Add funcs in pkg/filesystem/util that can actually set file permissiosn

on Windows and update container log dir perms to 660 on Windows
2024-04-24 11:54:14 -07:00
parent 9b7a839bde
commit b377dfba0c
5 changed files with 300 additions and 8 deletions
--- a/pkg/util/filesystem/util_windows_test.go
+++ b/pkg/util/filesystem/util_windows_test.go
@@ -20,9 +20,12 @@ limitations under the License.
 package filesystem

 import (
+	"fmt"
 	"math/rand"
 	"net"
 	"os"
+	"path/filepath"
+	"strings"
 	"sync"
 	"testing"
 	"time"
@@ -30,6 +33,8 @@ import (
 	winio "github.com/Microsoft/go-winio"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"golang.org/x/sys/windows"
 )

 func TestIsUnixDomainSocketPipe(t *testing.T) {
@@ -89,6 +94,119 @@ func TestPendingUnixDomainSocket(t *testing.T) {
 	unixln.Close()
 }

+func TestWindowsChmod(t *testing.T) {
+	// Note: OWNER will be replaced with the actual owner SID in the test cases
+	testCases := []struct {
+		fileMode           os.FileMode
+		expectedDescriptor string
+	}{
+		{
+			fileMode:           0777,
+			expectedDescriptor: "O:OWNERG:BAD:PAI(A;OICI;FA;;;OWNER)(A;OICI;FA;;;BA)(A;OICI;FA;;;BU)",
+		},
+		{
+			fileMode:           0750,
+			expectedDescriptor: "O:OWNERG:BAD:PAI(A;OICI;FA;;;OWNER)(A;OICI;0x1200a9;;;BA)", // 0x1200a9 = GENERIC_READ | GENERIC_EXECUTE
+		},
+		{
+			fileMode:           0664,
+			expectedDescriptor: "O:OWNERG:BAD:PAI(A;OICI;0x12019f;;;OWNER)(A;OICI;0x12019f;;;BA)(A;OICI;FR;;;BU)", // 0x12019f = GENERIC_READ | GENERIC_WRITE
+		},
+	}
+
+	for _, testCase := range testCases {
+		tempDir, err := os.MkdirTemp("", "test-dir")
+		require.NoError(t, err, "Failed to create temporary directory.")
+		defer os.RemoveAll(tempDir)
+
+		// Set the file GROUP to BUILTIN\Administrators (BA) for test determinism and
+		err = setGroupInfo(tempDir, "S-1-5-32-544")
+		require.NoError(t, err, "Failed to set group for directory.")
+
+		err = Chmod(tempDir, testCase.fileMode)
+		require.NoError(t, err, "Failed to set permissions for directory.")
+
+		owner, descriptor, err := getPermissionsInfo(tempDir)
+		require.NoError(t, err, "Failed to get permissions for directory.")
+
+		expectedDescriptor := strings.ReplaceAll(testCase.expectedDescriptor, "OWNER", owner)
+
+		assert.Equal(t, expectedDescriptor, descriptor, "Unexpected DACL for directory. when setting permissions to %o", testCase.fileMode)
+	}
+}
+
+// Gets the owner and entire security descriptor of a file or directory in the SDDL format
+// https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
+func getPermissionsInfo(path string) (string, string, error) {
+	sd, err := windows.GetNamedSecurityInfo(
+		path,
+		windows.SE_FILE_OBJECT,
+		windows.DACL_SECURITY_INFORMATION|windows.OWNER_SECURITY_INFORMATION|windows.GROUP_SECURITY_INFORMATION)
+	if err != nil {
+		return "", "", fmt.Errorf("Error getting security descriptor for file %s: %v", path, err)
+	}
+
+	owner, _, err := sd.Owner()
+	if err != nil {
+		return "", "", fmt.Errorf("Error getting owner SID for file %s: %v", path, err)
+	}
+
+	sdString := sd.String()
+
+	return owner.String(), sdString, nil
+}
+
+// Sets the GROUP of a file or a directory to the specified group
+func setGroupInfo(path, group string) error {
+	groupSID, err := windows.StringToSid(group)
+	if err != nil {
+		return fmt.Errorf("Error converting group name %s to SID: %v", group, err)
+
+	}
+
+	err = windows.SetNamedSecurityInfo(
+		path,
+		windows.SE_FILE_OBJECT,
+		windows.GROUP_SECURITY_INFORMATION,
+		nil, // owner SID
+		groupSID,
+		nil, // DACL
+		nil, //SACL
+	)
+
+	if err != nil {
+		return fmt.Errorf("Error setting group SID for file %s: %v", path, err)
+	}
+
+	return nil
+}
+
+// TestDeleteFilePermissions tests that when a folder's permissions are set to 0660, child items
+// cannot be deleted in the folder but when a folder's permissions are set to 0770, child items can be deleted.
+func TestDeleteFilePermissions(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "test-dir")
+	require.NoError(t, err, "Failed to create temporary directory.")
+
+	err = Chmod(tempDir, 0660)
+	require.NoError(t, err, "Failed to set permissions for directory to 0660.")
+
+	filePath := filepath.Join(tempDir, "test-file")
+	err = os.WriteFile(filePath, []byte("test"), 0440)
+	require.NoError(t, err, "Failed to create file in directory.")
+
+	err = os.Remove(filePath)
+	require.Error(t, err, "Expected expected error when trying to remove file in directory.")
+
+	err = Chmod(tempDir, 0770)
+	require.NoError(t, err, "Failed to set permissions for directory to 0770.")
+
+	err = os.Remove(filePath)
+	require.NoError(t, err, "Failed to remove file in directory.")
+
+	err = os.Remove(tempDir)
+	require.NoError(t, err, "Failed to remove directory.")
+}
+
 func TestAbsWithSlash(t *testing.T) {
 	// On Windows, filepath.IsAbs will not return True for paths prefixed with a slash
 	assert.True(t, IsAbs("/test"))