Enable unprivileged retrieve of file listing and content.
This commit is contained in:
Maximilian Paß
@ -330,6 +330,12 @@ paths:
|
||||
format: pct-encoded # rfc 3986
|
||||
default: "./"
|
||||
required: false
|
||||
- name: privilegedExecution
|
||||
in: query
|
||||
description: Specifies if the command should be executed as an privileged user.
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
responses:
|
||||
"200":
|
||||
description: Success. Returns the listing of the runner's filesystem.
|
||||
@ -423,6 +429,12 @@ paths:
|
||||
format: pct-encoded # rfc 3986
|
||||
example: "./flag.txt"
|
||||
required: true
|
||||
- name: privilegedExecution
|
||||
in: query
|
||||
description: Specifies if the command should be executed as an privileged user.
|
||||
schema:
|
||||
type: boolean
|
||||
default: false
|
||||
responses:
|
||||
"200":
|
||||
description: Success. Returns the file.
|
||||
|
||||
@ -28,6 +28,7 @@ const (
|
||||
ExecutionIDKey = "executionID"
|
||||
PathKey = "path"
|
||||
RecursiveKey = "recursive"
|
||||
PrivilegedExecutionKey = "privilegedExecution"
|
||||
)
|
||||
|
||||
type RunnerController struct {
|
||||
@ -93,9 +94,13 @@ func (r *RunnerController) listFileSystem(writer http.ResponseWriter, request *h
|
||||
if path == "" {
|
||||
path = "./"
|
||||
}
|
||||
privilegedExecution, err := strconv.ParseBool(request.URL.Query().Get(PrivilegedExecutionKey))
|
||||
if err != nil {
|
||||
privilegedExecution = false
|
||||
}
|
||||
|
||||
writer.Header().Set("Content-Type", "application/json")
|
||||
err = targetRunner.ListFileSystem(path, recursive, writer, request.Context())
|
||||
err = targetRunner.ListFileSystem(path, recursive, writer, privilegedExecution, request.Context())
|
||||
if errors.Is(err, runner.ErrFileNotFound) {
|
||||
writeClientError(writer, err, http.StatusFailedDependency)
|
||||
return
|
||||
@ -129,9 +134,13 @@ func (r *RunnerController) updateFileSystem(writer http.ResponseWriter, request
|
||||
func (r *RunnerController) fileContent(writer http.ResponseWriter, request *http.Request) {
|
||||
targetRunner, _ := runner.FromContext(request.Context())
|
||||
path := request.URL.Query().Get(PathKey)
|
||||
privilegedExecution, err := strconv.ParseBool(request.URL.Query().Get(PrivilegedExecutionKey))
|
||||
if err != nil {
|
||||
privilegedExecution = false
|
||||
}
|
||||
|
||||
writer.Header().Set("Content-Type", "application/octet-stream")
|
||||
err := targetRunner.GetFileContent(path, writer, request.Context())
|
||||
err = targetRunner.GetFileContent(path, writer, privilegedExecution, request.Context())
|
||||
if errors.Is(err, runner.ErrFileNotFound) {
|
||||
writeClientError(writer, err, http.StatusFailedDependency)
|
||||
return
|
||||
|
||||
@ -315,8 +315,8 @@ func (s *UpdateFileSystemRouteTestSuite) TestUpdateFileSystemReturnsInternalServ
|
||||
func (s *UpdateFileSystemRouteTestSuite) TestListFileSystem() {
|
||||
routeURL, err := s.router.Get(UpdateFileSystemPath).URL(RunnerIDKey, tests.DefaultMockID)
|
||||
s.Require().NoError(err)
|
||||
mockCall := s.runnerMock.On("ListFileSystem",
|
||||
mock.AnythingOfType("string"), mock.AnythingOfType("bool"), mock.Anything, mock.Anything)
|
||||
mockCall := s.runnerMock.On("ListFileSystem", mock.AnythingOfType("string"),
|
||||
mock.AnythingOfType("bool"), mock.Anything, mock.AnythingOfType("bool"), mock.Anything)
|
||||
|
||||
s.Run("default parameters", func() {
|
||||
mockCall.Run(func(args mock.Arguments) {
|
||||
@ -375,8 +375,8 @@ func (s *UpdateFileSystemRouteTestSuite) TestListFileSystem() {
|
||||
func (s *UpdateFileSystemRouteTestSuite) TestFileContent() {
|
||||
routeURL, err := s.router.Get(FileContentRawPath).URL(RunnerIDKey, tests.DefaultMockID)
|
||||
s.Require().NoError(err)
|
||||
mockCall := s.runnerMock.
