.gitignore @@ -1,5 +1,8 @@ # -*- coding: utf-8 -*- +2009-01-27 Cory ODaniel <warningshot@coryodaniel.com> + * PermissionResolver + 2009-01-26 Cory ODaniel <warningshot@coryodaniel.com> * Resolver.branch takes a *params now * Added specs for Resolver.branch single & multiple branches CHANGELOG @@ -1,6 +1,12 @@ WarningShot Dependency Resolution Framework * Additional documentation @ http://github.com/coryodaniel/warningshot/wikis/ +==== Note on RSpecs + Currently the PermissionResolver RSpecs will probably fail that is because + I am not sure what the best way is to write them in regards to users & groups + that may or may not be on a remote machine. I wrote the specs, and they work on + my laptop (given that I have the groups/users) mentioned in the tests. + See: ./test/spec/unit/resolvers/permission_resolver_spec.rb ==== Installing WarningShot WarningShot installs a little differently than most gems. WarningShot itself has NO gem dependencies. Gems become README images/warning_shot_sml.png lib/core_ext/string.rb @@ -4,18 +4,21 @@ class WarningShot::DirectoryResolver branch :directory description 'Validates presence of directories' - - DirectoryResource = Struct.new(:path) - typecast do |path| - DirectoryResource.new File.expand_path(path) + + DirectoryResource = Struct.new(:target) + typecast(String) do |target| + DirectoryResource.new File.expand_path(target) + end + typecast(Hash) do |yaml| + DirectoryResource.new File.expand_path(yaml[:target]) end register :test do |dep| - dir_found = File.directory? dep.path + dir_found = File.directory? dep.target if dir_found - logger.debug " ~ [PASSED] directory: #{dep.path}" + logger.debug " ~ [PASSED] directory: #{dep.target}" else - logger.warn " ~ [FAILED] directory: #{dep.path}" + logger.warn " ~ [FAILED] directory: #{dep.target}" end dir_found @@ -23,9 +26,9 @@ class WarningShot::DirectoryResolver register :resolution do |dep| begin - FileUtils.mkdir_p dep.path + FileUtils.mkdir_p dep.target rescue Exception => ex - logger.error " ~ Could not create directory #{dep.path}" + logger.error " ~ Could not create directory #{dep.target}" end end end \ No newline at end of file lib/resolvers/directory_resolver.rb @@ -1,70 +1,195 @@ - -# TODO Branch should take a params of branches, here: file, directory, symlink -# TODO uid, gid should be integer or string (string for name, interger for id) -# - class WarningShot::PermissionResolver include WarningShot::Resolver - order 100 - branch :permission + add_dependency :core, 'etc' + add_dependency :core, 'fileutils' + + order 1000 + branch :directory, :file, :symlink description 'Validates mode, user, and group permission on files and directories' - - PermissionResource = Struct.new(:path,:target_mode,:target_user,:target_group,:recursive) do + + PermissionResource = Struct.new(:target,:target_mode,:target_user,:target_group,:recursive,:no_follow) do + # Get File.stat by stat name + # param s [Symbol] + # self.stat(:ftype) => File.stat(self.target).ftype + # + def stat(s) + #Read with links because WS will need to read the actual link if its set to no follow for symlinks + # For files, lstat still works for files + File.lstat(self.target).send(s) + rescue Exception => ex + nil + end + def exists? - File.exist? self.path + File.exist? self.target + end + + # @param type [Symbol] + # Retreive the target's current user ID or Name (:id,:name) + # + def user(type=:name) + file_uid = self.stat(:uid) + (type == :name) ? Etc.getpwuid(file_uid).name : file_uid + end + + # @param type [Symbol] + # Retreive the targets's current group ID or Name (:id,:name) + # + def group(type=:name) + file_gid = self.stat(:gid) + (type == :name) ? Etc.getgrgid(file_gid).name : file_gid + end + + # Retreive the target's current mode + # + def mode + "%o" % (self.stat(:mode) & 007777) + end + + #Attempt to change the user + def change_user! + tgt_uid = self.target_user.is_a?(Fixnum) ? self.target_user : Etc.getpwnam(self.target_user).uid + chown_params = [tgt_uid, nil, self.target] + + if(File.symlink?