Add besu CLI option to output dirs needing permission update

besu/src/main/java/org/hyperledger/besu/cli/BesuCommand.java

@@ -230,6 +230,11 @@
 import java.util.function.Predicate;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
+import java.nio.file.Files;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.Paths;
+import java.nio.file.attribute.PosixFileAttributes;
+import java.nio.file.attribute.UserPrincipal;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
@@ -382,6 +387,12 @@ public class BesuCommand implements DefaultCommandValues, Runnable {
       arity = "1")
   private final Optional<String> identityString = Optional.empty();
 
+  @Option(
+          names = "--print-paths-and-exit",
+          description = "Print the configured paths and exit without starting the node."
+  )
+  private final Boolean printPathsAndExit = false;
+
   // P2P Discovery Option Group
   @CommandLine.ArgGroup(validate = false, heading = "@|bold P2P Discovery Options|@%n")
   P2PDiscoveryOptionGroup p2PDiscoveryOptionGroup = new P2PDiscoveryOptionGroup();
@@ -1093,6 +1104,12 @@ public void run() {
     try {
       configureLogging(true);
 
+      if (printPathsAndExit) {
+        // Print configured paths requiring read/write permissions to be adjusted
+        checkPermissionsAndPrintPaths();
+        System.exit(0);  // Exit before any services are started
+      }
+
       // set merge config on the basis of genesis config
       setMergeConfigOptions();
 
@@ -1138,6 +1155,58 @@ public void run() {
     }
   }
 
+  private void checkPermissionsAndPrintPaths() {
+    // Check permissions for the data path
+    checkPermissions(dataDir(), "besu", false);
+
+    // Check permissions for genesis file
+    try {
+      if(genesisFile != null) {
+        checkPermissions(genesisFile.toPath(),"besu", true);
+      }
+    } catch (Exception e) {
+      System.out.println("Error: Failed checking genesis file: Reason: " + e.getMessage());
+    }
+  }
+
+
+  // Helper method to check permissions on a given path
+  private void checkPermissions(final Path path,final String besuUser, final boolean readOnly) {
+    try {
+      // Get the permissions of the file
+      // check if besu user is the owner - get owner permissions if yes
+      // else, check if besu and owner are in the same group - if yes, check the group permission
+      // otherwise check permissions for others
+
+      // Get the owner of the file or directory
+      UserPrincipal owner = Files.getOwner(path);
+      boolean hasReadPermission , hasWritePermission;
+
+      // Get file permissions
+      Set<PosixFilePermission> permissions = Files.getPosixFilePermissions(path);
+
+      // Check if besu is the owner
+      if (owner.getName().equals(besuUser)) {
+        // Owner permissions
+        hasReadPermission = permissions.contains(PosixFilePermission.OWNER_READ);
+        hasWritePermission = permissions.contains(PosixFilePermission.OWNER_WRITE);
+      } else {
+        // Skipping group check for now as we know besu user and root don't have a common group
+        // Others' permissions
+        hasReadPermission = permissions.contains(PosixFilePermission.OTHERS_READ);
+        hasWritePermission = permissions.contains(PosixFilePermission.OTHERS_WRITE);
+      }
+
+      if (!hasReadPermission || (!readOnly && !hasWritePermission)) {
+        String accessType = readOnly ? "READ" : "READ_WRITE";
+        System.out.println("PERMISSION_CHECK_PATH:" + path + ":" + accessType);
+      }
+    } catch (Exception e) {
+      // Do nothing upon catching an error
+      System.out.println("Error: Failed to check permissions for path: '" + path + "'. Reason: " + e.getMessage());
+    }
+  }
+
   @VisibleForTesting
   void setBesuConfiguration(final BesuConfigurationImpl pluginCommonConfiguration) {
     this.pluginCommonConfiguration = pluginCommonConfiguration;

