Grant plan users read access to the ROBOCORP_HOME base directory
As of now, only admin users have access to the ROBOCORP_HOME base directory on
Windows systems, which is what we want. Furthermore, plan users are granted full
access to their user-specific ROBOCORP_HOME directory (which is located inside
the base directory). This setup is as desired. However, it turned out that this
prevents non-admin plan users from building RCC environments. For some reason,
read access to the ROBOCORP_HOME base directory is required. Without it,
micromamba crashes:
```
info     libmamba ****************** Backtrace Start ******************
debug    libmamba Loading configuration
trace    libmamba Compute configurable 'create_base'
trace    libmamba Compute configurable 'no_env'
trace    libmamba Compute configurable 'no_rc'
trace    libmamba Compute configurable 'rc_files'
trace    libmamba Compute configurable 'root_prefix'
trace    libmamba Compute configurable 'envs_dirs'
critical libmamba weakly_canonical: Access is denied.: "C:\rmk\rcc_home\vagrant2\envs"
info     libmamba ****************** Backtrace End ********************
```
jherbel committed Jan 14, 2025
1 parent 4382438 commit 027a367
Showing 3 changed files with 87 additions and 12 deletions.
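--- a/src/bin/scheduler/setup/steps/directories.rs
+++ b/src/bin/scheduler/setup/steps/directories.rs
@@ -136,6 +136,68 @@ pub fn gather_robocorp_home_base(config: &GlobalConfig, plans: Vec<Plan>) -> Vec
 ]
 }
 
+#[cfg(windows)]
+struct StepRobocorpHomeBaseReadAccess {
+target: Utf8PathBuf,
+user_name: String,
+}
+
+#[cfg(windows)]
+impl SetupStep for StepRobocorpHomeBaseReadAccess {
+fn label(&self) -> String {
+format!(
+"Grant user {user} read access to {target}",
+user = self.user_name,
+target = self.target
+)
+}
+
+fn setup(&self) -> Result<(), api::Error> {
+run_icacls_command([
+self.target.as_str(),
+"/grant",
+&format!("{sid}:R", sid = self.user_name),
+])
+.map_err(|err| {
+api::Error::new(
+format!(
+"Failed to grant user {user} read access to {target}",
+user = self.user_name,
+target = self.target
+),
+err,
+)
+})
+}
+}
+
+#[cfg(windows)]
+pub fn gather_robocorp_base_read_access(
+config: &GlobalConfig,
+plans: Vec<Plan>,
+) -> Vec<StepWithPlans> {
+let (rcc_plans, system_plans): (Vec<Plan>, Vec<Plan>) =
+partition_into_rcc_and_system_plans(plans);
+let mut setup_steps: Vec<StepWithPlans> = vec![skip(system_plans)];
+for (session, plans_in_session) in plans_by_sessions(rcc_plans) {
+match session {
+Session::User(user_session) => {
+setup_steps.push((
+Box::new(StepRobocorpHomeBaseReadAccess {
+target: config.rcc_config.robocorp_home_base.clone(),
+user_name: user_session.user_name.clone(),
+}),
+plans_in_session,
+));
+}
+_ => {
+setup_steps.push(skip(plans_in_session));
+}
+}
+}
+setup_steps
+}
+
 #[cfg(windows)]
 pub fn gather_robocorp_home_per_user(
 config: &GlobalConfig,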
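Review bot: The ACE built in `setup` deserves a doc comment on `StepRobocorpHomeBaseReadAccess`, because its safety rests on a detail that is easy to lose in a later edit: `{user}:R` is passed to icacls without `(OI)(CI)`, so the grant applies to the base directory itself and is not marked for inheritance by the directories below it. Something like `/// Grants a read ACE on the base directory only; it must stay free of (OI)(CI) so that it cannot propagate into other users' directories.` would record that. Read access on a directory includes listing it, so every plan user can now see the names of the other `user_*` directories; that is probably acceptable but should be stated as a known consequence. The format placeholder is also named `sid` although the value is a user name; `&format!("{user}:R", user = self.user_name),` matches what is actually passed.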
19 changes: 18 additions & 1 deletion src/bin/scheduler/setup/steps/run.rs
@@ -33,7 +33,7 @@ type Gatherer = fn(&GlobalConfig, Vec<Plan>) -> Vec<StepWithPlans>;
#[cfg(unix)]
type Steps = [(Gatherer, &'static str); 11];
#[cfg(windows)]
type Steps = [(Gatherer, &'static str); 17];
type Steps = [(Gatherer, &'static str); 18];

const STEPS: Steps = [
(
@@ -45,6 +45,23 @@ const STEPS: Steps = [
directories::gather_robocorp_home_base,
"ROBOCORP_HOME base directory",
),
// It is unclear why this is needed. Without it, non-admin users cannot build RCC environments
// (with ROBOCORP_HOME set). Micromamba crashes with the following error:
// info libmamba ****************** Backtrace Start ******************
// debug libmamba Loading configuration
// trace libmamba Compute configurable 'create_base'
// trace libmamba Compute configurable 'no_env'
// trace libmamba Compute configurable 'no_rc'
// trace libmamba Compute configurable 'rc_files'
// trace libmamba Compute configurable 'root_prefix'
// trace libmamba Compute configurable 'envs_dirs'
// critical libmamba weakly_canonical: Access is denied.: "C:\rmk\rcc_home\vagrant2\envs"
// info libmamba ****************** Backtrace End ********************
#[cfg(windows)]
(
directories::gather_robocorp_base_read_access,
"Read access to ROBOCORP_HOME base directory",
),
#[cfg(windows)]
(
directories::gather_robocorp_home_per_user,
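Review bot: The comment above the new `gather_robocorp_base_read_access` entry records the micromamba symptom but not what the step changes on disk or why it sits at this position in `STEPS`. Because the entry widens the ACL of a directory that was previously admin-only, a line such as `// Grants each plan user a non-inherited read ACE on the base directory; runs after gather_robocorp_home_base.` would tell a reader the security effect without opening `directories.rs`. Whether the order matters depends on what the base step does to the DACL, which is not visible in this hunk; if that step resets permissions, the dependency should be stated here too. The pasted trace fails in `weakly_canonical` on the user's `envs` path, so the real requirement may be narrower than read on the base directory, which is worth a TODO next to "It is unclear why this is needed".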
18 changes: 7 additions & 11 deletions tests/test_scheduler.rs
@@ -696,19 +696,15 @@ async fn assert_robocorp_home(
.lines()
.collect::<Vec<&str>>()
.len(),
3 // Administrator group + empty line + success message (suppressing the latter with /q does not seem to work)
4 // Administrator group + headed user name + empty line + success message (suppressing the latter with /q does not seem to work)
);
assert!(dacl_exists_for_sid(robocorp_home_base, "*S-1-5-32-544").await?);
assert!(
get_permissions(robocorp_home_base.join(format!("user_{headed_user_name}")))
.await?
.contains(&format!("{headed_user_name}:(OI)(CI)(F)",))
);
assert!(
get_permissions(robocorp_home_base.join(format!("user_{headed_user_name}")))
.await?
.contains(&format!("{headed_user_name}:(OI)(CI)(F)",))
);
assert_permissions(&robocorp_home_base, &format!("{headed_user_name}:(R)")).await?;
assert_permissions(
&robocorp_home_base.join(format!("user_{headed_user_name}")),
&format!("{headed_user_name}:(OI)(CI)(F)"),
)
.await?;
}
Ok(())
}
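Review bot: The `4` in the line-count assertion is an indirect check of the property that matters here, namely that only the Administrators group and the headed user hold ACEs on the base directory. It also counts the blank line and the icacls success message, so when it fails it does not say which principal appeared or disappeared; filtering the output down to ACE lines and asserting the expected set of principals would make a permission regression readable from the failure. `assert_permissions` is defined outside this hunk, so it cannot be seen whether it compares by substring or by whole entry. If it is a substring match like the `contains` calls it replaces, `{headed_user_name}:(R)` would also be satisfied by a longer account name ending in the same string, so anchoring the match to the start of the principal is worth considering.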
