Merge pull request coreos#1325 from sohankunkerkar/file-perm

Allow Ignition to preserve special file mode bits for specs >= 3.4.0
sohankunkerkar · Apr 10, 2022 · 3cd0933 · 3cd0933
2 parents 919102e + b42eac0
commit 3cd0933
Show file tree

Hide file tree

Showing 26 changed files with 330 additions and 43 deletions.
diff --git a/config/shared/errors/errors.go b/config/shared/errors/errors.go
@@ -62,6 +62,7 @@ var (
 	ErrClevisCustomWithOthers    = errors.New("cannot use custom clevis config with tpm2, tang, or threshold")
 	ErrTangThumbprintRequired    = errors.New("thumbprint is required")
 	ErrFileIllegalMode           = errors.New("illegal file mode")
+	ErrModeSpecialBits           = errors.New("setuid/setgid/sticky bits are not supported in spec versions older than 3.4.0")
 	ErrBothIDAndNameSet          = errors.New("cannot set both id and name")
 	ErrLabelTooLong              = errors.New("partition labels may not exceed 36 characters")
 	ErrDoesntMatchGUIDRegex      = errors.New("doesn't match the form \"01234567-89AB-CDEF-EDCB-A98765432101\"")

diff --git a/config/v3_0/types/directory.go b/config/v3_0/types/directory.go
@@ -22,5 +22,6 @@ import (
 func (d Directory) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(d.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(d.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(d.Mode))
 	return
 }
diff --git a/config/v3_0/types/file.go b/config/v3_0/types/file.go
@@ -25,6 +25,7 @@ import (
 func (f File) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(f.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(f.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(f.Mode))
 	r.AddOnError(c.Append("overwrite"), f.validateOverwrite())
 	return
 }

diff --git a/config/v3_0/types/mode.go b/config/v3_0/types/mode.go
@@ -24,3 +24,13 @@ func validateMode(m *int) error {
 	}
 	return nil
 }
+
+func validateModeSpecialBits(m *int) error {
+	if m != nil {
+		mode := uint32(*m)
+		if mode&07000 != 0 {
+			return errors.ErrModeSpecialBits
+		}
+	}
+	return nil
+}
diff --git a/config/v3_0/types/mode_test.go b/config/v3_0/types/mode_test.go
@@ -15,11 +15,12 @@
 package types
 
 import (
-	"reflect"
+	"fmt"
 	"testing"
 
 	"github.com/coreos/ignition/v2/config/shared/errors"
 	"github.com/coreos/ignition/v2/config/util"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestModeValidate(t *testing.T) {
@@ -52,11 +53,58 @@ func TestModeValidate(t *testing.T) {
 			errors.ErrFileIllegalMode,
 		},
 	}
+	for i, test := range tests {
+		t.Run(fmt.Sprintf("validate %d", i), func(t *testing.T) {
+			actual := validateMode(test.in)
+			expected := test.out
+			assert.Equal(t, actual, expected, "bad validation for mode")
+		})
+	}
+}
 
+func TestPermissionBitsValidate(t *testing.T) {
+	tests := []struct {
+		in  *int
+		out error
+	}{
+		{
+			nil,
+			nil,
+		},
+		{
+			util.IntToPtr(0),
+			nil,
+		},
+		{
+			util.IntToPtr(0644),
+			nil,
+		},
+		{
+			util.IntToPtr(0755),
+			nil,
+		},
+		{
+			util.IntToPtr(0777),
+			nil,
+		},
+		{
+			util.IntToPtr(01755),
+			errors.ErrModeSpecialBits,
+		},
+		{
+			util.IntToPtr(02755),
+			errors.ErrModeSpecialBits,
+		},
+		{
+			util.IntToPtr(04755),
+			errors.ErrModeSpecialBits,
+		},
+	}
 	for i, test := range tests {
-		err := validateMode(test.in)
-		if !reflect.DeepEqual(test.out, err) {
-			t.Errorf("#%d: bad err: want %v, got %v", i, test.out, err)
-		}
+		t.Run(fmt.Sprintf("validate %d", i), func(t *testing.T) {
+			actual := validateModeSpecialBits(test.in)
+			expected := test.out
+			assert.Equal(t, actual, expected, "bad validation for special bits")
+		})
 	}
 }
diff --git a/config/v3_1/types/directory.go b/config/v3_1/types/directory.go
@@ -22,5 +22,6 @@ import (
 func (d Directory) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(d.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(d.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(d.Mode))
 	return
 }
diff --git a/config/v3_1/types/file.go b/config/v3_1/types/file.go
@@ -25,6 +25,7 @@ import (
 func (f File) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(f.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(f.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(f.Mode))
 	r.AddOnError(c.Append("overwrite"), f.validateOverwrite())
 	return
 }

diff --git a/config/v3_1/types/mode.go b/config/v3_1/types/mode.go
@@ -24,3 +24,13 @@ func validateMode(m *int) error {
 	}
 	return nil
 }
+
+func validateModeSpecialBits(m *int) error {
+	if m != nil {
+		mode := uint32(*m)
+		if mode&07000 != 0 {
+			return errors.ErrModeSpecialBits
+		}
+	}
+	return nil
+}
diff --git a/config/v3_1/types/mode_test.go b/config/v3_1/types/mode_test.go
@@ -15,11 +15,12 @@
 package types
 
 import (
-	"reflect"
+	"fmt"
 	"testing"
 
 	"github.com/coreos/ignition/v2/config/shared/errors"
 	"github.com/coreos/ignition/v2/config/util"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestModeValidate(t *testing.T) {
@@ -52,11 +53,58 @@ func TestModeValidate(t *testing.T) {
 			errors.ErrFileIllegalMode,
 		},
 	}
+	for i, test := range tests {
+		t.Run(fmt.Sprintf("validate %d", i), func(t *testing.T) {
+			actual := validateMode(test.in)
+			expected := test.out
+			assert.Equal(t, actual, expected, "bad validation for mode")
+		})
+	}
+}
 
