blueprint: add functions checking dir / file customizations policy

Add helper functions for checking directory and file blueprint customizations against the policy of allowed paths. These functions are not yet used in the distro definitions. Signed-off-by: Tomáš Hozza <thozza@redhat.com>
2023-02-03 15:21:42 +01:00 · 2023-02-03 15:21:42 +01:00 · 3ee973c8ee
commit 3ee973c8ee
parent b98f5dad70
2 changed files with 155 additions and 0 deletions
--- a/internal/blueprint/fsnode_customizations.go
+++ b/internal/blueprint/fsnode_customizations.go
@ -12,6 +12,7 @@ import (
 	"github.com/osbuild/osbuild-composer/internal/common"
 	"github.com/osbuild/osbuild-composer/internal/fsnode"
 	"github.com/osbuild/osbuild-composer/internal/pathpolicy"
 )
 // validateModeString checks that the given string is a valid mode octal number
@ -434,3 +435,37 @@ func ValidateDirFileCustomizations(dirs []DirectoryCustomization, files []FileCu
 	return nil
 }
 // CheckFileCustomizationsPolicy checks if the given File customizations are allowed by the path policy.
 // If any of the customizations are not allowed by the path policy, an error is returned. Otherwise, nil is returned.
 func CheckFileCustomizationsPolicy(files []FileCustomization, pathPolicy *pathpolicy.PathPolicies) error {
 	var invalidPaths []string
 	for _, file := range files {
 		if err := pathPolicy.Check(file.Path); err != nil {
 			invalidPaths = append(invalidPaths, file.Path)
 		}
 	}
 	if len(invalidPaths) > 0 {
 		return fmt.Errorf("the following custom files are not allowed: %+q", invalidPaths)
 	}
 	return nil
 }
 // CheckDirectoryCustomizationsPolicy checks if the given Directory customizations are allowed by the path policy.
 // If any of the customizations are not allowed by the path policy, an error is returned. Otherwise, nil is returned.
 func CheckDirectoryCustomizationsPolicy(dirs []DirectoryCustomization, pathPolicy *pathpolicy.PathPolicies) error {
 	var invalidPaths []string
 	for _, dir := range dirs {
 		if err := pathPolicy.Check(dir.Path); err != nil {
 			invalidPaths = append(invalidPaths, dir.Path)
 		}
 	}
 	if len(invalidPaths) > 0 {
 		return fmt.Errorf("the following custom directories are not allowed: %+q", invalidPaths)
 	}
 	return nil
 }
--- a/internal/blueprint/fsnode_customizations_test.go
+++ b/internal/blueprint/fsnode_customizations_test.go
@ -8,6 +8,7 @@ import (
 	"github.com/BurntSushi/toml"
 	"github.com/osbuild/osbuild-composer/internal/common"
 	"github.com/osbuild/osbuild-composer/internal/fsnode"
 	"github.com/osbuild/osbuild-composer/internal/pathpolicy"
 	"github.com/stretchr/testify/assert"
 )
@ -1132,3 +1133,122 @@ func TestValidateDirFileCustomizations(t *testing.T) {
 		})
 	}
 }
 func TestCheckFileCustomizationsPolicy(t *testing.T) {
 	policy := map[string]pathpolicy.PathPolicy{
 		"/":               {Deny: true},
 		"/etc":            {},
 		"/etc/fstab":      {Deny: true},
 		"/etc/os-release": {Deny: true},
 		"/etc/hostname":   {Deny: true},
 		"/etc/shadow":     {Deny: true},
 		"/etc/passwd":     {Deny: true},
 		"/etc/group":      {Deny: true},
 	}
 	pathPolicy := pathpolicy.NewPathPolicies(policy)
 	testCases := []struct {
 		Name  string
 		Files []FileCustomization
 		Error bool
 	}{
 		{
 			Name: "disallowed-file",
 			Files: []FileCustomization{
 				{
 					Path: "/etc/shadow",
 				},
 			},
 			Error: true,
 		},
 		{
 			Name: "disallowed-file-2",
 			Files: []FileCustomization{
 				{
 					Path: "/home/user/.ssh/authorized_keys",
 				},
 			},
 			Error: true,
 		},
 		{
 			Name: "disallowed-file-3",
 			Files: []FileCustomization{
 				{
 					Path: "/file",
 				},
 			},
 			Error: true,
 		},
 		{
 			Name: "allowed-file-named",
 			Files: []FileCustomization{
 				{
 					Path: "/etc/named.conf",
 				},
 			},
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.Name, func(t *testing.T) {
 			err := CheckFileCustomizationsPolicy(tc.Files, pathPolicy)
 			if tc.Error {
 				assert.Error(t, err)
 			} else {
 				assert.NoError(t, err)
 			}
 		})
 	}
 }
 func TestCheckDirectoryCustomizationsPolicy(t *testing.T) {
 	policy := map[string]pathpolicy.PathPolicy{
 		"/":    {Deny: true},
 		"/etc": {},
 	}
 	pathPolicy := pathpolicy.NewPathPolicies(policy)
 	testCases := []struct {
 		Name        string
 		Directories []DirectoryCustomization
 		Error       bool
 	}{
 		{
 			Name: "disallowed-directory",
 			Directories: []DirectoryCustomization{
 				{
 					Path: "/dir",
 				},
 			},
 			Error: true,
 		},
 		{
 			Name: "disallowed-directory-2",
 			Directories: []DirectoryCustomization{
 				{
 					Path: "/var/log/fancy-dir",
 				},
 			},
 			Error: true,
 		},
 		{
 			Name: "allowed-directory",
 			Directories: []DirectoryCustomization{
 				{
 					Path: "/etc/systemd/system/sshd.service.d",
 				},
 			},
 		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.Name, func(t *testing.T) {
 			err := CheckDirectoryCustomizationsPolicy(tc.Directories, pathPolicy)
 			if tc.Error {
 				assert.Error(t, err)
 			} else {
 				assert.NoError(t, err)
 			}
 		})
 	}
 }