i/prompting: implement path pattern matching and validation

go.mod

@@ -6,6 +6,7 @@ go 1.18
 replace maze.io/x/crypto => github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066
 
 require (
+	github.com/bmatcuk/doublestar/v4 v4.6.1
 	github.com/canonical/go-efilib v0.3.1-0.20220815143333-7e5151412e93 // indirect
 	github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 // indirect
 	github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61

go.sum

@@ -1,3 +1,5 @@
+github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I=
+github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/canonical/go-efilib v0.3.1-0.20220815143333-7e5151412e93 h1:F0bRDzPy/j2IX/iIWqCEA23S1nal+f7A+/vLyj6Ye+4=
 github.com/canonical/go-efilib v0.3.1-0.20220815143333-7e5151412e93/go.mod h1:9b2PNAuPcZsB76x75/uwH99D8CyH/A2y4rq1/+bvplg=
 github.com/canonical/go-sp800.108-kdf v0.0.0-20210314145419-a3359f2d21b9 h1:USzKjrfWo/ESzozv2i3OMM7XDgxrZRvaHFrKkIKRtwU=

interfaces/prompting/constraints.go

@@ -41,10 +41,9 @@ type Constraints struct {
 // ValidateForInterface returns nil if the constraints are valid for the given
 // interface, otherwise returns an error.
 func (c *Constraints) ValidateForInterface(iface string) error {
-	// TODO: change to this once PR #13866 is merged:
-	// if err := ValidatePathPattern(c.PathPattern); err != nil {
-	//	return err
-	// }
+	if err := ValidatePathPattern(c.PathPattern); err != nil {
+		return err
+	}
 	return c.validatePermissions(iface)
 }
 
@@ -81,9 +80,7 @@ func (c *Constraints) validatePermissions(iface string) error {
 //
 // If the constraints or path are invalid, returns an error.
 func (c *Constraints) Match(path string) (bool, error) {
-	// TODO: change to this once PR #13866 is merged:
-	// return PathPatternMatch(c.PathPattern, path)
-	return true, nil
+	return PathPatternMatch(c.PathPattern, path)
 }
 
 // RemovePermission removes every instance of the given permission from the

interfaces/prompting/constraints_test.go

@@ -24,8 +24,7 @@ import (
 
 	. "gopkg.in/check.v1"
 
-	// TODO: add this once PR #13730 is merged:
-	// doublestar "github.com/bmatcuk/doublestar/v4"
+	doublestar "github.com/bmatcuk/doublestar/v4"
 
 	"github.com/snapcore/snapd/interfaces/prompting"
 	"github.com/snapcore/snapd/sandbox/apparmor/notify"
@@ -44,17 +43,16 @@ func (s *constraintsSuite) TestConstraintsValidateForInterface(c *C) {
 	}{
 		{
 			"foo",
-			"invalid/path",
+			"/invalid/path",
 			[]string{"read"},
 			"unsupported interface.*",
 		},
-		// TODO: add this once PR #13730 is merged:
-		// {
-		//	"home",
-		//	"invalid/path",
-		//	[]string{"read"},
-		//	"invalid path pattern.*",
-		// },
+		{
+			"home",
+			"invalid/path",
+			[]string{"read"},
+			"invalid path pattern.*",
+		},
 		{
 			"home",
 			"/valid/path",
@@ -151,12 +149,11 @@ func (*constraintsSuite) TestConstraintsMatch(c *C) {
 			"/home/test/Documents/foo.txt",
 			true,
 		},
-		// TODO: add this once PR #13730 is merged:
-		// {
-		//	"/home/test/Documents/foo",
-		//	"/home/test/Documents/foo.txt",
-		//	false,
-		// },
+		{
+			"/home/test/Documents/foo",
+			"/home/test/Documents/foo.txt",
+			false,
+		},
 	}
 	for _, testCase := range cases {
 		constraints := &prompting.Constraints{
@@ -176,11 +173,8 @@ func (s *constraintsSuite) TestConstraintsMatchUnhappy(c *C) {
 		Permissions: []string{"read"},
 	}
 	matches, err := badConstraints.Match(badPath)
-	// TODO: change to this once PR #13730 is merged:
-	// c.Check(err, Equals, doublestar.ErrBadPattern)
-	// c.Check(matches, Equals, false)
-	c.Check(err, Equals, nil)
-	c.Check(matches, Equals, true)
+	c.Check(err, Equals, doublestar.ErrBadPattern)
+	c.Check(matches, Equals, false)
 }
 