+func TestPermissionBitsValidate(t *testing.T) {
+	tests := []struct {
+		in  *int
+		out error
+	}{
+		{
+			nil,
+			nil,
+		},
+		{
+			util.IntToPtr(0),
+			nil,
+		},
+		{
+			util.IntToPtr(0644),
+			nil,
+		},
+		{
+			util.IntToPtr(0755),
+			nil,
+		},
+		{
+			util.IntToPtr(0777),
+			nil,
+		},
+		{
+			util.IntToPtr(01755),
+			errors.ErrModeSpecialBits,
+		},
+		{
+			util.IntToPtr(02755),
+			errors.ErrModeSpecialBits,
+		},
+		{
+			util.IntToPtr(04755),
+			errors.ErrModeSpecialBits,
+		},
+	}
 	for i, test := range tests {
-		err := validateMode(test.in)
-		if !reflect.DeepEqual(test.out, err) {
-			t.Errorf("#%d: bad err: want %v, got %v", i, test.out, err)
-		}
+		t.Run(fmt.Sprintf("validate %d", i), func(t *testing.T) {
+			actual := validateModeSpecialBits(test.in)
+			expected := test.out
+			assert.Equal(t, actual, expected, "bad validation for special bits")
+		})
 	}
 }
diff --git a/config/v3_2/types/directory.go b/config/v3_2/types/directory.go
@@ -22,5 +22,6 @@ import (
 func (d Directory) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(d.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(d.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(d.Mode))
 	return
 }
diff --git a/config/v3_2/types/file.go b/config/v3_2/types/file.go
@@ -25,6 +25,7 @@ import (
 func (f File) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(f.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(f.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(f.Mode))
 	r.AddOnError(c.Append("overwrite"), f.validateOverwrite())
 	return
 }

diff --git a/config/v3_2/types/mode.go b/config/v3_2/types/mode.go
@@ -24,3 +24,13 @@ func validateMode(m *int) error {
 	}
 	return nil
 }
+
+func validateModeSpecialBits(m *int) error {
+	if m != nil {
+		mode := uint32(*m)
+		if mode&07000 != 0 {
+			return errors.ErrModeSpecialBits
+		}
+	}
+	return nil
+}
diff --git a/config/v3_2/types/mode_test.go b/config/v3_2/types/mode_test.go
@@ -15,11 +15,12 @@
 package types
 
 import (
-	"reflect"
+	"fmt"
 	"testing"
 
 	"github.com/coreos/ignition/v2/config/shared/errors"
 	"github.com/coreos/ignition/v2/config/util"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestModeValidate(t *testing.T) {
@@ -52,11 +53,58 @@ func TestModeValidate(t *testing.T) {
 			errors.ErrFileIllegalMode,
 		},
 	}
+	for i, test := range tests {
+		t.Run(fmt.Sprintf("validate %d", i), func(t *testing.T) {
+			actual := validateMode(test.in)
+			expected := test.out
+			assert.Equal(t, actual, expected, "bad validation for mode")
+		})
+	}
+}
 
+func TestPermissionBitsValidate(t *testing.T) {
+	tests := []struct {
+		in  *int
+		out error
+	}{
+		{
+			nil,
+			nil,
+		},
+		{
+			util.IntToPtr(0),
+			nil,
+		},
+		{
+			util.IntToPtr(0644),
+			nil,
+		},
+		{
+			util.IntToPtr(0755),
+			nil,
+		},
+		{
+			util.IntToPtr(0777),
+			nil,
+		},
+		{
+			util.IntToPtr(01755),
+			errors.ErrModeSpecialBits,
+		},
+		{
+			util.IntToPtr(02755),
+			errors.ErrModeSpecialBits,
+		},
+		{
+			util.IntToPtr(04755),
+			errors.ErrModeSpecialBits,
+		},
+	}
 	for i, test := range tests {
-		err := validateMode(test.in)
-		if !reflect.DeepEqual(test.out, err) {
-			t.Errorf("#%d: bad err: want %v, got %v", i, test.out, err)
-		}
+		t.Run(fmt.Sprintf("validate %d", i), func(t *testing.T) {
+			actual := validateModeSpecialBits(test.in)
+			expected := test.out
+			assert.Equal(t, actual, expected, "bad validation for special bits")
+		})
 	}
 }
diff --git a/config/v3_3/types/directory.go b/config/v3_3/types/directory.go
@@ -22,5 +22,6 @@ import (
 func (d Directory) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(d.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(d.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(d.Mode))
 	return
 }
diff --git a/config/v3_3/types/file.go b/config/v3_3/types/file.go
@@ -25,6 +25,7 @@ import (
 func (f File) Validate(c path.ContextPath) (r report.Report) {
 	r.Merge(f.Node.Validate(c))
 	r.AddOnError(c.Append("mode"), validateMode(f.Mode))
+	r.AddOnWarn(c.Append("mode"), validateModeSpecialBits(f.Mode))
 	r.AddOnError(c.Append("overwrite"), f.validateOverwrite())
 	return
 }

diff --git a/config/v3_3/types/mode.go b/config/v3_3/types/mode.go
@@ -24,3 +24,13 @@ func validateMode(m *int) error {
 	}
 	return nil
 }
+
+func validateModeSpecialBits(m *int) error {
+	if m != nil {
+		mode := uint32(*m)
+		if mode&07000 != 0 {
+			return errors.ErrModeSpecialBits
+		}
+	}
+	return nil
+}