Cargo.toml: 0.1.0 -> 1.0.0

.gitignore

@@ -9,7 +9,6 @@ result-*
 
 # Nix VM
 *.qcow2
-.nixos-test-history
 
 # Packaging
 !/assets/debian/config.toml

Cargo.toml

@@ -1,12 +1,11 @@
 [package]
 name = "muscl"
-version = "0.1.0"
+version = "1.0.0"
 edition = "2024"
 resolver = "2"
 license = "BSD-3-Clause"
 authors = [
-  "oysteikt@pvv.ntnu.no",
-  "felixalb@pvv.ntnu.no",
+  "Programvareverkstedet <projects@pvv.ntnu.no>",
 ]
 homepage = "https://git.pvv.ntnu.no/Projects/muscl"
 repository = "https://git.pvv.ntnu.no/Projects/muscl"

assets/systemd/muscl.socket

@@ -3,6 +3,7 @@ Description=Muscl MySQL admin tool
 
 [Socket]
 ListenStream=/run/muscl/muscl.sock
+RemoveOnStop=true
 Accept=no
 PassCredentials=true
 

flake.lock

@@ -15,26 +15,6 @@
         "type": "github"
       }
     },
-    "nix-vm-test": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1763976673,
-        "narHash": "sha256-QPeI8WR+brwodiy4YNfOnLI7rOHJfFPrGm+xT/HmtT4=",
-        "owner": "numtide",
-        "repo": "nix-vm-test",
-        "rev": "8611bdd7a49750a880be9ee2ea9f68c53f8c9299",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "nix-vm-test",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1768127708,
@@ -54,7 +34,6 @@
     "root": {
       "inputs": {
         "crane": "crane",
-        "nix-vm-test": "nix-vm-test",
         "nixpkgs": "nixpkgs",
         "rust-overlay": "rust-overlay"
       }

flake.nix

@@ -6,12 +6,9 @@
     rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
 
     crane.url = "github:ipetkov/crane";
-
-    nix-vm-test.url = "github:numtide/nix-vm-test";
-    nix-vm-test.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = { self, nixpkgs, rust-overlay, crane, nix-vm-test }:
+  outputs = { self, nixpkgs, rust-overlay, crane }:
   let
     inherit (nixpkgs) lib;
 
@@ -98,8 +95,6 @@
       muscl = import ./nix/module.nix;
     };
 
-    # vmlib = forAllSystems(system: _: _: nix-vm-test.lib.${system});
-
     packages = forAllSystems (system: pkgs: _:
       let
       cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
@@ -135,8 +130,6 @@
       filteredSource = pkgs.runCommandLocal "filtered-source" { } ''
         ln -s ${src} $out
       '';
-
-      debianVm = import ./nix/debian-vm-configuration.nix { inherit nix-vm-test nixpkgs system pkgs; };
     });
 
     checks = forAllSystems (system: pkgs: _: {

nix/debian-vm-configuration.nix

@@ -1,49 +0,0 @@
-{ nix-vm-test, nixpkgs, system, pkgs, ... }:
-let
-  image = nix-vm-test.lib.${system}.debian.images."13";
-
-  generic = import "${nix-vm-test}/generic" { inherit pkgs nixpkgs; inherit (pkgs) lib; };
-
-  makeVmTestForImage =
-    image:
-    {
-      testScript,
-      sharedDirs ? {},
-      diskSize ? null,
-      config ? { }
-    }:
-    generic.makeVmTest {
-      inherit
-        system
-        testScript
-        sharedDirs;
-      image = nix-vm-test.lib.${system}.debian.prepareDebianImage {
-        inherit diskSize;
-        hostPkgs = pkgs;
-        originalImage = image;
-      };
-      machineConfigModule = config;
-    };
-
-    vmTest = makeVmTestForImage image {
-       diskSize = "10G";
-       sharedDirs = {
-         debDir = {
-           source = "${./.}";
-           target = "/mnt";
-         };
-       };
-       testScript = ''
-         vm.wait_for_unit("multi-user.target")
-         vm.succeed("apt-get update && apt-get -y install mariadb-server build-essential curl")
-         vm.succeed("curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y")
-         vm.succeed("source /root/.cargo/env && cargo install cargo-deb")
-         vm.succeed("cp -r /mnt /root/src && chmod -R +w /root/src")
-         vm.succeed("source /root/.cargo/env && cd /root/src && ./create-deb.sh")
-       '';
-       config.nodes.vm = {
-         virtualisation.memorySize = 8192;
-         virtualisation.cpus = 4;
-       };
-    };
-in vmTest.driverInteractive

scripts/download-and-upload-debs.sh

@@ -54,11 +54,13 @@ for variant in debian-bookworm debian-trixie ubuntu-jammy ubuntu-noble; do
     DEB_VERSION=$(find "$TMPDIR/muscl-deb-$variant-$GIT_SHA"/*.deb -print0 | xargs -0 -n1 basename | cut -d'_' -f2 | head -n1)
     DEB_ARCH=$(find "$TMPDIR/muscl-deb-$variant-$GIT_SHA"/*.deb -print0 | xargs -0 -n1 basename | cut -d'_' -f3 | cut -d'.' -f1 | head -n1)
 
