[service] Fix windows permissions

2024-12-06 12:00:20 +02:00
parent 6e173e3b96
commit 22253c4e9e
18 changed files with 138 additions and 57 deletions
--- a/base/utils/fs.go
+++ b/base/utils/fs.go
@@ -6,15 +6,13 @@ import (
 	"io/fs"
 	"os"
 	"runtime"
-
-	"github.com/hectane/go-acl"
 )

 const isWindows = runtime.GOOS == "windows"

 // EnsureDirectory ensures that the given directory exists and that is has the given permissions set.
 // If path is a file, it is deleted and a directory created.
-func EnsureDirectory(path string, perm os.FileMode) error {
+func EnsureDirectory(path string, perm FSPermission) error {
 	// open path
 	f, err := os.Stat(path)
 	if err == nil {
@@ -23,10 +21,10 @@ func EnsureDirectory(path string, perm os.FileMode) error {
 			// directory exists, check permissions
 			if isWindows {
 				// Ignore windows permission error. For none admin users it will always fail.
-				acl.Chmod(path, perm)
+				SetDirPermission(path, perm)
 				return nil
-			} else if f.Mode().Perm() != perm {
-				return os.Chmod(path, perm)
+			} else if f.Mode().Perm() != perm.AsUnixDirExecPermission() {
+				return SetDirPermission(path, perm)
 			}
 			return nil
 		}
@@ -37,17 +35,16 @@ func EnsureDirectory(path string, perm os.FileMode) error {
 	}
 	// file does not exist (or has been deleted)
 	if err == nil || errors.Is(err, fs.ErrNotExist) {
-		err = os.Mkdir(path, perm)
+		err = os.Mkdir(path, perm.AsUnixDirExecPermission())
 		if err != nil {
 			return fmt.Errorf("could not create dir %s: %w", path, err)
 		}
+		// Set windows permissions. Linux permission where already set with creation.
 		if isWindows {
 			// Ignore windows permission error. For none admin users it will always fail.
-			acl.Chmod(path, perm)
-			return nil
-		} else {
-			return os.Chmod(path, perm)
+			SetDirPermission(path, perm)
 		}
+		return nil
 	}
 	// other error opening path
 	return fmt.Errorf("failed to access %s: %w", path, err)
--- a/base/utils/permissions.go
+++ b/base/utils/permissions.go
@@ -0,0 +1,20 @@
+//go:build !windows
+
+package utils
+
+import "os"
+
+// SetDirPermission sets the permission of a directory.
+func SetDirPermission(path string, perm FSPermission) error {
+	return os.Chmod(path, perm.AsUnixDirExecPermission())
+}
+
+// SetExecPermission sets the permission of an executable file.
+func SetExecPermission(path string, perm FSPermission) error {
+	return SetDirPermission(path, perm)
+}
+
+// SetFilePermission sets the permission of a non executable file.
+func SetFilePermission(path string, perm FSPermission) error {
+	return os.Chmod(path, perm.AsUnixFilePermission())
+}
--- a/base/utils/permissions_windows.go
+++ b/base/utils/permissions_windows.go
@@ -0,0 +1,35 @@
+//go:build windows
+
+package utils
+
+import (
+	"github.com/hectane/go-acl"
+	"golang.org/x/sys/windows"
+)
+
+func SetDirPermission(path string, perm FSPermission) error {
+	setWindowsFilePermissions(path, perm)
+	return nil
+}
+
+// SetExecPermission sets the permission of an executable file.
+func SetExecPermission(path string, perm FSPermission) error {
+	return SetDirPermission(path, perm)
+}
+
+func setWindowsFilePermissions(path string, perm FSPermission) {
+	switch perm {
+	case AdminOnlyPermission:
+		// Set only admin rights, remove all others.
+		acl.Apply(path, true, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Administrators"))
+	case PublicReadPermission:
+		// Set admin rights and read/execute rights for users, remove all others.
+		acl.Apply(path, true, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Administrators"))
+		acl.Apply(path, false, false, acl.GrantName(windows.GENERIC_EXECUTE, "Users"))
+		acl.Apply(path, false, false, acl.GrantName(windows.GENERIC_READ, "Users"))
+	case PublicWritePermission:
+		// Set full control to admin and regular users. Guest users will not have access.
+		acl.Apply(path, true, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Administrators"))
+		acl.Apply(path, false, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Users"))
+	}
+}
--- a/base/utils/structure.go
+++ b/base/utils/structure.go
@@ -2,25 +2,61 @@ package utils

 import (
 	"fmt"
-	"os"
+	"io/fs"
 	"path/filepath"
 	"strings"
 	"sync"
 )

+type FSPermission uint8
+
+const (
+	AdminOnlyPermission FSPermission = iota
+	PublicReadPermission
+	PublicWritePermission
+)
+
+// AsUnixDirPermission return the corresponding unix permission for a directory or executable.
+func (perm FSPermission) AsUnixDirExecPermission() fs.FileMode {
+	switch perm {
+	case AdminOnlyPermission:
+		return 0o700
+	case PublicReadPermission:
+		return 0o755
+	case PublicWritePermission:
+		return 0o777
+	}
+
+	return 0
+}
+
+// AsUnixDirPermission return the corresponding unix permission for a regular file.
+func (perm FSPermission) AsUnixFilePermission() fs.FileMode {
+	switch perm {
+	case AdminOnlyPermission:
+		return 0o600
+	case PublicReadPermission:
+		return 0o655
+	case PublicWritePermission:
+		return 0o666
+	}
+
+	return 0
+}
+
 // DirStructure represents a directory structure with permissions that should be enforced.
 type DirStructure struct {
 	sync.Mutex

 	Path     string
 	Dir      string
-	Perm     os.FileMode
+	Perm     FSPermission
 	Parent   *DirStructure
 	Children map[string]*DirStructure
 }

 // NewDirStructure returns a new DirStructure.
-func NewDirStructure(path string, perm os.FileMode) *DirStructure {
+func NewDirStructure(path string, perm FSPermission) *DirStructure {
 	return &DirStructure{
 		Path:     path,
 		Perm:     perm,
@@ -29,7 +65,7 @@ func NewDirStructure(path string, perm os.FileMode) *DirStructure {
 }

 // ChildDir adds a new child DirStructure and returns it. Should the child already exist, the existing child is returned and the permissions are updated.
-func (ds *DirStructure) ChildDir(dirName string, perm os.FileMode) (child *DirStructure) {
+func (ds *DirStructure) ChildDir(dirName string, perm FSPermission) (child *DirStructure) {
 	ds.Lock()
 	defer ds.Unlock()