From 3dcd1e4db7540459d3dff337684547d68fea2b44 Mon Sep 17 00:00:00 2001
From: =?utf8?q?C=C3=A9dric=20Ollivier?=
Date: Sun, 2 Jul 2017 10:16:05 +0200
Subject: [PATCH] Apply restrictive file permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
It conforms with [1] by creating a new venv which checks the unix permissions. As jjobs call Functest console scripts [2], all perms can be 644. Dockerfiles are updated as well.
[1] https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html
[2] https://gerrit.opnfv.org/gerrit/#/c/36805/
Depends-On: I9209e6efa1b493e24135402a46df72aaa14115d1
Change-Id: I31bc7f12b775928845e23b6b40288b0a50b87219
Signed-off-by: Cédric Ollivier
---
 docker/Dockerfile | 16 ----------------
 docker/Dockerfile.aarch64 | 16 ----------------
 docker/add_images.sh | 0
 docker/config_install_env.sh | 0
 docker/docker_remote_api/enable_remote_api.sh | 0
 functest/ci/download_images.sh | 0
 functest/ci/prepare_env.py | 4 ----
 functest/ci/run_tests.py | 3 ---
 functest/opnfv_tests/openstack/vping/ping.sh | 0
 functest/opnfv_tests/vnf/ims/create_venv.sh | 0
 tox.ini | 13 ++++++++++++-
 11 files changed, 12 insertions(+), 40 deletions(-)
 mode change 100755 => 100644 docker/add_images.sh
 mode change 100755 => 100644 docker/config_install_env.sh
 mode change 100755 => 100644 docker/docker_remote_api/enable_remote_api.sh
 mode change 100755 => 100644 functest/ci/download_images.sh
 mode change 100755 => 100644 functest/ci/prepare_env.py
 mode change 100755 => 100644 functest/ci/run_tests.py
 mode change 100755 => 100644 functest/opnfv_tests/openstack/vping/ping.sh
 mode change 100755 => 100644 functest/opnfv_tests/vnf/ims/create_venv.sh
diff --git a/docker/Dockerfile b/docker/Dockerfile
index d38713e06..a4a425885 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -101,22 +101,6 @@ RUN git clone --depth 1 -b $VIMS_TAG https://github.com/boucherv-orange/clearwat
 RUN git clone --depth 1 -b $VROUTER_TAG https://github.com/oolorg/opnfv-functest-vrouter.git ${REPOS_VNFS_DIR}/vrouter
 RUN git clone --depth 1 https://github.com/wuwenbin2/OnosSystemTest.git ${REPOS_DIR}/onos
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
- -not -path "*tests/unit*" \
- -not -path "*functest_venv*" \
- |xargs grep -L __main__ |cut -d\: -f 1 |xargs chmod -c 644 \
- && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
- -not -path "*functest_venv*" \
- |xargs grep -L \#\! |cut -d\: -f 1 |xargs chmod -c 644
-
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
- -not -path "*tests/unit*" \
- -not -path "*functest_venv*" \
- |xargs grep __main__ |cut -d\: -f 1 |xargs chmod -c 755 \
- && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
- -not -path "*functest_venv*" \
- |xargs grep \#\! |cut -d\: -f 1 |xargs chmod -c 755
-
 RUN wget -q https://git.openstack.org/cgit/openstack/rally/plain/install_rally.sh?h=${RALLY_TAG} -O install_rally.sh \
 && bash install_rally.sh --branch ${RALLY_TAG} --yes && rm install_rally.sh
diff --git a/docker/Dockerfile.aarch64 b/docker/Dockerfile.aarch64
index 77c94b02f..a8f866718 100644
--- a/docker/Dockerfile.aarch64
+++ b/docker/Dockerfile.aarch64
@@ -93,22 +93,6 @@ RUN git clone --depth 1 -b $ODL_TAG https://git.opendaylight.org/gerrit/p/integr
 RUN git clone --depth 1 -b $VIMS_TAG https://github.com/boucherv-orange/clearwater-live-test ${REPOS_VNFS_DIR}/vims-test
 RUN git clone --depth 1 https://github.com/wuwenbin2/OnosSystemTest.git ${REPOS_DIR}/onos
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
- -not -path "*tests/unit*" \
- -not -path "*functest_venv*" \
- |xargs grep -L __main__ |cut -d\: -f 1 |xargs chmod -c 644 \
- && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
- -not -path "*functest_venv*" \
- |xargs grep -L \#\! |cut -d\: -f 1 |xargs chmod -c 644
-
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
- -not -path "*tests/unit*" \
- -not -path "*functest_venv*" \
- |xargs grep __main__ |cut -d\: -f 1 |xargs chmod -c 755 \
- && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
- -not -path "*functest_venv*" \
- |xargs grep \#\! |cut -d\: -f 1 |xargs chmod -c 755
-
 RUN wget -q https://git.openstack.org/cgit/openstack/rally/plain/install_rally.sh?h=${RALLY_TAG} -O install_rally.sh \
 && bash install_rally.sh --branch ${RALLY_TAG} --yes && rm install_rally.sh
diff --git a/docker/add_images.sh b/docker/add_images.sh
old mode 100755
new mode 100644
diff --git a/docker/config_install_env.sh b/docker/config_install_env.sh
old mode 100755
new mode 100644
diff --git a/docker/docker_remote_api/enable_remote_api.sh b/docker/docker_remote_api/enable_remote_api.sh
old mode 100755
new mode 100644
diff --git a/functest/ci/download_images.sh b/functest/ci/download_images.sh
old mode 100755
new mode 100644
diff --git a/functest/ci/prepare_env.py b/functest/ci/prepare_env.py
old mode 100755
new mode 100644
index ae9d9537e..da3e62450
--- a/functest/ci/prepare_env.py
+++ b/functest/ci/prepare_env.py
@@ -389,7 +389,3 @@ def main():
 parser = PrepareEnvParser()
 args = parser.parse_args(sys.argv[1:])
 return prepare_env(**args)
-
-
-if __name__ == '__main__':
- sys.exit(main())
diff --git a/functest/ci/run_tests.py b/functest/ci/run_tests.py
old mode 100755
new mode 100644
index 5155adc46..b95e1008b
--- a/functest/ci/run_tests.py
+++ b/functest/ci/run_tests.py
@@ -276,6 +276,3 @@ def main():
 args = parser.parse_args(sys.argv[1:])
 runner = Runner()
 return runner.main(**args).value
-
-if __name__ == '__main__':
- sys.exit(main())
diff --git a/functest/opnfv_tests/openstack/vping/ping.sh b/functest/opnfv_tests/openstack/vping/ping.sh
old mode 100755
new mode 100644
diff --git a/functest/opnfv_tests/vnf/ims/create_venv.sh b/functest/opnfv_tests/vnf/ims/create_venv.sh
old mode 100755
new mode 100644
diff --git a/tox.ini b/tox.ini
index 5622e33f5..4de5fa4ad 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = docs,pep8,pylint,py35,py27
+envlist = docs,pep8,pylint,py35,py27,perm
 [testenv]
 usedevelop = True
@@ -49,3 +49,14 @@ dirs =
 functest/tests/unit/odl
 functest/tests/unit/utils/test_decorators.py
 commands = nosetests {[testenv:py35]dirs}
+
+[testenv:perm]
+basepython = python2.7
+whitelist_externals = bash
+path=. -not -path './.tox/*' -not -path './.git/*' -not -path './docs/com/pres/reveal.js/*'
+commands =
+ bash -c "\
+ find {[testenv:perm]path} \( -type f -not -perm 644 -o -type d -not -perm 755 \) \
+ -exec ls -l \{\} + | grep '.' && exit 1 || exit 0"
+ bash -c "\
+ find {[testenv:perm]path} -exec file \{\} + | grep CRLF && exit 1 || exit 0"
-- 
2.16.6
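Review bot: The new `[testenv:perm]` commands test the mode bits of the checked-out tree (`-type f -not -perm 644 -o -type d -not -perm 755`), which depend on the umask of the job that cloned the repository as well as on what the commit records; under a umask of 002 or 027 every file would be listed and the env would fail, although a 640 file is stricter than the guideline in [1] asks for. Git itself stores only the executable bit, so the recorded mode can be checked independently of umask, for example `git ls-files -s | grep '^100755' && exit 1 || exit 0` (assuming the env always runs inside a git checkout). If the aim is to catch over-permissive files in the tree, a predicate such as `-perm /022` (GNU find) states that directly instead of requiring an exact match. A one-line comment above `commands =` naming the guideline the check enforces would help whoever has to extend the `path` exclusions later.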