raise-if-root 0.0.1

data/README.md

@@ -0,0 +1,92 @@
+# Raise If Root
+
+[![Gem Version](https://badge.fury.io/rb/raise-if-root.svg)](https://rubygems.org/gems/raise-if-root)
+[![Build status](https://travis-ci.org/ab/raise-if-root.svg)](https://travis-ci.org/ab/raise-if-root)
+[![Code Climate](https://codeclimate.com/github/ab/raise-if-root.svg)](https://codeclimate.com/github/ab/raise-if-root)
+[![Inline Docs](http://inch-ci.org/github/ab/raise-if-root.svg?branch=master)](http://www.rubydoc.info/github/ab/raise-if-root/master)
+
+*Raise If Root* is a small gem that helps prevent your application from ever
+running as the root user (uid 0).
+
+## Why?
+
+Many software systems rely on user privilege separation for security reasons.
+Especially within containers or chroots, running as a non-privileged user gives
+stronger isolation.
+
+*Raise If Root* helps enforce that you never inadvertently load your
+application code as root.
+
+Will it protect you if your attacker is already running as root? Probably not.
+But it does help remove opportunities for error, where you might accidentally
+run root rake tasks, cron jobs, or deploy scripts.
+
+## Usage
+
+Add the gem to your application's Gemfile:
+
+```ruby
+gem 'raise-if-root', '~> 0'
+```
+
+Require it from your main application code:
+
+```ruby
+require 'raise-if-root'
+```
+
+There is no step three! This will raise `RaiseIfRoot::AssertionFailed` if the
+current uid is 0.
+
+### More complex patterns
+
+See the [YARD documentation](http://www.rubydoc.info/github/ab/raise-if-root/master).
+
+If you want to enforce that the application is running as a particular user,
+there are several more specific functions available.
+
+Load the library, which doesn't immediately raise when you load it.
+
+```ruby
+# load the library, which doesn't raise
+require 'raise-if-root/library'
+
+# raise if running as uid 1000
+RaiseIfRoot.raise_if_uid(1000)
+
+# raise unless user is nobody
+RaiseIfRoot.raise_if(username_not: 'nobody')
+
+# raise with multiple conditions
+RaiseIfRoot.raise_if(uid_not: 1000, gid_not: 500)
+```
+
+### Notification callbacks
+
+If you want to sound the alarm with something more than just the exception, you
+can add callbacks to send emails, smoke signals, etc.
+
+```ruby
+# load the library, which doesn't raise
+require 'raise-if-root/library'
+
+RaiseIfRoot.add_assertion_callback do |err|
+  Mail.deliver do
+    from    'system@example.com'
+    to      'alerts@example.com'
+    subject 'App was run as root'
+    body    "RaiseIfRoot is raising an exception:\n  #{err.inspect}\n"
+  end
+end
+
+# ensure we're not root
+RaiseIfRoot.raise_if_root
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,15 @@
+require 'bundler/gem_tasks'
+require 'bundler/setup'
+require 'rspec/core/rake_task'
+
+task :default do
+  sh 'rake -T'
+end
+
+RSpec::Core::RakeTask.new(:spec)
+
+def alias_task(alias_task, original)
+  desc "Alias for rake #{original}"
+  task alias_task, Rake.application[original].arg_names => original
+end
+alias_task(:test, :spec)

data/lib/raise-if-root.rb

@@ -0,0 +1,3 @@
+require_relative 'raise-if-root/library'
+
+RaiseIfRoot.raise_if_root

