Merge pull request #83 from LeChatP/dev

v3.2.2

Author: LeChatP

.github/workflows/pkg.yml

@@ -4,7 +4,7 @@ members = ["xtask", "rar-common"]
 [package]
 name = "rootasrole"
 # The project version is managed on json file in resources/rootasrole.json
-version = "3.2.1"
+version = "3.2.2"
 rust-version = "1.83.0"
 authors = ["Eddie Billoir <[email protected]>"]
 edition = "2021"
@@ -71,7 +71,7 @@ toml = "0.8"
 chrono = { version = "0.4", features = ["unstable-locales"] }
 
 [dependencies]
-rar-common = { path = "rar-common", version = "3.2.1", package = "rootasrole-core" }
+rar-common = { path = "rar-common", version = "3.2.2", package = "rootasrole-core" }
 log = "0.4"
 libc = "0.2"
 strum = { version = "0.26", features = ["derive"] }

Cargo.toml

@@ -5,16 +5,18 @@
  </p>
  <p align="center">
 
-<img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/LeChatP/RootAsRole/build.yml?label=Build"/>
-<img alt="Test Status" src="https://img.shields.io/github/actions/workflow/status/LeChatP/RootAsRole/tests.yml?label=Unit%20Tests">
-<a href="https://codecov.io/gh/LeChatP/RootAsRole" ><img src="https://codecov.io/gh/LeChatP/RootAsRole/branch/main/graph/badge.svg?token=6J7CRGEIG8"/></a>
- <img alt="GitHub" src="https://img.shields.io/github/license/LeChatP/RootAsRole">
+<img alt="crates.io" src="https://img.shields.io/crates/v/rootasrole.svg?style=for-the-badge&label=Version&color=e37602&logo=rust" height="25"/>
+<img alt="Build Status" src="https://img.shields.io/github/actions/workflow/status/LeChatP/RootAsRole/build.yml?style=for-the-badge&logo=githubactions&label=Build&logoColor=white" height="25"/>
+<img alt="Tests Status" src="https://img.shields.io/github/actions/workflow/status/LeChatP/RootAsRole/tests.yml?style=for-the-badge&logo=githubactions&logoColor=white&label=Tests" height="25"/>
+<img alt="Codecov" src="https://img.shields.io/codecov/c/github/lechatp/rootasrole?style=for-the-badge&logo=codecov&color=green&link=https%3A%2F%2Fapp.codecov.io%2Fgh%2FLeChatP%2FRootAsRole" height="25">
+<img alt="GitHub" src="https://img.shields.io/github/license/LeChatP/RootAsRole?style=for-the-badge&logo=github&logoColor=white" height="25"/>
+
 
 </p>
 <!-- The project version is managed on json file in resources/rootasrole.json -->
 <!-- markdownlint-restore -->
 
-# RootAsRole (V3.2.1) — A better alternative to `sudo(-rs)`/`su` • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-oriented
+# RootAsRole — A better alternative to `sudo(-rs)`/`su` • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-oriented
 
 RootAsRole is a Linux/Unix privilege delegation tool based on **Role-Based Access Control (RBAC)**. It empowers administrators to assign precise privileges — not full root — to users and commands.
 

README.md

@@ -35,28 +35,6 @@ fn set_cargo_version(package_version: &str, file: &str) -> Result<(), Box<dyn Er
     Ok(())
 }
 
-fn set_readme_version(package_version: &str, file: &str) -> Result<(), Box<dyn Error>> {
-    let readme = File::open(std::path::Path::new(file)).expect("README.md not found");
-    let reader = BufReader::new(readme);
-    let lines = reader.lines().map(|l| l.unwrap()).collect::<Vec<String>>();
-    let mut readme = File::create(std::path::Path::new(file)).expect("README.md not found");
-    for line in lines {
-        if line.starts_with("# RootAsRole (V") {
-            let mut s = line.split("(V").next().unwrap().to_string();
-            let end = line
-                .split(')')
-                .skip(1)
-                .fold(String::new(), |acc, x| acc + ")" + x);
-            s.push_str(&format!("(V{}{}", package_version, end));
-            writeln!(readme, "{}", s)?;
-        } else {
-            writeln!(readme, "{}", line)?;
-        }
-    }
-    readme.sync_all()?;
-    Ok(())
-}
-
 fn some_kind_of_uppercase_first_letter(s: &str) -> String {
     let mut c = s.chars();
     match c.next() {
@@ -135,10 +113,6 @@ fn main() {
         eprintln!("cargo:warning={}", err);
     }
 