|
||||
On("GetFileContent", mock.AnythingOfType("string"), mock.Anything, mock.Anything)
|
||||
mockCall := s.runnerMock.On("GetFileContent",
|
||||
mock.AnythingOfType("string"), mock.Anything, mock.AnythingOfType("bool"), mock.Anything)
|
||||
|
||||
s.Run("Not Found", func() {
|
||||
mockCall.Return(runner.ErrFileNotFound)
|
||||
|
||||
@ -104,7 +104,7 @@ func (w *AWSFunctionWorkload) ExecuteInteractively(id string, _ io.ReadWriter, s
|
||||
// ListFileSystem is currently not supported with this aws serverless function.
|
||||
// This is because the function execution ends with the termination of the workload code.
|
||||
// So an on-demand file system listing after the termination is not possible. Also, we do not want to copy all files.
|
||||
func (w *AWSFunctionWorkload) ListFileSystem(_ string, _ bool, _ io.Writer, _ context.Context) error {
|
||||
func (w *AWSFunctionWorkload) ListFileSystem(_ string, _ bool, _ io.Writer, _ bool, _ context.Context) error {
|
||||
return dto.ErrNotSupported
|
||||
}
|
||||
|
||||
@ -125,7 +125,7 @@ func (w *AWSFunctionWorkload) UpdateFileSystem(request *dto.UpdateFileSystemRequ
|
||||
// GetFileContent is currently not supported with this aws serverless function.
|
||||
// This is because the function execution ends with the termination of the workload code.
|
||||
// So an on-demand file streaming after the termination is not possible. Also, we do not want to copy all files.
|
||||
func (w *AWSFunctionWorkload) GetFileContent(_ string, _ io.Writer, _ context.Context) error {
|
||||
func (w *AWSFunctionWorkload) GetFileContent(_ string, _ io.Writer, _ bool, _ context.Context) error {
|
||||
return dto.ErrNotSupported
|
||||
}
|
||||
|
||||
|
||||
@ -118,7 +118,8 @@ func (r *NomadJob) ExecuteInteractively(
|
||||
return exit, cancel, nil
|
||||
}
|
||||
|
||||
func (r *NomadJob) ListFileSystem(path string, recursive bool, content io.Writer, ctx context.Context) error {
|
||||
func (r *NomadJob) ListFileSystem(
|
||||
path string, recursive bool, content io.Writer, privilegedExecution bool, ctx context.Context) error {
|
||||
r.ResetTimeout()
|
||||
command := "ls -l --time-style=+%s -1 --literal"
|
||||
if recursive {
|
||||
@ -128,7 +129,8 @@ func (r *NomadJob) ListFileSystem(path string, recursive bool, content io.Writer
|
||||
ls2json := &nullio.Ls2JsonWriter{Target: content}
|
||||
defer ls2json.Close()
|
||||
retrieveCommand := (&dto.ExecutionRequest{Command: fmt.Sprintf("%s %q", command, path)}).FullCommand()
|
||||
exitCode, err := r.api.ExecuteCommand(r.id, ctx, retrieveCommand, false, &nullio.Reader{}, ls2json, io.Discard)
|
||||
exitCode, err := r.api.ExecuteCommand(r.id, ctx, retrieveCommand, false, privilegedExecution,
|
||||
&nullio.Reader{}, ls2json, io.Discard)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%w: nomad error during retrieve file headers: %v",
|
||||
nomad.ErrorExecutorCommunicationFailed, err)
|
||||
@ -172,12 +174,13 @@ func (r *NomadJob) UpdateFileSystem(copyRequest *dto.UpdateFileSystemRequest) er
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *NomadJob) GetFileContent(path string, content io.Writer, ctx context.Context) error {
|
||||
func (r *NomadJob) GetFileContent(path string, content io.Writer, privilegedExecution bool, ctx context.Context) error {
|
||||
r.ResetTimeout()
|
||||
|
||||
retrieveCommand := (&dto.ExecutionRequest{Command: fmt.Sprintf("cat %q", path)}).FullCommand()
|
||||
// Improve: Instead of using io.Discard use a **fixed-sized** buffer. With that we could improve the error message.
