Set config file mode to 0600 in packages

This PR changes the main config file (<beatname>.yml) from 0644 to 0600. It adds a test that checks all RPM, deb, tar.gz, and zip files to ensure that the config file has the correct file mode.

Author: andrewkroh

CHANGELOG.asciidoc

@@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 - The limit for the number of fields is increased via the mapping template. {pull}3275[3275]
 - Updated to Go 1.7.4. {pull}3277[3277]
 - Added a NOTICE file containing the notices and licenses of the dependencies. {pull}3334[3334].
+- RPM/deb packages will now install the config file with 0600 permissions. {pull}3382[3382]
 
 *Metricbeat*
 

Makefile

@@ -96,6 +96,8 @@ package: update beats-dashboards
 	mkdir -p build/upload/
 	$(foreach var,$(BEATS),cp -r $(var)/build/upload/ build/upload/$(var)  || exit 1;)
 	cp -r build/dashboards-upload build/upload/dashboards
+	# Run tests on the generated packages.
+	go test ./dev-tools/package_test.go -files "${shell pwd}/build/upload/*/*"
 
 # Upload nightly builds to S3
 .PHONY: upload-nightlies-s3

dev-tools/package_test.go

@@ -0,0 +1,289 @@
+package dev_tools
+
+// This file contains tests that can be run on the generated packages.
+// To run these tests use `go test package_test.go`.
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"bytes"
+	"compress/gzip"
+	"flag"
+	"io"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strings"
+	"testing"
+
+	"github.com/blakesmith/ar"
+	"github.com/cavaliercoder/go-rpm"
+)
+
+const (
+	expectedConfigMode = os.FileMode(0600)
+	expectedConfigUID  = 0
+	expectedConfigGID  = 0
+)
+
+var (
+	configFilePattern = regexp.MustCompile(`.*beat\.yml`)
+)
+
+var (
+	files = flag.String("files", "../build/upload/*/*", "filepath glob containing package files")
+)
+
+func TestRPM(t *testing.T) {
+	rpms := getFiles(t, regexp.MustCompile(`\.rpm$`))
+	for _, rpm := range rpms {
+		checkRPM(t, rpm)
+	}
+}
+
+func TestDeb(t *testing.T) {
+	debs := getFiles(t, regexp.MustCompile(`\.deb$`))
+	buf := new(bytes.Buffer)
+	for _, deb := range debs {
+		checkDeb(t, deb, buf)
+	}
+}
+
+func TestTar(t *testing.T) {
+	tars := getFiles(t, regexp.MustCompile(`\.tar\.gz$`))
+	for _, tar := range tars {
+		checkTar(t, tar)
+	}
+}
+
+func TestZip(t *testing.T) {
+	zips := getFiles(t, regexp.MustCompile(`^\w+beat-\S+.zip$`))
+	for _, zip := range zips {
+		checkZip(t, zip)
+	}
+}
+
+// Sub-tests
+
+func checkRPM(t *testing.T, file string) {
+	p, err := readRPM(file)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	checkConfigPermissions(t, p)
+}
+
+func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
+	p, err := readDeb(file, buf)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	checkConfigPermissions(t, p)
+	checkConfigOwner(t, p)
+}
+
+func checkTar(t *testing.T, file string) {
+	p, err := readTar(file)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	checkConfigPermissions(t, p)
+	checkConfigOwner(t, p)
+}
+
+func checkZip(t *testing.T, file string) {
+	p, err := readZip(file)
+	if err != nil {
+		t.Error(err)
+		return
+	}
+
+	checkConfigPermissions(t, p)
+}
+
+// Verify that the main configuration file is installed with a 0600 file mode.
+func checkConfigPermissions(t *testing.T, p *packageFile) {
+	t.Run(p.Name+" config file permissions", func(t *testing.T) {
+		for _, entry := range p.Contents {
+			if configFilePattern.MatchString(entry.File) {
+				mode := entry.Mode.Perm()
+				if expectedConfigMode != mode {
+					t.Errorf("file %v has wrong permissions: expected=%v actual=%v",
+						entry.Mode, expectedConfigMode, mode)
+				}
+				return
+			}
+		}
+		t.Errorf("no config file found matching %v", configFilePattern)
+	})
+}
+
+func checkConfigOwner(t *testing.T, p *packageFile) {
+	t.Run(p.Name+" config file owner", func(t *testing.T) {
+		for _, entry := range p.Contents {
+			if configFilePattern.MatchString(entry.File) {
+				if expectedConfigUID != entry.UID {
