Windows: Reset permissions of plan working directories

Since we don't delete the entire working directory anymore at scheduler start, it's not enough to grant permissions to the user configured for headed execution (if any). We also have to ensure that no other, previously configured user has access. CMK-18459
elabit · Aug 23, 2024 · 5c221cc · 5c221cc
1 parent eb6f1df
commit 5c221cc
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/src/bin/scheduler/setup/general.rs b/src/bin/scheduler/setup/general.rs
@@ -102,10 +102,27 @@ fn setup_plans_working_directory(plans: Vec<Plan>) -> (Vec<Plan>, Vec<SetupFailu
         }
         #[cfg(windows)]
         {
-            use super::windows_permissions::grant_full_access;
+            use super::windows_permissions::{grant_full_access, reset_access};
             use log::info;
             use robotmk::session::Session;
 
+            info!("Resetting permissions for {}", &plan.working_directory);
+            if let Err(e) = reset_access(&plan.working_directory) {
+                let error = anyhow!(e);
+                error!(
+                    "Plan {}: Failed to reset permissions for working directory. \
+                     Plan won't be scheduled.
+                     Error: {error:?}",
+                    plan.id
+                );
+                failures.push(SetupFailure {
+                    plan_id: plan.id.clone(),
+                    summary: "Failed to reset permissions for working directory".to_string(),
+                    details: format!("{error:?}"),
+                });
+                continue;
+            };
+
             if let Session::User(user_session) = &plan.session {
                 info!(
                     "Granting full access for {} to user `{}`.",

diff --git a/src/bin/scheduler/setup/windows_permissions.rs b/src/bin/scheduler/setup/windows_permissions.rs
@@ -86,6 +86,14 @@ pub fn grant_full_access(user: &str, target_path: &Utf8Path) -> anyhow::Result<(
     })
 }
 
+pub fn reset_access(target_path: &Utf8Path) -> anyhow::Result<()> {
+    let arguments = [target_path.as_ref(), "/reset", "/T"];
+    run_icacls_command(arguments).map_err(|e| {
+        let message = format!("Resetting permissions of {target_path} failed");
+        e.context(message)
+    })
+}
+
 pub fn adjust_rcc_file_permissions(
     rcc_config: &RCCConfig,
     rcc_plans: Vec<Plan>,