fix typo, use rancher/permissions

Signed-off-by: Harrison Affel <harrisonaffel@gmail.com>
2024-05-28 17:35:34 -04:00 · 2024-05-28 17:35:34 -04:00 · 76ba9db245
parent bdf076b2e5
commit 76ba9db245
5 changed files with 9 additions and 170 deletions
--- a/go.mod
+++ b/go.mod
@ -135,6 +135,7 @@ require (
 	github.com/prometheus/client_golang v1.19.1
 	github.com/rancher/dynamiclistener v0.3.6
 	github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29
+	github.com/rancher/permissions v0.0.0-20240523180510-4001d3d637f7
 	github.com/rancher/remotedialer v0.3.0
 	github.com/rancher/wharfie v0.5.3
 	github.com/rancher/wrangler v1.1.1
--- a/go.sum
+++ b/go.sum
@ -1246,6 +1246,8 @@ github.com/rancher/dynamiclistener v0.3.6 h1:iAFWeiFNra6tYlt4k+jINrK3hOxZ8mjW2S/
 github.com/rancher/dynamiclistener v0.3.6/go.mod h1:VqBaJNi+bZmre0+gi+2Jb6jbn7ovHzRueW+M7QhVKsk=
 github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29 h1:+kige/h8/LnzWgPjB5NUIHz/pWiW/lFpqcTUkN5uulY=
 github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29/go.mod h1:kgk9kJVMj9FIrrXU0iyM6u/9Je4bEjPImqswkTVaKsQ=
+github.com/rancher/permissions v0.0.0-20240523180510-4001d3d637f7 h1:0Kg2SGoMeU1ll4xPi4DE0+qNHLFO/U5MwtK0WrIdK+o=
+github.com/rancher/permissions v0.0.0-20240523180510-4001d3d637f7/go.mod h1:fsbs0YOsGn1ofPD5p+BuI4qDhbMbSJtTegKt6Ucna+c=
 github.com/rancher/remotedialer v0.3.0 h1:y1EO8JCsgZo0RcqTUp6U8FXcBAv27R+TLnWRcpvX1sM=
 github.com/rancher/remotedialer v0.3.0/go.mod h1:BwwztuvViX2JrLLUwDlsYt5DiyUwHLlzynRwkZLAY0Q=
 github.com/rancher/wharfie v0.5.3 h1:6hiO26H7YTgChbLAE6JppxFRjaH3tbKfMItv/LqV0Q0=
--- a/pkg/agent/config/config.go
+++ b/pkg/agent/config/config.go
@ -205,7 +205,7 @@ func ensureNodePassword(nodePasswordFile string) (string, error) {
 		return nodePassword, err
 	}

-	if err = configureACL(nodePassword); err != nil {
+	if err = configureACL(nodePasswordFile); err != nil {
 		return nodePassword, err
 	}

--- a/pkg/agent/config/config_windows.go
+++ b/pkg/agent/config/config_windows.go
@ -6,10 +6,12 @@ package config
 import (
 	"path/filepath"

-	"github.com/k3s-io/k3s/pkg/agent/util/acl"
 	"github.com/k3s-io/k3s/pkg/cli/cmds"
 	"github.com/k3s-io/k3s/pkg/daemons/config"
 	"github.com/pkg/errors"
+	"github.com/rancher/permissions/pkg/access"
+	"github.com/rancher/permissions/pkg/acl"
+	"github.com/rancher/permissions/pkg/sid"
 	"golang.org/x/sys/windows"
 )

