gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
9a4753e343
secubox-openwrt/secubox-tools
History
CyberMind-FR 14b0f4facb feat: add automated permission validation and fix tools 
Added comprehensive automation for file permissions management to prevent
HTTP 403 errors caused by incorrect permissions (600 instead of 644).

🆕 New Tool: fix-permissions.sh
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Automated script to fix and verify file permissions:

Features:
- Fixes local source permissions (--local)
- Fixes remote router permissions (--remote)
- Default: fixes both local and remote
- Auto-verifies RPCD scripts (755)
- Auto-verifies CSS files (644)
- Auto-verifies JS files (644)
- Clears cache and restarts services (remote)
- Reports all changes made

Usage:
  ./secubox-tools/fix-permissions.sh --local   # Before commit
  ./secubox-tools/fix-permissions.sh --remote  # After deploy
  ./secubox-tools/fix-permissions.sh           # Both

 Enhanced: validate-modules.sh - Check 7
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Added comprehensive permission validation:

Check 7: htdocs file permissions
- Validates all CSS files have 644 permissions
- Validates all JS files have 644 permissions
- Reports files with wrong permissions
- Suggests fix-permissions.sh for auto-correction
- Counts permission errors in summary

Total validation checks: 7
1. RPCD script names vs ubus objects
2. Menu paths vs view file locations
3. View files have menu entries
4. RPCD script permissions (755)
5. JSON syntax validation
6. ubus object naming convention
7. htdocs file permissions (644) ← NEW

📚 Documentation Updates
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

DEVELOPMENT-GUIDELINES.md:
- Added "Correction Automatique" section with fix-permissions.sh
- Added "Validation Automatique des Permissions" section
- Added recommended workflow: fix → validate → commit → deploy → fix remote

QUICK-START.md:
- Updated Validation section with fix-permissions.sh
- Updated Common Errors Quick Fix with automated script
- Updated Pre-Commit Checklist with automated tools
- Marked permissions as "auto-verified" in checklist

CLAUDE.md:
- Updated critical rules with auto-fix commands
- Added 7 validation checks list
- Enhanced Validation section with detailed check descriptions
- Added fix-permissions.sh to workflow

🔧 Files Modified
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

New:
+ secubox-tools/fix-permissions.sh (executable)

Modified:
* secubox-tools/validate-modules.sh (Check 7 added)
* DEVELOPMENT-GUIDELINES.md (~50 lines added)
* QUICK-START.md (~15 lines added)
* CLAUDE.md (~25 lines added)

🎯 Problem Solved
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Root cause: Files created/deployed with umask 0077 result in 600 permissions
Symptom: HTTP 403 Forbidden errors on CSS/JS resources
Impact: Modules fail to load in browser

Recent examples:
- secubox: 10 files with 600 permissions (monitoring.js, theme.js, etc.)
- netdata-dashboard: 3 files with 600 permissions

Solution: Automated detection and correction tools now prevent this issue

Workflow integration:
 Pre-commit: fix-permissions.sh --local
 Validation: validate-modules.sh (Check 7)
 Post-deploy: fix-permissions.sh --remote

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-26 20:51:52 +01:00
..
acl fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
makefiles fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
rpcd fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
templates fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
cleanup-packages.sh fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
fix-makefiles.sh fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
fix-permissions.sh feat: add automated permission validation and fix tools 2025-12-26 20:51:52 +01:00
generate-rpcd-files.sh fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
install-git-hooks.sh feat: add module generation validation and pre-push hooks 2025-12-24 10:06:20 +01:00
install-rpcd-fix.sh fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
local-build.sh feat: add complete SecuBox package suite to firmware builds 2025-12-25 06:43:52 +01:00
pre-push-validation.sh feat: add module generation validation and pre-push hooks 2025-12-24 10:06:20 +01:00
README.md feat: add firmware image building to local build script 2025-12-24 16:31:12 +01:00
secubox-debug.sh fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
secubox-repair.sh fix: auto-repair all SecuBox modules 2025-12-23 01:30:26 +01:00
show-module-status.sh fix: resolve validation issues across all modules 2025-12-25 09:01:06 +01:00
validate-module-generation.sh feat: add module generation validation and pre-push hooks 2025-12-24 10:06:20 +01:00
validate-modules.sh feat: add automated permission validation and fix tools 2025-12-26 20:51:52 +01:00

README.md

SecuBox Development Tools

This directory contains utilities for validating, debugging, and maintaining SecuBox modules.

Tools Overview

Build and Test Tools

local-build.sh

NEW! Local build system that replicates GitHub Actions workflows.

Build and test packages locally without pushing to GitHub. Automatically downloads and configures the OpenWrt SDK, builds packages, and collects artifacts.

