From 1f2534d18da6c291033b133a8f24c64b81772c55 Mon Sep 17 00:00:00 2001 From: LeChatP Date: Mon, 6 May 2024 00:23:56 +0200 Subject: [PATCH 1/2] Tests and bugfix --- src/chsr/cli.pest | 8 +- src/chsr/cli.rs | 1968 +++++++++++++++++++++++++++++++++++-- src/chsr/main.rs | 1768 +-------------------------------- src/config.rs | 6 +- src/database/finder.rs | 3 +- src/database/mod.rs | 28 +- src/database/options.rs | 354 ++++++- src/database/structs.rs | 5 +- src/database/version.rs | 3 +- src/mod.rs | 3 +- src/plugin/hashchecker.rs | 1 - src/plugin/hierarchy.rs | 1 - src/sr/main.rs | 86 +- src/sr/timeout.rs | 10 +- 14 files changed, 2292 insertions(+), 1952 deletions(-) diff --git a/src/chsr/cli.pest b/src/chsr/cli.pest index f49f25d8..9141b631 100644 --- a/src/chsr/cli.pest +++ b/src/chsr/cli.pest @@ -184,11 +184,11 @@ opt_timeout_args = _{ opt_timeout_t_arg = ${ ("--type" ~ assignment? | "-t" ~ WHITESPACE*) ~ opt_timeout_type? } opt_timeout_type = { "tty" | "ppid" | "uid" } opt_timeout_d_arg = { ("--duration" ~ assignment? | "-d" ~ WHITESPACE*) ~ time? } -time = _{ (hours~colon)? ~ minutes ~ colon ~ seconds | (minutes~colon)? ~ seconds } +time = { (hours~colon)? ~ minutes ~ colon ~ seconds | (minutes~colon)? ~ seconds } colon = _{ ":"} -hours = { ASCII_DIGIT+ } -minutes = { ASCII_DIGIT+ } -seconds = { ASCII_DIGIT+ } +hours = _{ ASCII_DIGIT+ } +minutes = _{ ASCII_DIGIT+ } +seconds = _{ ASCII_DIGIT+ } opt_timeout_m_arg = { ("--max-usage" ~ assignment? | "-m" ~ WHITESPACE*) ~ opt_timeout_max_usage? } opt_timeout_max_usage = { ASCII_DIGIT+ } diff --git a/src/chsr/cli.rs b/src/chsr/cli.rs index afcf9a38..b1ee8013 100644 --- a/src/chsr/cli.rs +++ b/src/chsr/cli.rs @@ -24,7 +24,7 @@ use crate::{ SPathOptions, SPrivileged, STimeout, TimestampType, }, structs::{ - IdTask, SActor, SActorType, SCapabilities, SCommand, SCommands, SGroups, SRole, + IdTask, SActor, SActorType, SCapabilities, SCommand, SGroups, SRole, STask, SetBehavior, }, }, @@ -198,10 +198,19 @@ enum SetListType { CheckList, } +#[derive(Debug, PartialEq, Eq)] +#[repr(usize)] +enum TimeoutOpt { + Duration = 0, + Type, + MaxUsage, +} + #[derive(Debug)] struct Inputs { action: InputAction, setlist_type: Option, + timeout_arg: Option<[bool;3]>, timeout_type: Option, timeout_duration: Option, timeout_max_usage: Option, @@ -232,6 +241,7 @@ impl Default for Inputs { Inputs { action: InputAction::None, setlist_type: None, + timeout_arg: None, timeout_type: None, timeout_duration: None, timeout_max_usage: None, @@ -303,7 +313,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "allow-all" { inputs.cmd_policy = Some(SetBehavior::All); } else { - warn!("Unknown cmd policy: {}", pair.as_str()) + unreachable!("Unknown cmd policy: {}", pair.as_str()) } } Rule::caps_policy => { @@ -313,7 +323,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "allow-all" { inputs.cred_policy = Some(SetBehavior::All); } else { - warn!("Unknown caps policy: {}", pair.as_str()) + unreachable!("Unknown caps policy: {}", pair.as_str()) } } Rule::path_policy => { @@ -327,7 +337,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "inherit" { inputs.options_path_policy = Some(PathBehavior::Inherit); } else { - warn!("Unknown path policy: {}", pair.as_str()) + unreachable!("Unknown path policy: {}", pair.as_str()) } } Rule::env_policy => { @@ -339,7 +349,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "inherit" { inputs.options_env_policy = Some(EnvBehavior::Inherit); } else { - warn!("Unknown env policy: {}", pair.as_str()) + unreachable!("Unknown env policy: {}", pair.as_str()) } } // === timeout === @@ -348,20 +358,20 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { let mut duration: Duration = Duration::try_seconds(reversed.next().unwrap().parse::().unwrap_or(0)) .unwrap_or_default(); - if let Some(mins) = reversed.nth(1) { + if let Some(mins) = reversed.next() { duration = duration .checked_add( &Duration::try_minutes(mins.parse::().unwrap_or(0)) .unwrap_or_default(), ) .expect("Invalid minutes"); - } - if let Some(hours) = reversed.nth(2) { - duration = duration - .checked_add( - &Duration::try_hours(hours.parse::().unwrap_or(0)).unwrap_or_default(), - ) - .expect("Invalid hours"); + if let Some(hours) = reversed.next() { + duration = duration + .checked_add( + &Duration::try_hours(hours.parse::().unwrap_or(0)).unwrap_or_default(), + ) + .expect("Invalid hours"); + } } inputs.timeout_duration = Some(duration); } @@ -373,9 +383,24 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "uid" { inputs.timeout_type = Some(TimestampType::UID); } else { - warn!("Unknown timeout type: {}", pair.as_str()) + unreachable!("Unknown timeout type: {}", pair.as_str()) } } + Rule::opt_timeout_t_arg => { + let mut timeout_arg = inputs.timeout_arg.unwrap_or_default(); + timeout_arg[TimeoutOpt::Type as usize] = true; + inputs.timeout_arg.replace(timeout_arg); + } + Rule::opt_timeout_d_arg => { + let mut timeout_arg = inputs.timeout_arg.unwrap_or_default(); + timeout_arg[TimeoutOpt::Duration as usize] = true; + inputs.timeout_arg.replace(timeout_arg); + } + Rule::opt_timeout_m_arg => { + let mut timeout_arg = inputs.timeout_arg.unwrap_or_default(); + timeout_arg[TimeoutOpt::MaxUsage as usize] = true; + inputs.timeout_arg.replace(timeout_arg); + } Rule::opt_timeout_max_usage => { inputs.timeout_max_usage = Some(pair.as_str().parse::().unwrap()); } @@ -391,7 +416,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "tasks" { inputs.role_type = Some(RoleType::Tasks); } else { - warn!("Unknown role type: {}", pair.as_str()) + unreachable!("Unknown role type: {}", pair.as_str()) } } // === actors === @@ -429,12 +454,12 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { Rule::task_type_arg => { if pair.as_str() == "all" { inputs.task_type = Some(TaskType::All); - } else if pair.as_str() == "commands" || pair.as_str() == "cmds" { + } else if pair.as_str() == "commands" || pair.as_str() == "cmd" { inputs.task_type = Some(TaskType::Commands); } else if pair.as_str().starts_with("cred") { inputs.task_type = Some(TaskType::Credentials); } else { - warn!("Unknown role type: {}", pair.as_str()) + unreachable!("Unknown task type: {}", pair.as_str()); } } // === commands === @@ -493,12 +518,12 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { inputs.options_type = Some(OptType::Root); } else if pair.as_str() == "bounding" { inputs.options_type = Some(OptType::Bounding); - } else if pair.as_str() == "wildcard" { + } else if pair.as_str() == "wildcard-denied" { inputs.options_type = Some(OptType::Wildcard); } else if pair.as_str() == "timeout" { inputs.options_type = Some(OptType::Timeout); } else { - warn!("Unknown option type: {}", pair.as_str()) + unreachable!("Unknown option type: {}", pair.as_str()) } } Rule::path => { @@ -524,7 +549,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "inherit" { inputs.options_root = Some(SPrivileged::Inherit); } else { - warn!("Unknown root type: {}", pair.as_str()); + unreachable!("Unknown root type: {}", pair.as_str()); } } Rule::opt_bounding_args => { @@ -536,7 +561,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } else if pair.as_str() == "inherit" { inputs.options_bounding = Some(SBounding::Inherit); } else { - warn!("Unknown bounding type: {}", pair.as_str()); + unreachable!("Unknown bounding type: {}", pair.as_str()); } } Rule::wildcard_value => { @@ -555,6 +580,7 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } } + fn rule_to_string(rule: &Rule) -> String { match *rule { Rule::EOI => "no more input", @@ -901,7 +927,7 @@ where .retain(|a| !actors.contains(a)); Ok(true) } - _ => Err("Unknown action".into()), + _ => unreachable!("Invalid action"), } } }, @@ -985,7 +1011,7 @@ where } Ok(true) } - _ => Ok(false), + _ => unreachable!("Invalid action"), } } }, @@ -1032,6 +1058,7 @@ where cred_setgid, cmd_id: None, cmd_policy: None, + options: false, .. } => match storage { Storage::JSON(rconfig) => { @@ -1069,6 +1096,7 @@ where setlist_type: Some(setlist_type), cred_caps: Some(cred_caps), cmd_policy: None, + options: false, .. } => match storage { Storage::JSON(rconfig) => { @@ -1101,9 +1129,7 @@ where .unwrap() .add = cred_caps; } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, SetListType::BlackList => match action { InputAction::Add => { @@ -1130,13 +1156,9 @@ where .unwrap() .sub = cred_caps; } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, - _ => { - return Err("Unknown setlist type".into()); - } + _ => unreachable!("Unknown setlist type"), } Ok(true) } @@ -1145,6 +1167,7 @@ where role_id: Some(role_id), task_id: Some(task_id), cred_policy: Some(cred_policy), + options: false, .. } => match storage { Storage::JSON(rconfig) => { @@ -1241,9 +1264,7 @@ where *c != SCommand::Simple(cmd_id.clone()) }); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, SetListType::BlackList => match action { InputAction::Add => { @@ -1280,13 +1301,9 @@ where .sub .retain(|c| c != &SCommand::Simple(cmd_id.clone())); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, - _ => { - return Err("Unknown setlist type".into()); - } + _ => unreachable!("Unknown setlist type"), } Ok(true) } @@ -1402,9 +1419,7 @@ where opt.as_ref().borrow_mut().wildcard_denied = None; return Ok(()); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), } Ok(()) @@ -1434,9 +1449,7 @@ where Some(SetListType::BlackList) => { path.sub = options_path.split(':').map(|s| s.to_string()).collect(); } - _ => { - return Err("Unknown setlist type".into()); - } + _ => unreachable!