chore: check ec2ic perms if not in qemu mode

darora · darora · commit c7696d391428 · 2024-11-26T07:28:44.000+08:00
diff --git a/ansible/files/permission_check.py b/ansible/files/permission_check.py
@@ -1,6 +1,8 @@
 import subprocess
 import json
 import sys
+import argparse
+
 
 # Expected groups for each user
 expected_results = {
@@ -88,6 +90,9 @@
     "messagebus": [
         {"groupname":"messagebus","username":"messagebus"}
     ],
+    "ec2-instance-connect": [
+        {"groupname": "nogroup", "username": "ec2-instance-connect"}
+    ],
     "sshd": [
         {"groupname":"nogroup","username":"sshd"}
     ],
@@ -142,20 +147,23 @@
     ]
 }
 
+
 # This program depends on osquery being installed on the system
 # Function to run osquery
 def run_osquery(query):
     process = subprocess.Popen(['osqueryi', '--json', query], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
     output, error = process.communicate()
     return output.decode('utf-8')
 
+
 def parse_json(json_str):
     try:
         return json.loads(json_str)
     except json.JSONDecodeError as e:
         print("Error decoding JSON:", e)
         sys.exit(1)
 
+
 def compare_results(username, query_result):
     expected_result = expected_results.get(username)
     if expected_result is None:
@@ -170,6 +178,7 @@ def compare_results(username, query_result):
         print("Got:", query_result)
         sys.exit(1)
 
+
 def check_nixbld_users():
     query = """
     SELECT u.username, g.groupname
@@ -188,15 +197,30 @@ def check_nixbld_users():
 
     print("All nixbld users are in the 'nixbld' group.")
 
-# Define usernames for which you want to compare results
-usernames = ["postgres", "ubuntu", "root", "daemon", "bin", "sys", "sync", "games","man","lp","mail","news","uucp","proxy","www-data","backup","list","irc","gnats","nobody","systemd-network","systemd-resolve","systemd-timesync","messagebus","sshd","wal-g","pgbouncer","gotrue","envoy","kong","nginx","vector","adminapi","postgrest","tcpdump","systemd-coredump"]
 
-# Iterate over usernames, run the query, and compare results
-for username in usernames:
-    query = f"SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE u.username = '{username}' ORDER BY g.groupname;"
-    query_result = run_osquery(query)
-    parsed_result = parse_json(query_result)
-    compare_results(username, parsed_result)
+def main():
+    parser = argparse.ArgumentParser(
+        prog='Supabase Postgres Artifact Permissions Checker',
+        description='Checks the Postgres Artifact for the appropriate users and group memberships')
+    parser.add_argument('-q', '--qemu', action='store_true', help='Whether we are checking a QEMU artifact')
+    args = parser.parse_args()
+    qemu_artifact = args.qemu or False
+
+    # Define usernames for which you want to compare results
+    usernames = ["postgres", "ubuntu", "root", "daemon", "bin", "sys", "sync", "games","man","lp","mail","news","uucp","proxy","www-data","backup","list","irc","gnats","nobody","systemd-network","systemd-resolve","systemd-timesync","messagebus","sshd","wal-g","pgbouncer","gotrue","envoy","kong","nginx","vector","adminapi","postgrest","tcpdump","systemd-coredump"]
+    if not qemu_artifact:
+        usernames.append("ec2-instance-connect")
+
+    # Iterate over usernames, run the query, and compare results
+    for username in usernames:
+        query = f"SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE u.username = '{username}' ORDER BY g.groupname;"
+        query_result = run_osquery(query)
+        parsed_result = parse_json(query_result)
+        compare_results(username, parsed_result)
+
+    # Check if all nixbld users are in the nixbld group
+    check_nixbld_users()
+
 
-# Check if all nixbld users are in the nixbld group
-check_nixbld_users()
+if __name__ == "__main__":
+    main()
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
@@ -201,7 +201,7 @@
     - name: Run osquery permission checks
       become: yes
       shell: |
-        sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py"
+        sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && /usr/bin/python3 /tmp/ansible-playbook/ansible/files/permission_check.py {{ '--qemu' if qemu_mode is defined else '' }}"
       when: stage2_nix
 
     - name: Remove osquery    
diff --git a/ebssurrogate/scripts/qemu-bootstrap-nix.sh b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
@@ -96,7 +96,7 @@ EOF
     # Run Ansible playbook
     export ANSIBLE_LOG_PATH=/tmp/ansible.log && export ANSIBLE_REMOTE_TEMP=/tmp
     ansible-playbook ./ansible/playbook.yml \
-        --extra-vars '{"nixpkg_mode": false, "stage2_nix": true, "debpkg_mode": false}' \
+        --extra-vars '{"nixpkg_mode": false, "stage2_nix": true, "debpkg_mode": false, "qemu_mode": true}' \
         --extra-vars "git_commit_sha=${GIT_SHA}"
 }
 

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ EOF`
`96`	`96`	`# Run Ansible playbook`
`97`	`97`	`export ANSIBLE_LOG_PATH=/tmp/ansible.log && export ANSIBLE_REMOTE_TEMP=/tmp`
`98`	`98`	`ansible-playbook ./ansible/playbook.yml \`
`99`		`- --extra-vars '{"nixpkg_mode": false, "stage2_nix": true, "debpkg_mode": false}' \`
	`99`	`+ --extra-vars '{"nixpkg_mode": false, "stage2_nix": true, "debpkg_mode": false, "qemu_mode": true}' \`
`100`	`100`	`--extra-vars "git_commit_sha=${GIT_SHA}"`
`101`	`101`	`}`
`102`	`102`