 func (s *constraintsSuite) TestConstraintsRemovePermission(c *C) {

interfaces/prompting/patterns.go

@@ -0,0 +1,150 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2024 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package prompting
+
+import (
+	"fmt"
+	"strings"
+
+	doublestar "github.com/bmatcuk/doublestar/v4"
+)
+
+type countStack []int
+
+func (c *countStack) push(x int) {
+	*c = append(*c, x)
+}
+
+func (c *countStack) pop() int {
+	x := (*c)[len(*c)-1]
+	*c = (*c)[:len(*c)-1]
+	return x
+}
+
+// Limit the number of expanded path patterns for a particular pattern.
+// When fully expanded, the number of patterns for a given unexpanded pattern
+// may not exceed this limit.
+const maxExpandedPatterns = 1000
+
+// ValidatePathPattern returns nil if the pattern is valid, otherwise an error.
+func ValidatePathPattern(pattern string) error {
+	if pattern == "" || pattern[0] != '/' {
+		return fmt.Errorf("invalid path pattern: must start with '/': %q", pattern)
+	}
+	depth := 0
+	var currentGroupStack countStack
+	var currentOptionStack countStack
+	// Final currentOptionCount will be total expanded patterns for full pattern
+	currentGroupCount := 0
+	currentOptionCount := 1
+	reader := strings.NewReader(pattern)
+	for {
+		r, _, err := reader.ReadRune()
+		if err != nil {
+			// No more runes
+			break
+		}
+		switch r {
+		case '{':
+			depth++
+			if depth >= maxExpandedPatterns {
+				return fmt.Errorf("invalid path pattern: nested group depth exceeded maximum number of expanded path patterns (%d): %q", maxExpandedPatterns, pattern)
+			}
+			currentGroupStack.push(currentGroupCount)
+			currentOptionStack.push(currentOptionCount)
+			currentGroupCount = 0
+			currentOptionCount = 1
+		case ',':
+			if depth == 0 {
+				// Ignore commas outside of groups
+				break
+			}
+			currentGroupCount += currentOptionCount
+			currentOptionCount = 1
+		case '}':
+			depth--
+			if depth < 0 {
+				return fmt.Errorf("invalid path pattern: unmatched '}' character: %q", pattern)
+			}
+			currentGroupCount += currentOptionCount
+			currentOptionCount = currentOptionStack.pop() // option count of parent
+			currentOptionCount *= currentGroupCount       // parent option count * current group count
+			currentGroupCount = currentGroupStack.pop()   // group count of parent
+		case '\\':
+			// Skip next rune
+			_, _, err = reader.ReadRune()
+			if err != nil {
+				return fmt.Errorf(`invalid path pattern: trailing unescaped '\' character: %q`, pattern)
+			}
+		case '[', ']':
+			return fmt.Errorf("invalid path pattern: cannot contain unescaped '[' or ']': %q", pattern)
+		}
+	}
+	if depth != 0 {
+		return fmt.Errorf("invalid path pattern: unmatched '{' character: %q", pattern)
+	}
+	if currentOptionCount > maxExpandedPatterns {
+		return fmt.Errorf("invalid path pattern: exceeded maximum number of expanded path patterns (%d): %q expands to %d patterns", maxExpandedPatterns, pattern, currentOptionCount)
+	}
+	if !doublestar.ValidatePattern(pattern) {
+		return fmt.Errorf("invalid path pattern: %q", pattern)
+	}
+	return nil
+}
+
+// PathPatternMatch returns true if the given pattern matches the given path.
+//
+// The pattern should not contain groups, and should likely have been an output
+// of ExpandPathPattern.
+//
+// Paths to directories are received with trailing slashes, but we don't want
+// to require the user to include a trailing '/' if they want to match
+// directories (and end their pattern with `{,/}` if they want to match both
+// directories and non-directories). Thus, we want to ensure that patterns
+// without trailing slashes match paths with trailing slashes. However,
+// patterns with trailing slashes should not match paths without trailing
+// slashes.
+//
+// The doublestar package has special cases for patterns ending in `/**` and
+// `/**/`: `/foo/**`, and `/foo/**/` both match `/foo` and `/foo/`. We want to
+// override this behavior to make `/foo/**/` not match `/foo`. We also want to
+// override doublestar to make `/foo` match `/foo/`.
+func PathPatternMatch(pattern string, path string) (bool, error) {
+	// Check the usual doublestar match first, in case the pattern is malformed
+	// and causes an error, and return the error if so.
+	matched, err := doublestar.Match(pattern, path)
+	if err != nil {
+		return false, err
+	}
+	// No matter if doublestar matched, return false if pattern ends in '/' but
+	// path is not a directory.
+	if strings.HasSuffix(pattern, "/") && !strings.HasSuffix(path, "/") {
+		return false, nil
+	}
+	if matched {
+		return true, nil
+	}
+	if strings.HasSuffix(pattern, "/") {
+		return false, nil
+	}
+	// Try again with a '/' appended to the pattern, so patterns like `/foo`
+	// match paths like `/foo/`.
+	return doublestar.Match(pattern+"/", path)
+}