("Unknown setlist type"), } Ok(()) })?; @@ -1465,9 +1478,7 @@ where Some(SetListType::BlackList) => { path.sub.clear(); } - _ => { - return Err("Unknown setlist type".into()); - } + _ => unreachable!("Unknown setlist type"), } Ok(()) })?; @@ -1499,20 +1510,53 @@ where Some(SetListType::CheckList) => { env.check = options_env.clone(); } - _ => { - return Err("Internal Error: setlist type not found".into()); - } + _ => unreachable!("Unknown setlist type"), } Ok(()) })?; Ok(true) } }, + Inputs { + // chsr o timeout set --type tty --duration 00:00:00 --max-usage 1 + action: InputAction::Del, + role_id, + task_id, + options: true, + timeout_arg: Some(timeout_arg), + setlist_type: None, + .. + } => match storage { + Storage::JSON(rconfig) => { + perform_on_target_opt(rconfig, role_id, task_id, |opt: Rc>| { + let mut timeout = STimeout::default(); + if timeout_arg[TimeoutOpt::Type as usize] { + timeout.type_field = None; + } + if timeout_arg[TimeoutOpt::Duration as usize] { + timeout.duration = None; + } + if timeout_arg[TimeoutOpt::MaxUsage as usize] { + timeout.max_usage = None; + } + if timeout_arg.iter().all(|b| *b) { + opt.as_ref().borrow_mut().timeout = None; + } else { + opt.as_ref().borrow_mut().timeout = Some(timeout); + } + + Ok(()) + })?; + Ok(true) + } + }, Inputs { // chsr o timeout set --type tty --duration 00:00:00 --max-usage 1 action: InputAction::Set, role_id, task_id, + options: true, + timeout_arg: Some(_), timeout_type, timeout_duration, timeout_max_usage, @@ -1522,10 +1566,10 @@ where perform_on_target_opt(rconfig, role_id, task_id, |opt: Rc>| { let mut timeout = STimeout::default(); if let Some(timeout_type) = timeout_type { - timeout.type_field = timeout_type; + timeout.type_field = Some(timeout_type); } if let Some(duration) = timeout_duration { - timeout.duration = duration; + timeout.duration = Some(duration); } if let Some(max_usage) = timeout_max_usage { timeout.max_usage = Some(max_usage); @@ -1558,6 +1602,7 @@ where .extend(options_path.split(':').map(|s| s.to_string())); } InputAction::Del => { + debug!("path.add del {:?}", path.add); let hashset = options_path .split(':') .map(|s| s.to_string()) @@ -1568,9 +1613,7 @@ where .cloned() .collect::>(); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, Some(SetListType::BlackList) => match action { InputAction::Add => { @@ -1578,6 +1621,7 @@ where .extend(options_path.split(':').map(|s| s.to_string())); } InputAction::Del => { + debug!("path.del del {:?}", path.sub); let hashset = options_path .split(':') .map(|s| s.to_string()) @@ -1588,13 +1632,9 @@ where .cloned() .collect::>(); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, - _ => { - return Err("Unknown setlist type".into()); - } + _ => unreachable!("Unknown setlist type"), } Ok(()) })?; @@ -1644,9 +1684,7 @@ where InputAction::Purge => { env.keep = LinkedHashSet::new(); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, SetListType::BlackList => match action { InputAction::Add => { @@ -1668,9 +1706,7 @@ where InputAction::Purge => { env.delete = LinkedHashSet::new(); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, SetListType::CheckList => match action { InputAction::Add => { @@ -1692,9 +1728,7 @@ where InputAction::Purge => { env.check = LinkedHashSet::new(); } - _ => { - return Err("Unknown action".into()); - } + _ => unreachable!("Unknown action"), }, } Ok(()) @@ -1847,7 +1881,19 @@ fn print_task( #[cfg(test)] mod tests { + use std::{io::Write, rc::Rc}; + + use crate::common::{config, database::{read_json_config, structs::SCredentials}}; + + use super::super::common::{ + config::{RemoteStorageSettings, SettingsFile, ROOTASROLE, Storage}, + database::{options::*, structs::*, version::Versioning}, + }; + use super::*; + use capctl::Cap; + use chrono::TimeDelta; + use tracing::error; fn make_args(args: &str) -> String { shell_words::join(shell_words::split(args).unwrap()) @@ -1930,4 +1976,1780 @@ mod tests { assert_eq!(inputs.role_id, Some("r1".to_string())); assert_eq!(inputs.role_type, Some(RoleType::All)); } + + + + + fn setup() { + //Write json test json file + let mut file = std::fs::File::create(ROOTASROLE).unwrap(); + let mut settings = SettingsFile::default(); + settings.storage.method = config::StorageMethod::JSON; + settings.storage.settings = Some(RemoteStorageSettings::default()); + settings.storage.settings.as_mut().unwrap().path = Some(ROOTASROLE.into()); + settings.storage.settings.as_mut().unwrap().immutable = Some(false); + + let mut opt = Opt::default(); + + opt.timeout = Some(STimeout::default()); + opt.timeout.as_mut().unwrap().type_field = Some(TimestampType::PPID); + opt.timeout.as_mut().unwrap().duration = Some(TimeDelta::hours(15) + .checked_add(&TimeDelta::minutes(30)) + .unwrap() + .checked_add(&TimeDelta::seconds(30)) + .unwrap()); + opt.timeout.as_mut().unwrap().max_usage = Some(1); + + opt.path = Some(SPathOptions::default()); + opt.path.as_mut().unwrap().default_behavior = PathBehavior::Delete; + opt.path.as_mut().unwrap().add = vec!["path1".to_string(), "path2".to_string()] + .into_iter() + .collect(); + opt.path.as_mut().unwrap().sub = vec!["path3".to_string(), "path4".to_string()] + .into_iter() + .collect(); + + opt.env = Some(SEnvOptions::default()); + opt.env.as_mut().unwrap().default_behavior = EnvBehavior::Delete; + opt.env.as_mut().unwrap().keep = vec!["env1".into(), "env2".into()].into_iter().collect(); + opt.env.as_mut().unwrap().check = vec!["env3".into(), "env4".into()].into_iter().collect(); + opt.env.as_mut().unwrap().delete = vec!["env5".into(), "env6".into()].into_iter().collect(); + + opt.root = Some(SPrivileged::Privileged); + opt.bounding = Some(SBounding::Ignore); + opt.wildcard_denied = Some("*".to_string()); + + settings.config.as_ref().borrow_mut().options = Some(rc_refcell!(opt.clone())); + + settings.config.as_ref().borrow_mut().roles = vec![]; + + let mut role = SRole::default(); + role.name = "complete".to_string(); + role.actors = vec![ + SActor::from_user_id(0), + SActor::from_group_id(0), + SActor::from_group_vec_string(vec!["groupA", "groupB"]), + ]; + role.options = Some(rc_refcell!(opt.clone())); + let role = rc_refcell!(role); + + let mut task = STask::new(IdTask::Name("t_complete".to_string()), Rc::downgrade(&role)); + task.purpose = Some("complete".to_string()); + task.commands = SCommands::default(); + task.commands.default_behavior = Some(SetBehavior::All); + task.commands.add.push(SCommand::Simple("ls".to_string())); + task.commands.add.push(SCommand::Simple("echo".to_string())); + task.commands.sub.push(SCommand::Simple("cat".to_string())); + task.commands.sub.push(SCommand::Simple("grep".to_string())); + + task.cred = SCredentials::default(); + task.cred.setuid = Some(SActorType::Name("user1".to_string())); + task.cred.setgid = Some(SGroups::Multiple(vec![ + SActorType::Name("group1".to_string()), + SActorType::Name("group2".to_string()), + ])); + task.cred.capabilities = Some(SCapabilities::default()); + task.cred.capabilities.as_mut().unwrap().default_behavior = SetBehavior::All; + task.cred + .capabilities + .as_mut() + .unwrap() + .add + .add(Cap::LINUX_IMMUTABLE); + task.cred + .capabilities + .as_mut() + .unwrap() + .add + .add(Cap::NET_BIND_SERVICE); + task.cred + .capabilities + .as_mut() + .unwrap() + .sub + .add(Cap::SYS_ADMIN); + task.cred + .capabilities + .as_mut() + .unwrap() + .sub + .add(Cap::SYS_BOOT); + + task.options = Some(rc_refcell!(opt.clone())); + + role.as_ref().borrow_mut().tasks.push(rc_refcell!(task)); + settings.config.as_ref().borrow_mut().roles.push(role); + + let versionned = Versioning::new(settings.clone()); + + file.write_all( + serde_json::to_string_pretty(&versionned) + .unwrap() + .as_bytes(), + ) + .unwrap(); + + file.flush().unwrap(); + } + + fn teardown() { + //Remove json test file + std::fs::remove_file(ROOTASROLE).unwrap(); + } + // we need to test every commands + // chsr r r1 create + // chsr r r1 delete + // chsr r r1 show (actors|tasks|all) + // chsr r r1 purge (actors|tasks|all) + // chsr r r1 grant -u user1 -g group1 group2&group3 + // chsr r r1 revoke -u user1 -g group1 group2&group3 + // chsr r r1 task t1 show (all|cmd|cred) + // chsr r r1 task t1 purge (all|cmd|cred) + // chsr r r1 t t1 add + // chsr r r1 t t1 del + // chsr r r1 t t1 commands show + // chsr r r1 t t1 cmd setpolicy (deny-all|allow-all) + // chsr r r1 t t1 cmd (whitelist|blacklist) (add|del) super command with spaces + // chsr r r1 t t1 credentials show + // chsr r r1 t t1 cred (unset|set) --caps capA,capB,capC --setuid user1 --setgid group1,group2 + // chsr r r1 t t1 cred caps setpolicy (deny-all|allow-all) + // chsr r r1 t t1 cred caps (whitelist|blacklist) (add|del) capA capB capC + // chsr (r r1) (t t1) options show (all|path|env|root|bounding|wildcard-denied) + // chsr o path set /usr/bin:/bin this regroups setpolicy delete and whitelist set + // chsr o path setpolicy (delete-all|keep-all|inherit) + // chsr o path (whitelist|blacklist) (add|del|set|purge) /usr/bin:/bin + + // chsr o env set MYVAR=1 VAR2=2 //this regroups setpolicy delete and whitelist set + // chsr o env setpolicy (delete-all|keep-all|inherit) + // chsr o env (whitelist|blacklist|checklist) (add|del|set|purge) MYVAR=1 + + // chsr o root (privileged|user|inherit) + // chsr o bounding (strict|ignore|inherit) + // chsr o wildcard-denied (set|add|del) * + + // chsr o timeout set --type tty --duration 5:00 --max_usage 1 + // chsr o t unset --type --duration --max_usage + + //TODO: verify values + #[test] + fn test_all_main() { + setup(); + + // lets test every commands + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "--help"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "r1", "create"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "r1", "delete"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "show", "actors"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "show", "tasks"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "show", "all"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "purge", "actors"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "purge", "tasks"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "purge", "all"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "grant", + "-u", + "user1", + "-g", + "group1", + "-g", + "group2&group3" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "revoke", + "-u", + "user1", + "-g", + "group1", + "-g", + "group2&group3" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "task", "t_complete", "show", "all"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "task", "t_complete", "show", "cmd"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "task", + "t_complete", + "show", + "cred" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "task", + "t_complete", + "purge", + "all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "task", + "t_complete", + "purge", + "cmd" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "task", + "t_complete", + "purge", + "cred" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "t", "t1", "add"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "t", "t1", "del"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cmd", + "setpolicy", + "deny-all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cmd", + "setpolicy", + "allow-all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cmd", + "whitelist", + "add", + "super command with spaces" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cmd", + "blacklist", + "add", + "super", + "command", + "with", + "spaces" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cmd", + "whitelist", + "del", + "super command with spaces" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cmd", + "blacklist", + "del", + "super command with spaces" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + // let settings = config::get_settings().expect("Failed to get settings"); + // assert!(main( + // &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + // vec!["chsr", "r", "complete", "t", "t_complete", "credentials", "show"], + // ) + // .inspect_err(|e| { + // error!("{}", e); + // }) + // .inspect(|e| { + // debug!("{}",e); + // }) + // .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "unset", + "--caps", + "capA,capB,capC", + "--setuid", + "user1", + "--setgid", + "group1,group2" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "set", + "--caps", + "capA,capB,capC", + "--setuid", + "user1", + "--setgid", + "group1,group2" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "caps", + "setpolicy", + "deny-all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "caps", + "setpolicy", + "allow-all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "caps", + "whitelist", + "add", + "capA", + "capB", + "capC" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "caps", + "blacklist", + "add", + "capA", + "capB", + "capC" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "caps", + "whitelist", + "del", + "capA", + "capB", + "capC" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "cred", + "caps", + "blacklist", + "del", + "capA", + "capB", + "capC" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "options", "show", "all"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "options", "show", "path"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec!["chsr", "r", "complete", "options", "show", "bounding"], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "options", + "show", + "env" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "options", + "show", + "root" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "options", + "show", + "bounding" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "options", + "show", + "wildcard-denied" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| !b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "set", + "/usr/bin:/bin" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "setpolicy", + "delete-all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "setpolicy", + "keep-unsafe" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "setpolicy", + "inherit" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "whitelist", + "add", + "/usr/bin:/bin" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "whitelist", + "del", + "/usr/bin:/bin" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "whitelist", + "set", + "/usr/bin:/bin" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "whitelist", + "purge" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "blacklist", + "add", + "/usr/bin:/bin" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "blacklist", + "del", + "/usr/bin:/bin" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "blacklist", + "set", + "/usr/bin:/bin" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "path", + "blacklist", + "purge" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "set", + "MYVAR,VAR2" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "setpolicy", + "delete-all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "setpolicy", + "keep-all" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "setpolicy", + "inherit" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "whitelist", + "add", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "whitelist", + "del", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "whitelist", + "set", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "whitelist", + "purge" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "blacklist", + "add", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "blacklist", + "del", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "blacklist", + "set", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "blacklist", + "purge" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "checklist", + "add", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "checklist", + "del", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "checklist", + "set", + "MYVAR" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "env", + "checklist", + "purge" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "root", + "privileged" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "root", + "user" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "root", + "inherit" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "bounding", + "strict" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "bounding", + "ignore" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "bounding", + "inherit" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "wildcard-denied", + "set", + "*" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "wildcard-denied", + "add", + "*" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "wildcard-denied", + "del", + "*" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "timeout", + "set", + "--type", + "tty", + "--duration", + "15:05:10", + "--max-usage", + "1" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + let settings = config::get_settings().expect("Failed to get settings"); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "t", + "t_complete", + "o", + "timeout", + "unset", + "--type", + "--duration", + "--max-usage" + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_ok_and(|b| b)); + assert!(main( + &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), + vec![ + "chsr", + "r", + "complete", + "tosk", + ], + ) + .inspect_err(|e| { + error!("{}", e); + }) + .inspect(|e| { + debug!("{}", e); + }) + .is_err()); + teardown(); + } } diff --git a/src/chsr/main.rs b/src/chsr/main.rs index 326eb14e..eabacecf 100644 --- a/src/chsr/main.rs +++ b/src/chsr/main.rs @@ -14,6 +14,7 @@ mod cli; #[path = "../mod.rs"] mod common; +#[cfg(not(tarpaulin_include))] fn main() -> Result<(), Box> { subsribe("chsr"); drop_effective()?; @@ -39,1769 +40,4 @@ fn main() -> Result<(), Box> { } else { Ok(()) } -} - -#[cfg(test)] -mod tests { - use std::{io::Write, rc::Rc}; - - use self::common::{ - config::{RemoteStorageSettings, SettingsFile, ROOTASROLE}, - database::{options::*, structs::*, version::Versioning}, - }; - - use super::*; - use capctl::Cap; - use chrono::TimeDelta; - use common::config::Storage; - - fn setup() { - //Write json test json file - let mut file = std::fs::File::create(ROOTASROLE).unwrap(); - let mut settings = SettingsFile::default(); - settings.storage.method = config::StorageMethod::JSON; - settings.storage.settings = Some(RemoteStorageSettings::default()); - settings.storage.settings.as_mut().unwrap().path = Some(ROOTASROLE.into()); - settings.storage.settings.as_mut().unwrap().immutable = Some(false); - - let mut opt = Opt::default(); - - opt.timeout = Some(STimeout::default()); - opt.timeout.as_mut().unwrap().type_field = TimestampType::PPID; - opt.timeout.as_mut().unwrap().duration = TimeDelta::hours(15) - .checked_add(&TimeDelta::minutes(30)) - .unwrap() - .checked_add(&TimeDelta::seconds(30)) - .unwrap(); - opt.timeout.as_mut().unwrap().max_usage = Some(1); - - opt.path = Some(SPathOptions::default()); - opt.path.as_mut().unwrap().default_behavior = PathBehavior::Delete; - opt.path.as_mut().unwrap().add = vec!