data/lib/raise-if-root/library.rb

@@ -0,0 +1,169 @@
+require 'etc'
+
+require_relative './version'
+
+module RaiseIfRoot
+  # Error class for RaiseIfRoot assertion failures. Inherits directly from
+  # Exception because we don't want a bare rescue to catch this.
+  # rubocop:disable Lint/InheritException
+  class AssertionFailed < Exception; end
+
+  # Raise if the process UID/EUID is 0 or if the process GID/EGID is 0.
+  #
+  # @raise [AssertionFailed] if running as root
+  #
+  def self.raise_if_root
+    raise_if(uid: 0, gid: 0)
+  end
+
+  # Raise if the process UID or EUID equals +uid+.
+  #
+  # @param uid [Integer]
+  #
+  # @raise [AssertionFailed]
+  #
+  # @see .raise_if
+  #
+  def self.raise_if_uid(uid)
+    raise_if(uid: uid)
+  end
+
+  # Raise AssertionFailed if any of the specified conditions are met. This is
+  # the primary method powering RaiseIfRoot.
+  #
+  # @param uid [Integer] Raise if the process UID or EUID matches
+  # @param gid [Integer] Raise if the process GID or EGID matches
+  #
+  # @param uid_not [Integer] Raise if the process UID or EUID does not match
+  #   the provided value
+  # @param gid_not [Integer] Raise if the process GID or EGID does not match
+  #   the provided value
+  #
+  # @param username [String] Raise if the username of the process UID or EUID
+  #   matches the provided value
+  # @param username_not [String] Raise if the username of the process UID or
+  #   EUID does not match the provided value
+  #
+  # @raise [AssertionFailed] if any of the conditions match.
+  #
+  # rubocop:disable Metrics/ParameterLists
+  def self.raise_if(uid: nil, gid: nil, uid_not: nil, gid_not: nil,
+                    username: nil, username_not: nil)
+    if uid
+      assert_not_equal('UID', Process.uid, uid)
+      assert_not_equal('EUID', Process.euid, uid)
+    end
+
+    if gid
+      assert_not_equal('GID', Process.gid, gid)
+      assert_not_equal('EGID', Process.egid, gid)
+    end
+
+    if uid_not
+      assert_equal('UID', Process.uid, uid_not)
+      assert_equal('EUID', Process.euid, uid_not)
+    end
+
+    if gid_not
+      assert_equal('GID', Process.gid, gid_not)
+      assert_equal('EGID', Process.egid, gid_not)
+    end
+
+    # raise if username
+    if username
+      assert_not_equal('username', Etc.getpwuid(Process.uid).name, username)
+      assert_not_equal('effective username', Etc.getpwuid(Process.euid).name,
+                       username)
+    end
+
+    # raise unless username is username_not
+    if username_not
+      assert_equal('username', Etc.getpwuid(Process.uid).name, username_not)
+      assert_equal('effective username', Etc.getpwuid(Process.euid).name,
+                   username_not)
+    end
+  end
+
+  # Assert that two values are equal. If they are not, run assertion callbacks
+  # and raise AssertionFailed.
+  #
+  # @param label [String] The label for the comparison we're making
+  # @param actual The actual value
+  # @param expected The expected value
+  #
+  # @raise [AssertionFailed] if the values are not equal
+  #
+  def self.assert_equal(label, actual, expected)
+    if expected.nil?
+      warn('warning: RaiseIfRoot.assert_equal called with expected=nil')
+    end
+    if actual != expected
+      err = new_assertion_failed(label, actual, expected)
+      run_assertion_callbacks(err)
+      raise err
+    end
+  end
+
+  # Assert that two values are not equal. But if they are equal, run assertion
+  # callbacks and raise AssertionFailed.
+  #
+  # @param label [String] The label for the comparison we're making
+  # @param actual The actual value
+  # @param expected The expected value
+  #
+  # @raise [AssertionFailed] if the values are equal
+  #
+  def self.assert_not_equal(label, actual, expected)
+    if actual == expected
+      err = new_assertion_failed(label, actual)
+      run_assertion_callbacks(err)
+      raise err
+    end
+  end
+
+  # Create a new AssertionFailed object.
+  #
+  # @param label [String] The label for the comparison we're making
+  # @param actual The actual value
+  # @param expected The expected value, if any
+  #
+  # @return [AssertionFailed]
+  #
+  def self.new_assertion_failed(label, actual, expected=nil)
+    # rubocop:disable Style/SpecialGlobalVars
+    message = "Process[#{$$}] #{label} is #{actual.inspect}"
+    if expected
+      message << ", expected #{expected.inspect}"
+    end
+
+    AssertionFailed.new(message)
+  end
+
+  # Add a callback to the list of assertion callbacks that are executed when an
+  # assertion fails. The callback will be passed one argument: the
+  # AssertionFailed exception object just before it is raised.
+  def self.add_assertion_callback(&block)
+    raise ArgumentError.new("Must pass block") unless block
+
+    assertion_callbacks << block
+  end
+
+  # The list of stored assertion callbacks. These are executed when an
+  # assertion fails just before the assertion is raised.
+  #
+  # @return [Array<Proc>]
+  #
+  def self.assertion_callbacks
+    @assertion_callbacks ||= []
+  end
+
+  # Execute all of the stored assertion callbacks.
+  #
+  # @param [AssertionFailed] err The exception object to pass to each callback.
+  #
+  # @return [Array] The collected return values of the callbacks.
+  #
+  def self.run_assertion_callbacks(err)
+    assertion_callbacks.map { |block| block.call(err) }
+  end
+end

