authorPaul Bütow <pbuetow@mimecast.com>2020-01-26 11:26:53 +0000
committerPaul Bütow <pbuetow@mimecast.com>2020-02-07 13:31:15 +0000
commit0945da8dfefcbb723eecea0e5f4eafff63398253 (patch)
treef06dab4d2bf21d25d176b23d5baeca588d27f5d7 /internal/user
parent2a8e5de265a0e0a31a5834909d6879f5c9941467 (diff)
Introduce drun command, refactor code to use context package
Diffstat (limited to 'internal/user')
-rw-r--r--internal/user/name.go15
-rw-r--r--internal/user/server/user.go44
2 files changed, 40 insertions, 19 deletions
diff --git a/internal/user/name.go b/internal/user/name.go
index 5171ec7..28ab0a4 100644
--- a/internal/user/name.go
+++ b/internal/user/name.go
@@ -2,10 +2,10 @@ package user
import (
"os/user"
- )
+)
-
-func Name() string {
+// NoRootCheck verifies that the DTail run user is not with UID or GID 0.
+func NoRootCheck() {
user, err := user.Current()
if err != nil {
panic(err)
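Review bot: The new doc comment `// NoRootCheck verifies that the DTail run user is not with UID or GID 0.` does not say that failure is fatal: the function returns nothing and panics, both when `user.Current()` fails (visible here) and on the GID 0 branch in the next hunk, so callers cannot handle or log the failure themselves. Suggest `// NoRootCheck panics if the current run user cannot be determined or has UID 0 or GID 0; call it once at startup, before any privileged work.` The UID branch sits between the two hunks and is not visible, and NoRootCheck's body continues outside this hunk.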
@@ -18,7 +18,14 @@ func Name() string {
if user.Gid == "0" {
panic("Not allowed to run as GID 0")
}
+}
+
+// Name of the current run user.
+func Name() string {
+ user, err := user.Current()
+ if err != nil {
+ panic(err)
+ }
return user.Username
}
-
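Review bot: The GID check at `if user.Gid == "0"` looks only at the primary group, so a run user that carries root's group as a supplementary group still passes; `user.GroupIds()` returns every group ID of the user and each of them should be compared against `"0"`. As far as I recall `user.Current()` reports the real UID/GID, so the check would also miss a process that is effectively root through a setuid binary or `seteuid`; adding `os.Geteuid() == 0 || os.Getegid() == 0` to the condition would cover that case too (needs an `os` import). The new `Name()` repeats the `user.Current()` lookup and panics on error, which is acceptable for a startup helper but should be stated in its doc comment, e.g. `// Name returns the username of the current run user; it panics if the user cannot be determined.` NoRootCheck's body starts outside this hunk.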
diff --git a/internal/user/server/user.go b/internal/user/server/user.go
index fad38d8..271a4ac 100644
--- a/internal/user/server/user.go
+++ b/internal/user/server/user.go
@@ -1,14 +1,15 @@
package server
import (
- "github.com/mimecast/dtail/internal/config"
- "github.com/mimecast/dtail/internal/fs/permissions"
- "github.com/mimecast/dtail/internal/logger"
"fmt"
"os"
"path/filepath"
"regexp"
"strings"
+
+ "github.com/mimecast/dtail/internal/config"
+ "github.com/mimecast/dtail/internal/io/fs/permissions"
+ "github.com/mimecast/dtail/internal/io/logger"
)
const maxLinkDepth int = 100
@@ -37,26 +38,28 @@ func (u *User) String() string {
}
// HasFilePermission is used to determine whether user is alowed to read a file.
-func (u *User) HasFilePermission(filePath string) (hasPermission bool) {
+func (u *User) HasFilePermission(filePath, permissionType string) (hasPermission bool) {
+ logger.Debug(u, filePath, permissionType, "Checking config permissions")
+
cleanPath, err := filepath.EvalSymlinks(filePath)
if err != nil {
- logger.Error(u, filePath, "Unable to evaluate symlinks", err)
+ logger.Error(u, filePath, permissionType, "Unable to evaluate symlinks", err)
hasPermission = false
return
}
cleanPath, err = filepath.Abs(cleanPath)
if err != nil {
- logger.Error(u, cleanPath, "Unable to make file path absolute", err)
+ logger.Error(u, cleanPath, permissionType, "Unable to make file path absolute", err)
hasPermission = false
return
}
if cleanPath != filePath {
- logger.Info(u, filePath, cleanPath, "Calculated new clean path from original file path (possibly symlink)")
+ logger.Info(u, filePath, cleanPath, permissionType, "Calculated new clean path from original file path (possibly symlink)")
}
- hasPermission, err = u.hasFilePermission(cleanPath)
+ hasPermission, err = u.hasFilePermission(cleanPath, permissionType)
if err != nil {
logger.Warn(u, cleanPath, err)
}
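Review bot: The new `permissionType` parameter of HasFilePermission is a bare string that iteratePaths compares byte-for-byte against the `<type>:` prefix of each configured permission, so a caller typo such as "readfile" does not fail loudly but silently matches no permission at all; a named constant shared by the callers and the `typeStr := "readfiles"` default (e.g. `const PermissionReadFiles = "readfiles"`) would let the compiler catch that. The doc comment above the signature still describes only reading a file and should name the new parameter, e.g. `// HasFilePermission reports whether the user may access filePath with the given permissionType (e.g. "readfiles"), checking OS permissions first and then the DTail config.`, which also fixes the "alowed" typo. HasFilePermission's body continues past this hunk into the next one.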
@@ -64,12 +67,12 @@ func (u *User) HasFilePermission(filePath string) (hasPermission bool) {
return
}
-func (u *User) hasFilePermission(cleanPath string) (bool, error) {
+func (u *User) hasFilePermission(cleanPath, permissionType string) (bool, error) {
// First check file system Linux/UNIX permission.
if _, err := permissions.ToRead(u.Name, cleanPath); err != nil {
- return false, fmt.Errorf("User without OS file system permissions to read file: '%v'", err)
+ return false, fmt.Errorf("User without OS file system permissions to read path: '%v'", err)
}
- logger.Info(u, cleanPath, "User has OS file system permissions to read file")
+ logger.Info(u, cleanPath, permissionType, "User with OS file system permissions to path")
// If file system permission is given, also check permissions
// as configured in DTail config file.
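Review bot: The OS-level gate in hasFilePermission is still `permissions.ToRead` for every permissionType, while the new log line `"User with OS file system permissions to path"` drops the word "read", so the log no longer says which OS permission was actually verified. If permissionType can ever be something other than readfiles (the commit title introduces a drun command), the OS check should be selected to match it; until then keep the message precise, `logger.Info(u, cleanPath, permissionType, "User with OS file system read permission to path")`. Whether an unknown permissionType ends up denied depends on the remainder of hasFilePermission, which lies outside this hunk.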
@@ -84,7 +87,7 @@ func (u *User) hasFilePermission(cleanPath string) (bool, error) {
var hasPermission bool
var err error
- if hasPermission, err = u.iteratePaths(cleanPath); err != nil {
+ if hasPermission, err = u.iteratePaths(cleanPath, permissionType); err != nil {
return false, err
}
@@ -101,17 +104,28 @@ func (u *User) hasFilePermission(cleanPath string) (bool, error) {
return hasPermission, nil
}
-func (u *User) iteratePaths(cleanPath string) (bool, error) {
+func (u *User) iteratePaths(cleanPath, permissionType string) (bool, error) {
for _, permission := range u.permissions {
+ typeStr := "readfiles" // Assume ReadFiles by default.
+
var regexStr string
var negate bool
+ splitted := strings.Split(permission, ":")
+ if len(splitted) > 1 {
+ typeStr = splitted[0]
+ permission = strings.Join(splitted[1:], ":")
+ }
+
+ if typeStr != permissionType {
+ continue
+ }
+
+ regexStr = permission
if strings.HasPrefix(permission, "!") {
regexStr = permission[1:]
negate = true
}
- regexStr = permission
- negate = false
re, err := regexp.Compile(regexStr)
if err != nil {