["path1".to_string(), "path2".to_string()] - .into_iter() - .collect(); - opt.path.as_mut().unwrap().sub = vec!["path3".to_string(), "path4".to_string()] - .into_iter() - .collect(); - - opt.env = Some(SEnvOptions::default()); - opt.env.as_mut().unwrap().default_behavior = EnvBehavior::Delete; - opt.env.as_mut().unwrap().keep = vec!["env1".into(), "env2".into()].into_iter().collect(); - opt.env.as_mut().unwrap().check = vec!["env3".into(), "env4".into()].into_iter().collect(); - opt.env.as_mut().unwrap().delete = vec!["env5".into(), "env6".into()].into_iter().collect(); - - opt.root = Some(SPrivileged::Privileged); - opt.bounding = Some(SBounding::Ignore); - opt.wildcard_denied = Some("*".to_string()); - - settings.config.as_ref().borrow_mut().options = Some(rc_refcell!(opt.clone())); - - settings.config.as_ref().borrow_mut().roles = vec![]; - - let mut role = SRole::default(); - role.name = "complete".to_string(); - role.actors = vec![ - SActor::from_user_id(0), - SActor::from_group_id(0), - SActor::from_group_vec_string(vec!["groupA", "groupB"]), - ]; - role.options = Some(rc_refcell!(opt.clone())); - let role = rc_refcell!(role); - - let mut task = STask::new(IdTask::Name("t_complete".to_string()), Rc::downgrade(&role)); - task.purpose = Some("complete".to_string()); - task.commands = SCommands::default(); - task.commands.default_behavior = Some(SetBehavior::All); - task.commands.add.push(SCommand::Simple("ls".to_string())); - task.commands.add.push(SCommand::Simple("echo".to_string())); - task.commands.sub.push(SCommand::Simple("cat".to_string())); - task.commands.sub.push(SCommand::Simple("grep".to_string())); - - task.cred = SCredentials::default(); - task.cred.setuid = Some(SActorType::Name("user1".to_string())); - task.cred.setgid = Some(SGroups::Multiple(vec![ - SActorType::Name("group1".to_string()), - SActorType::Name("group2".to_string()), - ])); - task.cred.capabilities = Some(SCapabilities::default()); - task.cred.capabilities.as_mut().unwrap().default_behavior = SetBehavior::All; - task.cred - .capabilities - .as_mut() - .unwrap() - .add - .add(Cap::LINUX_IMMUTABLE); - task.cred - .capabilities - .as_mut() - .unwrap() - .add - .add(Cap::NET_BIND_SERVICE); - task.cred - .capabilities - .as_mut() - .unwrap() - .sub - .add(Cap::SYS_ADMIN); - task.cred - .capabilities - .as_mut() - .unwrap() - .sub - .add(Cap::SYS_BOOT); - - task.options = Some(rc_refcell!(opt.clone())); - - role.as_ref().borrow_mut().tasks.push(rc_refcell!(task)); - settings.config.as_ref().borrow_mut().roles.push(role); - - let versionned = Versioning::new(settings.clone()); - - file.write_all( - serde_json::to_string_pretty(&versionned) - .unwrap() - .as_bytes(), - ) - .unwrap(); - - file.flush().unwrap(); - } - - fn teardown() { - //Remove json test file - std::fs::remove_file(ROOTASROLE).unwrap(); - } - // we need to test every commands - // chsr r r1 create - // chsr r r1 delete - // chsr r r1 show (actors|tasks|all) - // chsr r r1 purge (actors|tasks|all) - // chsr r r1 grant -u user1 -g group1 group2&group3 - // chsr r r1 revoke -u user1 -g group1 group2&group3 - // chsr r r1 task t1 show (all|cmd|cred) - // chsr r r1 task t1 purge (all|cmd|cred) - // chsr r r1 t t1 add - // chsr r r1 t t1 del - // chsr r r1 t t1 commands show - // chsr r r1 t t1 cmd setpolicy (deny-all|allow-all) - // chsr r r1 t t1 cmd (whitelist|blacklist) (add|del) super command with spaces - // chsr r r1 t t1 credentials show - // chsr r r1 t t1 cred (unset|set) --caps capA,capB,capC --setuid user1 --setgid group1,group2 - // chsr r r1 t t1 cred caps setpolicy (deny-all|allow-all) - // chsr r r1 t t1 cred caps (whitelist|blacklist) (add|del) capA capB capC - // chsr (r r1) (t t1) options show (all|path|env|root|bounding|wildcard-denied) - // chsr o path set /usr/bin:/bin this regroups setpolicy delete and whitelist set - // chsr o path setpolicy (delete-all|keep-all|inherit) - // chsr o path (whitelist|blacklist) (add|del|set|purge) /usr/bin:/bin - - // chsr o env set MYVAR=1 VAR2=2 //this regroups setpolicy delete and whitelist set - // chsr o env setpolicy (delete-all|keep-all|inherit) - // chsr o env (whitelist|blacklist|checklist) (add|del|set|purge) MYVAR=1 - - // chsr o root (privileged|user|inherit) - // chsr o bounding (strict|ignore|inherit) - // chsr o wildcard-denied (set|add|del) * - - // chsr o timeout set --type tty --duration 5:00 --max_usage 1 - // chsr o t unset --type --duration --max_usage - - //TODO: verify values - #[test] - fn test_main_1() { - setup(); - - // lets test every commands - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "r1", "create"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "r1", "delete"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "show", "actors"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "show", "tasks"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "show", "all"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "purge", "actors"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "purge", "tasks"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "purge", "all"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "grant", - "-u", - "user1", - "-g", - "group1", - "-g", - "group2&group3" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "revoke", - "-u", - "user1", - "-g", - "group1", - "-g", - "group2&group3" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "task", "t_complete", "show", "all"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "task", "t_complete", "show", "cmd"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "task", - "t_complete", - "show", - "cred" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "task", - "t_complete", - "purge", - "all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "task", - "t_complete", - "purge", - "cmd" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "task", - "t_complete", - "purge", - "cred" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "t", "t1", "add"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "t", "t1", "del"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cmd", - "setpolicy", - "deny-all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cmd", - "setpolicy", - "allow-all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cmd", - "whitelist", - "add", - "super command with spaces" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cmd", - "blacklist", - "add", - "super", - "command", - "with", - "spaces" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cmd", - "whitelist", - "del", - "super command with spaces" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cmd", - "blacklist", - "del", - "super command with spaces" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - // let settings = config::get_settings().expect("Failed to get settings"); - // assert!(cli::main( - // &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - // vec!["chsr", "r", "complete", "t", "t_complete", "credentials", "show"], - // ) - // .inspect_err(|e| { - // error!("{}", e); - // }) - // .inspect(|e| { - // debug!("{}",e); - // }) - // .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "unset", - "--caps", - "capA,capB,capC", - "--setuid", - "user1", - "--setgid", - "group1,group2" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "set", - "--caps", - "capA,capB,capC", - "--setuid", - "user1", - "--setgid", - "group1,group2" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "caps", - "setpolicy", - "deny-all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "caps", - "setpolicy", - "allow-all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "caps", - "whitelist", - "add", - "capA", - "capB", - "capC" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "caps", - "blacklist", - "add", - "capA", - "capB", - "capC" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "caps", - "whitelist", - "del", - "capA", - "capB", - "capC" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "cred", - "caps", - "blacklist", - "del", - "capA", - "capB", - "capC" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "options", "show", "all"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "options", "show", "path"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec!