From f2225165261d54e6b3281917b4cb3d0a85e2c7a2 Mon Sep 17 00:00:00 2001
From: "tlimoncelli@stackexchange.com"
Date: Tue, 2 Sep 2014 22:10:37 +0000
Subject: [PATCH] * blackbox_postdeploy should accept an optional parameter for chgrp.
* blackbox_postdeploy should 'cd' to $BASEDIR or the base VCS directory.
* Add unit tests to confidence_test.sh to cover chgrp functionality.

---
 bin/blackbox_postdeploy | 27 ++++++++++++++++++++++++---
 tools/confidence_test.sh | 33 ++++++++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 6 deletions(-)

diff --git a/bin/blackbox_postdeploy b/bin/blackbox_postdeploy
index fd252b5..d608327 100755
--- a/bin/blackbox_postdeploy
+++ b/bin/blackbox_postdeploy
@@ -4,15 +4,33 @@
 # blackbox_postdeploy.sh -- Decrypt all blackbox files.
 #
+# Usage:
+# blackbox_postdeploy.sh [GROUP]
+# GROUP is optional. If supplied, the resulting files
+# are chgrp'ed to that group.
+
 # Since this is often run in a security-critical situation, we
 # force /usr/bin and /bin to the front of the PATH.
 export PATH=/usr/bin:/bin:"$PATH"
 . _blackbox_common.sh
-# If we aren't in a repo, assume /etc/puppet.
-if [[ "$REPOBASE" = "/dev/null" ]]; then
-REPOBASE=/etc/puppet
+if [[ "$1" == "" ]]; then
+ FILE_GROUP=""
+else
+ FILE_GROUP="$1"
+fi
+
+# If BASEDIR is not set, use REPOBASE.
+if [[ "$BASEDIR" = "" ]]; then
+ BASEDIR="$REPOBASE"
+fi
+
+if [[ "$BASEDIR" = "/dev/null" ]]; then
+ echo 'WARNING: Not in a VCS repo. Not changing directory.'
+else
+ echo "CDing to $BASEDIR"
+ cd "$BASEDIR"
 fi
 prepare_keychain
@@ -23,5 +41,8 @@ while read unencrypted_file; do
 encrypted_file=$(get_encrypted_filename "$unencrypted_file")
 decrypt_file_overwrite "$encrypted_file" "$unencrypted_file"
 chmod g+r,o-rwx "$unencrypted_file"
+ if [[ ! -z "$FILE_GROUP" ]]; then
+ chgrp $FILE_GROUP "$unencrypted_file"
+ fi
 done <"$BB_FILES"
 echo '========== Decrypting new/changed files: DONE'
diff --git a/tools/confidence_test.sh b/tools/confidence_test.sh
index 893fd0e..c5778d6 100755
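Review bot: `cd "$BASEDIR"` in the else branch is unchecked, so if the directory is missing or unreadable the script prints "CDing to …" and then decrypts every entry of BB_FILES relative to whatever the current directory happens to be. For a script whose own header calls the situation security-critical, make the cd fatal: `cd "$BASEDIR" || { echo "ERROR: cannot cd to $BASEDIR" >&2; exit 1; }`. The WARNING on the /dev/null branch goes to stdout; adding `>&2` keeps it visible when output is captured. The dropped /etc/puppet fallback is not reflected in the new usage comment; a line such as `#   Files are decrypted relative to $BASEDIR (or the repo base).` would tell callers where the output lands.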
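Review bot: In the loop body, `chgrp $FILE_GROUP "$unencrypted_file"` runs after `chmod g+r` and its exit status is ignored, so a mistyped group name leaves the decrypted secret group-readable under the file's original group while the script still reports DONE. Quote the variable, check the result, and apply the group before widening permissions: change the chgrp line to `chgrp "$FILE_GROUP" "$unencrypted_file" || exit 1` and move `chmod g+r,o-rwx "$unencrypted_file"` below the `fi`. That ordering also removes the window between the chmod and the chgrp in which the file is readable by the wrong group. The enclosing while loop starts outside the hunk, so confirm nothing there depends on the chmod running first.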
--- a/tools/confidence_test.sh
+++ b/tools/confidence_test.sh
@@ -30,10 +30,21 @@ function assert_file_exists() {
 function assert_file_md5hash() {
 local file="$1"
 local wanted="$2"
- local found=$(md5sum <"$file" | cut -d' ' -f1 )
 assert_file_exists "$file"
+ local found=$(md5sum <"$file" | cut -d' ' -f1 )
 if [[ "$wanted" != "$found" ]]; then
- echo "ASSERT FAILED: $file hash wanted=$desired found=$found"
+ echo "ASSERT FAILED: $file hash wanted=$wanted found=$found"
+ exit 1
+ fi
+}
+function assert_file_group() {
+ local file="$1"
+ local wanted="$2"
+ assert_file_exists "$file"
+ local found=$(ls -l "$file" | awk '{ print $4 }')
+ # NB(tlim): We could do this with 'stat' but it would break on BSD-style OSs.
+ if [[ "$wanted" != "$found" ]]; then
+ echo "ASSERT FAILED: $file chgrp wanted=$wanted found=$found"
 exit 1
 fi
 }
@@ -168,11 +179,27 @@
 PHASE 'Bob makes sure he has all new keys.'
 gpg --import keyrings/live/pubring.gpg
-PHASE 'Bob postdeploys.'
+# Pick a GID to use:
+TEST_GID_NUM=$(id -G | fmt -1 | tail -n +2 | grep -xv $(id -u) | head -n 1)
+TEST_GID_NAME=$(getent group "$TEST_GID_NUM" | cut -d: -f1)
+DEFAULT_GID_NAME=$(getent group $(id -u) | cut -d: -f1)
+echo TEST_GID_NUM=$TEST_GID_NUM
+echo TEST_GID_NAME=$TEST_GID_NAME
+echo DEFAULT_GID_NAME=$DEFAULT_GID_NAME
+
+PHASE 'Bob postdeploys... default.'
 blackbox_postdeploy
 assert_file_exists secret.txt
 assert_file_exists secret.txt.gpg
 assert_file_md5hash secret.txt "08a3fa763a05c018a38e9924363b97e7"
+assert_file_group secret.txt "$DEFAULT_GID_NAME"
+
+PHASE 'Bob postdeploys... with a GID.'
+blackbox_postdeploy $TEST_GID_NUM
+assert_file_exists secret.txt
+assert_file_exists secret.txt.gpg
+assert_file_md5hash secret.txt "08a3fa763a05c018a38e9924363b97e7"
+assert_file_group secret.txt "$TEST_GID_NAME"
 PHASE 'Bob cleans up the secret.'
 rm secret.txt
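Review bot: `assert_file_group` reads the group from column 4 of `ls -l`, which is fragile: `local found=$(…)` hides a failing pipeline (an empty string then shows up as the "found" group), and `ls` can print a numeric GID in that column when the name is not resolvable, so a name comparison fails for the wrong reason. Since the later hunk already depends on `getent`, which is Linux-only, the BSD argument in the NB comment does not buy much here; a portable one-liner is `found=$(stat -c %G "$file" 2>/dev/null || stat -f %Sg "$file")`, with `local found` declared on its own line so the assignment's status is not masked. A one-line header would also help: `# assert_file_group FILE GROUPNAME: fail unless FILE's group (by name) is GROUPNAME.`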
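Review bot: `DEFAULT_GID_NAME=$(getent group $(id -u) | cut -d: -f1)` looks up a group by the user's UID, and `grep -xv $(id -u)` drops the UID from the GID list; both assume the primary GID equals the UID, which does not hold on many systems (a shared `users` group, for instance), so the default-group assertion fails or the "with a GID" phase proves nothing. Use the group id directly: `DEFAULT_GID_NAME=$(id -gn)` and `TEST_GID_NUM=$(id -G | tr ' ' '\n' | grep -xv "$(id -g)" | head -n 1)` (the `tail -n +2` appears to serve the same purpose of skipping the first entry, so one of the two suffices). If the user belongs to a single group TEST_GID_NUM is empty and `blackbox_postdeploy $TEST_GID_NUM` silently degenerates into the default case; guard with `[[ -n "$TEST_GID_NUM" ]] || { echo "need a second group to test chgrp" >&2; exit 1; }`. Note that `getent` is absent on macOS/BSD, which limits where this phase can run.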