gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add automated permission validation and fix tools

Browse Source 
Added comprehensive automation for file permissions management to prevent
HTTP 403 errors caused by incorrect permissions (600 instead of 644).

🆕 New Tool: fix-permissions.sh
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Automated script to fix and verify file permissions:

Features:
- Fixes local source permissions (--local)
- Fixes remote router permissions (--remote)
- Default: fixes both local and remote
- Auto-verifies RPCD scripts (755)
- Auto-verifies CSS files (644)
- Auto-verifies JS files (644)
- Clears cache and restarts services (remote)
- Reports all changes made

Usage:
  ./secubox-tools/fix-permissions.sh --local   # Before commit
  ./secubox-tools/fix-permissions.sh --remote  # After deploy
  ./secubox-tools/fix-permissions.sh           # Both

 Enhanced: validate-modules.sh - Check 7
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Added comprehensive permission validation:

Check 7: htdocs file permissions
- Validates all CSS files have 644 permissions
- Validates all JS files have 644 permissions
- Reports files with wrong permissions
- Suggests fix-permissions.sh for auto-correction
- Counts permission errors in summary

Total validation checks: 7
1. RPCD script names vs ubus objects
2. Menu paths vs view file locations
3. View files have menu entries
4. RPCD script permissions (755)
5. JSON syntax validation
6. ubus object naming convention
7. htdocs file permissions (644) ← NEW

📚 Documentation Updates
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DEVELOPMENT-GUIDELINES.md:
- Added "Correction Automatique" section with fix-permissions.sh
- Added "Validation Automatique des Permissions" section
- Added recommended workflow: fix → validate → commit → deploy → fix remote

QUICK-START.md:
- Updated Validation section with fix-permissions.sh
- Updated Common Errors Quick Fix with automated script
- Updated Pre-Commit Checklist with automated tools
- Marked permissions as "auto-verified" in checklist

CLAUDE.md:
- Updated critical rules with auto-fix commands
- Added 7 validation checks list
- Enhanced Validation section with detailed check descriptions
- Added fix-permissions.sh to workflow

🔧 Files Modified
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

New:
+ secubox-tools/fix-permissions.sh (executable)

Modified:
* secubox-tools/validate-modules.sh (Check 7 added)
* DEVELOPMENT-GUIDELINES.md (~50 lines added)
* QUICK-START.md (~15 lines added)
* CLAUDE.md (~25 lines added)

🎯 Problem Solved
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Root cause: Files created/deployed with umask 0077 result in 600 permissions
Symptom: HTTP 403 Forbidden errors on CSS/JS resources
Impact: Modules fail to load in browser

Recent examples:
- secubox: 10 files with 600 permissions (monitoring.js, theme.js, etc.)
- netdata-dashboard: 3 files with 600 permissions

Solution: Automated detection and correction tools now prevent this issue

Workflow integration:
 Pre-commit: fix-permissions.sh --local
 Validation: validate-modules.sh (Check 7)
 Post-deploy: fix-permissions.sh --remote

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
CyberMind-FR 2025-12-26 20:51:52 +01:00
parent 58a6bcba73
commit 14b0f4facb
5 changed files with 315 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
CLAUDE.md
View File

@ -35,7 +35,10 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
1. **RPCD Script Naming:** Nom fichier = objet ubus (`luci.system-hub`)
2. **Menu Path Matching:** Path menu = fichier vue (`system-hub/overview.js`)
3. **Permissions:** RPCD = 755, CSS/JS = 644
- **Auto-fix:** `./secubox-tools/fix-permissions.sh --local` (avant commit)
- **Auto-fix remote:** `./secubox-tools/fix-permissions.sh --remote` (après deploy)
4. **Validation:** Toujours exécuter `./secubox-tools/validate-modules.sh` avant commit
- **7 checks automatiques:** RPCD naming, menu paths, view files, RPCD permissions, JSON syntax, ubus naming, **htdocs permissions**
5. **CSS Variables:** Toujours utiliser `var(--sh-*)`, jamais hardcoder les couleurs
6. **Dark Mode:** Toujours supporter dark mode avec `[data-theme="dark"]`
7. **Typography:** Inter (texte), JetBrains Mono (valeurs numériques)
@ -77,8 +80,19 @@ opkg install /tmp/luci-app-*.ipk
### Validation
```bash
# Run comprehensive module validation (RECOMMENDED)
# Fix file permissions FIRST (CRITICAL)
./secubox-tools/fix-permissions.sh --local
# Run comprehensive module validation (RECOMMENDED - 7 checks)
./secubox-tools/validate-modules.sh
# Checks:
# 1. RPCD script names vs ubus objects
# 2. Menu paths vs view file locations
# 3. View files have menu entries
# 4. RPCD script permissions (755)
# 5. JSON syntax validation
# 6. ubus object naming convention
# 7. htdocs file permissions (644 for CSS/JS) ← NEW
# Validate shell scripts (RPCD backends)
shellcheck luci-app-*/root/usr/libexec/rpcd/*
@ -89,6 +103,9 @@ find . -name "*.json" -exec jsonlint {} \;
# Run automated repair tool
./secubox-tools/secubox-repair.sh
# Fix permissions on deployed router
./secubox-tools/fix-permissions.sh --remote
# Run diagnostics
./secubox-tools/secubox-debug.sh luci-app-<module-name>
```

