Skip to content

Refactor filesystem.go and adapt tests to use a real file system#71

Open
inteon wants to merge 1 commit intocert-manager:mainfrom
inteon:filesystem_tests
Open

Refactor filesystem.go and adapt tests to use a real file system#71
inteon wants to merge 1 commit intocert-manager:mainfrom
inteon:filesystem_tests

Conversation

@inteon
Copy link
Member

@inteon inteon commented Nov 21, 2024
edited
Loading

Adds tests to prevent bugs like #70 in the future.

Refactors filesystem.go to only accept absolute paths instead of the weird current relative absolute paths (due to os.DirFS("/")), fixing #15.

NOTE: we will have to modify all csi-drivers that use this lib to only accept/ input absolute paths

@cert-manager-prow cert-manager-prow bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 21, 2024
@inteon inteon requested a review from munnerz November 21, 2024 10:12
inteon
inteon commented Mar 28, 2025
View reviewed changes
storage/filesystem.go
// any sensitive data on disk in production.
func NewFilesystemOnDisk(log logr.Logger, basePath string) (*Filesystem, error) {
if !filepath.IsAbs(basePath) {
return nil, fmt.Errorf("baseDir must be an absolute path")
Copy link
Member Author

@inteon inteon Mar 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Starting from this PR, we no longer support the weird relative path notation. All paths have to be absolute.

Copy link
Member Author

@inteon inteon Jun 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see https://github.com/cert-manager/csi-lib/pull/71/files#diff-ebf7d236278a68704d3f90c6e44983c3c663d2beb9ce124a1658cb93ffaa6276R89

@inteon inteon force-pushed the filesystem_tests branch from 5545d0b to 8e0e40f Compare May 30, 2025 10:59
@cert-manager-prow
Copy link
Contributor

cert-manager-prow bot commented May 30, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wallrj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@inteon
refactor filesystem.go and adapt tests to use a real file system
e846f8c 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon inteon force-pushed the filesystem_tests branch 3 times, most recently from ca97148 to e846f8c Compare June 4, 2025 07:45
inteon
inteon commented Jul 4, 2025
View reviewed changes
storage/filesystem.go
// If a fsGroup is defined, Chown the directory to that group.
if fsGroup != nil {
if err := os.Chown(f.dataPathForVolumeID(meta.VolumeID), -1, int(*fsGroup)); err != nil {
if err := os.Lchown(f.dataPathForVolumeID(meta.VolumeID), -1, int(*fsGroup)); err != nil {
Copy link
Member Author

@inteon inteon Jul 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Chown vs Lchown:

If the file is a symbolic link, it changes the uid and gid of the link itself.

This should be more secure. However, since the dataPathForVolumeID is a folder, this should not change anything.

inteon
inteon commented Jul 4, 2025
View reviewed changes
storage/filesystem.go
existingMeta, err := f.ReadMetadata(meta.VolumeID)
if errors.Is(err, ErrNotFound) {
// Ensure directory structure for the volume exists
if err := f.ensureVolumeDirectory(meta.VolumeID); err != nil {
Copy link
Member Author

@inteon inteon Jul 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now called in WriteMetadata instead.

inteon
inteon commented Jul 4, 2025
View reviewed changes
storage/filesystem.go
}

// Data directory should be read and execute only to the fs user and group.
if err := os.MkdirAll(f.dataPathForVolumeID(volumeID), 0550); err != nil {
Copy link
Member Author

@inteon inteon Jul 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was moved to WriteFiles, since we don't need it in WriteMetadata (the other caller of this function).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@munnerz munnerz Awaiting requested review from munnerz

Assignees

No one assigned

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@inteon