["chsr", "r", "complete", "options", "show", "bounding"], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "options", - "show", - "env" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "options", - "show", - "root" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "options", - "show", - "bounding" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "options", - "show", - "wildcard-denied" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| !b)); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "set", - "/usr/bin:/bin" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "setpolicy", - "delete-all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "setpolicy", - "keep-unsafe" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "setpolicy", - "inherit" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "whitelist", - "add", - "/usr/bin:/bin" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "whitelist", - "del", - "/usr/bin:/bin" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "whitelist", - "set", - "/usr/bin:/bin" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "whitelist", - "purge" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "blacklist", - "add", - "/usr/bin:/bin" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "blacklist", - "del", - "/usr/bin:/bin" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "blacklist", - "set", - "/usr/bin:/bin" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "path", - "blacklist", - "purge" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "set", - "MYVAR,VAR2" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "setpolicy", - "delete-all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "setpolicy", - "keep-all" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "setpolicy", - "inherit" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "whitelist", - "add", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "whitelist", - "del", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "whitelist", - "set", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "whitelist", - "purge" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "blacklist", - "add", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "blacklist", - "del", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "blacklist", - "set", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "blacklist", - "purge" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "checklist", - "add", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "checklist", - "del", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "checklist", - "set", - "MYVAR" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "env", - "checklist", - "purge" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "root", - "privileged" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "root", - "user" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "root", - "inherit" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "bounding", - "strict" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "bounding", - "ignore" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "bounding", - "inherit" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "wildcard-denied", - "set", - "*" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "wildcard-denied", - "add", - "*" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "wildcard-denied", - "del", - "*" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "timeout", - "set", - "--type", - "tty", - "--duration", - "5:00", - "--max-usage", - "1" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - let settings = config::get_settings().expect("Failed to get settings"); - assert!(cli::main( - &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "t", - "t_complete", - "o", - "t", - "unset", - "--type", - "--duration", - "--max-usage" - ], - ) - .inspect_err(|e| { - error!("{}", e); - }) - .inspect(|e| { - debug!("{}", e); - }) - .is_ok_and(|b| b)); - teardown(); - } -} +} \ No newline at end of file diff --git a/src/config.rs b/src/config.rs index d8ca1bb2..7cb912c4 100644 --- a/src/config.rs +++ b/src/config.rs @@ -55,18 +55,16 @@ pub const ROOTASROLE: &str = "target/rootasrole.json"; use std::{ cell::RefCell, error::Error, - fs::File, - path::{Path, PathBuf}, + path::PathBuf, rc::Rc, }; -use ciborium::de; use serde::{Deserialize, Serialize}; use tracing::debug; use crate::{ common::{ - dac_override_effective, immutable_effective, open_with_privileges, read_effective, + dac_override_effective, open_with_privileges, read_effective, util::toggle_lock_config, write_json_config, }, rc_refcell, diff --git a/src/database/finder.rs b/src/database/finder.rs index b43c6e7c..05bc2089 100644 --- a/src/database/finder.rs +++ b/src/database/finder.rs @@ -1,10 +1,9 @@ use std::{ cell::RefCell, cmp::Ordering, - env::var, error::Error, fmt::{Display, Formatter}, - path::{Path, PathBuf}, + path::PathBuf, rc::{Rc, Weak}, }; diff --git a/src/database/mod.rs b/src/database/mod.rs index fcdddc57..b8a1793e 100644 --- a/src/database/mod.rs +++ b/src/database/mod.rs @@ -1,7 +1,6 @@ use std::{cell::RefCell, error::Error, rc::Rc}; use crate::common::config::save_settings; -use crate::common::read_effective; use crate::common::util::toggle_lock_config; use crate::common::version::PACKAGE_VERSION; @@ -16,7 +15,7 @@ use super::config::SettingsFile; use super::util::warn_if_mutable; use super::{ config::{RemoteStorageSettings, ROOTASROLE}, - dac_override_effective, immutable_effective, + immutable_effective, util::parse_capset_iter, }; use super::{open_with_privileges, write_json_config}; @@ -139,7 +138,7 @@ fn write_sconfig( .path .as_ref() .unwrap_or(&binding); - write_json_config(&config, path); + write_json_config(&config, path)?; Ok(()) } @@ -183,20 +182,23 @@ pub fn is_default(t: &T) -> bool { t == &T::default() } -fn serialize_duration(value: &Duration, serializer: S) -> Result +fn serialize_duration(value: &Option, serializer: S) -> Result where S: serde::Serializer, { // hh:mm:ss format - serializer.serialize_str(&format!( - "{}:{}:{}", - value.num_hours(), - value.num_minutes() % 60, - value.num_seconds() % 60 - )) + match value { + Some(value) => serializer.serialize_str(&format!( + "{}:{}:{}", + value.num_hours(), + value.num_minutes() % 60, + value.num_seconds() % 60 + )), + None => serializer.serialize_none(), + } } -fn deserialize_duration<'de, D>(deserializer: D) -> Result +fn deserialize_duration<'de, D>(deserializer: D) -> Result, D::Error> where D: de::Deserializer<'de>, { @@ -208,9 +210,9 @@ where let hours: i64 = hours.parse().map_err(de::Error::custom)?; let minutes: i64 = minutes.parse().map_err(de::Error::custom)?; let seconds: i64 = seconds.parse().map_err(de::Error::custom)?; - return Ok(Duration::hours(hours) + return Ok(Some(Duration::hours(hours) + Duration::minutes(minutes) - + Duration::seconds(seconds)); + + Duration::seconds(seconds))); } Err(de::Error::custom("Invalid duration format")) } diff --git a/src/database/options.rs b/src/database/options.rs index f00aa853..65fad739 100644 --- a/src/database/options.rs +++ b/src/database/options.rs @@ -2,13 +2,12 @@ use std::{borrow::Borrow, cell::RefCell, path::PathBuf, rc::Rc}; use chrono::Duration; -use ciborium::de; use libc::PATH_MAX; use linked_hash_set::LinkedHashSet; use pcre2::bytes::Regex; use serde::{Deserialize, Deserializer, Serialize}; use serde_json::{Map, Value}; -use strum::{Display, EnumIs, EnumIter, FromRepr, IntoEnumIterator}; +use strum::{Display, EnumIs, EnumIter, FromRepr}; use tracing::debug; use crate::rc_refcell; @@ -63,13 +62,14 @@ pub enum TimestampType { #[derive(Serialize, Deserialize, PartialEq, Eq, Debug, Clone)] pub struct STimeout { - #[serde(default, rename = "type")] - pub type_field: TimestampType, + #[serde(default, rename = "type", skip_serializing_if = "Option::is_none")] + pub type_field: Option, #[serde( serialize_with = "serialize_duration", - deserialize_with = "deserialize_duration" + deserialize_with = "deserialize_duration", + skip_serializing_if = "Option::is_none" )] - pub duration: Duration, + pub duration: Option, #[serde(default, skip_serializing_if = "Option::is_none")] pub max_usage: Option, #[serde(default)] @@ -80,8 +80,8 @@ pub struct STimeout { impl Default for STimeout { fn default() -> Self { STimeout { - type_field: TimestampType::default(), - duration: Duration::minutes(5), + type_field: None, + duration: None, max_usage: None, _extra_fields: Map::default(), } @@ -213,6 +213,53 @@ impl Opt { opt.level = level; opt } + + pub fn level_default() -> Self { + let mut opt = Self::new(Level::Default); + opt.root = Some(SPrivileged::User); + opt.bounding = Some(SBounding::Strict); + opt.path.as_mut().unwrap().default_behavior = PathBehavior::Delete; + opt.path.as_mut().unwrap().add = vec![ + "/usr/local/sbin".to_string(), + "/usr/local/bin".to_string(), + "/usr/sbin".to_string(), + "/usr/bin".to_string(), + "/sbin".to_string(), + "/bin".to_string(), + "/snap/bin".to_string()].into_iter().collect(); + let mut env = SEnvOptions::new(EnvBehavior::Delete); + env.keep = vec![ + "HOME".into(), + "USER".into(), + "LOGNAME".into(), + "COLORS".into(), + "DISPLAY".into(), + "HOSTNAME".into(), + "KRB5CCNAME".into(), + "LS_COLORS".into(), + "PS1".into(), + "PS2".into(), + "XAUTHORY".into(), + "XAUTHORIZATION".into(), + "XDG_CURRENT_DESKTOP".into() + ].into_iter().collect(); + env.check = vec![ + "COLORTERM".into(), + "LANG".into(), + "LANGUAGE".into(), + "LC_*".into(), + "LINGUAS".into(), + "TERM".into(), + "TZ".into() + ].into_iter().collect(); + opt.env = Some(env); + let mut timeout = STimeout::default(); + timeout.type_field = Some(TimestampType::PPID); + timeout.duration = Some(Duration::minutes(5)); + opt.timeout = Some(timeout); + opt.wildcard_denied = Some(";&|".to_string()); + opt + } } impl Default for Opt { @@ -222,7 +269,7 @@ impl Default for Opt { env: Some(SEnvOptions::default()), root: Some(SPrivileged::default()), bounding: Some(SBounding::default()), - wildcard_denied: Some(";&|".to_string()), + wildcard_denied: None, timeout: Some(STimeout::default()), _extra_fields: Map::default(), level: Level::Default, @@ -233,7 +280,7 @@ impl Default for Opt { impl Default for OptStack { fn default() -> Self { OptStack { - stack: [None, Some(Rc::new(Opt::default().into())), None, None, None], + stack: [None, Some(Rc::new(Opt::level_default().into())), None, None, None], roles: None, role: None, task: None, @@ -493,25 +540,6 @@ impl OptStack { self.roles.to_owned() } - fn save(&mut self) { - let level = self.get_lowest_level(); - let opt = self.get_opt(level); - match level { - Level::Global => { - self.get_roles().unwrap().as_ref().borrow_mut().options = opt; - } - Level::Role => { - self.role.to_owned().unwrap().as_ref().borrow_mut().options = opt; - } - Level::Task => { - self.task.to_owned().unwrap().as_ref().borrow_mut().options = opt; - } - Level::None | Level::Default => { - panic!