Set permissions for headed execution

CMK-17430
elabit · May 28, 2024 · d4a4394 · d4a4394
1 parent b873dda
commit d4a4394
Showing 1 changed file with 39 additions and 1 deletion.
diff --git a/src/bin/scheduler/setup/zip.rs b/src/bin/scheduler/setup/zip.rs
@@ -1,6 +1,8 @@
 use crate::internal_config::Plan;
+use crate::setup::run_icacls_command;
 use camino::Utf8Path;
 use log::{error, info};
+use robotmk::session::Session;
 use std::fs;
 use std::io;
 
@@ -37,7 +39,7 @@ fn unzip_into(zip_file: &Utf8Path, target_path: &Utf8Path) -> anyhow::Result<()>
     Ok(())
 }
 
-pub fn setup(plans: Vec<Plan>) -> Vec<Plan> {
+fn zip_setup(plans: Vec<Plan>) -> Vec<Plan> {
     let mut surviving_plans = Vec::new();
     for plan in plans.into_iter() {
         if let Some(zip_file) = &plan.zip_file {
@@ -51,3 +53,39 @@ pub fn setup(plans: Vec<Plan>) -> Vec<Plan> {
     }
     surviving_plans
 }
+
+fn grant_full_access(user: &str, target_path: &Utf8Path) -> anyhow::Result<()> {
+    let arguments = [
+        target_path.as_ref(),
+        "/grant",
+        &format!("{user}:(OI)(CI)F"),
+        "/T",
+    ];
+    run_icacls_command(arguments).map_err(|e| {
+        let message = format!("Adjusting permissions of {target_path} for user `{user}` failed");
+        e.context(message)
+    })
+}
+
+fn permission_setup(plans: Vec<Plan>) -> Vec<Plan> {
+    let mut surviving_plans = Vec::new();
+    for plan in plans.into_iter() {
+        if let Session::User(user_session) = &plan.session {
+            if let Err(error) = grant_full_access(&user_session.user_name, &plan.managed_directory)
+            {
+                error!("{error:#}");
+                continue;
+            }
+            info!(
+                "Adjusted permissions for {} for user `{}`.",
+                &plan.managed_directory, &user_session.user_name
+            );
+        }
+        surviving_plans.push(plan);
+    }
+    surviving_plans
+}
+
+pub fn setup(plans: Vec<Plan>) -> Vec<Plan> {
+    permission_setup(zip_setup(plans))
+}