besu/src/main/scripts/besu-entry.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+##
+## Copyright contributors to Hyperledger Besu.
+##
+## Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+## the License. You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+## an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+## specific language governing permissions and limitations under the License.
+##
+## SPDX-License-Identifier: Apache-2.0
+##
+
+
+# Run Besu first to get paths needing permission adjustment
+output=$(/opt/besu/bin/besu --print-paths-and-exit "$@")
+
+# Parse the output to find the paths and their required access types
+echo "$output" | while IFS=: read -r prefix path accessType; do
+    if [[ "$prefix" == "PERMISSION_CHECK_PATH" ]]; then
+      # Change ownership to besu user and group
+      chown -R besu:besu $path
+
+      # Ensure read/write permissions for besu user
+
+      echo "Setting permissions for: $path with access: $accessType"
+
+      if [[ "$accessType" == "READ" ]]; then
+        # Set read-only permissions for besu user
+        chmod -R u+r $path
+      elif [[ "$accessType" == "READ_WRITE" ]]; then
+        # Set read/write permissions for besu user
+        chmod -R u+rw $path
+      fi
+    fi
+done
+
+# Finally, run Besu with the actual arguments passed to the container
+# Construct the command as a single string
+COMMAND="/opt/besu/bin/besu $@"
+
+# Switch to the besu user and execute the command
+exec su -s /bin/bash besu -c "$COMMAND"

build.gradle

@@ -722,6 +722,7 @@ task evmToolStartScripts(type: CreateStartScripts) {
   doLast { tweakStartScript(evmToolStartScripts) }
 }
 
+
 task autocomplete(type: JavaExec) {
   dependsOn compileJava
   def tempAutocompleteFile = File.createTempFile("besu", ".autocomplete")
@@ -1097,6 +1098,8 @@ distributions {
       from("build/reports/license/license-dependency.html") { into "." }
       from("./docs/GettingStartedBinaries.md") { into "." }
       from("./docs/DocsArchive0.8.0.html") { into "." }
+      from("./docs/DocsArchive0.8.0.html") { into "." }
+      from("./besu/src/main/scripts/besu-entry.sh") { into "./bin/" }
       from(autocomplete) { into "." }
     }
   }

docker/Dockerfile

@@ -44,7 +44,6 @@ ENV OLDPATH="${PATH}"
 ENV PATH="/opt/besu/bin:${OLDPATH}"
 
 USER root
-
 RUN chmod +x /opt/besu/bin/besu-entry.sh
 
 ENTRYPOINT ["besu-entry.sh"]

docker/test.sh

@@ -41,4 +41,12 @@ bash $TEST_PATH/dgoss run --sysctl net.ipv6.conf.all.disable_ipv6=1 $DOCKER_IMAG
 --graphql-http-enabled \
 > ./reports/01.xml || i=`expr $i + 1`
 
+if [[ $i != 0 ]]; then exit $i; fi
+
+# Test for directory permissions
+GOSS_FILES_PATH=$TEST_PATH/02 \
+bash $TEST_PATH/dgoss run --sysctl net.ipv6.conf.all.disable_ipv6=1 -v besu-data:/var/lib/besu $DOCKER_IMAGE --data-path=/var/lib/besu \
+--network=dev \
+> ./reports/02.xml || i=`expr $i + 1`
+
 exit $i

docker/tests/02/goss.yaml

@@ -0,0 +1,10 @@
+---
+# runtime docker tests
+file:
+  /var/lib/besu:
+    exists: true
+    owner: besu
+    mode: "0755"
+process:
+  java:
+    running: true

docker/tests/dgoss

@@ -76,7 +76,7 @@ GOSS_PATH="${GOSS_PATH:-$(which goss 2> /dev/null || true)}"
 [[ $GOSS_PATH ]] || { error "Couldn't find goss installation, please set GOSS_PATH to it"; }
 [[ ${GOSS_OPTS+x} ]] || GOSS_OPTS="--color --format documentation"
 [[ ${GOSS_WAIT_OPTS+x} ]] || GOSS_WAIT_OPTS="-r 30s -s 1s > /dev/null"
-GOSS_SLEEP=${GOSS_SLEEP:-0.2}
+GOSS_SLEEP=${GOSS_SLEEP:-1.0}
 
 case "$1" in
     run)