From 14b0f4facb7b05e50679aa1cf0121392e61a681d Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Fri, 26 Dec 2025 20:51:52 +0100 Subject: [PATCH] feat: add automated permission validation and fix tools MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added comprehensive automation for file permissions management to prevent HTTP 403 errors caused by incorrect permissions (600 instead of 644). πŸ†• New Tool: fix-permissions.sh ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Automated script to fix and verify file permissions: Features: - Fixes local source permissions (--local) - Fixes remote router permissions (--remote) - Default: fixes both local and remote - Auto-verifies RPCD scripts (755) - Auto-verifies CSS files (644) - Auto-verifies JS files (644) - Clears cache and restarts services (remote) - Reports all changes made Usage: ./secubox-tools/fix-permissions.sh --local # Before commit ./secubox-tools/fix-permissions.sh --remote # After deploy ./secubox-tools/fix-permissions.sh # Both ✨ Enhanced: validate-modules.sh - Check 7 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Added comprehensive permission validation: Check 7: htdocs file permissions - Validates all CSS files have 644 permissions - Validates all JS files have 644 permissions - Reports files with wrong permissions - Suggests fix-permissions.sh for auto-correction - Counts permission errors in summary Total validation checks: 7 1. RPCD script names vs ubus objects 2. Menu paths vs view file locations 3. View files have menu entries 4. RPCD script permissions (755) 5. JSON syntax validation 6. ubus object naming convention 7. htdocs file permissions (644) ← NEW πŸ“š Documentation Updates ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ DEVELOPMENT-GUIDELINES.md: - Added "Correction Automatique" section with fix-permissions.sh - Added "Validation Automatique des Permissions" section - Added recommended workflow: fix β†’ validate β†’ commit β†’ deploy β†’ fix remote QUICK-START.md: - Updated Validation section with fix-permissions.sh - Updated Common Errors Quick Fix with automated script - Updated Pre-Commit Checklist with automated tools - Marked permissions as "auto-verified" in checklist CLAUDE.md: - Updated critical rules with auto-fix commands - Added 7 validation checks list - Enhanced Validation section with detailed check descriptions - Added fix-permissions.sh to workflow πŸ”§ Files Modified ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ New: + secubox-tools/fix-permissions.sh (executable) Modified: * secubox-tools/validate-modules.sh (Check 7 added) * DEVELOPMENT-GUIDELINES.md (~50 lines added) * QUICK-START.md (~15 lines added) * CLAUDE.md (~25 lines added) 🎯 Problem Solved ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Root cause: Files created/deployed with umask 0077 result in 600 permissions Symptom: HTTP 403 Forbidden errors on CSS/JS resources Impact: Modules fail to load in browser Recent examples: - secubox: 10 files with 600 permissions (monitoring.js, theme.js, etc.) - netdata-dashboard: 3 files with 600 permissions Solution: Automated detection and correction tools now prevent this issue Workflow integration: βœ… Pre-commit: fix-permissions.sh --local βœ… Validation: validate-modules.sh (Check 7) βœ… Post-deploy: fix-permissions.sh --remote πŸ€– Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- CLAUDE.md | 19 +++- DEVELOPMENT-GUIDELINES.md | 45 ++++++++ QUICK-START.md | 15 ++- secubox-tools/fix-permissions.sh | 181 ++++++++++++++++++++++++++++++ secubox-tools/validate-modules.sh | 63 ++++++++++- 5 files changed, 315 insertions(+), 8 deletions(-) create mode 100755 secubox-tools/fix-permissions.sh diff --git a/CLAUDE.md b/CLAUDE.md index 664c3df7..b6d1c3a3 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -35,7 +35,10 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co 1. **RPCD Script Naming:** Nom fichier = objet ubus (`luci.system-hub`) 2. **Menu Path Matching:** Path menu = fichier vue (`system-hub/overview.js`) 3. **Permissions:** RPCD = 755, CSS/JS = 644 + - **Auto-fix:** `./secubox-tools/fix-permissions.sh --local` (avant commit) + - **Auto-fix remote:** `./secubox-tools/fix-permissions.sh --remote` (aprΓ¨s deploy) 4. **Validation:** Toujours exΓ©cuter `./secubox-tools/validate-modules.sh` avant commit + - **7 checks automatiques:** RPCD naming, menu paths, view files, RPCD permissions, JSON syntax, ubus naming, **htdocs permissions** 5. **CSS Variables:** Toujours utiliser `var(--sh-*)`, jamais hardcoder les couleurs 6. **Dark Mode:** Toujours supporter dark mode avec `[data-theme="dark"]` 7. **Typography:** Inter (texte), JetBrains Mono (valeurs numΓ©riques) @@ -77,8 +80,19 @@ opkg install /tmp/luci-app-*.ipk ### Validation ```bash -# Run comprehensive module validation (RECOMMENDED) +# Fix file permissions FIRST (CRITICAL) +./secubox-tools/fix-permissions.sh --local + +# Run comprehensive module validation (RECOMMENDED - 7 checks) ./secubox-tools/validate-modules.sh +# Checks: +# 1. RPCD script names vs ubus objects +# 2. Menu paths vs view file locations +# 3. View files have menu entries +# 4. RPCD script permissions (755) +# 5. JSON syntax validation +# 6. ubus object naming convention +# 7. htdocs file permissions (644 for CSS/JS) ← NEW # Validate shell scripts (RPCD backends) shellcheck luci-app-*/root/usr/libexec/rpcd/* @@ -89,6 +103,9 @@ find . -name "*.json" -exec jsonlint {} \; # Run automated repair tool ./secubox-tools/secubox-repair.sh +# Fix permissions on deployed router +./secubox-tools/fix-permissions.sh --remote + # Run diagnostics ./secubox-tools/secubox-debug.sh luci-app- ``` diff --git a/DEVELOPMENT-GUIDELINES.md b/DEVELOPMENT-GUIDELINES.md index 668b0a16..a0e01bd9 100644 --- a/DEVELOPMENT-GUIDELINES.md +++ b/DEVELOPMENT-GUIDELINES.md @@ -1288,6 +1288,51 @@ find /usr/libexec/rpcd/ -name 'luci.*' -exec chmod 755 {} \; EOF ``` +**⚑ Correction Automatique (RecommandΓ©):** + +Utiliser le script automatique qui vΓ©rifie et corrige toutes les permissions: + +```bash +# Corriger permissions locales (source code) +./secubox-tools/fix-permissions.sh --local + +# Corriger permissions sur routeur +./secubox-tools/fix-permissions.sh --remote + +# Corriger les deux (local + remote) +./secubox-tools/fix-permissions.sh +``` + +Le script `fix-permissions.sh` effectue automatiquement: +- βœ… Fixe tous les RPCD scripts Γ  755 +- βœ… Fixe tous les CSS Γ  644 +- βœ… Fixe tous les JS Γ  644 +- βœ… VΓ©rifie qu'aucun fichier 600 ne reste +- βœ… Clear cache et restart services (remote mode) +- βœ… Affiche un rapport complet des changements + +**πŸ” Validation Automatique des Permissions:** + +Le script `validate-modules.sh` inclut maintenant un Check 7 qui vΓ©rifie automatiquement les permissions: + +```bash +./secubox-tools/validate-modules.sh + +# Check 7 validera: +# βœ“ Tous les RPCD sont 755 +# βœ“ Tous les CSS sont 644 +# βœ“ Tous les JS sont 644 +# ❌ Affichera erreurs si permissions incorrectes +``` + +**Workflow recommandΓ©:** +1. DΓ©velopper/modifier code +2. `./secubox-tools/fix-permissions.sh --local` (avant commit) +3. `./secubox-tools/validate-modules.sh` (vΓ©rifier tout) +4. Commit & push +5. Deploy sur routeur +6. `./secubox-tools/fix-permissions.sh --remote` (aprΓ¨s deploy) + #### 3. Post-Deployment Verification **Checklist aprΓ¨s dΓ©ploiement:** diff --git a/QUICK-START.md b/QUICK-START.md index e348a549..402ceff0 100644 --- a/QUICK-START.md +++ b/QUICK-START.md @@ -54,7 +54,10 @@ ssh root@192.168.8.191 "find /www/luci-static -name '*.js' -exec chmod 644 {} \; ### 5. Common Errors Quick Fix ```bash -# HTTP 403 Forbidden +# HTTP 403 Forbidden (BEST: use automated script) +./secubox-tools/fix-permissions.sh --remote # Auto-fix all permissions + +# OR manual fix: chmod 644 /www/luci-static/resources/**/*.{js,css} # No space left on device @@ -116,9 +119,12 @@ grid-template-columns: repeat(auto-fit, minmax(300px, 1fr)); ### Validation ```bash -# Valider TOUT avant commit +# Valider TOUT avant commit (7 checks incluant permissions) ./secubox-tools/validate-modules.sh +# Corriger automatiquement les permissions +./secubox-tools/fix-permissions.sh --local + # JSON jsonlint file.json @@ -176,10 +182,11 @@ ssh root@router "logread | grep -i error" ## πŸ“‹ Pre-Commit Checklist -- [ ] `./secubox-tools/validate-modules.sh` βœ… +- [ ] `./secubox-tools/fix-permissions.sh --local` βœ… (auto-fix) +- [ ] `./secubox-tools/validate-modules.sh` βœ… (7 checks) - [ ] RPCD name = ubus object name - [ ] Menu path = view file path -- [ ] Permissions: 755 (RPCD), 644 (CSS/JS) +- [ ] Permissions: 755 (RPCD), 644 (CSS/JS) - auto-verified - [ ] JSON valide (jsonlint) - [ ] CSS: variables utilisΓ©es (pas hardcode) - [ ] CSS: dark mode supportΓ© diff --git a/secubox-tools/fix-permissions.sh b/secubox-tools/fix-permissions.sh new file mode 100755 index 00000000..5265d54f --- /dev/null +++ b/secubox-tools/fix-permissions.sh @@ -0,0 +1,181 @@ +#!/bin/bash +# +# SecuBox Permission Fix Script +# Automatically fixes file permissions for LuCI modules +# +# CRITICAL PERMISSIONS: +# - RPCD scripts (root/usr/libexec/rpcd/*): 755 (rwxr-xr-x) - Must be executable +# - CSS files (htdocs/**/*.css): 644 (rw-r--r--) - Web server readable +# - JS files (htdocs/**/*.js): 644 (rw-r--r--) - Web server readable +# + +set -e + +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +LOCAL_MODE=false +REMOTE_MODE=false +ROUTER="" + +# Parse arguments +while [[ $# -gt 0 ]]; do + case $1 in + --local) + LOCAL_MODE=true + shift + ;; + --remote) + REMOTE_MODE=true + ROUTER="${2:-root@192.168.8.191}" + shift 2 + ;; + *) + echo "Usage: $0 [--local] [--remote [router]]" + echo "" + echo " --local Fix permissions in local source tree (development)" + echo " --remote [addr] Fix permissions on router (default: root@192.168.8.191)" + echo "" + echo "If no option specified, fixes both local and remote." + exit 1 + ;; + esac +done + +# If neither specified, do both +if [ "$LOCAL_MODE" = false ] && [ "$REMOTE_MODE" = false ]; then + LOCAL_MODE=true + REMOTE_MODE=true + ROUTER="root@192.168.8.191" +fi + +echo "========================================" +echo "SecuBox Permission Fix" +echo "========================================" +echo "" + +# Fix local permissions +if [ "$LOCAL_MODE" = true ]; then + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo -e "${BLUE}Fixing Local Source Permissions${NC}" + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo "" + + RPCD_FIXED=0 + CSS_FIXED=0 + JS_FIXED=0 + + for module_dir in luci-app-*/; do + module_name=$(basename "$module_dir") + + # Fix RPCD scripts (must be executable: 755) + rpcd_dir="$module_dir/root/usr/libexec/rpcd" + if [ -d "$rpcd_dir" ]; then + while IFS= read -r script; do + if [ -n "$script" ] && [ ! -x "$script" ]; then + chmod 755 "$script" + echo " βœ“ $module_name: RPCD $(basename $script) β†’ 755" + ((RPCD_FIXED++)) + fi + done < <(find "$rpcd_dir" -type f ! -name "*.md" 2>/dev/null) + fi + + # Fix CSS files (must be readable: 644) + htdocs_dir="$module_dir/htdocs" + if [ -d "$htdocs_dir" ]; then + while IFS= read -r css_file; do + if [ -n "$css_file" ]; then + current_perms=$(stat -c "%a" "$css_file" 2>/dev/null) + if [ "$current_perms" != "644" ]; then + chmod 644 "$css_file" + echo " βœ“ $module_name: $(basename $css_file) $current_perms β†’ 644" + ((CSS_FIXED++)) + fi + fi + done < <(find "$htdocs_dir" -name "*.css" -type f 2>/dev/null) + + # Fix JS files (must be readable: 644) + while IFS= read -r js_file; do + if [ -n "$js_file" ]; then + current_perms=$(stat -c "%a" "$js_file" 2>/dev/null) + if [ "$current_perms" != "644" ]; then + chmod 644 "$js_file" + echo " βœ“ $module_name: $(basename $js_file) $current_perms β†’ 644" + ((JS_FIXED++)) + fi + fi + done < <(find "$htdocs_dir" -name "*.js" -type f 2>/dev/null) + fi + done + + echo "" + echo -e "${GREEN}Local Permissions Fixed:${NC}" + echo " RPCD scripts: $RPCD_FIXED" + echo " CSS files: $CSS_FIXED" + echo " JS files: $JS_FIXED" + echo "" +fi + +# Fix remote permissions +if [ "$REMOTE_MODE" = true ]; then + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo -e "${BLUE}Fixing Remote Permissions ($ROUTER)${NC}" + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo "" + + # Test connection + if ! ssh "$ROUTER" "echo 'Connection OK'" >/dev/null 2>&1; then + echo -e "${YELLOW}⚠️ Cannot connect to $ROUTER${NC}" + echo " β†’ Check router IP and SSH access" + exit 1 + fi + + echo " β†’ Fixing RPCD script permissions (755)..." + ssh "$ROUTER" "find /usr/libexec/rpcd -name 'luci.*' -type f -exec chmod 755 {} \;" 2>/dev/null || true + + echo " β†’ Fixing CSS file permissions (644)..." + ssh "$ROUTER" "find /www/luci-static/resources -name '*.css' -type f -exec chmod 644 {} \;" 2>/dev/null || true + + echo " β†’ Fixing JS file permissions (644)..." + ssh "$ROUTER" "find /www/luci-static/resources -name '*.js' -type f -exec chmod 644 {} \;" 2>/dev/null || true + + # Verify no files left with 600 + REMAINING_600=$(ssh "$ROUTER" "find /www/luci-static/resources -type f \( -name '*.js' -o -name '*.css' \) -perm 600 | wc -l" 2>/dev/null || echo "0") + + echo "" + if [ "$REMAINING_600" -eq 0 ]; then + echo -e "${GREEN}βœ“ All remote permissions fixed!${NC}" + else + echo -e "${YELLOW}⚠️ Warning: $REMAINING_600 files still have 600 permissions${NC}" + fi + + echo "" + echo " β†’ Clearing LuCI cache..." + ssh "$ROUTER" "rm -f /tmp/luci-indexcache /tmp/luci-modulecache/* 2>/dev/null" || true + + echo " β†’ Restarting services..." + ssh "$ROUTER" "/etc/init.d/rpcd restart && /etc/init.d/uhttpd restart" >/dev/null 2>&1 || true + + echo "" + echo -e "${GREEN}βœ“ Remote permissions fixed and services restarted${NC}" + echo "" +fi + +echo "========================================" +echo -e "${GREEN}βœ“ Permission Fix Complete!