("Cannot save None/default options"); - } - } - } - fn set_opt(&mut self, level: Level, opt: Option>>) { if let Some(opt) = opt { self.stack[level as usize] = Some(opt); @@ -585,6 +613,61 @@ impl OptStack { PathBehavior, Rc>>, Rc>>, + ) { + let mut final_behavior = PathBehavior::Delete; + let final_add = rc_refcell!(LinkedHashSet::new()); + // Cannot use HashSet as we need to keep order + let final_sub = rc_refcell!(LinkedHashSet::new()); + self.iter_in_options(|opt| { + let final_add_clone = Rc::clone(&final_add); + let final_sub_clone = Rc::clone(&final_sub); + if let Some(p) = opt.path.borrow().as_ref() { + match p.default_behavior { + PathBehavior::Delete => { + final_add_clone.as_ref().replace(p.add.clone()); + } + PathBehavior::KeepSafe | PathBehavior::KeepUnsafe => { + final_sub_clone.as_ref().replace(p.sub.clone()); + } + PathBehavior::Inherit => { + if final_behavior.is_delete() { + let union: LinkedHashSet = final_add_clone + .as_ref() + .borrow() + .union(&p.add) + .filter(|e| !p.sub.contains(*e)) + .cloned() + .collect(); + final_add_clone.as_ref().borrow_mut().extend(union); + debug!("inherit final_add: {:?}", final_add_clone.as_ref().borrow()); + } else { + let union: LinkedHashSet = final_sub_clone + .as_ref() + .borrow() + .union(&p.sub) + .filter(|e| !p.add.contains(*e)) + .cloned() + .collect(); + final_sub_clone.as_ref().borrow_mut().extend(union); + } + } + } + if !p.default_behavior.is_inherit() { + final_behavior = p.default_behavior; + } + } + }); + (final_behavior, final_add, final_sub) + } + + #[allow(dead_code)] + #[cfg(not(tarpaulin_include))] + fn union_all_path( + &self, + ) -> ( + PathBehavior, + Rc>>, + Rc>>, ) { let mut final_behavior = PathBehavior::Delete; let final_add = rc_refcell!(LinkedHashSet::new()); @@ -690,6 +773,79 @@ impl OptStack { LinkedHashSet, LinkedHashSet, LinkedHashSet, + ) { + let mut final_behavior = EnvBehavior::default(); + let mut final_keep = LinkedHashSet::new(); + let mut final_check = LinkedHashSet::new(); + let mut final_delete = LinkedHashSet::new(); + self.iter_in_options(|opt| { + if let Some(p) = opt.env.borrow().as_ref() { + final_behavior = match p.default_behavior { + EnvBehavior::Delete => { + // policy is to delete, so we add whitelist and remove blacklist + final_keep = p.keep.iter() + .filter(|e| !p.check.env_matches(e) || !p.delete.env_matches(e)) + .cloned() + .collect(); + final_check = p.check.iter() + .filter(|e| !p.delete.env_matches(e)) + .cloned() + .collect(); + p.default_behavior + } + EnvBehavior::Keep => { + //policy is to keep, so we remove blacklist and add whitelist + final_delete = p.delete.iter() + .filter(|e| !p.keep.env_matches(e) || !p.check.env_matches(e)) + .cloned() + .collect(); + final_check = p.check.iter() + .filter(|e| !p.keep.env_matches(e)) + .cloned() + .collect(); + p.default_behavior + } + EnvBehavior::Inherit => { + if final_behavior.is_delete() { + final_keep = final_keep + .union(&p.keep) + .filter(|e| !p.delete.env_matches(e) || !p.check.env_matches(e)) + .cloned() + .collect(); + final_check = final_check + .union(&p.check) + .filter(|e| !p.delete.env_matches(e)) + .cloned() + .collect(); + } else { + final_delete = final_delete + .union(&p.delete) + .filter(|e| !p.keep.env_matches(e) || !p.check.env_matches(e)) + .cloned() + .collect(); + final_check = final_check + .union(&p.check) + .filter(|e| !p.keep.env_matches(e)) + .cloned() + .collect(); + } + final_behavior + } + }; + } + }); + (final_behavior, final_keep, final_check, final_delete) + } + + #[allow(dead_code)] + #[cfg(not(tarpaulin_include))] + fn union_all_env( + &self, + ) -> ( + EnvBehavior, + LinkedHashSet, + LinkedHashSet, + LinkedHashSet, ) { let mut final_behavior = EnvBehavior::default(); let mut final_keep = LinkedHashSet::new(); @@ -913,7 +1069,7 @@ mod tests { .insert("path1".to_string()); as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); let options = OptStack::from_role(role).calculate_path(); - assert_eq!(options, "path2"); + assert!(options.contains("path2")); } #[test] @@ -934,7 +1090,7 @@ mod tests { as_borrow_mut!(config).options = Some(rc_refcell!(opt_global)); as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); let options = OptStack::from_role(role).calculate_path(); - assert_eq!(options, ""); + assert!(!options.contains("path1")); } #[test] @@ -967,7 +1123,139 @@ mod tests { let options = OptStack::from_task(task).to_opt(); let res = options.env.unwrap().keep; assert!(res.contains(&EnvKey::from("env1"))); - assert!(res.contains(&EnvKey::from("env2"))); - assert!(res.contains(&EnvKey::from("env3"))); + //assert!(res.contains(&EnvKey::from("env2"))); + //assert!(res.contains(&EnvKey::from("env3"))); } + + // test to_opt() for OptStack + #[test] + fn test_to_opt() { + let role = SRoleWrapper::default(); + as_borrow_mut!(role).name = "test".to_string(); + let mut path_options = SPathOptions::new(PathBehavior::Inherit); + path_options.add.insert("path2".to_string()); + let mut opt_role = Opt::new(Level::Role); + opt_role.path = Some(path_options); + as_borrow_mut!(role).options = Some(rc_refcell!(opt_role)); + let mut path_options = SPathOptions::new(PathBehavior::Delete); + path_options.add.insert("path1".to_string()); + let mut opt_global = Opt::new(Level::Global); + opt_global.path = Some(path_options); + let config = SConfigWrapper::default(); + as_borrow_mut!(config).roles.push(role.clone()); + as_borrow_mut!(config).options = Some(rc_refcell!(opt_global)); + as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); + let options = OptStack::from_role(role).to_opt(); + assert_eq!(options.path.unwrap().add.len(), 2); + } + + #[test] + fn test_get_lowest_level() { + let config = SConfigWrapper::default(); + let role = SRoleWrapper::default(); + as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); + let task = STaskWrapper::default(); + as_borrow_mut!(task)._role = Some(Rc::downgrade(&role)); + let options = OptStack::from_task(task); + assert_eq!(options.get_lowest_level(), Level::Task); + let options = OptStack::from_role(role); + assert_eq!(options.get_lowest_level(), Level::Role); + let options = OptStack::from_roles(config); + assert_eq!(options.get_lowest_level(), Level::Global); + } + + #[test] + fn test_get_timeout() { + let role = SRoleWrapper::default(); + as_borrow_mut!(role).name = "test".to_string(); + let mut timeout = STimeout::default(); + timeout.duration = Some(Duration::minutes(5)); + let mut opt_role = Opt::new(Level::Role); + opt_role.timeout = Some(timeout); + as_borrow_mut!(role).options = Some(rc_refcell!(opt_role)); + let mut timeout = STimeout::default(); + timeout.duration = Some(Duration::minutes(10)); + let mut opt_global = Opt::new(Level::Global); + opt_global.timeout = Some(timeout); + let config = SConfigWrapper::default(); + as_borrow_mut!(config).roles.push(role.clone()); + as_borrow_mut!(config).options = Some(rc_refcell!(opt_global)); + as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); + let options = OptStack::from_role(role).get_timeout(); + assert_eq!(options.1.duration.unwrap(), Duration::minutes(5)); + assert_eq!(options.0, Level::Role); + assert!(options.1.type_field.is_none()); + } + + #[test] + fn test_get_root_behavior() { + let task = STaskWrapper::default(); + as_borrow_mut!(task).name = IdTask::Number(1); + as_borrow_mut!(task).options = Some(rc_refcell!(Opt::new(Level::Task))); + let role = SRoleWrapper::default(); + as_borrow_mut!(role).name = "test".to_string(); + let root = SPrivileged::User; + let mut opt_role = Opt::new(Level::Role); + opt_role.root = Some(root); + as_borrow_mut!(role).options = Some(rc_refcell!(opt_role)); + let root = SPrivileged::Privileged; + let mut opt_global = Opt::new(Level::Global); + opt_global.root = Some(root); + let config = SConfigWrapper::default(); + as_borrow_mut!(task)._role = Some(Rc::downgrade(&role)); + as_borrow_mut!(role).tasks.push(task.clone()); + as_borrow_mut!(config).roles.push(role.clone()); + as_borrow_mut!(config).options = Some(rc_refcell!(opt_global)); + as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); + let options = OptStack::from_task(task).get_root_behavior(); + assert_eq!