ws: connect to cockpit-session via socket

Unless it's otherwise specified in the configuration file, we now spawn cockpit-session by connecting to /run/cockpit/session if that exists. Fall back to calling cockpit-session directly for custom setups. We leave the cockpit_ws_session_program variable in place to allow the tests to override things. Update the unit files for cockpit-ws to ensure that the socket is available when cockpit-ws is running. Adjust TestConnection.testBasic accordingly: When running cockpit-session via unix socket activation, its group permissions are irrelevant. More thoroughly move the binary away and also disable the socket, to fail both of cockpit-ws' session creation attempts. Co-Authored-By: Martin Pitt <[email protected]>
cockpit-project · Nov 12, 2024 · 05fbf61 · 05fbf61
1 parent 47582cf
commit 05fbf61
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 30 deletions.
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
@@ -2,6 +2,8 @@
 Description=Cockpit Web Service http instance
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
+Requires=cockpit-session.socket
+After=cockpit-session.socket
 
 [Service]
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0

diff --git a/src/systemd/[email protected] b/src/systemd/[email protected]
@@ -2,6 +2,8 @@
 Description=Cockpit Web Service https instance %I
 Documentation=man:cockpit-ws(8)
 BindsTo=cockpit.service
+Requires=cockpit-session.socket
+After=cockpit-session.socket
 
 [Service]
 Slice=system-cockpithttps.slice

diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
@@ -54,7 +54,10 @@
 const gchar *cockpit_ws_ssh_program = "/usr/bin/env python3 -m cockpit.beiboot --remote-bridge=supported";
 
 /* Some tunables that can be set from tests */
-const gchar *cockpit_ws_session_program = LIBEXECDIR "/cockpit-session";
+const gchar *cockpit_ws_session_program = NULL;
+
+#define WS_SESSION_SOCKET "/run/cockpit/session"
+#define WS_SESSION_PROGRAM LIBEXECDIR "/cockpit-session"
 
 /* Timeout of authenticated session when no connections */
 guint cockpit_ws_service_idle = 15;
@@ -1111,7 +1114,14 @@ cockpit_session_launch (CockpitAuth *self,
            g_str_equal (type, "tls-cert"))
     {
       if (command == NULL && unix_path == NULL)
-        command = cockpit_ws_session_program;
+        {
+          if (cockpit_ws_session_program)
+            command = cockpit_ws_session_program;
+          else if (g_file_test (WS_SESSION_SOCKET, G_FILE_TEST_EXISTS))
+            unix_path = WS_SESSION_SOCKET;
+          else
+            command = WS_SESSION_PROGRAM;
+        }
     }
 
   g_autoptr(CockpitPipe) pipe = NULL;

diff --git a/test/verify/check-connection b/test/verify/check-connection
@@ -161,11 +161,15 @@ class TestConnection(testlib.MachineCase):
         self.assertNoAdminProcessLeaks()
 
         if not m.ws_container:  # no cockpit-session
-            # damage cockpit-session permissions, expect generic error message
-            m.execute(f"chmod g-x {self.libexecdir}/cockpit-session")
-            b.open("/system")
-            b.wait_in_text('#login-fatal-message', "Internal error in login process")
-            m.execute(f"chmod g+x {self.libexecdir}/cockpit-session")
+            # damage cockpit-session, expect generic error message
+            try:
+                m.execute(f"mount -o bind /dev/null {self.libexecdir}/cockpit-session")
+                m.execute("mv /run/cockpit/session /run/cockpit/session.disabled")
+                b.open("/system")
+                b.wait_in_text('#login-fatal-message', "Internal error in login process")
+            finally:
+                m.execute("mv /run/cockpit/session.disabled /run/cockpit/session")
+                m.execute(f"umount {self.libexecdir}/cockpit-session")
 
             self.allow_journal_messages(".*cockpit-session: bridge program failed.*")
 
@@ -1137,29 +1141,6 @@ until pgrep -f '^(/usr/[^ ]+/[^ /]*python[^ /]* )?/usr/bin/cockpit-bridge'; do s
         b.wait_visible("#login")
         b.assert_pixels("body", "login-screen")
 
-    @testlib.skipWsContainer("cockpit/ws doesn't use systemd units")
-    @testlib.nondestructive
-    def testAuthUnixPath(self):
-        """test UnixPath for auth method in cockpit.conf"""
-        m = self.machine
-
-        m.execute(['systemctl', 'start', 'cockpit-session.socket'])
-        self.addCleanup(m.execute, 'systemctl stop cockpit-session.socket')
-        m.write('/etc/cockpit/cockpit.conf', """
-[Negotiate]
-Action=none
-
-[Basic]
-UnixPath=/run/cockpit/session
-""")
-
-        # make sure this isn't being run via spawning
-        m.execute(f'chmod 700 {self.libexecdir}/cockpit-session')
-        self.addCleanup(m.execute, f'chmod 4750 {self.libexecdir}/cockpit-session')
-
-        m.start_cockpit()
-        self.login_and_go("/system")
-
     @testlib.skipWsContainer("no local config with cockpit/ws")
     @testlib.nondestructive
     def testXdgConfig(self):