-    if let Err(err) = set_readme_version(&package_version, "README.md") {
-        eprintln!("cargo:warning={}", err);
-    }
-
     if let Err(err) = set_man_version(&package_version, "resources/man/en_US.md", Locale::en_US) {
         eprintln!("cargo:warning={}", err);
     }

build.rs

@@ -1,6 +1,6 @@
 [package]
 name = "rootasrole-core"
-version = "3.2.1"
+version = "3.2.2"
 edition = "2021"
 description = "This core crate for the RootAsRole project."
 license = "LGPL-3.0-or-later"

rar-common/Cargo.toml

@@ -397,6 +397,7 @@ impl LockedSettingsFile {
             with_mutable_config(self.fd.deref_mut(), |file| {
                 debug!("Toggled immutable off for config file");
                 file.rewind()?;
+                file.set_len(0)?;
                 write_json_config(&versionned, file)
             })?;
         } else {
@@ -613,6 +614,7 @@ mod tests {
 
     use crate::database::actor::SActor;
     use crate::database::structs::{SCommand, SCommands, SCredentials, SRole, STask, SetBehavior};
+    use crate::util::unlock_immutable;
 
     use super::*;
 
@@ -1353,4 +1355,86 @@ mod tests {
         // File should exist now
         assert!(PathBuf::from(test_file).exists());
     }
+
+    #[test]
+    fn test_locked_settings_truncates_file_on_save() {
+        if has_privileges(&[Cap::LINUX_IMMUTABLE]).is_ok_and(|b| !b) {
+            println!("Test skipped due to insufficient privileges in test environment");
+            return;
+        }
+        let test_file = "/tmp/test_locked_settings_truncates_file_on_save.json";
+        let _cleanup = defer(|| {
+            let filename = PathBuf::from(test_file)
+                .canonicalize()
+                .unwrap_or(test_file.into());
+            if std::fs::remove_file(&filename).is_err() {
+                debug!("Failed to delete the file: {}", filename.display());
+            }
+        });
+
+        // Create a test file with some initial content
+        let initial_content = r#"{
+            "version": "0.1.0",
+            "storage": {
+                "method": "JSON"
+            },
+            "config": {
+                "roles": [
+                    {
+                        "name": "old_role",
+                        "actors": [],
+                        "tasks": []
+                    },
+                    {
+                        "name": "another_old_role",
+                        "actors": [],
+                        "tasks": []
+                    },
+                    {
+                        "name": "yet_another_old_role",
+                        "actors": [],
+                        "tasks": []
+                    },
+                    {
+                        "name": "oldest_role",
+                        "actors": [],
+                        "tasks": []
+                    }
+                ]
+            }
+        }"#;
+        let mut file = File::create(test_file).unwrap();
+        with_mutable_config(&mut file, |file| {
+            file.write_all(initial_content.as_bytes()).unwrap();
+            Ok(())
+        })
+        .unwrap();
+
+        // Open the file using LockedSettingsFile
+        let mut locked = LockedSettingsFile::open(
+            test_file,
+            std::fs::OpenOptions::new()
+                .read(true)
+                .write(true)
+                .to_owned(),
+            true, // write mode
+        )
+        .unwrap();
+
+        // Modify the settings to have fewer roles
+        let new_config = SConfig::builder().build();
+        locked.data.borrow_mut().config = Some(new_config);
+        locked.save().unwrap();
+        // Read back the file content
+        let mut file = File::open(test_file).unwrap();
+        let mut content = String::new();
+        file.read_to_string(&mut content).unwrap();
+        // The content should match the new settings and not contain old roles
+        assert!(!content.contains("old_role"));
+        assert!(!content.contains("another_old_role"));
+        assert!(!content.contains("yet_another_old_role"));
+        assert!(!content.contains("oldest_role"));
+        unlock_immutable(&mut file).unwrap();
+        fs::remove_file(test_file).unwrap();
+    }
 }

rar-common/src/lib.rs

@@ -94,6 +94,24 @@ pub fn with_mutable_config<F, R>(file: &mut File, f: F) -> std::io::Result<R>
 where
     F: FnOnce(&mut File) -> io::Result<R>,
 {
+    let mut val = unlock_immutable(file)?;
+    let res = f(file);
+    val |= FS_IMMUTABLE_FL;
+    lock_immutable(file, val)?;
+    res
+}
+
+pub fn lock_immutable(file: &mut File, mut val: u32) -> Result<(), io::Error> {
+    immutable_required_privileges(file, || {
+        if unsafe { nix::libc::ioctl(file.as_raw_fd(), FS_IOC_SETFLAGS, &mut val) } < 0 {
+            return Err(std::io::Error::last_os_error());
+        }
+        Ok(())
+    })?;
+    Ok(())
+}
+
+pub fn unlock_immutable(file: &mut File) -> Result<u32, io::Error> {
     let mut val = 0;
     if unsafe { nix::libc::ioctl(file.as_raw_fd(), FS_IOC_GETFLAGS, &mut val) } < 0 {
         return Err(std::io::Error::last_os_error());
@@ -109,15 +127,7 @@ where
     } else {
         warn!("Config file was not immutable.");
     }
-    let res = f(file);
-    val |= FS_IMMUTABLE_FL;
-    immutable_required_privileges(file, || {
-        if unsafe { nix::libc::ioctl(file.as_raw_fd(), FS_IOC_SETFLAGS, &mut val) } < 0 {
-            return Err(std::io::Error::last_os_error());
-        }
-        Ok(())
-    })?;
-    res
+    Ok(val)
 }
 
