cmd/safcm/config/permissions_test.go

   1 // SPDX-License-Identifier: GPL-3.0-or-later
   2 // Copyright (C) 2021-2024  Simon Ruderich
   3
   4 package config
   5
   6 import (
   7         "fmt"
   8         "io/fs"
   9         "os"
  10         "testing"
  11
  12         "ruderich.org/simon/safcm"
  13         "ruderich.org/simon/safcm/testutil"
  14 )
  15
  16 func TestLoadPermissions(t *testing.T) {
  17         cwd, err := os.Getwd()
  18         if err != nil {
  19                 t.Fatal(err)
  20         }
  21         defer os.Chdir(cwd) //nolint:errcheck
  22
  23         err = os.Chdir("../testdata/project")
  24         if err != nil {
  25                 t.Fatal(err)
  26         }
  27
  28         tests := []struct {
  29                 group  string
  30                 exp    map[string]*safcm.File
  31                 expErr error
  32         }{
  33
  34                 {
  35                         "empty",
  36                         nil,
  37                         nil,
  38                 },
  39
  40                 {
  41                         "group",
  42                         map[string]*safcm.File{
  43                                 "/": {
  44                                         Path: "/",
  45                                         Mode: fs.ModeDir | 0755 | fs.ModeSetgid,
  46                                         Uid:  -1,
  47                                         Gid:  -1,
  48                                 },
  49                                 "/etc": {
  50                                         Path: "/etc",
  51                                         Mode: fs.ModeDir | 0755,
  52                                         Uid:  -1,
  53                                         Gid:  -1,
  54                                 },
  55                                 "/etc/.hidden": {
  56                                         Path: "/etc/.hidden",
  57                                         Mode: 0100 | fs.ModeSetuid | fs.ModeSetgid | fs.ModeSticky,
  58                                         Uid:  -1,
  59                                         Gid:  -1,
  60                                         Data: []byte("..."),
  61                                 },
  62                                 "/etc/motd": {
  63                                         Path: "/etc/motd",
  64                                         Mode: 0644,
  65                                         Uid:  -1,
  66                                         Gid:  -1,
  67                                         Data: []byte(`Welcome to
  68 {{- if .IsHost "host1.example.org"}} Host ONE
  69 {{- else if "host2"}} Host TWO
  70 {{- end}}
  71
  72 {{if .InGroup "detected_linux"}}
  73 This is GNU/Linux host
  74 {{end}}
  75 {{if .InGroup "detected_freebsd"}}
  76 This is FreeBSD host
  77 {{end}}
  78
  79 {{if .InGroup "all"}}
  80 all
  81 {{end}}
  82 {{if .InGroup "host1.example.org"}}
  83 host1.example.org
  84 {{end}}
  85 {{if .InGroup "host2"}}
  86 host2
  87 {{end}}
  88 {{if .InGroup "host3.example.net"}}
  89 host3.example.net
  90 {{end}}
  91 `),
  92                                 },
  93                                 "/etc/rc.local": {
  94                                         Path: "/etc/rc.local",
  95                                         Mode: 0700,
  96                                         Uid:  -1,
  97                                         Gid:  -1,
  98                                         Data: []byte("#!/bin/sh\n"),
  99                                 },
 100                                 "/etc/resolv.conf": {
 101                                         Path:  "/etc/resolv.conf",
 102                                         Mode:  0641,
 103                                         User:  "user",
 104                                         Uid:   -1,
 105                                         Group: "group",
 106                                         Gid:   -1,
 107                                         Data:  []byte("nameserver ::1\n"),
 108                                 },
 109                                 "/etc/test": {
 110                                         Path: "/etc/test",
 111                                         Mode: fs.ModeSymlink | 0777,
 112                                         Uid:  -1,
 113                                         Gid:  -1,
 114                                         Data: []byte("doesnt-exist"),
 115                                 },
 116                         },
 117                         nil,
 118                 },
 119
 120                 {
 121                         "permissions-invalid-execute",
 122                         map[string]*safcm.File{
 123                                 "/": {
 124                                         Path: "/",
 125                                         Mode: fs.ModeDir | 0755,
 126                                         Uid:  -1,
 127                                         Gid:  -1,
 128                                 },
 129                                 "/etc": {
 130                                         Path: "/etc",
 131                                         Mode: fs.ModeDir | 0755,
 132                                         Uid:  -1,
 133                                         Gid:  -1,
 134                                 },
 135                                 "/etc/rc.local": {
 136                                         Path: "/etc/rc.local",
 137                                         Mode: 0755,
 138                                         Uid:  -1,
 139                                         Gid:  -1,
 140                                         Data: []byte("#!/bin/sh\n"),
 141                                 },
 142                         },
 143                         fmt.Errorf("permissions-invalid-execute/permissions.yaml: \"/etc/rc.local\": trying to remove +x from file, manually chmod -x in files/"),
 144                 },
 145                 {
 146                         "permissions-invalid-line",
 147                         map[string]*safcm.File{
 148                                 "/": {
 149                                         Path: "/",
 150                                         Mode: fs.ModeDir | 0755,
