[v9] Implement tbot init subcommand and ACL management (#10289)

go.mod

@@ -170,6 +170,9 @@ require (
 	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 // indirect
+	github.com/jstemmer/go-junit-report v0.9.1 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/klauspost/compress v1.9.5 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect

go.sum

@@ -578,6 +578,8 @@ github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqx
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
+github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531 h1:hgVxRoDDPtQE68PT4LFvNlPz2nBKd3OMlGKIQ69OmR4=
+github.com/joshlf/go-acl v0.0.0-20200411065538-eae00ae38531/go.mod h1:fqTUQpVYBvhCNIsMXGl2GE9q6z94DIP6NtFKXCSTVbg=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=

lib/utils/cli.go

@@ -251,6 +251,8 @@ func formatCertError(err error) string {
 }
 
 const (
+	// Bold is an escape code to format as bold or increased intensity
+	Bold = 1
 	// Red is an escape code for red terminal color
 	Red = 31
 	// Yellow is an escape code for yellow terminal color

tool/tbot/botfs/botfs.go

@@ -0,0 +1,156 @@
+/*
+Copyright 2022 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package botfs
+
+import (
+	"io/fs"
+	"os"
+	"os/user"
+	"runtime"
+	"strconv"
+	"syscall"
+
+	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/api/constants"
+	"github.com/gravitational/trace"
+	"github.com/sirupsen/logrus"
+)
+
+var log = logrus.WithFields(logrus.Fields{
+	trace.Component: teleport.ComponentTBot,
+})
+
+// SymlinksMode is an enum type listing various symlink behavior modes.
+type SymlinksMode string
+
+const (
+	// SymlinksInsecure does allow resolving symlink paths and does not issue
+	// any symlink-related warnings.
+	SymlinksInsecure SymlinksMode = "insecure"
+
+	// SymlinksTrySecure attempts to write files securely and avoid symlink
+	// attacks, but falls back with a warning if the necessary OS / kernel
+	// support is missing.
+	SymlinksTrySecure SymlinksMode = "try-secure"
+
+	// SymlinksSecure attempts to write files securely and fails with an error
+	// if the operation fails. This should be the default on systems where we
+	// expect it to be supported.
+	SymlinksSecure SymlinksMode = "secure"
+)
+
+// ACLMode is an enum type listing various ACL behavior modes.
+type ACLMode string
+
+const (
+	// ACLOff disables ACLs
+	ACLOff ACLMode = "off"
+
+	// ACLTry attempts to use ACLs but falls back to no ACLs with a warning if
+	// unavailable.
+	ACLTry ACLMode = "try"
+
+	// ACLRequired enables ACL support and fails if ACLs are unavailable.
+	ACLRequired ACLMode = "required"
+)
+
+const (
+	// DefaultMode is the preferred permissions mode for bot files.
+	DefaultMode fs.FileMode = 0600
+
+	// DefaultDirMode is the preferred permissions mode for bot directories.
+	// Directories need the execute bit set for most operations on their
+	// contents to succeed.
+	DefaultDirMode fs.FileMode = 0700
+)
+
+// ACLOptions contains parameters needed to configure ACLs
+type ACLOptions struct {
+	// BotUser is the bot user that should have write access to this entry
+	BotUser *user.User
+
+	// ReaderUser is the user that should have read access to the file. This
+	// may be nil if the reader user is not known.
+	ReaderUser *user.User
+}
+
+// openStandard attempts to open the given path for writing with O_CREATE set.
+func openStandard(path string) (*os.File, error) {
+	file, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, DefaultMode)
+	if err != nil {
+		return nil, trace.ConvertSystemError(err)
+	}
+
+	return file, nil
+}
+
+// createStandard creates an empty file or directory at the given path without
+// attempting to prevent symlink attacks.
+func createStandard(path string, isDir bool) error {
+	if isDir {
+		if err := os.Mkdir(path, DefaultDirMode); err != nil {
+			return trace.ConvertSystemError(err)
+		}
+
+		return nil
+	}
+
+	f, err := openStandard(path)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	if err := f.Close(); err != nil {
+		log.Warnf("Failed to close file at %q: %+v", path, err)
+	}
+
+	return nil
+}
+
+// GetOwner attempts to retrieve the owner of the given file. This is not
+// supported on all platforms and will return a trace.NotImplemented in that
+// case.
+func GetOwner(fileInfo fs.FileInfo) (*user.User, error) {
+	info, ok := fileInfo.Sys().(*syscall.Stat_t)
+	if !ok {
+		return nil, trace.NotImplemented("Cannot verify file ownership on this platform.")
+	}
+
+	user, err := user.LookupId(strconv.Itoa(int(info.Uid)))
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return user, nil
+}
+
+// IsOwnedBy checks that the file at the given path is owned by the given user.
+// Returns a trace.NotImplemented() on unsupported platforms.
+func IsOwnedBy(fileInfo fs.FileInfo, user *user.User) (bool, error) {
+	if runtime.GOOS == constants.WindowsOS {
+		// no-op on windows
+		return false, trace.NotImplemented("Cannot verify file ownership on this platform.")
+	}
+
+	info, ok := fileInfo.Sys().(*syscall.Stat_t)
+	if !ok {
+		return false, trace.NotImplemented("Cannot verify file ownership on this platform.")
+	}
+
+	// Our files are 0600, so don't bother checking gid.
+	return strconv.Itoa(int(info.Uid)) == user.Uid, nil
+}