Usage:

# Validate all packages
./secubox-tools/local-build.sh validate

# Build all packages (x86_64)
./secubox-tools/local-build.sh build

# Build single package
./secubox-tools/local-build.sh build luci-app-system-hub

# Build for specific architecture
./secubox-tools/local-build.sh build --arch aarch64-cortex-a72

# Build firmware image for MOCHAbin
./secubox-tools/local-build.sh build-firmware mochabin

# Build firmware image for ESPRESSObin V7
./secubox-tools/local-build.sh build-firmware espressobin-v7

# Full validation + build
./secubox-tools/local-build.sh full

# Clean build artifacts
./secubox-tools/local-build.sh clean

# Clean everything including OpenWrt source
./secubox-tools/local-build.sh clean-all

Supported Architectures (for package building):

  • x86-64 - PC, VMs (default)
  • aarch64-cortex-a53 - ARM Cortex-A53 (ESPRESSObin)
  • aarch64-cortex-a72 - ARM Cortex-A72 (MOCHAbin, RPi4)
  • aarch64-generic - Generic ARM64
  • mips-24kc - MIPS 24Kc (TP-Link)
  • mipsel-24kc - MIPS LE (Xiaomi, GL.iNet)

Supported Devices (for firmware building):

  • espressobin-v7 - ESPRESSObin V7 (1-2GB DDR4)
  • espressobin-ultra - ESPRESSObin Ultra (PoE, WiFi)
  • sheeva64 - Sheeva64 (Plug computer)
  • mochabin - MOCHAbin (Quad-core A72, 10G)
  • x86-64 - x86_64 Generic PC

Environment Variables:

  • OPENWRT_VERSION - OpenWrt version (default: 23.05.5)
  • SDK_DIR - SDK directory (default: ./sdk)
  • BUILD_DIR - Build output directory (default: ./build)
  • CACHE_DIR - Download cache directory (default: ./cache)
  • OPENWRT_DIR - OpenWrt source directory for firmware builds (default: ./openwrt)

Output:

  • Built packages are placed in build/<arch>/ with SHA256 checksums
  • Firmware images are placed in build/firmware/<device>/ with checksums and build info

Dependencies:

# Required for building
sudo apt-get install -y build-essential clang flex bison g++ gawk \
    gcc-multilib g++-multilib gettext git libncurses5-dev \
    libssl-dev python3-setuptools python3-dev rsync \
    swig unzip zlib1g-dev file wget curl jq

# Optional for validation
sudo apt-get install -y shellcheck nodejs

Features:

  • Package Building: Downloads and caches OpenWrt SDK for faster builds
  • Firmware Building: Downloads full OpenWrt source and builds custom firmware images
  • Configures feeds (packages, luci) automatically
  • Validates packages before building
  • Builds .ipk packages with verbose output
  • Builds complete firmware images (.img.gz, *sysupgrade.bin, etc.)
  • Collects artifacts with checksums
  • Supports single package or all packages
  • Multiple architecture and device support
  • Device profile verification before building

Example Workflow - Package Building:

# 1. Make changes to a module
vim luci-app-system-hub/htdocs/luci-static/resources/view/system-hub/overview.js

# 2. Validate and build locally
./secubox-tools/local-build.sh full

# 3. Test on router
scp build/x86-64/*.ipk root@192.168.1.1:/tmp/
ssh root@192.168.1.1
opkg install /tmp/luci-app-system-hub*.ipk
/etc/init.d/rpcd restart

Example Workflow - Firmware Building:

# 1. Build firmware for MOCHAbin with SecuBox pre-installed
./secubox-tools/local-build.sh build-firmware mochabin

# 2. Flash to device
# Firmware images are in: build/firmware/mochabin/
# - openwrt-*-sysupgrade.bin (for upgrading existing OpenWrt)
# - openwrt-*-factory.bin (for initial installation)
# - SHA256SUMS (checksums for verification)
# - BUILD_INFO.txt (build details)
# - packages/ (SecuBox .ipk files)

# 3. Clean up after building (optional)
./secubox-tools/local-build.sh clean-all  # Removes OpenWrt source (saves ~20GB)

Validation Tools

validate-modules.sh

Fast validation of all modules in the repository.

Usage:

./secubox-tools/validate-modules.sh

Checks performed:

  1. RPCD script names vs ubus objects - Ensures RPCD script filenames match JavaScript ubus object declarations
  2. Menu paths vs view files - Verifies menu.d JSON paths correspond to actual view files
  3. View files have menu entries - Checks that all view files are referenced in menus
  4. RPCD script permissions - Ensures scripts are executable
  5. JSON syntax validation - Validates all menu.d and acl.d JSON files
  6. ubus naming convention - Verifies all ubus objects use the luci. prefix

Exit codes:

  • 0 - All checks passed (or only warnings)
  • 1 - Critical errors found

Example output:

✓ luci-app-cdn-cache: RPCD script 'luci.cdn-cache' matches ubus object 'luci.cdn-cache'
✓ luci-app-cdn-cache: Menu path 'cdn-cache/overview' → file exists
❌ ERROR: luci-app-example: RPCD script 'example' does not match ubus object 'luci.example'

validate-module-generation.sh

NEW! Comprehensive validation for a single module during/after generation.

