cmd/safcm/config/permissions_test.go

   1 // Copyright (C) 2021-2024  Simon Ruderich
   2 //
   3 // This program is free software: you can redistribute it and/or modify
   4 // it under the terms of the GNU General Public License as published by
   5 // the Free Software Foundation, either version 3 of the License, or
   6 // (at your option) any later version.
   7 //
   8 // This program is distributed in the hope that it will be useful,
   9 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  10 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11 // GNU General Public License for more details.
  12 //
  13 // You should have received a copy of the GNU General Public License
  14 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
  15
  16 package config
  17
  18 import (
  19         "fmt"
  20         "io/fs"
  21         "os"
  22         "testing"
  23
  24         "ruderich.org/simon/safcm"
  25         "ruderich.org/simon/safcm/testutil"
  26 )
  27
  28 func TestLoadPermissions(t *testing.T) {
  29         cwd, err := os.Getwd()
  30         if err != nil {
  31                 t.Fatal(err)
  32         }
  33         defer os.Chdir(cwd) //nolint:errcheck
  34
  35         err = os.Chdir("../testdata/project")
  36         if err != nil {
  37                 t.Fatal(err)
  38         }
  39
  40         tests := []struct {
  41                 group  string
  42                 exp    map[string]*safcm.File
  43                 expErr error
  44         }{
  45
  46                 {
  47                         "empty",
  48                         nil,
  49                         nil,
  50                 },
  51
  52                 {
  53                         "group",
  54                         map[string]*safcm.File{
  55                                 "/": {
  56                                         Path: "/",
  57                                         Mode: fs.ModeDir | 0755 | fs.ModeSetgid,
  58                                         Uid:  -1,
  59                                         Gid:  -1,
  60                                 },
  61                                 "/etc": {
  62                                         Path: "/etc",
  63                                         Mode: fs.ModeDir | 0755,
  64                                         Uid:  -1,
  65                                         Gid:  -1,
  66                                 },
  67                                 "/etc/.hidden": {
  68                                         Path: "/etc/.hidden",
  69                                         Mode: 0100 | fs.ModeSetuid | fs.ModeSetgid | fs.ModeSticky,
  70                                         Uid:  -1,
  71                                         Gid:  -1,
  72                                         Data: []byte("..."),
  73                                 },
  74                                 "/etc/motd": {
  75                                         Path: "/etc/motd",
  76                                         Mode: 0644,
  77                                         Uid:  -1,
  78                                         Gid:  -1,
  79                                         Data: []byte(`Welcome to
  80 {{- if .IsHost "host1.example.org"}} Host ONE
  81 {{- else if "host2"}} Host TWO
  82 {{- end}}
  83
  84 {{if .InGroup "detected_linux"}}
  85 This is GNU/Linux host
  86 {{end}}
  87 {{if .InGroup "detected_freebsd"}}
  88 This is FreeBSD host
  89 {{end}}
  90
  91 {{if .InGroup "all"}}
  92 all
  93 {{end}}
  94 {{if .InGroup "host1.example.org"}}
  95 host1.example.org
  96 {{end}}
  97 {{if .InGroup "host2"}}
  98 host2
  99 {{end}}
 100 {{if .InGroup "host3.example.net"}}
 101 host3.example.net
 102 {{end}}
 103 `),
 104                                 },
 105                                 "/etc/rc.local": {
 106                                         Path: "/etc/rc.local",
 107                                         Mode: 0700,
 108                                         Uid:  -1,
 109                                         Gid:  -1,
 110                                         Data: []byte("#!/bin/sh\n"),
 111                                 },
 112                                 "/etc/resolv.conf": {
 113                                         Path:  "/etc/resolv.conf",
 114                                         Mode:  0641,
 115                                         User:  "user",
 116                                         Uid:   -1,
 117                                         Group: "group",
 118                                         Gid:   -1,
 119                                         Data:  []byte("nameserver ::1\n"),
 120                                 },
 121                                 "/etc/test": {
 122                                         Path: "/etc/test",
 123                                         Mode: fs.ModeSymlink | 0777,
 124                                         Uid:  -1,
 125                                         Gid:  -1,
 126                                         Data: []byte("doesnt-exist"),
 127                                 },
 128                         },
 129                         nil,
 130                 },
 131
 132                 {
 133                         "permissions-invalid-execute",
 134                         map[string]*safcm.File{
 135                                 "/": {
 136                                         Path: "/",
 137                                         Mode: fs.ModeDir | 0755,
 138                                         Uid:  -1,
 139                                         Gid:  -1,
 140                                 },
 141                                 "/etc": {
 142                                         Path: "/etc",
 143                                         Mode: fs.ModeDir | 0755,
 144                                         Uid:  -1,
 145                                         Gid:  -1,
 146                                 },
 147                                 "/etc/rc.local": {
 148                                         Path: "/etc/rc.local",
 149                                         Mode: 0755,
 150                                         Uid:  -1,
 151                                         Gid:  -1,
 152                                         Data: []byte("#!/bin/sh\n"),
 153                                 },
 154                         },
 155                         fmt.Errorf("permissions-invalid-execute/permissions.yaml: \"/etc/rc.local\": trying to remove +x from file, manually chmod -x in files/"),
 156                 },
