From 8c4ab41ffa502a58714819e0407f3c17e6fde7d0 Mon Sep 17 00:00:00 2001
From: Mark Goddard
Date: Mon, 25 Mar 2019 11:39:41 +0000
Subject: [PATCH] Check configuration file permissions in CI
Typically, non-executable files should have 660 or 600 and executable files and directories should have 770. All should be owned by the 'config_owner_user' and 'config_owner_group' variables. This change adds a script to check the owner and permissions of config files under /etc/kolla, and runs it at the end of CI jobs.
Change-Id: Icdbabf36e284b9030017a0dc07b9dc81a37758ab
Related-Bug: #1821579
---
tests/check-config.sh | 52 +++++++++++++++++++++++++++++++++++++++++++
tests/run.yml | 6 +++++
2 files changed, 58 insertions(+)
create mode 100755 tests/check-config.sh
diff --git a/tests/check-config.sh b/tests/check-config.sh
new file mode 100755
index 0000000000..92d4f2c59d
--- /dev/null
+++ b/tests/check-config.sh
@@ -0,0 +1,52 @@ +#!/bin/bash + +# Check the generated configuration files. + +set -o errexit + +# Enable unbuffered output for Ansible in Jenkins. +export PYTHONUNBUFFERED=1 + +function check_config { + # Check every file in /etc/kolla/*. + failed=0 + expected_user=${CONFIG_OWNER_USER:-root} + expected_group=${CONFIG_OWNER_GROUP:-root} + # Ignore files generated by Zuul. + for f in $(sudo find /etc/kolla \ + -not -regex /etc/kolla/config.* \ + -not -path /etc/kolla \ + -not -name admin-openrc.sh \ + -not -name globals.yml \ + -not -name header \ + -not -name inventory \ + -not -name kolla-build.conf \ + -not -name passwords.yml \ + -not -name passwords.yml.old \ + -not -name sources.list) + do + mode=$(sudo stat -c %a $f) + owner=$(sudo stat -c %U:%G $f) + if [[ -d $f ]]; then + # Directories should be 770. + if [[ $mode != "770" ]]; then + failed=1 + echo "ERROR: Unexpected permissions on directory $f. Got $mode, expected 770" + fi + else + # Files should be 600, 660 or 770. + if [[ ! $mode =~ ^(600|660|770)$ ]] ; then + failed=1 + echo "ERROR: Unexpected permissions on file $f. Got $mode, expected 770 or 660" + fi + fi + # Owner user & group should be the config owner, default root. + if [[ $owner != "$expected_user:$expected_group" ]]; then + failed=1 + echo "ERROR: Unexpected ownership on $f. Got $owner, expected $expected_user:$expected_group" + fi + done + return $failed +} + +check_config diff --git a/tests/run.yml b/tests/run.yml index bec3915f50..53c31933c0 100644 --- a/tests/run.yml +++ b/tests/run.yml @@ -295,3 +295,9 @@ cmd: tests/check-failure.sh executable: /bin/bash chdir: "{{ kolla_ansible_src_dir }}" + + - name: Run check-config.sh script + shell: + cmd: tests/check-config.sh + executable: /bin/bash + chdir: "{{ kolla_ansible_src_dir }}"
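Review bot: The three files the `find` exempts by name — `admin-openrc.sh`, `passwords.yml` and `passwords.yml.old` — are presumably the ones that hold credentials, yet exempting them from the walk skips the mode check along with the ownership check, so a world-readable passwords.yml would still pass CI. If the reason is that Zuul creates them under a different user, a second pass over just those paths that only rejects an "other" permission digit (`[[ "$mode" != *0 ]]`) keeps the secrets covered without fighting the owner. Separately, `[[ -d $f ]]` runs without sudo while every `find`/`stat` call uses it; if the CI user cannot traverse a 770 root-owned /etc/kolla that test is false for every directory, they fall through to the file branch, and 770 passes there only by coincidence — `sudo test -d "$f"` keeps the two branches honest. `for f in $(sudo find ...)` with unquoted `$f` also word-splits on whitespace and expands globs (the unquoted `-regex /etc/kolla/config.*` included); feeding `find ... -print0` into `while IFS= read -r -d '' f` and quoting `"$f"` in the `stat` calls is the safe form. Finally, the file-branch message understates what the regex accepts: `echo "ERROR: Unexpected permissions on file $f. Got $mode, expected 600, 660 or 770"`.
```shell
function check_config {
  # … unchanged: failed / expected_user / expected_group setup …
  while IFS= read -r -d '' f; do
    mode=$(sudo stat -c %a "$f")
    owner=$(sudo stat -c %U:%G "$f")
    # The CI user may not be able to stat inside /etc/kolla itself.
    if sudo test -d "$f"; then
      # … unchanged: directory 770 check …
    else
      # … unchanged: file 600/660/770 check …
    fi
    # … unchanged: ownership check …
  done < <(sudo find /etc/kolla -not -regex '/etc/kolla/config.*' -not -path /etc/kolla \
    -not -name admin-openrc.sh -not -name globals.yml -not -name header -not -name inventory \
    -not -name kolla-build.conf -not -name passwords.yml -not -name passwords.yml.old \
    -not -name sources.list -print0)
  # Zuul creates these with its own user, so ownership is not checked, but they
  # presumably hold credentials and must never be readable by other users.
  for f in /etc/kolla/admin-openrc.sh /etc/kolla/passwords.yml /etc/kolla/passwords.yml.old; do
    sudo test -e "$f" || continue
    mode=$(sudo stat -c %a "$f")
    if [[ "$mode" != *0 ]]; then
      failed=1
      echo "ERROR: Unexpected permissions on $f. Got $mode, expected no access for others"
    fi
  done
  return $failed
}
```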