Windows Support (#1159)

pkg/csplugin/utils.go

@@ -0,0 +1,150 @@
+//go:build linux || freebsd || netbsd || openbsd || solaris || !windows
+
+package csplugin
+
+import (
+	"fmt"
+	"io/fs"
+	"math"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/pkg/errors"
+)
+
+func CheckCredential(uid int, gid int) *syscall.SysProcAttr {
+	return &syscall.SysProcAttr{
+		Credential: &syscall.Credential{
+			Uid: uint32(uid),
+			Gid: uint32(gid),
+		},
+	}
+}
+
+func (pb *PluginBroker) CreateCmd(binaryPath string) (*exec.Cmd, error) {
+	var err error
+	cmd := exec.Command(binaryPath)
+	if pb.pluginProcConfig.User != "" || pb.pluginProcConfig.Group != "" {
+		if !(pb.pluginProcConfig.User != "" && pb.pluginProcConfig.Group != "") {
+			return nil, errors.New("while getting process attributes: both plugin user and group must be set")
+		}
+		cmd.SysProcAttr, err = getProcessAttr(pb.pluginProcConfig.User, pb.pluginProcConfig.Group)
+		if err != nil {
+			return nil, errors.Wrap(err, "while getting process attributes")
+		}
+		cmd.SysProcAttr.Credential.NoSetGroups = true
+	}
+	return cmd, err
+}
+
+func getUID(username string) (uint32, error) {
+	u, err := user.Lookup(username)
+	if err != nil {
+		return 0, err
+	}
+	uid, err := strconv.ParseInt(u.Uid, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	if uid < 0 || uid > math.MaxInt32 {
+		return 0, fmt.Errorf("out of bound uid")
+	}
+	return uint32(uid), nil
+}
+
+func getGID(groupname string) (uint32, error) {
+	g, err := user.LookupGroup(groupname)
+	if err != nil {
+		return 0, err
+	}
+	gid, err := strconv.ParseInt(g.Gid, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	if gid < 0 || gid > math.MaxInt32 {
+		return 0, fmt.Errorf("out of bound gid")
+	}
+	return uint32(gid), nil
+}
+
+func getPluginTypeAndSubtypeFromPath(path string) (string, string, error) {
+	pluginFileName := filepath.Base(path)
+	parts := strings.Split(pluginFileName, "-")
+	if len(parts) < 2 {
+		return "", "", fmt.Errorf("plugin name %s is invalid. Name should be like {type-name}", path)
+	}
+	return strings.Join(parts[:len(parts)-1], "-"), parts[len(parts)-1], nil
+}
+
+func getProcessAttr(username string, groupname string) (*syscall.SysProcAttr, error) {
+	u, err := user.Lookup(username)
+	if err != nil {
+		return nil, err
+	}
+	g, err := user.LookupGroup(groupname)
+	if err != nil {
+		return nil, err
+	}
+	uid, err := strconv.ParseInt(u.Uid, 10, 32)
+	if err != nil {
+		return nil, err
+	}
+	if uid < 0 && uid > math.MaxInt32 {
+		return nil, fmt.Errorf("out of bound uid")
+	}
+	gid, err := strconv.ParseInt(g.Gid, 10, 32)
+	if err != nil {
+		return nil, err
+	}
+	if gid < 0 && gid > math.MaxInt32 {
+		return nil, fmt.Errorf("out of bound gid")
+	}
+	return &syscall.SysProcAttr{
+		Credential: &syscall.Credential{
+			Uid: uint32(uid),
+			Gid: uint32(gid),
+		},
+	}, nil
+}
+
+func pluginIsValid(path string) error {
+	var details fs.FileInfo
+	var err error
+
+	// check if it exists
+	if details, err = os.Stat(path); err != nil {
+		return errors.Wrap(err, fmt.Sprintf("plugin at %s does not exist", path))
+	}
+
+	// check if it is owned by current user
+	currentUser, err := user.Current()
+	if err != nil {
+		return errors.Wrap(err, "while getting current user")
+	}
+	currentUID, err := getUID(currentUser.Username)
+	if err != nil {
+		return errors.Wrap(err, "while looking up the current uid")
+	}
+	stat := details.Sys().(*syscall.Stat_t)
+	if stat.Uid != currentUID {
+		return fmt.Errorf("plugin at %s is not owned by user '%s'", path, currentUser.Username)
+	}
+
+	mode := details.Mode()
+	perm := uint32(mode)
+	if (perm & 00002) != 0 {
+		return fmt.Errorf("plugin at %s is world writable, world writable plugins are invalid", path)
+	}
+	if (perm & 00020) != 0 {
+		return fmt.Errorf("plugin at %s is group writable, group writable plugins are invalid", path)
+	}
+	if (mode & os.ModeSetgid) != 0 {
+		return fmt.Errorf("plugin at %s has setgid permission, which is not allowed", path)
+	}
+	return nil
+}