From c4f2a41da69033b184f438a59b48496dba4a89ce Mon Sep 17 00:00:00 2001 From: Mike Nomitch Date: Tue, 19 Mar 2024 14:40:30 -0700 Subject: [PATCH] Splitting validators unix functions into own file --- drivers/shared/validators/validators.go | 88 ----------------- drivers/shared/validators/validators_unix.go | 99 +++++++++++++++++++ ...dators_test.go => validators_unix_test.go} | 2 + 3 files changed, 101 insertions(+), 88 deletions(-) create mode 100644 drivers/shared/validators/validators_unix.go rename drivers/shared/validators/{validators_test.go => validators_unix_test.go} (99%) diff --git a/drivers/shared/validators/validators.go b/drivers/shared/validators/validators.go index 7cf0d6991..d85f3d9eb 100644 --- a/drivers/shared/validators/validators.go +++ b/drivers/shared/validators/validators.go @@ -5,8 +5,6 @@ package validators import ( "fmt" - "os/user" - "strconv" "strings" ) @@ -37,89 +35,3 @@ func ParseIdRange(rangeType string, deniedRanges string) ([]IDRange, error) { return idRanges, nil } - -// HasValidIds is used when running a task to ensure the -// given user is in the ID range defined in the task config -func HasValidIds(user *user.User, deniedHostUIDs, deniedHostGIDs []IDRange) error { - uid, err := strconv.ParseUint(user.Uid, 10, 32) - if err != nil { - return fmt.Errorf("unable to convert userid %s to integer", user.Uid) - } - - // check uids - - for _, uidRange := range deniedHostUIDs { - if uid >= uidRange.Lower && uid <= uidRange.Upper { - return fmt.Errorf("running as uid %d is disallowed", uid) - } - } - - // check gids - - gidStrings, err := user.GroupIds() - if err != nil { - return fmt.Errorf("unable to lookup user's group membership: %w", err) - } - gids := make([]uint64, len(gidStrings)) - - for _, gidString := range gidStrings { - u, err := strconv.ParseUint(gidString, 10, 32) - if err != nil { - return fmt.Errorf("unable to convert user's group %q to integer: %w", gidString, err) - } - - gids = append(gids, u) - } - - for _, gidRange := range deniedHostGIDs { - for _, gid := range gids { - if gid >= gidRange.Lower && gid <= gidRange.Upper { - return fmt.Errorf("running as gid %d is disallowed", gid) - } - } - } - - return nil -} - -func parseRangeString(boundsString string) (*IDRange, error) { - uidDenyRangeParts := strings.Split(boundsString, "-") - - var idRange IDRange - - switch len(uidDenyRangeParts) { - case 0: - return nil, fmt.Errorf("range value cannot be empty") - case 1: - disallowedIdStr := uidDenyRangeParts[0] - disallowedIdInt, err := strconv.ParseUint(disallowedIdStr, 10, 32) - if err != nil { - return nil, fmt.Errorf("range bound not valid, invalid bound: %q ", disallowedIdInt) - } - - idRange.Lower = disallowedIdInt - idRange.Upper = disallowedIdInt - case 2: - lowerBoundStr := uidDenyRangeParts[0] - upperBoundStr := uidDenyRangeParts[1] - - lowerBoundInt, err := strconv.ParseUint(lowerBoundStr, 10, 32) - if err != nil { - return nil, fmt.Errorf("invalid bound: %q", lowerBoundStr) - } - - upperBoundInt, err := strconv.ParseUint(upperBoundStr, 10, 32) - if err != nil { - return nil, fmt.Errorf("invalid bound: %q", upperBoundStr) - } - - if lowerBoundInt > upperBoundInt { - return nil, fmt.Errorf("invalid range %q, lower bound cannot be greater than upper bound", boundsString) - } - - idRange.Lower = lowerBoundInt - idRange.Upper = upperBoundInt - } - - return &idRange, nil -} diff --git a/drivers/shared/validators/validators_unix.go b/drivers/shared/validators/validators_unix.go new file mode 100644 index 000000000..bd5b1b38b --- /dev/null +++ b/drivers/shared/validators/validators_unix.go @@ -0,0 +1,99 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: MPL-2.0 + +//go:build !windows + +package validators + +import ( + "fmt" + "os/user" + "strconv" + "strings" +) + +// HasValidIds is used when running a task to ensure the +// given user is in the ID range defined in the task config +func HasValidIds(user *user.User, deniedHostUIDs, deniedHostGIDs []IDRange) error { + uid, err := strconv.ParseUint(user.Uid, 10, 32) + if err != nil { + return fmt.Errorf("unable to convert userid %s to integer", user.Uid) + } + + // check uids + + for _, uidRange := range deniedHostUIDs { + if uid >= uidRange.Lower && uid <= uidRange.Upper { + return fmt.Errorf("running as uid %d is disallowed", uid) + } + } + + // check gids + + gidStrings, err := user.GroupIds() + if err != nil { + return fmt.Errorf("unable to lookup user's group membership: %w", err) + } + gids := make([]uint64, len(gidStrings)) + + for _, gidString := range gidStrings { + u, err := strconv.ParseUint(gidString, 10, 32) + if err != nil { + return fmt.Errorf("unable to convert user's group %q to integer: %w", gidString, err) + } + + gids = append(gids, u) + } + + for _, gidRange := range deniedHostGIDs { + for _, gid := range gids { + if gid >= gidRange.Lower && gid <= gidRange.Upper { + return fmt.Errorf("running as gid %d is disallowed", gid) + } + } + } + + return nil +} + +func parseRangeString(boundsString string) (*IDRange, error) { + uidDenyRangeParts := strings.Split(boundsString, "-") + + var idRange IDRange + + switch len(uidDenyRangeParts) { + case 0: + return nil, fmt.Errorf("range value cannot be empty") + case 1: + disallowedIdStr := uidDenyRangeParts[0] + disallowedIdInt, err := strconv.ParseUint(disallowedIdStr, 10, 32) + if err != nil { + return nil, fmt.Errorf("range bound not valid, invalid bound: %q ", disallowedIdInt) + } + + idRange.Lower = disallowedIdInt + idRange.Upper = disallowedIdInt + case 2: + lowerBoundStr := uidDenyRangeParts[0] + upperBoundStr := uidDenyRangeParts[1] + + lowerBoundInt, err := strconv.ParseUint(lowerBoundStr, 10, 32) + if err != nil { + return nil, fmt.Errorf("invalid bound: %q", lowerBoundStr) + } + + upperBoundInt, err := strconv.ParseUint(upperBoundStr, 10, 32) + if err != nil { + return nil, fmt.Errorf("invalid bound: %q", upperBoundStr) + } + + if lowerBoundInt > upperBoundInt { + return nil, fmt.Errorf("invalid range %q, lower bound cannot be greater than upper bound", boundsString) + } + + idRange.Lower = lowerBoundInt + idRange.Upper = upperBoundInt + } + + return &idRange, nil +} diff --git a/drivers/shared/validators/validators_test.go b/drivers/shared/validators/validators_unix_test.go similarity index 99% rename from drivers/shared/validators/validators_test.go rename to drivers/shared/validators/validators_unix_test.go index 9c1eb84b6..0dbfd8e72 100644 --- a/drivers/shared/validators/validators_test.go +++ b/drivers/shared/validators/validators_unix_test.go @@ -1,6 +1,8 @@ // Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 +//go:build !windows + package validators import (