fix: update cos-tool permissions to adhere to cis hardening rules (#664)

* fix: update cos-tool permissions to adhere to cis hardening rules * add remote-write and bump versions * fix cos-tool permissions for this charm as well * try to fix itests * remove chmod from library * fix unit tests * fix unit tests
canonical · Jan 15, 2025 · 9b42b34 · 9b42b34
1 parent 62cd2d9
commit 9b42b34
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 14 deletions.
diff --git a/charmcraft.yaml b/charmcraft.yaml
@@ -32,4 +32,4 @@ parts:
       - curl
     override-pull: |
       curl -L -O https://github.com/canonical/cos-tool/releases/latest/download/cos-tool-${CRAFT_TARGET_ARCH}
-      chmod +x cos-tool-*
+      chmod 775 cos-tool-*
diff --git a/lib/charms/prometheus_k8s/v0/prometheus_scrape.py b/lib/charms/prometheus_k8s/v0/prometheus_scrape.py
@@ -362,7 +362,7 @@ def _on_scrape_targets_changed(self, event):
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 47
+LIBPATCH = 48
 
 PYDEPS = ["cosl"]
 
@@ -2364,12 +2364,9 @@ def _get_tool_path(self) -> Optional[Path]:
         arch = "amd64" if arch == "x86_64" else arch
         res = "cos-tool-{}".format(arch)
         try:
-            path = Path(res).resolve()
-            path.chmod(0o777)
+            path = Path(res).resolve(strict=True)
             return path
-        except NotImplementedError:
-            logger.debug("System lacks support for chmod")
-        except FileNotFoundError:
+        except (FileNotFoundError, OSError):
             logger.debug('Could not locate cos-tool at: "{}"'.format(res))
         return None
 

diff --git a/lib/charms/prometheus_k8s/v1/prometheus_remote_write.py b/lib/charms/prometheus_k8s/v1/prometheus_remote_write.py
@@ -46,7 +46,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 4
+LIBPATCH = 5
 
 PYDEPS = ["cosl"]
 
@@ -948,12 +948,9 @@ def _get_tool_path(self) -> Optional[Path]:
         arch = "amd64" if arch == "x86_64" else arch
         res = "cos-tool-{}".format(arch)
         try:
-            path = Path(res).resolve()
-            path.chmod(0o777)
+            path = Path(res).resolve(strict=True)
             return path
-        except NotImplementedError:
-            logger.debug("System lacks support for chmod")
-        except FileNotFoundError:
+        except (FileNotFoundError, OSError):
             logger.debug('Could not locate cos-tool at: "{}"'.format(res))
         return None
 

diff --git a/tests/integration/helpers.py b/tests/integration/helpers.py
@@ -183,7 +183,7 @@ def get_rules_for(app_name: str, rule_groups: list) -> list:
     """
     groups = []
     for group in rule_groups:
-        if app_name in group["name"]:
+        if app_name in group["name"] or app_name.replace("-", "_") in group["name"]:
             groups.append(group)
     return groups