data/lib/raise-if-root/version.rb

@@ -0,0 +1,4 @@
+module RaiseIfRoot
+  # version string
+  VERSION = '0.0.1'.freeze
+end

data/raise-if-root.gemspec

@@ -0,0 +1,34 @@
+# coding: utf-8
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'raise-if-root/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'raise-if-root'
+  spec.version       = RaiseIfRoot::VERSION
+  spec.authors       = ['Andy Brody']
+  spec.email         = ['git@abrody.com']
+  spec.summary       = 'Library that raises when run as root user'
+  spec.description   = <<-EOM
+    Raise If Root is a small library that raises an exception when run as the
+    root user (uid 0). This helps ensure that you never accidentally run your
+    application as root.
+  EOM
+  spec.homepage      = 'https://github.com/ab/raise-if-root'
+  spec.license       = 'GPL-3'
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.3'
+  spec.add_development_dependency 'pry'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '~> 0'
+  spec.add_development_dependency 'yard'
+
+  spec.required_ruby_version = '>= 2.0'
+end

data/spec/spec_helper.rb

@@ -0,0 +1,88 @@
+require_relative '../lib/raise-if-root/library'
+
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider making
+# a separate helper file that requires the additional dependencies and performs
+# the additional setup, and require it from the spec files that actually need
+# it.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # The settings below are suggested to provide a good initial experience
+  # with RSpec, but feel free to customize to your heart's content.
+
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  # config.filter_run :focus
+  # config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  # config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+end