Usage:

./secubox-tools/validate-module-generation.sh luci-app-cdn-cache

Checks performed:

  • Makefile completeness (all required fields)
  • RPCD script naming convention (luci.* prefix)
  • RPCD script structure and handlers
  • ACL permissions coverage
  • Menu path validation
  • JavaScript view validation
  • RPC method declarations vs RPCD implementations
  • Security scans (hardcoded credentials, dangerous commands)
  • Documentation presence

When to use:

  • After generating a new module
  • Before committing changes to a module
  • When debugging module integration issues

pre-push-validation.sh

NEW! Git pre-push hook that validates all modules before allowing push.

Usage:

# Automatic (via git hook):
git push  # validation runs automatically

# Manual:
./secubox-tools/pre-push-validation.sh

Checks performed:

  • All validation from validate-modules.sh
  • Git staged changes analysis
  • Modified module detection
  • Comprehensive security scans
  • Full module validation on modified modules

Exit codes:

  • 0 - Push allowed
  • 1 - Push blocked (critical errors found)

Installation:

./secubox-tools/install-git-hooks.sh

Maintenance Tools

secubox-repair.sh

Auto-repair tool that fixes common issues in Makefiles and RPCD scripts.

Usage:

./secubox-tools/secubox-repair.sh

secubox-debug.sh

Validates individual package structure and dependencies on OpenWrt device.

Usage:

./secubox-tools/secubox-debug.sh luci-app-<module-name>

install-git-hooks.sh

NEW! Installs git hooks for automatic validation.

Usage:

./secubox-tools/install-git-hooks.sh

This creates a symbolic link from .git/hooks/pre-push to pre-push-validation.sh.

Recommended Workflow

When Generating a New Module

  1. Generate module files (use Claude with module-prompts.md)

  2. Validate the module:

    ./secubox-tools/validate-module-generation.sh luci-app-<module-name>

  3. Fix all ERRORS (critical)

  4. Review and fix WARNINGS (recommended)

  5. Build and test locally (recommended):

    ./secubox-tools/local-build.sh build luci-app-<module-name>
# Test on router if needed

  6. Commit changes:

    git add luci-app-<module-name>
git commit -m "feat: implement <module-name> module"
git push  # Pre-push validation runs automatically

When Modifying Existing Modules

  1. Make your changes

  2. Run quick validation:

    ./secubox-tools/validate-modules.sh

  3. For complex changes, run full validation:

    ./secubox-tools/validate-module-generation.sh luci-app-<module-name>

  4. Build and test locally (recommended):

    ./secubox-tools/local-build.sh build luci-app-<module-name>

  5. Commit and push (validation runs automatically)

Before Committing Changes

Always run at least one validation tool before committing:

  1. Run validation (CRITICAL):

    ./secubox-tools/validate-modules.sh
# Or use local-build.sh for validation + build:
./secubox-tools/local-build.sh full

  2. Fix any errors reported

  3. Run shellcheck on RPCD scripts:

    shellcheck luci-app-*/root/usr/libexec/rpcd/*

  4. Test build locally (recommended):

    ./secubox-tools/local-build.sh build

  5. Commit changes

Common Fixes

Fix RPCD naming mismatch

If validation reports RPCD script name doesn't match ubus object:

# Rename the script to include luci. prefix
cd luci-app-example/root/usr/libexec/rpcd
mv example luci.example

Fix menu path mismatch

If validation reports menu path doesn't match view file:

# Option 1: Update menu.d JSON to match file location
# Edit: root/usr/share/luci/menu.d/luci-app-example.json
# Change: "path": "example/view" → "path": "example-dashboard/view"

# Option 2: Move view files to match menu path
mv htdocs/luci-static/resources/view/example-dashboard \
   htdocs/luci-static/resources/view/example

Fix non-executable RPCD script

chmod +x luci-app-example/root/usr/libexec/rpcd/luci.example

Integration with CI/CD

The validation script can be integrated into GitHub Actions workflows:

- name: Validate modules
  run: |
    chmod +x secubox-tools/validate-modules.sh
    ./secubox-tools/validate-modules.sh

Critical Naming Rules

These rules are MANDATORY - violations will cause runtime errors:

  1. RPCD scripts must be named luci.<module-name>

    • luci.cdn-cache
    • cdn-cache

  2. Menu paths must match view file locations

    • Menu: "path": "cdn-cache/overview"
    • File: view/cdn-cache/overview.js

  3. ubus objects must use luci. prefix

    • object: 'luci.cdn-cache'
    • object: 'cdn-cache'

See CLAUDE.md for complete documentation.