cmd/safcm/config/permissions_test.go

   1 // Copyright (C) 2021  Simon Ruderich
   2 //
   3 // This program is free software: you can redistribute it and/or modify
   4 // it under the terms of the GNU General Public License as published by
   5 // the Free Software Foundation, either version 3 of the License, or
   6 // (at your option) any later version.
   7 //
   8 // This program is distributed in the hope that it will be useful,
   9 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  10 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  11 // GNU General Public License for more details.
  12 //
  13 // You should have received a copy of the GNU General Public License
  14 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
  15
  16 package config
  17
  18 import (
  19         "fmt"
  20         "io/fs"
  21         "os"
  22         "reflect"
  23         "testing"
  24
  25         "github.com/google/go-cmp/cmp"
  26
  27         "ruderich.org/simon/safcm"
  28 )
  29
  30 func TestLoadPermissions(t *testing.T) {
  31         cwd, err := os.Getwd()
  32         if err != nil {
  33                 t.Fatal(err)
  34         }
  35         defer os.Chdir(cwd)
  36
  37         err = os.Chdir("../testdata/project")
  38         if err != nil {
  39                 t.Fatal(err)
  40         }
  41
  42         tests := []struct {
  43                 group  string
  44                 exp    map[string]*safcm.File
  45                 expErr error
  46         }{
  47
  48                 {
  49                         "empty",
  50                         nil,
  51                         nil,
  52                 },
  53
  54                 {
  55                         "group",
  56                         map[string]*safcm.File{
  57                                 "/": {
  58                                         Path: "/",
  59                                         Mode: fs.ModeDir | 0755 | fs.ModeSetgid,
  60                                         Uid:  -1,
  61                                         Gid:  -1,
  62                                 },
  63                                 "/etc": {
  64                                         Path: "/etc",
  65                                         Mode: fs.ModeDir | 0755,
  66                                         Uid:  -1,
  67                                         Gid:  -1,
  68                                 },
  69                                 "/etc/.hidden": {
  70                                         Path: "/etc/.hidden",
  71                                         Mode: 0100 | fs.ModeSetuid | fs.ModeSetgid | fs.ModeSticky,
  72                                         Uid:  -1,
  73                                         Gid:  -1,
  74                                         Data: []byte("..."),
  75                                 },
  76                                 "/etc/motd": {
  77                                         Path: "/etc/motd",
  78                                         Mode: 0644,
  79                                         Uid:  -1,
  80                                         Gid:  -1,
  81                                         Data: []byte(`Welcome to
  82 {{- if .IsHost "host1.example.org"}} Host ONE
  83 {{- else if "host2"}} Host TWO
  84 {{- end}}
  85
  86 {{if .InGroup "detected_linux"}}
  87 This is GNU/Linux host
  88 {{end}}
  89 {{if .InGroup "detected_freebsd"}}
  90 This is FreeBSD host
  91 {{end}}
  92 `),
  93                                 },
  94                                 "/etc/rc.local": {
  95                                         Path: "/etc/rc.local",
  96                                         Mode: 0700,
  97                                         Uid:  -1,
  98                                         Gid:  -1,
  99                                         Data: []byte("#!/bin/sh\n"),
 100                                 },
 101                                 "/etc/resolv.conf": {
 102                                         Path:  "/etc/resolv.conf",
 103                                         Mode:  0641,
 104                                         User:  "user",
 105                                         Uid:   -1,
 106                                         Group: "group",
 107                                         Gid:   -1,
 108                                         Data:  []byte("nameserver ::1\n"),
 109                                 },
 110                                 "/etc/test": {
 111                                         Path: "/etc/test",
 112                                         Mode: fs.ModeSymlink | 0777,
 113                                         Uid:  -1,
 114                                         Gid:  -1,
 115                                         Data: []byte("doesnt-exist"),
 116                                 },
 117                         },
 118                         nil,
 119                 },
 120
 121                 {
 122                         "permissions-invalid-execute",
 123                         map[string]*safcm.File{
 124                                 "/": {
 125                                         Path: "/",
 126                                         Mode: fs.ModeDir | 0755,
 127                                         Uid:  -1,
 128                                         Gid:  -1,
 129                                 },
 130                                 "/etc": {
 131                                         Path: "/etc",
 132                                         Mode: fs.ModeDir | 0755,
 133                                         Uid:  -1,
 134                                         Gid:  -1,
 135                                 },
 136                                 "/etc/rc.local": {
 137                                         Path: "/etc/rc.local",
 138                                         Mode: 0755,
