/input_file.txt" &> $TEST_log
   expect_log "original text input"
 }

 # The test shouldn't fail if the environment doesn't support running it.
 check_sandbox_allowed || exit 0

 run_suite "hermetic_sandbox"
	#!/bin/bash
	#
	# Copyright 2015 The Bazel Authors. All rights reserved.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	#
	# Test hermetic Linux sandbox
	#


	# Load test environment
	# Load the test setup defined in the parent directory
	CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
	source "${CURRENT_DIR}/../integration_test_setup.sh" \
	\|\| { echo "integration_test_setup.sh not found!" >&2; exit 1; }
	source ${CURRENT_DIR}/../sandboxing_test_utils.sh \
	\|\| { echo "sandboxing_test_utils.sh not found!" >&2; exit 1; }

	cat >>$TEST_TMPDIR/bazelrc <<'EOF'
	# Testing the sandboxed strategy requires using the sandboxed strategy. While it is the default,
	# we want to make sure that this explicitly fails when the strategy is not available on the system
	# running the test.
	# The hermetic sandbox requires the Linux sandbox.
	build --spawn_strategy=sandboxed
	build --experimental_use_hermetic_linux_sandbox
	build --sandbox_fake_username
	EOF

	# For the test to work we need to bind mount a couple of folders to
	# get access to bash, ls, python etc. Depending on linux distribution
	# these folders may vary. Mount all folders in the root directory '/'
	# except the project directory, the directory containing the bazel
	# workspace under test.
	project_folder=`pwd \| cut -d"/" -f 2`
	for folder in /*/
	do
	if [ -d "$folder" ] && [ "$folder" != "/$project_folder/" ]
	then
	if [[ -L $folder ]]
	then
	# Get resolved link
	linked_folder=`readlink -f $folder`
	echo "build --sandbox_add_mount_pair=/$linked_folder:$folder" >> $TEST_TMPDIR/bazelrc
	else
	echo "build --sandbox_add_mount_pair=$folder" >> $TEST_TMPDIR/bazelrc
	fi
	fi
	done

	function set_up {
	export BAZEL_GENFILES_DIR=$(bazel info bazel-genfiles 2>/dev/null)
	export BAZEL_BIN_DIR=$(bazel info bazel-bin 2>/dev/null)

	sed -i.bak '/sandbox_tmpfs_path/d' $TEST_TMPDIR/bazelrc

	mkdir -p examples/hermetic

	cat << 'EOF' > examples/hermetic/unknown_file.txt
	text inside this file
	EOF

	ABSOLUTE_PATH=$CURRENT_DIR/workspace/examples/hermetic/unknown_file.txt

	# In this case the ABSOLUTE_PATH will be expanded
	# and the absolute path will be written to script_absolute_path.sh
	cat << EOF > examples/hermetic/script_absolute_path.sh
	#! /bin/sh
	ls ${ABSOLUTE_PATH}
	EOF

	chmod 777 examples/hermetic/script_absolute_path.sh

	cat << 'EOF' > examples/hermetic/script_symbolic_link.sh
	#! /bin/sh
	OUTSIDE_SANDBOX_DIR=$(dirname $(realpath $0))
	cat $OUTSIDE_SANDBOX_DIR/unknown_file.txt
	EOF

	chmod 777 examples/hermetic/script_symbolic_link.sh

	touch examples/hermetic/import_module.py

	cat << 'EOF' > examples/hermetic/py_module_test.py
	import import_module
	EOF

	cat << 'EOF' > examples/hermetic/BUILD
	genrule(
	name = "absolute_path",
	srcs = ["script_absolute_path.sh"], # unknown_file.txt not referenced.
	outs = [ "absolute_path.txt" ],
	cmd = "./$(location :script_absolute_path.sh) > $@",
	)

	genrule(
	name = "symbolic_link",
	srcs = ["script_symbolic_link.sh"], # unknown_file.txt not referenced.
	outs = ["symbolic_link.txt"],
	cmd = "./$(location :script_symbolic_link.sh) > $@",
	)

	py_test(
	name = "py_module_test",
	srcs = ["py_module_test.py"], # import_module.py not referenced.
	size = "small",
	)

	genrule(
	name = "input_file",
	outs = ["input_file.txt"],
	cmd = "echo original text input > $@",
	)

	genrule(
	name = "write_input_test",
	srcs = [":input_file"],
	outs = ["status.txt"],
	cmd = "(chmod 777 $(location :input_file) && \
	(echo overwrite text > $(location :input_file)) && \
	(echo success > $@)) \|\| (echo fail > $@)",
	)
	EOF
	}

	# Test that the build can't escape the sandbox via absolute path.
	function test_absolute_path() {
	bazel build examples/hermetic:absolute_path &> $TEST_log \
	&& fail "Fail due to non hermetic sandbox: examples/hermetic:absolute_path" \|\| true
	expect_log "ls:.* '\?.*/examples/hermetic/unknown_file.txt'\?: No such file or directory"
	}

	# Test that the build can't escape the sandbox by resolving symbolic link.
	function test_symbolic_link() {
	[ "$PLATFORM" != "darwin" ] \|\| return 0

	bazel build examples/hermetic:symbolic_link &> $TEST_log \
	&& fail "Fail due to non hermetic sandbox: examples/hermetic:symbolic_link" \|\| true
	expect_log "cat: \/execroot\/main\/examples\/hermetic\/unknown_file.txt: No such file or directory"
	}

	# Test that the sandbox discover if the bazel python rule miss dependencies.
	function test_missing_python_deps() {
	[ "$PLATFORM" != "darwin" ] \|\| return 0

	bazel test examples/hermetic:py_module_test --test_output=all &> $TEST_TMPDIR/log \
	&& fail "Fail due to non hermetic sandbox: examples/hermetic:py_module_test" \|\| true

	expect_log "No module named '\?import_module'\?"
	}

	# Test that the intermediate corrupt input file gets re:evaluated
	function test_writing_input_file() {
	[ "$PLATFORM" != "darwin" ] \|\| return 0
	# Write an input file, this should cause the hermetic sandbox to fail with an exception
	bazel build examples/hermetic:write_input_test &> $TEST_log \
	&& fail "Fail due to non hermetic sandbox: examples/hermetic:write_input_test" \|\| true
	expect_log "input dependency .*examples/hermetic/input_file.txt was modified during execution."
	cat "${BAZEL_GENFILES_DIR}/examples/hermetic/input_file.txt" &> $TEST_log
	expect_log "overwrite text"

	# Build the input file again, this should not use the cache, but instead re:evaluate the file
	bazel build examples/hermetic:input_file &> $TEST_log \
	\|\| fail "Fail due to non hermetic sandbox: examples/hermetic:input_file"
	[ -f "${BAZEL_GENFILES_DIR}/examples/hermetic/input_file.txt" ] \
	\|\| fail "Genrule did not produce output: examples/hermetic:input_file"
	cat "${BAZEL_GENFILES_DIR}/examples/hermetic/input_file.txt" &> $TEST_log
	expect_log "original text input"
	}

	# The test shouldn't fail if the environment doesn't support running it.
	check_sandbox_allowed \|\| exit 0

	run_suite "hermetic_sandbox"