@ -33,8 +35,8 @@ func configureACL(file string) error {
 	// as the owner and current user group as the allowed group
 	// additionally, we define a DACL to permit access to the file to the local system and all administrators
 	if err := acl.Apply(file, nil, nil, []windows.EXPLICIT_ACCESS{
-		acl.GrantSid(windows.GENERIC_ALL, acl.LocalSystemSID()),
-		acl.GrantSid(windows.GENERIC_ALL, acl.BuiltinAdministratorsSID()),
+		access.GrantSid(windows.GENERIC_ALL, sid.LocalSystem()),
+		access.GrantSid(windows.GENERIC_ALL, sid.BuiltinAdministrators()),
 	}...); err != nil {
 		return errors.Wrapf(err, "failed to configure Access Control List For %s", file)
 	}
--- a/pkg/agent/util/acl/acl_windows.go
+++ b/pkg/agent/util/acl/acl_windows.go
@ -1,166 +0,0 @@
-//go:build windows
-// +build windows
-
-package acl
-
-import (
-	"fmt"
-	"golang.org/x/sys/windows"
-	"unsafe"
-)
-
-// TODO: Remove in favor of the rancher/permissions repository once that is setup
-
-func BuiltinAdministratorsSID() *windows.SID {
-	return mustGetSid(windows.WinBuiltinAdministratorsSid)
-}
-
-func LocalSystemSID() *windows.SID {
-	return mustGetSid(windows.WinLocalSystemSid)
-}
-
-func mustGetSid(sidType windows.WELL_KNOWN_SID_TYPE) *windows.SID {
-	sid, err := windows.CreateWellKnownSid(sidType)
-	if err != nil {
-		panic(err)
-	}
-	return sid
-}
-
-// GrantSid creates an EXPLICIT_ACCESS instance granting permissions to the provided SID.
-func GrantSid(accessPermissions windows.ACCESS_MASK, sid *windows.SID) windows.EXPLICIT_ACCESS {
-	return windows.EXPLICIT_ACCESS{
-		AccessPermissions: accessPermissions,
-		AccessMode:        windows.GRANT_ACCESS,
-		Inheritance:       windows.SUB_CONTAINERS_AND_OBJECTS_INHERIT,
-		Trustee: windows.TRUSTEE{
-			TrusteeForm:  windows.TRUSTEE_IS_SID,
-			TrusteeValue: windows.TrusteeValueFromSID(sid),
-		},
-	}
-}
-
-// Apply performs both Chmod and Chown at the same time, where the filemode's owner and group will correspond to
-// the provided owner and group (or the current owner and group, if they are set to nil)
-func Apply(path string, owner *windows.SID, group *windows.SID, access ...windows.EXPLICIT_ACCESS) error {
-	if path == "" {
-		return fmt.Errorf("path cannot be empty")
-	}
-	return apply(path, owner, group, access...)
-}
-
-// apply performs a Chmod (if owner and group are provided) and sets a custom ACL based on the provided EXPLICIT_ACCESS rules
-// To create EXPLICIT_ACCESS rules, see the helper functions in pkg/access
-func apply(path string, owner *windows.SID, group *windows.SID, access ...windows.EXPLICIT_ACCESS) error {
-	// assemble arguments
-	args := securityArgs{
-		path:   path,
-		owner:  owner,
-		group:  group,
-		access: access,
-	}
-
-	securityInfo := args.ToSecurityInfo()
-	if securityInfo == 0 {
-		// nothing to change
-		return nil
-	}
-	dacl, err := args.ToDACL()
-	if err != nil {
-		return err
-	}
-	return windows.SetNamedSecurityInfo(
-		path,
-		windows.SE_FILE_OBJECT,
-		securityInfo,
-		owner,
-		group,
-		dacl,
-		nil,
-	)
-}
-
-type securityArgs struct {
-	path string
-
-	owner *windows.SID
-	group *windows.SID
-
-	access []windows.EXPLICIT_ACCESS
-}
-
-func (a *securityArgs) ToSecurityInfo() windows.SECURITY_INFORMATION {
-	var securityInfo windows.SECURITY_INFORMATION
-
-	if a.owner != nil {
-		// override owner
-		securityInfo |= windows.OWNER_SECURITY_INFORMATION
-	}
-
-	if a.group != nil {
-		// override group
-		securityInfo |= windows.GROUP_SECURITY_INFORMATION
-	}
-
-	if len(a.access) != 0 {
-		// override DACL
-		securityInfo |= windows.DACL_SECURITY_INFORMATION
-		securityInfo |= windows.PROTECTED_DACL_SECURITY_INFORMATION
-	}
-
-	return securityInfo
-}
-
-func (a *securityArgs) ToSecurityAttributes() (*windows.SecurityAttributes, error) {
-	// define empty security descriptor
-	sd, err := windows.NewSecurityDescriptor()
-	if err != nil {
-		return nil, err
-	}
-	err = sd.SetOwner(a.owner, false)
-	if err != nil {
-		return nil, err
-	}
-	err = sd.SetGroup(a.group, false)
-	if err != nil {
-		return nil, err
-	}
-
-	// define security attributes using descriptor
-	var sa windows.SecurityAttributes
-	sa.Length = uint32(unsafe.Sizeof(sa))
-	sa.SecurityDescriptor = sd
-
-	if len(a.access) == 0 {
-		// security attribute should simply inherit parent rules
-		sa.InheritHandle = 1
-		return &sa, nil
-	}
-
-	// apply provided access rules to the DACL
-	dacl, err := a.ToDACL()
-	if err != nil {
-		return nil, err
-	}
-	err = sd.SetDACL(dacl, true, false)
-	if err != nil {
-		return nil, err
-	}
-
-	// set the protected DACL flag to prevent the DACL of the security descriptor from being modified by inheritable ACEs
-	// (i.e. prevent parent folders from modifying this ACL)
-	err = sd.SetControl(windows.SE_DACL_PROTECTED, windows.SE_DACL_PROTECTED)
-	if err != nil {
-		return nil, err
-	}
-
-	return &sa, nil
-}
-
-func (a *securityArgs) ToDACL() (*windows.ACL, error) {
-	if len(a.access) == 0 {
-		// No rules were specified
-		return nil, nil
-	}
-	return windows.ACLFromEntries(a.access, nil)
-}