 139                                         Uid:  -1,
 140                                         Gid:  -1,
 141                                         Data: []byte("#!/bin/sh\n"),
 142                                 },
 143                         },
 144                         fmt.Errorf("permissions-invalid-execute/permissions.yaml: \"/etc/rc.local\": trying to remove +x from file, manually chmod -x in files/"),
 145                 },
 146                 {
 147                         "permissions-invalid-line",
 148                         map[string]*safcm.File{
 149                                 "/": {
 150                                         Path: "/",
 151                                         Mode: fs.ModeDir | 0755,
 152                                         Uid:  -1,
 153                                         Gid:  -1,
 154                                 },
 155                                 "/etc": {
 156                                         Path: "/etc",
 157                                         Mode: fs.ModeDir | 0755,
 158                                         Uid:  -1,
 159                                         Gid:  -1,
 160                                 },
 161                                 "/etc/resolv.conf": {
 162                                         Path: "/etc/resolv.conf",
 163                                         Mode: 0644,
 164                                         Uid:  -1,
 165                                         Gid:  -1,
 166                                         Data: []byte("nameserver ::1\n"),
 167                                 },
 168                         },
 169                         fmt.Errorf("permissions-invalid-line/permissions.yaml: invalid line \"invalid line\" (expected <perm> [<user> <group>])"),
 170                 },
 171                 {
 172                         "permissions-invalid-path",
 173                         nil,
 174                         fmt.Errorf("permissions-invalid-path/permissions.yaml: \"/does/not/exist\" does not exist in files/"),
 175                 },
 176                 {
 177                         "permissions-invalid-permission",
 178                         map[string]*safcm.File{
 179                                 "/": {
 180                                         Path: "/",
 181                                         Mode: fs.ModeDir | 0755,
 182                                         Uid:  -1,
 183                                         Gid:  -1,
 184                                 },
 185                                 "/etc": {
 186                                         Path: "/etc",
 187                                         Mode: fs.ModeDir | 0755,
 188                                         Uid:  -1,
 189                                         Gid:  -1,
 190                                 },
 191                                 "/etc/resolv.conf": {
 192                                         Path: "/etc/resolv.conf",
 193                                         Mode: 0644,
 194                                         Uid:  -1,
 195                                         Gid:  -1,
 196                                         Data: []byte("nameserver ::1\n"),
 197                                 },
 198                         },
 199                         fmt.Errorf("permissions-invalid-permission/permissions.yaml: invalid permission \"u=rwg=r\" (expected e.g. \"0644\" or \"01777\")"),
 200                 },
 201                 {
 202                         "permissions-invalid-permission-int",
 203                         map[string]*safcm.File{
 204                                 "/": {
 205                                         Path: "/",
 206                                         Mode: fs.ModeDir | 0755,
 207                                         Uid:  -1,
 208                                         Gid:  -1,
 209                                 },
 210                                 "/etc": {
 211                                         Path: "/etc",
 212                                         Mode: fs.ModeDir | 0755,
 213                                         Uid:  -1,
 214                                         Gid:  -1,
 215                                 },
 216                                 "/etc/resolv.conf": {
 217                                         Path: "/etc/resolv.conf",
 218                                         Mode: 0644,
 219                                         Uid:  -1,
 220                                         Gid:  -1,
 221                                         Data: []byte("nameserver ::1\n"),
 222                                 },
 223                         },
 224                         fmt.Errorf("permissions-invalid-permission-int/permissions.yaml: invalid permission 066066 (expected e.g. 0644 or 01777)"),
 225                 },
 226         }
 227
 228         for _, tc := range tests {
 229                 // Use LoadFiles() so we work on real data and don't make any
 230                 // mistakes generating it
 231                 files, err := LoadFiles(tc.group)
 232                 if err != nil {
 233                         t.Fatalf("%s: err = %#v, want nil",
 234                                 tc.group, err)
 235                 }
 236                 err = LoadPermissions(tc.group, files)
 237
 238                 if !reflect.DeepEqual(tc.exp, files) {
 239                         t.Errorf("%s: res: %s", tc.group,
 240                                 cmp.Diff(tc.exp, files))
 241                 }
 242                 // Ugly but the simplest way to compare errors (including nil)
 243                 if fmt.Sprintf("%s", err) != fmt.Sprintf("%s", tc.expErr) {
 244                         t.Errorf("%s: err = %#v, want %#v",
 245                                 tc.group, err, tc.expErr)
 246                 }
 247         }
 248 }