(self.target) && (self.no_follow == 'both' || self.no_follow == 'chown')) + File.lchown *chown_params + elsif(self.stat(:ftype) == 'directory' && (self.recursive == 'both' || self.recursive == 'chown')) + FileUtils.chown_R *chown_params + else + File.chown *chown_params + end + rescue Exception => ex + WarningShot::PermissionResolver.logger.error("Unable to change user for file: #{self.target}; Exception: #{ex.message}") + return false + end + + #Attempt to change the group + def change_group! + tgt_gid = self.target_group.is_a?(Fixnum) ? self.target_group : Etc.getgrnam(self.target_group).gid + chown_params = [nil, tgt_gid, self.target] + + if(File.symlink?(self.target) && (self.no_follow == 'both' || self.no_follow == 'chown')) + File.lchown *chown_params + elsif(self.stat(:ftype) == 'directory' && (self.recursive == 'both' || self.recursive == 'chown')) + FileUtils.chown_R *chown_params + else + File.chown *chown_params + end + rescue Exception => ex + WarningShot::PermissionResolver.logger.error("Unable to change group for file: #{self.target}; Exception: #{ex.message}") + return false end - - def correct_owner! - false + + #Attempt to change the mode + def change_mode! + chmod_params = [Integer("0" + self.target_mode), self.target] + + if(File.symlink?(self.target) && (self.no_follow == 'both' || self.no_follow == 'chmod')) + File.lchmod *chmod_params + elsif(self.stat(:ftype) == 'directory' && (self.recursive == 'both' || self.recursive == 'chmod')) + FileUtils.chmod_R *chmod_params + else + File.chmod *chmod_params + end + rescue Exception => ex + WarningShot::PermissionResolver.logger.error("Unable to change mode for file: #{self.target}; Exception: #{ex.message}") + return false end - - def correct_group! - false + + #Are all permissions correct + def permissions_correct? + (self.exists? & self.valid_user? & self.valid_group? & self.valid_mode?) end - - def correct_mode! - false + + #Where permissions supplied by the dependency requirement + def permissions_supplied? + !!(self.target_mode || self.target_user || self.target_group) end - - def correct_owner? - false + + # is the target's current user correct + def valid_user? + unless self.target_user.nil? + if self.target_user.is_a? String + !!(self.target_user == self.user) + else + !!(self.target_user == self.user(:id)) + end + else + # The user is OK if it wasn't specified + return true + end + rescue ArgumentError => ex + # The user is NOT OK if the user doesn't exist + WarningShot::PermissionResolver.logger.error("User [#{self.target_user}] does not exist: #{ex.message}") + return false end - - def correct_group? - false + + # is the target's current group correct + def valid_group? + unless self.target_group.nil? + if self.target_group.is_a? String + !!(self.target_group == self.group) + else + !!(self.target_group == self.group(:id)) + end + else + # The group is OK if it wasn't specified + return true + end + rescue ArgumentError => ex + # The group is NOT OK if the group doesn't exist + WarningShot::PermissionResolver.logger.error("Group [#{self.target_group}] does not exist: #{ex.message}") + return false end - - def correct_mode? - false + + # is the target's current mode correct + def valid_mode? + unless self.target_mode.nil? + !!(self.mode == self.target_mode) + else + return true + end end end - + typecast Hash do |yaml| - PermissionResource.new yaml.delete(:path), - yaml.delete(:mode) || '0755', - yaml.delete(:user) || 'nobody', - yaml.delete(:group) || 'nobody', - yaml.delete(:recursive) || 'none' + PermissionResource.new File.expand_path(yaml[:target]), + yaml[:mode], + yaml[:user], + yaml[:group], + yaml[:recursive], + yaml[:no_follow] end - + + #Symlinks, directories and files are sometimes plain strings, these cant be resolved + # as far as permissions go, but should at least be cast properly + typecast(String){|target| PermissionResource.new File.expand_path(target), nil, nil, nil, nil, nil } + register :test do |resource| _valid = resource.exists? - - if _valid - _valid &= resource.correct_owner? - _valid &= resource.correct_group? - _valid &= resource.correct_mode? - end - - if _valid - logger.debug " ~ [PASSED] permission: #{resource.path}" + + if _valid && resource.permissions_supplied? + _valid &= resource.valid_user? + _valid &= resource.valid_group? + _valid &= resource.valid_mode? + + if _valid + logger.debug " ~ [PASSED] permission: #{resource.target}" + else + logger.warn " ~ [FAILED] permission: #{resource.target}" + end else - logger.warn " ~ [FAILED] permission: #{resource.path}" + logger.debug " ~ [N/A] no permissions supplied: #{resource.target}" end - + _valid end - + register :resolution do |resource| + resource.change_user! unless resource.valid_user? + resource.change_group! unless resource.valid_group? + resource.change_mode! unless resource.valid_mode? + + resource.permissions_correct? end end \ No newline at end of file lib/resolvers/permission_resolver.rb @@ -1,6 +1,3 @@ -# SHOUDL DETERMINE IF LINK EXISTS (File.stat().ftype == "link") -# and it points at proper file - class WarningShot::SymlinkResolver include WarningShot::Resolver add_dependency :core, 'fileutils' lib/resolvers/symlink_resolver.rb lib/warningshot/growl.rb lib/warningshot/suite.rb more/ssh_resolver.rb more/ssh_resolver_spec.rb tasks/yard.rb @@ -9,10 +9,35 @@ # - /etc/nginx # - /tmp # - /mnt/media +# - {target: '/tmp/wherever'} # :test: [] # :qa: [] # :production: [] +# The PermissionResolver piggybacks on the FileResolver, SymlinkResolver and DirectoryResolver. +# Each of the config files associated with those resolvers can include the following +# options in their hash to be parsed by the permission resolver. So you will not generally have a 'permission.yml' file. +# Instead these options should be specified on a file in files.yml directories.yml or symlinks.yml + +# Each environt takes an array hashes +# @param target [String] REQUIRED +# the path to check permissions +# +# @param mode [String] OPTIONAL; +# MOde of file 0777, 0755, etc +# +# @param user [String|Integer] OPTIONAL; +# User that should own resource (name or ID) +# +# @param group [STring|Integer] OPTIONAL; +# Group that should own resource (name or ID) +# +# @param recursive [String|nil] OPTIONAL; Default nil +# What methods should be recursvie: 'chmod','chown','both' +# +# You can additionally set permissions like: +# - { target: "/tmp/cool_directory", mode: "777", user: "www-data", group: "www-data", recursive: "both"} + --- :branch: directory :environments: templates/directories.yml @@ -8,6 +8,28 @@ # - /etc/nginx/nginx.conf # - { target: "./public/this.txt", source: "http://example.com/index.html"} # - { target: "file:///tmp/somefile.txt", source: "~/.secret/file.txt"} + +# The PermissionResolver piggybacks on the FileResolver, SymlinkResolver and DirectoryResolver. +# Each of the config files associated with those resolvers can include the following +# options in their hash to be parsed by the permission resolver. So you will not generally have a 'permission.yml' file. +# Instead these options should be specified on a file in files.yml directories.yml or symlinks.yml + +# Each environt takes an array hashes +# @param target [String] REQUIRED +# the path to check permissions +# +# @param mode [String] OPTIONAL; +# MOde of file 0777, 0755, etc +# +# @param user [String|Integer] OPTIONAL; +# User that should own resource (name or ID) +# +# @param group [STring|Integer] OPTIONAL; +# Group that should own resource (name or ID) +# +# You can additionally set permissions like: +# - { target: "file:///tmp/somefile.txt", source: "~/.secret/file.txt", mode: "777", user: "www-data", group: "www-data"} + --- - :branch: file :environments: templates/files.yml @@ -20,6 +20,30 @@ # - { target: "/super/symlink", source: "/some/target/directory/"} # - { target: "/etc/my/awesome.conf", source: "/etc/the/real.conf"} +# The