docker-letsencrypt-nginx-pr.../test/tests/permissions_custom/run.sh

#!/bin/bash

## Test for sensitive files and folders permissions

files_uid=1000
files_gid=1001
files_perms=644
folders_perms=750

if [[ -z $GITHUB_ACTIONS ]]; then
  le_container_name="$(basename "${0%/*}")_$(date "+%Y-%m-%d_%H.%M.%S")"
else
  le_container_name="$(basename "${0%/*}")"
fi
run_le_container "${1:?}" "$le_container_name" \
  "--env FILES_UID=$files_uid --env FILES_GID=$files_gid --env FILES_PERMS=$files_perms --env FOLDERS_PERMS=$folders_perms"

# Create the $domains array from comma separated domains in TEST_DOMAINS.
IFS=',' read -r -a domains <<< "$TEST_DOMAINS"

# Cleanup function with EXIT trap
function cleanup {
  # Remove the ${domains[0]} Nginx container silently.
  docker rm --force "${domains[0]}" &> /dev/null
  # Cleanup the files created by this run of the test to avoid foiling following test(s).
  docker exec "$le_container_name" /app/cleanup_test_artifacts
  # Stop the LE container
  docker stop "$le_container_name" > /dev/null
}
trap cleanup EXIT

# Run an nginx container for ${domains[0]}.
run_nginx_container --hosts "${domains[0]}"

# Wait for the cert symlink.
wait_for_symlink "${domains[0]}" "$le_container_name"

# Array of folder paths to test
folders=( \
  [0]="/etc/nginx/certs/${domains[0]}" \
  )

# Test folder paths
for folder in  "${folders[@]}"; do
  ownership_and_permissions="$(docker exec "$le_container_name" stat -c %u:%g:%a "$folder")"
  if [[ "$ownership_and_permissions" != ${files_uid}:${files_gid}:${folders_perms} ]]; then
    echo "Expected ${files_uid}:${files_gid}:${folders_perms} on ${folder}, found ${ownership_and_permissions}."
  fi
done

# Array of symlinks paths to test
symlinks=( \
  [0]="/etc/nginx/certs/${domains[0]}.crt" \
  [1]="/etc/nginx/certs/${domains[0]}.key" \
  [2]="/etc/nginx/certs/${domains[0]}.chain.pem" \
  [3]="/etc/nginx/certs/${domains[0]}.dhparam.pem" \
  )

# Test symlinks paths
for symlink in  "${symlinks[@]}"; do
  ownership="$(docker exec "$le_container_name" stat -c %u:%g "$symlink")"
  if [[ "$ownership" != ${files_uid}:${files_gid} ]]; then
    echo "Expected ${files_uid}:${files_gid} on ${symlink}, found ${ownership}."
  fi
done

# Array of private file paths to test
private_files=( \
  [0]="/etc/nginx/certs/default.key" \
  [1]="/etc/nginx/certs/${domains[0]}/key.pem" \
  [2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \
  )

# Test private file paths
for file in  "${private_files[@]}"; do
  ownership_and_permissions="$(docker exec "$le_container_name" stat -c %u:%g:%a "$file")"
  if [[ "$ownership_and_permissions" != ${files_uid}:${files_gid}:${files_perms} ]]; then
    echo "Expected ${files_uid}:${files_gid}:${files_perms} on ${file}, found ${ownership_and_permissions}."
  fi
done

# Array of public files paths to test
public_files=( \
  [0]="/etc/nginx/certs/${domains[0]}/.companion" \
  [1]="/etc/nginx/certs/${domains[0]}/cert.pem" \
  [2]="/etc/nginx/certs/${domains[0]}/chain.pem" \
  [3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \
  [4]="/etc/nginx/certs/default.crt" \
  [5]="/etc/nginx/certs/dhparam.pem" \
  )

# Test public file paths
for file in  "${public_files[@]}"; do
  ownership_and_permissions="$(docker exec "$le_container_name" stat -c %u:%g:%a "$file")"
  if [[ "$ownership_and_permissions" != ${files_uid}:${files_gid}:644 ]]; then
    echo "Expected ${files_uid}:${files_gid}:644 on ${file}, found ${ownership_and_permissions}."
  fi
done
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`#!/bin/bash`

			`## Test for sensitive files and folders permissions`

Change ownership of public files too 2018-10-16 16:48:52 +02:00			`files_uid=1000`
			`files_gid=1001`
fix: restrict private key permissions (#1016) * fix: restrict private file permissions by default * fix: check perms of /etc/acme.sh private keys * fix: typo 2023-03-27 19:03:21 +02:00			`files_perms=644`
Change ownership of public files too 2018-10-16 16:48:52 +02:00			`folders_perms=750`

Move CI/CD from Travis to Github Actions. 2020-11-30 19:10:20 +01:00			`if [[ -z $GITHUB_ACTIONS ]]; then`
Shell linting 2020-10-09 13:04:10 +02:00			`le_container_name="$(basename "${0%/*}")_$(date "+%Y-%m-%d_%H.%M.%S")"`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`else`
Shell linting 2020-10-09 13:04:10 +02:00			`le_container_name="$(basename "${0%/*}")"`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`fi`
Shell linting 2020-10-09 13:04:10 +02:00			`run_le_container "${1:?}" "$le_container_name" \`
Change ownership of public files too 2018-10-16 16:48:52 +02:00			`"--env FILES_UID=$files_uid --env FILES_GID=$files_gid --env FILES_PERMS=$files_perms --env FOLDERS_PERMS=$folders_perms"`
Add test unit for permissions 2018-09-02 22:03:32 +02:00
			`# Create the $domains array from comma separated domains in TEST_DOMAINS.`
			`IFS=',' read -r -a domains <<< "$TEST_DOMAINS"`

