mod_posix: Move everything to util.startup
This allows greater control over the order of events.
Notably, the internal ordering between daemonization, initialization of
libunbound and setup of signal handling is sensitive.
libunbound starts a separate thread for processing DNS requests.
If this thread is started before signal handling has been set up, it
will not inherit the signal handlers and instead behave as it would have
before signal handlers were set up, i.e. cause the whole process to
immediately exit.
libunbound is usually initialized on the first DNS request, usually
triggered by an outgoing s2s connection attempt.
If daemonization happens before signals have been set up, signals may
not be processed at all.
describe("util.roles", function ()
randomize(false);
local roles;
it("can be loaded", function ()
roles = require "util.roles";
end);
local test_role;
it("can create a new role", function ()
test_role = roles.new();
assert.is_not_nil(test_role);
assert.is_truthy(roles.is_role(test_role));
end);
describe("role object", function ()
it("can be initialized with permissions", function ()
local test_role_2 = roles.new({
permissions = {
perm1 = true;
perm2 = false;
};
});
assert.truthy(test_role_2:may("perm1"));
assert.falsy(test_role_2:may("perm2"));
end);
it("has a sensible tostring", function ()
local test_role_2 = roles.new({
id = "test-role-2";
name = "Test Role 2";
});
assert.truthy(tostring(test_role_2):find(test_role_2.id, 1, true));
assert.truthy(tostring(test_role_2):find("Test Role 2", 1, true));
end);
it("is restrictive by default", function ()
assert.falsy(test_role:may("my-permission"));
end);
it("allows you to set permissions", function ()
test_role:set_permission("my-permission", true);
assert.truthy(test_role:may("my-permission"));
end);
it("allows you to set negative permissions", function ()
test_role:set_permission("my-other-permission", false);
assert.falsy(test_role:may("my-other-permission"));
end);
it("does not allows you to override previously set permissions by default", function ()
local ok, err = test_role:set_permission("my-permission", false);
assert.falsy(ok);
assert.is_equal("policy-already-exists", err);
-- Confirm old permission still in place
assert.truthy(test_role:may("my-permission"));
end);
it("allows you to explicitly override previously set permissions", function ()
assert.truthy(test_role:set_permission("my-permission", false, true));
assert.falsy(test_role:may("my-permission"));
end);
describe("inheritance", function ()
local child_role;
it("works", function ()
test_role:set_permission("inherited-permission", true);
child_role = roles.new({
inherits = { test_role };
});
assert.truthy(child_role:may("inherited-permission"));
assert.falsy(child_role:may("my-permission"));
end);
it("allows listing policies", function ()
local expected = {
["my-permission"] = false;
["my-other-permission"] = false;
["inherited-permission"] = true;
};
local received = {};
for permission_name, permission_policy in child_role:policies() do
received[permission_name] = permission_policy;
end
assert.same(expected, received);
end);
it("supports multiple depths of inheritance", function ()
local grandchild_role = roles.new({
inherits = { child_role };
});
assert.truthy(grandchild_role:may("inherited-permission"));
end);
describe("supports ordered inheritance from multiple roles", function ()
local parent_role = roles.new();
local final_role = roles.new({
-- Yes, the names are getting confusing.
-- btw, test_role is inherited through child_role.
inherits = { parent_role, child_role };
});
local test_cases = {
-- { <final_role policy>, <parent_role policy>, <test_role policy> }
{ true, nil, false, result = true };
{ nil, false, true, result = false };
{ nil, true, false, result = true };
{ nil, nil, false, result = false };
{ nil, nil, true, result = true };
};
for n, test_case in ipairs(test_cases) do
it("(case "..n..")", function ()
local perm_name = ("multi-inheritance-perm-%d"):format(n);
assert.truthy(final_role:set_permission(perm_name, test_case[1]));
assert.truthy(parent_role:set_permission(perm_name, test_case[2]));
assert.truthy(test_role:set_permission(perm_name, test_case[3]));
assert.equal(test_case.result, final_role:may(perm_name));
end);
end
end);
it("updates child roles when parent roles change", function ()
assert.truthy(child_role:may("inherited-permission"));
assert.truthy(test_role:set_permission("inherited-permission", false, true));
assert.falsy(child_role:may("inherited-permission"));
end);
end);
describe("cloning", function ()
local cloned_role;
it("works", function ()
assert.truthy(test_role:set_permission("perm-1", true));
cloned_role = test_role:clone();
assert.truthy(cloned_role:may("perm-1"));
end);
it("isolates changes", function ()
-- After cloning, changes in either the original or the clone
-- should not appear in the other.
assert.truthy(test_role:set_permission("perm-1", false, true));
assert.truthy(test_role:set_permission("perm-2", true));
assert.truthy(cloned_role:set_permission("perm-3", true));
assert.truthy(cloned_role:may("perm-1"));
assert.falsy(cloned_role:may("perm-2"));
assert.falsy(test_role:may("perm-3"));
end);
end);
end);
end);