45
DEVELOPMENT-GUIDELINES.md
View File

@ -1288,6 +1288,51 @@ find /usr/libexec/rpcd/ -name 'luci.*' -exec chmod 755 {} \;
EOF
```
**⚡ Correction Automatique (Recommandé):**
Utiliser le script automatique qui vérifie et corrige toutes les permissions:
```bash
# Corriger permissions locales (source code)
./secubox-tools/fix-permissions.sh --local
# Corriger permissions sur routeur
./secubox-tools/fix-permissions.sh --remote
# Corriger les deux (local + remote)
./secubox-tools/fix-permissions.sh
```
Le script `fix-permissions.sh` effectue automatiquement:
- ✅ Fixe tous les RPCD scripts à 755
- ✅ Fixe tous les CSS à 644
- ✅ Fixe tous les JS à 644
- ✅ Vérifie qu'aucun fichier 600 ne reste
- ✅ Clear cache et restart services (remote mode)
- ✅ Affiche un rapport complet des changements
**🔍 Validation Automatique des Permissions:**
Le script `validate-modules.sh` inclut maintenant un Check 7 qui vérifie automatiquement les permissions:
```bash
./secubox-tools/validate-modules.sh
# Check 7 validera:
# ✓ Tous les RPCD sont 755
# ✓ Tous les CSS sont 644
# ✓ Tous les JS sont 644
# ❌ Affichera erreurs si permissions incorrectes
```
**Workflow recommandé:**
1. Développer/modifier code
2. `./secubox-tools/fix-permissions.sh --local` (avant commit)
3. `./secubox-tools/validate-modules.sh` (vérifier tout)
4. Commit & push
5. Deploy sur routeur
6. `./secubox-tools/fix-permissions.sh --remote` (après deploy)
#### 3. Post-Deployment Verification
**Checklist après déploiement:**

15
QUICK-START.md
View File

@ -54,7 +54,10 @@ ssh root@192.168.8.191 "find /www/luci-static -name '*.js' -exec chmod 644 {} \;
### 5. Common Errors Quick Fix
```bash
# HTTP 403 Forbidden
# HTTP 403 Forbidden (BEST: use automated script)
./secubox-tools/fix-permissions.sh --remote # Auto-fix all permissions
# OR manual fix:
chmod 644 /www/luci-static/resources/**/*.{js,css}
# No space left on device
@ -116,9 +119,12 @@ grid-template-columns: repeat(auto-fit, minmax(300px, 1fr));
### Validation
```bash
# Valider TOUT avant commit
# Valider TOUT avant commit (7 checks incluant permissions)
./secubox-tools/validate-modules.sh
# Corriger automatiquement les permissions
./secubox-tools/fix-permissions.sh --local
# JSON
jsonlint file.json
@ -176,10 +182,11 @@ ssh root@router "logread | grep -i error"
## 📋 Pre-Commit Checklist
- [ ] `./secubox-tools/validate-modules.sh`
- [ ] `./secubox-tools/fix-permissions.sh --local` ✅ (auto-fix)
- [ ] `./secubox-tools/validate-modules.sh` ✅ (7 checks)
- [ ] RPCD name = ubus object name
- [ ] Menu path = view file path
- [ ] Permissions: 755 (RPCD), 644 (CSS/JS)
- [ ] Permissions: 755 (RPCD), 644 (CSS/JS) - auto-verified
- [ ] JSON valide (jsonlint)
- [ ] CSS: variables utilisées (pas hardcode)
- [ ] CSS: dark mode supporté

181
secubox-tools/fix-permissions.sh Executable file
View File

@ -0,0 +1,181 @@
#!/bin/bash
#
# SecuBox Permission Fix Script
# Automatically fixes file permissions for LuCI modules
#
# CRITICAL PERMISSIONS:
# - RPCD scripts (root/usr/libexec/rpcd/*): 755 (rwxr-xr-x) - Must be executable
# - CSS files (htdocs/**/*.css): 644 (rw-r--r--) - Web server readable
# - JS files (htdocs/**/*.js): 644 (rw-r--r--) - Web server readable
#
set -e
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
LOCAL_MODE=false
REMOTE_MODE=false
ROUTER=""
# Parse arguments
while [[ $# -gt 0 ]]; do
case $1 in
--local)
LOCAL_MODE=true
shift
;;
--remote)
REMOTE_MODE=true
ROUTER="${2:-root@192.168.8.191}"
