Permissions tests for modules and plugins

qa/vagrant/src/test/resources/packaging/scripts/modules.bash

@@ -29,12 +29,22 @@ check_module() {
     local name=$1
     shift
 
+    assert_module_or_plugin_directory "$ESMODULES/$name"
+
     for file in "$@"; do
-        assert_file_exist "$(readlink -m $ESMODULES/$name/$file)"
+        assert_module_file "$ESMODULES/$name/$file"
     done
 
-    assert_file_exist "$(readlink -m $ESMODULES/$name/$name-*.jar)"
-    assert_file_exist "$(readlink -m $ESMODULES/$name/plugin-descriptor.properties)"
+    assert_module_file "$ESMODULES/$name/$name-*.jar"
+    assert_module_file "$ESMODULES/$name/plugin-descriptor.properties"
+}
+
+assert_module_file() {
+    local file=$1
+    shift
+
+    assert_file_exist "$(readlink -m $file)"
+    assert_module_or_plugin_file $file
 }
 
 check_secure_module() {

qa/vagrant/src/test/resources/packaging/scripts/packaging_test_utils.bash

@@ -179,6 +179,30 @@ assert_file() {
     fi
 }
 
+assert_module_or_plugin_directory() {
+    local directory=$1
+    shift
+
+    #owner group and permissions vary depending on how es was installed
+    #just make sure that everything is the same as $CONFIG_DIR, which was properly set up during install
+    config_user=$(find "$ESHOME" -maxdepth 0 -printf "%u")
+    config_owner=$(find "$ESHOME" -maxdepth 0 -printf "%g")
+    # directories should use the user file-creation mask
+    config_privileges=$((0777 & ~$(sudo -E -u $ESPLUGIN_COMMAND_USER sh -c umask) | 0111))
+
+    assert_file $directory d $config_user $config_owner $(printf "%o" $config_privileges)
+}
+
+assert_module_or_plugin_file() {
+    local file=$1
+    shift
+
+    # config files should not be executable and otherwise use the user
+    # file-creation mask
+    expected_file_privileges=$((0777 & ~$(sudo -E -u $ESPLUGIN_COMMAND_USER sh -c umask) & ~0111))
+    assert_file $file f $config_user $config_owner $(printf "%o" $expected_file_privileges)
+}
+
 assert_output() {
     echo "$output" | grep -E "$1"
 }

qa/vagrant/src/test/resources/packaging/scripts/plugins.bash

@@ -133,14 +133,25 @@ install_and_check_plugin() {
     fi
 
     install_jvm_plugin $fullName "$(readlink -m $fullName-*.zip)"
+
+    assert_module_or_plugin_directory "$ESPLUGINS/$fullName"
+
     if [ $prefix == 'analysis' ]; then
-        assert_file_exist "$(readlink -m $ESPLUGINS/$fullName/lucene-analyzers-$name-*.jar)"
+        assert_plugin_file "$ESPLUGINS/$fullName/lucene-analyzers-$name-*.jar"
     fi
     for file in "$@"; do
-        assert_file_exist "$(readlink -m $ESPLUGINS/$fullName/$file)"
+        assert_plugin_file "$ESPLUGINS/$fullName/$file"
     done
 }
 
+assert_plugin_file() {
+    local file=$1
+    shift
+
+    assert_file_exist "$(readlink -m $file)"
+    assert_module_or_plugin_file $file
+}
+
 # Compare a list of plugin names to the plugins in the plugins pom and see if they are the same
 # $1 the file containing the list of plugins we want to compare to
 # $2 description of the source of the plugin list