forked from apptainer/singularity
/
file.go
237 lines (215 loc) · 6.19 KB
/
file.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
// Copyright (c) 2018, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.
package capabilities
import (
"encoding/json"
"fmt"
"io/ioutil"
"os"
"syscall"
)
// Caplist defines a map of users/groups with associated list of capabilities
type Caplist map[string][]string
type data struct {
Users Caplist `json:"users,omitempty"`
Groups Caplist `json:"groups,omitempty"`
}
// File represents a file containing a list of users/groups
// associated with authorized capabilities
type File struct {
file *os.File
data *data
}
// Open reads a capability file provided in path and returns a capability
// file with users/groups authorized capabilities
func Open(path string, readonly bool) (*File, error) {
oldmask := syscall.Umask(0)
defer syscall.Umask(oldmask)
flag := os.O_RDWR | os.O_CREATE
if readonly {
flag = os.O_RDONLY
}
f, err := os.OpenFile(path, flag, 0644)
if err != nil {
return nil, fmt.Errorf("failed to open %s capabilities: %s", path, err)
}
file := &File{file: f, data: &data{
Users: make(Caplist, 0),
Groups: make(Caplist, 0),
}}
b, err := ioutil.ReadAll(f)
if err != nil {
f.Close()
return nil, fmt.Errorf("failed to read %s: %s", path, err)
}
if len(b) > 0 {
if err := json.Unmarshal(b, file.data); err != nil {
f.Close()
return nil, fmt.Errorf("failed to decode JSON data in %s: %s", path, err)
}
} else {
data, err := json.Marshal(file.data)
if err != nil {
f.Close()
return nil, fmt.Errorf("failed to initialize data")
}
json.Unmarshal(data, file.data)
}
return file, nil
}
// Write writes capability modification into opened file
func (f *File) Write() error {
json, err := json.MarshalIndent(f.data, "", "\t")
if err != nil {
return fmt.Errorf("failed to save capabilities in file %s: %s", f.file.Name(), err)
}
if err := f.file.Truncate(0); err != nil {
return fmt.Errorf("failed to truncate file %s: %s", f.file.Name(), err)
}
if n, err := f.file.Seek(0, os.SEEK_SET); err != nil || n != 0 {
return fmt.Errorf("failed to reset %s cursor: %s", f.file.Name(), err)
}
if f.file.Write(json); err != nil {
return fmt.Errorf("failed to save capabilities in file %s: %s", f.file.Name(), err)
}
if f.file.Sync(); err != nil {
return fmt.Errorf("failed to flush capabilities in file %s: %s", f.file.Name(), err)
}
return nil
}
// Close closes capability file
func (f *File) Close() error {
return f.file.Close()
}
func (f *File) checkCaps(caps []string) error {
for _, c := range caps {
if _, ok := Map[c]; !ok {
return fmt.Errorf("unknown capability %s", c)
}
}
return nil
}
// AddUserCaps adds an authorized capability set to user
func (f *File) AddUserCaps(user string, caps []string) error {
if err := f.checkCaps(caps); err != nil {
return err
}
for _, cap := range caps {
present := false
for _, c := range f.data.Users[user] {
if c == cap {
present = true
}
}
if !present {
f.data.Users[user] = append(f.data.Users[user], cap)
}
}
return nil
}
// AddGroupCaps adds an authorized capability set to group
func (f *File) AddGroupCaps(group string, caps []string) error {
if err := f.checkCaps(caps); err != nil {
return err
}
for _, cap := range caps {
present := false
for _, c := range f.data.Groups[group] {
if c == cap {
present = true
}
}
if !present {
f.data.Groups[group] = append(f.data.Groups[group], cap)
}
}
return nil
}
// DropUserCaps drops a set of capabilities for user
func (f *File) DropUserCaps(user string, caps []string) error {
if err := f.checkCaps(caps); err != nil {
return err
}
if _, ok := f.data.Users[user]; !ok {
return fmt.Errorf("user '%s' not found", user)
}
for _, cap := range caps {
for i := len(f.data.Users[user]) - 1; i >= 0; i-- {
if f.data.Users[user][i] == cap {
f.data.Users[user] = append(f.data.Users[user][:i], f.data.Users[user][i+1:]...)
}
}
}
return nil
}
// DropGroupCaps drops a set of capabilities for group
func (f *File) DropGroupCaps(group string, caps []string) error {
if err := f.checkCaps(caps); err != nil {
return err
}
if _, ok := f.data.Groups[group]; !ok {
return fmt.Errorf("group '%s' not found", group)
}
for _, cap := range caps {
for i := len(f.data.Groups[group]) - 1; i >= 0; i-- {
if f.data.Groups[group][i] == cap {
f.data.Groups[group] = append(f.data.Groups[group][:i], f.data.Groups[group][i+1:]...)
}
}
}
return nil
}
// ListUserCaps returns a capability list authorized for user
func (f *File) ListUserCaps(user string) []string {
return f.data.Users[user]
}
// ListGroupCaps returns a capability list authorized for group
func (f *File) ListGroupCaps(group string) []string {
return f.data.Groups[group]
}
// ListAllCaps returns capability list for both authorized users and groups
func (f *File) ListAllCaps() (Caplist, Caplist) {
return f.data.Users, f.data.Groups
}
// CheckUserCaps checks if provided capability list for user are whether
// or not authorized by returning two lists, the first one containing
// authorized capabilities and the second one containing unauthorized
// capabilities
func (f *File) CheckUserCaps(user string, caps []string) (authorized []string, unauthorized []string) {
for _, ca := range caps {
present := false
for _, userCap := range f.ListUserCaps(user) {
if userCap == ca {
authorized = append(authorized, ca)
present = true
break
}
}
if !present {
unauthorized = append(unauthorized, ca)
}
}
return authorized, unauthorized
}
// CheckGroupCaps checks if provided capability list for group are whether
// or not authorized by returning two lists, the first one containing
// authorized capabilities and the second one containing unauthorized
// capabilities
func (f *File) CheckGroupCaps(group string, caps []string) (authorized []string, unauthorized []string) {
for _, ca := range caps {
present := false
for _, groupCap := range f.ListGroupCaps(group) {
if groupCap == ca {
authorized = append(authorized, ca)
present = true
break
}
}
if !present {
unauthorized = append(unauthorized, ca)
}
}
return authorized, unauthorized
}