PermissionResolver piggybacks on the FileResolver, SymlinkResolver and DirectoryResolver. +# Each of the config files associated with those resolvers can include the following +# options in their hash to be parsed by the permission resolver. So you will not generally have a 'permission.yml' file. +# Instead these options should be specified on a file in files.yml directories.yml or symlinks.yml + +# Each environt takes an array hashes +# @param target [String] REQUIRED +# the path to check permissions +# +# @param mode [String] OPTIONAL; +# MOde of file 0777, 0755, etc +# +# @param user [String|Integer] OPTIONAL; +# User that should own resource (name or ID) +# +# @param group [STring|Integer] OPTIONAL; +# Group that should own resource (name or ID) +# +# @param follow [String|nil] OPTIONAL; Default nil (doesnt follow) +# What methods should be recursvie: 'chmod','chown','both' +# +# You can additionally set permissions like: +# - { target: "/tmp/somefile.txt", source: "~/my/link.txt", mode: "777", user: "www-data", group: "www-data", follow: 'both'} + --- :branch: symlink :environments: templates/symlinks.yml test/data/faux_test.yml test/data/faux_test_resolver.rb @@ -1,10 +1,75 @@ +#See TODO's below... (maybe the best bet it to take command line flags for User/Group names?) + +# Auto-generated ruby debug require +require 'rubygems' +require "ruby-debug" +Debugger.start +Debugger.settings[:autoeval] = true if Debugger.respond_to?(:settings) + require '.' / 'lib' / 'resolvers' / 'permission_resolver' describe WarningShot::PermissionResolver do before :all do + #You can add additional groups to try here... + @group_names = ['everyone'] + + # Test if user can chown/chmod files to found group... if not nil out names... + @grp_chmod_test = File.expand_path($test_data / "group_w_test.txt") + FileUtils.touch @grp_chmod_test + + # Set the @test_group_* for the first group found + Etc.group {|grp| + if @group_names.member?(grp.name) + begin + if @test_group_name.nil? && @test_group_id.nil? + @test_group_name = grp.name + @test_group_id = grp.gid + File.chown(nil,@test_group_id,@grp_chmod_test) + end + rescue Exception => ex + #Could chown group, keep looking... + @test_group_name = nil + @test_group_id = nil + end + end + } + + #Remove the chmod/chown test file + FileUtils.rm @grp_chmod_test + + #Test file for changing permissions + @perm_test_file = File.expand_path($test_data / "permission_test_#{Time.now.to_i}.txt") + File.open(@perm_test_file,"w+") do |fs| + fs.puts "This file is used for testing the PermissionResolver" + end + + #Test directory for recursive permissions + @perm_test_directory = File.expand_path($test_data / "permission_test_dir_#{Time.now.to_i}") + @perm_test_directory_subdirectory = File.expand_path(@perm_test_directory / "subdirectory") + FileUtils.mkdir_p @perm_test_directory_subdirectory + + #Test link target for testing nofollow + @perm_test_link_tgt = File.expand_path($test_data / "permission_test_link_tgt_#{Time.now.to_i}") + FileUtils.ln_s @perm_test_file, @perm_test_link_tgt + + #Use the create file above to get the current processes User/Group info + @orig_user_uid = File.stat(@perm_test_file).uid + @orig_user_name = Etc.getpwuid(@orig_user_uid).name + + @orig_group_gid = File.stat(@perm_test_file).gid + @orig_group_name = Etc.getgrgid(@orig_group_gid).name + + @orig_mode = File.stat(@perm_test_file).mode + WarningShot::PermissionResolver.logger = $logger end + after :all do + FileUtils.rm @perm_test_file + FileUtils.rm_rf @perm_test_directory + FileUtils.rm @perm_test_link_tgt + end + it 'should have tests registered' do WarningShot::PermissionResolver.tests.empty?.should be(false) end @@ -12,45 +77,212 @@ describe WarningShot::PermissionResolver do it 'should have resolutions registered' do WarningShot::PermissionResolver.resolutions.empty?.should be(false) end - - it 'should be able to determine if the user permission is correct' do - _file = $test_data / 'permission_test.txt' - _file2 = $test_data / 'permission_test.fake' - - resolver = WarningShot::PermissionResolver.new(WarningShot::Config.create,:file,{ - :path => _file, :mode => '0755', - :user => 'www-data', :group => 'www-data', - :recursive => "none" - }) - - resolver2 = WarningShot::PermissionResolver.new(WarningShot::Config.create,:file,{ - :path => _file2, :mode => '0755', - :user => 'www-data', :group => 'www-data', - :recursive => "none" - }) - - pending - end - - it 'should be able to determine if the group permission is correct' do - pending - end - - it 'should be able to determine if the mode is correct' do - pending + + describe WarningShot::PermissionResolver::PermissionResource do + it 'should be able to determine if its user permission is correct' do + + #Verify valid user by ID + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,@orig_user_uid,nil,nil) + pr.valid_user?.should be(true) + + #Verify valid user by name + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,@orig_user_name,nil,nil) + pr.valid_user?.should be(true) + + #Get a user that isn't the user that currently owns the file + test_user = Etc.passwd + if test_user.uid == @orig_user_uid + test_user = Etc.passwd + end + + #Invalid user by ID + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,test_user.uid,nil,nil) + pr.valid_user?.should be(false) + + #Invalid user by name + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,test_user.name,nil,nil) + pr.valid_user?.should be(false) + end + + it 'should consider the user permission to be correct if not provided' do + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,nil,nil) + pr.valid_user?.should be(true) + end + + it 'should consider the user permission to be incorrect if the user does not exist' do + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,"randouser-#{Time.now.to_i}",nil,nil) + pr.valid_user?.should be(false) + end + + it 'should be able to determine if its group permission is correct' do + + #Verify valid group by ID + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,@orig_group_gid,nil) + pr.valid_group?.should be(true) + + #Verify valid group by name + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,@orig_group_name,nil) + pr.valid_group?.should be(true) + + #Get a group that isn't the group that currently owns the file + test_group = Etc.group + if test_group.gid == @orig_group_gid + test_group = Etc.group + end + + #Invalid group by ID + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,test_group.gid,nil) + pr.valid_group?.should be(false) + + #Invalid group by name + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,test_group.name,nil) + pr.valid_group?.should be(false) + end + + it 'should consider the group permission to be correct if not provided' do + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,nil,nil) + pr.valid_group?.should be(true) + end + + it 'should consider the group permission to be incorrect if the group does not exist' do + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,"randogroup-#{Time.now.to_i}",nil) + pr.valid_group?.should be(false) + end + + it 'should be able to determine if its mode is correct' do + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,'777',nil,nil,nil) + pr.valid_mode?.should be(false) + + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,'644',nil,nil,nil) + pr.valid_mode?.should be(true) + + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,'644',nil,nil,nil) + pr.valid_mode?.should be(true) + end + + it 'should consider the mode to be correct if the mode is not provided' do + pr = WarningShot::PermissionResolver::PermissionResource.new(@perm_test_file,nil,nil,nil,nil) + pr.valid_mode?.should be(true) + end end - + describe 'with healing enabled and with healing instructions' do - it 'should be able to correct the user' do + it 'should consider a dependency met if passed a string and the target exists' do + pr = WarningShot::PermissionResolver.new(WarningShot::Config.create, :file, @perm_test_file) + pr.test! + pr.passed.first.met.should