Reduce SSH service and file scan commands

Author: syrull

providers/os/connection/ssh/cat/cat.go

@@ -21,11 +21,17 @@ type CommandRunner interface {
 func New(cmdRunner CommandRunner) *Fs {
 	return &Fs{
 		commandRunner: cmdRunner,
+		statter:       statutil.New(cmdRunner),
 	}
 }
 
+type statter interface {
+	Stat(name string) (os.FileInfo, error)
+}
+
 type Fs struct {
 	commandRunner CommandRunner
+	statter       statter
 	base64        *bool
 }
 
@@ -54,7 +60,7 @@ func (cat *Fs) base64available() bool {
 }
 
 func (cat *Fs) Open(name string) (afero.File, error) {
-	_, err := statutil.New(cat.commandRunner).Stat(name)
+	_, err := cat.statter.Stat(name)
 	if err != nil {
 		return nil, err
 	}
@@ -65,7 +71,7 @@ func (cat *Fs) Open(name string) (afero.File, error) {
 var NotImplemented = errors.New("not implemented")
 
 func (cat *Fs) Stat(name string) (os.FileInfo, error) {
-	return statutil.New(cat.commandRunner).Stat(name)
+	return cat.statter.Stat(name)
 }
 
 func (cat *Fs) Create(name string) (afero.File, error) {

providers/os/connection/ssh/cat/cat_test.go

@@ -76,12 +76,50 @@ UsePAM yes
 	assert.True(t, errors.Is(err, os.ErrNotExist))
 }
 
+func TestCatFsReusesStatHelper(t *testing.T) {
+	filepath, _ := filepath.Abs("./testdata/cat.toml")
+	p, err := mock.New(0, &inventory.Asset{}, mock.WithPath(filepath))
+	require.NoError(t, err)
+
+	flags := map[string]*llx.Primitive{
+		"sudo": llx.BoolPrimitive(true),
+	}
+
+	cw := &CommandWrapper{
+		commandRunner: p,
+		sudo:          shared.ParseSudo(flags),
+	}
+
+	catfs := cat.New(cw)
+
+	_, err = catfs.Stat("/etc/ssh/sshd_config")
+	require.NoError(t, err)
+
+	f, err := catfs.Open("/etc/ssh/sshd_config")
+	require.NoError(t, err)
+	require.NoError(t, f.Close())
+
+	assert.Equal(t, 1, countCommands(cw.commands, "sudo uname -s"))
+}
+
+func countCommands(commands []string, target string) int {
+	count := 0
+	for _, command := range commands {
+		if command == target {
+			count++
+		}
+	}
+	return count
+}
+
 type CommandWrapper struct {
 	commandRunner cat.CommandRunner
 	sudo          *inventory.Sudo
+	commands      []string
 }
 
 func (cw *CommandWrapper) RunCommand(command string) (*shared.Command, error) {
 	cmd := shared.BuildSudoCommand(cw.sudo, command)
+	cw.commands = append(cw.commands, cmd)
 	return cw.commandRunner.RunCommand(cmd)
 }

providers/os/resources/file.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"os"
 	"path"
+	"strings"
 
 	"github.com/spf13/afero"
 	"go.mondoo.com/mql/v13/llx"
@@ -42,13 +43,7 @@ func (s *mqlFile) content(path string, exists bool) (string, error) {
 	return string(res), err
 }
 
-func (s *mqlFile) stat() error {
-	conn := s.MqlRuntime.Connection.(shared.Connection)
-	stat, err := conn.FileInfo(s.Path.Data)
-	if err != nil {
-		return err
-	}
-
+func (s *mqlFile) cacheStatFields(stat shared.FileInfoDetails) error {
 	mode := stat.Mode.UnixMode()
 	res, err := CreateResource(s.MqlRuntime, "file.permissions", map[string]*llx.RawData{
 		"mode":             llx.IntData(int64(uint32(mode) & 0o7777)),
@@ -72,16 +67,65 @@ func (s *mqlFile) stat() error {
 		return err
 	}
 
+	s.Exists = plugin.TValue[bool]{
+		Data:  true,
+		State: plugin.StateIsSet,
+	}
 	s.Permissions = plugin.TValue[*mqlFilePermissions]{
 		Data:  res.(*mqlFilePermissions),
 		State: plugin.StateIsSet,
 	}
-
 	s.Size = plugin.TValue[int64]{
 		Data:  stat.Size,
 		State: plugin.StateIsSet,
 	}
 