(options.1, SPrivileged::User); + } + + #[test] + fn test_get_bounding() { + let role = SRoleWrapper::default(); + as_borrow_mut!(role).name = "test".to_string(); + let bounding = SBounding::Strict; + let mut opt_role = Opt::new(Level::Role); + opt_role.bounding = Some(bounding); + as_borrow_mut!(role).options = Some(rc_refcell!(opt_role)); + let bounding = SBounding::Ignore; + let mut opt_global = Opt::new(Level::Global); + opt_global.bounding = Some(bounding); + let config = SConfigWrapper::default(); + as_borrow_mut!(config).roles.push(role.clone()); + as_borrow_mut!(config).options = Some(rc_refcell!(opt_global)); + as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); + let options = OptStack::from_role(role).get_bounding(); + assert_eq!(options.1, SBounding::Strict); + } + + #[test] + fn test_get_wildcard() { + let role = SRoleWrapper::default(); + as_borrow_mut!(role).name = "test".to_string(); + let wildcard = ";&|".to_string(); + let mut opt_role = Opt::new(Level::Role); + opt_role.wildcard_denied = Some(wildcard); + as_borrow_mut!(role).options = Some(rc_refcell!(opt_role)); + let wildcard = ";&|".to_string(); + let mut opt_global = Opt::new(Level::Global); + opt_global.wildcard_denied = Some(wildcard); + let config = SConfigWrapper::default(); + as_borrow_mut!(config).roles.push(role.clone()); + as_borrow_mut!(config).options = Some(rc_refcell!(opt_global)); + as_borrow_mut!(role)._config = Some(Rc::downgrade(&config)); + let options = OptStack::from_role(role).get_wildcard(); + assert_eq!(options.1, ";&|"); + } + + #[test] + fn test_tz_is_safe() { + assert!(tz_is_safe("America/New_York")); + assert!(!tz_is_safe("/America/New_York")); + assert!(!tz_is_safe("America/New_York/..")); + //assert path max + assert!(!tz_is_safe(String::from_utf8(vec![b'a'; (PATH_MAX+1).try_into().unwrap()]).unwrap().as_str())); + } + } diff --git a/src/database/structs.rs b/src/database/structs.rs index f06aae73..0d241960 100644 --- a/src/database/structs.rs +++ b/src/database/structs.rs @@ -10,7 +10,6 @@ use serde::{ }; use serde_json::{Map, Value}; use strum::{Display, EnumIs}; -use tracing::debug; use std::{ cell::RefCell, @@ -749,8 +748,8 @@ mod tests { assert_eq!(options.wildcard_denied.as_ref().unwrap(), "wildcards"); let timeout = options.timeout.as_ref().unwrap(); - assert_eq!(timeout.type_field, TimestampType::PPID); - assert_eq!(timeout.duration, Duration::minutes(5)); + assert_eq!(timeout.type_field, Some(TimestampType::PPID)); + assert_eq!(timeout.duration, Some(Duration::minutes(5))); assert_eq!(config.roles[0].as_ref().borrow().name, "role1"); let actor0 = &config.roles[0].as_ref().borrow().actors[0]; match actor0 { diff --git a/src/database/version.rs b/src/database/version.rs index 9c0bc3da..bb7b5264 100644 --- a/src/database/version.rs +++ b/src/database/version.rs @@ -1,7 +1,6 @@ use semver::Version; -use serde::{Deserialize, Deserializer, Serialize}; +use serde::{Deserialize, Serialize}; use std::fmt::Debug; -use tracing::debug; use super::migration::Migration; use crate::common::config::SettingsFile; diff --git a/src/mod.rs b/src/mod.rs index 99959170..9580bb4c 100644 --- a/src/mod.rs +++ b/src/mod.rs @@ -4,12 +4,11 @@ use std::{ error::Error, ffi::CString, fs::File, - path::{Path, PathBuf}, + path::Path, }; use tracing::{debug, Level}; use tracing_subscriber::util::SubscriberInitExt; -use self::config::ROOTASROLE; pub mod api; pub mod config; diff --git a/src/plugin/hashchecker.rs b/src/plugin/hashchecker.rs index 12f0c13e..701f7ab2 100644 --- a/src/plugin/hashchecker.rs +++ b/src/plugin/hashchecker.rs @@ -1,6 +1,5 @@ use serde::{Deserialize, Serialize}; use tracing::debug; -use tracing_subscriber::field::debug; use crate::common::{ api::PluginManager, diff --git a/src/plugin/hierarchy.rs b/src/plugin/hierarchy.rs index 63bdd1fb..837330e5 100644 --- a/src/plugin/hierarchy.rs +++ b/src/plugin/hierarchy.rs @@ -8,7 +8,6 @@ use crate::common::{ }, }; -use ciborium::de; use serde::Deserialize; use tracing::{debug, warn}; diff --git a/src/sr/main.rs b/src/sr/main.rs index c7973443..eaeeb045 100644 --- a/src/sr/main.rs +++ b/src/sr/main.rs @@ -4,7 +4,7 @@ mod timeout; use capctl::CapState; use clap::Parser; -use common::database::finder::{Cred, CredMatcher, TaskMatch, TaskMatcher}; +use common::database::finder::{Cred, TaskMatch, TaskMatcher}; use common::database::structs::IdTask; use common::database::{options::OptStack, structs::SConfig}; use nix::{ @@ -26,7 +26,6 @@ use crate::common::plugin::register_plugins; use crate::common::{ activates_no_new_privs, config::{self, Storage}, - dac_override_effective, database::{read_json_config, structs::SGroups}, read_effective, setgid_effective, setpcap_effective, setuid_effective, }; @@ -206,6 +205,7 @@ fn from_json_execution_settings( } } +#[cfg(not(tarpaulin_include))] fn main() -> Result<(), Box> { subsribe("sr"); drop_effective()?; @@ -215,42 +215,6 @@ fn main() -> Result<(), Box> { read_effective(true).unwrap_or_else(|_| panic!("{}", cap_effective_error("dac_read"))); let settings = config::get_settings().expect("Failed to get settings"); read_effective(false).unwrap_or_else(|_| panic!("{}", cap_effective_error("dac_read"))); - let user = User::from_uid(getuid()) - .expect("Failed to get user") - .expect("Failed to get user"); - let mut groups = getgroups() - .expect("Failed to get groups") - .iter() - .map(|g| { - Group::from_gid(*g) - .expect("Failed to get group") - .expect("Failed to get group") - }) - .collect::>(); - groups.insert( - 0, - Group::from_gid(user.gid) - .expect("Failed to get group") - .expect("Failed to get group"), - ); - debug!("User: {} ({}), Groups: {:?}", user.name, user.uid, groups,); - let mut tty: Option = None; - if let Ok(stat) = stat::fstat(stdout().as_raw_fd()) { - if let Ok(istty) = isatty(stdout().as_raw_fd()) { - if istty { - tty = Some(stat.st_rdev); - } - } - } - // get parent pid - let ppid = nix::unistd::getppid(); - - let user = Cred { - user, - groups, - tty, - ppid, - }; let config = match settings.clone().as_ref().borrow().storage.method { config::StorageMethod::JSON => { Storage::JSON(read_json_config(settings).expect("Failed to read config")) @@ -259,6 +223,7 @@ fn main() -> Result<(), Box> { return Err("Unsupported storage method".into()); } }; + let user = make_cred(); let taskmatch = match config { Storage::JSON(ref config) => { from_json_execution_settings(&args, config, &user).unwrap_or_default() @@ -268,8 +233,6 @@ fn main() -> Result<(), Box> { let optstack = &execcfg.opt; check_auth(optstack, &config, &user, &args.prompt)?; - dac_override_effective(false) - .unwrap_or_else(|_| panic!("{}", cap_effective_error("dac_override"))); if !taskmatch.fully_matching() { println!("You are not allowed to execute this command, this incident will be reported."); @@ -334,6 +297,46 @@ fn main() -> Result<(), Box> { std::process::exit(status.code().unwrap_or(1)); } +fn make_cred() -> Cred { + let user = User::from_uid(getuid()) + .expect("Failed to get user") + .expect("Failed to get user"); + let mut groups = getgroups() + .expect("Failed to get groups") + .iter() + .map(|g| { + Group::from_gid(*g) + .expect("Failed to get group") + .expect("Failed to get group") + }) + .collect::>(); + groups.insert( + 0, + Group::from_gid(user.gid) + .expect("Failed to get group") + .expect("Failed to get group"), + ); + debug!("User: {} ({}), Groups: {:?}", user.name, user.uid, groups,); + let mut tty: Option = None; + if let Ok(stat) = stat::fstat(stdout().as_raw_fd()) { + if let Ok(istty) = isatty(stdout().as_raw_fd()) { + if istty { + tty = Some(stat.st_rdev); + } + } + } + // get parent pid + let ppid = nix::unistd::getppid(); + + let user = Cred { + user, + groups, + tty, + ppid, + }; + user +} + fn set_capabilities(execcfg: &common::database::finder::ExecSettings, optstack: &OptStack) { //set capabilities if let Some(caps) = execcfg.caps { @@ -451,13 +454,10 @@ mod tests { use nix::unistd::Pid; use super::*; - use crate::common::database::finder::TaskMatch; use crate::common::database::make_weak_config; use crate::common::database::structs::{ IdTask, SActor, SCommand, SCommands, SConfig, SRole, STask, }; - use std::cell::RefCell; - use std::rc::Rc; #[test] fn test_from_json_execution_settings() { diff --git a/src/sr/timeout.rs b/src/sr/timeout.rs index b51182c5..d522c00a 100644 --- a/src/sr/timeout.rs +++ b/src/sr/timeout.rs @@ -216,15 +216,15 @@ fn find_valid_cookie( CookieVersion::V1(cookie) => { debug!("Checking cookie: {:?}", cookie); if cookie.auth_uid != cred_asked.user.uid.as_raw() - || cookie.timestamp_type != constraint.type_field + || cookie.timestamp_type != constraint.type_field.unwrap_or_default() { continue; } let max_usage_ok = constraint.max_usage.is_none() || cookie.usage < constraint.max_usage.unwrap(); - debug!("timestamp: {}, now: {}, offset {}, now + offset : {}\ntimestamp-now+offset : {}", cookie.timestamp, Utc::now().timestamp(), constraint.duration.num_seconds(), Utc::now().timestamp() + constraint.duration.num_seconds(), cookie.timestamp - Utc::now().timestamp() + constraint.duration.num_seconds()); + debug!