 151                                         Uid:  -1,
 152                                         Gid:  -1,
 153                                 },
 154                                 "/etc": {
 155                                         Path: "/etc",
 156                                         Mode: fs.ModeDir | 0755,
 157                                         Uid:  -1,
 158                                         Gid:  -1,
 159                                 },
 160                                 "/etc/resolv.conf": {
 161                                         Path: "/etc/resolv.conf",
 162                                         Mode: 0644,
 163                                         Uid:  -1,
 164                                         Gid:  -1,
 165                                         Data: []byte("nameserver ::1\n"),
 166                                 },
 167                         },
 168                         fmt.Errorf("permissions-invalid-line/permissions.yaml: invalid line \"invalid line\" (expected <perm> [<user> <group>])"),
 169                 },
 170                 {
 171                         "permissions-invalid-path",
 172                         nil,
 173                         fmt.Errorf("permissions-invalid-path/permissions.yaml: \"/does/not/exist\" does not exist in files/"),
 174                 },
 175                 {
 176                         "permissions-invalid-permission",
 177                         map[string]*safcm.File{
 178                                 "/": {
 179                                         Path: "/",
 180                                         Mode: fs.ModeDir | 0755,
 181                                         Uid:  -1,
 182                                         Gid:  -1,
 183                                 },
 184                                 "/etc": {
 185                                         Path: "/etc",
 186                                         Mode: fs.ModeDir | 0755,
 187                                         Uid:  -1,
 188                                         Gid:  -1,
 189                                 },
 190                                 "/etc/resolv.conf": {
 191                                         Path: "/etc/resolv.conf",
 192                                         Mode: 0644,
 193                                         Uid:  -1,
 194                                         Gid:  -1,
 195                                         Data: []byte("nameserver ::1\n"),
 196                                 },
 197                         },
 198                         fmt.Errorf("permissions-invalid-permission/permissions.yaml: invalid permission \"u=rwg=r\" (expected e.g. \"0644\" or \"01777\")"),
 199                 },
 200                 {
 201                         "permissions-invalid-permission-int",
 202                         map[string]*safcm.File{
 203                                 "/": {
 204                                         Path: "/",
 205                                         Mode: fs.ModeDir | 0755,
 206                                         Uid:  -1,
 207                                         Gid:  -1,
 208                                 },
 209                                 "/etc": {
 210                                         Path: "/etc",
 211                                         Mode: fs.ModeDir | 0755,
 212                                         Uid:  -1,
 213                                         Gid:  -1,
 214                                 },
 215                                 "/etc/resolv.conf": {
 216                                         Path: "/etc/resolv.conf",
 217                                         Mode: 0644,
 218                                         Uid:  -1,
 219                                         Gid:  -1,
 220                                         Data: []byte("nameserver ::1\n"),
 221                                 },
 222                         },
 223                         fmt.Errorf("permissions-invalid-permission-int/permissions.yaml: invalid permission 066066 (expected e.g. 0644 or 01777)"),
 224                 },
 225                 {
 226                         "permissions-invalid-permission-negative",
 227                         map[string]*safcm.File{
 228                                 "/": {
 229                                         Path: "/",
 230                                         Mode: fs.ModeDir | 0755,
 231                                         Uid:  -1,
 232                                         Gid:  -1,
 233                                 },
 234                                 "/etc": {
 235                                         Path: "/etc",
 236                                         Mode: fs.ModeDir | 0755,
 237                                         Uid:  -1,
 238                                         Gid:  -1,
 239                                 },
 240                                 "/etc/resolv.conf": {
 241                                         Path: "/etc/resolv.conf",
 242                                         Mode: 0644,
 243                                         Uid:  -1,
 244                                         Gid:  -1,
 245                                         Data: []byte("nameserver ::1\n"),
 246                                 },
 247                         },
 248                         fmt.Errorf("permissions-invalid-permission-negative/permissions.yaml: invalid permission -042 (expected e.g. 0644 or 01777)"),
 249                 },
 250         }
 251
 252         for _, tc := range tests {
 253                 t.Run(tc.group, func(t *testing.T) {
 254                         // Use LoadFiles() so we work on real data and don't
 255                         // make any mistakes generating it
 256                         files, err := LoadFiles(tc.group)
 257                         if err != nil {
 258                                 t.Fatalf("err = %#v, want nil", err)
 259                         }
 260                         err = LoadPermissions(tc.group, files)
 261
 262                         testutil.AssertEqual(t, "res", files, tc.exp)
 263                         testutil.AssertErrorEqual(t, "err", err, tc.expErr)
 264                 })
 265         }
 266 }