Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rancher-cli for openSUSE:Factory checked in at 2023-10-24 20:09:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rancher-cli (Old) and /work/SRC/openSUSE:Factory/.rancher-cli.new.24901 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rancher-cli" Tue Oct 24 20:09:09 2023 rev:8 rq:1119931 version:2.8.0 Changes: -------- --- /work/SRC/openSUSE:Factory/rancher-cli/rancher-cli.changes 2023-09-20 13:31:28.323551626 +0200 +++ /work/SRC/openSUSE:Factory/.rancher-cli.new.24901/rancher-cli.changes 2023-10-24 20:09:14.686460674 +0200 @@ -1,0 +2,10 @@ +Tue Oct 24 09:37:47 UTC 2023 - ka...@b1-systems.de + +- Update to version 2.8.0: + * Update saml auth login endpoint to dashboard endpoint + * Create configuration with 0600 permissions by default + * Move config loading to config/config.go + * Add missing packages after moving Dapper image to BCI (#340) + * Bump Go and Dockerfile versions (#338) + +------------------------------------------------------------------- Old: ---- cli-2.7.7.obscpio cli-2.7.7.tar.gz New: ---- cli-2.8.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rancher-cli.spec ++++++ --- /var/tmp/diff_new_pack.x1zE0e/_old 2023-10-24 20:09:15.638495287 +0200 +++ /var/tmp/diff_new_pack.x1zE0e/_new 2023-10-24 20:09:15.638495287 +0200 @@ -18,12 +18,12 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: rancher-cli -Version: 2.7.7 +Version: 2.8.0 Release: 0 Summary: Rancher CLI License: Apache-2.0 URL: https://github.com/rancher/cli -Source: https://github.com/rancher/cli/archive/refs/tags/v%{version}.tar.gz#/cli-%{version}.tar.gz +Source: cli-%{version}.tar.gz Source1: vendor.tar.gz BuildRequires: golang(API) = 1.20 @@ -32,8 +32,7 @@ For usage information see: https://rancher.com/docs/rancher/v2.x/en/cli/ %prep -%setup -q -n cli-%{version} -%setup -q -T -D -a 1 -n cli-%{version} +%autosetup -p 1 -a 1 -n cli-%{version} %build -n cli-%{version} go build \ ++++++ _service ++++++ --- /var/tmp/diff_new_pack.x1zE0e/_old 2023-10-24 20:09:15.666496305 +0200 +++ /var/tmp/diff_new_pack.x1zE0e/_new 2023-10-24 20:09:15.670496450 +0200 
@@ -3,7 +3,7 @@ <param name="url">https://github.com/rancher/cli</param> <param name="scm">git</param> <param name="exclude">.git</param> - <param name="revision">v2.7.7</param> + <param name="revision">v2.8.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> @@ -16,7 +16,7 @@ <param name="compression">gz</param> </service> <service name="go_modules" mode="manual"> - <param name="archive">cli-2.7.7.obscpio</param> + <param name="archive">cli-2.8.0.obscpio</param> </service> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.x1zE0e/_old 2023-10-24 20:09:15.690497177 +0200 +++ /var/tmp/diff_new_pack.x1zE0e/_new 2023-10-24 20:09:15.694497323 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/rancher/cli</param> - <param name="changesrevision">d8f002e61dd0e6bbb8bd2259bfd84880b5491def</param></service></servicedata> + <param name="changesrevision">2cc3438cba73e9916729b8339d461ecfa9d85c33</param></service></servicedata> (No newline at EOF) ++++++ cli-2.7.7.obscpio -> cli-2.8.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cli-2.7.7/Dockerfile.dapper new/cli-2.8.0/Dockerfile.dapper --- old/cli-2.7.7/Dockerfile.dapper 2023-09-15 22:27:13.000000000 +0200 +++ new/cli-2.8.0/Dockerfile.dapper 2023-09-28 18:32:48.000000000 +0200 @@ -1,4 +1,4 @@ -FROM registry.suse.com/bci/golang:1.19 +FROM registry.suse.com/bci/golang:1.20 RUN zypper -n install docker rsync xz zip diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cli-2.7.7/cmd/common.go new/cli-2.8.0/cmd/common.go --- old/cli-2.7.7/cmd/common.go 2023-09-15 22:27:13.000000000 +0200 +++ new/cli-2.8.0/cmd/common.go 2023-09-28 18:32:48.000000000 +0200 @@ -5,7 +5,6 @@ "bytes" "context" "crypto/x509" - "encoding/json" "encoding/pem" "fmt" "io" 
@@ -259,27 +258,15 @@ return string(caCert), nil } -func loadConfig(ctx *cli.Context) (config.Config, error) { +func GetConfigPath(ctx *cli.Context) string { // path will always be set by the global flag default path := ctx.GlobalString("config") - path = filepath.Join(path, cfgFile) - - cf := config.Config{ - Path: path, - Servers: make(map[string]*config.ServerConfig), - } - - content, err := ioutil.ReadFile(path) - if os.IsNotExist(err) { - return cf, nil - } else if err != nil { - return cf, err - } - - err = json.Unmarshal(content, &cf) - cf.Path = path + return filepath.Join(path, cfgFile) +} - return cf, err +func loadConfig(ctx *cli.Context) (config.Config, error) { + path := GetConfigPath(ctx) + return config.LoadFromPath(path) } func lookupConfig(ctx *cli.Context) (*config.ServerConfig, error) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cli-2.7.7/cmd/kubectl_token.go new/cli-2.8.0/cmd/kubectl_token.go --- old/cli-2.7.7/cmd/kubectl_token.go 2023-09-15 22:27:13.000000000 +0200 +++ new/cli-2.8.0/cmd/kubectl_token.go 2023-09-28 18:32:48.000000000 +0200 @@ -415,7 +415,7 @@ client := &http.Client{Transport: tr, Timeout: 300 * time.Second} - loginRequest := fmt.Sprintf("%s/login?requestId=%s&publicKey=%s&responseType=%s", + loginRequest := fmt.Sprintf("%s/dashboard/auth/login?requestId=%s&publicKey=%s&responseType=%s", input.server, id, encodedKey, responseType) customPrint(fmt.Sprintf("\nLogin to Rancher Server at %s \n", loginRequest)) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cli-2.7.7/config/config.go new/cli-2.8.0/config/config.go --- old/cli-2.7.7/config/config.go 2023-09-15 22:27:13.000000000 +0200 +++ new/cli-2.8.0/config/config.go 2023-09-28 18:32:48.000000000 +0200 @@ -2,6 +2,7 @@ import ( "encoding/json" + "fmt" "net/url" "os" "path" 
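Review bot: `GetConfigPath` is newly exported in the cmd/common.go hunk but has no doc comment; the only comment it carries is the inherited `// path will always be set by the global flag default`. Since main.go now calls it from outside the package, I would add `// GetConfigPath returns the config file path inside the directory named by the global "config" flag.` above the signature. The value comes straight from a user-supplied flag, so callers should treat the result as an arbitrary path.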
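Review bot: The changed `fmt.Sprintf` line in cmd/kubectl_token.go still assembles the login URL by plain interpolation, so `id`, `encodedKey` and `responseType` enter the query string unescaped. How `encodedKey` is produced is outside this hunk; if it is standard base64, a `+` in it would be read as a space by the server, so I would wrap each value in `url.QueryEscape(...)` or build the query with `url.Values`. A trailing slash on `input.server` would also yield `//dashboard/auth/login`; `strings.TrimSuffix(input.server, "/")` avoids that. The enclosing function starts and ends outside the hunk.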
@@ -32,6 +33,56 @@ KubeConfigs map[string]*api.Config `json:"kubeConfigs"` } +// LoadFromPath attempts to load a config from the given file path. If the file +// doesn't exist, an empty config is returned. +func LoadFromPath(path string) (Config, error) { + cf := Config{ + Path: path, + Servers: make(map[string]*ServerConfig), + } + + content, err := os.ReadFile(path) + if err != nil { + // it's okay if the file is empty, we still return a valid config + if os.IsNotExist(err) { + return cf, nil + } + + return cf, err + } + + if err := json.Unmarshal(content, &cf); err != nil { + return cf, fmt.Errorf("unmarshaling %s: %w", path, err) + } + cf.Path = path + + return cf, nil +} + +// GetFilePermissionWarnings returns the following warnings based on the file permission: +// - one warning if the file is group-readable +// - one warning if the file is world-readable +// We want this because configuration may have sensitive information (eg: creds). +// A nil error is returned if the file doesn't exist. +func GetFilePermissionWarnings(path string) ([]string, error) { + info, err := os.Stat(path) + if err != nil { + if os.IsNotExist(err) { + return []string{}, nil + } + return []string{}, fmt.Errorf("get file info: %w", err) + } + + var warnings []string + if info.Mode()&0040 > 0 { + warnings = append(warnings, fmt.Sprintf("Rancher configuration file %s is group-readable. This is insecure.", path)) + } + if info.Mode()&0004 > 0 { + warnings = append(warnings, fmt.Sprintf("Rancher configuration file %s is world-readable. This is insecure.", path)) + } + return warnings, nil +} + func (c Config) Write() error { err := os.MkdirAll(path.Dir(c.Path), 0700) if err != nil { 
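Review bot: `GetFilePermissionWarnings` tests only the read bits (`0040`, `0004`), so a config file that is group- or world-writable but not readable by that class (for example mode `0620`) produces no warning, even though a writable file lets another local account change the `URL` or `CACerts` the CLI trusts. I would add a check such as `if info.Mode().Perm()&0022 != 0 { warnings = append(warnings, ...) }`. The permission bits Go reports on Windows do not reflect ACLs (a writable file typically shows as `0666`), so both warnings are likely to fire on every run there; skipping the check when `runtime.GOOS == "windows"` would avoid that. Separately, the comment in `LoadFromPath` says "it's okay if the file is empty" while the branch handles a missing file; `// a missing file is fine, we still return a valid config` matches the code.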
@@ -41,7 +92,7 @@ logrus.Infof("Saving config to %s", c.Path) p := c.Path c.Path = "" - output, err := os.Create(p) + output, err := os.OpenFile(p, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600) if err != nil { return err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cli-2.7.7/config/config_test.go new/cli-2.8.0/config/config_test.go --- old/cli-2.7.7/config/config_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/cli-2.8.0/config/config_test.go 2023-09-28 18:32:48.000000000 +0200 
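Review bot: The `0600` passed to `os.OpenFile` applies only when the file is created, so a config file that already exists with wider permissions keeps them after this change (the new "existing config file" subtest asserts exactly that). If that is deliberate, a comment on this line such as `// mode applies only on creation; existing files keep their permissions` would record it, and the warning text could tell the user to run `chmod 600` on the file. `os.O_WRONLY` would suffice in place of `os.O_RDWR` unless the rest of `Write`, which continues outside the hunk, reads from `output`.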
@@ -0,0 +1,211 @@ +package config + +import ( + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/assert" +) + +const ( + validFile = ` +{ + "Servers": { + "rancherDefault": { + "accessKey": "the-access-key", + "secretKey": "the-secret-key", + "tokenKey": "the-token-key", + "url": "https://example.com", + "project": "cluster-id:project-id", + "cacert": "", + "kubeCredentials": null, + "kubeConfigs": null + } + }, + "CurrentServer": "rancherDefault" +}` + invalidFile = `invalid config file` +) + +func Test_GetFilePermissionWarnings(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + mode os.FileMode + expectedWarnings int + }{ + { + name: "neither group-readable nor world-readable", + mode: os.FileMode(0600), + expectedWarnings: 0, + }, + { + name: "group-readable and world-readable", + mode: os.FileMode(0644), + expectedWarnings: 2, + }, + { + name: "group-readable", + mode: os.FileMode(0640), + expectedWarnings: 1, + }, + { + name: "world-readable", + mode: os.FileMode(0604), + expectedWarnings: 1, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + assert := assert.New(t) + + dir, err := os.MkdirTemp("", "rancher-cli-test-*") + assert.NoError(err) + defer os.RemoveAll(dir) + + path := filepath.Join(dir, "cli2.json") + err = os.WriteFile(path, []byte(validFile), tt.mode) + assert.NoError(err) + + warnings, err := GetFilePermissionWarnings(path) + assert.NoError(err) + assert.Len(warnings, tt.expectedWarnings) + }) + } +} + +func Test_Permission(t *testing.T) { + t.Parallel() + + // New config files should have 0600 permissions + t.Run("new config file", func(t *testing.T) { + t.Parallel() + assert := assert.New(t) + + dir, err := os.MkdirTemp("", "rancher-cli-test-*") + assert.NoError(err) + defer os.RemoveAll(dir) + + path := filepath.Join(dir, "cli2.json") + conf, err := LoadFromPath(path) + assert.NoError(err) + + err = conf.Write() + assert.NoError(err) + + info, err := 
os.Stat(path) + assert.NoError(err) + assert.Equal(os.FileMode(0600), info.Mode()) + + // make sure new file doesn't create permission warnings + warnings, err := GetFilePermissionWarnings(path) + assert.NoError(err) + assert.Len(warnings, 0) + }) + // Already existing config files should keep their current permissions + t.Run("existing config file", func(t *testing.T) { + t.Parallel() + assert := assert.New(t) + + dir, err := os.MkdirTemp("", "rancher-cli-test-*") + assert.NoError(err) + defer os.RemoveAll(dir) + + path := filepath.Join(dir, "cli2.json") + err = os.WriteFile(path, []byte(validFile), 0700) + assert.NoError(err) + + conf, err := LoadFromPath(path) + assert.NoError(err) + + err = conf.Write() + assert.NoError(err) + + info, err := os.Stat(path) + assert.NoError(err) + assert.Equal(os.FileMode(0700), info.Mode()) + }) +} + +func Test_LoadFromPath(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + content string + expectedConf Config + expectedErr bool + }{ + { + name: "valid config", + content: validFile, + expectedConf: Config{ + Servers: map[string]*ServerConfig{ + "rancherDefault": { + AccessKey: "the-access-key", + SecretKey: "the-secret-key", + TokenKey: "the-token-key", + URL: "https://example.com", + Project: "cluster-id:project-id", + CACerts: "", + }, + }, + CurrentServer: "rancherDefault", + }, + }, + { + name: "invalid config", + content: invalidFile, + expectedConf: Config{ + Servers: map[string]*ServerConfig{}, + }, + expectedErr: true, + }, + { + name: "non existing file", + content: "", + expectedConf: Config{ + Servers: map[string]*ServerConfig{}, + CurrentServer: "", + }, + }, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + assert := assert.New(t) + + dir, err := os.MkdirTemp("", "rancher-cli-test-*") + assert.NoError(err) + defer os.RemoveAll(dir) + + path := filepath.Join(dir, "cli2.json") + // make sure the path points to the temp dir created in the test + 
tt.expectedConf.Path = path + + if tt.content != "" { + err = os.WriteFile(path, []byte(tt.content), 0600) + assert.NoError(err) + } + + conf, err := LoadFromPath(path) + if tt.expectedErr { + assert.Error(err) + // We kept the old behavior of returning a valid config even in + // case of an error so we assert it here. If you change this + // behavior, make sure there aren't any regressions. + assert.Equal(tt.expectedConf, conf) + return + } + + assert.NoError(err) + assert.Equal(tt.expectedConf, conf) + }) + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cli-2.7.7/go.mod new/cli-2.8.0/go.mod --- old/cli-2.7.7/go.mod 2023-09-15 22:27:13.000000000 +0200 +++ new/cli-2.8.0/go.mod 2023-09-28 18:32:48.000000000 +0200 @@ -1,6 +1,6 @@ module github.com/rancher/cli -go 1.19 +go 1.20 replace k8s.io/client-go => k8s.io/client-go v0.20.1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cli-2.7.7/main.go new/cli-2.8.0/main.go --- old/cli-2.7.7/main.go 2023-09-15 22:27:13.000000000 +0200 +++ new/cli-2.8.0/main.go 2023-09-28 18:32:48.000000000 +0200 @@ -7,6 +7,7 @@ "github.com/pkg/errors" "github.com/rancher/cli/cmd" + "github.com/rancher/cli/config" rancherprompt "github.com/rancher/cli/rancher_prompt" "github.com/sirupsen/logrus" "github.com/urfave/cli" @@ -70,6 +71,17 @@ if ctx.GlobalBool("debug") { logrus.SetLevel(logrus.DebugLevel) } + + path := cmd.GetConfigPath(ctx) + warnings, err := config.GetFilePermissionWarnings(path) + if err != nil { + // We don't want to block the execution of the CLI in that case + logrus.Errorf("Unable to verify config file permission: %s. Continuing.", err) + } + for _, warning := range warnings { + logrus.Warning(warning) + } + return nil } app.Version = VERSION ++++++ cli.obsinfo ++++++ --- /var/tmp/diff_new_pack.x1zE0e/_old 2023-10-24 20:09:15.818501831 +0200 +++ /var/tmp/diff_new_pack.x1zE0e/_new 2023-10-24 20:09:15.822501977 +0200 
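Review bot: `Test_GetFilePermissionWarnings` sets the file mode through `os.WriteFile(path, []byte(validFile), tt.mode)`, and that mode is filtered by the process umask, so under a umask such as `027` or `077` the group/world read bits can be masked off and the expected warning counts no longer match. Calling `assert.NoError(os.Chmod(path, tt.mode))` after the write pins the mode independently of the umask. As a style point, `t.TempDir()` would replace the `os.MkdirTemp` / `defer os.RemoveAll(dir)` pair in each subtest of config/config_test.go.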
@@ -1,5 +1,5 @@ name: cli -version: 2.7.7 -mtime: 1694809633 -commit: d8f002e61dd0e6bbb8bd2259bfd84880b5491def +version: 2.8.0 +mtime: 1695918768 +commit: 2cc3438cba73e9916729b8339d461ecfa9d85c33 ++++++ vendor.tar.gz ++++++