("timestamp: {}, now: {}, offset {}, now + offset : {}\ntimestamp-now+offset : {}", cookie.timestamp, Utc::now().timestamp(), constraint.duration.unwrap_or_default().num_seconds(), Utc::now().timestamp() + constraint.duration.unwrap_or_default().num_seconds(), cookie.timestamp - Utc::now().timestamp() + constraint.duration.unwrap_or_default().num_seconds()); let timeofuse: bool = cookie.timestamp - Utc::now().timestamp() - + constraint.duration.num_seconds() + + constraint.duration.unwrap_or_default().num_seconds() > 0; debug!("Time of use: {}, max_usage : {}", timeofuse, max_usage_ok); if timeofuse && max_usage_ok && res.is_none() { @@ -272,10 +272,10 @@ pub(crate) fn update_cookie( }); if res.is_none() { let mut cookies = read_cookies(from).unwrap_or_default(); - let parent_record = ParentRecord::new(&constraint.type_field, from); + let parent_record = ParentRecord::new(&constraint.type_field.unwrap_or_default(), from); let cookie = CookieVersion::V1(Cookiev1 { auth_uid: cred_asked.user.uid.as_raw(), - timestamp_type: constraint.type_field, + timestamp_type: constraint.type_field.unwrap_or_default(), start_time: Utc::now().timestamp(), timestamp: Utc::now().timestamp(), usage: 0, From 8d53497e986bb18a5c3d566f87d1236b7196ead6 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Sun, 5 May 2024 22:26:16 +0000 Subject: [PATCH 2/2] Format Rust code using rustfmt --- src/chsr/cli.rs | 43 +++++++++++++++++------------------ src/chsr/main.rs | 2 +- src/config.rs | 11 +++------ src/database/mod.rs | 6 ++--- src/database/options.rs | 50 ++++++++++++++++++++++++++++++----------- src/mod.rs | 8 +------ 6 files changed, 65 insertions(+), 55 deletions(-) diff --git a/src/chsr/cli.rs b/src/chsr/cli.rs index b1ee8013..6ce3cfad 100644 --- a/src/chsr/cli.rs +++ b/src/chsr/cli.rs @@ -24,8 +24,8 @@ use crate::{ SPathOptions, SPrivileged, STimeout, TimestampType, }, structs::{ - IdTask, SActor, SActorType, SCapabilities, SCommand, SGroups, SRole, - STask, SetBehavior, + IdTask, SActor, SActorType, SCapabilities, SCommand, SGroups, SRole, STask, + SetBehavior, }, }, util::escape_parser_string, @@ -210,7 +210,7 @@ enum TimeoutOpt { struct Inputs { action: InputAction, setlist_type: Option, - timeout_arg: Option<[bool;3]>, + timeout_arg: Option<[bool; 3]>, timeout_type: Option, timeout_duration: Option, timeout_max_usage: Option, @@ -368,7 +368,8 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { if let Some(hours) = reversed.next() { duration = duration .checked_add( - &Duration::try_hours(hours.parse::().unwrap_or(0)).unwrap_or_default(), + &Duration::try_hours(hours.parse::().unwrap_or(0)) + .unwrap_or_default(), ) .expect("Invalid hours"); } @@ -580,7 +581,6 @@ fn match_pair(pair: &Pair, inputs: &mut Inputs) { } } - fn rule_to_string(rule: &Rule) -> String { match *rule { Rule::EOI => "no more input", @@ -1544,7 +1544,7 @@ where } else { opt.as_ref().borrow_mut().timeout = Some(timeout); } - + Ok(()) })?; Ok(true) @@ -1883,10 +1883,13 @@ fn print_task( mod tests { use std::{io::Write, rc::Rc}; - use crate::common::{config, database::{read_json_config, structs::SCredentials}}; + use crate::common::{ + config, + database::{read_json_config, structs::SCredentials}, + }; use super::super::common::{ - config::{RemoteStorageSettings, SettingsFile, ROOTASROLE, Storage}, + config::{RemoteStorageSettings, SettingsFile, Storage, ROOTASROLE}, database::{options::*, structs::*, version::Versioning}, }; @@ -1977,9 +1980,6 @@ mod tests { assert_eq!(inputs.role_type, Some(RoleType::All)); } - - - fn setup() { //Write json test json file let mut file = std::fs::File::create(ROOTASROLE).unwrap(); @@ -1993,11 +1993,13 @@ mod tests { opt.timeout = Some(STimeout::default()); opt.timeout.as_mut().unwrap().type_field = Some(TimestampType::PPID); - opt.timeout.as_mut().unwrap().duration = Some(TimeDelta::hours(15) - .checked_add(&TimeDelta::minutes(30)) - .unwrap() - .checked_add(&TimeDelta::seconds(30)) - .unwrap()); + opt.timeout.as_mut().unwrap().duration = Some( + TimeDelta::hours(15) + .checked_add(&TimeDelta::minutes(30)) + .unwrap() + .checked_add(&TimeDelta::seconds(30)) + .unwrap(), + ); opt.timeout.as_mut().unwrap().max_usage = Some(1); opt.path = Some(SPathOptions::default()); @@ -2134,7 +2136,7 @@ mod tests { #[test] fn test_all_main() { setup(); - + // lets test every commands let settings = config::get_settings().expect("Failed to get settings"); assert!(main( @@ -3736,12 +3738,7 @@ mod tests { .is_ok_and(|b| b)); assert!(main( &Storage::JSON(read_json_config(settings.clone()).expect("Failed to read json")), - vec![ - "chsr", - "r", - "complete", - "tosk", - ], + vec!["chsr", "r", "complete", "tosk",], ) .inspect_err(|e| { error!("{}", e); diff --git a/src/chsr/main.rs b/src/chsr/main.rs index eabacecf..f519a3ec 100644 --- a/src/chsr/main.rs +++ b/src/chsr/main.rs @@ -40,4 +40,4 @@ fn main() -> Result<(), Box> { } else { Ok(()) } -} \ No newline at end of file +} diff --git a/src/config.rs b/src/config.rs index 7cb912c4..33bf4043 100644 --- a/src/config.rs +++ b/src/config.rs @@ -52,20 +52,15 @@ pub const ROOTASROLE: &str = "/etc/security/rootasrole.json"; #[cfg(test)] pub const ROOTASROLE: &str = "target/rootasrole.json"; -use std::{ - cell::RefCell, - error::Error, - path::PathBuf, - rc::Rc, -}; +use std::{cell::RefCell, error::Error, path::PathBuf, rc::Rc}; use serde::{Deserialize, Serialize}; use tracing::debug; use crate::{ common::{ - dac_override_effective, open_with_privileges, read_effective, - util::toggle_lock_config, write_json_config, + dac_override_effective, open_with_privileges, read_effective, util::toggle_lock_config, + write_json_config, }, rc_refcell, }; diff --git a/src/database/mod.rs b/src/database/mod.rs index b8a1793e..5faf1258 100644 --- a/src/database/mod.rs +++ b/src/database/mod.rs @@ -210,9 +210,9 @@ where let hours: i64 = hours.parse().map_err(de::Error::custom)?; let minutes: i64 = minutes.parse().map_err(de::Error::custom)?; let seconds: i64 = seconds.parse().map_err(de::Error::custom)?; - return Ok(Some(Duration::hours(hours) - + Duration::minutes(minutes) - + Duration::seconds(seconds))); + return Ok(Some( + Duration::hours(hours) + Duration::minutes(minutes) + Duration::seconds(seconds), + )); } Err(de::Error::custom("Invalid duration format")) } diff --git a/src/database/options.rs b/src/database/options.rs index 65fad739..88838522 100644 --- a/src/database/options.rs +++ b/src/database/options.rs @@ -219,14 +219,17 @@ impl Opt { opt.root = Some(SPrivileged::User); opt.bounding = Some(SBounding::Strict); opt.path.as_mut().unwrap().default_behavior = PathBehavior::Delete; - opt.path.as_mut().unwrap().add = vec![ + opt.path.as_mut().unwrap().add = vec![ "/usr/local/sbin".to_string(), "/usr/local/bin".to_string(), "/usr/sbin".to_string(), "/usr/bin".to_string(), "/sbin".to_string(), "/bin".to_string(), - "/snap/bin".to_string()].into_iter().collect(); + "/snap/bin".to_string(), + ] + .into_iter() + .collect(); let mut env = SEnvOptions::new(EnvBehavior::Delete); env.keep = vec![ "HOME".into(), @@ -241,8 +244,10 @@ impl Opt { "PS2".into(), "XAUTHORY".into(), "XAUTHORIZATION".into(), - "XDG_CURRENT_DESKTOP".into() - ].into_iter().collect(); + "XDG_CURRENT_DESKTOP".into(), + ] + .into_iter() + .collect(); env.check = vec![ "COLORTERM".into(), "LANG".into(), @@ -250,8 +255,10 @@ impl Opt { "LC_*".into(), "LINGUAS".into(), "TERM".into(), - "TZ".into() - ].into_iter().collect(); + "TZ".into(), + ] + .into_iter() + .collect(); opt.env = Some(env); let mut timeout = STimeout::default(); timeout.type_field = Some(TimestampType::PPID); @@ -280,7 +287,13 @@ impl Default for Opt { impl Default for OptStack { fn default() -> Self { OptStack { - stack: [None, Some(Rc::new(Opt::level_default().into())), None, None, None], + stack: [ + None, + Some(Rc::new(Opt::level_default().into())), + None, + None, + None, + ], roles: None, role: None, task: None, @@ -783,11 +796,15 @@ impl OptStack { final_behavior = match p.default_behavior { EnvBehavior::Delete => { // policy is to delete, so we add whitelist and remove blacklist - final_keep = p.keep.iter() + final_keep = p + .keep + .iter() .filter(|e| !p.check.env_matches(e) || !p.delete.env_matches(e)) .cloned() .collect(); - final_check = p.check.iter() + final_check = p + .check + .iter() .filter(|e| !p.delete.env_matches(e)) .cloned() .collect(); @@ -795,11 +812,15 @@ impl OptStack { } EnvBehavior::Keep => { //policy is to keep, so we remove blacklist and add whitelist - final_delete = p.delete.iter() + final_delete = p + .delete + .iter() .filter(|e| !p.keep.env_matches(e) || !p.check.env_matches(e)) .cloned() .collect(); - final_check = p.check.iter() + final_check = p + .check + .iter() .filter(|e| !p.keep.env_matches(e)) .cloned() .collect(); @@ -1255,7 +1276,10 @@ mod tests { assert!(!tz_is_safe("/America/New_York")); assert!(!tz_is_safe("America/New_York/..")); //assert path max - assert!(!tz_is_safe(String::from_utf8(vec![b'a'; (PATH_MAX+1).try_into().unwrap()]).unwrap().as_str())); + assert!(!tz_is_safe( + String::from_utf8(vec![b'a'; (PATH_MAX + 1).try_into().unwrap()]) + .unwrap() + .as_str() + )); } - } diff --git a/src/mod.rs b/src/mod.rs index 9580bb4c..5caee50c 100644 --- a/src/mod.rs +++ b/src/mod.rs @@ -1,15 +1,9 @@ use capctl::{prctl, Cap, CapState}; use serde::Serialize; -use std::{ - error::Error, - ffi::CString, - fs::File, - path::Path, -}; +use std::{error::Error, ffi::CString, fs::File, path::Path}; use tracing::{debug, Level}; use tracing_subscriber::util::SubscriberInitExt; - pub mod api; pub mod config; pub mod database;