+					t.Errorf("file %v should be owned by user %v, owner=%v", entry.File, expectedConfigGID, entry.UID)
+				}
+				if expectedConfigGID != entry.GID {
+					t.Errorf("file %v should be owned by group %v, group=%v", entry.File, expectedConfigGID, entry.GID)
+				}
+				return
+			}
+		}
+		t.Errorf("no config file found matching %v", configFilePattern)
+	})
+}
+
+// Helpers
+
+type packageFile struct {
+	Name     string
+	Contents map[string]packageEntry
+}
+
+type packageEntry struct {
+	File string
+	UID  int
+	GID  int
+	Mode os.FileMode
+}
+
+func getFiles(t *testing.T, pattern *regexp.Regexp) []string {
+	matches, err := filepath.Glob(*files)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	files := matches[:0]
+	for _, f := range matches {
+		if pattern.MatchString(filepath.Base(f)) {
+			files = append(files, f)
+		}
+	}
+
+	return files
+}
+
+func readRPM(rpmFile string) (*packageFile, error) {
+	p, err := rpm.OpenPackageFile(rpmFile)
+	if err != nil {
+		return nil, err
+	}
+
+	contents := p.Files()
+	pf := &packageFile{Name: filepath.Base(rpmFile), Contents: map[string]packageEntry{}}
+
+	for _, file := range contents {
+		pf.Contents[file.Name()] = packageEntry{
+			File: file.Name(),
+			Mode: file.Mode(),
+		}
+	}
+
+	return pf, nil
+}
+
+// readDeb reads the data.tar.gz file from the .deb.
+func readDeb(debFile string, dataBuffer *bytes.Buffer) (*packageFile, error) {
+	file, err := os.Open(debFile)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	arReader := ar.NewReader(file)
+	for {
+		header, err := arReader.Next()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return nil, err
+		}
+
+		if strings.HasPrefix(header.Name, "data.tar.gz") {
+			dataBuffer.Reset()
+			_, err := io.Copy(dataBuffer, arReader)
+			if err != nil {
+				return nil, err
+			}
+
+			gz, err := gzip.NewReader(dataBuffer)
+			if err != nil {
+				return nil, err
+			}
+			defer gz.Close()
+
+			return readTarContents(filepath.Base(debFile), gz)
+		}
+	}
+
+	return nil, io.EOF
+}
+
+func readTar(tarFile string) (*packageFile, error) {
+	file, err := os.Open(tarFile)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	var fileReader io.ReadCloser = file
+	if strings.HasSuffix(tarFile, ".gz") {
+		if fileReader, err = gzip.NewReader(file); err != nil {
+			return nil, err
+		}
+		defer fileReader.Close()
+	}
+
+	return readTarContents(filepath.Base(tarFile), fileReader)
+}
+
+func readTarContents(tarName string, data io.Reader) (*packageFile, error) {
+	tarReader := tar.NewReader(data)
+
+	p := &packageFile{Name: tarName, Contents: map[string]packageEntry{}}
+	for {
+		header, err := tarReader.Next()
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return nil, err
+		}
+
+		p.Contents[header.Name] = packageEntry{
+			File: header.Name,
+			UID:  header.Uid,
+			GID:  header.Gid,
+			Mode: os.FileMode(header.Mode),
+		}
+	}
+
+	return p, nil
+}
+
+func readZip(zipFile string) (*packageFile, error) {
+	r, err := zip.OpenReader(zipFile)
+	if err != nil {
+		return nil, err
+	}
+	defer r.Close()
+
+	p := &packageFile{Name: filepath.Base(zipFile), Contents: map[string]packageEntry{}}
+	for _, f := range r.File {
+		p.Contents[f.Name] = packageEntry{
+			File: f.Name,
+			Mode: f.Mode(),
+		}
+	}
+
+	return p, nil
+}

dev-tools/packer/xgo-scripts/before_build.sh

@@ -62,14 +62,17 @@ cp $BEAT_NAME.template-es2x.json $PREFIX/$BEAT_NAME.template-es2x.json
 
 # linux
 cp $BEAT_NAME.yml $PREFIX/$BEAT_NAME-linux.yml
+chmod 0600 $PREFIX/$BEAT_NAME-linux.yml
 cp $BEAT_NAME.full.yml $PREFIX/$BEAT_NAME-linux.full.yml
 
 # darwin
 cp $BEAT_NAME.yml $PREFIX/$BEAT_NAME-darwin.yml
+chmod 0600 $PREFIX/$BEAT_NAME-darwin.yml
 cp $BEAT_NAME.full.yml $PREFIX/$BEAT_NAME-darwin.full.yml
 
 # win
 cp $BEAT_NAME.yml $PREFIX/$BEAT_NAME-win.yml
+chmod 0600 $PREFIX/$BEAT_NAME-win.yml
 cp $BEAT_NAME.full.yml $PREFIX/$BEAT_NAME-win.full.yml
 
 # Contains beat specific adjustments. As it is platform specific knowledge, it should be in packer not the beats itself