agent: test Unix domain socket permission settings

command/agent/config_test.go

@@ -588,6 +588,21 @@ func TestDecodeConfig(t *testing.T) {
 		t.Fatalf("bad: %#v", config)
 	}
 
+	// Domain socket permissions
+	input = `{"unix_sockets": {"uid": "500", "gid": "500", "mode": "0700"}}`
+	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	if !reflect.DeepEqual(config.UnixSockets, map[string]string{
+		"uid":  "500",
+		"gid":  "500",
+		"mode": "0700",
+	}) {
+		t.Fatalf("bad: %v", config.UnixSockets)
+	}
+
 	// Disable updates
 	input = `{"disable_update_check": true, "disable_anonymous_signature": true}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
@@ -998,6 +1013,11 @@ func TestMergeConfig(t *testing.T) {
 		HTTPAPIResponseHeaders: map[string]string{
 			"Access-Control-Allow-Origin": "*",
 		},
+		UnixSockets: map[string]string{
+			"uid":  "500",
+			"gid":  "500",
+			"mode": "0700",
+		},
 	}
 
 	c := MergeConfig(a, b)

command/agent/http_test.go

@@ -67,6 +67,10 @@ func TestHTTPServer_UnixSocket(t *testing.T) {
 
 	dir, srv := makeHTTPServerWithConfig(t, func(c *Config) {
 		c.Addresses.HTTP = "unix://" + socket
+
+		// Only testing mode, since uid/gid might not be settable
+		// from test environment.
+		c.UnixSockets = map[string]string{"mode": "0777"}
 	})
 	defer os.RemoveAll(dir)
 	defer srv.Shutdown()
@@ -77,6 +81,15 @@ func TestHTTPServer_UnixSocket(t *testing.T) {
 		t.Fatalf("err: %s", err)
 	}
 
+	// Ensure the mode was set properly
+	fi, err := os.Stat(socket)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	if fi.Mode().String() != "Srwxrwxrwx" {
+		t.Fatalf("bad permissions: %s", fi.Mode())
+	}
+
 	// Ensure we can get a response from the socket.
 	path, _ := unixSocketAddr(srv.agent.config.Addresses.HTTP)
 	client := &http.Client{