canonical · Thanhphan1147 · May 15, 2024 · May 13, 2024 · May 13, 2024 · May 13, 2024
@@ -13,5 +13,5 @@ jobs:
         chmod +x tests/integration/pre_run_script.sh
         ./tests/integration/pre_run_script.sh"
       extra-arguments: |
-        --kube-config ${GITHUB_WORKSPACE}/kube-config
+        --kube-config=${GITHUB_WORKSPACE}/kube-config
       modules: '["test_agent_k8s.py"]'
@@ -0,0 +1 @@
+CVE-2023-45288
@@ -14,11 +14,14 @@ run-user: _daemon_
 parts:
   jenkins:
     plugin: nil
+    build-packages:
+      - sudo
     overlay-packages:
       - bash
       - ca-certificates-java
       - default-jre-headless
       - git
+      - sudo
     override-prime: |
       craftctl default
       /bin/bash -c "mkdir -p --mode=775 var/{lib/jenkins,lib/jenkins/agents,log/jenkins}"
@@ -38,3 +41,5 @@ parts:
     override-prime: |
       craftctl default
       /bin/bash -c "chown -R 584792:584792 $CRAFT_PRIME/var/{lib/jenkins,log/jenkins}"
+      echo "_daemon_ ALL=NOPASSWD: ALL" >> $CRAFT_PRIME/etc/sudoers
+      visudo -c
@@ -65,8 +65,8 @@ def from_charm_config(cls, config: ops.ConfigData) -> typing.Optional["JenkinsCo
             JenkinsConfig if configuration exists, None otherwise.
         """
         server_url = config.get("jenkins_url")
-        agent_name_config = config.get("jenkins_agent_name")
-        agent_token_config = config.get("jenkins_agent_token")
+        agent_name_config = str(config.get("jenkins_agent_name"))
+        agent_token_config = str(config.get("jenkins_agent_token"))
         # None represents an unset Jenkins configuration values, meaning configuration values from
         # relation would be used.
         if not server_url and not agent_name_config and not agent_token_config:

@@ -58,3 +58,26 @@ def containers_ready() -> bool:
     await wait_for(containers_ready, timeout=60 * 10)
     await wait_for(node.is_online, timeout=60 * 10)
     assert node.is_online(), "Node not online."
+
+
+async def test_agent_run_sudo(
+    application: Application,
+):
+    """
+    arrange: given a jenkins-agent-k8s charm.
+    act: Check if the _daemon_ user is allowed to run sudo commands.
+    assert: the _daemon_ user has the correct sudo privileges.
+    """
+    unit = application.units[0]
+    pebble_exec = (
+        "PEBBLE_SOCKET=/charm/containers/jenkins-agent-k8s/pebble.socket "
+        "pebble exec --user=_daemon_"
+    )
+    full_command = f"{pebble_exec} -- sudo -l"
+    logger.info("Enable plugins command: %s", full_command)
+
+    action = await unit.run(full_command)
+    await action.wait()
+
+    assert action.results["return-code"] == 0, action.results["stderr"]
+    assert "NOPASSWD" in action.results["stdout"]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		CVE-2023-45288
Check notice on line 1 in .trivyignore View workflow job for this annotation GitHub Actions / integration-tests / Scan Image (ghcr.io-canonical-jenkins-agent-k8s-c19b5446679d5bbbb006eb373138aebfd1f5b69c-_1.1_amd64.tar) `CVE-2023-45288 not present anymore, can be safely removed.`