Class: Terminalwire::Client::Entitlement::Paths::Permit

Inherits:

Object

• Object
• Terminalwire::Client::Entitlement::Paths::Permit

Defined in:

lib/terminalwire/client/entitlement/paths.rb

Constant Summary

MODE =

Ensure the default file mode is read/write for owner only. This ensures that if the server tries uploading an executable file, it won’t be when it lands on the client.

Eventually we’ll move this into entitlements so the client can set maximum permissions for files and directories.

0o600

OWNER_PERMISSIONS =

Constants for permission bit masks

0o700

GROUP_PERMISSIONS =

rwx——

0o070

OTHERS_PERMISSIONS =

—rwx—

0o007

MODE_RANGE =

We’ll validate that modes are within this range.

0o000..0o777

Instance Attribute Summary

• #mode ⇒ Object readonly

  Returns the value of attribute mode.

• #path ⇒ Object readonly

  Returns the value of attribute path.

Instance Method Summary

• #initialize(path:, mode: MODE) ⇒ Permit constructor

  A new instance of Permit.

• #permitted?(path:, mode: @mode) ⇒ Boolean
• #permitted_mode?(value) ⇒ Boolean
• #permitted_path?(path) ⇒ Boolean
• #serialize ⇒ Object

Constructor Details

#initialize(path:, mode: MODE) ⇒ Permit

Returns a new instance of Permit.

# File 'lib/terminalwire/client/entitlement/paths.rb', line 22

def initialize(path:, mode: MODE)
  @path = Pathname.new(path)
  @mode = convert(mode)
end

Instance Attribute Details

#mode ⇒ Object (readonly)

Returns the value of attribute mode.

# File 'lib/terminalwire/client/entitlement/paths.rb', line 5

def mode
  @mode
end

#path ⇒ Object (readonly)

Returns the value of attribute path.

# File 'lib/terminalwire/client/entitlement/paths.rb', line 5

def path
  @path
end

Instance Method Details

#permitted?(path:, mode: @mode) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/terminalwire/client/entitlement/paths.rb', line 48

def permitted?(path:, mode: @mode)
  permitted_path?(path) && permitted_mode?(mode)
end

#permitted_mode?(value) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/terminalwire/client/entitlement/paths.rb', line 33

def permitted_mode?(value)
  # Ensure the mode is at least as permissive as the permitted mode.
  mode = convert(value)

  # Extract permission bits for owner, group, and others
  owner_bits = mode & OWNER_PERMISSIONS
  group_bits = mode & GROUP_PERMISSIONS
  others_bits = mode & OTHERS_PERMISSIONS

  # Ensure that the mode doesn't grant more permissions than @mode in any class (owner, group, others)
  (owner_bits <= @mode & OWNER_PERMISSIONS) &&
  (group_bits <= @mode & GROUP_PERMISSIONS) &&
  (others_bits <= @mode & OTHERS_PERMISSIONS)
end

#permitted_path?(path) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/terminalwire/client/entitlement/paths.rb', line 27

def permitted_path?(path)
  # This MUST be done via File.fnmatch because Pathname#fnmatch does not work. If you
  # try changing this 🚨 YOU MAY CIRCUMVENT THE SECURITY MEASURES IN PLACE. 🚨
  File.fnmatch @path.to_s, path.to_s, File::FNM_PATHNAME
end

#serialize ⇒ Object

# File 'lib/terminalwire/client/entitlement/paths.rb', line 52

def serialize
  {
    location: @path.to_s,
    mode: @mode
  }
end