From d5e0b898a5df047ce010540767bd7bdd7d9a3fae Mon Sep 17 00:00:00 2001 From: "Bryan C. Mills" Date: Wed, 6 Mar 2019 13:51:43 -0500 Subject: [PATCH] cmd/go: convert TestACL to a script test Change-Id: Id25db146a317f2c5f5425cfabf4c3ca84066d5c8 Reviewed-on: https://go-review.googlesource.com/c/go/+/165752 Run-TryBot: Bryan C. Mills TryBot-Result: Gobot Gobot Reviewed-by: Ian Lance Taylor Reviewed-by: Alex Brainman --- src/cmd/go/go_windows_test.go | 74 ------------------- .../go/testdata/script/build_acl_windows.txt | 44 +++++++++++ 2 files changed, 44 insertions(+), 74 deletions(-) create mode 100644 src/cmd/go/testdata/script/build_acl_windows.txt diff --git a/src/cmd/go/go_windows_test.go b/src/cmd/go/go_windows_test.go index a8cfffea79..d65d91f712 100644 --- a/src/cmd/go/go_windows_test.go +++ b/src/cmd/go/go_windows_test.go @@ -5,7 +5,6 @@ package main import ( - "fmt" "internal/testenv" "io/ioutil" "os" @@ -47,76 +46,3 @@ func TestAbsolutePath(t *testing.T) { t.Fatalf("wrong output found: %v %v", err, string(output)) } } - -func runIcacls(t *testing.T, args ...string) string { - t.Helper() - out, err := exec.Command("icacls", args...).CombinedOutput() - if err != nil { - t.Fatalf("icacls failed: %v\n%v", err, string(out)) - } - return string(out) -} - -func runGetACL(t *testing.T, path string) string { - t.Helper() - cmd := fmt.Sprintf(`Get-Acl "%s" | Select -expand AccessToString`, path) - out, err := exec.Command("powershell", "-Command", cmd).CombinedOutput() - if err != nil { - t.Fatalf("Get-Acl failed: %v\n%v", err, string(out)) - } - return string(out) -} - -// For issue 22343: verify that executable file created by "go build" command -// has discretionary access control list (DACL) set as if the file -// was created in the destination directory. -func TestACL(t *testing.T) { - t.Parallel() - - tmpdir, err := ioutil.TempDir("", "TestACL") - if err != nil { - t.Fatal(err) - } - defer os.RemoveAll(tmpdir) - - newtmpdir := filepath.Join(tmpdir, "tmp") - err = os.Mkdir(newtmpdir, 0777) - if err != nil { - t.Fatal(err) - } - - // When TestACL/tmp directory is created, it will have - // the same security attributes as TestACL. - // Add Guest account full access to TestACL/tmp - this - // will make all files created in TestACL/tmp have different - // security attributes to the files created in TestACL. - runIcacls(t, newtmpdir, - "/grant", "*S-1-5-32-546:(oi)(ci)f", // add Guests group to have full access - ) - - src := filepath.Join(tmpdir, "main.go") - err = ioutil.WriteFile(src, []byte("package main; func main() { }\n"), 0644) - if err == nil { - err = ioutil.WriteFile(filepath.Join(tmpdir, "go.mod"), []byte("module TestACL\n"), 0644) - } - if err != nil { - t.Fatal(err) - } - - exe := filepath.Join(tmpdir, "main.exe") - cmd := exec.Command(testenv.GoToolPath(t), "build", "-o", exe, src) - cmd.Dir = tmpdir - cmd.Env = append(os.Environ(), - "TMP="+newtmpdir, - "TEMP="+newtmpdir, - ) - out, err := cmd.CombinedOutput() - if err != nil { - t.Fatalf("go command failed: %v\n%v", err, string(out)) - } - - // exe file is expected to have the same security attributes as the src. - if got, expected := runGetACL(t, exe), runGetACL(t, src); got != expected { - t.Fatalf("expected Get-Acl output of \n%v\n, got \n%v\n", expected, got) - } -} diff --git a/src/cmd/go/testdata/script/build_acl_windows.txt b/src/cmd/go/testdata/script/build_acl_windows.txt new file mode 100644 index 0000000000..13a3ba226a --- /dev/null +++ b/src/cmd/go/testdata/script/build_acl_windows.txt @@ -0,0 +1,44 @@ +[!windows] stop +[!exec:icacls] skip +[!exec:powershell] skip + +# Create $WORK\guest and give the Guests group full access. +# Files created within that directory will have different security attributes by default. +mkdir $WORK\guest +exec icacls $WORK\guest /grant '*S-1-5-32-546:(oi)(ci)f' + +env TMP=$WORK\guest +env TEMP=$WORK\guest + +# Build a binary using the guest directory as an intermediate +cd TestACL +go build -o main.exe main.go +# Build the same binary, but write it to the guest directory. +go build -o $TMP\main.exe main.go + +# Read ACLs for the files. +exec powershell -Command 'Get-Acl main.exe | Select -expand AccessToString' +cp stdout $WORK\exe-acl.txt +exec powershell -Command 'Get-Acl main.go | Select -expand AccessToString' +cp stdout $WORK\src-acl.txt +cd $TMP +exec powershell -Command 'Get-Acl main.exe | Select -expand AccessToString' +cp stdout $WORK\guest-acl.txt + +cd $WORK + +# The executable written to the source directory should have the same ACL as the source file. +cmp $WORK\exe-acl.txt $WORK\src-acl.txt + +# The file written to the guest-allowed directory should give Guests control. +grep 'BUILTIN\\Guests\s+Allow' $WORK\guest-acl.txt + +# The file written to the ordinary directory should not. +! grep 'BUILTIN\\Guests\s+Allow' $WORK\exe-acl.txt + + +-- TestACL/go.mod -- +module TestACL +-- TestACL/main.go -- +package main +func main() {} -- 2.50.0