be(true) + end + + it 'should be able to correct the user by name' do + # TODO How do you test this w/o SUDO, or without knowing the names of users/groups on test machine pending end - - it 'should be able to correct the group' do + it 'should be able to correct the user by id' do + # TODO How do you test this w/o SUDO, or without knowing the names of users/groups on test machine pending end - + + it 'should be able to correct the group by id' do + # Mark the spec as pending if it couldnt find a group to run this as + if @test_group_id + perm_file = { + :target => @perm_test_file, + :group => @test_group_id + } + + pr = WarningShot::PermissionResolver.new(WarningShot::Config.create, :file, perm_file) + + pr.test! + pr.failed.length.should be(1) + pr.resolve! + pr.resolved.length.should be(1) + + (File.stat(@perm_test_file).gid).should == @test_group_id + + #give it back to original group + File.chown(nil,@orig_group_gid,@perm_test_file) + else + # TODO How do you test this w/o SUDO, or without knowing the names of users/groups on test machine + pending + end + end + + it 'should be able to correct the group by name' do + # Mark the spec as pending if it couldnt find a group to run this as + if @test_group_name + perm_file = { + :target => @perm_test_file, + :group => @test_group_name + } + + pr = WarningShot::PermissionResolver.new(WarningShot::Config.create, :file, perm_file) + + pr.test! + pr.failed.length.should be(1) + + pr.resolve! + pr.resolved.length.should be(1) + + Etc.getgrgid(File.stat(@perm_test_file).gid).name.should == @test_group_name + + #Give it back to the original group + File.chown(nil,@orig_group_id,@perm_test_file) + else + # TODO How do you test this w/o SUDO, or without knowing the names of users/groups on test machine + pending + end + end + it 'should be able to correct the mode' do - pending + perm_file = { + :target => @perm_test_file, + :mode => '777' + } + pr = WarningShot::PermissionResolver.new(WarningShot::Config.create, :file, perm_file) + + pr.test! + pr.failed.length.should be(1) + pr.resolve! + pr.resolved.length.should be(1) + + ("%o" % (File.stat(@perm_test_file).mode & 007777)).to_i.should be(777) + + #set the mode back + File.chmod(@orig_mode,@perm_test_file) + end + + it 'should be able to correct permissions recursively for directories' do + perm_file = { + :target => @perm_test_directory, + :mode => '777', + :recursive => 'chmod' + } + pr = WarningShot::PermissionResolver.new(WarningShot::Config.create, :file, perm_file) + + pr.test! + pr.failed.length.should be(1) + pr.resolve! + pr.resolved.length.should be(1) + + ("%o" % (File.stat(@perm_test_directory).mode & 007777)).to_i.should be(777) + ("%o" % (File.stat(@perm_test_directory_subdirectory).mode & 007777)).to_i.should be(777) + end + + it 'should be able to correct permissions on links and not targets (no follow)' do + perm_file = { + :target => @perm_test_link_tgt, + :mode => '777', + :no_follow => 'chmod' + } + pr = WarningShot::PermissionResolver.new(WarningShot::Config.create, :file, perm_file) + + pr.test! + pr.failed.length.should be(1) + pr.resolve! + pr.resolved.length.should be(1) + + File.stat(@perm_test_file).mode.should == @orig_mode + ("%o" % (File.lstat(@perm_test_link_tgt).mode & 007777)).to_i.should be(777) end end end \ No newline at end of file test/spec/unit/resolvers/permission_resolver_spec.rb warningshot.gemspec yardoc_template.txt templates/permissions.yml test/data/permission_test.txt f95810417d2109d8e0a086e33e25acd779c390a7 Cory ODaniel contact@coryodaniel.com http://github.com/coryodaniel/warningshot/commit/f439654326b36b9b9f06b88fc72a2e0323e449f8 f439654326b36b9b9f06b88fc72a2e0323e449f8 2009-01-27T21:00:25-08:00 2009-01-27T21:00:25-08:00 Permission Resolver complete, note the notes on retarded rpsec testing since chmod/chown are sensitive commands... 1a601cb29e50a688d5e326702206f491801e22a1 Cory ODaniel contact@coryodaniel.com