 157                 {
 158                         "permissions-invalid-line",
 159                         map[string]*safcm.File{
 160                                 "/": {
 161                                         Path: "/",
 162                                         Mode: fs.ModeDir | 0755,
 163                                         Uid:  -1,
 164                                         Gid:  -1,
 165                                 },
 166                                 "/etc": {
 167                                         Path: "/etc",
 168                                         Mode: fs.ModeDir | 0755,
 169                                         Uid:  -1,
 170                                         Gid:  -1,
 171                                 },
 172                                 "/etc/resolv.conf": {
 173                                         Path: "/etc/resolv.conf",
 174                                         Mode: 0644,
 175                                         Uid:  -1,
 176                                         Gid:  -1,
 177                                         Data: []byte("nameserver ::1\n"),
 178                                 },
 179                         },
 180                         fmt.Errorf("permissions-invalid-line/permissions.yaml: invalid line \"invalid line\" (expected <perm> [<user> <group>])"),
 181                 },
 182                 {
 183                         "permissions-invalid-path",
 184                         nil,
 185                         fmt.Errorf("permissions-invalid-path/permissions.yaml: \"/does/not/exist\" does not exist in files/"),
 186                 },
 187                 {
 188                         "permissions-invalid-permission",
 189                         map[string]*safcm.File{
 190                                 "/": {
 191                                         Path: "/",
 192                                         Mode: fs.ModeDir | 0755,
 193                                         Uid:  -1,
 194                                         Gid:  -1,
 195                                 },
 196                                 "/etc": {
 197                                         Path: "/etc",
 198                                         Mode: fs.ModeDir | 0755,
 199                                         Uid:  -1,
 200                                         Gid:  -1,
 201                                 },
 202                                 "/etc/resolv.conf": {
 203                                         Path: "/etc/resolv.conf",
 204                                         Mode: 0644,
 205                                         Uid:  -1,
 206                                         Gid:  -1,
 207                                         Data: []byte("nameserver ::1\n"),
 208                                 },
 209                         },
 210                         fmt.Errorf("permissions-invalid-permission/permissions.yaml: invalid permission \"u=rwg=r\" (expected e.g. \"0644\" or \"01777\")"),
 211                 },
 212                 {
 213                         "permissions-invalid-permission-int",
 214                         map[string]*safcm.File{
 215                                 "/": {
 216                                         Path: "/",
 217                                         Mode: fs.ModeDir | 0755,
 218                                         Uid:  -1,
 219                                         Gid:  -1,
 220                                 },
 221                                 "/etc": {
 222                                         Path: "/etc",
 223                                         Mode: fs.ModeDir | 0755,
 224                                         Uid:  -1,
 225                                         Gid:  -1,
 226                                 },
 227                                 "/etc/resolv.conf": {
 228                                         Path: "/etc/resolv.conf",
 229                                         Mode: 0644,
 230                                         Uid:  -1,
 231                                         Gid:  -1,
 232                                         Data: []byte("nameserver ::1\n"),
 233                                 },
 234                         },
 235                         fmt.Errorf("permissions-invalid-permission-int/permissions.yaml: invalid permission 066066 (expected e.g. 0644 or 01777)"),
 236                 },
 237                 {
 238                         "permissions-invalid-permission-negative",
 239                         map[string]*safcm.File{
 240                                 "/": {
 241                                         Path: "/",
 242                                         Mode: fs.ModeDir | 0755,
 243                                         Uid:  -1,
 244                                         Gid:  -1,
 245                                 },
 246                                 "/etc": {
 247                                         Path: "/etc",
 248                                         Mode: fs.ModeDir | 0755,
 249                                         Uid:  -1,
 250                                         Gid:  -1,
 251                                 },
 252                                 "/etc/resolv.conf": {
 253                                         Path: "/etc/resolv.conf",
 254                                         Mode: 0644,
 255                                         Uid:  -1,
 256                                         Gid:  -1,
 257                                         Data: []byte("nameserver ::1\n"),
 258                                 },
 259                         },
 260                         fmt.Errorf("permissions-invalid-permission-negative/permissions.yaml: invalid permission -042 (expected e.g. 0644 or 01777)"),
 261                 },
 262         }
 263
 264         for _, tc := range tests {
 265                 t.Run(tc.group, func(t *testing.T) {
 266                         // Use LoadFiles() so we work on real data and don't
 267                         // make any mistakes generating it
 268                         files, err := LoadFiles(tc.group)
 269                         if err != nil {
 270                                 t.Fatalf("err = %#v, want nil", err)
 271                         }
 272                         err = LoadPermissions(tc.group, files)
 273
 274                         testutil.AssertEqual(t, "res", files, tc.exp)
 275                         testutil.AssertErrorEqual(t, "err", err, tc.expErr)
 276                 })
 277         }
 278 }