fortify/system/acl.go

package system

import (
	"fmt"
	"slices"

	"git.gensokyo.uk/security/fortify/acl"
)

// UpdatePerm appends an ephemeral acl update Op.
func (sys *I) UpdatePerm(path string, perms ...acl.Perm) *I {
	sys.UpdatePermType(Process, path, perms...)

	return sys
}

// UpdatePermType appends an acl update Op.
func (sys *I) UpdatePermType(et Enablement, path string, perms ...acl.Perm) *I {
	sys.lock.Lock()
	defer sys.lock.Unlock()

	sys.ops = append(sys.ops, &ACL{et, path, perms})

	return sys
}

type ACL struct {
	et    Enablement
	path  string
	perms acl.Perms
}

func (a *ACL) Type() Enablement { return a.et }

func (a *ACL) apply(sys *I) error {
	sys.println("applying ACL", a)
	return sys.wrapErrSuffix(acl.Update(a.path, sys.uid, a.perms...),
		fmt.Sprintf("cannot apply ACL entry to %q:", a.path))
}

func (a *ACL) revert(sys *I, ec *Criteria) error {
	if ec.hasType(a) {
		sys.println("stripping ACL", a)
		return sys.wrapErrSuffix(acl.Update(a.path, sys.uid),
			fmt.Sprintf("cannot strip ACL entry from %q:", a.path))
	} else {
		sys.println("skipping ACL", a)
		return nil
	}
}

func (a *ACL) Is(o Op) bool {
	a0, ok := o.(*ACL)
	return ok && a0 != nil &&
		a.et == a0.et &&
		a.path == a0.path &&
		slices.Equal(a.perms, a0.perms)
}

func (a *ACL) Path() string { return a.path }

func (a *ACL) String() string {
	return fmt.Sprintf("%s type: %s path: %q",
		a.perms, TypeString(a.et), a.path)
}
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`package system`

			`import (`
			`"fmt"`
			`"slices"`

migrate to git.gensokyo.uk/security/fortify Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-12-20 00:20:02 +09:00			`"git.gensokyo.uk/security/fortify/acl"`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`)`

			`// UpdatePerm appends an ephemeral acl update Op.`
system: return sys in queueing methods This enables building an instance in a single statement. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-23 12:34:16 +09:00			`func (sys I) UpdatePerm(path string, perms ...acl.Perm) I {`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`sys.UpdatePermType(Process, path, perms...)`
system: return sys in queueing methods This enables building an instance in a single statement. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-23 12:34:16 +09:00
			`return sys`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`}`

			`// UpdatePermType appends an acl update Op.`
system: return sys in queueing methods This enables building an instance in a single statement. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-23 12:34:16 +09:00			`func (sys I) UpdatePermType(et Enablement, path string, perms ...acl.Perm) I {`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`sys.lock.Lock()`
			`defer sys.lock.Unlock()`

			`sys.ops = append(sys.ops, &ACL{et, path, perms})`
system: return sys in queueing methods This enables building an instance in a single statement. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-23 12:34:16 +09:00
			`return sys`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`}`

			`type ACL struct {`
system: move enablements from state package This removes the unnecessary import of the state package. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 14:38:57 +09:00			`et Enablement`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`path string`
system: include more info in ACL Stringer Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-25 16:23:22 +09:00			`perms acl.Perms`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`}`

system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 17:54:28 +09:00			`func (a *ACL) Type() Enablement { return a.et }`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00
			`func (a ACL) apply(sys I) error {`
system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 17:54:28 +09:00			`sys.println("applying ACL", a)`
acl: rename UpdatePerms to Update Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 20:33:18 +09:00			`return sys.wrapErrSuffix(acl.Update(a.path, sys.uid, a.perms...),`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`fmt.Sprintf("cannot apply ACL entry to %q:", a.path))`
			`}`

			`func (a ACL) revert(sys I, ec *Criteria) error {`
			`if ec.hasType(a) {`
system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 17:54:28 +09:00			`sys.println("stripping ACL", a)`
acl: rename UpdatePerms to Update Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 20:33:18 +09:00			`return sys.wrapErrSuffix(acl.Update(a.path, sys.uid),`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`fmt.Sprintf("cannot strip ACL entry from %q:", a.path))`
			`} else {`
system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 17:54:28 +09:00			`sys.println("skipping ACL", a)`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`return nil`
			`}`
			`}`

			`func (a *ACL) Is(o Op) bool {`
			`a0, ok := o.(*ACL)`
			`return ok && a0 != nil &&`
			`a.et == a0.et &&`
			`a.path == a0.path &&`
			`slices.Equal(a.perms, a0.perms)`
			`}`

system: wrap console output functions This eliminates all fmsg imports from internal/system. Signed-off-by: Ophestra <cat@gensokyo.uk> 2025-02-17 17:54:28 +09:00			`func (a *ACL) Path() string { return a.path }`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00
			`func (a *ACL) String() string {`
system: include more info in ACL Stringer Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-25 16:23:22 +09:00			`return fmt.Sprintf("%s type: %s path: %q",`
			`a.perms, TypeString(a.et), a.path)`
system: isolate app/system into generic implementation This improves maintainability and extensibility of system operations, makes writing tests for them possible, and operations now apply and revert in order, instead of being bunched up into their own categories. Signed-off-by: Ophestra Umiker <cat@ophivana.moe> 2024-10-16 01:31:23 +09:00			`}`