shift 2
;;
*)
echo "Usage: $0 [--local] [--remote [router]]"
echo ""
echo " --local Fix permissions in local source tree (development)"
echo " --remote [addr] Fix permissions on router (default: root@192.168.8.191)"
echo ""
echo "If no option specified, fixes both local and remote."
exit 1
;;
esac
done
# If neither specified, do both
if [ "$LOCAL_MODE" = false ] && [ "$REMOTE_MODE" = false ]; then
LOCAL_MODE=true
REMOTE_MODE=true
ROUTER="root@192.168.8.191"
fi
echo "========================================"
echo "SecuBox Permission Fix"
echo "========================================"
echo ""
# Fix local permissions
if [ "$LOCAL_MODE" = true ]; then
echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}Fixing Local Source Permissions${NC}"
echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
RPCD_FIXED=0
CSS_FIXED=0
JS_FIXED=0
for module_dir in luci-app-*/; do
module_name=$(basename "$module_dir")
# Fix RPCD scripts (must be executable: 755)
rpcd_dir="$module_dir/root/usr/libexec/rpcd"
if [ -d "$rpcd_dir" ]; then
while IFS= read -r script; do
if [ -n "$script" ] && [ ! -x "$script" ]; then
chmod 755 "$script"
echo "$module_name: RPCD $(basename $script) → 755"
((RPCD_FIXED++))
fi
done < <(find "$rpcd_dir" -type f ! -name "*.md" 2>/dev/null)
fi
# Fix CSS files (must be readable: 644)
htdocs_dir="$module_dir/htdocs"
if [ -d "$htdocs_dir" ]; then
while IFS= read -r css_file; do
if [ -n "$css_file" ]; then
current_perms=$(stat -c "%a" "$css_file" 2>/dev/null)
if [ "$current_perms" != "644" ]; then
chmod 644 "$css_file"
echo "$module_name: $(basename $css_file) $current_perms → 644"
((CSS_FIXED++))
fi
fi
done < <(find "$htdocs_dir" -name "*.css" -type f 2>/dev/null)
# Fix JS files (must be readable: 644)
while IFS= read -r js_file; do
if [ -n "$js_file" ]; then
current_perms=$(stat -c "%a" "$js_file" 2>/dev/null)
if [ "$current_perms" != "644" ]; then
chmod 644 "$js_file"
echo "$module_name: $(basename $js_file) $current_perms → 644"
((JS_FIXED++))
fi
fi
done < <(find "$htdocs_dir" -name "*.js" -type f 2>/dev/null)
fi
done
echo ""
echo -e "${GREEN}Local Permissions Fixed:${NC}"
echo " RPCD scripts: $RPCD_FIXED"
echo " CSS files: $CSS_FIXED"
echo " JS files: $JS_FIXED"
echo ""
fi
# Fix remote permissions
if [ "$REMOTE_MODE" = true ]; then
echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}Fixing Remote Permissions ($ROUTER)${NC}"
echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
# Test connection
if ! ssh "$ROUTER" "echo 'Connection OK'" >/dev/null 2>&1; then
echo -e "${YELLOW}⚠️ Cannot connect to $ROUTER${NC}"
echo " → Check router IP and SSH access"
exit 1
fi
echo " → Fixing RPCD script permissions (755)..."
ssh "$ROUTER" "find /usr/libexec/rpcd -name 'luci.*' -type f -exec chmod 755 {} \;" 2>/dev/null || true
echo " → Fixing CSS file permissions (644)..."
ssh "$ROUTER" "find /www/luci-static/resources -name '*.css' -type f -exec chmod 644 {} \;" 2>/dev/null || true
echo " → Fixing JS file permissions (644)..."
ssh "$ROUTER" "find /www/luci-static/resources -name '*.js' -type f -exec chmod 644 {} \;" 2>/dev/null || true
# Verify no files left with 600
REMAINING_600=$(ssh "$ROUTER" "find /www/luci-static/resources -type f \( -name '*.js' -o -name '*.css' \) -perm 600 | wc -l" 2>/dev/null || echo "0")
echo ""
if [ "$REMAINING_600" -eq 0 ]; then
echo -e "${GREEN}✓ All remote permissions fixed!${NC}"
else
echo -e "${YELLOW}⚠️ Warning: $REMAINING_600 files still have 600 permissions${NC}"
