Apply restrictive file permissions

It conforms with [1] by creating a new venv which checks the unix
permissions. As jjobs call Functest console scripts [2], all perms
can be 644.

Dockerfiles are updated as well.

[1] https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html
[2] https://gerrit.opnfv.org/gerrit/#/c/36805/

Depends-On: I9209e6efa1b493e24135402a46df72aaa14115d1
Change-Id: I31bc7f12b775928845e23b6b40288b0a50b87219
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>

diff --git a/docker/Dockerfile b/docker/Dockerfile
index d38713e..a4a4258 100644 (file)
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -101,22 +101,6 @@ RUN git clone --depth 1 -b $VIMS_TAG https://github.com/boucherv-orange/clearwat
 RUN git clone --depth 1 -b $VROUTER_TAG https://github.com/oolorg/opnfv-functest-vrouter.git ${REPOS_VNFS_DIR}/vrouter
 RUN git clone --depth 1 https://github.com/wuwenbin2/OnosSystemTest.git ${REPOS_DIR}/onos
 
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L __main__ |cut -d\: -f 1 |xargs chmod -c 644 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L \#\! |cut -d\:  -f 1 |xargs chmod -c 644
-
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep __main__ |cut -d\: -f 1 |xargs chmod -c 755 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep \#\! |cut -d\:  -f 1 |xargs chmod -c 755
-
 RUN wget -q https://git.openstack.org/cgit/openstack/rally/plain/install_rally.sh?h=${RALLY_TAG} -O install_rally.sh \
     && bash install_rally.sh --branch ${RALLY_TAG} --yes && rm install_rally.sh
 

diff --git a/docker/Dockerfile.aarch64 b/docker/Dockerfile.aarch64
index 77c94b0..a8f8667 100644 (file)
--- a/docker/Dockerfile.aarch64
+++ b/docker/Dockerfile.aarch64
@@ -93,22 +93,6 @@ RUN git clone --depth 1 -b $ODL_TAG https://git.opendaylight.org/gerrit/p/integr
 RUN git clone --depth 1 -b $VIMS_TAG https://github.com/boucherv-orange/clearwater-live-test ${REPOS_VNFS_DIR}/vims-test
 RUN git clone --depth 1 https://github.com/wuwenbin2/OnosSystemTest.git ${REPOS_DIR}/onos
 
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L __main__ |cut -d\: -f 1 |xargs chmod -c 644 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L \#\! |cut -d\:  -f 1 |xargs chmod -c 644
-
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep __main__ |cut -d\: -f 1 |xargs chmod -c 755 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep \#\! |cut -d\:  -f 1 |xargs chmod -c 755
-
 RUN wget -q https://git.openstack.org/cgit/openstack/rally/plain/install_rally.sh?h=${RALLY_TAG} -O install_rally.sh \
     && bash install_rally.sh --branch ${RALLY_TAG} --yes && rm install_rally.sh
 

diff --git a/docker/add_images.sh b/docker/add_images.sh
old mode 100755 (executable)
new mode 100644 (file)

diff --git a/docker/config_install_env.sh b/docker/config_install_env.sh
old mode 100755 (executable)
new mode 100644 (file)

diff --git a/docker/docker_remote_api/enable_remote_api.sh b/docker/docker_remote_api/enable_remote_api.sh
old mode 100755 (executable)
new mode 100644 (file)

diff --git a/functest/ci/download_images.sh b/functest/ci/download_images.sh
old mode 100755 (executable)
new mode 100644 (file)

diff --git a/functest/ci/prepare_env.py b/functest/ci/prepare_env.py
old mode 100755 (executable)
new mode 100644 (file)
index ae9d953..da3e624
--- a/functest/ci/prepare_env.py
+++ b/functest/ci/prepare_env.py
@@ -389,7 +389,3 @@ def main():
     parser = PrepareEnvParser()
     args = parser.parse_args(sys.argv[1:])
     return prepare_env(**args)
-
-
-if __name__ == '__main__':
-    sys.exit(main())

diff --git a/functest/ci/run_tests.py b/functest/ci/run_tests.py
old mode 100755 (executable)
new mode 100644 (file)
index 5155adc..b95e100
--- a/functest/ci/run_tests.py
+++ b/functest/ci/run_tests.py
@@ -276,6 +276,3 @@ def main():
     args = parser.parse_args(sys.argv[1:])
     runner = Runner()
     return runner.main(**args).value
-
-if __name__ == '__main__':
-    sys.exit(main())

diff --git a/functest/opnfv_tests/openstack/vping/ping.sh b/functest/opnfv_tests/openstack/vping/ping.sh
old mode 100755 (executable)
new mode 100644 (file)

diff --git a/functest/opnfv_tests/vnf/ims/create_venv.sh b/functest/opnfv_tests/vnf/ims/create_venv.sh
old mode 100755 (executable)
new mode 100644 (file)

diff --git a/tox.ini b/tox.ini
index 5622e33..4de5fa4 100644 (file)
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = docs,pep8,pylint,py35,py27
+envlist = docs,pep8,pylint,py35,py27,perm
 
 [testenv]
 usedevelop = True
@@ -49,3 +49,14 @@ dirs =
   functest/tests/unit/odl
   functest/tests/unit/utils/test_decorators.py
 commands = nosetests {[testenv:py35]dirs}
+
+[testenv:perm]
+basepython = python2.7
+whitelist_externals = bash
+path=. -not -path './.tox/*' -not -path './.git/*' -not -path './docs/com/pres/reveal.js/*'
+commands =
+  bash -c "\
+    find {[testenv:perm]path} \( -type f -not -perm 644 -o -type d -not -perm 755 \) \
+    -exec ls -l \{\} + | grep '.' && exit 1 || exit 0"
+  bash -c "\
+    find {[testenv:perm]path} -exec file \{\} + | grep CRLF && exit 1 || exit 0"