From 38fa6dd0d8f8cf99983d221c28dd17f4a68f8cff Mon Sep 17 00:00:00 2001
From: willcl-ark <will@256k1.dev>
Date: Tue, 9 Jan 2024 12:36:29 +0000
Subject: [PATCH] test: add rpccookieperms test

Tests various perms on non-Windows OSes
---
 test/functional/rpc_users.py | 47 +++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/test/functional/rpc_users.py b/test/functional/rpc_users.py
index 66cdd7cf9a96d4..7350044f3409b5 100755
--- a/test/functional/rpc_users.py
+++ b/test/functional/rpc_users.py
@@ -4,19 +4,29 @@
 # file COPYING or http://www.opensource.org/licenses/mit-license.php.
 """Test multiple RPC users."""
 
-from test_framework.test_framework import BitcoinTestFramework
+from test_framework.test_framework import BitcoinTestFramework, SkipTest
 from test_framework.util import (
     assert_equal,
     str_to_b64str,
 )
 
 import http.client
+import os
 import urllib.parse
 import subprocess
 from random import SystemRandom
 import string
 import configparser
+import stat
 import sys
+from typing import Optional
+
+
+# Owner-read matches DEFAULT_COOKIE_PERMS in src/httprpc.h
+DEFAULT_COOKIE_PERMISSION = stat.S_IRUSR
+# Default umask from common/system.cpp
+PERM_BITS_UMASK = 0o777
+
 
 
 def call_with_auth(node, user, password):
@@ -84,6 +94,39 @@ def test_auth(self, node, user, password):
         self.log.info('Wrong...')
         assert_equal(401, call_with_auth(node, user + 'wrong', password + 'wrong').status)
 
+    def test_rpccookieperms(self):
+
+        if os.name == 'nt':
+            raise SkipTest(f"Skip cookie file permissions checks as OS detected as: {os.name=:}")
+        self.log.info('Check cookie file permissions can be set using -rpccookieperms')
+
+        cookie_file_path = self.nodes[1].chain_path / '.cookie'
+
+        def test_perm(perm: Optional[str]):
+            if not perm:
+                perm = f"{(DEFAULT_COOKIE_PERMISSION & PERM_BITS_UMASK):03o}"
+                self.restart_node(1)
+            else:
+                self.restart_node(1, extra_args=[f"-rpccookieperms={perm}"])
+            file_stat = os.stat(cookie_file_path)
+            actual_perms = f"{(file_stat.st_mode & PERM_BITS_UMASK):03o}"
+            assert_equal(perm, actual_perms)
+
+        # Remove any leftover rpc{user|password} config options from previous tests
+        conf = self.nodes[1].bitcoinconf
+        with conf.open('r') as file:
+            lines = file.readlines()
+        filtered_lines = [line for line in lines if not line.startswith('rpcuser') and not line.startswith('rpcpassword')]
+        with conf.open('w') as file:
+            file.writelines(filtered_lines)
+
+        self.log.info('Check default cookie permission')
+        test_perm(None)
+
+        self.log.info('Check custom cookie permissions')
+        for perm in ["440", "640", "444"]:
+            test_perm(perm)
+
     def run_test(self):
         self.conf_setup()
         self.log.info('Check correctness of the rpcauth config option')
@@ -115,6 +158,8 @@ def run_test(self):
         (self.nodes[0].chain_path / ".cookie.tmp").mkdir()
         self.nodes[0].assert_start_raises_init_error(expected_msg=init_error)
 
+        self.test_rpccookieperms()
+
 
 if __name__ == '__main__':
     HTTPBasicsTest().main()