data/spec/unit/raise-if-root/library_spec.rb

@@ -0,0 +1,140 @@
+# NB: These tests cannot be run as root (uid 0 or gid 0), sorry.
+RSpec.describe RaiseIfRoot do
+
+  describe '.raise_if_root' do
+    it 'should raise if uid is 0' do
+      allow(Process).to receive(:uid).and_return(0)
+      expect {
+        RaiseIfRoot.raise_if_root
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\bUID\b/)
+    end
+    it 'should raise if euid is 0' do
+      allow(Process).to receive(:euid).and_return(0)
+      expect {
+        RaiseIfRoot.raise_if_root
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\bEUID\b/)
+    end
+    it 'should raise if gid is 0' do
+      allow(Process).to receive(:gid).and_return(0)
+      expect {
+        RaiseIfRoot.raise_if_root
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\bGID\b/)
+    end
+    it 'should raise if egid is 0' do
+      allow(Process).to receive(:egid).and_return(0)
+      expect {
+        RaiseIfRoot.raise_if_root
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\bEGID\b/)
+    end
+
+    it 'should not raise otherwise' do
+      expect(RaiseIfRoot.raise_if_root).to eq nil
+    end
+
+    it 'runs assertion callbacks' do
+      allow(Process).to receive(:uid).and_return(0)
+      expect(RaiseIfRoot).to receive(:run_assertion_callbacks).with(
+        instance_of(RaiseIfRoot::AssertionFailed)
+      ).once.and_call_original
+
+      expect {
+        RaiseIfRoot.raise_if_root
+      }.to raise_error(RaiseIfRoot::AssertionFailed)
+    end
+  end
+
+  describe '.add_assertion_callback' do
+    before do
+      RaiseIfRoot.assertion_callbacks.clear
+    end
+    after do
+      RaiseIfRoot.assertion_callbacks.clear
+    end
+
+    it 'adds a callback' do
+      expect(RaiseIfRoot.assertion_callbacks.length).to eq 0
+
+      RaiseIfRoot.add_assertion_callback { :returnvalue }
+      expect(RaiseIfRoot.assertion_callbacks.last).is_a?(Proc)
+      expect(RaiseIfRoot.assertion_callbacks.length).to eq 1
+
+      expect(RaiseIfRoot.run_assertion_callbacks(nil)).to eq([:returnvalue])
+    end
+  end
+
+  describe '.run_assertion_callbacks' do
+    before do
+      RaiseIfRoot.assertion_callbacks.clear
+    end
+    after do
+      RaiseIfRoot.assertion_callbacks.clear
+    end
+
+    it 'runs callbacks' do
+      sentinel = double('Sentinel')
+      expect(sentinel).to(receive(:callback).with(
+        instance_of(RaiseIfRoot::AssertionFailed)
+      ).twice.and_return(:callbackresponse1, :callbackresponse2))
+
+      expect(RaiseIfRoot.assertion_callbacks.length).to eq 0
+
+      RaiseIfRoot.add_assertion_callback { |err| sentinel.callback(err) }
+      RaiseIfRoot.add_assertion_callback { |err| sentinel.callback(err) }
+
+      expect(RaiseIfRoot.assertion_callbacks.length).to eq 2
+
+      expect(RaiseIfRoot.run_assertion_callbacks(
+        RaiseIfRoot::AssertionFailed.new
+      )).to eq([:callbackresponse1, :callbackresponse2])
+    end
+  end
+
+  describe '.raise_if' do
+    before do
+      allow(Process).to receive(:uid).and_return(5000)
+      allow(Process).to receive(:euid).and_return(5000)
+
+      allow(Process).to receive(:gid).and_return(5000)
+      allow(Process).to receive(:egid).and_return(5000)
+
+      @someuser = double('Etc::Passwd', name: 'someuser')
+    end
+
+    it 'does not raise by default' do
+      expect(RaiseIfRoot.raise_if).to eq nil
+      expect(RaiseIfRoot.raise_if(uid: 0)).to eq nil
+      expect(RaiseIfRoot.raise_if(gid: 0)).to eq nil
+      expect(RaiseIfRoot.raise_if(uid_not: 5000)).to eq nil
+      expect(RaiseIfRoot.raise_if(gid_not: 5000)).to eq nil
+      expect(RaiseIfRoot.raise_if(uid: 0, gid: 0)).to eq nil
+    end
+
+    it 'raises when any condition matches' do
+      expect {
+        RaiseIfRoot.raise_if(uid: 0, gid: 0, uid_not: 123, gid_not: 5000)
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\bUID\b/)
+      expect {
+        RaiseIfRoot.raise_if(uid: 0, gid: 5000, uid_not: 5000, gid_not: 5000)
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\bGID\b/)
+      expect {
+        RaiseIfRoot.raise_if(uid: 5000, gid: 0)
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\bUID\b/)
+    end
+
+    it 'handles username and not_username' do
+      allow(Etc).to receive(:getpwuid).with(5000).and_return(@someuser)
+
+      expect {
+        RaiseIfRoot.raise_if(username: 'someuser')
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\busername\b/)
+
+      expect(RaiseIfRoot.raise_if(username: 'other')).to eq nil
+
+      expect {
+        RaiseIfRoot.raise_if(username_not: 'other')
+      }.to raise_error(RaiseIfRoot::AssertionFailed, /\busername\b/)
+
+      expect(RaiseIfRoot.raise_if(username_not: 'someuser')).to eq nil
+    end
+  end
+end