Check configuration file permissions in CI

Typically, non-executable files should have 660 or 600 and executable files and directories should have 770. All should be owned by the 'config_owner_user' and 'config_owner_group' variables. This change adds a script to check the owner and permissions of config files under /etc/kolla, and runs it at the end of CI jobs. Change-Id: Icdbabf36e284b9030017a0dc07b9dc81a37758ab Related-Bug: #1821579
2019-03-25 11:39:41 +00:00 · 2019-03-25 11:39:41 +00:00 · 8c4ab41ffa
commit 8c4ab41ffa
parent a4bb8567da
2 changed files with 58 additions and 0 deletions
--- a/tests/check-config.sh
+++ b/tests/check-config.sh
@ -0,0 +1,52 @@
+#!/bin/bash
+
+# Check the generated configuration files.
+
+set -o errexit
+
+# Enable unbuffered output for Ansible in Jenkins.
+export PYTHONUNBUFFERED=1
+
+function check_config {
+    # Check every file in /etc/kolla/*.
+    failed=0
+    expected_user=${CONFIG_OWNER_USER:-root}
+    expected_group=${CONFIG_OWNER_GROUP:-root}
+    # Ignore files generated by Zuul.
+    for f in $(sudo find /etc/kolla \
+                -not -regex /etc/kolla/config.* \
+                -not -path /etc/kolla \
+                -not -name admin-openrc.sh \
+                -not -name globals.yml \
+                -not -name header \
+                -not -name inventory \
+                -not -name kolla-build.conf \
+                -not -name passwords.yml \
+                -not -name passwords.yml.old \
+                -not -name sources.list)
+    do
+        mode=$(sudo stat -c %a $f)
+        owner=$(sudo stat -c %U:%G $f)
+        if [[ -d $f ]]; then
+            # Directories should be 770.
+            if [[ $mode != "770" ]]; then
+                failed=1
+                echo "ERROR: Unexpected permissions on directory $f. Got $mode, expected 770"
+            fi
+        else
+            # Files should be 600, 660 or 770.
+            if [[ ! $mode =~ ^(600|660|770)$ ]] ; then
+                failed=1
+                echo "ERROR: Unexpected permissions on file $f. Got $mode, expected 770 or 660"
+            fi
+        fi
+        # Owner user & group should be the config owner, default root.
+        if [[ $owner != "$expected_user:$expected_group" ]]; then
+            failed=1
+            echo "ERROR: Unexpected ownership on $f. Got $owner, expected $expected_user:$expected_group"
+        fi
+    done
+    return $failed
+}
+
+check_config
--- a/tests/run.yml
+++ b/tests/run.yml
@ -295,3 +295,9 @@
        cmd: tests/check-failure.sh
        executable: /bin/bash
        chdir: "{{ kolla_ansible_src_dir }}"
+
+    - name: Run check-config.sh script
+      shell:
+        cmd: tests/check-config.sh
+        executable: /bin/bash
+        chdir: "{{ kolla_ansible_src_dir }}"