+	return nil
+}
+
+func isFileNotFound(err error) bool {
+	if err == nil {
+		return false
+	}
+	if errors.Is(err, os.ErrNotExist) {
+		return true
+	}
+
+	errText := strings.ToLower(err.Error())
+	return strings.Contains(errText, "file not found") || strings.Contains(errText, "no such file or directory")
+}
+
+
+func (s *mqlFile) loadStatFields(path string) (*shared.FileInfoDetails, bool, error) {
+	if s.Exists.IsSet() {
+		if !s.Exists.Data {
+			return nil, false, s.Exists.Error
+		}
+		if s.Permissions.IsSet() && s.Size.IsSet() {
+			return nil, true, nil
+		}
+	}
+
+	conn := s.MqlRuntime.Connection.(shared.Connection)
+	stat, err := conn.FileInfo(path)
+	if err != nil {
+		if isFileNotFound(err) {
+			s.Exists = plugin.TValue[bool]{
+				Data:  false,
+				State: plugin.StateIsSet,
+			}
+			return nil, false, nil
+		}
+		return nil, false, err
+	}
+	if err := s.cacheStatFields(stat); err != nil {
+		return nil, false, err
+	}
+
+	return &stat, true, nil
+}
+
+func (s *mqlFile) cacheOwnership(stat shared.FileInfoDetails) error {
 	raw, err := CreateResource(s.MqlRuntime, "users", nil)
 	if err != nil {
 		return errors.New("cannot get users info for file: " + err.Error())
@@ -92,7 +136,6 @@ func (s *mqlFile) stat() error {
 	if err != nil {
 		return err
 	}
-
 	s.User = plugin.TValue[*mqlUser]{
 		Data:  user,
 		State: plugin.StateIsSet,
@@ -108,7 +151,6 @@ func (s *mqlFile) stat() error {
 	if err != nil {
 		return err
 	}
-
 	s.Group = plugin.TValue[*mqlGroup]{
 		Data:  group,
 		State: plugin.StateIsSet,
@@ -117,20 +159,61 @@ func (s *mqlFile) stat() error {
 	return nil
 }
 
+func (s *mqlFile) loadOwnership(path string) error {
+	stat, exists, err := s.loadStatFields(path)
+	if err != nil {
+		return err
+	}
+	if !exists {
+		return os.ErrNotExist
+	}
+	if s.User.IsSet() && s.Group.IsSet() {
+		return nil
+	}
+	if stat == nil {
+		conn := s.MqlRuntime.Connection.(shared.Connection)
+		statValue, err := conn.FileInfo(path)
+		if err != nil {
+			return err
+		}
+		stat = &statValue
+	}
+
+	return s.cacheOwnership(*stat)
+}
+
+func (s *mqlFile) stat() error {
+	return s.loadOwnership(s.Path.Data)
+}
+
 func (s *mqlFile) size(path string) (int64, error) {
-	return 0, s.stat()
+	_, exists, err := s.loadStatFields(path)
+	if err != nil {
+		return 0, err
+	}
+	if !exists {
+		return 0, os.ErrNotExist
+	}
+	return 0, nil
 }
 
 func (s *mqlFile) permissions(path string) (*mqlFilePermissions, error) {
-	return nil, s.stat()
+	_, exists, err := s.loadStatFields(path)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, os.ErrNotExist
+	}
+	return nil, nil
 }
 
 func (s *mqlFile) user() (*mqlUser, error) {
-	return nil, s.stat()
+	return nil, s.loadOwnership(s.Path.Data)
 }
 
 func (s *mqlFile) group() (*mqlGroup, error) {
-	return nil, s.stat()
+	return nil, s.loadOwnership(s.Path.Data)
 }
 
 func (s *mqlFile) empty(path string) (bool, error) {
@@ -148,9 +231,8 @@ func (s *mqlFile) dirname(fullPath string) (string, error) {
 }
 
 func (s *mqlFile) exists(path string) (bool, error) {
-	conn := s.MqlRuntime.Connection.(shared.Connection)
-	afs := &afero.Afero{Fs: conn.FileSystem()}
-	return afs.Exists(path)
+	_, exists, err := s.loadStatFields(path)
+	return exists, err
 }
 
 func (l *mqlFilePermissions) id() (string, error) {