|
||||
exitCode, err := r.api.ExecuteCommand(r.id, ctx, retrieveCommand, false, &nullio.Reader{}, content, io.Discard)
|
||||
exitCode, err := r.api.ExecuteCommand(r.id, ctx, retrieveCommand, false, privilegedExecution,
|
||||
&nullio.Reader{}, content, io.Discard)
|
||||
|
||||
if err != nil {
|
||||
return fmt.Errorf("%w: nomad error during retrieve file content copy: %v",
|
||||
|
||||
@ -403,6 +403,6 @@ func NewRunner(id string, manager Accessor) Runner {
|
||||
func (s *UpdateFileSystemTestSuite) TestGetFileContentReturnsErrorIfExitCodeIsNotZero() {
|
||||
s.mockedExecuteCommandCall.RunFn = nil
|
||||
s.mockedExecuteCommandCall.Return(1, nil)
|
||||
err := s.runner.GetFileContent("", &bytes.Buffer{}, context.Background())
|
||||
err := s.runner.GetFileContent("", &bytes.Buffer{}, false, context.Background())
|
||||
s.ErrorIs(err, ErrFileNotFound)
|
||||
}
|
||||
|
||||
@ -46,7 +46,7 @@ type Runner interface {
|
||||
|
||||
// ListFileSystem streams the listing of the file system of the requested directory into the Writer provided.
|
||||
// The result is streamed via the io.Writer in order to not overload the memory with user input.
|
||||
ListFileSystem(path string, recursive bool, result io.Writer, ctx context.Context) error
|
||||
ListFileSystem(path string, recursive bool, result io.Writer, privilegedExecution bool, ctx context.Context) error
|
||||
|
||||
// UpdateFileSystem processes a dto.UpdateFileSystemRequest by first deleting each given dto.FilePath recursively
|
||||
// and then copying each given dto.File to the runner.
|
||||
@ -54,7 +54,7 @@ type Runner interface {
|
||||
|
||||
// GetFileContent streams the file content at the requested path into the Writer provided at content.
|
||||
// The result is streamed via the io.Writer in order to not overload the memory with user input.
|
||||
GetFileContent(path string, content io.Writer, ctx context.Context) error
|
||||
GetFileContent(path string, content io.Writer, privilegedExecution bool, ctx context.Context) error
|
||||
|
||||
// Destroy destroys the Runner in Nomad.
|
||||
Destroy() error
|
||||
|
||||
@ -92,13 +92,13 @@ func (_m *RunnerMock) ExecutionExists(id string) bool {
|
||||
return r0
|
||||
}
|
||||
|
||||
// GetFileContent provides a mock function with given fields: path, content, ctx
|
||||
func (_m *RunnerMock) GetFileContent(path string, content io.Writer, ctx context.Context) error {
|
||||
ret := _m.Called(path, content, ctx)
|
||||
// GetFileContent provides a mock function with given fields: path, content, privilegedExecution, ctx
|
||||
func (_m *RunnerMock) GetFileContent(path string, content io.Writer, privilegedExecution bool, ctx context.Context) error {
|
||||
ret := _m.Called(path, content, privilegedExecution, ctx)
|
||||
|
||||
var r0 error
|
||||
if rf, ok := ret.Get(0).(func(string, io.Writer, context.Context) error); ok {
|
||||
r0 = rf(path, content, ctx)
|
||||
if rf, ok := ret.Get(0).(func(string, io.Writer, bool, context.Context) error); ok {
|
||||
r0 = rf(path, content, privilegedExecution, ctx)
|
||||
} else {
|
||||
r0 = ret.Error(0)
|
||||
}
|
||||
@ -120,13 +120,13 @@ func (_m *RunnerMock) ID() string {
|
||||
return r0
|
||||
}
|
||||
|
||||
// ListFileSystem provides a mock function with given fields: path, recursive, result, ctx
|
||||
func (_m *RunnerMock) ListFileSystem(path string, recursive bool, result io.Writer, ctx context.Context) error {
|
||||
ret := _m.Called(path, recursive, result, ctx)
|
||||
// ListFileSystem provides a mock function with given fields: path, recursive, result, privilegedExecution, ctx
|
||||
func (_m *RunnerMock) ListFileSystem(path string, recursive bool, result io.Writer, privilegedExecution bool, ctx context.Context) error {
|
||||
ret := _m.Called(path, recursive, result, privilegedExecution, ctx)
|
||||
|
||||
var r0 error
|
||||
if rf, ok := ret.Get(0).(func(string, bool, io.Writer, context.Context) error); ok {
|
||||
r0 = rf(path, recursive, result, ctx)
|
||||
if rf, ok := ret.Get(0).(func(string, bool, io.Writer, bool, context.Context) error); ok {
|
||||
r0 = rf(path, recursive, result, privilegedExecution, ctx)
|
||||
} else {
|
||||
r0 = ret.Error(0)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user