fi
echo ""
echo " → Clearing LuCI cache..."
ssh "$ROUTER" "rm -f /tmp/luci-indexcache /tmp/luci-modulecache/* 2>/dev/null" || true
echo " → Restarting services..."
ssh "$ROUTER" "/etc/init.d/rpcd restart && /etc/init.d/uhttpd restart" >/dev/null 2>&1 || true
echo ""
echo -e "${GREEN}✓ Remote permissions fixed and services restarted${NC}"
echo ""
fi
echo "========================================"
echo -e "${GREEN}✓ Permission Fix Complete!${NC}"
echo "========================================"
echo ""
if [ "$LOCAL_MODE" = true ]; then
echo "Next steps:"
echo " 1. Run validation: ./secubox-tools/validate-modules.sh"
echo " 2. Build packages: ./secubox-tools/local-build.sh build"
echo " 3. Deploy to router"
fi
if [ "$REMOTE_MODE" = true ]; then
echo "Test modules in browser (use private mode: Ctrl+Shift+N)"
echo " → https://192.168.8.191/cgi-bin/luci/admin/secubox"
fi

63
secubox-tools/validate-modules.sh
View File

@ -240,20 +240,77 @@ for module_dir in luci-app-*/; do
done
echo ""
# Check 7: htdocs files must have correct permissions (644 for web server)
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "7. Validating htdocs file permissions (CSS/JS must be 644)"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo ""
PERMISSION_ERRORS=0
for module_dir in luci-app-*/; do
module_name=$(basename "$module_dir")
htdocs_dir="$module_dir/htdocs"
if [ -d "$htdocs_dir" ]; then
# Check CSS files
while IFS= read -r css_file; do
if [ -n "$css_file" ]; then
perms=$(stat -c "%a" "$css_file" 2>/dev/null)
if [ "$perms" != "644" ]; then
error "$module_name: CSS file has wrong permissions: $css_file ($perms, should be 644)"
echo " → Run: chmod 644 $css_file"
((PERMISSION_ERRORS++))
else
success "$module_name: CSS file has correct permissions (644): $(basename $css_file)"
fi
fi
done < <(find "$htdocs_dir" -name "*.css" -type f 2>/dev/null)
# Check JS files
while IFS= read -r js_file; do
if [ -n "$js_file" ]; then
perms=$(stat -c "%a" "$js_file" 2>/dev/null)
if [ "$perms" != "644" ]; then
error "$module_name: JS file has wrong permissions: $js_file ($perms, should be 644)"
echo " → Run: chmod 644 $js_file"
((PERMISSION_ERRORS++))
else
success "$module_name: JS file has correct permissions (644): $(basename $js_file)"
fi
fi
done < <(find "$htdocs_dir" -name "*.js" -type f 2>/dev/null)
fi
done
if [ $PERMISSION_ERRORS -gt 0 ]; then
echo ""
echo -e "${YELLOW}⚠️ To fix all permission errors automatically, run:${NC}"
echo " ./secubox-tools/fix-permissions.sh --local"
fi
echo ""
# Add permission errors to total error count
TOTAL_ERRORS=$((ERRORS + PERMISSION_ERRORS))
# Summary
echo "========================================"
echo "Validation Summary"
echo "========================================"
echo ""
if [ $ERRORS -eq 0 ] && [ $WARNINGS -eq 0 ]; then
if [ $TOTAL_ERRORS -eq 0 ] && [ $WARNINGS -eq 0 ]; then
echo -e "${GREEN}✓ All checks passed!${NC}"
exit 0
elif [ $ERRORS -eq 0 ]; then
elif [ $TOTAL_ERRORS -eq 0 ]; then
echo -e "${YELLOW}✓ All critical checks passed with $WARNINGS warning(s)${NC}"
exit 0
else
echo -e "${RED}✗ Found $ERRORS error(s) and $WARNINGS warning(s)${NC}"
echo -e "${RED}✗ Found $TOTAL_ERRORS error(s) and $WARNINGS warning(s)${NC}"
if [ $PERMISSION_ERRORS -gt 0 ]; then
echo -e "${YELLOW} ($PERMISSION_ERRORS permission error(s))${NC}"
fi
echo ""
echo "Please fix the errors listed above before deploying."
echo "Run: ./secubox-tools/fix-permissions.sh --local"
exit 1
fi