+    echo "[DELETE] https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/$DEB_NAME/$DEB_VERSION/$DEB_ARCH"
     curl \
       -X DELETE \
       --user "$GITEA_USER:$GITEA_TOKEN" \
       "https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/$DEB_NAME/$DEB_VERSION/$DEB_ARCH"
 
+    echo "[PUT] https://git.pvv.ntnu.no/api/packages/Projects/debian/pool/$DISTRO_VERSION_NAME/main/upload"
     curl \
       -X PUT \
       --user "$GITEA_USER:$GITEA_TOKEN" \

src/bin/muscl.rs

@@ -319,7 +319,8 @@ fn main() -> anyhow::Result<()> {
         #[cfg(not(feature = "suid-sgid-mode"))]
         None,
         args.verbose,
-    )?;
+    )
+    .context("Failed to connect to the server")?;
 
     tokio_run_command(args.command, connection)?;
 

src/core/bootstrap.rs

@@ -1,5 +1,6 @@
 use std::{
     fs,
+    os::unix::fs::FileTypeExt,
     path::{Path, PathBuf},
     sync::Arc,
     time::Duration,
@@ -7,7 +8,10 @@ use std::{
 
 use anyhow::{Context, anyhow};
 use clap_verbosity_flag::{InfoLevel, Verbosity};
-use nix::libc::{EXIT_SUCCESS, exit};
+use nix::{
+    libc::{EXIT_SUCCESS, exit},
+    unistd::{AccessFlags, access},
+};
 use sqlx::mysql::MySqlPoolOptions;
 use std::os::unix::net::UnixStream as StdUnixStream;
 use tokio::{net::UnixStream as TokioUnixStream, sync::RwLock};
@@ -130,11 +134,28 @@ pub fn bootstrap_server_connection_and_drop_privileges(
     }
 }
 
+fn socket_path_is_ok(path: &Path) -> anyhow::Result<()> {
+    fs::metadata(path)
+        .context(format!("Failed to get metadata for {:?}", path))
+        .and_then(|meta| {
+            if !meta.file_type().is_socket() {
+                anyhow::bail!("{:?} is not a unix socket", path);
+            }
+
+            access(path, AccessFlags::R_OK | AccessFlags::W_OK)
+                .with_context(|| format!("Socket at {:?} is not readable/writable", path))?;
+
+            Ok(())
+        })
+}
+
 fn connect_to_external_server(
     server_socket_path: Option<PathBuf>,
 ) -> anyhow::Result<StdUnixStream> {
-    // TODO: ensure this is both readable and writable
     if let Some(socket_path) = server_socket_path {
+        tracing::trace!("Checking socket at {:?}", socket_path);
+        socket_path_is_ok(&socket_path)?;
+
         tracing::debug!("Connecting to socket at {:?}", socket_path);
         return match StdUnixStream::connect(socket_path) {
             Ok(socket) => Ok(socket),
@@ -147,6 +168,9 @@ fn connect_to_external_server(
     }
 
     if fs::metadata(DEFAULT_SOCKET_PATH).is_ok() {
+        tracing::trace!("Checking socket at {:?}", DEFAULT_SOCKET_PATH);
+        socket_path_is_ok(Path::new(DEFAULT_SOCKET_PATH))?;
+
         tracing::debug!("Connecting to default socket at {:?}", DEFAULT_SOCKET_PATH);
         return match StdUnixStream::connect(DEFAULT_SOCKET_PATH) {
             Ok(socket) => Ok(socket),
@@ -158,7 +182,9 @@ fn connect_to_external_server(
         };
     }
 
-    anyhow::bail!("No socket path provided, and no default socket found");
+    anyhow::bail!(
+        "No socket path provided, and no socket found found at default location {DEFAULT_SOCKET_PATH}"
+    );
 }
 
 // TODO: this function is security critical, it should be integration tested

src/server/authorization.rs

@@ -59,6 +59,10 @@ fn parse_group_denylist(denylist_path: &Path, lines: Lines) -> GroupDenylist {
         }
         .trim();
 
+        if trimmed_line.is_empty() {
+            continue;
+        }
+
         let parts: Vec<&str> = trimmed_line.splitn(2, ':').collect();
         if parts.len() != 2 {
             tracing::warn!(