 pub fn warn_if_mutable(file: &File, return_err: bool) -> std::io::Result<()> {
@@ -336,7 +346,10 @@ pub fn open_lock_with_privileges<P: AsRef<Path>>(
             if e.kind() != std::io::ErrorKind::PermissionDenied {
                 return Err(e);
             }
-            debug!("Permission denied while opening file, retrying with privileges",);
+            debug!(
+                "Permission denied while opening {} file, retrying with privileges",
+                p.as_ref().display()
+            );
             with_privileges(&[Cap::DAC_READ_SEARCH], || options.open(&p)).or_else(|e| {
                 if e.kind() != std::io::ErrorKind::PermissionDenied {
                     return Err(e);
@@ -353,7 +366,10 @@ pub fn read_with_privileges<P: AsRef<Path>>(p: P) -> std::io::Result<File> {
         if e.kind() != std::io::ErrorKind::PermissionDenied {
             return Err(e);
         }
-        debug!("Permission denied while opening file, retrying with privileges",);
+        debug!(
+            "Permission denied while opening {} file, retrying with privileges",
+            p.as_ref().display()
+        );
         with_privileges(&[Cap::DAC_READ_SEARCH], || std::fs::File::open(&p)).or_else(|e| {
             if e.kind() != std::io::ErrorKind::PermissionDenied {
                 return Err(e);
@@ -368,7 +384,10 @@ pub fn remove_with_privileges<P: AsRef<Path>>(p: P) -> std::io::Result<()> {
         if e.kind() != std::io::ErrorKind::PermissionDenied {
             return Err(e);
         }
-        debug!("Permission denied while removing file, retrying with privileges",);
+        debug!(
+            "Permission denied while removing {} file, retrying with privileges",
+            p.as_ref().display()
+        );
         with_privileges(&[Cap::DAC_OVERRIDE], || std::fs::remove_file(&p))
     })
 }
@@ -378,7 +397,10 @@ pub fn create_dir_all_with_privileges<P: AsRef<Path>>(p: P) -> std::io::Result<(
         if e.kind() != std::io::ErrorKind::PermissionDenied {
             return Err(e);
         }
-        debug!("Permission denied while creating directory, retrying with privileges",);
+        debug!(
+            "Permission denied while creating {} directory, retrying with privileges",
+            p.as_ref().display()
+        );
         with_privileges(&[Cap::DAC_OVERRIDE], || std::fs::create_dir_all(p))
     })
 }

rar-common/src/util.rs

@@ -1,4 +1,4 @@
-% RootAsRole(8) RootAsRole 3.2.1 | System Manager's Manual
+% RootAsRole(8) RootAsRole 3.2.2 | System Manager's Manual
 % Eddie Billoir <[email protected]>
 % August 2025
 

resources/man/en_US.md

@@ -1,4 +1,4 @@
-% RootAsRole(8) RootAsRole 3.2.1 | Manuel de l'administrateur système
+% RootAsRole(8) RootAsRole 3.2.2 | Manuel de l'administrateur système
 % Eddie Billoir <[email protected]>
 % Août 2025
 

resources/man/fr_FR.md

@@ -267,23 +267,21 @@ mod tests {
 
     #[test]
     fn test_check_auth_required_but_valid_timeout() {
+        if env!("RAR_PAM_SERVICE") == "dosr" {
+            println!("Skipping test_check_auth_required_but_valid_timeout because RAR_PAM_SERVICE is set to original dosr");
+            return;
+        }
         let authentication = SAuthentication::Perform;
         let timeout = create_test_timeout();
         let user = create_test_user();
 
-        // This test depends on the timeout::is_valid implementation
-        // In a real environment, you might want to mock this
-        let result = check_auth(&authentication, &timeout, &user, "Password: ");
-        // Result will depend on whether there's a valid timeout cookie
-        // We're just testing that it doesn't panic
-        assert!(result.is_ok() || result.is_err());
+        let _ = check_auth(&authentication, &timeout, &user, "Password: ");
     }
 
     #[test]
     fn test_conversation_handler_no_interact_flag() {
         let handler = SrConversationHandler::builder().no_interact().build();
 
-        // When no_interact is true, both prompt methods should return ConversationError
         let prompt_result = handler.prompt(OsStr::new("Test prompt"));
         assert!(matches!(prompt_result, Err(ErrorCode::ConversationError)));
 
@@ -299,10 +297,8 @@ mod tests {
         let custom_prompt = "Enter your secret: ";
         let handler = SrConversationHandler::new(custom_prompt);
 
-        // Test that the handler stores the custom prompt
         assert_eq!(handler.prompt, custom_prompt);
 
-        // Test that it recognizes standard PAM prompts
         assert!(handler.is_pam_password_prompt(&"Password:"));
         assert!(handler.is_pam_password_prompt(&"Password: "));
     }