[#42] Add acl feature flag and deactive it by default
elfenpiff committed Dec 15, 2023
1 parent 04e367f commit 5543c0b
Showing 25 changed files with 336 additions and 216 deletions.
3 changes: 3 additions & 0 deletions iceoryx2-bb/posix/Cargo.toml
Expand Up @@ -10,6 +10,9 @@ repository = { workspace = true }
rust-version = { workspace = true }
version = { workspace = true }

[features]
acl = ["iceoryx2-pal-posix/acl"]

[dependencies]
iceoryx2-bb-container = { workspace = true }
iceoryx2-bb-system-types = { workspace = true }
15 changes: 11 additions & 4 deletions iceoryx2-bb/posix/src/file_descriptor.rs
Expand Up @@ -46,6 +46,7 @@
//! use iceoryx2_bb_container::semantic_string::SemanticString;
//! use iceoryx2_bb_posix::file_descriptor::*;
//! use iceoryx2_bb_posix::file::*;
//! #[cfg(feature = "acl")]
//! use iceoryx2_bb_posix::access_control_list::*;
//! use iceoryx2_bb_posix::ownership::*;
//! use iceoryx2_bb_posix::user::UserExt;
Expand All @@ -68,14 +69,18 @@
//! file.set_permission(Permission::ALL);
//!
//! // set some new ACLs
//! let mut acl = file.access_control_list().expect("failed to get acl");
//! acl.add_user("testUser2".as_user().unwrap().uid(), AclPermission::Read)
//! .expect("failed to add user");
//! file.set_access_control_list(&acl);
//! #[cfg(feature = "acl")]
//! {
//! let mut acl = file.access_control_list().expect("failed to get acl");
//! acl.add_user("testUser2".as_user().unwrap().uid(), AclPermission::Read)
//! .expect("failed to add user");
//! file.set_access_control_list(&acl);
//! }
//! ```
use std::fmt::Debug;

#[cfg(feature = "acl")]
use crate::access_control_list::*;
use crate::config::EINTR_REPETITIONS;
use crate::file::*;
Expand Down Expand Up @@ -303,13 +308,15 @@ pub trait FileDescriptorManagement: FileDescriptorBased + Debug + Sized {
}

/// Returns the current access control list
#[cfg(feature = "acl")]
fn access_control_list(
&self,
) -> Result<AccessControlList, AccessControlListCreationFromFdError> {
AccessControlList::from_file_descriptor(unsafe { self.file_descriptor().native_handle() })
}

/// Sets a new access control list
#[cfg(feature = "acl")]
fn set_access_control_list(
&self,
acl: &AccessControlList,
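Review bot: The doc comments on `access_control_list` and `set_access_control_list` do not say that both methods now exist only when the `acl` feature is enabled, and that feature is off by default. A caller who follows the module example and wraps the ACL calls in `#[cfg(feature = "acl")]` gets a build that silently skips them, so the file keeps whatever `set_permission` left on it (`Permission::ALL` in the example). I would add a line such as `/// Only available with the "acl" cargo feature; without it no ACL is read or applied.` to both methods, plus one sentence in the module docs saying the ACL part of the example is compiled out by default. The body of `set_access_control_list` continues outside the hunk.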
24 changes: 24 additions & 0 deletions iceoryx2-bb/posix/src/lib.rs
Expand Up @@ -12,6 +12,7 @@

//! Abstraction of POSIX constructs with a safe API
#[cfg(feature = "acl")]
use access_control_list::AccessControlListError;
use barrier::BarrierCreationError;
use clock::ClockError;
Expand All @@ -31,6 +32,7 @@ use thread::ThreadError;
use unix_datagram_socket::UnixDatagramError;
use user::UserError;

#[cfg(feature = "acl")]
pub mod access_control_list;
pub mod access_mode;
pub mod adaptive_wait;
Expand Down Expand Up @@ -70,6 +72,7 @@ pub mod unix_datagram_socket;
pub mod unmovable_ipc_handle;
pub mod user;

#[cfg(feature = "acl")]
enum_gen! {Error
generalization:
AccessControlList <= AccessControlListError,
Expand All @@ -90,3 +93,24 @@ enum_gen! {Error
User <= UserError,
UnixDatagramSocket <= UnixDatagramError
}

#[cfg(not(feature = "acl"))]
enum_gen! {Error
generalization:
Barrier <= BarrierCreationError,
Clock <= ClockError,
Directory <= DirectoryError,
File <= FileError,
FileLock <= FileLockError,
Group <= GroupError,
MemoryLock <= MemoryLockError,
Mutex <= MutexError,
Process <= ProcessError,
ReadWriteMutex <= ReadWriteMutexError,
Semaphore <= SemaphoreError,
SharedMemory <= SharedMemoryCreationError,
Signal <= SignalError,
Thread <= ThreadError,
User <= UserError,
UnixDatagramSocket <= UnixDatagramError
}
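Review bot: The second `enum_gen! {Error ...}` under `#[cfg(not(feature = "acl"))]` repeats the whole variant list, so every future error type has to be added in two places, and a missed one only shows up in the configuration that is not built. The public `Error` enum also gains or loses its `AccessControlList` variant with the feature; since Cargo unifies features across a dependency graph, downstream code that matches on `Error` exhaustively could compile in one graph and fail in another (this depends on how `enum_gen!` expands, which is not visible here). If `enum_gen!` accepts attributes on single entries, a `#[cfg(feature = "acl")]` on the `AccessControlList <= AccessControlListError,` line alone would remove the copy. Otherwise add `// Keep identical to the cfg(feature = "acl") list above, minus AccessControlList.` above the second invocation.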
233 changes: 119 additions & 114 deletions iceoryx2-bb/posix/tests/access_control_list_tests.rs
Expand Up @@ -10,137 +10,142 @@
//
// SPDX-License-Identifier: Apache-2.0 OR MIT

use iceoryx2_bb_posix::access_control_list::*;
use iceoryx2_bb_posix::config::TEST_DIRECTORY;
use iceoryx2_bb_posix::directory::*;
use iceoryx2_bb_posix::file::*;
use iceoryx2_bb_posix::file_descriptor::FileDescriptorBased;
use iceoryx2_bb_posix::group::*;
use iceoryx2_bb_posix::user::*;
use iceoryx2_bb_system_types::file_name::FileName;
use iceoryx2_bb_system_types::file_path::FilePath;
use iceoryx2_bb_testing::assert_that;
use iceoryx2_bb_testing::test_requires;
use iceoryx2_pal_posix::*;

// TODO: [#40]
#[ignore]
#[test]
fn access_control_list_string_conversion_works() {
test_requires!(posix::POSIX_SUPPORT_ACL);

let mut sut = AccessControlList::new().unwrap();
sut.add_user(0, AclPermission::Execute).unwrap();
sut.add_group(0, AclPermission::WriteExecute).unwrap();

let sut_string = sut.as_string().unwrap();
let new_sut = AccessControlList::from_string(&sut_string).unwrap();

assert_that!(sut.as_string().unwrap(), eq new_sut.as_string().unwrap());

let entries = sut.get().unwrap();
let new_entries = new_sut.get().unwrap();

assert_that!(entries, len 6);
let new_entries_len = new_entries.len();
assert_that!(entries, len new_entries_len);

for i in 0..6 {
assert_that!(entries[i].id(), eq new_entries[i].id());
assert_that!(entries[i].permission(), eq new_entries[i].permission());
assert_that!(entries[i].tag(), eq new_entries[i].tag());
#[cfg(feature = "acl")]
mod tests {
use iceoryx2_bb_posix::access_control_list::*;
use iceoryx2_bb_posix::config::TEST_DIRECTORY;
use iceoryx2_bb_posix::directory::*;
use iceoryx2_bb_posix::file::*;
use iceoryx2_bb_posix::file_descriptor::FileDescriptorBased;
use iceoryx2_bb_posix::group::*;
use iceoryx2_bb_posix::user::*;
use iceoryx2_bb_system_types::file_name::FileName;
use iceoryx2_bb_system_types::file_path::FilePath;
use iceoryx2_bb_testing::assert_that;
use iceoryx2_bb_testing::test_requires;
use iceoryx2_pal_posix::*;

// TODO: [#40]
#[ignore]
#[test]
fn access_control_list_string_conversion_works() {
test_requires!(posix::POSIX_SUPPORT_ACL);

let mut sut = AccessControlList::new().unwrap();
sut.add_user(0, AclPermission::Execute).unwrap();
sut.add_group(0, AclPermission::WriteExecute).unwrap();

let sut_string = sut.as_string().unwrap();
let new_sut = AccessControlList::from_string(&sut_string).unwrap();

assert_that!(sut.as_string().unwrap(), eq new_sut.as_string().unwrap());

let entries = sut.get().unwrap();
let new_entries = new_sut.get().unwrap();

assert_that!(entries, len 6);
let new_entries_len = new_entries.len();
assert_that!(entries, len new_entries_len);

for i in 0..6 {
assert_that!(entries[i].id(), eq new_entries[i].id());
assert_that!(entries[i].permission(), eq new_entries[i].permission());
assert_that!(entries[i].tag(), eq new_entries[i].tag());
}
}
}

#[test]
fn access_control_list_apply_to_file_works() {
test_requires!(posix::POSIX_SUPPORT_ACL);
#[test]
fn access_control_list_apply_to_file_works() {
test_requires!(posix::POSIX_SUPPORT_ACL);

Directory::create(&TEST_DIRECTORY, Permission::OWNER_ALL).unwrap();
let file_path = FilePath::from_path_and_file(&TEST_DIRECTORY, unsafe {
&FileName::new_unchecked(b"access_control_list_test")
})
.unwrap();

let file = FileBuilder::new(&file_path)
.creation_mode(CreationMode::PurgeAndCreate)
.create()
Directory::create(&TEST_DIRECTORY, Permission::OWNER_ALL).unwrap();
let file_path = FilePath::from_path_and_file(&TEST_DIRECTORY, unsafe {
&FileName::new_unchecked(b"access_control_list_test")
})
.unwrap();

let mut sut = AccessControlList::new().unwrap();
sut.set(Acl::OwningUser, AclPermission::ReadExecute)
.unwrap();
sut.set(Acl::OwningGroup, AclPermission::Execute).unwrap();
sut.set(Acl::Other, AclPermission::None).unwrap();
sut.set(
Acl::MaxAccessRightsForNonOwners,
AclPermission::ReadWriteExecute,
)
.unwrap();

// apply basic settings
sut.apply_to_file_descriptor(unsafe { file.file_descriptor().native_handle() })
.unwrap();
let file = FileBuilder::new(&file_path)
.creation_mode(CreationMode::PurgeAndCreate)
.create()
.unwrap();

// // acquire acl from fd and extend it
let mut sut =
AccessControlList::from_file_descriptor(unsafe { file.file_descriptor().native_handle() })
let mut sut = AccessControlList::new().unwrap();
sut.set(Acl::OwningUser, AclPermission::ReadExecute)
.unwrap();
sut.set(Acl::OwningGroup, AclPermission::Execute).unwrap();
sut.set(Acl::Other, AclPermission::None).unwrap();
sut.set(
Acl::MaxAccessRightsForNonOwners,
AclPermission::ReadWriteExecute,
)
.unwrap();

let testuser1_uid = "testuser1".as_user().unwrap().uid();
let testuser2_uid = "testuser2".as_user().unwrap().uid();
let testgroup1_gid = "testgroup1".as_group().unwrap().gid();
let testgroup2_gid = "testgroup2".as_group().unwrap().gid();
// apply basic settings
sut.apply_to_file_descriptor(unsafe { file.file_descriptor().native_handle() })
.unwrap();

sut.add_user(testuser1_uid, AclPermission::Read).unwrap();
sut.add_user(testuser2_uid, AclPermission::Write).unwrap();
sut.add_group(testgroup1_gid, AclPermission::ReadWrite)
.unwrap();
sut.add_group(testgroup2_gid, AclPermission::WriteExecute)
.unwrap();
sut.apply_to_file_descriptor(unsafe { file.file_descriptor().native_handle() })
// // acquire acl from fd and extend it
let mut sut = AccessControlList::from_file_descriptor(unsafe {
file.file_descriptor().native_handle()
})
.unwrap();

let sut =
AccessControlList::from_file_descriptor(unsafe { file.file_descriptor().native_handle() })
let testuser1_uid = "testuser1".as_user().unwrap().uid();
let testuser2_uid = "testuser2".as_user().unwrap().uid();
let testgroup1_gid = "testgroup1".as_group().unwrap().gid();
let testgroup2_gid = "testgroup2".as_group().unwrap().gid();

sut.add_user(testuser1_uid, AclPermission::Read).unwrap();
sut.add_user(testuser2_uid, AclPermission::Write).unwrap();
sut.add_group(testgroup1_gid, AclPermission::ReadWrite)
.unwrap();
sut.add_group(testgroup2_gid, AclPermission::WriteExecute)
.unwrap();
sut.apply_to_file_descriptor(unsafe { file.file_descriptor().native_handle() })
.unwrap();
let entries = sut.get().unwrap();

for entry in entries {
match entry.tag() {
AclTag::OwningUser => {
assert_that!(entry.permission(), eq AclPermission::ReadExecute)
}
AclTag::OwningGroup => {
assert_that!(entry.permission(), eq AclPermission::Execute)
}
AclTag::Other => {
assert_that!(entry.permission(), eq AclPermission::None)
}
AclTag::MaxAccessRightsForNonOwners => {
assert_that!(entry.permission(), eq AclPermission::ReadWriteExecute)
}
AclTag::User => {
if entry.id() == Some(testuser1_uid) {
assert_that!(entry.permission(), eq AclPermission::Read);
} else if entry.id() == Some(testuser2_uid) {
assert_that!(entry.permission(), eq AclPermission::Write);
} else {
assert_that!(true, eq false);
let sut = AccessControlList::from_file_descriptor(unsafe {
file.file_descriptor().native_handle()
})
.unwrap();
let entries = sut.get().unwrap();

for entry in entries {
match entry.tag() {
AclTag::OwningUser => {
assert_that!(entry.permission(), eq AclPermission::ReadExecute)
}
}
AclTag::Group => {
if entry.id() == Some(testgroup1_gid) {
assert_that!(entry.permission(), eq AclPermission::ReadWrite);
} else if entry.id() == Some(testgroup2_gid) {
assert_that!(entry.permission(), eq AclPermission::WriteExecute);
} else {
AclTag::OwningGroup => {
assert_that!(entry.permission(), eq AclPermission::Execute)
}
AclTag::Other => {
assert_that!(entry.permission(), eq AclPermission::None)
}
AclTag::MaxAccessRightsForNonOwners => {
assert_that!(entry.permission(), eq AclPermission::ReadWriteExecute)
}
AclTag::User => {
if entry.id() == Some(testuser1_uid) {
assert_that!(entry.permission(), eq AclPermission::Read);
} else if entry.id() == Some(testuser2_uid) {
assert_that!(entry.permission(), eq AclPermission::Write);
} else {
assert_that!(true, eq false);
}
}
AclTag::Group => {
if entry.id() == Some(testgroup1_gid) {
assert_that!(entry.permission(), eq AclPermission::ReadWrite);
} else if entry.id() == Some(testgroup2_gid) {
assert_that!(entry.permission(), eq AclPermission::WriteExecute);
} else {
assert_that!(true, eq false);
}
}
_ => {
assert_that!(true, eq false);
}
}
_ => {
assert_that!(true, eq false);
}
}
}
}
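Review bot: With `acl` off by default, `#[cfg(feature = "acl")] mod tests` compiles this whole file out, so a plain `cargo test` builds an empty test binary and reports success without exercising any access-control code. The same holds for `access_control_list_handling_works` in `tests/file_descriptor_tests.rs`. No CI configuration is visible on this page, so I cannot tell whether any job runs with `--features acl`; if none does, regressions in ACL permission handling will go unnoticed. Consider declaring the test target with `required-features = ["acl"]` in `Cargo.toml` so the skip is explicit, and running at least one CI job with the feature enabled.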
3 changes: 3 additions & 0 deletions iceoryx2-bb/posix/tests/file_descriptor_tests.rs
Expand Up @@ -12,6 +12,7 @@

use iceoryx2_bb_container::semantic_string::SemanticString;
use iceoryx2_bb_elementary::math::ToB64;
#[cfg(feature = "acl")]
use iceoryx2_bb_posix::access_control_list::*;
use iceoryx2_bb_posix::config::*;
use iceoryx2_bb_posix::file::*;
Expand All @@ -25,6 +26,7 @@ use iceoryx2_bb_system_types::file_path::FilePath;
use iceoryx2_bb_testing::assert_that;
use iceoryx2_bb_testing::test_requires;
use iceoryx2_pal_posix::posix::{POSIX_SUPPORT_PERMISSIONS, POSIX_SUPPORT_USERS_AND_GROUPS};
#[cfg(feature = "acl")]
use iceoryx2_pal_posix::*;

#[test]
Expand Down Expand Up @@ -142,6 +144,7 @@ mod file_descriptor_management {
test(Permission::OWNER_ALL | Permission::GROUP_ALL | Permission::OTHERS_ALL);
}

#[cfg(feature = "acl")]
#[test]
fn access_control_list_handling_works<Sut: GenericTestBuilder + FileDescriptorManagement>() {
test_requires!(posix::POSIX_SUPPORT_ACL);
3 changes: 3 additions & 0 deletions iceoryx2-pal/posix/Cargo.toml
Expand Up @@ -14,6 +14,9 @@ version = { workspace = true }
cc = { workspace = true }
bindgen = { workspace = true }

[features]
acl = []

[dependencies]
iceoryx2-pal-concurrency-sync = { workspace = true }
iceoryx2-pal-configuration = { workspace = true }