dependency management, now tesing it on containers
LeChatP committed Sep 4, 2024
1 parent 6fd8919 commit 7496618
Showing 13 changed files with 210 additions and 128 deletions.
3 changes: 1 addition & 2 deletions .cargo/config.toml
@@ -1,3 +1,2 @@
[alias]
xtask = "run --package xtask --"
dependencies = "run --package dependencies --"
xtask = "run --package xtask --release --"
14 changes: 2 additions & 12 deletions .github/workflows/build.yml
Expand Up @@ -12,14 +12,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Update version
run: sudo apt-get update
- name: Install Dependencies
run: |
. ./dependencies.sh -yd
sudo ./configure.sh -yd
sudo sed -i 's/"immutable": true/"immutable": false/g' /etc/security/rootasrole.json
echo "/home/runner/.cargo/bin" >> $GITHUB_PATH
- name: Configure PAM
run: |
sudo bash -c 'echo "#%PAM-1.0
Expand All @@ -32,16 +24,14 @@ jobs:
session [success=1 default=ignore] pam_permit.so
session requisite pam_permit.so
session required pam_permit.so" | tee /etc/pam.d/sr'
- name: Install RootAsRole
run: sudo cargo xtask install --debug
- name: Add read access on config on rootasrole... Because Github Actions...
run: sudo chmod a+r /etc/security/rootasrole.json
- name: print config
run: cat /etc/security/rootasrole.json
- name: getenv
run: env
- name: Install Project
env:
PROFILE: debug
run: make -e install
- name: Run Sr
env:
RUST_LOG: debug
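Review bot: The workflow no longer runs `apt-get update`, `dependencies.sh`, or the step that appended `~/.cargo/bin` to `$GITHUB_PATH`, so the new `make -e install` step is now the only place build prerequisites and the Rust toolchain can come from; if the Makefile (not among this commit's visible hunks) does not install them itself, the job will fail at that step. The `sed` that forced `"immutable": false` in `/etc/security/rootasrole.json` was dropped as well; the configure.rs change in this commit that tolerates a failed filesystem check inside a container looks like its replacement, but that should be confirmed on a runner where the config file is actually created. A one-line comment on the `Install Project` step such as `# make install is expected to install build dependencies on the runner` would make that intent explicit. The `Run Sr` step continues past the end of this section.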
1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -33,6 +33,7 @@ opt-level = "s"
[[bin]]
name = "sr"
path = "src/sr/main.rs"
required-features = ["rar-common/pcre2"]


[[bin]]
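Review bot: `required-features = ["rar-common/pcre2"]` on the `sr` target makes cargo silently skip building `sr` whenever that feature is not enabled (a plain `cargo build` with no `--features` flag), rather than failing with an error. The xtask path in this commit passes `--features rar-common/pcre2`, but every other build entry point (the CI's `make -e install`, packaging scripts) must do the same or it ends up without the `sr` binary. A comment next to this line naming the requirement, e.g. `# sr needs PCRE2 for regex argument matching; build with --features rar-common/pcre2`, would save the next person that debugging session.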
8 changes: 0 additions & 8 deletions dependencies.rs

This file was deleted.

70 changes: 0 additions & 70 deletions dependencies.sh

This file was deleted.

5 changes: 4 additions & 1 deletion rar-common/Cargo.toml
Expand Up @@ -43,4 +43,7 @@ tracing = "0.1.37"
tracing-subscriber = { version = "0.3.16", default-features = false, features = ["env-filter", "fmt"] }
pest-test-gen = "0.1.7"
pest-test = "0.1.6"
lazy_static = "1.4.0"
lazy_static = "1.4.0"

[features]
pcre2 = []
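Review bot: The new `pcre2 = []` feature gates the `#[cfg(feature = "pcre2")]` code paths but does not gate the `pcre2` crate itself; unless the dependency declaration (not visible in this hunk) is marked `optional = true` and the feature is spelled `pcre2 = ["dep:pcre2"]`, every build of rar-common — including the `chsr` build that xtask compiles without the feature — still compiles and links pcre2 and its native library. If the goal is to drop that dependency for chsr, the feature has to reference the optional dependency; if the goal is only to toggle the code paths, a comment on the feature saying so (`# only switches the regex code paths; the crate is still a hard dependency`) would prevent the wrong assumption.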
23 changes: 18 additions & 5 deletions rar-common/src/database/finder.rs
Expand Up @@ -13,6 +13,7 @@ use nix::{
libc::dev_t,
unistd::{Group, Pid, User},
};
#[cfg(feature = "pcre2")]
use pcre2::bytes::RegexBuilder;
use strum::EnumIs;
use tracing::{debug, warn};
Expand Down Expand Up @@ -397,14 +398,26 @@ fn match_args(input_args: &[String], role_args: &[String]) -> Result<CmdMin, Box
debug!("Matching args {:?} with {:?}", commandline, role_args);
if commandline != role_args {
debug!("test regex");
let regex = RegexBuilder::new().build(&role_args)?;
if regex.is_match(commandline.as_bytes())? {
return Ok(CmdMin::RegexArgs);
}
return evaluate_regex_cmd(role_args, commandline).inspect_err(|e| {
debug!("No match for args {:?}", input_args);
});
} else {
return Ok(CmdMin::Match);
}
debug!("No match for args {:?}", input_args);
}

#[cfg(feature = "pcre2")]
fn evaluate_regex_cmd(role_args: String, commandline: String) -> Result<CmdMin, Box<dyn Error>> {
let regex = RegexBuilder::new().build(&role_args)?;
if regex.is_match(commandline.as_bytes())? {
Ok(CmdMin::RegexArgs)
} else {
Err(Box::new(MatchError::NoMatch))
}
}

#[cfg(not(feature = "pcre2"))]
fn evaluate_regex_cmd(_role_args: String, _commandline: String) -> Result<CmdMin, Box<dyn Error>> {
Err(Box::new(MatchError::NoMatch))
}

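Review bot: The `#[cfg(not(feature = "pcre2"))]` variant of `evaluate_regex_cmd` denies every role whose argument list is a regex, which is the right fail-closed default, but it does so silently: a build without the feature rejects commands the policy was written to allow and the only trace is the caller's `debug!`. Since `warn` is already imported in this file, a `warn!("regex argument matching requires the pcre2 feature; denying");` inside that fallback would let an administrator tell the difference between a policy mistake and a build without regex support. Two smaller points: the closure in `inspect_err(|e| { ... })` never uses `e` and should be `|_|`, and `evaluate_regex_cmd` takes `String` by value in both variants where `&str` would avoid forcing the caller to move or clone its values. `match_args` begins before this hunk.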
68 changes: 45 additions & 23 deletions rar-common/src/database/options.rs
Expand Up @@ -6,6 +6,7 @@ use chrono::Duration;
use libc::PATH_MAX;
use linked_hash_set::LinkedHashSet;

#[cfg(feature = "pcre2")]
use pcre2::bytes::Regex;
use serde::{Deserialize, Deserializer, Serialize};
use serde_json::{Map, Value};
Expand Down Expand Up @@ -325,32 +326,49 @@ impl Default for SPathOptions {
}
}

fn is_valid_env_name(s: &str) -> bool {
let mut chars = s.chars();

// Check if the first character is a letter or underscore
if let Some(first_char) = chars.next() {
if !(first_char.is_ascii_alphabetic() || first_char == '_') {
return false;
}
} else {
return false; // Empty string
}

// Check if the remaining characters are alphanumeric or underscores
chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

#[cfg(feature = "pcre2")]
fn is_regex(s: &str) -> bool {
Regex::new(s).is_ok()
}

#[cfg(not(feature = "pcre2"))]
fn is_regex(_s: &str) -> bool {
true // Always return true if regex feature is disabled
}

impl EnvKey {
pub fn new(s: String) -> Result<Self, String> {
//debug!("Creating env key: {}", s);
if Regex::new("^[a-zA-Z_]+[a-zA-Z0-9_]*$") // check if it is a valid env name
.unwrap()
.is_match(s.as_bytes())
.is_ok_and(|m| m)
if is_valid_env_name(&s)
{
Ok(EnvKey {
env_type: EnvKeyType::Normal,
value: s,
})
} else if Regex::new("^[a-zA-Z_*?]+.*$") // check if it is a valid env name
.unwrap()
.is_match(s.as_bytes())
.is_ok_and(|m| m)
} else if is_regex(&s)
{
Ok(EnvKey {
env_type: EnvKeyType::Wildcarded,
value: s,
})
} else {
Err(format!(
"Invalid env key {}, must start with letter or underscore following by a regex",
s
))
Err(format!("env key {}, must be a valid env, or a valid regex", s))
}
}
}
Expand Down Expand Up @@ -428,13 +446,7 @@ impl<T> EnvSet for HashMap<String, T> {
EnvKeyType::Normal => self.contains_key(&wildcarded.value),
EnvKeyType::Wildcarded => {
self.keys().any(|s| {
Regex::new(&format!(
"^{}$",
wildcarded.value.replace('*', ".*").replace('?', ".")
)) // convert to regex
.unwrap()
.is_match(s.as_bytes())
.is_ok_and(|m| m)
check_wildcarded(wildcarded, s)
})
}
}
Expand All @@ -447,16 +459,26 @@ impl EnvSet for LinkedHashSet<EnvKey> {
EnvKeyType::Normal => self.contains(wildcarded),
EnvKeyType::Wildcarded => {
self.iter().any(|s| {
Regex::new(&format!("^{}$", wildcarded.value)) // convert to regex
.unwrap()
.is_match(s.value.as_bytes())
.is_ok_and(|m| m)
check_wildcarded(wildcarded, &s.value)
})
}
}
}
}

#[cfg(feature = "pcre2")]
fn check_wildcarded(wildcarded: &EnvKey, s: &String) -> bool {
Regex::new(&format!("^{}$", wildcarded.value)) // convert to regex
.unwrap()
.is_match(s.as_bytes())
.is_ok_and(|m| m)
}

#[cfg(not(feature = "pcre2"))]
fn check_wildcarded(_wildcarded: &EnvKey, _s: &String) -> bool {
true
}

fn tz_is_safe(tzval: &str) -> bool {
// tzcode treats a value beginning with a ':' as a path.
let tzval = if tzval.starts_with(':') {
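Review bot: The `#[cfg(not(feature = "pcre2"))]` fallbacks are fail-open: `check_wildcarded` returning `true` makes a `Wildcarded` key match every entry of any non-empty set in both `EnvSet` impls, and `is_regex` returning `true` lets `EnvKey::new` accept any string as a wildcard key, so a build without the feature (the `chsr` build, per the xtask change in this commit) validates nothing and matches everything. Whether that is over-permissive or over-restrictive depends on whether a given set is an allow-list or a deny-list, which this hunk does not show, but `false` (fail closed) plus a comment on both functions stating that wildcard keys are unsupported without pcre2 is the safer default. Note also that the removed `HashMap` branch translated `*`/`?` into `.*`/`.` before building the regex, while the shared `check_wildcarded` now uses `wildcarded.value` verbatim, so an existing glob-style key such as `*_PATH` is rejected by `is_regex` under pcre2 and, if it reaches `check_wildcarded` by another path, hits the `.unwrap()` on a policy-controlled pattern; `Regex::new(&format!("^{}$", wildcarded.value)).is_ok_and(|re| re.is_match(s.as_bytes()).is_ok_and(|m| m))` avoids that panic. Minor: `s: &String` should be `s: &str`. `tz_is_safe` continues past the end of this hunk.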
14 changes: 10 additions & 4 deletions xtask/src/install/build.rs
Expand Up @@ -3,20 +3,26 @@ use std::process::Command;

use super::BuildOptions;

pub fn build(options: &BuildOptions) -> Result<(), anyhow::Error> {
fn build_binary(name: &str, options: &BuildOptions, additionnal_args: Vec<&str>) {
let toolchain = format!("+{}", options.toolchain.to_string());
let mut args = vec![toolchain.as_str(), "build", "--bin", "sr", "--bin", "chsr"];
let mut args = vec![&toolchain, "build", "--bin", name];
if options.profile.is_release() {
args.push("--release");
}
if options.clean_before {
args.push("--clean");
}
println!("Building sr and chsr with {:?}", &args);
args.extend(additionnal_args);
Command::new("cargo")
.args(args)
.status()
.expect("failed to install rootasrole");
.expect(format!("failed to build {} binary", name).as_str());
}

pub fn build(options: &BuildOptions) -> Result<(), anyhow::Error> {

build_binary("sr", options, vec!["--features", "rar-common/pcre2"]);
build_binary("chsr", options, vec![]);

Ok(())
}
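Review bot: `build_binary` ignores the exit status of `cargo build`: `.status()` only errors when cargo cannot be spawned, so a compile failure still leaves `build` returning `Ok(())` and the install proceeds with a stale or missing binary. Since `build` already returns `Result<(), anyhow::Error>`, `build_binary` should return the same, check `status.success()`, and both call sites should propagate with `?`. Also `.expect(format!(...).as_str())` formats the message on every call (clippy `expect_fun_call`), `options.toolchain.to_string()` inside `format!` is redundant, and `additionnal_args` is misspelled. The `--clean` push is pre-existing context, but `cargo build` has no `--clean` flag, so that branch deserves a look as well.
```rust
fn build_binary(name: &str, options: &BuildOptions, additional_args: Vec<&str>) -> Result<(), anyhow::Error> {
    let toolchain = format!("+{}", options.toolchain);
    // … unchanged: args construction and profile/clean flags …
    let status = Command::new("cargo").args(args).status()?;
    if !status.success() {
        anyhow::bail!("cargo build for {} failed with {}", name, status);
    }
    Ok(())
}

pub fn build(options: &BuildOptions) -> Result<(), anyhow::Error> {
    build_binary("sr", options, vec!["--features", "rar-common/pcre2"])?;
    build_binary("chsr", options, vec![])?;
    Ok(())
}
```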
3 changes: 2 additions & 1 deletion xtask/src/install/configure.rs
Expand Up @@ -161,7 +161,8 @@ fn deploy_config_file() -> Result<ConfigState, anyhow::Error> {

match status {
ConfigState::Unchanged => {
println!("Config file newly created or has not been modified checking if filesystem allows immutability");
println!("Config file newly created or has not been modified.");
println!("Checking if filesystem allows immutability.");
let res = check_filesystem().context("Failed to configure the filesystem parameter");
if res.is_err() {
// If the filesystem check fails, ignore the error if running in a container as it may not have immutable access