			`# Cleanup function with EXIT trap`
			`function cleanup {`
			`# Remove the ${domains[0]} Nginx container silently.`
Test suite refactoring As much as possible, output to stdout on error condition only in order to reduce the need for expected-std-out.txt 2020-10-22 01:09:18 +02:00			`docker rm --force "${domains[0]}" &> /dev/null`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`# Cleanup the files created by this run of the test to avoid foiling following test(s).`
Fix tests self cleanup 2020-11-27 18:16:35 +01:00			`docker exec "$le_container_name" /app/cleanup_test_artifacts`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`# Stop the LE container`
			`docker stop "$le_container_name" > /dev/null`
			`}`
			`trap cleanup EXIT`

			`# Run an nginx container for ${domains[0]}.`
CI/CD: Refactor the run_nginx_container() function 2020-12-28 11:26:52 +01:00			`run_nginx_container --hosts "${domains[0]}"`
Add test unit for permissions 2018-09-02 22:03:32 +02:00
			`# Wait for the cert symlink.`
			`wait_for_symlink "${domains[0]}" "$le_container_name"`

			`# Array of folder paths to test`
			`folders=( \`
Change ACME client to acme.sh 2018-12-31 12:53:21 +01:00			`[0]="/etc/nginx/certs/${domains[0]}" \`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`)`

			`# Test folder paths`
			`for folder in "${folders[@]}"; do`
Add test unit for non default permissions 2018-10-13 15:58:16 +02:00			`ownership_and_permissions="$(docker exec "$le_container_name" stat -c %u:%g:%a "$folder")"`
Change ownership of public files too 2018-10-16 16:48:52 +02:00			`if [[ "$ownership_and_permissions" != ${files_uid}:${files_gid}:${folders_perms} ]]; then`
			`echo "Expected ${files_uid}:${files_gid}:${folders_perms} on ${folder}, found ${ownership_and_permissions}."`
			`fi`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`done`

Update permissions test units for symlinks 2018-12-14 15:04:32 +01:00			`# Array of symlinks paths to test`
			`symlinks=( \`
			`[0]="/etc/nginx/certs/${domains[0]}.crt" \`
			`[1]="/etc/nginx/certs/${domains[0]}.key" \`
			`[2]="/etc/nginx/certs/${domains[0]}.chain.pem" \`
			`[3]="/etc/nginx/certs/${domains[0]}.dhparam.pem" \`
			`)`

fix: restrict private key permissions (#1016) * fix: restrict private file permissions by default * fix: check perms of /etc/acme.sh private keys * fix: typo 2023-03-27 19:03:21 +02:00			`# Test symlinks paths`
			`for symlink in "${symlinks[@]}"; do`
			`ownership="$(docker exec "$le_container_name" stat -c %u:%g "$symlink")"`
			`if [[ "$ownership" != ${files_uid}:${files_gid} ]]; then`
			`echo "Expected ${files_uid}:${files_gid} on ${symlink}, found ${ownership}."`
			`fi`
			`done`
Update permissions test units for symlinks 2018-12-14 15:04:32 +01:00
Change ownership of public files too 2018-10-16 16:48:52 +02:00			`# Array of private file paths to test`
			`private_files=( \`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`[0]="/etc/nginx/certs/default.key" \`
Change ACME client to acme.sh 2018-12-31 12:53:21 +01:00			`[1]="/etc/nginx/certs/${domains[0]}/key.pem" \`
fix: restrict private key permissions (#1016) * fix: restrict private file permissions by default * fix: check perms of /etc/acme.sh private keys * fix: typo 2023-03-27 19:03:21 +02:00			`[2]="/etc/acme.sh/default/${domains[0]}/${domains[0]}.key" \`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`)`

Change ownership of public files too 2018-10-16 16:48:52 +02:00			`# Test private file paths`
			`for file in "${private_files[@]}"; do`
			`ownership_and_permissions="$(docker exec "$le_container_name" stat -c %u:%g:%a "$file")"`
			`if [[ "$ownership_and_permissions" != ${files_uid}:${files_gid}:${files_perms} ]]; then`
			`echo "Expected ${files_uid}:${files_gid}:${files_perms} on ${file}, found ${ownership_and_permissions}."`
			`fi`
			`done`

			`# Array of public files paths to test`
			`public_files=( \`
Update the test suite for ACME v2 2019-10-08 21:24:34 +02:00			`[0]="/etc/nginx/certs/${domains[0]}/.companion" \`
			`[1]="/etc/nginx/certs/${domains[0]}/cert.pem" \`
			`[2]="/etc/nginx/certs/${domains[0]}/chain.pem" \`
			`[3]="/etc/nginx/certs/${domains[0]}/fullchain.pem" \`
			`[4]="/etc/nginx/certs/default.crt" \`
			`[5]="/etc/nginx/certs/dhparam.pem" \`
Change ownership of public files too 2018-10-16 16:48:52 +02:00			`)`

			`# Test public file paths`
			`for file in "${public_files[@]}"; do`
Add test unit for non default permissions 2018-10-13 15:58:16 +02:00			`ownership_and_permissions="$(docker exec "$le_container_name" stat -c %u:%g:%a "$file")"`
Change ownership of public files too 2018-10-16 16:48:52 +02:00			`if [[ "$ownership_and_permissions" != ${files_uid}:${files_gid}:644 ]]; then`
			`echo "Expected ${files_uid}:${files_gid}:644 on ${file}, found ${ownership_and_permissions}."`
			`fi`
Add test unit for permissions 2018-09-02 22:03:32 +02:00			`done`