From 3dcd1e4db7540459d3dff337684547d68fea2b44 Mon Sep 17 00:00:00 2001
From: Cédric Ollivier <cedric.ollivier@orange.com>
Date: Sun, 2 Jul 2017 10:16:05 +0200
Subject: Apply restrictive file permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It conforms to [1] by creating a new venv which checks the Unix
permissions. As jjobs call Functest console scripts [2], all file
permissions can be 644.

Dockerfiles are updated as well.

[1] https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html
[2] https://gerrit.opnfv.org/gerrit/#/c/36805/

Depends-On: I9209e6efa1b493e24135402a46df72aaa14115d1
Change-Id: I31bc7f12b775928845e23b6b40288b0a50b87219
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
---
 docker/Dockerfile                             | 16 ----------------
 docker/Dockerfile.aarch64                     | 16 ----------------
 docker/add_images.sh                          |  0
 docker/config_install_env.sh                  |  0
 docker/docker_remote_api/enable_remote_api.sh |  0
 functest/ci/download_images.sh                |  0
 functest/ci/prepare_env.py                    |  4 ----
 functest/ci/run_tests.py                      |  3 ---
 functest/opnfv_tests/openstack/vping/ping.sh  |  0
 functest/opnfv_tests/vnf/ims/create_venv.sh   |  0
 tox.ini                                       | 13 ++++++++++++-
 11 files changed, 12 insertions(+), 40 deletions(-)
 mode change 100755 => 100644 docker/add_images.sh
 mode change 100755 => 100644 docker/config_install_env.sh
 mode change 100755 => 100644 docker/docker_remote_api/enable_remote_api.sh
 mode change 100755 => 100644 functest/ci/download_images.sh
 mode change 100755 => 100644 functest/ci/prepare_env.py
 mode change 100755 => 100644 functest/ci/run_tests.py
 mode change 100755 => 100644 functest/opnfv_tests/openstack/vping/ping.sh
 mode change 100755 => 100644 functest/opnfv_tests/vnf/ims/create_venv.sh

diff --git a/docker/Dockerfile b/docker/Dockerfile
index d38713e06..a4a425885 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -101,22 +101,6 @@ RUN git clone --depth 1 -b $VIMS_TAG https://github.com/boucherv-orange/clearwat
 RUN git clone --depth 1 -b $VROUTER_TAG https://github.com/oolorg/opnfv-functest-vrouter.git ${REPOS_VNFS_DIR}/vrouter
 RUN git clone --depth 1 https://github.com/wuwenbin2/OnosSystemTest.git ${REPOS_DIR}/onos
 
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L __main__ |cut -d\: -f 1 |xargs chmod -c 644 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L \#\! |cut -d\:  -f 1 |xargs chmod -c 644
-
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep __main__ |cut -d\: -f 1 |xargs chmod -c 755 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep \#\! |cut -d\:  -f 1 |xargs chmod -c 755
-
 RUN wget -q https://git.openstack.org/cgit/openstack/rally/plain/install_rally.sh?h=${RALLY_TAG} -O install_rally.sh \
     && bash install_rally.sh --branch ${RALLY_TAG} --yes && rm install_rally.sh
 
diff --git a/docker/Dockerfile.aarch64 b/docker/Dockerfile.aarch64
index 77c94b02f..a8f866718 100644
--- a/docker/Dockerfile.aarch64
+++ b/docker/Dockerfile.aarch64
@@ -93,22 +93,6 @@ RUN git clone --depth 1 -b $ODL_TAG https://git.opendaylight.org/gerrit/p/integr
 RUN git clone --depth 1 -b $VIMS_TAG https://github.com/boucherv-orange/clearwater-live-test ${REPOS_VNFS_DIR}/vims-test
 RUN git clone --depth 1 https://github.com/wuwenbin2/OnosSystemTest.git ${REPOS_DIR}/onos
 
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L __main__ |cut -d\: -f 1 |xargs chmod -c 644 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep -L \#\! |cut -d\:  -f 1 |xargs chmod -c 644
-
-RUN find -L ${FUNCTEST_REPO_DIR} -name "*.py" \
-    -not -path "*tests/unit*" \
-    -not -path "*functest_venv*" \
-    |xargs grep __main__ |cut -d\: -f 1 |xargs chmod -c 755 \
-    && find -L ${FUNCTEST_REPO_DIR} -name "*.sh" \
-    -not -path "*functest_venv*" \
-    |xargs grep \#\! |cut -d\:  -f 1 |xargs chmod -c 755
-
 RUN wget -q https://git.openstack.org/cgit/openstack/rally/plain/install_rally.sh?h=${RALLY_TAG} -O install_rally.sh \
     && bash install_rally.sh --branch ${RALLY_TAG} --yes && rm install_rally.sh
 
diff --git a/docker/add_images.sh b/docker/add_images.sh
old mode 100755
new mode 100644
diff --git a/docker/config_install_env.sh b/docker/config_install_env.sh
old mode 100755
new mode 100644
diff --git a/docker/docker_remote_api/enable_remote_api.sh b/docker/docker_remote_api/enable_remote_api.sh
old mode 100755
new mode 100644
diff --git a/functest/ci/download_images.sh b/functest/ci/download_images.sh
old mode 100755
new mode 100644
diff --git a/functest/ci/prepare_env.py b/functest/ci/prepare_env.py
old mode 100755
new mode 100644
index ae9d9537e..da3e62450
--- a/functest/ci/prepare_env.py
+++ b/functest/ci/prepare_env.py
@@ -389,7 +389,3 @@ def main():
     parser = PrepareEnvParser()
     args = parser.parse_args(sys.argv[1:])
     return prepare_env(**args)
-
-
-if __name__ == '__main__':
-    sys.exit(main())
diff --git a/functest/ci/run_tests.py b/functest/ci/run_tests.py
old mode 100755
new mode 100644
index 5155adc46..b95e1008b
--- a/functest/ci/run_tests.py
+++ b/functest/ci/run_tests.py
@@ -276,6 +276,3 @@ def main():
     args = parser.parse_args(sys.argv[1:])
     runner = Runner()
     return runner.main(**args).value
-
-if __name__ == '__main__':
-    sys.exit(main())
diff --git a/functest/opnfv_tests/openstack/vping/ping.sh b/functest/opnfv_tests/openstack/vping/ping.sh
old mode 100755
new mode 100644
diff --git a/functest/opnfv_tests/vnf/ims/create_venv.sh b/functest/opnfv_tests/vnf/ims/create_venv.sh
old mode 100755
new mode 100644
diff --git a/tox.ini b/tox.ini
index 5622e33f5..4de5fa4ad 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
 [tox]
-envlist = docs,pep8,pylint,py35,py27
+envlist = docs,pep8,pylint,py35,py27,perm
 
 [testenv]
 usedevelop = True
@@ -49,3 +49,14 @@ dirs =
   functest/tests/unit/odl
   functest/tests/unit/utils/test_decorators.py
 commands = nosetests {[testenv:py35]dirs}
+
+[testenv:perm]
+basepython = python2.7
+whitelist_externals = bash
+path=. -not -path './.tox/*' -not -path './.git/*' -not -path './docs/com/pres/reveal.js/*'
+commands =
+  bash -c "\
+    find {[testenv:perm]path} \( -type f -not -perm 644 -o -type d -not -perm 755 \) \
+    -exec ls -l \{\} + | grep '.' && exit 1 || exit 0"
+  bash -c "\
+    find {[testenv:perm]path} -exec file \{\} + | grep CRLF && exit 1 || exit 0"
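Review bot: The first command in `[testenv:perm]` tests working-tree modes with exact matches (`-not -perm 644`, `-not -perm 755`), and those modes depend on the umask in effect when the tree was cloned, since git records only the executable bit. A checkout under umask 002 or 077 would yield 664/775 or 600/700 and fail the env even though nothing tracked is wrong, and a stricter-than-644 file is reported as a violation. Checking the modes recorded in the index would make the result reproducible, for example `git ls-files -s | grep -v '^100644 ' && exit 1 || exit 0`, with symlink entries and the reveal.js exclusion handled separately; directory modes are not tracked by git, so that half of the test can only ever describe the local checkout. Separately, both pipelines take their exit status from `grep` alone, so a `find` or `file` error that produces no matching output is reported as success.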
-- 
cgit