${NC}" +echo "========================================" +echo "" + +if [ "$LOCAL_MODE" = true ]; then + echo "Next steps:" + echo " 1. Run validation: ./secubox-tools/validate-modules.sh" + echo " 2. Build packages: ./secubox-tools/local-build.sh build" + echo " 3. Deploy to router" +fi + +if [ "$REMOTE_MODE" = true ]; then + echo "Test modules in browser (use private mode: Ctrl+Shift+N)" + echo " β†’ https://192.168.8.191/cgi-bin/luci/admin/secubox" +fi diff --git a/secubox-tools/validate-modules.sh b/secubox-tools/validate-modules.sh index 7e93aaec..1da33657 100755 --- a/secubox-tools/validate-modules.sh +++ b/secubox-tools/validate-modules.sh @@ -240,20 +240,77 @@ for module_dir in luci-app-*/; do done echo "" +# Check 7: htdocs files must have correct permissions (644 for web server) +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" +echo "7. Validating htdocs file permissions (CSS/JS must be 644)" +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" +echo "" + +PERMISSION_ERRORS=0 + +for module_dir in luci-app-*/; do + module_name=$(basename "$module_dir") + htdocs_dir="$module_dir/htdocs" + + if [ -d "$htdocs_dir" ]; then + # Check CSS files + while IFS= read -r css_file; do + if [ -n "$css_file" ]; then + perms=$(stat -c "%a" "$css_file" 2>/dev/null) + if [ "$perms" != "644" ]; then + error "$module_name: CSS file has wrong permissions: $css_file ($perms, should be 644)" + echo " β†’ Run: chmod 644 $css_file" + ((PERMISSION_ERRORS++)) + else + success "$module_name: CSS file has correct permissions (644): $(basename $css_file)" + fi + fi + done < <(find "$htdocs_dir" -name "*.css" -type f 2>/dev/null) + + # Check JS files + while IFS= read -r js_file; do + if [ -n "$js_file" ]; then + perms=$(stat -c "%a" "$js_file" 2>/dev/null) + if [ "$perms" != "644" ]; then + error "$module_name: JS file has wrong permissions: $js_file ($perms, should be 644)" + echo " β†’ Run: chmod 644 $js_file" + ((PERMISSION_ERRORS++)) + else + success "$module_name: JS file has correct permissions (644): $(basename $js_file)" + fi + fi + done < <(find "$htdocs_dir" -name "*.js" -type f 2>/dev/null) + fi +done + +if [ $PERMISSION_ERRORS -gt 0 ]; then + echo "" + echo -e "${YELLOW}⚠️ To fix all permission errors automatically, run:${NC}" + echo " ./secubox-tools/fix-permissions.sh --local" +fi +echo "" + +# Add permission errors to total error count +TOTAL_ERRORS=$((ERRORS + PERMISSION_ERRORS)) + # Summary echo "========================================" echo "Validation Summary" echo "========================================" echo "" -if [ $ERRORS -eq 0 ] && [ $WARNINGS -eq 0 ]; then +if [ $TOTAL_ERRORS -eq 0 ] && [ $WARNINGS -eq 0 ]; then echo -e "${GREEN}βœ“ All checks passed!${NC}" exit 0 -elif [ $ERRORS -eq 0 ]; then +elif [ $TOTAL_ERRORS -eq 0 ]; then echo -e "${YELLOW}βœ“ All critical checks passed with $WARNINGS warning(s)${NC}" exit 0 else - echo -e "${RED}βœ— Found $ERRORS error(s) and $WARNINGS warning(s)${NC}" + echo -e "${RED}βœ— Found $TOTAL_ERRORS error(s) and $WARNINGS warning(s)${NC}" + if [ $PERMISSION_ERRORS -gt 0 ]; then + echo -e "${YELLOW} ($PERMISSION_ERRORS permission error(s))${NC}" + fi echo "" echo "Please fix the errors listed above before deploying." + echo "Run: ./secubox-tools/fix-permissions.sh --local" exit 1 fi